diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 88d163d67cebf..dd4ecb79e3a0b 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,4 +1,4 @@
-<!-- 🛈
+<!-- ℹ️
 
  Hello!
 
@@ -9,7 +9,7 @@
  PLEASE title the FIRST commit appropriately, so that if you squash all
  your commits into one, the combined commit message makes sense.
  For overall help on editing and submitting pull requests, visit:
-  https://kubernetes.io/docs/contribute/start/#improve-existing-content
+  https://kubernetes.io/docs/contribute/suggest-improvements/
 
  Use the default base branch, “main”, if you're documenting existing
  features in the English localization.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3dcdc63977426..c5ae697ceabf7 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,7 +9,7 @@ These are just guidelines, not rules. Use your best judgment, and feel free to p
 
 ### Code of Conduct
 
-Kubernetes follows the [Cloud Native Computing Foundation (CNCF) Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). By participating, you are expected to uphold this code. Please report unacceptable behavior to the
+Kubernetes follows the [Cloud Native Computing Foundation (CNCF) Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). By participating, you are expected to uphold this code. Please report unacceptable behavior to the
 [Kubernetes Code of Conduct Committee](https://github.com/kubernetes/community/tree/master/committee-code-of-conduct) <conduct@kubernetes.io>.
 
 ### Documentation and Site Decisions
diff --git a/Dockerfile b/Dockerfile
index a45fa4f0ac611..fecd5b050317b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@
 # change is that the Hugo version is now an overridable argument rather than a fixed
 # environment variable.
 
-FROM golang:1.16-alpine
+FROM golang:1.18-alpine
 
 LABEL maintainer="Luc Perkins <lperkins@linuxfoundation.org>"
 
@@ -24,7 +24,7 @@ RUN mkdir $HOME/src && \
     cd "hugo-${HUGO_VERSION}" && \
     go install --tags extended
 
-FROM golang:1.16-alpine
+FROM golang:1.18-alpine
 
 RUN apk add --no-cache \
     runuser \
diff --git a/Makefile b/Makefile
index 57fca6e2d1ba4..4b3ca99864f67 100644
--- a/Makefile
+++ b/Makefile
@@ -71,11 +71,15 @@ container-image: ## Build a container image for the preview of the website
 		--tag $(CONTAINER_IMAGE) \
 		--build-arg HUGO_VERSION=$(HUGO_VERSION)
 
+container-push: container-image ## Push container image for the preview of the website
+	$(CONTAINER_ENGINE) push $(CONTAINER_IMAGE)
+
 container-build: module-check
 	$(CONTAINER_RUN) --read-only --mount type=tmpfs,destination=/tmp,tmpfs-mode=01777 $(CONTAINER_IMAGE) sh -c "npm ci && hugo --minify --environment development"
 
-container-serve: module-check ## Boot the development server using container. Run `make container-image` before this.
-	$(CONTAINER_RUN) --cap-drop=ALL --cap-add=AUDIT_WRITE --read-only --mount type=tmpfs,destination=/tmp,tmpfs-mode=01777 -p 1313:1313 $(CONTAINER_IMAGE) hugo server --buildFuture --environment development --bind 0.0.0.0 --destination /tmp/hugo --cleanDestinationDir
+# no build lock to allow for read-only mounts
+container-serve: module-check ## Boot the development server using container.
+	$(CONTAINER_RUN) --cap-drop=ALL --cap-add=AUDIT_WRITE --read-only --mount type=tmpfs,destination=/tmp,tmpfs-mode=01777 -p 1313:1313 $(CONTAINER_IMAGE) hugo server --buildFuture --environment development --bind 0.0.0.0 --destination /tmp/hugo --cleanDestinationDir --noBuildLock
 
 test-examples:
 	scripts/test_examples.sh install
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index 76bf2cd73ac3a..296e743a8450d 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -3,6 +3,7 @@ aliases:
     - onlydole
     - mrbobbytables
     - sftim
+    - nate-double-u
   sig-docs-blog-reviewers: # Reviewers for blog content
     - mrbobbytables
     - onlydole
@@ -24,6 +25,7 @@ aliases:
     - jimangel
     - jlbutler
     - kbhawkey
+    - kcmartin
     - natalisucks
     - onlydole
     - pi-victor
@@ -179,6 +181,7 @@ aliases:
     - tanjunchen
     - tengqm
     - xichengliudui
+    - ydFu
     # zhangxiaoyu-zidif
   sig-docs-pt-owners: # Admins for Portuguese content
     - edsoncelio
@@ -249,7 +252,6 @@ aliases:
     - cpanato # SIG Technical Lead
     - jeremyrickard # SIG Technical Lead
     - justaugustus # SIG Chair
-    - LappleApple # SIG Program Manager
     - puerco # SIG Technical Lead
     - saschagrunert # SIG Chair
   release-engineering-approvers:
diff --git a/README-zh.md b/README-zh.md
index 700777d7a1928..e3ac58fb935c9 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -13,7 +13,14 @@ This repository contains the assets required to build the [Kubernetes website an
 我们非常高兴您想要参与贡献！
 
 <!--
-# Using this repository
+- [Contributing to the docs](#contributing-to-the-docs)
+- [Localization ReadMes](#localization-readmemds)
+-->
+- [为文档做贡献](#为文档做贡献)
+- [README.md 本地化](#readmemd-本地化)
+
+<!--
+## Using this repository
 
 You can run the website locally using Hugo (Extended version), or you can run it in a container runtime. We strongly recommend using the container runtime, as it gives deployment consistency with the live website.
 -->
@@ -46,7 +53,7 @@ Before you start, install the dependencies. Clone the repository and navigate to
 -->
 开始前，先安装这些依赖。克隆本仓库并进入对应目录：
 
-```
+```bash
 git clone https://github.com/kubernetes/website.git
 cd website
 ```
@@ -57,8 +64,8 @@ The Kubernetes website uses the [Docsy Hugo theme](https://github.com/google/doc
 
 Kubernetes 网站使用的是 [Docsy Hugo 主题](https://github.com/google/docsy#readme)。 即使你打算在容器中运行网站，我们也强烈建议你通过运行以下命令来引入子模块和其他开发依赖项：
 
-```
-# pull in the Docsy submodule
+```bash
+# 引入 Docsy 子模块
 git submodule update --init --recursive --depth 1
 ```
 
@@ -72,15 +79,23 @@ To build the site in a container, run the following to build the container image
 
 要在容器中构建网站，请通过以下命令来构建容器镜像并运行：
 
-```
+```bash
 make container-image
 make container-serve
 ```
 
 <!--
-Open up your browser to http://localhost:1313 to view the website. As you make changes to the source files, Hugo updates the website and forces a browser refresh.
+If you see errors, it probably means that the hugo container did not have enough computing resources available. To solve it, increase the amount of allowed CPU and memory usage for Docker on your machine ([MacOSX](https://docs.docker.com/docker-for-mac/#resources) and [Windows](https://docs.docker.com/docker-for-windows/#resources)).
 -->
-启动浏览器，打开 http://localhost:1313 来查看网站。
+如果您看到错误，这可能意味着 hugo 容器没有足够的可用计算资源。
+要解决这个问题，请增加机器（[MacOSX](https://docs.docker.com/docker-for-mac/#resources)
+和 [Windows](https://docs.docker.com/docker-for-windows/#resources)）上
+Docker 允许的 CPU 和内存使用量。
+
+<!--
+Open up your browser to <http://localhost:1313> to view the website. As you make changes to the source files, Hugo updates the website and forces a browser refresh.
+-->
+启动浏览器，打开 <http://localhost:1313> 来查看网站。
 当你对源文件作出修改时，Hugo 会更新网站并强制浏览器执行刷新操作。
 
 <!--
@@ -98,24 +113,90 @@ Hugo 扩展版本。
 若要在本地构造和测试网站，请运行：
 
 ```bash
-# install dependencies
+# 安装依赖
 npm ci
 make serve
 ```
 
 <!--
-This will start the local Hugo server on port 1313. Open up your browser to http://localhost:1313 to view the website. As you make changes to the source files, Hugo updates the website and forces a browser refresh.
+This will start the local Hugo server on port 1313. Open up your browser to <http://localhost:1313> to view the website. As you make changes to the source files, Hugo updates the website and forces a browser refresh.
 -->
 上述命令会在端口 1313 上启动本地 Hugo 服务器。
-启动浏览器，打开 http://localhost:1313 来查看网站。
+启动浏览器，打开 <http://localhost:1313> 来查看网站。
 当你对源文件作出修改时，Hugo 会更新网站并强制浏览器执行刷新操作。
 
+<!--
+## Building the API reference pages
+-->
+## 构建 API 参考页面
+
+<!--
+The API reference pages located in `content/en/docs/reference/kubernetes-api` are built from the Swagger specification, using <https://github.com/kubernetes-sigs/reference-docs/tree/master/gen-resourcesdocs>.
+
+To update the reference pages for a new Kubernetes release follow these steps:
+-->
+位于 `content/en/docs/reference/kubernetes-api` 的 API 参考页面是根据 Swagger 规范构建的，使用 <https://github.com/kubernetes-sigs/reference-docs/tree/master/gen-resourcesdocs>。
+
+要更新新 Kubernetes 版本的参考页面，请执行以下步骤：
+
+<!--
+1. Pull in the `api-ref-generator` submodule:
+-->
+1. 拉取 `api-ref-generator` 子模块：
+
+   ```bash
+   git submodule update --init --recursive --depth 1
+   ```
+
+<!--
+2. Update the Swagger specification:
+-->
+2. 更新 Swagger 规范：
+
+   ```bash
+   curl 'https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json' > api-ref-assets/api/swagger.json
+   ```
+
+<!--
+3. In `api-ref-assets/config/`, adapt the files `toc.yaml` and `fields.yaml` to reflect the changes of the new release.
+-->
+3. 在 `api-ref-assets/config/` 中，调整文件 `toc.yaml` 和 `fields.yaml` 以反映新版本的变化。
+
+<!--
+4. Next, build the pages:
+-->
+4. 接下来，构建页面：
+
+   ```bash
+   make api-reference
+   ```
+
+<!--
+   You can test the results locally by making and serving the site from a container image:
+-->
+   您可以通过从容器映像创建和提供站点来在本地测试结果：
+
+   ```bash
+   make container-image
+   make container-serve
+   ```
+
+<!--
+   In a web browser, go to <http://localhost:1313/docs/reference/kubernetes-api/> to view the API reference.
+-->
+   在 Web 浏览器中，打开 <http://localhost:1313/docs/reference/kubernetes-api/> 查看 API 参考。
+
+<!--
+5. When all changes of the new contract are reflected into the configuration files `toc.yaml` and `fields.yaml`, create a Pull Request with the newly generated API reference pages.
+-->
+5. 当所有新的更改都反映到配置文件 `toc.yaml` 和 `fields.yaml` 中时，使用新生成的 API 参考页面创建一个 Pull Request。
+
 <!--
 ## Troubleshooting
+
 ### error: failed to transform resource: TOCSS: failed to transform "scss/main.scss" (text/x-scss): this feature is not available in your current Hugo version
 
 Hugo is shipped in two set of binaries for technical reasons. The current website runs based on the **Hugo Extended** version only. In the [release page](https://github.com/gohugoio/hugo/releases) look for archives with `extended` in the name. To confirm, run `hugo version` and look for the word `extended`.
-
 -->
 ## 故障排除
 
@@ -135,18 +216,24 @@ If you run `make serve` on macOS and receive the following error:
 
 如果在 macOS 上运行 `make serve` 收到以下错误：
 
-```
+```bash
 ERROR 2020/08/01 19:09:18 Error: listen tcp 127.0.0.1:1313: socket: too many open files
 make: *** [serve] Error 1
 ```
 
+<!--
+Try checking the current limit for open files:
+-->
 试着查看一下当前打开文件数的限制：
 
 `launchctl limit maxfiles`
 
-然后运行以下命令（参考https://gist.github.com/tombigel/d503800a282fcadbee14b537735d202c）：
+<!--
+Then run the following commands (adapted from <https://gist.github.com/tombigel/d503800a282fcadbee14b537735d202c>):
+-->
+然后运行以下命令（参考 <https://gist.github.com/tombigel/d503800a282fcadbee14b537735d202c>）：
 
-```
+```shell
 #!/bin/sh
 
 # These are the original gist links, linking to my gists now.
@@ -165,6 +252,9 @@ sudo chown root:wheel /Library/LaunchDaemons/limit.maxproc.plist
 sudo launchctl load -w /Library/LaunchDaemons/limit.maxfiles.plist
 ```
 
+<!--
+This works for Catalina as well as Mojave macOS.
+-->
 这适用于 Catalina 和 Mojave macOS。
 
 <!--
@@ -174,7 +264,8 @@ Learn more about SIG Docs Kubernetes community and meetings on the [community pa
 
 You can also reach the maintainers of this project at:
 
-- [Slack](https://kubernetes.slack.com/messages/sig-docs) [Get an invite for this Slack](https://slack.k8s.io/)
+- [Slack](https://kubernetes.slack.com/messages/sig-docs)
+  - [Get an invite for this Slack](https://slack.k8s.io/)
 - [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-docs)
 -->
 # 参与 SIG Docs 工作
@@ -184,20 +275,21 @@ You can also reach the maintainers of this project at:
 
 你也可以通过以下渠道联系本项目的维护人员：
 
-- [Slack](https://kubernetes.slack.com/messages/sig-docs) [加入Slack](https://slack.k8s.io/)
+- [Slack](https://kubernetes.slack.com/messages/sig-docs)
+  - [获得此 Slack 的邀请](https://slack.k8s.io/)
 - [邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-docs)
 
 <!--
 ## Contributing to the docs
 
-You can click the **Fork** button in the upper-right area of the screen to create a copy of this repository in your GitHub account. This copy is called a *fork*. Make any changes you want in your fork, and when you are ready to send those changes to us, go to your fork and create a new pull request to let us know about it.
+You can click the **Fork** button in the upper-right area of the screen to create a copy of this repository in your GitHub account. This copy is called a _fork_. Make any changes you want in your fork, and when you are ready to send those changes to us, go to your fork and create a new pull request to let us know about it.
 
-Once your pull request is created, a Kubernetes reviewer will take responsibility for providing clear, actionable feedback.  As the owner of the pull request, **it is your responsibility to modify your pull request to address the feedback that has been provided to you by the Kubernetes reviewer.**
+Once your pull request is created, a Kubernetes reviewer will take responsibility for providing clear, actionable feedback. As the owner of the pull request, **it is your responsibility to modify your pull request to address the feedback that has been provided to you by the Kubernetes reviewer.**
 -->
 # 为文档做贡献
 
 你也可以点击屏幕右上方区域的 **Fork** 按钮，在你自己的 GitHub
-账号下创建本仓库的拷贝。此拷贝被称作 *fork*。
+账号下创建本仓库的拷贝。此拷贝被称作 _fork_。
 你可以在自己的拷贝中任意地修改文档，并在你已准备好将所作修改提交给我们时，
 在你自己的拷贝下创建一个拉取请求（Pull Request），以便让我们知道。
 
@@ -208,7 +300,7 @@ Once your pull request is created, a Kubernetes reviewer will take responsibilit
 <!--
 Also, note that you may end up having more than one Kubernetes reviewer provide you feedback or you may end up getting feedback from a Kubernetes reviewer that is different than the one initially assigned to provide you feedback.
 
-Furthermore, in some cases, one of your reviewers might ask for a technical review from a Kubernetes tech reviewer when needed.  Reviewers will do their best to provide feedback in a timely fashion but response time can vary based on circumstances.
+Furthermore, in some cases, one of your reviewers might ask for a technical review from a Kubernetes tech reviewer when needed. Reviewers will do their best to provide feedback in a timely fashion but response time can vary based on circumstances.
 -->
 还要提醒的一点，有时可能会有不止一个 Kubernetes 评审人为你提供反馈意见。
 有时候，某个评审人的意见和另一个最初被指派的评审人的意见不同。
@@ -220,17 +312,65 @@ Furthermore, in some cases, one of your reviewers might ask for a technical revi
 <!--
 For more information about contributing to the Kubernetes documentation, see:
 
-* [Contribute to Kubernetes docs](https://kubernetes.io/docs/contribute/)
-* [Page Content Types](https://kubernetes.io/docs/contribute/style/page-content-types/)
-* [Documentation Style Guide](https://kubernetes.io/docs/contribute/style/style-guide/)
-* [Localizing Kubernetes Documentation](https://kubernetes.io/docs/contribute/localization/)
+- [Contribute to Kubernetes docs](https://kubernetes.io/docs/contribute/)
+- [Page Content Types](https://kubernetes.io/docs/contribute/style/page-content-types/)
+- [Documentation Style Guide](https://kubernetes.io/docs/contribute/style/style-guide/)
+- [Localizing Kubernetes Documentation](https://kubernetes.io/docs/contribute/localization/)
 -->
 有关为 Kubernetes 文档做出贡献的更多信息，请参阅：
 
-* [贡献 Kubernetes 文档](https://kubernetes.io/docs/contribute/)
-* [页面内容类型](https://kubernetes.io/docs/contribute/style/page-content-types/)
-* [文档风格指南](https://kubernetes.io/docs/contribute/style/style-guide/)
-* [本地化 Kubernetes 文档](https://kubernetes.io/docs/contribute/localization/)
+- [贡献 Kubernetes 文档](https://kubernetes.io/docs/contribute/)
+- [页面内容类型](https://kubernetes.io/docs/contribute/style/page-content-types/)
+- [文档风格指南](https://kubernetes.io/docs/contribute/style/style-guide/)
+- [本地化 Kubernetes 文档](https://kubernetes.io/docs/contribute/localization/)
+
+<!--
+### New contributor ambassadors
+-->
+### 新贡献者大使
+
+<!--
+If you need help at any point when contributing, the [New Contributor Ambassadors](https://kubernetes.io/docs/contribute/advanced/#serve-as-a-new-contributor-ambassador) are a good point of contact. These are SIG Docs approvers whose responsibilities include mentoring new contributors and helping them through their first few pull requests. The best place to contact the New Contributors Ambassadors would be on the [Kubernetes Slack](https://slack.k8s.io/). Current New Contributors Ambassadors for SIG Docs:
+-->
+如果您在贡献时需要帮助，[新贡献者大使](https://kubernetes.io/docs/contribute/advanced/#serve-as-a-new-contributor-ambassador)是一个很好的联系人。
+这些是 SIG Docs 批准者，其职责包括指导新贡献者并帮助他们完成最初的几个拉取请求。
+联系新贡献者大使的最佳地点是 [Kubernetes Slack](https://slack.k8s.io/)。
+SIG Docs 的当前新贡献者大使：
+
+<!--
+| Name                       | Slack                      | GitHub                     |                   
+| -------------------------- | -------------------------- | -------------------------- |
+| Arsh Sharma                | @arsh                      | @RinkiyaKeDad              |
+-->
+| 姓名                       | Slack                      | GitHub                     |                   
+| -------------------------- | -------------------------- | -------------------------- |
+| Arsh Sharma                | @arsh                      | @RinkiyaKeDad              |
+
+<!--
+## Localization `README.md`'s
+-->
+## `README.md` 本地化
+
+<!--
+| Language                   | Language                   |
+| -------------------------- | -------------------------- |
+| [Chinese](README-zh.md)    | [Korean](README-ko.md)     |
+| [French](README-fr.md)     | [Polish](README-pl.md)     |
+| [German](README-de.md)     | [Portuguese](README-pt.md) |
+| [Hindi](README-hi.md)      | [Russian](README-ru.md)    |
+| [Indonesian](README-id.md) | [Spanish](README-es.md)    |
+| [Italian](README-it.md)    | [Ukrainian](README-uk.md)  |
+| [Japanese](README-ja.md)   | [Vietnamese](README-vi.md) |
+-->
+| 语言                       | 语言                       |
+| -------------------------- | -------------------------- |
+| [中文](README-zh.md)       | [韩语](README-ko.md)       |
+| [法语](README-fr.md)       | [波兰语](README-pl.md)     |
+| [德语](README-de.md)       | [葡萄牙语](README-pt.md)   |
+| [印地语](README-hi.md)     | [俄语](README-ru.md)       |
+| [印尼语](README-id.md)     | [西班牙语](README-es.md)   |
+| [意大利语](README-it.md)   | [乌克兰语](README-uk.md)   |
+| [日语](README-ja.md)       | [越南语](README-vi.md)     |
 
 # 中文本地化
 
@@ -241,19 +381,19 @@ For more information about contributing to the Kubernetes documentation, see:
 * [Slack channel](https://kubernetes.slack.com/messages/kubernetes-docs-zh)
 
 <!--
-### Code of conduct
+## Code of conduct
 
 Participation in the Kubernetes community is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 -->
-# 行为准则
+## 行为准则
 
 参与 Kubernetes 社区受 [CNCF 行为准则](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) 约束。
 
 <!--
-## Thank you!
+## Thank you
 
 Kubernetes thrives on community participation, and we appreciate your contributions to our website and our documentation!
 -->
-# 感谢！
+## 感谢你
 
 Kubernetes 因为社区的参与而蓬勃发展，感谢您对我们网站和文档的贡献！
diff --git a/README.md b/README.md
index 005452ef06c1a..f037e0426b633 100644
--- a/README.md
+++ b/README.md
@@ -36,10 +36,10 @@ git submodule update --init --recursive --depth 1
 
 ## Running the website using a container
 
-To build the site in a container, run the following to build the container image and run it:
+To build the site in a container, run the following:
 
 ```bash
-make container-image
+# You can set $CONTAINER_ENGINE to the name of any Docker-like container tool
 make container-serve
 ```
 
@@ -189,7 +189,7 @@ If you need help at any point when contributing, the [New Contributor Ambassador
 
 ## Code of conduct
 
-Participation in the Kubernetes community is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+Participation in the Kubernetes community is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
 
 ## Thank you
 
diff --git a/assets/scss/_custom.scss b/assets/scss/_custom.scss
index 1ebe8c81faed2..db0263d9914b7 100644
--- a/assets/scss/_custom.scss
+++ b/assets/scss/_custom.scss
@@ -634,12 +634,12 @@ body.td-documentation {
 
   a {
     color: inherit;
-    border-bottom: 1px solid #fff;
+    text-decoration: underline;
   }
 
   a:hover {
     color: inherit;
-    border-bottom: none;
+    text-decoration: initial;
   }
 }
 
@@ -648,6 +648,9 @@ body.td-documentation {
 }
 
 #announcement {
+  // default background is blue; overrides are possible
+  color: #fff;
+
   .announcement-main {
     margin-left: auto;
     margin-right: auto;
@@ -660,9 +663,8 @@ body.td-documentation {
   }
 
 
-  /* always white */
   h1, h2, h3, h4, h5, h6, p * {
-    color: #ffffff;
+    color: inherit; /* defaults to white */
     background: transparent;
 
     img.event-logo {
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 5039818482f3d..542d58016c7e9 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -9,17 +9,20 @@ options:
 steps:
     # It's fine to bump the tag to a recent version, as needed
   - name: "gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20210917-12df099d55"
-    entrypoint: make
+    entrypoint: 'bash'
     env:
       - DOCKER_CLI_EXPERIMENTAL=enabled
       - TAG=$_GIT_TAG
       - BASE_REF=$_PULL_BASE_REF
     args:
-      - container-image
+      - -c
+      - |
+        gcloud auth configure-docker \
+        && make container-push
 substitutions:
   # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and
   # can be used as a substitution
   _GIT_TAG: "12345"
   # _PULL_BASE_REF will contain the ref that was pushed to to trigger this build -
-  # a branch like 'master' or 'release-0.2', or a tag like 'v0.2'.
-  _PULL_BASE_REF: "master"
+  # a branch like 'main' or 'release-0.2', or a tag like 'v0.2'.
+  _PULL_BASE_REF: "main"
diff --git a/config.toml b/config.toml
index 6ad3ac39f3f11..1f80097163db6 100644
--- a/config.toml
+++ b/config.toml
@@ -122,7 +122,7 @@ id = "UA-00000000-0"
 
 [params]
 copyright_k8s = "The Kubernetes Authors"
-copyright_linux =  "Copyright © 2020 The Linux Foundation ®."
+copyright_linux = "Copyright © 2020 The Linux Foundation ®."
 
 # privacy_policy = "https://policies.google.com/privacy"
 
@@ -155,10 +155,10 @@ githubWebsiteRaw = "raw.githubusercontent.com/kubernetes/website"
 # GitHub repository link for editing a page and opening issues.
 github_repo = "https://github.com/kubernetes/website"
 
-#Searching
+# Searching
 k8s_search = true
 
-#The following search parameters are specific to Docsy's implementation. Kubernetes implementes its own search-related partials and scripts.
+# The following search parameters are specific to Docsy's implementation. Kubernetes implementes its own search-related partials and scripts.
 
 # Google Custom Search Engine ID. Remove or comment out to disable search.
 #gcs_engine_id = "011737558837375720776:fsdu1nryfng"
@@ -221,11 +221,11 @@ sidebar_menu_compact = false
 sidebar_menu_foldable = true
 # https://github.com/gohugoio/hugo/issues/8918#issuecomment-903314696
 sidebar_cache_limit = 1
-#  Set to true to disable breadcrumb navigation.
+# Set to true to disable breadcrumb navigation.
 breadcrumb_disable = false
-#  Set to true to hide the sidebar search box (the top nav search box will still be displayed if search is enabled)
+# Set to true to hide the sidebar search box (the top nav search box will still be displayed if search is enabled)
 sidebar_search_disable = false
-#  Set to false if you don't want to display a logo (/assets/icons/logo.svg) in the top nav bar
+# Set to false if you don't want to display a logo (/assets/icons/logo.svg) in the top nav bar
 navbar_logo = true
 # Set to true to disable the About link in the site footer
 footer_about_disable = false
@@ -246,50 +246,50 @@ no = 'Sorry to hear that. Please <a href="https://github.com/USERNAME/REPOSITORY
 	name = "User mailing list"
 	url = "https://discuss.kubernetes.io"
 	icon = "fa fa-envelope"
-  desc = "Discussion and help from your fellow users"
+	desc = "Discussion and help from your fellow users"
 
 [[params.links.user]]
 	name = "Twitter"
 	url = "https://twitter.com/kubernetesio"
 	icon = "fab fa-twitter"
-  desc = "Follow us on Twitter to get the latest news!"
+	desc = "Follow us on Twitter to get the latest news!"
 
 [[params.links.user]]
 	name = "Calendar"
 	url = "https://calendar.google.com/calendar/embed?src=calendar%40kubernetes.io"
 	icon = "fas fa-calendar-alt"
-  desc = "Google Calendar for Kubernetes"
+	desc = "Google Calendar for Kubernetes"
 
 [[params.links.user]]
 	name = "Youtube"
 	url = "https://youtube.com/kubernetescommunity"
 	icon = "fab fa-youtube"
-  desc = "Youtube community videos"
+	desc = "Youtube community videos"
 
 # Developer relevant links. These will show up on right side of footer and in the community page if you have one.
 [[params.links.developer]]
 	name = "GitHub"
 	url = "https://github.com/kubernetes/kubernetes"
 	icon = "fab fa-github"
-  desc = "Development takes place here!"
+	desc = "Development takes place here!"
 
 [[params.links.developer]]
 	name = "Slack"
 	url = "https://slack.k8s.io"
 	icon = "fab fa-slack"
-  desc = "Chat with other project developers"
+	desc = "Chat with other project developers"
 
 [[params.links.developer]]
 	name = "Contribute"
 	url = "https://git.k8s.io/community/contributors/guide"
 	icon = "fas fa-edit"
-  desc = "Contribute to the Kubernetes website"
+	desc = "Contribute to the Kubernetes website"
 
 [[params.links.developer]]
 	name = "Stack Overflow"
 	url = "https://stackoverflow.com/questions/tagged/kubernetes"
 	icon = "fab fa-stack-overflow"
-  desc = "Practical questions and curated answers"
+	desc = "Practical questions and curated answers"
 
 # Language definitions.
 
@@ -297,27 +297,29 @@ no = 'Sorry to hear that. Please <a href="https://github.com/USERNAME/REPOSITORY
 [languages.en]
 title = "Kubernetes"
 description = "Production-Grade Container Orchestration"
-languageName ="English"
+languageName = "English"
 # Weight used for sorting.
 weight = 1
 languagedirection = "ltr"
 
-[languages.zh]
+[languages.zh-cn]
 title = "Kubernetes"
 description = "生产级别的容器编排系统"
-languageName = "中文 Chinese"
+languageName = "中文 (Chinese)"
+languageNameLatinScript = "Chinese"
 weight = 2
-contentDir = "content/zh"
+contentDir = "content/zh-cn"
 languagedirection = "ltr"
 
-[languages.zh.params]
+[languages.zh-cn.params]
 time_format_blog = "2006.01.02"
 language_alternatives = ["en"]
 
 [languages.ko]
 title = "Kubernetes"
 description = "운영 수준의 컨테이너 오케스트레이션"
-languageName = "한국어 Korean"
+languageName = "한국어 (Korean)"
+languageNameLatinScript = "Korean"
 weight = 3
 contentDir = "content/ko"
 languagedirection = "ltr"
@@ -329,7 +331,8 @@ language_alternatives = ["en"]
 [languages.ja]
 title = "Kubernetes"
 description = "プロダクショングレードのコンテナ管理基盤"
-languageName = "日本語 Japanese"
+languageName = "日本語 (Japanese)"
+languageNameLatinScript = "Japanese"
 weight = 4
 contentDir = "content/ja"
 languagedirection = "ltr"
@@ -341,7 +344,8 @@ language_alternatives = ["en"]
 [languages.fr]
 title = "Kubernetes"
 description = "Solution professionnelle d’orchestration de conteneurs"
-languageName ="Français"
+languageName = "Français (French)"
+languageNameLatinScript = "Français"
 weight = 5
 contentDir = "content/fr"
 languagedirection = "ltr"
@@ -354,7 +358,8 @@ language_alternatives = ["en"]
 [languages.it]
 title = "Kubernetes"
 description = "Orchestrazione di Container in produzione"
-languageName = "Italiano"
+languageName = "Italiano (Italian)"
+languageNameLatinScript = "Italiano"
 weight = 6
 contentDir = "content/it"
 languagedirection = "ltr"
@@ -367,7 +372,8 @@ language_alternatives = ["en"]
 [languages.no]
 title = "Kubernetes"
 description = "Production-Grade Container Orchestration"
-languageName ="Norsk"
+languageName = "Norsk (Norwegian)"
+languageNameLatinScript = "Norsk"
 weight = 7
 contentDir = "content/no"
 languagedirection = "ltr"
@@ -380,7 +386,8 @@ language_alternatives = ["en"]
 [languages.de]
 title = "Kubernetes"
 description = "Produktionsreife Container-Orchestrierung"
-languageName ="Deutsch"
+languageName = "Deutsch (German)"
+languageNameLatinScript = "Deutsch"
 weight = 8
 contentDir = "content/de"
 languagedirection = "ltr"
@@ -393,7 +400,8 @@ language_alternatives = ["en"]
 [languages.es]
 title = "Kubernetes"
 description = "Orquestación de contenedores para producción"
-languageName ="Español"
+languageName = "Español (Spanish)"
+languageNameLatinScript = "Español"
 weight = 9
 contentDir = "content/es"
 languagedirection = "ltr"
@@ -406,8 +414,10 @@ language_alternatives = ["en"]
 [languages.pt-br]
 title = "Kubernetes"
 description = "Orquestração de contêineres em nível de produção"
-languageName ="Português"
-weight = 9
+languageName = "Português (Portuguese)"
+languageNameLatinScript = "Português"
+weight = 10
+
 contentDir = "content/pt-br"
 languagedirection = "ltr"
 
@@ -420,7 +430,8 @@ language_alternatives = ["en"]
 title = "Kubernetes"
 description = "Orkestrasi Kontainer dengan Skala Produksi"
 languageName ="Bahasa Indonesia"
-weight = 10
+languageNameLatinScript = "Bahasa Indonesia"
+weight = 11
 contentDir = "content/id"
 languagedirection = "ltr"
 
@@ -432,8 +443,9 @@ language_alternatives = ["en"]
 [languages.hi]
 title = "Kubernetes"
 description = "Production-Grade Container Orchestration"
-languageName = "Hindi"
-weight = 11
+languageName = "हिन्दी (Hindi)"
+languageNameLatinScript = "Hindi"
+weight = 12
 contentDir = "content/hi"
 languagedirection = "ltr"
 
@@ -444,16 +456,18 @@ language_alternatives = ["en"]
 [languages.vi]
 title = "Kubernetes"
 description = "Giải pháp điều phối container trong môi trường production"
-languageName = "Tiếng Việt"
+languageName = "Tiếng Việt (Vietnamese)"
+languageNameLatinScript = "Tiếng Việt"
 contentDir = "content/vi"
-weight = 12
+weight = 13
 languagedirection = "ltr"
 
 [languages.ru]
 title = "Kubernetes"
 description = "Первоклассная оркестрация контейнеров"
-languageName = "Русский"
-weight = 12
+languageName = "Русский (Russian)"
+languageNameLatinScript = "Russian"
+weight = 14
 contentDir = "content/ru"
 languagedirection = "ltr"
 
@@ -465,8 +479,9 @@ language_alternatives = ["en"]
 [languages.pl]
 title = "Kubernetes"
 description = "Produkcyjny system zarządzania kontenerami"
-languageName = "Polski"
-weight = 13
+languageName = "Polski (Polish)"
+languageNameLatinScript = "Polski"
+weight = 15
 contentDir = "content/pl"
 languagedirection = "ltr"
 
@@ -478,8 +493,9 @@ language_alternatives = ["en"]
 [languages.uk]
 title = "Kubernetes"
 description = "Довершена система оркестрації контейнерів"
-languageName = "Українська"
-weight = 14
+languageName = "Українська (Ukrainian)"
+languageNameLatinScript = "Ukrainian"
+weight = 16
 contentDir = "content/uk"
 languagedirection = "ltr"
 
diff --git a/content/de/docs/concepts/extend-kubernetes/_index.md b/content/de/docs/concepts/extend-kubernetes/_index.md
index 5e389601ea642..a537b745adaa1 100644
--- a/content/de/docs/concepts/extend-kubernetes/_index.md
+++ b/content/de/docs/concepts/extend-kubernetes/_index.md
@@ -1,4 +1,4 @@
 ---
-title: "Kubernets erweitern"
+title: "Kubernetes erweitern"
 weight: 110
 ---
diff --git a/content/de/docs/contribute/_index.md b/content/de/docs/contribute/_index.md
index db7c6687abaf7..e1ddd56875233 100644
--- a/content/de/docs/contribute/_index.md
+++ b/content/de/docs/contribute/_index.md
@@ -1,6 +1,6 @@
 ---
 content_type: concept
-title: Zur Kubernets-Dokumentation beitragen
+title: Zur Kubernetes-Dokumentation beitragen
 linktitle: Mitmachen
 main_menu: true
 weight: 80
diff --git a/content/de/docs/contribute/participate/pr-wranglers.md b/content/de/docs/contribute/participate/pr-wranglers.md
index 9b8dab89c39f0..1a184fcf651b6 100644
--- a/content/de/docs/contribute/participate/pr-wranglers.md
+++ b/content/de/docs/contribute/participate/pr-wranglers.md
@@ -76,6 +76,6 @@ Um eine Pull-Anfrage zu schließen, hinterlasse einen `/close`-Kommentar zu dem
 
 {{< note >}}
 
-Der [`fejta-bot`](https://github.com/fejta-bot) Bot markiert Themen nach 90 Tagen Inaktivität als veraltet. Nach weiteren 30 Tagen markiert er Issues als faul und schließt sie.  PR-Beauftragte sollten Themen nach 14-30 Tagen Inaktivität schließen.
+Der [`k8s-ci-robot`](https://github.com/k8s-ci-robot) Bot markiert Themen nach 90 Tagen Inaktivität als veraltet. Nach weiteren 30 Tagen markiert er Issues als faul und schließt sie.  PR-Beauftragte sollten Themen nach 14-30 Tagen Inaktivität schließen.
 
 {{< /note >}}
diff --git a/content/de/docs/tasks/job/_index.md b/content/de/docs/tasks/job/_index.md
index ab0432135f8e9..0497a5cfc6003 100644
--- a/content/de/docs/tasks/job/_index.md
+++ b/content/de/docs/tasks/job/_index.md
@@ -1,5 +1,6 @@
 ---
 title: "Jobs ausführen"
+description: Führen Sie Jobs mit paralleler Verarbeitung aus.
 weight: 50
 ---
 
diff --git a/content/de/docs/tutorials/kubernetes-basics/_index.html b/content/de/docs/tutorials/kubernetes-basics/_index.html
index 8bf1c1dc38cac..8cb49dce31dff 100644
--- a/content/de/docs/tutorials/kubernetes-basics/_index.html
+++ b/content/de/docs/tutorials/kubernetes-basics/_index.html
@@ -46,7 +46,7 @@ <h2>Was kann Kubernetes für Sie tun?</h2>
     </div>
 
     <div id="basics-modules" class="content__modules">
-      <h2>Kubernets Grundlagen Module</h2>
+      <h2>Kubernetes Grundlagen Module</h2>
       <div class="row">
         <div class="col-md-12">
           <div class="row">
diff --git a/content/de/includes/default-storage-class-prereqs.md b/content/de/includes/default-storage-class-prereqs.md
index 3865e644b734d..1ca065cc148c8 100644
--- a/content/de/includes/default-storage-class-prereqs.md
+++ b/content/de/includes/default-storage-class-prereqs.md
@@ -1 +1 @@
-Sie benötigen entweder einen dynamischen PersistentVolume-Anbieter mit einer [Standard-Speicherklasse](/docs/concepts/storage/storage-classes/), oder Sie selbst stellen statische [PersistentVolumes](/docs/user-guide/persistent-volumes/#provisioning) bereit, um die [PersistentVolumeClaims](/docs/user-guide/persistent-volumes/#persistentvolumeclaims) zu erfüllen, die hier verwendet werden.
\ No newline at end of file
+Sie benötigen entweder einen dynamischen PersistentVolume-Anbieter mit einer [Standard-Speicherklasse](/docs/concepts/storage/storage-classes/), oder Sie selbst stellen statische [PersistentVolumes](/docs/concepts/storage/persistent-volumes/#provisioning) bereit, um die [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) zu erfüllen, die hier verwendet werden.
\ No newline at end of file
diff --git a/content/en/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md b/content/en/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
index 54e4fbe4ad7f3..45502e0072d5a 100644
--- a/content/en/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
+++ b/content/en/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
@@ -1,9 +1,13 @@
 ---
-title: Welcome to the Kubernetes Blog! 
+title: Welcome to the Kubernetes Blog!
 date: 2015-03-20
 slug: welcome-to-kubernetes-blog
 url: /blog/2015/03/Welcome-To-Kubernetes-Blog
+evergreen: true
 ---
+
+**Author:** Kit Merker (Google)
+
 Welcome to the new Kubernetes Blog. Follow this blog to learn about the Kubernetes Open Source project. We plan to post release notes, how-to articles, events, and maybe even some off topic fun here from time to time.
 
 
@@ -25,6 +29,3 @@ To start things off, here's a roundup of recent Kubernetes posts from other site
 
 
 Happy cloud computing!
-
-
- - Kit Merker - Product Manager, Google Cloud Platform
diff --git a/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0160.md b/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0160.md
index abe97435eb476..86dcc36bb9669 100644
--- a/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0160.md
+++ b/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0160.md
@@ -1,8 +1,9 @@
 ---
-title: " Kubernetes Release: 0.16.0 "
+title: "Kubernetes Release: 0.16.0"
 date: 2015-05-11
 slug: kubernetes-release-0160
 url: /blog/2015/05/Kubernetes-Release-0160
+evergreen: true
 ---
 Release Notes:
 
diff --git a/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0170.md b/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0170.md
index 29d86abe6d067..0859edc059d94 100644
--- a/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0170.md
+++ b/content/en/blog/_posts/2015-05-00-Kubernetes-Release-0170.md
@@ -1,8 +1,9 @@
 ---
-title: " Kubernetes Release: 0.17.0 "
+title: "Kubernetes Release: 0.17.0"
 date: 2015-05-15
 slug: kubernetes-release-0170
 url: /blog/2015/05/Kubernetes-Release-0170
+evergreen: true
 ---
 Release Notes:  
 
diff --git a/content/en/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md b/content/en/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
index 98b4c49d67d8e..ae0b3f8f39a69 100644
--- a/content/en/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
+++ b/content/en/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
@@ -1,9 +1,10 @@
 ---
-title: " Announcing the First Kubernetes Enterprise Training Course "
+title: "Announcing the First Kubernetes Enterprise Training Course"
 date: 2015-07-08
 slug: announcing-first-kubernetes-enterprise
 url: /blog/2015/07/Announcing-First-Kubernetes-Enterprise
 ---
+
 At Google we rely on Linux application containers to run our core infrastructure. Everything from Search to Gmail runs in containers. &nbsp;In fact, we like containers so much that even our Google Compute Engine VMs run in containers! &nbsp;Because containers are critical to our business, we have been working with the community on many of the basic container technologies (from cgroups to Docker’s LibContainer) and even decided to build the next generation of Google’s container scheduling technology, Kubernetes, in the open.
 
 
diff --git a/content/en/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md b/content/en/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
index 754f6319e0efb..953504df01494 100644
--- a/content/en/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
+++ b/content/en/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
@@ -1,9 +1,13 @@
 ---
-title: " Kubernetes 1.1 Performance upgrades, improved tooling and a growing community  "
+title: "Kubernetes 1.1 Performance upgrades, improved tooling and a growing community"
 date: 2015-11-09
 slug: kubernetes-1-1-performance-upgrades-improved-tooling-and-a-growing-community
 url: /blog/2015/11/Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community
+evergreen: true
 ---
+
+**Author:** David Aronchick (Google)
+
 Since the Kubernetes 1.0 release in July, we’ve seen tremendous adoption by companies building distributed systems to manage their container clusters. We’re also been humbled by the rapid growth of the community who help make Kubernetes better everyday. We have seen commercial offerings such as Tectonic by CoreOS and RedHat Atomic Host emerge to deliver deployment and support of Kubernetes. And a growing ecosystem has added Kubernetes support including tool vendors such as Sysdig and Project Calico.  
 
 With the help of hundreds of contributors, we’re proud to announce the availability of Kubernetes 1.1, which offers major performance upgrades, improved tooling, and new features that make applications even easier to build and deploy.  
@@ -50,4 +54,3 @@ As we mentioned above, we would love your help:
 
 But, most of all, just let us know how you are transforming your business using Kubernetes, and how we can help you do it even faster. Thank you for your support!  
 
-&nbsp;- David Aronchick, Senior Product Manager for Kubernetes and Google Container Engine
diff --git a/content/en/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md b/content/en/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
index 38ee6129fda13..c0995e1c147d9 100644
--- a/content/en/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
+++ b/content/en/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
@@ -1,37 +1,41 @@
 ---
-title: " KubeCon EU 2016: Kubernetes Community in London "
+title: "KubeCon EU 2016: Kubernetes Community in London"
 date: 2016-02-24
 slug: kubecon-eu-2016-kubernetes-community-in
 url: /blog/2016/02/Kubecon-Eu-2016-Kubernetes-Community-In
+evergreen: true
 ---
 
-KubeCon EU 2016 is the inaugural [European Kubernetes](http://kubernetes.io/) community conference that follows on the American launch in November 2015. KubeCon is fully dedicated to education and community engagement for[Kubernetes](http://kubernetes.io/) enthusiasts, production users and the surrounding ecosystem.
+**Author:** Sarah Novotny (Google)
+
+KubeCon EU 2016 is the inaugural European Kubernetes community conference that follows on the American launch in November 2015. KubeCon is fully dedicated to education and community engagement for [Kubernetes](/) enthusiasts, production users and the surrounding ecosystem.
 
 Come join us in London and hang out with hundreds from the Kubernetes community and experience a wide variety of deep technical expert talks and use cases.
 
 Don’t miss these great speaker sessions at the conference:
 
-* “Kubernetes Hardware Hacks: Exploring the Kubernetes API Through Knobs, Faders, and Sliders” by Ian Lewis and Brian Dorsey, Developer Advocate, Google -* [http://sched.co/6Bl3](http://sched.co/6Bl3)  
+* “Kubernetes Hardware Hacks: Exploring the Kubernetes API Through Knobs, Faders, and Sliders” by Ian Lewis and Brian Dorsey, Developer Advocate, Google [https://sched.co/6Bl3](http://sched.co/6Bl3)
+
+* “rktnetes: what's new with container runtimes and Kubernetes” by Jonathan Boulle, Developer and Team Lead at CoreOS [https://sched.co/6BY7](http://sched.co/6BY7)
+
+* “Kubernetes Documentation: Contributing, fixing issues, collecting bounties” by John Mulhausen, Lead Technical Writer, Google [https://sched.co/6BUP](http://sched.co/6BUP)&nbsp;
+
+* “[What is OpenStack's role in a Kubernetes world?](https://kubeconeurope2016.sched.org/event/6BYC/what-is-openstacks-role-in-a-kubernetes-world?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” By Thierry Carrez, Director of Engineering, OpenStack Foundation [https://sched.co/6BYC](http://sched.co/6BYC)
 
-* “rktnetes: what's new with container runtimes and Kubernetes” by Jonathan Boulle, Developer and Team Lead at CoreOS -* [http://sched.co/6BY7](http://sched.co/6BY7)
+* “A Practical Guide to Container Scheduling” by Mandy Waite, Developer Advocate, Google [https://sched.co/6BZa](http://sched.co/6BZa)
 
-* “Kubernetes Documentation: Contributing, fixing issues, collecting bounties” by John Mulhausen, Lead Technical Writer, Google -* [http://sched.co/6BUP](http://sched.co/6BUP)&nbsp;
-* “[What is OpenStack's role in a Kubernetes world?](https://kubeconeurope2016.sched.org/event/6BYC/what-is-openstacks-role-in-a-kubernetes-world?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” By Thierry Carrez, Director of Engineering, OpenStack Foundation -* http://sched.co/6BYC
-* “A Practical Guide to Container Scheduling” by Mandy Waite, Developer Advocate, Google -* [http://sched.co/6BZa](http://sched.co/6BZa)  
+* “[Kubernetes in Production in The New York Times newsroom](https://kubeconeurope2016.sched.org/event/67f2/kubernetes-in-production-in-the-new-york-times-newsroom?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” Eric Lewis, Web Developer, New York Times [https://sched.co/67f2](http://sched.co/67f2)
 
-* “[Kubernetes in Production in The New York Times newsroom](https://kubeconeurope2016.sched.org/event/67f2/kubernetes-in-production-in-the-new-york-times-newsroom?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” Eric Lewis, Web Developer, New York Times -* [http://sched.co/67f2](http://sched.co/67f2)
-* “[Creating an Advanced Load Balancing Solution for Kubernetes with NGINX](https://kubeconeurope2016.sched.org/event/6Bc9/creating-an-advanced-load-balancing-solution-for-kubernetes-with-nginx?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” by Andrew Hutchings, Technical Product Manager, NGINX -* http://sched.co/6Bc9
-* And many more http://kubeconeurope2016.sched.org/
+* “[Creating an Advanced Load Balancing Solution for Kubernetes with NGINX](https://kubeconeurope2016.sched.org/event/6Bc9/creating-an-advanced-load-balancing-solution-for-kubernetes-with-nginx?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” by Andrew Hutchings, Technical Product Manager, NGINX [https://sched.co/6Bc9](https://sched.co/6Bc9)
 
+…and many more https://kubeconeurope2016.sched.org/
 
-Get your KubeCon EU [tickets here](https://ti.to/kubecon/kubecon-eu-2016).
+
+~Get your KubeCon EU [tickets here](https://ti.to/kubecon/kubecon-eu-2016)~.
 
 Venue Location: CodeNode * 10 South Pl, London, United Kingdom  
 Accommodations: [hotels](https://skillsmatter.com/contact-us#hotels)   
 Website: [kubecon.io](https://www.kubecon.io/)   
 Twitter: [@KubeConio](https://twitter.com/kubeconio) #KubeCon
-Google is a proud Diamond sponsor of KubeCon EU 2016. Come to London next month, March 10th & 11th, and visit booth #13 to learn all about Kubernetes, Google Container Engine (GKE) and Google Cloud Platform!  
 
-_KubeCon is organized by KubeAcademy, LLC, a community-driven group of developers focused on the education of developers and the promotion of Kubernetes._  
-
--* Sarah Novotny, Kubernetes Community Manager, Google  
+Google is a proud Diamond sponsor of KubeCon EU 2016. Come to London next month, March 10th & 11th, and visit booth #13 to learn all about Kubernetes, Google Container Engine (GKE) and Google Cloud Platform!  
diff --git a/content/en/blog/_posts/2016-03-00-Kubernetes-1-2-Even-More-Performance-Upgrades-Plus-Easier-Application-Deployment-And-Management-.md b/content/en/blog/_posts/2016-03-00-Kubernetes-1-2-Even-More-Performance-Upgrades-Plus-Easier-Application-Deployment-And-Management-.md
index c63763d4e5462..bc9083bc0d042 100644
--- a/content/en/blog/_posts/2016-03-00-Kubernetes-1-2-Even-More-Performance-Upgrades-Plus-Easier-Application-Deployment-And-Management-.md
+++ b/content/en/blog/_posts/2016-03-00-Kubernetes-1-2-Even-More-Performance-Upgrades-Plus-Easier-Application-Deployment-And-Management-.md
@@ -1,17 +1,20 @@
 ---
-title: " Kubernetes 1.2: Even more performance upgrades, plus easier application deployment and management  "
+title: "Kubernetes 1.2: Even more performance upgrades, plus easier application deployment and management"
 date: 2016-03-17
 slug: kubernetes-1.2-even-more-performance-upgrades-plus-easier-application-deployment-and-management
 url: /blog/2016/03/Kubernetes-1-2-Even-More-Performance-Upgrades-Plus-Easier-Application-Deployment-And-Management
+evergreen: true
 ---
-Today we released Kubernetes 1.2. This release represents significant improvements for large organizations building distributed systems. Now with over 680 unique contributors to the project, this release represents our largest yet.  
+**Author:** David Aronchick (Google)
+
+Today the Kubernetes project released Kubernetes 1.2. This release represents significant improvements for large organizations building distributed systems. Now with over 680 unique contributors to the project, this release represents our largest yet.  
 
 From the beginning, our mission has been to make building distributed systems easy and accessible for all. With the Kubernetes 1.2 release we’ve made strides towards our goal by increasing scale, decreasing latency and overall simplifying the way applications are deployed and managed. Now, developers at organizations of all sizes can build production scale apps more easily than ever before.&nbsp;
 
-### What’s new:&nbsp;
+## What’s new
 
 - **Significant scale improvements**. Increased cluster scale by 400% to 1,000 nodes and 30,000 containers per cluster.
-- **Simplified application deployment and management**.&nbsp;
+- **Simplified application deployment and management**.
 
   - Dynamic Configuration (via the ConfigMap API) enables applications to pull their configuration when they run rather than packaging it in at build time.&nbsp;
   - Turnkey Deployments (via the Beta Deployment API) let you declare your application and Kubernetes will do the rest. It handles versioning, multiple simultaneous rollouts, aggregating status across all pods, maintaining application availability and rollback.&nbsp;
@@ -28,15 +31,15 @@ From the beginning, our mission has been to make building distributed systems ea
 
 - **And many more**. For a complete list of updates, see the [release notes on github](https://github.com/kubernetes/kubernetes/releases/tag/v1.2.0).&nbsp;
 
-#### Community&nbsp;
+## Community
 
-All these improvements would not be possible without our enthusiastic and global community. The momentum is astounding. We’re seeing over 400 pull requests per week, a 50% increase since the previous 1.1 release. There are meetups and conferences discussing Kubernetes nearly every day, on top of the 85 Kubernetes related [meetup groups](http://www.meetup.com/topics/kubernetes/) around the world. We’ve also seen significant participation in the community in the form of Special Interest Groups, with 18 active SIGs that cover topics from AWS and OpenStack to big data and scalability, to get involved [join or start a new SIG](https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)). Lastly, we’re proud that Kubernetes is the first project to be accepted to the Cloud Native Computing Foundation (CNCF), read more about the announcement [here](https://cncf.io/news/announcement/2016/03/cloud-native-computing-foundation-accepts-kubernetes-first-hosted-projec-0).&nbsp;
+All these improvements would not be possible without our enthusiastic and global community. The momentum is astounding. We’re seeing over 400 pull requests per week, a 50% increase since the previous 1.1 release. There are meetups and conferences discussing Kubernetes nearly every day, on top of the 85 Kubernetes related [meetup groups](http://www.meetup.com/topics/kubernetes/) around the world. We’ve also seen significant participation in the community in the form of Special Interest Groups, with 18 active SIGs that cover topics from AWS and OpenStack to big data and scalability, to get involved [join or start a new SIG](https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)). Lastly, we’re proud that Kubernetes is the first project to be accepted to the Cloud Native Computing Foundation (CNCF), read more about the announcement [here](https://cncf.io/news/announcement/2016/03/cloud-native-computing-foundation-accepts-kubernetes-first-hosted-projec-0).
 
 
 
-#### Documentation&nbsp;
+## Documentation
 
-With Kubernetes 1.2 comes a relaunch of our website at [kubernetes.io](http://kubernetes.io/). We’ve slimmed down the docs contribution process so that all you have to do is fork/clone and send a PR. And the site works the same whether you’re staging it on your laptop, on github.io, or viewing it in production. It’s a pure GitHub Pages project; no scripts, no plugins.&nbsp;
+With Kubernetes 1.2 comes a relaunch of our website at [kubernetes.io](http://kubernetes.io/). We’ve slimmed down the docs contribution process so that all you have to do is fork/clone and send a PR. And the site works the same whether you’re staging it on your laptop, on github.io, or viewing it in production. It’s a pure GitHub Pages project; no scripts, no plugins.
 
 
 
@@ -48,7 +51,7 @@ To entice you even further to contribute, we’re also announcing our new bounty
 
 
 
-#### Roadmap&nbsp;
+## Roadmap
 
 All of our work is done in the open, to learn the latest about the project j[oin the weekly community meeting](https://groups.google.com/forum/#!forum/kubernetes-community-video-chat) or [watch a recorded hangout](https://www.youtube.com/playlist?list=PL69nYSiGNLP1pkHsbPjzAewvMgGUpkCnJ). In keeping with our major release schedule of every three to four months, here are just a few items that are in development for [next release and beyond](https://github.com/kubernetes/kubernetes/wiki/Release-1.3):&nbsp;
 
@@ -64,7 +67,7 @@ Kubernetes 1.2 is available for download at [get.k8s.io](http://get.k8s.io/) and
 
 
 
-#### Connect&nbsp;
+## Connect
 
 We’d love to hear from you and see you participate in this growing community:&nbsp;
 
@@ -73,8 +76,7 @@ We’d love to hear from you and see you participate in this growing community:&
 - &nbsp;Connect with the community on [Slack](http://slack.kubernetes.io/)&nbsp;
 - Follow us on Twitter [@Kubernetesio](https://twitter.com/kubernetesio) for latest updates&nbsp;
 
-Thank you for your support!&nbsp;
+Thank you for your support!
 
 
 
-&nbsp;-&nbsp;_David Aronchick, Senior Product Manager for Kubernetes, Google_
diff --git a/content/en/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md b/content/en/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
index 7289f57669681..b2a5561dd9cb5 100644
--- a/content/en/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
+++ b/content/en/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
@@ -131,7 +131,7 @@ In this example, the ‘ **tenant-a** ’ namespace would get policy ‘ **pol1*
 
 
 
-Today, [Romana](http://romana.io/), [OpenShift](https://www.openshift.com/), [OpenContrail](http://www.opencontrail.org/) and [Calico](http://projectcalico.org/) support network policies applied to namespaces and pods. Cisco and VMware are working on implementations as well. Both Romana and Calico demonstrated these capabilities with Kubernetes 1.2 recently at KubeCon. You can watch their presentations here: [Romana](https://www.youtube.com/watch?v=f-dLKtK6qCs) ([slides](http://www.slideshare.net/RomanaProject/kubecon-london-2016-ronana-cloud-native-sdn)), [Calico](https://www.youtube.com/watch?v=p1zfh4N4SX0) ([slides](http://www.slideshare.net/kubecon/kubecon-eu-2016-secure-cloudnative-networking-with-project-calico)).&nbsp;
+Today, Romana, OpenShift, OpenContrail and Calico support network policies applied to namespaces and pods. Cisco and VMware are working on implementations as well. Both Romana and Calico demonstrated these capabilities with Kubernetes 1.2 recently at KubeCon. You can watch their presentations here: [Romana](https://www.youtube.com/watch?v=f-dLKtK6qCs) ([slides](http://www.slideshare.net/RomanaProject/kubecon-london-2016-ronana-cloud-native-sdn)), [Calico](https://www.youtube.com/watch?v=p1zfh4N4SX0) ([slides](http://www.slideshare.net/kubecon/kubecon-eu-2016-secure-cloudnative-networking-with-project-calico)).&nbsp;
 
 
 
diff --git a/content/en/blog/_posts/2016-07-00-Kubernetes-1-3-Bridging-Cloud-Native-And-Enterprise-Workloads.md b/content/en/blog/_posts/2016-07-00-Kubernetes-1-3-Bridging-Cloud-Native-And-Enterprise-Workloads.md
index 13e682c0a81aa..bc86fa5eeb444 100644
--- a/content/en/blog/_posts/2016-07-00-Kubernetes-1-3-Bridging-Cloud-Native-And-Enterprise-Workloads.md
+++ b/content/en/blog/_posts/2016-07-00-Kubernetes-1-3-Bridging-Cloud-Native-And-Enterprise-Workloads.md
@@ -1,9 +1,13 @@
 ---
-title: " Kubernetes 1.3: Bridging Cloud Native and Enterprise Workloads "
+title: "Kubernetes 1.3: Bridging Cloud Native and Enterprise Workloads"
 date: 2016-07-06
 slug: kubernetes-1.3-bridging-cloud-native-and-enterprise-workloads
 url: /blog/2016/07/Kubernetes-1-3-Bridging-Cloud-Native-And-Enterprise-Workloads
+evergreen: true
 ---
+
+**Author:** Aparna Sinha, Google
+
 Nearly two years ago, when we officially kicked off the Kubernetes project, we wanted to simplify distributed systems management and provide the core technology required to everyone. The community’s response to this effort has blown us away. Today, thousands of customers, partners and developers are running clusters in production using Kubernetes and have joined the cloud native revolution.&nbsp;  
 
 Thanks to the help of over 800 contributors, we are pleased to announce today the availability of Kubernetes 1.3, our most robust and feature-rich release to date.  
@@ -14,7 +18,7 @@ Product highlights in Kubernetes 1.3 include the ability to bridge services acro
 
 
 
-**What’s new:**
+## What’s new
 
 - **Increased scale and automation** - Customers want to scale their services up and down automatically in response to application demand. In 1.3 we have made it easier to autoscale clusters up and down while doubling the maximum number of nodes per cluster. Customers no longer need to think about cluster size, and can allow the underlying cluster to respond to demand.
 
@@ -31,13 +35,13 @@ Product highlights in Kubernetes 1.3 include the ability to bridge services acro
 - **Updated Kubernetes dashboard UI** - Customers can now use the Kubernetes open source dashboard for the majority of interactions with their clusters, rather than having to use the CLI. The updated UI lets users control, edit and create all workload resources (including Deployments and PetSets).
 - And many more. For a complete list of updates, see the [_release notes on GitHub_](https://github.com/kubernetes/kubernetes/releases/tag/v1.3.0).
 
-**Community**
+## Community
 
 We could not have achieved this milestone without the tireless effort of countless people that are part of the Kubernetes community. We have [19 different Special Interest Groups](https://github.com/kubernetes/community/blob/master/README.md#special-interest-groups-sig), and over 100 meetups around the world. Kubernetes is a community project, built in the open, and it truly would not be possible without the over 233 person-years of effort the community has put in to date. Woot!
 
 
 
-**Availability**
+## Availability
 
 Kubernetes 1.3 is available for download at [get.k8s.io](http://get.k8s.io/)&nbsp;and via the open source repository hosted on [GitHub](http://github.com/kubernetes/kubernetes). To get started with Kubernetes try our [Hello World app](/docs/hellonode/).
 
@@ -47,7 +51,7 @@ To learn the latest about the project, we encourage everyone to [join the weekly
 
 
 
-**Connect**
+## Connect
 
 We’d love to hear from you and see you participate in this growing community:
 
@@ -58,8 +62,4 @@ We’d love to hear from you and see you participate in this growing community:
 
 
 
-Thank you for your support!&nbsp;
-
-
-
--- Aparna Sinha, Product Manager, Google
+Thank you for your support!
diff --git a/content/en/blog/_posts/2016-09-00-High-Performance-Network-Policies-Kubernetes.md b/content/en/blog/_posts/2016-09-00-High-Performance-Network-Policies-Kubernetes.md
index bc21d1edaa80d..c8c452bc67c07 100644
--- a/content/en/blog/_posts/2016-09-00-High-Performance-Network-Policies-Kubernetes.md
+++ b/content/en/blog/_posts/2016-09-00-High-Performance-Network-Policies-Kubernetes.md
@@ -65,7 +65,7 @@ Network policies are an exciting feature, which the Kubernetes community has wor
 
 
 
-There are only a few policy-capable networking backends available for Kubernetes today: [Romana](http://romana.io/), [Calico](http://projectcalico.org/), and [Canal](https://github.com/tigera/canal); with [Weave](http://www.weave.works/) indicating support in the near future. Red Hat’s OpenShift includes network policy features as well.
+There are only a few policy-capable networking backends available for Kubernetes today: Romana, [Calico](http://projectcalico.org/), and [Canal](https://github.com/tigera/canal); with [Weave](http://www.weave.works/) indicating support in the near future. Red Hat’s OpenShift includes network policy features as well.
 
 
 
@@ -100,7 +100,7 @@ This is because during a typical network performance benchmark, there’s no app
 - Hardware: Two servers with Intel Core i5-5250U CPUs (2 core, 2 threads per core) running at 1.60GHz, 16GB RAM and 512GB SSD. NIC: Intel Ethernet Connection I218-V (rev 03)
 - Ubuntu 14.04.5
 - Kubernetes 1.3 for data collection (verified samples on [v1.4.0-beta.5](http://v1.4.0-beta.5/))
-- [Romana v0.9.3.1](https://github.com/romana/romana)
+- Romana v0.9.3.1
 - Client and server load test [software](https://github.com/paninetworks/testing-tools)
 
 For the tests we had a client pod send 2,000 HTTP requests to a server pod. HTTP requests were sent by the client pod at a rate that ensured that neither the server nor network ever saturated. We also made sure each request started a new TCP session by disabling persistent connections (i.e. HTTP [keep-alive](https://en.wikipedia.org/wiki/HTTP_persistent_connection)). We ran each test with different response sizes and measured the average request duration time (how long does it take to complete a request of that size). Finally, we repeated each set of measurements with different policy configurations.
@@ -189,4 +189,4 @@ These tests were performed using Romana as the backend policy provider and other
 
 
 
-If you wish to try it for yourself, we invite you to check out [Romana](http://romana.io/). In our [GitHub repo](https://github.com/romana/romana) you can find an easy to use installer, which works with AWS, Vagrant VMs or any other servers. You can use it to quickly get you started with a Romana powered Kubernetes or OpenStack cluster.
+If you wish to try it for yourself, we invite you to check out Romana. In our GitHub repo you can find an easy to use installer, which works with AWS, Vagrant VMs or any other servers. You can use it to quickly get you started with a Romana powered Kubernetes or OpenStack cluster.
diff --git a/content/en/blog/_posts/2017-08-00-High-Performance-Networking-With-Ec2.md b/content/en/blog/_posts/2017-08-00-High-Performance-Networking-With-Ec2.md
index b735c501e7a2d..181af0aa58cc5 100644
--- a/content/en/blog/_posts/2017-08-00-High-Performance-Networking-With-Ec2.md
+++ b/content/en/blog/_posts/2017-08-00-High-Performance-Networking-With-Ec2.md
@@ -9,7 +9,7 @@ url: /blog/2017/08/High-Performance-Networking-With-Ec2
 One of the most popular platforms for running Kubernetes is Amazon Web Services’ Elastic Compute Cloud (AWS EC2). With more than a decade of experience delivering IaaS, and expanding over time to include a rich set of services with easy to consume APIs, EC2 has captured developer mindshare and loyalty worldwide.
 
 
-When it comes to networking, however, EC2 has some limits that hinder performance and make deploying Kubernetes clusters to production unnecessarily complex. The preview release of [Romana v2.0](http://romana.io/), a network and security automation solution for Cloud Native applications, includes features that address some well known network issues when running Kubernetes in EC2.
+When it comes to networking, however, EC2 has some limits that hinder performance and make deploying Kubernetes clusters to production unnecessarily complex. The preview release of Romana v2.0, a network and security automation solution for Cloud Native applications, includes features that address some well known network issues when running Kubernetes in EC2.
 
 
 ## Traditional VPC Networking Performance Roadblocks
@@ -40,7 +40,7 @@ Whether you were interested in advanced networking for traffic isolation or runn
 The way to avoid running out of VPC routes is to use them sparingly by making them forward pod traffic for multiple instances. From a networking perspective, what that means is that the VPC route needs to forward to a router, which can then forward traffic on to the final destination instance.
 
 
-[Romana](http://romana.io/) is a CNI network provider that configures routes on the host to forward pod network traffic without an overlay. Since inter-node routes are installed on hosts, no VPC routes are necessary at all. However, when the VPC is split into subnets for an HA deployment across zones, VPC routes are necessary.
+Romana is a CNI network provider that configures routes on the host to forward pod network traffic without an overlay. Since inter-node routes are installed on hosts, no VPC routes are necessary at all. However, when the VPC is split into subnets for an HA deployment across zones, VPC routes are necessary.
 
 
 Fortunately, inter-node routes on hosts allows them to act as a network router and forward traffic inbound from another zone just as it would for traffic from local pods. This makes any Kubernetes node configured by Romana able to accept inbound pod traffic from other zones and forward it to the proper destination node on the subnet.
@@ -73,8 +73,5 @@ When using Romana v2.0, native VPC networking is now available for clusters of a
 ![](https://archive.org/download/hpc-ec2-vpc-2/hpc-ec2-vpc-2.png)
 
 
-The preview release of Romana v2.0 is available [here](http://romana.io/preview). We welcome comments and feedback so we can make EC2 deployments of Kubernetes as fast and reliable as possible.    
-
-
 
 -- _Juergen Brendel and Chris Marino, co-founders of Pani Networks, sponsor of the Romana project_
diff --git a/content/en/blog/_posts/2017-09-00-Kubernetes-18-Security-Workloads-And.md b/content/en/blog/_posts/2017-09-00-Kubernetes-18-Security-Workloads-And.md
index d8f09da2988d8..e2f031f8a52b2 100644
--- a/content/en/blog/_posts/2017-09-00-Kubernetes-18-Security-Workloads-And.md
+++ b/content/en/blog/_posts/2017-09-00-Kubernetes-18-Security-Workloads-And.md
@@ -3,8 +3,10 @@ title: " Kubernetes 1.8: Security, Workloads and Feature Depth "
 date: 2017-09-29
 slug: kubernetes-18-security-workloads-and
 url: /blog/2017/09/Kubernetes-18-Security-Workloads-And
+evergreen: true
 ---
-_Editor's note: today's post is by Aparna Sinha, Group Product Manager, Kubernetes, Google; Ihor Dvoretskyi, Developer Advocate, CNCF; Jaice Singer DuMars, Kubernetes Ambassador, Microsoft; and Caleb Miles, Technical Program Manager, CoreOS on the latest release of Kubernetes 1.8._  
+
+**Authors:** Kubernetes v1.8 release team
 
 
 We’re pleased to announce the delivery of Kubernetes 1.8, our third release this year. Kubernetes 1.8 represents a snapshot of many exciting enhancements and refinements underway. In addition to functional improvements, we’re increasing project-wide focus on maturing [process](https://github.com/kubernetes/sig-release), formalizing [architecture](https://github.com/kubernetes/community/tree/master/sig-architecture), and strengthening Kubernetes’ [governance model](https://github.com/kubernetes/community/tree/master/community/elections/2017). The evolution of mature processes clearly signals that sustainability is a driving concern, and helps to ensure that Kubernetes is a viable and thriving project far into the future.  
@@ -50,7 +52,7 @@ The [Release team](https://github.com/kubernetes/features/blob/master/release-1.
 As the Kubernetes community has grown, our release process has become an amazing demonstration of collaboration in open source software development. Kubernetes continues to gain new users at a rapid clip. This growth creates a positive feedback cycle where more contributors commit code creating a more vibrant ecosystem.  
 
 
-## User Highlights
+## User highlights
 
 According to [Redmonk](http://redmonk.com/fryan/2017/09/10/cloud-native-technologies-in-the-fortune-100/), 54 percent of Fortune 100 companies are running Kubernetes in some form with adoption coming from every sector across the world. Recent user stories from the community include:   
 
@@ -91,3 +93,6 @@ The simplest way to get involved with Kubernetes is by joining one of the many [
 - Follow us on Twitter [@Kubernetesio](https://twitter.com/kubernetesio) for latest updates
 - Chat with the community on [Slack](http://slack.k8s.io/).
 - [Share your Kubernetes story.](https://docs.google.com/a/linuxfoundation.org/forms/d/e/1FAIpQLScuI7Ye3VQHQTwBASrgkjQDSS5TP0g3AXfFhwSM9YpHgxRKFA/viewform)
+
+
+_Editor's note: this announcement was authored by Aparna Sinha (Google), Ihor Dvoretskyi (CNCF), Jaice Singer DuMars (Microsoft), and Caleb Miles (CoreOS)._
diff --git a/content/en/blog/_posts/2017-12-00-Kubernetes-19-Workloads-Expanded-Ecosystem.md b/content/en/blog/_posts/2017-12-00-Kubernetes-19-Workloads-Expanded-Ecosystem.md
index cb73d95162ef2..cefcf21452095 100644
--- a/content/en/blog/_posts/2017-12-00-Kubernetes-19-Workloads-Expanded-Ecosystem.md
+++ b/content/en/blog/_posts/2017-12-00-Kubernetes-19-Workloads-Expanded-Ecosystem.md
@@ -1,9 +1,13 @@
 ---
-title: " Kubernetes 1.9: Apps Workloads GA and Expanded Ecosystem "
+title: "Kubernetes 1.9: Apps Workloads GA and Expanded Ecosystem"
 date: 2017-12-15
 slug: kubernetes-19-workloads-expanded-ecosystem
 url: /blog/2017/12/Kubernetes-19-Workloads-Expanded-Ecosystem
+evergreen: true
 ---
+
+**Authors:** Kubernetes v1.9 release team
+
 We’re pleased to announce the delivery of Kubernetes 1.9, our fourth and final release this year.  
 
 Today’s release continues the evolution of an increasingly rich feature set, more robust stability, and even greater community contributions. As the fourth release of the year, it gives us an opportunity to look back at the progress made in key areas. Particularly notable is the advancement of the Apps Workloads API to stable. This removes any reservations potential adopters might have had about the functional stability required to run mission-critical workloads. Another big milestone is the beta release of Windows support, which opens the door for many Windows-specific applications and workloads to run in Kubernetes, significantly expanding the implementation scenarios and enterprise readiness of Kubernetes.  
@@ -87,7 +91,7 @@ For recorded sessions from the largest Kubernetes gathering, [KubeCon + CloudNat
 
 ## Webinar
 
-Join members of the Kubernetes 1.9 release team on **January 9th from 10am-11am PT** to learn about the major features in this release as they demo some of the highlights in the areas of Windows and Docker support, storage, admission control, and the workloads API.&nbsp;[Register here](https://zoom.us/webinar/register/WN_oVjQMwyzQFOmWsfVzDsa2A).  
+Join members of the Kubernetes 1.9 release team on **January 9th from 10am-11am PT** to learn about the major features in this release as they demo some of the highlights in the areas of Windows and Docker support, storage, admission control, and the workloads API.&nbsp;[~Register here~](https://zoom.us/webinar/register/WN_oVjQMwyzQFOmWsfVzDsa2A).  
 
 
 ## Get involved:
diff --git a/content/en/blog/_posts/2018-03-26-kubernetes-1-10-stabilizing-storage-security-networking.md b/content/en/blog/_posts/2018-03-26-kubernetes-1-10-stabilizing-storage-security-networking.md
index 922ec9f706d23..904b2d34e970b 100644
--- a/content/en/blog/_posts/2018-03-26-kubernetes-1-10-stabilizing-storage-security-networking.md
+++ b/content/en/blog/_posts/2018-03-26-kubernetes-1-10-stabilizing-storage-security-networking.md
@@ -1,13 +1,9 @@
 ---
-title: 'Kubernetes 1.10: Stabilizing Storage, Security, and Networking '
-author: kbarnard
-tags:
+title: 'Kubernetes 1.10: Stabilizing Storage, Security, and Networking'
 date: 2018-03-26
 modified_time: '2018-03-27T11:01:39.569-07:00'
-blogger_id: tag:blogger.com,1999:blog-112706738355446097.post-6519705795358457586
-blogger_orig_url: https://kubernetes.io/blog/2018/03/26/kubernetes-1.10-stabilizing-storage-security-networking/
 slug: kubernetes-1.10-stabilizing-storage-security-networking
-date: 2018-03-26
+evergreen: true
 ---
 
 ***Editor's note: today's post is by the [1.10 Release
diff --git a/content/en/blog/_posts/2018-06-26-kubernetes-1-11-release-announcement.md b/content/en/blog/_posts/2018-06-26-kubernetes-1-11-release-announcement.md
index a5d9f8b4d0508..4d3007f29076e 100644
--- a/content/en/blog/_posts/2018-06-26-kubernetes-1-11-release-announcement.md
+++ b/content/en/blog/_posts/2018-06-26-kubernetes-1-11-release-announcement.md
@@ -3,6 +3,7 @@ layout: blog
 title: 'Kubernetes 1.11: In-Cluster Load Balancing and CoreDNS Plugin Graduate to General Availability'
 date:  2018-06-27
 slug: kubernetes-1.11-release-announcement
+evergreen: true
 ---
 
 **Author**: Kubernetes 1.11 [Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.11/release_team.md)
diff --git a/content/en/blog/_posts/2018-09-27-kubernetes-1-12-release-announcement.md b/content/en/blog/_posts/2018-09-27-kubernetes-1-12-release-announcement.md
index b24a6cbe0904a..1f847a38cab1f 100644
--- a/content/en/blog/_posts/2018-09-27-kubernetes-1-12-release-announcement.md
+++ b/content/en/blog/_posts/2018-09-27-kubernetes-1-12-release-announcement.md
@@ -2,6 +2,7 @@
 layout: blog
 title:  'Kubernetes 1.12: Kubelet TLS Bootstrap and Azure Virtual Machine Scale Sets (VMSS) Move to General Availability'
 date:   2018-09-27
+evergreen: true
 ---
 
 **Author**: The 1.12 [Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.12/release_team.md)
diff --git a/content/en/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md b/content/en/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
index 095e47a73dd6d..13158529a26c7 100644
--- a/content/en/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
+++ b/content/en/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
@@ -1,13 +1,12 @@
 ---
-layout: "Blog"
+layout: blog
 title: "Kubernetes 2018 North American Contributor Summit"
-date: 2018-10-16    
+date: 2018-10-16
+evergreen: true
 ---
 
 **Authors:**
-[Bob Killen][bob] (University of Michigan)
-[Sahdev Zala][sahdev] (IBM),
-[Ihor Dvoretskyi][ihor] (CNCF) 
+[Bob Killen][bob] (University of Michigan), [Sahdev Zala][sahdev] (IBM), [Ihor Dvoretskyi][ihor] (CNCF)
 
 
 The 2018 North American Kubernetes Contributor Summit to be hosted right before
@@ -22,32 +21,34 @@ Unlike previous Contributor Summits, the event now spans two-days with a more
 relaxed ‘hallway’ track and general Contributor get-together to be hosted from
 5-8pm on Sunday December 9th at the [Garage Lounge and Gaming Hall][garage], just
 a short walk away from the Convention Center. There, contributors can enjoy
-billiards, bowling, trivia and more; accompanied by a variety of food and drink. 
+billiards, bowling, trivia and more; accompanied by a variety of food and drink.
 
 Things pick up the following day, Monday the 10th with three separate tracks: 
 
-### New Contributor Workshop:
+### New contributor workshop
 A half day workshop aimed at getting new and first time contributors onboarded
 and comfortable with working within the Kubernetes Community. Staying for the
 duration is required; this is not a workshop you can drop into. 
 
-### Current Contributor Track:
+### Current contributor track
 Reserved for those that are actively engaged with the development of the
 project; the Current Contributor Track includes Talks, Workshops, Birds of a
 Feather, Unconferences, Steering Committee Sessions, and more! Keep an eye on
 the [schedule in GitHub][schedule] as content is frequently being updated.
 
-### Docs Sprint:
-SIG-Docs will have a curated list of issues and challenges to be tackled closer
+### Docs sprint
+
+SIG Docs will have a curated list of issues and challenges to be tackled closer
 to the event date.
 
-## To Register:
+## How To Register {#to-register}
+
 To register for the Contributor Summit, see the [Registration section of the
 Event Details in GitHub][register]. Please note that registrations are being
 reviewed. If you select the “Current Contributor Track” and are not an active
 contributor, you will be asked to attend the New Contributor Workshop, or asked
 to be put on a waitlist. With thousands of contributors and only 300 spots, we
-need to make sure the right folks are in the room. 
+need to make sure the right folks are in the room.
 
 If you have any questions or concerns, please don’t hesitate to reach out to
 the Contributor Summit Events Team at community@kubernetes.io.
diff --git a/content/en/blog/_posts/2018-12-03-kubernetes-1-13-release-announcement.md b/content/en/blog/_posts/2018-12-03-kubernetes-1-13-release-announcement.md
index 8aba0dc232506..3e7648676402b 100644
--- a/content/en/blog/_posts/2018-12-03-kubernetes-1-13-release-announcement.md
+++ b/content/en/blog/_posts/2018-12-03-kubernetes-1-13-release-announcement.md
@@ -3,6 +3,7 @@ layout: blog
 title: 'Kubernetes 1.13: Simplified Cluster Management with Kubeadm, Container Storage Interface (CSI), and CoreDNS as Default DNS are Now Generally Available'
 date: 2018-12-03
 slug: kubernetes-1-13-release-announcement
+evergreen: true
 ---
 
 **Author**: The 1.13 [Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.13/release_team.md)
diff --git a/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md b/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md
index 8601a7b94d5a9..7ce410607622a 100644
--- a/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md
+++ b/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md
@@ -2,6 +2,7 @@
 layout: blog
 title: Production-Ready Kubernetes Cluster Creation with kubeadm
 date: 2018-12-04
+evergreen: true
 ---
 
 **Authors**: Lucas Käldström (CNCF Ambassador) and Luc Perkins (CNCF Developer Advocate)
diff --git a/content/en/blog/_posts/2019-03-20-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits.md b/content/en/blog/_posts/2019-03-20-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits.md
index 37b16daf4c54a..99a8dcd8864b9 100644
--- a/content/en/blog/_posts/2019-03-20-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits.md
+++ b/content/en/blog/_posts/2019-03-20-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits.md
@@ -1,13 +1,13 @@
 ---
 title: A Look Back and What's in Store for Kubernetes Contributor Summits
 date: 2019-03-20
+layout: blog
+evergreen: true
 ---
 
 **Authors:**
 Paris Pittman (Google), Jonas Rosland (VMware)
 
-**tl;dr** - [click here] for Barcelona Contributor Summit information.
-
 {{<figure width="600" src="/images/blog/2019-03-14-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits/celebrationsig.jpg" caption="Seattle Contributor Summit">}}
 
 As our contributing community grows in great numbers, with more than 16,000 contributors this year across 150+ GitHub repositories, it’s important to provide face to face connections for our large distributed teams to have opportunities for collaboration and learning. In [Contributor Experience], our methodology with planning events is a lot like our documentation; we build from personas -- interests, skills, and motivators to name a few. This way we ensure there is valuable content and learning for everyone.
@@ -28,13 +28,14 @@ We build the contributor summits around you:
 
 These personas combined with ample feedback from previous events, produce the   altogether experience that welcomed over 600 contributors in Copenhagen (May), Shanghai(November), and Seattle(December) in 2018. Seattle's event drew over 300+ contributors, equal to Shanghai and Copenhagen combined, for the 6th contributor event in Kubernetes history. In true Kubernetes fashion, we expect another record breaking year of attendance. We've pre-ordered 900+ [contributor patches], a tradition, and we are   looking forward to giving them to you!
 
-With that said...  
+With that said…
+
 **Save the Dates:**  
 Barcelona: May 19th (evening) and 20th (all day)  
 Shanghai: June 24th (all day)  
 San Diego: November 18th, 19th, and activities in KubeCon/CloudNativeCon week
 
-In an effort of continual improvement, here's what to expect from us this year:  
+In an effort of continual improvement, here's what to expect from us this year:
 
 * Large new contributor workshops and contributor socials at all three events expected to break previous attendance records
 * A multiple track event in San Diego for all contributor types including workshops, birds of a feather, lightning talks and more
@@ -42,7 +43,8 @@ In an effort of continual improvement, here's what to expect from us this year:
 * [An event website]!
 * Follow along with updates: kubernetes-dev@googlegroups.com is our main communication hub as always; however, we will also blog here, our [Thursday Kubernetes Community Meeting], [twitter], SIG meetings, event site, discuss.kubernetes.io, and #contributor-summit on Slack.
 * Opportunities to get involved: We still have 2019 roles available!
-Reach out to Contributor Experience via community@kubernetes.io, stop by a Wednesday SIG update meeting, or catch us on Slack (#sig-contribex).  
+Reach out to Contributor Experience via community@kubernetes.io, stop by a Wednesday SIG update meeting, or catch us on Slack (#sig-contribex).
+
 
 {{<figure width="600" src="/images/blog/2019-03-14-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits/unconference.jpg" caption="Unconference voting">}}
 
@@ -51,11 +53,11 @@ Reach out to Contributor Experience via community@kubernetes.io, stop by a Wedne
 Our 2018 crew 🥁  
 Jorge Castro, Paris Pittman, Bob Killen, Jeff Sica, Megan Lehn, Guinevere Saenger, Josh Berkus, Noah Abrahams, Yang Li, Xiangpeng Zhao, Puja Abbassi, Lindsey Tulloch, Zach Corleissen, Tim Pepper, Ihor Dvoretskyi, Nancy Mohamed, Chris Short, Mario Loria, Jason DeTiberus, Sahdev Zala, Mithra Raja
 
-And an introduction to our 2019 crew (a thanks in advance ;) )...  
-Jonas Rosland, Josh Berkus, Paris Pittman, Jorge Castro, Bob Killen, Deb Giles, Guinevere Saenger, Noah Abrahams, Yang Li, Xiangpeng Zhao, Puja Abbassi, Rui Chen, Tim Pepper, Ihor Dvoretskyi, Dawn Foster  
+And an introduction to our 2019 crew (a thanks in advance ;) )…  
+Jonas Rosland, Josh Berkus, Paris Pittman, Jorge Castro, Bob Killen, Deb Giles, Guinevere Saenger, Noah Abrahams, Yang Li, Xiangpeng Zhao, Puja Abbassi, Rui Chen, Tim Pepper, Ihor Dvoretskyi, Dawn Foster
 
 
-## Relive Seattle Contributor Summit 
+## Relive Seattle Contributor Summit
 
 📈 80% growth rate since the Austin 2017 December event
 
@@ -81,15 +83,11 @@ Jonas Rosland, Josh Berkus, Paris Pittman, Jorge Castro, Bob Killen, Deb Giles,
 
 📸 Pictures (special thanks to [rdodev])
 
-Garage Pic
-Reg Desk
-
 {{<figure width="600" src="/images/blog/2019-03-14-A-Look-Back-And-Whats-In-Store-For-Kubernetes-Contributor-Summits/grouppicseatle.JPG" caption="Some of the group in Seattle">}}
 
 “I love Contrib Summit! The intros and deep dives during KubeCon were a great extension of Contrib Summit. Y'all did an excellent job in the morning to level set expectations and prime everyone.” -- julianv    
 “great work! really useful and fun!” - coffeepac
 
-[click here]: https://events.linuxfoundation.org/events/contributor-summit-europe-2019/
 [Contributor Experience]: https://github.com/kubernetes/community/tree/master/sig-contributor-experience
 [Subproject OWNERs]: https://github.com/kubernetes/community/blob/master/community-membership.md
 [Chair or Tech Lead]: https://github.com/kubernetes/community/blob/master/committee-steering/governance/sig-governance.md
diff --git a/content/en/blog/_posts/2019-03-25-1-14-release-announcement.md b/content/en/blog/_posts/2019-03-25-1-14-release-announcement.md
index 448309ba3a1fc..e021bbf1dbf8d 100644
--- a/content/en/blog/_posts/2019-03-25-1-14-release-announcement.md
+++ b/content/en/blog/_posts/2019-03-25-1-14-release-announcement.md
@@ -2,6 +2,7 @@
 title: 'Kubernetes 1.14: Production-level support for Windows Nodes, Kubectl Updates, Persistent Local Volumes GA'
 date: 2019-03-25
 slug: kubernetes-1-14-release-announcement
+evergreen: true
 ---
 
 **Authors:** The 1.14 [Release Team](https://bit.ly/k8s114-team)
diff --git a/content/en/blog/_posts/2019-04-26-latest-on-localization.md b/content/en/blog/_posts/2019-04-26-latest-on-localization.md
index 8e6176a8ce608..98f1d74706996 100644
--- a/content/en/blog/_posts/2019-04-26-latest-on-localization.md
+++ b/content/en/blog/_posts/2019-04-26-latest-on-localization.md
@@ -8,7 +8,7 @@ date: 2019-04-26
 
 Last year we optimized the Kubernetes website for [hosting multilingual content](/blog/2018/11/08/kubernetes-docs-updates-international-edition/). Contributors responded by adding multiple new localizations: as of April 2019, Kubernetes docs are partially available in nine different languages, with six added in 2019 alone. You can see a list of available languages in the language selector at the top of each page.
 
-By _partially available_, I mean that localizations are ongoing projects. They range from mostly complete ([Chinese docs for 1.12](https://v1-12.docs.kubernetes.io/zh/)) to brand new (1.14 docs in [Portuguese](https://kubernetes.io/pt/)). If you're interested in helping an existing localization, read on!
+By _partially available_, I mean that localizations are ongoing projects. They range from mostly complete ([Chinese docs for 1.12](https://v1-12.docs.kubernetes.io/zh-cn/)) to brand new (1.14 docs in [Portuguese](https://kubernetes.io/pt/)). If you're interested in helping an existing localization, read on!
 
 ## What is a localization?
 
diff --git a/content/en/blog/_posts/2019-05-02-kubecon-diversity-lunch-and-hack.md b/content/en/blog/_posts/2019-05-02-kubecon-diversity-lunch-and-hack.md
index 41c5fbcf3678d..bf8417673b246 100644
--- a/content/en/blog/_posts/2019-05-02-kubecon-diversity-lunch-and-hack.md
+++ b/content/en/blog/_posts/2019-05-02-kubecon-diversity-lunch-and-hack.md
@@ -2,6 +2,7 @@
 title: "Join us for the 2019 KubeCon Diversity Lunch & Hack"
 date: 2019-05-02
 slug: kubecon-diversity-lunch-and-hack
+evergreen: false
 ---
 
 **Authors:** Kiran Oliver, Podcast Producer, The New Stack
@@ -36,4 +37,4 @@ To make this all possible, we need you. Yes, you, to register. As much as we lov
 
 We look forward to seeing you!
 
-_Special thanks to [Leah Petersen](https://www.linkedin.com/in/leahstunts/), [Sarah Conway](https://www.linkedin.com/in/sarah-conway-6166151/) and [Paris Pittman](https://www.linkedin.com/in/parispittman/) for their help in editing this post._ 
+_Special thanks to [Leah Petersen](https://www.linkedin.com/in/leahstunts/), [Sarah Conway](https://www.linkedin.com/in/sarah-conway-6166151/) and [Paris Pittman](https://www.linkedin.com/in/parispittman/) for their help in editing this post._
diff --git a/content/en/blog/_posts/2019-06-19-kubernetes-1-15-release-announcement.md b/content/en/blog/_posts/2019-06-19-kubernetes-1-15-release-announcement.md
index 3561203548834..83dfb6dd50a93 100644
--- a/content/en/blog/_posts/2019-06-19-kubernetes-1-15-release-announcement.md
+++ b/content/en/blog/_posts/2019-06-19-kubernetes-1-15-release-announcement.md
@@ -3,6 +3,7 @@ layout: blog
 title: "Kubernetes 1.15: Extensibility and Continuous Improvement"
 date: 2019-06-19
 slug: kubernetes-1-15-release-announcement
+evergreen: true
 ---
 **Authors:** The 1.15 [Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.15/release_team.md)
 
diff --git a/content/en/blog/_posts/2019-09-24-san-diego-contributor-summit.md b/content/en/blog/_posts/2019-09-24-san-diego-contributor-summit.md
index 350fbb1735d80..62ea9c833740f 100644
--- a/content/en/blog/_posts/2019-09-24-san-diego-contributor-summit.md
+++ b/content/en/blog/_posts/2019-09-24-san-diego-contributor-summit.md
@@ -3,19 +3,18 @@ layout: blog
 title: "Contributor Summit San Diego Registration Open!"
 date: 2019-09-24
 slug: san-diego-contributor-summit
+evergreen: true
 ---
 
-**Authors: Paris Pittman (Google), Jeffrey Sica (Red Hat), Jonas Rosland (VMware)**
-
-
+**Authors:** Paris Pittman (Google), Jeffrey Sica (Red Hat), Jonas Rosland (VMware)
 
 [Contributor Summit San Diego 2019 Event Page]  
-Registration is now open and in record time, we’ve hit capacity for the
-*new contributor workshop* session of the event! Waitlist is now available.
+In record time, we’ve hit capacity for the *new contributor workshop* session of
+the event!
 
 **Sunday, November 17**  
 Evening Contributor Celebration:  
-[QuartYard]*  
+[QuartYard]†  
 Address: 1301 Market Street, San Diego, CA 92101  
 Time: 6:00PM - 9:00PM  
 
@@ -68,7 +67,7 @@ Check out past blogs on [persona building around our events] and the [Barcelona
 
 ![Group Picture in 2018](/images/blog/2019-09-24-san-diego-contributor-summit/IMG_2588.JPG)
 
-*=QuartYard has a huge stage! Want to perform something in front of your contributor peers? Reach out to us! community@kubernetes.io
+†=QuartYard has a huge stage! Want to perform something in front of your contributor peers? Reach out to us! community@kubernetes.io
 
 
 
diff --git a/content/en/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md b/content/en/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md
index e78b6a0ec7c39..f0f28355131b4 100644
--- a/content/en/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md
+++ b/content/en/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md
@@ -5,13 +5,7 @@ date: 2019-10-10
 slug: contributor-summit-san-diego-schedule
 ---
 
-
-Authors: Josh Berkus (Red Hat), Paris Pittman (Google), Jonas Rosland (VMware)
-
-tl;dr A week ago we announced that [registration is open][reg] for the contributor
-summit , and we're now live with [the full Contributor Summit schedule!][schedule]
-Grab your spot while tickets are still available. There is currently a waitlist
-for new contributor workshop.  ([Register here!][reg])
+**Authors:** Josh Berkus (Red Hat), Paris Pittman (Google), Jonas Rosland (VMware)
 
 There are many great sessions planned for the Contributor Summit, spread across
 five rooms of current contributor content in addition to the new contributor
@@ -32,7 +26,7 @@ While the schedule contains difficult decisions in every timeslot, we've picked
 a few below to give you a taste of what you'll hear, see, and participate in, at
 the summit:
 
-* **[Vision]**: SIG-Architecture will be sharing their vision of where we're going
+* **[Vision]**: SIG Architecture will be sharing their vision of where we're going
   with Kubernetes development for the next year and beyond.
 * **[Security]**: Tim Allclair and CJ Cullen will present on the current state of
   Kubernetes security. In another security talk, Vallery Lancey will lead a
@@ -47,7 +41,7 @@ the summit:
   one, or at least pass one.
 * **[End Users]**: Several end users from the CNCF partner ecosystem, invited by
   Cheryl Hung, will hold a Q&A with contributors to strengthen our feedback loop.
-* **[Docs]**: As always, SIG-Docs will run a three-hour contributing-to-documentation
+* **[Docs]**: As always, SIG Docs will run a three-hour contributing-to-documentation
   workshop.
 
 We're also giving out awards to contributors who distinguished themselves in 2019,
diff --git a/content/en/blog/_posts/2020-02-18-Contributor-Summit-Amsterdam-Schedule-Announced.md b/content/en/blog/_posts/2020-02-18-Contributor-Summit-Amsterdam-Schedule-Announced.md
index ae05bd8b9cbc8..11e3ccc4124e7 100644
--- a/content/en/blog/_posts/2020-02-18-Contributor-Summit-Amsterdam-Schedule-Announced.md
+++ b/content/en/blog/_posts/2020-02-18-Contributor-Summit-Amsterdam-Schedule-Announced.md
@@ -5,25 +5,7 @@ date: 2020-02-18
 slug: Contributor-Summit-Amsterdam-Schedule-Announced
 ---
 
-**Authors:** Jeffrey Sica (Red Hat), Amanda Katona (VMware) 
-
-tl;dr [Registration is open](https://events.linuxfoundation.org/kubernetes-contributor-summit-europe/) and the [schedule is live](https://kcseu2020.sched.com/) so register now and we’ll see you in Amsterdam!
-
-## Kubernetes Contributor Summit 
-
-**Sunday, March 29, 2020**
-
-- Evening Contributor Celebration:
-[ZuidPool](https://www.zuid-pool.nl/en/)
-- Address: [Europaplein 22, 1078 GZ Amsterdam, Netherlands](https://www.google.com/search?q=KubeCon+Amsterdam+2020&ie=UTF-8&ibp=htl;events&rciv=evn&sa=X&ved=2ahUKEwiZoLvQ0dvnAhVST6wKHScBBZ8Q5bwDMAB6BAgSEAE#)
-- Time: 18:00 - 21:00 
-
-**Monday, March 30, 2020**
-
-- All Day Contributor Summit:
-- [Amsterdam RAI](https://www.rai.nl/en/)
-- Address: [Europaplein 24, 1078 GZ Amsterdam, Netherlands](https://www.google.com/search?q=kubecon+amsterdam+2020&oq=kubecon+amste&aqs=chrome.0.35i39j69i57j0l4j69i61l2.3957j1j4&sourceid=chrome&ie=UTF-8&ibp=htl;events&rciv=evn&sa=X&ved=2ahUKEwiZoLvQ0dvnAhVST6wKHScBBZ8Q5bwDMAB6BAgSEAE#)
-- Time:  09:00 - 17:00 (Breakfast at 08:00)
+**Authors:** Jeffrey Sica (Red Hat), Amanda Katona (VMware)
 
 ![Contributor Summit](/images/blog/2020-02-18-Contributor-Summit-Amsterdam-Schedule-Announced/contribsummit.jpg)
 
@@ -32,14 +14,31 @@ Hello everyone and Happy 2020! It’s hard to believe that KubeCon EU 2020 is le
 *   Community
 *   Contributor Improvement
 *   Sustainability
-*   In-depth Technical 
+*   In-depth Technical
 
 On top of the presentations, there will be a dedicated Docs Sprint as well as the New Contributor Workshop 101 and 201 Sessions. All told, we will have five separate rooms of content throughout the day on Monday. Please **[see the full schedule](https://kcseu2020.sched.com/)** to see what sessions you’d be interested in. We hope between the content provided and the inevitable hallway track, everyone has a fun and enriching experience. 
 
 Speaking of fun, the social Sunday night should be a blast! We’re hosting this summit’s social close to the conference center, at [ZuidPool](https://www.zuid-pool.nl/en/). There will be games, bingo, and unconference sign-up throughout the evening. It should be a relaxed way to kick off the week. 
 
-[Registration is open](https://events.linuxfoundation.org/kubernetes-contributor-summit-europe/)! Space is limited so it’s always a good idea to register early. 
+[~Registration is open~](https://events.linuxfoundation.org/kubernetes-contributor-summit-europe/)! Space is limited so it’s always a good idea to register early.
 
 If you have any questions, reach out to the [Amsterdam Team](https://github.com/kubernetes/community/tree/master/events/2020/03-contributor-summit#team) on Slack in the [#contributor-summit](https://kubernetes.slack.com/archives/C7J893413) channel.
 
 Hope to see you there!
+
+## Kubernetes Contributor Summit schedule
+
+**Sunday, March 29, 2020**
+
+- Evening Contributor Celebration:
+[ZuidPool](https://www.zuid-pool.nl/en/)
+- Address: [Europaplein 22, 1078 GZ Amsterdam, Netherlands](https://www.google.com/search?q=KubeCon+Amsterdam+2020&ie=UTF-8&ibp=htl;events&rciv=evn&sa=X&ved=2ahUKEwiZoLvQ0dvnAhVST6wKHScBBZ8Q5bwDMAB6BAgSEAE#)
+- Time: 18:00 - 21:00 
+
+**Monday, March 30, 2020**
+
+- All Day Contributor Summit:
+- [Amsterdam RAI](https://www.rai.nl/en/)
+- Address: [Europaplein 24, 1078 GZ Amsterdam, Netherlands](https://www.google.com/search?q=kubecon+amsterdam+2020&oq=kubecon+amste&aqs=chrome.0.35i39j69i57j0l4j69i61l2.3957j1j4&sourceid=chrome&ie=UTF-8&ibp=htl;events&rciv=evn&sa=X&ved=2ahUKEwiZoLvQ0dvnAhVST6wKHScBBZ8Q5bwDMAB6BAgSEAE#)
+- Time:  09:00 - 17:00 (Breakfast at 08:00)
+
diff --git a/content/en/blog/_posts/2020-03-04-Contributor-Summit-Delayed.md b/content/en/blog/_posts/2020-03-04-Contributor-Summit-Delayed.md
index 1996b6201e339..10d96ec351883 100644
--- a/content/en/blog/_posts/2020-03-04-Contributor-Summit-Delayed.md
+++ b/content/en/blog/_posts/2020-03-04-Contributor-Summit-Delayed.md
@@ -3,13 +3,14 @@ layout: blog
 title: Contributor Summit Amsterdam Postponed
 date: 2020-03-04
 slug: Contributor-Summit-Delayed
+evergreen: true
 ---
 
-**Authors:** Dawn Foster (VMware), Jorge Castro (VMware) 
+**Authors:** Dawn Foster (VMware), Jorge Castro (VMware)
 
 The CNCF has announced that [KubeCon + CloudNativeCon EU has been delayed](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/attend/novel-coronavirus-update/) until July/August of 2020. As a result the Contributor Summit planning team is weighing options for how to proceed. Here’s the current plan:
 
 - There will be an in-person Contributor Summit as planned when KubeCon + CloudNativeCon is rescheduled.
-- We are looking at options for having additional virtual contributor activities in the meantime. 
+- We are looking at options for having additional virtual contributor activities in the meantime.
 
 We will communicate via this blog and the usual communications channels on the final plan. Please bear with us as we adapt when we get more information. Thank you for being patient as the team pivots to bring you a great Contributor Summit!
\ No newline at end of file
diff --git a/content/en/blog/_posts/2020-09-03-warnings/index.md b/content/en/blog/_posts/2020-09-03-warnings/index.md
index 082aa72f6f03a..a5cfb9f710db7 100644
--- a/content/en/blog/_posts/2020-09-03-warnings/index.md
+++ b/content/en/blog/_posts/2020-09-03-warnings/index.md
@@ -60,7 +60,7 @@ so we added two administrator-facing tools to help track use of deprecated APIs
 Starting in Kubernetes v1.19, when a request is made to a deprecated REST API endpoint,
 an `apiserver_requested_deprecated_apis` gauge metric is set to `1` in the kube-apiserver process.
 This metric has labels for the API `group`, `version`, `resource`, and `subresource`,
-and a `removed_version` label that indicates the Kubernetes release in which the API will no longer be served.
+and a `removed_release` label that indicates the Kubernetes release in which the API will no longer be served.
 
 This is an example query using `kubectl`, [prom2json](https://github.com/prometheus/prom2json),
 and [jq](https://stedolan.github.io/jq/) to determine which deprecated APIs have been requested
@@ -169,7 +169,7 @@ You can also find that information through the following Prometheus query,
 which returns information about requests made to deprecated APIs which will be removed in v1.22:
 
 ```promql
-apiserver_requested_deprecated_apis{removed_version="1.22"} * on(group,version,resource,subresource)
+apiserver_requested_deprecated_apis{removed_release="1.22"} * on(group,version,resource,subresource)
 group_right() apiserver_request_total
 ```
 
diff --git a/content/en/blog/_posts/2021-04-22-gateway-api/index.md b/content/en/blog/_posts/2021-04-22-gateway-api/index.md
index c22d45cdbbfaf..145554803d20a 100644
--- a/content/en/blog/_posts/2021-04-22-gateway-api/index.md
+++ b/content/en/blog/_posts/2021-04-22-gateway-api/index.md
@@ -30,9 +30,9 @@ This led to design principles that allow the Gateway API to improve upon Ingress
 
 The Gateway API introduces a few new resource types:
 
-- **[GatewayClasses](https://gateway-api.sigs.k8s.io/v1alpha1/references/spec/#networking.x-k8s.io/v1alpha1.GatewayClass)** are cluster-scoped resources that act as templates to explicitly define behavior for Gateways derived from them. This is similar in concept to StorageClasses, but for networking data-planes.
-- **[Gateways](https://gateway-api.sigs.k8s.io/v1alpha1/references/spec/#networking.x-k8s.io/v1alpha1.Gateway)** are the deployed instances of GatewayClasses. They are the logical representation of the data-plane which performs routing, which may be in-cluster proxies, hardware LBs, or cloud LBs.
-- **Routes** are not a single resource, but represent many different protocol-specific Route resources. The [HTTPRoute](https://gateway-api.sigs.k8s.io/v1alpha1/references/spec/#networking.x-k8s.io/v1alpha1.HTTPRoute) has matching, filtering, and routing rules that get applied to Gateways that can process HTTP and HTTPS traffic. Similarly, there are [TCPRoutes](https://gateway-api.sigs.k8s.io/v1alpha1/references/spec/#networking.x-k8s.io/v1alpha1.TCPRoute), [UDPRoutes](https://gateway-api.sigs.k8s.io/v1alpha1/references/spec/#networking.x-k8s.io/v1alpha1.UDPRoute), and [TLSRoutes](https://gateway-api.sigs.k8s.io/v1alpha1/references/spec/#networking.x-k8s.io/v1alpha1.TLSRoute) which also have protocol-specific semantics. This model also allows the Gateway API to incrementally expand its protocol support in the future.
+- **[GatewayClasses](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gatewayclass)** are cluster-scoped resources that act as templates to explicitly define behavior for Gateways derived from them. This is similar in concept to StorageClasses, but for networking data-planes.
+- **[Gateways](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway)** are the deployed instances of GatewayClasses. They are the logical representation of the data-plane which performs routing, which may be in-cluster proxies, hardware LBs, or cloud LBs.
+- **Routes** are not a single resource, but represent many different protocol-specific Route resources. The [HTTPRoute](https://gateway-api.sigs.k8s.io/concepts/api-overview/#httproute) has matching, filtering, and routing rules that get applied to Gateways that can process HTTP and HTTPS traffic. Similarly, there are [TCPRoutes](https://gateway-api.sigs.k8s.io/concepts/api-overview/#tcproute-and-udproute), [UDPRoutes](https://gateway-api.sigs.k8s.io/concepts/api-overview/#tcproute-and-udproute), and [TLSRoutes](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) which also have protocol-specific semantics. This model also allows the Gateway API to incrementally expand its protocol support in the future.
 
 ![The resources of the Gateway API](gateway-api-resources.png)
 
diff --git a/content/en/blog/_posts/2021-05-14-using-finalizers-to-control-deletion.md b/content/en/blog/_posts/2021-05-14-using-finalizers-to-control-deletion.md
index a361c4d0bea28..c868b1bd5cb70 100644
--- a/content/en/blog/_posts/2021-05-14-using-finalizers-to-control-deletion.md
+++ b/content/en/blog/_posts/2021-05-14-using-finalizers-to-control-deletion.md
@@ -108,7 +108,7 @@ metadata:
   uid: 93a37fed-23e3-45e8-b6ee-b2521db81638
 ```
 
-In short, what’s happened is that the object was updated, not deleted. That’s because Kubernetes saw that the object contained finalizers and put it into a read-only state. The deletion timestamp signals that the object can only be read, with the exception of removing the finalizer key updates. In other words, the deletion will not be complete until we edit the object and remove the finalizer.
+In short, what’s happened is that the object was updated, not deleted. That’s because Kubernetes saw that the object contained finalizers and blocked removal of the object from etcd. The deletion timestamp signals that deletion was requested, but the deletion will not be complete until we edit the object and remove the finalizer.
 
 Here's a demonstration of using the `patch` command to remove finalizers. If we want to delete an object, we can simply patch it on the command line to remove the finalizers. In this way, the deletion that was running in the background will complete and the object will be deleted. When we attempt to `get` that configmap, it will be gone. 
 
diff --git a/content/en/blog/_posts/2021-09-03-api-server-tracing.md b/content/en/blog/_posts/2021-09-03-api-server-tracing.md
index fc98a68d23fa7..344ff8fa46ab8 100644
--- a/content/en/blog/_posts/2021-09-03-api-server-tracing.md
+++ b/content/en/blog/_posts/2021-09-03-api-server-tracing.md
@@ -42,7 +42,7 @@ samplingRatePerMillion: 10000
 
 ### Enabling Etcd Tracing
 
-Add `--experimental-enable-distributed-tracing`,  `--experimental-distributed-tracing-address=0.0.0.0:4317`, `--experimental-distributed-tracing-service-name=etcd` flags to etcd to enable tracing.  Note that this traces every request, so it will probably generate a lot of traces if you enable it.
+Add `--experimental-enable-distributed-tracing`,  `--experimental-distributed-tracing-address=0.0.0.0:4317`, `--experimental-distributed-tracing-service-name=etcd` flags to etcd to enable tracing.  Note that this traces every request, so it will probably generate a lot of traces if you enable it. Required etcd version is [v3.5+](https://etcd.io/docs/v3.5/op-guide/monitoring/#distributed-tracing).
 
 ### Example Trace: List Nodes
 
diff --git a/content/en/blog/_posts/2021-09-13-read-write-once-pod-access-mode-alpha.md b/content/en/blog/_posts/2021-09-13-read-write-once-pod-access-mode-alpha.md
index e569c7a015b9e..64d47ae6574fe 100644
--- a/content/en/blog/_posts/2021-09-13-read-write-once-pod-access-mode-alpha.md
+++ b/content/en/blog/_posts/2021-09-13-read-write-once-pod-access-mode-alpha.md
@@ -255,7 +255,7 @@ The minimum required versions are:
 
 ## What’s next?
 
-As part of the beta graduation for this feature, SIG Storage plans to update the Kubenetes scheduler to support pod preemption in relation to ReadWriteOncePod storage.
+As part of the beta graduation for this feature, SIG Storage plans to update the Kubernetes scheduler to support pod preemption in relation to ReadWriteOncePod storage.
 This means if two pods request a PersistentVolumeClaim with ReadWriteOncePod, the pod with highest priority will gain access to the PersistentVolumeClaim and any pod with lower priority will be preempted from the node and be unable to access the PersistentVolumeClaim.
 
 ## How can I learn more?
diff --git a/content/en/blog/_posts/2022-02-17-updated-dockershim-faq.md b/content/en/blog/_posts/2022-02-17-updated-dockershim-faq.md
index 50d66ec966ffa..74e61b117da72 100644
--- a/content/en/blog/_posts/2022-02-17-updated-dockershim-faq.md
+++ b/content/en/blog/_posts/2022-02-17-updated-dockershim-faq.md
@@ -175,7 +175,7 @@ runtime where possible.
 Another thing to look out for is anything expecting to run for system maintenance
 or nested inside a container when building images will no longer work. For the
 former, you can use the [`crictl`][cr] tool as a drop-in replacement (see
-[mapping from docker cli to crictl](https://kubernetes.io/docs/tasks/debug-application-cluster/crictl/#mapping-from-docker-cli-to-crictl))
+[mapping from docker cli to crictl](https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl))
 and for the latter you can use newer container build options like [img], [buildah],
 [kaniko], or [buildkit-cli-for-kubectl] that don’t require Docker.
 
diff --git a/content/en/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md b/content/en/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
index 999c3c514ed24..7bc79b38d1e83 100644
--- a/content/en/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
+++ b/content/en/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
@@ -69,11 +69,11 @@ been deprecated. These removals have been superseded by newer, stable/generally
 
 * [Dynamic kubelet configuration](https://github.com/kubernetes/enhancements/issues/281): `DynamicKubeletConfig` is used to enable the dynamic configuration of the kubelet. The `DynamicKubeletConfig` flag was deprecated in Kubernetes 1.22. In v1.24, this feature gate will be removed from the kubelet. See [Reconfigure kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/). Refer to the ["Dynamic kubelet config is removed" KEP](https://github.com/kubernetes/enhancements/issues/281) for more information. 
 * [Dynamic log sanitization](https://github.com/kubernetes/kubernetes/pull/107207): The experimental dynamic log sanitization feature is deprecated and will be removed in v1.24. This feature introduced a logging filter that could be applied to all Kubernetes system components logs to prevent various types of sensitive information from leaking via logs. Refer to [KEP-1753: Kubernetes system components logs sanitization](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1753-logs-sanitization#deprecation) for more information and an [alternative approach](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1753-logs-sanitization#alternatives=).
-* In-tree provisioner to CSI driver migration: This applies to a number of in-tree plugins, including [Portworx](https://github.com/kubernetes/enhancements/issues/2589). Refer to the [In-tree Storage Plugin to CSI Migration Design Doc](https://github.com/kubernetes/design-proposals-archive/blob/main/storage/csi-migration.md#background-and-motivations) for more information. 
+* In-tree provisioner to CSI driver migration: This applies to a number of in-tree plugins, including [Portworx](https://github.com/kubernetes/enhancements/issues/2589). Refer to the [In-tree Storage Plugin to CSI Migration Design Doc](https://git.k8s.io/design-proposals-archive/storage/csi-migration.md#background-and-motivations) for more information. 
 * [Removing Dockershim from kubelet](https://github.com/kubernetes/enhancements/issues/2221): the Container Runtime Interface (CRI) for Docker (i.e. Dockershim) is currently a built-in container runtime in the kubelet code base. It was deprecated in v1.20. As of v1.24, the kubelet will no longer have dockershim. Check out this blog on [what you need to do be ready for v1.24](/blog/2022/03/31/ready-for-dockershim-removal/). 
 * [Storage capacity tracking for pod scheduling](https://github.com/kubernetes/enhancements/issues/1472): The CSIStorageCapacity API supports exposing currently available storage capacity via CSIStorageCapacity objects and enhances scheduling of pods that use CSI volumes with late binding. In v1.24, the CSIStorageCapacity API will be stable. The API graduating to stable initates the deprecation of the v1beta1 CSIStorageCapacity API. Refer to the [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking) for more information. 
 * [The `master` label is no longer present on kubeadm control plane nodes](https://github.com/kubernetes/kubernetes/pull/107533). For new clusters, the label 'node-role.kubernetes.io/master' will no longer be added to control plane nodes, only the label 'node-role.kubernetes.io/control-plane' will be added. For more information, refer to [KEP-2067: Rename the kubeadm "master" label and taint](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint).
-* [VolumeSnapshot v1beta1 CRD will be removed](https://github.com/kubernetes/enhancements/issues/177). Volume snapshot and restore functionality for Kubernetes and the [Container Storage Interface](https://github.com/container-storage-interface/spec/blob/master/spec.md) (CSI), which provides standardized APIs design (CRDs) and adds PV snapshot/restore support for CSI volume drivers, entered beta in v1.20. VolumeSnapshot v1beta1 was deprecated in v1.21 and is now unsupported. Refer to [KEP-177: CSI Snapshot](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/177-volume-snapshot#kep-177-csi-snapshot) and [kubernetes-csi/external-snapshotter](https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v4.1.0) for more information. 
+* [VolumeSnapshot v1beta1 CRD will be removed](https://github.com/kubernetes/enhancements/issues/177). Volume snapshot and restore functionality for Kubernetes and the [Container Storage Interface](https://github.com/container-storage-interface/spec/blob/master/spec.md) (CSI), which provides standardized APIs design (CRDs) and adds PV snapshot/restore support for CSI volume drivers, moved to GA in v1.20. VolumeSnapshot v1beta1 was deprecated in v1.20 and will become unsupported with the v1.24 release. Refer to [KEP-177: CSI Snapshot](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/177-volume-snapshot#kep-177-csi-snapshot) and the [Volume Snapshot GA blog](/blog/2020/12/10/kubernetes-1.20-volume-snapshot-moves-to-ga/) blog article for more information. 
 
 ## What to do
 
diff --git a/content/en/blog/_posts/2022-05-03-kubernetes-release-1.24.md b/content/en/blog/_posts/2022-05-03-kubernetes-release-1.24.md
index 39c574786427e..f29c6c92fe7a8 100644
--- a/content/en/blog/_posts/2022-05-03-kubernetes-release-1.24.md
+++ b/content/en/blog/_posts/2022-05-03-kubernetes-release-1.24.md
@@ -118,6 +118,13 @@ With containerd v1.6.0–v1.6.3, if you do not upgrade the CNI plugins and/or
 declare the CNI config version, you might encounter the following "Incompatible
 CNI versions" or "Failed to destroy network for sandbox" error conditions.
 
+## CSI Snapshot
+
+_This information was added after initial publication._
+
+[VolumeSnapshot v1beta1 CRD has been removed](https://github.com/kubernetes/enhancements/issues/177). 
+Volume snapshot and restore functionality for Kubernetes and the Container Storage Interface (CSI), which provides standardized APIs design (CRDs) and adds PV snapshot/restore support for CSI volume drivers, moved to GA in v1.20. VolumeSnapshot v1beta1 was deprecated in v1.20 and is now unsupported. Refer to [KEP-177: CSI Snapshot](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/177-volume-snapshot#kep-177-csi-snapshot) and [Volume Snapshot GA blog](https://kubernetes.io/blog/2020/12/10/kubernetes-1.20-volume-snapshot-moves-to-ga/) for more information.
+
 ## Other Updates
 
 ### Graduations to Stable
@@ -200,7 +207,7 @@ all the stargazers out there. ✨
 
 ### Ecosystem Updates
 
-* KubeCon + CloudNativeCon Europe 2022 will take place in Valencia, Spain, from 16 – 20 May 2022! You can find more information about the conference and registration on the [event site](https://events.linuxfoundation.org/archive/2021/kubecon-cloudnativecon-europe/).
+* KubeCon + CloudNativeCon Europe 2022 will take place in Valencia, Spain, from 16 – 20 May 2022! You can find more information about the conference and registration on the [event site](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/).
 * In the [2021 Cloud Native Survey](https://www.cncf.io/announcements/2022/02/10/cncf-sees-record-kubernetes-and-container-adoption-in-2021-cloud-native-survey/), the CNCF saw record Kubernetes and container adoption. Take a look at the [results of the survey](https://www.cncf.io/reports/cncf-annual-survey-2021/). 
 * The [Linux Foundation](https://www.linuxfoundation.org/) and [The Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF) announced the availability of a new [Cloud Native Developer Bootcamp](https://training.linuxfoundation.org/training/cloudnativedev-bootcamp/?utm_source=lftraining&utm_medium=pr&utm_campaign=clouddevbc0322) to provide participants with the knowledge and skills to design, build, and deploy cloud native applications. Check out the [announcement](https://www.cncf.io/announcements/2022/03/15/new-cloud-native-developer-bootcamp-provides-a-clear-path-to-cloud-native-careers/) to learn more.
 
@@ -211,7 +218,7 @@ aggregates a number of interesting data points related to the velocity of Kubern
 sub-projects. This includes everything from individual contributions to the number of companies that 
 are contributing, and is an illustration of the depth and breadth of effort that goes into evolving this ecosystem.
 
-In the v1.24 release cycle, which [ran for 17 weeks](https://github.com/kubernetes/sig-release/tree/master/releases/release-1.24) (January 10 to May 3), we saw contributions from [1029 companies](https://k8s.devstats.cncf.io/d/9/companies-table?orgId=1&var-period_name=v1.23.0%20-%20now&var-metric=contributions) and [1179 individuals](https://k8s.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=v1.23.0%20-%20now&var-metric=contributions&var-repogroup_name=Kubernetes&var-country_name=All&var-companies=All&var-repo_name=kubernetes%2Fkubernetes).
+In the v1.24 release cycle, which [ran for 17 weeks](https://github.com/kubernetes/sig-release/tree/master/releases/release-1.24) (January 10 to May 3), we saw contributions from [1029 companies](https://k8s.devstats.cncf.io/d/9/companies-table?orgId=1&var-period_name=v1.23.0%20-%20v1.24.0&var-metric=contributions) and [1179 individuals](https://k8s.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=v1.23.0%20-%20v1.24.0&var-metric=contributions&var-repogroup_name=Kubernetes&var-country_name=All&var-companies=All&var-repo_name=kubernetes%2Fkubernetes).
 
 ## Upcoming Release Webinar
 
diff --git a/content/en/blog/_posts/2022-05-05-volume-expansion-ga.md b/content/en/blog/_posts/2022-05-05-volume-expansion-ga.md
index c97d50ea3142c..c823ae8a2c251 100644
--- a/content/en/blog/_posts/2022-05-05-volume-expansion-ga.md
+++ b/content/en/blog/_posts/2022-05-05-volume-expansion-ga.md
@@ -49,7 +49,7 @@ Not every volume type however is expandable by default. Some volume types such a
 must have capability `EXPAND_VOLUME` in controller or node service (or both if appropriate). Please refer to documentation of your CSI driver, to find out
 if it supports volume expansion.
 
-Please refer to volume expansion documentation for intree volume types which support volume expansion - [Expanding Persistent Volumes](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims)
+Please refer to volume expansion documentation for intree volume types which support volume expansion - [Expanding Persistent Volumes](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims).
 
 
 In general to provide some degree of control over volumes that can be expanded, only dynamically provisioned PVCs whose storage class has `allowVolumeExpansion` parameter set to `true` are expandable.
@@ -85,7 +85,7 @@ provider to find out - what mode of volume expansion it supports.
 
 When volume expansion was introduced as an alpha feature, Kubernetes only supported offline filesystem
 expansion on the node and hence required users to restart their pods for file system resizing to finish. 
-his behaviour has been changed and Kubernetes tries its best to fulfil any resize request regardless
+His behaviour has been changed and Kubernetes tries its best to fulfil any resize request regardless
 of whether the underlying PersistentVolume volume is online or offline. If your storage provider supports
 online expansion then no Pod restart should be necessary for volume expansion to finish.
 
diff --git a/content/en/blog/_posts/2022-05-06-storage-capacity-GA/index.md b/content/en/blog/_posts/2022-05-06-storage-capacity-GA/index.md
index 35d6838f518d0..2bb85059e3682 100644
--- a/content/en/blog/_posts/2022-05-06-storage-capacity-GA/index.md
+++ b/content/en/blog/_posts/2022-05-06-storage-capacity-GA/index.md
@@ -1,6 +1,6 @@
 ---
 layout: blog
-title: "Storage Capacity Tracking reaches GA in Kubernetes 1.24"
+title: "Kubernetes 1.24: Storage Capacity Tracking Now Generally Available"
 date: 2022-05-06
 slug: storage-capacity-ga
 ---
diff --git a/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md b/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md
new file mode 100644
index 0000000000000..5ff495410b61d
--- /dev/null
+++ b/content/en/blog/_posts/2022-05-13-grpc-probes-in-beta.md
@@ -0,0 +1,209 @@
+---
+layout: blog
+title: "Kubernetes 1.24: gRPC container probes in beta"
+date: 2022-05-13
+slug: grpc-probes-now-in-beta
+---
+
+**Author**: Sergey Kanzhelev (Google)
+
+
+With Kubernetes 1.24 the gRPC probes functionality entered beta and is available by default.
+Now you can configure startup, liveness, and readiness probes for your gRPC app
+without exposing any HTTP endpoint, nor do you need an executable. Kubernetes can natively connect to your your workload via gRPC and query its status.
+
+## Some history
+
+It's useful to let the system managing your workload check that the app is
+healthy, has started OK, and whether the app considers itself good to accept
+traffic. Before the gRPC support was added, Kubernetes already allowed you to
+check for health based on running an executable from inside the container image,
+by making an HTTP request, or by checking whether a TCP connection succeeded.
+
+For most apps, those checks are enough. If your app provides a gRPC endpoint
+for a health (or readiness) check, it is easy
+to repurpose the `exec` probe to use it for gRPC health checking.
+In the blog article [Health checking gRPC servers on Kubernetes](/blog/2018/10/01/health-checking-grpc-servers-on-kubernetes/),
+Ahmet Alp Balkan described how you can do that — a mechanism that still works today.
+
+There is a commonly used tool to enable this that was [created](https://github.com/grpc-ecosystem/grpc-health-probe/commit/2df4478982e95c9a57d5fe3f555667f4365c025d)
+on August 21, 2018, and with
+the first release at [Sep 19, 2018](https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.1.0-alpha.1).
+
+This approach for gRPC apps health checking is very popular. There are [3,626 Dockerfiles](https://github.com/search?l=Dockerfile&q=grpc_health_probe&type=code)
+with the `grpc_health_probe` and [6,621 yaml](https://github.com/search?l=YAML&q=grpc_health_probe&type=Code) files that are discovered with the
+basic search on GitHub (at the moment of writing). This is good indication of the tool popularity
+and the need to support this natively.
+
+Kubernetes v1.23 introduced an alpha-quality implementation of native support for
+querying a workload status using gRPC. Because it was an alpha feature,
+this was disabled by default for the v1.23 release.
+
+## Using the feature
+
+We built gRPC health checking in similar way with other probes and believe
+it will be [easy to use](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)
+if you are familiar with other probe types in Kubernetes.
+The natively supported health probe has many benefits over the workaround involving `grpc_health_probe` executable.
+
+With the native gRPC support you don't need to download and carry `10MB` of an additional executable with your image.
+Exec probes are generally slower than a gRPC call as they require instantiating a new process to run an executable.
+It also makes the checks less sensible for edge cases when the pod is running at maximum resources and has troubles
+instantiating new processes.
+
+There are a few limitations though. Since configuring a client certificate for probes is hard,
+services that require client authentication are not supported. The built-in probes are also
+not checking the server certificates and ignore related problems.
+
+Built-in checks also cannot be configured to ignore certain types of errors
+(`grpc_health_probe` returns different exit codes for different errors),
+and cannot be "chained" to run the health check on multiple services in a single probe.
+
+But all these limitations are quite standard for gRPC and there are easy workarounds
+for those.
+
+## Try it for yourself
+
+### Cluster-level setup
+
+You can try this feature today. To try native gRPC probes, you can spin up a Kubernetes cluster
+yourself with the `GRPCContainerProbe` feature gate enabled, there are many [tools available](/docs/tasks/tools/).
+
+Since the feature gate `GRPCContainerProbe` is enabled by default in 1.24,
+many vendors will have this functionality working out of the box.
+So you may just create an 1.24 cluster on platform of your choice. Some vendors
+allow to enable alpha features on 1.23 clusters.
+
+For example, at the moment of writing, you can spin up the test cluster on GKE for a quick test.
+Other vendors may also have similar capabilities, especially if you
+are reading this blog post long after the Kubernetes 1.24 release.
+
+On GKE use the following command (note, version is `1.23` and `enable-kubernetes-alpha` are specified).
+
+```shell
+gcloud container clusters create test-grpc \
+    --enable-kubernetes-alpha \
+    --no-enable-autorepair \
+    --no-enable-autoupgrade \
+    --release-channel=rapid \
+    --cluster-version=1.23
+```
+
+You will also need to configure `kubectl` to access the cluster:
+
+```shell
+gcloud container clusters get-credentials test-grpc
+```
+
+### Trying the feature out
+
+Let's create the pod to test how gRPC probes work. For this test we will use the `agnhost` image.
+This is a k8s maintained image with that can be used for all sorts of workload testing.
+For example, it has a useful [grpc-health-checking](https://github.com/kubernetes/kubernetes/blob/b2c5bd2a278288b5ef19e25bf7413ecb872577a4/test/images/agnhost/README.md#grpc-health-checking) module
+that exposes two ports - one is serving health checking service,
+another - http port to react on commands `make-serving` and `make-not-serving`.
+
+Here is an example pod definition. It starts the `grpc-health-checking` module,
+exposes ports `5000` and `8080`, and configures gRPC readiness probe:
+
+``` yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-grpc
+spec:
+  containers:
+  - name: agnhost
+    image: k8s.gcr.io/e2e-test-images/agnhost:2.35
+    command: ["/agnhost", "grpc-health-checking"]
+    ports:
+    - containerPort: 5000
+    - containerPort: 8080
+    readinessProbe:
+      grpc:
+        port: 5000
+```
+
+If the file called `test.yaml`, you can create the pod and check it's status.
+The pod will be in ready state as indicated by the snippet of the output.
+
+```shell
+kubectl apply -f test.yaml
+kubectl describe test-grpc
+```
+
+The output will contain something like this:
+
+```
+Conditions:
+  Type              Status
+  Initialized       True
+  Ready             True
+  ContainersReady   True
+  PodScheduled      True
+```
+
+Now let's change the health checking endpoint status to NOT_SERVING.
+In order to call the http port of the Pod, let's create a port forward:
+
+```shell
+kubectl port-forward test-grpc 8080:8080
+```
+
+You can `curl` to call the command...
+
+```shell
+curl http://localhost:8080/make-not-serving
+```
+
+... and in a few seconds the port status will switch to not ready.
+
+```shell
+kubectl describe pod test-grpc
+```
+
+The output now will have:
+
+```
+Conditions:
+  Type              Status
+  Initialized       True
+  Ready             False
+  ContainersReady   False
+  PodScheduled      True
+
+...
+
+  Warning  Unhealthy  2s (x6 over 42s)  kubelet            Readiness probe failed: service unhealthy (responded with "NOT_SERVING")
+```
+
+Once it is switched back, in about one second the Pod will get back to ready status:
+
+``` bsh
+curl http://localhost:8080/make-serving
+kubectl describe test-grpc
+```
+
+The output indicates that the Pod went back to being `Ready`:
+
+```
+Conditions:
+  Type              Status
+  Initialized       True
+  Ready             True
+  ContainersReady   True
+  PodScheduled      True
+```
+
+This new built-in gRPC health probing on Kubernetes makes implementing a health-check via gRPC
+much easier than the older approach that relied on using a separate `exec` probe. Read through
+the official
+[documentation](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)
+to learn more and provide feedback before the feature will be promoted to GA.
+
+## Summary
+
+Kubernetes is a popular workload orchestration platform and we add features based on feedback and demand.
+Features like gRPC probes support is a minor improvement that will make life of many app developers
+easier and apps more resilient. Try it today and give feedback, before the feature went into GA.
diff --git a/content/en/blog/_posts/2022-05-16-volume-populators-beta.md b/content/en/blog/_posts/2022-05-16-volume-populators-beta.md
index 8585014f7ad59..4558f07eae979 100644
--- a/content/en/blog/_posts/2022-05-16-volume-populators-beta.md
+++ b/content/en/blog/_posts/2022-05-16-volume-populators-beta.md
@@ -8,11 +8,11 @@ slug: volume-populators-beta
 **Author:**
 Ben Swartzlander (NetApp)
 
-The volume populators feature is now two releases old and entering beta! The `AnyVolumeDataSouce` feature
+The volume populators feature is now two releases old and entering beta! The `AnyVolumeDataSource` feature
 gate defaults to enabled in Kubernetes v1.24, which means that users can specify any custom resource
 as the data source of a PVC.
 
-An [earlier blog article](/blog/2021/08/30-volume-populators-redesigned/) detailed how the
+An [earlier blog article](/blog/2021/08/30/volume-populators-redesigned/) detailed how the
 volume populators feature works. In short, a cluster administrator can install a CRD and
 associated populator controller in the cluster, and any user who can create instances of 
 the CR can create pre-populated volumes by taking advantage of the populator.
diff --git a/content/en/blog/_posts/2022-05-18-prevent-unauthorised-volume-mode-conversion.md b/content/en/blog/_posts/2022-05-18-prevent-unauthorised-volume-mode-conversion.md
new file mode 100644
index 0000000000000..920d578d01688
--- /dev/null
+++ b/content/en/blog/_posts/2022-05-18-prevent-unauthorised-volume-mode-conversion.md
@@ -0,0 +1,117 @@
+---
+layout: blog
+title: 'Kubernetes 1.24: Prevent unauthorised volume mode conversion'
+date: 2022-05-18
+slug: prevent-unauthorised-volume-mode-conversion-alpha
+---
+
+**Author:** Raunak Pradip Shah (Mirantis)
+
+Kubernetes v1.24 introduces a new alpha-level feature that prevents unauthorised users 
+from modifying the volume mode of a [`PersistentVolumeClaim`](/docs/concepts/storage/persistent-volumes/) created from an 
+existing [`VolumeSnapshot`](/docs/concepts/storage/volume-snapshots/) in the Kubernetes cluster.  
+
+
+
+### The problem
+
+The [Volume Mode](/docs/concepts/storage/persistent-volumes/#volume-mode) determines whether a volume 
+is formatted into a filesystem or presented as a raw block device.   
+
+Users can leverage the `VolumeSnapshot` feature, which has been stable since Kubernetes v1.20, 
+to create a `PersistentVolumeClaim` (shortened as PVC) from an existing `VolumeSnapshot` in
+the Kubernetes cluster. The PVC spec includes a `dataSource` field, which can point to an 
+existing `VolumeSnapshot` instance.
+Visit [Create a PersistentVolumeClaim from a Volume Snapshot](/docs/concepts/storage/persistent-volumes/#create-persistent-volume-claim-from-volume-snapshot) for more details.
+
+When leveraging the above capability, there is no logic that validates whether the mode of the
+original volume, whose snapshot was taken, matches the mode of the newly created volume.
+
+This presents a security gap that allows malicious users to potentially exploit an 
+as-yet-unknown vulnerability in the host operating system.
+
+Many popular storage backup vendors convert the volume mode during the course of a 
+backup operation, for efficiency purposes, which prevents Kubernetes from blocking
+the operation completely and presents a challenge in distinguishing trusted
+users from malicious ones.
+
+### Preventing unauthorised users from converting the volume mode
+
+In this context, an authorised user is one who has access rights to perform `Update` 
+or `Patch` operations on `VolumeSnapshotContents`, which is a cluster-level resource.  
+It is upto the cluster administrator to provide these rights only to trusted users
+or applications, like backup vendors.
+
+If the alpha feature is [enabled](https://kubernetes-csi.github.io/docs/) in 
+`snapshot-controller`, `snapshot-validation-webhook` and `external-provisioner`,
+then unauthorised users will not be allowed to modify the volume mode of a PVC
+when it is being created from a `VolumeSnapshot`.
+
+To convert the volume mode, an authorised user must do the following:
+
+1. Identify the `VolumeSnapshot` that is to be used as the data source for a newly 
+created PVC in the given namespace. 
+2. Identify the `VolumeSnapshotContent` bound to the above `VolumeSnapshot`.
+
+  ```shell
+  kubectl get volumesnapshot -n <namespace>
+  ```
+
+3. Add the annotation [`snapshot.storage.kubernetes.io/allowVolumeModeChange`](/docs/reference/labels-annotations-taints/#snapshot-storage-kubernetes-io-allowvolumemodechange)
+to the `VolumeSnapshotContent`. 
+
+4. This annotation can be added either via software or manually by the authorised 
+user. The `VolumeSnapshotContent` annotation must look like following manifest fragment:
+
+  ```yaml
+  kind: VolumeSnapshotContent
+  metadata:
+    annotations:
+      - snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
+  ...
+  ```
+
+**Note**: For pre-provisioned `VolumeSnapshotContents`, you must take an extra
+step of setting `spec.sourceVolumeMode` field to either `Filesystem` or `Block`,
+depending on the mode of the volume from which this snapshot was taken.
+
+An example is shown below:
+
+   ```yaml
+   apiVersion: snapshot.storage.k8s.io/v1
+   kind: VolumeSnapshotContent
+   metadata:
+     annotations:
+     - snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
+     name: new-snapshot-content-test
+   spec:
+     deletionPolicy: Delete
+     driver: hostpath.csi.k8s.io
+     source:
+       snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002
+     sourceVolumeMode: Filesystem
+     volumeSnapshotRef:
+       name: new-snapshot-test
+       namespace: default
+   ```
+
+Repeat steps 1 to 3 for all `VolumeSnapshotContents` whose volume mode needs to be 
+converted during a backup or restore operation.
+
+If the annotation shown in step 4 above is present on a `VolumeSnapshotContent`
+object, Kubernetes will not prevent the volume mode from being converted.
+Users should keep this in mind before they attempt to add the annotation 
+to any `VolumeSnapshotContent`. 
+
+
+### What's next
+
+[Enable this feature](https://kubernetes-csi.github.io/docs/) and let us know 
+what you think!
+
+We hope this feature causes no disruption to existing workflows while preventing
+malicious users from exploiting security vulnerabilities in their clusters. 
+
+For any queries or issues, join [Kubernetes on Slack](https://slack.k8s.io/) and
+create a thread in the #sig-storage channel. Alternately, create an issue in the
+CSI external-snapshotter [repository](https://github.com/kubernetes-csi/external-snapshotter).
\ No newline at end of file
diff --git a/content/en/blog/_posts/2022-05-20-non-graceful-node-shutdown.md b/content/en/blog/_posts/2022-05-20-non-graceful-node-shutdown.md
new file mode 100644
index 0000000000000..f8f4876285bdd
--- /dev/null
+++ b/content/en/blog/_posts/2022-05-20-non-graceful-node-shutdown.md
@@ -0,0 +1,96 @@
+---
+layout: blog
+title: "Kubernetes 1.24: Introducing Non-Graceful Node Shutdown Alpha"
+date: 2022-05-20
+slug: kubernetes-1-24-non-graceful-node-shutdown-alpha
+---
+
+**Authors** Xing Yang and Yassine Tijani (VMware)
+
+Kubernetes v1.24 introduces alpha support for [Non-Graceful Node Shutdown](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2268-non-graceful-shutdown). This feature allows stateful workloads to failover to a different node after the original node is shutdown or in a non-recoverable state such as hardware failure or broken OS.
+
+## How is this different from Graceful Node Shutdown
+
+You might have heard about the [Graceful Node Shutdown](/docs/concepts/architecture/nodes/#graceful-node-shutdown) capability of Kubernetes,
+and are wondering how the Non-Graceful Node Shutdown feature is different from that. Graceful Node Shutdown
+allows Kubernetes to detect when a node is shutting down cleanly, and handles that situation appropriately.
+A Node Shutdown can be "graceful" only if the node shutdown action can be detected by the kubelet ahead
+of the actual shutdown. However, there are cases where a node shutdown action may not be detected by
+the kubelet. This could happen either because the shutdown command does not trigger the systemd inhibitor
+locks mechanism that kubelet relies upon, or because of a configuration error
+(the `ShutdownGracePeriod` and `ShutdownGracePeriodCriticalPods` are not configured properly).
+
+Graceful node shutdown relies on Linux-specific support. The kubelet does not watch for upcoming
+shutdowns on Windows nodes (this may change in a future Kubernetes release).
+
+When a node is shutdown but without the kubelet detecting it, pods on that node
+also shut down ungracefully. For stateless apps, that's often not a problem (a ReplicaSet adds a new pod once
+the cluster detects that the affected node or pod has failed). For stateful apps, the story is more complicated.
+If you use a StatefulSet and have a pod from that StatefulSet on a node that fails uncleanly, that affected pod
+will be marked as terminating; the StatefulSet cannot create a replacement pod because the pod
+still exists in the cluster.
+As a result, the application running on the StatefulSet may be degraded or even offline. If the original, shut
+down node comes up again, the kubelet on that original node reports in, deletes the existing pods, and
+the control plane makes a replacement pod for that StatefulSet on a different running node.
+If the original node has failed and does not come up, those stateful pods would be stuck in a
+terminating status on that failed node indefinitely.
+
+```
+$ kubectl get pod -o wide
+NAME    READY   STATUS        RESTARTS   AGE   IP           NODE                      NOMINATED NODE   READINESS GATES
+web-0   1/1     Running       0          100m   10.244.2.4   k8s-node-876-1639279816   <none>           <none>
+web-1   1/1     Terminating   0          100m   10.244.1.3   k8s-node-433-1639279804   <none>           <none>
+```
+
+## Try out the new non-graceful shutdown handling
+
+To use the non-graceful node shutdown handling, you must enable the `NodeOutOfServiceVolumeDetach`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for the `kube-controller-manager`
+component.
+
+In the case of a node shutdown, you can manually taint that node as out of service. You should make certain that
+the node is truly shutdown (not in the middle of restarting) before you add that taint. You could add that
+taint following a shutdown that the kubelet did not detect and handle in advance; another case where you
+can use that taint is when the node is in a non-recoverable state due to a hardware failure or a broken OS.
+The values you set for that taint can be `node.kubernetes.io/out-of-service=nodeshutdown: "NoExecute"`
+or `node.kubernetes.io/out-of-service=nodeshutdown:" NoSchedule"`.
+Provided you have enabled the feature gate mentioned earlier, setting the out-of-service taint on a Node
+means that pods on the node will be deleted unless if there are matching tolerations on the pods.
+Persistent volumes attached to the shutdown node will be detached, and for StatefulSets, replacement pods will
+be created successfully on a different running node.
+
+```
+$ kubectl taint nodes <node-name> node.kubernetes.io/out-of-service=nodeshutdown:NoExecute
+
+$ kubectl get pod -o wide
+NAME    READY   STATUS    RESTARTS   AGE    IP           NODE                      NOMINATED NODE   READINESS GATES
+web-0   1/1     Running   0          150m   10.244.2.4   k8s-node-876-1639279816   <none>           <none>
+web-1   1/1     Running   0          10m    10.244.1.7   k8s-node-433-1639279804   <none>           <none>
+```
+
+Note: Before applying the out-of-service taint, you **must** verify that a node is already in shutdown or power off state (not in the middle of restarting), either because the user intentionally shut it down or the node is down due to hardware failures, OS issues, etc.
+
+Once all the workload pods that are linked to the out-of-service node are moved to a new running node, and the shutdown node has been recovered, you should remove
+that taint on the affected node after the node is recovered.
+If you know that the node will not return to service, you could instead delete the node from the cluster.
+
+## What’s next?
+
+Depending on feedback and adoption, the Kubernetes team plans to push the Non-Graceful Node Shutdown implementation to Beta in either 1.25 or 1.26.
+
+This feature requires a user to manually add a taint to the node to trigger workloads failover and remove the taint after the node is recovered. In the future, we plan to find ways to automatically detect and fence nodes that are shutdown/failed and automatically failover workloads to another node.
+
+## How can I learn more?
+
+Check out the [documentation](/docs/concepts/architecture/nodes/#non-graceful-node-shutdown)
+for non-graceful node shutdown.
+
+## How to get involved?
+
+This feature has a long story. Yassine Tijani ([yastij](https://github.com/yastij)) started the KEP more than two years ago. Xing Yang ([xing-yang](https://github.com/xing-yang)) continued to drive the effort. There were many discussions among SIG Storage, SIG Node, and API reviewers to nail down the design details. Ashutosh Kumar ([sonasingh46](https://github.com/sonasingh46)) did most of the implementation and brought it to Alpha in Kubernetes 1.24.
+
+We want to thank the following people for their insightful reviews: Tim Hockin  ([thockin](https://github.com/thockin)) for his guidance on the design, Jing Xu ([jingxu97](https://github.com/jingxu97)), Hemant Kumar ([gnufied](https://github.com/gnufied)), and Michelle Au ([msau42](https://github.com/msau42)) for reviews from SIG Storage side, and Mrunal Patel ([mrunalp](https://github.com/mrunalp)), David Porter ([bobbypage](https://github.com/bobbypage)), Derek Carr ([derekwaynecarr](https://github.com/derekwaynecarr)), and Danielle Endocrimes ([endocrimes](https://github.com/endocrimes)) for reviews from SIG Node side.
+
+There are many people who have helped review the design and implementation along the way. We want to thank everyone who has contributed to this effort including the about 30 people who have reviewed the [KEP](https://github.com/kubernetes/enhancements/pull/1116) and implementation over the last couple of years.
+
+This feature is a collaboration between SIG Storage and SIG Node. For those interested in getting involved with the design and development of any part of the Kubernetes Storage system, join the [Kubernetes Storage Special Interest Group](https://github.com/kubernetes/community/tree/master/sig-storage) (SIG). For those interested in getting involved with the design and development of the components that support the controlled interactions between pods and host resources, join the [Kubernetes Node SIG](https://github.com/kubernetes/community/tree/master/sig-node).
diff --git a/content/en/blog/_posts/2022-05-23-service-ip-dynamic-and-static-allocation.md b/content/en/blog/_posts/2022-05-23-service-ip-dynamic-and-static-allocation.md
new file mode 100644
index 0000000000000..c17453a6def84
--- /dev/null
+++ b/content/en/blog/_posts/2022-05-23-service-ip-dynamic-and-static-allocation.md
@@ -0,0 +1,137 @@
+---
+layout: blog
+title: "Kubernetes 1.24: Avoid Collisions Assigning IP Addresses to Services"
+date: 2022-05-23
+slug: service-ip-dynamic-and-static-allocation
+---
+
+**Author:** Antonio Ojea (Red Hat)
+
+
+In Kubernetes, [Services](/docs/concepts/services-networking/service/) are an abstract way to expose
+an application running on a set of Pods. Services
+can have a cluster-scoped virtual IP address (using a Service of `type: ClusterIP`).
+Clients can connect using that virtual IP address, and Kubernetes then load-balances traffic to that
+Service across the different backing Pods.
+
+## How Service ClusterIPs are allocated?
+
+A Service `ClusterIP` can be assigned:
+
+_dynamically_
+: the cluster's control plane automatically picks a free IP address from within the configured IP range for `type: ClusterIP` Services.
+
+_statically_
+: you specify an IP address of your choice, from within the configured IP range for Services.
+
+Across your whole cluster, every Service `ClusterIP` must be unique.
+Trying to create a Service with a specific `ClusterIP` that has already
+been allocated will return an error.
+
+## Why do you need to reserve Service Cluster IPs?
+
+Sometimes you may want to have Services running in well-known IP addresses, so other components and
+users in the cluster can use them.
+
+The best example is the DNS Service for the cluster. Some Kubernetes installers assign the 10th address from
+the Service IP range to the DNS service. Assuming you configured your cluster with Service IP range
+10.96.0.0/16 and you want your DNS Service IP to be 10.96.0.10, you'd have to create a Service like
+this:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: CoreDNS
+  name: kube-dns
+  namespace: kube-system
+spec:
+  clusterIP: 10.96.0.10
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+    targetPort: 53
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+    targetPort: 53
+  selector:
+    k8s-app: kube-dns
+  type: ClusterIP
+```
+
+but as I explained before, the IP address 10.96.0.10 has not been reserved; if other Services are created
+before or in parallel with dynamic allocation, there is a chance they can allocate this IP, hence,
+you will not be able to create the DNS Service because it will fail with a conflict error.
+
+## How can you avoid Service ClusterIP conflicts? {#avoid-ClusterIP-conflict}
+
+In Kubernetes 1.24, you can enable a new feature gate `ServiceIPStaticSubrange`.
+Turning this on allows you to use a different IP
+allocation strategy for Services, reducing the risk of collision.
+
+The `ClusterIP` range will be divided, based on the formula `min(max(16, cidrSize / 16), 256)`,
+described as _never less than 16 or more than 256 with a graduated step between them_.
+
+Dynamic IP assignment will use the upper band by default, once this has been exhausted it will
+use the lower range. This will allow users to use static allocations on the lower band with a low
+risk of collision.
+
+Examples:
+
+#### Service IP CIDR block: 10.96.0.0/24
+
+Range Size: 2<sup>8</sup> - 2 = 254  
+Band Offset: `min(max(16, 256/16), 256)` = `min(16, 256)` = 16  
+Static band start: 10.96.0.1  
+Static band end: 10.96.0.16  
+Range end: 10.96.0.254   
+
+{{< mermaid >}}
+pie showData
+    title 10.96.0.0/24
+    "Static" : 16
+    "Dynamic" : 238
+{{< /mermaid >}}
+
+#### Service IP CIDR block: 10.96.0.0/20
+
+Range Size: 2<sup>12</sup> - 2 = 4094  
+Band Offset: `min(max(16, 4096/16), 256)` = `min(256, 256)` = 256  
+Static band start: 10.96.0.1  
+Static band end: 10.96.1.0  
+Range end: 10.96.15.254  
+
+{{< mermaid >}}
+pie showData
+    title 10.96.0.0/20
+    "Static" : 256
+    "Dynamic" : 3838
+{{< /mermaid >}}
+
+#### Service IP CIDR block: 10.96.0.0/16
+
+Range Size: 2<sup>16</sup> - 2 = 65534  
+Band Offset: `min(max(16, 65536/16), 256)` = `min(4096, 256)` = 256  
+Static band start: 10.96.0.1  
+Static band ends: 10.96.1.0  
+Range end: 10.96.255.254  
+
+{{< mermaid >}}
+pie showData
+    title 10.96.0.0/16
+    "Static" : 256
+    "Dynamic" : 65278
+{{< /mermaid >}}
+
+## Get involved with SIG Network
+
+The current SIG-Network [KEPs](https://github.com/orgs/kubernetes/projects/10) and [issues](https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Asig%2Fnetwork) on GitHub illustrate the SIG’s areas of emphasis.
+
+[SIG Network meetings](https://github.com/kubernetes/community/tree/master/sig-network) are a friendly, welcoming venue for you to connect with the community and share your ideas.
+Looking forward to hearing from you!
+
diff --git a/content/en/blog/_posts/2022-05-25-contextual-logging/index.md b/content/en/blog/_posts/2022-05-25-contextual-logging/index.md
new file mode 100644
index 0000000000000..2d5ef5c4c7229
--- /dev/null
+++ b/content/en/blog/_posts/2022-05-25-contextual-logging/index.md
@@ -0,0 +1,251 @@
+---
+layout: blog
+title: "Contextual Logging in Kubernetes 1.24"
+date: 2022-05-25
+slug: contextual-logging
+canonicalUrl: https://kubernetes.dev/blog/2022/05/25/contextual-logging/
+---
+
+ **Authors:** Patrick Ohly (Intel)
+
+The [Structured Logging Working
+Group](https://github.com/kubernetes/community/blob/master/wg-structured-logging/README.md)
+has added new capabilities to the logging infrastructure in Kubernetes
+1.24. This blog post explains how developers can take advantage of those to
+make log output more useful and how they can get involved with improving Kubernetes.
+
+## Structured logging
+
+The goal of [structured
+logging](https://github.com/kubernetes/enhancements/blob/master/keps/sig-instrumentation/1602-structured-logging/README.md)
+is to replace C-style formatting and the resulting opaque log strings with log
+entries that have a well-defined syntax for storing message and parameters
+separately, for example as a JSON struct.
+
+When using the traditional klog text output format for structured log calls,
+strings were originally printed with `\n` escape sequences, except when
+embedded inside a struct. For structs, log entries could still span multiple
+lines, with no clean way to split the log stream into individual entries:
+
+```
+I1112 14:06:35.783529  328441 structured_logging.go:51] "using InfoS" longData={Name:long Data:Multiple
+lines
+with quite a bit
+of text. internal:0}
+I1112 14:06:35.783549  328441 structured_logging.go:52] "using InfoS with\nthe message across multiple lines" int=1 stringData="long: Multiple\nlines\nwith quite a bit\nof text." str="another value"
+```
+
+Now, the `<` and `>` markers along with indentation are used to ensure that splitting at a
+klog header at the start of a line is reliable and the resulting output is human-readable:
+
+```
+I1126 10:31:50.378204  121736 structured_logging.go:59] "using InfoS" longData=<
+	{Name:long Data:Multiple
+	lines
+	with quite a bit
+	of text. internal:0}
+ >
+I1126 10:31:50.378228  121736 structured_logging.go:60] "using InfoS with\nthe message across multiple lines" int=1 stringData=<
+	long: Multiple
+	lines
+	with quite a bit
+	of text.
+ > str="another value"
+```
+
+Note that the log message itself is printed with quoting. It is meant to be a
+fixed string that identifies a log entry, so newlines should be avoided there.
+
+Before Kubernetes 1.24, some log calls in kube-scheduler still used `klog.Info`
+for multi-line strings to avoid the unreadable output. Now all log calls have
+been updated to support structured logging.
+
+## Contextual logging
+
+[Contextual logging](https://github.com/kubernetes/enhancements/blob/master/keps/sig-instrumentation/3077-contextual-logging/README.md)
+is based on the [go-logr API](https://github.com/go-logr/logr#a-minimal-logging-api-for-go). The key
+idea is that libraries are passed a logger instance by their caller and use
+that for logging instead of accessing a global logger. The binary decides about
+the logging implementation, not the libraries. The go-logr API is designed
+around structured logging and supports attaching additional information to a
+logger.
+
+This enables additional use cases:
+
+- The caller can attach additional information to a logger:
+  - [`WithName`](https://pkg.go.dev/github.com/go-logr/logr#Logger.WithName) adds a prefix
+  - [`WithValues`](https://pkg.go.dev/github.com/go-logr/logr#Logger.WithValues) adds key/value pairs
+
+  When passing this extended logger into a function and a function uses it
+  instead of the global logger, the additional information is
+  then included in all log entries, without having to modify the code that
+  generates the log entries. This is useful in highly parallel applications
+  where it can become hard to identify all log entries for a certain operation
+  because the output from different operations gets interleaved.
+
+- When running unit tests, log output can be associated with the current test.
+  Then when a test fails, only the log output of the failed test gets shown
+  by `go test`. That output can also be more verbose by default because it
+  will not get shown for successful tests. Tests can be run in parallel
+  without interleaving their output.
+
+One of the design decisions for contextual logging was to allow attaching a
+logger as value to a `context.Context`. Since the logger encapsulates all
+aspects of the intended logging for the call, it is *part* of the context and
+not just *using* it. A practical advantage is that many APIs already have a
+`ctx` parameter or adding one has additional advantages, like being able to get
+rid of `context.TODO()` calls inside the functions.
+
+Another decision was to not break compatibility with klog v2:
+
+- Libraries that use the traditional klog logging calls in a binary that has
+  set up contextual logging will work and log through the logging backend
+  chosen by the binary. However, such log output will not include the
+  additional information and will not work well in unit tests, so libraries
+  should be modified to support contextual logging. The [migration guide](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/migration-to-structured-logging.md)
+  for structured logging has been extended to also cover contextual logging.
+
+- When a library supports contextual logging and retrieves a logger from its
+  context, it will still work in a binary that does not initialize contextual
+  logging because it will get a logger that logs through klog.
+
+In Kubernetes 1.24, contextual logging is a new alpha feature with
+`ContextualLogging` as feature gate. When disabled (the default), the new klog
+API calls for contextual logging (see below) become no-ops to avoid performance
+or functional regressions.
+
+No Kubernetes component has been converted yet. An [example program](https://github.com/kubernetes/kubernetes/blob/v1.24.0-beta.0/staging/src/k8s.io/component-base/logs/example/cmd/logger.go)
+in the Kubernetes repository demonstrates how to enable contextual logging in a
+binary and how the output depends on the binary's parameters:
+
+```console
+$ cd $GOPATH/src/k8s.io/kubernetes/staging/src/k8s.io/component-base/logs/example/cmd/
+$ go run . --help
+...
+      --feature-gates mapStringBool  A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+                                     AllAlpha=true|false (ALPHA - default=false)
+                                     AllBeta=true|false (BETA - default=false)
+                                     ContextualLogging=true|false (ALPHA - default=false)
+$ go run . --feature-gates ContextualLogging=true
+...
+I0404 18:00:02.916429  451895 logger.go:94] "example/myname: runtime" foo="bar" duration="1m0s"
+I0404 18:00:02.916447  451895 logger.go:95] "example: another runtime" foo="bar" duration="1m0s"
+```
+
+The `example` prefix and `foo="bar"` were added by the caller of the function
+which logs the `runtime` message and `duration="1m0s"` value.
+
+The sample code for klog includes an
+[example](https://github.com/kubernetes/klog/blob/v2.60.1/ktesting/example/example_test.go)
+for a unit test with per-test output.
+
+## klog enhancements
+
+### Contextual logging API
+
+The following calls manage the lookup of a logger:
+
+[`FromContext`](https://pkg.go.dev/k8s.io/klog/v2#FromContext)
+: from a `context` parameter, with fallback to the global logger
+
+[`Background`](https://pkg.go.dev/k8s.io/klog/v2#Background)
+: the global fallback, with no intention to support contextual logging
+
+[`TODO`](https://pkg.go.dev/k8s.io/klog/v2#TODO)
+: the global fallback, but only as a temporary solution until the function gets extended to accept
+  a logger through its parameters
+
+[`SetLoggerWithOptions`](https://pkg.go.dev/k8s.io/klog/v2#SetLoggerWithOptions)
+: changes the fallback logger; when called with [`ContextualLogger(true)`](https://pkg.go.dev/k8s.io/klog/v2#ContextualLogger),
+  the logger is ready to be called directly, in which case logging will be done
+  without going through klog
+
+To support the feature gate mechanism in Kubernetes, klog has wrapper calls for
+the corresponding go-logr calls and a global boolean controlling their behavior:
+
+- [`LoggerWithName`](https://pkg.go.dev/k8s.io/klog/v2#LoggerWithName)
+- [`LoggerWithValues`](https://pkg.go.dev/k8s.io/klog/v2#LoggerWithValues)
+- [`NewContext`](https://pkg.go.dev/k8s.io/klog/v2#NewContext)
+- [`EnableContextualLogging`](https://pkg.go.dev/k8s.io/klog/v2#EnableContextualLogging)
+
+Usage of those functions in Kubernetes code is enforced with a linter
+check. The klog default for contextual logging is to enable the functionality
+because it is considered stable in klog. It is only in Kubernetes binaries
+where that default gets overridden and (in some binaries) controlled via the
+`--feature-gate` parameter.
+
+### ktesting logger
+
+The new [ktesting](https://pkg.go.dev/k8s.io/klog/v2@v2.60.1/ktesting) package
+implements logging through `testing.T` using klog's text output format. It has
+a [single API call](https://pkg.go.dev/k8s.io/klog/v2@v2.60.1/ktesting#NewTestContext) for
+instrumenting a test case and [support for command line flags](https://pkg.go.dev/k8s.io/klog/v2@v2.60.1/ktesting/init).
+
+### klogr
+
+[`klog/klogr`](https://pkg.go.dev/k8s.io/klog/v2@v2.60.1/klogr) continues to be
+supported and it's default behavior is unchanged: it formats structured log
+entries using its own, custom format and prints the result via klog.
+
+However, this usage is discouraged because that format is neither
+machine-readable (in contrast to real JSON output as produced by zapr, the
+go-logr implementation used by Kubernetes) nor human-friendly (in contrast to
+the klog text format).
+
+Instead, a klogr instance should be created with
+[`WithFormat(FormatKlog)`](https://pkg.go.dev/k8s.io/klog/v2@v2.60.1/klogr#WithFormat)
+which chooses the klog text format. A simpler construction method with the same
+result is the new
+[`klog.NewKlogr`](https://pkg.go.dev/k8s.io/klog/v2#NewKlogr). That is the
+logger that klog returns as fallback when nothing else is configured.
+
+### Reusable output test
+
+A lot of go-logr implementations have very similar unit tests where they check
+the result of certain log calls. If a developer didn't know about certain
+caveats like for example a `String` function that panics when called, then it
+is likely that both the handling of such caveats and the unit test are missing.
+
+[`klog.test`](https://pkg.go.dev/k8s.io/klog/v2@v2.60.1/test) is a reusable set
+of test cases that can be applied to a go-logr implementation.
+
+### Output flushing
+
+klog used to start a goroutine unconditionally during `init` which flushed
+buffered data at a hard-coded interval. Now that goroutine is only started on
+demand (i.e. when writing to files with buffering) and can be controlled with
+[`StopFlushDaemon`](https://pkg.go.dev/k8s.io/klog/v2#StopFlushDaemon) and
+[`StartFlushDaemon`](https://pkg.go.dev/k8s.io/klog/v2#StartFlushDaemon).
+
+When a go-logr implementation buffers data, flushing that data can be
+integrated into [`klog.Flush`](https://pkg.go.dev/k8s.io/klog/v2#Flush) by
+registering the logger with the
+[`FlushLogger`](https://pkg.go.dev/k8s.io/klog/v2#FlushLogger) option.
+
+### Various other changes
+
+For a description of all other enhancements see in the [release notes](https://github.com/kubernetes/klog/releases).
+
+## logcheck
+
+Originally designed as a linter for structured log calls, the
+ [`logcheck`](https://github.com/kubernetes/klog/tree/788efcdee1e9be0bfbe5b076343d447314f2377e/hack/tools/logcheck)
+tool has been enhanced to support also contextual logging and traditional klog
+log calls. These enhanced checks already found bugs in Kubernetes, like calling
+`klog.Info` instead of `klog.Infof` with a format string and parameters.
+
+It can be included as a plugin in a `golangci-lint` invocation, which is how
+[Kubernetes uses it now](https://github.com/kubernetes/kubernetes/commit/17e3c555c5115f8c9176bae10ba45baa04d23a7b),
+or get invoked stand-alone.
+
+We are in the process of [moving the tool](https://github.com/kubernetes/klog/issues/312) into a new repository because it isn't
+really related to klog and its releases should be tracked and tagged properly.
+
+## Next steps
+
+The [Structured Logging WG](https://github.com/kubernetes/community/tree/master/wg-structured-logging)
+is always looking for new contributors. The migration
+away from C-style logging is now going to target structured, contextual logging
+in one step to reduce the overall code churn and number of PRs. Changing log
+calls is good first contribution to Kubernetes and an opportunity to get to
+know code in various different areas.
diff --git a/content/en/blog/_posts/2022-05-27-maxunavailable-for-statefulset.md b/content/en/blog/_posts/2022-05-27-maxunavailable-for-statefulset.md
new file mode 100644
index 0000000000000..aa6257eb3ef6a
--- /dev/null
+++ b/content/en/blog/_posts/2022-05-27-maxunavailable-for-statefulset.md
@@ -0,0 +1,148 @@
+---
+layout: blog
+title: 'Kubernetes 1.24: Maximum Unavailable Replicas for StatefulSet'
+date: 2022-05-27
+slug: maxunavailable-for-statefulset
+---
+
+**Author:** Mayank Kumar (Salesforce)
+
+Kubernetes [StatefulSets](/docs/concepts/workloads/controllers/statefulset/), since their introduction in 
+1.5 and becoming stable in 1.9, have been widely used to run stateful applications. They provide stable pod identity, persistent
+per pod storage and ordered graceful deployment, scaling and rolling updates. You can think of StatefulSet as the atomic building
+block for running complex stateful applications. As the use of Kubernetes has grown, so has the number of scenarios requiring
+StatefulSets. Many of these scenarios, require faster rolling updates than the currently supported one-pod-at-a-time updates, in the 
+case where you're using the `OrderedReady` Pod management policy for a StatefulSet.
+
+ 
+Here are some examples:
+
+-  I am using a StatefulSet to orchestrate a multi-instance, cache based application where the size of the cache is large. The cache 
+   starts cold and requires some siginificant amount of time before the container can start. There could be more initial startup tasks
+   that are required. A RollingUpdate on this StatefulSet would take a lot of time before the application is fully updated. If the 
+   StatefulSet supported updating more than one pod at a time, it would result in a much faster update.
+
+-  My stateful application is composed of leaders and followers or one writer and multiple readers. I have multiple readers or 
+   followers and my application can tolerate multiple pods going down at the same time. I want to update this application more than
+   one pod at a time so that i get the new updates rolled out quickly, especially if the number of instances of my application are
+   large. Note that my application still requires unique identity per pod.
+
+
+In order to support such scenarios, Kubernetes 1.24 includes a new alpha feature to help. Before you can use the new feature you must
+enable the `MaxUnavailableStatefulSet` feature flag. Once you enable that, you can specify a new field called `maxUnavailable`, part 
+of the `spec` for a StatefulSet. For example: 
+
+```
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: web
+  namespace: default
+spec:
+  podManagementPolicy: OrderedReady  # you must set OrderedReady
+  replicas: 5
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: k8s.gcr.io/nginx-slim:0.8
+        imagePullPolicy: IfNotPresent
+        name: nginx
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 2 # this is the new alpha field, whose default value is 1
+      partition: 0
+    type: RollingUpdate
+```
+
+If you enable the new feature and you don't specify a value for `maxUnavailable` in a StatefulSet, Kubernetes applies a default
+`maxUnavailable: 1`. This matches the behavior you would see if you don't enable the new feature.
+
+I'll run through a scenario based on that example manifest to demonstrate how this feature works. I will deploy a StatefulSet that
+has 5 replicas, with `maxUnavailable` set to 2 and `partition` set to 0.
+
+I can trigger a rolling update by changing the image to `k8s.gcr.io/nginx-slim:0.9`. Once I initiate the rolling update, I can 
+watch the pods update 2 at a time as the current value of maxUnavailable is 2. The below output shows a span of time and is not 
+complete.  The maxUnavailable can be an absolute number (for example, 2) or a percentage of desired Pods (for example, 10%). The 
+absolute number is calculated from percentage by rounding down.  
+```
+kubectl get pods --watch 
+```
+
+```
+NAME    READY   STATUS    RESTARTS   AGE
+web-0   1/1     Running   0          85s
+web-1   1/1     Running   0          2m6s
+web-2   1/1     Running   0          106s
+web-3   1/1     Running   0          2m47s
+web-4   1/1     Running   0          2m27s
+web-4   1/1     Terminating   0          5m43s ----> start terminating 4
+web-3   1/1     Terminating   0          6m3s  ----> start terminating 3
+web-3   0/1     Terminating   0          6m7s
+web-3   0/1     Pending       0          0s
+web-3   0/1     Pending       0          0s
+web-4   0/1     Terminating   0          5m48s
+web-4   0/1     Terminating   0          5m48s
+web-3   0/1     ContainerCreating   0          2s
+web-3   1/1     Running             0          2s
+web-4   0/1     Pending             0          0s
+web-4   0/1     Pending             0          0s
+web-4   0/1     ContainerCreating   0          0s
+web-4   1/1     Running             0          1s
+web-2   1/1     Terminating         0          5m46s ----> start terminating 2 (only after both 4 and 3 are running)
+web-1   1/1     Terminating         0          6m6s  ----> start terminating 1
+web-2   0/1     Terminating         0          5m47s
+web-1   0/1     Terminating         0          6m7s
+web-1   0/1     Pending             0          0s
+web-1   0/1     Pending             0          0s
+web-1   0/1     ContainerCreating   0          1s
+web-1   1/1     Running             0          2s
+web-2   0/1     Pending             0          0s
+web-2   0/1     Pending             0          0s
+web-2   0/1     ContainerCreating   0          0s
+web-2   1/1     Running             0          1s
+web-0   1/1     Terminating         0          6m6s ----> start terminating 0 (only after 2 and 1 are running)
+web-0   0/1     Terminating         0          6m7s
+web-0   0/1     Pending             0          0s
+web-0   0/1     Pending             0          0s
+web-0   0/1     ContainerCreating   0          0s
+web-0   1/1     Running             0          1s
+```
+Note that as soon as the rolling update starts, both 4 and 3 (the two highest ordinal pods) start terminating at the same time. Pods 
+with ordinal 4 and 3 may become ready at their own pace. As soon as both pods 4 and 3 are ready, pods 2 and 1 start terminating at the
+same time. When pods 2 and 1 are both running and ready, pod 0 starts terminating. 
+
+In Kubernetes, updates to StatefulSets follow a strict ordering when updating Pods. In this example, the update starts at replica 4, then
+replica 3, then replica 2, and so on, one pod at a time. When going one pod at a time, its not possible for 3 to be running and ready 
+before 4. When `maxUnavailable` is more than 1 (in the example scenario I set `maxUnavailable` to 2), it is possible that replica 3 becomes 
+ready and running before replica 4 is ready&mdash;and that is ok. If you're a developer and you set `maxUnavailable` to more than 1, you should 
+know that this outcome is possible and you must ensure that your application is able to handle such ordering issues that occur
+if any. When you set `maxUnavailable` greater than 1, the ordering is guaranteed in between each batch of pods being updated. That guarantee
+means that pods in update batch 2 (replicas 2 and 1) cannot start updating until the pods from batch 0 (replicas 4 and 3) are ready.
+
+Although Kubernetes refers to these as _replicas_, your stateful application may have a different view and each pod of the StatefulSet may
+be holding completely different data than other pods. The important thing here is that updates to StatefulSets happen in batches, and you can
+now have a batch size larger than 1 (as an alpha feature).
+
+Also note, that the above behavior is with `podManagementPolicy: OrderedReady`. If you defined a StatefulSet as `podManagementPolicy: Parallel`,
+not only `maxUnavailable` number of replicas are terminated at the same time; `maxUnavailable` number of replicas start in `ContainerCreating`
+phase at the same time as well. This is called bursting.
+
+So, now you may have a lot of questions about:-
+- What is the behavior when you set `podManagementPolicy: Parallel`?
+- What is the behavior when `partition` to a value other than `0`?
+
+It might be better to try and see it for yourself. This is an alpha feature, and the Kubernetes contributors are looking for feedback on this feature. Did
+this help you achieve your stateful scenarios Did you find a bug or do you think the behavior as implemented is not intuitive or can
+break applications or catch them by surprise? Please [open an issue](https://github.com/kubernetes/kubernetes/issues) to let us know.
+
+## Further reading and next steps {#next-steps}
+- [Maximum unavailable Pods](/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods)
+- [KEP for MaxUnavailable for StatefulSet](https://github.com/kubernetes/enhancements/tree/master/keps/sig-apps/961-maxunavailable-for-statefulset)
+- [Implementation](https://github.com/kubernetes/kubernetes/pull/82162/files)
+- [Enhancement Tracking Issue](https://github.com/kubernetes/enhancements/issues/961)
diff --git a/content/en/blog/_posts/2022-06-01-annual-report-2021.md b/content/en/blog/_posts/2022-06-01-annual-report-2021.md
new file mode 100644
index 0000000000000..e0a41303573b0
--- /dev/null
+++ b/content/en/blog/_posts/2022-06-01-annual-report-2021.md
@@ -0,0 +1,19 @@
+---
+layout: blog
+title: "Annual Report Summary 2021"
+date: 2022-06-01
+slug: annual-report-summary-2021
+---
+
+**Author:** Paris Pittman (Steering Committee)
+
+Last year, we published our first [Annual Report Summary](/blog/2021/06/28/announcing-kubernetes-community-group-annual-reports/) for 2020 and it's already time for our second edition!
+
+[2021 Annual Report Summary](https://www.cncf.io/reports/kubernetes-annual-report-2021/)
+
+This summary reflects the work that has been done in 2021 and the initiatives on deck for the rest of 2022. Please forward to organizations and indidviduals participating in upstream activities, planning cloud native strategies, and/or those looking to help out. To find a specific community group's complete report, go to the [kubernetes/community repo](https://github.com/kubernetes/community) under the groups folder. Example: [sig-api-machinery/annual-report-2021.md](https://github.com/kubernetes/community/blob/master/sig-api-machinery/annual-report-2021.md)
+
+You’ll see that this report summary is a growth area in itself. It takes us roughly 6 months to prepare and execute, which isn’t helpful or valuable to anyone as a fast moving project with short and long term needs. How can we make this better? Provide your feedback here: https://github.com/kubernetes/steering/issues/242
+
+Reference:
+[Annual Report Documentation](https://github.com/kubernetes/community/blob/master/committee-steering/governance/annual-reports.md)
diff --git a/content/en/community/code-of-conduct.md b/content/en/community/code-of-conduct.md
index a66b0572bffd9..84c95370a33f0 100644
--- a/content/en/community/code-of-conduct.md
+++ b/content/en/community/code-of-conduct.md
@@ -8,9 +8,9 @@ community_styles_migrated: true
 <div class="community-section" id="cncf-code-of-conduct-intro">
 <p>
 Kubernetes follows the
-<a href="https://github.com/cncf/foundation/blob/master/code-of-conduct.md">CNCF Code of Conduct</a>.
+<a href="https://github.com/cncf/foundation/blob/main/code-of-conduct.md">CNCF Code of Conduct</a>.
 The text of the CNCF CoC is replicated below, as of
-<a href="https://github.com/cncf/foundation/blob/214585e24aab747fb85c2ea44fbf4a2442e30de6/code-of-conduct.md">commit 214585e</a>.
+<a href="https://github.com/cncf/foundation/blob/71b12a2f8b4589788ef2d69b351a3d035c68d927/code-of-conduct.md">commit 71b12a2</a>.
 If you notice that this is out of date, please
 <a href="https://github.com/kubernetes/website/issues/new">file an issue</a>.
 </p>
diff --git a/content/en/community/static/cncf-code-of-conduct.md b/content/en/community/static/cncf-code-of-conduct.md
index d07444c418368..fb3202b24a24f 100644
--- a/content/en/community/static/cncf-code-of-conduct.md
+++ b/content/en/community/static/cncf-code-of-conduct.md
@@ -1,45 +1,72 @@
 <!-- Do not edit this file directly. Get the latest from
-     https://github.com/cncf/foundation/blob/master/code-of-conduct.md -->
-## CNCF Community Code of Conduct v1.0
+     https://github.com/cncf/foundation/blob/main/code-of-conduct.md -->
+## CNCF Community Code of Conduct v1.1
 
 ### Contributor Code of Conduct
 
-As contributors and maintainers of this project, and in the interest of fostering
+As contributors and maintainers in the CNCF community, and in the interest of fostering
 an open and welcoming community, we pledge to respect all people who contribute
 through reporting issues, posting feature requests, updating documentation,
 submitting pull requests or patches, and other activities.
 
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
+We are committed to making participation in the CNCF community a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression,
 sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
 religion, or nationality.
 
-Examples of unacceptable behavior by participants include:
+## Scope
 
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
+
+### CNCF Events
+
+CNCF events, or events run by the Linux Foundation with professional events staff, are governed by the Linux Foundation [Events Code of Conduct](https://events.linuxfoundation.org/code-of-conduct/) available on the event page. This is designed to be used in conjunction with the CNCF Code of Conduct.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
 * Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect
+of managing this project.
+Project maintainers who do not follow or enforce the Code of
 Conduct may be permanently removed from the project team.
 
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
+## Reporting
 
-Instances of abusive, harassing, or otherwise unacceptable behavior in Kubernetes may be reported by contacting the [Kubernetes Code of Conduct Committee](https://git.k8s.io/community/committee-code-of-conduct) via <conduct@kubernetes.io>. For other projects, please contact a CNCF project maintainer or our mediator, Mishi Choudhary <mishi@linux.com>.
+For incidents occurring in the Kubernetes community, contact the [Kubernetes Code of Conduct Committee](https://git.k8s.io/community/committee-code-of-conduct) via <conduct@kubernetes.io>. You can expect a response within three business days.
 
-This Code of Conduct is adapted from the Contributor Covenant
-(https://contributor-covenant.org), version 1.2.0, available at
-https://contributor-covenant.org/version/1/2/0/
+For other projects, please contact the CNCF staff via <conduct@cncf.io>. You can expect a response within three business days.
+
+In matters that require an outside mediator, CNCF has retained Mishi Choudhary (mishi@linux.com). Use of an outside mediator can be requested when reporting or used at CNCF staff's discretion. In general, contacting <conduct@cncf.io> directly is preferred.
+
+
+## Enforcement
 
-### CNCF Events Code of Conduct
+The Kubernetes project's [Code of Conduct Committee](https://github.com/kubernetes/community/tree/master/committee-code-of-conduct) enforces code of conduct issues. For all other projects, the CNCF enforces code of conduct issues.
 
-CNCF events are governed by the Linux Foundation [Code of Conduct](https://events.linuxfoundation.org/code-of-conduct/) available on the event page. This is designed to be compatible with the above policy and also includes more details on responding to incidents.
+Both bodies try to resolve incidents without punishment, but may remove people from the project or CNCF communities at their discretion.
+
+## Acknowledgements
+
+This Code of Conduct is adapted from the Contributor Covenant
+(http://contributor-covenant.org), version 2.0 available at
+http://contributor-covenant.org/version/2/0/code_of_conduct/
\ No newline at end of file
diff --git a/content/en/community/static/community-values.md b/content/en/community/static/community-values.md
index f6469a3e61ad2..6fd1a1a06ccf2 100644
--- a/content/en/community/static/community-values.md
+++ b/content/en/community/static/community-values.md
@@ -3,26 +3,26 @@
 
 # Kubernetes Community Values
 
-Kubernetes Community culture is frequently cited as a substantial contributor to the meteoric rise of this Open Source project.  Below are the distilled values which have evolved over the last many years in our community pushing our project and peers toward constant improvement.
+Kubernetes Community culture contributes substantially to the project's success. The following values have evolved over time, pushing our project and peers toward constant improvement.
 
 ## Distribution is better than centralization
 
-The scale of the Kubernetes project is only viable through high-trust and high-visibility distribution of work, which includes delegation of authority, decision making, technical design, code ownership, and documentation.  Distributed asynchronous ownership, collaboration, communication and decision making are the cornerstone of our world-wide community.
+The scale of the Kubernetes project is only viable through high-trust and high-visibility distribution of work, which includes delegation of authority, decision making, technical design, code ownership, and documentation.  Distributed asynchronous ownership, collaboration, communication and decision making are the cornerstones of our world-wide community.
 
 ## Community over product or company
 
-We are here as a community first, our allegiance is to the intentional stewardship of the Kubernetes project for the benefit of all its members and users everywhere.  We support working together publicly for the common goal of a vibrant interoperable ecosystem providing an excellent experience for our users. Individuals gain status through work, companies gain status through their commitments to support this community and fund the resources necessary for the project  to operate.
+We are here as a community first. Our allegiance is to the intentional stewardship of the Kubernetes project for the benefit of all its members and users everywhere. We support working together publicly for the common goal of a vibrant interoperable ecosystem, providing an excellent experience for our users. Individuals gain status through work. Companies gain status through their commitments to support this community and fund the resources necessary for the project to operate.
 
 ## Automation over process
 
-Large projects have a lot of less exciting, yet, hard work.  We value time spent automating repetitive work more highly than toil. Where that work cannot be automated, it is our culture to recognize and reward all types of contributions. However, heroism is not sustainable.
+Large projects have a lot of hard yet less exciting work. We value time spent automating repetitive work more highly than toil. Where work cannot be automated, our culture recognizes and rewards all types of contributions while recognizing that heroism is not sustainable.
 
 ## Inclusive is better than exclusive
 
-Broadly successful and useful technology requires different perspectives and skill sets which can only be heard in a welcoming and respectful environment.  Community membership is a privilege, not a right. Community Leadership is earned through effort, scope, quality, quantity, and duration of contributions. Our community shows respect for the time and effort put into a discussion regardless of where a contributor is on their growth path.
+Broadly successful and useful technologies require different perspectives and skill sets, which can only be heard in a welcoming and respectful environment. Community membership is a privilege, not a right. Community members earn leadership through effort, scope, quality, quantity, and duration of contributions. Our community respects the time and effort put into a discussion, regardless of where a contributor is on their growth path.
 
 ## Evolution is better than stagnation
 
-Openness to new ideas and studied technological evolution make Kubernetes a stronger project.  Continual improvement, servant leadership, mentorship and respect are the foundations of the Kubernetes project culture. It is the duty for leaders in the Kubernetes community to find, sponsor, and promote new community members. Leaders should expect to step aside. Community members should expect to step up.
+Openness to new ideas and studied technological evolution make Kubernetes a stronger project. Continual improvement, servant leadership, mentorship, and respect are the foundations of Kubernetes culture. Kubernetes community leaders have a duty to find, sponsor, and promote new community members. Leaders should expect to step aside. Community members should expect to step up.
 
 **"Culture eats strategy for breakfast."   --Peter Drucker**
diff --git a/content/en/community/values.md b/content/en/community/values.md
index 675e93c865b71..2974dc1e434b6 100644
--- a/content/en/community/values.md
+++ b/content/en/community/values.md
@@ -9,7 +9,15 @@ community_styles_migrated: true
 sitemap:
   priority: 0.1
 ---
+
 <div class="community-section" id="values-legacy">
+<p>
+This page is a replicated version of
+<a href="https://www.kubernetes.dev/community/values/">Kubernetes Community Values</a>, as of
+<a href="https://github.com/kubernetes/community/blob/5c642749a030c5f7b2363a6bb9bad00a56a92161/values.md">commit 5c64274</a>.
+If you notice that this is out of date, please
+<a href="https://github.com/kubernetes/website/issues/new">file an issue</a>.
+</p>
 {{< include "/static/community-values.md" >}}
 </div>
 
diff --git a/content/en/docs/concepts/architecture/control-plane-node-communication.md b/content/en/docs/concepts/architecture/control-plane-node-communication.md
index a4814aab4b45e..df384800e9606 100644
--- a/content/en/docs/concepts/architecture/control-plane-node-communication.md
+++ b/content/en/docs/concepts/architecture/control-plane-node-communication.md
@@ -2,7 +2,7 @@
 reviewers:
 - dchen1107
 - liggitt
-title: Control Plane-Node Communication
+title: Communication between Nodes and the Control Plane
 content_type: concept
 weight: 20
 aliases:
@@ -11,62 +11,109 @@ aliases:
 
 <!-- overview -->
 
-This document catalogs the communication paths between the control plane (apiserver) and the Kubernetes cluster. The intent is to allow users to customize their installation to harden the network configuration such that the cluster can be run on an untrusted network (or on fully public IPs on a cloud provider).
-
-
+This document catalogs the communication paths between the API server and the Kubernetes cluster.
+The intent is to allow users to customize their installation to harden the network configuration
+such that the cluster can be run on an untrusted network (or on fully public IPs on a cloud
+provider).
 
 <!-- body -->
 
 ## Node to Control Plane
-Kubernetes has a "hub-and-spoke" API pattern. All API usage from nodes (or the pods they run) terminates at the apiserver. None of the other control plane components are designed to expose remote services. The apiserver is configured to listen for remote connections on a secure HTTPS port (typically 443) with one or more forms of client [authentication](/docs/reference/access-authn-authz/authentication/) enabled.
-One or more forms of [authorization](/docs/reference/access-authn-authz/authorization/) should be enabled, especially if [anonymous requests](/docs/reference/access-authn-authz/authentication/#anonymous-requests) or [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens) are allowed.
 
-Nodes should be provisioned with the public root certificate for the cluster such that they can connect securely to the apiserver along with valid client credentials. A good approach is that the client credentials provided to the kubelet are in the form of a client certificate. See [kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for automated provisioning of kubelet client certificates.
+Kubernetes has a "hub-and-spoke" API pattern. All API usage from nodes (or the pods they run)
+terminates at the API server. None of the other control plane components are designed to expose
+remote services. The API server is configured to listen for remote connections on a secure HTTPS
+port (typically 443) with one or more forms of client
+[authentication](/docs/reference/access-authn-authz/authentication/) enabled.
+One or more forms of [authorization](/docs/reference/access-authn-authz/authorization/) should be
+enabled, especially if [anonymous requests](/docs/reference/access-authn-authz/authentication/#anonymous-requests)
+or [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens)
+are allowed.
+
+Nodes should be provisioned with the public root certificate for the cluster such that they can
+connect securely to the API server along with valid client credentials. A good approach is that the
+client credentials provided to the kubelet are in the form of a client certificate. See
+[kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+for automated provisioning of kubelet client certificates.
 
-Pods that wish to connect to the apiserver can do so securely by leveraging a service account so that Kubernetes will automatically inject the public root certificate and a valid bearer token into the pod when it is instantiated.
-The `kubernetes` service (in `default` namespace) is configured with a virtual IP address that is redirected (via kube-proxy) to the HTTPS endpoint on the apiserver.
+Pods that wish to connect to the API server can do so securely by leveraging a service account so
+that Kubernetes will automatically inject the public root certificate and a valid bearer token
+into the pod when it is instantiated.
+The `kubernetes` service (in `default` namespace) is configured with a virtual IP address that is
+redirected (via `kube-proxy`) to the HTTPS endpoint on the API server.
 
-The control plane components also communicate with the cluster apiserver over the secure port.
+The control plane components also communicate with the API server over the secure port.
 
-As a result, the default operating mode for connections from the nodes and pods running on the nodes to the control plane is secured by default and can run over untrusted and/or public networks.
+As a result, the default operating mode for connections from the nodes and pods running on the
+nodes to the control plane is secured by default and can run over untrusted and/or public
+networks.
 
-## Control Plane to node
+## Control plane to node
 
-There are two primary communication paths from the control plane (apiserver) to the nodes. The first is from the apiserver to the kubelet process which runs on each node in the cluster. The second is from the apiserver to any node, pod, or service through the apiserver's proxy functionality.
+There are two primary communication paths from the control plane (the API server) to the nodes.
+The first is from the API server to the kubelet process which runs on each node in the cluster.
+The second is from the API server to any node, pod, or service through the API server's _proxy_
+functionality.
 
-### apiserver to kubelet
+### API server to kubelet
 
-The connections from the apiserver to the kubelet are used for:
+The connections from the API server to the kubelet are used for:
 
 * Fetching logs for pods.
-* Attaching (through kubectl) to running pods.
+* Attaching (usually through `kubectl`) to running pods.
 * Providing the kubelet's port-forwarding functionality.
 
-These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks and **unsafe** to run over untrusted and/or public networks.
+These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not
+verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle
+attacks and **unsafe** to run over untrusted and/or public networks.
 
-To verify this connection, use the `--kubelet-certificate-authority` flag to provide the apiserver with a root certificate bundle to use to verify the kubelet's serving certificate.
+To verify this connection, use the `--kubelet-certificate-authority` flag to provide the API
+server with a root certificate bundle to use to verify the kubelet's serving certificate.
 
-If that is not possible, use [SSH tunneling](#ssh-tunnels) between the apiserver and kubelet if required to avoid connecting over an
+If that is not possible, use [SSH tunneling](#ssh-tunnels) between the API server and kubelet if
+required to avoid connecting over an
 untrusted or public network.
 
-Finally, [Kubelet authentication and/or authorization](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/) should be enabled to secure the kubelet API.
 
-### apiserver to nodes, pods, and services
+Finally, [Kubelet authentication and/or authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
+should be enabled to secure the kubelet API.
 
-The connections from the apiserver to a node, pod, or service default to plain HTTP connections and are therefore neither authenticated nor encrypted. They can be run over a secure HTTPS connection by prefixing `https:` to the node, pod, or service name in the API URL, but they will not validate the certificate provided by the HTTPS endpoint nor provide client credentials. So while the connection will be encrypted, it will not provide any guarantees of integrity. These connections **are not currently safe** to run over untrusted or public networks.
+### API server to nodes, pods, and services
+
+The connections from the API server to a node, pod, or service default to plain HTTP connections
+and are therefore neither authenticated nor encrypted. They can be run over a secure HTTPS
+connection by prefixing `https:` to the node, pod, or service name in the API URL, but they will
+not validate the certificate provided by the HTTPS endpoint nor provide client credentials. So
+while the connection will be encrypted, it will not provide any guarantees of integrity. These
+connections **are not currently safe** to run over untrusted or public networks.
 
 ### SSH tunnels
 
-Kubernetes supports SSH tunnels to protect the control plane to nodes communication paths. In this configuration, the apiserver initiates an SSH tunnel to each node in the cluster (connecting to the ssh server listening on port 22) and passes all traffic destined for a kubelet, node, pod, or service through the tunnel.
-This tunnel ensures that the traffic is not exposed outside of the network in which the nodes are running.
+Kubernetes supports SSH tunnels to protect the control plane to nodes communication paths. In this
+configuration, the API server initiates an SSH tunnel to each node in the cluster (connecting to
+the SSH server listening on port 22) and passes all traffic destined for a kubelet, node, pod, or
+service through the tunnel.
+This tunnel ensures that the traffic is not exposed outside of the network in which the nodes are
+running.
 
-SSH tunnels are currently deprecated, so you shouldn't opt to use them unless you know what you are doing. The Konnectivity service is a replacement for this communication channel.
+{{< note >}}
+SSH tunnels are currently deprecated, so you shouldn't opt to use them unless you know what you
+are doing. The [Konnectivity service](#konnectivity-service) is a replacement for this
+communication channel.
+{{< /note >}}
 
 ### Konnectivity service
 
 {{< feature-state for_k8s_version="v1.18" state="beta" >}}
 
-As a replacement to the SSH tunnels, the Konnectivity service provides TCP level proxy for the control plane to cluster communication. The Konnectivity service consists of two parts: the Konnectivity server in the control plane network and the Konnectivity agents in the nodes network. The Konnectivity agents initiate connections to the Konnectivity server and maintain the network connections.
-After enabling the Konnectivity service, all control plane to nodes traffic goes through these connections.
+As a replacement to the SSH tunnels, the Konnectivity service provides TCP level proxy for the
+control plane to cluster communication. The Konnectivity service consists of two parts: the
+Konnectivity server in the control plane network and the Konnectivity agents in the nodes network.
+The Konnectivity agents initiate connections to the Konnectivity server and maintain the network
+connections.
+After enabling the Konnectivity service, all control plane to nodes traffic goes through these
+connections.
+
+Follow the [Konnectivity service task](/docs/tasks/extend-kubernetes/setup-konnectivity/) to set
+up the Konnectivity service in your cluster.
 
-Follow the [Konnectivity service task](/docs/tasks/extend-kubernetes/setup-konnectivity/) to set up the Konnectivity service in your cluster.
diff --git a/content/en/docs/concepts/architecture/nodes.md b/content/en/docs/concepts/architecture/nodes.md
index 39d229a8976a5..2321fc6474ff9 100644
--- a/content/en/docs/concepts/architecture/nodes.md
+++ b/content/en/docs/concepts/architecture/nodes.md
@@ -458,7 +458,7 @@ Message:        Pod was terminated in response to imminent node shutdown.
 
 {{< feature-state state="alpha" for_k8s_version="v1.24" >}}
 
-A node shutdown action may not be detected by kubelet's Node Shutdown Mananger, 
+A node shutdown action may not be detected by kubelet's Node Shutdown Manager, 
 either because the command does not trigger the inhibitor locks mechanism used by 
 kubelet or because of a user error, i.e., the ShutdownGracePeriod and 
 ShutdownGracePeriodCriticalPods are not configured properly. Please refer to above 
@@ -654,7 +654,7 @@ see [KEP-2400](https://github.com/kubernetes/enhancements/issues/2400) and its
 
 * Learn about the [components](/docs/concepts/overview/components/#node-components) that make up a node.
 * Read the [API definition for Node](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#node-v1-core).
-* Read the [Node](https://git.k8s.io/community/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node)
+* Read the [Node](https://git.k8s.io/design-proposals-archive/architecture/architecture.md#the-kubernetes-node)
   section of the architecture design document.
 * Read about [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-toleration/).
 
diff --git a/content/en/docs/concepts/cluster-administration/_index.md b/content/en/docs/concepts/cluster-administration/_index.md
index 7e5827a6f7a2c..ace5297b330cf 100644
--- a/content/en/docs/concepts/cluster-administration/_index.md
+++ b/content/en/docs/concepts/cluster-administration/_index.md
@@ -63,8 +63,8 @@ Before choosing a guide, here are some considerations:
 
 ### Securing the kubelet
   * [Control Plane-Node communication](/docs/concepts/architecture/control-plane-node-communication/)
-  * [TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
-  * [Kubelet authentication/authorization](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
+  * [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
+  * [Kubelet authentication/authorization](/docs/reference/acess-authn-authz/kubelet-authn-authz/)
 
 ## Optional Cluster Services
 
diff --git a/content/en/docs/concepts/cluster-administration/addons.md b/content/en/docs/concepts/cluster-administration/addons.md
index 20626f2ff4a14..5f7df077c9b72 100644
--- a/content/en/docs/concepts/cluster-administration/addons.md
+++ b/content/en/docs/concepts/cluster-administration/addons.md
@@ -18,19 +18,19 @@ This page lists some of the available add-ons and links to their respective inst
 * [ACI](https://www.github.com/noironetworks/aci-containers) provides integrated container networking and network security with Cisco ACI.
 * [Antrea](https://antrea.io/) operates at Layer 3/4 to provide networking and security services for Kubernetes, leveraging Open vSwitch as the networking data plane.
 * [Calico](https://docs.projectcalico.org/latest/introduction/) is a networking and network policy provider. Calico supports a flexible set of networking options so you can choose the most efficient option for your situation, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio & Envoy) applications at the service mesh layer.
-* [Canal](https://github.com/tigera/canal/tree/master/k8s-install) unites Flannel and Calico, providing networking and network policy.
+* [Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel) unites Flannel and Calico, providing networking and network policy.
 * [Cilium](https://github.com/cilium/cilium) is a L3 network and network policy plugin that can enforce HTTP/API/L7 policies transparently. Both routing and overlay/encapsulation mode are supported, and it can work on top of other CNI plugins.
-* [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, Romana, or Weave.
+* [CNI-Genie](https://github.com/cni-genie/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, or Weave.
 * [Contiv](https://contivpp.io/) provides configurable networking (native L3 using BGP, overlay using vxlan, classic L2, and Cisco-SDN/ACI) for various use cases and a rich policy framework. Contiv project is fully [open sourced](https://github.com/contiv). The [installer](https://github.com/contiv/install) provides both kubeadm and non-kubeadm based installation options.
 * [Contrail](https://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/), based on [Tungsten Fabric](https://tungsten.io), is an open source, multi-cloud network virtualization and policy management platform. Contrail and Tungsten Fabric are integrated with orchestration systems such as Kubernetes, OpenShift, OpenStack and Mesos, and provide isolation modes for virtual machines, containers/pods and bare metal workloads.
 * [Flannel](https://github.com/flannel-io/flannel#deploying-flannel-manually) is an overlay network provider that can be used with Kubernetes.
 * [Knitter](https://github.com/ZTE/Knitter/) is a plugin to support multiple network interfaces in a Kubernetes pod.
-* Multus is a Multi plugin for multiple network support in Kubernetes to support all CNI plugins (e.g. Calico, Cilium, Contiv, Flannel), in addition to SRIOV, DPDK, OVS-DPDK and VPP based workloads in Kubernetes.
+* [Multus](https://github.com/k8snetworkplumbingwg/multus-cni) is a Multi plugin for multiple network support in Kubernetes to support all CNI plugins (e.g. Calico, Cilium, Contiv, Flannel), in addition to SRIOV, DPDK, OVS-DPDK and VPP based workloads in Kubernetes.
 * [OVN-Kubernetes](https://github.com/ovn-org/ovn-kubernetes/) is a networking provider for Kubernetes based on [OVN (Open Virtual Network)](https://github.com/ovn-org/ovn/), a virtual networking implementation that came out of the Open vSwitch (OVS) project. OVN-Kubernetes provides an overlay based networking implementation for Kubernetes, including an OVS based implementation of load balancing and network policy.
-* [OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) is OVN based CNI controller plugin to provide cloud native based Service function chaining(SFC), Multiple OVN overlay networking, dynamic subnet creation, dynamic creation of virtual networks, VLAN Provider network, Direct provider network and pluggable with other Multi-network plugins, ideal for edge based cloud native workloads in Multi-cluster networking
-* [NSX-T](https://docs.vmware.com/en/VMware-NSX-T/2.0/nsxt_20_ncp_kubernetes.pdf) Container Plug-in (NCP) provides integration between VMware NSX-T and container orchestrators such as Kubernetes, as well as integration between NSX-T and container-based CaaS/PaaS platforms such as Pivotal Container Service (PKS) and OpenShift.
+* [OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) is OVN based CNI controller plugin to provide cloud native based Service function chaining(SFC), Multiple OVN overlay networking, dynamic subnet creation, dynamic creation of virtual networks, VLAN Provider network, Direct provider network and pluggable with other Multi-network plugins, ideal for edge based cloud native workloads in Multi-cluster networking.
+* [NSX-T](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html) Container Plug-in (NCP) provides integration between VMware NSX-T and container orchestrators such as Kubernetes, as well as integration between NSX-T and container-based CaaS/PaaS platforms such as Pivotal Container Service (PKS) and OpenShift.
 * [Nuage](https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst) is an SDN platform that provides policy-based networking between Kubernetes Pods and non-Kubernetes environments with visibility and security monitoring.
-* **Romana** is a Layer 3 networking solution for pod networks that also supports the [NetworkPolicy API](/docs/concepts/services-networking/network-policies/). Kubeadm add-on installation details available [here](https://github.com/romana/romana/tree/master/containerize).
+* [Romana](https://github.com/romana) is a Layer 3 networking solution for pod networks that also supports the [NetworkPolicy](/docs/concepts/services-networking/network-policies/) API.
 * [Weave Net](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/) provides networking and network policy, will carry on working on both sides of a network partition, and does not require an external database.
 
 ## Service Discovery
diff --git a/content/en/docs/concepts/cluster-administration/flow-control.md b/content/en/docs/concepts/cluster-administration/flow-control.md
index 9e8f2a79238a7..ccf1eb5887f84 100644
--- a/content/en/docs/concepts/cluster-administration/flow-control.md
+++ b/content/en/docs/concepts/cluster-administration/flow-control.md
@@ -174,7 +174,7 @@ to balance progress between request flows.
 
 The queuing configuration allows tuning the fair queuing algorithm for a
 priority level. Details of the algorithm can be read in the
-[enhancement proposal](#whats-next), but in short:
+[enhancement proposal](https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1040-priority-and-fairness), but in short:
 
 * Increasing `queues` reduces the rate of collisions between different flows, at
   the cost of increased memory usage. A value of 1 here effectively disables the
@@ -331,7 +331,7 @@ Thus, in a situation with a mixture of servers of different versions
 there may be thrashing as long as different servers have different
 opinions of the proper content of these objects.
 
-Each `kube-apiserver` makes an inital maintenance pass over the
+Each `kube-apiserver` makes an initial maintenance pass over the
 mandatory and suggested configuration objects, and after that does
 periodic maintenance (once per minute) of those objects.
 
@@ -471,11 +471,15 @@ poorly-behaved workloads that may be harming system health.
   requests, broken down by the labels `phase` (which takes on the
   values `waiting` and `executing`) and `request_kind` (which takes on
   the values `mutating` and `readOnly`).  The observations are made
-  periodically at a high rate.
+  periodically at a high rate.  Each observed value is a ratio,
+  between 0 and 1, of a number of requests divided by the
+  corresponding limit on the number of requests (queue length limit
+  for waiting and concurrency limit for executing).
 
 * `apiserver_flowcontrol_read_vs_write_request_count_watermarks` is a
   histogram vector of high or low water marks of the number of
-  requests broken down by the labels `phase` (which takes on the
+  requests (divided by the corresponding limit to get a ratio in the
+  range 0 to 1) broken down by the labels `phase` (which takes on the
   values `waiting` and `executing`) and `request_kind` (which takes on
   the values `mutating` and `readOnly`); the label `mark` takes on
   values `high` and `low`.  The water marks are accumulated over
@@ -502,11 +506,15 @@ poorly-behaved workloads that may be harming system health.
   values `waiting` and `executing`) and `priority_level`.  Each
   histogram gets observations taken periodically, up through the last
   activity of the relevant sort.  The observations are made at a high
-  rate.
+  rate.  Each observed value is a ratio, between 0 and 1, of a number
+  of requests divided by the corresponding limit on the number of
+  requests (queue length limit for waiting and concurrency limit for
+  executing).
 
 * `apiserver_flowcontrol_priority_level_request_count_watermarks` is a
   histogram vector of high or low water marks of the number of
-  requests broken down by the labels `phase` (which takes on the
+  requests (divided by the corresponding limit to get a ratio in the
+  range 0 to 1) broken down by the labels `phase` (which takes on the
   values `waiting` and `executing`) and `priority_level`; the label
   `mark` takes on values `high` and `low`.  The water marks are
   accumulated over windows bounded by the times when an observation
@@ -514,6 +522,31 @@ poorly-behaved workloads that may be harming system health.
   `apiserver_flowcontrol_priority_level_request_count_samples`.  These
   water marks show the range of values that occurred between samples.
 
+* `apiserver_flowcontrol_priority_level_seat_count_samples` is a
+  histogram vector of observations of the utilization of a priority
+  level's concurrency limit, broken down by `priority_level`.  This
+  utilization is the fraction (number of seats occupied) /
+  (concurrency limit).  This metric considers all stages of execution
+  (both normal and the extra delay at the end of a write to cover for
+  the corresponding notification work) of all requests except WATCHes;
+  for those it considers only the initial stage that delivers
+  notifications of pre-existing objects.  Each histogram in the vector
+  is also labeled with `phase: executing` (there is no seat limit for
+  the waiting phase).  Each histogram gets observations taken
+  periodically, up through the last activity of the relevant sort.
+  The observations
+  are made at a high rate.  
+
+* `apiserver_flowcontrol_priority_level_seat_count_watermarks` is a
+  histogram vector of high or low water marks of the utilization of a
+  priority level's concurrency limit, broken down by `priority_level`
+  and `mark` (which takes on values `high` and `low`).  Each histogram
+  in the vector is also labeled with `phase: executing` (there is no
+  seat limit for the waiting phase).  The water marks are accumulated
+  over windows bounded by the times when an observation was added to
+  `apiserver_flowcontrol_priority_level_seat_count_samples`.  These
+  water marks show the range of values that occurred between samples.
+
 * `apiserver_flowcontrol_request_queue_length_after_enqueue` is a
   histogram vector of queue lengths for the queues, broken down by
   the labels `priority_level` and `flow_schema`, as sampled by the
@@ -556,6 +589,22 @@ poorly-behaved workloads that may be harming system health.
   and `priority_level` (indicating the one to which the request was
   assigned).
 
+* `apiserver_flowcontrol_watch_count_samples` is a histogram vector of
+  the number of active WATCH requests relevant to a given write,
+  broken down by `flow_schema` and `priority_level`.
+
+* `apiserver_flowcontrol_work_estimated_seats` is a histogram vector
+  of the number of estimated seats (maximum of initial and final stage
+  of execution) associated with requests, broken down by `flow_schema`
+  and `priority_level`.
+
+* `apiserver_flowcontrol_request_dispatch_no_accommodation_total` is a
+  counter vec of the number of events that in principle could have led
+  to a request being dispatched but did not, due to lack of available
+  concurrency, broken down by `flow_schema` and `priority_level`.  The
+  relevant sorts of events are arrival of a request and completion of
+  a request.
+
 ### Debug endpoints
 
 When you enable the API Priority and Fairness feature, the `kube-apiserver`
diff --git a/content/en/docs/concepts/cluster-administration/manage-deployment.md b/content/en/docs/concepts/cluster-administration/manage-deployment.md
index c09e59f1df879..c90715da09956 100644
--- a/content/en/docs/concepts/cluster-administration/manage-deployment.md
+++ b/content/en/docs/concepts/cluster-administration/manage-deployment.md
@@ -461,7 +461,7 @@ That's it! The Deployment will declaratively update the deployed nginx applicati
 ## {{% heading "whatsnext" %}}
 
 
-- Learn about [how to use `kubectl` for application introspection and debugging](/docs/tasks/debug-application-cluster/debug-application-introspection/).
+- Learn about [how to use `kubectl` for application introspection and debugging](/docs/tasks/debug/debug-application/debug-running-pod/).
 - See [Configuration Best Practices and Tips](/docs/concepts/configuration/overview/).
 
 
diff --git a/content/en/docs/concepts/cluster-administration/networking.md b/content/en/docs/concepts/cluster-administration/networking.md
index 9fed36c2fd698..b780ef15ca43b 100644
--- a/content/en/docs/concepts/cluster-administration/networking.md
+++ b/content/en/docs/concepts/cluster-administration/networking.md
@@ -203,4 +203,4 @@ to run, and in both cases, the network provides one IP address per pod - as is s
 
 The early design of the networking model and its rationale, and some future
 plans are described in more detail in the
-[networking design document](https://git.k8s.io/community/contributors/design-proposals/network/networking.md).
+[networking design document](https://git.k8s.io/design-proposals-archive/network/networking.md).
diff --git a/content/en/docs/concepts/configuration/organize-cluster-access-kubeconfig.md b/content/en/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
index 713592cf989ec..87c4737ad765f 100644
--- a/content/en/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
+++ b/content/en/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
@@ -18,7 +18,7 @@ It does not mean that there is a file named `kubeconfig`.
 {{< /note >}}
 
 {{< warning >}}
-Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure. 
+Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure.
 If you must use an untrusted kubeconfig file, inspect it carefully first, much as you would a shell script.
 {{< /warning>}}
 
@@ -53,7 +53,7 @@ clusters and namespaces.
 A *context* element in a kubeconfig file is used to group access parameters
 under a convenient name. Each context has three parameters: cluster, namespace, and user.
 By default, the `kubectl` command-line tool uses parameters from
-the *current context* to communicate with the cluster. 
+the *current context* to communicate with the cluster.
 
 To choose the current context:
 ```
@@ -150,16 +150,16 @@ are stored absolutely.
 
 ## Proxy
 
-You can configure `kubectl` to use proxy by setting `proxy-url` in the kubeconfig file, like:
+You can configure `kubectl` to use a proxy per cluster using `proxy-url` in your kubeconfig file, like this:
 
 ```yaml
 apiVersion: v1
 kind: Config
 
-proxy-url: https://proxy.host:3128
-
 clusters:
 - cluster:
+    proxy-url: http://proxy.example.org:3128
+    server: https://k8s.example.org/k8s/clusters/c-xxyyzz
   name: development
 
 users:
@@ -168,7 +168,6 @@ users:
 contexts:
 - context:
   name: development
-
 ```
 
 
diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md
index d9611439a4566..f83372532fc5e 100644
--- a/content/en/docs/concepts/configuration/secret.md
+++ b/content/en/docs/concepts/configuration/secret.md
@@ -247,6 +247,8 @@ You can still [manually create](/docs/tasks/configure-pod-container/configure-se
 a service account token Secret; for example, if you need a token that never expires.
 However, using the [TokenRequest](/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
 subresource to obtain a token to access the API is recommended instead.
+You can use the [`kubectl create token`](/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-)
+command to obtain a token from the `TokenRequest` API.
 {{< /note >}}
 
 #### Projection of Secret keys to specific paths
@@ -886,15 +888,30 @@ In this case, `0` means you have created an empty Secret.
 ### Service account token Secrets
 
 A `kubernetes.io/service-account-token` type of Secret is used to store a
-token that identifies a
+token credential that identifies a
 {{< glossary_tooltip text="service account" term_id="service-account" >}}.
+
+Since 1.22, this type of Secret is no longer used to mount credentials into Pods,
+and obtaining tokens via the [TokenRequest](/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
+API is recommended instead of using service account token Secret objects.
+Tokens obtained from the `TokenRequest` API are more secure than ones stored in Secret objects,
+because they have a bounded lifetime and are not readable by other API clients.
+You can use the [`kubectl create token`](/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-)
+command to obtain a token from the `TokenRequest` API.
+
+You should only create a service account token Secret object
+if you can't use the `TokenRequest` API to obtain a token,
+and the security exposure of persisting a non-expiring token credential
+in a readable API object is acceptable to you.
+
 When using this Secret type, you need to ensure that the
 `kubernetes.io/service-account.name` annotation is set to an existing
-service account name. A Kubernetes
-{{< glossary_tooltip text="controller" term_id="controller" >}} fills in some
-other fields such as the `kubernetes.io/service-account.uid` annotation, and the
-`token` key in the `data` field, which is set to contain an authentication
-token.
+service account name. If you are creating both the ServiceAccount and
+the Secret objects, you should create the ServiceAccount object first.
+
+After the Secret is created, a Kubernetes {{< glossary_tooltip text="controller" term_id="controller" >}}
+fills in some other fields such as the `kubernetes.io/service-account.uid` annotation, and the
+`token` key in the `data` field, which is populated with an authentication token.
 
 The following example configuration declares a service account token Secret:
 
@@ -911,20 +928,14 @@ data:
   extra: YmFyCg==
 ```
 
-When creating a `Pod`, Kubernetes automatically finds or creates a service account
-Secret and then automatically modifies your Pod to use this Secret. The service account
-token Secret contains credentials for accessing the Kubernetes API.
-
-The automatic creation and use of API credentials can be disabled or
-overridden if desired. However, if all you need to do is securely access the
-API server, this is the recommended workflow.
+After creating the Secret, wait for Kubernetes to populate the `token` key in the `data` field.
 
 See the [ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/)
 documentation for more information on how service accounts work.  
 You can also check the `automountServiceAccountToken` field and the
 `serviceAccountName` field of the
 [`Pod`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
-for information on referencing service account from Pods.
+for information on referencing service account credentials from within Pods.
 
 ### Docker config Secrets
 
@@ -982,7 +993,7 @@ kubectl create secret docker-registry secret-tiger-docker \
 ```
 
 That command creates a Secret of type `kubernetes.io/dockerconfigjson`.
-If you dump the `.data.dockercfgjson` field from that new Secret and then
+If you dump the `.data.dockerconfigjson` field from that new Secret and then
 decode it from base64:
 
 ```shell
@@ -1291,7 +1302,7 @@ on that node.
 - When deploying applications that interact with the Secret API, you should
   limit access using
   [authorization policies](/docs/reference/access-authn-authz/authorization/) such as
-  [RBAC]( /docs/reference/access-authn-authz/rbac/).
+  [RBAC](/docs/reference/access-authn-authz/rbac/).
 - In the Kubernetes API, `watch` and `list` requests for Secrets within a namespace
   are extremely powerful capabilities. Avoid granting this access where feasible, since
   listing Secrets allows the clients to inspect the values of every Secret in that
@@ -1310,7 +1321,7 @@ have access to run a Pod that then exposes the Secret.
 - When deploying applications that interact with the Secret API, you should
   limit access using
   [authorization policies](/docs/reference/access-authn-authz/authorization/) such as
-  [RBAC]( /docs/reference/access-authn-authz/rbac/).
+  [RBAC](/docs/reference/access-authn-authz/rbac/).
 - In the API server, objects (including Secrets) are persisted into
   {{< glossary_tooltip term_id="etcd" >}}; therefore:
   - only allow cluster admistrators to access etcd (this includes read-only access);
diff --git a/content/en/docs/concepts/configuration/windows-resource-management.md b/content/en/docs/concepts/configuration/windows-resource-management.md
index 6593caa5fb09c..955fea194a4b1 100644
--- a/content/en/docs/concepts/configuration/windows-resource-management.md
+++ b/content/en/docs/concepts/configuration/windows-resource-management.md
@@ -32,52 +32,48 @@ host, and thus privileged containers are not available on Windows.
 Containers cannot assume an identity from the host because the Security Account Manager
 (SAM) is separate.
 
-## Memory reservations {#resource-management-memory}
+## Memory management {#resource-management-memory}
 
 Windows does not have an out-of-memory process killer as Linux does. Windows always
 treats all user-mode memory allocations as virtual, and pagefiles are mandatory.
 
-Windows nodes do not overcommit memory for processes running in containers. The
+Windows nodes do not overcommit memory for processes. The
 net effect is that Windows won't reach out of memory conditions the same way Linux
 does, and processes page to disk instead of being subject to out of memory (OOM)
 termination. If memory is over-provisioned and all physical memory is exhausted,
 then paging can slow down performance.
 
-You can place bounds on memory use for workloads using the kubelet
-parameters `--kubelet-reserve` and/or `--system-reserve`; these account
-for memory usage on the node (outside of containers), and reduce
-[NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable).
-As you deploy workloads, set resource limits on containers. This also subtracts from
-`NodeAllocatable` and prevents the scheduler from adding more pods once a node is full.
-
-{{< note >}}
-When you set memory resource limits for Windows containers, you should either set a
-limit and leave the memory request unspecified, or set the request equal to the limit.
-{{< /note >}}
-
-On Windows, good practice to avoid over-provisioning is to configure the kubelet
-with a system reserved memory of at least 2GiB to account for Windows, Kubernetes
-and container runtime overheads.
-
-## CPU reservations {#resource-management-cpu}
-
-To account for CPU use by the operating system, the container runtime, and by
-Kubernetes host processes such as the kubelet, you can (and should) reserve a
-percentage of total CPU. You should determine this CPU reservation taking account of
-to the number of CPU cores available on the node. To decide on the CPU percentage to
-reserve, identify the maximum pod density for each node and monitor the CPU usage of
-the system services running there, then choose a value that meets your workload needs.
+## CPU management {#resource-management-cpu}
 
-You can place bounds on CPU usage for workloads using the
-kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to
-account for CPU usage on the node (outside of containers).
-This reduces `NodeAllocatable`.
-The cluster-wide scheduler then takes this reservation into account when determining
-pod placement.
+Windows can limit the amount of CPU time allocated for different processes but cannot
+guarantee a minimum amount of CPU time.
 
-On Windows, the kubelet supports a command-line flag to set the priority of the
+On Windows, the kubelet supports a command-line flag to set the
+[scheduling priority](https://docs.microsoft.com/windows/win32/procthread/scheduling-priorities) of the
 kubelet process: `--windows-priorityclass`. This flag allows the kubelet process to get
 more CPU time slices when compared to other processes running on the Windows host.
 More information on the allowable values and their meaning is available at
 [Windows Priority Classes](https://docs.microsoft.com/en-us/windows/win32/procthread/scheduling-priorities#priority-class).
 To ensure that running Pods do not starve the kubelet of CPU cycles, set this flag to `ABOVE_NORMAL_PRIORITY_CLASS` or above.
+
+## Resource reservation {#resource-reservation}
+
+To account for memory and CPU used by the operating system, the container runtime, and by
+Kubernetes host processes such as the kubelet, you can (and should) reserve
+memory and CPU resources with the  `--kube-reserved` and/or `--system-reserved` kubelet flags.
+On Windows these values are only used to calculate the node's
+[allocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) resources.
+
+{{< caution >}}
+As you deploy workloads, set resource memory and CPU limits on containers.
+This also subtracts from `NodeAllocatable` and helps the cluster-wide scheduler in determining which pods to place on which nodes.
+
+Scheduling pods without limits may over-provision the Windows nodes and in extreme
+cases can cause the nodes to become unhealthy.
+{{< /caution >}}
+
+On Windows, a good practice is to reserve at least 2GiB of memory.
+
+To determine how much CPU to reserve,
+identify the maximum pod density for each node and monitor the CPU usage of
+the system services running there, then choose a value that meets your workload needs.
diff --git a/content/en/docs/concepts/containers/runtime-class.md b/content/en/docs/concepts/containers/runtime-class.md
index 38a74cf18680e..6366ee05519e1 100644
--- a/content/en/docs/concepts/containers/runtime-class.md
+++ b/content/en/docs/concepts/containers/runtime-class.md
@@ -97,7 +97,7 @@ spec:
 This will instruct the kubelet to use the named RuntimeClass to run this pod. If the named
 RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod will enter the
 `Failed` terminal [phase](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase). Look for a
-corresponding [event](/docs/tasks/debug-application-cluster/debug-application-introspection/) for an
+corresponding [event](/docs/tasks/debug/debug-application/debug-running-pod/) for an
 error message.
 
 If no `runtimeClassName` is specified, the default RuntimeHandler will be used, which is equivalent
diff --git a/content/en/docs/concepts/extend-kubernetes/_index.md b/content/en/docs/concepts/extend-kubernetes/_index.md
index 3cf3eb1f7a676..5404f8c463b15 100644
--- a/content/en/docs/concepts/extend-kubernetes/_index.md
+++ b/content/en/docs/concepts/extend-kubernetes/_index.md
@@ -17,26 +17,29 @@ no_list: true
 
 <!-- overview -->
 
-Kubernetes is highly configurable and extensible. As a result,
-there is rarely a need to fork or submit patches to the Kubernetes
-project code.
+Kubernetes is highly configurable and extensible. As a result, there is rarely a need to fork or
+submit patches to the Kubernetes project code.
 
-This guide describes the options for customizing a Kubernetes
-cluster. It is aimed at {{< glossary_tooltip text="cluster operators" term_id="cluster-operator" >}} who want to
-understand how to adapt their Kubernetes cluster to the needs of
-their work environment. Developers who are prospective {{< glossary_tooltip text="Platform Developers" term_id="platform-developer" >}} or Kubernetes Project {{< glossary_tooltip text="Contributors" term_id="contributor" >}} will also find it
-useful as an introduction to what extension points and patterns
-exist, and their trade-offs and limitations.
+This guide describes the options for customizing a Kubernetes cluster. It is aimed at
+{{< glossary_tooltip text="cluster operators" term_id="cluster-operator" >}} who want to understand
+how to adapt their Kubernetes cluster to the needs of their work environment. Developers who are
+prospective {{< glossary_tooltip text="Platform Developers" term_id="platform-developer" >}} or
+Kubernetes Project {{< glossary_tooltip text="Contributors" term_id="contributor" >}} will also
+find it useful as an introduction to what extension points and patterns exist, and their
+trade-offs and limitations.
 
 <!-- body -->
 
 ## Overview
 
-Customization approaches can be broadly divided into *configuration*, which only involves changing flags, local configuration files, or API resources; and *extensions*, which involve running additional programs or services. This document is primarily about extensions.
+Customization approaches can be broadly divided into *configuration*, which only involves changing
+flags, local configuration files, or API resources; and *extensions*, which involve running
+additional programs or services. This document is primarily about extensions.
 
 ## Configuration
 
-*Configuration files* and *flags* are documented in the Reference section of the online documentation, under each binary:
+*Configuration files* and *flags* are documented in the Reference section of the online
+documentation, under each binary:
 
 * [kubelet](/docs/reference/command-line-tools-reference/kubelet/)
 * [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/)
@@ -44,9 +47,22 @@ Customization approaches can be broadly divided into *configuration*, which only
 * [kube-controller-manager](/docs/reference/command-line-tools-reference/kube-controller-manager/)
 * [kube-scheduler](/docs/reference/command-line-tools-reference/kube-scheduler/).
 
-Flags and configuration files may not always be changeable in a hosted Kubernetes service or a distribution with managed installation. When they are changeable, they are usually only changeable by the cluster administrator. Also, they are subject to change in future Kubernetes versions, and setting them may require restarting processes. For those reasons, they should be used only when there are no other options.
-
-*Built-in Policy APIs*, such as [ResourceQuota](/docs/concepts/policy/resource-quotas/), [PodSecurityPolicies](/docs/concepts/security/pod-security-policy/), [NetworkPolicy](/docs/concepts/services-networking/network-policies/) and Role-based Access Control ([RBAC](/docs/reference/access-authn-authz/rbac/)), are built-in Kubernetes APIs. APIs are typically used with hosted Kubernetes services and with managed Kubernetes installations. They are declarative and use the same conventions as other Kubernetes resources like pods, so new cluster configuration can be repeatable and be managed the same way as applications. And, where they are stable, they enjoy a [defined support policy](/docs/reference/using-api/deprecation-policy/) like other Kubernetes APIs. For these reasons, they are preferred over *configuration files* and *flags* where suitable.
+Flags and configuration files may not always be changeable in a hosted Kubernetes service or a
+distribution with managed installation. When they are changeable, they are usually only changeable
+by the cluster administrator. Also, they are subject to change in future Kubernetes versions, and
+setting them may require restarting processes. For those reasons, they should be used only when
+there are no other options.
+
+*Built-in Policy APIs*, such as [ResourceQuota](/docs/concepts/policy/resource-quotas/),
+[PodSecurityPolicies](/docs/concepts/security/pod-security-policy/),
+[NetworkPolicy](/docs/concepts/services-networking/network-policies/) and Role-based Access Control
+([RBAC](/docs/reference/access-authn-authz/rbac/)), are built-in Kubernetes APIs.
+APIs are typically used with hosted Kubernetes services and with managed Kubernetes installations.
+They are declarative and use the same conventions as other Kubernetes resources like pods,
+so new cluster configuration can be repeatable and be managed the same way as applications.
+And, where they are stable, they enjoy a
+[defined support policy](/docs/reference/using-api/deprecation-policy/) like other Kubernetes APIs.
+For these reasons, they are preferred over *configuration files* and *flags* where suitable.
 
 ## Extensions
 
@@ -70,10 +86,9 @@ There is a specific pattern for writing client programs that work well with
 Kubernetes called the *Controller* pattern. Controllers typically read an
 object's `.spec`, possibly do things, and then update the object's `.status`.
 
-A controller is a client of Kubernetes. When Kubernetes is the client and
-calls out to a remote service, it is called a *Webhook*. The remote service
-is called a *Webhook Backend*. Like Controllers, Webhooks do add a point of
-failure.
+A controller is a client of Kubernetes. When Kubernetes is the client and calls out to a remote
+service, it is called a *Webhook*. The remote service is called a *Webhook Backend*. Like
+Controllers, Webhooks do add a point of failure.
 
 In the webhook model, Kubernetes makes a network request to a remote service.
 In the *Binary Plugin* model, Kubernetes executes a binary (program).
@@ -95,15 +110,35 @@ This diagram shows the extension points in a Kubernetes system.
 <!-- image source diagrams: https://docs.google.com/drawings/d/1k2YdJgNTtNfW7_A8moIIkij-DmVgEhNrn3y2OODwqQQ/view -->
 ![Extension Points](/docs/concepts/extend-kubernetes/extension-points.png)
 
-1.   Users often interact with the Kubernetes API using `kubectl`. [Kubectl plugins](/docs/tasks/extend-kubectl/kubectl-plugins/) extend the kubectl binary. They only affect the individual user's local environment, and so cannot enforce site-wide policies.
-2.   The apiserver handles all requests. Several types of extension points in the apiserver allow authenticating requests, or blocking them based on their content, editing content, and handling deletion. These are described in the [API Access Extensions](#api-access-extensions) section.
-3.   The apiserver serves various kinds of *resources*. *Built-in resource kinds*, like `pods`, are defined by the Kubernetes project and can't be changed. You can also add resources that you define, or that other projects have defined, called *Custom Resources*, as explained in the [Custom Resources](#user-defined-types) section. Custom Resources are often used with API Access Extensions.
-4.   The Kubernetes scheduler decides which nodes to place pods on. There are several ways to extend scheduling. These are described in the [Scheduler Extensions](#scheduler-extensions) section.
-5.   Much of the behavior of Kubernetes is implemented by programs called Controllers which are clients of the API-Server. Controllers are often used in conjunction with Custom Resources.
-6.   The kubelet runs on servers, and helps pods appear like virtual servers with their own IPs on the cluster network. [Network Plugins](#network-plugins) allow for different implementations of pod networking.
-7.  The kubelet also mounts and unmounts volumes for containers. New types of storage can be supported via [Storage Plugins](#storage-plugins).
+1. Users often interact with the Kubernetes API using `kubectl`.
+   [Kubectl plugins](/docs/tasks/extend-kubectl/kubectl-plugins/) extend the kubectl binary.
+   They only affect the individual user's local environment, and so cannot enforce site-wide policies.
+
+1. The API server handles all requests. Several types of extension points in the API server allow
+   authenticating requests, or blocking them based on their content, editing content, and handling
+   deletion. These are described in the [API Access Extensions](#api-access-extensions) section.
+
+1. The API server serves various kinds of *resources*. *Built-in resource kinds*, like `pods`, are
+   defined by the Kubernetes project and can't be changed. You can also add resources that you
+   define, or that other projects have defined, called *Custom Resources*, as explained in the
+   [Custom Resources](#user-defined-types) section. Custom Resources are often used with API access
+   extensions.
+
+1. The Kubernetes scheduler decides which nodes to place pods on. There are several ways to extend
+   scheduling. These are described in the [Scheduler Extensions](#scheduler-extensions) section.
+
+1. Much of the behavior of Kubernetes is implemented by programs called Controllers which are
+   clients of the API server. Controllers are often used in conjunction with Custom Resources.
+
+1. The kubelet runs on servers, and helps pods appear like virtual servers with their own IPs on
+   the cluster network. [Network Plugins](#network-plugins) allow for different implementations of
+   pod networking.
 
-If you are unsure where to start, this flowchart can help. Note that some solutions may involve several types of extensions.
+1. The kubelet also mounts and unmounts volumes for containers. New types of storage can be
+   supported via [Storage Plugins](#storage-plugins).
+
+If you are unsure where to start, this flowchart can help. Note that some solutions may involve
+several types of extensions.
 
 <!-- image source drawing: https://docs.google.com/drawings/d/1sdviU6lDz4BpnzJNHfNpQrqI9F19QZ07KnhnxVrp2yg/edit -->
 ![Flowchart for Extension](/docs/concepts/extend-kubernetes/flowchart.png)
@@ -112,60 +147,86 @@ If you are unsure where to start, this flowchart can help. Note that some soluti
 
 ### User-Defined Types
 
-Consider adding a Custom Resource to Kubernetes if you want to define new controllers, application configuration objects or other declarative APIs, and to manage them using Kubernetes tools, such as `kubectl`.
+Consider adding a Custom Resource to Kubernetes if you want to define new controllers, application
+configuration objects or other declarative APIs, and to manage them using Kubernetes tools, such
+as `kubectl`.
 
 Do not use a Custom Resource as data storage for application, user, or monitoring data.
 
-For more about Custom Resources, see the [Custom Resources concept guide](/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
+For more about Custom Resources, see the
+[Custom Resources concept guide](/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
 
 
 ### Combining New APIs with Automation
 
-The combination of a custom resource API and a control loop is called the [Operator pattern](/docs/concepts/extend-kubernetes/operator/). The Operator pattern is used to manage specific, usually stateful, applications. These custom APIs and control loops can also be used to control other resources, such as storage or policies.
+The combination of a custom resource API and a control loop is called the
+[Operator pattern](/docs/concepts/extend-kubernetes/operator/). The Operator pattern is used to manage
+specific, usually stateful, applications. These custom APIs and control loops can also be used to
+control other resources, such as storage or policies.
 
 ### Changing Built-in Resources
 
-When you extend the Kubernetes API by adding custom resources, the added resources always fall into a new API Groups. You cannot replace or change existing API groups.
-Adding an API does not directly let you affect the behavior of existing APIs (e.g. Pods), but API Access Extensions do.
+When you extend the Kubernetes API by adding custom resources, the added resources always fall
+into a new API Groups. You cannot replace or change existing API groups.
+Adding an API does not directly let you affect the behavior of existing APIs (e.g. Pods), but API
+Access Extensions do.
 
 
 ### API Access Extensions
 
-When a request reaches the Kubernetes API Server, it is first Authenticated, then Authorized, then subject to various types of Admission Control. See [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/) for more on this flow.
+When a request reaches the Kubernetes API Server, it is first Authenticated, then Authorized, then
+subject to various types of Admission Control. See
+[Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/)
+for more on this flow.
 
 Each of these steps offers extension points.
 
-Kubernetes has several built-in authentication methods that it supports. It can also sit behind an authenticating proxy, and it can send a token from an Authorization header to a remote service for verification (a webhook). All of these methods are covered in the [Authentication documentation](/docs/reference/access-authn-authz/authentication/).
+Kubernetes has several built-in authentication methods that it supports. It can also sit behind an
+authenticating proxy, and it can send a token from an Authorization header to a remote service for
+verification (a webhook). All of these methods are covered in the
+[Authentication documentation](/docs/reference/access-authn-authz/authentication/).
 
 ### Authentication
 
-[Authentication](/docs/reference/access-authn-authz/authentication/) maps headers or certificates in all requests to a username for the client making the request.
-
-Kubernetes provides several built-in authentication methods, and an [Authentication webhook](/docs/reference/access-authn-authz/authentication/#webhook-token-authentication) method if those don't meet your needs.
+[Authentication](/docs/reference/access-authn-authz/authentication/) maps headers or certificates
+in all requests to a username for the client making the request.
 
+Kubernetes provides several built-in authentication methods, and an
+[Authentication webhook](/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
+method if those don't meet your needs.
 
 ### Authorization
 
-[Authorization](/docs/reference/access-authn-authz/authorization/) determines whether specific users can read, write, and do other operations on API resources. It works at the level of whole resources -- it doesn't discriminate based on arbitrary object fields. If the built-in authorization options don't meet your needs, [Authorization webhook](/docs/reference/access-authn-authz/webhook/) allows calling out to user-provided code to make an authorization decision.
-
+[Authorization](/docs/reference/access-authn-authz/authorization/) determines whether specific
+users can read, write, and do other operations on API resources. It works at the level of whole
+resources -- it doesn't discriminate based on arbitrary object fields. If the built-in
+authorization options don't meet your needs, [Authorization webhook](/docs/reference/access-authn-authz/webhook/)
+allows calling out to user-provided code to make an authorization decision.
 
 ### Dynamic Admission Control
 
-After a request is authorized, if it is a write operation, it also goes through [Admission Control](/docs/reference/access-authn-authz/admission-controllers/) steps. In addition to the built-in steps, there are several extensions:
+After a request is authorized, if it is a write operation, it also goes through
+[Admission Control](/docs/reference/access-authn-authz/admission-controllers/) steps.
+In addition to the built-in steps, there are several extensions:
 
-*   The [Image Policy webhook](/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook) restricts what images can be run in containers.
-*   To make arbitrary admission control decisions, a general [Admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) can be used. Admission Webhooks can reject creations or updates.
+* The [Image Policy webhook](/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook)
+  restricts what images can be run in containers.
+* To make arbitrary admission control decisions, a general
+  [Admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
+  can be used. Admission Webhooks can reject creations or updates.
 
 ## Infrastructure Extensions
 
 ### Storage Plugins
 
-[Flex Volumes](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/flexvolume-deployment.md
-) allow users to mount volume types without built-in support by having the
-Kubelet call a Binary Plugin to mount the volume.
-
-FlexVolume is deprecated since Kubernetes v1.23. The Out-of-tree CSI driver is the recommended way to write volume drivers in Kubernetes. See [Kubernetes Volume Plugin FAQ for Storage Vendors](https://github.com/kubernetes/community/blob/master/sig-storage/volume-plugin-faq.md#kubernetes-volume-plugin-faq-for-storage-vendors) for more information.
+[Flex Volumes](https://git.k8s.io/design-proposals-archive/storage/flexvolume-deployment.md)
+allow users to mount volume types without built-in support by having the kubelet call a binary
+plugin to mount the volume.
 
+FlexVolume is deprecated since Kubernetes v1.23. The out-of-tree CSI driver is the recommended way
+to write volume drivers in Kubernetes. See
+[Kubernetes Volume Plugin FAQ for Storage Vendors](https://github.com/kubernetes/community/blob/master/sig-storage/volume-plugin-faq.md#kubernetes-volume-plugin-faq-for-storage-vendors)
+for more information.
 
 ### Device Plugins
 
@@ -173,7 +234,6 @@ Device plugins allow a node to discover new Node resources (in addition to the
 builtin ones like cpu and memory) via a
 [Device Plugin](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/).
 
-
 ### Network Plugins
 
 Different networking fabrics can be supported via node-level
@@ -191,7 +251,7 @@ This is a significant undertaking, and almost all Kubernetes users find they
 do not need to modify the scheduler.
 
 The scheduler also supports a
-[webhook](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/scheduler_extender.md)
+[webhook](https://git.k8s.io/design-proposals-archive/scheduling/scheduler_extender.md)
 that permits a webhook backend (scheduler extension) to filter and prioritize
 the nodes chosen for a pod.
 
diff --git a/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md b/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
index 6785dccdac334..6f265f57f34cc 100644
--- a/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
+++ b/content/en/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
@@ -8,7 +8,7 @@ weight: 20
 <!-- overview -->
 {{< feature-state for_k8s_version="v1.10" state="beta" >}}
 
-Kubernetes provides a [device plugin framework](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/resource-management/device-plugin.md)
+Kubernetes provides a [device plugin framework](https://git.k8s.io/design-proposals-archive/resource-management/device-plugin.md)
 that you can use to advertise system hardware resources to the
 {{< glossary_tooltip term_id="kubelet" >}}.
 
diff --git a/content/en/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md b/content/en/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
index dc3940d5e9719..647111b37555a 100644
--- a/content/en/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
+++ b/content/en/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
@@ -14,6 +14,8 @@ weight: 10
 Kubernetes {{< skew currentVersion >}} supports [Container Network Interface](https://github.com/containernetworking/cni)
 (CNI) plugins for cluster networking. You must use a CNI plugin that is compatible with your cluster and that suits your needs. Different plugins are available (both open- and closed- source) in the wider Kubernetes ecosystem.
 
+A CNI plugin is required to implement the [Kubernetes network model](/docs/concepts/services-networking/#the-kubernetes-network-model). 
+
 You must use a CNI plugin that is compatible with the 
 [v0.4.0](https://github.com/containernetworking/cni/blob/spec-v0.4.0/SPEC.md) or later
 releases of the CNI specification. The Kubernetes project recommends using a plugin that is
@@ -24,26 +26,37 @@ CNI specification (plugins can be compatible with multiple spec versions).
 
 ## Installation
 
-A CNI plugin is required to implement the [Kubernetes network model](/docs/concepts/services-networking/#the-kubernetes-network-model). The CRI manages its own CNI plugins. There are two Kubelet command line parameters to keep in mind when using plugins:
+A Container Runtime, in the networking context, is a daemon on a node configured to provide CRI Services for kubelet. In particular, the Container Runtime must be configured to load the CNI plugins required to implement the Kubernetes network model.
 
-* `cni-bin-dir`: Kubelet probes this directory for plugins on startup
-* `network-plugin`: The network plugin to use from `cni-bin-dir`.  It must match the name reported by a plugin probed from the plugin directory.  For CNI plugins, this is `cni`.
+{{< note >}}
+Prior to Kubernetes 1.24, the CNI plugins could also be managed by the kubelet using the `cni-bin-dir` and `network-plugin` command-line parameters.
+These command-line parameters were removed in Kubernetes 1.24, with management of the CNI no longer in scope for kubelet.
 
-## Network Plugin Requirements
+See [Troubleshooting CNI plugin-related errors](/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors/)
+if you are facing issues following the removal of dockershim.
+{{< /note >}}
+
+For specific information about how a Container Runtime manages the CNI plugins, see the documentation for that Container Runtime, for example:
+- [containerd](https://github.com/containerd/containerd/blob/main/script/setup/install-cni)
+- [CRI-O](https://github.com/cri-o/cri-o/blob/main/contrib/cni/README.md)
 
-Besides providing the [`NetworkPlugin` interface](https://github.com/kubernetes/kubernetes/tree/{{< param "fullversion" >}}/pkg/kubelet/dockershim/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy.  The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables.  For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly.  If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.
+For specific information about how to install and manage a CNI plugin, see the documentation for that plugin or [networking provider](/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model).
 
-By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like Docker with a bridge) work correctly with the iptables proxy.
+## Network Plugin Requirements
 
-### CNI
+For plugin developers and users who regularly build or deploy Kubernetes, the plugin may also need specific configuration to support kube-proxy.
+The iptables proxy depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables.
+For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly.
+If the plugin does not use a Linux bridge, but uses something like Open vSwitch or some other mechanism instead, it should ensure container traffic is appropriately routed for the proxy.
 
-The CNI plugin is selected by passing Kubelet the `--network-plugin=cni` command-line option.  Kubelet reads a file from `--cni-conf-dir` (default `/etc/cni/net.d`) and uses the CNI configuration from that file to set up each pod's network.  The CNI configuration file must match the [CNI specification](https://github.com/containernetworking/cni/blob/master/SPEC.md#network-configuration), and any required CNI plugins referenced by the configuration must be present in `--cni-bin-dir` (default `/opt/cni/bin`).
+By default, if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like Docker with a bridge) work correctly with the iptables proxy.
 
-If there are multiple CNI configuration files in the directory, the kubelet uses the configuration file that comes first by name in lexicographic order.
+### Loopback CNI
 
-In addition to the CNI plugin specified by the configuration file, Kubernetes requires the standard CNI [`lo`](https://github.com/containernetworking/plugins/blob/master/plugins/main/loopback/loopback.go) plugin, at minimum version 0.2.0
+In addition to the CNI plugin installed on the nodes for implementing the Kubernetes network model, Kubernetes also requires the container runtimes to provide a loopback interface `lo`, which is used for each sandbox (pod sandboxes, vm sandboxes, ...).
+Implementing the loopback interface can be accomplished by re-using the [CNI loopback plugin.](https://github.com/containernetworking/plugins/blob/master/plugins/main/loopback/loopback.go) or by developing your own code to achieve this (see [this example from CRI-O](https://github.com/cri-o/ocicni/blob/release-1.24/pkg/ocicni/util_linux.go#L91)).
 
-#### Support hostPort
+### Support hostPort
 
 The CNI networking plugin supports `hostPort`. You can use the official [portmap](https://github.com/containernetworking/plugins/tree/master/plugins/meta/portmap)
 plugin offered by the CNI plugin team or use your own plugin with portMapping functionality.
@@ -80,7 +93,7 @@ For example:
 }
 ```
 
-#### Support traffic shaping
+### Support traffic shaping
 
 **Experimental Feature**
 
@@ -132,8 +145,4 @@ metadata:
 ...
 ```
 
-## Usage Summary
-
-* `--network-plugin=cni` specifies that we use the `cni` network plugin with actual CNI plugin binaries located in `--cni-bin-dir` (default `/opt/cni/bin`) and CNI plugin configuration located in `--cni-conf-dir` (default `/etc/cni/net.d`).
-
 ## {{% heading "whatsnext" %}}
diff --git a/content/en/docs/concepts/extend-kubernetes/operator.md b/content/en/docs/concepts/extend-kubernetes/operator.md
index 96a17ada96601..133814e98acb5 100644
--- a/content/en/docs/concepts/extend-kubernetes/operator.md
+++ b/content/en/docs/concepts/extend-kubernetes/operator.md
@@ -111,7 +111,9 @@ Operator.
 {{% thirdparty-content %}}
 
 * [Charmed Operator Framework](https://juju.is/)
+* [Java Operator SDK](https://github.com/java-operator-sdk/java-operator-sdk)
 * [Kopf](https://github.com/nolar/kopf) (Kubernetes Operator Pythonic Framework)
+* [kube-rs](https://kube.rs/) (Rust)
 * [kubebuilder](https://book.kubebuilder.io/)
 * [KubeOps](https://buehler.github.io/dotnet-operator-sdk/) (.NET operator SDK)
 * [KUDO](https://kudo.dev/) (Kubernetes Universal Declarative Operator)
diff --git a/content/en/docs/concepts/overview/kubernetes-api.md b/content/en/docs/concepts/overview/kubernetes-api.md
index 3c0bba3adb927..b72d1aab1fdd8 100644
--- a/content/en/docs/concepts/overview/kubernetes-api.md
+++ b/content/en/docs/concepts/overview/kubernetes-api.md
@@ -76,7 +76,7 @@ request headers as follows:
 
 Kubernetes implements an alternative Protobuf based serialization format that
 is primarily intended for intra-cluster communication. For more information
-about this format, see the [Kubernetes Protobuf serialization](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/protobuf.md) design proposal and the
+about this format, see the [Kubernetes Protobuf serialization](https://git.k8s.io/design-proposals-archive/api-machinery/protobuf.md) design proposal and the
 Interface Definition Language (IDL) files for each schema located in the Go
 packages that define the API objects.
 
diff --git a/content/en/docs/concepts/overview/working-with-objects/names.md b/content/en/docs/concepts/overview/working-with-objects/names.md
index 9bafb1584c549..7b6b380e3566d 100644
--- a/content/en/docs/concepts/overview/working-with-objects/names.md
+++ b/content/en/docs/concepts/overview/working-with-objects/names.md
@@ -100,4 +100,4 @@ UUIDs are standardized as ISO/IEC 9834-8 and as ITU-T X.667.
 ## {{% heading "whatsnext" %}}
 
 * Read about [labels](/docs/concepts/overview/working-with-objects/labels/) in Kubernetes.
-* See the [Identifiers and Names in Kubernetes](https://git.k8s.io/community/contributors/design-proposals/architecture/identifiers.md) design document.
+* See the [Identifiers and Names in Kubernetes](https://git.k8s.io/design-proposals-archive/architecture/identifiers.md) design document.
diff --git a/content/en/docs/concepts/policy/limit-range.md b/content/en/docs/concepts/policy/limit-range.md
index 8158b78437516..f5a7e66cace4a 100644
--- a/content/en/docs/concepts/policy/limit-range.md
+++ b/content/en/docs/concepts/policy/limit-range.md
@@ -53,7 +53,7 @@ Neither contention nor changes to a LimitRange will affect already created resou
 
 ## {{% heading "whatsnext" %}}
 
-Refer to the [LimitRanger design document](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md) for more information.
+Refer to the [LimitRanger design document](https://git.k8s.io/design-proposals-archive/resource-management/admission_control_limit_range.md) for more information.
 
 For examples on using limits, see:
 
diff --git a/content/en/docs/concepts/policy/resource-quotas.md b/content/en/docs/concepts/policy/resource-quotas.md
index 0e88ca34335a0..8d9490b8289eb 100644
--- a/content/en/docs/concepts/policy/resource-quotas.md
+++ b/content/en/docs/concepts/policy/resource-quotas.md
@@ -22,8 +22,7 @@ be consumed by resources in that namespace.
 
 Resource quotas work like this:
 
-- Different teams work in different namespaces.  Currently this is voluntary, but
-  support for making this mandatory via ACLs is planned.
+- Different teams work in different namespaces. This can be enforced with [RBAC](/docs/reference/access-authn-authz/rbac/).
 
 - The administrator creates one ResourceQuota for each namespace.
 
@@ -698,7 +697,7 @@ and it is to be created in a namespace other than `kube-system`.
 
 ## {{% heading "whatsnext" %}}
 
-- See [ResourceQuota design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md) for more information.
+- See [ResourceQuota design doc](https://git.k8s.io/design-proposals-archive/resource-management/admission_control_resource_quota.md) for more information.
 - See a [detailed example for how to use resource quota](/docs/tasks/administer-cluster/quota-api-object/).
-- Read [Quota support for priority class design doc](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/pod-priority-resourcequota.md).
+- Read [Quota support for priority class design doc](https://git.k8s.io/design-proposals-archive/scheduling/pod-priority-resourcequota.md).
 - See [LimitedResources](https://github.com/kubernetes/kubernetes/pull/36765)
diff --git a/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
index 067e3d60ed76b..db9f1d900d682 100644
--- a/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -124,8 +124,8 @@ For example, consider the following Pod spec:
 
 In this example, the following rules apply:
 
-  * The node *must* have a label with the key `kubernetes.io/os` and
-    the value `linux`.
+  * The node *must* have a label with the key `topology.kubernetes.io/zone` and
+    the value of that label *must* be either `antarctica-east1` or `antarctica-west1`.
   * The node *preferably* has a label with the key `another-node-label-key` and
     the value `another-node-label-value`.
 
@@ -302,9 +302,8 @@ the Pod onto a node that is in the same zone as one or more Pods with the label
 `topology.kubernetes.io/zone=R` label if there are other nodes in the
 same zone currently running Pods with the `Security=S2` Pod label.
 
-See the
-[design doc](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md)
-for many more examples of Pod affinity and anti-affinity.
+To get yourself more familiar with the examples of Pod affinity and anti-affinity,
+refer to the [design proposal](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md).
 
 You can use the `In`, `NotIn`, `Exists` and `DoesNotExist` values in the
 `operator` field for Pod affinity and anti-affinity.
@@ -472,8 +471,8 @@ The above Pod will only run on the node `kube-01`.
 ## {{% heading "whatsnext" %}}
 
 * Read more about [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-toleration/) .
-* Read the design docs for [node affinity](https://git.k8s.io/community/contributors/design-proposals/scheduling/nodeaffinity.md)
-  and for [inter-pod affinity/anti-affinity](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md).
+* Read the design docs for [node affinity](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)
+  and for [inter-pod affinity/anti-affinity](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md).
 * Learn about how the [topology manager](/docs/tasks/administer-cluster/topology-manager/) takes part in node-level
   resource allocation decisions. 
 * Learn how to use [nodeSelector](/docs/tasks/configure-pod-container/assign-pods-nodes/).
diff --git a/content/en/docs/concepts/scheduling-eviction/pod-overhead.md b/content/en/docs/concepts/scheduling-eviction/pod-overhead.md
index 72b160653e1ae..2610ea80ad998 100644
--- a/content/en/docs/concepts/scheduling-eviction/pod-overhead.md
+++ b/content/en/docs/concepts/scheduling-eviction/pod-overhead.md
@@ -97,7 +97,7 @@ The output is:
 map[cpu:250m memory:120Mi]
 ```
 
-If a ResourceQuota is defined, the sum of container requests as well as the
+If a [ResourceQuota](/docs/concepts/policy/resource-quotas/) is defined, the sum of container requests as well as the
 `overhead` field are counted.
 
 When the kube-scheduler is deciding which node should run a new Pod, the scheduler considers that Pod's
diff --git a/content/en/docs/concepts/scheduling-eviction/resource-bin-packing.md b/content/en/docs/concepts/scheduling-eviction/resource-bin-packing.md
index a81d9904ac632..951d3f273de4e 100644
--- a/content/en/docs/concepts/scheduling-eviction/resource-bin-packing.md
+++ b/content/en/docs/concepts/scheduling-eviction/resource-bin-packing.md
@@ -3,70 +3,100 @@ reviewers:
 - bsalamat
 - k82cn
 - ahg-g
-title: Resource Bin Packing for Extended Resources
+title: Resource Bin Packing
 content_type: concept
 weight: 80
 ---
 
 <!-- overview -->
 
-{{< feature-state for_k8s_version="v1.16" state="alpha" >}}
-
-The kube-scheduler can be configured to enable bin packing of resources along
-with extended resources using `RequestedToCapacityRatioResourceAllocation`
-priority function. Priority functions can be used to fine-tune the
-kube-scheduler as per custom needs. 
+In the [scheduling-plugin](/docs/reference/scheduling/config/#scheduling-plugins)  `NodeResourcesFit` of kube-scheduler, there are two 
+scoring strategies that support the bin packing of resources: `MostAllocated` and `RequestedToCapacityRatio`.
 
 <!-- body -->
 
-## Enabling Bin Packing using RequestedToCapacityRatioResourceAllocation
+## Enabling bin packing using MostAllocated strategy
+The `MostAllocated` strategy scores the nodes based on the utilization of resources, favoring the ones with higher allocation.
+For each resource type, you can set a weight to modify its influence in the node score.
+
+To set the `MostAllocated` strategy for the `NodeResourcesFit` plugin, use a
+[scheduler configuration](/docs/reference/scheduling/config) similar to the following:
 
-Kubernetes allows the users to specify the resources along with weights for
+```yaml
+apiVersion: kubescheduler.config.k8s.io/v1beta3
+kind: KubeSchedulerConfiguration
+profiles:
+- pluginConfig:
+  - args:
+      scoringStrategy:
+        resources:
+        - name: cpu
+          weight: 1
+        - name: memory
+          weight: 1
+        - name: intel.com/foo
+          weight: 3
+        - name: intel.com/bar
+          weight: 3
+        type: MostAllocated
+    name: NodeResourcesFit
+```
+
+To learn more about other parameters and their default configuration, see the API documentation for 
+[`NodeResourcesFitArgs`](/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs).
+
+## Enabling bin packing using RequestedToCapacityRatio
+
+The `RequestedToCapacityRatio` strategy allows the users to specify the resources along with weights for
 each resource to score nodes based on the request to capacity ratio. This
 allows users to bin pack extended resources by using appropriate parameters
-and improves the utilization of scarce resources in large clusters. The
-behavior of the `RequestedToCapacityRatioResourceAllocation` priority function
-can be controlled by a configuration option called `RequestedToCapacityRatioArgs`. 
-This argument consists of two parameters `shape` and `resources`. The `shape` 
+to improve the utilization of scarce resources in large clusters. It favors nodes according to a
+configured function of the allocated resources. The behavior of the `RequestedToCapacityRatio` in
+the `NodeResourcesFit` score function can be controlled by the
+[scoringStrategy](/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy) field.
+Within the `scoringStrategy` field, you can configure two parameters: `requestedToCapacityRatioParam` and
+`resources`. The `shape` in `requestedToCapacityRatioParam` 
 parameter allows the user to tune the function as least requested or most 
 requested based on `utilization` and `score` values.  The `resources` parameter 
 consists of `name` of the resource to be considered during scoring and `weight` 
 specify the weight of each resource.
 
 Below is an example configuration that sets
-`requestedToCapacityRatioArguments` to bin packing behavior for extended
-resources `intel.com/foo` and `intel.com/bar`.
+the bin packing behavior for extended resources `intel.com/foo` and `intel.com/bar`
+using the `requestedToCapacityRatio` field.
 
 ```yaml
 apiVersion: kubescheduler.config.k8s.io/v1beta3
 kind: KubeSchedulerConfiguration
 profiles:
-# ...
-  pluginConfig:
-  - name: RequestedToCapacityRatio
-    args: 
-      shape:
-      - utilization: 0
-        score: 10
-      - utilization: 100
-        score: 0
-      resources:
-      - name: intel.com/foo
-        weight: 3
-      - name: intel.com/bar
-        weight: 5
+- pluginConfig:
+  - args:
+      scoringStrategy:
+        resources:
+        - name: intel.com/foo
+          weight: 3
+        - name: intel.com/bar
+          weight: 3
+        requestedToCapacityRatioParam:
+          shape:
+          - utilization: 0
+            score: 0
+          - utilization: 100
+            score: 10
+        type: RequestedToCapacityRatio
+    name: NodeResourcesFit
 ```
 
 Referencing the `KubeSchedulerConfiguration` file with the kube-scheduler 
 flag `--config=/path/to/config/file` will pass the configuration to the 
 scheduler.
 
-**This feature is disabled by default**
+To learn more about other parameters and their default configuration, see the API documentation for 
+[`NodeResourcesFitArgs`](/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs).
 
-### Tuning the Priority Function
+### Tuning the score function
 
-`shape` is used to specify the behavior of the
-`RequestedToCapacityRatioPriority` function.
+`shape` is used to specify the behavior of the `RequestedToCapacityRatio` function.
 
 ```yaml
 shape:
diff --git a/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md b/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md
index 030f28e7d1887..ff7718a1f3fe4 100644
--- a/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md
+++ b/content/en/docs/concepts/scheduling-eviction/taint-and-toleration.md
@@ -15,8 +15,7 @@ is a property of {{< glossary_tooltip text="Pods" term_id="pod" >}} that *attrac
 a set of {{< glossary_tooltip text="nodes" term_id="node" >}} (either as a preference or a
 hard requirement). _Taints_ are the opposite -- they allow a node to repel a set of pods.
 
-_Tolerations_ are applied to pods, and allow (but do not require) the pods to schedule
-onto nodes with matching taints.
+_Tolerations_ are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling: the scheduler also [evaluates other parameters](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) as part of its function.
 
 Taints and tolerations work together to ensure that pods are not scheduled
 onto inappropriate nodes. One or more taints are applied to a node; this
diff --git a/content/en/docs/concepts/security/controlling-access.md b/content/en/docs/concepts/security/controlling-access.md
index e7ba78e1c4cff..04b13a82c5f29 100644
--- a/content/en/docs/concepts/security/controlling-access.md
+++ b/content/en/docs/concepts/security/controlling-access.md
@@ -4,6 +4,7 @@ reviewers:
 - lavalamp
 title: Controlling Access to the Kubernetes API
 content_type: concept
+weight: 50
 ---
 
 <!-- overview -->
diff --git a/content/en/docs/concepts/security/multi-tenancy.md b/content/en/docs/concepts/security/multi-tenancy.md
new file mode 100755
index 0000000000000..8db2ad87c1c5c
--- /dev/null
+++ b/content/en/docs/concepts/security/multi-tenancy.md
@@ -0,0 +1,271 @@
+---
+title: Multi-tenancy
+content_type: concept
+weight: 70
+---
+
+<!-- overview -->
+
+This page provides an overview of available configuration options and best practices for cluster multi-tenancy.
+
+Sharing clusters saves costs and simplifies administration. However, sharing clusters also presents challenges such as security, fairness, and managing _noisy neighbors_.
+
+Clusters can be shared in many ways. In some cases, different applications may run in the same cluster. In other cases, multiple instances of the same application may run in the same cluster, one for each end user. All these types of sharing are frequently described using the umbrella term _multi-tenancy_.
+
+While Kubernetes does not have first-class concepts of end users or tenants, it provides several features to help manage different tenancy requirements. These are discussed below.
+
+<!-- body -->
+## Use cases
+
+The first step to determining how to share your cluster is understanding your use case, so you can evaluate the patterns and tools available. In general, multi-tenancy in Kubernetes clusters falls into two broad categories, though many variations and hybrids are also possible.
+
+### Multiple teams 
+
+A common form of multi-tenancy is to share a cluster between multiple teams within an organization, each of whom may operate one or more workloads. These workloads frequently need to communicate with each other, and with other workloads located on the same or different clusters.
+
+In this scenario, members of the teams often have direct access to Kubernetes resources via tools such as `kubectl`, or indirect access through GitOps controllers or other types of release automation tools. There is often some level of trust between members of different teams, but Kubernetes policies such as RBAC, quotas, and network policies are essential to safely and fairly share clusters.
+
+### Multiple customers 
+
+The other major form of multi-tenancy frequently involves a Software-as-a-Service (SaaS) vendor running multiple instances of a workload for customers. This business model is so strongly associated with this deployment style that many people call it "SaaS tenancy." However, a better term might be "multi-customer tenancy,” since SaaS vendors may also use other deployment models, and this deployment model can also be used outside of SaaS.
+
+
+In this scenario, the customers do not have access to the cluster; Kubernetes is invisible from their perspective and is only used by the vendor to manage the workloads. Cost optimization is frequently a critical concern, and Kubernetes policies are used to ensure that the workloads are strongly isolated from each other.
+
+
+## Terminology
+
+### Tenants
+
+When discussing multi-tenancy in Kubernetes, there is no single definition for a "tenant". Rather, the definition of a tenant will vary depending on whether multi-team or multi-customer tenancy is being discussed.
+
+In multi-team usage, a tenant is typically a team, where each team typically deploys a small number of workloads that scales with the complexity of the service. However, the definition of "team" may itself be fuzzy, as teams may be organized into higher-level divisions or subdivided into smaller teams.
+
+
+By contrast, if each team deploys dedicated workloads for each new client, they are using a multi-customer model of tenancy. In this case, a "tenant" is simply a group of users who share a single workload. This may be as large as an entire company, or as small as a single team at that company.
+
+In many cases, the same organization may use both definitions of "tenants" in different contexts. For example, a platform team may offer shared services such as security tools and databases to multiple internal “customers” and a SaaS vendor may also have multiple teams sharing a development cluster. Finally, hybrid architectures are also possible, such as a SaaS provider using a combination of per-customer workloads for sensitive data, combined with multi-tenant shared services.
+
+
+{{< figure src="/images/docs/multi-tenancy.png" title="A cluster showing coexisting tenancy models" class="diagram-large" >}}
+
+
+### Isolation
+
+There are several ways to design and build multi-tenant solutions with Kubernetes. Each of these methods comes with its own set of tradeoffs that impact the isolation level, implementation effort, operational complexity, and cost of service. 
+
+
+A Kubernetes cluster consists of a control plane which runs Kubernetes software, and a data plane consisting of worker nodes where tenant workloads are executed as pods. Tenant isolation can be applied in both the control plane and the data plane based on organizational requirements.
+
+The level of isolation offered is sometimes described using terms like “hard” multi-tenancy, which implies strong isolation, and “soft” multi-tenancy, which implies weaker isolation. In particular, "hard" multi-tenancy is often used to describe cases where the tenants do not trust each other, often from security and resource sharing perspectives (e.g. guarding against attacks such as data exfiltration or DoS). Since data planes typically have much larger attack surfaces, "hard" multi-tenancy often requires extra attention to isolating the data-plane, though control plane isolation  also remains critical. 
+
+However, the terms "hard" and "soft" can often be confusing, as there is no single definition that will apply to all users. Rather, "hardness" or "softness" is better understood as a broad spectrum, with many different techniques that can be used to maintain different types of isolation in your clusters, based on your requirements.
+
+
+In more extreme cases, it may be easier or necessary to forgo any cluster-level sharing at all and assign each tenant their dedicated cluster, possibly even running on dedicated hardware if VMs are not considered an adequate security boundary. This may be easier with managed Kubernetes clusters, where the overhead of creating and operating clusters is at least somewhat taken on by a cloud provider. The benefit of stronger tenant isolation must be evaluated against the cost and complexity of managing multiple clusters. The [Multi-cluster SIG](https://git.k8s.io/community/sig-multicluster/README.md) is responsible for addressing these types of use cases.
+
+
+
+The remainder of this page focuses on isolation techniques used for shared Kubernetes clusters. However, even if you are considering dedicated clusters, it may be valuable to review these recommendations, as it will give you the flexibility to shift to shared clusters in the future if your needs or capabilities change.
+
+
+## Control plane isolation
+
+Control plane isolation ensures that different tenants cannot access or affect each others' Kubernetes API resources. 
+
+### Namespaces
+
+In Kubernetes, a {{< glossary_tooltip text="Namespace" term_id="namespace" >}} provides a mechanism for isolating groups of API resources within a single cluster. This isolation has two key dimensions:
+
+1. Object names within a namespace can overlap with names in other namespaces, similar to files in folders. This allows tenants to name their resources without having to consider what other tenants are doing.
+
+2. Many Kubernetes security policies are scoped to namespaces. For example, RBAC Roles and Network Policies are namespace-scoped resources. Using RBAC, Users and Service Accounts can be restricted to a namespace.
+
+In a multi-tenant environment, a Namespace helps segment a tenant's workload into a logical and distinct management unit. In fact, a common practice is to isolate every workload in its own namespace, even if multiple workloads are operated by the same tenant. This ensures that each workload has its own identity and can be configured with an appropriate security policy.
+
+The namespace isolation model requires configuration of several other Kubernetes resources, networking plugins, and adherence to security best practices to properly isolate tenant workloads. These considerations are discussed below.
+
+### Access controls
+
+The most important type of isolation for the control plane is authorization. If teams or their workloads can access or modify each others' API resources, they can change or disable all other types of policies thereby negating any protection those policies may offer. As a result, it is critical to ensure that each tenant has the appropriate access to only the namespaces they need, and no more. This is known as the "Principle of Least Privilege."
+
+
+Role-based access control (RBAC) is commonly used to enforce authorization in the Kubernetes control plane, for both users and workloads (service accounts). [Roles](/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) and [role bindings](/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) are Kubernetes objects that are used at a namespace level to enforce access control in your application; similar objects exist for authorizing access to cluster-level objects, though these are less useful for multi-tenant clusters.
+
+In a multi-team environment, RBAC must be used to restrict tenants' access to the appropriate namespaces, and ensure that cluster-wide resources can only be accessed or modified by privileged users such as cluster administrators. 
+
+If a policy ends up granting a user more permissions than they need, this is likely a signal that the namespace containing the affected resources should be refactored into finer-grained namespaces. Namespace management tools may simplify the management of these finer-grained namespaces by applying common RBAC policies to different namespaces, while still allowing fine-grained policies where necessary.
+
+### Quotas 
+
+Kubernetes workloads consume node resources, like CPU and memory.  In a multi-tenant environment, you can use
+[Resource Quotas](/docs/concepts/policy/resource-quotas/) to manage resource usage of tenant workloads.
+For the multiple teams use case, where tenants have access to the Kubernetes API, you can use resource quotas
+to limit the number of API resources (for example: the number of Pods, or the number of ConfigMaps)
+that a tenant can create. Limits on object count ensure fairness and aim to avoid _noisy neighbor_ issues from
+affecting other tenants that share a control plane.
+
+Resource quotas are namespaced objects. By mapping tenants to namespaces, cluster admins can use quotas to ensure that a tenant cannot monopolize a cluster's resources or overwhelm its control plane. Namespace management tools simplify the administration of quotas. In addition, while Kubernetes quotas only apply within a single namespace, some namespace management tools allow groups of namespaces to share quotas, giving administrators far more flexibility with less effort than built-in quotas.
+
+Quotas prevent a single tenant from consuming greater than their allocated share of resources hence minimizing the “noisy neighbor” issue, where one tenant negatively impacts the performance of other tenants' workloads. 
+
+When you apply a quota to namespace, Kubernetes requires you to also specify resource requests and limits for each container. Limits are the upper bound for the amount of resources that a container can consume. Containers that attempt to consume resources that exceed the configured limits will either be throttled or killed, based on the resource type. When resource requests are set lower than limits, each container is guaranteed the requested amount but there may still be some potential for impact across workloads.
+
+Quotas cannot protect against all kinds of resource sharing, such as network traffic. Node isolation (described below) may be a better solution for this problem.
+
+## Data Plane Isolation
+
+Data plane isolation ensures that pods and workloads for different tenants are sufficiently isolated.
+
+### Network isolation
+
+By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all network traffic is unencrypted. This can lead to security vulnerabilities where traffic is accidentally or maliciously sent to an unintended destination, or is intercepted by a workload on a compromised node.
+
+Pod-to-pod communication can be controlled  using [Network Policies](/docs/concepts/services-networking/network-policies/), which restrict communication between pods using namespace labels or IP address ranges. In a multi-tenant environment where strict network isolation between tenants is required,   starting with a default policy that denies communication between pods is recommended with another rule that allows all pods to query the DNS server for name resolution. With such a default policy in place, you can begin adding more permissive rules that allow for communication within a namespace. This scheme can be further refined as required. Note that this only applies to pods within a single control plane; pods that belong to different virtual control planes cannot talk to each other via Kubernetes networking.
+
+Namespace management tools may simplify the creation of default or common network policies. In addition, some of these tools allow you to enforce a consistent set of namespace labels across your cluster, ensuring that they are a trusted basis for your policies.
+
+{{< warning >}}
+Network policies require a [CNI plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni) that supports the implementation of network policies. Otherwise, NetworkPolicy resources will be ignored.
+{{< /warning >}}
+
+More advanced network isolation may be provided by service meshes, which provide OSI Layer 7 policies based on workload identity, in addition to namespaces. These higher-level policies can make it easier to manage namespaced based multi-tenancy, especially when multiple namespaces are dedicated to a single tenant. They frequently also offer encryption using mutual TLS, protecting your data even in the presence of a compromised node, and work across dedicated or virtual clusters. However, they can be significantly more complex to manage and may not be appropriate for all users.
+
+### Storage isolation
+
+Kubernetes offers several types of volumes that can be used as persistent storage for workloads. For security and data-isolation, [dynamic volume provisioning](/docs/concepts/storage/dynamic-provisioning/) is recommended and volume types that use node resources should be avoided. 
+
+[StorageClasses](/docs/concepts/storage/storage-classes/) allow you to describe custom "classes" of storage offered by your cluster, based on quality-of-service levels, backup policies, or custom policies determined by the cluster administrators. 
+
+Pods can request storage using a [PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/). A PersistentVolumeClaim is a namespaced resource, which enables isolating portions of the storage system and dedicating it to tenants within the shared Kubernetes cluster. However, it is important to note that a PersistentVolume is a cluster-wide resource and has a lifecycle independent of workloads and namespaces.
+
+For example, you can configure a separate StorageClass for each tenant and use this to strengthen isolation.
+If a StorageClass is shared, you should set a [reclaim policy of `Delete`](/docs/concepts/storage/storage-classes/#reclaim-policy)
+to ensure that a PersistentVolume cannot be reused across different namespaces.
+
+### Sandboxing containers
+
+{{% thirdparty-content %}}
+
+Kubernetes pods are composed of one or more containers that execute on worker nodes. Containers utilize OS-level virtualization and hence offer a weaker isolation boundary than virtual machines that utilize hardware-based virtualization.
+
+In a shared environment, unpatched vulnerabilities in the application and system layers can be exploited by attackers for container breakouts and remote code execution that allow access to host resources. In some applications, like a Content Management System (CMS), customers may be allowed the ability to upload and execute untrusted scripts or code. In either case, mechanisms to further isolate and protect workloads using strong isolation are desirable.
+
+Sandboxing provides a way to isolate workloads running in a shared cluster. It typically involves running each pod in a separate execution environment such as a virtual machine or a userspace kernel. Sandboxing is often recommended when you are running untrusted code, where workloads are assumed to be malicious. Part of the reason this type of isolation is necessary is because containers are processes running on a shared kernel; they mount file systems like /sys and /proc from the underlying host, making them less secure than an application that runs on a virtual machine which has its own kernel. While controls such as seccomp, AppArmor, and SELinux can be used to strengthen the security of containers, it is hard to apply a universal set of rules to all workloads running in a shared cluster. Running workloads in a sandbox environment helps to insulate the host from container escapes, where an attacker exploits a vulnerability to gain access to the host system and all the processes/files running on that host.
+
+Virtual machines and userspace kernels are 2 popular approaches to sandboxing. The following sandboxing implementations are available:
+* [gVisor](https://gvisor.dev/) intercepts syscalls from containers and runs them through a userspace kernel, written in Go, with limited access to the underlying host.
+* [Kata Containers](https://katacontainers.io/) is an OCI compliant runtime that allows you to run containers in a VM. The hardware virtualization available in Kata offers an added layer of security for containers running untrusted code. 
+
+### Node Isolation
+
+Node isolation is another technique that you can use to isolate tenant workloads from each other. With node isolation, a set of nodes is dedicated to running pods from a particular tenant and co-mingling of tenant pods is prohibited. This configuration reduces the noisy tenant issue, as all pods running on a node will belong to a single tenant. The risk of information disclosure is slightly lower with node isolation because an attacker that manages to escape from a container will only have access to the containers and volumes mounted to that node.
+
+Although workloads from different tenants are running on different nodes, it is important to be aware that the kubelet and (unless using virtual control planes) the API service are still shared services. A skilled attacker could use the permissions assigned to the kubelet or other pods running on the node to move laterally within the cluster and gain access to tenant workloads running on other nodes. If this is a major concern, consider implementing compensating controls such as seccomp, AppArmor or SELinux or explore using sandboxed containers or creating separate clusters for each tenant. 
+
+Node isolation is a little easier to reason about from a billing standpoint than sandboxing containers since you can charge back per node rather than per pod. It also has fewer compatibility and performance issues and may be easier to implement than sandboxing containers. For example, nodes for each tenant can be configured with taints so that only pods with the corresponding toleration can run on them. A mutating webhook could then be used to automatically add tolerations and node affinities to pods deployed into tenant namespaces so that they run on a specific set of nodes designated for that tenant.
+
+Node isolation can be implemented using an [pod node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) or a [Virtual Kubelet](https://github.com/virtual-kubelet).
+
+## Additional Considerations
+
+This section discusses other Kubernetes constructs and patterns that are relevant for multi-tenancy.
+
+### API Priority and Fairness
+
+[API priority and fairness](/docs/concepts/cluster-administration/flow-control/) is a Kubernetes feature that allows you to assign a priority to certain pods running within the cluster. When an application calls the Kubernetes API, the API server evaluates the priority assigned to pod. Calls from pods with higher priority are fulfilled before those with a lower priority. When contention is high, lower priority calls can be queued until the server is less busy or you can reject the requests. 
+
+Using API priority and fairness will not be very common in SaaS environments unless you are allowing customers to run applications that interface with the Kubernetes API, e.g. a controller.
+
+### Quality-of-Service (QoS) {#qos}
+
+When you’re running a SaaS application, you may want the ability to offer different Quality-of-Service (QoS) tiers of service to different tenants. For example, you may have freemium service that comes with fewer performance guarantees and features and a for-fee service tier with specific performance guarantees. Fortunately, there are several Kubernetes constructs that can help you accomplish this within a shared cluster, including network QoS, storage classes, and pod priority and preemption. The idea with each of these is to provide tenants with the quality of service that they paid for. Let’s start by looking at networking QoS. 
+
+Typically, all pods on a node share a network interface. Without network QoS, some pods may consume an unfair share of the available bandwidth at the expense of other pods. The Kubernetes [bandwidth plugin](https://www.cni.dev/plugins/current/meta/bandwidth/) creates an [extended resource](/docs/concepts/configuration/manage-resources-containers/#extended-resources) for networking that allows you to use Kubernetes resources constructs, i.e. requests/limits, to apply rate limits to pods by using Linux tc queues. Be aware that the plugin is considered experimental as per the [Network Plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#support-traffic-shaping) documentation and should be thoroughly tested before use in production environments. 
+
+For storage QoS, you will likely want to create different storage classes or profiles with different performance characteristics. Each storage profile can be associated with a different tier of service that is optimized for different workloads such IO, redundancy, or throughput. Additional logic might be necessary to allow the tenant to associate the appropriate storage profile with their workload.
+
+Finally, there’s [pod priority and preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/) where you can assign priority values to pods. When scheduling pods, the scheduler will try evicting pods with lower priority when there are insufficient resources to schedule pods that are assigned a higher priority. If you have a use case where tenants have different service tiers in in a shared cluster e.g. free and paid, you may want to give higher priority to certain tiers using this feature.
+
+### DNS
+
+Kubernetes clusters include a Domain Name System (DNS) service to provide translations from names to IP addresses, for all Services and Pods. By default, the Kubernetes DNS service allows lookups across all namespaces in the cluster.
+
+In multi-tenant environments where tenants can access pods and other Kubernetes resources, or where
+stronger isolation is required, it may be necessary to prevent pods from looking up services in other
+Namespaces.
+You can restrict cross-namespace DNS lookups by configuring security rules for the DNS service.
+For example, CoreDNS (the default DNS service for Kubernetes) can leverage Kubernetes metadata
+to restrict queries to Pods and Services within a namespace. For more information, read an
+[example](https://github.com/coredns/policy#kubernetes-metadata-multi-tenancy-policy) of configuring
+this within the CoreDNS documentation.
+
+When a [Virtual Control Plane per tenant](#virtual-control-plane-per-tenant) model is used, a DNS service must be configured per tenant or a multi-tenant DNS service must be used. Here is an example of a [customized version of CoreDNS](https://github.com/kubernetes-sigs/cluster-api-provider-nested/blob/main/virtualcluster/doc/tenant-dns.md) that supports multiple tenants.
+
+### Operators
+
+[Operators](/docs/concepts/extend-kubernetes/operator/) are Kubernetes controllers that manage applications. Operators can simplify the management of multiple instances of an application, like a database service, which makes them a common building block in the multi-consumer (SaaS) multi-tenancy use case.  
+
+Operators used in a multi-tenant environment should follow a stricter set of guidelines. Specifically, the Operator should: 
+* Support creating resources within different tenant namespaces, rather than just in the namespace in which the Operator is deployed.
+* Ensure that the Pods are configured with resource requests and limits, to ensure scheduling and fairness.  
+* Support configuration of Pods for data-plane isolation techniques such as node isolation and sandboxed containers.
+
+## Implementations
+
+{{% thirdparty-content %}}
+
+There are two primary ways to share a Kubernetes cluster for multi-tenancy: using Namespaces (i.e. a Namespace per tenant) or by virtualizing the control plane (i.e. Virtual control plane per tenant).
+
+In both cases, data plane isolation, and management of additional considerations such as API Priority and Fairness, is also recommended. 
+
+Namespace isolation is well-supported by Kubernetes, has a negligible resource cost, and provides mechanisms to allow tenants to interact appropriately, such as by allowing service-to-service communication. However, it can be difficult to configure, and doesn't apply to Kubernetes resources that can't be namespaced, such as Custom Resource Definitions, Storage Classes, and Webhooks.
+
+Control plane virtualization allows for isolation of non-namespaced resources at the cost of somewhat higher resource usage and more difficult cross-tenant sharing. It is a good option when namespace isolation is insufficient but dedicated clusters are undesirable, due to the high cost of maintaining them (especially on-prem) or due to their higher overhead and lack of resource sharing. However, even within a virtualized control plane, you will likely see benefits by using namespaces as well.
+
+The two options are discussed in more detail in the following sections:
+
+### Namespace per tenant
+
+As previously mentioned, you should consider isolating each workload in its own namespace, even if you are using dedicated clusters or virtualized control planes. This ensures that each workload only has access to its own resources, such as Config Maps and Secrets, and allows you to tailor dedicated security policies for each workload. In addition, it is a best practice to give each namespace names that are unique across your entire fleet (i.e., even if they are in separate clusters), as this gives you the flexibility to switch between dedicated and shared clusters in the future, or to use multi-cluster tooling such as service meshes.
+
+Conversely, there are also advantages to assigning namespaces at the tenant level, not just the workload level, since there are often policies that apply to all workloads owned by a single tenant. However, this raises its own problems. Firstly, this makes it difficult or impossible to customize policies to individual workloads, and secondly, it may be challenging to come up with a single level of "tenancy" that should be given a namespace. For example, an organization may have divisions, teams, and subteams - which should be assigned a namespace?
+
+To solve this, Kubernetes provides the [Hierarchical Namespace Controller (HNC)](https://github.com/kubernetes-sigs/hierarchical-namespaces), which allows you to organize your namespaces into hierarchies, and share certain policies and resources between them. It also helps you manage namespace labels, namespace lifecycles, and delegated management, and share resource quotas across related namespaces. These capabilities can be useful in both multi-team and multi-customer scenarios.
+
+Other projects that provide similar capabilities and aid in managing namespaced resources are listed below:
+
+#### Multi-team tenancy
+
+* [Capsule](https://github.com/clastix/capsule)
+* [Kiosk](https://github.com/loft-sh/kiosk)
+
+#### Multi-customer tenancy
+
+* [Kubeplus](https://github.com/cloud-ark/kubeplus)
+
+#### Policy engines
+
+Policy engines provide features to validate and generate tenant configurations:
+
+* [Kyverno](https://kyverno.io/)
+* [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper)
+
+### Virtual control plane per tenant
+
+Another form of control-plane isolation is to use Kubernetes extensions to provide each tenant a virtual control-plane that enables segmentation of cluster-wide API resources. [Data plane isolation](#data-plane-isolation) techniques can be used with this model to securely manage worker nodes across tenants.
+
+The virtual control plane based multi-tenancy model extends namespace-based multi-tenancy by providing each tenant with dedicated control plane components, and hence complete control over cluster-wide resources and add-on services. Worker nodes are shared across all tenants, and are managed by a Kubernetes cluster that is normally inaccessible to tenants. This cluster is often referred to as a _super-cluster_ (or sometimes as a _host-cluster_). Since a tenant’s control-plane is not directly associated with underlying compute resources it is referred to as a _virtual control plane_.
+
+A virtual control plane typically consists of the Kubernetes API server, the controller manager, and the etcd data store. It interacts with the super cluster via a metadata synchronization controller which coordinates changes across tenant control planes and the control plane of the super--cluster. 
+
+By using per-tenant dedicated control planes, most of the isolation problems due to sharing one API server among all tenants are solved. Examples include noisy neighbors in the control plane, uncontrollable blast radius of policy misconfigurations, and conflicts between cluster scope objects such as webhooks and CRDs.  Hence, the virtual control plane model is particularly suitable for cases where each tenant requires access to a Kubernetes API server and expects the full cluster manageability. 
+
+The improved isolation comes at the  cost of running and maintaining an individual virtual control plane per tenant. In addition, per-tenant control planes do not solve isolation problems in the data plane, such as node-level noisy neighbors or security threats. These must still be addressed separately.
+
+The Kubernetes [Cluster API - Nested (CAPN)](https://github.com/kubernetes-sigs/cluster-api-provider-nested/tree/main/virtualcluster) project provides an implementation of virtual control planes. 
+
+#### Other implementations
+* [Kamaji](https://github.com/clastix/kamaji)
+* [vcluster](https://github.com/loft-sh/vcluster)
+
diff --git a/content/en/docs/concepts/security/pod-security-admission.md b/content/en/docs/concepts/security/pod-security-admission.md
index 1e452ea6af8be..60f87c04d9e09 100644
--- a/content/en/docs/concepts/security/pod-security-admission.md
+++ b/content/en/docs/concepts/security/pod-security-admission.md
@@ -37,8 +37,8 @@ To use this mechanism, your cluster must enforce Pod Security admission.
 
 ### Built-in Pod Security admission enforcement
 
-In Kubernetes v{{< skew currentVersion >}}, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-is a beta feature and is enabled by default. You must have this feature gate enabled.
+From Kubernetes v1.23, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is a beta feature and is enabled by default.
+This page is part of the documentation for Kubernetes v{{< skew currentVersion >}}.
 If you are running a different version of Kubernetes, consult the documentation for that release.
 
 ### Alternative: installing the `PodSecurity` admission webhook {#webhook}
@@ -102,7 +102,7 @@ For each mode, there are two labels that determine the policy used:
 pod-security.kubernetes.io/<MODE>: <LEVEL>
 
 # Optional: per-mode version label that can be used to pin the policy to the
-# version that shipped with a given Kubernetes minor version (for example v{{< skew latestVersion >}}).
+# version that shipped with a given Kubernetes minor version (for example v{{< skew currentVersion >}}).
 #
 # MODE must be one of `enforce`, `audit`, or `warn`.
 # VERSION must be a valid Kubernetes minor version, or `latest`.
diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index 393468ac745af..47e93d3e9ea89 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -29,10 +29,9 @@ This guide outlines the requirements of each policy.
 **The _Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is
 typically aimed at system- and infrastructure-level workloads managed by privileged, trusted users.
 
-The Privileged policy is defined by an absence of restrictions. For allow-by-default enforcement
-mechanisms (such as gatekeeper), the Privileged policy may be an absence of applied constraints
-rather than an instantiated profile. In contrast, for a deny-by-default mechanism (such as Pod
-Security Policy) the Privileged policy should enable all controls (disable all restrictions).
+The Privileged policy is defined by an absence of restrictions. Allow-by-default
+mechanisms (such as gatekeeper) may be Privileged by default. In contrast, for a deny-by-default mechanism (such as Pod
+Security Policy) the Privileged policy should disable all restrictions.
 
 ### Baseline
 
@@ -58,7 +57,7 @@ fail validation.
 		<tr>
 			<td style="white-space: nowrap">HostProcess</td>
 			<td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an <strong>alpha</strong> feature as of Kubernetes <strong>v1.22</strong>.</p>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. {{< feature-state for_k8s_version="v1.23" state="beta" >}}</p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
@@ -458,6 +457,16 @@ of individual policies are not defined here.
 - {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
 - {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}
 
+### Alternatives
+
+{{% thirdparty-content %}}
+
+Other alternatives for enforcing policies are being developed in the Kubernetes ecosystem, such as: 
+- [Kubewarden](https://github.com/kubewarden)
+- [Kyverno](https://kyverno.io/policies/pod-security/)
+- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)
+
+
 ## FAQ
 
 ### Why isn't there a profile between privileged and baseline?
@@ -481,14 +490,6 @@ as well as other related parameters outside the Security Context. As of July 202
 [Pod Security Policies](/docs/concepts/security/pod-security-policy/) are deprecated in favor of the
 built-in [Pod Security Admission Controller](/docs/concepts/security/pod-security-admission/). 
 
-{{% thirdparty-content %}}
-
-Other alternatives for enforcing security profiles are being developed in the Kubernetes
-ecosystem, such as: 
-- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper).
-- [Kubewarden](https://github.com/kubewarden).
-- [Kyverno](https://kyverno.io/policies/pod-security/).
-
 ### What profiles should I apply to my Windows Pods?
 
 Windows in Kubernetes has some limitations and differentiators from standard Linux-based
diff --git a/content/en/docs/concepts/security/rbac-good-practices.md b/content/en/docs/concepts/security/rbac-good-practices.md
new file mode 100644
index 0000000000000..cfcc8b3cb93fb
--- /dev/null
+++ b/content/en/docs/concepts/security/rbac-good-practices.md
@@ -0,0 +1,180 @@
+---
+reviewers:
+title: Role Based Access Control Good Practices
+description: >
+  Principles and practices for good RBAC design for cluster operators.
+content_type: concept
+weight: 60
+---
+
+<!-- overview -->
+
+Kubernetes {{< glossary_tooltip text="RBAC" term_id="rbac" >}} is a key security control 
+to ensure that cluster users and workloads have only the access to resources required to 
+execute their roles. It is important to ensure that, when designing permissions for cluster
+users, the cluster administrator understands the areas where privilge escalation could occur, 
+to reduce the risk of excessive access leading to security incidents.
+
+The good practices laid out here should be read in conjunction with the general [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update).
+
+<!-- body -->
+
+## General good practice
+
+### Least privilege
+
+Ideally minimal RBAC rights should be assigned to users and service accounts. Only permissions 
+explicitly required for their operation should be used. Whilst each cluster will be different, 
+some general rules that can be applied are :
+
+ - Assign permissions at the namespace level where possible. Use RoleBindings as opposed to 
+   ClusterRoleBindings to give users rights only within a specific namespace.
+ - Avoid providing wildcard permissions when possible, especially to all resources.
+   As Kubernetes is an extensible system, providing wildcard access gives rights
+   not just to all object types presently in the cluster, but also to all future object types
+   which are created in the future.
+ - Administrators should not use `cluster-admin` accounts except where specifically needed. 
+   Providing a low privileged account with [impersonation rights](/docs/reference/access-authn-authz/authentication/#user-impersonation)
+   can avoid accidental modification of cluster resources.
+ - Avoid adding users to the `system:masters` group. Any user who is a member of this group 
+   bypasses all RBAC rights checks and will always have unrestricted superuser access, which cannot be 
+   revoked by removing RoleBindings or ClusterRoleBindings. As an aside, if a cluster is 
+   using an authorization webhook, membership of this group also bypasses that webhook (requests 
+   from users who are members of that group are never sent to the webhook)
+
+### Minimize distribution of privileged tokens
+
+Ideally, pods shouldn't be assigned service accounts that have been granted powerful permissions (for example, any of the rights listed under
+[privilege escalation risks](#privilege-escalation-risks)). 
+In cases where a workload requires powerful permissions, consider the following practices:
+
+ - Limit the number of nodes running powerful pods. Ensure that any DaemonSets you run
+  are necessary and are run with least privilege to limit the blast radius of container escapes.
+ - Avoid running powerful pods alongside untrusted or publicly-exposed ones. Consider using 
+   [Taints and Toleration](/docs/concepts/scheduling-eviction/taint-and-toleration/), [NodeAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity), or [PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) to ensure 
+   pods don't run alongside untrusted or less-trusted Pods. Pay especial attention to
+   situations where less-trustworthy Pods are not meeting the **Restricted** Pod Security Standard.
+
+### Hardening
+
+Kubernetes defaults to providing access which may not be required in every cluster. Reviewing 
+the RBAC rights provided by default can provide opportunities for security hardening.
+In general, changes should not be made to rights provided to `system:` accounts some options 
+to harden cluster rights exist:
+
+- Review bindings for the `system:unauthenticated` group and remove where possible, as this gives 
+  access to anyone who can contact the API server at a network level.
+- Avoid the default auto-mounting of service account tokens by setting
+  `automountServiceAccountToken: false`. For more details, see
+  [using default service account token](/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server).
+  Setting this value for a Pod will overwrite the service account setting, workloads
+  which require service account tokens can still mount them.
+
+### Periodic review
+
+It is vital to periodically review the Kubernetes RBAC settings for redundant entries and 
+possible privilege escalations.
+If an attacker is able to create a user account with the same name as a deleted user,
+they can automatically inherit all the rights of the deleted user, especially the
+rights assigned to that user.
+
+## Kubernetes RBAC - privilege escalation risks {#privilege-escalation-risks}
+
+Within Kubernetes RBAC there are a number of privileges which, if granted, can allow a user or a service account
+to escalate their privileges in the cluster or affect systems outside the cluster.
+
+This section is intended to provide visibility of the areas where cluster operators 
+should take care, to ensure that they do not inadvertently allow for more access to clusters than intended.
+
+### Listing secrets
+
+It is generally clear that allowing `get` access on Secrets will allow a user to read their contents.
+It is also important to note that `list` and `watch` access also effectively allow for users to reveal the Secret contents.
+For example, when a List response is returned (for example, via `kubectl get secrets -A -o yaml`), the response
+includes the contents of all Secrets.
+
+### Workload creation
+
+Users who are able to create workloads (either Pods, or
+[workload resources](/docs/concepts/workloads/controllers/) that manage Pods) will
+be able to gain access to the underlying node unless restrictions based on the Kubernetes
+[Pod Security Standards](/docs/concepts/security/pod-security-standards/) are in place.
+
+Users who can run privileged Pods can use that access to gain node access and potentially to
+further elevate their privileges. Where you do not fully trust a user or other principal
+with the ability to create suitably secure and isolated Pods, you should enforce either the
+**Baseline** or **Restricted** Pod Security Standard.
+You can use [Pod Security admission](/docs/concepts/security/pod-security-admission/)
+or other (third party) mechanisms to implement that enforcement.
+
+You can also use the deprecated [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) mechanism
+to restrict users' abilities to create privileged Pods (N.B. PodSecurityPolicy is scheduled for removal
+in version 1.25).
+
+Creating a workload in a namespace also grants indirect access to Secrets in that namespace. 
+Creating a pod in kube-system or a similarly privileged namespace can grant a user access to 
+Secrets they would not have through RBAC directly.
+
+### Persistent volume creation
+
+As noted in the [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems) documentation, access to create PersistentVolumes can allow for escalation of access to the underlying host. Where access to persistent storage is required trusted administrators should create 
+PersistentVolumes, and constrained users should use PersistentVolumeClaims to access that storage.
+
+### Access to `proxy` subresource of Nodes
+
+Users with access to the proxy sub-resource of node objects have rights to the Kubelet API, 
+which allows for command execution on every pod on the node(s) which they have rights to. 
+This access bypasses audit logging and admission control, so care should be taken before 
+granting rights to this resource.
+
+### Escalate verb
+
+Generally the RBAC system prevents users from creating clusterroles with more rights than 
+they possess. The exception to this is the `escalate` verb. As noted in the [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update),
+users with this right can effectively escalate their privileges.
+
+### Bind verb
+
+Similar to the `escalate` verb, granting users this right allows for bypass of Kubernetes 
+in-built protections against privilege escalation, allowing users to create bindings to 
+roles with rights they do not already have.
+
+### Impersonate verb
+
+This verb allows users to impersonate and gain the rights of other users in the cluster. 
+Care should be taken when granting it, to ensure that excessive permissions cannot be gained 
+via one of the impersonated accounts.
+
+### CSRs and certificate issuing
+
+The CSR API allows for users with `create` rights to CSRs and `update` rights on `certificatesigningrequests/approval` 
+where the signer is `kubernetes.io/kube-apiserver-client` to create new client certificates 
+which allow users to authenticate to the cluster. Those client certificates can have arbitrary 
+names including duplicates of Kubernetes system components. This will effectively allow for privilege escalation.
+
+### Token request
+
+Users with `create` rights on `serviceaccounts/token` can create TokenRequests to issue 
+tokens for existing service accounts. 
+
+### Control admission webhooks
+
+Users with control over `validatingwebhookconfigurations` or `mutatingwebhookconfigurations` 
+can control webhooks that can read any object admitted to the cluster, and in the case of 
+mutating webhooks, also mutate admitted objects.
+
+
+## Kubernetes RBAC - denial of service risks {#denial-of-service-risks}
+
+### Object creation denial-of-service {#object-creation-dos}
+Users who have rights to create objects in a cluster may be able to create sufficient large 
+objects to create a denial of service condition either based on the size or number of objects, as discussed in
+[etcd used by Kubernetes is vulnerable to OOM attack](https://github.com/kubernetes/kubernetes/issues/107325). This may be
+specifically relevant in multi-tenant clusters if semi-trusted or untrusted users 
+are allowed limited access to a system.
+
+One option for mitigation of this issue would be to use [resource quotas](/docs/concepts/policy/resource-quotas/#object-count-quota)
+to limit the quantity of objects which can be created.
+
+## {{% heading "whatsnext" %}}
+* To learn more about RBAC, see the [RBAC documentation](/docs/reference/access-authn-authz/rbac/).
diff --git a/content/en/docs/concepts/security/windows-security.md b/content/en/docs/concepts/security/windows-security.md
index 1341f38c59e4a..8c0704ac2bad4 100644
--- a/content/en/docs/concepts/security/windows-security.md
+++ b/content/en/docs/concepts/security/windows-security.md
@@ -6,7 +6,7 @@ reviewers:
 - perithompson
 title:    Security For Windows Nodes
 content_type: concept
-weight: 75
+weight: 40
 ---
 
 <!-- overview -->
@@ -51,5 +51,5 @@ Windows containers can also run as Active Directory identities by utilizing [Gro
 Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom
 POSIX capabilities) are not supported on Windows nodes.
 
-Privileged containers are [not supported](#compatibility-v1-pod-spec-containers-securitycontext) on Windows.
+Privileged containers are [not supported](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext) on Windows.
 Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod) can be used on Windows to perform many of the tasks performed by privileged containers on Linux.
diff --git a/content/en/docs/concepts/services-networking/_index.md b/content/en/docs/concepts/services-networking/_index.md
index ab1b784658bb8..b4f78610753c9 100644
--- a/content/en/docs/concepts/services-networking/_index.md
+++ b/content/en/docs/concepts/services-networking/_index.md
@@ -7,26 +7,25 @@ description: >
 
 ## The Kubernetes network model
 
-Every [`Pod`](/docs/concepts/workloads/pods/) gets its own IP address. 
+Every [`Pod`](/docs/concepts/workloads/pods/) in a cluster gets its own unique cluster-wide IP address. 
 This means you do not need to explicitly create links between `Pods` and you 
 almost never need to deal with mapping container ports to host ports.  
 This creates a clean, backwards-compatible model where `Pods` can be treated 
 much like VMs or physical hosts from the perspectives of port allocation, 
-naming, service discovery, [load balancing](/docs/concepts/services-networking/ingress/#load-balancing), application configuration, 
-and migration.
+naming, service discovery, [load balancing](/docs/concepts/services-networking/ingress/#load-balancing), 
+application configuration, and migration.
 
 Kubernetes imposes the following fundamental requirements on any networking
 implementation (barring any intentional network segmentation policies):
 
-   * pods on a [node](/docs/concepts/architecture/nodes/) can communicate with all pods on all nodes without NAT
+   * pods can communicate with all other pods on any other [node](/docs/concepts/architecture/nodes/) 
+     without NAT
    * agents on a node (e.g. system daemons, kubelet) can communicate with all
      pods on that node
 
 Note: For those platforms that support `Pods` running in the host network (e.g.
-Linux):
-
-   * pods in the host network of a node can communicate with all pods on all
-     nodes without NAT
+Linux), when pods are attached to the host network of a node they can still communicate 
+with all pods on all nodes without NAT.
 
 This model is not only less complex overall, but it is principally compatible
 with the desire for Kubernetes to enable low-friction porting of apps from VMs
diff --git a/content/en/docs/concepts/services-networking/dns-pod-service.md b/content/en/docs/concepts/services-networking/dns-pod-service.md
index 9ca11a34571cb..939269f8ec2c7 100644
--- a/content/en/docs/concepts/services-networking/dns-pod-service.md
+++ b/content/en/docs/concepts/services-networking/dns-pod-service.md
@@ -8,8 +8,8 @@ weight: 20
 ---
 <!-- overview -->
 
-Kubernetes creates DNS records for services and pods. You can contact
-services with consistent DNS names instead of IP addresses. 
+Kubernetes creates DNS records for Services and Pods. You can contact
+Services with consistent DNS names instead of IP addresses. 
 
 <!-- body -->
 
@@ -25,20 +25,20 @@ Pod's own namespace and the cluster's default domain.
 
 ### Namespaces of Services 
 
-A DNS query may return different results based on the namespace of the pod making 
-it. DNS queries that don't specify a namespace are limited to the pod's 
-namespace. Access services in other namespaces by specifying it in the DNS query. 
+A DNS query may return different results based on the namespace of the Pod making 
+it. DNS queries that don't specify a namespace are limited to the Pod's 
+namespace. Access Services in other namespaces by specifying it in the DNS query. 
 
-For example, consider a pod in a `test` namespace. A `data` service is in 
+For example, consider a Pod in a `test` namespace. A `data` Service is in 
 the `prod` namespace. 
 
-A query for `data` returns no results, because it uses the pod's `test` namespace. 
+A query for `data` returns no results, because it uses the Pod's `test` namespace. 
 
 A query for `data.prod` returns the intended result, because it specifies the 
 namespace. 
 
-DNS queries may be expanded using the pod's `/etc/resolv.conf`. Kubelet 
-sets this file for each pod. For example, a query for just `data` may be 
+DNS queries may be expanded using the Pod's `/etc/resolv.conf`. Kubelet 
+sets this file for each Pod. For example, a query for just `data` may be 
 expanded to `data.test.svc.cluster.local`. The values of the `search` option 
 are used to expand queries. To learn more about DNS queries, see 
 [the `resolv.conf` manual page.](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html) 
@@ -49,7 +49,7 @@ search <namespace>.svc.cluster.local svc.cluster.local cluster.local
 options ndots:5
 ```
 
-In summary, a pod in the _test_ namespace can successfully resolve either 
+In summary, a Pod in the _test_ namespace can successfully resolve either 
 `data.prod` or `data.prod.svc.cluster.local`.
 
 ### DNS Records
@@ -70,14 +70,14 @@ For more up-to-date specification, see
 ### A/AAAA records
 
 "Normal" (not headless) Services are assigned a DNS A or AAAA record,
-depending on the IP family of the service, for a name of the form
+depending on the IP family of the Service, for a name of the form
 `my-svc.my-namespace.svc.cluster-domain.example`.  This resolves to the cluster IP
 of the Service.
 
 "Headless" (without a cluster IP) Services are also assigned a DNS A or AAAA record,
-depending on the IP family of the service, for a name of the form
+depending on the IP family of the Service, for a name of the form
 `my-svc.my-namespace.svc.cluster-domain.example`.  Unlike normal
-Services, this resolves to the set of IPs of the pods selected by the Service.
+Services, this resolves to the set of IPs of the Pods selected by the Service.
 Clients are expected to consume the set or else use standard round-robin
 selection from the set.
 
@@ -87,36 +87,36 @@ SRV Records are created for named ports that are part of normal or [Headless
 Services](/docs/concepts/services-networking/service/#headless-services).
 For each named port, the SRV record would have the form
 `_my-port-name._my-port-protocol.my-svc.my-namespace.svc.cluster-domain.example`.
-For a regular service, this resolves to the port number and the domain name:
+For a regular Service, this resolves to the port number and the domain name:
 `my-svc.my-namespace.svc.cluster-domain.example`.
-For a headless service, this resolves to multiple answers, one for each pod
-that is backing the service, and contains the port number and the domain name of the pod
+For a headless Service, this resolves to multiple answers, one for each Pod
+that is backing the Service, and contains the port number and the domain name of the Pod
 of the form `auto-generated-name.my-svc.my-namespace.svc.cluster-domain.example`.
 
 ## Pods
 
 ### A/AAAA records
 
-In general a pod has the following DNS resolution:
+In general a Pod has the following DNS resolution:
 
 `pod-ip-address.my-namespace.pod.cluster-domain.example`.
 
-For example, if a pod in the `default` namespace has the IP address 172.17.0.3,
+For example, if a Pod in the `default` namespace has the IP address 172.17.0.3,
 and the domain name for your cluster is `cluster.local`, then the Pod has a DNS name:
 
 `172-17-0-3.default.pod.cluster.local`.
 
-Any pods exposed by a Service have the following DNS resolution available:
+Any Pods exposed by a Service have the following DNS resolution available:
 
 `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example`.
 
 ### Pod's hostname and subdomain fields
 
-Currently when a pod is created, its hostname is the Pod's `metadata.name` value.
+Currently when a Pod is created, its hostname is the Pod's `metadata.name` value.
 
 The Pod spec has an optional `hostname` field, which can be used to specify the
 Pod's hostname. When specified, it takes precedence over the Pod's name to be
-the hostname of the pod. For example, given a Pod with `hostname` set to
+the hostname of the Pod. For example, given a Pod with `hostname` set to
 "`my-host`", the Pod will have its hostname set to "`my-host`".
 
 The Pod spec also has an optional `subdomain` field which can be used to specify
@@ -173,14 +173,14 @@ spec:
     name: busybox
 ```
 
-If there exists a headless service in the same namespace as the pod and with
+If there exists a headless Service in the same namespace as the Pod and with
 the same name as the subdomain, the cluster's DNS Server also returns an A or AAAA
 record for the Pod's fully qualified hostname.
 For example, given a Pod with the hostname set to "`busybox-1`" and the subdomain set to
 "`default-subdomain`", and a headless Service named "`default-subdomain`" in
-the same namespace, the pod will see its own FQDN as
+the same namespace, the Pod will see its own FQDN as
 "`busybox-1.default-subdomain.my-namespace.svc.cluster-domain.example`". DNS serves an
-A or AAAA record at that name, pointing to the Pod's IP. Both pods "`busybox1`" and
+A or AAAA record at that name, pointing to the Pod's IP. Both Pods "`busybox1`" and
 "`busybox2`" can have their distinct A or AAAA records.
 
 The Endpoints object can specify the `hostname` for any endpoint addresses,
@@ -189,7 +189,7 @@ along with its IP.
 {{< note >}}
 Because A or AAAA records are not created for Pod names, `hostname` is required for the Pod's A or AAAA
 record to be created. A Pod with no `hostname` but with `subdomain` will only create the
-A or AAAA record for the headless service (`default-subdomain.my-namespace.svc.cluster-domain.example`),
+A or AAAA record for the headless Service (`default-subdomain.my-namespace.svc.cluster-domain.example`),
 pointing to the Pod's IP address. Also, Pod needs to become ready in order to have a
 record unless `publishNotReadyAddresses=True` is set on the Service.
 {{< /note >}}
@@ -205,17 +205,17 @@ When you set `setHostnameAsFQDN: true` in the Pod spec, the kubelet writes the P
 {{< note >}}
 In Linux, the hostname field of the kernel (the `nodename` field of `struct utsname`) is limited to 64 characters.
 
-If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
+If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
 {{< /note >}}
 
 ### Pod's DNS Policy
 
-DNS policies can be set on a per-pod basis. Currently Kubernetes supports the
-following pod-specific DNS policies. These policies are specified in the
+DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the
+following Pod-specific DNS policies. These policies are specified in the
 `dnsPolicy` field of a Pod Spec.
 
 - "`Default`": The Pod inherits the name resolution configuration from the node
-  that the pods run on.
+  that the Pods run on.
   See [related discussion](/docs/tasks/administer-cluster/dns-custom-nameservers)
   for more details.
 - "`ClusterFirst`": Any DNS query that does not match the configured cluster
@@ -226,6 +226,7 @@ following pod-specific DNS policies. These policies are specified in the
   for details on how DNS queries are handled in those cases.
 - "`ClusterFirstWithHostNet`": For Pods running with hostNetwork, you should
   explicitly set its DNS policy "`ClusterFirstWithHostNet`".
+  - Note: This is not supported on Windows. See [below](#dns-windows) for details
 - "`None`": It allows a Pod to ignore DNS settings from the Kubernetes
   environment. All DNS settings are supposed to be provided using the
   `dnsConfig` field in the Pod Spec.
@@ -306,7 +307,7 @@ For IPv6 setup, search path and name server should be setup like this:
 kubectl exec -it dns-example -- cat /etc/resolv.conf
 ```
 The output is similar to this:
-```shell
+```
 nameserver fd00:79:30::a
 search default.svc.cluster-domain.example svc.cluster-domain.example cluster-domain.example
 options ndots:5
@@ -323,8 +324,25 @@ If the feature gate `ExpandedDNSConfig` is enabled for the kube-apiserver and
 the kubelet, it is allowed for Kubernetes to have at most 32 search domains and
 a list of search domains of up to 2048 characters.
 
-## {{% heading "whatsnext" %}}
+## DNS resolution on Windows nodes {#dns-windows}
+
+- ClusterFirstWithHostNet is not supported for Pods that run on Windows nodes.
+  Windows treats all names with a `.` as a FQDN and skips FQDN resolution.
+- On Windows, there are multiple DNS resolvers that can be used. As these come with
+  slightly different behaviors, using the
+  [`Resolve-DNSName`](https://docs.microsoft.com/powershell/module/dnsclient/resolve-dnsname)
+  powershell cmdlet for name query resolutions is recommended.
+- On Linux, you have a DNS suffix list, which is used after resolution of a name as fully
+  qualified has failed.
+  On Windows, you can only have 1 DNS suffix, which is the DNS suffix associated with that
+  Pod's namespace (example: `mydns.svc.cluster.local`). Windows can resolve FQDNs, Services,
+  or network name which can be resolved with this single suffix. For example, a Pod spawned
+  in the `default` namespace, will have the DNS suffix `default.svc.cluster.local`.
+  Inside a Windows Pod, you can resolve both `kubernetes.default.svc.cluster.local`
+  and `kubernetes`, but not the partially qualified names (`kubernetes.default` or
+  `kubernetes.default.svc`).
 
+## {{% heading "whatsnext" %}}
 
 For guidance on administering DNS configurations, check
 [Configure DNS Service](/docs/tasks/administer-cluster/dns-custom-nameservers/)
diff --git a/content/en/docs/concepts/services-networking/dual-stack.md b/content/en/docs/concepts/services-networking/dual-stack.md
index a120df4392784..921d69e8fbf94 100644
--- a/content/en/docs/concepts/services-networking/dual-stack.md
+++ b/content/en/docs/concepts/services-networking/dual-stack.md
@@ -1,16 +1,15 @@
 ---
-reviewers:
-- lachie83
-- khenidak
-- aramase
-- bridgetkromhout
 title: IPv4/IPv6 dual-stack
 feature:
   title: IPv4/IPv6 dual-stack
   description: >
     Allocation of IPv4 and IPv6 addresses to Pods and Services
-
 content_type: concept
+reviewers:
+  - lachie83
+  - khenidak
+  - aramase
+  - bridgetkromhout
 weight: 70
 ---
 
@@ -18,11 +17,11 @@ weight: 70
 
 {{< feature-state for_k8s_version="v1.23" state="stable" >}}
 
-IPv4/IPv6 dual-stack networking enables the allocation of both IPv4 and IPv6 addresses to {{< glossary_tooltip text="Pods" term_id="pod" >}} and {{< glossary_tooltip text="Services" term_id="service" >}}.
-
-IPv4/IPv6 dual-stack networking is enabled by default for your Kubernetes cluster starting in 1.21, allowing the simultaneous assignment of both IPv4 and IPv6 addresses.
-
+IPv4/IPv6 dual-stack networking enables the allocation of both IPv4 and IPv6 addresses to
+{{< glossary_tooltip text="Pods" term_id="pod" >}} and {{< glossary_tooltip text="Services" term_id="service" >}}.
 
+IPv4/IPv6 dual-stack networking is enabled by default for your Kubernetes cluster starting in
+1.21, allowing the simultaneous assignment of both IPv4 and IPv6 addresses.
 
 <!-- body -->
 
@@ -30,68 +29,78 @@ IPv4/IPv6 dual-stack networking is enabled by default for your Kubernetes cluste
 
 IPv4/IPv6 dual-stack on your Kubernetes cluster provides the following features:
 
-   * Dual-stack Pod networking (a single IPv4 and IPv6 address assignment per Pod)
-   * IPv4 and IPv6 enabled Services
-   * Pod off-cluster egress routing (eg. the Internet) via both IPv4 and IPv6 interfaces
+* Dual-stack Pod networking (a single IPv4 and IPv6 address assignment per Pod)
+* IPv4 and IPv6 enabled Services
+* Pod off-cluster egress routing (eg. the Internet) via both IPv4 and IPv6 interfaces
 
 ## Prerequisites
 
 The following prerequisites are needed in order to utilize IPv4/IPv6 dual-stack Kubernetes clusters:
 
-   * Kubernetes 1.20 or later  
-     For information about using dual-stack services with earlier
-     Kubernetes versions, refer to the documentation for that version
-     of Kubernetes.
-   * Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide Kubernetes nodes with routable IPv4/IPv6 network interfaces)
-   * A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports dual-stack networking.
+* Kubernetes 1.20 or later  
+
+  For information about using dual-stack services with earlier
+  Kubernetes versions, refer to the documentation for that version
+  of Kubernetes.
+
+* Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide
+  Kubernetes nodes with routable IPv4/IPv6 network interfaces)
+* A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that
+  supports dual-stack networking.
 
 ## Configure IPv4/IPv6 dual-stack
 
 To configure IPv4/IPv6 dual-stack, set dual-stack cluster network assignments:
 
-   * kube-apiserver:
-      * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
-   * kube-controller-manager:
-      * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
-      * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
-      * `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` defaults to /24 for IPv4 and /64 for IPv6
-   * kube-proxy:
-      * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
-   * kubelet:
-      * when there is no `--cloud-provider` the administrator can pass a comma-separated pair
-        of IP addresses via `--node-ip` to manually configure dual-stack `.status.addresses`
-        for that Node.
-        If a Pod runs on that node in HostNetwork mode, the Pod reports these IP addresses in its
-        `.status.podIPs` field.
-        All `podIPs` in a node match the IP family preference defined by the
-        `.status.addresses` field for that Node.
+* kube-apiserver:
+  * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
+* kube-controller-manager:
+  * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
+  * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
+  * `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` defaults to /24 for IPv4 and /64 for IPv6
+* kube-proxy:
+  * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
+* kubelet:
+  * when there is no `--cloud-provider` the administrator can pass a comma-separated pair of IP
+    addresses via `--node-ip` to manually configure dual-stack `.status.addresses` for that Node.
+    If a Pod runs on that node in HostNetwork mode, the Pod reports these IP addresses in its
+    `.status.podIPs` field.
+    All `podIPs` in a node match the IP family preference defined by the `.status.addresses`
+    field for that Node.
 
 {{< note >}}
 An example of an IPv4 CIDR: `10.244.0.0/16` (though you would supply your own address range)
 
-An example of an IPv6 CIDR: `fdXY:IJKL:MNOP:15::/64` (this shows the format but is not a valid address - see [RFC 4193](https://tools.ietf.org/html/rfc4193))
-
+An example of an IPv6 CIDR: `fdXY:IJKL:MNOP:15::/64` (this shows the format but is not a valid
+address - see [RFC 4193](https://tools.ietf.org/html/rfc4193))
 {{< /note >}}
 
 ## Services
 
 You can create {{< glossary_tooltip text="Services" term_id="service" >}} which can use IPv4, IPv6, or both.
 
-The address family of a Service defaults to the address family of the first service cluster IP range (configured via the `--service-cluster-ip-range` flag to the kube-apiserver).
+The address family of a Service defaults to the address family of the first service cluster IP
+range (configured via the `--service-cluster-ip-range` flag to the kube-apiserver).
 
 When you define a Service you can optionally configure it as dual stack. To specify the behavior you want, you
 set the `.spec.ipFamilyPolicy` field to one of the following values:
 
-* `SingleStack`: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
+* `SingleStack`: Single-stack service. The control plane allocates a cluster IP for the Service,
+  using the first configured service cluster IP range.
 * `PreferDualStack`:
   * Allocates IPv4 and IPv6 cluster IPs for the Service.
 * `RequireDualStack`: Allocates Service `.spec.ClusterIPs` from both IPv4 and IPv6 address ranges.
-  * Selects the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family of the first element in the `.spec.ipFamilies` array.
+  * Selects the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family
+    of the first element in the `.spec.ipFamilies` array.
 
-If you would like to define which IP family to use for single stack or define the order of IP families for dual-stack, you can choose the address families by setting an optional field, `.spec.ipFamilies`, on the Service. 
+If you would like to define which IP family to use for single stack or define the order of IP
+families for dual-stack, you can choose the address families by setting an optional field,
+`.spec.ipFamilies`, on the Service. 
 
 {{< note >}}
-The `.spec.ipFamilies` field is immutable because the `.spec.ClusterIP` cannot be reallocated on a Service that already exists. If you want to change `.spec.ipFamilies`, delete and recreate the Service.
+The `.spec.ipFamilies` field is immutable because the `.spec.ClusterIP` cannot be reallocated on a
+Service that already exists. If you want to change `.spec.ipFamilies`, delete and recreate the
+Service.
 {{< /note >}}
 
 You can set `.spec.ipFamilies` to any of the following array values:
@@ -109,139 +118,197 @@ These examples demonstrate the behavior of various dual-stack Service configurat
 
 #### Dual-stack options on new Services
 
-1. This Service specification does not explicitly define `.spec.ipFamilyPolicy`. When you create this Service, Kubernetes assigns a cluster IP for the Service from the first configured `service-cluster-ip-range` and sets the `.spec.ipFamilyPolicy` to `SingleStack`. ([Services without selectors](/docs/concepts/services-networking/service/#services-without-selectors) and [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors will behave in this same way.)
-
-{{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
-
-1. This Service specification explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. When you create this Service on a dual-stack cluster, Kubernetes assigns both IPv4 and IPv6 addresses for the service. The control plane updates the `.spec` for the Service to record the IP address assignments. The field `.spec.ClusterIPs` is the primary field, and contains both assigned IP addresses; `.spec.ClusterIP` is a secondary field with its value calculated from `.spec.ClusterIPs`.
+1. This Service specification does not explicitly define `.spec.ipFamilyPolicy`. When you create
+   this Service, Kubernetes assigns a cluster IP for the Service from the first configured
+   `service-cluster-ip-range` and sets the `.spec.ipFamilyPolicy` to `SingleStack`. ([Services
+   without selectors](/docs/concepts/services-networking/service/#services-without-selectors) and
+   [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors
+   will behave in this same way.)
+
+   {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
+
+1. This Service specification explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. When
+   you create this Service on a dual-stack cluster, Kubernetes assigns both IPv4 and IPv6
+   addresses for the service. The control plane updates the `.spec` for the Service to record the IP
+   address assignments. The field `.spec.ClusterIPs` is the primary field, and contains both assigned
+   IP addresses; `.spec.ClusterIP` is a secondary field with its value calculated from
+   `.spec.ClusterIPs`.
    
-      * For the `.spec.ClusterIP` field, the control plane records the IP address that is from the same address family as the first service cluster IP range. 
-      * On a single-stack cluster, the `.spec.ClusterIPs` and `.spec.ClusterIP` fields both only list one address. 
-      * On a cluster with dual-stack enabled, specifying `RequireDualStack` in `.spec.ipFamilyPolicy` behaves the same as `PreferDualStack`.
+   * For the `.spec.ClusterIP` field, the control plane records the IP address that is from the
+     same address family as the first service cluster IP range. 
+   * On a single-stack cluster, the `.spec.ClusterIPs` and `.spec.ClusterIP` fields both only list
+     one address. 
+   * On a cluster with dual-stack enabled, specifying `RequireDualStack` in `.spec.ipFamilyPolicy`
+     behaves the same as `PreferDualStack`.
 
-{{< codenew file="service/networking/dual-stack-preferred-svc.yaml" >}}
+   {{< codenew file="service/networking/dual-stack-preferred-svc.yaml" >}}
 
-1. This Service specification explicitly defines `IPv6` and `IPv4` in `.spec.ipFamilies` as well as defining `PreferDualStack` in `.spec.ipFamilyPolicy`. When Kubernetes assigns an IPv6 and IPv4 address in `.spec.ClusterIPs`, `.spec.ClusterIP` is set to the IPv6 address because that is the first element in the `.spec.ClusterIPs` array, overriding the default.
+1. This Service specification explicitly defines `IPv6` and `IPv4` in `.spec.ipFamilies` as well
+   as defining `PreferDualStack` in `.spec.ipFamilyPolicy`. When Kubernetes assigns an IPv6 and
+   IPv4 address in `.spec.ClusterIPs`, `.spec.ClusterIP` is set to the IPv6 address because that is
+   the first element in the `.spec.ClusterIPs` array, overriding the default.
 
-{{< codenew file="service/networking/dual-stack-preferred-ipfamilies-svc.yaml" >}}
+   {{< codenew file="service/networking/dual-stack-preferred-ipfamilies-svc.yaml" >}}
 
 #### Dual-stack defaults on existing Services
 
-These examples demonstrate the default behavior when dual-stack is newly enabled on a cluster where Services already exist. (Upgrading an existing cluster to 1.21 or beyond will enable dual-stack.)
+These examples demonstrate the default behavior when dual-stack is newly enabled on a cluster
+where Services already exist. (Upgrading an existing cluster to 1.21 or beyond will enable
+dual-stack.)
 
-1. When dual-stack is enabled on a cluster, existing Services (whether `IPv4` or `IPv6`) are configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set `.spec.ipFamilies` to the address family of the existing Service. The existing Service cluster IP will be stored in `.spec.ClusterIPs`.
+1. When dual-stack is enabled on a cluster, existing Services (whether `IPv4` or `IPv6`) are
+   configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set
+   `.spec.ipFamilies` to the address family of the existing Service. The existing Service cluster IP
+   will be stored in `.spec.ClusterIPs`.
 
-{{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
+   {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
 
    You can validate this behavior by using kubectl to inspect an existing service.
 
-```shell
-kubectl get svc my-service -o yaml
-```
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: MyApp
-  name: my-service
-spec:
-  clusterIP: 10.0.197.123
-  clusterIPs:
-  - 10.0.197.123
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: MyApp
-  type: ClusterIP
-status:
-  loadBalancer: {}
-```
-
-1. When dual-stack is enabled on a cluster, existing [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors are configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set `.spec.ipFamilies` to the address family of the first service cluster IP range (configured via the `--service-cluster-ip-range` flag to the kube-apiserver) even though `.spec.ClusterIP` is set to `None`.
-
-{{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
+   ```shell
+   kubectl get svc my-service -o yaml
+   ```
+
+   ```yaml
+   apiVersion: v1
+   kind: Service
+   metadata:
+     labels:
+       app: MyApp
+     name: my-service
+   spec:
+     clusterIP: 10.0.197.123
+     clusterIPs:
+     - 10.0.197.123
+     ipFamilies:
+     - IPv4
+     ipFamilyPolicy: SingleStack
+     ports:
+     - port: 80
+       protocol: TCP
+       targetPort: 80
+     selector:
+       app: MyApp
+     type: ClusterIP
+   status:
+     loadBalancer: {}
+   ```
+
+1. When dual-stack is enabled on a cluster, existing
+   [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors are
+   configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set
+   `.spec.ipFamilies` to the address family of the first service cluster IP range (configured via the
+   `--service-cluster-ip-range` flag to the kube-apiserver) even though `.spec.ClusterIP` is set to
+   `None`.
+
+   {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
 
    You can validate this behavior by using kubectl to inspect an existing headless service with selectors.
 
-```shell
-kubectl get svc my-service -o yaml
-```
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: MyApp
-  name: my-service
-spec:
-  clusterIP: None
-  clusterIPs:
-  - None
-  ipFamilies:
-  - IPv4
-  ipFamilyPolicy: SingleStack
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: MyApp
-```
+   ```shell
+   kubectl get svc my-service -o yaml
+   ```
+
+   ```yaml
+   apiVersion: v1
+   kind: Service
+   metadata:
+     labels:
+       app: MyApp
+     name: my-service
+   spec:
+     clusterIP: None
+     clusterIPs:
+     - None
+     ipFamilies:
+     - IPv4
+     ipFamilyPolicy: SingleStack
+     ports:
+     - port: 80
+       protocol: TCP
+       targetPort: 80
+     selector:
+       app: MyApp
+   ```
 
 #### Switching Services between single-stack and dual-stack
 
 Services can be changed from single-stack to dual-stack and from dual-stack to single-stack.
 
-1. To change a Service from single-stack to dual-stack, change `.spec.ipFamilyPolicy` from `SingleStack` to `PreferDualStack` or `RequireDualStack` as desired. When you change this Service from single-stack to dual-stack, Kubernetes assigns the missing address family so that the Service now has IPv4 and IPv6 addresses.
+1. To change a Service from single-stack to dual-stack, change `.spec.ipFamilyPolicy` from
+   `SingleStack` to `PreferDualStack` or `RequireDualStack` as desired. When you change this
+   Service from single-stack to dual-stack, Kubernetes assigns the missing address family so that the
+   Service now has IPv4 and IPv6 addresses.
 
    Edit the Service specification updating the `.spec.ipFamilyPolicy` from `SingleStack` to `PreferDualStack`.
 
-Before:
-```yaml
-spec:
-  ipFamilyPolicy: SingleStack
-```
-After:
-```yaml
-spec:
-  ipFamilyPolicy: PreferDualStack
-```
+   Before:
+
+   ```yaml
+   spec:
+     ipFamilyPolicy: SingleStack
+   ```
+
+   After:
 
-1. To change a Service from dual-stack to single-stack, change `.spec.ipFamilyPolicy` from `PreferDualStack` or `RequireDualStack` to `SingleStack`. When you change this Service from dual-stack to single-stack, Kubernetes retains only the first element in the `.spec.ClusterIPs` array, and sets `.spec.ClusterIP` to that IP address and sets `.spec.ipFamilies` to the address family of `.spec.ClusterIPs`.
+   ```yaml
+   spec:
+     ipFamilyPolicy: PreferDualStack
+   ```
+
+1. To change a Service from dual-stack to single-stack, change `.spec.ipFamilyPolicy` from
+   `PreferDualStack` or `RequireDualStack` to `SingleStack`. When you change this Service from
+   dual-stack to single-stack, Kubernetes retains only the first element in the `.spec.ClusterIPs`
+   array, and sets `.spec.ClusterIP` to that IP address and sets `.spec.ipFamilies` to the address
+   family of `.spec.ClusterIPs`.
 
 ### Headless Services without selector
 
-For [Headless Services without selectors](/docs/concepts/services-networking/service/#without-selectors) and without `.spec.ipFamilyPolicy` explicitly set, the `.spec.ipFamilyPolicy` field defaults to `RequireDualStack`.
+For [Headless Services without selectors](/docs/concepts/services-networking/service/#without-selectors)
+and without `.spec.ipFamilyPolicy` explicitly set, the `.spec.ipFamilyPolicy` field defaults to
+`RequireDualStack`.
 
 ### Service type LoadBalancer
 
 To provision a dual-stack load balancer for your Service:
-   * Set the `.spec.type` field to `LoadBalancer`
-   * Set `.spec.ipFamilyPolicy` field to `PreferDualStack` or `RequireDualStack`
+
+* Set the `.spec.type` field to `LoadBalancer`
+* Set `.spec.ipFamilyPolicy` field to `PreferDualStack` or `RequireDualStack`
 
 {{< note >}}
-To use a dual-stack `LoadBalancer` type Service, your cloud provider must support IPv4 and IPv6 load balancers.
+To use a dual-stack `LoadBalancer` type Service, your cloud provider must support IPv4 and IPv6
+load balancers.
 {{< /note >}}
 
 ## Egress traffic
 
-If you want to enable egress traffic in order to reach off-cluster destinations (eg. the public Internet) from a Pod that uses non-publicly routable IPv6 addresses, you need to enable the Pod to use a publicly routed IPv6 address via a mechanism such as transparent proxying or IP masquerading. The [ip-masq-agent](https://github.com/kubernetes-sigs/ip-masq-agent) project supports IP masquerading on dual-stack clusters.
+If you want to enable egress traffic in order to reach off-cluster destinations (eg. the public
+Internet) from a Pod that uses non-publicly routable IPv6 addresses, you need to enable the Pod to
+use a publicly routed IPv6 address via a mechanism such as transparent proxying or IP
+masquerading. The [ip-masq-agent](https://github.com/kubernetes-sigs/ip-masq-agent) project
+supports IP masquerading on dual-stack clusters.
 
 {{< note >}}
 Ensure your {{< glossary_tooltip text="CNI" term_id="cni" >}} provider supports IPv6.
 {{< /note >}}
 
-## {{% heading "whatsnext" %}}
+## Windows support
 
+Kubernetes on Windows does not support single-stack "IPv6-only" networking. However,
+dual-stack IPv4/IPv6 networking for pods and nodes with single-family services
+is supported.
+
+You can use IPv4/IPv6 dual-stack networking with `l2bridge` networks.
+
+{{< note >}}
+Overlay (VXLAN) networks on Windows **do not** support dual-stack networking.
+{{< /note >}}
+
+You can read more about the different network modes for Windows within the
+[Networking on Windows](/docs/concepts/services-networking/windows-networking#network-modes) topic.
+
+## {{% heading "whatsnext" %}}
 
 * [Validate IPv4/IPv6 dual-stack](/docs/tasks/network/validate-dual-stack) networking
-* [Enable dual-stack networking using kubeadm
-](/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)
+* [Enable dual-stack networking using kubeadm](/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)
+
diff --git a/content/en/docs/concepts/services-networking/ingress.md b/content/en/docs/concepts/services-networking/ingress.md
index da3ad5c6b4d13..aebcc800c62b0 100644
--- a/content/en/docs/concepts/services-networking/ingress.md
+++ b/content/en/docs/concepts/services-networking/ingress.md
@@ -30,23 +30,8 @@ For clarity, this guide defines the following terms:
 Traffic routing is controlled by rules defined on the Ingress resource.
 
 Here is a simple example where an Ingress sends all its traffic to one Service:
-{{< mermaid >}}
-graph LR;
-  client([client])-. Ingress-managed <br> load balancer .->ingress[Ingress];
-  ingress-->|routing rule|service[Service];
-  subgraph cluster
-  ingress;
-  service-->pod1[Pod];
-  service-->pod2[Pod];
-  end
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-  class ingress,service,pod1,pod2 k8s;
-  class client plain;
-  class cluster cluster;
-{{</ mermaid >}}
 
+{{< figure src="/docs/images/ingress.svg" alt="ingress-diagram" class="diagram-large" caption="Figure. Ingress" link="https://mermaid.live/edit#pako:eNqNkstuwyAQRX8F4U0r2VHqPlSRKqt0UamLqlnaWWAYJygYLB59KMm_Fxcix-qmGwbuXA7DwAEzzQETXKutof0Ovb4vaoUQkwKUu6pi3FwXM_QSHGBt0VFFt8DRU2OWSGrKUUMlVQwMmhVLEV1Vcm9-aUksiuXRaO_CEhkv4WjBfAgG1TrGaLa-iaUw6a0DcwGI-WgOsF7zm-pN881fvRx1UDzeiFq7ghb1kgqFWiElyTjnuXVG74FkbdumefEpuNuRu_4rZ1pqQ7L5fL6YQPaPNiFuywcG9_-ihNyUkm6YSONWkjVNM8WUIyaeOJLO3clTB_KhL8NQDmVe-OJjxgZM5FhFiiFTK5zjDkxHBQ9_4zB4a-x20EGNSZhyaKmXrg7f5hSsvufUwTMXThtMWiot5Jh6p9ffimHijIezaSVoeN0uiqcfMJvf7w" >}}
 
 An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting. An [Ingress controller](/docs/concepts/services-networking/ingress-controllers) is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.
 
@@ -398,25 +383,8 @@ A fanout configuration routes traffic from a single IP address to more than one
 based on the HTTP URI being requested. An Ingress allows you to keep the number of load balancers
 down to a minimum. For example, a setup like:
 
-{{< mermaid >}}
-graph LR;
-  client([client])-. Ingress-managed <br> load balancer .->ingress[Ingress, 178.91.123.132];
-  ingress-->|/foo|service1[Service service1:4200];
-  ingress-->|/bar|service2[Service service2:8080];
-  subgraph cluster
-  ingress;
-  service1-->pod1[Pod];
-  service1-->pod2[Pod];
-  service2-->pod3[Pod];
-  service2-->pod4[Pod];
-  end
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-  class ingress,service1,service2,pod1,pod2,pod3,pod4 k8s;
-  class client plain;
-  class cluster cluster;
-{{</ mermaid >}}
+{{< figure src="/docs/images/ingressFanOut.svg" alt="ingress-fanout-diagram" class="diagram-large" caption="Figure. Ingress Fan Out" link="https://mermaid.live/edit#pako:eNqNUslOwzAQ_RXLvYCUhMQpUFzUUzkgcUBwbHpw4klr4diR7bCo8O8k2FFbFomLPZq3jP00O1xpDpjijWHtFt09zAuFUCUFKHey8vf6NE7QrdoYsDZumGIb4Oi6NAskNeOoZJKpCgxK4oXwrFVgRyi7nCVXWZKRPMlysv5yD6Q4Xryf1Vq_WzDPooJs9egLNDbolKTpT03JzKgh3zWEztJZ0Niu9L-qZGcdmAMfj4cxvWmreba613z9C0B-AMQD-V_AdA-A4j5QZu0SatRKJhSqhZR0wjmPrDP6CeikrutQxy-Cuy2dtq9RpaU2dJKm6fzI5Glmg0VOLio4_5dLjx27hFSC015KJ2VZHtuQvY2fuHcaE43G0MaCREOow_FV5cMxHZ5-oPX75UM5avuXhXuOI9yAaZjg_aLuBl6B3RYaKDDtSw4166QrcKE-emrXcubghgunDaY1kxYizDqnH99UhakzHYykpWD9hjS--fEJoIELqQ" >}}
+
 
 would require an Ingress such as:
 
@@ -460,25 +428,7 @@ you are using, you may need to create a default-http-backend
 
 Name-based virtual hosts support routing HTTP traffic to multiple host names at the same IP address.
 
-{{< mermaid >}}
-graph LR;
-  client([client])-. Ingress-managed <br> load balancer .->ingress[Ingress, 178.91.123.132];
-  ingress-->|Host: foo.bar.com|service1[Service service1:80];
-  ingress-->|Host: bar.foo.com|service2[Service service2:80];
-  subgraph cluster
-  ingress;
-  service1-->pod1[Pod];
-  service1-->pod2[Pod];
-  service2-->pod3[Pod];
-  service2-->pod4[Pod];
-  end
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-  class ingress,service1,service2,pod1,pod2,pod3,pod4 k8s;
-  class client plain;
-  class cluster cluster;
-{{</ mermaid >}}
+{{< figure src="/docs/images/ingressNameBased.svg" alt="ingress-namebase-diagram" class="diagram-large" caption="Figure. Ingress Name Based Virtual hosting" link="https://mermaid.live/edit#pako:eNqNkl9PwyAUxb8KYS-atM1Kp05m9qSJJj4Y97jugcLtRqTQAPVPdN_dVlq3qUt8gZt7zvkBN7xjbgRgiteW1Rt0_zjLNUJcSdD-ZBn21WmcoDu9tuBcXDHN1iDQVWHnSBkmUMEU0xwsSuK5DK5l745QejFNLtMkJVmSZmT1Re9NcTz_uDXOU1QakxTMJtxUHw7ss-SQLhehQEODTsdH4l20Q-zFyc84-Y67pghv5apxHuweMuj9eS2_NiJdPhix-kMgvwQShOyYMNkJoEUYM3PuGkpUKyY1KqVSdCSEiJy35gnoqCzLvo5fpPAbOqlfI26UsXQ0Ho9nB5CnqesRGTnncPYvSqsdUvqp9KRdlI6KojjEkB0mnLgjDRONhqENBYm6oXbLV5V1y6S7-l42_LowlIN2uFm_twqOcAW2YlK0H_i9c-bYb6CCHNO2FFCyRvkc53rbWptaMA83QnpjMS2ZchBh1nizeNMcU28bGEzXkrV_pArN7Sc0rBTu" >}}
 
 
 The following Ingress tells the backing load balancer to route requests based on
diff --git a/content/en/docs/concepts/services-networking/network-policies.md b/content/en/docs/concepts/services-networking/network-policies.md
index dc4e2b76ca93a..9a97abfb5b1bf 100644
--- a/content/en/docs/concepts/services-networking/network-policies.md
+++ b/content/en/docs/concepts/services-networking/network-policies.md
@@ -54,7 +54,7 @@ POSTing this to the API server for your cluster will have no effect unless your
 __Mandatory Fields__: As with all other Kubernetes config, a NetworkPolicy
 needs `apiVersion`, `kind`, and `metadata` fields.  For general information
 about working with config files, see
-[Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/),
+[Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/),
 and [Object Management](/docs/concepts/overview/working-with-objects/object-management).
 
 __spec__: NetworkPolicy [spec](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) has all the information needed to define a particular network policy in the given namespace.
@@ -258,7 +258,7 @@ standardized label to target a specific namespace.
 
 ## What you can't do with network policies (at least, not yet)
 
-As of Kubernetes {{< skew latestVersion >}}, the following functionality does not exist in the NetworkPolicy API, but you might be able to implement workarounds using Operating System components (such as SELinux, OpenVSwitch, IPTables, and so on) or Layer 7 technologies (Ingress controllers, Service Mesh implementations) or admission controllers.  In case you are new to network security in Kubernetes, its worth noting that the following User Stories cannot (yet) be implemented using the NetworkPolicy API.
+As of Kubernetes {{< skew currentVersion >}}, the following functionality does not exist in the NetworkPolicy API, but you might be able to implement workarounds using Operating System components (such as SELinux, OpenVSwitch, IPTables, and so on) or Layer 7 technologies (Ingress controllers, Service Mesh implementations) or admission controllers.  In case you are new to network security in Kubernetes, its worth noting that the following User Stories cannot (yet) be implemented using the NetworkPolicy API.
 
 - Forcing internal cluster traffic to go through a common gateway (this might be best served with a service mesh or other proxy).
 - Anything TLS related (use a service mesh or ingress controller for this).
diff --git a/content/en/docs/concepts/services-networking/service-traffic-policy.md b/content/en/docs/concepts/services-networking/service-traffic-policy.md
index b7a367a4b7e19..b9abe34b3fc73 100644
--- a/content/en/docs/concepts/services-networking/service-traffic-policy.md
+++ b/content/en/docs/concepts/services-networking/service-traffic-policy.md
@@ -60,12 +60,6 @@ considered.
 When the [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 `ServiceInternalTrafficPolicy` is enabled, `spec.internalTrafficPolicy` defaults to "Cluster".
 
-## Constraints
-
-* Service Internal Traffic Policy is not used when `externalTrafficPolicy` is set
-  to `Local` on a Service. It is possible to use both features in the same cluster
-  on different Services, just not on the same Service.
-
 ## {{% heading "whatsnext" %}}
 
 * Read about [Topology Aware Hints](/docs/concepts/services-networking/topology-aware-hints)
diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md
index 679f96b139d69..ad5af427ec3ed 100644
--- a/content/en/docs/concepts/services-networking/service.md
+++ b/content/en/docs/concepts/services-networking/service.md
@@ -122,7 +122,7 @@ metadata:
 spec:
   containers:
   - name: nginx
-    image: nginx:11.14.2
+    image: nginx:stable
     ports:
       - containerPort: 80
         name: http-web-svc
@@ -192,6 +192,7 @@ where it's running, by adding an Endpoints object manually:
 apiVersion: v1
 kind: Endpoints
 metadata:
+  # the name here should match the name of the Service
   name: my-service
 subsets:
   - addresses:
@@ -203,6 +204,10 @@ subsets:
 The name of the Endpoints object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
+When you create an [Endpoints](/docs/reference/kubernetes-api/service-resources/endpoints-v1/)
+object for a Service, you set the name of the new object to be the same as that
+of the Service.
+
 {{< note >}}
 The endpoint IPs _must not_ be: loopback (127.0.0.0/8 for IPv4, ::1/128 for IPv6), or
 link-local (169.254.0.0/16 and 224.0.0.0/24 for IPv4, fe80::/64 for IPv6).
@@ -394,6 +399,10 @@ You can also set the maximum session sticky time by setting
 `service.spec.sessionAffinityConfig.clientIP.timeoutSeconds` appropriately.
 (the default value is 10800, which works out to be 3 hours).
 
+{{< note >}}
+On Windows, setting the maximum session sticky time for Services is not supported.
+{{< /note >}}
+
 ## Multi-Port Services
 
 For some Services, you need to expose more than one port.
@@ -447,7 +456,7 @@ server will return a 422 HTTP status code to indicate that there's a problem.
 
 You can set the `spec.externalTrafficPolicy` field to control how traffic from external sources is routed.
 Valid values are `Cluster` and `Local`. Set the field to `Cluster` to route external traffic to all ready endpoints
-and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are are no node-local
+and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are no node-local
 endpoints, the kube-proxy does not forward any traffic for the relevant Service.
 
 {{< note >}}
@@ -853,6 +862,17 @@ metadata:
 [...]
 ```
 
+{{% /tab %}}
+{{% tab name="OCI" %}}
+
+```yaml
+[...]
+metadata:
+    name: my-service
+    annotations:
+        service.beta.kubernetes.io/oci-load-balancer-internal: true
+[...]
+```
 {{% /tab %}}
 {{< /tabs >}}
 
diff --git a/content/en/docs/concepts/services-networking/windows-networking.md b/content/en/docs/concepts/services-networking/windows-networking.md
new file mode 100644
index 0000000000000..6aa79f0a0369a
--- /dev/null
+++ b/content/en/docs/concepts/services-networking/windows-networking.md
@@ -0,0 +1,164 @@
+---
+reviewers:
+- aravindhp
+- jayunit100
+- jsturtevant
+- marosset
+title: Networking on Windows
+content_type: concept
+weight: 75
+---
+
+<!-- overview -->
+
+Kubernetes supports running nodes on either Linux or Windows. You can mix both kinds of node
+within a single cluster.
+This page provides an overview to networking specific to the Windows operating system.
+
+<!-- body -->
+## Container networking on Windows {#networking}
+
+Networking for Windows containers is exposed through
+[CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/).
+Windows containers function similarly to virtual machines in regards to
+networking. Each container has a virtual network adapter (vNIC) which is connected
+to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the
+Host Compute Service (HCS) work together to create containers and attach container
+vNICs to networks. HCS is responsible for the management of containers whereas HNS
+is responsible for the management of networking resources such as:
+
+* Virtual networks (including creation of vSwitches)
+* Endpoints / vNICs
+* Namespaces
+* Policies including packet encapsulations, load-balancing rules, ACLs, and NAT rules.
+
+The Windows HNS and vSwitch implement namespacing and can
+create virtual NICs as needed for a pod or container. However, many configurations such
+as DNS, routes, and metrics are stored in the Windows registry database rather than as
+files inside `/etc`, which is how Linux stores those configurations. The Windows registry for the container
+is separate from that of the host, so concepts like mapping `/etc/resolv.conf` from
+the host into a container don't have the same effect they would on Linux. These must
+be configured using Windows APIs run in the context of that container. Therefore
+CNI implementations need to call the HNS instead of relying on file mappings to pass
+network details into the pod or container.
+
+## Network modes
+
+Windows supports five different networking drivers/modes: L2bridge, L2tunnel,
+Overlay (Beta), Transparent, and NAT. In a heterogeneous cluster with Windows and Linux
+worker nodes, you need to select a networking solution that is compatible on both
+Windows and Linux. The following table lists the out-of-tree plugins are supported on Windows,
+with recommendations on when to use each CNI:
+
+| Network Driver | Description | Container Packet Modifications | Network Plugins | Network Plugin Characteristics |
+| -------------- | ----------- | ------------------------------ | --------------- | ------------------------------ |
+| L2bridge       | Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. | MAC is rewritten to host MAC, IP may be rewritten to host IP using HNS OutboundNAT policy. | [win-bridge](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge), [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md), Flannel host-gateway uses win-bridge | win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires user-defined routes (UDR) for inter-node connectivity. |
+| L2Tunnel | This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. | MAC rewritten, IP visible on the underlay network | [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) | Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that [Azure Virtual Network provides](https://azure.microsoft.com/en-us/services/virtual-network/). For example, securely connect to Azure services or use Azure NSGs. See [azure-cni for some examples](https://docs.microsoft.com/azure/aks/concepts-network#azure-cni-advanced-networking) |
+| Overlay | Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. | Encapsulated with an outer header. | [win-overlay](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay), Flannel VXLAN (uses win-overlay) | win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags)  if you are restricted on IPs in your datacenter.  This option requires [KB4489899](https://support.microsoft.com/help/4489899) on Windows Server 2019. |
+| Transparent (special use case for [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)) | Requires an external vSwitch. Containers are attached to an external vSwitch which enables intra-pod communication via logical networks (logical switches and routers). | Packet is encapsulated either via [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) or [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) tunneling to reach pods which are not on the same host.  <br/> Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller. <br/> NAT is done for north-south communication. | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [Deploy via ansible](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. |
+| NAT (*not used in Kubernetes*) | Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called [WinNAT](https://techcommunity.microsoft.com/t5/virtualization/windows-nat-winnat-capabilities-and-limitations/ba-p/382303) | MAC and IP is rewritten to host MAC/IP. | [nat](https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat) | Included here for completeness |
+
+As outlined above, the [Flannel](https://github.com/coreos/flannel)
+[CNI plugin](https://github.com/flannel-io/cni-plugin)
+is also [supported](https://github.com/flannel-io/cni-plugin#windows-support-experimental) on Windows via the
+[VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**Beta support** ; delegates to win-overlay)
+and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge).
+
+This plugin supports delegating to one of the reference CNI plugins (win-overlay,
+win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for
+automatic node subnet lease assignment and HNS network creation. This plugin reads
+in its own configuration file (cni.conf), and aggregates it with the environment
+variables from the FlannelD generated subnet.env file. It then delegates to one of
+the reference CNI plugins for network plumbing, and sends the correct configuration
+containing the node-assigned subnet to the IPAM plugin (for example: `host-local`).
+
+For Node, Pod, and Service objects, the following network flows are supported for
+TCP/UDP traffic:
+
+* Pod → Pod (IP)
+* Pod → Pod (Name)
+* Pod → Service (Cluster IP)
+* Pod → Service (PQDN, but only if there are no ".")
+* Pod → Service (FQDN)
+* Pod → external (IP)
+* Pod → external (DNS)
+* Node → Pod
+* Pod → Node
+
+## IP address management (IPAM) {#ipam}
+
+The following IPAM options are supported on Windows:
+
+* [host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
+* [azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only)
+* [Windows Server IPAM](https://docs.microsoft.com/windows-server/networking/technologies/ipam/ipam-top) (fallback option if no IPAM is set)
+
+## Load balancing and Services
+
+A Kubernetes {{< glossary_tooltip text="Service" term_id="service" >}} is an abstraction
+that defines a logical set of Pods and a means to access them over a network.
+In a cluster that includes Windows nodes, you can use the following types of Service:
+
+* `NodePort`
+* `ClusterIP`
+* `LoadBalancer`
+* `ExternalName`
+
+Windows container networking differs in some important ways from Linux networking.
+The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture)
+provides additional details and background.
+
+On Windows, you can use the following settings to configure Services and load
+balancing behavior:
+
+{{< table caption="Windows Service Settings" >}}
+| Feature | Description | Minimum Supported Windows OS build | How to enable |
+| ------- | ----------- | -------------------------- | ------------- |
+| Session affinity | Ensures that connections from a particular client are passed to the same Pod each time. | Windows Server 2022 | Set `service.spec.sessionAffinity` to "ClientIP" |
+| Direct Server Return (DSR) | Load balancing mode where the IP address fixups and the LBNAT occurs at the container vSwitch port directly; service traffic arrives with the source IP set as the originating pod IP. | Windows Server 2019 | Set the following flags in kube-proxy: `--feature-gates="WinDSR=true" --enable-dsr=true` |
+| Preserve-Destination | Skips DNAT of service traffic, thereby preserving the virtual IP of the target service in packets reaching the backend Pod. Also disables node-node forwarding. | Windows Server, version 1903 | Set `"preserve-destination": "true"` in service annotations and enable DSR in kube-proxy. |
+| IPv4/IPv6 dual-stack networking | Native IPv4-to-IPv4 in parallel with IPv6-to-IPv6 communications to, from, and within a cluster | Windows Server 2019 | See [IPv4/IPv6 dual-stack](#ipv4ipv6-dual-stack) |
+| Client IP preservation | Ensures that source IP of incoming ingress traffic gets preserved. Also disables node-node forwarding. |  Windows Server 2019  | Set `service.spec.externalTrafficPolicy` to "Local" and enable DSR in kube-proxy |
+{{< /table >}}
+
+{{< warning >}}
+There are known issue with NodePort Services on overlay networking, if the destination node is running Windows Server 2022.
+To avoid the issue entirely, you can configure the service with `externalTrafficPolicy: Local`.
+
+There are known issues with Pod to Pod connectivity on l2bridge network on Windows Server 2022 with KB5005619 or higher installed.
+To workaround the issue and restore Pod to Pod connectivity, you can disable the WinDSR feature in kube-proxy.
+
+These issues require OS fixes.
+Please follow https://github.com/microsoft/Windows-Containers/issues/204 for updates.
+{{< /warning >}}
+
+## Limitations
+
+The following networking functionality is _not_ supported on Windows nodes:
+
+* Host networking mode
+* Local NodePort access from the node itself (works for other nodes or external clients)
+* More than 64 backend pods (or unique destination addresses) for a single Service
+* IPv6 communication between Windows pods connected to overlay networks
+* Local Traffic Policy in non-DSR mode
+* Outbound communication using the ICMP protocol via the `win-overlay`, `win-bridge`, or using the Azure-CNI plugin.\
+  Specifically, the Windows data plane ([VFP](https://www.microsoft.com/research/project/azure-virtual-filtering-platform/))
+  doesn't support ICMP packet transpositions, and this means:
+  * ICMP packets directed to destinations within the same network (such as pod to pod communication via ping) 
+    work as expected;
+  * TCP/UDP packets work as expected;
+  * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) 
+    cannot be transposed and thus will not be routed back to their source;
+  * Since TCP/UDP packets can still be transposed, you can substitute `ping <destination>` with
+    `curl <destination>` when debugging connectivity with the outside world.
+
+Other limitations:
+
+* Windows reference network plugins win-bridge and win-overlay do not implement
+  [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0,
+  due to a missing `CHECK` implementation.
+* The Flannel VXLAN CNI plugin has the following limitations on Windows:
+  * Node-pod connectivity is only possible for local pods with Flannel v0.12.0 (or higher).
+  * Flannel is restricted to using VNI 4096 and UDP port 4789. See the official
+    [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
+    backend docs for more details on these parameters.
diff --git a/content/en/docs/concepts/storage/persistent-volumes.md b/content/en/docs/concepts/storage/persistent-volumes.md
index 16f0b8ed3b354..66aa8f7f8a860 100644
--- a/content/en/docs/concepts/storage/persistent-volumes.md
+++ b/content/en/docs/concepts/storage/persistent-volumes.md
@@ -540,6 +540,15 @@ In the CLI, the access modes are abbreviated to:
 * RWX - ReadWriteMany
 * RWOP - ReadWriteOncePod
 
+{{< note >}}
+Kubernetes uses volume access modes to match PersistentVolumeClaims and PersistentVolumes.
+In some cases, the volume access modes also constrain where the PersistentVolume can be mounted.
+Volume access modes do **not** enforce write protection once the storage has been mounted.
+Even if the access modes are specified as ReadWriteOnce, ReadOnlyMany, or ReadWriteMany, they don't set any constraints on the volume.
+For example, even if a PersistentVolume is created as ReadOnlyMany, it is no guarantee that it will be read-only.
+If the access modes are specified as ReadWriteOncePod, the volume is constrained and can be mounted on only a single Pod.
+{{< /note >}}
+
 > __Important!__ A volume can only be mounted using one access mode at a time, even if it supports many.  For example, a GCEPersistentDisk can be mounted as ReadWriteOnce by a single node or ReadOnlyMany by many nodes, but not at the same time.
 
 
@@ -673,7 +682,7 @@ Claims use [the same convention as volumes](#volume-mode) to indicate the consum
 
 ### Resources
 
-Claims, like Pods, can request specific quantities of a resource. In this case, the request is for storage. The same [resource model](https://git.k8s.io/community/contributors/design-proposals/scheduling/resources.md) applies to both volumes and claims.
+Claims, like Pods, can request specific quantities of a resource. In this case, the request is for storage. The same [resource model](https://git.k8s.io/design-proposals-archive/scheduling/resources.md) applies to both volumes and claims.
 
 ### Selector
 
@@ -1012,7 +1021,7 @@ and need persistent storage, it is recommended that you use the following patter
 
 * Learn more about [Creating a PersistentVolume](/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume).
 * Learn more about [Creating a PersistentVolumeClaim](/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim).
-* Read the [Persistent Storage design document](https://git.k8s.io/community/contributors/design-proposals/storage/persistent-storage.md).
+* Read the [Persistent Storage design document](https://git.k8s.io/design-proposals-archive/storage/persistent-storage.md).
 
 ### API references {#reference}
 
diff --git a/content/en/docs/concepts/storage/projected-volumes.md b/content/en/docs/concepts/storage/projected-volumes.md
index ed7c31db1475d..df67132cf599f 100644
--- a/content/en/docs/concepts/storage/projected-volumes.md
+++ b/content/en/docs/concepts/storage/projected-volumes.md
@@ -26,7 +26,7 @@ Currently, the following types of volume sources can be projected:
 * [`serviceAccountToken`](#serviceaccounttoken)
 
 All sources are required to be in the same namespace as the Pod. For more details,
-see the [all-in-one volume](https://github.com/kubernetes/design-proposals-archive/blob/main/node/all-in-one-volume.md) design document.
+see the [all-in-one volume](https://git.k8s.io/design-proposals-archive/node/all-in-one-volume.md) design document.
 
 ### Example configuration with a secret, a downwardAPI, and a configMap {#example-configuration-secret-downwardapi-configmap}
 
diff --git a/content/en/docs/concepts/storage/storage-classes.md b/content/en/docs/concepts/storage/storage-classes.md
index 53ee88a2e7071..8fda0b2ff3f3e 100644
--- a/content/en/docs/concepts/storage/storage-classes.md
+++ b/content/en/docs/concepts/storage/storage-classes.md
@@ -87,7 +87,7 @@ for provisioning PVs. This field must be specified.
 You are not restricted to specifying the "internal" provisioners
 listed here (whose names are prefixed with "kubernetes.io" and shipped
 alongside Kubernetes). You can also run and specify external provisioners,
-which are independent programs that follow a [specification](https://github.com/kubernetes/design-proposals-archive/blob/main/storage/volume-provisioning.md)
+which are independent programs that follow a [specification](https://git.k8s.io/design-proposals-archive/storage/volume-provisioning.md)
 defined by Kubernetes. Authors of external provisioners have full discretion
 over where their code lives, how the provisioner is shipped, how it needs to be
 run, what volume plugin it uses (including Flex), etc. The repository
diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md
index cc9a9565eb87a..fd994c97fa7fb 100644
--- a/content/en/docs/concepts/storage/volumes.md
+++ b/content/en/docs/concepts/storage/volumes.md
@@ -64,7 +64,9 @@ a different volume.
 
 Kubernetes supports several types of volumes.
 
-### awsElasticBlockStore {#awselasticblockstore}
+### awsElasticBlockStore (deprecated) {#awselasticblockstore}
+
+{{< feature-state for_k8s_version="v1.17" state="deprecated" >}}
 
 An `awsElasticBlockStore` volume mounts an Amazon Web Services (AWS)
 [EBS volume](https://aws.amazon.com/ebs/) into your pod. Unlike
@@ -115,7 +117,7 @@ spec:
       fsType: ext4
 ```
 
-If the EBS volume is partitioned, you can supply the optional field `partition: "<partition number>"` to specify which parition to mount on.
+If the EBS volume is partitioned, you can supply the optional field `partition: "<partition number>"` to specify which partition to mount on.
 
 #### AWS EBS CSI migration
 
@@ -135,7 +137,9 @@ beta features must be enabled.
 To disable the `awsElasticBlockStore` storage plugin from being loaded by the controller manager
 and the kubelet, set the `InTreePluginAWSUnregister` flag to `true`.
 
-### azureDisk {#azuredisk}
+### azureDisk (deprecated) {#azuredisk}
+
+{{< feature-state for_k8s_version="v1.19" state="deprecated" >}}
 
 The `azureDisk` volume type mounts a Microsoft Azure [Data Disk](https://docs.microsoft.com/en-us/azure/aks/csi-storage-drivers) into a pod.
 
@@ -158,7 +162,9 @@ must be installed on the cluster and the `CSIMigration` feature must be enabled.
 To disable the `azureDisk` storage plugin from being loaded by the controller manager
 and the kubelet, set the `InTreePluginAzureDiskUnregister` flag to `true`.
 
-### azureFile {#azurefile}
+### azureFile (deprecated) {#azurefile}
+
+{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
 
 The `azureFile` volume type mounts a Microsoft Azure File volume (SMB 2.1 and 3.0)
 into a pod.
@@ -201,7 +207,9 @@ You must have your own Ceph server running with the share exported before you ca
 
 See the [CephFS example](https://github.com/kubernetes/examples/tree/master/volumes/cephfs/) for more details.
 
-### cinder
+### cinder (deprecated) {#cinder}
+
+{{< feature-state for_k8s_version="v1.18" state="deprecated" >}}
 
 {{< note >}}
 Kubernetes must be configured with the OpenStack cloud provider.
@@ -295,15 +303,17 @@ keyed with `log_level`.
 
 ### downwardAPI {#downwardapi}
 
-A `downwardAPI` volume makes downward API data available to applications.
-It mounts a directory and writes the requested data in plain text files.
+A `downwardAPI` volume makes {{< glossary_tooltip term_id="downward-api" text="downward API" >}}
+data available to applications. Within the volume, you can find the exposed
+data as read-only files in plain text format.
 
 {{< note >}}
-A container using the downward API as a [`subPath`](#using-subpath) volume mount will not
-receive downward API updates.
+A container using the downward API as a [`subPath`](#using-subpath) volume mount does not
+receive updates when field values change.
 {{< /note >}}
 
-See the [downward API example](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/) for more details.
+See [Expose Pod Information to Containers Through Files](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
+to learn more.
 
 ### emptyDir {#emptydir}
 
@@ -390,7 +400,9 @@ You must have your own Flocker installation running before you can use it.
 
 See the [Flocker example](https://github.com/kubernetes/examples/tree/master/staging/volumes/flocker) for more details.
 
-### gcePersistentDisk
+### gcePersistentDisk (deprecated) {#gcepersistentdisk}
+
+{{< feature-state for_k8s_version="v1.17" state="deprecated" >}}
 
 A `gcePersistentDisk` volume mounts a Google Compute Engine (GCE)
 [persistent disk](https://cloud.google.com/compute/docs/disks) (PD) into your Pod.
@@ -1146,7 +1158,7 @@ to the [volume plugin FAQ](https://github.com/kubernetes/community/blob/master/s
 (CSI) defines a standard interface for container orchestration systems (like
 Kubernetes) to expose arbitrary storage systems to their container workloads.
 
-Please read the [CSI design proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md) for more information.
+Please read the [CSI design proposal](https://git.k8s.io/design-proposals-archive/storage/container-storage-interface.md) for more information.
 
 {{< note >}}
 Support for CSI spec versions 0.2 and 0.3 are deprecated in Kubernetes
@@ -1166,8 +1178,8 @@ CSI driver.
 A `csi` volume can be used in a Pod in three different ways:
 
 * through a reference to a [PersistentVolumeClaim](#persistentvolumeclaim)
-* with a [generic ephemeral volume](/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volume)
-* with a [CSI ephemeral volume](/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume)
+* with a [generic ephemeral volume](/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes)
+* with a [CSI ephemeral volume](/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volumes)
 if the driver supports that (beta feature)
 
 The following fields are available to storage administrators to configure a CSI
@@ -1234,12 +1246,26 @@ You can set up your
 You can directly configure CSI volumes within the Pod
 specification. Volumes specified in this way are ephemeral and do not
 persist across pod restarts. See [Ephemeral
-Volumes](/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume)
+Volumes](/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volumes)
 for more information.
 
 For more information on how to develop a CSI driver, refer to the
 [kubernetes-csi documentation](https://kubernetes-csi.github.io/docs/)
 
+#### Windows CSI proxy
+
+{{< feature-state for_k8s_version="v1.22" state="stable" >}}
+
+CSI node plugins need to perform various privileged
+operations like scanning of disk devices and mounting of file systems. These operations
+differ for each host operating system. For Linux worker nodes, containerized CSI node
+node plugins are typically deployed as privileged containers. For Windows worker nodes,
+privileged operations for containerized CSI node plugins is supported using
+[csi-proxy](https://github.com/kubernetes-csi/csi-proxy), a community-managed,
+stand-alone binary that needs to be pre-installed on each Windows node.
+
+For more details, refer to the deployment guide of the CSI plugin you wish to deploy.
+
 #### Migrating to CSI drivers from in-tree plugins
 
 {{< feature-state for_k8s_version="v1.17" state="beta" >}}
@@ -1256,6 +1282,14 @@ provisioning/delete, attach/detach, mount/unmount and resizing of volumes.
 In-tree plugins that support `CSIMigration` and have a corresponding CSI driver implemented
 are listed in [Types of Volumes](#volume-types).
 
+The following in-tree plugins support persistent storage on Windows nodes:
+
+* [`awsElasticBlockStore`](#awselasticblockstore)
+* [`azureDisk`](#azuredisk)
+* [`azureFile`](#azurefile)
+* [`gcePersistentDisk`](#gcepersistentdisk)
+* [`vsphereVolume`](#vspherevolume)
+
 ### flexVolume
 
 {{< feature-state for_k8s_version="v1.23" state="deprecated" >}}
@@ -1267,6 +1301,12 @@ volume plugin path on each node and in some cases the control plane nodes as wel
 Pods interact with FlexVolume drivers through the `flexVolume` in-tree volume plugin.
 For more details, see the FlexVolume [README](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md#readme) document.
 
+The following FlexVolume [plugins](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows),
+deployed as PowerShell scripts on the host, support Windows nodes:
+
+* [SMB](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~smb.cmd)
+* [iSCSI](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~iscsi.cmd)
+
 {{< note >}}
 FlexVolume is deprecated. Using an out-of-tree CSI driver is the recommended way to integrate external storage with Kubernetes.
 
diff --git a/content/en/docs/concepts/storage/windows-storage.md b/content/en/docs/concepts/storage/windows-storage.md
new file mode 100644
index 0000000000000..b8f40177ca005
--- /dev/null
+++ b/content/en/docs/concepts/storage/windows-storage.md
@@ -0,0 +1,71 @@
+---
+reviewers:
+- jingxu97
+- mauriciopoppe
+- jayunit100
+- jsturtevant
+- marosset
+- aravindhp
+title: Windows Storage
+content_type: concept
+---
+
+<!-- overview -->
+
+This page provides an storage overview specific to the Windows operating system.
+
+<!-- body -->
+
+## Persistent storage {#storage}
+
+Windows has a layered filesystem driver to mount container layers and create a copy
+filesystem based on NTFS. All file paths in the container are resolved only within
+the context of that container.
+
+* With Docker, volume mounts can only target a directory in the container, and not
+  an individual file. This limitation does not apply to containerd.
+* Volume mounts cannot project files or directories back to the host filesystem.
+* Read-only filesystems are not supported because write access is always required
+  for the Windows registry and SAM database. However, read-only volumes are supported.
+* Volume user-masks and permissions are not available. Because the SAM is not shared
+  between the host & container, there's no mapping between them. All permissions are
+  resolved within the context of the container.
+
+As a result, the following storage functionality is not supported on Windows nodes:
+
+* Volume subpath mounts: only the entire volume can be mounted in a Windows container
+* Subpath volume mounting for Secrets
+* Host mount projection
+* Read-only root filesystem (mapped volumes still support `readOnly`)
+* Block device mapping
+* Memory as the storage medium (for example, `emptyDir.medium` set to `Memory`)
+* File system features like uid/gid; per-user Linux filesystem permissions
+* Setting [secret permissions with DefaultMode](/docs/concepts/configuration/secret/#secret-files-permissions) (due to UID/GID dependency)
+* NFS based storage/volume support
+* Expanding the mounted volume (resizefs)
+
+Kubernetes {{< glossary_tooltip text="volumes" term_id="volume" >}} enable complex
+applications, with data persistence and Pod volume sharing requirements, to be deployed
+on Kubernetes. Management of persistent volumes associated with a specific storage
+back-end or protocol includes actions such as provisioning/de-provisioning/resizing
+of volumes, attaching/detaching a volume to/from a Kubernetes node and
+mounting/dismounting a volume to/from individual containers in a pod that needs to
+persist data.
+
+Volume management components are shipped as Kubernetes volume
+[plugin](/docs/concepts/storage/volumes/#types-of-volumes).
+The following broad classes of Kubernetes volume plugins are supported on Windows:
+
+* [`FlexVolume plugins`](/docs/concepts/storage/volumes/#flexVolume)
+  * Please note that FlexVolumes have been deprecated as of 1.23
+* [`CSI Plugins`](/docs/concepts/storage/volumes/#csi)
+
+##### In-tree volume plugins
+
+The following in-tree plugins support persistent storage on Windows nodes:
+
+* [`awsElasticBlockStore`](/docs/concepts/storage/volumes/#awselasticblockstore)
+* [`azureDisk`](/docs/concepts/storage/volumes/#azuredisk)
+* [`azureFile`](/docs/concepts/storage/volumes/#azurefile)
+* [`gcePersistentDisk`](/docs/concepts/storage/volumes/#gcepersistentdisk)
+* [`vsphereVolume`](/docs/concepts/storage/volumes/#vspherevolume)
diff --git a/content/en/docs/setup/production-environment/windows/_index.md b/content/en/docs/concepts/windows/_index.md
similarity index 100%
rename from content/en/docs/setup/production-environment/windows/_index.md
rename to content/en/docs/concepts/windows/_index.md
diff --git a/content/en/docs/concepts/windows/intro.md b/content/en/docs/concepts/windows/intro.md
new file mode 100644
index 0000000000000..91e9412759fe5
--- /dev/null
+++ b/content/en/docs/concepts/windows/intro.md
@@ -0,0 +1,387 @@
+---
+reviewers:
+- jayunit100
+- jsturtevant
+- marosset
+- perithompson
+title: Windows containers in Kubernetes
+content_type: concept
+weight: 65
+---
+
+<!-- overview -->
+
+Windows applications constitute a large portion of the services and applications that
+run in many organizations. [Windows containers](https://aka.ms/windowscontainers)
+provide a way to encapsulate processes and package dependencies, making it easier
+to use DevOps practices and follow cloud native patterns for Windows applications.
+
+Organizations with investments in Windows-based applications and Linux-based
+applications don't have to look for separate orchestrators to manage their workloads,
+leading to increased operational efficiencies across their deployments, regardless
+of operating system.
+
+<!-- body -->
+
+## Windows nodes in Kubernetes
+
+To enable the orchestration of Windows containers in Kubernetes, include Windows nodes
+in your existing Linux cluster. Scheduling Windows containers in
+{{< glossary_tooltip text="Pods" term_id="pod" >}} on Kubernetes is similar to
+scheduling Linux-based containers.
+
+In order to run Windows containers, your Kubernetes cluster must include
+multiple operating systems.
+While you can only run the {{< glossary_tooltip text="control plane" term_id="control-plane" >}} on Linux,
+you can deploy worker nodes running either Windows or Linux.
+
+Windows {{< glossary_tooltip text="nodes" term_id="node" >}} are
+[supported](#windows-os-version-support) provided that the operating system is
+Windows Server 2019.
+
+This document uses the term *Windows containers* to mean Windows containers with
+process isolation. Kubernetes does not support running Windows containers with
+[Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container).
+
+## Compatibility and limitations {#limitations}
+
+Some node features are only available if you use a specific
+[container runtime](#container-runtime); others are not available on Windows nodes,
+including:
+
+* HugePages: not supported for Windows containers
+* Privileged containers: not supported for Windows containers.
+  [HostProcess Containers](/docs/tasks/configure-pod-container/create-hostprocess-pod/) offer similar functionality.
+* TerminationGracePeriod: requires containerD
+
+Not all features of shared namespaces are supported. See [API compatibility](#api)
+for more details.
+
+See [Windows OS version compatibility](#windows-os-version-support) for details on
+the Windows versions that Kubernetes is tested against.
+
+From an API and kubectl perspective, Windows containers behave in much the same
+way as Linux-based containers. However, there are some notable differences in key
+functionality which are outlined in this section.
+
+### Comparison with Linux {#compatibility-linux-similarities}
+
+Key Kubernetes elements work the same way in Windows as they do in Linux. This
+section refers to several key workload abstractions and how they map to Windows.
+
+* [Pods](/docs/concepts/workloads/pods/)
+
+  A Pod is the basic building block of Kubernetes–the smallest and simplest unit in
+  the Kubernetes object model that you create or deploy. You may not deploy Windows and
+  Linux containers in the same Pod. All containers in a Pod are scheduled onto a single
+  Node where each Node represents a specific platform and architecture. The following
+  Pod capabilities, properties and events are supported with Windows containers:
+
+  * Single or multiple containers per Pod with process isolation and volume sharing
+  * Pod `status` fields
+  * Readiness, liveness, and startup probes
+  * postStart & preStop container lifecycle hooks
+  * ConfigMap, Secrets: as environment variables or volumes
+  * `emptyDir` volumes
+  * Named pipe host mounts
+  * Resource limits
+  * OS field: 
+
+    The `.spec.os.name` field should be set to `windows` to indicate that the current Pod uses Windows containers.
+    The `IdentifyPodOS` feature gate needs to be enabled for this field to be recognized.
+
+    {{< note >}}
+    Starting from 1.24, the `IdentifyPodOS` feature gate is in Beta stage and defaults to be enabled.
+    {{< /note >}}
+
+    If the `IdentifyPodOS` feature gate is enabled and you set the `.spec.os.name` field to `windows`,
+    you must not set the following fields in the `.spec` of that Pod:
+
+    * `spec.hostPID`
+    * `spec.hostIPC`
+    * `spec.securityContext.seLinuxOptions`
+    * `spec.securityContext.seccompProfile`
+    * `spec.securityContext.fsGroup`
+    * `spec.securityContext.fsGroupChangePolicy`
+    * `spec.securityContext.sysctls`
+    * `spec.shareProcessNamespace`
+    * `spec.securityContext.runAsUser`
+    * `spec.securityContext.runAsGroup`
+    * `spec.securityContext.supplementalGroups`
+    * `spec.containers[*].securityContext.seLinuxOptions`
+    * `spec.containers[*].securityContext.seccompProfile`
+    * `spec.containers[*].securityContext.capabilities`
+    * `spec.containers[*].securityContext.readOnlyRootFilesystem`
+    * `spec.containers[*].securityContext.privileged`
+    * `spec.containers[*].securityContext.allowPrivilegeEscalation`
+    * `spec.containers[*].securityContext.procMount`
+    * `spec.containers[*].securityContext.runAsUser`
+    * `spec.containers[*].securityContext.runAsGroup`
+
+    In the above list, wildcards (`*`) indicate all elements in a list.
+    For example, `spec.containers[*].securityContext` refers to the SecurityContext object
+    for all containers. If any of these fields is specified, the Pod will
+    not be admited by the API server.
+
+* [Workload resources](/docs/concepts/workloads/controllers/) including:
+  * ReplicaSet
+  * Deployment
+  * StatefulSet
+  * DaemonSet
+  * Job
+  * CronJob
+  * ReplicationController
+* {{< glossary_tooltip text="Services" term_id="service" >}}
+  See [Load balancing and Services](#load-balancing-and-services) for more details.
+
+Pods, workload resources, and Services are critical elements to managing Windows
+workloads on Kubernetes. However, on their own they are not enough to enable
+the proper lifecycle management of Windows workloads in a dynamic cloud native
+environment.
+
+* `kubectl exec`
+* Pod and container metrics
+* {{< glossary_tooltip text="Horizontal pod autoscaling" term_id="horizontal-pod-autoscaler" >}}
+* {{< glossary_tooltip text="Resource quotas" term_id="resource-quota" >}}
+* Scheduler preemption
+
+### Command line options for the kubelet {#kubelet-compatibility}
+
+Some kubelet command line options behave differently on Windows, as described below:
+
+* The `--windows-priorityclass` lets you set the scheduling priority of the kubelet process
+  (see [CPU resource management](/docs/concepts/configuration/windows-resource-management/#resource-management-cpu))
+* The `--kube-reserved`, `--system-reserved` , and `--eviction-hard` flags update
+  [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+* Eviction by using `--enforce-node-allocable` is not implemented
+* Eviction by using `--eviction-hard` and `--eviction-soft` are not implemented
+* When running on a Windows node the kubelet does not have memory or CPU
+  restrictions. `--kube-reserved` and `--system-reserved` only subtract from `NodeAllocatable`
+  and do not guarantee resource provided for workloads.
+  See [Resource Management for Windows nodes](/docs/concepts/configuration/windows-resource-management/#resource-reservation)
+  for more information.
+* The `MemoryPressure` Condition is not implemented
+* The kubelet does not take OOM eviction actions
+
+### API compatibility {#api}
+
+There are subtle differences in the way the Kubernetes APIs work for Windows due to the OS
+and container runtime. Some workload properties were designed for Linux, and fail to run on Windows.
+
+At a high level, these OS concepts are different:
+
+* Identity - Linux uses userID (UID) and groupID (GID) which
+  are represented as integer types. User and group names
+  are not canonical - they are just an alias in `/etc/groups`
+  or `/etc/passwd` back to UID+GID. Windows uses a larger binary
+  [security identifier](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) (SID)
+  which is stored in the Windows Security Access Manager (SAM) database. This
+  database is not shared between the host and containers, or between containers.
+* File permissions - Windows uses an access control list based on (SIDs), whereas
+  POSIX systems such as Linux use a bitmask based on object permissions and UID+GID,
+  plus _optional_ access control lists.
+* File paths - the convention on Windows is to use `\` instead of `/`. The Go IO
+  libraries typically accept both and just make it work, but when you're setting a
+  path or command line that's interpreted inside a container, `\` may be needed.
+* Signals - Windows interactive apps handle termination differently, and can
+  implement one or more of these:
+  * A UI thread handles well-defined messages including `WM_CLOSE`.
+  * Console apps handle Ctrl-C or Ctrl-break using a Control Handler.
+  * Services register a Service Control Handler function that can accept
+    `SERVICE_CONTROL_STOP` control codes.
+
+Container exit codes follow the same convention where 0 is success, and nonzero is failure.
+The specific error codes may differ across Windows and Linux. However, exit codes
+passed from the Kubernetes components (kubelet, kube-proxy) are unchanged.
+
+#### Field compatibility for container specifications {#compatibility-v1-pod-spec-containers}
+
+The following list documents differences between how Pod container specifications
+work between Windows and Linux:
+
+* Huge pages are not implemented in the Windows container
+  runtime, and are not available. They require [asserting a user
+  privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support)
+  that's not configurable for containers.
+* `requests.cpu` and `requests.memory` - requests are subtracted
+  from node available resources, so they can be used to avoid overprovisioning a
+  node. However, they cannot be used to guarantee resources in an overprovisioned
+  node. They should be applied to all containers as a best practice if the operator
+  wants to avoid overprovisioning entirely.
+* `securityContext.allowPrivilegeEscalation` -
+   not possible on Windows; none of the capabilities are hooked up
+* `securityContext.capabilities` -
+   POSIX capabilities are not implemented on Windows
+* `securityContext.privileged` -
+   Windows doesn't support privileged containers
+* `securityContext.procMount` -
+   Windows doesn't have a `/proc` filesystem
+* `securityContext.readOnlyRootFilesystem` -
+   not possible on Windows; write access is required for registry & system
+   processes to run inside the container
+* `securityContext.runAsGroup` -
+   not possible on Windows as there is no GID support
+* `securityContext.runAsNonRoot` -
+   this setting will prevent containers from running as `ContainerAdministrator`
+   which is the closest equivalent to a root user on Windows.
+* `securityContext.runAsUser` -
+   use [`runAsUserName`](/docs/tasks/configure-pod-container/configure-runasusername)
+   instead
+* `securityContext.seLinuxOptions` -
+   not possible on Windows as SELinux is Linux-specific
+* `terminationMessagePath` -
+   this has some limitations in that Windows doesn't support mapping single files. The
+   default value is `/dev/termination-log`, which does work because it does not
+   exist on Windows by default.
+
+#### Field compatibility for Pod specifications {#compatibility-v1-pod}
+
+The following list documents differences between how Pod specifications work between Windows and Linux:
+
+* `hostIPC` and `hostpid` - host namespace sharing is not possible on Windows
+* `hostNetwork` - There is no Windows OS support to share the host network
+* `dnsPolicy` - setting the Pod `dnsPolicy` to `ClusterFirstWithHostNet` is
+   not supported on Windows because host networking is not provided. Pods always
+   run with a container network.
+* `podSecurityContext` (see below)
+* `shareProcessNamespace` - this is a beta feature, and depends on Linux namespaces
+  which are not implemented on Windows. Windows cannot share process namespaces or
+  the container's root filesystem. Only the network can be shared.
+* `terminationGracePeriodSeconds` - this is not fully implemented in Docker on Windows,
+  see the [GitHub issue](https://github.com/moby/moby/issues/25982).
+  The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT,
+  then Windows waits 5 seconds by default, and finally shuts down
+  all processes using the normal Windows shutdown behavior. The 5
+  second default is actually in the Windows registry
+  [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183),
+  so it can be overridden when the container is built.
+* `volumeDevices` - this is a beta feature, and is not implemented on Windows.
+  Windows cannot attach raw block devices to pods.
+* `volumes`
+  * If you define an `emptyDir` volume, you cannot set its volume source to `memory`.
+* You cannot enable `mountPropagation` for volume mounts as this is not
+  supported on Windows.
+
+#### Field compatibility for Pod security context {#compatibility-v1-pod-spec-containers-securitycontext}
+
+None of the Pod [`securityContext`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) fields work on Windows.
+
+## Node problem detector
+
+The node problem detector (see
+[Monitor Node Health](/docs/tasks/debug/debug-cluster/monitor-node-health/))
+has preliminary support for Windows.
+For more information, visit the project's [GitHub page](https://github.com/kubernetes/node-problem-detector#windows).
+
+## Pause container
+
+In a Kubernetes Pod, an infrastructure or “pause” container is first created
+to host the container. In Linux, the cgroups and namespaces that make up a pod
+need a process to maintain their continued existence; the pause process provides
+this. Containers that belong to the same pod, including infrastructure and worker
+containers, share a common network endpoint (same IPv4 and / or IPv6 address, same
+network port spaces). Kubernetes uses pause containers to allow for worker containers
+crashing or restarting without losing any of the networking configuration.
+
+Kubernetes maintains a multi-architecture image that includes support for Windows.
+For Kubernetes v{{< skew currentVersion >}} the recommended pause image is `k8s.gcr.io/pause:3.6`.
+The [source code](https://github.com/kubernetes/kubernetes/tree/master/build/pause)
+is available on GitHub.
+
+Microsoft maintains a different multi-architecture image, with Linux and Windows
+amd64 support, that you can find as `mcr.microsoft.com/oss/kubernetes/pause:3.6`.
+This image is built from the same source as the Kubernetes maintained image but
+all of the Windows binaries are [authenticode signed](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode) by Microsoft.
+The Kubernetes project recommends using the Microsoft maintained image if you are
+deploying to a production or production-like environment that requires signed
+binaries.
+
+## Container runtimes {#container-runtime}
+
+You need to install a
+{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
+into each node in the cluster so that Pods can run there.
+
+The following container runtimes work with Windows:
+
+{{% thirdparty-content %}}
+
+### ContainerD
+
+{{< feature-state for_k8s_version="v1.20" state="stable" >}}
+
+You can use {{< glossary_tooltip term_id="containerd" text="ContainerD" >}} 1.4.0+
+as the container runtime for Kubernetes nodes that run Windows.
+
+Learn how to [install ContainerD on a Windows node](/docs/setup/production-environment/container-runtimes/#install-containerd).
+
+{{< note >}}
+There is a [known limitation](/docs/tasks/configure-pod-container/configure-gmsa/#gmsa-limitations)
+when using GMSA with containerd to access Windows network shares, which requires a
+kernel patch.
+{{< /note >}}
+
+### Mirantis Container Runtime {#mcr}
+
+[Mirantis Container Runtime](https://docs.mirantis.com/mcr/20.10/overview.html) (MCR)
+is available as a container runtime for all Windows Server 2019 and later versions.
+
+See [Install MCR on Windows Servers](https://docs.mirantis.com/mcr/20.10/install/mcr-windows.html) for more information.
+
+## Windows OS version compatibility {#windows-os-version-support}
+
+On Windows nodes, strict compatibility rules apply where the host OS version must
+match the container base image OS version. Only Windows containers with a container
+operating system of Windows Server 2019 are fully supported.
+
+For Kubernetes v{{< skew currentVersion >}}, operating system compatibility for Windows nodes (and Pods)
+is as follows:
+
+Windows Server LTSC release
+: Windows Server 2019
+: Windows Server 2022
+
+Windows Server SAC release
+:  Windows Server version 20H2
+
+The Kubernetes [version-skew policy](/docs/setup/release/version-skew-policy/) also applies.
+
+## Getting help and troubleshooting {#troubleshooting}
+
+Your main source of help for troubleshooting your Kubernetes cluster should start
+with the [Troubleshooting](/docs/tasks/debug/)
+page.
+
+Some additional, Windows-specific troubleshooting help is included
+in this section. Logs are an important element of troubleshooting
+issues in Kubernetes. Make sure to include them any time you seek
+troubleshooting assistance from other contributors. Follow the
+instructions in the
+SIG Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs).
+
+### Reporting issues and feature requests
+
+If you have what looks like a bug, or you would like to
+make a feature request, please follow the [SIG Windows contributing guide](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#reporting-issues-and-feature-requests) to create a new issue.
+You should first search the list of issues in case it was
+reported previously and comment with your experience on the issue and add additional
+logs. SIG Windows channel on the Kubernetes Slack is also a great avenue to get some initial support and
+troubleshooting ideas prior to creating a ticket.
+
+## Deployment tools
+
+The kubeadm tool helps you to deploy a Kubernetes cluster, providing the control
+plane to manage the cluster it, and nodes to run your workloads.
+[Adding Windows nodes](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)
+explains how to deploy Windows nodes to your cluster using kubeadm.
+
+The Kubernetes [cluster API](https://cluster-api.sigs.k8s.io/) project also provides means to automate deployment of Windows nodes.
+
+## Windows distribution channels
+
+For a detailed explanation of Windows distribution channels see the
+[Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19).
+
+Information on the different Windows Server servicing channels
+including their support models can be found at
+[Windows Server servicing channels](https://docs.microsoft.com/en-us/windows-server/get-started/servicing-channels-comparison).
diff --git a/content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md b/content/en/docs/concepts/windows/user-guide.md
similarity index 79%
rename from content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md
rename to content/en/docs/concepts/windows/user-guide.md
index 7177a4aa05046..450a1bb5e0739 100644
--- a/content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md
+++ b/content/en/docs/concepts/windows/user-guide.md
@@ -3,7 +3,6 @@ reviewers:
 - jayunit100
 - jsturtevant
 - marosset
-- perithompson
 title: Guide for scheduling Windows containers in Kubernetes
 content_type: concept
 weight: 75
@@ -11,31 +10,29 @@ weight: 75
 
 <!-- overview -->
 
-Windows applications constitute a large portion of the services and applications that run in many organizations. 
-This guide walks you through the steps to configure and deploy a Windows container in Kubernetes.
-
-
+Windows applications constitute a large portion of the services and applications that run in many organizations.
+This guide walks you through the steps to configure and deploy Windows containers in Kubernetes.
 
 <!-- body -->
 
 ## Objectives
 
 * Configure an example deployment to run Windows containers on the Windows node
-* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA)
+* Highlight Windows specific funcationality in Kubernetes
 
 ## Before you begin
 
-* Create a Kubernetes cluster that includes a 
+* Create a Kubernetes cluster that includes a
 control plane and a [worker node running Windows Server](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)
-* It is important to note that creating and deploying services and workloads on Kubernetes 
-behaves in much the same way for Linux and Windows containers. 
-[Kubectl commands](/docs/reference/kubectl/) to interface with the cluster are identical. 
+* It is important to note that creating and deploying services and workloads on Kubernetes
+behaves in much the same way for Linux and Windows containers.
+[Kubectl commands](/docs/reference/kubectl/) to interface with the cluster are identical.
 The example in the section below is provided to jumpstart your experience with Windows containers.
 
 ## Getting Started: Deploying a Windows container
 
-To deploy a Windows container on Kubernetes, you must first create an example application. 
-The example YAML file below creates a simple webserver application. 
+The example YAML file below deploys a simple webserver application running inside a Windows container.
+
 Create a service spec named `win-webserver.yaml` with the contents below:
 
 ```yaml
@@ -83,8 +80,8 @@ spec:
 ```
 
 {{< note >}}
-Port mapping is also supported, but for simplicity in this example 
-the container port 80 is exposed directly to the service.
+Port mapping is also supported, but for simplicity this example exposes
+port 80 of the container directly to the Service.
 {{< /note >}}
 
 1. Check that all nodes are healthy:
@@ -104,20 +101,19 @@ the container port 80 is exposed directly to the service.
 
 1. Check that the deployment succeeded. To verify:
 
-    * Two containers per pod on the Windows node, use `docker ps` 
-    * Two pods listed from the Linux control plane node, use `kubectl get pods` 
-    * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux control plane node 
+    * Two pods listed from the Linux control plane node, use `kubectl get pods`
+    * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux control plane node
       to check for a web server response
-    * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) 
+    * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node)
       using docker exec or kubectl exec
-    * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) 
+    * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`)
       from the Linux control plane node and from individual pods
     * Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services)
     * Inbound connectivity, `curl` the NodePort from the Linux control plane node or machines outside of the cluster
     * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec
 
 {{< note >}}
-Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. 
+Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack.
 Only Windows pods are able to access service IPs.
 {{< /note >}}
 
@@ -125,43 +121,43 @@ Only Windows pods are able to access service IPs.
 
 ### Capturing logs from workloads
 
-Logs are an important element of observability; they enable users to gain insights 
-into the operational aspect of workloads and are a key ingredient to troubleshooting issues. 
-Because Windows containers and workloads inside Windows containers behave differently from Linux containers, 
-users had a hard time collecting logs, limiting operational visibility. 
-Windows workloads for example are usually configured to log to ETW (Event Tracing for Windows) 
-or push entries to the application event log. 
-[LogMonitor](https://github.com/microsoft/windows-container-tools/tree/master/LogMonitor), an open source tool by Microsoft, 
-is the recommended way to monitor configured log sources inside a Windows container. 
-LogMonitor supports monitoring event logs, ETW providers, and custom application logs, 
+Logs are an important element of observability; they enable users to gain insights
+into the operational aspect of workloads and are a key ingredient to troubleshooting issues.
+Because Windows containers and workloads inside Windows containers behave differently from Linux containers,
+users had a hard time collecting logs, limiting operational visibility.
+Windows workloads for example are usually configured to log to ETW (Event Tracing for Windows)
+or push entries to the application event log.
+[LogMonitor](https://github.com/microsoft/windows-container-tools/tree/master/LogMonitor), an open source tool by Microsoft,
+is the recommended way to monitor configured log sources inside a Windows container.
+LogMonitor supports monitoring event logs, ETW providers, and custom application logs,
 piping them to STDOUT for consumption by `kubectl logs <pod>`.
 
-Follow the instructions in the LogMonitor GitHub page to copy its binaries and configuration files 
+Follow the instructions in the LogMonitor GitHub page to copy its binaries and configuration files
 to all your containers and add the necessary entrypoints for LogMonitor to push your logs to STDOUT.
 
-## Using configurable Container usernames
+## Configuring container user
 
-Starting with Kubernetes v1.16, Windows containers can be configured to run their entrypoints and processes 
-with different usernames than the image defaults. 
-The way this is achieved is a bit different from the way it is done for Linux containers. 
+### Using configurable Container usernames
+
+Windows containers can be configured to run their entrypoints and processes
+with different usernames than the image defaults.
 Learn more about it [here](/docs/tasks/configure-pod-container/configure-runasusername/).
 
-## Managing Workload Identity with Group Managed Service Accounts
+### Managing Workload Identity with Group Managed Service Accounts
 
-Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). 
-Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, 
-simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. 
-Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. 
+Windows container workloads can be configured to use Group Managed Service Accounts (GMSA).
+Group Managed Service Accounts are a specific type of Active Directory account that provide automatic password management,
+simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers.
+Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA.
 Learn more about configuring and using GMSA for Windows containers [here](/docs/tasks/configure-pod-container/configure-gmsa/).
 
 ## Taints and Tolerations
 
-Users today need to use some combination of taints and node selectors in order to 
-keep Linux and Windows workloads on their respective OS-specific nodes. 
-This likely imposes a burden only on Windows users. The recommended approach is outlined below, 
+Users need to use some combination of taints and node selectors in order to
+schedule Linux and Windows workloads to their respective OS-specific nodes.
+The recommended approach is outlined below,
 with one of its main goals being that this approach should not break compatibility for existing Linux workloads.
 
-
 If the `IdentifyPodOS` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is
 enabled, you can (and should) set `.spec.os.name` for a Pod to indicate the operating system
 that the containers in that Pod are designed for. For Pods that run Linux containers, set
@@ -184,26 +180,26 @@ so taints and tolerations and node selectors are still required
 
 ### Ensuring OS-specific workloads land on the appropriate container host
 
-Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations. 
+Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations.
 All Kubernetes nodes today have the following default labels:
 
 * kubernetes.io/os = [windows|linux]
 * kubernetes.io/arch = [amd64|arm64|...]
 
-If a Pod specification does not specify a nodeSelector like `"kubernetes.io/os": windows`, 
-it is possible the Pod can be scheduled on any host, Windows or Linux. 
-This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux. 
+If a Pod specification does not specify a nodeSelector like `"kubernetes.io/os": windows`,
+it is possible the Pod can be scheduled on any host, Windows or Linux.
+This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux.
 The best practice is to use a nodeSelector.
 
-However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers, 
-as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators. 
-In those situations, you may be hesitant to make the configuration change to add nodeSelectors. 
-The alternative is to use Taints. Because the kubelet can set Taints during registration, 
+However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers,
+as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators.
+In those situations, you may be hesitant to make the configuration change to add nodeSelectors.
+The alternative is to use Taints. Because the kubelet can set Taints during registration,
 it could easily be modified to automatically add a taint when running on Windows only.
 
 For example:  `--register-with-taints='os=windows:NoSchedule'`
 
-By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods). 
+By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods).
 In order for a Windows Pod to be scheduled on a Windows node, 
 it would need both the nodeSelector and the appropriate matching toleration to choose Windows.
 
@@ -223,26 +219,24 @@ tolerations:
 The Windows Server version used by each pod must match that of the node. If you want to use multiple Windows
 Server versions in the same cluster, then you should set additional node labels and nodeSelectors.
 
-Kubernetes 1.17 automatically adds a new label `node.kubernetes.io/windows-build` to simplify this. 
+Kubernetes 1.17 automatically adds a new label `node.kubernetes.io/windows-build` to simplify this.
 If you're running an older version, then it's recommended to add this label manually to Windows nodes.
 
-This label reflects the Windows major, minor, and build number that need to match for compatibility. 
+This label reflects the Windows major, minor, and build number that need to match for compatibility.
 Here are values used today for each Windows Server version.
 
 | Product Name                         |   Build Number(s)      |
 |--------------------------------------|------------------------|
 | Windows Server 2019                  | 10.0.17763             |
-| Windows Server version 1809          | 10.0.17763             |
-| Windows Server version 1903          | 10.0.18362             |
-
+| Windows Server, Version 20H2         | 10.0.19042             |
+| Windows Server 2022                  | 10.0.20348             |
 
 ### Simplifying with RuntimeClass
 
-[RuntimeClass] can be used to simplify the process of using taints and tolerations. 
+[RuntimeClass] can be used to simplify the process of using taints and tolerations.
 A cluster administrator can create a `RuntimeClass` object which is used to encapsulate these taints and tolerations.
 
-
-1. Save this file to `runtimeClasses.yml`. It includes the appropriate `nodeSelector` 
+1. Save this file to `runtimeClasses.yml`. It includes the appropriate `nodeSelector`
 for the Windows OS, architecture, and version.
 
 ```yaml
@@ -313,7 +307,4 @@ spec:
     app: iis-2019
 ```
 
-
-
-
 [RuntimeClass]: https://kubernetes.io/docs/concepts/containers/runtime-class/
diff --git a/content/en/docs/concepts/workloads/controllers/job.md b/content/en/docs/concepts/workloads/controllers/job.md
index 74a232831a45c..9d917505dee8a 100644
--- a/content/en/docs/concepts/workloads/controllers/job.md
+++ b/content/en/docs/concepts/workloads/controllers/job.md
@@ -51,13 +51,8 @@ job.batch/pi created
 
 Check on the status of the Job with `kubectl`:
 
-```shell
-kubectl describe jobs/pi
-```
-
-The output is similar to this:
-
-```
+{{< tabs name="Check status of Job" >}}
+{{< tab name="kubectl describe job pi" codelang="bash" >}}
 Name:           pi
 Namespace:      default
 Selector:       controller-uid=c9948307-e56d-4b5d-8302-ae2d7b7da67c
@@ -91,7 +86,62 @@ Events:
   Type    Reason            Age   From            Message
   ----    ------            ----  ----            -------
   Normal  SuccessfulCreate  14m   job-controller  Created pod: pi-5rwd7
-```
+{{< /tab >}}
+{{< tab name="kubectl get job pi -o yaml" codelang="bash" >}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    kubectl.kubernetes.io/last-applied-configuration: |
+      {"apiVersion":"batch/v1","kind":"Job","metadata":{"annotations":{},"name":"pi","namespace":"default"},"spec":{"backoffLimit":4,"template":{"spec":{"containers":[{"command":["perl","-Mbignum=bpi","-wle","print bpi(2000)"],"image":"perl","name":"pi"}],"restartPolicy":"Never"}}}}
+  creationTimestamp: "2022-06-15T08:40:15Z"
+  generation: 1
+  labels:
+    controller-uid: 863452e6-270d-420e-9b94-53a54146c223
+    job-name: pi
+  name: pi
+  namespace: default
+  resourceVersion: "987"
+  uid: 863452e6-270d-420e-9b94-53a54146c223
+spec:
+  backoffLimit: 4
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  selector:
+    matchLabels:
+      controller-uid: 863452e6-270d-420e-9b94-53a54146c223
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        controller-uid: 863452e6-270d-420e-9b94-53a54146c223
+        job-name: pi
+    spec:
+      containers:
+      - command:
+        - perl
+        - -Mbignum=bpi
+        - -wle
+        - print bpi(2000)
+        image: perl
+        imagePullPolicy: Always
+        name: pi
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+status:
+  active: 1
+  ready: 1
+  startTime: "2022-06-15T08:40:15Z"
+{{< /tab >}}
+{{< /tabs >}}
 
 To view completed Pods of a Job, use `kubectl get pods`.
 
@@ -119,7 +169,7 @@ kubectl logs $pods
 
 The output is similar to this:
 
-```shell
+```
 3.1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989380952572010654858632788659361533818279682303019520353018529689957736225994138912497217752834791315155748572424541506959508295331168617278558890750983817546374649393192550604009277016711390098488240128583616035637076601047101819429555961989467678374494482553797747268471040475346462080466842590694912933136770289891521047521620569660240580381501935112533824300355876402474964732639141992726042699227967823547816360093417216412199245863150302861829745557067498385054945885869269956909272107975093029553211653449872027559602364806654991198818347977535663698074265425278625518184175746728909777727938000816470600161452491921732172147723501414419735685481613611573525521334757418494684385233239073941433345477624168625189835694855620992192221842725502542568876717904946016534668049886272327917860857843838279679766814541009538837863609506800642251252051173929848960841284886269456042419652850222106611863067442786220391949450471237137869609563643719172874677646575739624138908658326459958133904780275901
 ```
 
@@ -253,9 +303,19 @@ due to a logical error in configuration etc.
 To do so, set `.spec.backoffLimit` to specify the number of retries before
 considering a Job as failed. The back-off limit is set by default to 6. Failed
 Pods associated with the Job are recreated by the Job controller with an
-exponential back-off delay (10s, 20s, 40s ...) capped at six minutes. The
-back-off count is reset when a Job's Pod is deleted or successful without any
-other Pods for the Job failing around that time.
+exponential back-off delay (10s, 20s, 40s ...) capped at six minutes.
+
+The number of retries is calculated in two ways:
+- The number of Pods with `.status.phase = "Failed"`.
+- When using `restartPolicy = "OnFailure"`, the number of retries in all the
+  containers of Pods with `.status.phase` equal to `Pending` or `Running`.
+
+If either of the calculations reaches the `.spec.backoffLimit`, the Job is
+considered failed.
+
+When the [`JobTrackingWithFinalizers`](#job-tracking-with-finalizers) feature is
+disabled, the number of failed Pods is only based on Pods that are still present
+in the API.
 
 {{< note >}}
 If your job has `restartPolicy = "OnFailure"`, keep in mind that your Pod running the Job
@@ -405,7 +465,7 @@ The pattern names are also links to examples and more detailed description.
 | ----------------------------------------- |:-----------------:|:---------------------------:|:-------------------:|
 | [Queue with Pod Per Work Item]            |         ✓         |                             |      sometimes      |
 | [Queue with Variable Pod Count]           |         ✓         |             ✓               |                     |
-| [Indexed Job with Static Work Assignment] |         ✓         |                             |          ✓          | 
+| [Indexed Job with Static Work Assignment] |         ✓         |                             |          ✓          |
 | [Job Template Expansion]                  |                   |                             |          ✓          |
 
 When you specify completions with `.spec.completions`, each Pod created by the Job controller
@@ -631,7 +691,6 @@ In order to use this behavior, you must enable the `JobTrackingWithFinalizers`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 on the [API server](/docs/reference/command-line-tools-reference/kube-apiserver/)
 and the [controller manager](/docs/reference/command-line-tools-reference/kube-controller-manager/).
-It is enabled by default.
 
 When enabled, the control plane tracks new Jobs using the behavior described
 below. Jobs created before the feature was enabled are unaffected. As a user,
diff --git a/content/en/docs/concepts/workloads/controllers/replicaset.md b/content/en/docs/concepts/workloads/controllers/replicaset.md
index 8024e6246a9ef..470a5e5024150 100644
--- a/content/en/docs/concepts/workloads/controllers/replicaset.md
+++ b/content/en/docs/concepts/workloads/controllers/replicaset.md
@@ -78,7 +78,7 @@ kubectl describe rs/frontend
 
 And you will see output similar to:
 
-```shell
+```
 Name:         frontend
 Namespace:    default
 Selector:     tier=frontend
@@ -130,7 +130,7 @@ kubectl get pods frontend-b2zdv -o yaml
 
 The output will look similar to this, with the frontend ReplicaSet's info set in the metadata's ownerReferences field:
 
-```shell
+```yaml
 apiVersion: v1
 kind: Pod
 metadata:
@@ -181,7 +181,7 @@ kubectl get pods
 
 The output shows that the new Pods are either already terminated, or in the process of being terminated:
 
-```shell
+```
 NAME             READY   STATUS        RESTARTS   AGE
 frontend-b2zdv   1/1     Running       0          10m
 frontend-vcmts   1/1     Running       0          10m
@@ -210,7 +210,7 @@ kubectl get pods
 ```
 
 Will reveal in its output:
-```shell
+```
 NAME             READY   STATUS    RESTARTS   AGE
 frontend-hmmj2   1/1     Running   0          9s
 pod1             1/1     Running   0          36s
@@ -387,7 +387,7 @@ As such, it is recommended to use Deployments when you want ReplicaSets.
 
 ### Bare Pods
 
-Unlike the case where a user directly created Pods, a ReplicaSet replaces Pods that are deleted or terminated for any reason, such as in the case of node failure or disruptive node maintenance, such as a kernel upgrade. For this reason, we recommend that you use a ReplicaSet even if your application requires only a single Pod. Think of it similarly to a process supervisor, only it supervises multiple Pods across multiple nodes instead of individual processes on a single node. A ReplicaSet delegates local container restarts to some agent on the node (for example, Kubelet or Docker).
+Unlike the case where a user directly created Pods, a ReplicaSet replaces Pods that are deleted or terminated for any reason, such as in the case of node failure or disruptive node maintenance, such as a kernel upgrade. For this reason, we recommend that you use a ReplicaSet even if your application requires only a single Pod. Think of it similarly to a process supervisor, only it supervises multiple Pods across multiple nodes instead of individual processes on a single node. A ReplicaSet delegates local container restarts to some agent on the node such as Kubelet.
 
 ### Job
 
diff --git a/content/en/docs/concepts/workloads/pods/downward-api.md b/content/en/docs/concepts/workloads/pods/downward-api.md
new file mode 100644
index 0000000000000..fcee383c45f44
--- /dev/null
+++ b/content/en/docs/concepts/workloads/pods/downward-api.md
@@ -0,0 +1,131 @@
+---
+title: Downward API
+content_type: concept
+description: >
+  There are two ways to expose Pod and container fields to a running container:
+  environment variables, and as files that are populated by a special volume type.
+  Together, these two ways of exposing Pod and container fields are called the downward API.
+---
+
+<!-- overview -->
+
+It is sometimes useful for a container to have information about itself, without
+being overly coupled to Kubernetes. The _downward API_ allows containers to consume
+information about themselves or the cluster without using the Kubernetes client
+or API server.
+
+An example is an existing application that assumes a particular well-known
+environment variable holds a unique identifier. One possibility is to wrap the
+application, but that is tedious and error-prone, and it violates the goal of low
+coupling. A better option would be to use the Pod's name as an identifier, and
+inject the Pod's name into the well-known environment variable.
+
+In Kubernetes, there are two ways to expose Pod and container fields to a running container:
+
+* as [environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
+* as [files in a `downwardAPI` volume](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
+
+Together, these two ways of exposing Pod and container fields are called the
+_downward API_.
+
+<!-- body -->
+
+## Available fields
+
+Only some Kubernetes API fields are available through the downward API. This
+section lists which fields you can make available.
+
+You can pass information from available Pod-level fields using `fieldRef`.
+At the API level, the `spec` for a Pod always defines at least one
+[Container](/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container).
+You can pass information from available Container-level fields using
+`resourceFieldRef`.
+
+### Information available via `fieldRef` {#downwardapi-fieldRef}
+
+For most Pod-level fields, you can provide them to a container either as
+an environment variable or using a `downwardAPI` volume. The fields available
+via either mechanism are:
+
+`metadata.name`
+: the pod's name
+
+`metadata.namespace`
+: the pod's {{< glossary_tooltip text="namespace" term_id="namespace" >}}
+
+`metadata.uid`
+: the pod's unique ID
+
+`metadata.annotations['<KEY>']`
+: the value of the pod's {{< glossary_tooltip text="annotation" term_id="annotation" >}} named `<KEY>` (for example, `metadata.annotations['myannotation']`)
+
+`metadata.labels['<KEY>']`
+: the text value of the pod's {{< glossary_tooltip text="label" term_id="label" >}} named `<KEY>` (for example, `metadata.labels['mylabel']`)
+
+`spec.serviceAccountName`
+: the name of the pod's {{< glossary_tooltip text="service account" term_id="service-account" >}}
+
+`spec.nodeName`
+: the name of the {{< glossary_tooltip term_id="node" text="node">}} where the Pod is executing
+
+`status.hostIP`
+: the primary IP address of the node to which the Pod is assigned
+
+`status.podIP`
+: the pod's primary IP address (usually, its IPv4 address)
+
+In addition, the following information is available through
+a `downwardAPI` volume `fieldRef`, but **not as environment variables**:
+
+`metadata.labels`
+: all of the pod's labels, formatted as `label-key="escaped-label-value"` with one label per line
+
+`metadata.annotations`
+: all of the pod's annotations, formatted as `annotation-key="escaped-annotation-value"` with one annotation per line  
+
+### Information available via `resourceFieldRef` {#downwardapi-resourceFieldRef}
+
+These container-level fields allow you to provide information about
+[requests and limits](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits)
+for resources such as CPU and memory.
+
+
+`resource: limits.cpu`
+: A container's CPU limit
+
+`resource: requests.cpu`
+: A container's CPU request
+
+`resource: limits.memory`
+: A container's memory limit
+
+`resource: requests.memory`
+: A container's memory request
+
+`resource: limits.hugepages-*`
+: A container's hugepages limit (provided that the `DownwardAPIHugePages` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
+
+`resource: requests.hugepages-*`
+: A container's hugepages request (provided that the `DownwardAPIHugePages` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
+
+`resource: limits.ephemeral-storage`
+: A container's ephemeral-storage limit
+
+`resource: requests.ephemeral-storage`
+: A container's ephemeral-storage request
+
+#### Fallback information for resource limits
+
+If CPU and memory limits are not specified for a container, and you use the
+downward API to try to expose that information, then the
+kubelet defaults to exposing the maximum allocatable value for CPU and memory
+based on the [node allocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+calculation.
+
+## {{% heading "whatsnext" %}}
+
+You can read about [`downwardAPI` volumes](/docs/concepts/storage/volumes/#downwardapi).
+
+You can try using the downward API to expose container- or Pod-level information:
+* as [environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
+* as [files in `downwardAPI` volume](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
diff --git a/content/en/docs/concepts/workloads/pods/init-containers.md b/content/en/docs/concepts/workloads/pods/init-containers.md
index 371ef58dac2df..61b90d17d0b05 100644
--- a/content/en/docs/concepts/workloads/pods/init-containers.md
+++ b/content/en/docs/concepts/workloads/pods/init-containers.md
@@ -334,4 +334,3 @@ Kubernetes, consult the documentation for the version you are using.
 * Read about [creating a Pod that has an init container](/docs/tasks/configure-pod-container/configure-pod-initialization/#create-a-pod-that-has-an-init-container)
 * Learn how to [debug init containers](/docs/tasks/debug/debug-application/debug-init-containers/)
 
-
diff --git a/content/en/docs/concepts/workloads/pods/pod-topology-spread-constraints.md b/content/en/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
index 34ca33d6b13cd..fe50cf7e2d4f8 100644
--- a/content/en/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
+++ b/content/en/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
@@ -64,6 +64,7 @@ metadata:
 spec:
   topologySpreadConstraints:
     - maxSkew: <integer>
+      minDomains: <integer>
       topologyKey: <string>
       whenUnsatisfiable: <string>
       labelSelector: <object>
@@ -143,7 +144,7 @@ If we want an incoming Pod to be evenly spread with existing Pods across zones,
 
 `topologyKey: zone` implies the even distribution will only be applied to the nodes which have label pair "zone:&lt;any value&gt;" present. `whenUnsatisfiable: DoNotSchedule` tells the scheduler to let it stay pending if the incoming Pod can't satisfy the constraint.
 
-If the scheduler placed this incoming Pod into "zoneA", the Pods distribution would become [3, 1], hence the actual skew is 2 (3 - 1) - which violates `maxSkew: 1`. In this example, the incoming Pod can only be placed onto "zoneB":
+If the scheduler placed this incoming Pod into "zoneA", the Pods distribution would become [3, 1], hence the actual skew is 2 (3 - 1) - which violates `maxSkew: 1`. In this example, the incoming Pod can only be placed into "zoneB":
 
 {{<mermaid>}}
 graph BT
@@ -188,7 +189,7 @@ graph BT
 
 You can tweak the Pod spec to meet various kinds of requirements:
 
-- Change `maxSkew` to a bigger value like "2" so that the incoming Pod can be placed onto "zoneA" as well.
+- Change `maxSkew` to a bigger value like "2" so that the incoming Pod can be placed into "zoneA" as well.
 - Change `topologyKey` to "node" so as to distribute the Pods evenly across nodes instead of zones. In the above example, if `maxSkew` remains "1", the incoming Pod can only be placed onto "node4".
 - Change `whenUnsatisfiable: DoNotSchedule` to `whenUnsatisfiable: ScheduleAnyway` to ensure the incoming Pod to be always schedulable (suppose other scheduling APIs are satisfied). However, it's preferred to be placed onto the topology domain which has fewer matching Pods. (Be aware that this preferability is jointly normalized with other internal scheduling priorities like resource usage ratio, etc.)
 
@@ -219,7 +220,7 @@ You can use 2 TopologySpreadConstraints to control the Pods spreading on both zo
 
 {{< codenew file="pods/topology-spread-constraints/two-constraints.yaml" >}}
 
-In this case, to match the first constraint, the incoming Pod can only be placed onto "zoneB"; while in terms of the second constraint, the incoming Pod can only be placed onto "node4". Then the results of 2 constraints are ANDed, so the only viable option is to place on "node4".
+In this case, to match the first constraint, the incoming Pod can only be placed into "zoneB"; while in terms of the second constraint, the incoming Pod can only be placed onto "node4". Then the results of 2 constraints are ANDed, so the only viable option is to place on "node4".
 
 Multiple constraints can lead to conflicts. Suppose you have a 3-node cluster across 2 zones:
 
@@ -242,7 +243,7 @@ graph BT
     class zoneA,zoneB cluster;
 {{< /mermaid >}}
 
-If you apply "two-constraints.yaml" to this cluster, you will notice "mypod" stays in `Pending` state. This is because: to satisfy the first constraint, "mypod" can only be put to "zoneB"; while in terms of the second constraint, "mypod" can only put to "node2". Then a joint result of "zoneB" and "node2" returns nothing.
+If you apply "two-constraints.yaml" to this cluster, you will notice "mypod" stays in `Pending` state. This is because: to satisfy the first constraint, "mypod" can only placed into "zoneB"; while in terms of the second constraint, "mypod" can only be placed onto "node2". Then a joint result of "zoneB" and "node2" returns nothing.
 
 To overcome this situation, you can either increase the `maxSkew` or modify one of the constraints to use `whenUnsatisfiable: ScheduleAnyway`.
 
@@ -286,7 +287,7 @@ class n5 k8s;
 class zoneC cluster;
 {{< /mermaid >}}
 
-and you know that "zoneC" must be excluded. In this case, you can compose the yaml as below, so that "mypod" will be placed onto "zoneB" instead of "zoneC". Similarly `spec.nodeSelector` is also respected.
+and you know that "zoneC" must be excluded. In this case, you can compose the yaml as below, so that "mypod" will be placed into "zoneB" instead of "zoneC". Similarly `spec.nodeSelector` is also respected.
 
 {{< codenew file="pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml" >}}
 
@@ -301,9 +302,9 @@ There are some implicit conventions worth noting here:
 - The scheduler will bypass the nodes without `topologySpreadConstraints[*].topologyKey` present. This implies that:
 
   1. the Pods located on those nodes do not impact `maxSkew` calculation - in the above example, suppose "node1" does not have label "zone", then the 2 Pods will be disregarded, hence the incoming Pod will be scheduled into "zoneA".
-  2. the incoming Pod has no chances to be scheduled onto this kind of nodes - in the above example, suppose a "node5" carrying label `{zone-typo: zoneC}` joins the cluster, it will be bypassed due to the absence of label key "zone".
+  2. the incoming Pod has no chances to be scheduled onto such nodes - in the above example, suppose a "node5" carrying label `{zone-typo: zoneC}` joins the cluster, it will be bypassed due to the absence of label key "zone".
 
-- Be aware of what will happen if the incomingPod's `topologySpreadConstraints[*].labelSelector` doesn't match its own labels. In the above example, if we remove the incoming Pod's labels, it can still be placed onto "zoneB" since the constraints are still satisfied. However, after the placement, the degree of imbalance of the cluster remains unchanged - it's still zoneA having 2 Pods which hold label {foo:bar}, and zoneB having 1 Pod which holds label {foo:bar}. So if this is not what you expect, we recommend the workload's `topologySpreadConstraints[*].labelSelector` to match its own labels.
+- Be aware of what will happen if the incoming Pod's `topologySpreadConstraints[*].labelSelector` doesn't match its own labels. In the above example, if we remove the incoming Pod's labels, it can still be placed into "zoneB" since the constraints are still satisfied. However, after the placement, the degree of imbalance of the cluster remains unchanged - it's still zoneA having 2 Pods which hold label {foo:bar}, and zoneB having 1 Pod which holds label {foo:bar}. So if this is not what you expect, we recommend the workload's `topologySpreadConstraints[*].labelSelector` to match its own labels.
 
 ### Cluster-level default constraints
 
diff --git a/content/en/docs/contribute/_index.md b/content/en/docs/contribute/_index.md
index 61a4e0a118588..b4c7d838fa704 100644
--- a/content/en/docs/contribute/_index.md
+++ b/content/en/docs/contribute/_index.md
@@ -18,8 +18,15 @@ card:
 {{< note >}}
 To learn more about contributing to Kubernetes in general, see the
 [contributor documentation](https://www.kubernetes.dev/docs/).
+
+You can also read the
+{{< glossary_tooltip text="CNCF" term_id="cncf" >}}
+[page](https://contribute.cncf.io/contributors/projects/#kubernetes)
+about contributing to Kubernetes.
 {{< /note >}}
 
+---
+
 This website is maintained by [Kubernetes SIG Docs](/docs/contribute/#get-involved-with-sig-docs).
 
 Kubernetes documentation contributors:
@@ -138,7 +145,7 @@ class first,second white
 {{</ mermaid >}}
 Figure 2. Preparation for your first contribution.
 
-- Read the [Contribution overview](/docs/contribute/new-content/overview/) to
+- Read the [Contribution overview](/docs/contribute/new-content/) to
   learn about the different ways you can contribute.
 - Check [`kubernetes/website` issues list](https://github.com/kubernetes/website/issues/)
   for issues that make good entry points.
diff --git a/content/en/docs/contribute/advanced.md b/content/en/docs/contribute/advanced.md
index 9c37906f3d4e4..b825ad5e2c469 100644
--- a/content/en/docs/contribute/advanced.md
+++ b/content/en/docs/contribute/advanced.md
@@ -8,7 +8,7 @@ weight: 98
 <!-- overview -->
 
 This page assumes that you understand how to
-[contribute to new content](/docs/contribute/new-content/overview) and
+[contribute to new content](/docs/contribute/new-content/) and
 [review others' work](/docs/contribute/review/reviewing-prs/), and are ready
 to learn about more ways to contribute. You need to use the Git command line
 client and other tools for some of these tasks.
@@ -136,7 +136,7 @@ The role of co-chair is one of service: co-chairs build contributor capacity, ha
 Responsibilities include:
 
 - Keep SIG Docs focused on maximizing developer happiness through excellent documentation
-- Exemplify the [community code of conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and hold SIG members accountable to it
+- Exemplify the [community code of conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md) and hold SIG members accountable to it
 - Learn and set best practices for the SIG by updating contribution guidelines
 - Schedule and run SIG meetings: weekly status updates, quarterly retro/planning sessions, and others as needed
 - Schedule and run doc sprints at KubeCon events and other conferences
@@ -147,7 +147,7 @@ Responsibilities include:
 
 To schedule and run effective meetings, these guidelines show what to do, how to do it, and why.
 
-**Uphold the [community code of conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)**:
+**Uphold the [community code of conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)**:
 
 - Hold respectful, inclusive discussions with respectful, inclusive language.
 
diff --git a/content/en/docs/contribute/localization.md b/content/en/docs/contribute/localization.md
index 7630bdc7d9ebd..86ef49b2b914f 100644
--- a/content/en/docs/contribute/localization.md
+++ b/content/en/docs/contribute/localization.md
@@ -13,14 +13,19 @@ card:
 
 <!-- overview -->
 
-This page shows you how to [localize](https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/) the docs for a different language.
+This page shows you how to
+[localize](https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/) the docs for a
+different language.
 
 
 <!-- body -->
 
 ## Contribute to an existing localization
 
-You can help add or improve content to an existing localization. In [Kubernetes Slack](https://slack.k8s.io/) you'll find a channel for each localization. There is also a general [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations) where you can say hello.
+You can help add or improve content to an existing localization. In [Kubernetes
+Slack](https://slack.k8s.io/) you'll find a channel for each localization. There is also a general
+[SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations)
+where you can say hello.
 
 {{< note >}}
 If you want to work on a localization that already exists, check
@@ -30,11 +35,14 @@ English original. You might see extra details there.
 
 ### Find your two-letter language code
 
-First, consult the [ISO 639-1 standard](https://www.loc.gov/standards/iso639-2/php/code_list.php) to find your localization's two-letter language code. For example, the two-letter code for Korean is `ko`.
+First, consult the [ISO 639-1 standard](https://www.loc.gov/standards/iso639-2/php/code_list.php)
+to find your localization's two-letter language code. For example, the two-letter code for Korean
+is `ko`.
 
 ### Fork and clone the repo
 
-First, [create your own fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the [kubernetes/website](https://github.com/kubernetes/website) repository.
+First, [create your own fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the
+[kubernetes/website](https://github.com/kubernetes/website) repository.
 
 Then, clone your fork and `cd` into it:
 
@@ -43,7 +51,8 @@ git clone https://github.com/<username>/website
 cd website
 ```
 
-The website content directory includes sub-directories for each language. The localization you want to help out with is inside `content/<two-letter-code>`.
+The website content directory includes sub-directories for each language. The localization you
+want to help out with is inside `content/<two-letter-code>`.
 
 ### Suggest changes
 
@@ -57,8 +66,9 @@ equivalent fix by updating the localization you're working on.
 Please limit pull requests to a single localization, since pull requests that change
 content in multiple localizations could be difficult to review.
 
-Follow [Suggesting Content Improvements](/docs/contribute/suggest-improvements/) to propose changes to
-that localization. The process is very similar to proposing changes to the upstream (English) content.
+Follow [Suggesting Content Improvements](/docs/contribute/suggesting-improvements/)
+to propose changes to that localization. The process is very similar to proposing changes to the
+upstream (English) content.
 
 ## Start a new localization
 
@@ -86,60 +96,92 @@ can incrementally work towards that goal.
 
 ### Find community
 
-Let Kubernetes SIG Docs know you're interested in creating a localization! Join the [SIG Docs Slack channel](https://kubernetes.slack.com/messages/sig-docs) and the [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations). Other localization teams are happy to help you get started and answer any questions you have.
+Let Kubernetes SIG Docs know you're interested in creating a localization! Join the
+[SIG Docs Slack channel](https://kubernetes.slack.com/messages/sig-docs) and the
+[SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations).
+Other localization teams are happy to help you get started and answer any questions you have.
 
-Please also consider participating in the [SIG Docs Localization Subgroup meeting](https://github.com/kubernetes/community/tree/master/sig-docs).  The mission of the SIG Docs localization subgroup is to work across the SIG Docs localization teams to collaborate on defining and documenting the processes for creating localized contribution guides. In addition, the SIG Docs localization subgroup will look for opportunities for the creation and sharing of common tools across localization teams and also serve to identify new requirements to the SIG Docs Leadership team.  If you have questions about this meeting, please inquire on the [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations).
+Please also consider participating in the
+[SIG Docs Localization Subgroup meeting](https://github.com/kubernetes/community/tree/master/sig-docs).
+The mission of the SIG Docs localization subgroup is to work across the SIG Docs localization
+teams to collaborate on defining and documenting the processes for creating localized contribution
+guides. In addition, the SIG Docs localization subgroup will look for opportunities for the
+creation and sharing of common tools across localization teams and also serve to identify new
+requirements to the SIG Docs Leadership team.  If you have questions about this meeting, please
+inquire on the [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations).
 
-You can also create a Slack channel for your localization in the `kubernetes/community` repository. For an example of adding a Slack channel, see the PR for [adding a channel for Persian](https://github.com/kubernetes/community/pull/4980).
+You can also create a Slack channel for your localization in the `kubernetes/community`
+repository. For an example of adding a Slack channel, see the PR for
+[adding a channel for Persian](https://github.com/kubernetes/community/pull/4980).
 
 ### Join the Kubernetes GitHub organization
 
-Once you've opened a localization PR, you can become members of the Kubernetes GitHub organization. Each person on the team needs to create their own [Organization Membership Request](https://github.com/kubernetes/org/issues/new/choose) in the `kubernetes/org` repository.
+Once you've opened a localization PR, you can become members of the Kubernetes GitHub
+organization. Each person on the team needs to create their own
+[Organization Membership Request](https://github.com/kubernetes/org/issues/new/choose)
+in the `kubernetes/org` repository.
 
 ### Add your localization team in GitHub
 
-Next, add your Kubernetes localization team to [`sig-docs/teams.yaml`](https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-docs/teams.yaml). For an example of adding a localization team, see the PR to add the [Spanish localization team](https://github.com/kubernetes/org/pull/685).
-
-Members of `@kubernetes/sig-docs-**-owners` can approve PRs that change content within (and only within) your localization directory: `/content/**/`.
-
-For each localization, The `@kubernetes/sig-docs-**-reviews` team automates review assignment for new PRs.
+Next, add your Kubernetes localization team to
+[`sig-docs/teams.yaml`](https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-docs/teams.yaml).
+For an example of adding a localization team, see the PR to add the
+[Spanish localization team](https://github.com/kubernetes/org/pull/685).
 
+Members of `@kubernetes/sig-docs-**-owners` can approve PRs that change content within (and only
+within) your localization directory: `/content/**/`.
+For each localization, The `@kubernetes/sig-docs-**-reviews` team automates review assignment for
+new PRs.
 Members of `@kubernetes/website-maintainers` can create new localization branches to coordinate translation efforts.
-
-Members of `@kubernetes/website-milestone-maintainers` can use the `/milestone` [Prow command](https://prow.k8s.io/command-help) to assign a milestone to issues or PRs.
+Members of `@kubernetes/website-milestone-maintainers` can use the `/milestone`
+[Prow command](https://prow.k8s.io/command-help) to assign a milestone to issues or PRs.
 
 ### Configure the workflow
 
-Next, add a GitHub label for your localization in the `kubernetes/test-infra` repository. A label lets you filter issues and pull requests for your specific language.
-
-For an example of adding a label, see the PR for adding the [Italian language label](https://github.com/kubernetes/test-infra/pull/11316).
+Next, add a GitHub label for your localization in the `kubernetes/test-infra` repository. A label
+lets you filter issues and pull requests for your specific language.
 
+For an example of adding a label, see the PR for adding the
+[Italian language label](https://github.com/kubernetes/test-infra/pull/11316).
 
 ### Modify the site configuration
 
-The Kubernetes website uses Hugo as its web framework. The website's Hugo configuration resides in the  [`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml) file. To support a new localization, you'll need to modify `config.toml`.
+The Kubernetes website uses Hugo as its web framework. The website's Hugo configuration resides in
+the  [`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml) file.
+To support a new localization, you'll need to modify `config.toml`.
 
-Add a configuration block for the new language to `config.toml`, under the existing `[languages]` block. The German block, for example, looks like:
+Add a configuration block for the new language to `config.toml`, under the existing `[languages]` block.
+The German block, for example, looks like:
 
 ```toml
 [languages.de]
 title = "Kubernetes"
 description = "Produktionsreife Container-Verwaltung"
 languageName = "Deutsch (German)"
-languageNameLatinScript = "German"
+languageNameLatinScript = "Deutsch"
 contentDir = "content/de"
 weight = 8
 ```
 
-The value for `languageName` will be listed in language selection bar. Assign "language name in native script (language name in latin script)" to `languageName`, for example, `languageName = "한국어 (Korean)"`. `languageNameLatinScript` can be used to access the language name in latin script and use it in the theme. Assign "language name in latin script" to `languageNameLatinScript`, for example, `languageNameLatinScript ="Korean"`. 
+The value for `languageName` will be listed in language selection bar. Assign "language name in
+native script and language (English language name in latin script)" to `languageName`.
+For example, `languageName = "한국어 (Korean)"` or `languageName = "Deutsch (German)"`.
+
+`languageNameLatinScript` can be used to access the language name in latin script and use it in
+the theme. Assign "language name in latin script" to `languageNameLatinScript`. For example,
+`languageNameLatinScript ="Korean"` or `languageNameLatinScript = "Deutsch"`. 
 
-When assigning a `weight` parameter for your block, find the language block with the highest weight and add 1 to that value.
+When assigning a `weight` parameter for your block, find the language block with the highest
+weight and add 1 to that value.
 
-For more information about Hugo's multilingual support, see "[Multilingual Mode](https://gohugo.io/content-management/multilingual/)".
+For more information about Hugo's multilingual support, see
+"[Multilingual Mode](https://gohugo.io/content-management/multilingual/)".
 
 ### Add a new localization directory
 
-Add a language-specific subdirectory to the [`content`](https://github.com/kubernetes/website/tree/main/content) folder in the repository. For example, the two-letter code for German is `de`:
+Add a language-specific subdirectory to the
+[`content`](https://github.com/kubernetes/website/tree/main/content) folder in the repository.
+For example, the two-letter code for German is `de`:
 
 ```shell
 mkdir content/de
@@ -149,28 +191,34 @@ You also need to create a directory inside `data/i18n` for
 [localized strings](#site-strings-in-i18n); look at existing localizations
 for an example. To use these new strings, you must also create a symbolic link
 from `i18n/<localization>.toml` to the actual string configuration in
-`data/i18n/<localization>/<localization>.toml` (remember to commit the symbolic
-link).
+`data/i18n/<localization>/<localization>.toml` (remember to commit the symbolic link).
 
 For example, for German the strings live in `data/i18n/de/de.toml`, and
 `i18n/de.toml` is a symbolic link to `data/i18n/de/de.toml`.
 
 ### Localize the community code of conduct
 
-Open a PR against the [`cncf/foundation`](https://github.com/cncf/foundation/tree/master/code-of-conduct-languages) repository to add the code of conduct in your language.
-
+Open a PR against the [`cncf/foundation`](https://github.com/cncf/foundation/tree/main/code-of-conduct-languages)
+repository to add the code of conduct in your language.
 
 ### Setting up the OWNERS files
 
-To set the roles of each user contributing to the localization, create an `OWNERS` file inside the language-specific subdirectory with:
+To set the roles of each user contributing to the localization, create an `OWNERS` file inside the
+language-specific subdirectory with:
 
-- **reviewers**: A list of kubernetes teams with reviewer roles, in this case, the `sig-docs-**-reviews` team created in [Add your localization team in GitHub](#add-your-localization-team-in-github).
-- **approvers**: A list of kubernetes teams with approvers roles, in this case, the `sig-docs-**-owners` team created in [Add your localization team in GitHub](#add-your-localization-team-in-github).
-- **labels**: A list of GitHub labels to automatically apply to a PR, in this case, the language label created in [Configure the workflow](#configure-the-workflow).
+- **reviewers**: A list of kubernetes teams with reviewer roles, in this case, the
+  `sig-docs-**-reviews` team created in
+  [Add your localization team in GitHub](#add-your-localization-team-in-github).
+- **approvers**: A list of kubernetes teams with approvers roles, in this case, the
+  `sig-docs-**-owners` team created in
+  [Add your localization team in GitHub](#add-your-localization-team-in-github).
+- **labels**: A list of GitHub labels to automatically apply to a PR, in this case, the language
+  label created in [Configure the workflow](#configure-the-workflow).
 
 More information about the `OWNERS` file can be found at [go.k8s.io/owners](https://go.k8s.io/owners).
 
-The [Spanish OWNERS file](https://git.k8s.io/website/content/es/OWNERS), with language code `es`, looks like:
+The [Spanish OWNERS file](https://git.k8s.io/website/content/es/OWNERS),
+with language code `es`, looks like:
 
 ```yaml
 # See the OWNERS docs at https://go.k8s.io/owners
@@ -188,9 +236,13 @@ labels:
 - language/es
 ```
 
-After adding the language-specific `OWNERS` file, update the [root `OWNERS_ALIASES`](https://git.k8s.io/website/OWNERS_ALIASES) file with the new Kubernetes teams for the localization, `sig-docs-**-owners` and `sig-docs-**-reviews`.
+After adding the language-specific `OWNERS` file, update the [root
+`OWNERS_ALIASES`](https://git.k8s.io/website/OWNERS_ALIASES) file with the new Kubernetes teams
+for the localization, `sig-docs-**-owners` and `sig-docs-**-reviews`.
 
-For each team, add the list of GitHub users requested in [Add your localization team in GitHub](#add-your-localization-team-in-github), in alphabetical order.
+For each team, add the list of GitHub users requested in
+[Add your localization team in GitHub](#add-your-localization-team-in-github),
+in alphabetical order.
 
 ```diff
 --- a/OWNERS_ALIASES
@@ -214,33 +266,45 @@ For each team, add the list of GitHub users requested in [Add your localization
 
 ### Open a pull request
 
-Next, [open a pull request](/docs/contribute/new-content/open-a-pr/#open-a-pr) (PR) to add a localization to the `kubernetes/website` repository.
+Next, [open a pull request](/docs/contribute/new-content/open-a-pr/#open-a-pr) (PR) to add a
+localization to the `kubernetes/website` repository.
+The PR must include all of the [minimum required content](#minimum-required-content) before it can
+be approved.
 
-The PR must include all of the [minimum required content](#minimum-required-content) before it can be approved.
-
-For an example of adding a new localization, see the PR to enable [docs in French](https://github.com/kubernetes/website/pull/12548).
+For an example of adding a new localization, see the PR to enable
+[docs in French](https://github.com/kubernetes/website/pull/12548).
 
 ### Add a localized README file
 
-To guide other localization contributors, add a new [`README-**.md`](https://help.github.com/articles/about-readmes/) to the top level of [k/website](https://github.com/kubernetes/website/), where `**` is the two-letter language code. For example, a German README file would be `README-de.md`.
+To guide other localization contributors, add a new
+[`README-**.md`](https://help.github.com/articles/about-readmes/) to the top level of
+[k/website](https://github.com/kubernetes/website/), where `**` is the two-letter language code.
+For example, a German README file would be `README-de.md`.
 
-Provide guidance to localization contributors in the localized `README-**.md` file. Include the same information contained in `README.md` as well as:
+Provide guidance to localization contributors in the localized `README-**.md` file.
+Include the same information contained in `README.md` as well as:
 
 - A point of contact for the localization project
 - Any information specific to the localization
 
-After you create the localized README, add a link to the file from the main English `README.md`, and include contact information in English. You can provide a GitHub ID, email address, [Slack channel](https://slack.com/), or other method of contact. You must also provide a link to your localized Community Code of Conduct.
+After you create the localized README, add a link to the file from the main English `README.md`,
+and include contact information in English. You can provide a GitHub ID, email address,
+[Slack channel](https://slack.com/), or other method of contact. You must also provide a link to your
+localized Community Code of Conduct.
 
 ### Launching your new localization
 
 Once a localization meets requirements for workflow and minimum output, SIG Docs will:
 
 - Enable language selection on the website
-- Publicize the localization's availability through [Cloud Native Computing Foundation](https://www.cncf.io/about/) (CNCF) channels, including the [Kubernetes blog](https://kubernetes.io/blog/).
+- Publicize the localization's availability through
+  [Cloud Native Computing Foundation](https://www.cncf.io/about/)(CNCF) channels, including the
+  [Kubernetes blog](https://kubernetes.io/blog/).
 
 ## Translating content
 
-Localizing *all* of the Kubernetes documentation is an enormous task. It's okay to start small and expand over time.
+Localizing *all* of the Kubernetes documentation is an enormous task. It's okay to start small and
+expand over time.
 
 ### Minimum required content
 
@@ -251,23 +315,29 @@ Description | URLs
 Home | [All heading and subheading URLs](/docs/home/)
 Setup | [All heading and subheading URLs](/docs/setup/)
 Tutorials | [Kubernetes Basics](/docs/tutorials/kubernetes-basics/), [Hello Minikube](/docs/tutorials/hello-minikube/)
-Site strings | [All site strings](#Site-strings-in-i18n) in a new localized TOML file
+Site strings | [All site strings](#site-strings-in-i18n) in a new localized TOML file
 Releases | [All heading and subheading URLs](/releases)
 
-Translated documents must reside in their own `content/**/` subdirectory, but otherwise follow the same URL path as the English source. For example, to prepare the [Kubernetes Basics](/docs/tutorials/kubernetes-basics/) tutorial for translation into German, create a subfolder under the `content/de/` folder and copy the English source:
+Translated documents must reside in their own `content/**/` subdirectory, but otherwise follow the
+same URL path as the English source. For example, to prepare the
+[Kubernetes Basics](/docs/tutorials/kubernetes-basics/) tutorial for translation into German,
+create a subfolder under the `content/de/` folder and copy the English source:
 
 ```shell
 mkdir -p content/de/docs/tutorials
 cp content/en/docs/tutorials/kubernetes-basics.md content/de/docs/tutorials/kubernetes-basics.md
 ```
 
-Translation tools can speed up the translation process. For example, some editors offers plugins to quickly translate text.
+Translation tools can speed up the translation process. For example, some editors offers plugins
+to quickly translate text.
 
 {{< caution >}}
-Machine-generated translation is insufficient on its own. Localization requires extensive human review to meet minimum standards of quality.
+Machine-generated translation is insufficient on its own. Localization requires extensive human
+review to meet minimum standards of quality.
 {{< /caution >}}
 
-To ensure accuracy in grammar and meaning, members of your localization team should carefully review all machine-generated translations before publishing.
+To ensure accuracy in grammar and meaning, members of your localization team should carefully
+review all machine-generated translations before publishing.
 
 ### Source files
 
@@ -278,17 +348,21 @@ To find source files for your target version:
 
 1. Navigate to the Kubernetes website repository at https://github.com/kubernetes/website.
 2. Select a branch for your target version from the following table:
-    Target version | Branch
-    -----|-----
-    Latest version | [`main`](https://github.com/kubernetes/website/tree/main)
-    Previous version | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
-    Next version | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
 
-The `main` branch holds content for the current release `{{< latest-version >}}`. The release team will create a `{{< release-branch >}}` branch before the next release: v{{< skew nextMinorVersion >}}.
+   Target version | Branch
+   -----|-----
+   Latest version | [`main`](https://github.com/kubernetes/website/tree/main)
+   Previous version | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
+   Next version | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
+
+The `main` branch holds content for the current release `{{< latest-version >}}`. The release team
+will create a `{{< release-branch >}}` branch before the next release: v{{< skew nextMinorVersion >}}.
 
 ### Site strings in i18n
 
-Localizations must include the contents of [`data/i18n/en/en.toml`](https://github.com/kubernetes/website/blob/main/data/i18n/en/en.toml) in a new language-specific file. Using German as an example: `data/i18n/de/de.toml`.
+Localizations must include the contents of
+[`data/i18n/en/en.toml`](https://github.com/kubernetes/website/blob/main/data/i18n/en/en.toml)
+in a new language-specific file. Using German as an example: `data/i18n/de/de.toml`.
 
 Add a new localization directory and file to `data/i18n/`. For example, with German (`de`):
 
@@ -306,17 +380,22 @@ placeholder text for the search form:
 other = "Suchen"
 ```
 
-Localizing site strings lets you customize site-wide text and features: for example, the legal copyright text in the footer on each page.
+Localizing site strings lets you customize site-wide text and features: for example, the legal
+copyright text in the footer on each page.
 
 ### Language specific style guide and glossary
 
-Some language teams have their own language-specific style guide and glossary. For example, see the [Korean Localization Guide](/ko/docs/contribute/localization_ko/).
+Some language teams have their own language-specific style guide and glossary.
+For example, see the [Korean Localization Guide](/ko/docs/contribute/localization_ko/).
 
 ### Language specific Zoom meetings
 
-If the localization project needs a separate meeting time, contact a SIG Docs Co-Chair or Tech Lead to create a new reoccurring Zoom meeting and calendar invite. This is only needed when the the team is large enough to sustain and require a separate meeting.
+If the localization project needs a separate meeting time, contact a SIG Docs Co-Chair or Tech
+Lead to create a new reoccurring Zoom meeting and calendar invite. This is only needed when the
+the team is large enough to sustain and require a separate meeting.
 
-Per CNCF policy, the localization teams must upload their meetings to the SIG Docs YouTube playlist. A SIG Docs Co-Chair or Tech Lead can help with the process until SIG Docs automates it.
+Per CNCF policy, the localization teams must upload their meetings to the SIG Docs YouTube
+playlist. A SIG Docs Co-Chair or Tech Lead can help with the process until SIG Docs automates it.
 
 ## Branching strategy
 
@@ -326,43 +405,66 @@ when starting out and the localization is not yet live.
 
 To collaborate on a localization branch:
 
-1. A team member of [@kubernetes/website-maintainers](https://github.com/orgs/kubernetes/teams/website-maintainers) opens a localization branch from a source branch on https://github.com/kubernetes/website.
+1. A team member of
+   [@kubernetes/website-maintainers](https://github.com/orgs/kubernetes/teams/website-maintainers)
+   opens a localization branch from a source branch on https://github.com/kubernetes/website.
 
-    Your team approvers joined the `@kubernetes/website-maintainers` team when you [added your localization team](#add-your-localization-team-in-github) to the [`kubernetes/org`](https://github.com/kubernetes/org) repository.
+   Your team approvers joined the `@kubernetes/website-maintainers` team when you
+   [added your localization team](#add-your-localization-team-in-github) to the
+   [`kubernetes/org`](https://github.com/kubernetes/org) repository.
 
-    We recommend the following branch naming scheme:
+   We recommend the following branch naming scheme:
 
-    `dev-<source version>-<language code>.<team milestone>`
+   `dev-<source version>-<language code>.<team milestone>`
 
-    For example, an approver on a German localization team opens the localization branch `dev-1.12-de.1` directly against the k/website repository, based on the source branch for Kubernetes v1.12.
+   For example, an approver on a German localization team opens the localization branch
+   `dev-1.12-de.1` directly against the k/website repository, based on the source branch for
+   Kubernetes v1.12.
 
 2. Individual contributors open feature branches based on the localization branch.
 
-    For example, a German contributor opens a pull request with changes to `kubernetes:dev-1.12-de.1` from `username:local-branch-name`.
+   For example, a German contributor opens a pull request with changes to
+   `kubernetes:dev-1.12-de.1` from `username:local-branch-name`.
 
 3. Approvers review and merge feature branches into the localization branch.
 
-4. Periodically, an approver merges the localization branch to its source branch by opening and approving a new pull request. Be sure to squash the commits before approving the pull request.
+4. Periodically, an approver merges the localization branch to its source branch by opening and
+   approving a new pull request. Be sure to squash the commits before approving the pull request.
 
-Repeat steps 1-4 as needed until the localization is complete. For example, subsequent German localization branches would be: `dev-1.12-de.2`, `dev-1.12-de.3`, etc.
+Repeat steps 1-4 as needed until the localization is complete. For example, subsequent German
+localization branches would be: `dev-1.12-de.2`, `dev-1.12-de.3`, etc.
 
 Teams must merge localized content into the same branch from which the content was sourced.
-
 For example:
+
 - a localization branch sourced from `main` must be merged into `main`.
-- a localization branch sourced from `release-{{% skew "prevMinorVersion" %}}` must be merged into `release-{{% skew "prevMinorVersion" %}}`.
+- a localization branch sourced from `release-{{% skew "prevMinorVersion" %}}` must be merged into
+  `release-{{% skew "prevMinorVersion" %}}`.
 
 {{< note >}}
-If your localization branch was created from `main` branch but it is not merged into `main` before new release branch `{{< release-branch >}}` created, merge it into both `main` and new release branch `{{< release-branch >}}`. To merge your localization branch into new release branch `{{< release-branch >}}`, you need to switch upstream branch of your localization branch to `{{< release-branch >}}`.
+If your localization branch was created from `main` branch but it is not merged into `main` before
+new release branch `{{< release-branch >}}` created, merge it into both `main` and new release
+branch `{{< release-branch >}}`. To merge your localization branch into new release branch
+`{{< release-branch >}}`, you need to switch upstream branch of your localization branch to
+`{{< release-branch >}}`.
 {{< /note >}}
 
-At the beginning of every team milestone, it's helpful to open an issue comparing upstream changes between the previous localization branch and the current localization branch. There are two scripts for comparing upstream changes. [`upstream_changes.py`](https://github.com/kubernetes/website/tree/main/scripts#upstream_changespy) is useful for checking the changes made to a specific file. And [`diff_l10n_branches.py`](https://github.com/kubernetes/website/tree/main/scripts#diff_l10n_branchespy) is useful for creating a list of outdated files for a specific localization branch.
+At the beginning of every team milestone, it's helpful to open an issue comparing upstream changes
+between the previous localization branch and the current localization branch.
+There are two scripts for comparing upstream changes.
+
+- [`upstream_changes.py`](https://github.com/kubernetes/website/tree/main/scripts#upstream_changespy)
+  is useful for checking the changes made to a specific file. And
+- [`diff_l10n_branches.py`](https://github.com/kubernetes/website/tree/main/scripts#diff_l10n_branchespy)
+  is useful for creating a list of outdated files for a specific localization branch.
 
-While only approvers can open a new localization branch and merge pull requests, anyone can open a pull request for a new localization branch. No special permissions are required.
+While only approvers can open a new localization branch and merge pull requests, anyone can open a
+pull request for a new localization branch. No special permissions are required.
 
-For more information about working from forks or directly from the repository, see ["fork and clone the repo"](#fork-and-clone-the-repo).
+For more information about working from forks or directly from the repository, see
+["fork and clone the repo"](#fork-and-clone-the-repo).
 
 ## Upstream contributions
 
 SIG Docs welcomes upstream contributions and corrections to the English source.
-                                                                                                                                      
+
diff --git a/content/en/docs/contribute/new-content/blogs-case-studies.md b/content/en/docs/contribute/new-content/blogs-case-studies.md
index 83b950105c8ad..3034f66ce8722 100644
--- a/content/en/docs/contribute/new-content/blogs-case-studies.md
+++ b/content/en/docs/contribute/new-content/blogs-case-studies.md
@@ -16,16 +16,17 @@ Case studies require extensive review before they're approved.
 
 ## The Kubernetes Blog
 
-The Kubernetes blog is used by the project to communicate new features, community reports, and any news that might be relevant to the Kubernetes community. 
-This includes end users and developers. 
-Most of the blog's content is about things happening in the core project, but we encourage you to submit about things happening elsewhere in the ecosystem too!
+The Kubernetes blog is used by the project to communicate new features, community reports, and any
+news that might be relevant to the Kubernetes community. This includes end users and developers. 
+Most of the blog's content is about things happening in the core project, but we encourage you to
+submit about things happening elsewhere in the ecosystem too!
 
 Anyone can write a blog post and submit it for review.
 
 ### Submit a Post
 
-Blog posts should not be commercial in nature and should consist of original content that applies broadly to the Kubernetes community.
-Appropriate blog content includes:
+Blog posts should not be commercial in nature and should consist of original content that applies
+broadly to the Kubernetes community. Appropriate blog content includes:
 
 - New Kubernetes capabilities
 - Kubernetes projects updates
@@ -43,75 +44,138 @@ Unsuitable content includes:
 
 To submit a blog post, follow these steps:
 
-1. [Sign the CLA](https://kubernetes.io/docs/contribute/start/#sign-the-cla) if you have not yet done so.
-1. Have a look at the Markdown format for existing blog posts in the [website repository](https://github.com/kubernetes/website/tree/master/content/en/blog/_posts).
+1. [Sign the CLA](https://github.com/kubernetes/community/blob/master/CLA.md)
+   if you have not yet done so.
+
+1. Have a look at the Markdown format for existing blog posts in the
+   [website repository](https://github.com/kubernetes/website/tree/master/content/en/blog/_posts).
+
 1. Write out your blog post in a text editor of your choice.
-1. On the same link from step 2, click the Create new file button. Paste your content into the editor. Name the file to match the proposed title of the blog post, but don’t put the date in the file name. The blog reviewers will work with you on the final file name and the date the blog will be published.
+
+1. On the same link from step 2, click the Create new file button. Paste your content into the editor.
+   Name the file to match the proposed title of the blog post, but don’t put the date in the file name.
+   The blog reviewers will work with you on the final file name and the date the blog will be published.
+
 1. When you save the file, GitHub will walk you through the pull request process.
-1. A blog post reviewer will review your submission and work with you on feedback and final details. When the blog post is approved, the blog will be scheduled for publication.
+
+1. A blog post reviewer will review your submission and work with you on feedback and final details.
+   When the blog post is approved, the blog will be scheduled for publication.
 
 ### Guidelines and expectations
 
 - Blog posts should not be vendor pitches. 
-  - Articles must contain content that applies broadly to the Kubernetes community. For example, a submission should focus on upstream Kubernetes as opposed to vendor-specific configurations. Check the [Documentation style guide](/docs/contribute/style/content-guide/#what-s-allowed) for what is typically allowed on Kubernetes properties. 
-  - Links should primarily be to the official Kubernetes documentation. When using external references, links should be diverse - For example a submission shouldn't contain only links back to a single company's blog.
-  - Sometimes this is a delicate balance. The [blog team](https://kubernetes.slack.com/messages/sig-docs-blog/) is there to give guidance on whether a post is appropriate for the Kubernetes blog, so don't hesitate to reach out. 
+
+  - Articles must contain content that applies broadly to the Kubernetes community. For example, a
+    submission should focus on upstream Kubernetes as opposed to vendor-specific configurations.
+    Check the [Documentation style guide](/docs/contribute/style/content-guide/#what-s-allowed) for
+    what is typically allowed on Kubernetes properties. 
+  - Links should primarily be to the official Kubernetes documentation. When using external
+    references, links should be diverse - For example a submission shouldn't contain only links
+    back to a single company's blog.
+  - Sometimes this is a delicate balance. The [blog team](https://kubernetes.slack.com/messages/sig-docs-blog/)
+    is there to give guidance on whether a post is appropriate for the Kubernetes blog, so don't
+    hesitate to reach out. 
+
 - Blog posts are not published on specific dates.
-    - Articles are reviewed by community volunteers. We'll try our best to accommodate specific timing, but we make no guarantees.
-  - Many core parts of the Kubernetes projects submit blog posts during release windows, delaying publication times. Consider submitting during a quieter period of the release cycle.
-  - If you are looking for greater coordination on post release dates, coordinating with [CNCF marketing](https://www.cncf.io/about/contact/) is a more appropriate choice than submitting a blog post.
-  - Sometimes reviews can get backed up. If you feel your review isn't getting the attention it needs, you can reach out to the blog team via [this slack channel](https://kubernetes.slack.com/messages/sig-docs-blog/) to ask in real time. 
+
+    - Articles are reviewed by community volunteers. We'll try our best to accommodate specific
+      timing, but we make no guarantees.
+  - Many core parts of the Kubernetes projects submit blog posts during release windows, delaying
+    publication times. Consider submitting during a quieter period of the release cycle.
+  - If you are looking for greater coordination on post release dates, coordinating with
+    [CNCF marketing](https://www.cncf.io/about/contact/) is a more appropriate choice than submitting a blog post.
+  - Sometimes reviews can get backed up. If you feel your review isn't getting the attention it needs,
+    you can reach out to the blog team via [this slack channel](https://kubernetes.slack.com/messages/sig-docs-blog/)
+    to ask in real time. 
+
 - Blog posts should be relevant to Kubernetes users.
-  - Topics related to participation in or results of Kubernetes SIGs activities are always on topic (see the work in the [Upstream Marketing Team](https://github.com/kubernetes/community/blob/master/communication/marketing-team/blog-guidelines.md#upstream-marketing-blog-guidelines) for support on these posts). 
-  - The components of Kubernetes are purposely modular, so tools that use existing integration points like CNI and CSI are on topic. 
-  - Posts about other CNCF projects may or may not be on topic. We recommend asking the blog team before submitting a draft.
-    - Many CNCF projects have their own blog. These are often a better choice for posts. There are times of major feature or milestone for a CNCF project that users would be interested in reading on the Kubernetes blog.
-  - Blog posts about contributing to the Kubernetes project should be in the [Kubernetes Contributors site](https://kubernetes.dev)
+
+  - Topics related to participation in or results of Kubernetes SIGs activities are always on
+    topic (see the work in the [Upstream Marketing Team](https://github.com/kubernetes/community/blob/master/communication/marketing-team/blog-guidelines.md#upstream-marketing-blog-guidelines)
+    for support on these posts). 
+  - The components of Kubernetes are purposely modular, so tools that use existing integration
+    points like CNI and CSI are on topic. 
+  - Posts about other CNCF projects may or may not be on topic. We recommend asking the blog team
+    before submitting a draft.
+    - Many CNCF projects have their own blog. These are often a better choice for posts. There are
+      times of major feature or milestone for a CNCF project that users would be interested in
+      reading on the Kubernetes blog.
+  - Blog posts about contributing to the Kubernetes project should be in the
+    [Kubernetes Contributors site](https://kubernetes.dev)
+
 - Blog posts should be original content
+
   - The official blog is not for repurposing existing content from a third party as new content.
-  - The [license](https://github.com/kubernetes/website/blob/main/LICENSE) for the blog allows commercial use of the content for commercial purposes, but not the other way around.
+  - The [license](https://github.com/kubernetes/website/blob/main/LICENSE) for the blog allows
+    commercial use of the content for commercial purposes, but not the other way around.
+
 - Blog posts should aim to be future proof
-  - Given the development velocity of the project, we want evergreen content that won't require updates to stay accurate for the reader. 
-  - It can be a better choice to add a tutorial or update official documentation than to write a high level overview as a blog post.
-    - Consider concentrating the long technical content as a call to action of the blog post, and focus on the problem space or why readers should care.
+
+  - Given the development velocity of the project, we want evergreen content that won't require
+    updates to stay accurate for the reader. 
+  - It can be a better choice to add a tutorial or update official documentation than to write a
+    high level overview as a blog post.
+    - Consider concentrating the long technical content as a call to action of the blog post, and
+      focus on the problem space or why readers should care.
 
 ### Technical Considerations for submitting a blog post
 
-Submissions need to be in Markdown format to be used by the [Hugo](https://gohugo.io/) generator for the blog. There are [many resources available](https://gohugo.io/documentation/) on how to use this technology stack.
+Submissions need to be in Markdown format to be used by the [Hugo](https://gohugo.io/) generator
+for the blog. There are [many resources available](https://gohugo.io/documentation/) on how to use
+this technology stack.
 
-We recognize that this requirement makes the process more difficult for less-familiar folks to submit, and we're constantly looking at solutions to lower this bar. If you have ideas on how to lower the barrier, please volunteer to help out. 
+We recognize that this requirement makes the process more difficult for less-familiar folks to
+submit, and we're constantly looking at solutions to lower this bar. If you have ideas on how to
+lower the barrier, please volunteer to help out. 
 
-The SIG Docs [blog subproject](https://github.com/kubernetes/community/tree/master/sig-docs/blog-subproject) manages the review process for blog posts. For more information, see [Submit a post](https://github.com/kubernetes/community/tree/master/sig-docs/blog-subproject#submit-a-post).
+The SIG Docs [blog subproject](https://github.com/kubernetes/community/tree/master/sig-docs/blog-subproject)
+manages the review process for blog posts. For more information, see
+[Submit a post](https://github.com/kubernetes/community/tree/master/sig-docs/blog-subproject#submit-a-post).
 
 To submit a blog post follow these directions:
 
-- [Open a pull request](/docs/contribute/new-content/open-a-pr/#fork-the-repo) with a new blog post. New blog posts go under the [`content/en/blog/_posts`](https://github.com/kubernetes/website/tree/main/content/en/blog/_posts) directory.
+- [Open a pull request](/docs/contribute/new-content/open-a-pr/#fork-the-repo) with a new blog post.
+  New blog posts go under the [`content/en/blog/_posts`](https://github.com/kubernetes/website/tree/main/content/en/blog/_posts)
+  directory.
 
-- Ensure that your blog post follows the correct naming conventions and the following frontmatter (metadata) information:
+- Ensure that your blog post follows the correct naming conventions and the following frontmatter
+  (metadata) information:
 
-  - The Markdown file name must follow the format `YYYY-MM-DD-Your-Title-Here.md`. For example, `2020-02-07-Deploying-External-OpenStack-Cloud-Provider-With-Kubeadm.md`.
-  - Do **not** include dots in the filename. A name like `2020-01-01-whats-new-in-1.19.md` causes failures during a build.
+  - The Markdown file name must follow the format `YYYY-MM-DD-Your-Title-Here.md`. For example,
+    `2020-02-07-Deploying-External-OpenStack-Cloud-Provider-With-Kubeadm.md`.
+  - Do **not** include dots in the filename. A name like `2020-01-01-whats-new-in-1.19.md` causes
+    failures during a build.
   - The front matter must include the following:
 
-  ```yaml
-  ---
-  layout: blog
-  title: "Your Title Here"
-  date: YYYY-MM-DD
-  slug: text-for-URL-link-here-no-spaces
-  ---
-  ```
-  - The first or initial commit message should be a short summary of the work being done and should stand alone as a description of the blog post. Please note that subsequent edits to your blog will be squashed into this main commit, so it should be as useful as possible. 
+    ```yaml
+    ---
+    layout: blog
+    title: "Your Title Here"
+    date: YYYY-MM-DD
+    slug: text-for-URL-link-here-no-spaces
+    ---
+    ```
+
+  - The first or initial commit message should be a short summary of the work being done and
+    should stand alone as a description of the blog post. Please note that subsequent edits to
+    your blog will be squashed into this main commit, so it should be as useful as possible. 
+
     - Examples of a good commit message:
-      -  _Add blog post on the foo kubernetes feature_
-      -  _blog: foobar announcement_
+      - _Add blog post on the foo kubernetes feature_
+      - _blog: foobar announcement_
     - Examples of bad commit message:
       - _Add blog post_
       - _._
       - _initial commit_
       - _draft post_
-  - The blog team will then review your PR and give you comments on things you might need to fix. After that the bot will merge your PR and your blog post will be published. 
-  - If the content of the blog post contains only content that is not expected to require updates to stay accurate for the reader, it can be marked as evergreen and exempted from the automatic warning about outdated content added to blog posts older than one year.
+
+  - The blog team will then review your PR and give you comments on things you might need to fix.
+    After that the bot will merge your PR and your blog post will be published. 
+
+  - If the content of the blog post contains only content that is not expected to require updates
+    to stay accurate for the reader, it can be marked as evergreen and exempted from the automatic
+    warning about outdated content added to blog posts older than one year.
+
     - To mark a blog post as evergreen, add this to the front matter:
       
       ```yaml
@@ -121,13 +185,15 @@ To submit a blog post follow these directions:
       - **Tutorials** that only apply to specific releases or versions and not all future versions
       - References to pre-GA APIs or features
 
-
 ## Submit a case study
 
-Case studies highlight how organizations are using Kubernetes to solve
-real-world problems. The Kubernetes marketing team and members of the {{< glossary_tooltip text="CNCF" term_id="cncf" >}} collaborate with you on all case studies.
+Case studies highlight how organizations are using Kubernetes to solve real-world problems. The
+Kubernetes marketing team and members of the {{< glossary_tooltip text="CNCF" term_id="cncf" >}}
+collaborate with you on all case studies.
 
 Have a look at the source for the
 [existing case studies](https://github.com/kubernetes/website/tree/main/content/en/case-studies).
 
-Refer to the [case study guidelines](https://github.com/cncf/foundation/blob/master/case-study-guidelines.md) and submit your request as outlined in the guidelines.
+Refer to the [case study guidelines](https://github.com/cncf/foundation/blob/master/case-study-guidelines.md)
+and submit your request as outlined in the guidelines.
+
diff --git a/content/en/docs/contribute/new-content/open-a-pr.md b/content/en/docs/contribute/new-content/open-a-pr.md
index 548dbac5d01eb..666dfdce965ec 100644
--- a/content/en/docs/contribute/new-content/open-a-pr.md
+++ b/content/en/docs/contribute/new-content/open-a-pr.md
@@ -28,7 +28,7 @@ If your changes are large, read [Work from a local fork](#fork-the-repo) to lear
 ## Changes using GitHub
 
 If you're less experienced with git workflows, here's an easier method of
-opening a pull request. The figure below outlines the steps and the details follow.
+opening a pull request. Figure 1 outlines the steps and the details follow.
 
 <!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
 <!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
@@ -61,7 +61,7 @@ class tasks,tasks2 white
 class id1 k8s
 {{</ mermaid >}}
 
-***Figure - Steps for opening a PR using GitHub***
+Figure 1. Steps for opening a PR using GitHub.
 
 1.  On the page where you see the issue, select the pencil icon at the top right.
     You can also scroll to the bottom of the page and select **Edit this page**.
@@ -122,7 +122,7 @@ work from a local fork.
 
 Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) installed on your computer. You can also use a git UI application.
 
-The figure below shows the steps to follow when you work from a local fork. The details for each step follow.
+Figure 2 shows the steps to follow when you work from a local fork. The details for each step follow.
 
 <!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
 <!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
@@ -151,7 +151,8 @@ class 1,2,3,3a,4,5,6 grey
 class S,T spacewhite
 class changes,changes2 white
 {{</ mermaid >}}
-***Figure - Working from a local fork to make your changes***
+
+Figure 2. Working from a local fork to make your changes.
 
 ### Fork the kubernetes/website repository
 
@@ -291,34 +292,24 @@ You can either build the website's container image or run Hugo locally. Building
 The commands below use Docker as default container engine. Set the `CONTAINER_ENGINE` environment variable to override this behaviour.
 {{< /note >}}
 
-1.  Build the image locally:
-
-      ```bash
-      # Use docker (default)
-      make container-image
-
-      ### OR ###
+1. Build the container image locally  
+   _You only need this step if you are testing a change to the Hugo tool itself_
+   ```bash
+   # Run this in a terminal (if required)
+   make container-image
+   ```
 
-      # Use podman
-      CONTAINER_ENGINE=podman make container-image
-      ```
+1. Start Hugo in a container:
 
-2. After building the `kubernetes-hugo` image locally, build and serve the site:
+   ```bash
+   # Run this in a terminal
+   make container-serve
+   ```
 
-      ```bash
-      # Use docker (default)
-      make container-serve
-
-      ### OR ###
-
-      # Use podman
-      CONTAINER_ENGINE=podman make container-serve
-      ```
-
-3.  In a web browser, navigate to `https://localhost:1313`. Hugo watches the
+1.  In a web browser, navigate to `https://localhost:1313`. Hugo watches the
     changes and rebuilds the site as needed.
 
-4.  To stop the local Hugo instance, go back to the terminal and type `Ctrl+C`,
+1.  To stop the local Hugo instance, go back to the terminal and type `Ctrl+C`,
     or close the terminal window.
 
 {{% /tab %}}
@@ -353,7 +344,7 @@ Alternately, install and use the `hugo` command on your computer:
 
 ### Open a pull request from your fork to kubernetes/website {#open-a-pr}
 
-The figure below shows the steps to open a PR from your fork to the K8s/website. The details follow.
+Figure 3 shows the steps to open a PR from your fork to the K8s/website. The details follow.
 <!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
 <!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
 
@@ -379,7 +370,8 @@ classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:b
 class 1,2,3,4,5,6,7,8 grey
 class first,second white
 {{</ mermaid >}}
-***Figure - Steps to open a PR from your fork to the K8s/website***
+
+Figure 3. Steps to open a PR from your fork to the K8s/website.
 
 1. In a web browser, go to the [`kubernetes/website`](https://github.com/kubernetes/website/) repository.
 2. Select **New Pull Request**.
diff --git a/content/en/docs/contribute/participate/_index.md b/content/en/docs/contribute/participate/_index.md
index ff4714f8034c4..b76423ededd89 100644
--- a/content/en/docs/contribute/participate/_index.md
+++ b/content/en/docs/contribute/participate/_index.md
@@ -115,6 +115,6 @@ SIG Docs approvers. Here's how it works.
 
 For more information about contributing to the Kubernetes documentation, see:
 
-- [Contributing new content](/docs/contribute/new-content/overview/)
+- [Contributing new content](/docs/contribute/new-content/)
 - [Reviewing content](/docs/contribute/review/reviewing-prs)
 - [Documentation style guide](/docs/contribute/style/)
diff --git a/content/en/docs/contribute/participate/pr-wranglers.md b/content/en/docs/contribute/participate/pr-wranglers.md
index 865af3580531b..ee553c64d68c8 100644
--- a/content/en/docs/contribute/participate/pr-wranglers.md
+++ b/content/en/docs/contribute/participate/pr-wranglers.md
@@ -84,7 +84,7 @@ To close a pull request, leave a `/close` comment on the PR.
 
 {{< note >}}
 
-The [`fejta-bot`](https://github.com/fejta-bot) bot marks issues as stale after 90 days of inactivity. After 30 more days it marks issues as rotten and closes them.  PR wranglers should close issues after 14-30 days of inactivity.
+The [`k8s-triage-robot`](https://github.com/k8s-triage-robot) bot marks issues as stale after 90 days of inactivity. After 30 more days it marks issues as rotten and closes them.  PR wranglers should close issues after 14-30 days of inactivity.
 
 {{< /note >}}
 
@@ -100,4 +100,4 @@ In late 2021, SIG Docs introduced the PR Wrangler Shadow Program. The program wa
 
 - Others can reach out on the [#sig-docs Slack channel](https://kubernetes.slack.com/messages/sig-docs) for requesting to shadow an assigned PR Wrangler for a specific week. Feel free to reach out to Brad Topol (`@bradtopol`) or one of the [SIG Docs co-chairs/leads](https://github.com/kubernetes/community/tree/master/sig-docs#leadership).
 
-- Once you've signed up to shadow a PR Wrangler, introduce yourself to the PR Wrangler on the [Kubernetes Slack](slack.k8s.io).
\ No newline at end of file
+- Once you've signed up to shadow a PR Wrangler, introduce yourself to the PR Wrangler on the [Kubernetes Slack](https://slack.k8s.io).
diff --git a/content/en/docs/contribute/participate/roles-and-responsibilities.md b/content/en/docs/contribute/participate/roles-and-responsibilities.md
index c577c3f8be8dc..10d6072ce3699 100644
--- a/content/en/docs/contribute/participate/roles-and-responsibilities.md
+++ b/content/en/docs/contribute/participate/roles-and-responsibilities.md
@@ -32,7 +32,7 @@ Anyone can:
 - Suggest improvements on [Slack](https://slack.k8s.io/) or the
   [SIG docs mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-docs).
 
-After [signing the CLA](/docs/contribute/new-content/overview/#sign-the-cla), anyone can also:
+After [signing the CLA](https://github.com/kubernetes/community/blob/master/CLA.md), anyone can also:
 
 - Open a pull request to improve existing content, add new content, or write a blog post or case study
 - Create diagrams, graphics assets, and embeddable screencasts and videos
diff --git a/content/en/docs/contribute/review/reviewing-prs.md b/content/en/docs/contribute/review/reviewing-prs.md
index 3e71e9c43434a..54b209dc0e24e 100644
--- a/content/en/docs/contribute/review/reviewing-prs.md
+++ b/content/en/docs/contribute/review/reviewing-prs.md
@@ -7,7 +7,8 @@ weight: 10
 
 <!-- overview -->
 
-Anyone can review a documentation pull request. Visit the [pull requests](https://github.com/kubernetes/website/pulls) section in the Kubernetes website repository to see open pull requests.
+Anyone can review a documentation pull request. Visit the [pull requests](https://github.com/kubernetes/website/pulls)
+section in the Kubernetes website repository to see open pull requests.
 
 Reviewing documentation pull requests is a
 great way to introduce yourself to the Kubernetes community.
@@ -27,7 +28,9 @@ Before reviewing, it's a good idea to:
 
 Before you start a review:
 
-- Read the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and ensure that you abide by it at all times.
+
+- Read the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
+  and ensure that you abide by it at all times.
 - Be polite, considerate, and helpful.
 - Comment on positive aspects of PRs as well as changes.
 - Be empathetic and mindful of how your review may be received.
@@ -36,7 +39,8 @@ Before you start a review:
 
 ## Review process
 
-In general, review pull requests for content and style in English. Figure 1 outlines the steps for the review process. The details for each step follow.
+In general, review pull requests for content and style in English. Figure 1 outlines the steps for
+the review process. The details for each step follow.
 
 <!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
 <!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
@@ -69,33 +73,40 @@ class third,fourth white
 
 Figure 1. Review process steps.
 
-1.  Go to
-    [https://github.com/kubernetes/website/pulls](https://github.com/kubernetes/website/pulls).
-    You see a list of every open pull request against the Kubernetes website and
-    docs.
-
-2.  Filter the open PRs using one or all of the following labels:
-    - `cncf-cla: yes` (Recommended): PRs submitted by contributors who have not signed the CLA cannot be merged. See [Sign the CLA](/docs/contribute/new-content/overview/#sign-the-cla) for more information.
-    - `language/en` (Recommended): Filters for english language PRs only.
-    - `size/<size>`: filters for PRs of a certain size. If you're new, start with smaller PRs.
-
-    Additionally, ensure the PR isn't marked as a work in progress. PRs using the `work in progress` label are not ready for review yet.
-
-3.  Once you've selected a PR to review, understand the change by:
-    - Reading the PR description to understand the changes made, and read any linked issues
-    - Reading any comments by other reviewers
-    - Clicking the **Files changed** tab to see the files and lines changed
-    - Previewing the changes in the Netlify preview build by scrolling to the PR's build check section at the bottom of the **Conversation** tab.
-      Here's a screenshot (this shows GitHub's desktop site; if you're reviewing
-      on a tablet or smartphone device, the GitHub web UI is slightly different):
-      {{< figure src="/images/docs/github_netlify_deploy_preview.png" alt="GitHub pull request details including link to Netlify preview" >}}
-      To open the preview, click on the  **Details** link of the **deploy/netlify** line in the list of checks.
-
-4.  Go to the **Files changed** tab to start your review.
-    1. Click on the `+` symbol  beside the line you want to comment on.
-    2. Fill in any comments you have about the line and click either **Add single comment** (if you have only one comment to make) or  **Start a review** (if you have multiple comments to make).
-    3. When finished, click **Review changes** at the top of the page. Here, you can add
-       add a summary of your review (and leave some positive comments for the contributor!),
+1. Go to [https://github.com/kubernetes/website/pulls](https://github.com/kubernetes/website/pulls).
+   You see a list of every open pull request against the Kubernetes website and docs.
+
+2. Filter the open PRs using one or all of the following labels:
+
+   - `cncf-cla: yes` (Recommended): PRs submitted by contributors who have not signed the CLA
+     cannot be merged. See [Sign the CLA](/docs/contribute/new-content/#sign-the-cla)
+     for more information.
+   - `language/en` (Recommended): Filters for english language PRs only.
+   - `size/<size>`: filters for PRs of a certain size. If you're new, start with smaller PRs.
+
+   Additionally, ensure the PR isn't marked as a work in progress. PRs using the `work in
+   progress` label are not ready for review yet.
+
+3. Once you've selected a PR to review, understand the change by:
+
+   - Reading the PR description to understand the changes made, and read any linked issues
+   - Reading any comments by other reviewers
+   - Clicking the **Files changed** tab to see the files and lines changed
+   - Previewing the changes in the Netlify preview build by scrolling to the PR's build check
+     section at the bottom of the **Conversation** tab.
+     Here's a screenshot (this shows GitHub's desktop site; if you're reviewing
+     on a tablet or smartphone device, the GitHub web UI is slightly different):
+     {{< figure src="/images/docs/github_netlify_deploy_preview.png" alt="GitHub pull request details including link to Netlify preview" >}}
+     To open the preview, click on the  **Details** link of the **deploy/netlify** line in the
+     list of checks.
+
+4. Go to the **Files changed** tab to start your review.
+
+   1. Click on the `+` symbol  beside the line you want to comment on.
+   1. Fill in any comments you have about the line and click either **Add single comment** (if you
+      have only one comment to make) or  **Start a review** (if you have multiple comments to make).
+   1. When finished, click **Review changes** at the top of the page. Here, you can add
+      a summary of your review (and leave some positive comments for the contributor!),
       approve the PR, comment or request changes as needed. New contributors should always
       choose **Comment**.
 
@@ -119,14 +130,22 @@ When reviewing, use the following as a starting point.
 
 ### Website
 
-- Did this PR change or remove a page title, slug/alias or anchor link? If so, are there broken links as a result of this PR? Is there another option, like changing the page title without changing the slug?
+- Did this PR change or remove a page title, slug/alias or anchor link? If so, are there broken
+  links as a result of this PR? Is there another option, like changing the page title without
+  changing the slug?
+
 - Does the PR introduce a new page? If so:
-  - Is the page using the right [page content type](/docs/contribute/style/page-content-types/) and associated Hugo shortcodes?
+
+  - Is the page using the right [page content type](/docs/contribute/style/page-content-types/)
+    and associated Hugo shortcodes?
   - Does the page appear correctly in the section's side navigation (or at all)?
   - Should the page appear on the [Docs Home](/docs/home/) listing?
-- Do the changes show up in the Netlify preview? Be particularly vigilant about lists, code blocks, tables, notes and images.
+
+- Do the changes show up in the Netlify preview? Be particularly vigilant about lists, code
+  blocks, tables, notes and images.
 
 ### Other
 
-For small issues with a PR, like typos or whitespace, prefix your comments with `nit:`.  This lets the author know the issue is non-critical.
+For small issues with a PR, like typos or whitespace, prefix your comments with `nit:`.
+This lets the author know the issue is non-critical.
 
diff --git a/content/en/docs/contribute/suggesting-improvements.md b/content/en/docs/contribute/suggesting-improvements.md
index 9cab3f7a72bc4..d79df11476419 100644
--- a/content/en/docs/contribute/suggesting-improvements.md
+++ b/content/en/docs/contribute/suggesting-improvements.md
@@ -1,6 +1,5 @@
 ---
 title: Suggesting content improvements
-slug: suggest-improvements
 content_type: concept
 weight: 10
 card:
diff --git a/content/en/docs/home/supported-doc-versions.md b/content/en/docs/home/supported-doc-versions.md
index b955f95f567a7..fd3559a4d3786 100644
--- a/content/en/docs/home/supported-doc-versions.md
+++ b/content/en/docs/home/supported-doc-versions.md
@@ -10,3 +10,8 @@ card:
 
 This website contains documentation for the current version of Kubernetes
 and the four previous versions of Kubernetes.
+
+The availability of documentation for a Kubernetes version is separate from whether
+that release is currently supported.
+Read [Support period](/releases/patch-releases/#support-period) to learn about
+which versions of Kubernetes are officially supported, and for how long.
\ No newline at end of file
diff --git a/content/en/docs/images/ingress.svg b/content/en/docs/images/ingress.svg
new file mode 100644
index 0000000000000..450a0aae9b4fa
--- /dev/null
+++ b/content/en/docs/images/ingress.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 683.28125 224" style="max-width: 683.28125px;" height="224" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .cluster&gt;*{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}#graph-div .cluster span{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}</style><g><g class="output"><g class="clusters"><g style="opacity: 1;" transform="translate(464.8125,112)" id="flowchart-cluster-82" class="cluster"><rect y="-104" x="-210.46875" height="208" width="420.9375"></rect><g id="graph-divText" transform="translate(0, -90)" class="label"><g transform="translate(-24.578125,-12)"><foreignObject height="24" width="49.15625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">cluster</div></foreignObject></g></g></g></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-ingress" class="edgePath LS-client LE-ingress"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead118)" d="M80.015625,112L94.54296875,112C109.0703125,112,138.125,112,167.1796875,112C196.234375,112,225.2890625,112,243.98307291666666,112C262.6770833333333,112,271.0104166666667,112,275.1770833333333,112L279.34375,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead118"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service" class="edgePath LS-ingress LE-service"><path style="fill:none" marker-end="url(#arrowhead119)" d="M348.46875,112L359.6731770833333,112C370.8776041666667,112,393.2864583333333,112,415.6953125,112C438.1041666666667,112,460.5130208333333,112,471.7174479166667,112L482.921875,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead119"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service-pod1" class="edgePath LS-service LE-pod1"><path style="fill:none" marker-end="url(#arrowhead120)" d="M547.2456781914893,90L552.6396276595744,85.83333333333333C558.0335771276596,81.66666666666667,568.8214760638298,73.33333333333333,578.3820921985815,69.16666666666667C587.9427083333334,65,596.2760416666666,65,600.4427083333334,65L604.609375,65" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead120"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service-pod2" class="edgePath LS-service LE-pod2"><path style="fill:none" marker-end="url(#arrowhead121)" d="M547.2456781914893,134L552.6396276595744,138.16666666666666C558.0335771276596,142.33333333333334,568.8214760638298,150.66666666666666,578.3820921985815,154.83333333333334C587.9427083333334,159,596.2760416666666,159,600.4427083333334,159L604.609375,159" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead121"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="translate(167.1796875,112)" class="edgeLabel"><g class="label" transform="translate(-62.1640625,-24)"><rect height="48" width="124.328125" ry="0" rx="0"></rect><foreignObject height="48" width="124.328125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-ingress" id="L-L-client-ingress">Ingress-managed <br/> load balancer</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(415.6953125,112)" class="edgeLabel"><g class="label" transform="translate(-42.2265625,-12)"><rect height="24" width="84.453125" ry="0" rx="0"></rect><foreignObject height="24" width="84.453125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service" id="L-L-ingress-service">routing rule</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service' L-LE-pod1" id="L-L-service-pod1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service' L-LE-pod2" id="L-L-service-pod2"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(313.90625,112)" id="flowchart-ingress-74" class="node k8s"><rect class="label-container" height="44" width="69.125" y="-22" x="-34.5625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.5625,-12)"><foreignObject height="24" width="49.125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Ingress</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(627.4453125,65)" id="flowchart-pod1-79" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(518.765625,112)" id="flowchart-service-76" class="node k8s"><rect class="label-container" height="44" width="71.6875" y="-22" x="-35.84375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-25.84375,-12)"><foreignObject height="24" width="51.6875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(627.4453125,159)" id="flowchart-pod2-81" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(44.0078125,112)" id="flowchart-client-73" class="node plain"><rect class="label-container" height="44" width="72.015625" y="-22" x="-36.0078125" ry="22" rx="22"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/en/docs/images/ingressFanOut.svg b/content/en/docs/images/ingressFanOut.svg
new file mode 100644
index 0000000000000..a6bf202635164
--- /dev/null
+++ b/content/en/docs/images/ingressFanOut.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 854.515625 412" style="max-width: 854.515625px;" height="412" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .cluster&gt;*{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}#graph-div .cluster span{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}</style><g><g class="output"><g class="clusters"><g style="opacity: 1;" transform="translate(550.4296875,206)" id="flowchart-cluster-158" class="cluster"><rect y="-198" x="-296.0859375" height="396" width="592.171875"></rect><g id="graph-divText" transform="translate(0, -184)" class="label"><g transform="translate(-24.578125,-12)"><foreignObject height="24" width="49.15625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">cluster</div></foreignObject></g></g></g></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-ingress" class="edgePath LS-client LE-ingress"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead193)" d="M80.015625,206L94.54296875,206C109.0703125,206,138.125,206,167.1796875,206C196.234375,206,225.2890625,206,243.98307291666666,206C262.6770833333333,206,271.0104166666667,206,275.1770833333333,206L279.34375,206" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead193"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service1" class="edgePath LS-ingress LE-service1"><path style="fill:none" marker-end="url(#arrowhead194)" d="M406.0119680851064,184L423.35372340425533,172C440.6954787234043,160,475.37898936170217,136,499.54886968085106,124C523.71875,112,537.375,112,544.203125,112L551.03125,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead194"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service2" class="edgePath LS-ingress LE-service2"><path style="fill:none" marker-end="url(#arrowhead195)" d="M406.0119680851064,228L423.35372340425533,240C440.6954787234043,252,475.37898936170217,276,499.54886968085106,288C523.71875,300,537.375,300,544.203125,300L551.03125,300" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead195"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod1" class="edgePath LS-service1 LE-pod1"><path style="fill:none" marker-end="url(#arrowhead196)" d="M691.0531914893617,90L701.0182845744681,85.83333333333333C710.9833776595746,81.66666666666667,730.9135638297872,73.33333333333333,745.0453235815603,69.16666666666667C759.1770833333334,65,767.5104166666666,65,771.6770833333334,65L775.84375,65" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead196"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod2" class="edgePath LS-service1 LE-pod2"><path style="fill:none" marker-end="url(#arrowhead197)" d="M691.0531914893617,134L701.0182845744681,138.16666666666666C710.9833776595746,142.33333333333334,730.9135638297872,150.66666666666666,745.0453235815603,154.83333333333334C759.1770833333334,159,767.5104166666666,159,771.6770833333334,159L775.84375,159" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead197"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod3" class="edgePath LS-service2 LE-pod3"><path style="fill:none" marker-end="url(#arrowhead198)" d="M691.0531914893617,278L701.0182845744681,273.8333333333333C710.9833776595746,269.6666666666667,730.9135638297872,261.3333333333333,745.0453235815603,257.1666666666667C759.1770833333334,253,767.5104166666666,253,771.6770833333334,253L775.84375,253" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead198"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod4" class="edgePath LS-service2 LE-pod4"><path style="fill:none" marker-end="url(#arrowhead199)" d="M691.0531914893617,322L701.0182845744681,326.1666666666667C710.9833776595746,330.3333333333333,730.9135638297872,338.6666666666667,745.0453235815603,342.8333333333333C759.1770833333334,347,767.5104166666666,347,771.6770833333334,347L775.84375,347" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead199"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="translate(167.1796875,206)" class="edgeLabel"><g class="label" transform="translate(-62.1640625,-24)"><rect height="48" width="124.328125" ry="0" rx="0"></rect><foreignObject height="48" width="124.328125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-ingress" id="L-L-client-ingress">Ingress-managed <br/> load balancer</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(510.0625,112)" class="edgeLabel"><g class="label" transform="translate(-15.7421875,-12)"><rect height="24" width="31.484375" ry="0" rx="0"></rect><foreignObject height="24" width="31.484375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service1" id="L-L-ingress-service1">/foo</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(510.0625,300)" class="edgeLabel"><g class="label" transform="translate(-15.96875,-12)"><rect height="24" width="31.9375" ry="0" rx="0"></rect><foreignObject height="24" width="31.9375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service2" id="L-L-ingress-service2">/bar</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod1" id="L-L-service1-pod1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod2" id="L-L-service1-pod2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod3" id="L-L-service2-pod3"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod4" id="L-L-service2-pod4"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(374.21875,206)" id="flowchart-ingress-144" class="node k8s"><rect class="label-container" height="44" width="189.75" y="-22" x="-94.875" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-84.875,-12)"><foreignObject height="24" width="169.75"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Ingress, 178.91.123.132</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,65)" id="flowchart-pod1-151" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(638.4375,112)" id="flowchart-service1-146" class="node k8s"><rect class="label-container" height="44" width="174.8125" y="-22" x="-87.40625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-77.40625,-12)"><foreignObject height="24" width="154.8125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service1:4200</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,159)" id="flowchart-pod2-153" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,253)" id="flowchart-pod3-155" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(638.4375,300)" id="flowchart-service2-148" class="node k8s"><rect class="label-container" height="44" width="174.8125" y="-22" x="-87.40625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-77.40625,-12)"><foreignObject height="24" width="154.8125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service2:8080</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,347)" id="flowchart-pod4-157" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(44.0078125,206)" id="flowchart-client-143" class="node plain"><rect class="label-container" height="44" width="72.015625" y="-22" x="-36.0078125" ry="22" rx="22"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/en/docs/images/ingressNameBased.svg b/content/en/docs/images/ingressNameBased.svg
new file mode 100644
index 0000000000000..7e1d7be98c60f
--- /dev/null
+++ b/content/en/docs/images/ingressNameBased.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 934.40625 412" style="max-width: 934.40625px;" height="412" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .cluster&gt;*{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}#graph-div .cluster span{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}</style><g><g class="output"><g class="clusters"><g style="opacity: 1;" transform="translate(590.375,206)" id="flowchart-cluster-234" class="cluster"><rect y="-198" x="-336.03125" height="396" width="672.0625"></rect><g id="graph-divText" transform="translate(0, -184)" class="label"><g transform="translate(-24.578125,-12)"><foreignObject height="24" width="49.15625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">cluster</div></foreignObject></g></g></g></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-ingress" class="edgePath LS-client LE-ingress"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead271)" d="M80.015625,206L94.54296875,206C109.0703125,206,138.125,206,167.1796875,206C196.234375,206,225.2890625,206,243.98307291666666,206C262.6770833333333,206,271.0104166666667,206,275.1770833333333,206L279.34375,206" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead271"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service1" class="edgePath LS-ingress LE-service1"><path style="fill:none" marker-end="url(#arrowhead272)" d="M417.32463430851067,184L440.83693484042556,172C464.34923537234044,160,511.3738364361702,136,549.7702515514185,124C588.1666666666666,112,617.9348958333334,112,632.8190104166666,112L647.703125,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead272"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service2" class="edgePath LS-ingress LE-service2"><path style="fill:none" marker-end="url(#arrowhead273)" d="M417.32463430851067,228L440.83693484042556,240C464.34923537234044,252,511.3738364361702,276,549.7702515514185,288C588.1666666666666,300,617.9348958333334,300,632.8190104166666,300L647.703125,300" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead273"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod1" class="edgePath LS-service1 LE-pod1"><path style="fill:none" marker-end="url(#arrowhead274)" d="M775.406914893617,90L784.6281582446809,85.83333333333333C793.8494015957446,81.66666666666667,812.2918882978723,73.33333333333333,825.6797983156029,69.16666666666667C839.0677083333334,65,847.4010416666666,65,851.5677083333334,65L855.734375,65" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead274"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod2" class="edgePath LS-service1 LE-pod2"><path style="fill:none" marker-end="url(#arrowhead275)" d="M775.406914893617,134L784.6281582446809,138.16666666666666C793.8494015957446,142.33333333333334,812.2918882978723,150.66666666666666,825.6797983156029,154.83333333333334C839.0677083333334,159,847.4010416666666,159,851.5677083333334,159L855.734375,159" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead275"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod3" class="edgePath LS-service2 LE-pod3"><path style="fill:none" marker-end="url(#arrowhead276)" d="M775.406914893617,278L784.6281582446809,273.8333333333333C793.8494015957446,269.6666666666667,812.2918882978723,261.3333333333333,825.6797983156029,257.1666666666667C839.0677083333334,253,847.4010416666666,253,851.5677083333334,253L855.734375,253" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead276"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod4" class="edgePath LS-service2 LE-pod4"><path style="fill:none" marker-end="url(#arrowhead277)" d="M775.406914893617,322L784.6281582446809,326.1666666666667C793.8494015957446,330.3333333333333,812.2918882978723,338.6666666666667,825.6797983156029,342.8333333333333C839.0677083333334,347,847.4010416666666,347,851.5677083333334,347L855.734375,347" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead277"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="translate(167.1796875,206)" class="edgeLabel"><g class="label" transform="translate(-62.1640625,-24)"><rect height="48" width="124.328125" ry="0" rx="0"></rect><foreignObject height="48" width="124.328125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-ingress" id="L-L-client-ingress">Ingress-managed <br/> load balancer</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(558.3984375,112)" class="edgeLabel"><g class="label" transform="translate(-64.3046875,-12)"><rect height="24" width="128.609375" ry="0" rx="0"></rect><foreignObject height="24" width="128.609375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service1" id="L-L-ingress-service1">Host: foo.bar.com</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(558.3984375,300)" class="edgeLabel"><g class="label" transform="translate(-64.3046875,-12)"><rect height="24" width="128.609375" ry="0" rx="0"></rect><foreignObject height="24" width="128.609375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service2" id="L-L-ingress-service2">Host: bar.foo.com</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod1" id="L-L-service1-pod1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod2" id="L-L-service1-pod2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod3" id="L-L-service2-pod3"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod4" id="L-L-service2-pod4"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(374.21875,206)" id="flowchart-ingress-220" class="node k8s"><rect class="label-container" height="44" width="189.75" y="-22" x="-94.875" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-84.875,-12)"><foreignObject height="24" width="169.75"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Ingress, 178.91.123.132</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,65)" id="flowchart-pod1-227" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(726.71875,112)" id="flowchart-service1-222" class="node k8s"><rect class="label-container" height="44" width="158.03125" y="-22" x="-79.015625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-69.015625,-12)"><foreignObject height="24" width="138.03125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service1:80</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,159)" id="flowchart-pod2-229" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,253)" id="flowchart-pod3-231" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(726.71875,300)" id="flowchart-service2-224" class="node k8s"><rect class="label-container" height="44" width="158.03125" y="-22" x="-79.015625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-69.015625,-12)"><foreignObject height="24" width="138.03125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service2:80</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,347)" id="flowchart-pod4-233" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(44.0078125,206)" id="flowchart-client-219" class="node plain"><rect class="label-container" height="44" width="72.015625" y="-22" x="-36.0078125" ry="22" rx="22"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/en/docs/images/tutor-service-nodePort-fig01.svg b/content/en/docs/images/tutor-service-nodePort-fig01.svg
new file mode 100644
index 0000000000000..bb4d866f853f3
--- /dev/null
+++ b/content/en/docs/images/tutor-service-nodePort-fig01.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 484.78125 84" style="max-width: 484.78125px;" height="84" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}</style><g><g class="output"><g class="clusters"></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-node2" class="edgePath LS-client LE-node2"><path style="fill:none" marker-end="url(#arrowhead23)" d="M69.015625,36.50387051372273L73.18229166666667,35.753225428102276C77.34895833333333,35.00258034248182,85.68229166666667,33.50129017124091,94.015625,33.44708453891548C102.34895833333333,33.392878906590056,110.68229166666667,34.78575781318012,114.84895833333333,35.48219726647515L119.015625,36.178636719770175" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead23"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node2-client" class="edgePath LS-node2 LE-client"><path style="fill:none" marker-end="url(#arrowhead24)" d="M119.015625,47.821363280229825L114.84895833333333,48.51780273352485C110.68229166666667,49.21424218681989,102.34895833333333,50.607121093409944,94.015625,50.55291546108452C85.68229166666667,50.49870982875908,77.34895833333333,48.99741965751818,73.18229166666667,48.246774571897724L69.015625,47.49612948627727" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead24"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node2-node1" class="edgePath LS-node2 LE-node1"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead25)" d="M188.671875,32.096334444107846L195.76171875,30.080278703423204C202.8515625,28.064222962738565,217.03125,24.03211148136928,231.2109375,24.03211148136928C245.390625,24.03211148136928,259.5703125,28.064222962738565,266.66015625,30.080278703423204L273.75,32.096334444107846" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead25"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node1-node2" class="edgePath LS-node1 LE-node2"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead26)" d="M273.75,51.903665555892154L266.66015625,53.919721296576796C259.5703125,55.93577703726144,245.390625,59.96788851863072,231.2109375,59.96788851863071C217.03125,59.96788851863072,202.8515625,55.93577703726144,195.76171875,53.919721296576796L188.671875,51.903665555892154" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead26"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node1-endpoint" class="edgePath LS-node1 LE-endpoint"><path style="fill:none" marker-end="url(#arrowhead27)" d="M343.40625,42L347.5729166666667,42C351.7395833333333,42,360.0729166666667,42,368.40625,42C376.7395833333333,42,385.0729166666667,42,389.2395833333333,42L393.40625,42" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead27"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-node2" id="L-L-client-node2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node2' L-LE-client" id="L-L-node2-client"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(231.2109375,20)" class="edgeLabel"><g class="label" transform="translate(-17.5390625,-12)"><rect height="24" width="35.078125" ry="0" rx="0"></rect><foreignObject height="24" width="35.078125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node2' L-LE-node1" id="L-L-node2-node1">SNAT</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(231.2109375,64)" class="edgeLabel"><g class="label" transform="translate(-17.5390625,-12)"><rect height="24" width="35.078125" ry="0" rx="0"></rect><foreignObject height="24" width="35.078125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node1' L-LE-node2" id="L-L-node1-node2">SNAT</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node1' L-LE-endpoint" id="L-L-node1-endpoint"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(38.5078125,42)" id="flowchart-client-10" class="node plain"><rect class="label-container" height="44" width="61.015625" y="-22" x="-30.5078125" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(153.84375,42)" id="flowchart-node2-11" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 2</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(308.578125,42)" id="flowchart-node1-15" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 1</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(435.09375,42)" id="flowchart-endpoint-19" class="node k8s"><rect class="label-container" height="44" width="83.375" y="-22" x="-41.6875" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-31.6875,-12)"><foreignObject height="24" width="63.375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Endpoint</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/en/docs/images/tutor-service-nodePort-fig02.svg b/content/en/docs/images/tutor-service-nodePort-fig02.svg
new file mode 100644
index 0000000000000..1a891575e5f58
--- /dev/null
+++ b/content/en/docs/images/tutor-service-nodePort-fig02.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 212.25 248" style="max-width: 212.25px;" height="248" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}</style><g><g class="output"><g class="clusters"></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-node1" class="edgePath LS-client LE-node1"><path style="fill:none" marker-end="url(#arrowhead69)" d="M81.58909574468085,52L76.2851839539007,56.166666666666664C70.98127216312056,60.333333333333336,60.373448581560275,68.66666666666667,55.06953679078014,77C49.765625,85.33333333333333,49.765625,93.66666666666667,49.765625,97.83333333333333L49.765625,102" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead69"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-client-node2" class="edgePath LS-client LE-node2"><path style="fill:none" marker-end="url(#arrowhead70)" d="M137.59840425531914,52L142.9023160460993,56.166666666666664C148.20622783687944,60.333333333333336,158.8140514184397,68.66666666666667,164.11796320921985,77C169.421875,85.33333333333333,169.421875,93.66666666666667,169.421875,97.83333333333333L169.421875,102" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead70"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node1-endpoint" class="edgePath LS-node1 LE-endpoint"><path style="fill:none" marker-end="url(#arrowhead71)" d="M45.084773936170215,146L44.198249113475185,150.16666666666666C43.31172429078015,154.33333333333334,41.538674645390074,162.66666666666666,41.538674645390074,171C41.538674645390074,179.33333333333334,43.31172429078015,187.66666666666666,44.19824911347518,191.83333333333334L45.084773936170215,196" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead71"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-endpoint-node1" class="edgePath LS-endpoint LE-node1"><path style="fill:none" marker-end="url(#arrowhead72)" d="M54.446476063829785,196L55.33300088652482,191.83333333333334C56.21952570921985,187.66666666666666,57.992575354609926,179.33333333333334,57.992575354609926,171C57.992575354609926,162.66666666666666,56.21952570921985,154.33333333333334,55.333000886524815,150.16666666666666L54.446476063829785,146" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead72"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-node1" id="L-L-client-node1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-node2" id="L-L-client-node2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node1' L-LE-endpoint" id="L-L-node1-endpoint"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-endpoint' L-LE-node1" id="L-L-endpoint-node1"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(109.59375,30)" id="flowchart-client-66" class="node plain"><rect class="label-container" height="44" width="61.015625" y="-22" x="-30.5078125" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(49.765625,124)" id="flowchart-node1-67" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 1</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(169.421875,124)" id="flowchart-node2-69" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 2</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(49.765625,218)" id="flowchart-endpoint-71" class="node k8s"><rect class="label-container" height="44" width="83.53125" y="-22" x="-41.765625" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-31.765625,-12)"><foreignObject height="24" width="63.53125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">endpoint</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/en/docs/reference/_index.md b/content/en/docs/reference/_index.md
index c4e217af2a497..0ebd59c40684f 100644
--- a/content/en/docs/reference/_index.md
+++ b/content/en/docs/reference/_index.md
@@ -77,6 +77,7 @@ operator to use or manage a cluster.
 * [kube-apiserver configuration (v1alpha1)](/docs/reference/config-api/apiserver-config.v1alpha1/)
 * [kube-apiserver configuration (v1)](/docs/reference/config-api/apiserver-config.v1/)
 * [kube-apiserver encryption (v1)](/docs/reference/config-api/apiserver-encryption.v1/)
+* [kube-apiserver event rate limit (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1/)
 * [kubelet configuration (v1alpha1)](/docs/reference/config-api/kubelet-config.v1alpha1/) and
   [kubelet configuration (v1beta1)](/docs/reference/config-api/kubelet-config.v1beta1/)
 * [kubelet credential providers (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/)
@@ -88,6 +89,7 @@ operator to use or manage a cluster.
 * [Client authentication API (v1beta1)](/docs/reference/config-api/client-authentication.v1beta1/) and 
   [Client authentication API (v1)](/docs/reference/config-api/client-authentication.v1/)
 * [WebhookAdmission configuration (v1)](/docs/reference/config-api/apiserver-webhookadmission.v1/)
+* [ImagePolicy API (v1alpha1)](/docs/reference/config-api/imagepolicy.v1alpha1/)
 
 ## Config API for kubeadm
 
@@ -97,6 +99,6 @@ operator to use or manage a cluster.
 ## Design Docs
 
 An archive of the design docs for Kubernetes functionality. Good starting points are
-[Kubernetes Architecture](https://git.k8s.io/community/contributors/design-proposals/architecture/architecture.md) and
-[Kubernetes Design Overview](https://git.k8s.io/community/contributors/design-proposals).
+[Kubernetes Architecture](https://git.k8s.io/design-proposals-archive/architecture/architecture.md) and
+[Kubernetes Design Overview](https://git.k8s.io/design-proposals-archive).
 
diff --git a/content/en/docs/reference/access-authn-authz/_index.md b/content/en/docs/reference/access-authn-authz/_index.md
index 86d06488a8742..3677f79c57149 100644
--- a/content/en/docs/reference/access-authn-authz/_index.md
+++ b/content/en/docs/reference/access-authn-authz/_index.md
@@ -24,3 +24,5 @@ Reference documentation:
 - Service accounts
   - [Developer guide](/docs/tasks/configure-pod-container/configure-service-account/)
   - [Administration](/docs/reference/access-authn-authz/service-accounts-admin/)
+- [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
+  - including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md
index abc3ee968195f..f03b04f8e3908 100644
--- a/content/en/docs/reference/access-authn-authz/admission-controllers.md
+++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md
@@ -94,7 +94,7 @@ kube-apiserver -h | grep enable-admission-plugins
 In the current version, the default ones are:
 
 ```shell
-CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
+CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, PodSecurity, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
 ```
 
 ## What does each admission controller do?
@@ -139,7 +139,7 @@ requests with the `spec.signerName` requested on the CertificateSigningRequest r
 See [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/) for more
 information on the permissions required to perform different actions on CertificateSigningRequest resources.
 
-### CertificateSubjectRestrictions {#certificatesubjectrestrictions}
+### CertificateSubjectRestriction {#certificatesubjectrestriction}
 
 This admission controller observes creation of CertificateSigningRequest resources that have a `spec.signerName`
 of `kubernetes.io/kube-apiserver-client`. It rejects any request that specifies a 'group' (or 'organization attribute')
@@ -232,12 +232,10 @@ of it.
 This admission controller mitigates the problem where the API server gets flooded by
 event requests. The cluster admin can specify event rate limits by:
 
- * Enabling the `EventRateLimit` admission controller;
- * Referencing an `EventRateLimit` configuration file from the file provided to the API
-   server's command line flag `--admission-control-config-file`:
+* Enabling the `EventRateLimit` admission controller;
+* Referencing an `EventRateLimit` configuration file from the file provided to the API
+  server's command line flag `--admission-control-config-file`:
 
-{{< tabs name="eventratelimit_example" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -246,19 +244,6 @@ plugins:
   path: eventconfig.yaml
 ...
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# Deprecated in v1.17 in favor of apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: EventRateLimit
-  path: eventconfig.yaml
-...
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 There are four types of limits that can be specified in the configuration:
 
@@ -283,7 +268,7 @@ limits:
   burst: 50
 ```
 
-See the [EventRateLimit proposal](https://git.k8s.io/community/contributors/design-proposals/api-machinery/admission_control_event_rate_limit.md)
+See the [EventRateLimit Config API (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1alpha1/)
 for more details.
 
 ### ExtendedResourceToleration {#extendedresourcetoleration}
@@ -319,8 +304,6 @@ imagePolicy:
 
 Reference the ImagePolicyWebhook configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
 
-{{< tabs name="imagepolicywebhook_example1" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -329,24 +312,9 @@ plugins:
   path: imagepolicyconfig.yaml
 ...
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# Deprecated in v1.17 in favor of apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: ImagePolicyWebhook
-  path: imagepolicyconfig.yaml
-...
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 Alternatively, you can embed the configuration directly in the file:
 
-{{< tabs name="imagepolicywebhook_example2" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -360,31 +328,14 @@ plugins:
       retryBackoff: 500
       defaultAllow: true
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# Deprecated in v1.17 in favor of apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: ImagePolicyWebhook
-  configuration:
-    imagePolicy:
-      kubeConfigFile: <path-to-kubeconfig-file>
-      allowTTL: 50
-      denyTTL: 50
-      retryBackoff: 500
-      defaultAllow: true
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 The ImagePolicyWebhook config file must reference a
 [kubeconfig](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 formatted file which sets up the connection to the backend.
 It is required that the backend communicate over TLS.
 
-The kubeconfig file's cluster field must point to the remote service, and the user field must contain the returned authorizer.
+The kubeconfig file's `cluster` field must point to the remote service, and the `user` field
+must contain the returned authorizer.
 
 ```yaml
 # clusters refers to the remote service.
@@ -405,11 +356,21 @@ users:
 For additional HTTP configuration, refer to the
 [kubeconfig](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) documentation.
 
-#### Request Payloads
+#### Request payloads
 
-When faced with an admission decision, the API Server POSTs a JSON serialized `imagepolicy.k8s.io/v1alpha1` `ImageReview` object describing the action. This object contains fields describing the containers being admitted, as well as any pod annotations that match `*.image-policy.k8s.io/*`.
+When faced with an admission decision, the API Server POSTs a JSON serialized
+`imagepolicy.k8s.io/v1alpha1` `ImageReview` object describing the action.
+This object contains fields describing the containers being admitted, as well as
+any pod annotations that match `*.image-policy.k8s.io/*`.
 
-Note that webhook API objects are subject to the same versioning compatibility rules as other Kubernetes API objects. Implementers should be aware of looser compatibility promises for alpha objects and check the "apiVersion" field of the request to ensure correct deserialization. Additionally, the API Server must enable the imagepolicy.k8s.io/v1alpha1 API extensions group (`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`).
+{{ note }}
+The webhook API objects are subject to the same versioning compatibility rules
+as other Kubernetes API objects. Implementers should be aware of looser compatibility
+promises for alpha objects and check the `apiVersion` field of the request to
+ensure correct deserialization.
+Additionally, the API Server must enable the `imagepolicy.k8s.io/v1alpha1` API extensions
+group (`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`).
+{{ /note }}
 
 An example request body:
 
@@ -434,7 +395,9 @@ An example request body:
 }
 ```
 
-The remote service is expected to fill the `ImageReviewStatus` field of the request and respond to either allow or disallow access. The response body's "spec" field is ignored and may be omitted. A permissive response would return:
+The remote service is expected to fill the `ImageReviewStatus` field of the request and
+respond to either allow or disallow access. The response body's `spec` field is ignored and
+may be omitted. A permissive response would return:
 
 ```json
 {
@@ -459,19 +422,23 @@ To disallow access, the service would return:
 }
 ```
 
-For further documentation refer to the `imagepolicy.v1alpha1` API objects and `plugin/pkg/admission/imagepolicy/admission.go`.
+For further documentation refer to the
+[`imagepolicy.v1alpha1` API](/docs/reference/config-api/imagepolicy.v1alpha1/).
 
 #### Extending with Annotations
 
-All annotations on a Pod that match `*.image-policy.k8s.io/*` are sent to the webhook. Sending annotations allows users who are aware of the image policy backend to send extra information to it, and for different backends implementations to accept different information.
+All annotations on a Pod that match `*.image-policy.k8s.io/*` are sent to the webhook.
+Sending annotations allows users who are aware of the image policy backend to
+send extra information to it, and for different backends implementations to
+accept different information.
 
 Examples of information you might put here are:
 
- * request to "break glass" to override a policy, in case of emergency.
- * a ticket number from a ticket system that documents the break-glass request
- * provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup
+* request to "break glass" to override a policy, in case of emergency.
+* a ticket number from a ticket system that documents the break-glass request
+* provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup
 
-In any case, the annotations are provided by the user and are not validated by Kubernetes in any way. In the future, if an annotation is determined to be widely useful, it may be promoted to a named field of `ImageReviewSpec`.
+In any case, the annotations are provided by the user and are not validated by Kubernetes in any way.
 
 ### LimitPodHardAntiAffinityTopology {#limitpodhardantiaffinitytopology}
 
@@ -480,14 +447,16 @@ This admission controller denies any pod that defines `AntiAffinity` topology ke
 
 ### LimitRanger {#limitranger}
 
-This admission controller will observe the incoming request and ensure that it does not violate any of the constraints
-enumerated in the `LimitRange` object in a `Namespace`.  If you are using `LimitRange` objects in
-your Kubernetes deployment, you MUST use this admission controller to enforce those constraints. LimitRanger can also
-be used to apply default resource requests to Pods that don't specify any; currently, the default LimitRanger
-applies a 0.1 CPU requirement to all Pods in the `default` namespace.
+This admission controller will observe the incoming request and ensure that it does not violate
+any of the constraints enumerated in the `LimitRange` object in a `Namespace`.  If you are using
+`LimitRange` objects in your Kubernetes deployment, you MUST use this admission controller to
+enforce those constraints. LimitRanger can also be used to apply default resource requests to Pods
+that don't specify any; currently, the default LimitRanger applies a 0.1 CPU requirement to all
+Pods in the `default` namespace.
 
-See the [limitRange design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md)
-and the [example of Limit Range](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/) for more details.
+See the [LimitRange API reference](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
+and the [example of LimitRange](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+for more details.
 
 ### MutatingAdmissionWebhook {#mutatingadmissionwebhook}
 
@@ -502,21 +471,20 @@ webhooks or validating admission controllers will permit the request to finish.
 
 If you disable the MutatingAdmissionWebhook, you must also disable the
 `MutatingWebhookConfiguration` object in the `admissionregistration.k8s.io/v1`
-group/version via the `--runtime-config` flag (both are on by default in
-versions >= 1.9).
+group/version via the `--runtime-config` flag, both are on by default.
 
 #### Use caution when authoring and installing mutating webhooks
 
- * Users may be confused when the objects they try to create are different from
-   what they get back.
- * Built in control loops may break when the objects they try to create are
-   different when read back.
-   * Setting originally unset fields is less likely to cause problems than
-     overwriting fields set in the original request. Avoid doing the latter.
- * Future changes to control loops for built-in resources or third-party resources
-   may break webhooks that work well today. Even when the webhook installation API
-   is finalized, not all possible webhook behaviors will be guaranteed to be supported
-   indefinitely.
+* Users may be confused when the objects they try to create are different from
+  what they get back.
+* Built in control loops may break when the objects they try to create are
+  different when read back.
+  * Setting originally unset fields is less likely to cause problems than
+    overwriting fields set in the original request. Avoid doing the latter.
+* Future changes to control loops for built-in resources or third-party resources
+  may break webhooks that work well today. Even when the webhook installation API
+  is finalized, not all possible webhook behaviors will be guaranteed to be supported
+  indefinitely.
 
 ### NamespaceAutoProvision {#namespaceautoprovision}
 
@@ -533,26 +501,28 @@ If the namespace referenced from a request doesn't exist, the request is rejecte
 
 ### NamespaceLifecycle {#namespacelifecycle}
 
-This admission controller enforces that a `Namespace` that is undergoing termination cannot have new objects created in it,
-and ensures that requests in a non-existent `Namespace` are rejected. This admission controller also prevents deletion of
-three system reserved namespaces `default`, `kube-system`, `kube-public`.
+This admission controller enforces that a `Namespace` that is undergoing termination cannot have
+new objects created in it, and ensures that requests in a non-existent `Namespace` are rejected.
+This admission controller also prevents deletion of three system reserved namespaces `default`,
+`kube-system`, `kube-public`.
 
-A `Namespace` deletion kicks off a sequence of operations that remove all objects (pods, services, etc.) in that
-namespace.  In order to enforce integrity of that process, we strongly recommend running this admission controller.
+A `Namespace` deletion kicks off a sequence of operations that remove all objects (pods, services,
+etc.) in that namespace.  In order to enforce integrity of that process, we strongly recommend
+running this admission controller.
 
 ### NodeRestriction {#noderestriction}
 
 This admission controller limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission controller,
 kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`.
 Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
-In Kubernetes 1.11+, kubelets are not allowed to update or remove taints from their `Node` API object.
+kubelets are not allowed to update or remove taints from their `Node` API object.
 
-In Kubernetes 1.13+, the `NodeRestriction` admission plugin prevents kubelets from deleting their `Node` API object,
+The `NodeRestriction` admission plugin prevents kubelets from deleting their `Node` API object,
 and enforces kubelet modification of labels under the `kubernetes.io/` or `k8s.io/` prefixes as follows:
 
 * **Prevents** kubelets from adding/removing/updating labels with a `node-restriction.kubernetes.io/` prefix.
-This label prefix is reserved for administrators to label their `Node` objects for workload isolation purposes,
-and kubelets will not be allowed to modify labels with that prefix.
+  This label prefix is reserved for administrators to label their `Node` objects for workload isolation purposes,
+  and kubelets will not be allowed to modify labels with that prefix.
 * **Allows** kubelets to add/remove/update these labels and label prefixes:
   * `kubernetes.io/hostname`
   * `kubernetes.io/arch`
@@ -566,9 +536,11 @@ and kubelets will not be allowed to modify labels with that prefix.
   * `kubelet.kubernetes.io/`-prefixed labels
   * `node.kubernetes.io/`-prefixed labels
 
-Use of any other labels under the `kubernetes.io` or `k8s.io` prefixes by kubelets is reserved, and may be disallowed or allowed by the `NodeRestriction` admission plugin in the future.
+Use of any other labels under the `kubernetes.io` or `k8s.io` prefixes by kubelets is reserved,
+and may be disallowed or allowed by the `NodeRestriction` admission plugin in the future.
 
-Future versions may add additional restrictions to ensure kubelets have the minimal set of permissions required to operate correctly.
+Future versions may add additional restrictions to ensure kubelets have the minimal set of
+permissions required to operate correctly.
 
 ### OwnerReferencesPermissionEnforcement {#ownerreferencespermissionenforcement}
 
@@ -582,7 +554,8 @@ subresource of the referenced *owner* can change it.
 
 {{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
-This admission controller implements additional validations for checking incoming `PersistentVolumeClaim` resize requests.
+This admission controller implements additional validations for checking incoming
+`PersistentVolumeClaim` resize requests.
 
 Enabling the `PersistentVolumeClaimResize` admission controller is recommended.
 This admission controller prevents resizing of all claims by default unless a claim's `StorageClass`
@@ -624,9 +597,10 @@ Starting from 1.11, this admission controller is disabled by default.
 
 {{< feature-state for_k8s_version="v1.5" state="alpha" >}}
 
-This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration.
+This admission controller defaults and limits what node selectors may be used within a namespace
+by reading a namespace annotation and a global configuration.
 
-#### Configuration File Format
+#### Configuration file format
 
 `PodNodeSelector` uses a configuration file to set options for the behavior of the backend.
 Note that the configuration file format will move to a versioned file in a future release.
@@ -639,10 +613,9 @@ podNodeSelectorPluginConfig:
  namespace2: name-of-node-selector
 ```
 
-Reference the `PodNodeSelector` configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
+Reference the `PodNodeSelector` configuration file from the file provided to the API server's
+command line flag `--admission-control-config-file`:
 
-{{< tabs name="podnodeselector_example1" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -651,23 +624,11 @@ plugins:
   path: podnodeselector.yaml
 ...
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# Deprecated in v1.17 in favor of apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: PodNodeSelector
-  path: podnodeselector.yaml
-...
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 #### Configuration Annotation Format
 
-`PodNodeSelector` uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces.
+`PodNodeSelector` uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign
+node selectors to namespaces.
 
 ```yaml
 apiVersion: v1
@@ -682,13 +643,14 @@ metadata:
 
 This admission controller has the following behavior:
 
-1. If the `Namespace` has an annotation with a key `scheduler.alpha.kubernetes.io/node-selector`, use its value as the
-node selector.
-2. If the namespace lacks such an annotation, use the `clusterDefaultNodeSelector` defined in the `PodNodeSelector`
-plugin configuration file as the node selector.
-3. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts result in rejection.
-4. Evaluate the pod's node selector against the namespace-specific allowed selector defined the plugin configuration file.
-Conflicts result in rejection.
+1. If the `Namespace` has an annotation with a key `scheduler.alpha.kubernetes.io/node-selector`,
+   use its value as the node selector.
+2. If the namespace lacks such an annotation, use the `clusterDefaultNodeSelector` defined in the
+   `PodNodeSelector` plugin configuration file as the node selector.
+3. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts
+   result in rejection.
+4. Evaluate the pod's node selector against the namespace-specific allowed selector defined the
+   plugin configuration file. Conflicts result in rejection.
 
 {{< note >}}
 PodNodeSelector allows forcing pods to run on specifically labeled nodes. Also see the PodTolerationRestriction
@@ -721,7 +683,8 @@ for more information.
 
 {{< feature-state for_k8s_version="v1.7" state="alpha" >}}
 
-The PodTolerationRestriction admission controller verifies any conflict between tolerations of a pod and the tolerations of its namespace.
+The PodTolerationRestriction admission controller verifies any conflict between tolerations of a
+pod and the tolerations of its namespace.
 It rejects the pod request if there is a conflict.
 It then merges the tolerations annotated on the namespace into the tolerations of the pod.
 The resulting tolerations are checked against a list of allowed tolerations annotated to the namespace.
@@ -748,16 +711,18 @@ metadata:
 
 ### Priority {#priority}
 
-The priority admission controller uses the `priorityClassName` field and populates the integer value of the priority.
+The priority admission controller uses the `priorityClassName` field and populates the integer
+value of the priority.
 If the priority class is not found, the Pod is rejected.
 
 ### ResourceQuota {#resourcequota}
 
-This admission controller will observe the incoming request and ensure that it does not violate any of the constraints
-enumerated in the `ResourceQuota` object in a `Namespace`.  If you are using `ResourceQuota`
-objects in your Kubernetes deployment, you MUST use this admission controller to enforce quota constraints.
+This admission controller will observe the incoming request and ensure that it does not violate
+any of the constraints enumerated in the `ResourceQuota` object in a `Namespace`.  If you are
+using `ResourceQuota` objects in your Kubernetes deployment, you MUST use this admission
+controller to enforce quota constraints.
 
-See the [resourceQuota design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md)
+See the [ResourceQuota API reference](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
 and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for more details.
 
 ### RuntimeClass {#runtimeclass}
@@ -793,14 +758,15 @@ pod privileges.
 
 This admission controller implements automation for
 [serviceAccounts](/docs/tasks/configure-pod-container/configure-service-account/).
-We strongly recommend using this admission controller if you intend to make use of Kubernetes `ServiceAccount` objects.
+We strongly recommend using this admission controller if you intend to make use of Kubernetes
+`ServiceAccount` objects.
 
 ### StorageObjectInUseProtection
 
 The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection`
 finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV).
 In case a user deletes a PVC or PV the PVC or PV is not removed until the finalizer is removed
-from the PVC or PV by PVC or PV Protection Controller. 
+from the PVC or PV by PVC or PV Protection Controller.
 Refer to the
 [Storage Object in Use Protection](/docs/concepts/storage/persistent-volumes/#storage-object-in-use-protection)
 for more detailed information.
@@ -809,7 +775,10 @@ for more detailed information.
 
 {{< feature-state for_k8s_version="v1.17" state="stable" >}}
 
-This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods to be scheduled on new Nodes before their taints were updated to accurately reflect their reported conditions.
+This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created
+Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods
+to be scheduled on new Nodes before their taints were updated to accurately reflect their reported
+conditions.
 
 ### ValidatingAdmissionWebhook {#validatingadmissionwebhook}
 
diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md
index b33b2391992cc..1641cb8e54ad1 100644
--- a/content/en/docs/reference/access-authn-authz/authentication.md
+++ b/content/en/docs/reference/access-authn-authz/authentication.md
@@ -856,6 +856,14 @@ rules:
   resourceNames: ["06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b"]
 ```
 
+{{< note >}}
+Impersonating a user or group allows you to perform any action as if you were that user or group;
+for that reason, impersonation is not namespace scoped.
+If you want to allow impersonation using Kubernetes RBAC, 
+this requires using a `ClusterRole` and a `ClusterRoleBinding`,
+not a `Role` and `RoleBinding`.
+{{< /note >}}
+
 ## client-go credential plugins
 
 {{< feature-state for_k8s_version="v1.22" state="stable" >}}
diff --git a/content/en/docs/reference/access-authn-authz/bootstrap-tokens.md b/content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
index 7e743be63df58..74367d50c98e7 100644
--- a/content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
+++ b/content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
@@ -15,7 +15,7 @@ creating new clusters or joining new nodes to an existing cluster.  It was built
 to support [kubeadm](/docs/reference/setup-tools/kubeadm/), but can be used in other contexts
 for users that wish to start clusters without `kubeadm`. It is also built to
 work, via RBAC policy, with the
-[Kubelet TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) system.
+[Kubelet TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) system.
 
 
 <!-- body -->
@@ -70,7 +70,7 @@ controller on the controller manager.
 
 Each valid token is backed by a secret in the `kube-system` namespace.  You can
 find the full design doc
-[here](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md).
+[here](https://git.k8s.io/design-proposals-archive/cluster-lifecycle/bootstrap-discovery.md).
 
 Here is what the secret looks like.
 
diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet-authentication-authorization.md b/content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md
similarity index 100%
rename from content/en/docs/reference/command-line-tools-reference/kubelet-authentication-authorization.md
rename to content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md
diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md b/content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
similarity index 100%
rename from content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md
rename to content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
diff --git a/content/en/docs/reference/access-authn-authz/node.md b/content/en/docs/reference/access-authn-authz/node.md
index 6e7c538eb01c7..bc9863219f7d5 100644
--- a/content/en/docs/reference/access-authn-authz/node.md
+++ b/content/en/docs/reference/access-authn-authz/node.md
@@ -43,7 +43,7 @@ have the minimal set of permissions required to operate correctly.
 In order to be authorized by the Node authorizer, kubelets must use a credential that identifies them as 
 being in the `system:nodes` group, with a username of `system:node:<nodeName>`.
 This group and user name format match the identity created for each kubelet as part of 
-[kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/).
+[kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/).
 
 The value of `<nodeName>` **must** match precisely the name of the node as registered by the kubelet. By default, this is the host name as provided by `hostname`, or overridden via the [kubelet option](/docs/reference/command-line-tools-reference/kubelet/) `--hostname-override`. However, when using the `--cloud-provider` kubelet option, the specific hostname may be determined by the cloud provider, ignoring the local `hostname` and the `--hostname-override` option. 
 For specifics about how the kubelet determines the hostname, see the [kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).
diff --git a/content/en/docs/reference/access-authn-authz/psp-to-pod-security-standards.md b/content/en/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
index 468579f982a37..6c820a6e99c1c 100644
--- a/content/en/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
+++ b/content/en/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
@@ -17,7 +17,7 @@ For each applicable parameter, the allowed values for the
 [Baseline](/docs/concepts/security/pod-security-standards/#baseline) and
 [Restricted](/docs/concepts/security/pod-security-standards/#restricted) profiles are listed.
 Anything outside the allowed values for those profiles would fall under the
-[Privileged](/docs/concepts/security/pod-security-standards/#priveleged) profile. "No opinion"
+[Privileged](/docs/concepts/security/pod-security-standards/#privileged) profile. "No opinion"
 means all values are allowed under all Pod Security Standards.
 
 For a step-by-step migration guide, see
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
index 57a074a29a47a..d085251e4337f 100644
--- a/content/en/docs/reference/access-authn-authz/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -798,7 +798,7 @@ This is commonly used by add-on API servers for unified authentication and autho
 <td><b>system:node-bootstrapper</b></td>
 <td>None</td>
 <td>Allows access to the resources required to perform
-<a href="/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/">kubelet TLS bootstrapping</a>.</td>
+<a href="/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/">kubelet TLS bootstrapping</a>.</td>
 </tr>
 <tr>
 <td><b>system:node-problem-detector</b></td>
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 8eb23b3a473eb..9d1e67b3c05ae 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -761,7 +761,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
   Requires Portworx CSI driver to be installed and configured in the cluster.
 - `CSINodeInfo`: Enable all logic related to the CSINodeInfo API object in `csi.storage.k8s.io`.
 - `CSIPersistentVolume`: Enable discovering and mounting volumes provisioned through a
-  [CSI (Container Storage Interface)](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md)
+  [CSI (Container Storage Interface)](https://git.k8s.io/design-proposals-archive/storage/container-storage-interface.md)
   compatible volume plugin.
 - `CSIServiceAccountToken`: Enable CSI drivers to receive the pods' service account token
   that they mount volumes for. See
@@ -1086,10 +1086,10 @@ Each feature gate is designed for enabling/disabling a specific feature:
   [Bound Service Account Tokens](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md)
   for more details.
 - `RotateKubeletClientCertificate`: Enable the rotation of the client TLS certificate on the kubelet.
-  See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)
+  See [kubelet configuration](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)
   for more details.
 - `RotateKubeletServerCertificate`: Enable the rotation of the server TLS certificate on the kubelet.
-  See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)
+  See [kubelet configuration](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)
   for more details.
 - `RunAsGroup`: Enable control over the primary group ID set on the init
   processes of containers.
diff --git a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
index d391dfc46b2c2..34ced450e0ca1 100644
--- a/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
+++ b/content/en/docs/reference/command-line-tools-reference/kube-proxy.md
@@ -43,31 +43,31 @@ kube-proxy [flags]
 <tbody>
 
 <tr>
-<td colspan="2">--azure-container-registry-config string</td>
+<td colspan="2">--add_dir_header</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Path to the file containing Azure container registry configuration information.</p></td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true, adds the file directory to the header of the log messages</p></td>
 </tr>
 
 <tr>
-<td colspan="2">--bind-address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 0.0.0.0</td>
+<td colspan="2">--alsologtostderr</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces). This parameter is ignored if a config file is specified by --config.</p></td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>log to standard error as well as files</p></td>
 </tr>
 
 <tr>
-<td colspan="2">--bind-address-hard-fail</td>
+<td colspan="2">--bind-address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 0.0.0.0</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true kube-proxy will treat failure to bind to a port as fatal and exit</p></td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces). This parameter is ignored if a config file is specified by --config.</p></td>
 </tr>
 
 <tr>
-<td colspan="2">--boot-id-file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/proc/sys/kernel/random/boot_id"</td>
+<td colspan="2">--bind-address-hard-fail</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Comma-separated list of files to check for boot-id. Use the first one that exists.</p></td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true kube-proxy will treat failure to bind to a port as fatal and exit</p></td>
 </tr>
 
 <tr>
@@ -84,20 +84,6 @@ kube-proxy [flags]
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true cleanup iptables and ipvs rules and exit.</p></td>
 </tr>
 
-<tr>
-<td colspan="2">--cloud-provider-gce-l7lb-src-cidrs cidrs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 130.211.0.0/22,35.191.0.0/16</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>CIDRs opened in GCE firewall for L7 LB traffic proxy &amp; health checks</p></td>
-</tr>
-
-<tr>
-<td colspan="2">--cloud-provider-gce-lb-src-cidrs cidrs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>CIDRs opened in GCE firewall for L4 LB traffic proxy &amp; health checks</p></td>
-</tr>
-
 <tr>
 <td colspan="2">--cluster-cidr string</td>
 </tr>
@@ -147,20 +133,6 @@ kube-proxy [flags]
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Idle timeout for established TCP connections (0 to leave as-is)</p></td>
 </tr>
 
-<tr>
-<td colspan="2">--default-not-ready-toleration-seconds int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 300</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.</p></td>
-</tr>
-
-<tr>
-<td colspan="2">--default-unreachable-toleration-seconds int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 300</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.</p></td>
-</tr>
-
 <tr>
 <td colspan="2">--detect-local-mode LocalMode</td>
 </tr>
@@ -172,7 +144,7 @@ kube-proxy [flags]
 <td colspan="2">--feature-gates &lt;comma-separated 'key=True|False' pairs&gt;</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br/>APIListChunking=true|false (BETA - default=true)<br/>APIPriorityAndFairness=true|false (BETA - default=true)<br/>APIResponseCompression=true|false (BETA - default=true)<br/>APIServerIdentity=true|false (ALPHA - default=false)<br/>APIServerTracing=true|false (ALPHA - default=false)<br/>AllAlpha=true|false (ALPHA - default=false)<br/>AllBeta=true|false (BETA - default=false)<br/>AnyVolumeDataSource=true|false (BETA - default=true)<br/>AppArmor=true|false (BETA - default=true)<br/>CPUManager=true|false (BETA - default=true)<br/>CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>CSIInlineVolume=true|false (BETA - default=true)<br/>CSIMigration=true|false (BETA - default=true)<br/>CSIMigrationAWS=true|false (BETA - default=true)<br/>CSIMigrationAzureFile=true|false (BETA - default=true)<br/>CSIMigrationGCE=true|false (BETA - default=true)<br/>CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>CSIMigrationRBD=true|false (ALPHA - default=false)<br/>CSIMigrationvSphere=true|false (BETA - default=false)<br/>CSIVolumeHealth=true|false (ALPHA - default=false)<br/>ContextualLogging=true|false (ALPHA - default=false)<br/>CronJobTimeZone=true|false (ALPHA - default=false)<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>DevicePlugins=true|false (BETA - default=true)<br/>DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>DisableCloudProviders=true|false (ALPHA - default=false)<br/>DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>DownwardAPIHugePages=true|false (BETA - default=true)<br/>EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>EphemeralContainers=true|false (BETA - default=true)<br/>ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>GRPCContainerProbe=true|false (BETA - default=true)<br/>GracefulNodeShutdown=true|false (BETA - default=true)<br/>GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>HPAContainerMetrics=true|false (ALPHA - default=false)<br/>HPAScaleToZero=true|false (ALPHA - default=false)<br/>HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>IdentifyPodOS=true|false (BETA - default=true)<br/>InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>InTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)<br/>InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>JobReadyPods=true|false (BETA - default=true)<br/>JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>KubeletCredentialProviders=true|false (BETA - default=true)<br/>KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>KubeletPodResources=true|false (BETA - default=true)<br/>KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>LogarithmicScaleDown=true|false (BETA - default=true)<br/>MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>MemoryManager=true|false (BETA - default=true)<br/>MemoryQoS=true|false (ALPHA - default=false)<br/>MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>MixedProtocolLBService=true|false (BETA - default=true)<br/>NetworkPolicyEndPort=true|false (BETA - default=true)<br/>NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>NodeSwap=true|false (ALPHA - default=false)<br/>OpenAPIEnums=true|false (BETA - default=true)<br/>OpenAPIV3=true|false (BETA - default=true)<br/>PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>PodDeletionCost=true|false (BETA - default=true)<br/>PodSecurity=true|false (BETA - default=true)<br/>ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>ProcMountType=true|false (ALPHA - default=false)<br/>ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>QOSReserved=true|false (ALPHA - default=false)<br/>ReadWriteOncePod=true|false (ALPHA - default=false)<br/>RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>RemainingItemCount=true|false (BETA - default=true)<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>SeccompDefault=true|false (ALPHA - default=false)<br/>ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>StorageVersionAPI=true|false (ALPHA - default=false)<br/>StorageVersionHash=true|false (BETA - default=true)<br/>TopologyAwareHints=true|false (BETA - default=true)<br/>TopologyManager=true|false (BETA - default=true)<br/>VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>WinDSR=true|false (ALPHA - default=false)<br/>WinOverlay=true|false (BETA - default=true)<br/>WindowsHostProcessContainers=true|false (BETA - default=true)This parameter is ignored if a config file is specified by --config.</p></td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br/>APIListChunking=true|false (BETA - default=true)<br/>APIPriorityAndFairness=true|false (BETA - default=true)<br/>APIResponseCompression=true|false (BETA - default=true)<br/>APIServerIdentity=true|false (ALPHA - default=false)<br/>APIServerTracing=true|false (ALPHA - default=false)<br/>AllAlpha=true|false (ALPHA - default=false)<br/>AllBeta=true|false (BETA - default=false)<br/>AnyVolumeDataSource=true|false (BETA - default=true)<br/>AppArmor=true|false (BETA - default=true)<br/>CPUManager=true|false (BETA - default=true)<br/>CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>CSIInlineVolume=true|false (BETA - default=true)<br/>CSIMigration=true|false (BETA - default=true)<br/>CSIMigrationAWS=true|false (BETA - default=true)<br/>CSIMigrationAzureFile=true|false (BETA - default=true)<br/>CSIMigrationGCE=true|false (BETA - default=true)<br/>CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>CSIMigrationRBD=true|false (ALPHA - default=false)<br/>CSIMigrationvSphere=true|false (BETA - default=false)<br/>CSIVolumeHealth=true|false (ALPHA - default=false)<br/>CronJobTimeZone=true|false (ALPHA - default=false)<br/>CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>DevicePlugins=true|false (BETA - default=true)<br/>DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>DisableCloudProviders=true|false (ALPHA - default=false)<br/>DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>DownwardAPIHugePages=true|false (BETA - default=true)<br/>EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>EphemeralContainers=true|false (BETA - default=true)<br/>ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>GRPCContainerProbe=true|false (BETA - default=true)<br/>GracefulNodeShutdown=true|false (BETA - default=true)<br/>GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>HPAContainerMetrics=true|false (ALPHA - default=false)<br/>HPAScaleToZero=true|false (ALPHA - default=false)<br/>HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>IdentifyPodOS=true|false (BETA - default=true)<br/>InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>InTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)<br/>InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>JobReadyPods=true|false (BETA - default=true)<br/>JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>KubeletCredentialProviders=true|false (BETA - default=true)<br/>KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>KubeletPodResources=true|false (BETA - default=true)<br/>KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>LogarithmicScaleDown=true|false (BETA - default=true)<br/>MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>MemoryManager=true|false (BETA - default=true)<br/>MemoryQoS=true|false (ALPHA - default=false)<br/>MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>MixedProtocolLBService=true|false (BETA - default=true)<br/>NetworkPolicyEndPort=true|false (BETA - default=true)<br/>NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>NodeSwap=true|false (ALPHA - default=false)<br/>OpenAPIEnums=true|false (BETA - default=true)<br/>OpenAPIV3=true|false (BETA - default=true)<br/>PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>PodDeletionCost=true|false (BETA - default=true)<br/>PodSecurity=true|false (BETA - default=true)<br/>ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>ProcMountType=true|false (ALPHA - default=false)<br/>ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>QOSReserved=true|false (ALPHA - default=false)<br/>ReadWriteOncePod=true|false (ALPHA - default=false)<br/>RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>RemainingItemCount=true|false (BETA - default=true)<br/>RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>SeccompDefault=true|false (ALPHA - default=false)<br/>ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>StorageVersionAPI=true|false (ALPHA - default=false)<br/>StorageVersionHash=true|false (BETA - default=true)<br/>TopologyAwareHints=true|false (BETA - default=true)<br/>TopologyManager=true|false (BETA - default=true)<br/>VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>WinDSR=true|false (ALPHA - default=false)<br/>WinOverlay=true|false (BETA - default=true)<br/>WindowsHostProcessContainers=true|false (BETA - default=true)This parameter is ignored if a config file is specified by --config.</p></td>
 </tr>
 
 <tr>
@@ -302,10 +274,38 @@ kube-proxy [flags]
 </tr>
 
 <tr>
-<td colspan="2">--machine-id-file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/machine-id,/var/lib/dbus/machine-id"</td>
+<td colspan="2">--log_backtrace_at &lt;a string in the form 'file:N'&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: :0</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Comma-separated list of files to check for machine-id. Use the first one that exists.</p></td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>when logging hits line file:N, emit a stack trace</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--log_dir string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If non-empty, write log files in this directory</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--log_file string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If non-empty, use this log file</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--log_file_max_size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 1800</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>log to standard error instead of files</p></td>
 </tr>
 
 <tr>
@@ -343,6 +343,13 @@ kube-proxy [flags]
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses. This parameter is ignored if a config file is specified by --config.</p></td>
 </tr>
 
+<tr>
+<td colspan="2">--one_output</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true, only write logs to their native severity level (vs also writing to each lower severity level)</p></td>
+</tr>
+
 <tr>
 <td colspan="2">--oom-score-adj int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: -999</td>
 </tr>
@@ -392,6 +399,27 @@ kube-proxy [flags]
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is &lt;major&gt;.&lt;minor&gt;, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that.This parameter is ignored if a config file is specified by --config.</p></td>
 </tr>
 
+<tr>
+<td colspan="2">--skip_headers</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true, avoid header prefixes in the log messages</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--skip_log_headers</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>If true, avoid headers when opening log files</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--stderrthreshold int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 2</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>logs at or above this threshold go to stderr</p></td>
+</tr>
+
 <tr>
 <td colspan="2">--udp-timeout duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 250ms</td>
 </tr>
@@ -399,6 +427,13 @@ kube-proxy [flags]
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>How long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxy-mode=userspace</p></td>
 </tr>
 
+<tr>
+<td colspan="2">-v, --v int</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>number for the log level verbosity</p></td>
+</tr>
+
 <tr>
 <td colspan="2">--version version[=true]</td>
 </tr>
@@ -406,6 +441,13 @@ kube-proxy [flags]
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Print version information and quit</p></td>
 </tr>
 
+<tr>
+<td colspan="2">--vmodule &lt;comma-separated 'pattern=N' settings&gt;</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>comma-separated list of pattern=N settings for file-filtered logging</p></td>
+</tr>
+
 <tr>
 <td colspan="2">--write-config-to string</td>
 </tr>
diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet.md b/content/en/docs/reference/command-line-tools-reference/kubelet.md
index 555414a6ebcfb..b10e1b70574ea 100644
--- a/content/en/docs/reference/command-line-tools-reference/kubelet.md
+++ b/content/en/docs/reference/command-line-tools-reference/kubelet.md
@@ -44,70 +44,70 @@ kubelet [flags]
 <td colspan="2">--add-dir-header</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 0.0.0.0 </td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The IP address for the Kubelet to serve on (set to <code>0.0.0.0</code> or <code>::</code> for listening in all interfaces and IP families)  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The IP address for the Kubelet to serve on (set to <code>0.0.0.0</code> or <code>::</code> for listening in all interfaces and IP families)  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--allowed-unsafe-sysctls strings</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in <code>&ast;</code>). Use these at your own risk. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in <code>&ast;</code>). Use these at your own risk. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--alsologtostderr</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Log to standard error as well as files (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Log to standard error as well as files (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--anonymous-auth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enables anonymous requests to the Kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of <code>system:anonymous</code>, and a group name of <code>system:unauthenticated</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enables anonymous requests to the Kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of <code>system:anonymous</code>, and a group name of <code>system:unauthenticated</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--authentication-token-webhook</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Use the <code>TokenReview</code> API to determine authentication for bearer tokens. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Use the <code>TokenReview</code> API to determine authentication for bearer tokens. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--authentication-token-webhook-cache-ttl duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>2m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The duration to cache responses from the webhook token authenticator. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The duration to cache responses from the webhook token authenticator. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--authorization-mode string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>AlwaysAllow</code></td></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--authorization-webhook-cache-authorized-ttl duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>5m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The duration to cache 'authorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The duration to cache 'authorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--authorization-webhook-cache-unauthorized-ttl duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>30s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The duration to cache 'unauthorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The duration to cache 'unauthorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -135,28 +135,28 @@ kubelet [flags]
 <td colspan="2">--cgroup-driver string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>cgroupfs</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Driver that the kubelet uses to manipulate cgroups on the host.  Possible values: <code>cgroupfs</code>, <code>systemd</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)/td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Driver that the kubelet uses to manipulate cgroups on the host.  Possible values: <code>cgroupfs</code>, <code>systemd</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cgroup-root string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>''</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cgroups-per-qos&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--client-ca-file string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the <code>CommonName</code> of the client certificate. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the <code>CommonName</code> of the client certificate. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -177,14 +177,14 @@ kubelet [flags]
 <td colspan="2">--cluster-dns strings</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of DNS server IP address. This value is used for containers DNS server in case of Pods with "dnsPolicy=ClusterFirst".<br/><B>Note:</B> all DNS servers appearing in the list MUST serve the same set of records otherwise name resolution within the cluster may not work correctly. There is no guarantee as to which DNS server may be contacted for name resolution. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of DNS server IP address. This value is used for containers DNS server in case of Pods with "dnsPolicy=ClusterFirst".<br/><B>Note:</B> all DNS servers appearing in the list MUST serve the same set of records otherwise name resolution within the cluster may not work correctly. There is no guarantee as to which DNS server may be contacted for name resolution. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cluster-domain string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -219,14 +219,14 @@ kubelet [flags]
 <td colspan="2">--container-log-max-files int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Beta feature&gt; Set the maximum number of container log files that can be present for a container. The number must be &gt;= 2. This flag can only be used with <code>--container-runtime=remote</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Beta feature&gt; Set the maximum number of container log files that can be present for a container. The number must be &gt;= 2. This flag can only be used with <code>--container-runtime=remote</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--container-log-max-size string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>10Mi</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Beta feature&gt; Set the maximum size (e.g. <code>10Mi</code>) of container log file before it is rotated. This flag can only be used with <code>--container-runtime=remote</code>.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Beta feature&gt; Set the maximum size (e.g. <code>10Mi</code>) of container log file before it is rotated. This flag can only be used with <code>--container-runtime=remote</code>.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -248,42 +248,42 @@ kubelet [flags]
 <td colspan="2">--contention-profiling</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable lock contention profiling, if profiling is enabled (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable lock contention profiling, if profiling is enabled (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cpu-cfs-quota&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable CPU CFS quota enforcement for containers that specify CPU limits (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable CPU CFS quota enforcement for containers that specify CPU limits (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cpu-cfs-quota-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>100ms</code></td>
    </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Sets CPU CFS quota period value, <code>cpu.cfs_period_us</code>, defaults to Linux Kernel default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Sets CPU CFS quota period value, <code>cpu.cfs_period_us</code>, defaults to Linux Kernel default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cpu-manager-policy string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>none</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">CPU Manager policy to use. Possible values: <code>none</code>, <code>static</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">CPU Manager policy to use. Possible values: <code>none</code>, <code>static</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cpu-manager-policy-options mapStringString</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of options to fine-tune the behavior of the selected CPU Manager policy. If not supplied, keep the default behaviour. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of options to fine-tune the behavior of the selected CPU Manager policy. If not supplied, keep the default behaviour. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--cpu-manager-reconcile-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>10s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Alpha feature&gt; CPU Manager reconciliation period. Examples: <code>10s</code>, or <code>1m</code>. If not supplied, defaults to node status update frequency. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Alpha feature&gt; CPU Manager reconciliation period. Examples: <code>10s</code>, or <code>1m</code>. If not supplied, defaults to node status update frequency. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -304,84 +304,84 @@ kubelet [flags]
 <td colspan="2">--enable-controller-attach-detach&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--enable-debugging-handlers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enables server endpoints for log collection and local running of containers and commands. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enables server endpoints for log collection and local running of containers and commands. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--enable-server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable the Kubelet's server. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Enable the Kubelet's server. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--enforce-node-allocatable strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>pods</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are <code>none</code>, <code>pods</code>, <code>system-reserved</code>, and <code>kube-reserved</code>. If the latter two options are specified, <code>--system-reserved-cgroup</code> and <code>--kube-reserved-cgroup</code> must also be set, respectively. If <code>none</code> is specified, no additional options should be set. See https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are <code>none</code>, <code>pods</code>, <code>system-reserved</code>, and <code>kube-reserved</code>. If the latter two options are specified, <code>--system-reserved-cgroup</code> and <code>--kube-reserved-cgroup</code> must also be set, respectively. If <code>none</code> is specified, no additional options should be set. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/">here</a> for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--event-burst int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Maximum size of a bursty event records, temporarily allows event records to burst to this number, while still not exceeding <code>--event-qps</code>. The number must be &gt;= 0. If 0 will use default burst (10). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Maximum size of a bursty event records, temporarily allows event records to burst to this number, while still not exceeding <code>--event-qps</code>. The number must be &gt;= 0. If 0 will use default burst (10). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--event-qps int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">QPS to limit event creations. The number must be &gt;= 0. If 0 will use default QPS (5). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">QPS to limit event creations. The number must be &gt;= 0. If 0 will use default QPS (5). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--eviction-hard mapStringString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>imagefs.available<15%,memory.available<100Mi,nodefs.available<10%</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of eviction thresholds (e.g. <code>memory.available<1Gi</code>) that if met would trigger a pod eviction. On a Linux node, the default value also includes <code>nodefs.inodesFree<5%</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of eviction thresholds (e.g. <code>memory.available<1Gi</code>) that if met would trigger a pod eviction. On a Linux node, the default value also includes <code>nodefs.inodesFree<5%</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--eviction-max-pod-grace-period int32</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"> Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. If negative, defer to pod specified value. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"> Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. If negative, defer to pod specified value. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--eviction-minimum-reclaim mapStringString</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of minimum reclaims (e.g. <code>imagefs.available=2Gi</code>) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of minimum reclaims (e.g. <code>imagefs.available=2Gi</code>) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--eviction-pressure-transition-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>5m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--eviction-soft mapStringString</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of eviction thresholds (e.g. <code>memory.available<1.5Gi</code>) that if met over a corresponding grace period would trigger a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of eviction thresholds (e.g. <code>memory.available<1.5Gi</code>) that if met over a corresponding grace period would trigger a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--eviction-soft-grace-period mapStringString</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of eviction grace periods (e.g. <code>memory.available=1m30s</code>) that correspond to how long a soft eviction threshold must hold before triggering a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of eviction grace periods (e.g. <code>memory.available=1m30s</code>) that correspond to how long a soft eviction threshold must hold before triggering a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -395,7 +395,7 @@ kubelet [flags]
 <td colspan="2">--experimental-allocatable-ignore-eviction&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>false</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">When set to <code>true</code>, hard eviction thresholds will be ignored while calculating node allocatable. See https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (DEPRECATED: will be removed in 1.24 or later)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">When set to <code>true</code>, hard eviction thresholds will be ignored while calculating node allocatable. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/">here</a> for more details. (DEPRECATED: will be removed in 1.24 or later)</td>
 </tr>
 
 <tr>
@@ -409,14 +409,14 @@ kubelet [flags]
 <td colspan="2">--experimental-kernel-memcg-notification</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Use kernelMemcgNotification configuration, this flag will be removed in 1.24 or later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Use kernelMemcgNotification configuration, this flag will be removed in 1.24 or later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--experimental-log-sanitization bool</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[Experimental] When enabled, prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+<td></td><td style="line-height: 130%; word-wrap: break-word;">[Experimental] When enabled, prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 </tr>
 
 <tr>
@@ -430,7 +430,7 @@ kubelet [flags]
 <td colspan="2">--fail-swap-on&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Makes the Kubelet fail to start if swap is enabled on the node. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Makes the Kubelet fail to start if swap is enabled on the node. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -548,35 +548,35 @@ WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
 WindowsHostProcessContainers=true|false (BETA - default=true)<br/>
 csiMigrationRBD=true|false (ALPHA - default=false)<br/>
-(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--file-check-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>20s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Duration between checking config files for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Duration between checking config files for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--hairpin-mode string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>promiscuous-bridge</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">How should the kubelet setup hairpin NAT. This allows endpoints of a Service to load balance back to themselves if they should try to access their own Service. Valid values are <code>promiscuous-bridge</code>, <code>hairpin-veth</code> and <code>none</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">How should the kubelet setup hairpin NAT. This allows endpoints of a Service to load balance back to themselves if they should try to access their own Service. Valid values are <code>promiscuous-bridge</code>, <code>hairpin-veth</code> and <code>none</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--healthz-bind-address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>127.0.0.1</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The IP address for the healthz server to serve on (set to <code>0.0.0.0</code> or <code>::</code> for listening in all interfaces and IP families). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The IP address for the healthz server to serve on (set to <code>0.0.0.0</code> or <code>::</code> for listening in all interfaces and IP families). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--healthz-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10248</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The port of the localhost healthz endpoint (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The port of the localhost healthz endpoint (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -597,7 +597,7 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--http-check-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>20s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Duration between checking HTTP for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Duration between checking HTTP for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -618,14 +618,14 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--image-gc-high-threshold int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 85</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The percent of disk usage after which image garbage collection is always run. Values must be within the range [0, 100], To disable image garbage collection, set to 100.   (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The percent of disk usage after which image garbage collection is always run. Values must be within the range [0, 100], To disable image garbage collection, set to 100.   (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--image-gc-low-threshold int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 80</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. Values must be within the range [0, 100] and should not be larger than that of <code>--image-gc-high-threshold</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. Values must be within the range [0, 100] and should not be larger than that of <code>--image-gc-high-threshold</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -646,14 +646,14 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--iptables-drop-bit int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 15</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The bit of the <code>fwmark</code> space to mark packets for dropping. Must be within the range [0, 31]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The bit of the <code>fwmark</code> space to mark packets for dropping. Must be within the range [0, 31]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--iptables-masquerade-bit int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 14</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The bit of the <code>fwmark</code> space to mark packets for SNAT. Must be within the range [0, 31]. Please match this parameter with corresponding parameter in <code>kube-proxy</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The bit of the <code>fwmark</code> space to mark packets for SNAT. Must be within the range [0, 31]. Please match this parameter with corresponding parameter in <code>kube-proxy</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -667,42 +667,42 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--kernel-memcg-notification</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--kube-api-burst int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Burst to use while talking with kubernetes API server. The number must be >= 0. If 0 will use default burst (10). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Burst to use while talking with kubernetes API server. The number must be >= 0. If 0 will use default burst (10). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--kube-api-content-type string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>application/vnd.kubernetes.protobuf</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Content type of requests sent to apiserver. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Content type of requests sent to apiserver. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--kube-api-qps int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">QPS to use while talking with kubernetes API server. The number must be &gt;= 0. If 0 will use default QPS (5). Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">QPS to use while talking with kubernetes API server. The number must be &gt;= 0. If 0 will use default QPS (5). Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--kube-reserved mapStringString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: &lt;None&gt;</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of <code>&lt;resource name&gt;=&lt;resource quantity&gt;</code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for kubernetes system components. Currently <code>cpu</code>, <code>memory</code> and local <code>ephemeral-storage</code> for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of <code>&lt;resource name&gt;=&lt;resource quantity&gt;</code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for kubernetes system components. Currently <code>cpu</code>, <code>memory</code> and local <code>ephemeral-storage</code> for root file system are supported. See <a href="http://kubernetes.io/docs/user-guide/compute-resources">here</a> for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--kube-reserved-cgroup string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>''</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Absolute name of the top level cgroup that is used to manage kubernetes components for which compute resources were reserved via <code>--kube-reserved</code> flag. Ex. <code>/kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Absolute name of the top level cgroup that is used to manage kubernetes components for which compute resources were reserved via <code>--kube-reserved</code> flag. Ex. <code>/kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -716,7 +716,7 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--kubelet-cgroups string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Optional absolute name of cgroups to create and run the Kubelet in. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Optional absolute name of cgroups to create and run the Kubelet in. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -730,28 +730,28 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--log-backtrace-at &lt;A string of format 'file:line'&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>":0"</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">When logging hits line <code><file>:<N></code>, emit a stack trace. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">When logging hits line <code><file>:<N></code>, emit a stack trace. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--log-dir string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If non-empty, write log files in this directory. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If non-empty, write log files in this directory. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--log-file string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If non-empty, use this log file. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If non-empty, use this log file. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 1800</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
@@ -765,49 +765,49 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--log-json-info-buffer-size string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>'0'</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[Experimental] In JSON format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">[Experimental] In JSON format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--log-json-split-stream</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[Experimental] In JSON format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">[Experimental] In JSON format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--logging-format string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>text</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br/>Non-default formats don't honor these flags: <code>--add-dir-header</code>, <code>--alsologtostderr</code>, <code>--log-backtrace-at</code>, <code>--log-dir</code>, <code>--log-file</code>, <code>--log-file-max-size</code>, <code>--logtostderr</code>, <code>--skip_headers</code>, <code>--skip_log_headers</code>, <code>--stderrthreshold</code>, <code>--log-flush-frequency</code>.<br/>Non-default choices are currently alpha and subject to change without warning. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br/>Non-default formats don't honor these flags: <code>--add-dir-header</code>, <code>--alsologtostderr</code>, <code>--log-backtrace-at</code>, <code>--log-dir</code>, <code>--log-file</code>, <code>--log-file-max-size</code>, <code>--logtostderr</code>, <code>--skip_headers</code>, <code>--skip_log_headers</code>, <code>--stderrthreshold</code>, <code>--log-flush-frequency</code>.<br/>Non-default choices are currently alpha and subject to change without warning. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">log to standard error instead of files. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">log to standard error instead of files. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--make-iptables-util-chains&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If true, kubelet will ensure <code>iptables</code> utility rules are present on host. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If true, kubelet will ensure <code>iptables</code> utility rules are present on host. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--manifest-url string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">URL for accessing additional Pod specifications to run (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">URL for accessing additional Pod specifications to run (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--manifest-url-header string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of HTTP headers to use when accessing the URL provided to <code>--manifest-url</code>. Multiple headers with the same name will be added in the same order provided. This flag can be repeatedly invoked. For example: <code>--manifest-url-header 'a:hello,b:again,c:world' --manifest-url-header 'b:beautiful'</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Comma-separated list of HTTP headers to use when accessing the URL provided to <code>--manifest-url</code>. Multiple headers with the same name will be added in the same order provided. This flag can be repeatedly invoked. For example: <code>--manifest-url-header 'a:hello,b:again,c:world' --manifest-url-header 'b:beautiful'</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -821,14 +821,14 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--max-open-files int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 1000000</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Number of files that can be opened by Kubelet process. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Number of files that can be opened by Kubelet process. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--max-pods int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 110</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Number of Pods that can run on this Kubelet. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Number of Pods that can run on this Kubelet. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -849,7 +849,7 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--memory-manager-policy string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>None</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Memory Manager policy to use. Possible values: <code>'None'</code>, <code>'Static'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Memory Manager policy to use. Possible values: <code>'None'</code>, <code>'Static'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -863,7 +863,7 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--minimum-image-ttl-duration duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>2m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Minimum age for an unused image before it is garbage collected. Examples: <code>'300ms'</code>, <code>'10s'</code> or <code>'2h45m'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Minimum age for an unused image before it is garbage collected. Examples: <code>'300ms'</code>, <code>'10s'</code> or <code>'2h45m'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -898,14 +898,14 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--node-status-max-images int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 50</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The maximum number of images to report in <code>node.status.images</code>. If <code>-1</code> is specified, no cap will be applied. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The maximum number of images to report in <code>node.status.images</code>. If <code>-1</code> is specified, no cap will be applied. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--node-status-update-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>10s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with <code>nodeMonitorGracePeriod</code> in Node controller. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with <code>nodeMonitorGracePeriod</code> in Node controller. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -919,21 +919,21 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--one-output</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If true, only write logs to their native severity level (vs also writing to each lower severity level). (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If true, only write logs to their native severity level (vs also writing to each lower severity level). (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--oom-score-adj int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: -999</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The <code>oom-score-adj</code> value for kubelet process. Values must be within the range [-1000, 1000]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The <code>oom-score-adj</code> value for kubelet process. Values must be within the range [-1000, 1000]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--pod-cidr string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master. For IPv6, the maximum number of IP's allocated is 65536 (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master. For IPv6, the maximum number of IP's allocated is 65536 (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -947,56 +947,56 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--pod-manifest-path string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Path to the directory containing static pod files to run, or the path to a single static pod file. Files starting with dots will be ignored. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Path to the directory containing static pod files to run, or the path to a single static pod file. Files starting with dots will be ignored. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--pod-max-pids int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: -1</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Set the maximum number of processes per pod. If <code>-1</code>, the kubelet defaults to the node allocatable PID capacity. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Set the maximum number of processes per pod. If <code>-1</code>, the kubelet defaults to the node allocatable PID capacity. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--pods-per-core int32</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Number of Pods per core that can run on this kubelet. The total number of pods on this kubelet cannot exceed <code>--max-pods</code>, so <code>--max-pods</code> will be used if this calculation results in a larger number of pods allowed on the kubelet. A value of <code>0</code> disables this limit. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Number of Pods per core that can run on this kubelet. The total number of pods on this kubelet cannot exceed <code>--max-pods</code>, so <code>--max-pods</code> will be used if this calculation results in a larger number of pods allowed on the kubelet. A value of <code>0</code> disables this limit. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10250</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The port for the kubelet to serve on. (DEPRECATED: This parameter should be set via the config file specified by the kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The port for the kubelet to serve on. (DEPRECATED: This parameter should be set via the config file specified by the kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--protect-kernel-defaults</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"> Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"> Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--provider-id string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Unique identifier for identifying the node in a machine database, i.e cloud provider. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Unique identifier for identifying the node in a machine database, i.e cloud provider. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--qos-reserved mapStringString</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Alpha feature&gt; A set of <code>&lt;resource name&gt;=&lt;percentage&gt;</code> (e.g. <code>memory=50%</code>) pairs that describe how pod resource requests are reserved at the QoS level. Currently only <code>memory</code> is supported. Requires the <code>QOSReserved</code> feature gate to be enabled. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Alpha feature&gt; A set of <code>&lt;resource name&gt;=&lt;percentage&gt;</code> (e.g. <code>memory=50%</code>) pairs that describe how pod resource requests are reserved at the QoS level. Currently only <code>memory</code> is supported. Requires the <code>QOSReserved</code> feature gate to be enabled. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--read-only-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10255</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The read-only port for the kubelet to serve on with no authentication/authorization (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The read-only port for the kubelet to serve on with no authentication/authorization (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1010,7 +1010,7 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--register-node&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Register the node with the API server. If <code>--kubeconfig</code> is not provided, this flag is irrelevant, as the Kubelet won't have an API server to register with. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Register the node with the API server. If <code>--kubeconfig</code> is not provided, this flag is irrelevant, as the Kubelet won't have an API server to register with. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1024,42 +1024,42 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--register-with-taints mapStringString</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Register the node with the given list of taints (comma separated <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>). No-op if <code>--register-node</code> is <code>false</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Register the node with the given list of taints (comma separated <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>). No-op if <code>--register-node</code> is <code>false</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--registry-burst int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 10</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding <code>--registry-qps</code>. Only used if <code>--registry-qps</code> is greater than 0. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding <code>--registry-qps</code>. Only used if <code>--registry-qps</code> is greater than 0. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--registry-qps int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 5</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If &gt; 0, limit registry pull QPS to this value.  If <code>0</code>, unlimited. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If &gt; 0, limit registry pull QPS to this value.  If <code>0</code>, unlimited. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--reserved-cpus string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A comma-separated list of CPUs or CPU ranges that are reserved for system and kubernetes usage. This specific list will supersede cpu counts in <code>--system-reserved</code> and <code>--kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A comma-separated list of CPUs or CPU ranges that are reserved for system and kubernetes usage. This specific list will supersede cpu counts in <code>--system-reserved</code> and <code>--kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--reserved-memory string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A comma-separated list of memory reservations for NUMA nodes. (e.g. <code>--reserved-memory 0:memory=1Gi,hugepages-1M=2Gi --reserved-memory 1:memory=2Gi</code>). The total sum for each memory type should be equal to the sum of <code>--kube-reserved</code>, <code>--system-reserved</code> and <code>--eviction-threshold</code>. See https://kubernetes.io/docs/tasks/administer-cluster/memory-manager/#reserved-memory-flag for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A comma-separated list of memory reservations for NUMA nodes. (e.g. <code>--reserved-memory 0:memory=1Gi,hugepages-1M=2Gi --reserved-memory 1:memory=2Gi</code>). The total sum for each memory type should be equal to the sum of <code>--kube-reserved</code>, <code>--system-reserved</code> and <code>--eviction-threshold</code>. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/memory-manager/#reserved-memory-flag">here</a> for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--resolv-conf string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>/etc/resolv.conf</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Resolver configuration file used as the basis for the container DNS resolution configuration. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Resolver configuration file used as the basis for the container DNS resolution configuration. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1073,21 +1073,21 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--rotate-certificates</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Beta feature&gt; Auto rotate the kubelet client certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">&lt;Warning: Beta feature&gt; Auto rotate the kubelet client certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--rotate-server-certificates</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Auto-request and rotate the kubelet serving certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. Requires the <code>RotateKubeletServerCertificate</code> feature gate to be enabled, and approval of the submitted <code>CertificateSigningRequest</code> objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Auto-request and rotate the kubelet serving certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. Requires the <code>RotateKubeletServerCertificate</code> feature gate to be enabled, and approval of the submitted <code>CertificateSigningRequest</code> objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--runonce</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If <code>true</code>, exit after spawning pods from local manifests or remote urls. Exclusive with <code>--enable-server</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If <code>true</code>, exit after spawning pods from local manifests or remote urls. Exclusive with <code>--enable-server</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1101,7 +1101,7 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--runtime-request-timeout duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>2m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Timeout of all runtime requests except long running request - <code>pull</code>, <code>logs</code>, <code>exec</code> and <code>attach</code>. When timeout exceeded, kubelet will cancel the request, throw out an error and retry later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Timeout of all runtime requests except long running request - <code>pull</code>, <code>logs</code>, <code>exec</code> and <code>attach</code>. When timeout exceeded, kubelet will cancel the request, throw out an error and retry later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1115,70 +1115,70 @@ csiMigrationRBD=true|false (ALPHA - default=false)<br/>
 <td colspan="2">--serialize-image-pulls&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version &lt; 1.9 or an <code>aufs</code> storage backend. Issue #10959 has more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version &lt; 1.9 or an <code>aufs</code> storage backend. Issue #10959 has more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--skip-headers</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If <code>true</code>, avoid header prefixes in the log messages. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If <code>true</code>, avoid header prefixes in the log messages. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--skip-log-headers</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">If <code>true</code>, avoid headers when opening log files. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">If <code>true</code>, avoid headers when opening log files. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--stderrthreshold int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 2</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">logs at or above this threshold go to stderr. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">logs at or above this threshold go to stderr. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--streaming-connection-idle-timeout duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>4h0m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Maximum time a streaming connection can be idle before the connection is automatically closed. <code>0</code> indicates no timeout. Example: <code>5m</code>. Note: All connections to the kubelet server have a maximum duration of 4 hours.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Maximum time a streaming connection can be idle before the connection is automatically closed. <code>0</code> indicates no timeout. Example: <code>5m</code>. Note: All connections to the kubelet server have a maximum duration of 4 hours.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--sync-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>1m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Max period between synchronizing running containers and config. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Max period between synchronizing running containers and config. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--system-cgroups string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Optional absolute name of cgroups in which to place all non-kernel processes that are not already inside a cgroup under <code>'/'</code>. Empty for no container. Rolling back the flag requires a reboot. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Optional absolute name of cgroups in which to place all non-kernel processes that are not already inside a cgroup under <code>'/'</code>. Empty for no container. Rolling back the flag requires a reboot. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--system-reserved mapStringString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: &lt;none&gt;</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of <code>&lt;resource name&gt;=&lt;resource quantity&gt;</code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for non-kubernetes components. Currently only <code>cpu</code> and <code>memory</code> are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of <code>&lt;resource name&gt;=&lt;resource quantity&gt;</code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for non-kubernetes components. Currently only <code>cpu</code> and <code>memory</code> are supported. See <a href="http://kubernetes.io/docs/user-guide/compute-resources">here</a> for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--system-reserved-cgroup string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>''</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Absolute name of the top level cgroup that is used to manage non-kubernetes components for which compute resources were reserved via <code>--system-reserved</code> flag. Ex. <code>/system-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Absolute name of the top level cgroup that is used to manage non-kubernetes components for which compute resources were reserved via <code>--system-reserved</code> flag. Ex. <code>/system-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--tls-cert-file string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If <code>--tls-cert-file</code> and <code>--tls-private-key-file</code> are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to <code>--cert-dir</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If <code>--tls-cert-file</code> and <code>--tls-private-key-file</code> are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to <code>--cert-dir</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1190,21 +1190,21 @@ Preferred values:
 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384<br/>
 Insecure values:
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
-(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 </tr>
 
 <tr>
 <td colspan="2">--tls-min-version string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Minimum TLS version supported. Possible values: <code>VersionTLS10</code>, <code>VersionTLS11</code>, <code>VersionTLS12</code>, <code>VersionTLS13</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Minimum TLS version supported. Possible values: <code>VersionTLS10</code>, <code>VersionTLS11</code>, <code>VersionTLS12</code>, <code>VersionTLS13</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--tls-private-key-file string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">File containing x509 private key matching <code>--tls-cert-file</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">File containing x509 private key matching <code>--tls-cert-file</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 
@@ -1212,14 +1212,14 @@ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_E
 <td colspan="2">--topology-manager-policy string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>'none'</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Topology Manager policy to use. Possible values: <code>'none'</code>, <code>'best-effort'</code>, <code>'restricted'</code>, <code>'single-numa-node'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Topology Manager policy to use. Possible values: <code>'none'</code>, <code>'best-effort'</code>, <code>'restricted'</code>, <code>'single-numa-node'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--topology-manager-scope string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>container</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: <code>'container'</code>, <code>'pod'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: <code>'container'</code>, <code>'pod'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
@@ -1247,14 +1247,14 @@ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_E
 <td colspan="2">--volume-plugin-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>/usr/libexec/kubernetes/kubelet-plugins/volume/exec/</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The full path of the directory in which to search for additional third party volume plugins. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">The full path of the directory in which to search for additional third party volume plugins. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 
 <tr>
 <td colspan="2">--volume-stats-agg-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>1m0s</code></td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes. To disable volume calculations, set to <code>0</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes. To disable volume calculations, set to <code>0</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 </tr>
 </tbody>
 </table>
diff --git a/content/en/docs/reference/config-api/apiserver-eventratelimit.v1alpha1.md b/content/en/docs/reference/config-api/apiserver-eventratelimit.v1alpha1.md
new file mode 100644
index 0000000000000..2189c4910d277
--- /dev/null
+++ b/content/en/docs/reference/config-api/apiserver-eventratelimit.v1alpha1.md
@@ -0,0 +1,121 @@
+---
+title: Event Rate Limit Configuration (v1alpha1)
+content_type: tool-reference
+package: eventratelimit.admission.k8s.io/v1alpha1
+auto_generated: true
+---
+
+
+## Resource Types 
+
+
+- [Configuration](#eventratelimit-admission-k8s-io-v1alpha1-Configuration)
+  
+    
+
+## `Configuration`     {#eventratelimit-admission-k8s-io-v1alpha1-Configuration}
+    
+
+
+<p>Configuration provides configuration for the EventRateLimit admission
+controller.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>eventratelimit.admission.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>Configuration</code></td></tr>
+    
+  
+<tr><td><code>limits</code> <B>[Required]</B><br/>
+<a href="#eventratelimit-admission-k8s-io-v1alpha1-Limit"><code>[]Limit</code></a>
+</td>
+<td>
+   <p>limits are the limits to place on event queries received.
+Limits can be placed on events received server-wide, per namespace,
+per user, and per source+object.
+At least one limit is required.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `Limit`     {#eventratelimit-admission-k8s-io-v1alpha1-Limit}
+    
+
+**Appears in:**
+
+- [Configuration](#eventratelimit-admission-k8s-io-v1alpha1-Configuration)
+
+
+<p>Limit is the configuration for a particular limit type</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>type</code> <B>[Required]</B><br/>
+<a href="#eventratelimit-admission-k8s-io-v1alpha1-LimitType"><code>LimitType</code></a>
+</td>
+<td>
+   <p>type is the type of limit to which this configuration applies</p>
+</td>
+</tr>
+<tr><td><code>qps</code> <B>[Required]</B><br/>
+<code>int32</code>
+</td>
+<td>
+   <p>qps is the number of event queries per second that are allowed for this
+type of limit. The qps and burst fields are used together to determine if
+a particular event query is accepted. The qps determines how many queries
+are accepted once the burst amount of queries has been exhausted.</p>
+</td>
+</tr>
+<tr><td><code>burst</code> <B>[Required]</B><br/>
+<code>int32</code>
+</td>
+<td>
+   <p>burst is the burst number of event queries that are allowed for this type
+of limit. The qps and burst fields are used together to determine if a
+particular event query is accepted. The burst determines the maximum size
+of the allowance granted for a particular bucket. For example, if the burst
+is 10 and the qps is 3, then the admission control will accept 10 queries
+before blocking any queries. Every second, 3 more queries will be allowed.
+If some of that allowance is not used, then it will roll over to the next
+second, until the maximum allowance of 10 is reached.</p>
+</td>
+</tr>
+<tr><td><code>cacheSize</code><br/>
+<code>int32</code>
+</td>
+<td>
+   <p>cacheSize is the size of the LRU cache for this type of limit. If a bucket
+is evicted from the cache, then the allowance for that bucket is reset. If
+more queries are later received for an evicted bucket, then that bucket
+will re-enter the cache with a clean slate, giving that bucket a full
+allowance of burst queries.</p>
+<p>The default cache size is 4096.</p>
+<p>If limitType is 'server', then cacheSize is ignored.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LimitType`     {#eventratelimit-admission-k8s-io-v1alpha1-LimitType}
+    
+(Alias of `string`)
+
+**Appears in:**
+
+- [Limit](#eventratelimit-admission-k8s-io-v1alpha1-Limit)
+
+
+<p>LimitType is the type of the limit (e.g., per-namespace)</p>
+
+
+
+  
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
new file mode 100644
index 0000000000000..f420623559cfa
--- /dev/null
+++ b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
@@ -0,0 +1,168 @@
+---
+title: Image Policy API (v1alpha1)
+content_type: tool-reference
+package: imagepolicy.k8s.io/v1alpha1
+auto_generated: true
+---
+
+
+## Resource Types 
+
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+  
+    
+
+## `ImageReview`     {#imagepolicy-k8s-io-v1alpha1-ImageReview}
+    
+
+
+<p>ImageReview checks if the set of images in a pod are allowed.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>imagepolicy.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>ImageReview</code></td></tr>
+    
+  
+<tr><td><code>metadata</code><br/>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a>
+</td>
+<td>
+   <p>Standard object's metadata.
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p>
+Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field.</td>
+</tr>
+<tr><td><code>spec</code> <B>[Required]</B><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec"><code>ImageReviewSpec</code></a>
+</td>
+<td>
+   <p>Spec holds information about the pod being evaluated</p>
+</td>
+</tr>
+<tr><td><code>status</code><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewStatus"><code>ImageReviewStatus</code></a>
+</td>
+<td>
+   <p>Status is filled in by the backend and indicates whether the pod should be allowed.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewContainerSpec`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewContainerSpec}
+    
+
+**Appears in:**
+
+- [ImageReviewSpec](#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec)
+
+
+<p>ImageReviewContainerSpec is a description of a container within the pod creation request.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>image</code><br/>
+<code>string</code>
+</td>
+<td>
+   <p>This can be in the form image:tag or image@SHA:012345679abcdef.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewSpec`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec}
+    
+
+**Appears in:**
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+
+<p>ImageReviewSpec is a description of the pod creation request.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>containers</code><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewContainerSpec"><code>[]ImageReviewContainerSpec</code></a>
+</td>
+<td>
+   <p>Containers is a list of a subset of the information in each container of the Pod being created.</p>
+</td>
+</tr>
+<tr><td><code>annotations</code><br/>
+<code>map[string]string</code>
+</td>
+<td>
+   <p>Annotations is a list of key-value pairs extracted from the Pod's annotations.
+It only includes keys which match the pattern <code>*.image-policy.k8s.io/*</code>.
+It is up to each webhook backend to determine how to interpret these annotations, if at all.</p>
+</td>
+</tr>
+<tr><td><code>namespace</code><br/>
+<code>string</code>
+</td>
+<td>
+   <p>Namespace is the namespace the pod is being created in.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewStatus`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewStatus}
+    
+
+**Appears in:**
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+
+<p>ImageReviewStatus is the result of the review for the pod creation request.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>allowed</code> <B>[Required]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <p>Allowed indicates that all images were allowed to be run.</p>
+</td>
+</tr>
+<tr><td><code>reason</code><br/>
+<code>string</code>
+</td>
+<td>
+   <p>Reason should be empty unless Allowed is false in which case it
+may contain a short description of what is wrong.  Kubernetes
+may truncate excessively long errors when displaying to the user.</p>
+</td>
+</tr>
+<tr><td><code>auditAnnotations</code><br/>
+<code>map[string]string</code>
+</td>
+<td>
+   <p>AuditAnnotations will be added to the attributes object of the
+admission controller request using 'AddAnnotation'.  The keys should
+be prefix-less (i.e., the admission controller will add an
+appropriate prefix).</p>
+</td>
+</tr>
+</tbody>
+</table>
+  
\ No newline at end of file
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md
index 8874cf6a36342..377ac021b6792 100644
--- a/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md
+++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta2.md
@@ -143,7 +143,7 @@ configuration types to be used during a <code>kubeadm init</code> run.</p>
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">criSocket</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;/var/run/dockershim.sock&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">taints</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">    </span>- <span style="color:#000;font-weight:bold">key</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;kubeadmNode&#34;</span><span style="color:#bbb">
-</span><span style="color:#bbb">      </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;master&#34;</span><span style="color:#bbb">
+</span><span style="color:#bbb">      </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;someValue&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">      </span><span style="color:#000;font-weight:bold">effect</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;NoSchedule&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">kubeletExtraArgs</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">v</span>:<span style="color:#bbb"> </span><span style="color:#099">4</span><span style="color:#bbb">
@@ -348,7 +348,7 @@ could be used for assigning a stable DNS to the control plane.</li>
 <code>string</code>
 </td>
 <td>
-   <p><code>mageRepository</code> sets the container registry to pull images from.
+   <p><code>imageRepository</code> sets the container registry to pull images from.
 If empty, <code>k8s.gcr.io</code> will be used by default; in case of kubernetes version is
 a CI build (kubernetes version starts with <code>ci/</code>) <code>gcr.io/k8s-staging-ci-images</code>
 is used as a default for control plane components and for kube-proxy, while
@@ -876,7 +876,9 @@ cluster information.
 </td>
 <td>
    <p><code>tlsBootstrapToken</code> is a token used for TLS bootstrapping.
-If <code>bootstrapToken</code> is set, this field is defaulted to <code>.bootstrapToken.token, but can be overridden. If </code>file` is set, this field <strong>must be set</strong> in case the KubeConfigFile does not
+If <code>bootstrapToken</code> is set, this field is defaulted to <code>.bootstrapToken.token</code>,
+but can be overridden.
+If <code>file</code> is set, this field <strong>must be set</strong> in case the KubeConfigFile does not
 contain any other authentication information.</p>
 </td>
 </tr>
@@ -1080,7 +1082,7 @@ originated from the Kubernetes/Kubernetes release process</p>
 <code>string</code>
 </td>
 <td>
-   <p><code>mageRepository</code> sets the container registry to pull images from.
+   <p><code>imageRepository</code> sets the container registry to pull images from.
 If not set, the <code>imageRepository</code> defined in ClusterConfiguration will be used.</p>
 </td>
 </tr>
@@ -1267,7 +1269,7 @@ Defaults to the hostname of the node if not provided.</p>
 <code>string</code>
 </td>
 <td>
-   <p>`criSocket is used to retrieve container runtime information. This information will
+   <p><code>criSocket</code> is used to retrieve container runtime information. This information will
 be annotated to the Node API object, for later re-use.</p>
 </td>
 </tr>
@@ -1276,9 +1278,9 @@ be annotated to the Node API object, for later re-use.</p>
 </td>
 <td>
    <p><code>taints</code> specifies the taints the Node API object should be registered with.
-If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted to
-<code>'node-role.kubernetes.io/master=&quot;&quot;'</code>. If you don't want to taint your control-plane node,
-set this field to an empty list, i.e. <code>taints: []</code> in the YAML file. This field is
+If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted with
+a control-plane taint for control-plane nodes. If you don't want to taint your control-plane
+node, set this field to an empty list, i.e. <code>taints: []</code>, in the YAML file. This field is
 solely used for Node registration.</p>
 </td>
 </tr>
diff --git a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
index ca7ef7c287502..75fc7c1ecfdfe 100644
--- a/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
+++ b/content/en/docs/reference/config-api/kubeadm-config.v1beta3.md
@@ -152,7 +152,7 @@ configuration types to be used during a <code>kubeadm init</code> run.</p>
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">criSocket</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;/var/run/dockershim.sock&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">taints</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">  </span>- <span style="color:#000;font-weight:bold">key</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;kubeadmNode&#34;</span><span style="color:#bbb">
-</span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;master&#34;</span><span style="color:#bbb">
+</span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;someValue&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">effect</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;NoSchedule&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">kubeletExtraArgs</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">v</span>:<span style="color:#bbb"> </span><span style="color:#099">4</span><span style="color:#bbb">
@@ -1160,9 +1160,9 @@ This information will be annotated to the Node API object, for later re-use</p>
 </td>
 <td>
    <p><code>tains</code> specifies the taints the Node API object should be registered with.
-If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted to
-<code>taints: [&quot;node-role.kubernetes.io/master:&quot;&quot;]</code>.
-If you don't want to taint your control-plane node, set this field to an empty slice,
+If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted
+with a control-plane taint for control-plane nodes.
+If you don't want to taint your control-plane node, set this field to an empty list,
 i.e. <code>taints: []</code> in the YAML file. This field is solely used for Node registration.</p>
 </td>
 </tr>
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
index ed68500044176..42755470cbb33 100644
--- a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
+++ b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
@@ -943,7 +943,7 @@ Default: &quot;&quot;</p>
 <td>
    <p>systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used
 to enforce <code>systemReserved</code> compute resource reservation for OS system daemons.
-Refer to <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
+Refer to <a href="https://git.k8s.io/design-proposals-archive/node/node-allocatable.md">Node Allocatable</a>
 doc for more information.
 Default: &quot;&quot;</p>
 </td>
@@ -954,7 +954,7 @@ Default: &quot;&quot;</p>
 <td>
    <p>kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used
 to enforce <code>KubeReserved</code> compute resource reservation for Kubernetes node system daemons.
-Refer to <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
+Refer to <a href="https://git.k8s.io/design-proposals-archive/node/node-allocatable.md">Node Allocatable</a>
 doc for more information.
 Default: &quot;&quot;</p>
 </td>
@@ -970,7 +970,7 @@ If <code>none</code> is specified, no other options may be specified.
 When <code>system-reserved</code> is in the list, systemReservedCgroup must be specified.
 When <code>kube-reserved</code> is in the list, kubeReservedCgroup must be specified.
 This field is supported only when <code>cgroupsPerQOS</code> is set to true.
-Refer to <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
+Refer to <a href="https://git.k8s.io/design-proposals-archive/node/node-allocatable.md">Node Allocatable</a>
 for more information.
 Default: [&quot;pods&quot;]</p>
 </td>
diff --git a/content/en/docs/reference/glossary/downward-api.md b/content/en/docs/reference/glossary/downward-api.md
new file mode 100644
index 0000000000000..a3d9a46336174
--- /dev/null
+++ b/content/en/docs/reference/glossary/downward-api.md
@@ -0,0 +1,28 @@
+---
+title: Downward API
+id: downward-api
+date: 2022-03-21
+short_description: >
+  A mechanism to expose Pod and container field values to code running in a container.
+aka:
+full_link: /docs/concepts/workloads/pods/downward-api/
+tags:
+- architecture
+---
+Kubernetes' mechanism to expose Pod and container field values to code running in a container.
+<!--more-->
+It is sometimes useful for a container to have information about itself, without
+needing to make changes to the container code that directly couple it to Kubernetes.
+
+The Kubernetes downward API allows containers to consume information about themselves
+or their context in a Kubernetes cluster. Applications in containers can have
+access to that information, without the application needing to act as a client of
+the Kubernetes API.
+
+There are two ways to expose Pod and container fields to a running container:
+
+- using [environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
+- using [a `downwardAPI` volume](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
+
+Together, these two ways of exposing Pod and container fields are called the _downward API_.
+
diff --git a/content/en/docs/reference/kubectl/cheatsheet.md b/content/en/docs/reference/kubectl/cheatsheet.md
index e1711ea542615..693c66d1fbe86 100644
--- a/content/en/docs/reference/kubectl/cheatsheet.md
+++ b/content/en/docs/reference/kubectl/cheatsheet.md
@@ -30,14 +30,14 @@ You can also use a shorthand alias for `kubectl` that also works with completion
 
 ```bash
 alias k=kubectl
-complete -F __start_kubectl k
+complete -o default -F __start_kubectl k
 ```
 
 ### ZSH
 
 ```bash
 source <(kubectl completion zsh)  # setup autocomplete in zsh into the current shell
-echo "[[ $commands[kubectl] ]] && source <(kubectl completion zsh)" >> ~/.zshrc # add autocomplete permanently to your zsh shell
+echo '[[ $commands[kubectl] ]] && source <(kubectl completion zsh)' >> ~/.zshrc # add autocomplete permanently to your zsh shell
 ```
 ### A Note on --all-namespaces
 
@@ -280,7 +280,7 @@ kubectl patch deployment valid-deployment  --type json   -p='[{"op": "remove", "
 # Add a new element to a positional array
 kubectl patch sa default --type='json' -p='[{"op": "add", "path": "/secrets/1", "value": {"name": "whatever" } }]'
 
-# Update a deployment's replicas count by patching it's scale subresource
+# Update a deployment's replica count by patching its scale subresource
 kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
 ```
 
diff --git a/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md b/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
index dbcc8f889e0f0..d26dfdbaf9efc 100644
--- a/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
+++ b/content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
@@ -1879,7 +1879,7 @@ PodStatus represents information about the status of a pod. Status may trail the
 
 - **qosClass** (string)
 
-  The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md
+  The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/design-proposals-archive/node/resource-qos.md
   
   
 
diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md
index e68cb668d3081..4b74774ea7888 100644
--- a/content/en/docs/reference/labels-annotations-taints/_index.md
+++ b/content/en/docs/reference/labels-annotations-taints/_index.md
@@ -17,7 +17,7 @@ This document serves both as a reference to the values and as a coordination poi
 
 ### app.kubernetes.io/component
 
-Example: `app.kubernetes.io/component=database`
+Example: `app.kubernetes.io/component: "database"`
 
 Used on: All Objects
 
@@ -27,7 +27,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/created-by
 
-Example: `app.kubernetes.io/created-by=controller-manager`
+Example: `app.kubernetes.io/created-by: "controller-manager"`
 
 Used on: All Objects
 
@@ -37,7 +37,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/instance
 
-Example: `app.kubernetes.io/instance=mysql-abcxzy`
+Example: `app.kubernetes.io/instance: "mysql-abcxzy"`
 
 Used on: All Objects
 
@@ -47,7 +47,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/managed-by
 
-Example: `app.kubernetes.io/managed-by=helm`
+Example: `app.kubernetes.io/managed-by: "helm"`
 
 Used on: All Objects
 
@@ -57,7 +57,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/name
 
-Example: `app.kubernetes.io/name=mysql`
+Example: `app.kubernetes.io/name: "mysql"`
 
 Used on: All Objects
 
@@ -67,7 +67,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/part-of
 
-Example: `app.kubernetes.io/part-of=wordpress`
+Example: `app.kubernetes.io/part-of: "wordpress"`
 
 Used on: All Objects
 
@@ -77,7 +77,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/version
 
-Example: `app.kubernetes.io/version="5.7.21"`
+Example: `app.kubernetes.io/version: "5.7.21"`
 
 Used on: All Objects
 
@@ -87,7 +87,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### kubernetes.io/arch
 
-Example: `kubernetes.io/arch=amd64`
+Example: `kubernetes.io/arch: "amd64"`
 
 Used on: Node
 
@@ -95,7 +95,7 @@ The Kubelet populates this with `runtime.GOARCH` as defined by Go. This can be h
 
 ### kubernetes.io/os
 
-Example: `kubernetes.io/os=linux`
+Example: `kubernetes.io/os: "linux"`
 
 Used on: Node
 
@@ -103,7 +103,7 @@ The Kubelet populates this with `runtime.GOOS` as defined by Go. This can be han
 
 ### kubernetes.io/metadata.name
 
-Example: `kubernetes.io/metadata.name=mynamespace`
+Example: `kubernetes.io/metadata.name: "mynamespace"`
 
 Used on: Namespaces
 
@@ -124,7 +124,7 @@ This label has been deprecated. Please use `kubernetes.io/os` instead.
 
 ### kubernetes.io/hostname {#kubernetesiohostname}
 
-Example: `kubernetes.io/hostname=ip-172-20-114-199.ec2.internal`
+Example: `kubernetes.io/hostname: "ip-172-20-114-199.ec2.internal"`
 
 Used on: Node
 
@@ -135,7 +135,7 @@ This label is also used as part of the topology hierarchy.  See [topology.kubern
 
 ### kubernetes.io/change-cause {#change-cause}
 
-Example: `kubernetes.io/change-cause=kubectl edit --record deployment foo`
+Example: `kubernetes.io/change-cause: "kubectl edit --record deployment foo"`
 
 Used on: All Objects
 
@@ -161,7 +161,7 @@ The value for this annotation must be **true** to take effect. This annotation i
 
 ### controller.kubernetes.io/pod-deletion-cost {#pod-deletion-cost}
 
-Example: `controller.kubernetes.io/pod-deletion-cost=10`
+Example: `controller.kubernetes.io/pod-deletion-cost: "10"`
 
 Used on: Pod
 
@@ -212,7 +212,7 @@ For example, `10M` means 10 megabits per second.
 
 ### node.kubernetes.io/instance-type {#nodekubernetesioinstance-type}
 
-Example: `node.kubernetes.io/instance-type=m3.medium`
+Example: `node.kubernetes.io/instance-type: "m3.medium"`
 
 Used on: Node
 
@@ -237,7 +237,7 @@ See [topology.kubernetes.io/zone](#topologykubernetesiozone).
 
 Example:
 
-`statefulset.kubernetes.io/pod-name=mystatefulset-7`
+`statefulset.kubernetes.io/pod-name: "mystatefulset-7"`
 
 When a StatefulSet controller creates a Pod for the StatefulSet, the control plane
 sets this label on that Pod. The value of the label is the name of the Pod being created.
@@ -249,7 +249,7 @@ StatefulSet topic for more details.
 
 Example:
 
-`topology.kubernetes.io/region=us-east-1`
+`topology.kubernetes.io/region: "us-east-1"`
 
 See [topology.kubernetes.io/zone](#topologykubernetesiozone).
 
@@ -257,7 +257,7 @@ See [topology.kubernetes.io/zone](#topologykubernetesiozone).
 
 Example:
 
-`topology.kubernetes.io/zone=us-east-1c`
+`topology.kubernetes.io/zone: "us-east-1c"`
 
 Used on: Node, PersistentVolume
 
@@ -286,7 +286,7 @@ adding the labels manually (or adding support for `PersistentVolumeLabel`). With
 
 ### volume.beta.kubernetes.io/storage-provisioner (deprecated)
 
-Example: `volume.beta.kubernetes.io/storage-provisioner: k8s.io/minikube-hostpath`
+Example: `volume.beta.kubernetes.io/storage-provisioner: "k8s.io/minikube-hostpath"`
 
 Used on: PersistentVolumeClaim
 
@@ -310,7 +310,7 @@ This annotation will be added to dynamic provisioning required PVC.
 
 ### node.kubernetes.io/windows-build {#nodekubernetesiowindows-build}
 
-Example: `node.kubernetes.io/windows-build=10.0.17763`
+Example: `node.kubernetes.io/windows-build: "10.0.17763"`
 
 Used on: Node
 
@@ -320,7 +320,7 @@ The label's value is in the format "MajorVersion.MinorVersion.BuildNumber".
 
 ### service.kubernetes.io/headless {#servicekubernetesioheadless}
 
-Example: `service.kubernetes.io/headless=""`
+Example: `service.kubernetes.io/headless: ""`
 
 Used on: Service
 
@@ -328,15 +328,33 @@ The control plane adds this label to an Endpoints object when the owning Service
 
 ### kubernetes.io/service-name {#kubernetesioservice-name}
 
-Example: `kubernetes.io/service-name="nginx"`
+Example: `kubernetes.io/service-name: "nginx"`
 
 Used on: Service
 
 Kubernetes uses this label to differentiate multiple Services. Used currently for `ELB`(Elastic Load Balancer) only.
 
+### kubernetes.io/service-account.name
+
+Example: `kubernetes.io/service-account.name: "sa-name"`
+
+Used on: Secret
+
+This annotation records the {{< glossary_tooltip term_id="name" text="name">}} of the
+ServiceAccount that the token (stored in the Secret of type `kubernetes.io/service-account-token`) represents.
+
+### kubernetes.io/service-account.uid
+
+Example: `kubernetes.io/service-account.uid: da68f9c6-9d26-11e7-b84e-002dc52800da`
+
+Used on: Secret
+
+This annotation records the {{< glossary_tooltip term_id="uid" text="unique ID" >}} of the
+ServiceAccount that the token (stored in the Secret of type `kubernetes.io/service-account-token`) represents.
+
 ### endpointslice.kubernetes.io/managed-by {#endpointslicekubernetesiomanaged-by}
 
-Example: `endpointslice.kubernetes.io/managed-by="controller"`
+Example: `endpointslice.kubernetes.io/managed-by: "controller"`
 
 Used on: EndpointSlices
 
@@ -344,7 +362,7 @@ The label is used to indicate the controller or entity that manages an EndpointS
 
 ### endpointslice.kubernetes.io/skip-mirror {#endpointslicekubernetesioskip-mirror}
 
-Example: `endpointslice.kubernetes.io/skip-mirror="true"`
+Example: `endpointslice.kubernetes.io/skip-mirror: "true"`
 
 Used on: Endpoints
 
@@ -352,7 +370,7 @@ The label can be set to `"true"` on an Endpoints resource to indicate that the E
 
 ### service.kubernetes.io/service-proxy-name {#servicekubernetesioservice-proxy-name}
 
-Example: `service.kubernetes.io/service-proxy-name="foo-bar"`
+Example: `service.kubernetes.io/service-proxy-name: "foo-bar"`
 
 Used on: Service
 
@@ -364,7 +382,7 @@ Example: `experimental.windows.kubernetes.io/isolation-type: "hyperv"`
 
 Used on: Pod
 
-The annotation is used to run Windows containers with Hyper-V isolation. To use Hyper-V isolation feature and create a Hyper-V isolated container, the kubelet should be started with feature gates HyperVContainer=true and the Pod should include the annotation experimental.windows.kubernetes.io/isolation-type=hyperv.
+The annotation is used to run Windows containers with Hyper-V isolation. To use Hyper-V isolation feature and create a Hyper-V isolated container, the kubelet should be started with feature gates HyperVContainer=true and the Pod should include the annotation `experimental.windows.kubernetes.io/isolation-type: hyperv`.
 
 {{< note >}}
 You can only set this annotation on Pods that have a single container.
@@ -387,7 +405,7 @@ Starting in v1.18, this annotation is deprecated in favor of `spec.ingressClassN
 
 ### storageclass.kubernetes.io/is-default-class
 
-Example: `storageclass.kubernetes.io/is-default-class=true`
+Example: `storageclass.kubernetes.io/is-default-class: "true"`
 
 Used on: StorageClass
 
@@ -449,43 +467,43 @@ Use [Taints and Tolerations](/docs/concepts/scheduling-eviction/taint-and-tolera
 
 ### node.kubernetes.io/not-ready
 
-Example: `node.kubernetes.io/not-ready:NoExecute`
+Example: `node.kubernetes.io/not-ready: "NoExecute"`
 
 The node controller detects whether a node is ready by monitoring its health and adds or removes this taint accordingly.
 
 ### node.kubernetes.io/unreachable
 
-Example: `node.kubernetes.io/unreachable:NoExecute`
+Example: `node.kubernetes.io/unreachable: "NoExecute"`
 
 The node controller adds the taint to a node corresponding to the [NodeCondition](/docs/concepts/architecture/nodes/#condition) `Ready` being `Unknown`.
 
 ### node.kubernetes.io/unschedulable
 
-Example: `node.kubernetes.io/unschedulable:NoSchedule`
+Example: `node.kubernetes.io/unschedulable: "NoSchedule"`
 
 The taint will be added to a node when initializing the node to avoid race condition.
 
 ### node.kubernetes.io/memory-pressure
 
-Example: `node.kubernetes.io/memory-pressure:NoSchedule`
+Example: `node.kubernetes.io/memory-pressure: "NoSchedule"`
 
 The kubelet detects memory pressure based on `memory.available` and `allocatableMemory.available` observed on a Node. The observed values are then compared to the corresponding thresholds that can be set on the kubelet to determine if the Node condition and taint should be added/removed.
 
 ### node.kubernetes.io/disk-pressure
 
-Example: `node.kubernetes.io/disk-pressure:NoSchedule`
+Example: `node.kubernetes.io/disk-pressure :"NoSchedule"`
 
 The kubelet detects disk pressure based on `imagefs.available`, `imagefs.inodesFree`, `nodefs.available` and `nodefs.inodesFree`(Linux only) observed on a Node. The observed values are then compared to the corresponding thresholds that can be set on the kubelet to determine if the Node condition and taint should be added/removed.
 
 ### node.kubernetes.io/network-unavailable
 
-Example: `node.kubernetes.io/network-unavailable:NoSchedule`
+Example: `node.kubernetes.io/network-unavailable: "NoSchedule"`
 
 This is initially set by the kubelet when the cloud provider used indicates a requirement for additional network configuration. Only when the route on the cloud is configured properly will the taint be removed by the cloud provider.
 
 ### node.kubernetes.io/pid-pressure
 
-Example: `node.kubernetes.io/pid-pressure:NoSchedule`
+Example: `node.kubernetes.io/pid-pressure: "NoSchedule"`
 
 The kubelet checks D-value of the size of `/proc/sys/kernel/pid_max` and the PIDs consumed by Kubernetes on a node to get the number of available PIDs that referred to as the `pid.available` metric. The metric is then compared to the corresponding threshold that can be set on the kubelet to determine if the node condition and taint should be added/removed.
 
@@ -506,19 +524,19 @@ for further details about when and how to use this taint.
 
 ### node.cloudprovider.kubernetes.io/uninitialized
 
-Example: `node.cloudprovider.kubernetes.io/uninitialized:NoSchedule`
+Example: `node.cloudprovider.kubernetes.io/uninitialized: "NoSchedule"`
 
 Sets this taint on a node to mark it as unusable, when kubelet is started with the "external" cloud provider, until a controller from the cloud-controller-manager initializes this node, and then removes the taint.
 
 ### node.cloudprovider.kubernetes.io/shutdown
 
-Example: `node.cloudprovider.kubernetes.io/shutdown:NoSchedule`
+Example: `node.cloudprovider.kubernetes.io/shutdown: "NoSchedule"`
 
 If a Node is in a cloud provider specified shutdown state, the Node gets tainted accordingly with `node.cloudprovider.kubernetes.io/shutdown` and the taint effect of `NoSchedule`.
 
 ### pod-security.kubernetes.io/enforce
 
-Example: `pod-security.kubernetes.io/enforce: baseline`
+Example: `pod-security.kubernetes.io/enforce: "baseline"`
 
 Used on: Namespace
 
@@ -532,7 +550,7 @@ for more information.
 
 ### pod-security.kubernetes.io/enforce-version
 
-Example: `pod-security.kubernetes.io/enforce-version: {{< skew latestVersion >}}`
+Example: `pod-security.kubernetes.io/enforce-version: "{{< skew currentVersion >}}"`
 
 Used on: Namespace
 
@@ -545,7 +563,7 @@ for more information.
 
 ### pod-security.kubernetes.io/audit
 
-Example: `pod-security.kubernetes.io/audit: baseline`
+Example: `pod-security.kubernetes.io/audit: "baseline"`
 
 Used on: Namespace
 
@@ -559,7 +577,7 @@ for more information.
 
 ### pod-security.kubernetes.io/audit-version
 
-Example: `pod-security.kubernetes.io/audit-version: {{< skew latestVersion >}}`
+Example: `pod-security.kubernetes.io/audit-version: "{{< skew currentVersion >}}"`
 
 Used on: Namespace
 
@@ -572,7 +590,7 @@ for more information.
 
 ### pod-security.kubernetes.io/warn
 
-Example: `pod-security.kubernetes.io/warn: baseline`
+Example: `pod-security.kubernetes.io/warn: "baseline"`
 
 Used on: Namespace
 
@@ -588,7 +606,7 @@ for more information.
 
 ### pod-security.kubernetes.io/warn-version
 
-Example: `pod-security.kubernetes.io/warn-version: {{< skew latestVersion >}}`
+Example: `pod-security.kubernetes.io/warn-version: "{{< skew currentVersion >}}"`
 
 Used on: Namespace
 
diff --git a/content/en/docs/reference/ports-and-protocols.md b/content/en/docs/reference/ports-and-protocols.md
index 91d6cba8e7665..8ca5bc0774444 100644
--- a/content/en/docs/reference/ports-and-protocols.md
+++ b/content/en/docs/reference/ports-and-protocols.md
@@ -7,7 +7,7 @@ weight: 50
 When running Kubernetes in an environment with strict network boundaries, such 
 as on-premises datacenter with physical network firewalls or Virtual 
 Networks in Public Cloud, it is useful to be aware of the ports and protocols 
-used by Kubernetes components
+used by Kubernetes components.
 
 ## Control plane
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
index 1abc7d9bac648..9cd82c43167ca 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
@@ -92,6 +92,3 @@ kubeadm certs generate-csr [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
index 7dc59c45d4c6b..b7708955007e0 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
@@ -87,6 +87,3 @@ kubeadm certs renew apiserver [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
index 84d75bfd36d8a..0fde99368ceef 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
@@ -87,6 +87,3 @@ kubeadm certs renew etcd-healthcheck-client [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
index 60acaae1dbf20..214b353b00708 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
@@ -87,6 +87,3 @@ kubeadm certs renew etcd-peer [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
index 969157fe3e507..cd8b73908d277 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
@@ -87,6 +87,3 @@ kubeadm certs renew etcd-server [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
index 0f85b4fbc2183..7dd3a4f820f7c 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
@@ -67,6 +67,3 @@ kubeadm config images [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
index 74c870e3dba89..d46abeab03fb9 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
@@ -116,6 +116,3 @@ kubeadm config images list [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
index 1c634871eb24a..ea7c83e14bd21 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
@@ -79,6 +79,3 @@ kubeadm config print join-defaults [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
index 64777661d03ae..1ff70e5cb8464 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
@@ -60,6 +60,3 @@ kubeadm init phase addon [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
index 547601e364905..a47b8390be52b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
@@ -85,6 +85,3 @@ kubeadm init phase certs etcd-ca [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
index a3df321d886fc..d6c0630075068 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
@@ -69,6 +69,3 @@ kubeadm init phase certs sa [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
index f1ebdbcf12afd..1eb52e8287c2c 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
@@ -116,6 +116,3 @@ kubeadm init phase kubeconfig all [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
index 70e4c634b027c..55a98fae965c1 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
@@ -81,6 +81,3 @@ kubeadm init phase kubelet-finalize all [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
index 11d2407499e86..a79f41f610422 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
@@ -88,6 +88,3 @@ kubeadm init phase kubelet-start [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
index 345621f7030a9..61e5a0c9468ed 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
@@ -81,6 +81,3 @@ kubeadm init phase preflight [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
index 515060a76c7bb..e242f4eedd84b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
@@ -95,6 +95,3 @@ kubeadm init phase upload-certs [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
index 3c087368a77e3..ba4e91fa89e0e 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
@@ -74,6 +74,3 @@ kubeadm init phase upload-config all [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
index 13e561f486287..930b2d94a2b32 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
@@ -83,6 +83,3 @@ kubeadm init phase upload-config kubeadm [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
index 07768a16c6efb..f7ea8ea39aae0 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
@@ -67,6 +67,3 @@ kubeadm join phase control-plane-join [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
index 7a3517652d7dc..496213ce90650 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
@@ -95,6 +95,3 @@ kubeadm join phase control-plane-join all [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
index c06ddaae40e4f..d127f67fd80db 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
@@ -9,7 +9,6 @@ guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-
 Add a new local etcd member
 
 ### Synopsis
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
index 6952dbca80ca4..3dc12615a9560 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
@@ -67,6 +67,3 @@ kubeadm join phase control-plane-prepare [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
index 661edf597deac..1d5351f3aff99 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
@@ -151,6 +151,3 @@ kubeadm join phase control-plane-prepare all [api-server-endpoint] [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
index 647511594058c..81355a775e8a2 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
@@ -110,8 +110,6 @@ kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags]
 </tbody>
 </table>
 
-
-
 ### Options inherited from parent commands
 
    <table style="width: 100%; table-layout: fixed;">
@@ -130,6 +128,3 @@ kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
index 5896b25337b15..cafb58658ecc6 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
@@ -123,6 +123,3 @@ kubeadm join phase kubelet-start [api-server-endpoint] [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
index e09b75f9283a0..ae869d7f476ad 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
@@ -117,6 +117,3 @@ kubeadm reset [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
index ceabd2045e96a..4120c0a97d137 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
@@ -74,6 +74,3 @@ kubeadm reset phase cleanup-node [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
index d2c1060ff4ac2..3fd91a98a6223 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
@@ -67,6 +67,3 @@ kubeadm reset phase remove-etcd-member [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
index 5384fc4d6cce2..025ab1efac99d 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
@@ -91,6 +91,3 @@ kubeadm token [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
index a2a217033c88b..4687fcbba1e5a 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
@@ -9,7 +9,6 @@ guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-
 Create bootstrap tokens on the server
 
 ### Synopsis
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
index 2040bd3f94ac1..30b76787988bf 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
@@ -79,6 +79,3 @@ kubeadm token delete [token-value] ...
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
index eb5e3c4cace98..718257f8afc77 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
@@ -102,6 +102,3 @@ kubeadm upgrade diff [version] [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
index a8a3138c887ac..12fbe5b8f390b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
@@ -117,6 +117,3 @@ kubeadm upgrade node [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
index 6b86c950548ec..ce5b6f842970b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
@@ -56,6 +56,3 @@ Use this command to invoke single phase of the node workflow
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
index d82a193898a21..ff44d0d7dae3e 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
@@ -67,6 +67,3 @@ kubeadm upgrade node phase preflight [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
index b86c7259774d3..38cc27bee91b4 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
@@ -67,6 +67,3 @@ kubeadm version [flags]
 
 </tbody>
 </table>
-
-
-
diff --git a/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md b/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
index 74428b914834e..4a9e125379ea6 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
@@ -219,7 +219,7 @@ Other API server flags that are set unconditionally are:
 
  - `--insecure-port=0` to avoid insecure connections to the api server
  - `--enable-bootstrap-token-auth=true` to enable the `BootstrapTokenAuthenticator` authentication module.
-   See [TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for more details
+   See [TLS Bootstrapping](/docs/reference/access-authn-authn/kubelet-tls-bootstrapping/) for more details
  - `--allow-privileged` to `true` (required e.g. by kube proxy)
  - `--requestheader-client-ca-file` to `front-proxy-ca.crt`
  - `--enable-admission-plugins` to:
@@ -266,7 +266,7 @@ The static Pod manifest for the controller manager is affected by following para
 Other flags that are set unconditionally are:
 
  - `--controllers` enabling all the default controllers plus `BootstrapSigner` and `TokenCleaner` controllers for TLS bootstrap.
-   See [TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for more details
+   See [TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) for more details
  - `--use-service-account-credentials` to `true`
  - Flags for using certificates generated in previous steps:
     - `--root-ca-file` to `ca.crt`
@@ -329,7 +329,7 @@ Please note that:
 ### Configure TLS-Bootstrapping for node joining
 
 Kubeadm uses [Authenticating with Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) for joining new nodes to an
-existing cluster; for more details see also [design proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md).
+existing cluster; for more details see also [design proposal](https://git.k8s.io/design-proposals-archive/cluster-lifecycle/bootstrap-discovery.md).
 
 `kubeadm init` ensures that everything is properly configured for this process, and this includes following steps as well as
 setting API server and controller flags as already described in previous paragraphs.
@@ -420,7 +420,7 @@ Similarly to `kubeadm init`, also `kubeadm join` internal workflow consists of a
 
 This is split into discovery (having the Node trust the Kubernetes Master) and TLS bootstrap (having the Kubernetes Master trust the Node).
 
-see [Authenticating with Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) or the corresponding [design proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md).
+see [Authenticating with Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) or the corresponding [design proposal](https://git.k8s.io/design-proposals-archive/cluster-lifecycle/bootstrap-discovery.md).
 
 ### Preflight checks
 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
index fc87e796c2ed7..fdb117c5d545b 100644
--- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
+++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -52,7 +52,7 @@ following steps:
 
 1. Makes all the necessary configurations for allowing node joining with the
    [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and
-   [TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+   [TLS Bootstrap](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
    mechanism:
 
    - Write a ConfigMap for making available all the information required
@@ -242,6 +242,15 @@ where `config.yaml` contains the custom `imageRepository`, and/or `imageTag`
 for etcd and CoreDNS.
 * Pass the same `config.yaml` to `kubeadm init`.
 
+#### Custom sandbox (pause) images {#custom-pause-image}
+
+To set a custom image for these you need to configure this in your 
+{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
+to use the image.
+Consult the documentation for your container runtime to find out how to change this setting;
+for selected container runtimes, you can also find advice within the
+[Container Runtimes]((/docs/setup/production-environment/container-runtimes/) topic.
+
 ### Uploading control-plane certificates to the cluster
 
 By adding the flag `--upload-certs` to `kubeadm init` you can temporary upload
diff --git a/content/en/docs/reference/using-api/_index.md b/content/en/docs/reference/using-api/_index.md
index 5e335fb191c37..6592deb3c7155 100644
--- a/content/en/docs/reference/using-api/_index.md
+++ b/content/en/docs/reference/using-api/_index.md
@@ -39,7 +39,7 @@ The JSON and Protobuf serialization schemas follow the same guidelines for
 schema changes. The following descriptions cover both formats.
 
 The API versioning and software versioning are indirectly related.
-The [API and release versioning proposal](https://git.k8s.io/community/contributors/design-proposals/release/versioning.md)
+The [API and release versioning proposal](https://git.k8s.io/design-proposals-archive/release/versioning.md)
 describes the relationship between API versioning and software versioning.
 
 Different API versions indicate different levels of stability and support. You
@@ -83,7 +83,7 @@ Here's a summary of each level:
 
 ## API groups
 
-[API groups](https://git.k8s.io/community/contributors/design-proposals/api-machinery/api-group.md)
+[API groups](https://git.k8s.io/design-proposals-archive/api-machinery/api-group.md)
 make it easier to extend the Kubernetes API.
 The API group is specified in a REST path and in the `apiVersion` field of a
 serialized object.
@@ -124,4 +124,4 @@ Kubernetes stores its serialized state in terms of the API resources by writing
 
 - Learn more about [API conventions](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#api-conventions)
 - Read the design documentation for
-  [aggregator](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/aggregated-api-servers.md)
+  [aggregator](https://git.k8s.io/design-proposals-archive/api-machinery/aggregated-api-servers.md)
diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md
index 2e4fb85df289e..1a722acffd229 100644
--- a/content/en/docs/reference/using-api/api-concepts.md
+++ b/content/en/docs/reference/using-api/api-concepts.md
@@ -15,8 +15,8 @@ primary resources via the standard HTTP verbs (POST, PUT, PATCH, DELETE,
 GET).
 
 For some resources, the API includes additional subresources that allow
-fine grained authorization (such as a separating viewing details for a Pod from
-retrieving its logs), and can accept and serve those resources in different
+fine grained authorization (such as separate views for Pod details and
+log retrievals), and can accept and serve those resources in different
 representations for convenience or efficiency.
 
 Kubernetes supports efficient change notifications on resources via *watches*.
diff --git a/content/en/docs/reference/using-api/client-libraries.md b/content/en/docs/reference/using-api/client-libraries.md
index 8647198fe9dd7..145599cdd9203 100644
--- a/content/en/docs/reference/using-api/client-libraries.md
+++ b/content/en/docs/reference/using-api/client-libraries.md
@@ -28,14 +28,17 @@ The following client libraries are officially maintained by
 [Kubernetes SIG API Machinery](https://github.com/kubernetes/community/tree/master/sig-api-machinery).
 
 
-| Language | Client Library | Sample Programs |
-|----------|----------------|-----------------|
-| dotnet   | [github.com/kubernetes-client/csharp](https://github.com/kubernetes-client/csharp) | [browse](https://github.com/kubernetes-client/csharp/tree/master/examples/simple)
-| Go       | [github.com/kubernetes/client-go/](https://github.com/kubernetes/client-go/) | [browse](https://github.com/kubernetes/client-go/tree/master/examples)
-| Haskell  | [github.com/kubernetes-client/haskell](https://github.com/kubernetes-client/haskell) | [browse](https://github.com/kubernetes-client/haskell/tree/master/kubernetes-client/example)
-| Java     | [github.com/kubernetes-client/java](https://github.com/kubernetes-client/java/) | [browse](https://github.com/kubernetes-client/java#installation)
-| JavaScript   | [github.com/kubernetes-client/javascript](https://github.com/kubernetes-client/javascript) | [browse](https://github.com/kubernetes-client/javascript/tree/master/examples)
-| Python   | [github.com/kubernetes-client/python/](https://github.com/kubernetes-client/python/) | [browse](https://github.com/kubernetes-client/python/tree/master/examples)
+| Language   | Client Library | Sample Programs |
+|------------|----------------|-----------------|
+| C          | [github.com/kubernetes-client/c](https://github.com/kubernetes-client/c/) | [browse](https://github.com/kubernetes-client/c/tree/master/examples)
+| dotnet     | [github.com/kubernetes-client/csharp](https://github.com/kubernetes-client/csharp) | [browse](https://github.com/kubernetes-client/csharp/tree/master/examples/simple)
+| Go         | [github.com/kubernetes/client-go/](https://github.com/kubernetes/client-go/) | [browse](https://github.com/kubernetes/client-go/tree/master/examples)
+| Haskell    | [github.com/kubernetes-client/haskell](https://github.com/kubernetes-client/haskell) | [browse](https://github.com/kubernetes-client/haskell/tree/master/kubernetes-client/example)
+| Java       | [github.com/kubernetes-client/java](https://github.com/kubernetes-client/java/) | [browse](https://github.com/kubernetes-client/java#installation)
+| JavaScript | [github.com/kubernetes-client/javascript](https://github.com/kubernetes-client/javascript) | [browse](https://github.com/kubernetes-client/javascript/tree/master/examples)
+| Perl       | [github.com/kubernetes-client/perl/](https://github.com/kubernetes-client/perl/) | [browse](https://github.com/kubernetes-client/perl/tree/master/examples)
+| Python     | [github.com/kubernetes-client/python/](https://github.com/kubernetes-client/python/) | [browse](https://github.com/kubernetes-client/python/tree/master/examples)
+| Ruby       | [github.com/kubernetes-client/ruby/](https://github.com/kubernetes-client/ruby/) | [browse](https://github.com/kubernetes-client/ruby/tree/master/examples)
 
 ## Community-maintained client libraries
 
diff --git a/content/en/docs/reference/using-api/deprecation-guide.md b/content/en/docs/reference/using-api/deprecation-guide.md
index 08601313d95aa..d448344504aa9 100644
--- a/content/en/docs/reference/using-api/deprecation-guide.md
+++ b/content/en/docs/reference/using-api/deprecation-guide.md
@@ -110,8 +110,10 @@ The **policy/v1beta1** API version of PodDisruptionBudget will no longer be serv
 
 PodSecurityPolicy in the **policy/v1beta1** API version will no longer be served in v1.25, and the PodSecurityPolicy admission controller will be removed.
 
-PodSecurityPolicy replacements are still under discussion, but current use can be migrated to
-[3rd-party admission webhooks](/docs/reference/access-authn-authz/extensible-admission-controllers/) now.
+Migrate to [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
+or a [3rd party admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/).
+For a migration guide, see [Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller](/docs/tasks/configure-pod-container/migrate-from-psp/).
+For more information on the deprecation, see [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/).
 
 #### RuntimeClass {#runtimeclass-v125}
 
@@ -174,7 +176,7 @@ The **authentication.k8s.io/v1beta1** API version of TokenReview is no longer se
 
 #### SubjectAccessReview resources {#subjectaccessreview-resources-v122}
 
-The **authorization.k8s.io/v1beta1** API version of LocalSubjectAccessReview, SelfSubjectAccessReview, and SubjectAccessReview is no longer served as of v1.22.
+The **authorization.k8s.io/v1beta1** API version of LocalSubjectAccessReview, SelfSubjectAccessReview, SubjectAccessReview, and SelfSubjectRulesReview is no longer served as of v1.22.
 
 * Migrate manifests and API clients to use the **authorization.k8s.io/v1** API version, available since v1.6.
 * Notable changes:
diff --git a/content/en/docs/reference/using-api/server-side-apply.md b/content/en/docs/reference/using-api/server-side-apply.md
index 6b932278dc8c1..e9f951a76a8cb 100644
--- a/content/en/docs/reference/using-api/server-side-apply.md
+++ b/content/en/docs/reference/using-api/server-side-apply.md
@@ -125,7 +125,8 @@ this occurs, the applier has 3 options to resolve the conflicts:
 
 * **Overwrite value, become sole manager:** If overwriting the value was
   intentional (or if the applier is an automated process like a controller) the
-  applier should set the `force` query parameter to true and make the request
+  applier should set the `force` query parameter to true (in kubectl, it can be done by
+  using the `--force-conflicts` flag with the apply command) and make the request
   again. This forces the operation to succeed, changes the value of the field,
   and removes the field from all other managers' entries in managedFields.
 
diff --git a/content/en/docs/setup/_index.md b/content/en/docs/setup/_index.md
index bb73375553d27..ba9b3c6785ee5 100644
--- a/content/en/docs/setup/_index.md
+++ b/content/en/docs/setup/_index.md
@@ -27,6 +27,13 @@ control, available resources, and expertise required to operate and manage a clu
 You can [download Kubernetes](/releases/download/) to deploy a Kubernetes cluster
 on a local machine, into the cloud, or for your own datacenter.
 
+Several [Kubernetes components](/docs/concepts/overview/components/) such as `kube-apiserver` or `kube-proxy` can also be
+deployed as [container images](/releases/download/#container-images) within the cluster.
+
+It is **recommended** to run Kubernetes components as container images wherever
+that is possible, and to have Kubernetes manage those components.
+Components that run containers - notably, the kubelet - can't be included in this category.
+
 If you don't want to manage a Kubernetes cluster yourself, you could pick a managed service, including
 [certified platforms](/docs/setup/production-environment/turnkey-solutions/).
 There are also other standardized and custom solutions across a wide range of cloud and
@@ -60,4 +67,5 @@ for deploying Kubernetes is [kubeadm](/docs/setup/production-environment/tools/k
 Kubernetes is designed for its {{< glossary_tooltip term_id="control-plane" text="control plane" >}} to
 run on Linux. Within your cluster you can run applications on Linux or other operating systems, including
 Windows.
-- Learn to [set up clusters with Windows nodes](/docs/setup/production-environment/windows/)
+
+- Learn to [set up clusters with Windows nodes](/docs/concepts/windows/)
diff --git a/content/en/docs/setup/best-practices/certificates.md b/content/en/docs/setup/best-practices/certificates.md
index 6d6d576c39641..23e4ac8df70b4 100644
--- a/content/en/docs/setup/best-practices/certificates.md
+++ b/content/en/docs/setup/best-practices/certificates.md
@@ -22,7 +22,7 @@ This page explains the certificates that your cluster requires.
 Kubernetes requires PKI for the following operations:
 
 * Client certificates for the kubelet to authenticate to the API server
-* Kubelet [server certificates](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#client-and-serving-certificates)
+* Kubelet [server certificates](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates)
   for the API server to talk to the kubelets
 * Server certificate for the API server endpoint
 * Client certificates for administrators of the cluster to authenticate to the API server
diff --git a/content/en/docs/setup/production-environment/_index.md b/content/en/docs/setup/production-environment/_index.md
index 7d8200a6b3cab..32c91d4f752c9 100644
--- a/content/en/docs/setup/production-environment/_index.md
+++ b/content/en/docs/setup/production-environment/_index.md
@@ -28,29 +28,29 @@ on or hand to others, consider how your requirements for a Kubernetes cluster
 are influenced by the following issues:
 
 - *Availability*: A single-machine Kubernetes [learning environment](/docs/setup/#learning-environment)
-has a single point of failure. Creating a highly available cluster means considering:
+  has a single point of failure. Creating a highly available cluster means considering:
   - Separating the control plane from the worker nodes.
   - Replicating the control plane components on multiple nodes.
   - Load balancing traffic to the cluster’s {{< glossary_tooltip term_id="kube-apiserver" text="API server" >}}.
   - Having enough worker nodes available, or able to quickly become available, as changing workloads warrant it.
 
 - *Scale*: If you expect your production Kubernetes environment to receive a stable amount of
-demand, you might be able to set up for the capacity you need and be done. However,
-if you expect demand to grow over time or change dramatically based on things like
-season or special events, you need to plan how to scale to relieve increased
-pressure from more requests to the control plane and worker nodes or scale down to reduce unused
-resources.
+  demand, you might be able to set up for the capacity you need and be done. However,
+  if you expect demand to grow over time or change dramatically based on things like
+  season or special events, you need to plan how to scale to relieve increased
+  pressure from more requests to the control plane and worker nodes or scale down to reduce unused
+  resources.
 
 - *Security and access management*: You have full admin privileges on your own
-Kubernetes learning cluster. But shared clusters with important workloads, and
-more than one or two users, require a more refined approach to who and what can
-access cluster resources. You can use role-based access control
-([RBAC](/docs/reference/access-authn-authz/rbac/)) and other
-security mechanisms to make sure that users and workloads can get access to the
-resources they need, while keeping workloads, and the cluster itself, secure.
-You can set limits on the resources that users and workloads can access
-by managing [policies](/docs/concepts/policy/) and
-[container resources](/docs/concepts/configuration/manage-resources-containers/).
+  Kubernetes learning cluster. But shared clusters with important workloads, and
+  more than one or two users, require a more refined approach to who and what can
+  access cluster resources. You can use role-based access control
+  ([RBAC](/docs/reference/access-authn-authz/rbac/)) and other
+  security mechanisms to make sure that users and workloads can get access to the
+  resources they need, while keeping workloads, and the cluster itself, secure.
+  You can set limits on the resources that users and workloads can access
+  by managing [policies](/docs/concepts/policy/) and
+  [container resources](/docs/concepts/configuration/manage-resources-containers/).
 
 Before building a Kubernetes production environment on your own, consider
 handing off some or all of this job to 
@@ -59,16 +59,16 @@ providers or other [Kubernetes Partners](https://kubernetes.io/partners/).
 Options include:
 
 - *Serverless*: Just run workloads on third-party equipment without managing
-a cluster at all. You will be charged for things like CPU usage, memory, and
-disk requests.
+  a cluster at all. You will be charged for things like CPU usage, memory, and
+  disk requests.
 - *Managed control plane*: Let the provider manage the scale and availability
-of the cluster's control plane, as well as handle patches and upgrades.
+  of the cluster's control plane, as well as handle patches and upgrades.
 - *Managed worker nodes*: Configure pools of nodes to meet your needs,
-then the provider makes sure those nodes are available and ready to implement
-upgrades when needed.
+  then the provider makes sure those nodes are available and ready to implement
+  upgrades when needed.
 - *Integration*: There are providers that integrate Kubernetes with other
-services you may need, such as storage, container registries, authentication
-methods, and development tools.
+  services you may need, such as storage, container registries, authentication
+  methods, and development tools.
 
 Whether you build a production Kubernetes cluster yourself or work with
 partners, review the following sections to evaluate your needs as they relate
@@ -99,52 +99,52 @@ and ensuring that it can be repaired if something goes wrong is important,
 consider these steps:
 
 - *Choose deployment tools*: You can deploy a control plane using tools such
-as kubeadm, kops, and kubespray. See
-[Installing Kubernetes with deployment tools](/docs/setup/production-environment/tools/)
-to learn tips for production-quality deployments using each of those deployment
-methods. Different [Container Runtimes](/docs/setup/production-environment/container-runtimes/)
-are available to use with your deployments.
+  as kubeadm, kops, and kubespray. See
+  [Installing Kubernetes with deployment tools](/docs/setup/production-environment/tools/)
+  to learn tips for production-quality deployments using each of those deployment
+  methods. Different [Container Runtimes](/docs/setup/production-environment/container-runtimes/)
+  are available to use with your deployments.
 - *Manage certificates*: Secure communications between control plane services
-are implemented using certificates. Certificates are automatically generated
-during deployment or you can generate them using your own certificate authority.
-See [PKI certificates and requirements](/docs/setup/best-practices/certificates/) for details.
+  are implemented using certificates. Certificates are automatically generated
+  during deployment or you can generate them using your own certificate authority.
+  See [PKI certificates and requirements](/docs/setup/best-practices/certificates/) for details.
 - *Configure load balancer for apiserver*: Configure a load balancer
-to distribute external API requests to the apiserver service instances running on different nodes. See 
-[Create an External Load Balancer](/docs/tasks/access-application-cluster/create-external-load-balancer/)
-for details.
+  to distribute external API requests to the apiserver service instances running on different nodes. See 
+  [Create an External Load Balancer](/docs/tasks/access-application-cluster/create-external-load-balancer/)
+  for details.
 - *Separate and backup etcd service*: The etcd services can either run on the
-same machines as other control plane services or run on separate machines, for
-extra security and availability. Because etcd stores cluster configuration data,
-backing up the etcd database should be done regularly to ensure that you can
-repair that database if needed.
-See the [etcd FAQ](https://etcd.io/docs/v3.4/faq/) for details on configuring and using etcd.
-See [Operating etcd clusters for Kubernetes](/docs/tasks/administer-cluster/configure-upgrade-etcd/)
-and [Set up a High Availability etcd cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)
-for details.
+  same machines as other control plane services or run on separate machines, for
+  extra security and availability. Because etcd stores cluster configuration data,
+  backing up the etcd database should be done regularly to ensure that you can
+  repair that database if needed.
+  See the [etcd FAQ](https://etcd.io/docs/v3.4/faq/) for details on configuring and using etcd.
+  See [Operating etcd clusters for Kubernetes](/docs/tasks/administer-cluster/configure-upgrade-etcd/)
+  and [Set up a High Availability etcd cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)
+  for details.
 - *Create multiple control plane systems*: For high availability, the
-control plane should not be limited to a single machine. If the control plane
-services are run by an init service (such as systemd), each service should run on at
-least three machines. However, running control plane services as pods in
-Kubernetes ensures that the replicated number of services that you request
-will always be available.
-The scheduler should be fault tolerant,
-but not highly available. Some deployment tools set up [Raft](https://raft.github.io/)
-consensus algorithm to do leader election of Kubernetes services. If the
-primary goes away, another service elects itself and take over. 
+  control plane should not be limited to a single machine. If the control plane
+  services are run by an init service (such as systemd), each service should run on at
+  least three machines. However, running control plane services as pods in
+  Kubernetes ensures that the replicated number of services that you request
+  will always be available.
+  The scheduler should be fault tolerant,
+  but not highly available. Some deployment tools set up [Raft](https://raft.github.io/)
+  consensus algorithm to do leader election of Kubernetes services. If the
+  primary goes away, another service elects itself and take over. 
 - *Span multiple zones*: If keeping your cluster available at all times is
-critical, consider creating a cluster that runs across multiple data centers,
-referred to as zones in cloud environments. Groups of zones are referred to as regions.
-By spreading a cluster across
-multiple zones in the same region, it can improve the chances that your
-cluster will continue to function even if one zone becomes unavailable.
-See [Running in multiple zones](/docs/setup/best-practices/multiple-zones/) for details.
+  critical, consider creating a cluster that runs across multiple data centers,
+  referred to as zones in cloud environments. Groups of zones are referred to as regions.
+  By spreading a cluster across
+  multiple zones in the same region, it can improve the chances that your
+  cluster will continue to function even if one zone becomes unavailable.
+  See [Running in multiple zones](/docs/setup/best-practices/multiple-zones/) for details.
 - *Manage on-going features*: If you plan to keep your cluster over time,
-there are tasks you need to do to maintain its health and security. For example,
-if you installed with kubeadm, there are instructions to help you with
-[Certificate Management](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
-and [Upgrading kubeadm clusters](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
-See [Administer a Cluster](/docs/tasks/administer-cluster/)
-for a longer list of Kubernetes administrative tasks.
+  there are tasks you need to do to maintain its health and security. For example,
+  if you installed with kubeadm, there are instructions to help you with
+  [Certificate Management](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
+  and [Upgrading kubeadm clusters](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
+  See [Administer a Cluster](/docs/tasks/administer-cluster/)
+  for a longer list of Kubernetes administrative tasks.
 
 To learn about available options when you run control plane services, see
 [kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/),
@@ -166,39 +166,36 @@ consider how you want to manage your worker nodes (also referred to
 simply as *nodes*).  
 
 - *Configure nodes*: Nodes can be physical or virtual machines. If you want to
-create and manage your own nodes, you can install a supported operating system,
-then add and run the appropriate
-[Node services](/docs/concepts/overview/components/#node-components). Consider:
+  create and manage your own nodes, you can install a supported operating system,
+  then add and run the appropriate
+  [Node services](/docs/concepts/overview/components/#node-components). Consider:
   - The demands of your workloads when you set up nodes by having appropriate memory, CPU, and disk speed and storage capacity available.
   - Whether generic computer systems will do or you have workloads that need GPU processors, Windows nodes, or VM isolation.
 - *Validate nodes*: See [Valid node setup](/docs/setup/best-practices/node-conformance/)
-for information on how to ensure that a node meets the requirements to join
-a Kubernetes cluster.
+  for information on how to ensure that a node meets the requirements to join
+  a Kubernetes cluster.
 - *Add nodes to the cluster*: If you are managing your own cluster you can
-add nodes by setting up your own machines and either adding them manually or
-having them register themselves to the cluster’s apiserver. See the
-[Nodes](/docs/concepts/architecture/nodes/) section for information on how to set up Kubernetes to add nodes in these ways.
-- *Add Windows nodes to the cluster*: Kubernetes offers support for Windows
-worker nodes, allowing you to run workloads implemented in Windows containers. See
-[Windows in Kubernetes](/docs/setup/production-environment/windows/) for details.
+  add nodes by setting up your own machines and either adding them manually or
+  having them register themselves to the cluster’s apiserver. See the
+  [Nodes](/docs/concepts/architecture/nodes/) section for information on how to set up Kubernetes to add nodes in these ways.
 - *Scale nodes*: Have a plan for expanding the capacity your cluster will
-eventually need. See [Considerations for large clusters](/docs/setup/best-practices/cluster-large/)
-to help determine how many nodes you need, based on the number of pods and
-containers you need to run. If you are managing nodes yourself, this can mean
-purchasing and installing your own physical equipment.
+  eventually need. See [Considerations for large clusters](/docs/setup/best-practices/cluster-large/)
+  to help determine how many nodes you need, based on the number of pods and
+  containers you need to run. If you are managing nodes yourself, this can mean
+  purchasing and installing your own physical equipment.
 - *Autoscale nodes*: Most cloud providers support
-[Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#readme)
-to replace unhealthy nodes or grow and shrink the number of nodes as demand requires. See the
-[Frequently Asked Questions](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md)
-for how the autoscaler works and
-[Deployment](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#deployment)
-for how it is implemented by different cloud providers. For on-premises, there
-are some virtualization platforms that can be scripted to spin up new nodes
-based on demand.
+  [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#readme)
+  to replace unhealthy nodes or grow and shrink the number of nodes as demand requires. See the
+  [Frequently Asked Questions](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md)
+  for how the autoscaler works and
+  [Deployment](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#deployment)
+  for how it is implemented by different cloud providers. For on-premises, there
+  are some virtualization platforms that can be scripted to spin up new nodes
+  based on demand.
 - *Set up node health checks*: For important workloads, you want to make sure
-that the nodes and pods running on those nodes are healthy. Using the
-[Node Problem Detector](/docs/tasks/debug/debug-cluster/monitor-node-health/)
-daemon, you can ensure your nodes are healthy.
+  that the nodes and pods running on those nodes are healthy. Using the
+  [Node Problem Detector](/docs/tasks/debug/debug-cluster/monitor-node-health/)
+  daemon, you can ensure your nodes are healthy.
 
 ## Production user management
 
@@ -215,39 +212,51 @@ cluster (authentication) and deciding if they have permissions to do what they
 are asking (authorization):
 
 - *Authentication*: The apiserver can authenticate users using client
-certificates, bearer tokens, an authenticating proxy, or HTTP basic auth.
-You can choose which authentication methods you want to use.
-Using plugins, the apiserver can leverage your organization’s existing
-authentication methods, such as LDAP or Kerberos. See
-[Authentication](/docs/reference/access-authn-authz/authentication/)
-for a description of these different methods of authenticating Kubernetes users.
-- *Authorization*: When you set out to authorize your regular users, you will probably choose between RBAC and ABAC authorization. See [Authorization Overview](/docs/reference/access-authn-authz/authorization/) to review different modes for authorizing user accounts (as well as service account access to your cluster):
-  - *Role-based access control* ([RBAC](/docs/reference/access-authn-authz/rbac/)): Lets you assign access to your cluster by allowing specific sets of permissions to authenticated users. Permissions can be assigned for a specific namespace (Role) or across the entire cluster (ClusterRole). Then using RoleBindings and ClusterRoleBindings, those permissions can be attached to particular users.
-  - *Attribute-based access control* ([ABAC](/docs/reference/access-authn-authz/abac/)): Lets you create policies based on resource attributes in the cluster and will allow or deny access based on those attributes. Each line of a policy file identifies versioning properties (apiVersion and kind) and a map of spec properties to match the subject (user or group), resource property, non-resource property (/version or /apis), and readonly. See [Examples](/docs/reference/access-authn-authz/abac/#examples) for details.
+  certificates, bearer tokens, an authenticating proxy, or HTTP basic auth.
+  You can choose which authentication methods you want to use.
+  Using plugins, the apiserver can leverage your organization’s existing
+  authentication methods, such as LDAP or Kerberos. See
+  [Authentication](/docs/reference/access-authn-authz/authentication/)
+  for a description of these different methods of authenticating Kubernetes users.
+- *Authorization*: When you set out to authorize your regular users, you will probably choose
+  between RBAC and ABAC authorization. See [Authorization Overview](/docs/reference/access-authn-authz/authorization/)
+  to review different modes for authorizing user accounts (as well as service account access to
+  your cluster):
+  - *Role-based access control* ([RBAC](/docs/reference/access-authn-authz/rbac/)): Lets you
+    assign access to your cluster by allowing specific sets of permissions to authenticated users.
+    Permissions can be assigned for a specific namespace (Role) or across the entire cluster
+    (ClusterRole). Then using RoleBindings and ClusterRoleBindings, those permissions can be attached
+    to particular users.
+  - *Attribute-based access control* ([ABAC](/docs/reference/access-authn-authz/abac/)): Lets you
+    create policies based on resource attributes in the cluster and will allow or deny access
+    based on those attributes. Each line of a policy file identifies versioning properties (apiVersion
+    and kind) and a map of spec properties to match the subject (user or group), resource property,
+    non-resource property (/version or /apis), and readonly. See
+    [Examples](/docs/reference/access-authn-authz/abac/#examples) for details.
 
 As someone setting up authentication and authorization on your production Kubernetes cluster, here are some things to consider:
 
 - *Set the authorization mode*: When the Kubernetes API server
-([kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/))
-starts, the supported authentication modes must be set using the *--authorization-mode*
-flag. For example, that flag in the *kube-adminserver.yaml* file (in */etc/kubernetes/manifests*)
-could be set to Node,RBAC. This would allow Node and RBAC authorization for authenticated requests.
+  ([kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/))
+  starts, the supported authentication modes must be set using the *--authorization-mode*
+  flag. For example, that flag in the *kube-adminserver.yaml* file (in */etc/kubernetes/manifests*)
+  could be set to Node,RBAC. This would allow Node and RBAC authorization for authenticated requests.
 - *Create user certificates and role bindings (RBAC)*: If you are using RBAC
-authorization, users can create a CertificateSigningRequest (CSR) that can be
-signed by the cluster CA. Then you can bind Roles and ClusterRoles to each user.
-See [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/)
-for details.
+  authorization, users can create a CertificateSigningRequest (CSR) that can be
+  signed by the cluster CA. Then you can bind Roles and ClusterRoles to each user.
+  See [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/)
+  for details.
 - *Create policies that combine attributes (ABAC)*: If you are using ABAC
-authorization, you can assign combinations of attributes to form policies to
-authorize selected users or groups to access particular resources (such as a
-pod), namespace, or apiGroup. For more information, see
-[Examples](/docs/reference/access-authn-authz/abac/#examples).
+  authorization, you can assign combinations of attributes to form policies to
+  authorize selected users or groups to access particular resources (such as a
+  pod), namespace, or apiGroup. For more information, see
+  [Examples](/docs/reference/access-authn-authz/abac/#examples).
 - *Consider Admission Controllers*: Additional forms of authorization for
-requests that can come in through the API server include
-[Webhook Token Authentication](/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
-Webhooks and other special authorization types need to be enabled by adding
-[Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/)
-to the API server.
+  requests that can come in through the API server include
+  [Webhook Token Authentication](/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
+  Webhooks and other special authorization types need to be enabled by adding
+  [Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/)
+  to the API server.
 
 ## Set limits on workload resources
 
@@ -256,38 +265,45 @@ of the Kubernetes control plane. Consider these items when setting up for the
 needs of your cluster's workloads:
 
 - *Set namespace limits*: Set per-namespace quotas on things like memory and CPU. See
-[Manage Memory, CPU, and API Resources](/docs/tasks/administer-cluster/manage-resources/)
-for details. You can also set
-[Hierarchical Namespaces](/blog/2020/08/14/introducing-hierarchical-namespaces/)
-for inheriting limits.
+  [Manage Memory, CPU, and API Resources](/docs/tasks/administer-cluster/manage-resources/)
+  for details. You can also set
+  [Hierarchical Namespaces](/blog/2020/08/14/introducing-hierarchical-namespaces/)
+  for inheriting limits.
 - *Prepare for DNS demand*: If you expect workloads to massively scale up,
-your DNS service must be ready to scale up as well. See
-[Autoscale the DNS service in a Cluster](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/).
+  your DNS service must be ready to scale up as well. See
+  [Autoscale the DNS service in a Cluster](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/).
 - *Create additional service accounts*: User accounts determine what users can
-do on a cluster, while a service account defines pod access within a particular
-namespace. By default, a pod takes on the default service account from its namespace.
-See [Managing Service Accounts](/docs/reference/access-authn-authz/service-accounts-admin/)
-for information on creating a new service account. For example, you might want to:
-  - Add secrets that a pod could use to pull images from a particular container registry. See [Configure Service Accounts for Pods](/docs/tasks/configure-pod-container/configure-service-account/) for an example.
-  - Assign RBAC permissions to a service account. See [ServiceAccount permissions](/docs/reference/access-authn-authz/rbac/#service-account-permissions) for details.
+  do on a cluster, while a service account defines pod access within a particular
+  namespace. By default, a pod takes on the default service account from its namespace.
+  See [Managing Service Accounts](/docs/reference/access-authn-authz/service-accounts-admin/)
+  for information on creating a new service account. For example, you might want to:
+  - Add secrets that a pod could use to pull images from a particular container registry. See
+    [Configure Service Accounts for Pods](/docs/tasks/configure-pod-container/configure-service-account/)
+    for an example.
+  - Assign RBAC permissions to a service account. See
+    [ServiceAccount permissions](/docs/reference/access-authn-authz/rbac/#service-account-permissions)
+    for details.
 
 ## {{% heading "whatsnext" %}}
 
 - Decide if you want to build your own production Kubernetes or obtain one from
-available [Turnkey Cloud Solutions](/docs/setup/production-environment/turnkey-solutions/)
-or [Kubernetes Partners](https://kubernetes.io/partners/).
+  available [Turnkey Cloud Solutions](/docs/setup/production-environment/turnkey-solutions/)
+  or [Kubernetes Partners](https://kubernetes.io/partners/).
 - If you choose to build your own cluster, plan how you want to
-handle [certificates](/docs/setup/best-practices/certificates/)
-and set up high availability for features such as
-[etcd](/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)
-and the
-[API server](/docs/setup/production-environment/tools/kubeadm/ha-topology/).
-- Choose from [kubeadm](/docs/setup/production-environment/tools/kubeadm/), [kops](/docs/setup/production-environment/tools/kops/) or [Kubespray](/docs/setup/production-environment/tools/kubespray/)
-deployment methods.
+  handle [certificates](/docs/setup/best-practices/certificates/)
+  and set up high availability for features such as
+  [etcd](/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)
+  and the
+  [API server](/docs/setup/production-environment/tools/kubeadm/ha-topology/).
+- Choose from [kubeadm](/docs/setup/production-environment/tools/kubeadm/),
+  [kops](/docs/setup/production-environment/tools/kops/) or
+  [Kubespray](/docs/setup/production-environment/tools/kubespray/)
+  deployment methods.
 - Configure user management by determining your
-[Authentication](/docs/reference/access-authn-authz/authentication/) and
-[Authorization](/docs/reference/access-authn-authz/authorization/) methods.
+  [Authentication](/docs/reference/access-authn-authz/authentication/) and
+  [Authorization](/docs/reference/access-authn-authz/authorization/) methods.
 - Prepare for application workloads by setting up
-[resource limits](/docs/tasks/administer-cluster/manage-resources/),
-[DNS autoscaling](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)
-and [service accounts](/docs/reference/access-authn-authz/service-accounts-admin/).
+  [resource limits](/docs/tasks/administer-cluster/manage-resources/),
+  [DNS autoscaling](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)
+  and [service accounts](/docs/reference/access-authn-authz/service-accounts-admin/).
+
diff --git a/content/en/docs/setup/production-environment/container-runtimes.md b/content/en/docs/setup/production-environment/container-runtimes.md
index 1f658fa262b92..dd432afd3de57 100644
--- a/content/en/docs/setup/production-environment/container-runtimes.md
+++ b/content/en/docs/setup/production-environment/container-runtimes.md
@@ -36,8 +36,8 @@ part of Kubernetes (this removal was
 [announced](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)
 as part of the v1.20 release).
 You can read
-[Check whether Dockershim deprecation affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/) to understand how this removal might
-affect you. To learn about migrating from using dockershim, see
+[Check whether Dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/)
+to understand how this removal might affect you. To learn about migrating from using dockershim, see
 [Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/).
 
 If you are running a version of Kubernetes other than v{{< skew currentVersion >}},
@@ -46,6 +46,41 @@ check the documentation for that version.
 
 
 <!-- body -->
+## Install and configure prerequisites
+
+The following steps apply common settings for Kubernetes nodes on Linux. 
+
+You can skip a particular setting if you're certain you don't need it.
+
+For more information, see [Network Plugin Requirements](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements) or the documentation for your specific container runtime.
+
+### Forwarding IPv4 and letting iptables see bridged traffic
+
+Verify that the `br_netfilter` module is loaded by running `lsmod | grep br_netfilter`. 
+
+To load it explicitly, run `sudo modprobe br_netfilter`.
+
+In order for a Linux node's iptables to correctly view bridged traffic, verify that `net.bridge.bridge-nf-call-iptables` is set to 1 in your `sysctl` config. For example:
+
+```bash
+cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
+overlay
+br_netfilter
+EOF
+
+sudo modprobe overlay
+sudo modprobe br_netfilter
+
+# sysctl params required by setup, params persist across reboots
+cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+EOF
+
+# Apply sysctl params without reboot
+sudo sysctl --system
+```
 
 ## Cgroup drivers
 
@@ -132,45 +167,22 @@ using the (deprecated) v1alpha2 API instead.
 
 {{% thirdparty-content %}}
 
-
 ### containerd
 
 This section outlines the necessary steps to use containerd as CRI runtime.
 
 Use the following commands to install Containerd on your system:
 
-1. Install and configure prerequisites:
-
-   (these instructions apply to Linux nodes only)
-
-   ```shell
-   cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
-   overlay
-   br_netfilter
-   EOF
-
-   sudo modprobe overlay
-   sudo modprobe br_netfilter
-
-   # Setup required sysctl params, these persist across reboots.
-   cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
-   net.bridge.bridge-nf-call-iptables  = 1
-   net.ipv4.ip_forward                 = 1
-   net.bridge.bridge-nf-call-ip6tables = 1
-   EOF
-
-   # Apply sysctl params without reboot
-   sudo sysctl --system
-   ```
-
-1. Install containerd:
+Follow the instructions for [getting started with containerd](https://github.com/containerd/containerd/blob/main/docs/getting-started.md). Return to this step once you've created a valid configuration file, `config.toml`. 
 
-   Visit
-   [Getting started with containerd](https://github.com/containerd/containerd/blob/main/docs/getting-started.md)
-   and follow the instructions there, up to the point where you have a valid
-   configuration file, config.toml.
-   On Linux, you can find this file under the path `/etc/containerd/config.toml`.
-   On Windows, you can find this file under the path `C:\Program Files\containerd\config.toml`.
+{{< tabs name="Finding your config.toml file" >}}
+{{% tab name="Linux" %}}
+You can find this file under the path `/etc/containerd/config.toml`.
+{{% /tab %}}
+{{< tab name="Windows" >}}
+You can find this file under the path `C:\Program Files\containerd\config.toml`.
+{{< /tab >}}
+{{< /tabs >}}
 
 On Linux the default CRI socket for containerd is `/run/containerd/containerd.sock`.
 On Windows the default CRI endpoint is `npipe://./pipe/containerd-containerd`.
@@ -185,6 +197,14 @@ To use the `systemd` cgroup driver in `/etc/containerd/config.toml` with `runc`,
   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
     SystemdCgroup = true
 ```
+{{< note >}}
+If you installed containerd from a package (for example, RPM or `.deb`), you may find
+that the CRI integration plugin is disabled by default.
+
+You need CRI support enabled to use containerd with Kubernetes. Make sure that `cri`
+is not included in the`disabled_plugins` list within `/etc/containerd/config.toml`;
+if you made changes to that file, also restart `containerd`.
+{{< /note >}}
 
 If you apply this change, make sure to restart containerd:
 
@@ -193,7 +213,19 @@ sudo systemctl restart containerd
 ```
 
 When using kubeadm, manually configure the
-[cgroup driver for kubelet](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#configure-cgroup-driver-used-by-kubelet-on-control-plane-node).
+[cgroup driver for kubelet](/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/#configuring-the-kubelet-cgroup-driver).
+
+#### Overriding the sandbox (pause) image {#override-pause-image-containerd}
+
+In your [containerd config](https://github.com/containerd/cri/blob/master/docs/config.md) you can overwrite the
+sandbox image by setting the following config:
+
+```toml
+[plugins."io.containerd.grpc.v1.cri"]
+  sandbox_image = "k8s.gcr.io/pause:3.2"
+```
+
+You might need to restart `containerd` as well once you've updated the config file: `systemctl restart containerd`.
 
 ### CRI-O
 
@@ -221,6 +253,19 @@ in sync.
 
 For CRI-O, the CRI socket is `/var/run/crio/crio.sock` by default.
 
+#### Overriding the sandbox (pause) image {#override-pause-image-cri-o}
+
+In your [CRI-O config](https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md) you can set the following
+config value:
+
+```toml
+[crio.image]
+pause_image="registry.k8s.io/pause:3.6"
+```
+
+This config option supports live configuration reload to apply this change: `systemctl reload crio` or by sending
+`SIGHUP` to the `crio` process.
+
 ### Docker Engine {#docker}
 
 {{< note >}}
@@ -237,6 +282,12 @@ Docker Engine with Kubernetes.
 
 For `cri-dockerd`, the CRI socket is `/run/cri-dockerd.sock` by default.
 
+#### Overriding the sandbox (pause) image {#override-pause-image-cri-dockerd}
+
+The `cri-dockerd` adapter accepts a command line argument for
+specifying which container image to use as the Pod infrastructure container (“pause image”).
+The command line argument to use is `--pod-infra-container-image`.
+
 ### Mirantis Container Runtime {#mcr}
 
 [Mirantis Container Runtime](https://docs.mirantis.com/mcr/20.10/overview.html) (MCR) is a commercially
@@ -251,6 +302,12 @@ visit [MCR Deployment Guide](https://docs.mirantis.com/mcr/20.10/install.html).
 Check the systemd unit named `cri-docker.socket` to find out the path to the CRI
 socket.
 
+#### Overriding the sandbox (pause) image {#override-pause-image-cri-dockerd-mcr}
+
+The `cri-dockerd` adapter accepts a command line argument for
+specifying which container image to use as the Pod infrastructure container (“pause image”).
+The command line argument to use is `--pod-infra-container-image`.
+
 ## {{% heading "whatsnext" %}}
 
 As well as a container runtime, your cluster will need a working
diff --git a/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md b/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
index d7897dfec5817..eedee3b5a304f 100644
--- a/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
+++ b/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
@@ -91,7 +91,8 @@ to not download the default container images which are hosted at `k8s.gcr.io`.
 
 Kubeadm has commands that can help you pre-pull the required images
 when creating a cluster without an internet connection on its nodes.
-See [Running kubeadm without an internet connection](/docs/reference/setup-tools/kubeadm/kubeadm-init#without-internet-connection) for more details.
+See [Running kubeadm without an internet connection](/docs/reference/setup-tools/kubeadm/kubeadm-init#without-internet-connection)
+for more details.
 
 Kubeadm allows you to use a custom image repository for the required images.
 See [Using custom images](/docs/reference/setup-tools/kubeadm/kubeadm-init#custom-images)
@@ -365,7 +366,8 @@ The output is similar to this:
 5didvk.d09sbcov8ph2amjw
 ```
 
-If you don't have the value of `--discovery-token-ca-cert-hash`, you can get it by running the following command chain on the control-plane node:
+If you don't have the value of `--discovery-token-ca-cert-hash`, you can get it by running the
+following command chain on the control-plane node:
 
 ```bash
 openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
@@ -506,7 +508,7 @@ options.
 * Verify that your cluster is running properly with [Sonobuoy](https://github.com/heptio/sonobuoy)
 * <a id="lifecycle" />See [Upgrading kubeadm clusters](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
   for details about upgrading your cluster using `kubeadm`.
-* Learn about advanced `kubeadm` usage in the [kubeadm reference documentation](/docs/reference/setup-tools/kubeadm/kubeadm)
+* Learn about advanced `kubeadm` usage in the [kubeadm reference documentation](/docs/reference/setup-tools/kubeadm/)
 * Learn more about Kubernetes [concepts](/docs/concepts/) and [`kubectl`](/docs/reference/kubectl/).
 * See the [Cluster Networking](/docs/concepts/cluster-administration/networking/) page for a bigger list
   of Pod network add-ons.
@@ -544,8 +546,8 @@ field when using `--config`. This option will control the versions
 of kube-apiserver, kube-controller-manager, kube-scheduler and kube-proxy.
 
 Example:
-* kubeadm is at {{< skew latestVersion >}}
-* `kubernetesVersion` must be at {{< skew latestVersion >}} or {{< skew prevMinorVersion >}}
+* kubeadm is at {{< skew currentVersion >}}
+* `kubernetesVersion` must be at {{< skew currentVersion >}} or {{< skew currentVersionAddMinor -1 >}}
 
 ### kubeadm's skew against the kubelet
 
@@ -553,8 +555,8 @@ Similarly to the Kubernetes version, kubeadm can be used with a kubelet version
 version as kubeadm or one version older.
 
 Example:
-* kubeadm is at {{< skew latestVersion >}}
-* kubelet on the host must be at {{< skew latestVersion >}} or {{< skew prevMinorVersion >}}
+* kubeadm is at {{< skew currentVersion >}}
+* kubelet on the host must be at {{< skew currentVersion >}} or {{< skew currentVersionAddMinor -1 >}}
 
 ### kubeadm's skew against kubeadm
 
@@ -567,17 +569,17 @@ the same node with `kubeadm upgrade`. Similar rules apply to the rest of the kub
 with the exception of `kubeadm upgrade`.
 
 Example for `kubeadm join`:
-* kubeadm version {{< skew latestVersion >}} was used to create a cluster with `kubeadm init`
-* Joining nodes must use a kubeadm binary that is at version {{< skew latestVersion >}}
+* kubeadm version {{< skew currentVersion >}} was used to create a cluster with `kubeadm init`
+* Joining nodes must use a kubeadm binary that is at version {{< skew currentVersion >}}
 
 Nodes that are being upgraded must use a version of kubeadm that is the same MINOR
 version or one MINOR version newer than the version of kubeadm used for managing the
 node.
 
 Example for `kubeadm upgrade`:
-* kubeadm version {{< skew prevMinorVersion >}} was used to create or upgrade the node
-* The version of kubeadm used for upgrading the node must be at {{< skew prevMinorVersion >}}
-or {{< skew latestVersion >}}
+* kubeadm version {{< skew currentVersionAddMinor -1 >}} was used to create or upgrade the node
+* The version of kubeadm used for upgrading the node must be at {{< skew currentVersionAddMinor -1 >}}
+or {{< skew currentVersion >}}
 
 To learn more about the version skew between the different Kubernetes component see
 the [Version Skew Policy](https://kubernetes.io/releases/version-skew-policy/).
@@ -603,7 +605,7 @@ Workarounds:
 
 kubeadm deb/rpm packages and binaries are built for amd64, arm (32-bit), arm64, ppc64le, and s390x
 following the [multi-platform
-proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/multi-platform.md).
+proposal](https://git.k8s.io/design-proposals-archive/multi-platform.md).
 
 Multiplatform container images for the control plane and addons are also supported since v1.12.
 
@@ -613,4 +615,6 @@ supports your chosen platform.
 
 ## Troubleshooting {#troubleshooting}
 
-If you are running into difficulties with kubeadm, please consult our [troubleshooting docs](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/).
+If you are running into difficulties with kubeadm, please consult our
+[troubleshooting docs](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/).
+
diff --git a/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md b/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
index 8ccc267224ef7..993ecf3878d24 100644
--- a/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
+++ b/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
@@ -45,26 +45,6 @@ may [fail](https://github.com/kubernetes/kubeadm/issues/31).
 If you have more than one network adapter, and your Kubernetes components are not reachable on the default
 route, we recommend you add IP route(s) so Kubernetes cluster addresses go via the appropriate adapter.
 
-## Letting iptables see bridged traffic
-
-Make sure that the `br_netfilter` module is loaded. This can be done by running `lsmod | grep br_netfilter`. To load it explicitly call `sudo modprobe br_netfilter`.
-
-As a requirement for your Linux Node's iptables to correctly see bridged traffic, you should ensure `net.bridge.bridge-nf-call-iptables` is set to 1 in your `sysctl` config, e.g.
-
-```bash
-cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
-br_netfilter
-EOF
-
-cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
-net.bridge.bridge-nf-call-ip6tables = 1
-net.bridge.bridge-nf-call-iptables = 1
-EOF
-sudo sysctl --system
-```
-
-For more details please see the [Network Plugin Requirements](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements) page.
-
 ## Check required ports
 These
 [required ports](/docs/reference/ports-and-protocols/)
@@ -202,7 +182,6 @@ name=Kubernetes
 baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
 enabled=1
 gpgcheck=1
-repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 exclude=kubelet kubeadm kubectl
 EOF
diff --git a/content/en/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md b/content/en/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
index 0573fb942e44d..c5abcde425365 100644
--- a/content/en/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
+++ b/content/en/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
@@ -45,7 +45,7 @@ The general approach is to generate all certs on one node and only distribute
 the *necessary* files to the other nodes.
 
 {{< note >}}
-kubeadm contains all the necessary crytographic machinery to generate
+kubeadm contains all the necessary cryptographic machinery to generate
 the certificates described below; no other cryptographic tooling is required for
 this example.
 {{< /note >}}
diff --git a/content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md b/content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
index ac8d89ee3a17b..7b195a34fd0a3 100644
--- a/content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
+++ b/content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
@@ -114,7 +114,7 @@ sudo kubeadm reset
 
 A possible solution is to restart the container runtime and then re-run `kubeadm reset`.
 You can also use `crictl` to debug the state of the container runtime. See
-[Debugging Kubernetes nodes with crictl](/docs/tasks/debug-application-cluster/crictl/).
+[Debugging Kubernetes nodes with crictl](/docs/tasks/debug/debug-cluster/crictl/).
 
 ## Pods in `RunContainerError`, `CrashLoopBackOff` or `Error` state
 
diff --git a/content/en/docs/setup/production-environment/tools/kubespray.md b/content/en/docs/setup/production-environment/tools/kubespray.md
index fd594b92f8915..e0525562c6556 100644
--- a/content/en/docs/setup/production-environment/tools/kubespray.md
+++ b/content/en/docs/setup/production-environment/tools/kubespray.md
@@ -6,7 +6,7 @@ weight: 30
 
 <!-- overview -->
 
-This quickstart helps to install a Kubernetes cluster hosted on GCE, Azure, OpenStack, AWS, vSphere, Packet (bare metal), Oracle Cloud Infrastructure (Experimental) or Baremetal with [Kubespray](https://github.com/kubernetes-sigs/kubespray).
+This quickstart helps to install a Kubernetes cluster hosted on GCE, Azure, OpenStack, AWS, vSphere, Equinix Metal (formerly Packet), Oracle Cloud Infrastructure (Experimental) or Baremetal with [Kubespray](https://github.com/kubernetes-sigs/kubespray).
 
 Kubespray is a composition of [Ansible](https://docs.ansible.com/) playbooks, [inventory](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/ansible.md), provisioning tools, and domain knowledge for generic OS/Kubernetes clusters configuration management tasks. Kubespray provides:
 
@@ -46,7 +46,7 @@ Kubespray provides the following utilities to help provision your environment:
 * [Terraform](https://www.terraform.io/) scripts for the following cloud providers:
   * [AWS](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform/aws)
   * [OpenStack](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform/openstack)
-  * [Packet](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform/packet)
+  * [Equinix Metal](https://github.com/kubernetes-sigs/kubespray/tree/master/contrib/terraform/metal)
 
 ### (2/5) Compose an inventory file
 
diff --git a/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md b/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
deleted file mode 100644
index 9c6ab896d7627..0000000000000
--- a/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
+++ /dev/null
@@ -1,917 +0,0 @@
----
-reviewers:
-- jayunit100
-- jsturtevant
-- marosset
-- perithompson
-title: Windows containers in Kubernetes
-content_type: concept
-weight: 65
----
-
-<!-- overview -->
-
-Windows applications constitute a large portion of the services and applications that
-run in many organizations. [Windows containers](https://aka.ms/windowscontainers)
-provide a way to encapsulate processes and package dependencies, making it easier
-to use DevOps practices and follow cloud native patterns for Windows applications.
-
-Organizations with investments in Windows-based applications and Linux-based
-applications don't have to look for separate orchestrators to manage their workloads,
-leading to increased operational efficiencies across their deployments, regardless
-of operating system.
-
-<!-- body -->
-
-## Windows nodes in Kubernetes
-
-To enable the orchestration of Windows containers in Kubernetes, include Windows nodes
-in your existing Linux cluster. Scheduling Windows containers in
-{{< glossary_tooltip text="Pods" term_id="pod" >}} on Kubernetes is similar to
-scheduling Linux-based containers.
-
-In order to run Windows containers, your Kubernetes cluster must include
-multiple operating systems.
-While you can only run the {{< glossary_tooltip text="control plane" term_id="control-plane" >}} on Linux, you can deploy worker nodes running either Windows or Linux depending on your workload needs.
-
-Windows {{< glossary_tooltip text="nodes" term_id="node" >}} are
-[supported](#windows-os-version-support) provided that the operating system is
-Windows Server 2019.
-
-This document uses the term *Windows containers* to mean Windows containers with
-process isolation. Kubernetes does not support running Windows containers with
-[Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container).
-
-## Compatibility and limitations {#limitations}
-
-Some node features are only available if you use a specific
-[container runtime](#container-runtime); others are not available on Windows nodes,
-including:
-
-* HugePages: not supported for Windows containers
-* Privileged containers: not supported for Windows containers
-* TerminationGracePeriod: requires containerD
-
-Not all features of shared namespaces are supported. See [API compatibility](#api)
-for more details.
-
-See [Windows OS version compatibility](#windows-os-version-support) for details on
-the Windows versions that Kubernetes is tested against.
-
-From an API and kubectl perspective, Windows containers behave in much the same
-way as Linux-based containers. However, there are some notable differences in key
-functionality which are outlined in this section.
-
-### Comparison with Linux {#compatibility-linux-similarities}
-
-Key Kubernetes elements work the same way in Windows as they do in Linux. This
-section refers to several key workload enablers and how they map to Windows.
-
-* [Pods](/docs/concepts/workloads/pods/)
-
-  A Pod is the basic building block of Kubernetes–the smallest and simplest unit in
-  the Kubernetes object model that you create or deploy. You may not deploy Windows and
-  Linux containers in the same Pod. All containers in a Pod are scheduled onto a single
-  Node where each Node represents a specific platform and architecture. The following
-  Pod capabilities, properties and events are supported with Windows containers:
-
-  * Single or multiple containers per Pod with process isolation and volume sharing
-  * Pod `status` fields
-  * Readiness and Liveness probes
-  * postStart & preStop container lifecycle events
-  * ConfigMap, Secrets: as environment variables or volumes
-  * `emptyDir` volumes
-  * Named pipe host mounts
-  * Resource limits
-  * OS field: 
-
-    The `.spec.os.name` field should be set to `windows` to indicate that the current Pod uses Windows containers.
-    The `IdentifyPodOS` feature gate needs to be enabled for this field to be recognized and used by control plane
-    components and kubelet.
-
-    {{< note >}}
-    Starting from 1.24, the `IdentifyPodOS` feature gate is in Beta stage and defaults to be enabled.
-    {{< /note >}}
-
-    If the `IdentifyPodOS` feature gate is enabled and you set the `.spec.os.name` field to `windows`,
-    you must not set the following fields in the `.spec` of that Pod:
-
-    * `spec.hostPID`
-    * `spec.hostIPC`
-    * `spec.securityContext.seLinuxOptions`
-    * `spec.securityContext.seccompProfile`
-    * `spec.securityContext.fsGroup`
-    * `spec.securityContext.fsGroupChangePolicy`
-    * `spec.securityContext.sysctls`
-    * `spec.shareProcessNamespace`
-    * `spec.securityContext.runAsUser`
-    * `spec.securityContext.runAsGroup`
-    * `spec.securityContext.supplementalGroups`
-    * `spec.containers[*].securityContext.seLinuxOptions`
-    * `spec.containers[*].securityContext.seccompProfile`
-    * `spec.containers[*].securityContext.capabilities`
-    * `spec.containers[*].securityContext.readOnlyRootFilesystem`
-    * `spec.containers[*].securityContext.privileged`
-    * `spec.containers[*].securityContext.allowPrivilegeEscalation`
-    * `spec.containers[*].securityContext.procMount`
-    * `spec.containers[*].securityContext.runAsUser`
-    * `spec.containers[*].securityContext.runAsGroup`
-
-    In the above list, wildcards (`*`) indicate all elements in a list.
-    For example, `spec.containers[*].securityContext` refers to the SecurityContext object
-    for all containers. If any of these fields is specified, the Pod will
-    not be admited by the API server.
-
-* [Workload resources](/docs/concepts/workloads/controllers/) including:
-  * ReplicaSet
-  * Deployments
-  * StatefulSets
-  * DaemonSet
-  * Job
-  * CronJob
-  * ReplicationController
-* {{< glossary_tooltip text="Services" term_id="service" >}}
-  See [Load balancing and Services](#load-balancing-and-services) for more details.
-
-Pods, workload resources, and Services are critical elements to managing Windows
-workloads on Kubernetes. However, on their own they are not enough to enable
-the proper lifecycle management of Windows workloads in a dynamic cloud native
-environment. Kubernetes also supports:
-
-* `kubectl exec`
-* Pod and container metrics
-* {{< glossary_tooltip text="Horizontal pod autoscaling" term_id="horizontal-pod-autoscaler" >}}
-* {{< glossary_tooltip text="Resource quotas" term_id="resource-quota" >}}
-* Scheduler preemption
-
-
-### Networking on Windows nodes {#compatibility-networking}
-
-Networking for Windows containers is exposed through
-[CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/).
-Windows containers function similarly to virtual machines in regards to
-networking. Each container has a virtual network adapter (vNIC) which is connected
-to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the
-Host Compute Service (HCS) work together to create containers and attach container
-vNICs to networks. HCS is responsible for the management of containers whereas HNS
-is responsible for the management of networking resources such as:
-
-* Virtual networks (including creation of vSwitches)
-* Endpoints / vNICs
-* Namespaces
-* Policies including packet encapsulations, load-balancing rules, ACLs, and NAT rules.
-
-#### Container networking {#networking}
-
-The Windows HNS and vSwitch implement namespacing and can
-create virtual NICs as needed for a pod or container. However, many configurations such
-as DNS, routes, and metrics are stored in the Windows registry database rather than as
-files inside `/etc`, which is how Linux stores those configurations. The Windows registry for the container
-is separate from that of the host, so concepts like mapping `/etc/resolv.conf` from
-the host into a container don't have the same effect they would on Linux. These must
-be configured using Windows APIs run in the context of that container. Therefore
-CNI implementations need to call the HNS instead of relying on file mappings to pass
-network details into the pod or container.
-
-The following networking functionality is _not_ supported on Windows nodes:
-
-* Host networking mode
-* Local NodePort access from the node itself (works for other nodes or external clients)
-* More than 64 backend pods (or unique destination addresses) for a single Service
-* IPv6 communication between Windows pods connected to overlay networks
-* Local Traffic Policy in non-DSR mode
-* Outbound communication using the ICMP protocol via the `win-overlay`, `win-bridge`, or using the Azure-CNI plugin.\
-  Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions, and this means:
-  * ICMP packets directed to destinations within the same network (such as pod to pod communication via ping) work as expected and without any limitations;
-  * TCP/UDP packets work as expected and without any limitations;
-  * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source;
-  * Since TCP/UDP packets can still be transposed, you can substitute `ping <destination>` with `curl <destination>` to get some debugging insight into connectivity with the outside world.
-
-Overlay networking support in kube-proxy is a beta feature. In addition, it requires
-[KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887)
-to be installed on Windows Server 2019.
-
-#### Network modes
-
-Windows supports five different networking drivers/modes: L2bridge, L2tunnel,
-Overlay (beta), Transparent, and NAT. In a heterogeneous cluster with Windows and Linux
-worker nodes, you need to select a networking solution that is compatible on both
-Windows and Linux. The following out-of-tree plugins are supported on Windows,
-with recommendations on when to use each CNI:
-
-| Network Driver | Description | Container Packet Modifications | Network Plugins | Network Plugin Characteristics |
-| -------------- | ----------- | ------------------------------ | --------------- | ------------------------------ |
-| L2bridge       | Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. | MAC is rewritten to host MAC, IP may be rewritten to host IP using HNS OutboundNAT policy. | [win-bridge](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge), [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md), Flannel host-gateway uses win-bridge | win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires user-defined routes (UDR) for inter-node connectivity. |
-| L2Tunnel | This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. | MAC rewritten, IP visible on the underlay network | [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) | Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that [Azure Virtual Network provides](https://azure.microsoft.com/en-us/services/virtual-network/). For example, securely connect to Azure services or use Azure NSGs. See [azure-cni for some examples](https://docs.microsoft.com/en-us/azure/aks/concepts-network#azure-cni-advanced-networking) |
-| Overlay (Overlay networking for Windows in Kubernetes is in *alpha* stage) | Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. | Encapsulated with an outer header. | [win-overlay](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay), Flannel VXLAN (uses win-overlay) | win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags)  if you are restricted on IPs in your datacenter.  This option requires [KB4489899](https://support.microsoft.com/help/4489899) on Windows Server 2019. |
-| Transparent (special use case for [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)) | Requires an external vSwitch. Containers are attached to an external vSwitch which enables intra-pod communication via logical networks (logical switches and routers). | Packet is encapsulated either via [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) or [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) tunneling to reach pods which are not on the same host.  <br/> Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller. <br/> NAT is done for north-south communication. | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [Deploy via ansible](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. |
-| NAT (*not used in Kubernetes*) | Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called [WinNAT](https://techcommunity.microsoft.com/t5/virtualization/windows-nat-winnat-capabilities-and-limitations/ba-p/382303) | MAC and IP is rewritten to host MAC/IP. | [nat](https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat) | Included here for completeness |
-
-As outlined above, the [Flannel](https://github.com/coreos/flannel)
-CNI [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel)
-is also [supported](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) on Windows via the
-[VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay)
-and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge).
-
-This plugin supports delegating to one of the reference CNI plugins (win-overlay,
-win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for
-automatic node subnet lease assignment and HNS network creation. This plugin reads
-in its own configuration file (cni.conf), and aggregates it with the environment
-variables from the FlannelD generated subnet.env file. It then delegates to one of
-the reference CNI plugins for network plumbing, and sends the correct configuration
-containing the node-assigned subnet to the IPAM plugin (for example: `host-local`).
-
-For Node, Pod, and Service objects, the following network flows are supported for
-TCP/UDP traffic:
-
-* Pod → Pod (IP)
-* Pod → Pod (Name)
-* Pod → Service (Cluster IP)
-* Pod → Service (PQDN, but only if there are no ".")
-* Pod → Service (FQDN)
-* Pod → external (IP)
-* Pod → external (DNS)
-* Node → Pod
-* Pod → Node
-
-#### CNI plugin limitations
-
-* Windows reference network plugins win-bridge and win-overlay do not implement
-  [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0,
-  due to a missing `CHECK` implementation.
-* The Flannel VXLAN CNI plugin has the following limitations on Windows:
-
-1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel v0.12.0 (or higher).
-2. Flannel is restricted to using VNI 4096 and UDP port 4789. See the official
-   [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
-   backend docs for more details on these parameters.
-
-#### IP address management (IPAM) {#ipam}
-
-The following IPAM options are supported on Windows:
-
-* [host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
-* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set)
-* [azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only)
-
-#### Load balancing and Services
-
-A Kubernetes {{< glossary_tooltip text="Service" term_id="service" >}} is an abstraction
-that defines a logical set of Pods and a means to access them over a network.
-In a cluster that includes Windows nodes, you can use the following types of Service:
-
-  * `NodePort`
-  * `ClusterIP`
-  * `LoadBalancer`
-  * `ExternalName`
-
-{{< warning >}}
-There are known issue with NodePort services on overlay networking, if the target destination node is running Windows Server 2022.
-To avoid the issue entirely, you can configure the service with `externalTrafficPolicy: Local`.
-
-There are known issues with pod to pod connectivity on l2bridge network on Windows Server 2022 with KB5005619 or higher installed.
-To workaround the issue and restore pod-pod connectivity, you can disable the WinDSR feature in kube-proxy.
-
-These issues require OS fixes.
-Please follow https://github.com/microsoft/Windows-Containers/issues/204 for updates.
-{{< /warning >}}
-
-Windows container networking differs in some important ways from Linux networking.
-The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) provides
-additional details and background.
-
-On Windows, you can use the following settings to configure Services and load
-balancing behavior:
-
-{{< table caption="Windows Service Settings" >}}
-| Feature | Description | Supported Kubernetes version  | Supported Windows OS build | How to enable |
-| ------- | ----------- | ----------------------------- | -------------------------- | ------------- |
-| Session affinity | Ensures that connections from a particular client are passed to the same Pod each time. | v1.20+ | [Windows Server vNext Insider Preview Build 19551](https://blogs.windows.com/windowsexperience/2020/01/28/announcing-windows-server-vnext-insider-preview-build-19551/) (or higher) | Set `service.spec.sessionAffinity` to "ClientIP" |
-| Direct Server Return (DSR) | Load balancing mode where the IP address fixups and the LBNAT occurs at the container vSwitch port directly; service traffic arrives with the source IP set as the originating pod IP. | v1.20+ | Windows Server 2019 | Set the following flags in kube-proxy: `--feature-gates="WinDSR=true" --enable-dsr=true` |
-| Preserve-Destination | Skips DNAT of service traffic, thereby preserving the virtual IP of the target service in packets reaching the backend Pod. Also disables node-node forwarding. | v1.20+ | Windows Server, version 1903 (or higher) | Set `"preserve-destination": "true"` in service annotations and enable DSR in kube-proxy. |
-| IPv4/IPv6 dual-stack networking | Native IPv4-to-IPv4 in parallel with IPv6-to-IPv6 communications to, from, and within a cluster | v1.19+ | Windows Server, version 2019 | See [IPv4/IPv6 dual-stack](#ipv4ipv6-dual-stack) |
-| Client IP preservation | Ensures that source IP of incoming ingress traffic gets preserved. Also disables node-node forwarding. | v1.20+ | Windows Server, version 2019  | Set `service.spec.externalTrafficPolicy` to "Local" and enable DSR in kube-proxy |
-{{< /table >}}
-
-##### Session affinity
-
-Setting the maximum session sticky time for Windows services using
-`service.spec.sessionAffinityConfig.clientIP.timeoutSeconds` is not supported.
-
-#### DNS {#dns-limitations}
-
-* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a
-  `.` as a FQDN and skips FQDN resolution
-* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On
-  Windows, you can only have 1 DNS suffix, which is the DNS suffix associated with that
-  pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs
-  and services or names resolvable with just that suffix. For example, a pod spawned
-  in the default namespace, will have the DNS suffix **default.svc.cluster.local**.
-  Inside a Windows pod, you can resolve both **kubernetes.default.svc.cluster.local**
-  and **kubernetes**, but not the in-betweens, like **kubernetes.default** or
-  **kubernetes.default.svc**.
-* On Windows, there are multiple DNS resolvers that can be used. As these come with
-  slightly different behaviors, using the `Resolve-DNSName` utility for name query
-  resolutions is recommended.
-
-#### IPv6 networking
-
-Kubernetes on Windows does not support single-stack "IPv6-only" networking. However,
-dual-stack IPv4/IPv6 networking for pods and nodes with single-family services
-is supported.
-
-You can use IPv4/IPv6 dual-stack networking with `l2bridge` networks. See [configure IPv4/IPv6 dual stack](/docs/concepts/services-networking/dual-stack#configure-ipv4-ipv6-dual-stack) for more details.
-
-{{< note >}}
-Overlay (VXLAN) networks on Windows do not support dual-stack networking.
-{{< /note >}}
-
-### Persistent storage {#compatibility-storage}
-
-Windows has a layered filesystem driver to mount container layers and create a copy
-filesystem based on NTFS. All file paths in the container are resolved only within
-the context of that container.
-
-* With Docker, volume mounts can only target a directory in the container, and not
-  an individual file. This limitation does not exist with CRI-containerD runtime.
-* Volume mounts cannot project files or directories back to the host filesystem.
-* Read-only filesystems are not supported because write access is always required
-  for the Windows registry and SAM database. However, read-only volumes are supported.
-* Volume user-masks and permissions are not available. Because the SAM is not shared
-  between the host & container, there's no mapping between them. All permissions are
-  resolved within the context of the container.
-
-As a result, the following storage functionality is not supported on Windows nodes:
-
-* Volume subpath mounts: only the entire volume can be mounted in a Windows container
-* Subpath volume mounting for Secrets
-* Host mount projection
-* Read-only root filesystem (mapped volumes still support `readOnly`)
-* Block device mapping
-* Memory as the storage medium (for example, `emptyDir.medium` set to `Memory`)
-* File system features like uid/gid; per-user Linux filesystem permissions
-* DefaultMode (due to UID/GID dependency)
-* NFS based storage/volume support
-* Expanding the mounted volume (resizefs)
-
-Kubernetes {{< glossary_tooltip text="volumes" term_id="volume" >}} enable complex
-applications, with data persistence and Pod volume sharing requirements, to be deployed
-on Kubernetes. Management of persistent volumes associated with a specific storage
-back-end or protocol includes actions such as provisioning/de-provisioning/resizing
-of volumes, attaching/detaching a volume to/from a Kubernetes node and
-mounting/dismounting a volume to/from individual containers in a pod that needs to
-persist data.
-
-The code implementing these volume management actions for a specific storage back-end
-or protocol is shipped in the form of a Kubernetes volume
-[plugin](/docs/concepts/storage/volumes/#types-of-volumes).
-The following broad classes of Kubernetes volume plugins are supported on Windows:
-
-##### In-tree volume plugins
-
-Code associated with in-tree volume plugins ship as part of the core Kubernetes code
-base. Deployment of in-tree volume plugins do not require installation of additional
-scripts or deployment of separate containerized plugin components. These plugins can
-handle provisioning/de-provisioning and resizing of volumes in the storage backend,
-attaching/detaching of volumes to/from a Kubernetes node and mounting/dismounting a
-volume to/from individual containers in a pod. The following in-tree plugins support
-persistent storage on Windows nodes:
-
-* [`awsElasticBlockStore`](/docs/concepts/storage/volumes/#awselasticblockstore)
-* [`azureDisk`](/docs/concepts/storage/volumes/#azuredisk)
-* [`azureFile`](/docs/concepts/storage/volumes/#azurefile)
-* [`gcePersistentDisk`](/docs/concepts/storage/volumes/#gcepersistentdisk)
-* [`vsphereVolume`](/docs/concepts/storage/volumes/#vspherevolume)
-
-#### FlexVolume plugins
-
-Code associated with [FlexVolume](/docs/concepts/storage/volumes/#flexVolume)
-plugins ship as out-of-tree scripts or binaries that need to be deployed directly
-on the host. FlexVolume plugins handle attaching/detaching of volumes to/from a
-Kubernetes node and mounting/dismounting a volume to/from individual containers
-in a pod. Provisioning/De-provisioning of persistent volumes associated
-with FlexVolume plugins may be handled through an external provisioner that
-is typically separate from the FlexVolume plugins. The following FlexVolume
-[plugins](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows),
-deployed as PowerShell scripts on the host, support Windows nodes:
-
-* [SMB](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~smb.cmd)
-* [iSCSI](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~iscsi.cmd)
-
-#### CSI plugins
-
-{{< feature-state for_k8s_version="v1.19" state="beta" >}}
-
-Code associated with {{< glossary_tooltip text="CSI" term_id="csi" >}} plugins ship
-as out-of-tree scripts and binaries that are typically distributed as container
-images and deployed using standard Kubernetes constructs like DaemonSets and
-StatefulSets.
-CSI plugins handle a wide range of volume management actions in Kubernetes:
-provisioning/de-provisioning/resizing of volumes, attaching/detaching of volumes
-to/from a Kubernetes node and mounting/dismounting a volume to/from individual
-containers in a pod, backup/restore of persistent data using snapshots and cloning.
-CSI plugins typically consist of node plugins (that run on each node as a DaemonSet)
-and controller plugins.
-
-CSI node plugins (especially those associated with persistent volumes exposed as
-either block devices or over a shared file-system) need to perform various privileged
-operations like scanning of disk devices, mounting of file systems, etc. These
-operations differ for each host operating system. For Linux worker nodes, containerized
-CSI node plugins are typically deployed as privileged containers. For Windows worker
-nodes, privileged operations for containerized CSI node plugins is supported using
-[csi-proxy](https://github.com/kubernetes-csi/csi-proxy), a community-managed,
-stand-alone binary that needs to be pre-installed on each Windows node.
-
-For more details, refer to the deployment guide of the CSI plugin you wish to deploy.
-
-### Command line options for the kubelet {#kubelet-compatibility}
-
-The behavior of some kubelet command line options behave differently on Windows, as described below:
-
-* The `--windows-priorityclass` lets you set the scheduling priority of the kubelet process (see [CPU resource management](/docs/concepts/configuration/windows-resource-management/#resource-management-cpu))
-* The `--kubelet-reserve`, `--system-reserve` , and `--eviction-hard` flags update [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
-* Eviction by using `--enforce-node-allocable` is not implemented
-* Eviction by using `--eviction-hard` and `--eviction-soft` are not implemented
-* A kubelet running on a Windows node does not have memory
-  restrictions. `--kubelet-reserve` and `--system-reserve` do not set limits on
-  kubelet or processes running on the host. This means kubelet or a process on the host
-  could cause memory resource starvation outside the node-allocatable and scheduler.
-* The `MemoryPressure` Condition is not implemented
-* The kubelet does not take OOM eviction actions
-
-### API compatibility {#api}
-
-There are no differences in how most of the Kubernetes APIs work for Windows. The
-subtleties around what's different come down to differences in the OS and container
-runtime. In certain situations, some properties on workload resources were designed
-under the assumption that they would be implemented on Linux, and fail to run on Windows.
-
-At a high level, these OS concepts are different:
-
-* Identity - Linux uses userID (UID) and groupID (GID) which
-  are represented as integer types. User and group names
-  are not canonical - they are just an alias in `/etc/groups`
-  or `/etc/passwd` back to UID+GID. Windows uses a larger binary
-  [security identifier](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) (SID)
-  which is stored in the Windows Security Access Manager (SAM) database. This
-  database is not shared between the host and containers, or between containers.
-* File permissions - Windows uses an access control list based on (SIDs), whereas
-  POSIX systems such as Linux use a bitmask based on object permissions and UID+GID,
-  plus _optional_ access control lists.
-* File paths - the convention on Windows is to use `\` instead of `/`. The Go IO
-  libraries typically accept both and just make it work, but when you're setting a
-  path or command line that's interpreted inside a container, `\` may be needed.
-* Signals - Windows interactive apps handle termination differently, and can
-  implement one or more of these:
-  * A UI thread handles well-defined messages including `WM_CLOSE`.
-  * Console apps handle Ctrl-C or Ctrl-break using a Control Handler.
-  * Services register a Service Control Handler function that can accept
-    `SERVICE_CONTROL_STOP` control codes.
-
-Container exit codes follow the same convention where 0 is success, and nonzero is failure.
-The specific error codes may differ across Windows and Linux. However, exit codes
-passed from the Kubernetes components (kubelet, kube-proxy) are unchanged.
-
-##### Field compatibility for container specifications {#compatibility-v1-pod-spec-containers}
-
-The following list documents differences between how Pod container specifications
-work between Windows and Linux:
-
-* Huge pages are not implemented in the Windows container
-  runtime, and are not available. They require [asserting a user
-  privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support)
-  that's not configurable for containers.
-* `requests.cpu` and `requests.memory` - requests are subtracted
-  from node available resources, so they can be used to avoid overprovisioning a
-  node. However, they cannot be used to guarantee resources in an overprovisioned
-  node. They should be applied to all containers as a best practice if the operator
-  wants to avoid overprovisioning entirely.
-* `securityContext.allowPrivilegeEscalation` -
-   not possible on Windows; none of the capabilities are hooked up
-* `securityContext.capabilities` -
-   POSIX capabilities are not implemented on Windows
-* `securityContext.privileged` -
-   Windows doesn't support privileged containers
-* `securityContext.procMount` -
-   Windows doesn't have a `/proc` filesystem
-* `securityContext.readOnlyRootFilesystem` -
-   not possible on Windows; write access is required for registry & system
-   processes to run inside the container
-* `securityContext.runAsGroup` -
-   not possible on Windows as there is no GID support
-* `securityContext.runAsNonRoot` -
-   this setting will prevent containers from running as `ContainerAdministrator`
-   which is the closest equivalent to a root user on Windows.
-* `securityContext.runAsUser` -
-   use [`runAsUserName`](/docs/tasks/configure-pod-container/configure-runasusername)
-   instead
-* `securityContext.seLinuxOptions` -
-   not possible on Windows as SELinux is Linux-specific
-* `terminationMessagePath` -
-   this has some limitations in that Windows doesn't support mapping single files. The
-   default value is `/dev/termination-log`, which does work because it does not
-   exist on Windows by default.
-
-##### Field compatibility for Pod specifications {#compatibility-v1-pod}
-
-The following list documents differences between how Pod specifications work between Windows and Linux:
-
-* `hostIPC` and `hostpid` - host namespace sharing is not possible on Windows
-* `hostNetwork` - There is no Windows OS support to share the host network
-* `dnsPolicy` - setting the Pod `dnsPolicy` to `ClusterFirstWithHostNet` is
-   not supported on Windows because host networking is not provided. Pods always
-   run with a container network.
-* `podSecurityContext` (see below)
-* `shareProcessNamespace` - this is a beta feature, and depends on Linux namespaces
-  which are not implemented on Windows. Windows cannot share process namespaces or
-  the container's root filesystem. Only the network can be shared.
-* `terminationGracePeriodSeconds` - this is not fully implemented in Docker on Windows,
-  see the [GitHub issue](https://github.com/moby/moby/issues/25982).
-  The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT,
-  then Windows waits 5 seconds by default, and finally shuts down
-  all processes using the normal Windows shutdown behavior. The 5
-  second default is actually in the Windows registry
-  [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183),
-  so it can be overridden when the container is built.
-* `volumeDevices` - this is a beta feature, and is not implemented on Windows.
-  Windows cannot attach raw block devices to pods.
-* `volumes`
-  * If you define an `emptyDir` volume, you cannot set its volume source to `memory`.
-* You cannot enable `mountPropagation` for volume mounts as this is not
-  supported on Windows.
-
-##### Field compatibility for Pod security context {#compatibility-v1-pod-spec-containers-securitycontext}
-
-None of the Pod [`securityContext`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) fields work on Windows.
-
-### Node problem detector
-
-The node problem detector (see
-[Monitor Node Health](/docs/tasks/debug/debug-cluster/monitor-node-health/))
-is not compatible with Windows.
-
-### Pause container
-
-In a Kubernetes Pod, an infrastructure or “pause” container is first created
-to host the container. In Linux, the cgroups and namespaces that make up a pod
-need a process to maintain their continued existence; the pause process provides
-this. Containers that belong to the same pod, including infrastructure and worker
-containers, share a common network endpoint (same IPv4 and / or IPv6 address, same
-network port spaces). Kubernetes uses pause containers to allow for worker containers
-crashing or restarting without losing any of the networking configuration.
-
-Kubernetes maintains a multi-architecture image that includes support for Windows.
-For Kubernetes v{{< skew currentVersion >}} the recommended pause image is `k8s.gcr.io/pause:3.6`.
-The [source code](https://github.com/kubernetes/kubernetes/tree/master/build/pause)
-is available on GitHub.
-
-Microsoft maintains a different multi-architecture image, with Linux and Windows
-amd64 support, that you can find as `mcr.microsoft.com/oss/kubernetes/pause:3.6`.
-This image is built from the same source as the Kubernetes maintained image but
-all of the Windows binaries are [authenticode signed](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode) by Microsoft.
-The Kubernetes project recommends using the Microsoft maintained image if you are
-deploying to a production or production-like environment that requires signed
-binaries.
-
-### Container runtimes {#container-runtime}
-
-You need to install a
-{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-into each node in the cluster so that Pods can run there.
-
-The following container runtimes work with Windows:
-
-{{% thirdparty-content %}}
-
-#### cri-containerd
-
-{{< feature-state for_k8s_version="v1.20" state="stable" >}}
-
-You can use {{< glossary_tooltip term_id="containerd" text="ContainerD" >}} 1.4.0+
-as the container runtime for Kubernetes nodes that run Windows.
-
-Learn how to [install ContainerD on a Windows node](/docs/setup/production-environment/container-runtimes/#install-containerd).
-
-{{< note >}}
-There is a [known limitation](/docs/tasks/configure-pod-container/configure-gmsa/#gmsa-limitations)
-when using GMSA with containerd to access Windows network shares, which requires a
-kernel patch.
-{{< /note >}}
-
-#### Mirantis Container Runtime {#mcr}
-
-[Mirantis Container Runtime](https://docs.mirantis.com/mcr/20.10/overview.html) (MCR) is available as a container runtime for all Windows Server 2019 and later versions.
-
-See [Install MCR on Windows Servers](https://docs.mirantis.com/mcr/20.10/install/mcr-windows.html) for more information.
-
-## Windows OS version compatibility {#windows-os-version-support}
-
-On Windows nodes, strict compatibility rules apply where the host OS version must
-match the container base image OS version. Only Windows containers with a container
-operating system of Windows Server 2019 are fully supported.
-
-For Kubernetes v{{< skew currentVersion >}}, operating system compatibility for Windows nodes (and Pods)
-is as follows:
-
-Windows Server LTSC release
-: Windows Server 2019
-: Windows Server 2022
-
-Windows Server SAC release
-:  Windows Server version 20H2
-
-The Kubernetes [version-skew policy](/docs/setup/release/version-skew-policy/) also applies.
-
-## Getting help and troubleshooting {#troubleshooting}
-
-Your main source of help for troubleshooting your Kubernetes cluster should start
-with the [Troubleshooting](/docs/tasks/debug/debug-cluster/)
-page.
-
-Some additional, Windows-specific troubleshooting help is included
-in this section. Logs are an important element of troubleshooting
-issues in Kubernetes. Make sure to include them any time you seek
-troubleshooting assistance from other contributors. Follow the
-instructions in the
-SIG Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs).
-
-### Node-level troubleshooting {#troubleshooting-node}
-
-1. How do I know `start.ps1` completed successfully?
-
-   You should see kubelet, kube-proxy, and (if you chose Flannel as your networking
-   solution) flanneld host-agent processes running on your node, with running logs
-   being displayed in separate PowerShell windows. In addition to this, your Windows
-   node should be listed as "Ready" in your Kubernetes cluster.
-
-1. Can I configure the Kubernetes node processes to run in the background as services?
-
-   The kubelet and kube-proxy are already configured to run as native Windows Services,
-   offering resiliency by re-starting the services automatically in the event of
-   failure (for example a process crash). You have two options for configuring these
-   node components as services.
-
-    1. As native Windows Services
-
-        You can run the kubelet and kube-proxy as native Windows Services using `sc.exe`.
-
-        ```powershell
-        # Create the services for kubelet and kube-proxy in two separate commands
-        sc.exe create <component_name> binPath= "<path_to_binary> --service <other_args>"
-
-        # Please note that if the arguments contain spaces, they must be escaped.
-        sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' <other_args>"
-
-        # Start the services
-        Start-Service kubelet
-        Start-Service kube-proxy
-
-        # Stop the service
-        Stop-Service kubelet (-Force)
-        Stop-Service kube-proxy (-Force)
-
-        # Query the service status
-        Get-Service kubelet
-        Get-Service kube-proxy
-        ```
-
-    1. Using `nssm.exe`
-
-       You can also always use alternative service managers like
-       [nssm.exe](https://nssm.cc/) to run these processes (flanneld,
-       kubelet & kube-proxy) in the background for you. You can use this
-       [sample script](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/register-svc.ps1),
-       leveraging nssm.exe to register kubelet, kube-proxy, and flanneld.exe to run
-       as Windows services in the background.
-
-       ```powershell
-       register-svc.ps1 -NetworkMode <Network mode> -ManagementIP <Windows Node IP> -ClusterCIDR <Cluster subnet> -KubeDnsServiceIP <Kube-dns Service IP> -LogDir <Directory to place logs>
-
-       # NetworkMode      = The network mode l2bridge (flannel host-gw, also the default value) or overlay (flannel vxlan) chosen as a network solution
-       # ManagementIP     = The IP address assigned to the Windows node. You can use ipconfig to find this
-       # ClusterCIDR      = The cluster subnet range. (Default value 10.244.0.0/16)
-       # KubeDnsServiceIP = The Kubernetes DNS service IP (Default value 10.96.0.10)
-       # LogDir           = The directory where kubelet and kube-proxy logs are redirected into their respective output files (Default value C:\k)
-       ```
-
-       If the above referenced script is not suitable, you can manually configure
-       `nssm.exe` using the following examples.
-
-       ```powershell
-       # Register flanneld.exe
-       nssm install flanneld C:\flannel\flanneld.exe
-       nssm set flanneld AppParameters --kubeconfig-file=c:\k\config --iface=<ManagementIP> --ip-masq=1 --kube-subnet-mgr=1
-       nssm set flanneld AppEnvironmentExtra NODE_NAME=<hostname>
-       nssm set flanneld AppDirectory C:\flannel
-       nssm start flanneld
-
-       # Register kubelet.exe
-       # Microsoft releases the pause infrastructure container at mcr.microsoft.com/oss/kubernetes/pause:3.6
-       nssm install kubelet C:\k\kubelet.exe
-       nssm set kubelet AppParameters --hostname-override=<hostname> --v=6 --pod-infra-container-image=mcr.microsoft.com/oss/kubernetes/pause:3.6 --resolv-conf="" --allow-privileged=true --enable-debugging-handlers --cluster-dns=<DNS-service-IP> --cluster-domain=cluster.local --kubeconfig=c:\k\config --hairpin-mode=promiscuous-bridge --image-pull-progress-deadline=20m --cgroups-per-qos=false  --log-dir=<log directory> --logtostderr=false --enforce-node-allocatable="" --network-plugin=cni --cni-bin-dir=c:\k\cni --cni-conf-dir=c:\k\cni\config
-       nssm set kubelet AppDirectory C:\k
-       nssm start kubelet
-
-       # Register kube-proxy.exe (l2bridge / host-gw)
-       nssm install kube-proxy C:\k\kube-proxy.exe
-       nssm set kube-proxy AppDirectory c:\k
-       nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --hostname-override=<hostname>--kubeconfig=c:\k\config --enable-dsr=false --log-dir=<log directory> --logtostderr=false
-       nssm.exe set kube-proxy AppEnvironmentExtra KUBE_NETWORK=cbr0
-       nssm set kube-proxy DependOnService kubelet
-       nssm start kube-proxy
-
-       # Register kube-proxy.exe (overlay / vxlan)
-       nssm install kube-proxy C:\k\kube-proxy.exe
-       nssm set kube-proxy AppDirectory c:\k
-       nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --feature-gates="WinOverlay=true" --hostname-override=<hostname> --kubeconfig=c:\k\config --network-name=vxlan0 --source-vip=<source-vip> --enable-dsr=false --log-dir=<log directory> --logtostderr=false
-       nssm set kube-proxy DependOnService kubelet
-       nssm start kube-proxy
-       ```
-
-       For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file:
-
-       ```powershell
-       nssm set <Service Name> AppStdout C:\k\mysvc.log
-       nssm set <Service Name> AppStderr C:\k\mysvc.log
-       ```
-
-       For additional details, see [NSSM - the Non-Sucking Service Manager](https://nssm.cc/usage).
-
-1. My Pods are stuck at "Container Creating" or restarting over and over
-
-   Check that your pause image is compatible with your OS version. The
-   [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources)
-   assume that both the OS and the containers are version 1803. If you have a later
-   version of Windows, such as an Insider build, you need to adjust the images
-   accordingly. See [Pause container](#pause-container) for more details.
-
-### Network troubleshooting {#troubleshooting-network}
-
-1. My Windows Pods do not have network connectivity
-
-   If you are using virtual machines, ensure that MAC spoofing is **enabled** on all
-   the VM network adapter(s).
-
-1. My Windows Pods cannot ping external resources
-
-   Windows Pods do not have outbound rules programmed for the ICMP protocol. However,
-   TCP/UDP is supported. When trying to demonstrate connectivity to resources
-   outside of the cluster, substitute `ping <IP>` with corresponding
-   `curl <IP>` commands.
-
-   If you are still facing problems, most likely your network configuration in
-   [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf)
-   deserves some extra attention. You can always edit this static file. The
-   configuration update will apply to any new Kubernetes resources.
-
-   One of the Kubernetes networking requirements
-   (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is
-   for cluster communication to occur without
-   NAT internally. To honor this requirement, there is an
-   [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20)
-   for all the communication where you do not want outbound NAT to occur. However,
-   this also means that you need to exclude the external IP you are trying to query
-   from the `ExceptionList`. Only then will the traffic originating from your Windows
-   pods be SNAT'ed correctly to receive a response from the outside world. In this
-   regard, your `ExceptionList` in `cni.conf` should look as follows:
-
-   ```conf
-   "ExceptionList": [
-                   "10.244.0.0/16",  # Cluster subnet
-                   "10.96.0.0/12",   # Service subnet
-                   "10.127.130.0/24" # Management (host) subnet
-               ]
-   ```
-
-1. My Windows node cannot access `NodePort` type Services
-
-   Local NodePort access from the node itself fails. This is a known
-   limitation. NodePort access works from other nodes or external clients.
-
-1. vNICs and HNS endpoints of containers are being deleted
-
-   This issue can be caused when the `hostname-override` parameter is not passed to
-   [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve
-   it, users need to pass the hostname to kube-proxy as follows:
-
-   ```powershell
-   C:\k\kube-proxy.exe --hostname-override=$(hostname)
-   ```
-
-1. With flannel, my nodes are having issues after rejoining a cluster
-
-   Whenever a previously deleted node is being re-joined to the cluster, flannelD
-   tries to assign a new pod subnet to the node. Users should remove the old pod
-   subnet configuration files in the following paths:
-
-   ```powershell
-   Remove-Item C:\k\SourceVip.json
-   Remove-Item C:\k\SourceVipRequest.json
-   ```
-
-1. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created"
-
-   There are numerous reports of this [issue](https://github.com/coreos/flannel/issues/1066); most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to relaunch `start.ps1` or relaunch it manually as follows:
-
-   ```powershell
-   [Environment]::SetEnvironmentVariable("NODE_NAME", "<Windows_Worker_Hostname>")
-   C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface=<Windows_Worker_Node_IP> --ip-masq=1 --kube-subnet-mgr=1
-   ```
-
-1. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env`
-
-   This indicates that Flannel didn't launch correctly. You can either try
-   to restart `flanneld.exe` or you can copy the files over manually from
-   `/run/flannel/subnet.env` on the Kubernetes master to `C:\run\flannel\subnet.env`
-   on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different
-   number. For example, if node subnet 10.244.4.1/24 is desired:
-
-   ```env
-   FLANNEL_NETWORK=10.244.0.0/16
-   FLANNEL_SUBNET=10.244.4.1/24
-   FLANNEL_MTU=1500
-   FLANNEL_IPMASQ=true
-   ```
-
-1. My Windows node cannot access my services using the service IP
-
-   This is a known limitation of the networking stack on Windows. However, Windows Pods can access the Service IP.
-
-1. No network adapter is found when starting the kubelet
-
-   The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for the kubelet to work — has failed:
-
-   ```powershell
-   Get-HnsNetwork | ? Name -ieq "cbr0"
-   Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*"
-   ```
-
-   Often it is worthwhile to modify the [InterfaceName](https://github.com/microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1#L7) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation.
-
-1. DNS resolution is not properly working
-
-   Check the DNS limitations for Windows in this [section](#dns-limitations).
-
-1. `kubectl port-forward` fails with "unable to do port forwarding: wincat not found"
-
-   This was implemented in Kubernetes 1.15 by including `wincat.exe` in the pause infrastructure container `mcr.microsoft.com/oss/kubernetes/pause:3.6`. Be sure to use a supported version of Kubernetes.
-   If you would like to build your own pause infrastructure container be sure to include [wincat](https://github.com/kubernetes/kubernetes/tree/master/build/pause/windows/wincat).
-
-1. My Kubernetes installation is failing because my Windows Server node is behind a proxy
-
-   If you are behind a proxy, the following PowerShell environment variables must be defined:
-
-   ```PowerShell
-   [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine)
-   [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine)
-   ```
-
-### Further investigation
-
-If these steps don't resolve your problem, you can get help running Windows containers on Windows nodes in Kubernetes through:
-
-* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic
-* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/)
-* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows)
-
-### Reporting issues and feature requests
-
-If you have what looks like a bug, or you would like to
-make a feature request, please use the
-[GitHub issue tracking system](https://github.com/kubernetes/kubernetes/issues).
-You can open issues on
-[GitHub](https://github.com/kubernetes/kubernetes/issues/new/choose) and assign
-them to SIG-Windows. You should first search the list of issues in case it was
-reported previously and comment with your experience on the issue and add additional
-logs. SIG-Windows Slack is also a great avenue to get some initial support and
-troubleshooting ideas prior to creating a ticket.
-
-If filing a bug, please include detailed information about how to reproduce the problem, such as:
-
-* Kubernetes version: output from `kubectl version`
-* Environment details: Cloud provider, OS distro, networking choice and configuration, and Docker version
-* Detailed steps to reproduce the problem
-* [Relevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)
-
-It helps if you tag the issue as **sig/windows**, by commenting on the issue with `/sig windows`. This helps to bring
-the issue to a SIG Windows member's attention
-
-
-## {{% heading "whatsnext" %}}
-
-### Deployment tools
-
-The kubeadm tool helps you to deploy a Kubernetes cluster, providing the control
-plane to manage the cluster it, and nodes to run your workloads.
-[Adding Windows nodes](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)
-explains how to deploy Windows nodes to your cluster using kubeadm.
-
-The Kubernetes [cluster API](https://cluster-api.sigs.k8s.io/) project also provides means to automate deployment of Windows nodes.
-
-### Windows distribution channels
-
-For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19).
-
-Information on the different Windows Server servicing channels
-including their support models can be found at
-[Windows Server servicing channels](https://docs.microsoft.com/en-us/windows-server/get-started/servicing-channels-comparison).
diff --git a/content/en/docs/tasks/access-application-cluster/access-cluster-services.md b/content/en/docs/tasks/access-application-cluster/access-cluster-services.md
index 262071094ce5c..456662692ee25 100644
--- a/content/en/docs/tasks/access-application-cluster/access-cluster-services.md
+++ b/content/en/docs/tasks/access-application-cluster/access-cluster-services.md
@@ -64,17 +64,17 @@ kubectl cluster-info
 The output is similar to this:
 
 ```
-Kubernetes master is running at https://104.197.5.247
-elasticsearch-logging is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy
-kibana-logging is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/kibana-logging/proxy
-kube-dns is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/kube-dns/proxy
-grafana is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
-heapster is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
+Kubernetes master is running at https://192.0.2.1
+elasticsearch-logging is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy
+kibana-logging is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/kibana-logging/proxy
+kube-dns is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/kube-dns/proxy
+grafana is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
+heapster is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
 ```
 
 This shows the proxy-verb URL for accessing each service.
 For example, this cluster has cluster-level logging enabled (using Elasticsearch), which can be reached
-at `https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/` if suitable credentials are passed, or through a kubectl proxy at, for example:
+at `https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/` if suitable credentials are passed, or through a kubectl proxy at, for example:
 `http://localhost:8080/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`.
 
 {{< note >}}
@@ -104,13 +104,13 @@ The supported formats for the `<service_name>` segment of the URL are:
 * To access the Elasticsearch service endpoint `_search?q=user:kimchy`, you would use:
 
     ```
-    http://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_search?q=user:kimchy
+    http://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_search?q=user:kimchy
     ```
 
 * To access the Elasticsearch cluster health information `_cluster/health?pretty=true`, you would use:
 
     ```
-    https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_cluster/health?pretty=true
+    https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_cluster/health?pretty=true
     ```
 
     The health information is similar to this:
@@ -133,7 +133,7 @@ The supported formats for the `<service_name>` segment of the URL are:
 * To access the *https* Elasticsearch service health information `_cluster/health?pretty=true`, you would use:
 
     ```
-    https://104.197.5.247/api/v1/namespaces/kube-system/services/https:elasticsearch-logging/proxy/_cluster/health?pretty=true
+    https://192.0.2.1/api/v1/namespaces/kube-system/services/https:elasticsearch-logging:/proxy/_cluster/health?pretty=true
     ```
 
 #### Using web browsers to access services running on the cluster
diff --git a/content/en/docs/tasks/access-application-cluster/access-cluster.md b/content/en/docs/tasks/access-application-cluster/access-cluster.md
index aae96d3e96bcc..f20fe407e8717 100644
--- a/content/en/docs/tasks/access-application-cluster/access-cluster.md
+++ b/content/en/docs/tasks/access-application-cluster/access-cluster.md
@@ -233,7 +233,7 @@ There are several different proxies you may encounter when using Kubernetes:
     - locates apiserver
     - adds authentication headers
 
-1.  The [apiserver proxy](#discovering-builtin-services):
+1.  The [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services):
 
     - is a bastion built into the apiserver
     - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
diff --git a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
index 8b79d7042f48c..0c3d05d62fc32 100644
--- a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
+++ b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
@@ -22,7 +22,8 @@ It does not mean that there is a file named `kubeconfig`.
 
 
 {{< warning >}}
-Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure. 
+Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig
+file could result in malicious code execution or file exposure.
 If you must use an untrusted kubeconfig file, inspect it carefully first, much as you would a shell script.
 {{< /warning>}}
 
@@ -50,7 +51,7 @@ to the scratch cluster requires authentication by username and password.
 Create a directory named `config-exercise`. In your
 `config-exercise` directory, create a file named `config-demo` with this content:
 
-```shell
+```yaml
 apiVersion: v1
 kind: Config
 preferences: {}
@@ -115,7 +116,7 @@ kubectl config --kubeconfig=config-demo view
 
 The output shows the two clusters, two users, and three contexts:
 
-```shell
+```yaml
 apiVersion: v1
 clusters:
 - cluster:
@@ -271,7 +272,7 @@ For example:
 ### Linux
 
 ```shell
-export KUBECONFIG_SAVED=$KUBECONFIG
+export KUBECONFIG_SAVED="$KUBECONFIG"
 ```
 
 ### Windows PowerShell
@@ -290,7 +291,7 @@ Temporarily append two paths to your `KUBECONFIG` environment variable. For exam
 ### Linux
 
 ```shell
-export KUBECONFIG=$KUBECONFIG:config-demo:config-demo-2
+export KUBECONFIG="${KUBECONFIG}:config-demo:config-demo-2"
 ```
 
 ### Windows PowerShell
@@ -356,7 +357,7 @@ For example:
 ### Linux
 
 ```shell
-export KUBECONFIG=$KUBECONFIG:$HOME/.kube/config
+export KUBECONFIG="${KUBECONFIG}:${HOME}/.kube/config"
 ```
 
 ### Windows Powershell
@@ -379,7 +380,7 @@ Return your `KUBECONFIG` environment variable to its original value. For example
 ### Linux
 
 ```shell
-export KUBECONFIG=$KUBECONFIG_SAVED
+export KUBECONFIG="$KUBECONFIG_SAVED"
 ```
 
 ### Windows PowerShell
diff --git a/content/en/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md b/content/en/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
index ba8f7b1244c8c..3b2648f9437e7 100644
--- a/content/en/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
+++ b/content/en/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
@@ -11,180 +11,169 @@ This page shows how to use `kubectl port-forward` to connect to a MongoDB
 server running in a Kubernetes cluster. This type of connection can be useful
 for database debugging.
 
-
-
-
 ## {{% heading "prerequisites" %}}
 
-
 * {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
 * Install [MongoDB Shell](https://www.mongodb.com/try/download/shell).
 
-
-
-
 <!-- steps -->
 
 ## Creating MongoDB deployment and service
 
 1. Create a Deployment that runs MongoDB:
 
-    ```shell
-    kubectl apply -f https://k8s.io/examples/application/mongodb/mongo-deployment.yaml
-    ```
-
-    The output of a successful command verifies that the deployment was created:
+   ```shell
+   kubectl apply -f https://k8s.io/examples/application/mongodb/mongo-deployment.yaml
+   ```
 
-    ```
-    deployment.apps/mongo created
-    ```
+   The output of a successful command verifies that the deployment was created:
 
-    View the pod status to check that it is ready:
+   ```
+   deployment.apps/mongo created
+   ```
 
-    ```shell
-    kubectl get pods
-    ```
+   View the pod status to check that it is ready:
 
-    The output displays the pod created:
+   ```shell
+   kubectl get pods
+   ```
 
-    ```
-    NAME                     READY   STATUS    RESTARTS   AGE
-    mongo-75f59d57f4-4nd6q   1/1     Running   0          2m4s
-    ```
+   The output displays the pod created:
 
-    View the Deployment's status:
+   ```
+   NAME                     READY   STATUS    RESTARTS   AGE
+   mongo-75f59d57f4-4nd6q   1/1     Running   0          2m4s
+   ```
 
-    ```shell
-    kubectl get deployment
-    ```
+   View the Deployment's status:
 
-    The output displays that the Deployment was created:
+   ```shell
+   kubectl get deployment
+   ```
 
-    ```
-    NAME    READY   UP-TO-DATE   AVAILABLE   AGE
-    mongo   1/1     1            1           2m21s
-    ```
+   The output displays that the Deployment was created:
 
-    The Deployment automatically manages a ReplicaSet.
-    View the ReplicaSet status using:
+   ```
+   NAME    READY   UP-TO-DATE   AVAILABLE   AGE
+   mongo   1/1     1            1           2m21s
+   ```
 
-    ```shell
-    kubectl get replicaset
-    ```
+   The Deployment automatically manages a ReplicaSet.
+   View the ReplicaSet status using:
 
-    The output displays that the ReplicaSet was created:
+   ```shell
+   kubectl get replicaset
+   ```
 
-    ```
-    NAME               DESIRED   CURRENT   READY   AGE
-    mongo-75f59d57f4   1         1         1       3m12s
-    ```
+   The output displays that the ReplicaSet was created:
 
+   ```
+   NAME               DESIRED   CURRENT   READY   AGE
+   mongo-75f59d57f4   1         1         1       3m12s
+   ```
 
 2. Create a Service to expose MongoDB on the network:
 
-    ```shell
-    kubectl apply -f https://k8s.io/examples/application/mongodb/mongo-service.yaml
-    ```
+   ```shell
+   kubectl apply -f https://k8s.io/examples/application/mongodb/mongo-service.yaml
+   ```
 
-    The output of a successful command verifies that the Service was created:
+   The output of a successful command verifies that the Service was created:
 
-    ```
-    service/mongo created
-    ```
+   ```
+   service/mongo created
+   ```
 
-    Check the Service created:
+   Check the Service created:
 
-    ```shell
-    kubectl get service mongo
-    ```
+   ```shell
+   kubectl get service mongo
+   ```
 
-    The output displays the service created:
+   The output displays the service created:
 
-    ```
-    NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
-    mongo   ClusterIP   10.96.41.183   <none>        27017/TCP   11s
-    ```
+   ```
+   NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
+   mongo   ClusterIP   10.96.41.183   <none>        27017/TCP   11s
+   ```
 
 3. Verify that the MongoDB server is running in the Pod, and listening on port 27017:
 
-    ```shell
-    # Change mongo-75f59d57f4-4nd6q to the name of the Pod
-    kubectl get pod mongo-75f59d57f4-4nd6q --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
-    ```
+   ```shell
+   # Change mongo-75f59d57f4-4nd6q to the name of the Pod
+   kubectl get pod mongo-75f59d57f4-4nd6q --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
+   ```
 
-    The output displays the port for MongoDB in that Pod:
+   The output displays the port for MongoDB in that Pod:
 
-    ```
-    27017
-    ```
+   ```
+   27017
+   ```
 
-    (this is the TCP port allocated to MongoDB on the internet).
+   27017 is the TCP port allocated to MongoDB on the internet.
 
 ## Forward a local port to a port on the Pod
 
-1.  `kubectl port-forward` allows using resource name, such as a pod name, to select a matching pod to port forward to.
+1. `kubectl port-forward` allows using resource name, such as a pod name, to select a matching pod to port forward to.
 
 
-    ```shell
-    # Change mongo-75f59d57f4-4nd6q to the name of the Pod
-    kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017
-    ```
+   ```shell
+   # Change mongo-75f59d57f4-4nd6q to the name of the Pod
+   kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017
+   ```
 
-    which is the same as
+   which is the same as
 
-    ```shell
-    kubectl port-forward pods/mongo-75f59d57f4-4nd6q 28015:27017
-    ```
+   ```shell
+   kubectl port-forward pods/mongo-75f59d57f4-4nd6q 28015:27017
+   ```
 
-    or
+   or
 
-    ```shell
-    kubectl port-forward deployment/mongo 28015:27017
-    ```
+   ```shell
+   kubectl port-forward deployment/mongo 28015:27017
+   ```
 
-    or
+   or
 
-    ```shell
-    kubectl port-forward replicaset/mongo-75f59d57f4 28015:27017
-    ```
+   ```shell
+   kubectl port-forward replicaset/mongo-75f59d57f4 28015:27017
+   ```
 
-    or
+   or
 
-    ```shell
-    kubectl port-forward service/mongo 28015:27017
-    ```
+   ```shell
+   kubectl port-forward service/mongo 28015:27017
+   ```
 
-    Any of the above commands works. The output is similar to this:
+   Any of the above commands works. The output is similar to this:
 
-    ```
-    Forwarding from 127.0.0.1:28015 -> 27017
-    Forwarding from [::1]:28015 -> 27017
-    ```
+   ```
+   Forwarding from 127.0.0.1:28015 -> 27017
+   Forwarding from [::1]:28015 -> 27017
+   ```
 
-{{< note >}}
-
-`kubectl port-forward` does not return. To continue with the exercises, you will need to open another terminal.
+   {{< note >}}
+   `kubectl port-forward` does not return. To continue with the exercises, you will need to open another terminal.
+   {{< /note >}}
 
-{{< /note >}}
+2. Start the MongoDB command line interface:
 
-2.  Start the MongoDB command line interface:
+   ```shell
+   mongosh --port 28015
+   ```
 
-    ```shell
-    mongosh --port 28015
-    ```
+3. At the MongoDB command line prompt, enter the `ping` command:
 
-3.  At the MongoDB command line prompt, enter the `ping` command:
+   ```
+   db.runCommand( { ping: 1 } )
+   ```
 
-    ```
-    db.runCommand( { ping: 1 } )
-    ```
+   A successful ping request returns:
 
-    A successful ping request returns:
-
-    ```
-    { ok: 1 }
-    ```
+   ```
+   { ok: 1 }
+   ```
 
 ### Optionally let _kubectl_ choose the local port {#let-kubectl-choose-local-port}
 
@@ -204,7 +193,6 @@ Forwarding from 127.0.0.1:63753 -> 27017
 Forwarding from [::1]:63753 -> 27017
 ```
 
-
 <!-- discussion -->
 
 ## Discussion
@@ -219,9 +207,7 @@ The support for UDP protocol is tracked in
 [issue 47862](https://github.com/kubernetes/kubernetes/issues/47862).
 {{< /note >}}
 
-
-
-
 ## {{% heading "whatsnext" %}}
 
 Learn more about [kubectl port-forward](/docs/reference/generated/kubectl/kubectl-commands/#port-forward).
+
diff --git a/content/en/docs/tasks/administer-cluster/certificates.md b/content/en/docs/tasks/administer-cluster/certificates.md
index 2338b0cdc76fe..44effe93403d3 100644
--- a/content/en/docs/tasks/administer-cluster/certificates.md
+++ b/content/en/docs/tasks/administer-cluster/certificates.md
@@ -1,5 +1,5 @@
 ---
-title: Certificates
+title: Generate Certificates Manually
 content_type: task
 weight: 20
 ---
diff --git a/content/en/docs/tasks/administer-cluster/cluster-upgrade.md b/content/en/docs/tasks/administer-cluster/cluster-upgrade.md
index 6e9dc302c445c..e3f9595d26bf1 100644
--- a/content/en/docs/tasks/administer-cluster/cluster-upgrade.md
+++ b/content/en/docs/tasks/administer-cluster/cluster-upgrade.md
@@ -21,8 +21,8 @@ At a high level, the steps you perform are:
 ## {{% heading "prerequisites" %}}
 
 You must have an existing cluster. This page is about upgrading from Kubernetes
-{{< skew prevMinorVersion >}} to Kubernetes {{< skew latestVersion >}}. If your cluster
-is not currently running Kubernetes {{< skew prevMinorVersion >}} then please check
+{{< skew currentVersionAddMinor -1 >}} to Kubernetes {{< skew currentVersion >}}. If your cluster
+is not currently running Kubernetes {{< skew currentVersionAddMinor -1 >}} then please check
 the documentation for the version of Kubernetes that you plan to upgrade to.
 
 ## Upgrade approaches
@@ -55,7 +55,7 @@ At this point you should
 [install the latest version of `kubectl`](/docs/tasks/tools/).
 
 For each node in your cluster, [drain](/docs/tasks/administer-cluster/safely-drain-node/)
-that node and then either replace it with a new node that uses the {{< skew latestVersion >}}
+that node and then either replace it with a new node that uses the {{< skew currentVersion >}}
 kubelet, or upgrade the kubelet on that node and bring the node back into service.
 
 ### Other deployments {#upgrade-other}
diff --git a/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md b/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md
index bf5ddd8f5fb71..be77074dc14e7 100644
--- a/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md
+++ b/content/en/docs/tasks/administer-cluster/configure-upgrade-etcd.md
@@ -150,7 +150,7 @@ access to clients with the certificate `k8sclient.cert`.
 
 Once etcd is configured correctly, only clients with valid certificates can
 access it. To give Kubernetes API servers the access, configure them with the
-flags `--etcd-certfile=k8sclient.cert`,`--etcd-keyfile=k8sclient.key` and
+flags `--etcd-certfile=k8sclient.cert`, `--etcd-keyfile=k8sclient.key` and
 `--etcd-cafile=ca.cert`.
 
 {{< note >}}
@@ -319,7 +319,7 @@ employed to recover the data of a failed cluster.
 
 Before starting the restore operation, a snapshot file must be present. It can
 either be a snapshot file from a previous backup operation, or from a remaining
-[data directory]( https://etcd.io/docs/current/op-guide/configuration/#--data-dir).
+[data directory](https://etcd.io/docs/current/op-guide/configuration/#--data-dir).
 Here is an example:
 
 ```shell
diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md
index c48f9ee2dab2f..d510caff81a98 100644
--- a/content/en/docs/tasks/administer-cluster/encrypt-data.md
+++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md
@@ -88,8 +88,8 @@ Name | Encryption | Strength | Speed | Key Length | Other Considerations
 `identity` | None | N/A | N/A | N/A | Resources written as-is without encryption. When set as the first provider, the resource will be decrypted as new values are written.
 `secretbox` | XSalsa20 and Poly1305 | Strong | Faster | 32-byte | A newer standard and may not be considered acceptable in environments that require high levels of review.
 `aesgcm` | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented.
-`aescbc` | AES-CBC with PKCS#7 padding | Weak | Fast | 32-byte | Not recommended due to CBC's vulnerability to padding oracle attacks.
-`kms` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with PKCS#7 padding, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS provider](/docs/tasks/administer-cluster/kms-provider/)
+`aescbc` | AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding | Weak | Fast | 32-byte | Not recommended due to CBC's vulnerability to padding oracle attacks.
+`kms` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS provider](/docs/tasks/administer-cluster/kms-provider/)
 
 Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider
 is the first provider, the first key is used for encryption.
diff --git a/content/en/docs/tasks/administer-cluster/kms-provider.md b/content/en/docs/tasks/administer-cluster/kms-provider.md
index 15bc1290ff97c..d2ea73d761c30 100644
--- a/content/en/docs/tasks/administer-cluster/kms-provider.md
+++ b/content/en/docs/tasks/administer-cluster/kms-provider.md
@@ -19,35 +19,50 @@ This page shows how to configure a Key Management Service (KMS) provider and plu
 
 <!-- steps -->
 
-The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted using a data encryption key (DEK); a new DEK is generated for each encryption. The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. The KMS provider uses gRPC to communicate with a specific KMS 
-plugin. The KMS plugin, which is implemented as a gRPC server and deployed on the same host(s) as the Kubernetes master(s), is responsible for all communication with the remote KMS.
+The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd.
+The data is encrypted using a data encryption key (DEK); a new DEK is generated for each encryption.
+The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS.
+The KMS provider uses gRPC to communicate with a specific KMS plugin.
+The KMS plugin, which is implemented as a gRPC server and deployed on the same host(s)
+as the Kubernetes control plane, is responsible for all communication with the remote KMS.
 
 ## Configuring the KMS provider
 
-To configure a KMS provider on the API server, include a provider of type ```kms``` in the providers array in the encryption configuration file and set the following properties:
+To configure a KMS provider on the API server, include a provider of type `kms` in the
+`providers` array in the encryption configuration file and set the following properties:
 
 * `name`: Display name of the KMS plugin.
 * `endpoint`: Listen address of the gRPC server (KMS plugin). The endpoint is a UNIX domain socket.
 * `cachesize`: Number of data encryption keys (DEKs) to be cached in the clear.
   When cached, DEKs can be used without another call to the KMS;
   whereas DEKs that are not cached require a call to the KMS to unwrap.
-* `timeout`: How long should kube-apiserver wait for kms-plugin to respond before returning an error (default is 3 seconds).
+* `timeout`: How long should `kube-apiserver` wait for kms-plugin to respond before
+  returning an error (default is 3 seconds).
 
-See [Understanding the encryption at rest configuration.](/docs/tasks/administer-cluster/encrypt-data)
+See [Understanding the encryption at rest configuration](/docs/tasks/administer-cluster/encrypt-data).
 
 ## Implementing a KMS plugin
 
-To implement a KMS plugin, you can develop a new plugin gRPC server or enable a KMS plugin already provided by your cloud provider. You then integrate the plugin with the remote KMS and deploy it on the Kubernetes master.
+To implement a KMS plugin, you can develop a new plugin gRPC server or enable a KMS plugin
+already provided by your cloud provider.
+You then integrate the plugin with the remote KMS and deploy it on the Kubernetes master.
 
 ### Enabling the KMS supported by your cloud provider 
+
 Refer to your cloud provider for instructions on enabling the cloud provider-specific KMS plugin.
 
 ### Developing a KMS plugin gRPC server
-You can develop a KMS plugin gRPC server using a stub file available for Go. For other languages, you use a proto file to create a stub file that you can use to develop the gRPC server code.
 
-* Using Go: Use the functions and data structures in the stub file: [service.pb.go](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go) to develop the gRPC server code 
+You can develop a KMS plugin gRPC server using a stub file available for Go. For other languages,
+you use a proto file to create a stub file that you can use to develop the gRPC server code.
+
+* Using Go: Use the functions and data structures in the stub file:
+  [service.pb.go](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go)
+  to develop the gRPC server code 
 
-* Using languages other than Go: Use the protoc compiler with the proto file: [service.proto](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto) to generate a stub file for the specific language
+* Using languages other than Go: Use the protoc compiler with the proto file:
+  [service.proto](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto)
+  to generate a stub file for the specific language
 
 Then use the functions and data structures in the stub file to develop the server code.
 
@@ -55,7 +70,7 @@ Then use the functions and data structures in the stub file to develop the serve
 
 * kms plugin version: `v1beta1`
 
-  In response to procedure call Version, a compatible KMS plugin should return v1beta1 as VersionResponse.version.
+  In response to procedure call Version, a compatible KMS plugin should return `v1beta1` as `VersionResponse.version`.
 
 * message version: `v1beta1`
 
@@ -69,12 +84,15 @@ Then use the functions and data structures in the stub file to develop the serve
 
 The KMS plugin can communicate with the remote KMS using any protocol supported by the KMS.
 All configuration data, including authentication credentials the KMS plugin uses to communicate with the remote KMS, 
-are stored and managed by the KMS plugin independently. The KMS plugin can encode the ciphertext with additional metadata that may be required before sending it to the KMS for decryption.
+are stored and managed by the KMS plugin independently.
+The KMS plugin can encode the ciphertext with additional metadata that may be required before sending it to the KMS for decryption.
 
 ### Deploying the KMS plugin 
+
 Ensure that the KMS plugin runs on the same host(s) as the Kubernetes master(s).
 
 ## Encrypting your data with the KMS provider
+
 To encrypt the data:
 
 1. Create a new encryption configuration file using the appropriate properties for the `kms` provider:
@@ -94,32 +112,43 @@ To encrypt the data:
          - identity: {}
    ```
 
-1. Set the `--encryption-provider-config` flag on the kube-apiserver to point to the location of the configuration file.
+1. Set the `--encryption-provider-config` flag on the kube-apiserver to point to
+   the location of the configuration file.
 1. Restart your API server.
 
+For details about the `EncryptionConfiguration` format, please check the
+[API server encryption API reference](/docs/reference/config-api/apiserver-encryption.v1/).
+
 ## Verifying that the data is encrypted
 
 Data is encrypted when written to etcd. After restarting your `kube-apiserver`, 
 any newly created or updated secret should be encrypted when stored. To verify,
 you can use the `etcdctl` command line program to retrieve the contents of your secret.
 
-1. Create a new secret called secret1 in the default namespace:
-   ```
+1. Create a new secret called `secret1` in the `default` namespace:
+
+   ```shell
    kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
    ```
-1. Using the etcdctl command line, read that secret out of etcd:
-   ```
+
+1. Using the `etcdctl` command line, read that secret out of etcd:
+
+   ```shell
    ETCDCTL_API=3 etcdctl get /kubernetes.io/secrets/default/secret1 [...] | hexdump -C
    ```
-   where `[...]` must be the additional arguments for connecting to the etcd server.
 
-1. Verify the stored secret is prefixed with `k8s:enc:kms:v1:`, which indicates that the `kms` provider has encrypted the resulting data.
+   where `[...]` contains the additional arguments for connecting to the etcd server.
+
+1. Verify the stored secret is prefixed with `k8s:enc:kms:v1:`, which indicates that
+   the `kms` provider has encrypted the resulting data.
 
 1. Verify that the secret is correctly decrypted when retrieved via the API:
-   ```
+
+   ```shell
    kubectl describe secret secret1 -n default
    ```
-   should match `mykey: mydata`
+
+   The Secret should contain `mykey: mydata`
 
 ## Ensuring all secrets are encrypted
 
@@ -129,7 +158,7 @@ The following command reads all secrets and then updates them to apply server si
 If an error occurs due to a conflicting write, retry the command.
 For larger clusters, you may wish to subdivide the secrets by namespace or script an update.
 
-```
+```shell
 kubectl get secrets --all-namespaces -o json | kubectl replace -f -
 ```
 
@@ -156,12 +185,12 @@ To switch from a local encryption provider to the `kms` provider and re-encrypt
                  secret: <BASE 64 ENCODED SECRET>
    ```
 
-1. Restart all kube-apiserver processes.
+1. Restart all `kube-apiserver` processes.
 
 1. Run the following command to force all secrets to be re-encrypted using the `kms` provider.
 
-   ```
-   kubectl get secrets --all-namespaces -o json| kubectl replace -f -
+   ```shell
+   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
    ```
 
 ## Disabling encryption at rest
@@ -183,9 +212,12 @@ To disable encryption at rest:
              endpoint: unix:///tmp/socketfile.sock
              cachesize: 100
    ```
-1. Restart all kube-apiserver processes. 
+
+1. Restart all `kube-apiserver` processes. 
+
 1. Run the following command to force all secrets to be decrypted.
-   ```
+
+   ```shell
    kubectl get secrets --all-namespaces -o json | kubectl replace -f -
    ```
 
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md b/content/en/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
deleted file mode 100644
index 7009eb2d2a18e..0000000000000
--- a/content/en/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
+++ /dev/null
@@ -1,256 +0,0 @@
----
-reviewers:
-- jayunit100
-- jsturtevant
-- marosset
-- perithompson
-title: Adding Windows nodes
-min-kubernetes-server-version: 1.17
-content_type: tutorial
-weight: 30
----
-
-<!-- overview -->
-
-{{< feature-state for_k8s_version="v1.18" state="beta" >}}
-
-You can use Kubernetes to run a mixture of Linux and Windows nodes, so you can mix Pods that run on Linux on with Pods that run on Windows. This page shows how to register Windows nodes to your cluster.
-
-
-## {{% heading "prerequisites" %}}
- {{< version-check >}}
-
-* Obtain a [Windows Server 2019 license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing)
-(or higher) in order to configure the Windows node that hosts Windows containers.
-If you are using VXLAN/Overlay networking you must have also have [KB4489899](https://support.microsoft.com/help/4489899) installed.
-
-* A Linux-based Kubernetes kubeadm cluster in which you have access to the control plane (see [Creating a single control-plane cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)).
-
-
-
-
-## {{% heading "objectives" %}}
-
-
-* Register a Windows node to the cluster
-* Configure networking so Pods and Services on Linux and Windows can communicate with each other
-
-
-
-
-<!-- lessoncontent -->
-
-## Getting Started: Adding a Windows Node to Your Cluster
-
-### Networking Configuration
-
-Once you have a Linux-based Kubernetes control-plane node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity.
-
-#### Configuring Flannel
-
-1. Prepare Kubernetes control plane for Flannel
-
-    Some minor preparation is recommended on the Kubernetes control plane in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. The following command must be run on all Linux nodes:
-
-    ```bash
-    sudo sysctl net.bridge.bridge-nf-call-iptables=1
-    ```
-
-1. Download & configure Flannel for Linux
-
-    Download the most recent Flannel manifest:
-
-    ```bash
-    wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
-    ```
-
-    Modify the `net-conf.json` section of the flannel manifest in order to set the VNI to 4096 and the Port to 4789. It should look as follows:
-
-    ```json
-    net-conf.json: |
-        {
-          "Network": "10.244.0.0/16",
-          "Backend": {
-            "Type": "vxlan",
-            "VNI": 4096,
-            "Port": 4789
-          }
-        }
-    ```
-
-    {{< note >}}The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. See the [VXLAN documentation](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan).
-    for an explanation of these fields.{{< /note >}}
-
-    {{< note >}}To use L2Bridge/Host-gateway mode instead change the value of `Type` to `"host-gw"` and omit `VNI` and `Port`.{{< /note >}}
-
-1. Apply the Flannel manifest and validate
-
-    Let's apply the Flannel configuration:
-
-    ```bash
-    kubectl apply -f kube-flannel.yml
-    ```
-
-    After a few minutes, you should see all the pods as running if the Flannel pod network was deployed.
-
-    ```bash
-    kubectl get pods -n kube-system
-    ```
-
-    The output should include the Linux flannel DaemonSet as running:
-
-    ```
-    NAMESPACE     NAME                                      READY        STATUS    RESTARTS   AGE
-    ...
-    kube-system   kube-flannel-ds-54954                     1/1          Running   0          1m
-    ```
-
-1. Add Windows Flannel and kube-proxy DaemonSets
-
-    Now you can add Windows-compatible versions of Flannel and kube-proxy. In order
-    to ensure that you get a compatible version of kube-proxy, you'll need to substitute
-    the tag of the image. The following example shows usage for Kubernetes {{< param "fullversion" >}},
-    but you should adjust the version for your own deployment.
-
-    ```bash
-    curl -L https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/kube-proxy.yml | sed 's/VERSION/{{< param "fullversion" >}}/g' | kubectl apply -f -
-    kubectl apply -f https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/flannel-overlay.yml
-    ```
-    {{< note >}}
-    If you're using host-gateway use https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/flannel-host-gw.yml instead
-    {{< /note >}}
-
-    {{< note >}}
-If you're using a different interface rather than Ethernet (i.e. "Ethernet0 2") on the Windows nodes, you have to modify the line:
-
-```powershell
-wins cli process run --path /k/flannel/setup.exe --args "--mode=overlay --interface=Ethernet"
-```
-
-in the `flannel-host-gw.yml` or `flannel-overlay.yml` file and specify your interface accordingly.
-
-```bash
-# Example
-curl -L https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/flannel-overlay.yml | sed 's/Ethernet/Ethernet0 2/g' | kubectl apply -f -
-```
-    {{< /note >}}
-
-
-
-### Joining a Windows worker node
-
-{{< note >}}
-All code snippets in Windows sections are to be run in a PowerShell environment
-with elevated permissions (Administrator) on the Windows worker node.
-{{< /note >}}
-
-{{< tabs name="tab-windows-kubeadm-runtime-installation" >}}
-
-{{% tab name="CRI-containerD" %}}
-
-#### Install containerD
-
-```powershell
-curl.exe -LO https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/Install-Containerd.ps1
-.\Install-Containerd.ps1
-```
-
-{{< note >}}
-To install a specific version of containerD specify the version with -ContainerDVersion.
-
-```powershell
-# Example
-.\Install-Containerd.ps1 -ContainerDVersion 1.4.1
-```
-
-If you're using a different interface rather than Ethernet (i.e. "Ethernet0 2") on the Windows nodes, specify the name with `-netAdapterName`.
-
-```powershell
-# Example
-.\Install-Containerd.ps1 -netAdapterName "Ethernet0 2"
-```
-
-{{< /note >}}
-
-#### Install wins, kubelet, and kubeadm
-
-```PowerShell
-curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
-.\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}} -ContainerRuntime containerD
-```
-
-[Install `crictl` from the cri-tools package](https://github.com/kubernetes-sigs/cri-tools)
-which is required so that kubeadm can talk to the CRI endpoint.
-
-#### Run `kubeadm` to join the node
-
-Use the command that was given to you when you ran `kubeadm init` on a control plane host.
-If you no longer have this command, or the token has expired, you can run `kubeadm token create --print-join-command`
-(on a control plane host) to generate a new token and join command.
-
-{{% /tab %}}
-
-{{% tab name="Docker Engine" %}}
-
-#### Install Docker Engine
-
-Install the `Containers` feature
-
-```powershell
-Install-WindowsFeature -Name containers
-```
-
-Install Docker
-Instructions to do so are available at [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker).
-
-[Install cri-dockerd](https://github.com/Mirantis/cri-dockerd) which is required so that the kubelet
-can communicate with Docker on a CRI compatible endpoint.
-
-{{< note >}}
-Docker Engine does not implement the [CRI](/docs/concepts/architecture/cri/)
-which is a requirement for a container runtime to work with Kubernetes.
-For that reason, an additional service [cri-dockerd](https://github.com/Mirantis/cri-dockerd)
-has to be installed. cri-dockerd is a project based on the legacy built-in
-Docker Engine support that was [removed](/dockershim) from the kubelet in version 1.24.
-{{< /note >}}
-
-Install `crictl` from the [cri-tools project](https://github.com/kubernetes-sigs/cri-tools)
-which is required so that kubeadm can talk to the CRI endpoint.
-
-#### Install wins, kubelet, and kubeadm
-
-```PowerShell
-curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
-.\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}}
-```
-
-#### Run `kubeadm` to join the node
-
-Use the command that was given to you when you ran `kubeadm init` on a control plane host.
-If you no longer have this command, or the token has expired, you can run `kubeadm token create --print-join-command`
-(on a control plane host) to generate a new token and join command.
-
-{{% /tab %}}
-
-{{< /tabs >}}
-
-### Verifying your installation
-
-You should now be able to view the Windows node in your cluster by running:
-
-```bash
-kubectl get nodes -o wide
-```
-
-If your new node is in the `NotReady` state it is likely because the flannel image is still downloading.
-You can check the progress as before by checking on the flannel pods in the `kube-system` namespace:
-
-```shell
-kubectl -n kube-system get pods -l app=flannel
-```
-
-Once the flannel Pod is running, your node should enter the `Ready` state and then be available to handle workloads.
-
-## {{% heading "whatsnext" %}}
-
-- [Upgrading Windows kubeadm nodes](/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes)
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md b/content/en/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
index d9df7fb38c31b..1b2a2e4cbe7dc 100644
--- a/content/en/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
+++ b/content/en/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
@@ -68,14 +68,12 @@ and passing it to the local node kubelet.
 
 ## Using the `cgroupfs` driver
 
-As this guide explains using the `cgroupfs` driver with kubeadm is not recommended.
-
-To continue using `cgroupfs` and to prevent `kubeadm upgrade` from modifying the
+To use `cgroupfs` and to prevent `kubeadm upgrade` from modifying the
 `KubeletConfiguration` cgroup driver on existing setups, you must be explicit
 about its value. This applies to a case where you do not wish future versions
 of kubeadm to apply the `systemd` driver by default.
 
-See the below section on "Modify the kubelet ConfigMap" for details on
+See the below section on "[Modify the kubelet ConfigMap](#modify-the-kubelet-configmap)" for details on
 how to be explicit about the value.
 
 If you wish to configure a container runtime to use the `cgroupfs` driver,
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index 696a69ba828c8..18032fc4b3989 100644
--- a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -244,7 +244,7 @@ serverTLSBootstrap: true
 ```
 
 If you have already created the cluster you must adapt it by doing the following:
- - Find and edit the `kubelet-config-{{< skew latestVersion >}}` ConfigMap in the `kube-system` namespace.
+ - Find and edit the `kubelet-config-{{< skew currentVersion >}}` ConfigMap in the `kube-system` namespace.
 In that ConfigMap, the `kubelet` key has a
 [KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
 document as its value. Edit the KubeletConfiguration document to set `serverTLSBootstrap: true`.
@@ -276,7 +276,7 @@ By default, these serving certificate will expire after one year. Kubeadm sets t
 `KubeletConfiguration` field `rotateCertificates` to `true`, which means that close
 to expiration a new set of CSRs for the serving certificates will be created and must
 be approved to complete the rotation. To understand more see
-[Certificate Rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation).
+[Certificate Rotation](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation).
 
 If you are looking for a solution for automatic approval of these CSRs it is recommended
 that you contact your cloud provider and ask if they have a CSR signer that verifies
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
index 8040e1185f884..783b107927186 100644
--- a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
+++ b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
@@ -29,7 +29,7 @@ The upgrade workflow at high level is the following:
 
 ## {{% heading "prerequisites" %}}
 
-- Make sure you read the [release notes]({{< latest-release-notes >}}) carefully.
+- Make sure you read the [release notes](https://git.k8s.io/kubernetes/CHANGELOG) carefully.
 - The cluster should use a static control plane and etcd pods or external etcd.
 - Make sure to back up any important components, such as app-level state stored in a database.
   `kubeadm upgrade` does not touch your workloads, only components internal to Kubernetes, but backups are always a best practice.
@@ -79,83 +79,87 @@ Pick a control plane node that you wish to upgrade first. It must have the `/etc
 
 **For the first control plane node**
 
--  Upgrade kubeadm:
+- Upgrade kubeadm:
 
-{{< tabs name="k8s_install_kubeadm_first_cp" >}}
-{{% tab name="Ubuntu, Debian or HypriotOS" %}}
-    # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
-    apt-mark unhold kubeadm && \
-    apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
-    apt-mark hold kubeadm
-{{% /tab %}}
-{{% tab name="CentOS, RHEL or Fedora" %}}
-    # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
-    yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
-{{% /tab %}}
-{{< /tabs >}}
-<br />
+  {{< tabs name="k8s_install_kubeadm_first_cp" >}}
+  {{% tab name="Ubuntu, Debian or HypriotOS" %}}
+  ```shell
+   # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
+   apt-mark unhold kubeadm && \
+   apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
+   apt-mark hold kubeadm
+   ```
+  {{% /tab %}}
+  {{% tab name="CentOS, RHEL or Fedora" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
+  yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
+  ```
+  {{% /tab %}}
+  {{< /tabs >}}
+  <br />
 
--  Verify that the download works and has the expected version:
+- Verify that the download works and has the expected version:
 
-    ```shell
-    kubeadm version
-    ```
+  ```shell
+  kubeadm version
+  ```
 
--   Verify the upgrade plan:
+- Verify the upgrade plan:
 
-    ```shell
-    kubeadm upgrade plan
-    ```
+  ```shell
+  kubeadm upgrade plan
+  ```
 
-    This command checks that your cluster can be upgraded, and fetches the versions you can upgrade to.
-    It also shows a table with the component config version states.
+  This command checks that your cluster can be upgraded, and fetches the versions you can upgrade to.
+  It also shows a table with the component config version states.
 
-{{< note >}}
-`kubeadm upgrade` also automatically renews the certificates that it manages on this node.
-To opt-out of certificate renewal the flag `--certificate-renewal=false` can be used.
-For more information see the [certificate management guide](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs).
-{{</ note >}}
+  {{< note >}}
+  `kubeadm upgrade` also automatically renews the certificates that it manages on this node.
+  To opt-out of certificate renewal the flag `--certificate-renewal=false` can be used.
+  For more information see the [certificate management guide](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs).
+  {{</ note >}}
+  
+  {{< note >}}
+  If `kubeadm upgrade plan` shows any component configs that require manual upgrade, users must provide
+  a config file with replacement configs to `kubeadm upgrade apply` via the `--config` command line flag.
+  Failing to do so will cause `kubeadm upgrade apply` to exit with an error and not perform an upgrade.
+  {{</ note >}}
 
-{{< note >}}
-If `kubeadm upgrade plan` shows any component configs that require manual upgrade, users must provide
-a config file with replacement configs to `kubeadm upgrade apply` via the `--config` command line flag.
-Failing to do so will cause `kubeadm upgrade apply` to exit with an error and not perform an upgrade.
-{{</ note >}}
+- Choose a version to upgrade to, and run the appropriate command. For example:
 
--  Choose a version to upgrade to, and run the appropriate command. For example:
+  ```shell
+  # replace x with the patch version you picked for this upgrade
+  sudo kubeadm upgrade apply v{{< skew currentVersion >}}.x
+  ```
 
-    ```shell
-    # replace x with the patch version you picked for this upgrade
-    sudo kubeadm upgrade apply v{{< skew currentVersion >}}.x
-    ```
+  Once the command finishes you should see:
 
-    Once the command finishes you should see:
+  ```
+  [upgrade/successful] SUCCESS! Your cluster was upgraded to "v{{< skew currentVersion >}}.x". Enjoy!
 
-    ```
-    [upgrade/successful] SUCCESS! Your cluster was upgraded to "v{{< skew currentVersion >}}.x". Enjoy!
+  [upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so.
+  ```
 
-    [upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so.
-    ```
+- Manually upgrade your CNI provider plugin.
 
--  Manually upgrade your CNI provider plugin.
+  Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow.
+  Check the [addons](/docs/concepts/cluster-administration/addons/) page to
+  find your CNI provider and see whether additional upgrade steps are required.
 
-    Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow.
-    Check the [addons](/docs/concepts/cluster-administration/addons/) page to
-    find your CNI provider and see whether additional upgrade steps are required.
-
-    This step is not required on additional control plane nodes if the CNI provider runs as a DaemonSet.
+  This step is not required on additional control plane nodes if the CNI provider runs as a DaemonSet.
 
 **For the other control plane nodes**
 
 Same as the first control plane node but use:
 
-```
+```shell
 sudo kubeadm upgrade node
 ```
 
 instead of:
 
-```
+```shell
 sudo kubeadm upgrade apply
 ```
 
@@ -163,46 +167,50 @@ Also calling `kubeadm upgrade plan` and upgrading the CNI provider plugin is no
 
 ### Drain the node
 
--  Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
+- Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
 
-    ```shell
-    # replace <node-to-drain> with the name of your node you are draining
-    kubectl drain <node-to-drain> --ignore-daemonsets
-    ```
+  ```shell
+  # replace <node-to-drain> with the name of your node you are draining
+  kubectl drain <node-to-drain> --ignore-daemonsets
+  ```
 
 ### Upgrade kubelet and kubectl
 
--  Upgrade the kubelet and kubectl:
-
-{{< tabs name="k8s_install_kubelet" >}}
-{{% tab name="Ubuntu, Debian or HypriotOS" %}}
-    # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
-    apt-mark unhold kubelet kubectl && \
-    apt-get update && apt-get install -y kubelet={{< skew currentVersion >}}.x-00 kubectl={{< skew currentVersion >}}.x-00 && \
-    apt-mark hold kubelet kubectl
-{{% /tab %}}
-{{% tab name="CentOS, RHEL or Fedora" %}}
-    # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
-    yum install -y kubelet-{{< skew currentVersion >}}.x-0 kubectl-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
-{{% /tab %}}
-{{< /tabs >}}
-<br />
-
--  Restart the kubelet:
-
-    ```shell
-    sudo systemctl daemon-reload
-    sudo systemctl restart kubelet
-    ```
+- Upgrade the kubelet and kubectl:
+
+  {{< tabs name="k8s_install_kubelet" >}}
+  {{% tab name="Ubuntu, Debian or HypriotOS" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
+  apt-mark unhold kubelet kubectl && \
+  apt-get update && apt-get install -y kubelet={{< skew currentVersion >}}.x-00 kubectl={{< skew currentVersion >}}.x-00 && \
+  apt-mark hold kubelet kubectl
+  ```
+  {{% /tab %}}
+  {{% tab name="CentOS, RHEL or Fedora" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
+  yum install -y kubelet-{{< skew currentVersion >}}.x-0 kubectl-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
+  ```
+  {{% /tab %}}
+  {{< /tabs >}}
+  <br />
+
+- Restart the kubelet:
+
+  ```shell
+  sudo systemctl daemon-reload
+  sudo systemctl restart kubelet
+  ```
 
 ### Uncordon the node
 
--   Bring the node back online by marking it schedulable:
+- Bring the node back online by marking it schedulable:
 
-    ```shell
-    # replace <node-to-drain> with the name of your node
-    kubectl uncordon <node-to-drain>
-    ```
+  ```shell
+  # replace <node-to-drain> with the name of your node
+  kubectl uncordon <node-to-drain>
+  ```
 
 ## Upgrade worker nodes
 
@@ -211,76 +219,83 @@ without compromising the minimum required capacity for running your workloads.
 
 ### Upgrade kubeadm
 
--  Upgrade kubeadm:
-
-{{< tabs name="k8s_install_kubeadm_worker_nodes" >}}
-{{% tab name="Ubuntu, Debian or HypriotOS" %}}
-    # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
-    apt-mark unhold kubeadm && \
-    apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
-    apt-mark hold kubeadm
-{{% /tab %}}
-{{% tab name="CentOS, RHEL or Fedora" %}}
-    # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
-    yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
-{{% /tab %}}
-{{< /tabs >}}
+- Upgrade kubeadm:
+
+  {{< tabs name="k8s_install_kubeadm_worker_nodes" >}}
+  {{% tab name="Ubuntu, Debian or HypriotOS" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
+  apt-mark unhold kubeadm && \
+  apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
+  apt-mark hold kubeadm
+  ```
+  {{% /tab %}}
+  {{% tab name="CentOS, RHEL or Fedora" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
+  yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
+  ```
+  {{% /tab %}}
+  {{< /tabs >}}
 
 ### Call "kubeadm upgrade"
 
--  For worker nodes this upgrades the local kubelet configuration:
+- For worker nodes this upgrades the local kubelet configuration:
 
-    ```shell
-    sudo kubeadm upgrade node
-    ```
+  ```shell
+  sudo kubeadm upgrade node
+  ```
 
 ### Drain the node
 
--  Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
+- Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
 
-    ```shell
-    # replace <node-to-drain> with the name of your node you are draining
-    kubectl drain <node-to-drain> --ignore-daemonsets
-    ```
+  ```shell
+  # replace <node-to-drain> with the name of your node you are draining
+  kubectl drain <node-to-drain> --ignore-daemonsets
+  ```
 
 ### Upgrade kubelet and kubectl
 
--  Upgrade the kubelet and kubectl:
-
-{{< tabs name="k8s_kubelet_and_kubectl" >}}
-{{% tab name="Ubuntu, Debian or HypriotOS" %}}
-    # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
-    apt-mark unhold kubelet kubectl && \
-    apt-get update && apt-get install -y kubelet={{< skew currentVersion >}}.x-00 kubectl={{< skew currentVersion >}}.x-00 && \
-    apt-mark hold kubelet kubectl
-{{% /tab %}}
-{{% tab name="CentOS, RHEL or Fedora" %}}
-    # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
-    yum install -y kubelet-{{< skew currentVersion >}}.x-0 kubectl-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
-{{% /tab %}}
-{{< /tabs >}}
-<br />
-
--  Restart the kubelet:
-
-    ```shell
-    sudo systemctl daemon-reload
-    sudo systemctl restart kubelet
-    ```
+- Upgrade the kubelet and kubectl:
+
+  {{< tabs name="k8s_kubelet_and_kubectl" >}}
+  {{% tab name="Ubuntu, Debian or HypriotOS" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-00 with the latest patch version
+  apt-mark unhold kubelet kubectl && \
+  apt-get update && apt-get install -y kubelet={{< skew currentVersion >}}.x-00 kubectl={{< skew currentVersion >}}.x-00 && \
+  apt-mark hold kubelet kubectl
+  {{% /tab %}}
+  {{% tab name="CentOS, RHEL or Fedora" %}}
+  ```shell
+  # replace x in {{< skew currentVersion >}}.x-0 with the latest patch version
+  yum install -y kubelet-{{< skew currentVersion >}}.x-0 kubectl-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
+  ```
+  {{% /tab %}}
+  {{< /tabs >}}
+  <br />
+
+- Restart the kubelet:
+
+  ```shell
+  sudo systemctl daemon-reload
+  sudo systemctl restart kubelet
+  ```
 
 ### Uncordon the node
 
--   Bring the node back online by marking it schedulable:
+- Bring the node back online by marking it schedulable:
 
-    ```shell
-    # replace <node-to-drain> with the name of your node
-    kubectl uncordon <node-to-drain>
-    ```
+  ```shell
+  # replace <node-to-drain> with the name of your node
+  kubectl uncordon <node-to-drain>
+  ```
 
 ## Verify the status of the cluster
 
-After the kubelet is upgraded on all nodes verify that all nodes are available again by running the following command
-from anywhere kubectl can access the cluster:
+After the kubelet is upgraded on all nodes verify that all nodes are available again by running
+the following command from anywhere kubectl can access the cluster:
 
 ```shell
 kubectl get nodes
@@ -296,6 +311,7 @@ This command is idempotent and eventually makes sure that the actual state is th
 To recover from a bad state, you can also run `kubeadm upgrade apply --force` without changing the version that your cluster is running.
 
 During upgrade kubeadm writes the following backup folders under `/etc/kubernetes/tmp`:
+
 - `kubeadm-backup-etcd-<date>-<time>`
 - `kubeadm-backup-manifests-<date>-<time>`
 
@@ -334,3 +350,4 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
 
 - Fetches the kubeadm `ClusterConfiguration` from the cluster.
 - Upgrades the kubelet configuration for this node.
+
diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md b/content/en/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
index 35857d09a0205..a581cc16d38ad 100644
--- a/content/en/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
+++ b/content/en/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
@@ -34,7 +34,7 @@ upgrade the control plane nodes before upgrading your Windows nodes.
 
     ```powershell
     # replace {{< param "fullversion" >}} with your desired version
-    curl.exe -Lo C:\k\kubeadm.exe https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubeadm.exe
+    curl.exe -Lo <path-to-kubeadm.exe>  https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubeadm.exe
     ```
 
 ### Drain the node
@@ -62,16 +62,28 @@ upgrade the control plane nodes before upgrading your Windows nodes.
     kubeadm upgrade node
     ```
 
-### Upgrade kubelet
+### Upgrade kubelet and kube-proxy
 
 1.  From the Windows node, upgrade and restart the kubelet:
 
     ```powershell
     stop-service kubelet
-    curl.exe -Lo C:\k\kubelet.exe https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubelet.exe
+    curl.exe -Lo <path-to-kubelet.exe> https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubelet.exe
     restart-service kubelet
     ```
 
+2. From the Windows node, upgrade and restart the kube-proxy.
+
+    ```powershell
+    stop-service kube-proxy
+    curl.exe -Lo <path-to-kube-proxy.exe> https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kube-proxy.exe
+    restart-service kube-proxy
+    ```
+
+{{< note >}}
+If you are running kube-proxy in a HostProcess container within a Pod, and not as a Windows Service, you can upgrade kube-proxy by applying a newer version of your kube-proxy manifests.
+{{< /note >}}
+
 ### Uncordon the node
 
 1.  From a machine with access to the Kubernetes API,
@@ -81,14 +93,7 @@ bring the node back online by marking it schedulable:
     # replace <node-to-drain> with the name of your node
     kubectl uncordon <node-to-drain>
     ```
-### Upgrade kube-proxy
-
-1. From a machine with access to the Kubernetes API, run the following,
-again replacing {{< param "fullversion" >}} with your desired version:
 
-    ```shell
-    curl -L https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/kube-proxy.yml | sed 's/VERSION/{{< param "fullversion" >}}/g' | kubectl apply -f -
-    ```
 
 
 
diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
index 6c52dea6e176d..e0255eb2bd4d9 100644
--- a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
+++ b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
@@ -27,7 +27,7 @@ in the namespace.
 
 You must have access to create namespaces in your cluster.
 
-Your cluster must have at least 1.0 CPU available for use to run the task examples.
+Each node in your cluster must have at least 1.0 CPU available for Pods.
 See [meaning of CPU](/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)
 to learn what Kubernetes means by “1 CPU”.
 
@@ -45,7 +45,7 @@ kubectl create namespace constraints-cpu-example
 
 ## Create a LimitRange and a Pod
 
-Here's an example manifest for a LimitRange:
+Here's a manifest for an example {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}}:
 
 {{< codenew file="admin/resource/cpu-constraints.yaml" >}}
 
@@ -96,7 +96,7 @@ on these resources, the two values must be the same.
 
 Here's a manifest for a Pod that has one container. The container manifest
 specifies a CPU request of 500 millicpu and a CPU limit of 800 millicpu. These satisfy the
-minimum and maximum CPU constraints imposed by the LimitRange.
+minimum and maximum CPU constraints imposed by the LimitRange for this namespace.
 
 {{< codenew file="admin/resource/cpu-constraints-pod.yaml" >}}
 
@@ -214,7 +214,10 @@ applied the
 [default CPU request and limit](/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
 from the LimitRange for this namespace.
 
-At this point, your Pod might be running or it might not be running. Recall that a prerequisite for this task is that your cluster must have at least 1 CPU available for use. If each of your Nodes has only 1 CPU, then there might not be enough allocatable CPU on any Node to accommodate a request of 800 millicpu. If you happen to be using Nodes with 2 CPU, then you probably have enough CPU to accommodate the 800 millicpu request.
+At this point, your Pod may or may not be running. Recall that a prerequisite for
+this task is that your Nodes must have at least 1 CPU available for use. If each of your Nodes has only 1 CPU,
+then there might not be enough allocatable CPU on any Node to accommodate a request of 800 millicpu. 
+If you happen to be using Nodes with 2 CPU, then you probably have enough CPU to accommodate the 800 millicpu request.
 
 Delete your Pod:
 
diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
index 14d50aa4d7b0d..5bbd37fa1856c 100644
--- a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
+++ b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
@@ -140,7 +140,8 @@ Create the Pod:
 kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-3.yaml --namespace=default-cpu-example
 ```
 
-View the specification of the Pod that you created:
+View the [specification](/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)
+of the Pod that you created:
 
 ```
 kubectl get pod default-cpu-demo-3 --output=yaml --namespace=default-cpu-example
diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
index 3efd899075bbd..9d2d707cb06b9 100644
--- a/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
+++ b/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
@@ -11,8 +11,9 @@ description: >-
 <!-- overview -->
 
 This page shows how to set minimum and maximum values for memory used by containers
-running in a namespace. You specify minimum and maximum memory values in a
-[LimitRange](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#limitrange-v1-core)
+running in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}. 
+You specify minimum and maximum memory values in a
+[LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
 object. If a Pod does not meet the constraints imposed by the LimitRange,
 it cannot be created in the namespace.
 
@@ -76,8 +77,8 @@ file for the LimitRange, they were created automatically.
 Now whenever you define a Pod within the constraints-mem-example namespace, Kubernetes
 performs these steps:
 
-* If any container in that Pod does not specify its own memory request and limit, assign
-the default memory request and limit to that container.
+* If any container in that Pod does not specify its own memory request and limit, 
+the control plane assigns the default memory request and limit to that container.
 
 * Verify that every container in that Pod requests at least 500 MiB of memory.
 
diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
index 025277127d620..1013800e44a8e 100644
--- a/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
+++ b/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
@@ -172,7 +172,7 @@ resources:
 If your namespace has a memory {{< glossary_tooltip text="resource quota" term_id="resource-quota" >}}
 configured,
 it is helpful to have a default value in place for memory limit.
-Here are two of the restrictions that a resource quota imposes on a namespace:
+Here are three of the restrictions that a resource quota imposes on a namespace:
 
 * For every Pod that runs in the namespace, the Pod and each of its containers must have a memory limit.
   (If you specify a memory limit for every container in a Pod, Kubernetes can infer the Pod-level memory
diff --git a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
index f54be498d4966..b10f75dd9ce71 100644
--- a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
+++ b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
@@ -16,7 +16,7 @@ installations. Our [Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/) is
 to understand the problem better.
 
 Dockershim was removed from Kubernetes with the release of v1.24.
-If you use Docker via dockershim as your container runtime, and wish to upgrade to v1.24,
+If you use Docker Engine via dockershim as your container runtime, and wish to upgrade to v1.24,
 it is recommended that you either migrate to another runtime or find an alternative means to obtain Docker Engine support.
 Check out [container runtimes](/docs/setup/production-environment/container-runtimes/)
 section to know your options. Make sure to
@@ -29,8 +29,8 @@ configuration.
 
 These tasks will help you to migrate:
 
-* [Check whether Dockershim deprecation affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
-* [Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/)
+* [Check whether Dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/)
+* [Migrate Docker Engine nodes from dockershim to cri-dockerd](/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd/)
 * [Migrating telemetry and security agents from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/)
 
 
diff --git a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
index b4074a1385f6a..8c5c8b3a72431 100644
--- a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
+++ b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
@@ -44,7 +44,7 @@ for detailed steps to install containerd.
 1. Install the `containerd.io` package from the official Docker repositories. 
    Instructions for setting up the Docker repository for your respective Linux distribution and
    installing the `containerd.io` package can be found at 
-   [Install Docker Engine](https://docs.docker.com/engine/install/#server).
+   [Getting started with containerd](https://github.com/containerd/containerd/blob/main/docs/getting-started.md).
 
 1. Configure containerd:
 
@@ -136,7 +136,7 @@ Run `kubectl get nodes -o wide` and containerd appears as the runtime for the no
 
 Finally if everything goes well, remove Docker.
 
-{{< tabs name="tab-remove-docker-enigine" >}}
+{{< tabs name="tab-remove-docker-engine" >}}
 {{% tab name="CentOS" %}}
 
 ```shell
@@ -163,3 +163,9 @@ sudo apt-get purge docker-ce docker-ce-cli
 {{% /tab %}}
 {{< /tabs >}}
 
+The preceding commands don't remove images, containers, volumes, or customized configuration files on your host.
+To delete them, follow Docker's instructions to [Uninstall Docker Engine](https://docs.docker.com/engine/install/ubuntu/#uninstall-docker-engine).
+
+{{< caution >}}
+Docker's instructions for uninstalling Docker Engine create a risk of deleting containerd. Be careful when executing commands.
+{{< /caution >}}
diff --git a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
index dbfe02d9e6ee2..c4247f085a2b8 100644
--- a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
+++ b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
@@ -41,7 +41,7 @@ node-2       Ready    v1.16.15   docker://19.3.1
 node-3       Ready    v1.16.15   docker://19.3.1
 ```
 If your runtime shows as Docker Engine, you still might not be affected by the
-removal of dockershim in Kubernetes 1.24. [Check the runtime
+removal of dockershim in Kubernetes v1.24. [Check the runtime
 endpoint](#which-endpoint) to see if you use dockershim. If you don't use
 dockershim, you aren't affected. 
 
@@ -64,7 +64,7 @@ The container runtime talks to the kubelet over a Unix socket using the [CRI
 protocol](/docs/concepts/architecture/cri/), which is based on the gRPC
 framework. The kubelet acts as a client, and the runtime acts as the server.
 In some cases, you might find it useful to know which socket your nodes use. For
-example, with the removal of dockershim in Kubernetes 1.24 and later, you might
+example, with the removal of dockershim in Kubernetes v1.24 and later, you might
 want to know whether you use Docker Engine with dockershim.
 
 {{<note>}}
@@ -93,6 +93,7 @@ nodes.
         name to find out which runtime you use. For example,
         `unix:///run/containerd/containerd.sock` is the containerd endpoint.
 
-If you use Docker Engine with the dockershim, [migrate to a different runtime](/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/),
-or, if you want to continue using Docker Engine in v1.24 and later, migrate to a
+If you want to change the Container Runtime on a Node from Docker Engine to containerd,
+you can find out more information on [migrating from Docker Engine to  containerd](/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/),
+or, if you want to continue using Docker Engine in Kubernetes v1.24 and later, migrate to a
 CRI-compatible adapter like [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd).
\ No newline at end of file
diff --git a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
index 3835057c916c7..7b88929445522 100644
--- a/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
+++ b/content/en/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
@@ -8,24 +8,33 @@ weight: 70
 
 <!-- overview -->
 
-Kubernetes' support for direct integration with Docker Engine is deprecated, and will be removed. Most apps do not have a direct dependency on runtime hosting containers. However, there are still a lot of telemetry and monitoring agents that has a dependency on docker to collect containers metadata, logs and metrics. This document aggregates information on how to detect these dependencies and links on how to migrate these agents to use generic tools or alternative runtimes.
+{{% thirdparty-content %}}
+
+Kubernetes' support for direct integration with Docker Engine is deprecated and
+has been removed. Most apps do not have a direct dependency on runtime hosting
+containers. However, there are still a lot of telemetry and monitoring agents
+that have a dependency on Docker to collect containers metadata, logs, and
+metrics. This document aggregates information on how to detect these
+dependencies as well as links on how to migrate these agents to use generic tools or
+alternative runtimes.
 
 ## Telemetry and security agents
 
-Within a Kubernetes cluster there are a few different ways to run telemetry or security agents.
-Some agents have a direct dependency on Docker Engine when they run as DaemonSets or
-directly on nodes.
+Within a Kubernetes cluster there are a few different ways to run telemetry or
+security agents.  Some agents have a direct dependency on Docker Engine when
+they run as DaemonSets or directly on nodes.
 
 ### Why do some telemetry agents communicate with Docker Engine?
 
 Historically, Kubernetes was written to work specifically with Docker Engine.
-Kubernetes took care of networking and scheduling, relying on Docker Engine for launching
-and running containers (within Pods) on a node. Some information that is relevant to telemetry,
-such as a pod name, is only available from Kubernetes components. Other data, such as container
-metrics, is not the responsibility of the container runtime. Early telemetry agents needed to query the
-container runtime **and** Kubernetes to report an accurate picture. Over time, Kubernetes gained
-the ability to support multiple runtimes, and now supports any runtime that is compatible with
-the container runtime interface.
+Kubernetes took care of networking and scheduling, relying on Docker Engine for
+launching and running containers (within Pods) on a node. Some information that
+is relevant to telemetry, such as a pod name, is only available from Kubernetes
+components. Other data, such as container metrics, is not the responsibility of
+the container runtime. Early telemetry agents needed to query the container
+runtime *and* Kubernetes to report an accurate picture. Over time, Kubernetes
+gained the ability to support multiple runtimes, and now supports any runtime
+that is compatible with the [container runtime interface](/docs/concepts/architecture/cri/).
 
 Some telemetry agents rely specifically on Docker Engine tooling. For example, an agent
 might run a command such as
@@ -68,12 +77,90 @@ The script above only detects the most common uses.
 
 ### Detecting Docker dependency from node agents
 
-In case your cluster nodes are customized and install additional security and
-telemetry agents on the node, make sure to check with the vendor of the agent whether it has dependency on Docker.
+If your cluster nodes are customized and install additional security and
+telemetry agents on the node, check with the agent vendor
+to verify whether it has any dependency on Docker.
 
 ### Telemetry and security agent vendors
 
+This section is intended to aggregate information about various telemetry and
+security agents that may have a dependency on container runtimes.
+
 We keep the work in progress version of migration instructions for various telemetry and security agent vendors
 in [Google doc](https://docs.google.com/document/d/1ZFi4uKit63ga5sxEiZblfb-c23lFhvy6RXVPikS8wf0/edit#).
 Please contact the vendor to get up to date instructions for migrating from dockershim.
 
+## Migration from dockershim
+
+### [Aqua](https://www.aquasec.com)
+
+No changes are needed: everything should work seamlessly on the runtime switch.
+
+### [Datadog](https://www.datadoghq.com/product/)
+
+How to migrate:
+[Docker deprecation in Kubernetes](https://docs.datadoghq.com/agent/guide/docker-deprecation/)
+The pod that accesses Docker Engine may have a name containing any of:
+
+- `datadog-agent`
+- `datadog`
+- `dd-agent`
+
+### [Dynatrace](https://www.dynatrace.com/)
+
+How to migrate:
+[Migrating from Docker-only to generic container metrics in Dynatrace](https://community.dynatrace.com/t5/Best-practices/Migrating-from-Docker-only-to-generic-container-metrics-in/m-p/167030#M49)
+
+Containerd support announcement: [Get automated full-stack visibility into
+containerd-based Kubernetes
+environments](https://www.dynatrace.com/news/blog/get-automated-full-stack-visibility-into-containerd-based-kubernetes-environments/)
+
+CRI-O support announcement: [Get automated full-stack visibility into your CRI-O Kubernetes containers (Beta)](https://www.dynatrace.com/news/blog/get-automated-full-stack-visibility-into-your-cri-o-kubernetes-containers-beta/)
+
+The pod accessing Docker may have name containing: 
+- `dynatrace-oneagent`
+
+### [Falco](https://falco.org)
+
+How to migrate:
+
+[Migrate Falco from dockershim](https://falco.org/docs/getting-started/deployment/#docker-deprecation-in-kubernetes)
+Falco supports any CRI-compatible runtime (containerd is used in the default configuration); the documentation explains all details.
+The pod accessing Docker may have name containing: 
+- `falco`
+
+### [Prisma Cloud Compute](https://docs.paloaltonetworks.com/prisma/prisma-cloud.html)
+
+Check [documentation for Prisma Cloud](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_kubernetes.html),
+under the "Install Prisma Cloud on a CRI (non-Docker) cluster" section.
+The pod accessing Docker may be named like:
+- `twistlock-defender-ds`
+
+### [SignalFx (Splunk)](https://www.splunk.com/en_us/investor-relations/acquisitions/signalfx.html)
+
+The SignalFx Smart Agent (deprecated) uses several different monitors for Kubernetes including
+`kubernetes-cluster`, `kubelet-stats/kubelet-metrics`, and `docker-container-stats`.
+The `kubelet-stats` monitor was previously deprecated by the vendor, in favor of `kubelet-metrics`.
+The `docker-container-stats` monitor is the one affected by dockershim removal.
+Do not use the `docker-container-stats` with container runtimes other than Docker Engine.
+
+
+How to migrate from dockershim-dependant agent:
+1. Remove `docker-container-stats` from the list of [configured monitors](https://github.com/signalfx/signalfx-agent/blob/main/docs/monitor-config.md).
+   Note, keeping this monitor enabled with non-dockershim runtime will result in incorrect metrics
+   being reported when docker is installed on node and no metrics when docker is not installed.
+2. [Enable and configure `kubelet-metrics`](https://github.com/signalfx/signalfx-agent/blob/main/docs/monitors/kubelet-metrics.md) monitor.
+
+
+{{< note >}}
+The set of collected metrics will change. Review your alerting rules and dashboards.
+{{< /note >}}
+
+The Pod accessing Docker may be named something like:
+
+- `signalfx-agent`
+
+### Yahoo Kubectl Flame
+
+Flame does not support container runtimes other than Docker. See
+[https://github.com/yahoo/kubectl-flame/issues/51](https://github.com/yahoo/kubectl-flame/issues/51)
diff --git a/content/en/docs/tasks/administer-cluster/namespaces.md b/content/en/docs/tasks/administer-cluster/namespaces.md
index 231de37e262f5..a91a51e95a416 100644
--- a/content/en/docs/tasks/administer-cluster/namespaces.md
+++ b/content/en/docs/tasks/administer-cluster/namespaces.md
@@ -71,7 +71,7 @@ to define *Hard* resource usage limits that a *Namespace* may consume.
 A limit range defines min/max constraints on the amount of resources a single entity can consume in
 a *Namespace*.
 
-See [Admission control: Limit Range](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md)
+See [Admission control: Limit Range](https://git.k8s.io/design-proposals-archive/resource-management/admission_control_limit_range.md)
 
 A namespace can be in one of two phases:
 
@@ -112,7 +112,7 @@ The name of your namespace must be a valid
 
 There's an optional field `finalizers`, which allows observables to purge resources whenever the namespace is deleted. Keep in mind that if you specify a nonexistent finalizer, the namespace will be created but will get stuck in the `Terminating` state if the user tries to delete it.
 
-More information on `finalizers` can be found in the namespace [design doc](https://git.k8s.io/community/contributors/design-proposals/architecture/namespaces.md#finalizers).
+More information on `finalizers` can be found in the namespace [design doc](https://git.k8s.io/design-proposals-archive/architecture/namespaces.md#finalizers).
 
 ## Deleting a namespace
 
@@ -314,7 +314,7 @@ across namespaces, you need to use the fully qualified domain name (FQDN).
 
 * Learn more about [setting the namespace preference](/docs/concepts/overview/working-with-objects/namespaces/#setting-the-namespace-preference).
 * Learn more about [setting the namespace for a request](/docs/concepts/overview/working-with-objects/namespaces/#setting-the-namespace-for-a-request)
-* See [namespaces design](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/namespaces.md).
+* See [namespaces design](https://git.k8s.io/design-proposals-archive/architecture/namespaces.md).
 
 
 
diff --git a/content/en/docs/tasks/administer-cluster/quota-api-object.md b/content/en/docs/tasks/administer-cluster/quota-api-object.md
index 11592d2152ccd..ad38f102d4854 100644
--- a/content/en/docs/tasks/administer-cluster/quota-api-object.md
+++ b/content/en/docs/tasks/administer-cluster/quota-api-object.md
@@ -89,7 +89,7 @@ kubectl get persistentvolumeclaims --namespace=quota-object-example
 
 The output shows that the PersistentVolumeClaim exists and has status Pending:
 
-```shell
+```
 NAME             STATUS
 pvc-quota-demo   Pending
 ```
diff --git a/content/en/docs/tasks/administer-cluster/reconfigure-kubelet.md b/content/en/docs/tasks/administer-cluster/reconfigure-kubelet.md
index 82a501e5d4689..e1effd8f05275 100644
--- a/content/en/docs/tasks/administer-cluster/reconfigure-kubelet.md
+++ b/content/en/docs/tasks/administer-cluster/reconfigure-kubelet.md
@@ -29,7 +29,7 @@ Please find documentation on this feature in [earlier versions of documentation]
 There is no recommended replacement for this feature that works generically
 across various Kubernetes distributions. If you are using managed Kubernetes
 version, please consult with the vendor hosting Kubernetes for the best
-practices for customizing your Kubernetes. If you are using KubeAdm, refer to
+practices for customizing your Kubernetes. If you are using `kubeadm`, refer to
 [Configuring each kubelet in your cluster using kubeadm](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/).
 
 In order to migrate off the Dynamic Kubelet Configuration feature, the
diff --git a/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md b/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md
index 8922a2fe003ba..f39122790328f 100644
--- a/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md
+++ b/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md
@@ -95,7 +95,10 @@ system daemon should ideally run within its own child control group. Refer to
 for more details on recommended control group hierarchy.
 
 Note that Kubelet **does not** create `--kube-reserved-cgroup` if it doesn't
-exist. Kubelet will fail if an invalid cgroup is specified.
+exist. Kubelet will fail if an invalid cgroup is specified. With `systemd`
+cgroup driver, you should follow a specific pattern for the name of the cgroup you
+define: the name should be the value you set for `--kube-reserved-cgroup`,
+with `.slice` appended.
 
 ### System Reserved
 
@@ -120,7 +123,10 @@ It is recommended that the OS system daemons are placed under a top level
 control group (`system.slice` on systemd machines for example).
 
 Note that `kubelet` **does not** create `--system-reserved-cgroup` if it doesn't
-exist. `kubelet` will fail if an invalid cgroup is specified.
+exist. `kubelet` will fail if an invalid cgroup is specified.  With `systemd`
+cgroup driver, you should follow a specific pattern for the name of the cgroup you
+define: the name should be the value you set for `--system-reserved-cgroup`,
+with `.slice` appended.
 
 ### Explicitly Reserved CPU List
 
diff --git a/content/en/docs/tasks/administer-cluster/securing-a-cluster.md b/content/en/docs/tasks/administer-cluster/securing-a-cluster.md
index f125fd6cf2042..2be416ceb6a21 100644
--- a/content/en/docs/tasks/administer-cluster/securing-a-cluster.md
+++ b/content/en/docs/tasks/administer-cluster/securing-a-cluster.md
@@ -13,15 +13,10 @@ content_type: task
 This document covers topics related to protecting a cluster from accidental or malicious access
 and provides recommendations on overall security.
 
-
-
 ## {{% heading "prerequisites" %}}
 
-
 * {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
-
-
 <!-- steps -->
 
 ## Controlling access to the Kubernetes API
@@ -77,11 +72,13 @@ Consult the [authorization reference section](/docs/reference/access-authn-authz
 
 ## Controlling access to the Kubelet
 
-Kubelets expose HTTPS endpoints which grant powerful control over the node and containers. By default Kubelets allow unauthenticated access to this API.
+Kubelets expose HTTPS endpoints which grant powerful control over the node and containers.
+By default Kubelets allow unauthenticated access to this API.
 
 Production clusters should enable Kubelet authentication and authorization.
 
-Consult the [Kubelet authentication/authorization reference](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization) for more information.
+Consult the [Kubelet authentication/authorization reference](/docs/reference/access-authn-authz/kubelet-authn-authz/)
+for more information.
 
 ## Controlling the capabilities of a workload or user at runtime
 
diff --git a/content/en/docs/tasks/administer-cluster/topology-manager.md b/content/en/docs/tasks/administer-cluster/topology-manager.md
index e8d2e7c19d6c9..4002537f0cc35 100644
--- a/content/en/docs/tasks/administer-cluster/topology-manager.md
+++ b/content/en/docs/tasks/administer-cluster/topology-manager.md
@@ -20,7 +20,7 @@ An increasing number of systems leverage a combination of CPUs and hardware acce
 
 In order to extract the best performance, optimizations related to CPU isolation, memory and device locality are required. However, in Kubernetes, these optimizations are handled by a disjoint set of components.
 
-_Topology Manager_ is a Kubelet component that aims to co-ordinate the set of components that are responsible for these optimizations.
+_Topology Manager_ is a Kubelet component that aims to coordinate the set of components that are responsible for these optimizations.
  
 
 
@@ -267,4 +267,4 @@ Using this information the Topology Manager calculates the optimal hint for the
 ### Known Limitations
 1. The maximum number of NUMA nodes that Topology Manager allows is 8. With more than 8 NUMA nodes there will be a state explosion when trying to enumerate the possible NUMA affinities and generating their hints.
 
-2. The scheduler is not topology-aware, so it is possible to be scheduled on a node and then fail on the node due to the Topology Manager.
\ No newline at end of file
+2. The scheduler is not topology-aware, so it is possible to be scheduled on a node and then fail on the node due to the Topology Manager.
diff --git a/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md b/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md
index 137571d8e8a65..d923d6356c1f7 100644
--- a/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md
+++ b/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md
@@ -171,7 +171,7 @@ kubectl get pod memory-demo-2 --output=yaml --namespace=mem-example
 
 The output shows that the Container was killed because it is out of memory (OOM):
 
-```shell
+```yaml
 lastState:
    terminated:
      containerID: 65183c1877aaec2e8427bc95609cc52677a454b56fcb24340dbd22917c23b10f
@@ -278,7 +278,7 @@ kubectl describe pod memory-demo-3 --namespace=mem-example
 
 The output shows that the Container cannot be scheduled because of insufficient memory on the Nodes:
 
-```shell
+```
 Events:
   ...  Reason            Message
        ------            -------
@@ -291,8 +291,8 @@ The memory resource is measured in bytes. You can express memory as a plain inte
 fixed-point integer with one of these suffixes: E, P, T, G, M, K, Ei, Pi, Ti, Gi, Mi, Ki.
 For example, the following represent approximately the same value:
 
-```shell
-128974848, 129e6, 129M , 123Mi
+```
+128974848, 129e6, 129M, 123Mi
 ```
 
 Delete your Pod:
diff --git a/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md b/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md
index f1e6e6e9efe53..1e19a26fbba88 100644
--- a/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md
+++ b/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md
@@ -34,7 +34,7 @@ Kubernetes cluster.
     worker1   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker1
     worker2   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker2
     ```
-1. Chose one of your nodes, and add a label to it:
+1. Choose one of your nodes, and add a label to it:
 
     ```shell
     kubectl label nodes <your-node-name> disktype=ssd
diff --git a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index b26baabe9e35a..3f4c1c8dcdd3d 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -438,8 +438,8 @@ to 127.0.0.1. If your pod relies on virtual hosts, which is probably the more co
 case, you should not use `host`, but rather set the `Host` header in `httpHeaders`.
 
 For an HTTP probe, the kubelet sends two request headers in addition to the mandatory `Host` header:
-`User-Agent`, and `Accept`. The default values for these headers are `kube-probe/{{< skew latestVersion >}}`
-(where `{{< skew latestVersion >}}` is the version of the kubelet ), and `*/*` respectively.
+`User-Agent`, and `Accept`. The default values for these headers are `kube-probe/{{< skew currentVersion >}}`
+(where `{{< skew currentVersion >}}` is the version of the kubelet ), and `*/*` respectively.
 
 You can override the default headers by defining `.httpHeaders` for the probe; for example
 
diff --git a/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md b/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
index 73755891ca49c..54a9da1c08a5f 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
@@ -282,7 +282,7 @@ PersistentVolume are not present on the Pod resource itself.
 
 
 * Learn more about [PersistentVolumes](/docs/concepts/storage/persistent-volumes/).
-* Read the [Persistent Storage design document](https://git.k8s.io/community/contributors/design-proposals/storage/persistent-storage.md).
+* Read the [Persistent Storage design document](https://git.k8s.io/design-proposals-archive/storage/persistent-storage.md).
 
 ### Reference
 
diff --git a/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md b/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md
index 62b334e06824b..a4882ff88293d 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md
@@ -10,7 +10,7 @@ card:
 <!-- overview -->
 Many applications rely on configuration which is used during either application initialization or runtime.
 Most of the times there is a requirement to adjust values assigned to configuration parameters.
-ConfigMaps is the kubernetes way to inject application pods with configuration data. 
+ConfigMaps is the kubernetes way to inject application pods with configuration data.
 ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable. This page provides a series of usage examples demonstrating how to create ConfigMaps and configure Pods using data stored in ConfigMaps.
 
 
@@ -461,35 +461,35 @@ configmap/special-config-2-c92b5mmcf2 created
 
 ### Define a container environment variable with data from a single ConfigMap
 
-1.  Define an environment variable as a key-value pair in a ConfigMap:
+1. Define an environment variable as a key-value pair in a ConfigMap:
 
-    ```shell
-    kubectl create configmap special-config --from-literal=special.how=very
-    ```
+   ```shell
+   kubectl create configmap special-config --from-literal=special.how=very
+   ```
 
-2.  Assign the `special.how` value defined in the ConfigMap to the `SPECIAL_LEVEL_KEY` environment variable in the Pod specification.
+2. Assign the `special.how` value defined in the ConfigMap to the `SPECIAL_LEVEL_KEY` environment variable in the Pod specification.
 
    {{< codenew file="pods/pod-single-configmap-env-variable.yaml" >}}
 
    Create the Pod:
 
- ```shell
- kubectl create -f https://kubernetes.io/examples/pods/pod-single-configmap-env-variable.yaml
- ```
+   ```shell
+   kubectl create -f https://kubernetes.io/examples/pods/pod-single-configmap-env-variable.yaml
+   ```
 
    Now, the Pod's output includes environment variable `SPECIAL_LEVEL_KEY=very`.
 
 ### Define container environment variables with data from multiple ConfigMaps
 
- * As with the previous example, create the ConfigMaps first.
+* As with the previous example, create the ConfigMaps first.
 
-   {{< codenew file="configmap/configmaps.yaml" >}}
+  {{< codenew file="configmap/configmaps.yaml" >}}
 
-   Create the ConfigMap:
+  Create the ConfigMap:
 
- ```shell
- kubectl create -f https://kubernetes.io/examples/configmap/configmaps.yaml
- ```
+  ```shell
+  kubectl create -f https://kubernetes.io/examples/configmap/configmaps.yaml
+  ```
 
 * Define the environment variables in the Pod specification.
 
@@ -497,9 +497,9 @@ configmap/special-config-2-c92b5mmcf2 created
 
   Create the Pod:
 
- ```shell
- kubectl create -f https://kubernetes.io/examples/pods/pod-multiple-configmap-env-variable.yaml
- ```
+  ```shell
+  kubectl create -f https://kubernetes.io/examples/pods/pod-multiple-configmap-env-variable.yaml
+  ```
 
   Now, the Pod's output includes environment variables `SPECIAL_LEVEL_KEY=very` and `LOG_LEVEL=INFO`.
 
@@ -515,21 +515,21 @@ This functionality is available in Kubernetes v1.6 and later.
 
   Create the ConfigMap:
 
- ```shell
- kubectl create -f https://kubernetes.io/examples/configmap/configmap-multikeys.yaml
- ```
+  ```shell
+  kubectl create -f https://kubernetes.io/examples/configmap/configmap-multikeys.yaml
+  ```
 
 * Use `envFrom` to define all of the ConfigMap's data as container environment variables. The key from the ConfigMap becomes the environment variable name in the Pod.
 
- {{< codenew file="pods/pod-configmap-envFrom.yaml" >}}
+  {{< codenew file="pods/pod-configmap-envFrom.yaml" >}}
 
- Create the Pod:
+  Create the Pod:
 
- ```shell
- kubectl create -f https://kubernetes.io/examples/pods/pod-configmap-envFrom.yaml
- ```
+  ```shell
+  kubectl create -f https://kubernetes.io/examples/pods/pod-configmap-envFrom.yaml
+  ```
 
- Now, the Pod's output includes environment variables `SPECIAL_LEVEL=very` and `SPECIAL_TYPE=charm`.
+  Now, the Pod's output includes environment variables `SPECIAL_LEVEL=very` and `SPECIAL_TYPE=charm`.
 
 
 ## Use ConfigMap-defined environment variables in Pod commands
@@ -548,7 +548,7 @@ kubectl create -f https://kubernetes.io/examples/pods/pod-configmap-env-var-valu
 
 produces the following output in the `test-container` container:
 
-```shell
+```
 very charm
 ```
 
@@ -582,7 +582,7 @@ kubectl create -f https://kubernetes.io/examples/pods/pod-configmap-volume.yaml
 
 When the pod runs, the command `ls /etc/config/` produces the output below:
 
-```shell
+```
 SPECIAL_LEVEL
 SPECIAL_TYPE
 ```
@@ -610,7 +610,7 @@ kubectl create -f https://kubernetes.io/examples/pods/pod-configmap-volume-speci
 
 When the pod runs, the command `cat /etc/config/keys` produces the output below:
 
-```shell
+```
 very
 ```
 
@@ -635,8 +635,7 @@ existence after a pod has started.
 
 Kubelet checks whether the mounted ConfigMap is fresh on every periodic sync. However, it uses its local TTL-based cache for getting the current value of the
 ConfigMap. As a result, the total delay from the moment when the ConfigMap is updated to the moment when new keys are projected to the pod can be as long as
-kubelet sync period (1 minute by default) + TTL of ConfigMaps cache (1 minute by default) in kubelet. You can trigger an immediate refresh by updating one of
-the pod's annotations.
+kubelet sync period (1 minute by default) + TTL of ConfigMaps cache (1 minute by default) in kubelet.
 
 {{< note >}}
 A container using a ConfigMap as a [subPath](/docs/concepts/storage/volumes/#using-subpath) volume will not receive ConfigMap updates.
@@ -680,15 +679,15 @@ data:
 
 - If you use `envFrom` to define environment variables from ConfigMaps, keys that are considered invalid will be skipped. The pod will be allowed to start, but the invalid names will be recorded in the event log (`InvalidVariableNames`). The log message lists each skipped key. For example:
 
-   ```shell
-   kubectl get events
-   ```
+  ```shell
+  kubectl get events
+  ```
 
-   The output is similar to this:
-   ```
-   LASTSEEN FIRSTSEEN COUNT NAME          KIND  SUBOBJECT  TYPE      REASON                            SOURCE                MESSAGE
-   0s       0s        1     dapi-test-pod Pod              Warning   InvalidEnvironmentVariableNames   {kubelet, 127.0.0.1}  Keys [1badkey, 2alsobad] from the EnvFrom configMap default/myconfig were skipped since they are considered invalid environment variable names.
-   ```
+  The output is similar to this:
+  ```
+  LASTSEEN FIRSTSEEN COUNT NAME          KIND  SUBOBJECT  TYPE      REASON                            SOURCE                MESSAGE
+  0s       0s        1     dapi-test-pod Pod              Warning   InvalidEnvironmentVariableNames   {kubelet, 127.0.0.1}  Keys [1badkey, 2alsobad] from the EnvFrom configMap default/myconfig were skipped since they are considered invalid environment variable names.
+  ```
 
 - ConfigMaps reside in a specific {{< glossary_tooltip term_id="namespace" >}}. A ConfigMap can only be referenced by pods residing in the same namespace.
 
@@ -699,4 +698,3 @@ data:
 ## {{% heading "whatsnext" %}}
 
 * Follow a real world example of [Configuring Redis using a ConfigMap](/docs/tutorials/configuration/configure-redis-using-configmap/).
-
diff --git a/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md b/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md
index b7681a81181af..97457b55f1115 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md
@@ -89,4 +89,3 @@ The output shows that nginx is serving the web page that was written by the init
 
 
 
-
diff --git a/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md b/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
index ca71e7a721364..fb558931db6fe 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
@@ -83,5 +83,5 @@ kubectl delete secret user pass
 ## {{% heading "whatsnext" %}}
 
 * Learn more about [`projected`](/docs/concepts/storage/volumes/#projected) volumes.
-* Read the [all-in-one volume](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/all-in-one-volume.md) design document.
+* Read the [all-in-one volume](https://git.k8s.io/design-proposals-archive/node/all-in-one-volume.md) design document.
 
diff --git a/content/en/docs/tasks/configure-pod-container/configure-runasusername.md b/content/en/docs/tasks/configure-pod-container/configure-runasusername.md
index 9ddcac270ffd0..58028f9c8983a 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-runasusername.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-runasusername.md
@@ -57,7 +57,7 @@ echo $env:USERNAME
 
 The output should be:
 
-```shell
+```
 ContainerUser
 ```
 
@@ -97,7 +97,7 @@ echo $env:USERNAME
 
 The output should be:
 
-```shell
+```
 ContainerAdministrator
 ```
 
@@ -120,7 +120,7 @@ For more information about these limtations, check [here](https://support.micros
 ## {{% heading "whatsnext" %}}
 
 
-* [Guide for scheduling Windows containers in Kubernetes](/docs/setup/production-environment/windows/user-guide-windows-containers/)
-* [Managing Workload Identity with Group Managed Service Accounts (GMSA)](/docs/setup/production-environment/windows/user-guide-windows-containers/#managing-workload-identity-with-group-managed-service-accounts)
+* [Guide for scheduling Windows containers in Kubernetes](/docs/concepts/windows/user-guide/)
+* [Managing Workload Identity with Group Managed Service Accounts (GMSA)](/docs/concepts/windows/user-guide/#managing-workload-identity-with-group-managed-service-accounts)
 * [Configure GMSA for Windows pods and containers](/docs/tasks/configure-pod-container/configure-gmsa/)
 
diff --git a/content/en/docs/tasks/configure-pod-container/configure-service-account.md b/content/en/docs/tasks/configure-pod-container/configure-service-account.md
index ffb863a19f7f9..70122389448dd 100644
--- a/content/en/docs/tasks/configure-pod-container/configure-service-account.md
+++ b/content/en/docs/tasks/configure-pod-container/configure-service-account.md
@@ -42,7 +42,7 @@ You can access the API from inside a pod using automatically mounted service acc
 The API permissions of the service account depend on the
 [authorization plugin and policy](/docs/reference/access-authn-authz/authorization/#authorization-modules) in use.
 
-In version 1.6+, you can opt out of automounting API credentials for a service account by setting `automountServiceAccountToken: false` on the service account:
+You can opt out of automounting API credentials on `/var/run/secrets/kubernetes.io/serviceaccount/token` for a service account by setting `automountServiceAccountToken: false` on the ServiceAccount:
 
 ```yaml
 apiVersion: v1
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index a7dcbafd340cf..ed5506c45b689 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -214,3 +214,10 @@ container, aiming to limit the degree of privileges so as to avoid accidental (o
 malicious) damage to the host. The LocalSystem service account has the highest level
 of privilege of the three and should be used only if absolutely necessary. Where possible,
 use the LocalService service account as it is the least privileged of the three options.
+
+## Troubleshooting HostProcess containers
+
+- HostProcess containers fail to start with `failed to create user process token: failed to logon user: Access is denied.: unknown`
+
+  Ensure containerd is running as `LocalSystem` or `LocalService` service accounts. User accounts (even Administrator accounts) do not have permissions to create logon tokens for any of the supported [user accounts](#choosing-a-user-account).
+  
\ No newline at end of file
diff --git a/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
index 9f46360a5ceaf..dcf771e811647 100644
--- a/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
+++ b/content/en/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
@@ -38,7 +38,7 @@ plugins:
     #
     # Version label values must be one of:
     # - "latest" (default) 
-    # - specific version like "v{{< skew latestVersion >}}"
+    # - specific version like "v{{< skew currentVersion >}}"
     defaults:
       enforce: "privileged"
       enforce-version: "latest"
@@ -78,7 +78,7 @@ plugins:
     #
     # Version label values must be one of:
     # - "latest" (default) 
-    # - specific version like "v{{< skew latestVersion >}}"
+    # - specific version like "v{{< skew currentVersion >}}"
     defaults:
       enforce: "privileged"
       enforce-version: "latest"
diff --git a/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md b/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
index 121f9b15e7c54..4157d6ba67430 100644
--- a/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
+++ b/content/en/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
@@ -7,7 +7,11 @@ content_type: task
 min-kubernetes-server-version: v1.22
 ---
 
-Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards).
+Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards). The three policies
+[privileged](/docs/concepts/security/pod-security-standards/#privileged), [baseline](/docs/concepts/security/pod-security-standards/#baseline)
+and [restricted](/docs/concepts/security/pod-security-standards/#restricted) broadly cover the security spectrum
+and are implemented by the [Pod Security](/docs/concepts/security/pod-security-admission/) {{< glossary_tooltip
+text="admission controller" term_id="admission-controller" >}}.
 
 ## {{% heading "prerequisites" %}}
 
@@ -22,7 +26,7 @@ This manifest defines a Namespace `my-baseline-namespace` that:
 - _Blocks_ any pods that don't satisfy the `baseline` policy requirements.
 - Generates a user-facing warning and adds an audit annotation to any created pod that does not
   meet the `restricted` policy requirements.
-- Pins the versions of the `baseline` and `restricted` policies to v{{< skew latestVersion >}}.
+- Pins the versions of the `baseline` and `restricted` policies to v{{< skew currentVersion >}}.
 
 ```yaml
 apiVersion: v1
@@ -31,13 +35,13 @@ metadata:
   name: my-baseline-namespace
   labels:
     pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/enforce-version: v{{< skew latestVersion >}}
+    pod-security.kubernetes.io/enforce-version: v{{< skew currentVersion >}}
 
     # We are setting these to our _desired_ `enforce` level.
     pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/audit-version: v{{< skew latestVersion >}}
+    pod-security.kubernetes.io/audit-version: v{{< skew currentVersion >}}
     pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/warn-version: v{{< skew latestVersion >}}
+    pod-security.kubernetes.io/warn-version: v{{< skew currentVersion >}}
 ```
 
 ## Add labels to existing namespaces with `kubectl label`
@@ -78,10 +82,10 @@ kubectl get namespaces --selector='!pod-security.kubernetes.io/enforce'
 ### Applying to a single namespace
 
 You can update a specific namespace as well. This command adds the `enforce=restricted`
-policy to `my-existing-namespace`, pinning the restricted policy version to v{{< skew latestVersion >}}.
+policy to `my-existing-namespace`, pinning the restricted policy version to v{{< skew currentVersion >}}.
 
 ```shell
 kubectl label --overwrite ns my-existing-namespace \
   pod-security.kubernetes.io/enforce=restricted \
-  pod-security.kubernetes.io/enforce-version=v{{< skew latestVersion >}}
+  pod-security.kubernetes.io/enforce-version=v{{< skew currentVersion >}}
 ```
diff --git a/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md
index 1879ba5ba749b..f7d78ea13eb2a 100644
--- a/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md
+++ b/content/en/docs/tasks/configure-pod-container/migrate-from-psp.md
@@ -323,7 +323,7 @@ configuration of the API server:
 
 To verify that the PodSecurityPolicy admission controller is no longer enabled, you can manually run
 a test by impersonating a user without access to any PodSecurityPolicies (see the
-[PodSecurityPolicy example](/docs/concepts/policy/pod-security-policy/#example)), or by verifying in
+[PodSecurityPolicy example](/docs/concepts/security/pod-security-policy/#example)), or by verifying in
 the API server logs. At startup, the API server outputs log lines listing the loaded admission
 controller plugins:
 
diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md
index 91b914bc54530..80d942b724e52 100644
--- a/content/en/docs/tasks/configure-pod-container/security-context.md
+++ b/content/en/docs/tasks/configure-pod-container/security-context.md
@@ -452,7 +452,7 @@ applied to Volumes as follows:
 
 * `fsGroup`: Volumes that support ownership management are modified to be owned
   and writable by the GID specified in `fsGroup`. See the
-  [Ownership Management design document](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
+  [Ownership Management design document](https://git.k8s.io/design-proposals-archive/storage/volume-ownership-management.md)
   for more details.
 
 * `seLinuxOptions`: Volumes that support SELinux labeling are relabeled to be accessible
@@ -482,10 +482,10 @@ kubectl delete pod security-context-demo-4
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core)
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
 * [Tuning Docker with the newest security enhancements](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
-* [Security Contexts design document](https://git.k8s.io/community/contributors/design-proposals/auth/security_context.md)
-* [Ownership Management design document](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
+* [Security Contexts design document](https://git.k8s.io/design-proposals-archive/auth/security_context.md)
+* [Ownership Management design document](https://git.k8s.io/design-proposals-archive/storage/volume-ownership-management.md)
 * [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/)
 * [AllowPrivilegeEscalation design
-  document](https://git.k8s.io/community/contributors/design-proposals/auth/no-new-privs.md)
+  document](https://git.k8s.io/design-proposals-archive/auth/no-new-privs.md)
 * For more information about security mechanisms in Linux, see
 [Overview of Linux Kernel Security Features](https://www.linux.com/learn/overview-linux-kernel-security-features) (Note: Some information is out of date)
diff --git a/content/en/docs/tasks/configure-pod-container/share-process-namespace.md b/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
index dfb8e40906af5..773a0b6544fc9 100644
--- a/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
+++ b/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
@@ -1,6 +1,5 @@
 ---
 title: Share Process Namespace between Containers in a Pod
-min-kubernetes-server-version: v1.10
 reviewers:
 - verb
 - yujuhong
@@ -11,64 +10,69 @@ weight: 160
 
 <!-- overview -->
 
-{{< feature-state state="stable" for_k8s_version="v1.17" >}}
-
 This page shows how to configure process namespace sharing for a pod. When
 process namespace sharing is enabled, processes in a container are visible
-to all other containers in that pod.
+to all other containers in the same pod.
 
 You can use this feature to configure cooperating containers, such as a log
 handler sidecar container, or to troubleshoot container images that don't
 include debugging utilities like a shell.
 
-
-
 ## {{% heading "prerequisites" %}}
 
-
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-
+{{< include "task-tutorial-prereqs.md" >}}
 
 <!-- steps -->
 
 ## Configure a Pod
 
-Process Namespace Sharing is enabled using the `shareProcessNamespace` field of
-`v1.PodSpec`. For example:
+Process namespace sharing is enabled using the `shareProcessNamespace` field of
+`.spec` for a Pod. For example:
 
 {{< codenew file="pods/share-process-namespace.yaml" >}}
 
 1. Create the pod `nginx` on your cluster:
 
-    ```shell
-    kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
-    ```
+   ```shell
+   kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
+   ```
 
 1. Attach to the `shell` container and run `ps`:
 
-    ```shell
-    kubectl attach -it nginx -c shell
-    ```
+   ```shell
+   kubectl attach -it nginx -c shell
+   ```
+
+   If you don't see a command prompt, try pressing enter. In the container shell:
+
+   ```shell
+   # run this inside the "shell" container
+   ps ax
+   ```
 
-    If you don't see a command prompt, try pressing enter.
+   The output is similar to this:
 
-    ```
-    / # ps ax
-    PID   USER     TIME  COMMAND
-        1 root      0:00 /pause
-        8 root      0:00 nginx: master process nginx -g daemon off;
-       14 101       0:00 nginx: worker process
-       15 root      0:00 sh
-       21 root      0:00 ps ax
-    ```
+   ```none
+   PID   USER     TIME  COMMAND
+       1 root      0:00 /pause
+       8 root      0:00 nginx: master process nginx -g daemon off;
+      14 101       0:00 nginx: worker process
+      15 root      0:00 sh
+      21 root      0:00 ps ax
+   ```
 
 You can signal processes in other containers. For example, send `SIGHUP` to
-nginx to restart the worker process. This requires the `SYS_PTRACE` capability.
+`nginx` to restart the worker process. This requires the `SYS_PTRACE` capability.
 
+```shell
+# run this inside the "shell" container
+kill -HUP 8   # change "8" to match the PID of the nginx leader process, if necessary
+ps ax
 ```
-/ # kill -HUP 8
-/ # ps ax
+
+The output is similar to this:
+
+```none
 PID   USER     TIME  COMMAND
     1 root      0:00 /pause
     8 root      0:00 nginx: master process nginx -g daemon off;
@@ -77,12 +81,18 @@ PID   USER     TIME  COMMAND
    23 root      0:00 ps ax
 ```
 
-It's even possible to access another container image using the
+It's even possible to access the file system of another container using the
 `/proc/$pid/root` link.
 
+```shell
+# run this inside the "shell" container
+# change "8" to the PID of the Nginx process, if necessary
+head /proc/8/root/etc/nginx/nginx.conf
 ```
-/ # head /proc/8/root/etc/nginx/nginx.conf
 
+The output is similar to this:
+
+```none
 user  nginx;
 worker_processes  1;
 
@@ -94,21 +104,19 @@ events {
     worker_connections  1024;
 ```
 
-
-
 <!-- discussion -->
 
-## Understanding Process Namespace Sharing
+## Understanding process namespace sharing
 
 Pods share many resources so it makes sense they would also share a process
-namespace. Some container images may expect to be isolated from other
-containers, though, so it's important to understand these differences:
+namespace. Some containers may expect to be isolated from others, though,
+so it's important to understand the differences:
 
-1. **The container process no longer has PID 1.** Some container images refuse
+1. **The container process no longer has PID 1.** Some containers refuse
    to start without PID 1 (for example, containers using `systemd`) or run
    commands like `kill -HUP 1` to signal the container process. In pods with a
-   shared process namespace, `kill -HUP 1` will signal the pod sandbox.
-   (`/pause` in the above example.)
+   shared process namespace, `kill -HUP 1` will signal the pod sandbox
+   (`/pause` in the above example).
 
 1. **Processes are visible to other containers in the pod.** This includes all
    information visible in `/proc`, such as passwords that were passed as arguments
@@ -118,6 +126,3 @@ containers, though, so it's important to understand these differences:
    `/proc/$pid/root` link.** This makes debugging easier, but it also means
    that filesystem secrets are protected only by filesystem permissions.
 
-
-
-
diff --git a/content/en/docs/tasks/configure-pod-container/static-pod.md b/content/en/docs/tasks/configure-pod-container/static-pod.md
index 11df9fde0491a..c137382f5b51f 100644
--- a/content/en/docs/tasks/configure-pod-container/static-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/static-pod.md
@@ -67,12 +67,12 @@ For example, this is how to start a simple web server as a static Pod:
     ssh my-node1
     ```
 
-2. Choose a directory, say `/etc/kubelet.d` and place a web server Pod definition there, for example `/etc/kubelet.d/static-web.yaml`:
+2. Choose a directory, say `/etc/kubernetes/manifests` and place a web server Pod definition there, for example `/etc/kubernetes/manifests/static-web.yaml`:
 
     ```shell
     # Run this command on the node where kubelet is running
-    mkdir /etc/kubelet.d/
-    cat <<EOF >/etc/kubelet.d/static-web.yaml
+    mkdir -p /etc/kubernetes/manifests/
+    cat <<EOF >/etc/kubernetes/manifests/static-web.yaml
     apiVersion: v1
     kind: Pod
     metadata:
@@ -90,10 +90,10 @@ For example, this is how to start a simple web server as a static Pod:
     EOF
     ```
 
-3. Configure your kubelet on the node to use this directory by running it with `--pod-manifest-path=/etc/kubelet.d/` argument. On Fedora edit `/etc/kubernetes/kubelet` to include this line:
+3. Configure your kubelet on the node to use this directory by running it with `--pod-manifest-path=/etc/kubernetes/manifests/` argument. On Fedora edit `/etc/kubernetes/kubelet` to include this line:
 
    ```
-   KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubelet.d/"
+   KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubernetes/manifests/"
    ```
    or add the `staticPodPath: <the directory>` field in the
    [kubelet configuration file](/docs/reference/config-api/kubelet-config.v1beta1/).
@@ -224,7 +224,7 @@ CONTAINER       IMAGE                                 CREATED           STATE
 
 ## Dynamic addition and removal of static pods
 
-The running kubelet periodically scans the configured directory (`/etc/kubelet.d` in our example) for changes and adds/removes Pods as files appear/disappear in this directory.
+The running kubelet periodically scans the configured directory (`/etc/kubernetes/manifests` in our example) for changes and adds/removes Pods as files appear/disappear in this directory.
 
 ```shell
 # This assumes you are using filesystem-hosted static Pod configuration
diff --git a/content/en/docs/tasks/debug/debug-application/debug-pods.md b/content/en/docs/tasks/debug/debug-application/debug-pods.md
index 77fff23a525aa..d7ff76fe04dc6 100644
--- a/content/en/docs/tasks/debug/debug-application/debug-pods.md
+++ b/content/en/docs/tasks/debug/debug-application/debug-pods.md
@@ -3,7 +3,7 @@ reviewers:
 - mikedanese
 - thockin
 title: Debug Pods
-content_type: concept
+content_type: task
 weight: 10
 ---
 
@@ -156,5 +156,5 @@ to make sure that your `Service` is running, has `Endpoints`, and your `Pods` ar
 actually serving; you have DNS working, iptables rules installed, and kube-proxy
 does not seem to be misbehaving.
 
-You may also visit [troubleshooting document](/docs/tasks/debug/overview/) for more information.
+You may also visit [troubleshooting document](/docs/tasks/debug/) for more information.
 
diff --git a/content/en/docs/tasks/debug/debug-application/debug-service.md b/content/en/docs/tasks/debug/debug-application/debug-service.md
index 42d615dca9e5c..3c20effc992dd 100644
--- a/content/en/docs/tasks/debug/debug-application/debug-service.md
+++ b/content/en/docs/tasks/debug/debug-application/debug-service.md
@@ -2,7 +2,7 @@
 reviewers:
 - thockin
 - bowei
-content_type: concept
+content_type: task
 title: Debug Services
 weight: 20
 ---
@@ -728,13 +728,13 @@ Service is not working.  Please let us know what is going on, so we can help
 investigate!
 
 Contact us on
-[Slack](/docs/tasks/debug/overview/#slack) or
+[Slack](https://slack.k8s.io/) or
 [Forum](https://discuss.kubernetes.io) or
 [GitHub](https://github.com/kubernetes/kubernetes).
 
 ## {{% heading "whatsnext" %}}
 
-Visit the [troubleshooting overview document](/docs/tasks/debug/overview/)
+Visit the [troubleshooting overview document](/docs/tasks/debug/)
 for more information.
 
 
diff --git a/content/en/docs/tasks/debug/debug-cluster/_index.md b/content/en/docs/tasks/debug/debug-cluster/_index.md
index 9c0ad56a4c69a..29fb9a06ae71e 100644
--- a/content/en/docs/tasks/debug/debug-cluster/_index.md
+++ b/content/en/docs/tasks/debug/debug-cluster/_index.md
@@ -36,7 +36,13 @@ kubectl cluster-info dump
 
 ### Example: debugging a down/unreachable node
 
-Sometimes when debugging it can be useful to look at the status of a node -- for example, because you've noticed strange behavior of a Pod that's running on the node, or to find out why a Pod won't schedule onto the node. As with Pods, you can use `kubectl describe node` and `kubectl get node -o yaml` to retrieve detailed information about nodes. For example, here's what you'll see if a node is down (disconnected from the network, or kubelet dies and won't restart, etc.). Notice the events that show the node is NotReady, and also notice that the pods are no longer running (they are evicted after five minutes of NotReady status).
+Sometimes when debugging it can be useful to look at the status of a node -- for example, because
+you've noticed strange behavior of a Pod that's running on the node, or to find out why a Pod
+won't schedule onto the node. As with Pods, you can use `kubectl describe node` and `kubectl get
+node -o yaml` to retrieve detailed information about nodes. For example, here's what you'll see if
+a node is down (disconnected from the network, or kubelet dies and won't restart, etc.). Notice
+the events that show the node is NotReady, and also notice that the pods are no longer running
+(they are evicted after five minutes of NotReady status).
 
 ```shell
 kubectl get nodes
@@ -222,14 +228,16 @@ of the relevant log files.  On systemd-based systems, you may need to use `journ
 
 ### Control Plane nodes
 
-   * `/var/log/kube-apiserver.log` - API Server, responsible for serving the API
-   * `/var/log/kube-scheduler.log` - Scheduler, responsible for making scheduling decisions
-   * `/var/log/kube-controller-manager.log` - a component that runs most Kubernetes built-in {{<glossary_tooltip text="controllers" term_id="controller">}}, with the notable exception of scheduling (the kube-scheduler handles scheduling).
+* `/var/log/kube-apiserver.log` - API Server, responsible for serving the API
+* `/var/log/kube-scheduler.log` - Scheduler, responsible for making scheduling decisions
+* `/var/log/kube-controller-manager.log` - a component that runs most Kubernetes built-in
+  {{<glossary_tooltip text="controllers" term_id="controller">}}, with the notable exception of scheduling
+  (the kube-scheduler handles scheduling).
 
 ### Worker Nodes
 
-   * `/var/log/kubelet.log` - logs from the kubelet, responsible for running containers on the node
-   * `/var/log/kube-proxy.log` - logs from `kube-proxy`, which is responsible for directing traffic to Service endpoints
+* `/var/log/kubelet.log` - logs from the kubelet, responsible for running containers on the node
+* `/var/log/kube-proxy.log` - logs from `kube-proxy`, which is responsible for directing traffic to Service endpoints
 
 ## Cluster failure modes
 
@@ -237,45 +245,46 @@ This is an incomplete list of things that could go wrong, and how to adjust your
 
 ### Contributing causes
 
-  - VM(s) shutdown
-  - Network partition within cluster, or between cluster and users
-  - Crashes in Kubernetes software
-  - Data loss or unavailability of persistent storage (e.g. GCE PD or AWS EBS volume)
-  - Operator error, for example misconfigured Kubernetes software or application software
+- VM(s) shutdown
+- Network partition within cluster, or between cluster and users
+- Crashes in Kubernetes software
+- Data loss or unavailability of persistent storage (e.g. GCE PD or AWS EBS volume)
+- Operator error, for example misconfigured Kubernetes software or application software
 
 ### Specific scenarios
 
-  - API server VM shutdown or apiserver crashing
-    - Results
-      - unable to stop, update, or start new pods, services, replication controller
-      - existing pods and services should continue to work normally, unless they depend on the Kubernetes API
-  - API server backing storage lost
-    - Results
-      - the kube-apiserver component fails to start successfully and become healthy
-      - kubelets will not be able to reach it but will continue to run the same pods and provide the same service proxying
-      - manual recovery or recreation of apiserver state necessary before apiserver is restarted
-  - Supporting services (node controller, replication controller manager, scheduler, etc) VM shutdown or crashes
-    - currently those are colocated with the apiserver, and their unavailability has similar consequences as apiserver
-    - in future, these will be replicated as well and may not be co-located
-    - they do not have their own persistent state
-  - Individual node (VM or physical machine) shuts down
-    - Results
-      - pods on that Node stop running
-  - Network partition
-    - Results
-      - partition A thinks the nodes in partition B are down; partition B thinks the apiserver is down. (Assuming the master VM ends up in partition A.)
-  - Kubelet software fault
-    - Results
-      - crashing kubelet cannot start new pods on the node
-      - kubelet might delete the pods or not
-      - node marked unhealthy
-      - replication controllers start new pods elsewhere
-  - Cluster operator error
-    - Results
-      - loss of pods, services, etc
-      - lost of apiserver backing store
-      - users unable to read API
-      - etc.
+- API server VM shutdown or apiserver crashing
+  - Results
+    - unable to stop, update, or start new pods, services, replication controller
+    - existing pods and services should continue to work normally, unless they depend on the Kubernetes API
+- API server backing storage lost
+  - Results
+    - the kube-apiserver component fails to start successfully and become healthy
+    - kubelets will not be able to reach it but will continue to run the same pods and provide the same service proxying
+    - manual recovery or recreation of apiserver state necessary before apiserver is restarted
+- Supporting services (node controller, replication controller manager, scheduler, etc) VM shutdown or crashes
+  - currently those are colocated with the apiserver, and their unavailability has similar consequences as apiserver
+  - in future, these will be replicated as well and may not be co-located
+  - they do not have their own persistent state
+- Individual node (VM or physical machine) shuts down
+  - Results
+    - pods on that Node stop running
+- Network partition
+  - Results
+    - partition A thinks the nodes in partition B are down; partition B thinks the apiserver is down.
+      (Assuming the master VM ends up in partition A.)
+- Kubelet software fault
+  - Results
+    - crashing kubelet cannot start new pods on the node
+    - kubelet might delete the pods or not
+    - node marked unhealthy
+    - replication controllers start new pods elsewhere
+- Cluster operator error
+  - Results
+    - loss of pods, services, etc
+    - lost of apiserver backing store
+    - users unable to read API
+    - etc.
 
 ### Mitigations
 
@@ -308,9 +317,13 @@ This is an incomplete list of things that could go wrong, and how to adjust your
 
 ## {{% heading "whatsnext" %}}
 
-* Learn about the metrics available in the [Resource Metrics Pipeline](resource-metrics-pipeline)
-* Discover additional tools for [monitoring resource usage](resource-usage-monitoring)
-* Use Node Problem Detector to [monitor node health](monitor-node-health)
-* Use `crictl` to [debug Kubernetes nodes](crictl)
-* Get more information about [Kubernetes auditing](audit)
-* Use `telepresence` to [develop and debug services locally](local-debugging)
+* Learn about the metrics available in the
+  [Resource Metrics Pipeline](/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/)
+* Discover additional tools for
+  [monitoring resource usage](/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)
+* Use Node Problem Detector to
+  [monitor node health](/docs/tasks/debug/debug-cluster/monitor-node-health/)
+* Use `crictl` to [debug Kubernetes nodes](/docs/tasks/debug/debug-cluster/crictl/)
+* Get more information about [Kubernetes auditing](/docs/tasks/debug/debug-cluster/audit/)
+* Use `telepresence` to [develop and debug services locally](/docs/tasks/debug/debug-cluster/local-debugging/)
+
diff --git a/content/en/docs/tasks/debug/debug-cluster/local-debugging.md b/content/en/docs/tasks/debug/debug-cluster/local-debugging.md
index f556deaa39dee..1d97a4134dd46 100644
--- a/content/en/docs/tasks/debug/debug-cluster/local-debugging.md
+++ b/content/en/docs/tasks/debug/debug-cluster/local-debugging.md
@@ -24,7 +24,7 @@ This document describes using `telepresence` to develop and debug services runni
 
 ## Connecting your local machine to a remote Kubernetes cluster
  
-After installing `telepresence`, run `telepresence connect` to launch it's Daemon and connect your local workstation to the cluster.
+After installing `telepresence`, run `telepresence connect` to launch its Daemon and connect your local workstation to the cluster.
 
 ```
 $ telepresence connect
diff --git a/content/en/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md b/content/en/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
index 62bcc6dfbacbc..2319a878be372 100644
--- a/content/en/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
+++ b/content/en/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
@@ -173,7 +173,7 @@ repository. You must enable the [API aggregation layer](/docs/tasks/extend-kuber
 and register an [APIService](/docs/reference/kubernetes-api/cluster-resources/api-service-v1/)
 for the `metrics.k8s.io` API.
 
-To learn more about the Metrics API, see [resource metrics API design](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/resource-metrics-api.md),
+To learn more about the Metrics API, see [resource metrics API design](https://git.k8s.io/design-proposals-archive/instrumentation/resource-metrics-api.md),
 the [metrics-server repository](https://github.com/kubernetes-sigs/metrics-server) and the
 [resource metrics API](https://github.com/kubernetes/metrics#resource-metrics-api).
 
@@ -237,7 +237,7 @@ To learn more about the metrics-server, see the
 
 You can also check out the following:
 
-* [metrics-server design](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/instrumentation/metrics-server.md)
+* [metrics-server design](https://git.k8s.io/design-proposals-archive/instrumentation/metrics-server.md)
 * [metrics-server FAQ](https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md)
 * [metrics-server known issues](https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md)
 * [metrics-server releases](https://github.com/kubernetes-sigs/metrics-server/releases)
diff --git a/content/en/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md b/content/en/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
index b02d6ab31a564..3c270b8122fc9 100644
--- a/content/en/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
+++ b/content/en/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
@@ -41,8 +41,11 @@ memory usage. The kubelet acts as a bridge between the Kubernetes master and
 the nodes, managing the pods and containers running on a machine. The kubelet 
 translates each pod into its constituent containers and fetches individual 
 container usage statistics from the container runtime through the container 
-runtime interface. The kubelet fetches this information from the integrated 
-cAdvisor for the legacy Docker integration.  It then exposes the aggregated pod 
+runtime interface. If you use a container runtime that uses Linux cgroups and
+namespaces to implement containers, and the container runtime does not publish
+usage statistics, then the kubelet can look up those statistics directly
+(using code from [cAdvisor](https://github.com/google/cadvisor)).
+No matter how those statistics arrive, the kubelet then exposes the aggregated pod
 resource usage statistics through the metrics-server Resource Metrics API.
 This API is served at `/metrics/resource/v1beta1` on the kubelet's authenticated and 
 read-only ports. 
diff --git a/content/en/docs/tasks/debug/debug-cluster/windows.md b/content/en/docs/tasks/debug/debug-cluster/windows.md
new file mode 100644
index 0000000000000..c3a06faf1638e
--- /dev/null
+++ b/content/en/docs/tasks/debug/debug-cluster/windows.md
@@ -0,0 +1,176 @@
+---
+reviewers:
+- aravindhp
+- jayunit100
+- jsturtevant
+- marosset
+title: Windows debugging tips
+content_type: concept
+---
+
+<!-- overview -->
+
+<!-- body -->
+
+## Node-level troubleshooting {#troubleshooting-node}
+
+1. My Pods are stuck at "Container Creating" or restarting over and over
+
+   Ensure that your pause image is compatible with your Windows OS version.
+   See [Pause container](/docs/concepts/windows/intro/#pause-container)
+   to see the latest / recommended pause image and/or get more information.
+
+   {{< note >}}
+   If using containerd as your container runtime the pause image is specified in the
+   `plugins.plugins.cri.sandbox_image` field of the of config.toml configration file.
+   {{< /note >}}
+
+1. My pods show status as `ErrImgPull` or `ImagePullBackOff`
+
+   Ensure that your Pod is getting scheduled to a
+   [compatible](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility)
+   Windows Node.
+
+   More information on how to specify a compatible node for your Pod can be found in
+   [this guide](/docs/concepts/windows/user-guide/#ensuring-os-specific-workloads-land-on-the-appropriate-container-host).
+
+## Network troubleshooting {#troubleshooting-network}
+
+1. My Windows Pods do not have network connectivity
+
+   If you are using virtual machines, ensure that MAC spoofing is **enabled** on all
+   the VM network adapter(s).
+
+1. My Windows Pods cannot ping external resources
+
+   Windows Pods do not have outbound rules programmed for the ICMP protocol. However,
+   TCP/UDP is supported. When trying to demonstrate connectivity to resources
+   outside of the cluster, substitute `ping <IP>` with corresponding
+   `curl <IP>` commands.
+
+   If you are still facing problems, most likely your network configuration in
+   [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf)
+   deserves some extra attention. You can always edit this static file. The
+   configuration update will apply to any new Kubernetes resources.
+
+   One of the Kubernetes networking requirements
+   (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is
+   for cluster communication to occur without
+   NAT internally. To honor this requirement, there is an
+   [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20)
+   for all the communication where you do not want outbound NAT to occur. However,
+   this also means that you need to exclude the external IP you are trying to query
+   from the `ExceptionList`. Only then will the traffic originating from your Windows
+   pods be SNAT'ed correctly to receive a response from the outside world. In this
+   regard, your `ExceptionList` in `cni.conf` should look as follows:
+
+   ```conf
+   "ExceptionList": [
+                   "10.244.0.0/16",  # Cluster subnet
+                   "10.96.0.0/12",   # Service subnet
+                   "10.127.130.0/24" # Management (host) subnet
+               ]
+   ```
+
+1. My Windows node cannot access `NodePort` type Services
+
+   Local NodePort access from the node itself fails. This is a known
+   limitation. NodePort access works from other nodes or external clients.
+
+1. vNICs and HNS endpoints of containers are being deleted
+
+   This issue can be caused when the `hostname-override` parameter is not passed to
+   [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve
+   it, users need to pass the hostname to kube-proxy as follows:
+
+   ```powershell
+   C:\k\kube-proxy.exe --hostname-override=$(hostname)
+   ```
+
+1. My Windows node cannot access my services using the service IP
+
+   This is a known limitation of the networking stack on Windows. However, Windows Pods can access the Service IP.
+
+1. No network adapter is found when starting the kubelet
+
+   The Windows networking stack needs a virtual adapter for Kubernetes networking to work.
+   If the following commands return no results (in an admin shell),
+   virtual network creation — a necessary prerequisite for the kubelet to work — has failed:
+
+   ```powershell
+   Get-HnsNetwork | ? Name -ieq "cbr0"
+   Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*"
+   ```
+
+   Often it is worthwhile to modify the [InterfaceName](https://github.com/microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1#L7)
+   parameter of the `start.ps1` script, in cases where the host's network adapter isn't "Ethernet".
+   Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation.
+
+1. DNS resolution is not properly working
+
+   Check the DNS limitations for Windows in this [section](#dns-limitations).
+
+1. `kubectl port-forward` fails with "unable to do port forwarding: wincat not found"
+
+   This was implemented in Kubernetes 1.15 by including `wincat.exe` in the pause infrastructure container
+   `mcr.microsoft.com/oss/kubernetes/pause:3.6`.
+   Be sure to use a supported version of Kubernetes.
+   If you would like to build your own pause infrastructure container be sure to include
+   [wincat](https://github.com/kubernetes/kubernetes/tree/master/build/pause/windows/wincat).
+
+1. My Kubernetes installation is failing because my Windows Server node is behind a proxy
+
+   If you are behind a proxy, the following PowerShell environment variables must be defined:
+
+   ```PowerShell
+   [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine)
+   [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine)
+   ```
+
+### Flannel troubleshooting
+
+1. With Flannel, my nodes are having issues after rejoining a cluster
+
+   Whenever a previously deleted node is being re-joined to the cluster, flannelD
+   tries to assign a new pod subnet to the node. Users should remove the old pod
+   subnet configuration files in the following paths:
+
+   ```powershell
+   Remove-Item C:\k\SourceVip.json
+   Remove-Item C:\k\SourceVipRequest.json
+   ```
+
+1. Flanneld is stuck in "Waiting for the Network to be created"
+
+   There are numerous reports of this [issue](https://github.com/coreos/flannel/issues/1066);
+   most likely it is a timing issue for when the management IP of the flannel network is set.
+   A workaround is to relaunch `start.ps1` or relaunch it manually as follows:
+
+   ```powershell
+   [Environment]::SetEnvironmentVariable("NODE_NAME", "<Windows_Worker_Hostname>")
+   C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface=<Windows_Worker_Node_IP> --ip-masq=1 --kube-subnet-mgr=1
+   ```
+
+1. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env`
+
+   This indicates that Flannel didn't launch correctly. You can either try
+   to restart `flanneld.exe` or you can copy the files over manually from
+   `/run/flannel/subnet.env` on the Kubernetes master to `C:\run\flannel\subnet.env`
+   on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different
+   number. For example, if node subnet 10.244.4.1/24 is desired:
+
+   ```env
+   FLANNEL_NETWORK=10.244.0.0/16
+   FLANNEL_SUBNET=10.244.4.1/24
+   FLANNEL_MTU=1500
+   FLANNEL_IPMASQ=true
+   ```
+
+### Further investigation
+
+If these steps don't resolve your problem, you can get help running Windows containers on Windows nodes in Kubernetes through:
+
+* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic
+* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/)
+* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows)
+
diff --git a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
index fdcc276a45f70..31a5fc167756e 100644
--- a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
+++ b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
@@ -353,6 +353,34 @@ spec:
 {{< /tabs >}}
 
 
+### Version removal
+
+An older API version cannot be dropped from a CustomResourceDefinition manifest until existing persisted data has been migrated to the newer API version for all clusters that served the older version of the custom resource, and the old version is removed from the `status.storedVersions` of the CustomResourceDefinition.
+
+```yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+  name: crontabs.example.com
+spec:
+  group: example.com
+  names:
+    plural: crontabs
+    singular: crontab
+    kind: CronTab
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    # This indicates the v1beta1 version of the custom resource is no longer served.
+    # API requests to this version receive a not found error in the server response.
+    served: false
+    schema: ...
+  - name: v1
+    served: true
+    # The new served version should be set as the storage version
+    storage: true
+    schema: ...
+```
+
 ## Webhook conversion
 
 {{< feature-state state="stable" for_k8s_version="v1.16" >}}
@@ -444,7 +472,7 @@ spec:
     served: true
     # One and only one version must be marked as the storage version.
     storage: true
-    # Each version can define it's own schema when there is no top-level
+    # Each version can define its own schema when there is no top-level
     # schema is defined.
     schema:
       openAPIV3Schema:
@@ -512,7 +540,7 @@ spec:
     served: true
     # One and only one version must be marked as the storage version.
     storage: true
-    # Each version can define it's own schema when there is no top-level
+    # Each version can define its own schema when there is no top-level
     # schema is defined.
     schema:
       openAPIV3Schema:
diff --git a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
index cfe5cb2ad47a1..7766bcedf3b4d 100644
--- a/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
+++ b/content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
@@ -28,11 +28,12 @@ the documentation for that version to see advice that is relevant for your clust
 ## Create a CustomResourceDefinition
 
 When you create a new CustomResourceDefinition (CRD), the Kubernetes API Server
-creates a new RESTful resource path for each version you specify. The CRD can be
-either namespaced or cluster-scoped, as specified in the CRD's `scope` field. As
-with existing built-in objects, deleting a namespace deletes all custom objects
-in that namespace. CustomResourceDefinitions themselves are non-namespaced and
-are available to all namespaces.
+creates a new RESTful resource path for each version you specify. The custom
+resource created from a CRD object can be either namespaced or cluster-scoped,
+as specified in the CRD's `spec.scope` field. As with existing built-in
+objects, deleting a namespace deletes all custom objects in that namespace.
+CustomResourceDefinitions themselves are non-namespaced and are available to
+all namespaces.
 
 For example, if you save the following CustomResourceDefinition to `resourcedefinition.yaml`:
 
@@ -187,7 +188,8 @@ kubectl get crontabs
 ```
 
 ```none
-Error from server (NotFound): Unable to list {"stable.example.com" "v1" "crontabs"}: the server could not find the requested resource (get crontabs.stable.example.com)
+Error from server (NotFound): Unable to list {"stable.example.com" "v1" "crontabs"}: the server could not
+find the requested resource (get crontabs.stable.example.com)
 ```
 
 If you later recreate the same CustomResourceDefinition, it will start out empty.
@@ -206,22 +208,28 @@ CustomResourceDefinition, the structural schema was optional.
 
 A structural schema is an [OpenAPI v3.0 validation schema](#validation) which:
 
-1. specifies a non-empty type (via `type` in OpenAPI) for the root, for each specified field of an object node (via `properties` or `additionalProperties` in OpenAPI) and for each item in an array node (via `items` in OpenAPI), with the exception of:
+1. specifies a non-empty type (via `type` in OpenAPI) for the root, for each specified field of an object node
+   (via `properties` or `additionalProperties` in OpenAPI) and for each item in an array node
+   (via `items` in OpenAPI), with the exception of:
    * a node with `x-kubernetes-int-or-string: true`
    * a node with `x-kubernetes-preserve-unknown-fields: true`
-2. for each field in an object and each item in an array which is specified within any of `allOf`, `anyOf`, `oneOf` or `not`, the schema also specifies the field/item outside of those logical junctors (compare example 1 and 2).
-3. does not set `description`, `type`, `default`, `additionalProperties`, `nullable` within an `allOf`, `anyOf`, `oneOf` or `not`, with the exception of the two pattern for `x-kubernetes-int-or-string: true` (see below).
+2. for each field in an object and each item in an array which is specified within any of `allOf`, `anyOf`,
+   `oneOf` or `not`, the schema also specifies the field/item outside of those logical junctors (compare example 1 and 2).
+3. does not set `description`, `type`, `default`, `additionalProperties`, `nullable` within an `allOf`, `anyOf`,
+   `oneOf` or `not`, with the exception of the two pattern for `x-kubernetes-int-or-string: true` (see below).
 4. if `metadata` is specified, then only restrictions on `metadata.name` and `metadata.generateName` are allowed.
 
-
 Non-structural example 1:
+
 ```yaml
 allOf:
 - properties:
     foo:
       ...
 ```
+
 conflicts with rule 2. The following would be correct:
+
 ```yaml
 properties:
   foo:
@@ -313,10 +321,13 @@ Violations of the structural schema rules are reported in the `NonStructural` co
 
 ### Field pruning
 
-CustomResourceDefinitions store validated resource data in the cluster's persistence store, {{< glossary_tooltip term_id="etcd" text="etcd">}}. As with native Kubernetes resources such as {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}}, if you specify a field that the API server does not recognize, the unknown field  is _pruned_ (removed) before being persisted.
+CustomResourceDefinitions store validated resource data in the cluster's persistence store, {{< glossary_tooltip term_id="etcd" text="etcd">}}.
+As with native Kubernetes resources such as {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}},
+if you specify a field that the API server does not recognize, the unknown field  is _pruned_ (removed) before being persisted.
 
 {{< note >}}
-CRDs converted from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` might lack structural schemas, and `spec.preserveUnknownFields` might be `true`.
+CRDs converted from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` might lack structural schemas,
+and `spec.preserveUnknownFields` might be `true`.
 
 For legacy CustomResourceDefinition objects created as
 `apiextensions.k8s.io/v1beta1` with `spec.preserveUnknownFields` set to
@@ -376,7 +387,10 @@ to clients, `kubectl` also checks for unknown fields and rejects those objects w
 
 #### Controlling pruning
 
-By default, all unspecified fields for a custom resource, across all versions, are pruned. It is possible though to opt-out of that for specifc sub-trees of fields by adding `x-kubernetes-preserve-unknown-fields: true` in the [structural OpenAPI v3 validation schema](#specifying-a-structural-schema).
+By default, all unspecified fields for a custom resource, across all versions, are pruned. It is possible though to
+opt-out of that for specifc sub-trees of fields by adding `x-kubernetes-preserve-unknown-fields: true` in the
+[structural OpenAPI v3 validation schema](#specifying-a-structural-schema).
+
 For example:
 
 ```yaml
@@ -455,7 +469,8 @@ properties:
     x-kubernetes-int-or-string: true
 ```
 
-Also those nodes are partially excluded from rule 3 in the sense that the following two patterns are allowed (exactly those, without variations in order to additional fields):
+Also those nodes are partially excluded from rule 3 in the sense that the following two patterns are allowed
+(exactly those, without variations in order to additional fields):
 
 ```yaml
 x-kubernetes-int-or-string: true
@@ -488,7 +503,8 @@ RawExtensions (as in `runtime.RawExtension` defined in
 [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery/blob/03ac7a9ade429d715a1a46ceaa3724c18ebae54f/pkg/runtime/types.go#L94))
 holds complete Kubernetes objects, i.e. with `apiVersion` and `kind` fields.
 
-It is possible to specify those embedded objects (both completely without constraints or partially specified) by setting `x-kubernetes-embedded-resource: true`. For example:
+It is possible to specify those embedded objects (both completely without constraints or partially specified)
+by setting `x-kubernetes-embedded-resource: true`. For example:
 
 ```yaml
 type: object
@@ -508,7 +524,8 @@ foo:
     ...
 ```
 
-Because `x-kubernetes-preserve-unknown-fields: true` is specified alongside, nothing is pruned. The use of `x-kubernetes-preserve-unknown-fields: true` is optional though.
+Because `x-kubernetes-preserve-unknown-fields: true` is specified alongside, nothing is pruned.
+The use of `x-kubernetes-preserve-unknown-fields: true` is optional though.
 
 With `x-kubernetes-embedded-resource: true`, the `apiVersion`, `kind` and `metadata` are implicitly specified and validated.
 
@@ -771,6 +788,7 @@ The CronTab "my-new-cron-object" is invalid:
 The `rule` under `x-kubernetes-validations` represents the expression which will be evaluated by CEL.
 
 The `message` represents the message displayed when validation fails. If message is unset, the above response would be:
+
 ```
 The CronTab "my-new-cron-object" is invalid:
 * spec: Invalid value: map[string]interface {}{"maxReplicas":10, "minReplicas":0, "replicas":20}: failed rule: self.replicas <= self.maxReplicas
@@ -781,16 +799,19 @@ The request of CRDs create/update will fail if compilation of validation rules f
 Compilation process includes type checking as well.
 
 The compilation failure:
+
 - `no_matching_overload`: this function has no overload for the types of the arguments.
  
-   e.g. Rule like `self == true` against a field of integer type will get error:
+  e.g. Rule like `self == true` against a field of integer type will get error:
+
   ```
   Invalid value: apiextensions.ValidationRule{Rule:"self == true", Message:""}: compilation failed: ERROR: \<input>:1:6: found no matching overload for '_==_' applied to '(int, bool)'
   ```
   
 - `no_such_field`: does not contain the desired field.
   
-   e.g. Rule like `self.nonExistingField > 0` against a non-existing field will return the error:
+  e.g. Rule like `self.nonExistingField > 0` against a non-existing field will return the error:
+
   ```
   Invalid value: apiextensions.ValidationRule{Rule:"self.nonExistingField > 0", Message:""}: compilation failed: ERROR: \<input>:1:5: undefined field 'nonExistingField'
   ```
@@ -798,11 +819,11 @@ The compilation failure:
 - `invalid argument`: invalid argument to macros.
  
   e.g. Rule like `has(self)` will return error:
+
   ```
   Invalid value: apiextensions.ValidationRule{Rule:"has(self)", Message:""}: compilation failed: ERROR: <input>:1:4: invalid argument to has() macro
   ```
 
-
 Validation Rules Examples:
 
 | Rule                                                                             | Purpose                                                                           |
@@ -811,7 +832,7 @@ Validation Rules Examples:
 | `'Available' in self.stateCounts`                                                | Validate that an entry with the 'Available' key exists in a map                   |
 | `(size(self.list1) == 0) != (size(self.list2) == 0)`                             | Validate that one of two lists is non-empty, but not both                         |
 | <code>!('MY_KEY' in self.map1) &#124;&#124; self['MY_KEY'].matches('^[a-zA-Z]*$')</code>               | Validate the value of a map for a specific key, if it is in the map               |
-| `self.envars.filter(e, e.name = 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')` | Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'  |
+| `self.envars.filter(e, e.name == 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')` | Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'  |
 | `has(self.expired) && self.created + self.ttl < self.expired`                    | Validate that 'expired' date is after a 'create' date plus a 'ttl' duration       |
 | `self.health.startsWith('ok')`                                                   | Validate a 'health' string field has the prefix 'ok'                              |
 | `self.widgets.exists(w, w.key == 'x' && w.foo < 10)`                             | Validate that the 'foo' property of a listMap item with a key 'x' is less than 10 |
@@ -819,6 +840,7 @@ Validation Rules Examples:
 | `self.metadata.name.startsWith(self.prefix)`                                     | Validate that an object's name has the prefix of another field value              |
 | `self.set1.all(e, !(e in self.set2))`                                            | Validate that two listSets are disjoint                                           |
 | `size(self.names) == size(self.details) && self.names.all(n, n in self.details)` | Validate the 'details' map is keyed by the items in the 'names' listSet           |
+| `size(self.clusters.filter(c, c.name == self.primary)) == 1`                     | Validate that the 'primary' property has one and only one occurrence in the 'clusters' listMap           |
 
 Xref: [Supported evaluation on CEL](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#evaluation)
 
@@ -993,16 +1015,18 @@ Here is the declarations type mapping between OpenAPIv3 and CEL type:
 | 'string' with format=datetime                      | timestamp (google.protobuf.Timestamp)                                                                                        |
 | 'string' with format=duration                      | duration (google.protobuf.Duration)                                                                                          |
 
-xref: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values), [OpenAPI
-types](https://swagger.io/specification/#data-types), [Kubernetes Structural Schemas](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
+xref: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values),
+[OpenAPI types](https://swagger.io/specification/#data-types),
+[Kubernetes Structural Schemas](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
 
 #### Validation functions {#available-validation-functions}
 
 Functions available include:
-  - CEL standard functions, defined in the [list of standard definitions](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#list-of-standard-definitions)
-  - CEL standard [macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
-  - CEL [extended string function library](https://pkg.go.dev/github.com/google/cel-go@v0.11.2/ext#Strings)
-  - Kubernetes [CEL extension library](https://pkg.go.dev/k8s.io/apiextensions-apiserver@v0.24.0/pkg/apiserver/schema/cel/library#pkg-functions)
+
+- CEL standard functions, defined in the [list of standard definitions](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#list-of-standard-definitions)
+- CEL standard [macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
+- CEL [extended string function library](https://pkg.go.dev/github.com/google/cel-go@v0.11.2/ext#Strings)
+- Kubernetes [CEL extension library](https://pkg.go.dev/k8s.io/apiextensions-apiserver@v0.24.0/pkg/apiserver/schema/cel/library#pkg-functions)
 
 #### Transition rules
 
@@ -1037,7 +1061,8 @@ applied, e.g. "*path*: update rule *rule* cannot be set on schema because the sc
 schema is not mergeable".
 
 Transition rules are only allowed on _correlatable portions_ of a schema.
-A portion of the schema is correlatable if all `array` parent schemas are of type `x-kubernetes-list-type=map`; any `set`or `atomic`array parent schemas make it impossible to unambiguously correlate a `self` with `oldSelf`.
+A portion of the schema is correlatable if all `array` parent schemas are of type `x-kubernetes-list-type=map`;
+any `set`or `atomic`array parent schemas make it impossible to unambiguously correlate a `self` with `oldSelf`.
 
 Here are some examples for transition rules:
 
@@ -1069,12 +1094,13 @@ For example, a rule that asserts that `self.foo == 1` does not by itself have an
 risk of rejection on validation resource budget groups.
 But if `foo` is a string and you define a validation rule `self.foo.contains("someString")`, that rule takes
 longer to execute depending on how long `foo` is.
-Another example would be if `foo` were an array, and you specified a validation rule `self.foo.all(x, x > 5)`. The cost system always assumes the worst-case scenario if
-a limit on the length of `foo` is not given, and this will happen for anything that can be iterated
-over (lists, maps, etc.).
+Another example would be if `foo` were an array, and you specified a validation rule `self.foo.all(x, x > 5)`.
+The cost system always assumes the worst-case scenario if a limit on the length of `foo` is not
+given, and this will happen for anything that can be iterated over (lists, maps, etc.).
 
 Because of this, it is considered best practice to put a limit via `maxItems`, `maxProperties`, and 
-`maxLength` for anything that will be processed in a validation rule in order to prevent validation errors during cost estimation. For example, given this schema with one rule:
+`maxLength` for anything that will be processed in a validation rule in order to prevent validation
+errors during cost estimation. For example, given this schema with one rule:
 
 ```yaml
 openAPIV3Schema:
@@ -1089,10 +1115,11 @@ openAPIV3Schema:
 ```
 
 then the API server rejects this rule on validation budget grounds with error:
+
 ```
- spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden: 
- CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and 
- maxLength where arrays, maps, and strings are used)
+spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden: 
+CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and 
+maxLength where arrays, maps, and strings are used)
 ```
 
 The rejection happens because `self.all` implies calling `contains()` on every string in `foo`,
@@ -1135,7 +1162,8 @@ openAPIV3Schema:
 ```
 
 If a list inside of a list has a validation rule that uses `self.all`, that is significantly more expensive 
-than a non-nested list with the same rule. A rule that would have been allowed on a non-nested list might need lower limits set on both nested lists in order to be allowed. For example, even without having limits set,
+than a non-nested list with the same rule. A rule that would have been allowed on a non-nested list might need
+lower limits set on both nested lists in order to be allowed. For example, even without having limits set,
 the following rule is allowed:
 
 ```yaml
@@ -1246,15 +1274,20 @@ Defaulting happens on the object
 * when reading from etcd using the storage version defaults,
 * after mutating admission plugins with non-empty patches using the admission webhook object version defaults.
 
-Defaults applied when reading data from etcd are not automatically written back to etcd. An update request via the API is required to persist those defaults back into etcd.
+Defaults applied when reading data from etcd are not automatically written back to etcd.
+An update request via the API is required to persist those defaults back into etcd.
 
 Default values must be pruned (with the exception of defaults for `metadata` fields) and must validate against a provided schema.
 
-Default values for `metadata` fields of `x-kubernetes-embedded-resources: true` nodes (or parts of a default value covering `metadata`) are not pruned during CustomResourceDefinition creation, but through the pruning step during handling of requests.
+Default values for `metadata` fields of `x-kubernetes-embedded-resources: true` nodes (or parts of
+a default value covering `metadata`) are not pruned during CustomResourceDefinition creation, but
+through the pruning step during handling of requests.
 
 #### Defaulting and Nullable
 
-**New in 1.20:** null values for fields that either don't specify the nullable flag, or give it a `false` value, will be pruned before defaulting happens. If a default is present, it will be applied. When nullable is `true`, null values will be conserved and won't be defaulted.
+**New in 1.20:** null values for fields that either don't specify the nullable flag, or give it a
+`false` value, will be pruned before defaulting happens. If a default is present, it will be
+applied. When nullable is `true`, null values will be conserved and won't be defaulted.
 
 For example, given the OpenAPI schema below:
 
@@ -1292,13 +1325,20 @@ spec:
   bar: null
 ```
 
-with `foo` pruned and defaulted because the field is non-nullable, `bar` maintaining the null value due to `nullable: true`, and `baz` pruned because the field is non-nullable and has no default.
+with `foo` pruned and defaulted because the field is non-nullable, `bar` maintaining the null
+value due to `nullable: true`, and `baz` pruned because the field is non-nullable and has no
+default.
 
 ### Publish Validation Schema in OpenAPI v2
 
-CustomResourceDefinition [OpenAPI v3 validation schemas](#validation) which are [structural](#specifying-a-structural-schema) and [enable pruning](#field-pruning) are published as part of the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) from Kubernetes API server.
+CustomResourceDefinition [OpenAPI v3 validation schemas](#validation) which are
+[structural](#specifying-a-structural-schema) and [enable pruning](#field-pruning) are published
+as part of the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)
+from Kubernetes API server.
 
-The [kubectl](/docs/reference/kubectl/) command-line tool consumes the published schema to perform client-side validation (`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`) on custom resources. The published schema can be consumed for other purposes as well, like client generation or documentation.
+The [kubectl](/docs/reference/kubectl/) command-line tool consumes the published schema to perform
+client-side validation (`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`)
+on custom resources. The published schema can be consumed for other purposes as well, like client generation or documentation.
 
 The OpenAPI v3 validation schema is converted to OpenAPI v2 schema, and
 show up in `definitions` and `paths` fields in the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions).
@@ -1308,9 +1348,13 @@ kubectl in previous 1.13 version. These modifications prevent kubectl from being
 valid OpenAPI schemas that it doesn't understand. The conversion won't modify the validation schema defined in CRD,
 and therefore won't affect [validation](#validation) in the API server.
 
-1. The following fields are removed as they aren't supported by OpenAPI v2 (in future versions OpenAPI v3 will be used without these restrictions)
+1. The following fields are removed as they aren't supported by OpenAPI v2
+   (in future versions OpenAPI v3 will be used without these restrictions)
+
    - The fields `allOf`, `anyOf`, `oneOf` and `not` are removed
-2. If `nullable: true` is set, we drop `type`, `nullable`, `items` and `properties` because OpenAPI v2 is not able to express nullable. To avoid kubectl to reject good objects, this is necessary.
+
+2. If `nullable: true` is set, we drop `type`, `nullable`, `items` and `properties` because OpenAPI v2 is
+   not able to express nullable. To avoid kubectl to reject good objects, this is necessary.
 
 ### Additional printer columns
 
@@ -1401,7 +1445,8 @@ differentiates between columns shown in standard view or wide view (using the `-
 
 #### Type
 
-A column's `type` field can be any of the following (compare [OpenAPI v3 data types](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#dataTypes)):
+A column's `type` field can be any of the following (compare
+[OpenAPI v3 data types](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#dataTypes)):
 
 - `integer` – non-floating-point numbers
 - `number` – floating point numbers
@@ -1494,8 +1539,9 @@ the status replica value in the `/scale` subresource will default to 0.
   - It must be set to work with HPA.
   - Only JSONPaths under `.status` or `.spec` and with the dot notation are allowed.
   - If there is no value under the `labelSelectorPath` in the custom resource,
-the status selector value in the `/scale` subresource will default to the empty string.
-  - The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form.
+    the status selector value in the `/scale` subresource will default to the empty string.
+  - The field pointed by this JSON path must be a string field (not a complex selector struct)
+    which contains a serialized label selector in string form.
 
 In the following example, both status and scale subresources are enabled.
 
@@ -1702,3 +1748,4 @@ crontabs/my-new-cron-object   3s
 
 * Serve [multiple versions](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/) of a
   CustomResourceDefinition.
+
diff --git a/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md b/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
index 698bc9c6b42fb..5dddd1119a580 100644
--- a/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
+++ b/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
@@ -87,14 +87,14 @@ When you set the `https_proxy` variable, tools such as `curl` route HTTPS traffi
 you configured. For this to work, the tool must support SOCKS5 proxying.
 
 {{< note >}}
-In the URL https://localhost/api, `localhost` does not refer to your local client computer.
-Instead, it refers to the endpoint on the remote server knows as `localhost`.
+In the URL https://localhost:6443/api, `localhost` does not refer to your local client computer.
+Instead, it refers to the endpoint on the remote server known as `localhost`.
 The `curl` tool sends the hostname from the HTTPS URL over SOCKS, and the remote server
 resolves that locally (to an address that belongs to its loopback interface).
 {{</ note >}}
 
 ```shell
-curl -k -v https://localhost/api
+curl -k -v https://localhost:6443/api
 ```
 
 To use the official Kubernetes client `kubectl` with a proxy, set the `proxy-url` element
@@ -105,7 +105,7 @@ apiVersion: v1
 clusters:
 - cluster:
     certificate-authority-data: LRMEMMW2 # shortened for readability 
-    server: https://localhost            # the "Kubernetes API" in the diagram above
+    server: https://<API_SERVER_IP_ADRESS>:6443  # the "Kubernetes API" server, in other words the IP address of kubernetes-remote-server.example
     proxy-url: socks5://localhost:1080   # the "SSH SOCKS5 proxy" in the diagram above (DNS resolution over socks is built-in)
   name: default
 contexts:
@@ -142,4 +142,4 @@ Type `unset https_proxy` in a terminal to stop forwarding http traffic through t
 
 ## Further reading
 
-* [OpenSSH remote login client](https://man.openbsd.org/ssh)
\ No newline at end of file
+* [OpenSSH remote login client](https://man.openbsd.org/ssh)
diff --git a/content/en/docs/tasks/inject-data-application/define-interdependent-environment-variables.md b/content/en/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
index 74c5c245db4ea..ee9da2f6828f2 100644
--- a/content/en/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
+++ b/content/en/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
@@ -23,7 +23,7 @@ in a Kubernetes Pod.
 When you create a Pod, you can set dependent environment variables for the containers that run in the Pod. To set dependent environment variables, you can use $(VAR_NAME) in the `value` of `env` in the configuration file.
 
 In this exercise, you create a Pod that runs one container. The configuration
-file for the Pod defines an dependent environment variable with common usage defined. Here is the configuration manifest for the
+file for the Pod defines a dependent environment variable with common usage defined. Here is the configuration manifest for the
 Pod:
 
 {{< codenew file="pods/inject/dependent-envars.yaml" >}}
diff --git a/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md b/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
index d50b3e91a51a5..42302467c1ff2 100644
--- a/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
+++ b/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
@@ -7,38 +7,38 @@ weight: 40
 <!-- overview -->
 
 This page shows how a Pod can use a
-[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
-to expose information about itself to Containers running in the Pod.
-A `DownwardAPIVolumeFile` can expose Pod fields and Container fields.
+[`downwardAPI` volume](/docs/concepts/storage/volumes/#downwardapi),
+to expose information about itself to containers running in the Pod.
+A `downwardAPI` volume can expose Pod fields and container fields.
 
-## {{% heading "prerequisites" %}}
+In Kubernetes, there are two ways to expose Pod and container fields to a running container:
 
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+* [Environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
+* Volume files, as explained in this task
 
-<!-- steps -->
+Together, these two ways of exposing Pod and container fields are called the
+_downward API_.
 
-## The Downward API
+## {{% heading "prerequisites" %}}
 
-There are two ways to expose Pod and Container fields to a running Container:
+{{< include "task-tutorial-prereqs.md" >}}
 
-* [Environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
-* Volume files
 
-Together, these two ways of exposing Pod and Container fields are called the
-"Downward API".
+<!-- steps -->
 
 ## Store Pod fields
 
-In this exercise, you create a Pod that has one Container.
-Here is the configuration file for the Pod:
+In this part of exercise, you create a Pod that has one container, and you
+project Pod-level fields into the running container as files.
+Here is the manifest for the Pod:
 
 {{< codenew file="pods/inject/dapi-volume.yaml" >}}
 
-In the configuration file, you can see that the Pod has a `downwardAPI` Volume,
-and the Container mounts the Volume at `/etc/podinfo`.
+In the manifest, you can see that the Pod has a `downwardAPI` Volume,
+and the container mounts the volume at `/etc/podinfo`.
 
-Look at the `items` array under `downwardAPI`. Each element of the array is a
-[DownwardAPIVolumeFile](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core).
+Look at the `items` array under `downwardAPI`. Each element of the array
+defines a `downwardAPI` volume.
 The first element specifies that the value of the Pod's
 `metadata.labels` field should be stored in a file named `labels`.
 The second element specifies that the value of the Pod's `annotations`
@@ -46,7 +46,7 @@ field should be stored in a file named `annotations`.
 
 {{< note >}}
 The fields in this example are Pod fields. They are not
-fields of the Container in the Pod.
+fields of the container in the Pod.
 {{< /note >}}
 
 Create the Pod:
@@ -69,7 +69,7 @@ kubectl logs kubernetes-downwardapi-volume-example
 
 The output shows the contents of the `labels` file and the `annotations` file:
 
-```shell
+```
 cluster="test-cluster1"
 rack="rack-22"
 zone="us-est-coast"
@@ -145,26 +145,30 @@ Exit the shell:
 /# exit
 ```
 
-## Store Container fields
+## Store container fields
 
-The preceding exercise, you stored Pod fields in a
-[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)..
-In this next exercise, you store Container fields. Here is the configuration
-file for a Pod that has one Container:
+The preceding exercise, you made Pod-level fields accessible using the
+downward API.
+In this next exercise, you are going to pass fields that are part of the Pod
+definition, but taken from the specific
+[container](/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
+rather than from the Pod overall. Here is a manifest for a Pod that again has
+just one container:
 
 {{< codenew file="pods/inject/dapi-volume-resources.yaml" >}}
 
-In the configuration file, you can see that the Pod has a
-[`downwardAPI` volume](/concepts/storage/volumes/#downwardapi),
-and the Container mounts the volume at `/etc/podinfo`.
+In the manifest, you can see that the Pod has a
+[`downwardAPI` volume](/docs/concepts/storage/volumes/#downwardapi),
+and that the single container in that Pod mounts the volume at `/etc/podinfo`.
 
-Look at the `items` array under `downwardAPI`. Each element of the array is a
-[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core).
+Look at the `items` array under `downwardAPI`. Each element of the array
+defines a file in the downward API volume.
 
-The first element specifies that in the Container named `client-container`,
+The first element specifies that in the container named `client-container`,
 the value of the `limits.cpu` field in the format specified by `1m` should be
-stored in a file named `cpu_limit`. The `divisor` field is optional and has the
-default value of `1` which means cores for cpu and bytes for memory.
+published as a file named `cpu_limit`. The `divisor` field is optional and has the
+default value of `1`. A divisor of 1 means cores for `cpu` resources, or
+bytes for `memory` resources.
 
 Create the Pod:
 
@@ -181,7 +185,8 @@ kubectl exec -it kubernetes-downwardapi-volume-example-2 -- sh
 In your shell, view the `cpu_limit` file:
 
 ```shell
-/# cat /etc/podinfo/cpu_limit
+# Run this in a shell inside the container
+cat /etc/podinfo/cpu_limit
 ```
 
 You can use similar commands to view the `cpu_request`, `mem_limit` and
@@ -189,79 +194,20 @@ You can use similar commands to view the `cpu_request`, `mem_limit` and
 
 <!-- discussion -->
 
-<!-- TODO: This section should be extracted out of the task page. -->
-## Capabilities of the Downward API
-
-The following information is available to containers through environment
-variables and `downwardAPI` volumes:
-
-* Information available via `fieldRef`:
-
-  * `metadata.name` - the pod's name
-  * `metadata.namespace` - the pod's namespace
-  * `metadata.uid` - the pod's UID
-  * `metadata.labels['<KEY>']` - the value of the pod's label `<KEY>`
-    (for example, `metadata.labels['mylabel']`)
-  * `metadata.annotations['<KEY>']` - the value of the pod's annotation `<KEY>`
-    (for example, `metadata.annotations['myannotation']`)
-
-* Information available via `resourceFieldRef`:
-
-  * A Container's CPU limit
-  * A Container's CPU request
-  * A Container's memory limit
-  * A Container's memory request
-  * A Container's hugepages limit (provided that the `DownwardAPIHugePages`
-    [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
-  * A Container's hugepages request (provided that the `DownwardAPIHugePages`
-    [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
-  * A Container's ephemeral-storage limit
-  * A Container's ephemeral-storage request
-
-In addition, the following information is available through
-`downwardAPI` volume `fieldRef`:
-
-* `metadata.labels` - all of the pod's labels, formatted as `label-key="escaped-label-value"`
-  with one label per line
-* `metadata.annotations` - all of the pod's annotations, formatted as
-  `annotation-key="escaped-annotation-value"` with one annotation per line
-
-The following information is available through environment variables:
-
-* `status.podIP` - the pod's IP address
-* `spec.serviceAccountName` - the pod's service account name
-* `spec.nodeName` - the name of the node to which the scheduler always attempts to
-  schedule the pod
-* `status.hostIP` - the IP of the node to which the Pod is assigned
-
-{{< note >}}
-If CPU and memory limits are not specified for a Container, the
-Downward API defaults to the node allocatable value for CPU and memory.
-{{< /note >}}
-
 ## Project keys to specific paths and file permissions
 
 You can project keys to specific paths and specific permissions on a per-file
 basis. For more information, see
 [Secrets](/docs/concepts/configuration/secret/).
 
-## Motivation for the Downward API
-
-It is sometimes useful for a container to have information about itself, without
-being overly coupled to Kubernetes. The Downward API allows containers to consume
-information about themselves or the cluster without using the Kubernetes client
-or API server.
-
-An example is an existing application that assumes a particular well-known
-environment variable holds a unique identifier. One possibility is to wrap the
-application, but that is tedious and error prone, and it violates the goal of low
-coupling. A better option would be to use the Pod's name as an identifier, and
-inject the Pod's name into the well-known environment variable.
-
 ## {{% heading "whatsnext" %}}
 
-* Check the [`PodSpec`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
-  API definition which defines the desired state of a Pod.
+* Read the [`spec`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec)
+  API definition for Pod. This includes the definition of Container (part of Pod).
+* Read the list of [available fields](/docs/concepts/workloads/pods/downward-api/#available-fields) that you
+  can expose using the downward API.
+
+Read about volumes in the legacy API reference:
 * Check the [`Volume`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
   API definition which defines a generic volume in a Pod for containers to access.
 * Check the [`DownwardAPIVolumeSource`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumesource-v1-core)
@@ -271,4 +217,3 @@ inject the Pod's name into the well-known environment variable.
   populating a file in the Downward API volume.
 * Check the [`ResourceFieldSelector`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcefieldselector-v1-core)
   API definition which specifies the container resources and their output format.
-
diff --git a/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md b/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
index 2b59921c6e367..163b3498dc24a 100644
--- a/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
+++ b/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
@@ -7,50 +7,40 @@ weight: 30
 <!-- overview -->
 
 This page shows how a Pod can use environment variables to expose information
-about itself to Containers running in the Pod. Environment variables can expose
-Pod fields and Container fields.
+about itself to containers running in the Pod, using the _downward API_.
+You can use environment variables to expose Pod fields, container fields, or both.
 
+In Kubernetes, there are two ways to expose Pod and container fields to a running container:
 
+* _Environment variables_, as explained in this task
+* [Volume files](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
 
+Together, these two ways of exposing Pod and container fields are called the
+downward API.
 
 ## {{% heading "prerequisites" %}}
 
-
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-
-
+{{< include "task-tutorial-prereqs.md" >}}
 
 <!-- steps -->
 
-## The Downward API
-
-There are two ways to expose Pod and Container fields to a running Container:
-
-* Environment variables
-* [Volume Files](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api)
-
-Together, these two ways of exposing Pod and Container fields are called the
-*Downward API*.
-
-
 ## Use Pod fields as values for environment variables
 
-In this exercise, you create a Pod that has one Container. Here is the
-configuration file for the Pod:
+In this part of exercise, you create a Pod that has one container, and you
+project Pod-level fields into the running container as environment variables.
 
 {{< codenew file="pods/inject/dapi-envars-pod.yaml" >}}
 
-In the configuration file, you can see five environment variables. The `env`
+In that manifest, you can see five environment variables. The `env`
 field is an array of
-[EnvVars](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvar-v1-core).
+environment variable definitions.
 The first element in the array specifies that the `MY_NODE_NAME` environment
 variable gets its value from the Pod's `spec.nodeName` field. Similarly, the
 other environment variables get their names from Pod fields.
 
 {{< note >}}
 The fields in this example are Pod fields. They are not fields of the
-Container in the Pod.
+container in the Pod.
 {{< /note >}}
 
 Create the Pod:
@@ -59,13 +49,14 @@ Create the Pod:
 kubectl apply -f https://k8s.io/examples/pods/inject/dapi-envars-pod.yaml
 ```
 
-Verify that the Container in the Pod is running:
+Verify that the container in the Pod is running:
 
 ```shell
+# If the new Pod isn't yet healthy, rerun this command a few times.
 kubectl get pods
 ```
 
-View the Container's logs:
+View the container's logs:
 
 ```shell
 kubectl logs dapi-envars-fieldref
@@ -82,10 +73,10 @@ default
 ```
 
 To see why these values are in the log, look at the `command` and `args` fields
-in the configuration file. When the Container starts, it writes the values of
+in the configuration file. When the container starts, it writes the values of
 five environment variables to stdout. It repeats this every ten seconds.
 
-Next, get a shell into the Container that is running in your Pod:
+Next, get a shell into the container that is running in your Pod:
 
 ```shell
 kubectl exec -it dapi-envars-fieldref -- sh
@@ -94,7 +85,8 @@ kubectl exec -it dapi-envars-fieldref -- sh
 In your shell, view the environment variables:
 
 ```shell
-/# printenv
+# Run this in a shell inside the container
+printenv
 ```
 
 The output shows that certain environment variables have been assigned the
@@ -111,22 +103,26 @@ MY_NODE_NAME=minikube
 MY_POD_NAME=dapi-envars-fieldref
 ```
 
-## Use Container fields as values for environment variables
+## Use container fields as values for environment variables
+
+In the preceding exercise, you used information from Pod-level fields as the values
+for environment variables.
+In this next exercise, you are going to pass fields that are part of the Pod
+definition, but taken from the specific
+[container](/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
+rather than from the Pod overall.
 
-In the preceding exercise, you used Pod fields as the values for environment
-variables. In this next exercise, you use Container fields as the values for
-environment variables. Here is the configuration file for a Pod that has one
-container:
+Here is a manifest for another Pod that again has just one container:
 
 {{< codenew file="pods/inject/dapi-envars-container.yaml" >}}
 
-In the configuration file, you can see four environment variables. The `env`
+In this manifest, you can see four environment variables. The `env`
 field is an array of
-[EnvVars](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvar-v1-core).
+environment variable definitions.
 The first element in the array specifies that the `MY_CPU_REQUEST` environment
-variable gets its value from the `requests.cpu` field of a Container named
+variable gets its value from the `requests.cpu` field of a container named
 `test-container`. Similarly, the other environment variables get their values
-from Container fields.
+from fields that are specific to this container.
 
 Create the Pod:
 
@@ -134,13 +130,14 @@ Create the Pod:
 kubectl apply -f https://k8s.io/examples/pods/inject/dapi-envars-container.yaml
 ```
 
-Verify that the Container in the Pod is running:
+Verify that the container in the Pod is running:
 
 ```shell
+# If the new Pod isn't yet healthy, rerun this command a few times.
 kubectl get pods
 ```
 
-View the Container's logs:
+View the container's logs:
 
 ```shell
 kubectl logs dapi-envars-resourcefieldref
@@ -155,18 +152,20 @@ The output shows the values of selected environment variables:
 67108864
 ```
 
+## {{% heading "whatsnext" %}}
 
 
-## {{% heading "whatsnext" %}}
+* Read [Defining Environment Variables for a Container](/docs/tasks/inject-data-application/define-environment-variable-container/)
+* Read the [`spec`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec)
+  API definition for Pod. This includes the definition of Container (part of Pod).
+* Read the list of [available fields](/docs/concepts/workloads/pods/downward-api/#available-fields) that you
+  can expose using the downward API.
 
+Read about Pods, containers and environment variables in the legacy API reference:
 
-* [Defining Environment Variables for a Container](/docs/tasks/inject-data-application/define-environment-variable-container/)
 * [PodSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
 * [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
 * [EnvVar](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvar-v1-core)
 * [EnvVarSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvarsource-v1-core)
 * [ObjectFieldSelector](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#objectfieldselector-v1-core)
 * [ResourceFieldSelector](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcefieldselector-v1-core)
-
-
-
diff --git a/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md b/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md
index e37e5b65691a9..e99ea5473c560 100644
--- a/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md
+++ b/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md
@@ -13,7 +13,8 @@ CronJobs was promoted to general availability in Kubernetes v1.21. If you are us
 Kubernetes, please refer to the documentation for the version of Kubernetes that you are using,
 so that you see accurate information. Older Kubernetes versions do not support the `batch/v1` CronJob API.
 
-You can use a {{< glossary_tooltip text="CronJob" term_id="cronjob" >}} to run {{< glossary_tooltip text="Jobs" term_id="job" >}} on a time-based schedule.
+You can use a {{< glossary_tooltip text="CronJob" term_id="cronjob" >}} to run {{< glossary_tooltip text="Jobs" term_id="job" >}}
+on a time-based schedule.
 These automated jobs run like [Cron](https://en.wikipedia.org/wiki/Cron) tasks on a Linux or UNIX system.
 
 Cron jobs are useful for creating periodic and recurring tasks, like running backups or sending emails.
@@ -87,6 +88,7 @@ You can stop watching the job and view the cron job again to see that it schedul
 ```shell
 kubectl get cronjob hello
 ```
+
 The output is similar to this:
 
 ```
@@ -94,7 +96,8 @@ NAME    SCHEDULE      SUSPEND   ACTIVE   LAST SCHEDULE   AGE
 hello   */1 * * * *   False     0        50s             75s
 ```
 
-You should see that the cron job `hello` successfully scheduled a job at the time specified in `LAST SCHEDULE`. There are currently 0 active jobs, meaning that the job has completed or failed.
+You should see that the cron job `hello` successfully scheduled a job at the time specified in
+`LAST SCHEDULE`. There are currently 0 active jobs, meaning that the job has completed or failed.
 
 Now, find the pods that the last scheduled job created and view the standard output of one of the pods.
 
@@ -127,7 +130,7 @@ kubectl delete cronjob hello
 ```
 
 Deleting the cron job removes all the jobs and pods it created and stops it from creating additional jobs.
-You can read more about removing jobs in [garbage collection](/docs/concepts/workloads/controllers/garbage-collection/).
+You can read more about removing jobs in [garbage collection](/docs/concepts/architecture/garbage-collection/).
 
 ## Writing a Cron Job Spec
 
@@ -144,7 +147,8 @@ All modifications to a cron job, especially its `.spec`, are applied only to the
 ### Schedule
 
 The `.spec.schedule` is a required field of the `.spec`.
-It takes a [Cron](https://en.wikipedia.org/wiki/Cron) format string, such as `0 * * * *` or `@hourly`, as schedule time of its jobs to be created and executed.
+It takes a [Cron](https://en.wikipedia.org/wiki/Cron) format string, such as `0 * * * *` or `@hourly`,
+as schedule time of its jobs to be created and executed.
 
 The format also includes extended "Vixie cron" step values. As explained in the
 [FreeBSD manual](https://www.freebsd.org/cgi/man.cgi?crontab%285%29):
@@ -157,13 +161,15 @@ The format also includes extended "Vixie cron" step values. As explained in the
 > asterisk, so if you want to say "every two hours", just use `*/2`.
 
 {{< note >}}
-A question mark (`?`) in the schedule has the same meaning as an asterisk `*`, that is, it stands for any of available value for a given field.
+A question mark (`?`) in the schedule has the same meaning as an asterisk `*`, that is,
+it stands for any of available value for a given field.
 {{< /note >}}
 
 ### Job Template
 
 The `.spec.jobTemplate` is the template for the job, and it is required.
-It has exactly the same schema as a [Job](/docs/concepts/workloads/controllers/job/), except that it is nested and does not have an `apiVersion` or `kind`.
+It has exactly the same schema as a [Job](/docs/concepts/workloads/controllers/job/), except that
+it is nested and does not have an `apiVersion` or `kind`.
 For information about writing a job `.spec`, see [Writing a Job Spec](/docs/concepts/workloads/controllers/job/#writing-a-job-spec).
 
 ### Starting Deadline
@@ -188,8 +194,10 @@ It specifies how to treat concurrent executions of a job that is created by this
 The spec may specify only one of the following concurrency policies:
 
 * `Allow` (default): The cron job allows concurrently running jobs
-* `Forbid`: The cron job does not allow concurrent runs; if it is time for a new job run and the previous job run hasn't finished yet, the cron job skips the new job run
-* `Replace`: If it is time for a new job run and the previous job run hasn't finished yet, the cron job replaces the currently running job run with a new job run
+* `Forbid`: The cron job does not allow concurrent runs; if it is time for a new job run and the
+  previous job run hasn't finished yet, the cron job skips the new job run
+* `Replace`: If it is time for a new job run and the previous job run hasn't finished yet, the
+  cron job replaces the currently running job run with a new job run
 
 Note that concurrency policy only applies to the jobs created by the same cron job.
 If there are multiple cron jobs, their respective jobs are always allowed to run concurrently.
@@ -203,13 +211,15 @@ Defaults to false.
 
 {{< caution >}}
 Executions that are suspended during their scheduled time count as missed jobs.
-When `.spec.suspend` changes from `true` to `false` on an existing cron job without a [starting deadline](#starting-deadline), the missed jobs are scheduled immediately.
+When `.spec.suspend` changes from `true` to `false` on an existing cron job without a
+[starting deadline](#starting-deadline), the missed jobs are scheduled immediately.
 {{< /caution >}}
 
 ### Jobs History Limits
 
 The `.spec.successfulJobsHistoryLimit` and `.spec.failedJobsHistoryLimit` fields are optional.
 These fields specify how many completed and failed jobs should be kept.
-By default, they are set to 3 and 1 respectively.  Setting a limit to `0` corresponds to keeping none of the corresponding kind of jobs after they finish.
+By default, they are set to 3 and 1 respectively.  Setting a limit to `0` corresponds to keeping
+none of the corresponding kind of jobs after they finish.
 
 
diff --git a/content/en/docs/tasks/manage-daemon/update-daemon-set.md b/content/en/docs/tasks/manage-daemon/update-daemon-set.md
index e435f392fe49e..d6d6b68f198a2 100644
--- a/content/en/docs/tasks/manage-daemon/update-daemon-set.md
+++ b/content/en/docs/tasks/manage-daemon/update-daemon-set.md
@@ -79,7 +79,7 @@ kubectl apply -f https://k8s.io/examples/controllers/fluentd-daemonset.yaml --dr
 
 The output from both commands should be:
 
-```shell
+```
 RollingUpdate
 ```
 
diff --git a/content/en/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md b/content/en/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
index 7b38703c741d0..ad2fc411733f1 100644
--- a/content/en/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
+++ b/content/en/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
@@ -82,7 +82,7 @@ kubectl get deployment patch-demo --output yaml
 
 The output shows that the PodSpec in the Deployment has two Containers:
 
-```shell
+```yaml
 containers:
 - image: redis
   imagePullPolicy: Always
@@ -309,7 +309,7 @@ kubectl patch deployment retainkeys-demo --type merge --patch-file patch-file-no
 
 In the output, you can see that it is not possible to set `type` as `Recreate` when a value is defined for `spec.strategy.rollingUpdate`:
 
-```shell
+```
 The Deployment "retainkeys-demo" is invalid: spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy `type` is 'Recreate'
 ```
 
@@ -341,7 +341,7 @@ kubectl get deployment retainkeys-demo --output yaml
 
 The output shows that the strategy object in the Deployment does not contain the `rollingUpdate` key anymore:
 
-```shell
+```yaml
 spec:
   strategy:
     type: Recreate
diff --git a/content/en/docs/tasks/run-application/force-delete-stateful-set-pod.md b/content/en/docs/tasks/run-application/force-delete-stateful-set-pod.md
index a4a145f5b411c..dc8aef28577b2 100644
--- a/content/en/docs/tasks/run-application/force-delete-stateful-set-pod.md
+++ b/content/en/docs/tasks/run-application/force-delete-stateful-set-pod.md
@@ -51,7 +51,7 @@ Pods may also enter these states when the user attempts graceful deletion of a P
 on an unreachable Node.
 The only ways in which a Pod in such a state can be removed from the apiserver are as follows:
 
-* The Node object is deleted (either by you, or by the [Node Controller](/docs/concepts/architecture/nodes/)).
+* The Node object is deleted (either by you, or by the [Node Controller](/docs/concepts/architecture/nodes/#node-controller)).
 * The kubelet on the unresponsive Node starts responding, kills the Pod and removes the entry from the apiserver.
 * Force deletion of the Pod by the user.
 
diff --git a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md
index e9a446287c0b1..2adfa3dc6a535 100644
--- a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md
+++ b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md
@@ -337,9 +337,9 @@ APIs, cluster administrators must ensure that:
    * For external metrics, this is the `external.metrics.k8s.io` API.  It may be provided by the custom metrics adapters provided above.
 
 For more information on these different metrics paths and how they differ please see the relevant design proposals for
-[the HPA V2](https://github.com/kubernetes/design-proposals-archive/blob/main/autoscaling/hpa-v2.md),
-[custom.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/custom-metrics-api.md)
-and [external.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/external-metrics-api.md).
+[the HPA V2](https://git.k8s.io/design-proposals-archive/autoscaling/hpa-v2.md),
+[custom.metrics.k8s.io](https://git.k8s.io/design-proposals-archive/instrumentation/custom-metrics-api.md)
+and [external.metrics.k8s.io](https://git.k8s.io/design-proposals-archive/instrumentation/external-metrics-api.md).
 
 For examples of how to use them see [the walkthrough for using custom metrics](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics)
 and [the walkthrough for using external metrics](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-metrics-not-related-to-kubernetes-objects).
@@ -400,7 +400,7 @@ scaling in that direction.
 ### Stabilization window
 
 The stabilization window is used to restrict the [flapping](#flapping) of
-replicas count when the metrics used for scaling keep fluctuating. The autoscaling algorithm
+replica count when the metrics used for scaling keep fluctuating. The autoscaling algorithm
 uses this window to infer a previous desired state and avoid unwanted changes to workload
 scale.
 
diff --git a/content/en/docs/tasks/run-application/run-replicated-stateful-application.md b/content/en/docs/tasks/run-application/run-replicated-stateful-application.md
index 03da601a488a7..8d9e754c2e361 100644
--- a/content/en/docs/tasks/run-application/run-replicated-stateful-application.md
+++ b/content/en/docs/tasks/run-application/run-replicated-stateful-application.md
@@ -14,7 +14,7 @@ weight: 30
 <!-- overview -->
 
 This page shows how to run a replicated stateful application using a
-[StatefulSet](/docs/concepts/workloads/controllers/statefulset/) controller.
+{{< glossary_tooltip term_id="statefulset" >}}.
 This application is a replicated MySQL database. The example topology has a
 single primary server and multiple replicas, using asynchronous row-based
 replication.
@@ -24,12 +24,10 @@ replication.
 on general patterns for running stateful applications in Kubernetes.
 {{< /note >}}
 
-
-
 ## {{% heading "prerequisites" %}}
 
 
-* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+* {{< include "task-tutorial-prereqs.md" >}}
 * {{< include "default-storage-class-prereqs.md" >}}
 * This tutorial assumes you are familiar with
   [PersistentVolumes](/docs/concepts/storage/persistent-volumes/)
@@ -46,7 +44,7 @@ on general patterns for running stateful applications in Kubernetes.
 ## {{% heading "objectives" %}}
 
 
-* Deploy a replicated MySQL topology with a StatefulSet controller.
+* Deploy a replicated MySQL topology with a StatefulSet.
 * Send MySQL client traffic.
 * Observe resistance to downtime.
 * Scale the StatefulSet up and down.
@@ -60,7 +58,7 @@ on general patterns for running stateful applications in Kubernetes.
 The example MySQL deployment consists of a ConfigMap, two Services,
 and a StatefulSet.
 
-### ConfigMap
+### Create a ConfigMap {#configmap}
 
 Create the ConfigMap from the following YAML configuration file:
 
@@ -71,7 +69,7 @@ kubectl apply -f https://k8s.io/examples/application/mysql/mysql-configmap.yaml
 ```
 
 This ConfigMap provides `my.cnf` overrides that let you independently control
-configuration on the primary MySQL server and replicas.
+configuration on the primary MySQL server and its replicas.
 In this case, you want the primary server to be able to serve replication logs to replicas
 and you want replicas to reject any writes that don't come via replication.
 
@@ -80,7 +78,7 @@ portions to apply to different Pods.
 Each Pod decides which portion to look at as it's initializing,
 based on information provided by the StatefulSet controller.
 
-### Services
+### Create Services {#services}
 
 Create the Services from the following YAML configuration file:
 
@@ -90,23 +88,24 @@ Create the Services from the following YAML configuration file:
 kubectl apply -f https://k8s.io/examples/application/mysql/mysql-services.yaml
 ```
 
-The Headless Service provides a home for the DNS entries that the StatefulSet
-controller creates for each Pod that's part of the set.
-Because the Headless Service is named `mysql`, the Pods are accessible by
+The headless Service provides a home for the DNS entries that the StatefulSet
+{{< glossary_tooltip text="controllers" term_id="controller" >}} creates for each
+Pod that's part of the set.
+Because the headless Service is named `mysql`, the Pods are accessible by
 resolving `<pod-name>.mysql` from within any other Pod in the same Kubernetes
 cluster and namespace.
 
-The Client Service, called `mysql-read`, is a normal Service with its own
+The client Service, called `mysql-read`, is a normal Service with its own
 cluster IP that distributes connections across all MySQL Pods that report
 being Ready. The set of potential endpoints includes the primary MySQL server and all
 replicas.
 
-Note that only read queries can use the load-balanced Client Service.
+Note that only read queries can use the load-balanced client Service.
 Because there is only one primary MySQL server, clients should connect directly to the
-primary MySQL Pod (through its DNS entry within the Headless Service) to execute
+primary MySQL Pod (through its DNS entry within the headless Service) to execute
 writes.
 
-### StatefulSet
+### Create the StatefulSet {#statefulset}
 
 Finally, create the StatefulSet from the following YAML configuration file:
 
@@ -122,7 +121,7 @@ You can watch the startup progress by running:
 kubectl get pods -l app=mysql --watch
 ```
 
-After a while, you should see all 3 Pods become Running:
+After a while, you should see all 3 Pods become `Running`:
 
 ```
 NAME      READY     STATUS    RESTARTS   AGE
@@ -132,8 +131,11 @@ mysql-2   2/2       Running   0          1m
 ```
 
 Press **Ctrl+C** to cancel the watch.
+
+{{< note >}}
 If you don't see any progress, make sure you have a dynamic PersistentVolume
-provisioner enabled as mentioned in the [prerequisites](#before-you-begin).
+provisioner enabled, as mentioned in the [prerequisites](#before-you-begin).
+{{< /note >}}
 
 This manifest uses a variety of techniques for managing stateful Pods as part of
 a StatefulSet. The next section highlights some of these techniques to explain
@@ -155,10 +157,10 @@ properties to perform orderly startup of MySQL replication.
 ### Generating configuration
 
 Before starting any of the containers in the Pod spec, the Pod first runs any
-[Init Containers](/docs/concepts/workloads/pods/init-containers/)
+[init containers](/docs/concepts/workloads/pods/init-containers/)
 in the order defined.
 
-The first Init Container, named `init-mysql`, generates special MySQL config
+The first init container, named `init-mysql`, generates special MySQL config
 files based on the ordinal index.
 
 The script determines its own ordinal index by extracting it from the end of
@@ -166,8 +168,7 @@ the Pod name, which is returned by the `hostname` command.
 Then it saves the ordinal (with a numeric offset to avoid reserved values)
 into a file called `server-id.cnf` in the MySQL `conf.d` directory.
 This translates the unique, stable identity provided by the StatefulSet
-controller into the domain of MySQL server IDs, which require the same
-properties.
+into the domain of MySQL server IDs, which require the same properties.
 
 The script in the `init-mysql` container also applies either `primary.cnf` or
 `replica.cnf` from the ConfigMap by copying the contents into `conf.d`.
@@ -187,7 +188,7 @@ logs might not go all the way back to the beginning of time.
 These conservative assumptions are the key to allow a running StatefulSet
 to scale up and down over time, rather than being fixed at its initial size.
 
-The second Init Container, named `clone-mysql`, performs a clone operation on
+The second init container, named `clone-mysql`, performs a clone operation on
 a replica Pod the first time it starts up on an empty PersistentVolume.
 That means it copies all existing data from another running Pod,
 so its local state is consistent enough to begin replicating from the primary server.
@@ -202,7 +203,7 @@ Ready before starting Pod `N+1`.
 
 ### Starting replication
 
-After the Init Containers complete successfully, the regular containers run.
+After the init containers complete successfully, the regular containers run.
 The MySQL Pods consist of a `mysql` container that runs the actual `mysqld`
 server, and an `xtrabackup` container that acts as a
 [sidecar](https://kubernetes.io/blog/2015/06/the-distributed-system-toolkit-patterns).
@@ -291,13 +292,13 @@ endpoint might be selected upon each connection attempt:
 You can press **Ctrl+C** when you want to stop the loop, but it's useful to keep
 it running in another window so you can see the effects of the following steps.
 
-## Simulating Pod and Node downtime
+## Simulate Pod and Node failure {#simulate-pod-and-node-downtime}
 
 To demonstrate the increased availability of reading from the pool of replicas
 instead of a single server, keep the `SELECT @@server_id` loop from above
 running while you force a Pod out of the Ready state.
 
-### Break the Readiness Probe
+### Break the Readiness probe
 
 The [readiness probe](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)
 for the `mysql` container runs the command `mysql -h 127.0.0.1 -e 'SELECT 1'`
@@ -371,14 +372,18 @@ NAME      READY     STATUS    RESTARTS   AGE       IP            NODE
 mysql-2   2/2       Running   0          15m       10.244.5.27   kubernetes-node-9l2t
 ```
 
-Then drain the Node by running the following command, which cordons it so
+Then, drain the Node by running the following command, which cordons it so
 no new Pods may schedule there, and then evicts any existing Pods.
 Replace `<node-name>` with the name of the Node you found in the last step.
 
-This might impact other applications on the Node, so it's best to
-**only do this in a test cluster**.
+{{< caution >}}
+Draining a Node can impact other workloads and applications 
+running on the same node. Only perform the following step in a test
+cluster.
+{{< /caution >}}
 
 ```shell
+# See above advice about impact on other workloads
 kubectl drain <node-name> --force --delete-emptydir-data --ignore-daemonsets
 ```
 
@@ -413,8 +418,9 @@ kubectl uncordon <node-name>
 
 ## Scaling the number of replicas
 
-With MySQL replication, you can scale your read query capacity by adding replicas.
-With StatefulSet, you can do this with a single command:
+When you use MySQL replication, you can scale your read query capacity by
+adding replicas.
+For a StatefulSet, you can achieve this with a single command:
 
 ```shell
 kubectl scale statefulset mysql  --replicas=5
@@ -453,10 +459,13 @@ Scaling back down is also seamless:
 kubectl scale statefulset mysql --replicas=3
 ```
 
-Note, however, that while scaling up creates new PersistentVolumeClaims
+{{< note >}}
+Although scaling up creates new PersistentVolumeClaims
 automatically, scaling down does not automatically delete these PVCs.
+
 This gives you the choice to keep those initialized PVCs around to make
 scaling back up quicker, or to extract data before deleting them.
+{{< /note >}}
 
 You can see this by running:
 
diff --git a/content/en/docs/tasks/tls/certificate-rotation.md b/content/en/docs/tasks/tls/certificate-rotation.md
index 2db0c1255daf9..8d1992845cdfa 100644
--- a/content/en/docs/tasks/tls/certificate-rotation.md
+++ b/content/en/docs/tasks/tls/certificate-rotation.md
@@ -28,7 +28,7 @@ default, these certificates are issued with one year expiration so that they do
 not need to be renewed too frequently.
 
 Kubernetes contains [kubelet certificate
-rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/),
+rotation](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/),
 that will automatically generate a new key and request a new certificate from
 the Kubernetes API as the current certificate approaches expiration. Once the
 new certificate is available, it will be used for authenticating connections to
diff --git a/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md b/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md
index 4ea543aef8d07..bad390575d574 100644
--- a/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md
+++ b/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md
@@ -1,6 +1,5 @@
 ---
 title: Manual Rotation of CA Certificates
-min-kubernetes-server-version: v1.13
 content_type: task
 ---
 
@@ -10,11 +9,13 @@ This page shows how to manually rotate the certificate authority (CA) certificat
 
 ## {{% heading "prerequisites" %}}
 
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+{{< include "task-tutorial-prereqs.md" >}}
 
 
-- For more information about authentication in Kubernetes, see [Authenticating](/docs/reference/access-authn-authz/authentication).
-- For more information about best practices for CA certificates, see [Single root CA](/docs/setup/best-practices/certificates/#single-root-ca).
+- For more information about authentication in Kubernetes, see
+  [Authenticating](/docs/reference/access-authn-authz/authentication).
+- For more information about best practices for CA certificates, see
+  [Single root CA](/docs/setup/best-practices/certificates/#single-root-ca).
 
 <!-- steps -->
 
@@ -24,36 +25,41 @@ This page shows how to manually rotate the certificate authority (CA) certificat
 Make sure to back up your certificate directory along with configuration files and any other necessary files.
 
 This approach assumes operation of the Kubernetes control plane in a HA configuration with multiple API servers.
-Graceful termination of the API server is also assumed so clients can cleanly disconnect from one API server and reconnect to another.
+Graceful termination of the API server is also assumed so clients can cleanly disconnect from one API server and
+reconnect to another.
 
 Configurations with a single API server will experience unavailability while the API server is being restarted.
 {{< /caution >}}
 
-1. Distribute the new CA certificates and private keys
-   (ex: `ca.crt`, `ca.key`, `front-proxy-ca.crt`, and `front-proxy-ca.key`)
-   to all your control plane nodes in the Kubernetes certificates directory.
+1. Distribute the new CA certificates and private keys (for example: `ca.crt`, `ca.key`, `front-proxy-ca.crt`,
+   and `front-proxy-ca.key`) to all your control plane nodes in the Kubernetes certificates directory.
 
-1. Update {{< glossary_tooltip text="kube-controller-manager" term_id="kube-controller-manager" >}}'s `--root-ca-file` to
-   include both old and new CA. Then restart the component.
+1. Update the `--root-ca-file` flag for the {{< glossary_tooltip term_id="kube-controller-manager" >}} to include
+   both old and new CA, then restart the kube-controller-manager.
 
-   Any service account created after this point will get secrets that include both old and new CAs.
+   Any {{< glossary_tooltip text="ServiceAccount" term_id="service-account" >}} created after this point will get
+   Secrets that include both old and new CAs.
 
    {{< note >}}
    The files specified by the kube-controller-manager flags `--client-ca-file` and `--cluster-signing-cert-file`
    cannot be CA bundles. If these flags and `--root-ca-file` point to the same `ca.crt` file which is now a
-   bundle (includes both old and new CA) you will face an error. To workaround this problem you can copy the new CA to a separate
-   file and make the flags `--client-ca-file` and `--cluster-signing-cert-file` point to the copy. Once `ca.crt` is no longer
-   a bundle you can restore the problem flags to point to `ca.crt` and delete the copy.
+   bundle (includes both old and new CA) you will face an error. To workaround this problem you can copy the new CA
+   to a separate file and make the flags `--client-ca-file` and `--cluster-signing-cert-file` point to the copy.
+   Once `ca.crt` is no longer a bundle you can restore the problem flags to point to `ca.crt` and delete the copy.
+
+   [Issue 1350](https://github.com/kubernetes/kubeadm/issues/1350) for kubeadm tracks an bug with the
+   kube-controller-manager being unable to accept a CA bundle.
    {{< /note >}}
 
-1. Update all service account tokens to include both old and new CA certificates.
+1. Update all Secrets that hold service account tokens to include both old and new CA certificates.
 
-   If any pods are started before new CA is used by API servers, they will get this update and trust both old and new CAs.
+    If any Pods are started before new CA is used by API servers, the new Pods get this update and will trust both
+    old and new CAs.
 
    ```shell
    base64_encoded_ca="$(base64 -w0 <path to file containing both old and new CAs>)"
 
-   for namespace in $(kubectl get ns --no-headers | awk '{print $1}'); do
+   for namespace in $(kubectl get namespace --no-headers -o name | cut -d / -f 2 ); do
        for token in $(kubectl get secrets --namespace "$namespace" --field-selector type=kubernetes.io/service-account-token -o name); do
            kubectl get $token --namespace "$namespace" -o yaml | \
              /bin/sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | \
@@ -62,15 +68,18 @@ Configurations with a single API server will experience unavailability while the
    done
    ```
 
-1. Restart all pods using in-cluster configs (ex: kube-proxy, coredns, etc) so they can use the updated certificate authority data from *ServiceAccount* secrets.
+1. Restart all pods using in-cluster configurations (for example: kube-proxy, CoreDNS, etc) so they can use the
+   updated certificate authority data from Secrets that link to ServiceAccounts.
 
-   * Make sure coredns, kube-proxy and other pods using in-cluster configs are working as expected.
+   * Make sure CoreDNS, kube-proxy and other Pods using in-cluster configurations are working as expected.
 
-1. Append the both old and new CA to the file against `--client-ca-file` and `--kubelet-certificate-authority` flag in the `kube-apiserver` configuration.
+1. Append the both old and new CA to the file against `--client-ca-file` and `--kubelet-certificate-authority`
+   flag in the `kube-apiserver` configuration.
 
 1. Append the both old and new CA to the file against `--client-ca-file` flag in the `kube-scheduler` configuration.
 
-1. Update certificates for user accounts by replacing the content of `client-certificate-data` and `client-key-data` respectively.
+1. Update certificates for user accounts by replacing the content of `client-certificate-data` and `client-key-data`
+   respectively.
 
    For information about creating certificates for individual user accounts, see
    [Configure certificates for user accounts](/docs/setup/best-practices/certificates/#configure-certificates-for-user-accounts).
@@ -78,40 +87,46 @@ Configurations with a single API server will experience unavailability while the
    Additionally, update the `certificate-authority-data` section in the kubeconfig files,
    respectively with Base64-encoded old and new certificate authority data
 
-1. Follow below steps in a rolling fashion.
+1. Update the `--root-ca-file` flag for the {{< glossary_tooltip term_id="cloud-controller-manager" >}} to include
+   both old and new CA, then restart the cloud-controller-manager.
+
+   {{< note >}}
+   If your cluster does not have a cloud-controller-manager, you can skip this step.
+   {{< /note >}}
+
+1. Follow the steps below in a rolling fashion.
 
-   1. Restart any other *[aggregated api servers](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)*
-      or *webhook handlers* to trust the new CA certificates.
+   1. Restart any other
+      [aggregated API servers](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) or
+      webhook handlers to trust the new CA certificates.
 
    1. Restart the kubelet by update the file against `clientCAFile` in kubelet configuration and
-      `certificate-authority-data` in kubelet.conf to use both the old and new CA on all nodes.
+      `certificate-authority-data` in `kubelet.conf` to use both the old and new CA on all nodes.
 
-      If your kubelet is not using client certificate rotation update `client-certificate-data` and
-      `client-key-data` in kubelet.conf on all nodes along with the kubelet client certificate file
+      If your kubelet is not using client certificate rotation, update `client-certificate-data` and
+      `client-key-data` in `kubelet.conf` on all nodes along with the kubelet client certificate file
       usually found in `/var/lib/kubelet/pki`.
 
-
    1. Restart API servers with the certificates (`apiserver.crt`, `apiserver-kubelet-client.crt` and
       `front-proxy-client.crt`) signed by new CA.
       You can use the existing private keys or new private keys.
       If you changed the private keys then update these in the Kubernetes certificates directory as well.
 
-      Since the pod trusts both old and new CAs, there will be a momentarily disconnection
-      after which the pod's kube client will reconnect to the new API server
-      that uses the certificate signed by the new CA.
-
-      * Restart Scheduler to use the new CAs.
+      Since the Pods in your cluster trust both old and new CAs, there will be a momentarily disconnection
+      after which pods' Kubernetes clients reconnect to the new API server.
+      The new API server uses a certificate signed by the new CA.
 
+      * Restart the {{< glossary_tooltip term_id="kube-scheduler" text="kube-scheduler" >}} to use and
+        trust the new CAs.
       * Make sure control plane components logs no TLS errors.
 
       {{< note >}}
-      To generate certificates and private keys for your cluster using the `openssl` command line tool, see [Certificates (`openssl`)](/docs/tasks/administer-cluster/certificates/#openssl).
+      To generate certificates and private keys for your cluster using the `openssl` command line tool,
+      see [Certificates (`openssl`)](/docs/tasks/administer-cluster/certificates/#openssl).
       You can also use [`cfssl`](/docs/tasks/administer-cluster/certificates/#cfssl).
       {{< /note >}}
 
-   1. Annotate any Daemonsets and Deployments to trigger pod replacement in a safer rolling fashion.
-
-      Example:
+    1. Annotate any DaemonSets and Deployments to trigger pod replacement in a safer rolling fashion.
 
       ```shell
       for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
@@ -129,7 +144,10 @@ Configurations with a single API server will experience unavailability while the
       see [configure pod disruption budget](/docs/tasks/run-application/configure-pdb/).
       {{< /note >}}
 
-1. If your cluster is using bootstrap tokens to join nodes, update the ConfigMap `cluster-info` in the `kube-public` namespace with new CA.
+        Depending on how you use StatefulSets you may also need to perform similar rolling replacement.
+
+1. If your cluster is using bootstrap tokens to join nodes, update the ConfigMap `cluster-info` in the `kube-public`
+   namespace with new CA.
 
    ```shell
    base64_encoded_ca="$(base64 -w0 /etc/kubernetes/pki/ca.crt)"
@@ -141,19 +159,24 @@ Configurations with a single API server will experience unavailability while the
 
 1. Verify the cluster functionality.
 
-   1. Validate the logs from control plane components, along with the kubelet and the
-      kube-proxy are not throwing any tls errors, see
-      [looking at the logs](/docs/tasks/debug/debug-cluster/#looking-at-logs).
+    1. Check the logs from control plane components, along with the kubelet and the kube-proxy.
+       Ensure those components are not reporting any TLS errors; see
+       [looking at the logs](/docs/tasks/debug/debug-cluster/#looking-at-logs) for more details.
 
-   1. Validate logs from any aggregated api servers and pods using in-cluster config.
+    1. Validate logs from any aggregated api servers and pods using in-cluster config.
 
 1. Once the cluster functionality is successfully verified:
 
    1. Update all service account tokens to include new CA certificate only.
 
-      * All pods using an in-cluster kubeconfig will eventually need to be restarted to pick up the new SA secret for the old CA to be completely untrusted.
+      * All pods using an in-cluster kubeconfig will eventually need to be restarted to pick up the new Secret,
+        so that no Pods are relying on the old cluster CA.
 
-   1. Restart the control plane components by removing the old CA from the kubeconfig files and the files against `--client-ca-file`, `--root-ca-file` flags resp.
+   1. Restart the control plane components by removing the old CA from the kubeconfig files and the files against
+      `--client-ca-file`, `--root-ca-file` flags resp.
 
-   1. Restart kubelet by removing the old CA from file against the `clientCAFile` flag and kubelet kubeconfig file.
+   1. On each node, restart the kubelet by removing the old CA from file against the `clientCAFile` flag
+      and from the kubelet kubeconfig file. You should carry this out as a rolling update.
 
+      If your cluster lets you make this change, you can also roll it out by replacing nodes rather than
+      reconfiguring them.
diff --git a/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md b/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
index 0024ff8bbc5f1..8a5889b81392c 100644
--- a/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
+++ b/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
@@ -43,7 +43,7 @@ If you have an alias for kubectl, you can extend shell completion to work with t
 
 ```bash
 echo 'alias k=kubectl' >>~/.bashrc
-echo 'complete -F __start_kubectl k' >>~/.bashrc
+echo 'complete -o default -F __start_kubectl k' >>~/.bashrc
 ```
 
 {{< note >}}
diff --git a/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md b/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
index 98545406497ba..47243c575ac61 100644
--- a/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
+++ b/content/en/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
@@ -77,7 +77,7 @@ You now have to ensure that the kubectl completion script gets sourced in all yo
 
     ```bash
     echo 'alias k=kubectl' >>~/.bash_profile
-    echo 'complete -F __start_kubectl k' >>~/.bash_profile
+    echo 'complete -o default -F __start_kubectl k' >>~/.bash_profile
     ```
 
 - If you installed kubectl with Homebrew (as explained [here](/docs/tasks/tools/install-kubectl-macos/#install-with-homebrew-on-macos)), then the kubectl completion script should already be in `/usr/local/etc/bash_completion.d/kubectl`. In that case, you don't need to do anything.
diff --git a/content/en/docs/tasks/tools/install-kubectl-linux.md b/content/en/docs/tasks/tools/install-kubectl-linux.md
index 6595fb1588778..d027ab647d8d1 100644
--- a/content/en/docs/tasks/tools/install-kubectl-linux.md
+++ b/content/en/docs/tasks/tools/install-kubectl-linux.md
@@ -138,10 +138,9 @@ For example, to download version {{< param "fullversion" >}} on Linux, type:
 cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
 [kubernetes]
 name=Kubernetes
-baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
+baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
 enabled=1
 gpgcheck=1
-repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 EOF
 sudo yum install -y kubectl
diff --git a/content/en/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html b/content/en/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html
index bb926a1d197d5..fd3db09a42996 100644
--- a/content/en/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html
+++ b/content/en/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/configuration/configure-redis-using-configmap.md b/content/en/docs/tutorials/configuration/configure-redis-using-configmap.md
index ec6edb9cc7037..d95e752208fec 100644
--- a/content/en/docs/tutorials/configuration/configure-redis-using-configmap.md
+++ b/content/en/docs/tutorials/configuration/configure-redis-using-configmap.md
@@ -8,7 +8,7 @@ content_type: tutorial
 
 <!-- overview -->
 
-This page provides a real world example of how to configure Redis using a ConfigMap and builds upon the [Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) task. 
+This page provides a real world example of how to configure Redis using a ConfigMap and builds upon the [Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) task. 
 
 
 
@@ -27,7 +27,7 @@ This page provides a real world example of how to configure Redis using a Config
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
 * The example shown on this page works with `kubectl` 1.14 and above.
-* Understand [Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/).
+* Understand [Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/).
 
 
 
@@ -78,7 +78,7 @@ kubectl get pod/redis configmap/example-redis-config
 
 You should see the following output:
 
-```shell
+```
 NAME        READY   STATUS    RESTARTS   AGE
 pod/redis   1/1     Running   0          8s
 
diff --git a/content/en/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html b/content/en/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
index 5301c6b7a14ef..2649ce4f9476b 100644
--- a/content/en/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
+++ b/content/en/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html b/content/en/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
index 915304f9127e5..d8a525a6d515d 100644
--- a/content/en/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
+++ b/content/en/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/kubernetes-basics/explore/explore-interactive.html b/content/en/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
index ad79ec5d7f60c..82b5f4bb332b5 100644
--- a/content/en/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
+++ b/content/en/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/kubernetes-basics/expose/expose-interactive.html b/content/en/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
index 2b5d3aa365f37..ce5eeb455f966 100644
--- a/content/en/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
+++ b/content/en/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/kubernetes-basics/expose/expose-intro.html b/content/en/docs/tutorials/kubernetes-basics/expose/expose-intro.html
index 1996859e2e4f1..b362669c05287 100644
--- a/content/en/docs/tutorials/kubernetes-basics/expose/expose-intro.html
+++ b/content/en/docs/tutorials/kubernetes-basics/expose/expose-intro.html
@@ -66,7 +66,7 @@ <h3>Services and Labels</h3>
 		
 		<div class="row">
 			<div class="col-md-8">
-				<p>A Service routes traffic across a set of Pods. Services are the abstraction that allow pods to die and replicate in Kubernetes without impacting your application. Discovery and routing among dependent Pods (such as the frontend and backend components in an application) is handled by Kubernetes Services.</p>
+				<p>A Service routes traffic across a set of Pods. Services are the abstraction that allows pods to die and replicate in Kubernetes without impacting your application. Discovery and routing among dependent Pods (such as the frontend and backend components in an application) are handled by Kubernetes Services.</p>
 				<p>Services match a set of Pods using <a href="/docs/concepts/overview/working-with-objects/labels">labels and selectors</a>, a grouping primitive that allows logical operation on objects in Kubernetes. Labels are key/value pairs attached to objects and can be used in any number of ways:</p>
 				<ul>
 					<li>Designate objects for development, test, and production</li>
diff --git a/content/en/docs/tutorials/kubernetes-basics/scale/scale-interactive.html b/content/en/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
index 3fedf79782a5b..ad01e64c02cb1 100644
--- a/content/en/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
+++ b/content/en/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/kubernetes-basics/update/update-interactive.html b/content/en/docs/tutorials/kubernetes-basics/update/update-interactive.html
index 2e70d61d7412e..99184ddb3e130 100644
--- a/content/en/docs/tutorials/kubernetes-basics/update/update-interactive.html
+++ b/content/en/docs/tutorials/kubernetes-basics/update/update-interactive.html
@@ -11,7 +11,7 @@
 
 <link href="/docs/tutorials/kubernetes-basics/public/css/styles.css" rel="stylesheet">
 <link href="/docs/tutorials/kubernetes-basics/public/css/overrides.css" rel="stylesheet">
-<script src="https://katacoda.com/embed.js"></script>
+{{< katacoda-tutorial >}}
 
 <div class="layout" id="top">
 
diff --git a/content/en/docs/tutorials/services/source-ip.md b/content/en/docs/tutorials/services/source-ip.md
index bb9a622c98d7f..9eab7538d4336 100644
--- a/content/en/docs/tutorials/services/source-ip.md
+++ b/content/en/docs/tutorials/services/source-ip.md
@@ -206,19 +206,8 @@ Note that these are not the correct client IPs, they're cluster internal IPs. Th
 
 Visually:
 
-{{< mermaid >}}
-graph LR;
-  client(client)-->node2[Node 2];
-  node2-->client;
-  node2-. SNAT .->node1[Node 1];
-  node1-. SNAT .->node2;
-  node1-->endpoint(Endpoint);
-
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  class node1,node2,endpoint k8s;
-  class client plain;
-{{</ mermaid >}}
+{{< figure src="/docs/images/tutor-service-nodePort-fig01.svg" alt="source IP nodeport figure 01" class="diagram-large" caption="Figure. Source IP Type=NodePort using SNAT" link="https://mermaid.live/edit#pako:eNqNkV9rwyAUxb-K3LysYEqS_WFYKAzat9GHdW9zDxKvi9RoMIZtlH732ZjSbE970cu5v3s86hFqJxEYfHjRNeT5ZcUtIbXRaMNN2hZ5vrYRqt52cSXV-4iMSuwkZiYtyX739EqWaahMQ-V1qPxDVLNOvkYrO6fj2dupWMR2iiT6foOKdEZoS5Q2hmVSStoH7w7IMqXUVOefWoaG3XVftHbGeZYVRbH6ZXJ47CeL2-qhxvt_ucTe1SUlpuMN6CX12XeGpLdJiaMMFFr0rdAyvvfxjHEIDbbIgcVSohKDCRy4PUV06KQIuJU6OA9MCdMjBTEEt_-2NbDgB7xAGy3i97VJPP0ABRmcqg" >}}
+
 
 To avoid this, Kubernetes has a feature to
 [preserve the client source IP](/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip).
@@ -262,20 +251,8 @@ This is what happens:
 
 Visually:
 
-{{< mermaid >}}
-graph TD;
-  client --> node1[Node 1];
-  client(client) --x node2[Node 2];
-  node1 --> endpoint(endpoint);
-  endpoint --> node1;
-
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  class node1,node2,endpoint k8s;
-  class client plain;
-{{</ mermaid >}}
-
 
+{{< figure src="/docs/images/tutor-service-nodePort-fig02.svg" alt="source IP nodeport figure 02" class="diagram-large" caption="Figure. Source IP Type=NodePort preserves client source IP address" link="" >}}
 
 ## Source IP for Services with `Type=LoadBalancer`
 
diff --git a/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md b/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
index 480316a09c80c..d3c426d7894da 100644
--- a/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
+++ b/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
@@ -16,7 +16,7 @@ This tutorial shows you how to deploy a WordPress site and a MySQL database usin
 A [PersistentVolume](/docs/concepts/storage/persistent-volumes/) (PV) is a piece of storage in the cluster that has been manually provisioned by an administrator, or dynamically provisioned by Kubernetes using a [StorageClass](/docs/concepts/storage/storage-classes).  A [PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) (PVC) is a request for storage by a user that can be fulfilled by a PV. PersistentVolumes and PersistentVolumeClaims are independent from Pod lifecycles and preserve data through restarting, rescheduling, and even deleting Pods.
 
 {{< warning >}}
-This deployment is not suitable for production use cases, as it uses single instance WordPress and MySQL Pods. Consider using [WordPress Helm Chart](https://github.com/kubernetes/charts/tree/master/stable/wordpress) to deploy WordPress in production.
+This deployment is not suitable for production use cases, as it uses single instance WordPress and MySQL Pods. Consider using [WordPress Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/wordpress) to deploy WordPress in production.
 {{< /warning >}}
 
 {{< note >}}
@@ -236,7 +236,7 @@ Do not leave your WordPress installation on this page. If another user finds it,
 ## {{% heading "whatsnext" %}}
 
 
-* Learn more about [Introspection and Debugging](/docs/tasks/debug/debug-application)
+* Learn more about [Introspection and Debugging](/docs/tasks/debug/debug-application/debug-running-pod/)
 * Learn more about [Jobs](/docs/concepts/workloads/controllers/job/)
 * Learn more about [Port Forwarding](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
 * Learn how to [Get a Shell to a Container](/docs/tasks/debug/debug-application/get-shell-running-container/)
diff --git a/content/en/examples/application/mysql/mysql-configmap.yaml b/content/en/examples/application/mysql/mysql-configmap.yaml
index 6aa5bfe4e5dc6..9adb0344a31a6 100644
--- a/content/en/examples/application/mysql/mysql-configmap.yaml
+++ b/content/en/examples/application/mysql/mysql-configmap.yaml
@@ -4,15 +4,14 @@ metadata:
   name: mysql
   labels:
     app: mysql
+    app.kubernetes.io/name: mysql
 data:
   primary.cnf: |
     # Apply this config only on the primary.
     [mysqld]
     log-bin
-    datadir=/var/lib/mysql/mysql
   replica.cnf: |
     # Apply this config only on replicas.
     [mysqld]
     super-read-only
-    datadir=/var/lib/mysql/mysql
 
diff --git a/content/en/examples/application/mysql/mysql-services.yaml b/content/en/examples/application/mysql/mysql-services.yaml
index 6743cf707ad4a..bc015066780c3 100644
--- a/content/en/examples/application/mysql/mysql-services.yaml
+++ b/content/en/examples/application/mysql/mysql-services.yaml
@@ -5,6 +5,7 @@ metadata:
   name: mysql
   labels:
     app: mysql
+    app.kubernetes.io/name: mysql
 spec:
   ports:
   - name: mysql
@@ -21,6 +22,8 @@ metadata:
   name: mysql-read
   labels:
     app: mysql
+    app.kubernetes.io/name: mysql
+    readonly: "true"
 spec:
   ports:
   - name: mysql
diff --git a/content/en/examples/application/mysql/mysql-statefulset.yaml b/content/en/examples/application/mysql/mysql-statefulset.yaml
index bb61537fcf338..85563a2abc879 100644
--- a/content/en/examples/application/mysql/mysql-statefulset.yaml
+++ b/content/en/examples/application/mysql/mysql-statefulset.yaml
@@ -6,12 +6,14 @@ spec:
   selector:
     matchLabels:
       app: mysql
+      app.kubernetes.io/name: mysql
   serviceName: mysql
   replicas: 3
   template:
     metadata:
       labels:
         app: mysql
+        app.kubernetes.io/name: mysql
     spec:
       initContainers:
       - name: init-mysql
diff --git a/content/en/examples/controllers/job.yaml b/content/en/examples/controllers/job.yaml
index b448f2eb81daf..a6e40bc778d6d 100644
--- a/content/en/examples/controllers/job.yaml
+++ b/content/en/examples/controllers/job.yaml
@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
       - name: pi
-        image: perl
+        image: perl:5.34
         command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
       restartPolicy: Never
   backoffLimit: 4
diff --git a/content/en/examples/pods/pod-with-affinity-anti-affinity.yaml b/content/en/examples/pods/pod-with-affinity-anti-affinity.yaml
index a7d14b2d6f755..5dcc7693b67c8 100644
--- a/content/en/examples/pods/pod-with-affinity-anti-affinity.yaml
+++ b/content/en/examples/pods/pod-with-affinity-anti-affinity.yaml
@@ -8,10 +8,11 @@ spec:
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
-          - key: kubernetes.io/os
+          - key: topology.kubernetes.io/zone
             operator: In
             values:
-            - linux
+            - antarctica-east1
+            - antarctica-west1
       preferredDuringSchedulingIgnoredDuringExecution:
       - weight: 1
         preference:
@@ -29,4 +30,4 @@ spec:
             - key-2
   containers:
   - name: with-node-affinity
-    image: k8s.gcr.io/pause:2.0
\ No newline at end of file
+    image: k8s.gcr.io/pause:2.0
diff --git a/content/en/releases/_index.md b/content/en/releases/_index.md
index d374f6eb5ab6a..689402cadf5cc 100644
--- a/content/en/releases/_index.md
+++ b/content/en/releases/_index.md
@@ -7,7 +7,7 @@ type: docs
 
 <!-- overview -->
 
-The Kubernetes project maintains release branches for the most recent three minor releases ({{< skew latestVersion >}}, {{< skew prevMinorVersion >}}, {{< skew oldestMinorVersion >}}).  Kubernetes 1.19 and newer receive [approximately 1 year of patch support](/releases/patch-releases/#support-period). Kubernetes 1.18 and older received approximately 9 months of patch support.
+The Kubernetes project maintains release branches for the most recent three minor releases ({{< skew currentVersion >}}, {{< skew currentVersionAddMinor -1 >}}, {{< skew currentVersionAddMinor -2 >}}).  Kubernetes 1.19 and newer receive [approximately 1 year of patch support](/releases/patch-releases/#support-period). Kubernetes 1.18 and older received approximately 9 months of patch support.
 
 Kubernetes versions are expressed as **x.y.z**,
 where **x** is the major version, **y** is the minor version, and **z** is the patch version, following [Semantic Versioning](https://semver.org/) terminology.
@@ -22,6 +22,6 @@ More information in the [version skew policy](/releases/version-skew-policy/) do
 
 ## Upcoming Release
 
-Check out the [schedule](https://github.com/kubernetes/sig-release/tree/master/releases/release-{{< skew nextMinorVersion >}}) for the upcoming **{{< skew nextMinorVersion >}}** Kubernetes release!
+Check out the [schedule](https://github.com/kubernetes/sig-release/tree/master/releases/release-{{< skew currentVersionAddMinor 1 >}}) for the upcoming **{{< skew currentVersionAddMinor 1 >}}** Kubernetes release!
 
 ## Helpful Resources
diff --git a/content/en/releases/patch-releases.md b/content/en/releases/patch-releases.md
index 144e74676b53b..91bdcc58bb91e 100644
--- a/content/en/releases/patch-releases.md
+++ b/content/en/releases/patch-releases.md
@@ -78,10 +78,10 @@ releases may also occur in between these.
 
 | Monthly Patch Release | Cherry Pick Deadline | Target date |
 | --------------------- | -------------------- | ----------- |
-| May 2022              | 2022-05-20           | 2022-05-24  |
-| June 2022             | 2022-06-10           | 2022-06-15  |
 | July 2022             | 2022-07-08           | 2022-07-13  |
-| August 2022           | 2022-08-12           | 2022-08-16  |
+| August 2022           | 2022-08-12           | 2022-08-17  |
+| September 2022        | 2022-09-09           | 2022-09-14  |
+| October 2022          | 2022-10-07           | 2022-10-12  |
 
 ## Detailed Release History for Active Branches
 
@@ -93,6 +93,8 @@ End of Life for **1.24** is **2023-09-29**
 
 | PATCH RELEASE | CHERRY PICK DEADLINE | TARGET DATE | NOTE |
 |---------------|----------------------|-------------|------|
+| 1.24.3        | 2022-07-08           | 2022-07-13  |      |
+| 1.24.2        | 2022-06-10           | 2022-06-15  |      |
 | 1.24.1        | 2022-05-20           | 2022-05-24  |      |
 
 ### 1.23
@@ -103,11 +105,13 @@ End of Life for **1.23** is **2023-02-28**.
 
 | Patch Release | Cherry Pick Deadline | Target Date | Note |
 |---------------|----------------------|-------------|------|
+| 1.23.9        | 2022-07-08           | 2022-07-13  |      |
+| 1.23.8        | 2022-06-10           | 2022-06-15  |      |
 | 1.23.7        | 2022-05-20           | 2022-05-24  |      |
 | 1.23.6        | 2022-04-08           | 2022-04-13  |      |
 | 1.23.5        | 2022-03-11           | 2022-03-16  |      |
 | 1.23.4        | 2022-02-11           | 2022-02-16  |      |
-| 1.23.3        | 2022-01-24           | 2022-01-25  | [Out-of-Band Release](https://groups.google.com/u/2/a/kubernetes.io/g/dev/c/Xl1sm-CItaY) |
+| 1.23.3        | 2022-01-24           | 2022-01-25  | [Out-of-Band Release](https://groups.google.com/a/kubernetes.io/g/dev/c/Xl1sm-CItaY) |
 | 1.23.2        | 2022-01-14           | 2022-01-19  |      |
 | 1.23.1        | 2021-12-14           | 2021-12-16  |      |
 
@@ -119,6 +123,8 @@ End of Life for **1.22** is **2022-10-28**
 
 | Patch Release | Cherry Pick Deadline | Target Date | Note |
 |---------------|----------------------|-------------|------|
+| 1.22.12       | 2022-07-08           | 2022-07-13  |      |
+| 1.22.11       | 2022-06-10           | 2022-06-15  |      |
 | 1.22.10       | 2022-05-20           | 2022-05-24  |      |
 | 1.22.9        | 2022-04-08           | 2022-04-13  |      |
 | 1.22.8        | 2022-03-11           | 2022-03-16  |      |
@@ -130,34 +136,13 @@ End of Life for **1.22** is **2022-10-28**
 | 1.22.2        | 2021-09-10           | 2021-09-15  |      |
 | 1.22.1        | 2021-08-16           | 2021-08-19  |      |
 
-### 1.21
-
-**1.21** enters maintenance mode on **2022-04-28**
-
-End of Life for **1.21** is **2022-06-28**
-
-| Patch Release | Cherry Pick Deadline | Target Date | Note |
-| ------------- | -------------------- | ----------- | ---------------------------------------------------------------------- |
-| 1.21.13       | 2022-05-20           | 2022-05-24  |                                                                        |
-| 1.21.12       | 2022-04-08           | 2022-04-13  |                                                                        |
-| 1.21.11       | 2022-03-11           | 2022-03-16  |                                                                        |
-| 1.21.10       | 2022-02-11           | 2022-02-16  |                                                                        |
-| 1.21.9        | 2022-01-14           | 2022-01-19  |                                                                        |
-| 1.21.8        | 2021-12-10           | 2021-12-15  |                                                                        |
-| 1.21.7        | 2021-11-12           | 2021-11-17  |                                                                        |
-| 1.21.6        | 2021-10-22           | 2021-10-27  |                                                                        |
-| 1.21.5        | 2021-09-10           | 2021-09-15  |                                                                        |
-| 1.21.4        | 2021-08-07           | 2021-08-11  |                                                                        |
-| 1.21.3        | 2021-07-10           | 2021-07-14  |                                                                        |
-| 1.21.2        | 2021-06-12           | 2021-06-16  |                                                                        |
-| 1.21.1        | 2021-05-07           | 2021-05-12  | [Regression](https://groups.google.com/g/kubernetes-dev/c/KuF8s2zueFs) |
-
 ## Non-Active Branch History
 
 These releases are no longer supported.
 
 | Minor Version | Final Patch Release | EOL Date   | Note                                                                   |
 | ------------- | ------------------- | ---------- | ---------------------------------------------------------------------- |
+| 1.21          | 1.21.14             | 2022-06-28 |                                                                        |
 | 1.20          | 1.20.15             | 2022-02-28 |                                                                        |
 | 1.19          | 1.19.16             | 2021-10-28 |                                                                        |
 | 1.18          | 1.18.20             | 2021-06-18 | Created to resolve regression introduced in 1.18.19                    |
diff --git a/content/en/releases/release-cycle.jpg b/content/en/releases/release-cycle.jpg
new file mode 100644
index 0000000000000..8519fca6bd82d
Binary files /dev/null and b/content/en/releases/release-cycle.jpg differ
diff --git a/content/en/releases/release-lifecycle.jpg b/content/en/releases/release-lifecycle.jpg
new file mode 100644
index 0000000000000..ac30788ba322a
Binary files /dev/null and b/content/en/releases/release-lifecycle.jpg differ
diff --git a/content/en/releases/release.md b/content/en/releases/release.md
index 5542b412024e3..f69424b7f9f71 100644
--- a/content/en/releases/release.md
+++ b/content/en/releases/release.md
@@ -17,9 +17,9 @@ create an enhancement, issue, or pull request which targets a specific release
 milestone.
 
 - [TL;DR](#tldr)
-  - [Normal Dev (Weeks 1-8)](#normal-dev-weeks-1-8)
-  - [Code Freeze (Weeks 9-11)](#code-freeze-weeks-9-11)
-  - [Post-Release (Weeks 11+)](#post-release-weeks-11)
+  - [Normal Dev (Weeks 1-11)](#normal-dev-weeks-1-11)
+  - [Code Freeze (Weeks 12-14)](#code-freeze-weeks-12-14)
+  - [Post-Release (Weeks 14+)](#post-release-weeks-14+)
 - [Definitions](#definitions)
 - [The Release Cycle](#the-release-cycle)
 - [Removal Of Items From The Milestone](#removal-of-items-from-the-milestone)
@@ -54,14 +54,14 @@ requirements exist when the target milestone is a prior release (see
 If you want your PR to get merged, it needs the following required labels and
 milestones, represented here by the Prow /commands it would take to add them:
 
-### Normal Dev (Weeks 1-8)
+### Normal Dev (Weeks 1-11)
 
 - /sig {name}
 - /kind {type}
 - /lgtm
 - /approved
 
-### [Code Freeze][code-freeze] (Weeks 9-11)
+### [Code Freeze][code-freeze] (Weeks 12-14)
 
 - /milestone {v1.y}
 - /sig {name}
@@ -69,7 +69,7 @@ milestones, represented here by the Prow /commands it would take to add them:
 - /lgtm
 - /approved
 
-### Post-Release (Weeks 11+)
+### Post-Release (Weeks 14+)
 
 Return to 'Normal Dev' phase requirements:
 
@@ -90,43 +90,43 @@ The general labeling process should be consistent across artifact types.
 
 ## Definitions
 
-- _issue owners_: Creator, assignees, and user who moved the issue into a
+- *issue owners*: Creator, assignees, and user who moved the issue into a
   release milestone
 
-- _Release Team_: Each Kubernetes release has a team doing project management
+- *Release Team*: Each Kubernetes release has a team doing project management
   tasks described [here][release-team].
 
   The contact info for the team associated with any given release can be found
   [here](https://git.k8s.io/sig-release/releases/).
 
-- _Y days_: Refers to business days
+- *Y days*: Refers to business days
 
-- _enhancement_: see "[Is My Thing an Enhancement?](https://git.k8s.io/enhancements/README.md#is-my-thing-an-enhancement)"
+- *enhancement*: see "[Is My Thing an Enhancement?](https://git.k8s.io/enhancements/README.md#is-my-thing-an-enhancement)"
 
-- _[Enhancements Freeze][enhancements-freeze]_:
+- *[Enhancements Freeze][enhancements-freeze]*:
   the deadline by which [KEPs][keps] have to be completed in order for
   enhancements to be part of the current release
 
-- _[Exception Request][exceptions]_:
+- *[Exception Request][exceptions]*:
   The process of requesting an extension on the deadline for a particular
   Enhancement
 
-- _[Code Freeze][code-freeze]_:
+- *[Code Freeze][code-freeze]*:
   The period of ~4 weeks before the final release date, during which only
   critical bug fixes are merged into the release.
 
-- _[Pruning](https://git.k8s.io/sig-release/releases/release_phases.md#pruning)_:
+- *[Pruning](https://git.k8s.io/sig-release/releases/release_phases.md#pruning)*:
   The process of removing an Enhancement from a release milestone if it is not
   fully implemented or is otherwise considered not stable.
 
-- _release milestone_: semantic version string or
+- *release milestone*: semantic version string or
   [GitHub milestone](https://help.github.com/en/github/managing-your-work-on-github/associating-milestones-with-issues-and-pull-requests)
   referring to a release MAJOR.MINOR `vX.Y` version.
 
   See also
-  [release versioning](/contributors/design-proposals/release/versioning.md).
+  [release versioning](https://git.k8s.io/design-proposals-archive/release/versioning.md).
 
-- _release branch_: Git branch `release-X.Y` created for the `vX.Y` milestone.
+- *release branch*: Git branch `release-X.Y` created for the `vX.Y` milestone.
 
   Created at the time of the `vX.Y-rc.0` release and maintained after the
   release for approximately 12 months with `vX.Y.Z` patch releases.
@@ -136,9 +136,9 @@ The general labeling process should be consistent across artifact types.
 
 ## The Release Cycle
 
-![Image of one Kubernetes release cycle](release-cycle.png)
+![Image of one Kubernetes release cycle](release-cycle.jpg)
 
-Kubernetes releases currently happen approximately four times per year.
+Kubernetes releases currently happen approximately three times per year.
 
 The release process can be thought of as having three main phases:
 
@@ -161,7 +161,7 @@ conjunction with the Release Team's [Enhancements Lead](https://git.k8s.io/sig-r
 
 After Enhancements Freeze, tracking milestones on PRs and issues is important.
 Items within the milestone are used as a punchdown list to complete the
-release. _On issues_, milestones must be applied correctly, via triage by the
+release. *On issues*, milestones must be applied correctly, via triage by the
 SIG, so that [Release Team][release-team] can track bugs and enhancements (any
 enhancement-related issue needs a milestone).
 
@@ -189,7 +189,7 @@ under that automation umbrella should be have a milestone applied.
 Implementation and bug fixing is ongoing across the cycle, but culminates in a
 code freeze period.
 
-**[Code Freeze][code-freeze]** starts in week ~10 and continues for ~2 weeks.
+**[Code Freeze][code-freeze]** starts in week ~12 and continues for ~2 weeks.
 Only critical bug fixes are accepted into the release codebase during this
 time.
 
@@ -204,7 +204,7 @@ back to the release branch. The release is built from the release branch.
 
 Each release is part of a broader Kubernetes lifecycle:
 
-![Image of Kubernetes release lifecycle spanning three releases](release-lifecycle.png)
+![Image of Kubernetes release lifecycle spanning three releases](release-lifecycle.jpg)
 
 ## Removal Of Items From The Milestone
 
@@ -355,11 +355,11 @@ issue kind labels must be set:
 - `kind/feature`: New functionality.
 - `kind/flake`: CI test case is showing intermittent failures.
 
-[cherry-picks]: /community/blob/master/contributors/devel/sig-release/cherry-picks.md
+[cherry-picks]: /contributors/devel/sig-release/cherry-picks.md
 [code-freeze]: https://git.k8s.io/sig-release/releases/release_phases.md#code-freeze
 [enhancements-freeze]: https://git.k8s.io/sig-release/releases/release_phases.md#enhancements-freeze
 [exceptions]: https://git.k8s.io/sig-release/releases/release_phases.md#exceptions
 [keps]: https://git.k8s.io/enhancements/keps
-[release-managers]: https://git.k8s.io/sig-release/release-managers.md
+[release-managers]: https://kubernetes.io/releases/release-managers/
 [release-team]: https://git.k8s.io/sig-release/release-team
-[sig-list]: /sig-list.md
+[sig-list]: /sig-list.md
\ No newline at end of file
diff --git a/content/en/releases/version-skew-policy.md b/content/en/releases/version-skew-policy.md
index 87f6cf2c6278a..730f892c80cc9 100644
--- a/content/en/releases/version-skew-policy.md
+++ b/content/en/releases/version-skew-policy.md
@@ -21,12 +21,12 @@ Specific cluster deployment tools may place additional restrictions on version s
 ## Supported versions
 
 Kubernetes versions are expressed as **x.y.z**, where **x** is the major version, **y** is the minor version, and **z** is the patch version, following [Semantic Versioning](https://semver.org/) terminology.
-For more information, see [Kubernetes Release Versioning](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/release/versioning.md#kubernetes-release-versioning).
+For more information, see [Kubernetes Release Versioning](https://git.k8s.io/design-proposals-archive/release/versioning.md#kubernetes-release-versioning).
 
-The Kubernetes project maintains release branches for the most recent three minor releases ({{< skew latestVersion >}}, {{< skew prevMinorVersion >}}, {{< skew oldestMinorVersion >}}).  Kubernetes 1.19 and newer receive approximately 1 year of patch support. Kubernetes 1.18 and older received approximately 9 months of patch support.
+The Kubernetes project maintains release branches for the most recent three minor releases ({{< skew currentVersion >}}, {{< skew currentVersionAddMinor -1 >}}, {{< skew currentVersionAddMinor -2 >}}).  Kubernetes 1.19 and newer receive approximately 1 year of patch support. Kubernetes 1.18 and older received approximately 9 months of patch support.
 
 Applicable fixes, including security fixes, may be backported to those three release branches, depending on severity and feasibility.
-Patch releases are cut from those branches at a [regular cadence](https://git.k8s.io/sig-release/releases/patch-releases.md#cadence), plus additional urgent releases, when required.
+Patch releases are cut from those branches at a [regular cadence](https://kubernetes.io/releases/patch-releases/#cadence), plus additional urgent releases, when required.
 
 The [Release Managers](/releases/release-managers/) group owns this decision.
 
@@ -40,8 +40,8 @@ In [highly-available (HA) clusters](/docs/setup/production-environment/tools/kub
 
 Example:
 
-* newest `kube-apiserver` is at **{{< skew latestVersion >}}**
-* other `kube-apiserver` instances are supported at **{{< skew latestVersion >}}** and **{{< skew prevMinorVersion >}}**
+* newest `kube-apiserver` is at **{{< skew currentVersion >}}**
+* other `kube-apiserver` instances are supported at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
 
 ### kubelet
 
@@ -49,8 +49,8 @@ Example:
 
 Example:
 
-* `kube-apiserver` is at **{{< skew latestVersion >}}**
-* `kubelet` is supported at **{{< skew latestVersion >}}**, **{{< skew prevMinorVersion >}}**, and **{{< skew oldestMinorVersion >}}**
+* `kube-apiserver` is at **{{< skew currentVersion >}}**
+* `kubelet` is supported at **{{< skew currentVersion >}}**, **{{< skew currentVersionAddMinor -1 >}}**, and **{{< skew currentVersionAddMinor -2 >}}**
 
 {{< note >}}
 If version skew exists between `kube-apiserver` instances in an HA cluster, this narrows the allowed `kubelet` versions.
@@ -58,8 +58,8 @@ If version skew exists between `kube-apiserver` instances in an HA cluster, this
 
 Example:
 
-* `kube-apiserver` instances are at **{{< skew latestVersion >}}** and **{{< skew prevMinorVersion >}}**
-* `kubelet` is supported at **{{< skew prevMinorVersion >}}**, and **{{< skew oldestMinorVersion >}}** (**{{< skew latestVersion >}}** is not supported because that would be newer than the `kube-apiserver` instance at version **{{< skew prevMinorVersion >}}**)
+* `kube-apiserver` instances are at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+* `kubelet` is supported at **{{< skew currentVersionAddMinor -1 >}}**, and **{{< skew currentVersionAddMinor -2 >}}** (**{{< skew currentVersion >}}** is not supported because that would be newer than the `kube-apiserver` instance at version **{{< skew currentVersionAddMinor -1 >}}**)
 
 ### kube-controller-manager, kube-scheduler, and cloud-controller-manager
 
@@ -67,8 +67,8 @@ Example:
 
 Example:
 
-* `kube-apiserver` is at **{{< skew latestVersion >}}**
-* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` are supported at **{{< skew latestVersion >}}** and **{{< skew prevMinorVersion >}}**
+* `kube-apiserver` is at **{{< skew currentVersion >}}**
+* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` are supported at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
 
 {{< note >}}
 If version skew exists between `kube-apiserver` instances in an HA cluster, and these components can communicate with any `kube-apiserver` instance in the cluster (for example, via a load balancer), this narrows the allowed versions of these components.
@@ -76,9 +76,9 @@ If version skew exists between `kube-apiserver` instances in an HA cluster, and
 
 Example:
 
-* `kube-apiserver` instances are at **{{< skew latestVersion >}}** and **{{< skew prevMinorVersion >}}**
+* `kube-apiserver` instances are at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
 * `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` communicate with a load balancer that can route to any `kube-apiserver` instance
-* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` are supported at **{{< skew prevMinorVersion >}}** (**{{< skew latestVersion >}}** is not supported because that would be newer than the `kube-apiserver` instance at version **{{< skew prevMinorVersion >}}**)
+* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` are supported at **{{< skew currentVersionAddMinor -1 >}}** (**{{< skew currentVersion >}}** is not supported because that would be newer than the `kube-apiserver` instance at version **{{< skew currentVersionAddMinor -1 >}}**)
 
 ### kubectl
 
@@ -86,8 +86,8 @@ Example:
 
 Example:
 
-* `kube-apiserver` is at **{{< skew latestVersion >}}**
-* `kubectl` is supported at **{{< skew nextMinorVersion >}}**, **{{< skew latestVersion >}}**, and **{{< skew prevMinorVersion >}}**
+* `kube-apiserver` is at **{{< skew currentVersion >}}**
+* `kubectl` is supported at **{{< skew currentVersionAddMinor 1 >}}**, **{{< skew currentVersion >}}**, and **{{< skew currentVersionAddMinor -1 >}}**
 
 {{< note >}}
 If version skew exists between `kube-apiserver` instances in an HA cluster, this narrows the supported `kubectl` versions.
@@ -95,27 +95,27 @@ If version skew exists between `kube-apiserver` instances in an HA cluster, this
 
 Example:
 
-* `kube-apiserver` instances are at **{{< skew latestVersion >}}** and **{{< skew prevMinorVersion >}}**
-* `kubectl` is supported at **{{< skew latestVersion >}}** and **{{< skew prevMinorVersion >}}** (other versions would be more than one minor version skewed from one of the `kube-apiserver` components)
+* `kube-apiserver` instances are at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+* `kubectl` is supported at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}** (other versions would be more than one minor version skewed from one of the `kube-apiserver` components)
 
 ## Supported component upgrade order
 
 The supported version skew between components has implications on the order in which components must be upgraded.
-This section describes the order in which components must be upgraded to transition an existing cluster from version **{{< skew prevMinorVersion >}}** to version **{{< skew latestVersion >}}**.
+This section describes the order in which components must be upgraded to transition an existing cluster from version **{{< skew currentVersionAddMinor -1 >}}** to version **{{< skew currentVersion >}}**.
 
 ### kube-apiserver
 
 Pre-requisites:
 
-* In a single-instance cluster, the existing `kube-apiserver` instance is **{{< skew prevMinorVersion >}}**
-* In an HA cluster, all `kube-apiserver` instances are at **{{< skew prevMinorVersion >}}** or **{{< skew latestVersion >}}** (this ensures maximum skew of 1 minor version between the oldest and newest `kube-apiserver` instance)
-* The `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` instances that communicate with this server are at version **{{< skew prevMinorVersion >}}** (this ensures they are not newer than the existing API server version, and are within 1 minor version of the new API server version)
-* `kubelet` instances on all nodes are at version **{{< skew prevMinorVersion >}}** or **{{< skew oldestMinorVersion >}}** (this ensures they are not newer than the existing API server version, and are within 2 minor versions of the new API server version)
+* In a single-instance cluster, the existing `kube-apiserver` instance is **{{< skew currentVersionAddMinor -1 >}}**
+* In an HA cluster, all `kube-apiserver` instances are at **{{< skew currentVersionAddMinor -1 >}}** or **{{< skew currentVersion >}}** (this ensures maximum skew of 1 minor version between the oldest and newest `kube-apiserver` instance)
+* The `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` instances that communicate with this server are at version **{{< skew currentVersionAddMinor -1 >}}** (this ensures they are not newer than the existing API server version, and are within 1 minor version of the new API server version)
+* `kubelet` instances on all nodes are at version **{{< skew currentVersionAddMinor -1 >}}** or **{{< skew currentVersionAddMinor -2 >}}** (this ensures they are not newer than the existing API server version, and are within 2 minor versions of the new API server version)
 * Registered admission webhooks are able to handle the data the new `kube-apiserver` instance will send them:
-  * `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` objects are updated to include any new versions of REST resources added in **{{< skew latestVersion >}}** (or use the [`matchPolicy: Equivalent` option](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) available in v1.15+)
-  * The webhooks are able to handle any new versions of REST resources that will be sent to them, and any new fields added to existing versions in **{{< skew latestVersion >}}**
+  * `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` objects are updated to include any new versions of REST resources added in **{{< skew currentVersion >}}** (or use the [`matchPolicy: Equivalent` option](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) available in v1.15+)
+  * The webhooks are able to handle any new versions of REST resources that will be sent to them, and any new fields added to existing versions in **{{< skew currentVersion >}}**
 
-Upgrade `kube-apiserver` to **{{< skew latestVersion >}}**
+Upgrade `kube-apiserver` to **{{< skew currentVersion >}}**
 
 {{< note >}}
 Project policies for [API deprecation](/docs/reference/using-api/deprecation-policy/) and
@@ -127,17 +127,17 @@ require `kube-apiserver` to not skip minor versions when upgrading, even in sing
 
 Pre-requisites:
 
-* The `kube-apiserver` instances these components communicate with are at **{{< skew latestVersion >}}** (in HA clusters in which these control plane components can communicate with any `kube-apiserver` instance in the cluster, all `kube-apiserver` instances must be upgraded before upgrading these components)
+* The `kube-apiserver` instances these components communicate with are at **{{< skew currentVersion >}}** (in HA clusters in which these control plane components can communicate with any `kube-apiserver` instance in the cluster, all `kube-apiserver` instances must be upgraded before upgrading these components)
 
-Upgrade `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` to **{{< skew latestVersion >}}**
+Upgrade `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` to **{{< skew currentVersion >}}**
 
 ### kubelet
 
 Pre-requisites:
 
-* The `kube-apiserver` instances the `kubelet` communicates with are at **{{< skew latestVersion >}}**
+* The `kube-apiserver` instances the `kubelet` communicates with are at **{{< skew currentVersion >}}**
 
-Optionally upgrade `kubelet` instances to **{{< skew latestVersion >}}** (or they can be left at **{{< skew prevMinorVersion >}}** or **{{< skew oldestMinorVersion >}}**)
+Optionally upgrade `kubelet` instances to **{{< skew currentVersion >}}** (or they can be left at **{{< skew currentVersionAddMinor -1 >}}** or **{{< skew currentVersionAddMinor -2 >}}**)
 
 {{< note >}}
 Before performing a minor version `kubelet` upgrade, [drain](/docs/tasks/administer-cluster/safely-drain-node/) pods from that node.
@@ -159,7 +159,7 @@ Running a cluster with `kubelet` instances that are persistently two minor versi
 
 Example:
 
-If `kube-proxy` version is **{{< skew oldestMinorVersion >}}**:
+If `kube-proxy` version is **{{< skew currentVersionAddMinor -2 >}}**:
 
-* `kubelet` version must be at the same minor version as **{{< skew oldestMinorVersion >}}**.
-* `kube-apiserver` version must be between **{{< skew oldestMinorVersion >}}** and **{{< skew latestVersion >}}**, inclusive.
+* `kubelet` version must be at the same minor version as **{{< skew currentVersionAddMinor -2 >}}**.
+* `kube-apiserver` version must be between **{{< skew currentVersionAddMinor -2 >}}** and **{{< skew currentVersion >}}**, inclusive.
diff --git a/content/es/docs/_index.md b/content/es/docs/_index.md
index a5cbf56e30d44..caf9a58d7a9f0 100644
--- a/content/es/docs/_index.md
+++ b/content/es/docs/_index.md
@@ -16,7 +16,7 @@ Como podrá comprobar, la mayor parte de la documentación aún está disponible
 
 <!-- body -->
 
-Si quiere participar, puede entrar al canal de Slack [#kubernets-docs-es](http://slack.kubernetes.io/) y formar parte del equipo detrás de la localización.
+Si quiere participar, puede entrar al canal de Slack [#kubernetes-docs-es](http://slack.kubernetes.io/) y formar parte del equipo detrás de la localización.
 
 También puede pasar por el canal para solicitar la traducción de alguna página en concreto o reportar algún error que se haya podido encontrar. ¡Cualquier aportación será bien recibida!
 
diff --git a/content/es/docs/concepts/configuration/secret.md b/content/es/docs/concepts/configuration/secret.md
index 7120f0476bb9d..8fd08c0285486 100644
--- a/content/es/docs/concepts/configuration/secret.md
+++ b/content/es/docs/concepts/configuration/secret.md
@@ -862,7 +862,7 @@ tu debes usar `ls -la` para verlos al enumerar los contenidos del directorio.
 
 ### Caso de uso: Secret visible para un contenedor en un pod
 
-Considere un programa que necesita manejar solicitudes HTTP, hacer una lógicca empresarial compleja y luego firmar algunos mensajes con un HMAC. Debido a que tiene una lógica de aplicación compleja, puede haber una vulnerabilidad de lectura remota de archivos inadvertida en el servidor, lo que podría exponer la clave privada a un atacante.
+Considere un programa que necesita manejar solicitudes HTTP, hacer una lógica empresarial compleja y luego firmar algunos mensajes con un HMAC. Debido a que tiene una lógica de aplicación compleja, puede haber una vulnerabilidad de lectura remota de archivos inadvertida en el servidor, lo que podría exponer la clave privada a un atacante.
 
 Esto podría dividirse en dos procesos en dos contenedores: un contenedor de frontend que maneja la interacción del usuario y la lógica empresarial. pero que no puede ver la clave privada; y un contenedor de firmante que puede ver la clave privada, y responde a solicitudes de firma simples del frontend (ejemplo, a través de redes de localhost).
 
diff --git a/content/es/docs/concepts/workloads/pods/init-containers.md b/content/es/docs/concepts/workloads/pods/init-containers.md
index fad0220899ea1..fafb6ae2f608e 100644
--- a/content/es/docs/concepts/workloads/pods/init-containers.md
+++ b/content/es/docs/concepts/workloads/pods/init-containers.md
@@ -338,4 +338,4 @@ Kubernetes, consulta la documentación de la versión que estás utilizando.
 ## {{% heading "whatsnext" %}}
 
 * Lee acerca de [creando un Pod que tiene un contenedor de inicialización](/docs/tasks/configure-pod-container/configure-pod-initialization/#create-a-pod-that-has-an-init-container)
-* Aprende cómo [depurar contenedores de inicialización](/docs/tasks/debug-application-cluster/debug-init-containers/)
+* Aprende cómo [depurar contenedores de inicialización](/docs/tasks/debug/debug-application/debug-init-containers/)
diff --git a/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md b/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
index fd470c26332e8..feefb194edd26 100644
--- a/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
+++ b/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
@@ -44,7 +44,7 @@ Si tiene un alias para kubectl, puede extender el completado del shell para trab
 
 ```bash
 echo 'alias k=kubectl' >>~/.bashrc
-echo 'complete -F __start_kubectl k' >>~/.bashrc
+echo 'complete -o default -F __start_kubectl k' >>~/.bashrc
 ```
 
 {{< note >}}
diff --git a/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md b/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
index 5c6dd3d8e63b8..00437e7a67377 100644
--- a/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
+++ b/content/es/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
@@ -76,7 +76,7 @@ Ahora debe asegurarse de que el script de completado de kubectl se obtenga en to
 
     ```bash
     echo 'alias k=kubectl' >>~/.bash_profile
-    echo 'complete -F __start_kubectl k' >>~/.bash_profile
+    echo 'complete -o default -F __start_kubectl k' >>~/.bash_profile
     ```
 
 - Si instaló kubectl con Homebrew (como se explica [aquí](/docs/tasks/tools/install-kubectl-macos/#install-with-homebrew-on-macos)), entonces el script de completado de kubectl ya debería estar en `/usr/local/etc/bash_completion.d/kubectl`. En ese caso, no necesita hacer nada.
diff --git a/content/fr/docs/concepts/workloads/pods/init-containers.md b/content/fr/docs/concepts/workloads/pods/init-containers.md
index fb4b6f3270174..2af4306b0ba93 100644
--- a/content/fr/docs/concepts/workloads/pods/init-containers.md
+++ b/content/fr/docs/concepts/workloads/pods/init-containers.md
@@ -325,6 +325,6 @@ redémarrage du conteneur d'application.
 
 
 * Lire à propos de la [création d'un Pod ayant un init container](/docs/tasks/configure-pod-container/configure-pod-initialization/#creating-a-pod-that-has-an-init-container)
-* Apprendre à [debugger les init containers](/docs/tasks/debug-application-cluster/debug-init-containers/)
+* Apprendre à [debugger les init containers](/docs/tasks/debug/debug-application/debug-init-containers/)
 
 
diff --git a/content/fr/docs/tasks/configure-pod-container/assign-cpu-resource.md b/content/fr/docs/tasks/configure-pod-container/assign-cpu-resource.md
index 284024b425a07..297cbd700ea21 100644
--- a/content/fr/docs/tasks/configure-pod-container/assign-cpu-resource.md
+++ b/content/fr/docs/tasks/configure-pod-container/assign-cpu-resource.md
@@ -212,7 +212,7 @@ vous pouvez utiliser efficacement les ressources CPU disponibles sur les Nœuds
 En gardant une demande faible de CPU de pod, vous donnez au Pod une bonne chance d'être ordonnancé.
 En ayant une limite CPU supérieure à la demande de CPU, vous accomplissez deux choses :
 
-* Le Pod peut avoir des pics d'activité où il utilise les ressources CPU qui se sont déjà disponible.
+* Le Pod peut avoir des pics d'activité où il utilise les ressources CPU qui sont déjà disponibles.
 * La quantité de ressources CPU qu'un Pod peut utiliser pendant une pic d'activité est limitée à une quantité raisonnable.
 
 ## Nettoyage
diff --git a/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 5902ca926d3c6..2aa904144f2e7 100644
--- a/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -37,7 +37,7 @@ Le champ `periodSeconds` spécifie que le Kubelet doit effectuer un check de liv
 Au démarrage, le conteneur exécute cette commande :
 
 ```shell
-/bin/sh -c "touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600"
+/bin/sh -c "touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600"
 ```
 
 Pour les 30 premières secondes de la vie du conteneur, il y a un fichier `/tmp/healthy`.
diff --git a/content/fr/docs/tasks/configure-pod-container/configure-pod-initialization.md b/content/fr/docs/tasks/configure-pod-container/configure-pod-initialization.md
index 6d1ca96b3173e..eeb33a0d4b8c4 100644
--- a/content/fr/docs/tasks/configure-pod-container/configure-pod-initialization.md
+++ b/content/fr/docs/tasks/configure-pod-container/configure-pod-initialization.md
@@ -81,7 +81,7 @@ La sortie montre que nginx sert la page web qui a été écrite par le conteneur
 [communiquer entre conteneurs fonctionnant dans le même Pod](/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/).
 * Pour en savoir plus sur [Init Conteneurs](/docs/concepts/workloads/pods/init-containers/).
 * Pour en savoir plus sur [Volumes](/docs/concepts/storage/volumes/).
-* Pour en savoir plus sur [Débogage des Init Conteneurs](/docs/tasks/debug-application-cluster/debug-init-containers/)
+* Pour en savoir plus sur [Débogage des Init Conteneurs](/docs/tasks/debug/debug-application/debug-init-containers/)
 
 
 
diff --git a/content/fr/examples/pods/probe/exec-liveness.yaml b/content/fr/examples/pods/probe/exec-liveness.yaml
index 07bf75f85c6f3..6a9c9b3213718 100644
--- a/content/fr/examples/pods/probe/exec-liveness.yaml
+++ b/content/fr/examples/pods/probe/exec-liveness.yaml
@@ -11,7 +11,7 @@ spec:
     args:
     - /bin/sh
     - -c
-    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600
     livenessProbe:
       exec:
         command:
diff --git a/content/fr/includes/default-storage-class-prereqs.md b/content/fr/includes/default-storage-class-prereqs.md
index c0a21bec17dc0..eefd9fcf90ed2 100644
--- a/content/fr/includes/default-storage-class-prereqs.md
+++ b/content/fr/includes/default-storage-class-prereqs.md
@@ -1 +1 @@
-Vous devez disposer soit d'un fournisseur PersistentVolume dynamique avec une valeur par défaut [StorageClass](/docs/concepts/storage/storage-classes/), soit préparer [un PersistentVolumes statique](/docs/user-guide/persistent-volumes/#provisioning) pour satisfaire les [PersistentVolumeClaims](/docs/user-guide/persistent-volumes/#persistentvolumeclaims) utilisés ici.
+Vous devez disposer soit d'un fournisseur PersistentVolume dynamique avec une valeur par défaut [StorageClass](/docs/concepts/storage/storage-classes/), soit préparer [un PersistentVolumes statique](/docs/concepts/storage/persistent-volumes/#provisioning) pour satisfaire les [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) utilisés ici.
diff --git a/content/id/docs/concepts/workloads/pods/disruptions.md b/content/id/docs/concepts/workloads/pods/disruptions.md
index 7a09eed3a502f..f466bc6300ac5 100644
--- a/content/id/docs/concepts/workloads/pods/disruptions.md
+++ b/content/id/docs/concepts/workloads/pods/disruptions.md
@@ -67,7 +67,7 @@ Kubernetes menawarkan fitur-fitur untuk membantu menjalankan aplikasi-aplikasi d
 Pemilik aplikasi dapat membuat objek `PodDisruptionBudget` (PDB) untuk setiap aplikasi. Sebuah PDB membatasi jumlah Pod yang boleh mati secara bersamaan pada aplikasi yang direplikasi dikarenakan disrupsi yang disengaja.
 Misalnya, sebuah aplikasi yang bekerja secara _quorum_ mau memastikan bahwa jumlah replika yang berjalan tidak jatuh ke bawah yang dibutuhkan untuk membentuk sebuah _quorum_. Contoh lainnya, sebuah _front-end_ web mungkin perlu memastikan bahwa jumlah replika yang melayani trafik tidak pernah turun ke total persentase yang telah ditentukan.
 
-Administrator klaster dan penyedia layanan Kubernetes sebaiknya menggunakan alat-alat yang menghormati PDB dengan cara berkomunikasi dengan [Eviction API](/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api) dari pada menghapus Pod atau Deployment secara langsung. Contohnya adalah perintah `kubectl drain` dan skrip pembaruan Kubernets-on-GCE (`cluster/gce/upgrade.sh`)
+Administrator klaster dan penyedia layanan Kubernetes sebaiknya menggunakan alat-alat yang menghormati PDB dengan cara berkomunikasi dengan [Eviction API](/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api) dari pada menghapus Pod atau Deployment secara langsung. Contohnya adalah perintah `kubectl drain` dan skrip pembaruan Kubernetes-on-GCE (`cluster/gce/upgrade.sh`)
 
 Saat seorang administrator klaster ingin melakukan _drain_ terhadap sebuah node, ia akan menggunakan perintah `kubectl drain`. Alat tersebut mencoba untuk "mengusir" semua Pod di node tersebut. Permintaan untuk mengusir Pod tersebut mungkin ditolak untuk sementara, dan alat tersebut akan mencoba ulang permintaannya secara periodik hingga semua Pod dihapus, atau hingga batas waktu yang ditentukan telah dicapai.
 
diff --git a/content/id/docs/contribute/participate/_index.md b/content/id/docs/contribute/participate/_index.md
index 72c561432b5b9..cd47d6230971d 100644
--- a/content/id/docs/contribute/participate/_index.md
+++ b/content/id/docs/contribute/participate/_index.md
@@ -71,8 +71,8 @@ dua buah [prow _plugin_](https://github.com/kubernetes/test-infra/tree/master/pr
 - approve
 
 Kedua _plugin_ menggunakan berkas
-[OWNERS](https://github.com/kubernetes/website/blob/master/OWNERS) dan
-[OWNERS_ALIASES](https://github.com/kubernetes/website/blob/master/OWNERS_ALIASES)
+[OWNERS](https://github.com/kubernetes/website/blob/main/OWNERS) dan
+[OWNERS_ALIASES](https://github.com/kubernetes/website/blob/main/OWNERS_ALIASES)
 dalam level teratas dari repositori GitHub `kubernetes/website` untuk mengontrol
 bagaimana prow bekerja di dalam repositori.
 
diff --git a/content/id/docs/tasks/administer-cluster/dns-debugging-resolution.md b/content/id/docs/tasks/administer-cluster/dns-debugging-resolution.md
index aeeeab1001d84..67b451db52b34 100644
--- a/content/id/docs/tasks/administer-cluster/dns-debugging-resolution.md
+++ b/content/id/docs/tasks/administer-cluster/dns-debugging-resolution.md
@@ -160,7 +160,7 @@ Nama layanan adalah `kube-dns` baik untuk CoreDNS maupun kube-dns.
 {{< /note >}}
 
 Jika kamu telah membuat Service atau seharusnya Service telah dibuat secara bawaan namun ternyata tidak muncul, lihat
-[_debugging_ Service](/docs/tasks/debug-application-cluster/debug-service/) untuk informasi lebih lanjut.
+[_debugging_ Service](/docs/tasks/debug/debug-application/debug-service/) untuk informasi lebih lanjut.
 
 ### Apakah endpoint DNS telah ekspos?
 
@@ -175,7 +175,7 @@ kube-dns   10.180.3.17:53,10.180.3.17:53    1h
 ```
 
 Jika kamu tidak melihat _endpoint_, lihat bagian _endpoint_ pada dokumentasi
-[_debugging_ Service](/docs/tasks/debug-application-cluster/debug-service/).
+[_debugging_ Service](/docs/tasks/debug/debug-application/debug-service/).
 
 Untuk tambahan contoh Kubernetes DNS, lihat
 [contoh cluster-dns](https://github.com/kubernetes/examples/tree/master/staging/cluster-dns) pada repositori Kubernetes GitHub.
diff --git a/content/id/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/id/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 934f6178cd9e5..96b08d1aca0b7 100644
--- a/content/id/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/id/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -59,7 +59,7 @@ kode selain 0, maka kubelet akan mematikan Container dan mengulangnya kembali.
 Saat dimulai, Container akan menjalankan perintah berikut:
 
 ```shell
-/bin/sh -c "touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600"
+/bin/sh -c "touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600"
 ```
 
 Container memiliki berkas `/tmp/healthy` pada saat 30 detik pertama setelah dijalankan.
diff --git a/content/id/docs/tasks/configure-pod-container/static-pod.md b/content/id/docs/tasks/configure-pod-container/static-pod.md
index 6088b458db837..b13c95608b60b 100644
--- a/content/id/docs/tasks/configure-pod-container/static-pod.md
+++ b/content/id/docs/tasks/configure-pod-container/static-pod.md
@@ -33,7 +33,7 @@ sebuah {{< glossary_tooltip text="DaemonSet" term_id="daemonset" >}}.
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
-Laman ini mengasumsikan kamu menggunakan {{< glossary_tooltip term_id="docker" >}}
+Laman ini mengasumsikan kamu menggunakan {{< glossary_tooltip term_id="cri-o" >}}
 untuk menjalankan Pod, dan Node kamu berjalan menggunakan sistem operasi Fedora.
 Instruksi untuk distribusi lain atau instalasi Kubernetes mungkin berbeda.
 
@@ -90,23 +90,23 @@ Sebagai contoh, ini cara untuk memulai server web sederhana sebagai Pod statis:
 
 3. Atur kubelet pada Node untuk menggunakan direktori ini dengan menjalankannya menggunakan argumen `--pod-manifest-path=/etc/kubelet.d/`. Pada Fedora, ubah berkas `/etc/kubernetes/kubelet` dengan menambahkan baris berikut:
 
-    ```
-    KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubelet.d/"
-    ```
-    atau tambahkan _field_ `staticPodPath: <direktori>` pada [berkas konfigurasi kubelet](/docs/tasks/administer-cluster/kubelet-config-file).
+   ```
+   KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubelet.d/"
+   ```
+   atau tambahkan _field_ `staticPodPath: <direktori>` pada [berkas konfigurasi kubelet](/docs/tasks/administer-cluster/kubelet-config-file).
 
 4. Jalankan ulang kubelet. Pada Fedora, kamu dapat menjalankan:
 
-    ```shell
-    # Jalankan perintah berikut pada Node tempat kubelet berjalan
-    systemctl restart kubelet
-    ```
+   ```shell
+   # Jalankan perintah berikut pada Node tempat kubelet berjalan
+   systemctl restart kubelet
+   ```
 
 ### Manifes Pod statis pada Web {#konfigurasi-melalui-http}
 
 Berkas yang ditentukan pada argumen `--manifest-url=<URL>` akan diunduh oleh kubelet secara berkala
 dan kubelet akan menginterpretasinya sebagai sebuah berkas JSON/YAML yang berisikan definisi Pod.
-Mirip dengan cara kerja [manifes pada _filesystem_](##konfigurasi-melalui-berkas-sistem),
+Mirip dengan cara kerja [manifes pada _filesystem_](#konfigurasi-melalui-berkas-sistem),
 kubelet akan mengambil manifes berdasarkan jadwal. Jika ada perubahan pada daftar
 Pod statis, maka kubelet akan menerapkannya.
 
@@ -153,12 +153,12 @@ akan dijalankan.
 Kamu dapat melihat Container yang berjalan (termasuk Pod statis) dengan menjalankan (pada Node):
 ```shell
 # Jalankan perintah ini pada Node tempat kubelet berjalan
-docker ps
+crictl ps
 ```
 
 Keluarannya kira-kira seperti berikut:
 
-```
+```console
 CONTAINER ID IMAGE         COMMAND  CREATED        STATUS         PORTS     NAMES
 f6d05272b57e nginx:latest  "nginx"  8 minutes ago  Up 8 minutes             k8s_web.6f802af4_static-web-fk-node1_default_67e24ed9466ba55986d120c867395f3c_378e5f3c
 ```
@@ -169,8 +169,8 @@ Kamu dapat melihat Pod _mirror_ tersebut pada API server:
 kubectl get pods
 ```
 ```
-NAME                       READY     STATUS    RESTARTS   AGE
-static-web-my-node1        1/1       Running   0          2m
+NAME         READY   STATUS    RESTARTS        AGE
+static-web   1/1     Running   0               2m
 ```
 
 {{< note >}}
@@ -189,18 +189,18 @@ Kamu dapat mencoba untuk menggunakan kubelet untuk menghapus Pod _mirror_ terseb
 namun kubelet tidak akan menghapus Pod statis:
 
 ```shell
-kubectl delete pod static-web-my-node1
+kubectl delete pod static-web
 ```
 ```
-pod "static-web-my-node1" deleted
+pod "static-web" deleted
 ```
 Kamu akan melihat bahwa Pod tersebut tetap berjalan:
 ```shell
 kubectl get pods
 ```
 ```
-NAME                       READY     STATUS    RESTARTS   AGE
-static-web-my-node1        1/1       Running   0          12s
+NAME         READY   STATUS    RESTARTS   AGE
+static-web   1/1     Running   0          4s
 ```
 
 Kembali ke Node tempat kubelet berjalan, kamu dapat mencoba menghentikan Container
@@ -210,13 +210,13 @@ secara otomatis:
 
 ```shell
 # Jalankan perintah ini pada Node tempat kubelet berjalan
-docker stop f6d05272b57e # ganti dengan ID pada Container-mu
+crictl stop 129fd7d382018 # ganti dengan ID pada Container-mu
 sleep 20
-docker ps
+crictl ps
 ```
-```
-CONTAINER ID        IMAGE         COMMAND                CREATED       ...
-5b920cbaf8b1        nginx:latest  "nginx -g 'daemon of   2 seconds ago ...
+```console
+CONTAINER       IMAGE                                 CREATED           STATE      NAME    ATTEMPT    POD ID
+89db4553e1eeb   docker.io/library/nginx@sha256:...    19 seconds ago    Running    web     1          34533c6729106
 ```
 
 ## Penambahan dan pengurangan secara dinamis pada Pod statis
@@ -231,13 +231,13 @@ Pod sesuai dengan penambahan/pengurangan berkas pada direktori tersebut.
 #
 mv /etc/kubelet.d/static-web.yaml /tmp
 sleep 20
-docker ps
+crictl ps
 # Kamu mendapatkan bahwa tidak ada Container nginx yang berjalan
 mv /tmp/static-web.yaml  /etc/kubelet.d/
 sleep 20
-docker ps
-```
+crictl ps
 ```
-CONTAINER ID        IMAGE         COMMAND                CREATED           ...
-e7a62e3427f1        nginx:latest  "nginx -g 'daemon of   27 seconds ago
+```console
+CONTAINER       IMAGE                                 CREATED           STATE      NAME    ATTEMPT    POD ID
+f427638871c35   docker.io/library/nginx@sha256:...    19 seconds ago    Running    web     1          34533c6729106
 ```
diff --git a/content/id/docs/tasks/run-application/horizontal-pod-autoscale.md b/content/id/docs/tasks/run-application/horizontal-pod-autoscale.md
index cd82ded0b18df..c9b74657baa67 100644
--- a/content/id/docs/tasks/run-application/horizontal-pod-autoscale.md
+++ b/content/id/docs/tasks/run-application/horizontal-pod-autoscale.md
@@ -281,9 +281,9 @@ mengakses API ini, administrator klaster harus memastikan bahwa:
   `false` untuk mengubah ke *autoscaling* berdasarkan Heapster, dimana ini sudah tidak didukung lagi.
 
 Untuk informasi lebih lanjut mengenai metrik-metrik ini dan bagaimana perbedaan setiap metrik, perhatikan proposal
-desain untuk [HPA V2](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/autoscaling/hpa-v2.md),
-[custom.metrics.k8s.io](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/instrumentation/custom-metrics-api.md)
-dan [external.metrics.k8s.io](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/instrumentation/external-metrics-api.md).
+desain untuk [HPA V2](https://github.com/kubernetes/design-proposals-archive/blob/main/autoscaling/hpa-v2.md),
+[custom.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/custom-metrics-api.md)
+dan [external.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/external-metrics-api.md).
 
 Untuk contoh bagaimana menggunakan metrik-metrik ini, perhatikan [panduan penggunaan metrik khusus](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics)
 dan [panduan penggunaan metrik eksternal](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-metrics-not-related-to-kubernetes-objects).
diff --git a/content/id/docs/tutorials/kubernetes-basics/explore/explore-intro.html b/content/id/docs/tutorials/kubernetes-basics/explore/explore-intro.html
index a6381b3275490..1b3b494b1afdf 100644
--- a/content/id/docs/tutorials/kubernetes-basics/explore/explore-intro.html
+++ b/content/id/docs/tutorials/kubernetes-basics/explore/explore-intro.html
@@ -76,9 +76,9 @@ <h2 style="color: #3771e3;">Ikhtisar Pod</h2>
                 <h2>Node</h2>
                 <p>Sebuah Pod selalu berjalan dalam sebuah <b>Node</b>. Node merupakan sebuah mesin pekerja (<i>worker</i>) di Kubernetes dan mungkin merupakan mesin virtual ataupun fisik, tergantung dari klaster. Tiap Node dikelola oleh control plane. Satu Node dapat memiliki beberapa Pod, dan control plane Kubernetes yang otomatis menangani penjadwalan pod seluruh Node-Node dalam klaster. Penjadwalan otomatis oleh control plane memperhitungkan tersedianya sumber daya tiap Node.</p>
 
-                <p>Tiap Node Kuberbetes menjalankan setidaknya:</p>
+                <p>Tiap Node Kubernetes menjalankan setidaknya:</p>
                 <ul>
-                    <li>Kubelet, satu proses yang bertanggung jawab untuk berkomunikasi antara control plane Kuberneter dan Node; ini juga mengelola Pod-Pod dan kontainer-kontainer yang berjalan di sebuah mesin.</li>
+                    <li>Kubelet, satu proses yang bertanggung jawab untuk berkomunikasi antara control plane Kubernetes dan Node; ini juga mengelola Pod-Pod dan kontainer-kontainer yang berjalan di sebuah mesin.</li>
                     <li>Satu <i>container runtime</i>, seperti Docker, bertanggung jawab untuk menarik <i>image</i> kontainer dari register, membuka kontainer, dan menjalankan aplikasi.</li>
                 </ul>
 
diff --git a/content/id/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml b/content/id/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml
index 87bd198cfdab7..ac19efe4a2350 100644
--- a/content/id/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml
+++ b/content/id/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
   - name: count
-    image: busybox
+    image: busybox:1.28
     args:
     - /bin/sh
     - -c
@@ -22,14 +22,14 @@ spec:
     - name: varlog
       mountPath: /var/log
   - name: count-log-1
-    image: busybox
-    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/1.log']
+    image: busybox:1.28
+    args: [/bin/sh, -c, 'tail -n+1 -F /var/log/1.log']
     volumeMounts:
     - name: varlog
       mountPath: /var/log
   - name: count-log-2
-    image: busybox
-    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/2.log']
+    image: busybox:1.28
+    args: [/bin/sh, -c, 'tail -n+1 -F /var/log/2.log']
     volumeMounts:
     - name: varlog
       mountPath: /var/log
diff --git a/content/id/examples/pods/probe/exec-liveness.yaml b/content/id/examples/pods/probe/exec-liveness.yaml
index 07bf75f85c6f3..6a9c9b3213718 100644
--- a/content/id/examples/pods/probe/exec-liveness.yaml
+++ b/content/id/examples/pods/probe/exec-liveness.yaml
@@ -11,7 +11,7 @@ spec:
     args:
     - /bin/sh
     - -c
-    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600
     livenessProbe:
       exec:
         command:
diff --git a/content/it/docs/concepts/overview/components.md b/content/it/docs/concepts/overview/components.md
index 906d1f701336c..2734b38674639 100644
--- a/content/it/docs/concepts/overview/components.md
+++ b/content/it/docs/concepts/overview/components.md
@@ -1,5 +1,7 @@
 ---
 title: I componenti di Kubernetes
+description: >
+  Un cluster di Kubernetes è costituito da un insieme di componenti che sono, come minimo, un Control Plane e uno o più sistemi di elaborazione, detti nodi.
 content_type: concept
 weight: 20
 card: 
diff --git a/content/it/docs/concepts/overview/kubernetes-api.md b/content/it/docs/concepts/overview/kubernetes-api.md
index 5214bea53a330..78022336e84d5 100644
--- a/content/it/docs/concepts/overview/kubernetes-api.md
+++ b/content/it/docs/concepts/overview/kubernetes-api.md
@@ -1,5 +1,7 @@
 ---
-title: Le API di Kubernetes 
+title: Le API di Kubernetes
+description: >
+  Le API di Kubernetes ti permettono di interrogare e manipolare lo stato degli oggetti in Kubernetes. Il cuore del Control Plane di Kubernetes è l'API server e le API HTTP che esso espone. Ogni entità o componente che si interfaccia con il cluster (gli utenti, le singole parti del tuo cluster, i componenti esterni), comunica attraverso l'API server.
 content_type: concept
 weight: 30
 card: 
diff --git a/content/it/training/_index.html b/content/it/training/_index.html
index a8eee4e468d43..051fc87557dbc 100644
--- a/content/it/training/_index.html
+++ b/content/it/training/_index.html
@@ -95,7 +95,7 @@ <h5>
           <h5>
             <b>Certified Kubernetes Administrator (CKA)</b>
           </h5>
-          <p>Il programma "Certified Kubernetes Administrator" assicura che la persona ha le capacità, conoscenze, e competenze per operare come amministratore di Kubernets.</p>
+          <p>Il programma "Certified Kubernetes Administrator" assicura che la persona ha le capacità, conoscenze, e competenze per operare come amministratore di Kubernetes.</p>
           <br>
           <a href=https://training.linuxfoundation.org/certification/certified-kubernetes-administrator-cka/" target="_blank" class="button">Vai alla certificazione</a>
         </center>
diff --git a/content/ja/docs/concepts/cluster-administration/networking.md b/content/ja/docs/concepts/cluster-administration/networking.md
index 444e7ef3d1eb5..37ce7102bce2e 100644
--- a/content/ja/docs/concepts/cluster-administration/networking.md
+++ b/content/ja/docs/concepts/cluster-administration/networking.md
@@ -88,9 +88,9 @@ Details on how the AOS system works can be accessed here: https://www.apstra.com
 さらに、このCNIは[ネットワークポリシーの適用のためにCalico](https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/calico.html)と一緒に実行できます。AWS VPC CNIプロジェクトは、[GitHubのドキュメント](https://github.com/aws/amazon-vpc-cni-k8s)とともにオープンソースで公開されています。
 
 ### Azure CNI for Kubernetes
-[Azure CNI](https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview) is an [open source](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) plugin that integrates Kubernetes Pods with an Azure Virtual Network (also known as VNet) providing network performance at par with VMs. Pods can connect to peered VNet and to on-premises over Express Route or site-to-site VPN and are also directly reachable from these networks. Pods can access Azure services, such as storage and SQL, that are protected by Service Endpoints or Private Link. You can use VNet security policies and routing to filter Pod traffic. The plugin assigns VNet IPs to Pods by utilizing a pool of secondary IPs pre-configured on the Network Interface of a Kubernetes node.
+[Azure CNI](https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview)は、Kubernetes PodをAzure仮想ネットワーク(VNetとも呼ばれます)と統合する[オープンソース](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md)プラグインで、VMと同等のネットワーク パフォーマンスを提供します。Pod は、ExpressRouteまたはサイト間VPN経由でピアリングされたVNetおよびオンプレミスに接続でき、これらのネットワークから直接アクセスすることもできます。Podは、サービスエンドポイントまたはプライベートリンクによって保護されているストレージやSQLなどのAzureサービスにアクセスできます。VNetセキュリティポリシーとルーティングを使用して、Podトラフィックをフィルター処理できます。プラグインは、Kubernetesノードのネットワークインターフェイスで事前に構成されたセカンダリIPのプールを利用して、VNet IPをPodに割り当てます。
 
-Azure CNI is available natively in the [Azure Kubernetes Service (AKS)] (https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni).
+Azure CNIは、[Azure Kubernetes Service (AKS)] (https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni)でネイティブに利用できます。
 
 
 ### Big Cloud Fabric from Big Switch Networks
diff --git a/content/ja/docs/concepts/configuration/manage-resources-containers.md b/content/ja/docs/concepts/configuration/manage-resources-containers.md
index 6f699bb4779e7..d9e5a13b4190e 100644
--- a/content/ja/docs/concepts/configuration/manage-resources-containers.md
+++ b/content/ja/docs/concepts/configuration/manage-resources-containers.md
@@ -17,7 +17,7 @@ Pod内のコンテナのリソース*要求*を指定すると、スケジュー
 
 <!-- body -->
 
-## 要求と制限
+## 要求と制限 {#requests-and-limits}
 
 Podが動作しているNodeに利用可能なリソースが十分にある場合、そのリソースの`要求`が指定するよりも多くのリソースをコンテナが使用することが許可されます
 ただし、コンテナはそのリソースの`制限`を超えて使用することはできません。
@@ -33,7 +33,7 @@ Podが動作しているNodeに利用可能なリソースが十分にある場
 コンテナが自身のメモリー制限を指定しているが、メモリー要求を指定していない場合、Kubernetesは制限に一致するメモリー要求を自動的に割り当てます。同様に、コンテナが自身のCPU制限を指定しているが、CPU要求を指定していない場合、Kubernetesは制限に一致するCPU要求を自動的に割り当てます。
 {{< /note >}}
 
-## リソースタイプ
+## リソースタイプ {#resource-types}
 
 *CPU*と*メモリー*はいずれも*リソースタイプ*です。リソースタイプには基本単位があります。
 CPUは計算処理を表し、[Kubernetes CPUs](#meaning-of-cpu)の単位で指定されます。
@@ -54,7 +54,7 @@ CPUとメモリーは、まとめて*コンピュートリソース*または単
 それらは[API resources](/ja/docs/concepts/overview/kubernetes-api/)とは異なります。
 Podや[Services](/ja/docs/concepts/services-networking/service/)などのAPIリソースは、Kubernetes APIサーバーを介して読み取りおよび変更できるオブジェクトです。
 
-## Podとコンテナのリソース要求と制限
+## Podとコンテナのリソース要求と制限 {#resource-requests-and-limits-of-pod-and-container}
 
 Podの各コンテナは、次の1つ以上を指定できます。
 
@@ -68,9 +68,9 @@ Podの各コンテナは、次の1つ以上を指定できます。
 要求と制限はそれぞれのコンテナでのみ指定できますが、このPodリソースの要求と制限の関係性について理解すると便利です。
 特定のリソースタイプの*Podリソース要求/制限*は、Pod内の各コンテナに対するそのタイプのリソース要求/制限の合計です。
 
-## Kubernetesにおけるリソースの単位
+## Kubernetesにおけるリソースの単位 {#resource-units-in-kubernetes}
 
-### CPUの意味
+### CPUの意味 {#meaning-of-cpu}
 
 CPUリソースの制限と要求は、*cpu*単位で測定されます。
 Kuberenetesにおける1つのCPUは、クラウドプロバイダーの**1 vCPU/コア**およびベアメタルのインテルプロセッサーの**1 ハイパースレッド**に相当します。
@@ -85,7 +85,7 @@ Kuberenetesにおける1つのCPUは、クラウドプロバイダーの**1 vCPU
 CPUは常に相対量としてではなく、絶対量として要求されます。
 0.1は、シングルコア、デュアルコア、あるいは48コアマシンのどのCPUに対してでも、同一の量を要求します。
 
-### メモリーの意味
+### メモリーの意味 {#meaning-of-memory}
 
 `メモリー`の制限と要求はバイト単位で測定されます。
 E、P、T、G、M、Kのいずれかのサフィックスを使用して、メモリーを整数または固定小数点数として表すことができます。
@@ -128,7 +128,7 @@ spec:
         cpu: "500m"
 ```
 
-## リソース要求を含むPodがどのようにスケジュールされるか
+## リソース要求を含むPodがどのようにスケジュールされるか {#how-pods-with-resource-requests-are-scheduled}
 
 Podを作成すると、KubernetesスケジューラーはPodを実行するNodeを選択します。
 各Nodeには、リソースタイプごとに最大容量があります。それは、Podに提供できるCPUとメモリの量です。
@@ -136,7 +136,7 @@ Podを作成すると、KubernetesスケジューラーはPodを実行するNode
 Node上の実際のメモリーまたはCPUリソースの使用率は非常に低いですが、容量チェックが失敗した場合、スケジューラーはNodeにPodを配置しないことに注意してください。
 これにより、例えば日々のリソース要求のピーク時など、リソース利用が増加したときに、Nodeのリソース不足から保護されます。
 
-## リソース制限のあるPodがどのように実行されるか
+## リソース制限のあるPodがどのように実行されるか {#how-pods-with-resource-limits-are-run}
 
 kubeletがPodのコンテナを開始すると、CPUとメモリーの制限がコンテナランタイムに渡されます。
 
@@ -166,13 +166,13 @@ Dockerを使用する場合:
 
 コンテナをスケジュールできないか、リソース制限が原因で強制終了されているかどうかを確認するには、[トラブルシューティング](#troubleshooting)のセクションを参照してください。
 
-### コンピュートリソースとメモリーリソースの使用量を監視する
+### コンピュートリソースとメモリーリソースの使用量を監視する {#monitoring-compute-memory-resource-usage}
 
 Podのリソース使用量は、Podのステータスの一部として報告されます。
 
 オプションの[監視ツール](/docs/tasks/debug-application-cluster/resource-usage-monitoring/)がクラスターにおいて利用可能な場合、Podのリソース使用量は[メトリクスAPI](/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#the-metrics-api)から直接、もしくは監視ツールから取得できます。
 
-## ローカルのエフェメラルストレージ
+## ローカルのエフェメラルストレージ {#local-ephemeral-storage}
 
 <!-- feature gate LocalStorageCapacityIsolation -->
 {{< feature-state for_k8s_version="v1.10" state="beta" >}}
@@ -192,7 +192,7 @@ Nodeに障害が発生すると、そのエフェメラルストレージ内の
 
 ベータ版の機能として、Kubernetesでは、Podが消費するローカルのエフェメラルストレージの量を追跡、予約、制限することができます。
 
-### ローカルエフェメラルストレージの設定
+### ローカルエフェメラルストレージの設定 {#configurations-for-local-ephemeral-storage}
 
 Kubernetesは、Node上のローカルエフェメラルストレージを構成する2つの方法をサポートしています。
 {{< tabs name="local_storage_configurations" >}}
@@ -235,7 +235,7 @@ kubeletは、ローカルストレージの使用量を測定できます。
 kubeletは、`tmpfs`のemptyDirボリュームをローカルのエフェメラルストレージとしてではなく、コンテナメモリーとして追跡します。
 {{< /note >}}
 
-### ローカルのエフェメラルストレージの要求と制限設定
+### ローカルのエフェメラルストレージの要求と制限設定 {#setting-requests-and-limits-for-local-ephemeral-storage}
 
 ローカルのエフェメラルストレージを管理するためには _ephemeral-storage_ パラメーターを利用することができます。
 Podの各コンテナは、次の1つ以上を指定できます。
@@ -288,7 +288,7 @@ spec:
       emptyDir: {}
 ```
 
-### エフェメラルストレージを要求するPodのスケジュール方法
+### エフェメラルストレージを要求するPodのスケジュール方法 {#how-pods-with-ephemeral-storage-requests-are-scheduled}
 
 Podを作成すると、KubernetesスケジューラーはPodを実行するNodeを選択します。
 各Nodeには、Podに提供できるローカルのエフェメラルストレージの上限があります。
@@ -375,7 +375,7 @@ Kubernetesが使用しないようにする必要があります。
 {{% /tab %}}
 {{< /tabs >}}
 
-## 拡張リソース
+## 拡張リソース {#extended-resources}
 
 拡張リソースは`kubernetes.io`ドメインの外で完全に修飾されたリソース名です。
 これにより、クラスタオペレータはKubernetesに組み込まれていないリソースをアドバタイズし、ユーザはそれを利用することができるようになります。
@@ -384,16 +384,16 @@ Kubernetesが使用しないようにする必要があります。
 第一に、クラスタオペレーターは拡張リソースをアドバタイズする必要があります。
 第二に、ユーザーはPodで拡張リソースを要求する必要があります。
 
-### 拡張リソースの管理
+### 拡張リソースの管理 {#managing-extended-resources}
 
-#### Nodeレベルの拡張リソース
+#### Nodeレベルの拡張リソース {#node-level-extended-resources}
 
 Nodeレベルの拡張リソースはNodeに関連付けられています。
 
-##### デバイスプラグイン管理のリソース
+##### デバイスプラグイン管理のリソース {#device-plugin-managed-resources}
 各Nodeにデバイスプラグインで管理されているリソースをアドバタイズする方法については、[デバイスプラグイン](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)を参照してください。
 
-##### その他のリソース
+##### その他のリソース {#other-resources}
 新しいNodeレベルの拡張リソースをアドバタイズするには、クラスタオペレータはAPIサーバに`PATCH`HTTPリクエストを送信し、クラスタ内のNodeの`status.capacity`に利用可能な量を指定します。
 この操作の後、ノードの`status.capacity`には新しいリソースが含まれます。
 `status.allocatable`フィールドは、kubeletによって非同期的に新しいリソースで自動的に更新されます。
@@ -416,7 +416,7 @@ JSON-Patchの操作パス値は、JSON-Pointerとして解釈されます。
 詳細については、[IETF RFC 6901, section 3](https://tools.ietf.org/html/rfc6901#section-3)を参照してください。
 {{< /note >}}
 
-#### クラスターレベルの拡張リソース
+#### クラスターレベルの拡張リソース {#cluster-level-extended-resources}
 
 クラスターレベルの拡張リソースはノードに関連付けられていません。
 これらは通常、リソース消費とリソースクォータを処理するスケジューラー拡張機能によって管理されます。
@@ -449,7 +449,7 @@ JSON-Patchの操作パス値は、JSON-Pointerとして解釈されます。
 }
 ```
 
-### 拡張リソースの消費
+### 拡張リソースの消費 {#consuming-extended-resources}
 
 ユーザーは、CPUやメモリのようにPodのスペックで拡張されたリソースを消費できます。
 利用可能な量以上のリソースが同時にPodに割り当てられないように、スケジューラーがリソースアカウンティングを行います。
@@ -493,9 +493,9 @@ spec:
         example.com/foo: 1
 ```
 
-## トラブルシューティング
+## トラブルシューティング {#troubleshooting}
 
-### failedSchedulingイベントメッセージが表示され、Podが保留中になる
+### failedSchedulingイベントメッセージが表示され、Podが保留中になる {#my-pods-are-pending-with-event-message-failedscheduling}
 
 スケジューラーがPodが収容されるNodeを見つけられない場合、場所が見つかるまでPodはスケジュールされないままになります。
 スケジューラーがPodの場所を見つけられないたびに、次のようなイベントが生成されます。
@@ -562,7 +562,7 @@ Allocated resources:
 [リソースクォータ](/docs/concepts/policy/resource-quotas/)機能は、消費できるリソースの総量を制限するように設定することができます。
 名前空間と組み合わせて使用すると、1つのチームがすべてのリソースを占有するのを防ぐことができます。
 
-### コンテナが終了した
+### コンテナが終了した {#my-container-is-terminated}
 
 コンテナはリソース不足のため、終了する可能性があります。
 コンテナがリソース制限に達したために強制終了されているかどうかを確認するには、対象のPodで`kubectl describe pod`を呼び出します。
diff --git a/content/ja/docs/concepts/extend-kubernetes/operator.md b/content/ja/docs/concepts/extend-kubernetes/operator.md
index c45fe88f63d48..b7fae76b35c3a 100644
--- a/content/ja/docs/concepts/extend-kubernetes/operator.md
+++ b/content/ja/docs/concepts/extend-kubernetes/operator.md
@@ -89,6 +89,7 @@ kubectl edit SampleDB/example-database # 手動でいくつかの設定を変更
 * ユースケースに合わせた、既製のオペレーターを[OperatorHub.io](https://operatorhub.io/)から見つけます
 * 自前のオペレーターを書くために既存のツールを使います、例:
   * [Charmed Operator Framework](https://juju.is/)
+  * [Java Operator SDK](https://github.com/java-operator-sdk/java-operator-sdk)
   * [Kopf](https://github.com/nolar/kopf) (Kubernetes Operator Pythonic Framework)
   * [KUDO](https://kudo.dev/)（Kubernetes Universal Declarative Operator）を使います
   * [kubebuilder](https://book.kubebuilder.io/)を使います
diff --git a/content/ja/docs/concepts/scheduling-eviction/api-eviction.md b/content/ja/docs/concepts/scheduling-eviction/api-eviction.md
new file mode 100644
index 0000000000000..5092c96b19b45
--- /dev/null
+++ b/content/ja/docs/concepts/scheduling-eviction/api-eviction.md
@@ -0,0 +1,92 @@
+---
+title: APIを起点とした退避
+content_type: concept
+weight: 70
+---
+
+{{< glossary_definition term_id="api-eviction" length="short" >}} </br>
+
+Eviction APIを直接呼び出すか、`kubectl drain`コマンドのように{{<glossary_tooltip term_id="kube-apiserver" text="APIサーバー">}}のクライアントを使って退避を要求することが可能です。これにより、`Eviction`オブジェクトを作成し、APIサーバーにPodを終了させます。
+
+APIを起点とした退避は[`PodDisruptionBudgets`](/docs/tasks/run-application/configure-pdb/)と[`terminationGracePeriodSeconds`](/ja/docs/concepts/workloads/pods/pod-lifecycle#pod-termination)の設定を優先します。
+
+APIを使用してPodのEvictionオブジェクトを作成することは、Podに対してポリシー制御された[`DELETE`操作](/docs/reference/kubernetes-api/workload-resources/pod-v1/#delete-delete-a-pod)を実行することに似ています。
+
+## Eviction APIの実行 {#calling-the-eviction-api}
+
+Kubernetes APIへアクセスして`Eviction`オブジェクトを作るために[Kubernetesのプログラミング言語のクライアント](/docs/tasks/administer-cluster/access-cluster-api/#programmatic-access-to-the-api)を使用できます。
+そのためには、次の例のようなデータをPOSTすることで操作を試みることができます。
+
+{{< tabs name="Eviction_example" >}}
+{{% tab name="policy/v1" %}}
+{{< note >}}
+`policy/v1`においてEvictionはv1.22以上で利用可能です。それ以前のリリースでは、`policy/v1beta1`を使用してください。
+{{< /note >}}
+
+```json
+{
+  "apiVersion": "policy/v1",
+  "kind": "Eviction",
+  "metadata": {
+    "name": "quux",
+    "namespace": "default"
+  }
+}
+```
+{{% /tab %}}
+{{% tab name="policy/v1beta1" %}}
+{{< note >}}
+v1.22で非推奨となり、`policy/v1`が採用されました。
+{{< /note >}}
+
+```json
+{
+  "apiVersion": "policy/v1beta1",
+  "kind": "Eviction",
+  "metadata": {
+    "name": "quux",
+    "namespace": "default"
+  }
+}
+```
+{{% /tab %}}
+{{< /tabs >}}
+
+また、以下の例のように`curl`や`wget`を使ってAPIにアクセスすることで、操作を試みることもできます。
+
+```bash
+curl -v -H 'Content-type: application/json' https://your-cluster-api-endpoint.example/api/v1/namespaces/default/pods/quux/eviction -d @eviction.json
+```
+
+## APIを起点とした退避の仕組み {#how-api-initiated-eviction-works}
+
+APIを使用して退去を要求した場合、APIサーバーはアドミッションチェックを行い、以下のいずれかを返します。
+
+* `200 OK`:この場合、退去が許可されると`Eviction`サブリソースが作成され、PodのURLに`DELETE`リクエストを送るのと同じように、Podが削除されます。
+* `429 Too Many Requests`:{{<glossary_tooltip term_id="pod-disruption-budget" text="PodDisruptionBudget">}}の設定により、現在退去が許可されていないことを示します。しばらく時間を空けてみてください。また、APIのレート制限のため、このようなレスポンスが表示されることもあります。
+* `500 Internal Server Error`:複数のPodDisruptionBudgetが同じPodを参照している場合など、設定に誤りがあり退去が許可されないことを示します。
+
+退去させたいPodがPodDisruptionBudgetを持つワークロードの一部でない場合、APIサーバーは常に`200 OK`を返して退去を許可します。
+
+APIサーバーが退去を許可した場合、以下の流れでPodが削除されます。
+
+1. APIサーバーの`Pod`リソースの削除タイムスタンプが更新され、APIサーバーは`Pod`リソースが終了したと見なします。また`Pod`リソースは、設定された猶予期間が設けられます。
+1. ローカルのPodが動作しているNodeの{{<glossary_tooltip term_id="kubelet" text="kubelet">}}は、`Pod`リソースが終了するようにマークされていることに気付き、Podの適切なシャットダウンを開始します。
+1. kubeletがPodをシャットダウンしている間、コントロールプレーンは{{<glossary_tooltip term_id="endpoint" text="Endpoint">}}オブジェクトからPodを削除します。その結果、コントローラーはPodを有効なオブジェクトと見なさないようになります。
+1. Podの猶予期間が終了すると、kubeletはローカルPodを強制的に終了します。
+1. kubeletはAPIサーバーに`Pod`リソースを削除するように指示します。
+1. APIサーバーは`Pod`リソースを削除します。
+
+## トラブルシューティング {#troubleshooting-stuck-evictions}
+
+場合によっては、アプリケーションが壊れた状態になり、対処しない限りEviction APIが`429`または`500`レスポンスを返すだけとなることがあります。例えば、ReplicaSetがアプリケーション用のPodを作成しても、新しいPodが`Ready`状態にならない場合などです。また、最後に退去したPodの終了猶予期間が長い場合にも、この事象が見られます。
+
+退去が進まない場合は、以下の解決策を試してみてください。
+
+* 問題を引き起こしている自動化された操作を中止または一時停止し、操作を再開する前に、スタックしているアプリケーションを調査を行ってください。
+* しばらく待ってから、Eviction APIを使用する代わりに、クラスターのコントロールプレーンから直接Podを削除してください。
+
+## {{% heading "whatsnext" %}}
+* [Pod Disruption Budget](/docs/tasks/run-application/configure-pdb/)でアプリケーションを保護する方法について学ぶ
+* [Node不足による退避](/docs/concepts/scheduling-eviction/node-pressure-eviction/)について学ぶ
+* [Podの優先度とプリエンプション](/docs/concepts/scheduling-eviction/pod-priority-preemption/)について学ぶ
diff --git a/content/ja/docs/concepts/security/overview.md b/content/ja/docs/concepts/security/overview.md
index 3cb67943f63de..f1bb1fed433cb 100644
--- a/content/ja/docs/concepts/security/overview.md
+++ b/content/ja/docs/concepts/security/overview.md
@@ -125,7 +125,7 @@ TLS経由のアクセスのみ | コードがTCP通信を必要とする場合
 関連するKubernetesセキュリティについて学びます。
 
 * [Podセキュリティの標準](/ja/docs/concepts/security/pod-security-standards/)
-* [Podのネットワークポリシー]](/ja/docs/concepts/services-networking/network-policies/)
+* [Podのネットワークポリシー](/ja/docs/concepts/services-networking/network-policies/)
 * [Kubernetes APIへのアクセスを制御する](/docs/concepts/security/controlling-access)
 * [クラスターの保護](/docs/tasks/administer-cluster/securing-a-cluster/)
 * コントロールプレーンとの[通信時のデータ暗号化](/docs/tasks/tls/managing-tls-in-a-cluster/)
diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 92ab055a5994a..42647228e6180 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -72,8 +72,7 @@ Kubernetes1.8のように、ユーザーは`.spec.template`のラベルにマッ
 
 ### 選択したNode上でPodを稼働させる
 
-もしユーザーが`.spec.template.spec.nodeSelector`を指定したとき、DaemonSetコントローラーは、その[node
-selector](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)にマッチするPodをNode上に作成します。同様に、もし`.spec.template.spec.affinity`を指定したとき、DaemonSetコントローラーは[node affinity](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)マッチするPodをNode上に作成します。
+もしユーザーが`.spec.template.spec.nodeSelector`を指定したとき、DaemonSetコントローラーは、その[node selector](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)にマッチするNode上にPodを作成します。同様に、もし`.spec.template.spec.affinity`を指定したとき、DaemonSetコントローラーは[node affinity](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)にマッチするNode上にPodを作成します。
 もしユーザーがどちらも指定しないとき、DaemonSetコントローラーは全てのNode上にPodを作成します。
 
 ## Daemon Podがどのようにスケジューリングされるか
diff --git a/content/ja/docs/concepts/workloads/controllers/deployment.md b/content/ja/docs/concepts/workloads/controllers/deployment.md
index c106a6d71e8d9..b62151fc54583 100644
--- a/content/ja/docs/concepts/workloads/controllers/deployment.md
+++ b/content/ja/docs/concepts/workloads/controllers/deployment.md
@@ -68,11 +68,6 @@ Deploymentによって作成されたReplicaSetを管理しないでください
   kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml
   ```
 
-  {{< note >}}
-  実行したコマンドを`kubernetes.io/change-cause`というアノテーションに記録するために`--record`フラグを指定できます。
-  これは将来的な問題の調査のために有効です。例えば、各Deploymentのリビジョンにおいて実行されたコマンドを見るときに便利です。
-  {{< /note >}}
-
 
 2. Deploymentが作成されたことを確認するために、`kubectl get deployments`を実行してください。
 
@@ -158,12 +153,12 @@ Deploymentを更新するには以下のステップに従ってください。
 1. nginxのPodで、`nginx:1.14.2`イメージの代わりに`nginx:1.16.1`を使うように更新します。
 
     ```shell
-    kubectl --record deployment.apps/nginx-deployment set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
+    kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
     ```
     または単に次のコマンドを使用します。
 
     ```shell
-    kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1 --record
+    kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1
     ```
 
     実行結果は以下のとおりです。
@@ -235,7 +230,7 @@ Deploymentを更新するには以下のステップに従ってください。
 
     次にPodを更新させたいときは、DeploymentのPodテンプレートを再度更新するだけです。
 
-    Deploymentは、Podが更新されている間に特定の数のPodのみ停止状態になることを保証します。デフォルトでは、目標とするPod数の少なくとも25%が停止状態になることを保証します(25% max unavailable)。
+    Deploymentは、Podが更新されている間に特定の数のPodのみ停止状態になることを保証します。デフォルトでは、目標とするPod数の少なくとも75%が稼働状態であることを保証します(25% max unavailable)。
 
     また、DeploymentはPodが更新されている間に、目標とするPod数を特定の数まで超えてPodを稼働させることを保証します。デフォルトでは、目標とするPod数に対して最大でも125%を超えてPodを稼働させることを保証します(25% max surge)。
 
@@ -317,7 +312,7 @@ Deploymentのリビジョンは、Deploymentのロールアウトがトリガー
 * `nginx:1.16.1`の代わりに`nginx:1.161`というイメージに更新して、Deploymentの更新中にタイプミスをしたと仮定します。
 
     ```shell
-    kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.161 --record=true
+    kubectl set image deployment/nginx-deployment nginx=nginx:1.161
     ```
 
     実行結果は以下のとおりです。
@@ -431,15 +426,14 @@ Deploymentのリビジョンは、Deploymentのロールアウトがトリガー
     ```
     deployments "nginx-deployment"
     REVISION    CHANGE-CAUSE
-    1           kubectl apply --filename=https://k8s.io/examples/controllers/nginx-deployment.yaml --record=true
-    2           kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1 --record=true
-    3           kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.161 --record=true
+    1           kubectl apply --filename=https://k8s.io/examples/controllers/nginx-deployment.yaml
+    2           kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
+    3           kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.161
     ```
 
     `CHANGE-CAUSE`はリビジョンの作成時にDeploymentの`kubernetes.io/change-cause`アノテーションからリビジョンにコピーされます。以下の方法により`CHANGE-CAUSE`メッセージを指定できます。
 
     * `kubectl annotate deployment.v1.apps/nginx-deployment kubernetes.io/change-cause="image updated to 1.16.1"`の実行によりアノテーションを追加します。
-    * リソースの変更時に`kubectl`コマンドの内容を記録するために`--record`フラグを追加します。
     * リソースのマニフェストを手動で編集します。
 
 2. 各リビジョンの詳細を確認するためには以下のコマンドを実行してください。
@@ -452,7 +446,7 @@ Deploymentのリビジョンは、Deploymentのロールアウトがトリガー
     deployments "nginx-deployment" revision 2
       Labels:       app=nginx
               pod-template-hash=1159050644
-      Annotations:  kubernetes.io/change-cause=kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1 --record=true
+      Annotations:  kubernetes.io/change-cause=kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
       Containers:
        nginx:
         Image:      nginx:1.16.1
@@ -512,7 +506,7 @@ Deploymentのリビジョンは、Deploymentのロールアウトがトリガー
     CreationTimestamp:      Sun, 02 Sep 2018 18:17:55 -0500
     Labels:                 app=nginx
     Annotations:            deployment.kubernetes.io/revision=4
-                            kubernetes.io/change-cause=kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1 --record=true
+                            kubernetes.io/change-cause=kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
     Selector:               app=nginx
     Replicas:               3 desired | 3 updated | 3 total | 3 available | 0 unavailable
     StrategyType:           RollingUpdate
diff --git a/content/ja/docs/concepts/workloads/pods/ephemeral-containers.md b/content/ja/docs/concepts/workloads/pods/ephemeral-containers.md
index beb92b3b882cd..b99d193308a50 100644
--- a/content/ja/docs/concepts/workloads/pods/ephemeral-containers.md
+++ b/content/ja/docs/concepts/workloads/pods/ephemeral-containers.md
@@ -42,7 +42,7 @@ weight: 80
 
 エフェメラルコンテナを利用する場合には、他のコンテナ内のプロセスにアクセスできるように、[プロセス名前空間の共有](/ja/docs/tasks/configure-pod-container/share-process-namespace/)を有効にすると便利です。
 
-エフェメラルコンテナを利用してトラブルシューティングを行う例については、[デバッグ用のエフェメラルコンテナを使用してデバッグする](/docs/tasks/debug-application-cluster/debug-running-pod/#ephemeral-container)を参照してください。
+エフェメラルコンテナを利用してトラブルシューティングを行う例については、[デバッグ用のエフェメラルコンテナを使用してデバッグする](/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container)を参照してください。
 
 ## Ephemeral containers API
 
diff --git a/content/ja/docs/contribute/review/for-approvers.md b/content/ja/docs/contribute/review/for-approvers.md
index 3a96595ea82a5..ea17bba99ecf1 100644
--- a/content/ja/docs/contribute/review/for-approvers.md
+++ b/content/ja/docs/contribute/review/for-approvers.md
@@ -59,7 +59,7 @@ reviewerとapproverが最もよく使うprowコマンドには、以下のよう
 {{< table caption="Prow commands for reviewing" >}}
 Prowコマンド | Roleの制限 | 説明
 :------------|:------------------|:-----------
-`/lgtm` | 誰でも。ただし、オートメーションがトリガされるのはReviewerまたはApproverが使用したときのみ。 | PRのレビューが完了し、変更に納得したことを知らせる。
+`/lgtm` | Organizationメンバー | PRのレビューが完了し、変更に納得したことを知らせる。
 `/approve` | Approver | PRをマージすることを承認する。
 `/assign` | ReviewerまたはApprover | PRのレビューまたは承認するひとを割り当てる。
 `/close` | ReviewerまたはApprover | issueまたはPRをcloseする。
@@ -93,7 +93,7 @@ PRで利用できるすべてのコマンド一覧を確認するには、[Prow
   `priority/important-longterm` | 6ヶ月以内に取り組む。
   `priority/backlog` | 無期限に延期可能。リソースに余裕がある時に取り組む。
   `priority/awaiting-more-evidence` | よいissueの可能性があるissueを見失わないようにするためのプレースホルダー。
-  `help`または`good first issue` | KubernetesまたはSIG Docsでほとんど経験がない人に適したissue。より詳しい情報は、[Help WantedとGood First Issueラベル](https://github.com/kubernetes/community/blob/master/contributors/guide/help-wanted.md)を読んでください。
+  `help`または`good first issue` | KubernetesまたはSIG Docsでほとんど経験がない人に適したissue。より詳しい情報は、[Help WantedとGood First Issueラベル](https://kubernetes.dev/docs/guide/help-wanted/)を読んでください。
   {{< /table >}}
 
   あなたの裁量で、issueのオーナーシップを取り、issueに対するPRを提出してください(簡単なissueや、自分がすでに行った作業に関連するissueである場合は特に)。
diff --git a/content/ja/docs/reference/glossary/api-eviction.md b/content/ja/docs/reference/glossary/api-eviction.md
new file mode 100644
index 0000000000000..25677032b9ad8
--- /dev/null
+++ b/content/ja/docs/reference/glossary/api-eviction.md
@@ -0,0 +1,23 @@
+---
+title: APIを起点とした退避
+id: api-eviction
+date: 2021-04-27
+full_link: /ja/docs/concepts/scheduling-eviction/api-eviction/
+short_description: >
+  APIを起点とした退避は、Eviction　APIを使用してEvictionオブジェクトを作成し、Podの正常終了を起動させるプロセスです。
+aka:
+tags:
+- operation
+---
+APIを起点とした退避は、[Eviction API](/docs/reference/generated/kubernetes-api/{{<param "version">}}/#create-eviction-pod-v1-core)を使用して退避オブジェクトを作成し、Podの正常終了を起動させるプロセスです。
+
+
+<!--more-->
+
+`kubectl drain`コマンドのようなkube-apiserverのクライアントを使用し、Eviction APIを直接呼び出すことで、退避を要求することができます。`Eviction`オブジェクトが生成された時、APIサーバーは対象のPodを終了させます。
+
+APIを起点とした退避は[`PodDisruptionBudgets`](/docs/tasks/run-application/configure-pdb/)と[`terminationGracePeriodSeconds`](/ja/docs/concepts/workloads/pods/pod-lifecycle#pod-termination)の設定を優先します。
+
+APIを起点とした退避は、[Node不足による退避](/docs/concepts/scheduling-eviction/eviction/#kubelet-eviction)とは異なります。
+
+* 詳しくは[APIを起点とした退避](/ja/docs/concepts/scheduling-eviction/api-eviction/)をご覧ください。
diff --git a/content/ja/docs/reference/glossary/cloud-controller-manager.md b/content/ja/docs/reference/glossary/cloud-controller-manager.md
index 6e9c9104daa8f..d0e705c7c18aa 100644
--- a/content/ja/docs/reference/glossary/cloud-controller-manager.md
+++ b/content/ja/docs/reference/glossary/cloud-controller-manager.md
@@ -4,7 +4,7 @@ id: cloud-controller-manager
 date: 2018-04-12
 full_link: /ja/docs/concepts/architecture/cloud-controller/
 short_description: >
-  サードパーティクラウドプロバイダーにKubernetewを結合するコントロールプレーンコンポーネント
+  サードパーティクラウドプロバイダーにKubernetesを結合するコントロールプレーンコンポーネント
 aka: 
 tags:
 - core-object
diff --git a/content/ja/docs/setup/best-practices/certificates.md b/content/ja/docs/setup/best-practices/certificates.md
index b1e5448be7a39..3ec8f9c0042ae 100644
--- a/content/ja/docs/setup/best-practices/certificates.md
+++ b/content/ja/docs/setup/best-practices/certificates.md
@@ -74,7 +74,7 @@ CAの秘密鍵をクラスターにコピーしたくない場合、自身で全
 
 [1]: クラスターに接続するIPおよびDNS名( [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/)を使用する場合と同様、ロードバランサーのIPおよびDNS名、`kubernetes`、`kubernetes.default`、`kubernetes.default.svc`、`kubernetes.default.svc.cluster`、`kubernetes.default.svc.cluster.local`)
 
-`kind`は下記の[x509の鍵用途](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)のタイプにマッピングされます:
+`kind`は下記の[x509の鍵用途](https://pkg.go.dev/k8s.io/api/certificates/v1beta1#KeyUsage)のタイプにマッピングされます:
 
 | 種類   | 鍵の用途  　　　                                                                     |
 |--------|---------------------------------------------------------------------------------|
diff --git a/content/ja/docs/setup/release/version-skew-policy.md b/content/ja/docs/setup/release/version-skew-policy.md
index eb0764bcc3a4d..3e58503462ea9 100644
--- a/content/ja/docs/setup/release/version-skew-policy.md
+++ b/content/ja/docs/setup/release/version-skew-policy.md
@@ -16,7 +16,7 @@ Kubernetesのバージョンは**x.y.z**の形式で表現され、**x**はメ
 
 Kubernetesプロジェクトでは、最新の3つのマイナーリリースについてリリースブランチを管理しています ({{< skew latestVersion >}}, {{< skew prevMinorVersion >}}, {{< skew oldestMinorVersion >}})。
 
-セキュリティフィックスを含む適用可能な修正は、重大度や実行可能性によってはこれら3つのリリースブランチにバックポートされることもあります。パッチリリースは、これらのブランチから [定期的に](https://git.k8s.io/sig-release/releases/patch-releases.md#cadence) 切り出され、必要に応じて追加の緊急リリースも行われます。
+セキュリティフィックスを含む適用可能な修正は、重大度や実行可能性によってはこれら3つのリリースブランチにバックポートされることもあります。パッチリリースは、これらのブランチから [定期的に](https://kubernetes.io/releases/patch-releases/#cadence) 切り出され、必要に応じて追加の緊急リリースも行われます。
 
  [リリースマネージャー](https://git.k8s.io/sig-release/release-managers.md)グループがこれを決定しています。
 
diff --git a/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index bb06ebe5db49f..1bac7b00183fd 100644
--- a/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -158,7 +158,7 @@ Kubernetesの認証局は、そのままでは機能しません。
 
 ビルトインサイナーを有効にするには、`--cluster-signing-cert-file`と`--cluster-signing-key-file`フラグを渡す必要があります。
 
-新しいクラスターを作成する場合は、kubeadm[設定ファイル](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3)を使用します。
+新しいクラスターを作成する場合は、kubeadm[設定ファイル](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3)を使用します。
 
 ```yaml
 apiVersion: kubeadm.k8s.io/v1beta3
diff --git a/content/ja/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md b/content/ja/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
new file mode 100644
index 0000000000000..8266904358b1f
--- /dev/null
+++ b/content/ja/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
@@ -0,0 +1,197 @@
+---
+title: ネームスペースのデフォルトのメモリー要求と制限を設定する
+content_type: task
+weight: 10
+description: >-
+  ネームスペースのデフォルトのメモリーリソース制限を定義して、そのネームスペース内のすべての新しいPodにメモリーリソース制限が設定されるようにします。
+---
+
+<!-- overview -->
+
+このページでは、{{< glossary_tooltip text="ネームスペース" term_id="namespace" >}}のデフォルトのメモリー要求と制限を設定する方法を説明します。
+
+Kubernetesクラスターはネームスペースに分割することができます。デフォルトのメモリー[制限](/ja/docs/concepts/configuration/manage-resources-containers/#requests-and-limits)を持つネームスペースがあり、独自のメモリー制限を指定しないコンテナでPodを作成しようとすると、{{< glossary_tooltip text="コントロールプレーン" term_id="control-plane" >}}はそのコンテナにデフォルトのメモリー制限を割り当てます。
+
+Kubernetesは、このトピックで後ほど説明する特定の条件下で、デフォルトのメモリー要求を割り当てます。
+
+
+
+## {{% heading "prerequisites" %}}
+
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+クラスターにネームスペースを作成するには、アクセス権が必要です。
+
+クラスターの各ノードには、最低でも2GiBのメモリーが必要です。
+
+
+
+<!-- steps -->
+
+## ネームスペースの作成
+
+この演習で作成したリソースがクラスターの他の部分から分離されるように、ネームスペースを作成します。
+
+```shell
+kubectl create namespace default-mem-example
+```
+
+## LimitRangeとPodの作成
+
+以下は、{{< glossary_tooltip text="LimitRange" term_id="limitrange" >}}のマニフェストの例です。このマニフェストでは、デフォルトのメモリー要求とデフォルトのメモリー制限を指定しています。
+
+{{< codenew file="admin/resource/memory-defaults.yaml" >}}
+
+default-mem-exampleネームスペースにLimitRangeを作成します:
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults.yaml --namespace=default-mem-example
+```
+
+default-mem-exampleネームスペースでPodを作成し、そのPod内のコンテナがメモリー要求とメモリー制限の値を独自に指定しない場合、{{< glossary_tooltip text="コントロールプレーン" term_id="control-plane" >}}はデフォルト値のメモリー要求256MiBとメモリー制限512MiBを適用します。
+
+以下は、コンテナを1つ持つPodのマニフェストの例です。コンテナは、メモリー要求とメモリー制限を指定していません。
+
+{{< codenew file="admin/resource/memory-defaults-pod.yaml" >}}
+
+Podを作成します:
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod.yaml --namespace=default-mem-example
+```
+
+Podの詳細情報を表示します:
+
+```shell
+kubectl get pod default-mem-demo --output=yaml --namespace=default-mem-example
+```
+
+この出力は、Podのコンテナのメモリー要求が256MiBで、メモリー制限が512MiBであることを示しています。
+これらはLimitRangeで指定されたデフォルト値です。
+
+```shell
+containers:
+- image: nginx
+  imagePullPolicy: Always
+  name: default-mem-demo-ctr
+  resources:
+    limits:
+      memory: 512Mi
+    requests:
+      memory: 256Mi
+```
+
+Podを削除します:
+
+```shell
+kubectl delete pod default-mem-demo --namespace=default-mem-example
+```
+
+## コンテナの制限を指定し、要求を指定しない場合
+
+以下は1つのコンテナを持つPodのマニフェストです。コンテナはメモリー制限を指定しますが、メモリー要求は指定しません。
+
+{{< codenew file="admin/resource/memory-defaults-pod-2.yaml" >}}
+
+Podを作成します:
+
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-2.yaml --namespace=default-mem-example
+```
+
+Podの詳細情報を表示します:
+
+```shell
+kubectl get pod default-mem-demo-2 --output=yaml --namespace=default-mem-example
+```
+
+この出力は、コンテナのメモリー要求がそのメモリー制限に一致するように設定されていることを示しています。
+コンテナにはデフォルトのメモリー要求値である256Miが割り当てられていないことに注意してください。
+
+```
+resources:
+  limits:
+    memory: 1Gi
+  requests:
+    memory: 1Gi
+```
+
+## コンテナの要求を指定し、制限を指定しない場合
+
+1つのコンテナを持つPodのマニフェストです。コンテナはメモリー要求を指定しますが、メモリー制限は指定しません。
+
+{{< codenew file="admin/resource/memory-defaults-pod-3.yaml" >}}
+
+Podを作成します:
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-3.yaml --namespace=default-mem-example
+```
+
+Podの詳細情報を表示します:
+
+```shell
+kubectl get pod default-mem-demo-3 --output=yaml --namespace=default-mem-example
+```
+
+この出力は、コンテナのメモリー要求が、コンテナのマニフェストで指定された値に設定されていることを示しています。
+コンテナは512MiB以下のメモリーを使用するように制限されていて、これはネームスペースのデフォルトのメモリー制限と一致します。
+
+```
+resources:
+  limits:
+    memory: 512Mi
+  requests:
+    memory: 128Mi
+```
+
+## デフォルトのメモリー制限と要求の動機
+
+ネームスペースにメモリー{{< glossary_tooltip text="リソースクォータ" term_id="resource-quota" >}}が設定されている場合、メモリー制限のデフォルト値を設定しておくと便利です。
+
+以下はリソースクォータがネームスペースに課す制限のうちの2つです。
+
+* ネームスペースで実行されるすべてのPodについて、Podとその各コンテナにメモリー制限を設ける必要があります(Pod内のすべてのコンテナに対してメモリー制限を指定すると、Kubernetesはそのコンテナの制限を合計することでPodレベルのメモリー制限を推測することができます)。
+* メモリー制限は、当該Podがスケジュールされているノードのリソース予約を適用します。ネームスペース内のすべてのPodに対して予約されるメモリーの総量は、指定された制限を超えてはなりません。
+* また、ネームスペース内のすべてのPodが実際に使用するメモリーの総量も、指定された制限を超えてはなりません。
+
+LimitRangeの追加時:
+
+コンテナを含む、そのネームスペース内のいずれかのPodが独自のメモリー制限を指定していない場合、コントロールプレーンはそのコンテナにデフォルトのメモリー制限を適用し、メモリーのResourceQuotaによって制限されているネームスペース内でPodを実行できるようにします。
+
+## クリーンアップ
+
+ネームスペースを削除します:
+
+```shell
+kubectl delete namespace default-mem-example
+```
+
+
+
+## {{% heading "whatsnext" %}}
+
+
+### クラスター管理者向け
+
+* [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+
+* [Namespaceに対する最小および最大メモリー制約の構成](ja/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+
+* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+
+* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+
+* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+
+* [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
+
+### アプリケーション開発者向け
+
+* [コンテナおよびPodへのメモリーリソースの割り当て](ja/docs/tasks/configure-pod-container/assign-memory-resource/)
+
+* [コンテナおよびPodへのCPUリソースの割り当て](ja/docs/tasks/configure-pod-container/assign-cpu-resource/)
+
+* [PodにQuality of Serviceを設定する](ja/docs/tasks/configure-pod-container/quality-service-pod/)
diff --git a/content/ja/docs/tasks/administer-cluster/nodelocaldns.md b/content/ja/docs/tasks/administer-cluster/nodelocaldns.md
index 4a5e59a2cae91..e7f97ea7f678c 100644
--- a/content/ja/docs/tasks/administer-cluster/nodelocaldns.md
+++ b/content/ja/docs/tasks/administer-cluster/nodelocaldns.md
@@ -45,7 +45,7 @@ NodeLocal DNSキャッシュは、クラスターノード上でDNSキャッシ
 {{< figure src="/images/docs/nodelocaldns.svg" alt="NodeLocal DNSCache flow" title="Nodelocal DNSCacheのフロー" caption="この図は、NodeLocal DNSキャッシュがDNSクエリーをどう扱うかを表したものです。" >}}
 
 ## 設定
-{{< note >}} NodeLocal DNSキャッシュ用のローカルに待ち受けているIPアドレスは、169.254.20.0/16の範囲のIPか、既存のIPと衝突しないことが保証されている他のIPとなります。このドキュメントでは例として169.254.10を使用します。
+{{< note >}} NodeLocal DNSキャッシュのローカルリッスン用のIPアドレスは、クラスタ内の既存のIPと衝突しないことが保証できるものであれば、どのようなアドレスでもかまいません。例えば、IPv4のリンクローカル範囲169.254.0.0/16やIPv6のユニークローカルアドレス範囲fd00::/8から、ローカルスコープのアドレスを使用することが推奨されています。
 {{< /note >}}
 
 この機能は、下記の手順により有効化できます。
diff --git a/content/ja/docs/tasks/administer-cluster/securing-a-cluster.md b/content/ja/docs/tasks/administer-cluster/securing-a-cluster.md
index d1a852efa2b63..221090019397a 100644
--- a/content/ja/docs/tasks/administer-cluster/securing-a-cluster.md
+++ b/content/ja/docs/tasks/administer-cluster/securing-a-cluster.md
@@ -154,7 +154,7 @@ API用のetcdバックエンドへの書き込みアクセスは、クラスタ
 
 ### 監査ログの有効
 
-[audit logger](/docs/tasks/debug-application-cluster/audit/)はベータ版の機能で、APIによって行われたアクションを記録し、侵害があった場合に後から分析できるようにするものです。
+[audit logger](/docs/tasks/debug/debug-cluster/audit/)はベータ版の機能で、APIによって行われたアクションを記録し、侵害があった場合に後から分析できるようにするものです。
 
 監査ログを有効にして、ログファイルを安全なサーバーにアーカイブすることをお勧めします。
 
diff --git a/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 08e48b9fa7e87..2ac539bf06c34 100644
--- a/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/ja/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -51,7 +51,7 @@ Probeの動作としては、kubeletは`cat /tmp/healthy`を対象のコンテ
 このコンテナは、起動すると次のコマンドを実行します:
 
 ```shell
-/bin/sh -c "touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600"
+/bin/sh -c "touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600"
 ```
 
 コンテナが起動してから初めの30秒間は`/tmp/healthy`ファイルがコンテナ内に存在します。
diff --git a/content/ja/docs/tasks/debug-application-cluster/debug-running-pod.md b/content/ja/docs/tasks/debug-application-cluster/debug-running-pod.md
new file mode 100644
index 0000000000000..3e2c1c42f0b41
--- /dev/null
+++ b/content/ja/docs/tasks/debug-application-cluster/debug-running-pod.md
@@ -0,0 +1,279 @@
+---
+title: 実行中のPodのデバッグ
+content_type: task
+---
+
+<!-- overview -->
+
+このページでは、ノード上で動作している(またはクラッシュしている)Podをデバッグする方法について説明します。
+
+
+## {{% heading "prerequisites" %}}
+
+
+* あなたの{{< glossary_tooltip text="Pod" term_id="pod" >}}は既にスケジュールされ、実行されているはずです。Pod がまだ実行されていない場合は、[Troubleshoot Applications](/docs/tasks/debug-application-cluster/debug-application/) から始めてください。
+
+* いくつかの高度なデバッグ手順では、Podがどのノードで動作しているかを知り、そのノードでコマンドを実行するためのシェルアクセス権を持っていることが必要です。`kubectl` を使用する標準的なデバッグ手順の実行には、そのようなアクセスは必要ではありません。
+
+
+
+<!-- steps -->
+
+## Podログを調べます {#examine-pod-logs}
+
+まず、影響を受けるコンテナのログを見ます。
+
+```shell
+kubectl logs ${POD_NAME} ${CONTAINER_NAME}
+```
+
+コンテナが以前にクラッシュしたことがある場合、以前のコンテナのクラッシュログにアクセスすることができます。
+
+```shell
+kubectl logs --previous ${POD_NAME} ${CONTAINER_NAME}
+```
+
+## container execによるデバッグ {#container-exec}
+
+もし{{< glossary_tooltip text="container image" term_id="image" >}}がデバッグユーティリティを含んでいれば、LinuxやWindows OSのベースイメージからビルドしたイメージのように、`kubectl exec` で特定のコンテナ内でコマンドを実行することが可能です。
+
+```shell
+kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}
+```
+
+{{< note >}}
+`-c ${CONTAINER_NAME}`は省略可能です。コンテナを1つだけ含むPodの場合は省略できます。
+{{< /note >}}
+
+例として、実行中のCassandra Podからログを見るには、次のように実行します。
+
+```shell
+kubectl exec cassandra -- cat /var/log/cassandra/system.log
+```
+
+例えば`kubectl exec`の`-i`と`-t`引数を使って、端末に接続されたシェルを実行することができます。
+
+```shell
+kubectl exec -it cassandra -- sh
+```
+
+詳しくは、[実行中のコンテナのシェルを取得する](/docs/tasks/debug-application-cluster/get-shell-running-container/)を参照してください。
+
+## エフェメラルコンテナによるデバッグ {#ephemeral-container}
+
+{{< feature-state state="beta" for_k8s_version="v1.23" >}}
+
+{{< glossary_tooltip text="エフェメラルコンテナ" term_id="ephemeral-container" >}}は、コンテナがクラッシュしたり、コンテナイメージにデバッグユーティリティが含まれていないなどの理由で`kubectl exec`が不十分な場合に、対話的にトラブルシューティングを行うのに便利です([ディストロ・イメージ](
+https://github.com/GoogleContainerTools/distroless)の場合など)。
+
+### エフェメラルコンテナを使用したデバッグ例 {#ephemeral-container-example}
+
+実行中のPodにエフェメラルコンテナを追加するには、`kubectl debug`コマンドを使用することができます。
+まず、サンプル用のPodを作成します。
+
+```shell
+kubectl run ephemeral-demo --image=k8s.gcr.io/pause:3.1 --restart=Never
+```
+
+このセクションの例では、デバッグユーティリティが含まれていない`pause`コンテナイメージを使用していますが、この方法はすべてのコンテナイメージで動作します。
+
+もし、`kubectl exec`を使用してシェルを作成しようとすると、このコンテナイメージにはシェルが存在しないため、エラーが表示されます。
+
+```shell
+kubectl exec -it ephemeral-demo -- sh
+```
+
+```
+OCI runtime exec failed: exec failed: container_linux.go:346: starting container process caused "exec: \"sh\": executable file not found in $PATH": unknown
+```
+
+代わりに、`kubectl debug` を使ってデバッグ用のコンテナを追加することができます。
+引数に`-i`/`--interactive`を指定すると、`kubectl`は自動的にエフェメラルコンテナのコンソールにアタッチされます。
+
+```shell
+kubectl debug -it ephemeral-demo --image=busybox --target=ephemeral-demo
+```
+
+```
+Defaulting debug container name to debugger-8xzrl.
+If you don't see a command prompt, try pressing enter.
+/ #
+```
+
+このコマンドは新しいbusyboxコンテナを追加し、それにアタッチします。`target`パラメーターは、他のコンテナのプロセス名前空間をターゲットにします。これは`kubectl run`が作成するPodで[process namespace sharing](/docs/tasks/configure-pod-container/share-process-namespace/)を有効にしないため、指定する必要があります。
+
+{{< note >}}
+`target` パラメーターは {{< glossary_tooltip text="Container Runtime" term_id="container-runtime" >}} でサポートされている必要があります。サポートされていない場合、エフェメラルコンテナは起動されないか、`ps`が他のコンテナ内のプロセスを表示しないように孤立したプロセス名前空間を使用して起動されます。
+{{< /note >}}
+
+新しく作成されたエフェメラルコンテナの状態は`kubectl describe`を使って見ることができます。
+
+```shell
+kubectl describe pod ephemeral-demo
+```
+
+```
+...
+Ephemeral Containers:
+  debugger-8xzrl:
+    Container ID:   docker://b888f9adfd15bd5739fefaa39e1df4dd3c617b9902082b1cfdc29c4028ffb2eb
+    Image:          busybox
+    Image ID:       docker-pullable://busybox@sha256:1828edd60c5efd34b2bf5dd3282ec0cc04d47b2ff9caa0b6d4f07a21d1c08084
+    Port:           <none>
+    Host Port:      <none>
+    State:          Running
+      Started:      Wed, 12 Feb 2020 14:25:42 +0100
+    Ready:          False
+    Restart Count:  0
+    Environment:    <none>
+    Mounts:         <none>
+...
+```
+
+終了したら`kubectl delete`を使ってPodを削除してください。
+
+```shell
+kubectl delete pod ephemeral-demo
+```
+
+## Podのコピーを使ったデバッグ
+
+Podの設定オプションによって、特定の状況でのトラブルシューティングが困難になることがあります。
+例えば、コンテナイメージにシェルが含まれていない場合、またはアプリケーションが起動時にクラッシュした場合は、`kubectl exec`を実行してトラブルシューティングを行うことができません。
+このような状況では、`kubectl debug` を使用してデバッグを支援するために設定値を変更したPodのコピーです。
+
+### 新しいコンテナを追加しながらPodをコピーします
+
+新しいコンテナを追加することは、アプリケーションが動作しているが期待通りの動作をせず、トラブルシューティングユーティリティをPodに追加したい場合に便利な場合があります。
+例えば、アプリケーションのコンテナイメージは`busybox`上にビルドされているが、`busybox`に含まれていないデバッグユーティリティが必要な場合があります。このシナリオは `kubectl run` を使ってシミュレーションすることができます。
+
+```shell
+kubectl run myapp --image=busybox --restart=Never -- sleep 1d
+```
+
+このコマンドを実行すると、`myapp`のコピーに`myapp-debug`という名前が付き、デバッグ用の新しいUbuntuコンテナが追加されます。
+
+```shell
+kubectl debug myapp -it --image=ubuntu --share-processes --copy-to=myapp-debug
+```
+
+```
+Defaulting debug container name to debugger-w7xmf.
+If you don't see a command prompt, try pressing enter.
+root@myapp-debug:/#
+```
+
+{{< note >}}
+* `kubectl debug`は`--container`フラグでコンテナ名を選択しない場合、自動的にコンテナ名を生成します。
+
+* `i`フラグを指定すると、デフォルトで`kubectl debug`が新しいコンテナにアタッチされます。これを防ぐには、`--attach=false`を指定します。セッションが切断された場合は、`kubectl attach`を使用して再接続することができます。
+
+* `share-processes` を指定すると、Pod 内のコンテナからプロセスを参照することができます。この仕組みについて詳しくは、[Share Process Namespace between Containers in a Pod](/docs/tasks/configure-pod-container/share-process-namespace/)を参照してください。
+{{< /note >}}
+
+デバッグが終わったら、Podの後始末をするのを忘れないでください。
+
+```shell
+kubectl delete pod myapp myapp-debug
+```
+
+### Podのコマンドを変更しながらコピーします
+
+デバッグフラグを追加するためや、アプリケーションがクラッシュするためなど、コンテナのコマンドを変更すると便利な場合があります。
+アプリケーションのクラッシュをシミュレートするには、`kubectl run`を使用して、すぐに終了するコンテナを作成します。
+
+```
+kubectl run --image=busybox myapp -- false
+```
+
+`kubectl describe pod myapp` を使用すると、このコンテナがクラッシュしていることがわかります。
+
+```
+Containers:
+  myapp:
+    Image:         busybox
+    ...
+    Args:
+      false
+    State:          Waiting
+      Reason:       CrashLoopBackOff
+    Last State:     Terminated
+      Reason:       Error
+      Exit Code:    1
+```
+
+`kubectl debug`を使うと、コマンドをインタラクティブシェルに変更したこのPodのコピーを作成することができます。
+
+```
+kubectl debug myapp -it --copy-to=myapp-debug --container=myapp -- sh
+```
+
+```
+If you don't see a command prompt, try pressing enter.
+/ #
+```
+
+これで、ファイルシステムのパスのチェックやコンテナコマンドの手動実行などのタスクを実行するために使用できる対話型シェルが完成しました。
+
+{{< note >}}
+* 特定のコンテナのコマンドを変更するには、そのコンテナ名を`--container`で指定する必要があり、そうしないと`kubectl debug`が代わりに指定したコマンドを実行する新しいコンテナを作成します。
+
+* ` i` フラグは、デフォルトで `kubectl debug` がコンテナにアタッチされるようにします。これを防ぐには、`--attach=false`を指定します。セッションが切断された場合は、`kubectl attach` を使用して再接続することができます。
+{{< /note >}}
+
+デバッグが終わったら、Podの後始末をするのを忘れないでください。
+
+```shell
+kubectl delete pod myapp myapp-debug
+```
+
+### コンテナイメージを変更してPodをコピーします
+
+状況によっては、動作不良のPodを通常のプロダクション用のイメージから、デバッグ・ビルドや追加ユーティリティを含むイメージに変更したい場合があります。
+
+例として、`kubectl run`を使用してPodを作成します。
+
+```
+kubectl run myapp --image=busybox --restart=Never -- sleep 1d
+```
+
+ここで、`kubectl debug`を使用してコピーを作成し、そのコンテナイメージを`ubuntu`に変更します。
+
+```
+kubectl debug myapp --copy-to=myapp-debug --set-image=*=ubuntu
+```
+
+`set-image`の構文は、`kubectl set image`と同じ`container_name=image`の構文を使用します。`*=ubuntu`は、全てのコンテナのイメージを`ubuntu`に変更することを意味します。
+
+デバッグが終わったら、Podの後始末をするのを忘れないでください。
+
+```shell
+kubectl delete pod myapp myapp-debug
+```
+
+## ノード上のシェルによるデバッグ {#node-shell-session}
+
+いずれの方法でもうまくいかない場合は、Podが動作しているノードを探し出し、ホストの名前空間で動作する特権Podを作成します。
+ノード上で `kubectl debug` を使って対話型のシェルを作成するには、以下を実行します。
+
+```shell
+kubectl debug node/mynode -it --image=ubuntu
+```
+
+```
+Creating debugging pod node-debugger-mynode-pdx84 with container debugger on node mynode.
+If you don't see a command prompt, try pressing enter.
+root@ek8s:/#
+```
+
+ノードでデバッグセッションを作成する場合、以下の点に注意してください:
+
+* `kubectl debug`はノードの名前に基づいて新しい Pod の名前を自動的に生成します。
+* コンテナはホストのIPC、Network、PIDネームスペースで実行されます。
+* ノードのルートファイルシステムは`/host`にマウントされます。
+
+デバッグが終わったら、Podの後始末をするのを忘れないでください。
+
+```shell
+kubectl delete pod node-debugger-mynode-pdx84
+```
diff --git a/content/ja/docs/tasks/debug-application-cluster/monitor-node-health.md b/content/ja/docs/tasks/debug-application-cluster/monitor-node-health.md
new file mode 100644
index 0000000000000..44d627a04c0f0
--- /dev/null
+++ b/content/ja/docs/tasks/debug-application-cluster/monitor-node-health.md
@@ -0,0 +1,151 @@
+---
+title: ノードの健全性を監視します
+content_type: task
+reviewers:
+- ptux
+---
+
+<!-- overview -->
+
+*Node Problem Detector*は、ノードの健全性を監視し、報告するためのデーモンです。
+`Node Problem Detector`は`DaemonSet`として、あるいはスタンドアロンデーモンとして実行することができます。
+
+`Node Problem Detector`は様々なデーモンからノードの問題に関する情報を収集し、これらの状態を[NodeCondition](/ja/docs/concepts/architecture/nodes/#condition)および[Event](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#event-v1-core)としてAPIサーバーにレポートします。
+`Node Problem Detector`のインストール方法と使用方法については、[Node Problem Detectorプロジェクトドキュメント](https://github.com/kubernetes/node-problem-detector)を参照してください。
+
+## {{% heading "prerequisites" %}}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+<!-- steps -->
+
+## 制限事項
+
+* Node Problem Detectorは、ファイルベースのカーネルログのみをサポートします。
+  `journald`のようなログツールはサポートされていません。
+
+* Node Problem Detectorは、カーネルの問題を報告するためにカーネルログフォーマットを使用します。
+  カーネルログフォーマットを拡張する方法については、[Add support for another log format](#support-other-log-format) を参照してください。
+
+## ノード問題検出の有効化
+
+クラウドプロバイダーによっては、`Node Problem Detector`を{{< glossary_tooltip text="Addon" term_id="addons" >}}として有効にしている場合があります。
+また、`kubectl`を使って`Node Problem Detector`を有効にするか、`Addon pod`を作成することで有効にできます。
+
+### kubectlを使用してNode Problem Detectorを有効化します {#using-kubectl}
+
+`kubectl`は`Node Problem Detector`を最も柔軟に管理することができます。
+デフォルトの設定を上書きして自分の環境に合わせたり、カスタマイズしたノードの問題を検出したりすることができます。
+例えば:
+
+1. `node-problem-detector.yaml`のような`Node Problem Detector`の設定を作成します:
+
+   {{< codenew file="debug/node-problem-detector.yaml" >}}
+
+   {{< note >}}
+   システムログのディレクトリが、お使いのOSのディストリビューションに合っていることを確認する必要があります。
+   {{< /note >}}
+
+1. `Node Problem Detector`を`kubectl`で起動します。
+
+   ```shell
+   kubectl apply -f https://k8s.io/examples/debug/node-problem-detector.yaml
+   ```
+
+### Addon podを使用してNode Problem Detectorを有効化します {#using-addon-pod}
+
+カスタムのクラスターブートストラップソリューションを使用していて、デフォルトの設定を上書きする必要がない場合は、`Addon Pod`を利用してデプロイをさらに自動化できます。
+`node-problem-detector.yaml`を作成し、制御プレーンノードの`Addon Pod`のディレクトリ`/etc/kubernetes/addons/node-problem-detector`に設定を保存します。
+
+## コンフィギュレーションを上書きします
+
+`Node Problem Detector`の Dockerイメージをビルドする際に、[default configuration](https://github.com/kubernetes/node-problem-detector/tree/v0.1/config)が埋め込まれます。
+
+[`ConfigMap`](/ja/docs/tasks/configure-pod-container/configure-pod-configmap/) を使用することで設定を上書きすることができます。
+
+
+1. `config/` にある設定ファイルを変更します
+1. `ConfigMap` `node-problem-detector-config`を作成します。
+
+   ```shell
+   kubectl create configmap node-problem-detector-config --from-file=config/
+   ```
+
+1. `node-problem-detector.yaml`を変更して、`ConfigMap`を使用するようにします。
+
+   {{< codenew file="debug/node-problem-detector-configmap.yaml" >}}
+
+1. 新しい設定ファイルで`Node Problem Detector`を再作成します。
+
+   ```shell
+   # If you have a node-problem-detector running, delete before recreating
+   kubectl delete -f https://k8s.io/examples/debug/node-problem-detector.yaml
+   kubectl apply -f https://k8s.io/examples/debug/node-problem-detector-configmap.yaml
+   ```
+
+{{< note >}}
+この方法は `kubectl` で起動された Node Problem Detector にのみ適用されます。
+{{< /note >}}
+
+ノード問題検出装置がクラスターアドオンとして実行されている場合、設定の上書きはサポートされていません。
+`Addon Manager`は、`ConfigMap`をサポートしていません。
+
+## Kernel Monitor
+
+*Kernel Monitor*は`Node Problem Detector`でサポートされるシステムログ監視デーモンです。
+*Kernel Monitor*はカーネルログを監視し、事前に定義されたルールに従って既知のカーネル問題を検出します。
+*Kernel Monitor*は[`config/kernel-monitor.json`](https://github.com/kubernetes/node-problem-detector/blob/v0.1/config/kernel-monitor.json)にある一連の定義済みルールリストに従ってカーネルの問題を照合します。
+ルールリストは拡張可能です。設定を上書きすることで、ルールリストを拡張することができます。
+
+### 新しいNodeConditionsの追加
+
+新しい`NodeCondition`をサポートするには、例えば`config/kernel-monitor.json`の`conditions`フィールド内に条件定義を作成します。
+
+```json
+{
+  "type": "NodeConditionType",
+  "reason": "CamelCaseDefaultNodeConditionReason",
+  "message": "arbitrary default node condition message"
+}
+```
+
+### 新たな問題の発見
+
+新しい問題を検出するために、`config/kernel-monitor.json`の`rules`フィールドを新しいルール定義で拡張することができます。
+
+```json
+{
+  "type": "temporary/permanent",
+  "condition": "NodeConditionOfPermanentIssue",
+  "reason": "CamelCaseShortReason",
+  "message": "regexp matching the issue in the kernel log"
+}
+```
+
+### カーネルログデバイスのパスの設定 {#kernel-log-device-path}
+
+ご使用のオペレーティングシステム(OS)ディストリビューションのカーネルログパスをご確認ください。
+Linuxカーネルの[ログデバイス](https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg)は通常`/dev/kmsg`として表示されます。
+しかし、OSのディストリビューションによって、ログパスの位置は異なります。
+`config/kernel-monitor.json`の`log`フィールドは、コンテナ内のログパスを表します。
+`log`フィールドは、`Node Problem Detector`で見たデバイスパスと一致するように設定することができます。
+
+### 別のログ形式をサポートします {#support-other-log-format}
+
+Kernel monitorは[`Translator`](https://github.com/kubernetes/node-problem-detector/blob/v0.1/pkg/kernelmonitor/translator/translator.go)プラグインを使用して、カーネルログの内部データ構造を変換します。
+新しいログフォーマット用に新しいトランスレータを実装することができます。
+
+<!-- discussion -->
+
+## 推奨・制限事項
+
+ノードの健全性を監視するために、クラスターでNode Problem Detectorを実行することが推奨されます。
+`Node Problem Detector`を実行する場合、各ノードで余分なリソースのオーバーヘッドが発生することが予想されます。
+
+通常これは問題ありません。
+
+* カーネルログは比較的ゆっくりと成長します。
+* Node Problem Detector にはリソース制限が設定されています。
+* 高負荷時であっても、リソースの使用は許容範囲内です。
+
+詳細は`Node Problem Detector`[ベンチマーク結果](https://github.com/kubernetes/node-problem-detector/issues/2#issuecomment-220255629)を参照してください。
diff --git a/content/ja/docs/tasks/debug-application-cluster/troubleshooting.md b/content/ja/docs/tasks/debug-application-cluster/troubleshooting.md
new file mode 100644
index 0000000000000..436afc14eaf61
--- /dev/null
+++ b/content/ja/docs/tasks/debug-application-cluster/troubleshooting.md
@@ -0,0 +1,88 @@
+---
+content_type: concept
+title: トラブルシューティング
+---
+
+<!-- overview -->
+
+時には物事がうまくいかないこともあります。このガイドは、それらを正すことを目的としています。
+
+ 2つのセクションから構成されています:
+
+* [Troubleshooting your application](/docs/tasks/debug-application-cluster/debug-application/) - Kubernetesにコードをデプロイしていて、なぜ動かないのか不思議に思っているユーザーに便利です。
+* [Troubleshooting your cluster](/docs/tasks/debug-application-cluster/debug-cluster/) - クラスター管理者やKubernetesクラスターに不満がある人に有用です。
+
+また、使用している[リリース](https://github.com/kubernetes/kubernetes/releases)の既知の問題を確認する必要があります。
+
+<!-- body -->
+
+## ヘルプを受けます
+
+もしあなたの問題が上記のどのガイドでも解決されない場合は、Kubernetesコミュニティから助けを得るための様々な方法があります。
+
+### ご質問
+
+本サイトのドキュメントは、様々な疑問に対する答えを提供するために構成されています。
+
+[Concepts](/docs/concepts/)では、Kubernetesのアーキテクチャーと各コンポーネントの動作について説明し、[Setup](/docs/setup/)では、使い始めるための実用的な手順を提供しています。
+[Tasks](/docs/tasks/) は、よく使われるタスクの実行方法を示し、 [Tutorials](/docs/tutorials/)は、実世界の業界特有、またはエンドツーエンドの開発シナリオ、より包括的なウォークスルーとなります。
+[Reference](/docs/reference/)セクションでは、[Kubernetes API(/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)と`kubectl`](/docs/reference/kubectl/overview/)などのコマンドラインインターフェース(CLI)に関する詳しいドキュメントが提供されています。
+
+## ヘルプ!私の質問はカバーされていません!今すぐ助けてください!
+
+### Stack Overflow
+
+コミュニティの誰かがすでに同じような質問をしている可能性があり、あなたの問題を解決できるかもしれません。
+Kubernetesチームも[Kubernetesタグが付けられた投稿](https://stackoverflow.com/questions/tagged/kubernetes)を監視しています。
+もし役立つ既存の質問がない場合は、[新しく質問してみてください](https://stackoverflow.com/questions/ask?tags=kubernetes)。
+
+
+### Slack
+
+Kubernetesコミュニティの多くの人々は、Kubernetes Slackの`#kubernetes-users`チャンネルに集まっています。
+Slackは登録が必要です。[招待をリクエストする](https://slack.kubernetes.io)ことができ、登録は誰でも可能です）。
+お気軽にお越しいただき、何でも質問してください。
+登録が完了したら、WebブラウザまたはSlackの専用アプリから[Kubernetes organization in Slack](https://kubernetes.slack.com)にアクセスします。
+
+登録が完了したら、増え続けるチャンネルリストを見て、興味のある様々なテーマについて調べてみましょう。
+たとえば、Kubernetesの初心者は、[`#kubernetes-novice`](https://kubernetes.slack.com/messages/kubernetes-novice)に参加してみるのもよいでしょう。
+別の例として、開発者は[`#kubernetes-dev`](https://kubernetes.slack.com/messages/kubernetes-dev)チャンネルに参加するとよいでしょう。
+
+また、多くの国別/言語別チャンネルがあります。これらのチャンネルに参加すれば、地域特有のサポートや情報を得ることができます。
+
+{{< table caption="Country / language specific Slack channels" >}}
+Country | Channels
+:---------|:------------
+中国 | [`#cn-users`](https://kubernetes.slack.com/messages/cn-users), [`#cn-events`](https://kubernetes.slack.com/messages/cn-events)
+フィンランド | [`#fi-users`](https://kubernetes.slack.com/messages/fi-users)
+フランス | [`#fr-users`](https://kubernetes.slack.com/messages/fr-users), [`#fr-events`](https://kubernetes.slack.com/messages/fr-events)
+ドイツ | [`#de-users`](https://kubernetes.slack.com/messages/de-users), [`#de-events`](https://kubernetes.slack.com/messages/de-events)
+インド | [`#in-users`](https://kubernetes.slack.com/messages/in-users), [`#in-events`](https://kubernetes.slack.com/messages/in-events)
+イタリア | [`#it-users`](https://kubernetes.slack.com/messages/it-users), [`#it-events`](https://kubernetes.slack.com/messages/it-events)
+日本 | [`#jp-users`](https://kubernetes.slack.com/messages/jp-users), [`#jp-events`](https://kubernetes.slack.com/messages/jp-events)
+韓国 | [`#kr-users`](https://kubernetes.slack.com/messages/kr-users)
+オランダ | [`#nl-users`](https://kubernetes.slack.com/messages/nl-users)
+ノルウェー | [`#norw-users`](https://kubernetes.slack.com/messages/norw-users)
+ポーランド | [`#pl-users`](https://kubernetes.slack.com/messages/pl-users)
+ロシア | [`#ru-users`](https://kubernetes.slack.com/messages/ru-users)
+スペイン | [`#es-users`](https://kubernetes.slack.com/messages/es-users)
+スウェーデン | [`#se-users`](https://kubernetes.slack.com/messages/se-users)
+トルコ | [`#tr-users`](https://kubernetes.slack.com/messages/tr-users), [`#tr-events`](https://kubernetes.slack.com/messages/tr-events)
+{{< /table >}}
+
+### フォーラム
+
+Kubernetesの公式フォーラムへの参加は大歓迎です[discuss.kubernetes.io](https://discuss.kubernetes.io)。
+
+### バグと機能の要望
+
+バグらしきものを発見した場合、または機能要望を出したい場合、[GitHub課題追跡システム](https://github.com/kubernetes/kubernetes/issues)をご利用ください。
+課題を提出する前に、既存の課題を検索して、あなたの課題が解決されているかどうかを確認してください。
+
+バグを報告する場合は、そのバグを再現するための詳細な情報を含めてください。
+
+* Kubernetes のバージョン: `kubectl version`
+* クラウドプロバイダー、OSディストリビューション、ネットワーク構成、Dockerバージョン
+* 問題を再現するための手順
+
+
diff --git a/content/ja/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md b/content/ja/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
index 5e7b77443d190..a55a093c2bd34 100644
--- a/content/ja/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
+++ b/content/ja/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
@@ -234,7 +234,7 @@ WordPressのインストールをこのページのまま放置してはいけ
 ## {{% heading "whatsnext" %}}
 
 
-* [イントロスペクションとデバッグ](/docs/tasks/debug-application-cluster/debug-application-introspection/)についてさらに学ぶ
+* [イントロスペクションとデバッグ](/docs/tasks/debug/debug-application)についてさらに学ぶ
 * [Job](/docs/concepts/workloads/controllers/job/)についてさらに学ぶ
 * [Portフォワーディング](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)についてさらに学ぶ
 * [コンテナへのシェルを取得する](/ja/docs/tasks/debug-application-cluster/get-shell-running-container/)方法について学ぶ
diff --git a/content/ja/examples/admin/resource/cpu-constraints-pod-3.yaml b/content/ja/examples/admin/resource/cpu-constraints-pod-3.yaml
deleted file mode 100644
index 896d98ec2f7d4..0000000000000
--- a/content/ja/examples/admin/resource/cpu-constraints-pod-3.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: constraints-cpu-demo-4
-spec:
-  containers:
-  - name: constraints-cpu-demo-4-ctr
-    image: nginx
-    resources:
-      limits:
-        cpu: "800m"
-      requests:
-        cpu: "100m"
diff --git a/content/ja/examples/pods/probe/exec-liveness.yaml b/content/ja/examples/pods/probe/exec-liveness.yaml
index 07bf75f85c6f3..6a9c9b3213718 100644
--- a/content/ja/examples/pods/probe/exec-liveness.yaml
+++ b/content/ja/examples/pods/probe/exec-liveness.yaml
@@ -11,7 +11,7 @@ spec:
     args:
     - /bin/sh
     - -c
-    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600
     livenessProbe:
       exec:
         command:
diff --git a/content/ja/includes/default-storage-class-prereqs.md b/content/ja/includes/default-storage-class-prereqs.md
index 52d100d6ef791..648bbfc1acdb7 100644
--- a/content/ja/includes/default-storage-class-prereqs.md
+++ b/content/ja/includes/default-storage-class-prereqs.md
@@ -1 +1 @@
-ここで使用されている[PersistentVolumeClaims](/docs/user-guide/persistent-volumes/#persistentvolumeclaims)の要件を満たすには、デフォルトの[StorageClass](/docs/concepts/storage/storage-classes/)を使用して動的PersistentVolumeプロビジョナーを作成するか、[PersistentVolumesを静的にプロビジョニングする](/docs/user-guide/persistent-volumes/#provisioning)必要があります。
+ここで使用されている[PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)の要件を満たすには、デフォルトの[StorageClass](/docs/concepts/storage/storage-classes/)を使用して動的PersistentVolumeプロビジョナーを作成するか、[PersistentVolumesを静的にプロビジョニングする](/docs/concepts/storage/persistent-volumes/#provisioning)必要があります。
diff --git a/content/ko/docs/contribute/participate/pr-wranglers.md b/content/ko/docs/contribute/participate/pr-wranglers.md
index 424f9b0227ea8..833b006f1a4b9 100644
--- a/content/ko/docs/contribute/participate/pr-wranglers.md
+++ b/content/ko/docs/contribute/participate/pr-wranglers.md
@@ -85,6 +85,6 @@ PR 랭글러는 일주일 간 매일 다음의 일을 해야 한다.
 
 {{< note >}}
 
-[`fejta-bot`](https://github.com/fejta-bot)이라는 봇은 90일 동안 활동이 없으면 이슈를 오래된 것(stale)으로 표시한다. 30일이 더 지나면 rotten으로 표시하고 종료한다. PR 랭글러는 14-30일 동안 활동이 없으면 이슈를 닫아야 한다.
+[`k8s-triage-robot`](https://github.com/k8s-triage-robot)이라는 봇은 90일 동안 활동이 없으면 이슈를 오래된 것(stale)으로 표시한다. 30일이 더 지나면 rotten으로 표시하고 종료한다. PR 랭글러는 14-30일 동안 활동이 없으면 이슈를 닫아야 한다.
 
 {{< /note >}}
diff --git a/content/pl/releases/_index.md b/content/pl/releases/_index.md
index 46c2a7659f5ab..a5cb3fdc52ca6 100644
--- a/content/pl/releases/_index.md
+++ b/content/pl/releases/_index.md
@@ -7,7 +7,7 @@ type: docs
 
 <!-- overview -->
 
-Projekt Kubernetes zapewnia wsparcie dla trzech ostatnich wydań _minor_ ({{< skew latestVersion >}}, {{< skew prevMinorVersion >}}, {{< skew oldestMinorVersion >}}). Poprawki do wydania 1.19 i nowszych będą publikowane przez około rok. Kuberetes w wersji 1.18 i wcześniejszych będzie otrzymywał poprawki przez 9 miesięcy.
+Projekt Kubernetes zapewnia wsparcie dla trzech ostatnich wydań _minor_ ({{< skew latestVersion >}}, {{< skew prevMinorVersion >}}, {{< skew oldestMinorVersion >}}). Poprawki do wydania 1.19 i nowszych będą publikowane przez około rok. Kubernetes w wersji 1.18 i wcześniejszych będzie otrzymywał poprawki przez 9 miesięcy.
 
 Wersje Kubernetesa oznaczane są jako **x.y.z**,
 gdzie **x** jest oznaczeniem wersji głównej (_major_), **y** — podwersji (_minor_), a **z** — numer poprawki (_patch_), zgodnie z terminologią [Semantic Versioning](https://semver.org/).
diff --git a/content/pt-br/blog/_posts/2022-02-17-updated-dockershim-faq.md b/content/pt-br/blog/_posts/2022-02-17-updated-dockershim-faq.md
index bf92c1fedce11..77e1ce0e6f1b8 100644
--- a/content/pt-br/blog/_posts/2022-02-17-updated-dockershim-faq.md
+++ b/content/pt-br/blog/_posts/2022-02-17-updated-dockershim-faq.md
@@ -15,7 +15,7 @@ como parte do lançamento do Kubernetes v1.20. Para obter mais detalhes sobre
 o que isso significa, confira a postagem do blog
 [Não entre em pânico: Kubernetes e Docker](/pt-br/blog/2020/12/02/dont-panic-kubernetes-and-docker/).
 
-Além disso, você pode ler [verifique se a remoção do dockershim afeta você](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
+Além disso, você pode ler [verifique se a remoção do dockershim afeta você](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/)
 para determinar qual impacto a remoção do _dockershim_ teria para você
 ou para sua organização.
 
@@ -170,7 +170,7 @@ contêiner assim que possível.
 Outro aspecto a ser observado é que ferramentas para manutenção do sistema ou execuções dentro de um
 contêiner no momento da criação de imagens podem não funcionar mais. Para o primeiro, a ferramenta 
 [`crictl`][cr] pode ser utilizada como um substituto natural (veja 
-[migrando do docker cli para o crictl](https://kubernetes.io/docs/tasks/debug-application-cluster/crictl/#mapping-from-docker-cli-to-crictl))
+[migrando do docker cli para o crictl](https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl))
 e para o último, você pode usar novas opções de construções de contêiner, como [img], [buildah],
 [kaniko], ou [buildkit-cli-for-kubectl] que não requerem Docker.
 
diff --git a/content/pt-br/docs/concepts/cluster-administration/addons.md b/content/pt-br/docs/concepts/cluster-administration/addons.md
index f3a00ae26d03e..73551e9e657ab 100644
--- a/content/pt-br/docs/concepts/cluster-administration/addons.md
+++ b/content/pt-br/docs/concepts/cluster-administration/addons.md
@@ -21,7 +21,7 @@ Esta página lista alguns dos complementos disponíveis e links com suas respect
 * [Canal](https://github.com/tigera/canal/tree/master/k8s-install) une Flannel e Calico, fornecendo rede e política de rede.
 * [Cilium](https://github.com/cilium/cilium) é um plug-in de rede de camada 3 e de políticas de rede que pode aplicar políticas HTTP/API/camada 7 de forma transparente. Tanto o modo de roteamento quanto o de sobreposição/encapsulamento são suportados. Este plug-in também consegue operar no topo de outros plug-ins CNI.
 * [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) permite que o Kubernetes se conecte facilmente a uma variedade de plug-ins CNI, como Calico, Canal, Flannel, Romana ou Weave.
-* [Contiv](http://contiv.github.io) oferece serviços de rede configuráveis para diferentes casos de uso (camada 3 nativa usando BGP, _overlay_ (sobreposição) usando vxlan, camada 2 clássica e Cisco-SDN/ACI) e também um _framework_ rico de políticas de rede. O projeto Contiv é totalmente [open source](http://github.com/contiv). O [instalador](http://github.com/contiv/install) fornece opções de instalação com ou sem kubeadm.
+* [Contiv](https://contivpp.io/) oferece serviços de rede configuráveis para diferentes casos de uso (camada 3 nativa usando BGP, _overlay_ (sobreposição) usando vxlan, camada 2 clássica e Cisco-SDN/ACI) e também um _framework_ rico de políticas de rede. O projeto Contiv é totalmente [open source](http://github.com/contiv). O [instalador](http://github.com/contiv/install) fornece opções de instalação com ou sem kubeadm.
 * [Contrail](http://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/) é uma plataforma open source baseada no [Tungsten Fabric](https://tungsten.io) que oferece virtualização de rede multi-nuvem e gerenciamento de políticas de rede. O Contrail e o Tungsten Fabric são integrados a sistemas de orquestração de contêineres, como Kubernetes, OpenShift, OpenStack e Mesos, e fornecem modos de isolamento para cargas de trabalho executando em máquinas virtuais, contêineres/pods e servidores físicos.
 * [Flannel](https://github.com/flannel-io/flannel#deploying-flannel-manually) é um provedor de redes _overlay_ (sobrepostas) que pode ser usado com o Kubernetes.
 * [Knitter](https://github.com/ZTE/Knitter/) é um plug-in para suporte de múltiplas interfaces de rede em Pods do Kubernetes.
@@ -30,7 +30,7 @@ Esta página lista alguns dos complementos disponíveis e links com suas respect
 * [Nuage](https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst) é uma plataforma de rede definida por software que fornece serviços de rede baseados em políticas entre os Pods do Kubernetes e os ambientes não-Kubernetes, com visibilidade e monitoramento de segurança.
 * [OVN-Kubernetes](https://github.com/ovn-org/ovn-kubernetes/) é um provedor de rede para o Kubernetes baseado no [OVN (Open Virtual Network)](https://github.com/ovn-org/ovn/), uma implementação de redes virtuais que surgiu através do projeto Open vSwitch (OVS). O OVN-Kubernetes fornece uma implementação de rede baseada em _overlay_ (sobreposição) para o Kubernetes, incluindo uma implementação baseada em OVS para serviços de balanceamento de carga e políticas de rede.
 * [OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) é um plug-in controlador CNI baseado no OVN (Open Virtual Network) que fornece serviços de rede _cloud native_, como _Service Function Chaining_ (SFC), redes _overlay_ (sobrepostas) OVN múltiplas, criação dinâmica de subredes, criação dinâmica de redes virtuais, provedor de rede VLAN e provedor de rede direto, e é plugável a outros plug-ins multi-rede. Ideal para cargas de trabalho que utilizam computação de borda _cloud native_ em redes multi-cluster.
-* [Romana](http://romana.io) é uma solução de rede de camada 3 para redes de pods que também suporta a [API NetworkPolicy](/docs/concepts/services-networking/network-policies/). Detalhes da instalação do complemento Kubeadm disponíveis [aqui](https://github.com/romana/romana/tree/master/containerize).
+* [Romana](https://github.com/romana/romana) é uma solução de rede de camada 3 para redes de pods que também suporta a [API NetworkPolicy](/pt-br/docs/concepts/services-networking/network-policies/). Detalhes da instalação do complemento Kubeadm disponíveis [aqui](https://github.com/romana/romana/tree/master/containerize).
 * [Weave Net](https://www.weave.works/docs/net/latest/kube-addon/) fornece rede e política de rede, funciona em ambos os lados de uma partição de rede e não requer um banco de dados externo.
 
 ## Descoberta de Serviço
diff --git a/content/pt-br/docs/concepts/configuration/configmap.md b/content/pt-br/docs/concepts/configuration/configmap.md
index e3666a8542484..3fe111a078858 100644
--- a/content/pt-br/docs/concepts/configuration/configmap.md
+++ b/content/pt-br/docs/concepts/configuration/configmap.md
@@ -45,7 +45,7 @@ são opcionais. O campo `data` foi pensado para conter sequências de bytes UTF-
 foi planejado para conter dados binários em forma de strings codificadas em base64.
 
 É obrigatório que o nome de um ConfigMap seja um
-[subdomínio DNS válido](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[subdomínio DNS válido](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
 Cada chave sob as seções `data` ou `binaryData` pode conter quaisquer caracteres alfanuméricos,
 `-`, `_` e `.`. As chaves armazenadas na seção `data` não podem colidir com as chaves armazenadas
diff --git a/content/pt-br/docs/concepts/configuration/secret.md b/content/pt-br/docs/concepts/configuration/secret.md
index bd0cd7315dcad..0fc63bc2e2d19 100644
--- a/content/pt-br/docs/concepts/configuration/secret.md
+++ b/content/pt-br/docs/concepts/configuration/secret.md
@@ -65,7 +65,7 @@ A camada de gerenciamento do Kubernetes também utiliza Secrets. Por exemplo,
 os [Secrets de tokens de autoinicialização](#bootstrap-token-secrets) são um
 mecanismo que auxilia a automação do registro de nós.
 
-O nome de um Secret deve ser um [subdomínio DNS válido](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+O nome de um Secret deve ser um [subdomínio DNS válido](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 Você pode especificar o campo `data` e/ou o campo `stringData` na criação de um
 arquivo de configuração de um Secret. Ambos os campos `data` e `stringData` são
 opcionais. Os valores das chaves no campo `data` devem ser strings codificadas
diff --git a/content/pt-br/docs/concepts/containers/runtime-class.md b/content/pt-br/docs/concepts/containers/runtime-class.md
index 8f6e33aeeee90..ee090beedcc3b 100644
--- a/content/pt-br/docs/concepts/containers/runtime-class.md
+++ b/content/pt-br/docs/concepts/containers/runtime-class.md
@@ -66,7 +66,7 @@ handler: myconfiguration  # Nome da configuração CRI correspondente
 ```
 
 O nome de um objeto RuntimeClass deve ser um 
-[nome de subdomínio DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
+[nome de subdomínio DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 
 {{< note >}}
 É recomendado que operações de escrita no objeto RuntimeClass (criar/atualizar/patch/apagar)
diff --git a/content/pt-br/docs/concepts/overview/working-with-objects/names.md b/content/pt-br/docs/concepts/overview/working-with-objects/names.md
index 16556d127afae..bbe5a4987165b 100644
--- a/content/pt-br/docs/concepts/overview/working-with-objects/names.md
+++ b/content/pt-br/docs/concepts/overview/working-with-objects/names.md
@@ -1,30 +1,83 @@
 ---
-title: Nomes
+title: Nomes de objetos e IDs
 content_type: concept
 weight: 20
 ---
 
 <!-- overview -->
 
-Cada objeto em um cluster possui um Nome que é único para aquele tipo de recurso.
-Todo objeto do Kubernetes também possui um UID que é único para todo o cluster.
+Cada objeto em seu cluster possui um [_Nome_](#names) que é único para aquele
+tipo de recurso.
+Todo objeto do Kubernetes também possui um [_UID_](#uids) que é único para todo
+o cluster.
 
-Por exemplo, você pode ter apenas um Pod chamado "myapp-1234", porém você pode ter um Pod
-e um Deployment ambos com o nome "myapp-1234".
+Por exemplo, você pode ter apenas um Pod chamado `myapp-1234` dentro de um
+[namespace](/pt-br/docs/concepts/overview/working-with-objects/namespaces/), porém
+você pode ter um Pod e um Deployment ambos com o nome `myapp-1234`.
 
-Para atributos não únicos providenciados por usuário, Kubernetes providencia [labels](/docs/concepts/overview/working-with-objects/labels/) e [annotations](/docs/concepts/overview/working-with-objects/annotations/).
+Para atributos não-únicos definidos pelo usuário, o Kubernetes fornece
+[labels](/docs/concepts/overview/working-with-objects/labels/) e
+[annotations](/docs/concepts/overview/working-with-objects/annotations/).
 
 
+<!-- body -->
 
+## Nomes {#names}
 
-<!-- body -->
+{{< glossary_definition term_id="name" length="all" >}}
+
+{{< note >}}
+Em casos em que objetos representam uma entidade física, como no caso de um Nó
+representando um host físico, caso o host seja recriado com o mesmo nome mas o
+objeto Nó não seja recriado, o Kubernetes trata o novo host como o host antigo,
+o que pode causar inconsistências.
+{{< /note >}}
+
+Abaixo estão descritos quatro tipos de restrições de nomes comumente utilizadas
+para recursos.
+
+### Nomes de subdomínio DNS {#dns-subdomain-names}
+
+A maior parte dos recursos do Kubernetes requerem um nome que possa ser
+utilizado como um nome de subdomínio DNS, conforme definido na
+[RFC 1123](https://tools.ietf.org/html/rfc1123).
+Isso significa que o nome deve:
+
+- conter no máximo 253 caracteres
+- conter somente caracteres alfanuméricos em caixa baixa, traço ('-') ou ponto
+  ('.').
+- iniciar com um caractere alfanumérico
+- terminar com um caractere alfanumérico
+
+### Nomes de rótulos da RFC 1123 {#dns-label-names}
+
+Alguns tipos de recurso requerem que seus nomes sigam o padrão de rótulos DNS
+definido na [RFC 1123](https://tools.ietf.org/html/rfc1123).
+Isso significa que o nome deve:
+
+- conter no máximo 63 caracteres
+- conter somente caracteres alfanuméricos em caixa baixa ou traço ('-')
+- iniciar com um caractere alfanumérico
+- terminar com um caractere alfanumérico
+
+### Nomes de rótulo da RFC 1035
+
+Alguns tipos de recurso requerem que seus nomes sigam o padrão de rótulos DNS
+definido na [RFC 1035](https://tools.ietf.org/html/rfc1035).
+Isso significa que o nome deve:
 
-## Nomes
+- conter no máximo 63 caracteres
+- conter somente caracteres alfanuméricos em caixa baixa ou traço ('-')
+- iniciar com um caractere alfanumérico
+- terminar com um caractere alfanumérico
 
+### Nomes de segmentos de caminhos
 
-Recursos Kubernetes podem ter nomes com até 253 caracteres. Os caracteres permitidos em nomes são: dígitos (0-9), letras minúsculas (a-z), `-`, e `.`.
+Alguns tipos de recurso requerem que seus nomes possam ser seguramente
+codificados como um segmento de caminho, ou seja, o nome não pode ser "." ou
+".." e não pode conter "/" ou "%".
 
-A seguir, um exemplo para um Pod chamado `nginx-demo`.
+Exemplo de um manifesto para um Pod chamado `nginx-demo`.
 
 ```yaml
 apiVersion: v1
@@ -45,13 +98,15 @@ Alguns tipos de recursos possuem restrições adicionais em seus nomes.
 
 ## UIDs
 
+{{< glossary_definition term_id="uid" length="all" >}}
 
-Kubernetes UIDs são identificadores únicos universais (também chamados de UUIDs).
-UUIDs utilizam padrões ISO/IEC 9834-8 e ITU-T X.667.
+UIDs no Kubernetes são identificadores únicos universais (também conhecidos como
+UUIDs).
+UUIDs seguem os padrões ISO/IEC 9834-8 e ITU-T X.667.
 
 
 ## {{% heading "whatsnext" %}}
 
-* Leia sobre [labels](/docs/concepts/overview/working-with-objects/labels/) em Kubernetes.
-* Consulte o documento de design [Identificadores e Nomes em Kubernetes](https://git.k8s.io/community/contributors/design-proposals/architecture/identifiers.md).
+* Leia sobre [labels](/docs/concepts/overview/working-with-objects/labels/) no Kubernetes.
+* Consulte o documento de design [Identifiers and Names in Kubernetes](https://git.k8s.io/community/contributors/design-proposals/architecture/identifiers.md).
 
diff --git a/content/pt-br/docs/concepts/policy/_index.md b/content/pt-br/docs/concepts/policy/_index.md
new file mode 100644
index 0000000000000..1b5e70aa9b225
--- /dev/null
+++ b/content/pt-br/docs/concepts/policy/_index.md
@@ -0,0 +1,6 @@
+---
+title: "Políticas"
+weight: 90
+description: >
+  Políticas que você pode configurar e que afetam grupos de recursos.
+---
diff --git a/content/pt-br/docs/concepts/policy/limit-range.md b/content/pt-br/docs/concepts/policy/limit-range.md
index 929a760c2e532..33db813a6048a 100644
--- a/content/pt-br/docs/concepts/policy/limit-range.md
+++ b/content/pt-br/docs/concepts/policy/limit-range.md
@@ -23,7 +23,7 @@ O suporte ao _LimitRange_ foi ativado por padrão desde o Kubernetes 1.10.
 
 Um _LimitRange_ é aplicado em um _namespace_ específico quando há um objeto _LimitRange_ nesse _namespace_.
 
-O nome de um objeto _LimitRange_ deve ser um [nome de subdomínio DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
+O nome de um objeto _LimitRange_ deve ser um [nome de subdomínio DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 
 ### Visão geral do Limit Range
 
diff --git a/content/pt-br/docs/concepts/policy/resource-quotas.md b/content/pt-br/docs/concepts/policy/resource-quotas.md
index b20baffb83ea7..6468858348532 100644
--- a/content/pt-br/docs/concepts/policy/resource-quotas.md
+++ b/content/pt-br/docs/concepts/policy/resource-quotas.md
@@ -34,7 +34,7 @@ As cotas de recursos funcionam assim:
   Veja o [passo a passo](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
   para um exemplo de como evitar este problema. 
 
-O nome de um objeto `ResourceQuota` deve ser um [nome do subdomínio DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
+O nome de um objeto `ResourceQuota` deve ser um [nome do subdomínio DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 
 Exemplos de políticas que podem ser criadas usando _namespaces_ e cotas são:
 
diff --git a/content/pt-br/docs/concepts/security/overview.md b/content/pt-br/docs/concepts/security/overview.md
index cfef9135f7bf5..0cbbbf29612b2 100644
--- a/content/pt-br/docs/concepts/security/overview.md
+++ b/content/pt-br/docs/concepts/security/overview.md
@@ -103,7 +103,7 @@ vulnerável a um ataque de exaustão de recursos e, por consequência, o risco d
 Autorização RBAC (acesso à API Kubernetes) | https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 Autenticação | https://kubernetes.io/docs/concepts/security/controlling-access/
 Gerenciamento de segredos na aplicação (e encriptando-os no etcd em repouso) | https://kubernetes.io/docs/concepts/configuration/secret/ <br> https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
-Políticas de segurança do Pod | https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+Garantir que os Pods atendem aos padrões de segurança do Pod | https://kubernetes.io/docs/concepts/security/pod-security-standards/#policy-instantiation
 Qualidade de serviço (e gerenciamento de recursos de cluster) | https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/
 Políticas de Rede | https://kubernetes.io/docs/concepts/services-networking/network-policies/
 TLS para Kubernetes Ingress | https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
diff --git a/content/pt-br/docs/concepts/storage/_index.md b/content/pt-br/docs/concepts/storage/_index.md
new file mode 100644
index 0000000000000..41cfbb35075d7
--- /dev/null
+++ b/content/pt-br/docs/concepts/storage/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Armazenamento"
+weight: 70
+description: >
+  Formas de fornecer armazenamento temporário e de longa duração a Pods em seu
+  cluster.
+---
+
diff --git a/content/pt-br/docs/concepts/storage/persistent-volumes.md b/content/pt-br/docs/concepts/storage/persistent-volumes.md
index 65396a3c37b18..12ff2700fe412 100644
--- a/content/pt-br/docs/concepts/storage/persistent-volumes.md
+++ b/content/pt-br/docs/concepts/storage/persistent-volumes.md
@@ -1,15 +1,9 @@
 ---
-reviewers:
-- jsafrane
-- saad-ali
-- thockin
-- msau42
-- xing-yang
 title: Volumes Persistentes
 feature:
   title: Orquestração de Armazenamento
   description: >
-    Montar automaticamente o armazenamento de sua escolha, seja de um armazenamento local, de um provedor de cloud pública, como <a href="https://cloud.google.com/storage/">GCP</a> ou <a href="https://aws.amazon.com/products/storage/">AWS</a>, ou um armazenameto de rede, como NFS, iSCSI, Gluster, Ceph, Cinder ou Flocker.
+    Monte automaticamente o armazenamento de sua escolha, seja de um armazenamento local, de um provedor de cloud pública, como <a href="https://cloud.google.com/storage/">GCP</a> ou <a href="https://aws.amazon.com/products/storage/">AWS</a>, ou um armazenamento de rede, como NFS, iSCSI, Gluster, Ceph, Cinder ou Flocker.
 
 content_type: conceito
 weight: 20
@@ -28,7 +22,7 @@ O gerenciamento de armazenamento é uma questão bem diferente do gerenciamento
 
 Um _PersistentVolume_ (PV) é uma parte do armazenamento dentro do cluster que tenha sido provisionada por um administrador, ou dinamicamente utilizando [Classes de Armazenamento](/docs/concepts/storage/storage-classes/). Isso é um recurso dentro do cluster da mesma forma que um nó também é. PVs são plugins de volume da mesma forma que Volumes, porém eles têm um ciclo de vida independente de qualquer Pod que utilize um PV. Essa API tem por objetivo mostrar os detalhes da implementação do armazenamento, seja ele NFS, iSCSI, ou um armazenamento específico de um provedor de cloud pública.
 
-Uma_PersistentVolumeClaim_ (PVC) é uma requisição para armazenamento por um usuário. É similar a um Pod. Pods utilizam recursos do nó e PVCs utilizam recursos do PV. Pods podem solicitar níveis específicos de recursos (CPU e Memória). Claims podem solicitar tamanho e modos de acesso específicos (exemplo: montagem como ReadWriteOnce, ReadOnlyMany ou ReadWriteMany, veja [Modos de Acesso](#modos-de-acesso)).
+Uma _PersistentVolumeClaim_ (PVC) é uma requisição para armazenamento por um usuário. É similar a um Pod. Pods utilizam recursos do nó e PVCs utilizam recursos do PV. Pods podem solicitar níveis específicos de recursos (CPU e Memória). Claims podem solicitar tamanho e modos de acesso específicos (exemplo: montagem como ReadWriteOnce, ReadOnlyMany ou ReadWriteMany, veja [Modos de Acesso](#modos-de-acesso)).
 
 Enquanto as PersistentVolumeClaims permitem que um usuário utilize recursos de armazenamento de forma limitada, é comum que usuários precisem de PersistentVolumes com diversas propriedades, como desempenho, para problemas diversos. Os administradores de cluster precisam estar aptos a oferecer uma variedade de PersistentVolumes que difiram em tamanho e modo de acesso, sem expor os usuários a detalhes de como esses volumes são implementados. Para necessidades como essas, temos o recurso de _StorageClass_.
 
@@ -314,7 +308,7 @@ Tipos de PersistentVolume são implementados como plugins. Atualmente o Kubernet
 
 ## Volumes Persistentes
 
-Cada PV contém uma `spec` e um status, que é a especificação e o status do volume. O nome do PersistentVolume deve ser um [DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
+Cada PV contém uma `spec` e um status, que é a especificação e o status do volume. O nome do PersistentVolume deve ser um [DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 
 ```yaml
 apiVersion: v1
@@ -468,7 +462,7 @@ A CLI mostrará o nome do PV que foi atrelado à PVC
 
 ## PersistentVolumeClaims
 
-Cada PVC contém uma `spec` e um status, que é a especificação e estado de uma requisição. O nome de um objeto PersistentVolumeClaim precisa ser um [DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
+Cada PVC contém uma `spec` e um status, que é a especificação e estado de uma requisição. O nome de um objeto PersistentVolumeClaim precisa ser um [DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 
 ```yaml
 apiVersion: v1
diff --git a/content/pt-br/docs/concepts/storage/volumes.md b/content/pt-br/docs/concepts/storage/volumes.md
new file mode 100644
index 0000000000000..d2c42b832e76e
--- /dev/null
+++ b/content/pt-br/docs/concepts/storage/volumes.md
@@ -0,0 +1,978 @@
+---
+reviewers:
+- jsafrane
+- saad-ali
+- thockin
+- msau42
+title: Volumes
+content_type: conceito
+weight: 10
+---
+
+<!-- Visão Geral -->
+
+Os arquivos em disco em um contêiner são efêmeros, o que apresenta alguns problemas para 
+aplicações não triviais quando executadas em contêineres. Um problema é a perda de arquivos 
+quando um contêiner quebra. O kubelet reinicia o contêiner, mas em um estado limpo. Um segundo 
+problema ocorre ao compartilhar arquivos entre contêineres que são executados juntos em 
+um `Pod`. A abstração de {{< glossary_tooltip text="volume" term_id="volume" >}} 
+do Kubernetes resolve ambos os problemas. Sugere-se familiaridade com [Pods](/docs/concepts/workloads/pods/) .
+
+<!-- body -->
+## Contexto
+
+Docker tem um conceito de [volumes](https://docs.docker.com/storage/), embora seja um pouco mais 
+simples e menos gerenciado. Um volume Docker é um diretório em disco ou em outro contêiner. 
+O Docker oferece drivers de volume, mas a funcionalidade é um pouco limitada.
+
+O Kubernetes suporta muitos tipos de volumes. Um {{< glossary_tooltip term_id="pod" text="Pod" >}} é capaz de utilizar qualquer quantidade de tipos de volumes simultaneamente. Os tipos de volume efêmeros têm a mesma vida útil do pod, mas os volumes persistentes existem além da vida útil de um pod. Quando um pod deixa de existir, o Kubernetes destrói volumes efêmeros; no entanto, o Kubernetes não destrói volumes persistentes. Para qualquer tipo de volume em um determinado pod, os dados são preservados entre as reinicializações do contêiner.
+
+Em sua essência, um volume é um diretório, eventualmente com alguns dados dentro dele, que é acessível aos contêineres de um Pod. Como esse diretório vem a ser, o meio que o suporta e o conteúdo do mesmo são determinados pelo tipo particular de volume utilizado.
+
+Para utilizar um volume, especifique os volumes que serão disponibilizados para o Pod em `.spec.volumes` e declare onde montar esses volumes dentro dos contêineres em `.spec.containers[*].volumeMounts`. Um processo em um contêiner enxerga uma visualização do sistema de arquivos composta pelo do conteúdo inicial da {{< glossary_tooltip text="imagem do contêiner" term_id="image" >}} mais os volumes (se definidos) montados dentro do contêiner. O processo enxerga um sistema de arquivos raiz que inicialmente corresponde ao conteúdo da imagem do contêiner. Qualquer gravação dentro dessa hierarquia do sistema de arquivos, se permitida, afetará o que esse processo enxerga quando ele executa um acesso subsequente ao sistema de arquivos. Os volumes são montados nos [caminhos especificados](#using-subpath) dentro da imagem. Para cada contêiner definido em um Pod, você deve especificar independentemente onde montar cada volume utilizado pelo contêiner.
+
+Volumes não podem ser montados dentro de outros volumes (mas você pode consultar [Utilizando subPath](#using-subpath) para um mecanismo relacionado). Além disso, um volume não pode conter um link físico para qualquer outro dado em um volume diferente.
+
+## Tipos de Volumes {#volume-types}
+
+Kubernetes suporta vários tipos de volumes.
+
+### awsElasticBlockStore {#awselasticblockstore}
+
+Um volume `awsElasticBlockStore` monta um [volume EBS](https://aws.amazon.com/ebs/) da Amazon Web Services (AWS) em seu pod. Ao contrário do `emptyDir`que é apagado quando um pod é removido, o conteúdo de um volume EBS é preservado e o volume é desmontado. Isto significa que um volume EBS pode ser previamente populado com dados e que os dados podem ser compartilhados entre Pods.
+
+{{< note >}}
+Você precisa criar um volume EBS usando `aws ec2 create-volume` ou pela API da AWS antes que você consiga utilizá-lo. 
+{{< /note >}}
+
+Existem algumas restrições ao utilizar um volume `awsElasticBlockStore`:
+
+* Os nós nos quais os Pods estão sendo executados devem ser instâncias AWS EC2
+* Estas instâncias devem estar na mesma região e na mesma zona de disponibilidade que o volume EBS
+* O EBS suporta montar um volume em apenas uma única instância EC2
+
+#### Criando um volume AWS EBS
+
+Antes de poder utilizar um volume EBS com um pod, precisa criá-lo.
+
+```shell
+aws ec2 create-volume --availability-zone=eu-west-1a --size=10 --volume-type=gp2
+```
+
+Certifique-se de que a zona corresponde à mesma zona em que criou o cluster. Verifique se o tamanho e o tipo de volume EBS são adequados para a sua utilização.
+
+#### Exemplo de configuração do AWS EBS
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-ebs
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /test-ebs
+      name: test-volume
+  volumes:
+  - name: test-volume
+    # Esse volume AWS EBS já deve existir.
+    awsElasticBlockStore:
+      volumeID: "<volume id>"
+      fsType: ext4
+```
+
+Se o volume EBS estiver particionado, é possível informar o campo opcional `partition: "<partition em umber>"` para especificar em que partição deve ser montado.
+
+#### Migração de CSI do AWS EBS
+
+{{< feature-state for_k8s_version="v1.17" state="beta" >}}
+
+Quando o recurso `CSIMigration` para `awsElasticBlockStore` está habilitado, todas as operações de plugin do tipo in-tree são redirecionadas para o driver Cointainer Storage Interface (CSI) `ebs.csi.aws.com`. Para usar esse recurso, o [driver CSI AWS EBS](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) deve estar instalado no cluster e os recursos beta `CSIMigration` e `CSIMigrationAWS` devem estar ativados.
+
+#### Migração CSI AWS EBS concluída
+
+{{< feature-state for_k8s_version="v1.17" state="alpha" >}}
+
+Para desabilitar o carregamento do plugin de armazenamento `awsElasticBlockStore` pelo gerenciador de controladores e pelo kubelet, defina a flag `InTreePluginAWSUnregister` como `true`.
+
+### azureDisk {#azuredisk}
+
+O tipo de volume `azureDisk` monta um [Disco de Dados](https://docs.microsoft.com/en-us/azure/aks/csi-storage-drivers) Microsoft Azure em um pod.
+
+Para obter mais detalhes, consulte [plugin de volume `azureDisk`](https://github.com/kubernetes/examples/tree/master/staging/volumes/azure_disk/README.md).
+
+#### Migração de CSI do azureDisk
+
+{{< feature-state for_k8s_version="v1.19" state="beta" >}}
+
+Quando o recurso `CSIMigration` para `azureDisk` está habilitado, todas as operações de plugin do tipo in-tree são redirecionadas para o Driver de Cointêiner Storage Interface (CSI) `disk.csi.azure.com`. Para utilizar este recurso, o [Driver CSI Azure Disk](https://github.com/kubernetes-sigs/azuredisk-csi-driver) deve estar instalado no cluster e os recursos `CSIMigration` e `CSIMigrationAzureDisk` devem estar ativados.
+
+#### Migração CSI azureDisk concluída
+
+{{< feature-state for_k8s_version="v1.21" state="alpha" >}}
+
+Para desabilitar o carregamento do plugin de armazenamento `azureDisk` pelo gerenciador de controladores e pelo kubelet, defina a flag `InTreePluginAzureDiskUnregister` como `true`.
+
+### azureFile {#azurefile}
+
+O tipo de volume `azureFile` monta um volume de arquivo Microsoft Azure (SMB 2.1 e 3.0) em um pod.
+
+Para obter mais detalhes, consulte [plugin de volume `azureFile`](https://github.com/kubernetes/examples/tree/master/staging/volumes/azure_file/README.md).
+
+#### Migração de CSI azureFile
+
+{{< feature-state for_k8s_version="v1.21" state="beta" >}}
+
+Quando o recurso `CSIMigration` para `azureFile` está habilitado, todas as operações de plugin do tipo in-tree são redirecionadas para o Driver de Cointainer Storage Interface (CSI) `file.csi.azure.com`. Para utilizar este recurso, o [Driver CSI do Azure Disk](https://github.com/kubernetes-sigs/azurefile-csi-driver) deve estar instalado no cluster e as [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) `CSIMigration` e `CSIMigrationAzureFile` devem estar habilitadas.
+
+O driver de CSI do Azure File não oferece suporte ao uso do mesmo volume por fsgroups diferentes, se a migração de CSI Azurefile estiver habilitada, o uso do mesmo volume por fsgroups diferentes não será suportado.
+
+#### Migração do CSI azureFile concluída
+
+{{< feature-state for_k8s_version="v1.21" state="alpha" >}}
+
+Para desabilitar o carregamento do plugin de armazenamento `azureFile` pelo gerenciador de controladores e pelo kubelet, defina a flag `InTreePluginAzureFileUnregister` como `true`.
+
+### cephfs
+
+Um volume `cephfs` permite que um volume CephFS existente seja montado no seu Pod. Ao contrário do `emptyDir` que é apagado quando um pod é removido, o conteúdo de um volume `cephfs` é preservado e o volume é simplesmente desmontado. Isto significa que um volume `cephfs` pode ser previamente populado com dados e que os dados podem ser compartilhados entre os Pods. O volume `cephfs` pode ser montado por vários gravadores simultaneamente.
+
+{{< note >}} Você deve ter seu próprio servidor Ceph funcionando com o compartilhamento acessível antes de poder utilizá-lo. {{< /note >}}
+
+Consulte o [ exemplo CephFS](https://github.com/kubernetes/examples/tree/master/volumes/cephfs/) para mais detalhes.
+
+### cinder
+
+{{< note >}} O Kubernetes deve ser configurado com o provedor de nuvem OpenStack. {{< /note >}}
+
+O tipo de volume `cinder` é utilizado para montar o volume do OpenStack Cinder no seu pod.
+
+#### Exemplo de configuração de volume Cinder
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cinder
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-cinder-container
+    volumeMounts:
+    - mountPath: /test-cinder
+      name: test-volume
+  volumes:
+  - name: test-volume
+    # Esse volume OpenStack já deve existir.
+    cinder:
+      volumeID: "<volume id>"
+      fsType: ext4
+```
+
+#### Migração de CSI OpenStack
+
+{{< feature-state for_k8s_version="v1.21" state="beta" >}}
+
+O recurso `CSIMigration` para o Cinder é ativado por padrão no Kubernetes 1.21. Ele redireciona todas as operações de plugin do tipo in-tree para o Driver de Cointainer Storage Interface (CSI) `cinder.csi.openstack.org`. O [Driver CSI OpenStack Cinder](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) tem de estar instalado no cluster. Você pode desativar a migração Cinder CSI para o seu cluster definindo a [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) `CSIMigrationOpenStack` como `false`. Se você desativar o recurso `CSIMigrationOpenStack`, o plugin de volume in-tree do Cinder assume a responsabilidade por todos os aspectos do gerenciamento de armazenamento de volume do Cinder.
+
+### configMap
+
+Um [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) oferece uma forma de injetar dados de configuração em Pods. Os dados armazenados em um ConfigMap podem ser referenciados em um volume de tipo `configMap` e depois consumidos por aplicações conteinerizadas executadas em um pod.
+
+Ao referenciar um ConfigMap, você informa o nome do ConfigMap no volume. Pode personalizar o caminho utilizado para uma entrada específica no ConfigMap. A seguinte configuração mostra como montar o `log-config` do ConfigMap em um Pod chamado `configmap-pod`:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: configmap-pod
+spec:
+  containers:
+    - name: test
+      image: busybox:1.28
+      volumeMounts:
+        - name: config-vol
+          mountPath: /etc/config
+  volumes:
+    - name: config-vol
+      configMap:
+        name: log-config
+        items:
+          - key: log_level
+            path: log_level
+```
+
+O ConfigMap `log-config` é montado como um volume e todos os conteúdos armazenados em sua entrada `log_level` são montados no Pod através do caminho `/etc/config/log_level`. Observe que esse caminho é derivado do volume `mountPath`e do `path` configurado com `log_level`.
+
+{{< note >}}
+
+* É preciso criar um [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) antes de usá-lo.
+
+* Um contêiner que utiliza ConfigMap através de um ponto de montagem com a propriedade [`subPath`](#using-subpath) não receberá atualizações deste ConfigMap.
+
+* Os dados de texto são expostos como arquivos utilizando a codificação de caracteres UTF-8. Para outras codificações de caracteres, use `binaryData`. {{< /note >}}
+
+### downwardAPI {#downwardapi}
+
+Um volume `downwardAPI` disponibiliza dados da downward API para as aplicações. Ele monta um diretório e grava os dados solicitados em arquivos de texto sem formatação.
+
+{{< note >}} Um contêiner que utiliza downward API através de um ponto de montagem com a propriedade [`subPath`](#using-subpath) não receberá atualizações desta downward API. {{< /note >}}
+
+Consulte [o exemplo de downward API](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/) para obter mais detalhes.
+
+### emptyDir {#emptydir}
+
+Um volume `emptyDir` é criado pela primeira vez quando um Pod é atribuído a um nó e existe enquanto esse Pod estiver sendo executado nesse nó. Como o nome diz, o volume `emptyDir` está inicialmente vazio. Todos os contêineres no Pod podem ler e gravar os mesmos arquivos no volume `emptyDir`, embora esse volume possa ser montado no mesmo caminho ou em caminhos diferentes em cada contêiner. Quando um Pod é removido de um nó por qualquer motivo, os dados no `emptyDir` são eliminados permanentemente.
+
+{{< note >}} A falha de um contêiner *não* remove um Pod de um nó. Os dados em um volume `emptyDir` são mantidos em caso de falha do contêiner. {{< /note >}}
+
+Alguns usos para um `emptyDir` são:
+
+* espaço temporário, como para uma merge sort baseado em disco
+* ponto de verificação de um processamento longo para recuperação de falhas
+* manter arquivos que um contêiner gerenciador de conteúdo busca enquanto um contêiner de webserver entrega os dados
+
+Dependendo do seu ambiente, os volumes `emptyDir` são armazenados em qualquer mídia que componha o nó, como disco ou SSD, ou armazenamento de rede. No entanto, se você definir o campo `emptyDir.medium` como `"Memory"`, o Kubernetes monta um tmpfs (sistema de arquivos com suporte de RAM) para você. Embora o tmpfs seja muito rápido, tenha em atenção que, ao contrário dos discos, o tmpfs é limpo na reinicialização do nó e quaisquer arquivos que grave consomem o limite de memória do seu contêiner.
+
+{{< note >}} Se a [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) `SizeMemoryBackedVolumes` estiver habilitada, é possível especificar um tamanho para volumes mantidos em memória.  Se nenhum tamanho for especificado, os volumes mantidos em memória são dimensionados para 50% da memória em um host Linux. {{< /note>}}
+
+#### Exemplo de configuração emptyDir
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pd
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /cache
+      name: cache-volume
+  volumes:
+  - name: cache-volume
+    emptyDir: {}
+```
+
+### fc (fibre channel) {#fc}
+
+Um tipo de volume `fc` permite que um volume de armazenamento de fibre channel existente seja montado em um Pod. Você pode especificar um ou vários WWNs usando o parâmetro `targetWWNs` em sua configuração de volume. Se forem especificados vários WWNs, o targetWWNs espera que esses WWNs sejam de conexões multipath.
+
+{{< note >}} Para que os hosts Kubernetes possam acessá-los, é necessário configurar o zoneamento FC SAN para alocar e mascarar essas LUNs (volumes) para os WWNs de destino. {{< /note >}}
+
+Consulte [o exemplo de fibre channel](https://github.com/kubernetes/examples/tree/master/staging/volumes/fibre_channel) para obter mais detalhes.
+
+### flocker (descontinuado) {#flocker}
+
+[Flocker](https://github.com/ClusterHQ/flocker) é um gerenciador de volumes de dados de contêineres em cluster de código aberto. O Flocker oferece gerenciamento e orquestração de volumes de dados suportados por uma variedade de backends de armazenamento.
+
+Um volume `flocker` permite que um conjunto de dados Flocker seja montado em um Pod. Se o conjunto de dados ainda não existir no Flocker, ele precisará ser criado primeiro com o CLI do Flocker ou usando a API do Flocker. Se o conjunto de dados já existir, ele será anexado pelo Flocker ao nó que o pod está escalonado. Isto significa que os dados podem ser compartilhados entre os Pods, conforme necessário.
+
+{{< note >}} Antes de poder utilizá-lo, é necessário ter a sua própria instalação do Flocker em execução. {{< /note >}}
+
+Consulte [exemplo do Flocker](https://github.com/kubernetes/examples/tree/master/staging/volumes/flocker) para obter mais detalhes.
+
+### gcePersistentDisk
+
+Um volume `gcePersistentDisk` monta um [disco persistente](https://cloud.google.com/compute/docs/disks) (PD) do Google Compute Engine (GCE) no seu Pod. Ao contrário do `emptyDir` que é apagado quando um pod é removido, o conteúdo de um PD é preservado e o volume é simplesmente desmontado. Isto significa que um PD pode ser previamente populado com dados e que os dados podem ser compartilhados entre os Pods.
+
+{{< note >}} Você dever criar um PD utilizando `gcloud`, ou via GCE API ou via UI antes de poder utilizá-lo. {{< /note >}}
+
+Existem algumas restrições ao utilizar um `gcePersistentDisk`:
+
+* Os nós nos quais os Pods estão sendo executados devem ser VMs GCE
+* Essas VMs precisam estar no mesmo projeto e zona GCE que o disco persistente
+
+Uma característica do disco persistente GCE é o acesso simultâneo somente leitura a um disco persistente. Um volume `gcePersistentDisk` permite que vários consumidores montem simultaneamente um disco persistente como somente leitura. Isto significa que é possível alimentar previamente um PD com o seu conjunto de dados e, em seguida, disponibilizá-lo em paralelo a quantos Pods necessitar. Infelizmente, os PDs só podem ser montados por um único consumidor no modo de leitura e escrita. Não são permitidos gravadores simultâneos.
+
+O uso de um disco persistente GCE com um Pod controlado por um ReplicaSet falhará, a menos que o PD seja somente leitura ou a contagem de réplica seja 0 ou 1.
+
+#### Criando um disco persistente GCE {#gce-create-persistent-disk}
+
+Antes de poder utilizar um disco persistente GCE com um Pod, é necessário criá-lo.
+
+```shell
+gcloud compute disks create --size=500GB --zone=us-central1-a my-data-disk
+```
+
+#### Exemplo de configuração de disco persistente GCE
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pd
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /test-pd
+      name: test-volume
+  volumes:
+  - name: test-volume
+    # Esse Disco Persistente (PD) GCE já deve existir.
+    gcePersistentDisk:
+      pdName: my-data-disk
+      fsType: ext4
+```
+
+#### Discos persistentes regionais
+
+O recurso de [Discos persistentes regionais](https://cloud.google.com/compute/docs/disks/#repds) permite a criação de discos persistentes que estão disponíveis em duas zonas dentro da mesma região. Para usar esse recurso, o volume deve ser provisionado como PersistentVolume; referenciar o volume diretamente a partir de um pod não é uma configuração suportada.
+
+#### Provisionar manualmente um PersistentVolume PD Regional
+
+O provisionamento dinâmico é possível usando [uma StorageClass para GCE PD](/docs/concepts/storage/storage-classes/#gce). Antes de criar um PersistentVolume, você deve criar o disco persistente:
+
+```shell
+gcloud compute disks create --size=500GB my-data-disk
+  --region us-central1
+  --replica-zones us-central1-a,us-central1-b
+```
+
+#### Exemplo de configuração de disco persistente regional
+
+```yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: test-volume
+spec:
+  capacity:
+    storage: 400Gi
+  accessModes:
+  - ReadWriteOnce
+  gcePersistentDisk:
+    pdName: my-data-disk
+    fsType: ext4
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        # failure-domain.beta.kubernetes.io/zone deve ser usado para versões anteriores à 1.21
+        - key: topology.kubernetes.io/zone
+          operator: In
+          values:
+          - us-central1-a
+          - us-central1-b
+```
+
+#### Migração do CSI GCE
+
+{{< feature-state for_k8s_version="v1.17" state="beta" >}}
+
+Quando o recurso `CSIMigration` para o GCE PD é habilitado, todas as operações de plugin do plugin in-tree existente são redirecionadas para o Driver de Cointainer Storage Interface (CSI) `pd.csi.storage.gke.io`. Para utilizar este recurso, o [Driver CSI GCE PD](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) deve ser instalado no cluster e os recursos beta `CSIMigration` e `CSIMigrationGCE` devem estar habilitados.
+
+#### Migração de CSI GCE concluída
+
+{{< feature-state for_k8s_version="v1.21" state="alpha" >}}
+
+Para desabilitar o carregamento do plugin de armazenamento `gcePersistentDisk` pelo gerenciador de controladores e pelo kubelet, defina a flag `InTreePluginGCEUnregister` como `true`.
+
+### gitRepo (descontinuado) {#gitrepo}
+
+{{< warning >}}O tipo de volume `gitRepo` foi descontinuado. Para provisionar um contêiner com um repositório git , monte um [EmptyDir](#emptydir) em um InitContainer que clone o repositório usando git, depois monte [o EmptyDir](#emptydir) no contêiner do Pod. {{< /warning >}}
+
+Um volume `gitRepo` é um exemplo de um plugin de volume. Este plugin monta um diretório vazio e clona um repositório git neste diretório para que seu Pod utilize.
+
+Aqui está um exemplo de um volume `gitRepo`:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: server
+spec:
+  containers:
+  - image: nginx
+    name: nginx
+    volumeMounts:
+    - mountPath: /mypath
+      name: git-volume
+  volumes:
+  - name: git-volume
+    gitRepo:
+      repository: "git@somewhere:me/my-git-repository.git"
+      revision: "22f1d8406d464b0c0874075539c1f2e96c253775"
+```
+
+### glusterfs
+
+Um volume `glusterfs` permite que um volume [Glusterfs](https://www.gluster.org) (um sistema de arquivos em rede de código aberto) seja montado no seu Pod. Ao contrário do `emptyDir` que é apagado quando um Pod é removido, o conteúdo de um volume `glusterfs` é preservado e o volume é simplesmente desmontado. Isto significa que um volume glusterfs pode ser previamente populado com dados e que os dados podem ser compartilhados entre Pods. O GlusterFS pode ser montado para escrita por vários pods simultaneamente.
+
+{{< note >}} Para poder utilizá-lo, é necessário ter a sua própria instalação do GlusterFS em execução. {{< /note >}}
+
+Consulte o [exemplo do GlusterFS](https://github.com/kubernetes/examples/tree/master/volumes/glusterfs) para obter mais detalhes.
+
+### hostPath {#hostpath}
+
+{{< warning >}} Os volumes HostPath apresentam muitos riscos de segurança e é uma prática recomendada evitar o uso de HostPaths quando possível. Quando um volume HostPath precisa ser usado, ele deve ser definido com escopo apenas para o arquivo ou diretório necessário e montado como ReadOnly.
+
+Se você restringir o acesso do HostPath a diretórios específicos através da AdmissionPolicy, a propriedade `volumeMounts` DEVE obrigatoriamente usar pontos de montagem `readOnly` para que a política seja eficaz. {{< /warning >}}
+
+Um volume `hostPath` monta um arquivo ou diretório do sistema de arquivos do nó do host em seu Pod. Isto não é algo de que a maioria dos Pods irá precisar, mas oferece uma poderosa alternativa de escape para algumas aplicações.
+
+Por exemplo, alguns usos para um `hostPath` são:
+
+* Executar um contêiner que necessita de acesso aos documentos internos do Docker; utilizar um `hostPath` apontando para `/var/lib/docker`
+* Executando o cAdvisor em um contêiner; use um `hostPath` apontando para `/sys`
+* Permitir que um Pod especifique se um dado `hostPath` deve existir antes de o Pod ser executado, se deve ser criado e como deve existir
+
+Além da propriedade obrigatória `path` , você pode opcionalmente definir um `type` para um volume `hostPath`.
+
+Os valores suportados para o campo `type` são:
+
+| Valor| Comportamento|
+|:----------|:----------|
+| | A string vazia (padrão) é para compatibilidade com versões anteriores, o que significa que nenhuma verificação será executada antes de montar o volume hostPath.|
+| `DirectoryOrCreate`| Se nada existir no caminho indicado, um diretório vazio será criado lá, conforme necessário, com permissão definida para 0755, tendo o mesmo grupo e propriedade com a Kubelet.|
+| `Directory`| Um diretório deve existir no caminho indicado|
+| `FileOrCreate`| Se não houver nada no caminho indicado, um arquivo vazio será criado lá, conforme necessário, com permissão definida para 0644, tendo o mesmo grupo e propriedade com Kubelet.|
+| `File`| Um arquivo deve existir no caminho indicado|
+| `Socket`| Um socket UNIX deve existir no caminho indicado|
+| `CharDevice`| Deve existir um dispositivo de caracteres no caminho indicado|
+| `BlockDevice`| Deve existir um dispositivo de bloco no caminho indicado|
+
+Tenha cuidado ao utilizar este tipo de volume, porque:
+
+* Os HostPaths podem expor as credenciais privilegiadas do sistema (como para o Kubelet) ou APIs privilegiadas (como o container runtime socket), que podem ser usadas para o explorar vulnerabilidades de escape do contêiner ou para atacar outras partes do cluster.
+* Os Pods com configuração idêntica (como criado a partir de um PodTemplate) podem se comportar de forma diferente em nós diferentes devido a arquivos diferentes nos nós
+* Os arquivos ou diretórios criados nos hosts subjacentes são graváveis apenas pelo root. Você precisa executar seu processo como root em um [contêiner privilegiado](/docs/tasks/configure-pod-container/security-context/) ou modificar as permissões de arquivo no host para poder gravar em um volume `hostPath`
+
+#### Exemplo de configuração do hostPath
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pd
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /test-pd
+      name: test-volume
+  volumes:
+  - name: test-volume
+    hostPath:
+      # localização do diretório no host
+      path: /data
+      # este campo é opcional
+      type: Directory
+```
+
+{{< caution >}} O modo `FileOrCreate` não cria o diretório onde ficará arquivo. Se o caminho de diretório do arquivo montado não existir, o pod não será iniciado. Para garantir que esse modo funcione, você pode tentar montar diretórios e arquivos separadamente, como mostrado em [configuração `FileOrCreate`](#hostpath-fileorcreate-example). {{< /caution >}}
+
+#### Exemplo de configuração FileOrCreate do hostPath {#hostpath-fileorcreate-example}
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-webserver
+spec:
+  containers:
+  - name: test-webserver
+    image: k8s.gcr.io/test-webserver:latest
+    volumeMounts:
+    - mountPath: /var/local/aaa
+      name: mydir
+    - mountPath: /var/local/aaa/1.txt
+      name: myfile
+  volumes:
+  - name: mydir
+    hostPath:
+      # Certifique-se de que o diretório foi criado.
+      path: /var/local/aaa
+      type: DirectoryOrCreate
+  - name: myfile
+    hostPath:
+      path: /var/local/aaa/1.txt
+      type: FileOrCreate
+```
+
+### iscsi
+
+Um volume `iscsi` permite que um volume iSCSI (SCSI sobre IP) existente seja montado no seu Pod. Ao contrário do `emptyDir` que é apagado quando um Pod é removido, o conteúdo de um volume `iscsi` é preservado e o volume é simplesmente desmontado. Isto significa que um volume iscsi pode ser previamente populado com dados e que os dados podem ser compartilhados entre os Pods.
+
+{{< note >}} Você deve ter seu próprio servidor iSCSI rodando com o volume criado antes de poder utilizá-lo. {{< /note >}}
+
+Uma característica do iSCSI é que ele pode ser montado como somente leitura por vários consumidores simultaneamente. Isto significa que um volume pode ser previamente populado com seu conjunto de dados e, em seguida, ser disponibilizado em paralelo para tantos Pods quanto necessitar. Infelizmente, os volumes iSCSI só podem ser montados por um único consumidor no modo de leitura-escrita. Não são permitidos gravadores simultâneos.
+
+Consulte o [exemplo iSCSI](https://github.com/kubernetes/examples/tree/master/volumes/iscsi) para obter mais detalhes.
+
+### local
+
+Um volume `local` representa um dispositivo de armazenamento local montado, como um disco, partição ou diretório.
+
+Os volumes locais só podem ser usados como um PersistentVolume criado estaticamente. O provisionamento dinâmico não é suportado.
+
+Em comparação com volumes `hostPath`, os volumes `local` são usados de forma durável e portátil, sem escalonamento manual dos Pods para os nós. O sistema está ciente das restrições de nós do volume, observando a afinidade do nó com o PersistentVolume.
+
+No entanto, os volumes `local` estão sujeitos à disponibilidade do nó que o comporta e não são adequados para todas as aplicações. Se um nó não está íntegro, então o volume `local` torna-se inacessível pelo pod. O pod que utiliza este volume não consegue ser executado. Os aplicativos que usam volumes `local` devem ser capazes de tolerar essa disponibilidade reduzida, bem como uma possível perda de dados, dependendo das caraterísticas de durabilidade do disco subjacente.
+
+O exemplo a seguir mostra um PersistentVolume usando um volume `local` e `nodeAffinity`:
+
+```yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: example-pv
+spec:
+  capacity:
+    storage: 100Gi
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Delete
+  storageClassName: local-storage
+  local:
+    path: /mnt/disks/ssd1
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - example-node
+```
+
+É preciso definir a propriedade `nodeAffinity` do PersistentVolume ao utilizar volumes `local`. O escalonador do Kubernetes usa o PersistentVolume `nodeAffinity` para escalonar esses pods para o nó correto.
+
+A propriedade `volumeMode` do PersistentVolume pode ser definida como "Block" (ao invés do valor padrão "Filesystem") para expor o volume local como um dispositivo de bloco bruto.
+
+Ao usar volumes locais, é recomendável criar uma StorageClass com a propriedade `volumeBindingMode` definida como `WaitForFirstConsumer`. Para obter mais detalhes, consulte o exemplo local [StorageClass](/docs/concepts/storage/storage-classes/#local). A postergação da vinculação do volume garante que a decisão de vinculação da PersistentVolumeClaim também será avaliada com quaisquer outras restrições de nós que o Pod possa ter, tais como requisitos de recursos de nós, seletores de nós, afinidade do Pod e anti afinidade do Pod.
+
+Um provisionador estático externo pode ser executado separadamente para uma melhor gestão do ciclo de vida do volume local. Observe que este provisionador ainda não suporta o provisionamento dinâmico. Para um exemplo sobre como executar um provisionador local externo, veja o [manual do usuário do provisionador local do volume](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner).
+
+{{< note >}} O PersistentVolume local exige que o usuário faça limpeza e remoção manual se o provisionador estático externo não for utilizado para gerenciar o ciclo de vida do volume. {{< /note >}}
+
+### nfs
+
+Um volume `nfs` permite que um compartilhamento NFS (Network File System) existente seja montado em um Pod. Ao contrário do `emptyDir` que é apagado quando um Pod é removido, o conteúdo de um volume `nfs` é preservado e o volume é simplesmente desmontado. Isto significa que um volume NFS pode ser previamente populado com dados e que os dados podem ser compartilhados entre os Pods. O NFS pode ser montado por vários gravadores simultaneamente.
+
+{{< note >}} Você deve ter seu próprio servidor NFS rodando com o compartilhamento acessível antes de poder utilizá-lo. {{< /note >}}
+
+Consulte o [exemplo NFS](https://github.com/kubernetes/examples/tree/master/staging/volumes/nfs) para obter mais detalhes.
+
+### persistentVolumeClaim {#persistentvolumeclaim}
+
+Um volume `persistentVolumeClaim` é usado para montar um [PersistentVolume](/pt-br/docs/concepts/storage/persistent-volumes/) em um Pod. PersistentVolumeClaims são uma forma de os usuários "solicitarem" armazenamento durável (como um GCE PersistentDisk ou um volume iSCSI) sem conhecerem os detalhes do ambiente de nuvem em particular.
+
+Consulte as informações sobre [PersistentVolumes](/pt-br/docs/concepts/storage/persistent-volumes/) para obter mais detalhes.
+
+### portworxVolume {#portworxvolume}
+
+Um `portworxVolume` é uma camada de armazenamento em bloco extensível que funciona hiperconvergente com Kubernetes. O [Portworx](https://portworx.com/use-case/kubernetes-storage/) tira as impressões digitais de um armazenamento em um servidor, organiza com base nas capacidades e agrega capacidade em múltiplos servidores. Portworx funciona em máquinas virtuais ou em nós Linux bare-metal.
+
+Um `portworxVolume` pode ser criado dinamicamente através do Kubernetes ou também pode ser previamente provisionado e referenciado dentro de um Pod. Aqui está um exemplo de um Pod referenciando um volume Portworx pré-provisionado:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-portworx-volume-pod
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /mnt
+      name: pxvol
+  volumes:
+  - name: pxvol
+    # Este volume Portworx já deve existir.
+    portworxVolume:
+      volumeID: "pxvol"
+      fsType: "<fs-type>"
+```
+
+{{< note >}} Certifique-se de ter um PortworxVolume com o nome `pxvol` antes de usá-lo no Pod. {{< /note >}}
+
+Para obter mais detalhes, consulte os exemplos de [volume Portworx](https://github.com/kubernetes/examples/tree/master/staging/volumes/portworx/README.md) .
+
+### projetado
+
+Um volume projetado mapeia várias fontes de volume existentes dentro do mesmo diretório. Para obter mais detalhes, consulte [Volumes projetados](/docs/concepts/storage/projected-volumes/).
+
+### quobyte (descontinuado) {#quobyte}
+
+Um Volume `quobyte` permite que um volume [Quobyte](https://www.quobyte.com) existente seja montado no seu Pod.
+
+{{< note >}} Você deve ter seu próprio Quobyte configurado e funcionando com os volumes criados antes de poder utilizá-lo. {{< /note >}}
+
+Quobyte oferece suporte para o {{< glossary_tooltip text="Container Storage Interface" term_id="csi" >}}. CSI é o plugin recomendado para usar volumes Quobyte dentro de Kubernetes. O projeto GitHub da Quobyte tem [instruções](https://github.com/quobyte/quobyte-csi#quobyte-csi) para implantar o Quobyte usando o CSI, acompanhado de exemplos.
+
+### rbd
+
+Um volume `rbd` permite que um volume [Rados Block Device](https://docs.ceph.com/en/latest/rbd/) (RBD) seja montado em seu Pod. Ao contrário do `emptyDir` que é apagado quando um pod é removido, o conteúdo de um volume `rbd` é preservado e o volume é desmontado. Isto significa que um volume RBD pode ser previamente populado com dados e que os dados podem ser compartilhados entre os Pods.
+
+{{< note >}} Você deve ter uma instalação Ceph em funcionamento antes de poder usar o RBD. {{< /note >}}
+
+Uma caraterística do RBD é que ele pode ser montado como somente leitura por vários consumidores simultaneamente. Isto significa que um volume pode ser previamente populado com seu conjunto de dados e, em seguida, ser disponibilizado em paralelo para tantos pods quanto necessitar. Infelizmente, os volumes RBD só podem ser montados por um único consumidor no modo de leitura-escrita. Não são permitidos gravadores simultâneos.
+
+Consulte o [exemplo RBD](https://github.com/kubernetes/examples/tree/master/volumes/rbd) para obter mais detalhes.
+
+#### Migração de CSI RBD {#rbd-csi-migration}
+
+{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+
+Quando o recurso `CSIMigration` do `RBD` está ativado, redireciona todas as operações do plugin in-tree existente para o driver {{< glossary_tooltip text="CSI" term_id="csi" >}} `rbd.csi.ceph.com`. Para utilizar este recurso, o [driver Ceph CSI](https://github.com/ceph/ceph-csi) deve estar instalado no cluster e as [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) `CSIMigration` e `csiMigrationRBD` devem estar habilitadas.
+
+{{< note >}}
+
+Como operador do cluster Kubernetes que administra o armazenamento, aqui estão os pré-requisitos que você deve atender antes de tentar a migração para o driver CSI RBD:
+
+* Você deve instalar o driver Ceph CSI (`rbd.csi.ceph.com`), v3.5.0 ou superior, no cluster Kubernetes.
+* Considerando que o campo `clusterID` é um parâmetro necessário para o driver CSI e sua operação , mas o campo in-tree StorageClass tem o parâmetro obrigatório `monitors`, um administrador de armazenamento Kubernetes precisa criar um clusterID baseado no hash dos monitores (ex.:`#echo -n '<monitors_string>' | md5sum`) no mapa de configuração do CSI e manter os monitores sob esta configuração de clusterID.
+* Além disso, se o valor de `adminId` no Storageclass in-tree for diferente de `admin`, o `adminSecretName` mencionado no Storageclass in-tree tem que ser corrigido com o valor base64 do valor do parâmetro `adminId`, caso contrário esta etapa pode ser ignorada. {{< /note >}}
+
+### secret
+
+Um volume `secret` é usado para passar informações sensíveis, tais como senhas, para Pods. Você pode armazenar segredos na API Kubernetes e montá-los como arquivos para serem usados por pods sem necessidade de vinculação direta ao Kubernetes. Volumes `secret` são mantidos pelo tmpfs (um sistema de arquivos com baseado em memória RAM) para que nunca sejam gravados em armazenamento não volátil.
+
+{{< note >}}Você deve criar um Secret na API Kubernetes antes de poder utilizá-lo. {{< /note >}}
+
+{{< note >}} Um contêiner que utiliza um Secret como ponto de montagem para a propriedade [`subPath`](#using-subpath) não receberá atualizações deste Secret. {{< /note >}}
+
+Para obter mais detalhes, consulte [Configurando Secrets](/pt-br/docs/concepts/configuration/secret/).
+
+### storageOS (descontinuado) {#storageos}
+
+Um volume `storageos` permite que um volume [StorageOS](https://www.storageos.com) existente seja montado em seu Pod.
+
+O StorageOS funciona como um contêiner dentro de seu ambiente Kubernetes, tornando o armazenamento local ou anexado acessível a partir de qualquer nó dentro do cluster Kubernetes. Os dados podem ser replicados para a proteção contra falhas do nó. O provisionamento e a compressão podem melhorar a utilização e reduzir os custos.
+
+Em sua essência, o StorageOS fornece armazenamento em bloco para containers, acessível a partir de um sistema de arquivo.
+
+O Conteiner StorageOS requer Linux de 64 bits e não possui dependências adicionais. Uma licença para desenvolvedores está disponível gratuitamente.
+
+{{< caution >}} Você deve executar o container StorageOS em cada nó que deseja acessar os volumes do StorageOS ou que contribuirá com a capacidade de armazenamento para o pool. Para obter instruções de instalação, consulte a [documentação do StorageOS](https://docs.storageos.com). {{< /caution >}}
+
+O exemplo a seguir é uma configuração do Pod com StorageOS:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    name: redis
+    role: master
+  name: test-storageos-redis
+spec:
+  containers:
+    - name: master
+      image: kubernetes/redis:v1
+      env:
+        - name: MASTER
+          value: "true"
+      ports:
+        - containerPort: 6379
+      volumeMounts:
+        - mountPath: /redis-master-data
+          name: redis-data
+  volumes:
+    - name: redis-data
+      storageos:
+        # O volume `redis-vol01` já deve existir dentro do StorageOS no namespace `default`.
+        volumeName: redis-vol01
+        fsType: ext4
+```
+
+Para obter mais informações sobre StorageOS, provisionamento dinâmico e PersistentVolumeClaims, consulte os [exemplos do StorageOS](https://github.com/kubernetes/examples/blob/master/volumes/storageos).
+
+### vsphereVolume {#vspherevolume}
+
+{{< note >}} Você deve configurar o Kubernetes vSphere Cloud Provider. Para obter informações sobre a configuração do cloudprovider, consulte o [Guia Introdutório do vSphere](https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/). {{< /note >}}
+
+Um `vsphereVolume` é usado para montar um volume VMDK do vSphere em seu Pod. O conteúdo de um volume é preservado quando é desmontado. Ele suporta sistemas de armazenamento de dados tanto do tipo VMFS quanto do tipo VSAN.
+
+{{< note >}} Você deve criar o volume do VMDK vSphere usando um dos métodos a seguir antes de usar com um Pod. {{< /note >}}
+
+#### Criar um volume VMDK {#creating-vmdk-volume}
+
+Escolha um dos seguintes métodos para criar um VMDK.
+
+{{< tabs name="tabs_volumes" >}}
+{{% tab name="Criar usando vmkfstools" %}} 
+Primeiro acesse o ESX via ssh, depois use o seguinte comando para criar um VMDK:
+
+```shell
+vmkfstools -c 2G /vmfs/volumes/DatastoreName/volumes/myDisk.vmdk
+```
+
+{{% /tab %}}
+{{% tab name="Criar usando vmware-vdiskmanager" %}}
+Utilize o seguinte comando para criar um VMDK:
+
+```shell
+vmware-vdiskmanager -c -t 0 -s 40GB -a lsilogic myDisk.vmdk
+```
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+#### Exemplo de configuração do VMDK no vSphere {#vsphere-vmdk-configuration}
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-vmdk
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /test-vmdk
+      name: test-volume
+  volumes:
+  - name: test-volume
+    # This VMDK volume must already exist.
+    vsphereVolume:
+      volumePath: "[DatastoreName] volumes/myDisk"
+      fsType: ext4
+```
+
+Para obter mais informações, consulte os exemplos de [volume do vSphere](https://github.com/kubernetes/examples/tree/master/staging/volumes/vsphere) .
+
+#### Migração de CSI vSphere {#vsphere-csi-migration}
+
+{{< feature-state for_k8s_version="v1.19" state="beta" >}}
+
+Quando o recurso `CSIMigration` do `vsphereVolume` está ativado, redireciona todas as operações do plugin in-tree existente para o driver {{< glossary_tooltip text="CSI" term_id="csi" >}} `csi.vsphere.vmware.com`. Para usar esse recurso, o [driver CSI do vSphere](https://github.com/kubernetes-sigs/vsphere-csi-driver) deve estar instalado no cluster e as [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) `CSIMigration` e `CSIMigrationvSphere` devem estar habilitadas.
+
+Isso também requer que a versão mínima do vSphere vCenter/ESXi seja 7.0u1 e a versão mínima do hardware seja a VM versão 15.
+
+{{< note >}} Os seguintes parâmetros da StorageClass do plugin integrado `vsphereVolume` não são suportados pelo driver CSI do vSphere:
+
+* `diskformat`
+* `hostfailurestotolerate`
+* `forceprovisioning`
+* `cachereservation`
+* `diskstripes`
+* `objectspacereservation`
+* `iopslimit`
+
+Os volumes existentes criados usando esses parâmetros serão migrados para o driver CSI do vSphere, mas novos volumes criados pelo driver de CSI do vSphere não estarão respeitando esses parâmetros. {{< /note >}}
+
+#### Migração do CSI do vSphere foi concluída {#vsphere-csi-migration-complete}
+
+{{< feature-state for_k8s_version="v1.19" state="beta" >}}
+
+Para desativar o carregamento do plugin de armazenamento `vsphereVolume` pelo gerenciador de controladores e pelo kubelet, defina a flag `InTreePluginvSphereUnregister` como `true`. Você precisa instalar o driver `csi.vsphere.vmware.com` {{< glossary_tooltip text="CSI" term_id="csi" >}} em todos os nós de processamento.
+
+#### Migração de driver CSI do Portworx
+
+{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+
+O recurso `CSIMigration` para Portworx foi adicionado, mas desativado por padrão no Kubernetes 1.23 visto que está no estado alfa. Ele redireciona todas as operações de plugin do tipo in-tree para o Driver de Cointainer Storage Interface (CSI) `pxd.portworx.com`. [O driver CSI Portworx](https://docs.portworx.com/portworx-install-with-kubernetes/storage-operations/csi/) deve ser instalado no cluster. Para ativar o recurso, defina `CSIMigrationPortworx=true` no kube-controller-manager e no kubelet.
+
+## Utilizando subPath {#using-subpath}
+
+Às vezes, é útil compartilhar um volume para múltiplos usos em um único pod. A propriedade `volumeMounts.subPath` especifica um sub caminho dentro do volume referenciado em vez de sua raiz.
+
+O exemplo a seguir mostra como configurar um Pod com um ambiente LAMP (Linux, Apache, MySQL e PHP) usando um único volume compartilhado. Esta exemplo de configuração `subPath` não é recomendada para uso em produção.
+
+O código e os ativos da aplicação PHP mapeiam para a pasta do volume `html` e o banco de dados MySQL é armazenado na pasta do volume `mysql` . Por exemplo:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-lamp-site
+spec:
+    containers:
+    - name: mysql
+      image: mysql
+      env:
+      - name: MYSQL_ROOT_PASSWORD
+        value: "rootpasswd"
+      volumeMounts:
+      - mountPath: /var/lib/mysql
+        name: site-data
+        subPath: mysql
+    - name: php
+      image: php:7.0-apache
+      volumeMounts:
+      - mountPath: /var/www/html
+        name: site-data
+        subPath: html
+    volumes:
+    - name: site-data
+      persistentVolumeClaim:
+        claimName: my-lamp-site-data
+```
+
+### Usando subPath com variáveis de ambiente expandidas {#using-subpath-expanded-environment}
+
+{{< feature-state for_k8s_version="v1.17" state="stable" >}}
+
+Use o campo `subPathExpr` para construir nomes de diretório `subPath` a partir de variáveis de ambiente da downward API. As propriedades `subPath` e `subPathExpr` são mutuamente exclusivas.
+
+Neste exemplo, um `Pod` usa `subPathExpr` para criar um diretório `pod1` dentro do volume `hostPath` `/var/log/pods`. O volume `hostPath`recebe o nome `Pod` do `downwardAPI`. O diretório `/var/log/pods/pod1` do host é montado em `/logs` no contêiner.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod1
+spec:
+  containers:
+  - name: container1
+    env:
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.name
+    image: busybox:1.28
+    command: [ "sh", "-c", "while [ true ]; do echo 'Hello'; sleep 10; done | tee -a /logs/hello.txt" ]
+    volumeMounts:
+    - name: workdir1
+      mountPath: /logs
+      # A expansão de variáveis usa parênteses (não chaves).
+      subPathExpr: $(POD_NAME)
+  restartPolicy: Never
+  volumes:
+  - name: workdir1
+    hostPath:
+      path: /var/log/pods
+```
+
+## Recursos
+
+A mídia de armazenamento(como Disco ou SSD) de um volume `emptyDir` é determinada por meio do sistema de arquivos que mantém o diretório raiz do kubelet (normalmente `/var/lib/kubelet`). Não há limite para quanto espaço um volume `emptyDir` ou `hostPath` podem consumir, e não há isolamento entre contêineres ou entre pods.
+
+Para saber mais sobre como solicitar espaço usando uma especificação de recursos, consulte [como gerenciar recursos](/pt-br/docs/concepts/configuration/manage-resources-containers/).
+
+## Plugins de volume out-of-tree
+
+Os plugins de volume out-of-tree incluem o {{< glossary_tooltip text="Container Storage Interface" term_id="csi" >}} (CSI) e também o FlexVolume (que foi descontinuado). Esses plugins permitem que os fornecedores de armazenamento criem plugins de armazenamento personalizados sem adicionar seu código-fonte do plugin ao repositório Kubernetes.
+
+Anteriormente, todos os plugins de volume eram "in-tree". Os plugins "in-tree" eram construídos, vinculados, compilados e distribuídos com o código principal dos binários do Kubernetes. Isto significava que a adição de um novo sistema de armazenamento ao Kubernetes (um plugin de volume) exigia uma validação do código no repositório central de código Kubernetes.
+
+Tanto o CSI quanto o FlexVolume permitem que os plugins de volume sejam desenvolvidos independentemente da base de código Kubernetes e implantados (instalados) nos clusters Kubernetes como extensões.
+
+Para fornecedores de armazenamento que procuram criar um plugin de volume out-of-tree, consulte as [Perguntas mais frequentes sobre plugins de volume](https://github.com/kubernetes/community/blob/master/sig-storage/volume-plugin-faq.md).
+
+### csi
+
+O [Cointainer Storage Interface](https://github.com/container-storage-interface/spec/blob/master/spec.md) (CSI) define uma interface padrão para sistemas de orquestração de contêineres (como Kubernetes) para expor sistemas de armazenamento arbitrários a suas cargas de trabalho de contêiner.
+
+Leia a [proposta de design CSI](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md) para obter mais informações.
+
+{{< note >}} O suporte para as versões 0.2 e 0.3 da especificação CSI foi descontinuado no Kubernetes v1.13 e será removido em uma versão futura. {{< /note >}}
+
+{{< note >}} Os controladores CSI podem não ser compatíveis em todas as versões do Kubernetes. Consulte a documentação específica do driver CSI para ver as etapas de implantação suportadas para cada versão do Kubernetes e uma matriz de compatibilidade. {{< /note >}}
+
+Uma vez que um driver de volume compatível com CSI seja implantado em um cluster Kubernetes, os usuários podem usar o tipo de volume `csi` para anexar ou montar os volumes expostos pelo driver CSI.
+
+Um volume `csi` pode ser utilizado em um Pod de três formas diferentes:
+
+* Através de uma referência a [PersistentVolumeClaim](#persistentvolumeclaim)
+* com um [volume efêmero genérico](/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volume) (recurso alfa)
+* com [volume efêmero de CSI](/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume) se o driver suportar esse (recurso beta)
+
+Os seguintes campos estão disponíveis para administradores de armazenamento configurarem um volume persistente de CSI:
+
+* `driver`: Um valor do tipo string que especifica o nome do driver de volume a ser usado. Este valor deve corresponder ao valor retornado no `GetPluginInfoResponse` pelo driver CSI, conforme definido na [especificação CSI](https://github.com/container-storage-interface/spec/blob/master/spec.md#getplugininfo). Ele é usado pelo Kubernetes para identificar qual driver CSI chamar, e pelos componentes do driver CSI para identificar quais objetos PV pertencem ao driver CSI.
+* `volumeHandle`: Um valor do tipo string que identifica exclusivamente o volume. Este valor deve corresponder ao valor retornado no campo `volume.id` em `CreateVolumeResponse` pelo driver CSI, conforme definido na [especificação CSI](https://github.com/container-storage-interface/spec/blob/master/spec.md#createvolume). O valor é passado como `volume_id` em todas as chamadas para o driver de volume CSI quando se faz referência ao volume.
+* `readOnly`: Um valor booleano opcional que indica se o volume deve ser "ControllerPublished" (anexado) como somente leitura. O valor padrão é false. Este valor é passado para o driver CSI através do campo `readonly` em `ControllerPublishVolumeRequest`.
+* `fsType`: Se o `VolumeMode` do PV for `Filesystem` então este campo pode ser usado para especificar o sistema de arquivos que deve ser usado para montar o volume. Se o volume não tiver sido formatado e a formatação for suportada, este valor será utilizado para formatar o volume. Este valor é passado para o driver CSI através do campo `VolumeCapability` nas propriedades `ControllerPublishVolumeRequest`, `NodeStageVolumeRequest` e `NodePublishVolumeRequest`.
+* `volumeAttributes`: Um mapa de valores do tipo string para string que especifica propriedades estáticas de um volume. Este mapa deve corresponder ao mapa retornado no campo `volume.attributes` do `CreateVolumeResponse` pelo driver CSI, conforme definido na [especificação CSI](https://github.com/container-storage-interface/spec/blob/master/spec.md#createvolume). O mapa é passado para o driver CSI através do campo `volume_context` nas propriedades `ControllerPublishVolumeRequest`, `NodeStageVolumeRequest`, e `NodePublishVolumeRequest`.
+* `controllerPublishSecretRef`: Uma referência ao objeto Secret que contém informações confidenciais para passar ao driver CSI para completar as chamadas CSI `ControllerPublishVolume` e `ControllerUnpublishVolume`. Este campo é opcional e pode estar vazio se não for necessário nenhum segredo. Se o Secret contiver mais de um segredo, todos os segredos serão passados.
+* `nodeStageSecretRef`: Uma referência ao objeto Secret que contém informações confidenciais para passar ao driver de CSI para completar a chamada de CSI do `NodeStageVolume`. Este campo é opcional e pode estar vazio se não for necessário nenhum segredo. Se o Secret contiver mais de um segredo, todos os segredos serão passados.
+* `nodePublishSecretRef`: Uma referência ao objeto Secret que contém informações confidenciais para passar ao driver de CSI para completar a chamada de CSI do `NodePublishVolume`. Este campo é opcional e pode estar vazio se não for necessário nenhum segredo. Se o objeto Secret contiver mais de um segredo, todos os segredos serão passados.
+
+#### Suporte CSI para volume de bloco bruto
+
+{{< feature-state for_k8s_version="v1.18" state="stable" >}}
+
+Os fornecedores com drivers CSI externos podem implementar o suporte de volume de blocos brutos nas cargas de trabalho Kubernetes.
+
+Você pode configurar o [PersistentVolume/PersistentVolumeClaim com suporte de volume de bloco bruto](/pt-br/docs/concepts/storage/persistent-volumes/#suporte-a-volume-de-bloco-bruto) , como habitualmente, sem quaisquer alterações específicas de CSI.
+
+#### Volumes efêmeros de CSI
+
+{{< feature-state for_k8s_version="v1.16" state="beta" >}}
+
+É possível configurar diretamente volumes CSI dentro da especificação do Pod. Os volumes especificados desta forma são efêmeros e não persistem nas reinicializações do pod. Consulte [Volumes efêmeros](/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume) para obter mais informações.
+
+Para obter mais informações sobre como desenvolver um driver CSI, consulte a [documentação kubernetes-csi](https://kubernetes-csi.github.io/docs/)
+
+#### Migrando para drivers CSI a partir de plugins in-tree
+
+{{< feature-state for_k8s_version="v1.17" state="beta" >}}
+
+Quando o recurso `CSIMigration` está habilitado, direciona operações relacionadas a plugins in-tree existentes para plugins CSI correspondentes (que devem ser instalados e configurados). Como resultado, os operadores não precisam fazer nenhuma alteração de configuração para Storage Classes, PersistentVolumes ou PersistentVolumeClaims existentes (referindo-se aos plugins in-tree) quando a transição para um driver CSI que substitui um plugin in-tree.
+
+As operações e características que são suportadas incluem: provisionamento/exclusão, anexação/remoção, montargem/desmontagem e redimensionamento de volumes.
+
+Plugins in-tree que suportam `CSIMigration` e têm um driver CSI correspondente implementado são listados [em tipos de volumes](#volume-types).
+
+### flexVolume
+
+{{< feature-state for_k8s_version="v1.23" state="deprecated" >}}
+
+O FlexVolume é uma interface de plugin out-of-tree que usa um modelo baseado em execução para fazer interface com drivers de armazenamento. Os binários do driver FlexVolume devem ser instalados em um caminho de plugin de volume predefinido em cada nó e, em alguns casos, também nos nós da camada de gerenciamento.
+
+Os Pods interagem com os drivers do FlexVolume através do plugin de volume in-tree `flexVolume`. Para obter mais detalhes, consulte o documento [README](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md#readme) do FlexVolume.
+
+{{< note >}} O FlexVolume foi descontinuado. Usar um driver CSI out-of-tree é a maneira recomendada de integrar o armazenamento externo com Kubernetes.
+
+Os mantenedores do driver FlexVolume devem implementar um driver CSI e ajudar a migrar usuários de drivers FlexVolume para CSI. Os usuários do FlexVolume devem mover suas cargas de trabalho para usar o driver CSI equivalente. {{< /note >}}
+
+## Propagação de montagem
+
+A propagação de montagem permite compartilhar volumes montados por um contêiner para outros contêineres no mesmo pod, ou mesmo para outros pods no mesmo nó.
+
+A propagação de montagem de um volume é controlada pelo campo `mountPropagation` na propriedade `Container.volumeMounts`. Os seus valores são:
+
+* `None` - Este volume de montagem não receberá do host nenhuma montagem posterior que seja montada para este volume ou qualquer um de seus subdiretórios. De forma semelhante, nenhum ponto de montagem criado pelo contêiner será visível no host. Este é o modo padrão.
+  
+  Este modo é igual à propagação de montagem `private` conforme descrito na [documentação do kernel Linux](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt)
+
+* `HostToContainer` - Este volume de montagem receberá todas as montagens posteriores que forem montadas para este volume ou qualquer um de seus subdiretórios.
+  
+  Em outras palavras, se o host montar qualquer coisa dentro do volume de montagem, o container o visualizará montado ali.
+  
+  Da mesma forma, se qualquer Pod com propagação de montagem `Bidirectional` para o mesmo volume montar qualquer coisa lá, o contêiner com propagação de montagem `HostToContainer` o reconhecerá.
+  
+  Este modo é igual à propagação de montagem `rslave` conforme descrito na [documentação do kernel Linux](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt)
+
+* `Bidirectional` - Esta montagem de volume se comporta da mesma forma que a montagem de volume `HostToContainer`. Além disso, todas as montagens de volume criadas pelo contêiner serão propagadas de volta ao host e a todos os contêineres de todas os pods que utilizam o mesmo volume.
+  
+  Um caso de uso típico para este modo é um Pod com um driver FlexVolume ou CSI ou um Pod que precisa montar algo no host utilizando um volume `hostPath`.
+  
+  Este modo é igual à propagação de montagem `rshared` conforme descrito na [documentação do kernel Linux](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt)
+  
+  {{< warning >}} A propagação de montagem `Bidirectional` pode ser perigosa. Ela pode danificar o sistema operacional do host e, portanto, ela só é permitida em contêineres privilegiados. A familiaridade com o comportamento do kernel Linux é fortemente recomendada. Além disso, quaisquer montagens de volume criadas por contêineres em pods devem ser destruídas ( desmontadas) pelos contêineres ao final. {{< /warning >}}
+
+### Configuração
+
+Antes que a propagação da montagem possa funcionar corretamente em algumas distribuições (CoreOS, RedHat/Centos, Ubuntu), o compartilhamento de montagem deve ser configurado corretamente no Docker como mostrado abaixo.
+
+Edite seu arquivo de serviços `systemd` do Docker. Configure a propriedade `MountFlags` da seguinte forma:
+
+```shell
+MountFlags=shared
+```
+
+Ou, se a propriedade `MountFlags=slave`existir, remova-a. Em seguida, reinicie o daemon Docker:
+
+```shell
+sudo systemctl daemon-reload
+sudo systemctl restart docker
+```
+
+## {{% heading "whatsnext" %}}
+
+Siga um exemplo de [implantação do WordPress e MySQL com volumes persistentes](/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/).
diff --git a/content/pt-br/docs/concepts/workloads/controllers/cron-jobs.md b/content/pt-br/docs/concepts/workloads/controllers/cron-jobs.md
index 19c7cd8604fe0..564b626162931 100644
--- a/content/pt-br/docs/concepts/workloads/controllers/cron-jobs.md
+++ b/content/pt-br/docs/concepts/workloads/controllers/cron-jobs.md
@@ -20,7 +20,7 @@ Se a camada de gerenciamento do cluster executa o kube-controller-manager em Pod
 
 {{< /caution >}}
 
-Ao criar o manifesto para um objeto CronJob, verifique se o nome que você forneceu é um [nome de subdomínio DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
+Ao criar o manifesto para um objeto CronJob, verifique se o nome que você forneceu é um [nome de subdomínio DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 O nome não pode ter mais que 52 caracteres. Esta limitação existe porque o controlador do CronJob adicionará automaticamente 11 caracteres ao final do nome escolhido para a tarefa, e o tamanho máximo de um nome de tarefa não pode ultrapassar 63 caracteres.
 
 <!-- body -->
diff --git a/content/pt-br/docs/reference/glossary/application-developer.md b/content/pt-br/docs/reference/glossary/application-developer.md
new file mode 100644
index 0000000000000..037a9413ad78d
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/application-developer.md
@@ -0,0 +1,17 @@
+---
+title: Desenvolvedor de Aplicativos
+id: application-developer
+date: 2018-04-12
+full_link: 
+short_description: >
+  Uma pessoa que escreve um aplicativo que é executado em um cluster Kubernetes.
+
+aka: 
+tags:
+- user-type
+---
+ Uma pessoa que escreve um aplicativo que é executado em um cluster Kubernetes.
+
+<!--more--> 
+
+Um desenvolvedor de aplicativos se concentra em uma parte da aplicação. O seu foco pode variar significativamente em tamanho.
diff --git a/content/pt-br/docs/reference/glossary/applications.md b/content/pt-br/docs/reference/glossary/applications.md
new file mode 100644
index 0000000000000..a00ca0ec6cbaf
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/applications.md
@@ -0,0 +1,12 @@
+---
+title: Aplicações
+id: applications
+date: 2019-05-12
+full_link:
+short_description: >
+  A camada onde vários aplicativos em contêiner são executados.
+aka:
+tags:
+- fundamental
+---
+ A camada onde vários aplicativos em contêiner são executados.
diff --git a/content/pt-br/docs/reference/glossary/certificate.md b/content/pt-br/docs/reference/glossary/certificate.md
new file mode 100644
index 0000000000000..d43ead1f32cfd
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/certificate.md
@@ -0,0 +1,17 @@
+---
+title: Certificado
+id: certificate
+date: 2018-04-12
+full_link: /docs/tasks/tls/managing-tls-in-a-cluster/
+short_description: >
+  Um arquivo criptograficamente seguro usado para validar o acesso ao cluster Kubernetes.
+
+aka: 
+tags:
+- security
+---
+ Um arquivo criptograficamente seguro usado para validar o acesso ao cluster Kubernetes.
+
+<!--more--> 
+
+Os certificados permitem que aplicativos dentro de um cluster Kubernetes acessem a API do Kubernetes com segurança. Os certificados validam que os clientes têm permissão para acessar a API.
\ No newline at end of file
diff --git a/content/pt-br/docs/reference/glossary/cidr.md b/content/pt-br/docs/reference/glossary/cidr.md
new file mode 100644
index 0000000000000..3073e6560c2d2
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/cidr.md
@@ -0,0 +1,17 @@
+---
+title: CIDR
+id: cidr
+date: 2019-11-12
+full_link: 
+short_description: >
+  CIDR é uma notação para descrever blocos de endereços IP e é muito usada em várias configurações de rede.
+
+aka:
+tags:
+- networking
+---
+CIDR (em inglês - Classless Inter-Domain Routing) é uma notação para descrever blocos de endereços IP e é muito usada em várias configurações de rede.
+
+<!--more-->
+
+No contexto do Kubernetes, cada {{< glossary_tooltip text="Nó" term_id="node" >}} recebe um intervalo de endereços IP através do endereço inicial e uma máscara de sub-rede usando CIDR. Isso permite que os Nodes atribuam a cada {{< glossary_tooltip text="Pod" term_id="pod" >}} um endereço IP exclusivo. Embora originalmente seja um conceito para IPv4, o CIDR também foi expandido para incluir IPv6.
\ No newline at end of file
diff --git a/content/pt-br/docs/reference/glossary/cla.md b/content/pt-br/docs/reference/glossary/cla.md
new file mode 100644
index 0000000000000..5a282a9606497
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/cla.md
@@ -0,0 +1,17 @@
+---
+title: CLA (Contrato de Licença de Colaborador)
+id: cla
+date: 2018-04-12
+full_link: https://github.com/kubernetes/community/blob/master/CLA.md
+short_description: >
+  Termos sob os quais um colaborador concede uma licença a um projeto de código aberto por suas contribuições.
+
+aka: 
+tags:
+- community
+---
+ Termos sob os quais um {{< glossary_tooltip text="colaborador" term_id="contributor" >}} concede uma licença a um projeto de código aberto por suas contribuições.
+
+<!--more--> 
+
+Os CLAs ajudam a resolver disputas legais envolvendo material contribuído e propriedade intelectual.
diff --git a/content/pt-br/docs/reference/glossary/cluster-architect.md b/content/pt-br/docs/reference/glossary/cluster-architect.md
new file mode 100644
index 0000000000000..3aeb95e084eef
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/cluster-architect.md
@@ -0,0 +1,17 @@
+---
+title: Arquiteto de Cluster
+id: cluster-architect
+date: 2018-04-12
+full_link: 
+short_description: >
+  Uma pessoa que projeta infraestrutura que envolve um ou mais clusters Kubernetes.
+
+aka: 
+tags:
+- user-type
+---
+ Uma pessoa que projeta infraestrutura que envolve um ou mais clusters Kubernetes.
+
+<!--more--> 
+
+Os arquitetos de clusters estão preocupados com as melhores práticas para sistemas distribuídos, por exemplo&#58; alta disponibilidade e segurança.
\ No newline at end of file
diff --git a/content/pt-br/docs/reference/glossary/cluster-infrastructure.md b/content/pt-br/docs/reference/glossary/cluster-infrastructure.md
new file mode 100644
index 0000000000000..a65f04a346f69
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/cluster-infrastructure.md
@@ -0,0 +1,13 @@
+---
+title: Infraestrutura de Cluster
+id: cluster-infrastructure
+date: 2019-05-12
+full_link:
+short_description: >
+ A camada de infraestrutura fornece e mantém máquinas virtuais, redes, grupos de segurança e outros.
+
+aka:
+tags:
+- operation
+---
+ A camada de infraestrutura fornece e mantém máquinas virtuais, redes, grupos de segurança e outros.
diff --git a/content/pt-br/docs/reference/glossary/data-plane.md b/content/pt-br/docs/reference/glossary/data-plane.md
new file mode 100644
index 0000000000000..2e7c9946f98d6
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/data-plane.md
@@ -0,0 +1,13 @@
+---
+title: Plano de Dados
+id: data-plane
+date: 2019-05-12
+full_link:
+short_description: >
+  A camada que fornece capacidade, tais como CPU, memória, rede e armazenamento, para que os contêineres possam ser executados e conectados a uma rede.
+
+aka:
+tags:
+- fundamental
+---
+ A camada que fornece capacidade, tais como CPU, memória, rede e armazenamento, para que os contêineres possam ser executados e conectados a uma rede.
diff --git a/content/pt-br/docs/reference/glossary/ingress.md b/content/pt-br/docs/reference/glossary/ingress.md
new file mode 100644
index 0000000000000..889b62a24469a
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/ingress.md
@@ -0,0 +1,20 @@
+---
+title: Ingress
+id: ingress
+date: 2018-04-12
+full_link: /docs/concepts/services-networking/ingress/
+short_description: >
+  Um objeto da API que gerencia o acesso externo aos serviços em um cluster, normalmente HTTP.
+
+aka: 
+tags:
+- networking
+- architecture
+- extension
+---
+ Um objeto da API (do inglês "Application Programming Interface") que gerencia o acesso externo aos serviços em um cluster, normalmente HTTP.
+
+<!--more--> 
+
+Um Ingress pode fornecer as capacidades de um proxy reverso para as aplicações.
+
diff --git a/content/pt-br/docs/reference/glossary/name.md b/content/pt-br/docs/reference/glossary/name.md
new file mode 100644
index 0000000000000..292f1de3e6dc9
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/name.md
@@ -0,0 +1,20 @@
+---
+title: Nome
+id: name
+date: 2018-04-12
+full_link: /pt-br/docs/concepts/overview/working-with-objects/names
+short_description: >
+  Uma string fornecida pelo cliente que referencia um objeto em uma URL de
+  recurso, como por exemplo `/api/v1/pods/qualquer-nome`.
+
+aka: 
+tags:
+- fundamental
+---
+ Uma string fornecida pelo cliente que referencia um objeto em uma URL de
+ recurso, como por exemplo `/api/v1/pods/qualquer-nome`.
+
+<!--more--> 
+
+Somente um objeto de um dado tipo pode ter um certo nome por vez. No entanto,
+se você remover o objeto, você poderá criar um novo objeto com o mesmo nome.
diff --git a/content/pt-br/docs/reference/glossary/reviewer.md b/content/pt-br/docs/reference/glossary/reviewer.md
new file mode 100644
index 0000000000000..ff367087ee375
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/reviewer.md
@@ -0,0 +1,17 @@
+---
+title: Revisor
+id: reviewer
+date: 2018-04-12
+full_link: 
+short_description: >
+  Uma pessoa que revisa o código quanto à qualidade e correção em alguma parte do projeto.
+
+aka: 
+tags:
+- community
+---
+ Uma pessoa que revisa o código quanto à qualidade e correção em alguma parte do projeto.
+
+<!--more--> 
+
+Os revisores têm conhecimento sobre o código base e os princípios de engenharia de software. O estado do revisor é atribuído a uma parte do código.
\ No newline at end of file
diff --git a/content/pt-br/docs/reference/glossary/sysctl.md b/content/pt-br/docs/reference/glossary/sysctl.md
new file mode 100644
index 0000000000000..715d01f7c26cd
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/sysctl.md
@@ -0,0 +1,19 @@
+---
+title: sysctl
+id: sysctl
+date: 2019-02-12
+full_link: /docs/tasks/administer-cluster/sysctl-cluster/
+short_description: >
+  Uma interface para obter e definir parâmetros do kernel Unix.
+
+aka:
+tags:
+- tool
+---
+ `sysctl` é uma interface semi-padronizada para ler ou alterar os atributos do kernel Unix em execução.
+
+<!--more-->
+
+Em sistemas do tipo Unix, `sysctl` é tanto o nome da ferramenta que os administradores usam para visualizar e modificar essas configurações, quanto a chamada do sistema que a ferramenta usa.
+
+Os {{< glossary_tooltip text="contêineres" term_id="container" >}} em execução e os plugins de rede podem depender dos valores definidos do `sysctl`.
\ No newline at end of file
diff --git a/content/pt-br/docs/reference/glossary/uid.md b/content/pt-br/docs/reference/glossary/uid.md
index c5e34fd185862..25d1032572083 100644
--- a/content/pt-br/docs/reference/glossary/uid.md
+++ b/content/pt-br/docs/reference/glossary/uid.md
@@ -2,12 +2,20 @@
 title: UID
 id: uid
 date: 2021-03-16
-full_link: 
+full_link: /pt-br/docs/concepts/overview/working-with-objects/names
 short_description: >
-   Um identificador exclusivo (UID) é uma sequência numérica ou alfanumérica associada a uma única entidade em um determinado sistema.
+   Uma string gerada pelos sistemas do Kubernetes para identificar objetos de
+   forma única.
    
 aka: 
 tags:
-- authentication
+- fundamental
 ---
-Um identificador exclusivo (UID) é uma sequência numérica ou alfanumérica associada a uma única entidade em um determinado sistema. Os UIDs tornam possível endereçar essa entidade para que ela possa ser acessada e interagida. Cada usuário é identificado no sistema por seu UID e os nomes de usuário geralmente são usados apenas como uma interface para humanos.
\ No newline at end of file
+   Uma string gerada pelos sistemas do Kubernetes para identificar objetos de
+   forma única.
+
+<!-- more -->
+
+Cada objeto criado durante todo o ciclo de vida do cluster do Kubernetes possui
+um UID distinto. O objetivo deste identificador é distinguir ocorrências
+históricas de entidades semelhantes.
diff --git a/content/pt-br/docs/reference/glossary/volume-plugin.md b/content/pt-br/docs/reference/glossary/volume-plugin.md
new file mode 100644
index 0000000000000..1936fdf3f2b20
--- /dev/null
+++ b/content/pt-br/docs/reference/glossary/volume-plugin.md
@@ -0,0 +1,18 @@
+---
+title: Plugin de Volume
+id: volumeplugin
+date: 2018-04-12
+full_link: 
+short_description: >
+  Um plugin de volume permite a integração do armazenamento dentro de um Pod.
+
+aka: 
+tags:
+- core-object
+- storage
+---
+ Um plugin de volume permite a integração do armazenamento dentro de um {{< glossary_tooltip text="Pod" term_id="pod" >}}.
+
+<!--more--> 
+
+Um plugin de volume permite anexar e montar volumes de armazenamento para uso por um {{< glossary_tooltip text="Pod" term_id="pod" >}}. Os plugins de volume podem estar _dentro_ ou _fora da árvore_. _Na árvore_, os plugins fazem parte do repositório de código Kubernetes e seguem seu ciclo de lançamento. Os plugins _fora da árvore_ são desenvolvidos de forma independente.
\ No newline at end of file
diff --git a/content/pt-br/docs/setup/production-environment/turnkey-solutions.md b/content/pt-br/docs/setup/production-environment/turnkey-solutions.md
new file mode 100644
index 0000000000000..d60a54a754ca6
--- /dev/null
+++ b/content/pt-br/docs/setup/production-environment/turnkey-solutions.md
@@ -0,0 +1,12 @@
+---
+title: Soluções de Nuvem Prontas para uso
+content_type: concept
+weight: 30
+---
+<!-- overview -->
+
+Essa página fornece uma lista de provedores de soluções certificadas do Kubernetes. Na página de cada provedor, você pode aprender como instalar e configurar clusters prontos para produção.
+
+<!-- body -->
+
+{{< cncf-landscape helpers=true category="certified-kubernetes-hosted" >}}
diff --git a/content/pt-br/docs/tasks/configmap-secret/managing-secret-using-config-file.md b/content/pt-br/docs/tasks/configmap-secret/managing-secret-using-config-file.md
index 0bac8410fa3ce..cefd54838399c 100644
--- a/content/pt-br/docs/tasks/configmap-secret/managing-secret-using-config-file.md
+++ b/content/pt-br/docs/tasks/configmap-secret/managing-secret-using-config-file.md
@@ -59,7 +59,7 @@ data:
 ```
 
 Perceba que o nome do objeto Secret precisa ser um 
-[nome de subdomínio DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-name) válido.
+[nome de subdomínio DNS](/pt-br/docs/concepts/overview/working-with-objects/names#dns-subdomain-names) válido.
 
 {{< note >}}
 Os valores serializados dos dados JSON e YAML de um Secret são codificados em strings
diff --git a/content/ru/docs/concepts/architecture/garbage-collection.md b/content/ru/docs/concepts/architecture/garbage-collection.md
index e94da8fc623cb..5c7a83c39294b 100644
--- a/content/ru/docs/concepts/architecture/garbage-collection.md
+++ b/content/ru/docs/concepts/architecture/garbage-collection.md
@@ -12,7 +12,7 @@ weight: 50
   * [Объекты без ссылок на владельца Objects](#owners-dependents)
   * [Не используемые контейнеры и образы контейнеров](#containers-images)
   * [Dynamically provisioned PersistentVolumes with a StorageClass reclaim policy of Delete](/docs/concepts/storage/persistent-volumes/#delete)
-  * [Устаревшие или просроченные запросы подписания сертификатов (CSR)](/reference/access-authn-authz/certificate-signing-requests/#request-signing-process)
+  * [Устаревшие или просроченные запросы подписания сертификатов (CSR)](/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process)
   * {{<glossary_tooltip text="Nodes" term_id="node">}} удалено в следующих сценариях:
     * В облаке, когда кластер использует [диспетчер облачных контроллеров](/docs/concepts/architecture/cloud-controller/)
     * Локально когда кластер использует дополнение, аналогичное диспетчер облачных контроллеров
diff --git a/content/ru/docs/contribute/advanced.md b/content/ru/docs/contribute/advanced.md
index bb4ff9a35f97a..7ee4af13cf8a4 100644
--- a/content/ru/docs/contribute/advanced.md
+++ b/content/ru/docs/contribute/advanced.md
@@ -63,7 +63,7 @@ weight: 30
 
 {{< note >}}
 
-Бот [`fejta-bot`](https://github.com/fejta-bot) автоматически помечает заявки как устаревшие после 90 дней отсутствия активности, а затем закрывает их после ещё 30 дней простоя, когда они становятся тухлыми. Дежурные по PR должны закрывать заявки после 14-30 дней бездействия.
+Бот [`k8s-ci-robot`](https://github.com/k8s-ci-robot) автоматически помечает заявки как устаревшие после 90 дней отсутствия активности, а затем закрывает их после ещё 30 дней простоя, когда они становятся тухлыми. Дежурные по PR должны закрывать заявки после 14-30 дней бездействия.
 
 {{< /note >}}
 
diff --git a/content/ru/docs/setup/learning-environment/minikube.md b/content/ru/docs/setup/learning-environment/minikube.md
index 500d171abecbb..fea7e142528c9 100644
--- a/content/ru/docs/setup/learning-environment/minikube.md
+++ b/content/ru/docs/setup/learning-environment/minikube.md
@@ -525,6 +525,4 @@ Minikube использует [libmachine](https://github.com/docker/machine/tre
 
 ## Сообщество
 
-Помощь, вопросы и комментарии приветствуются и поощряются! Разработчики Minikube проводят время на [Slack](https://kubernetes.slack.com) в канале #minikube (получить приглашение можно [здесь](http://slack.kubernetes.io/)). У нас также есть [список рассылки kubernetes-dev на Google Groups](https://groups.google.com/forum/#!forum/kubernetes-dev). Если вы отправляете сообщение в список, пожалуйста, начните вашу тему с "minikube: ".
-
-
+Помощь, вопросы и комментарии приветствуются и поощряются! Разработчики Minikube проводят время на [Slack](https://kubernetes.slack.com) в канале #minikube (получить приглашение можно [здесь](http://slack.kubernetes.io/)). У нас также есть [список рассылки dev@kubernetes на Google Groups](https://groups.google.com/a/kubernetes.io/g/dev/). Если вы отправляете сообщение в список, пожалуйста, начните вашу тему с "minikube: ".
diff --git a/content/ru/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/ru/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index c55819902a74f..fd99c78cd6733 100644
--- a/content/ru/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/ru/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -59,7 +59,7 @@ kubelet исполняет команду `cat /tmp/healthy` в целевом 
 Когда контейнер запускается, он исполняет команду
 
 ```shell
-/bin/sh -c "touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600"
+/bin/sh -c "touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600"
 ```
 
 Для первых 30 секунд жизни контейнера существует файл `/tmp/healthy`.
diff --git a/content/ru/docs/tutorials/kubernetes-basics/_index.html b/content/ru/docs/tutorials/kubernetes-basics/_index.html
index e6548931c38a9..ccdaefe8b8696 100644
--- a/content/ru/docs/tutorials/kubernetes-basics/_index.html
+++ b/content/ru/docs/tutorials/kubernetes-basics/_index.html
@@ -99,7 +99,7 @@ <h2>Учебные модули по основам Kubernetes</h2>
               <div class="thumbnail">
                 <a href="/ru/docs/tutorials/kubernetes-basics/update/update-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_06.svg?v=1469803628347" alt=""></a>
                 <div class="caption">
-                  <a href="/ru/docs/tutorials/kubernetes-basics/update/update-intro/"><h5>6. Обновление приложение</h5></a>
+                  <a href="/ru/docs/tutorials/kubernetes-basics/update/update-intro/"><h5>6. Обновление приложения</h5></a>
                 </div>
               </div>
             </div>
diff --git a/content/ru/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html b/content/ru/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
index 502beb23bd35a..738d2b0bc6786 100644
--- a/content/ru/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
+++ b/content/ru/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
@@ -28,7 +28,7 @@ <h3>Темы</h3>
             <div class="col-md-8">
                 <h3>Развёртывания Kubernetes</h3>
 
-                <p>Как только вы запустили кластер Kubernetes, вы можете развернуть свои контейнеризированные приложения в него. Для этого вам нужно создать конфигурацию <b>развёртывания (Deployment)</b> в Kubernetes. Развёртывание сообщает Kubernetes, как создавать и обновлять экземпляры вашего приложения. После создания развёртывания ведущий узел Kubernetes планирует запустить экземпляры приложения на отдельных узлах в кластере.</p>
+                <p>Как только вы запустили кластер Kubernetes, вы можете развернуть на нём свои контейнеризированные приложения. Для этого вам нужно создать конфигурацию <b>развёртывания (Deployment)</b> в Kubernetes. Развёртывание сообщает Kubernetes, как создавать и обновлять экземпляры вашего приложения. После создания развёртывания ведущий узел Kubernetes планирует запустить экземпляры приложения на отдельных узлах в кластере.</p>
 
                 <p>Когда экземпляры приложения были созданы, контроллер развёртывания Kubernetes непрерывно отслеживает их. Если узел, на котором размещен экземпляр, вышёл из строя или был удалён, контроллер развёртывания вместо этого экземпляра использует экземпляр на другом узле в кластере. <b>Этот процесс представляет собой механизм самовосстановления, обеспечивающий работу кластера в случае возникновения аппаратных неисправностей либо технических работ.</b>
 
diff --git a/content/ru/docs/tutorials/kubernetes-basics/expose/expose-intro.html b/content/ru/docs/tutorials/kubernetes-basics/expose/expose-intro.html
index 07cb3cd2df051..1a59057eb88ea 100644
--- a/content/ru/docs/tutorials/kubernetes-basics/expose/expose-intro.html
+++ b/content/ru/docs/tutorials/kubernetes-basics/expose/expose-intro.html
@@ -29,7 +29,7 @@ <h3>Темы</h3>
 			<h3>Обзор сервисов Kubernetes</h3>
 			<p><a href="/docs/concepts/workloads/pods/pod-overview/">Под</a> — это расходный материал в Kubernetes. У подов есть <a href="/docs/concepts/workloads/pods/pod-lifecycle/">жизненный цикл</a>. Когда рабочий узел завершается, запущенные поды в узле также уничтожаются. После этого <a href="/docs/concepts/workloads/controllers/replicaset/">ReplicaSet</a> попытается автоматически вернуть кластер обратно в требуемое состояние, создавая новые поды, чтобы поддержать работоспособность приложения. Другой пример — бэкенд для обработки изображений с 3 репликами. Поскольку это взаимозаменяемые реплики, то они не влияют на фронтенд-часть, даже если под был уничтожен и пересоздан. Тем не менее, каждый под в кластере Kubernetes имеет уникальный IP-адрес, даже под на одном и том же узле, поэтому должен быть способ автоматической координации изменений между подами, чтобы приложения продолжали функционировать.</p>
 
-			<p>Сервис в Kubernetes — это абстрактный объект, который определяет логический набор подов и политику доступа к ним. Сервисы создают слабую связь между подами, которые от них зависят. Сервис создаётся в формате YAML <a href="/docs/concepts/configuration/overview/#general-configuration-tips">(рекомендуемый формат)</a> или JSON, как и все остальные объекты в Kubernetes. Как правило, набор подов для сервиса определяется <i>LabelSelector</i> (ниже описано, в каких случаях понадобиться сервис без указания <code>selector</code> в спецификации).</p>
+			<p>Сервис в Kubernetes — это абстрактный объект, который определяет логический набор подов и политику доступа к ним. Сервисы создают слабую связь между подами, которые от них зависят. Сервис создаётся в формате YAML <a href="/docs/concepts/configuration/overview/#general-configuration-tips">(рекомендуемый формат)</a> или JSON, как и все остальные объекты в Kubernetes. Как правило, набор подов для сервиса определяется <i>LabelSelector</i> (ниже описано, в каких случаях понадобится сервис без указания <code>selector</code> в спецификации).</p>
 
 			<p>Хотя у каждого пода есть уникальный IP-адрес, эти IP-адреса не доступны за пределами кластера без использования сервиса. Сервисы позволяют приложениям принимать трафик. Сервисы могут быть по-разному открыты, в зависимости от указанного поля <code>type</code> в ServiceSpec:</p>
 			<ul>
diff --git a/content/ru/examples/pods/probe/exec-liveness.yaml b/content/ru/examples/pods/probe/exec-liveness.yaml
index 07bf75f85c6f3..6a9c9b3213718 100644
--- a/content/ru/examples/pods/probe/exec-liveness.yaml
+++ b/content/ru/examples/pods/probe/exec-liveness.yaml
@@ -11,7 +11,7 @@ spec:
     args:
     - /bin/sh
     - -c
-    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; sleep 600
     livenessProbe:
       exec:
         command:
diff --git a/content/uk/docs/concepts/overview/what-is-kubernetes.md b/content/uk/docs/concepts/overview/what-is-kubernetes.md
index 4bc2cb6a006af..0b720f4aca705 100644
--- a/content/uk/docs/concepts/overview/what-is-kubernetes.md
+++ b/content/uk/docs/concepts/overview/what-is-kubernetes.md
@@ -60,7 +60,7 @@ Each VM is a full machine running all the components, including its own operatin
 <!--
 **Container deployment era:** Containers are similar to VMs, but they have relaxed isolation properties to share the Operating System (OS) among the applications. Therefore, containers are considered lightweight. Similar to a VM, a container has its own filesystem, CPU, memory, process space, and more. As they are decoupled from the underlying infrastructure, they are portable across clouds and OS distributions.
 -->
-**Ера розгортання контейнерів:** Контейнери схожі на VM, але мають спрощений варіант ізоляції і використовують спільну операційну систему для усіх застосунків. Саму тому контейнери вважаються легковісними. Подібно до VM, контейнер має власну файлову систему, ЦПУ, пам'ять, простір процесів тощо. Оскільки контейнери вивільнені від підпорядкованої інфраструктури, їх можна легко переміщати між хмарними провайдерами чи дистрибутивами операційних систем.
+**Ера розгортання контейнерів:** Контейнери схожі на VM, але мають спрощений варіант ізоляції і використовують спільну операційну систему для усіх застосунків. Саме тому контейнери вважаються "легкими", в порівнянні з віртуалками. Подібно до VM, контейнер має власну файлову систему, ЦПУ, пам'ять, простір процесів тощо. Оскільки контейнери вивільнені від підпорядкованої інфраструктури, їх можна легко переміщати між хмарними провайдерами чи дистрибутивами операційних систем.
 <!--
 Containers have become popular because they provide extra benefits, such as:
 -->
@@ -93,7 +93,7 @@ Containers have become popular because they provide extra benefits, such as:
 <!--
 ## Why you need Kubernetes and what can it do
 -->
-## Чому вам потрібен Kebernetes і що він може робити
+## Чому вам потрібен Kubernetes і що він може робити
 
 <!--
 Containers are a good way to bundle and run your applications. In a production environment, you need to manage the containers that run the applications and ensure that there is no downtime. For example, if a container goes down, another container needs to start. Wouldn't it be easier if this behavior was handled by a system?
diff --git a/content/zh/OWNERS b/content/zh-cn/OWNERS
similarity index 100%
rename from content/zh/OWNERS
rename to content/zh-cn/OWNERS
diff --git a/content/zh/_common-resources/images/blocks.svg b/content/zh-cn/_common-resources/images/blocks.svg
similarity index 100%
rename from content/zh/_common-resources/images/blocks.svg
rename to content/zh-cn/_common-resources/images/blocks.svg
diff --git a/content/zh/_common-resources/images/flower.svg b/content/zh-cn/_common-resources/images/flower.svg
similarity index 100%
rename from content/zh/_common-resources/images/flower.svg
rename to content/zh-cn/_common-resources/images/flower.svg
diff --git a/content/zh/_common-resources/images/kub_video_banner_homepage.jpg b/content/zh-cn/_common-resources/images/kub_video_banner_homepage.jpg
similarity index 100%
rename from content/zh/_common-resources/images/kub_video_banner_homepage.jpg
rename to content/zh-cn/_common-resources/images/kub_video_banner_homepage.jpg
diff --git a/content/zh/_common-resources/images/scalable.svg b/content/zh-cn/_common-resources/images/scalable.svg
similarity index 100%
rename from content/zh/_common-resources/images/scalable.svg
rename to content/zh-cn/_common-resources/images/scalable.svg
diff --git a/content/zh/_common-resources/images/suitcase.svg b/content/zh-cn/_common-resources/images/suitcase.svg
similarity index 100%
rename from content/zh/_common-resources/images/suitcase.svg
rename to content/zh-cn/_common-resources/images/suitcase.svg
diff --git a/content/zh/_common-resources/index.md b/content/zh-cn/_common-resources/index.md
similarity index 100%
rename from content/zh/_common-resources/index.md
rename to content/zh-cn/_common-resources/index.md
diff --git a/content/zh/_index.html b/content/zh-cn/_index.html
similarity index 100%
rename from content/zh/_index.html
rename to content/zh-cn/_index.html
diff --git a/content/zh/blog/_index.md b/content/zh-cn/blog/_index.md
similarity index 82%
rename from content/zh/blog/_index.md
rename to content/zh-cn/blog/_index.md
index 5a7b51631ba61..ddd878254ab49 100644
--- a/content/zh/blog/_index.md
+++ b/content/zh-cn/blog/_index.md
@@ -15,6 +15,6 @@ menu:
 https://kubernetes.io/docs/contribute/new-content/blogs-case-studies/#write-a-blog-post -->
 
 有关为博客提供内容的信息，请参见
-https://kubernetes.io/zh/docs/contribute/new-content/blogs-case-studies/#write-a-blog-post
+https://kubernetes.io/zh-cn/docs/contribute/new-content/blogs-case-studies/#write-a-blog-post
 
 {{< /comment >}}
\ No newline at end of file
diff --git a/content/zh/blog/_posts/2015-03-00-Kubernetes-Gathering-Videos.md b/content/zh-cn/blog/_posts/2015-03-00-Kubernetes-Gathering-Videos.md
similarity index 93%
rename from content/zh/blog/_posts/2015-03-00-Kubernetes-Gathering-Videos.md
rename to content/zh-cn/blog/_posts/2015-03-00-Kubernetes-Gathering-Videos.md
index 90dd2a13176a1..f085117d1cdbd 100644
--- a/content/zh/blog/_posts/2015-03-00-Kubernetes-Gathering-Videos.md
+++ b/content/zh-cn/blog/_posts/2015-03-00-Kubernetes-Gathering-Videos.md
@@ -1,18 +1,13 @@
 ---
-
 title: " Kubernetes 采集视频 "
 date: 2015-03-23
 slug: kubernetes-gathering-videos
 ---
-
 <!--
----
-
 title: " Kubernetes Gathering Videos "
 date: 2015-03-23
 slug: kubernetes-gathering-videos
-url: /zh/blog/2015/03/Kubernetes-Gathering-Videos
----
+url: /blog/2015/03/Kubernetes-Gathering-Videos
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2015-03-00-Weekly-Kubernetes-Community-Hangout.md b/content/zh-cn/blog/_posts/2015-03-00-Weekly-Kubernetes-Community-Hangout.md
similarity index 97%
rename from content/zh/blog/_posts/2015-03-00-Weekly-Kubernetes-Community-Hangout.md
rename to content/zh-cn/blog/_posts/2015-03-00-Weekly-Kubernetes-Community-Hangout.md
index e5420ff74b07b..48cc33910f4e5 100644
--- a/content/zh/blog/_posts/2015-03-00-Weekly-Kubernetes-Community-Hangout.md
+++ b/content/zh-cn/blog/_posts/2015-03-00-Weekly-Kubernetes-Community-Hangout.md
@@ -1,16 +1,13 @@
 ---
-title: " Kubernetes 社区每周聚会笔记 - 2015年3月27日 "
+title: "Kubernetes 社区每周聚会笔记 - 2015 年 3 月 27 日"
 date: 2015-03-28
 slug: weekly-kubernetes-community-hangout
 ---
-
 <!--
----
 title: " Weekly Kubernetes Community Hangout Notes - March 27 2015 "
 date: 2015-03-28
 slug: weekly-kubernetes-community-hangout
-url: /zh/blog/2015/03/Weekly-Kubernetes-Community-Hangout
----
+url: /blog/2015/03/Weekly-Kubernetes-Community-Hangout
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md b/content/zh-cn/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
similarity index 96%
rename from content/zh/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
rename to content/zh-cn/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
index fd0ea91f108f0..c157b326baf94 100644
--- a/content/zh/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
+++ b/content/zh-cn/blog/_posts/2015-03-00-Welcome-To-Kubernetes-Blog.md
@@ -3,14 +3,11 @@ title: 欢迎来到 Kubernetes 博客!
 date: 2015-03-20
 slug: welcome-to-kubernetes-blog
 ---
-
 <!--
----
 title: Welcome to the Kubernetes Blog!
 date: 2015-03-20
 slug: welcome-to-kubernetes-blog
-url: /zh/blog/2015/03/Welcome-To-Kubernetes-Blog
----
+url: /blog/2015/03/Welcome-To-Kubernetes-Blog
 -->
 
 <!--
@@ -41,7 +38,7 @@ To start things off, here's a roundup of recent Kubernetes posts from other site
 -->
 
 - [使用 Vitess 和 Kubernetes 在云中扩展 MySQL](http://googlecloudplatform.blogspot.com/2015/03/scaling-MySQL-in-the-cloud-with-Vitess-and-Kubernetes.html)
-- [虚拟机上的容器群集](http://googlecloudplatform.blogspot.com/2015/02/container-clusters-on-vms.html)
+- [虚拟机上的容器集群](http://googlecloudplatform.blogspot.com/2015/02/container-clusters-on-vms.html)
 - [想知道的关于 kubernetes 的一切，却又不敢问](http://googlecloudplatform.blogspot.com/2015/01/everything-you-wanted-to-know-about-Kubernetes-but-were-afraid-to-ask.html)
 - [什么构成容器集群？](http://googlecloudplatform.blogspot.com/2015/01/what-makes-a-container-cluster.html)
 - [将 OpenStack 和 Kubernetes 与 Murano 集成](https://www.mirantis.com/blog/integrating-openstack-and-kubernetes-with-murano/)
diff --git a/content/zh/blog/_posts/2015-04-00-Borg-Predecessor-To-Kubernetes.md b/content/zh-cn/blog/_posts/2015-04-00-Borg-Predecessor-To-Kubernetes.md
similarity index 97%
rename from content/zh/blog/_posts/2015-04-00-Borg-Predecessor-To-Kubernetes.md
rename to content/zh-cn/blog/_posts/2015-04-00-Borg-Predecessor-To-Kubernetes.md
index 41af82357b16a..9f766237f3fda 100644
--- a/content/zh/blog/_posts/2015-04-00-Borg-Predecessor-To-Kubernetes.md
+++ b/content/zh-cn/blog/_posts/2015-04-00-Borg-Predecessor-To-Kubernetes.md
@@ -2,16 +2,14 @@
 title: "Borg: Kubernetes 的前身"
 date: 2015-04-23
 slug: borg-predecessor-to-kubernetes
-url: /zh/blog/2015/04/Borg-Predecessor-To-Kubernetes
 ---
 <!--
----
 title: " Borg: The Predecessor to Kubernetes "
 date: 2015-04-23
 slug: borg-predecessor-to-kubernetes
-url: /zh/blog/2015/04/Borg-Predecessor-To-Kubernetes
----
+url: /blog/2015/04/Borg-Predecessor-To-Kubernetes
 -->
+
 <!--
 Google has been running containerized workloads in production for more than a decade. Whether it's service jobs like web front-ends and stateful servers, infrastructure systems like [Bigtable](http://research.google.com/archive/bigtable.html) and [Spanner](http://research.google.com/archive/spanner.html), or batch frameworks like [MapReduce](http://research.google.com/archive/mapreduce.html) and [Millwheel](http://research.google.com/pubs/pub41378.html), virtually everything at Google runs as a container. Today, we took the wraps off of Borg, Google’s long-rumored internal container-oriented cluster-management system, publishing details at the academic computer systems conference [Eurosys](http://eurosys2015.labri.fr/). You can find the paper [here](https://research.google.com/pubs/pub43438.html).
 -->
@@ -114,6 +112,6 @@ Thanks to the advent of software-defined overlay networks such as [flannel](http
 With the growing popularity of container-based microservice architectures, the lessons Google has learned from running such systems internally have become of increasing interest to the external DevOps community. By revealing some of the inner workings of our cluster manager Borg, and building our next-generation cluster manager as both an open-source project (Kubernetes) and a publicly available hosted service ([Google Container Engine](http://cloud.google.com/container-engine)), we hope these lessons can benefit the broader community outside of Google and advance the state-of-the-art in container scheduling and cluster management. 
 -->
 随着基于容器的微服务架构的日益普及，Google 从内部运行此类系统所汲取的经验教训已引起外部 DevOps 社区越来越多的兴趣。
-通过揭示集群管理器 Borg 的一些内部工作原理，并将下一代集群管理器构建为一个开源项目（Kubernetes）和一个公开可用的托管服务（[Google Container Engine]（http://cloud.google.com/container-engine)) ，我们希望这些课程可以使 Google 之外的广大社区受益，并推动容器调度和集群管理方面的最新技术发展。
+通过揭示集群管理器 Borg 的一些内部工作原理，并将下一代集群管理器构建为一个开源项目（Kubernetes）和一个公开可用的托管服务（[Google Container Engine](http://cloud.google.com/container-engine)），我们希望这些课程可以使 Google 之外的广大社区受益，并推动容器调度和集群管理方面的最新技术发展。
 
 
diff --git a/content/zh/blog/_posts/2015-04-00-Kubernetes-Release-0150.md b/content/zh-cn/blog/_posts/2015-04-00-Kubernetes-Release-0150.md
similarity index 100%
rename from content/zh/blog/_posts/2015-04-00-Kubernetes-Release-0150.md
rename to content/zh-cn/blog/_posts/2015-04-00-Kubernetes-Release-0150.md
diff --git a/content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout.md b/content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout.md
similarity index 97%
rename from content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout.md
rename to content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout.md
index a95a116b4956a..323cdad934f3d 100644
--- a/content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout.md
+++ b/content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout.md
@@ -1,17 +1,15 @@
 ---
-title: " 每周 Kubernetes 社区例会笔记 - 2015年4月3日 "
+title: " 每周 Kubernetes 社区例会笔记 - 2015 年 4 月 3 日 "
 date: 2015-04-04
 slug: weekly-kubernetes-community-hangout
-url: /zh/blog/2015/04/Weekly-Kubernetes-Community-Hangout
 ---
 <!--
----
 title: " Weekly Kubernetes Community Hangout Notes - April 3 2015 "
 date: 2015-04-04
 slug: weekly-kubernetes-community-hangout
-url: /zh/blog/2015/04/Weekly-Kubernetes-Community-Hangout
----
+url: /blog/2015/04/Weekly-Kubernetes-Community-Hangout
 -->
+
 <!--
 # Kubernetes: Weekly Kubernetes Community Hangout Notes
 -->
diff --git a/content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_17.md b/content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_17.md
similarity index 100%
rename from content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_17.md
rename to content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_17.md
diff --git a/content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_29.md b/content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_29.md
similarity index 100%
rename from content/zh/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_29.md
rename to content/zh-cn/blog/_posts/2015-04-00-Weekly-Kubernetes-Community-Hangout_29.md
diff --git a/content/zh/blog/_posts/2015-05-00-Appc-Support-For-Kubernetes-Through-Rkt.md b/content/zh-cn/blog/_posts/2015-05-00-Appc-Support-For-Kubernetes-Through-Rkt.md
similarity index 97%
rename from content/zh/blog/_posts/2015-05-00-Appc-Support-For-Kubernetes-Through-Rkt.md
rename to content/zh-cn/blog/_posts/2015-05-00-Appc-Support-For-Kubernetes-Through-Rkt.md
index 275cbead77d3d..c715afe8b21e4 100644
--- a/content/zh/blog/_posts/2015-05-00-Appc-Support-For-Kubernetes-Through-Rkt.md
+++ b/content/zh-cn/blog/_posts/2015-05-00-Appc-Support-For-Kubernetes-Through-Rkt.md
@@ -1,17 +1,15 @@
-<!--
 ---
-title: " AppC Support for Kubernetes through RKT "
+title: " 通过 RKT 对 Kubernetes 的 AppC 支持 "
 date: 2015-05-04
 slug: appc-support-for-kubernetes-through-rkt
-url: /zh/blog/2015/05/Appc-Support-For-Kubernetes-Through-Rkt
 ---
--->
----
-title: " 通过 RKT 对 Kubernetes 的 AppC 支持 "
+<!--
+title: " AppC Support for Kubernetes through RKT "
 date: 2015-05-04
 slug: appc-support-for-kubernetes-through-rkt
-url: /zh/blog/2015/05/Appc-Support-For-Kubernetes-Through-Rkt
----
+url: /blog/2015/05/Appc-Support-For-Kubernetes-Through-Rkt
+-->
+
 <!--
 We very recently accepted a pull request to the Kubernetes project to add appc support for the Kubernetes community. &nbsp;Appc is a new open container specification that was initiated by CoreOS, and is supported through CoreOS rkt container runtime.
 -->
diff --git a/content/zh/blog/_posts/2015-05-00-Kubernetes-On-Openstack.md b/content/zh-cn/blog/_posts/2015-05-00-Kubernetes-On-Openstack.md
similarity index 98%
rename from content/zh/blog/_posts/2015-05-00-Kubernetes-On-Openstack.md
rename to content/zh-cn/blog/_posts/2015-05-00-Kubernetes-On-Openstack.md
index 68a50e93c8b97..0ac0f14276861 100644
--- a/content/zh/blog/_posts/2015-05-00-Kubernetes-On-Openstack.md
+++ b/content/zh-cn/blog/_posts/2015-05-00-Kubernetes-On-Openstack.md
@@ -3,14 +3,11 @@ title: " OpenStack 上的 Kubernetes "
 date: 2015-05-19
 slug: kubernetes-on-openstack
 ---
-
 <!--
----
 title: " Kubernetes on OpenStack "
 date: 2015-05-19
 slug: kubernetes-on-openstack
-url: /zh/blog/2015/05/Kubernetes-On-Openstack
----
+url: /blog/2015/05/Kubernetes-On-Openstack
 -->
 
 [![](https://3.bp.blogspot.com/-EOrCHChZJZE/VVZzq43g6CI/AAAAAAAAF-E/JUilRHk369E/s400/Untitled%2Bdrawing.jpg)](https://3.bp.blogspot.com/-EOrCHChZJZE/VVZzq43g6CI/AAAAAAAAF-E/JUilRHk369E/s1600/Untitled%2Bdrawing.jpg)
diff --git a/content/zh/blog/_posts/2015-05-00-Weekly-Kubernetes-Community-Hangout.md b/content/zh-cn/blog/_posts/2015-05-00-Weekly-Kubernetes-Community-Hangout.md
similarity index 97%
rename from content/zh/blog/_posts/2015-05-00-Weekly-Kubernetes-Community-Hangout.md
rename to content/zh-cn/blog/_posts/2015-05-00-Weekly-Kubernetes-Community-Hangout.md
index e7d01a5a6e0ff..39f88f204c30d 100644
--- a/content/zh/blog/_posts/2015-05-00-Weekly-Kubernetes-Community-Hangout.md
+++ b/content/zh-cn/blog/_posts/2015-05-00-Weekly-Kubernetes-Community-Hangout.md
@@ -3,14 +3,11 @@ title: " Kubernetes 社区每周聚会笔记- 2015年5月1日 "
 date: 2015-05-11
 slug: weekly-kubernetes-community-hangout
 ---
-
 <!--
----
 title: " Weekly Kubernetes Community Hangout Notes - May 1 2015 "
 date: 2015-05-11
 slug: weekly-kubernetes-community-hangout
-url: /zh/blog/2015/05/Weekly-Kubernetes-Community-Hangout
----
+url: /blog/2015/05/Weekly-Kubernetes-Community-Hangout
 -->
 
 <!--
@@ -104,7 +101,7 @@ Every week the Kubernetes contributing community meet virtually over Google Hang
 
     *     * 可以使用 ServiceAccountToken 创建新的 service account。控制器将为它创建令牌。
 
-    * 可以创建一个带有 service account 的 pod, pod 将在 /var/run/secrets/kubernets.io/…
+    * 可以创建一个带有 service account 的 pod, pod 将在 /var/run/secrets/kubernetes.io/…
 
 <!--
 
diff --git a/content/zh/blog/_posts/2015-06-00-Slides-Cluster-Management-With.md b/content/zh-cn/blog/_posts/2015-06-00-Slides-Cluster-Management-With.md
similarity index 96%
rename from content/zh/blog/_posts/2015-06-00-Slides-Cluster-Management-With.md
rename to content/zh-cn/blog/_posts/2015-06-00-Slides-Cluster-Management-With.md
index 24f7cf35cb339..5a77ecdde88e8 100644
--- a/content/zh/blog/_posts/2015-06-00-Slides-Cluster-Management-With.md
+++ b/content/zh-cn/blog/_posts/2015-06-00-Slides-Cluster-Management-With.md
@@ -3,14 +3,11 @@ title: "幻灯片：Kubernetes 集群管理，爱丁堡大学演讲"
 date: 2015-06-26
 slug: slides-cluster-management-with
 ---
-
 <!--
----
 title: " Slides: Cluster Management with Kubernetes, talk given at the University of Edinburgh "
 date: 2015-06-26
 slug: slides-cluster-management-with
-url: /zh/blog/2015/06/Slides-Cluster-Management-With
----
+url: /blog/2015/06/Slides-Cluster-Management-With
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md b/content/zh-cn/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
similarity index 97%
rename from content/zh/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
rename to content/zh-cn/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
index 9b0013d0d9ad6..298ef84175855 100644
--- a/content/zh/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
+++ b/content/zh-cn/blog/_posts/2015-07-00-Announcing-First-Kubernetes-Enterprise.md
@@ -3,12 +3,12 @@ title: "宣布首个Kubernetes企业培训课程 "
 date: 2015-07-08
 slug: announcing-first-kubernetes-enterprise
 ---
-<!-- ---
+<!--
 title: " Announcing the First Kubernetes Enterprise Training Course "
 date: 2015-07-08
 slug: announcing-first-kubernetes-enterprise
-url: /zh/blog/2015/07/Announcing-First-Kubernetes-Enterprise
---- -->
+url: /blog/2015/07/Announcing-First-Kubernetes-Enterprise
+-->
 
 <!-- At Google we rely on Linux application containers to run our core infrastructure. Everything from Search to Gmail runs in containers. &nbsp;In fact, we like containers so much that even our Google Compute Engine VMs run in containers! &nbsp;Because containers are critical to our business, we have been working with the community on many of the basic container technologies (from cgroups to Docker’s LibContainer) and even decided to build the next generation of Google’s container scheduling technology, Kubernetes, in the open. -->
 在谷歌，我们依赖 Linux 容器应用程序去运行我们的核心基础架构。所有服务，从搜索引擎到Gmail服务，都运行在容器中。事实上，我们非常喜欢容器，甚至我们的谷歌云计算引擎虚拟机也运行在容器上！由于容器对于我们的业务至关重要，我们已经与社区合作开发许多基本的容器技术（从 cgroups 到 Docker 的 LibContainer）,甚至决定去构建谷歌的下一代开源容器调度技术，Kubernetes。
diff --git a/content/zh/blog/_posts/2015-08-00-Weekly-Kubernetes-Community-Hangout.md b/content/zh-cn/blog/_posts/2015-08-00-Weekly-Kubernetes-Community-Hangout.md
similarity index 95%
rename from content/zh/blog/_posts/2015-08-00-Weekly-Kubernetes-Community-Hangout.md
rename to content/zh-cn/blog/_posts/2015-08-00-Weekly-Kubernetes-Community-Hangout.md
index 7e2bc2442368f..54f648fd5c972 100644
--- a/content/zh/blog/_posts/2015-08-00-Weekly-Kubernetes-Community-Hangout.md
+++ b/content/zh-cn/blog/_posts/2015-08-00-Weekly-Kubernetes-Community-Hangout.md
@@ -1,18 +1,14 @@
-<!--
 ---
-title: " Weekly Kubernetes Community Hangout Notes - July 31 2015 "
+title: " Kubernetes 社区每周环聊笔记——2015 年 7 月 31 日 "
 date: 2015-08-04
 slug: weekly-kubernetes-community-hangout
-url: /zh/blog/2015/08/Weekly-Kubernetes-Community-Hangout
----
--->
-
 ---
-title: " Kubernetes社区每周环聊笔记-2015年7月31日 "
+<!--
+title: " Weekly Kubernetes Community Hangout Notes - July 31 2015 "
 date: 2015-08-04
 slug: weekly-kubernetes-community-hangout
-url: /zh/blog/2015/08/Weekly-Kubernetes-Community-Hangout
----
+url: /blog/2015/08/Weekly-Kubernetes-Community-Hangout
+-->
 
 <!--
 Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum.  
diff --git a/content/zh/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md b/content/zh-cn/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
similarity index 97%
rename from content/zh/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
rename to content/zh-cn/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
index b90cdcb7fe9ca..045f36966ccb3 100644
--- a/content/zh/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
+++ b/content/zh-cn/blog/_posts/2015-11-00-Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community.md
@@ -2,18 +2,16 @@
 title: " Kubernetes 1.1 性能升级，工具改进和社区不断壮大  "
 date: 2015-11-09
 slug: kubernetes-1-1-performance-upgrades-improved-tooling-and-a-growing-community
-url: /zh/blog/2015/11/Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community
 ---
 <!--
----
 title: " Kubernetes 1.1 Performance upgrades, improved tooling and a growing community  "
 date: 2015-11-09
 slug: kubernetes-1-1-performance-upgrades-improved-tooling-and-a-growing-community
-url: /zh/blog/2015/11/Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community
----
+url: /blog/2015/11/Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community
 -->
+
 <!--
-Since the Kubernetes 1.0 release in July, we’ve seen tremendous adoption by companies building distributed systems to manage their container clusters. We’re also been humbled by the rapid growth of the community who help make Kubernetes better everyday. We have seen commercial offerings such as Tectonic by CoreOS and RedHat Atomic Host emerge to deliver deployment and support of Kubernetes. And a growing ecosystem has added Kubernetes support including tool vendors such as Sysdig and Project Calico. 
+Since the Kubernetes 1.0 release in July, we’ve seen tremendous adoption by companies building distributed systems to manage their container clusters. We’re also been humbled by the rapid growth of the community who help make Kubernetes better everyday. We have seen commercial offerings such as Tectonic by CoreOS and RedHat Atomic Host emerge to deliver deployment and support of Kubernetes. And a growing ecosystem has added Kubernetes support including tool vendors such as Sysdig and Project Calico.  
 -->
 自从 Kubernetes 1.0 在七月发布以来，我们已经看到大量公司采用建立分布式系统来管理其容器集群。
 我们也对帮助 Kubernetes 社区变得更好，迅速发展的人感到钦佩。
@@ -90,7 +88,7 @@ Today, we’re also proud to mark the inaugural Kubernetes conference, [KubeCon]
 <!--
 We’d love to highlight just a few of the many partners making Kubernetes better:  
 -->
-我们想强调几个使 Kuberbetes 变得更好的众多合作伙伴中的几位：
+我们想强调几个使 Kubernetes 变得更好的众多合作伙伴中的几位：
 
 <!--
 > “We are betting our major product, Tectonic – which enables any company to deploy, manage and secure its containers anywhere – on Kubernetes because we believe it is the future of the data center. The release of Kubernetes 1.1 is another major milestone that will create more widespread adoption of distributed systems and containers, and puts us on a path that will inevitably lead to a whole new generation of products and services.” – Alex Polvi, CEO, CoreOS.
diff --git a/content/zh/blog/_posts/2015-12-00-Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet.md b/content/zh-cn/blog/_posts/2015-12-00-Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet.md
similarity index 97%
rename from content/zh/blog/_posts/2015-12-00-Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet.md
rename to content/zh-cn/blog/_posts/2015-12-00-Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet.md
index 2fb1d70b9f4b7..1eecaafae6e18 100644
--- a/content/zh/blog/_posts/2015-12-00-Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet.md
+++ b/content/zh-cn/blog/_posts/2015-12-00-Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet.md
@@ -1,16 +1,13 @@
 ---
-title: " 使用 Puppet 管理 Kubernetes Pods，Services 和 Replication Controllers "
+title: "使用 Puppet 管理 Kubernetes Pod、Service 和 Replication Controller"
 date: 2015-12-17
 slug: managing-kubernetes-pods-services-and-replication-controllers-with-puppet
 ---
-
 <!--
----
 title: " Managing Kubernetes Pods, Services and Replication Controllers with Puppet "
 date: 2015-12-17
 slug: managing-kubernetes-pods-services-and-replication-controllers-with-puppet
-url: /zh/blog/2015/12/Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet
----
+url: /blog/2015/12/Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2016-01-00-Kubernetes-Community-Meeting-Notes.md b/content/zh-cn/blog/_posts/2016-01-00-Kubernetes-Community-Meeting-Notes.md
similarity index 99%
rename from content/zh/blog/_posts/2016-01-00-Kubernetes-Community-Meeting-Notes.md
rename to content/zh-cn/blog/_posts/2016-01-00-Kubernetes-Community-Meeting-Notes.md
index 864e66897041f..793e0375415eb 100644
--- a/content/zh/blog/_posts/2016-01-00-Kubernetes-Community-Meeting-Notes.md
+++ b/content/zh-cn/blog/_posts/2016-01-00-Kubernetes-Community-Meeting-Notes.md
@@ -2,7 +2,6 @@
 title: " Kubernetes 社区会议记录 - 20160114 "
 date: 2016-01-28
 slug: kubernetes-community-meeting-notes
-url: /zh/blog/2016/01/Kubernetes-Community-Meeting-Notes
 ---
 <!--
 ---
diff --git a/content/zh/blog/_posts/2016-01-00-Simple-Leader-Election-With-Kubernetes.md b/content/zh-cn/blog/_posts/2016-01-00-Simple-Leader-Election-With-Kubernetes.md
similarity index 99%
rename from content/zh/blog/_posts/2016-01-00-Simple-Leader-Election-With-Kubernetes.md
rename to content/zh-cn/blog/_posts/2016-01-00-Simple-Leader-Election-With-Kubernetes.md
index fe29be4795fb1..897c2828d7e05 100644
--- a/content/zh/blog/_posts/2016-01-00-Simple-Leader-Election-With-Kubernetes.md
+++ b/content/zh-cn/blog/_posts/2016-01-00-Simple-Leader-Election-With-Kubernetes.md
@@ -1,21 +1,20 @@
-<!--
 ---
-title: " Simple leader election with Kubernetes and Docker "
+title: "Kubernetes 和 Docker 简单的 leader election"
 date: 2016-01-11
 slug: simple-leader-election-with-kubernetes
 ---
-
-####  Overview
--->
-
-title: "Kubernetes 和 Docker 简单的 leader election"
+<!--
+title: " Simple leader election with Kubernetes and Docker "
 date: 2016-01-11
 slug: simple-leader-election-with-kubernetes
-url: /zh/blog/2016/01/Simple-Leader-Election-With-Kubernetes
+-->
 
 <!--
+####  Overview
+
 Kubernetes simplifies the deployment and operational management of services running on clusters. However, it also simplifies the development of these services. In this post we'll see how you can use Kubernetes to easily perform leader election in your distributed application. Distributed applications usually replicate the tasks of a service for reliability and scalability, but often it is necessary to designate one of the replicas as the leader who is responsible for coordination among all of the replicas.
 -->
+#### 概述
 
 Kubernetes 简化了集群上运行的服务的部署和操作管理。但是，它也简化了这些服务的发展。在本文中，我们将看到如何使用 Kubernetes 在分布式应用程序中轻松地执行 leader election。分布式应用程序通常为了可靠性和可伸缩性而复制服务的任务，但通常需要指定其中一个副本作为负责所有副本之间协调的负责人。
 
diff --git a/content/zh/blog/_posts/2016-01-00-Why-Kubernetes-Doesnt-Use-Libnetwork.md b/content/zh-cn/blog/_posts/2016-01-00-Why-Kubernetes-Doesnt-Use-Libnetwork.md
similarity index 99%
rename from content/zh/blog/_posts/2016-01-00-Why-Kubernetes-Doesnt-Use-Libnetwork.md
rename to content/zh-cn/blog/_posts/2016-01-00-Why-Kubernetes-Doesnt-Use-Libnetwork.md
index ca8dfc8da44f7..649ff90059961 100644
--- a/content/zh/blog/_posts/2016-01-00-Why-Kubernetes-Doesnt-Use-Libnetwork.md
+++ b/content/zh-cn/blog/_posts/2016-01-00-Why-Kubernetes-Doesnt-Use-Libnetwork.md
@@ -4,12 +4,12 @@ date: 2016-01-14
 slug: why-kubernetes-doesnt-use-libnetwork
 ---
 
-<!-- ---
+<!--
 title: " Why Kubernetes doesn’t use libnetwork "
 date: 2016-01-14
 slug: why-kubernetes-doesnt-use-libnetwork
-url: /zh/blog/2016/01/Why-Kubernetes-Doesnt-Use-Libnetwork
---- -->
+url: /blog/2016/01/Why-Kubernetes-Doesnt-Use-Libnetwork
+-->
 
 <!-- Kubernetes has had a very basic form of network plugins since before version 1.0 was released — around the same time as Docker's [libnetwork](https://github.com/docker/libnetwork) and Container Network Model ([CNM](https://github.com/docker/libnetwork/blob/master/docs/design.md)) was introduced. Unlike libnetwork, the Kubernetes plugin system still retains its "alpha" designation. Now that Docker's network plugin support is released and supported, an obvious question we get is why Kubernetes has not adopted it yet. After all, vendors will almost certainly be writing plugins for Docker — we would all be better off using the same drivers, right?   -->
 
diff --git a/content/zh/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md b/content/zh-cn/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
similarity index 93%
rename from content/zh/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
rename to content/zh-cn/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
index 09b2880192b25..95677cb77747f 100644
--- a/content/zh/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
+++ b/content/zh-cn/blog/_posts/2016-02-00-Kubecon-Eu-2016-Kubernetes-Community-In.md
@@ -5,12 +5,10 @@ slug: kubecon-eu-2016-kubernetes-community-in
 ---
 
 <!--
----
 title: " KubeCon EU 2016: Kubernetes Community in London "
 date: 2016-02-24
 slug: kubecon-eu-2016-kubernetes-community-in
-url: /zh/blog/2016/02/Kubecon-Eu-2016-Kubernetes-Community-In
----
+url: /blog/2016/02/Kubecon-Eu-2016-Kubernetes-Community-In
 -->
 
 <!--
@@ -29,13 +27,13 @@ Don’t miss these great speaker sessions at the conference:
 不要错过这些优质的演讲：
 
 <!--
-* “Kubernetes Hardware Hacks: Exploring the Kubernetes API Through Knobs, Faders, and Sliders” by Ian Lewis and Brian Dorsey, Developer Advocate, Google -* [http://sched.co/6Bl3](http://sched.co/6Bl3)
+* “Kubernetes Hardware Hacks: Exploring the Kubernetes API Through Knobs, Faders, and Sliders” by Ian Lewis and Brian Dorsey, Developer Advocate, Google -* [http://sched.co/6Bl3](http://sched.co/6Bl3)  
 
 * “rktnetes: what's new with container runtimes and Kubernetes” by Jonathan Boulle, Developer and Team Lead at CoreOS -* [http://sched.co/6BY7](http://sched.co/6BY7)
 
 * “Kubernetes Documentation: Contributing, fixing issues, collecting bounties” by John Mulhausen, Lead Technical Writer, Google -* [http://sched.co/6BUP](http://sched.co/6BUP)&nbsp;
 * “[What is OpenStack's role in a Kubernetes world?](https://kubeconeurope2016.sched.org/event/6BYC/what-is-openstacks-role-in-a-kubernetes-world?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” By Thierry Carrez, Director of Engineering, OpenStack Foundation -* http://sched.co/6BYC
-* “A Practical Guide to Container Scheduling” by Mandy Waite, Developer Advocate, Google -* [http://sched.co/6BZa](http://sched.co/6BZa)
+* “A Practical Guide to Container Scheduling” by Mandy Waite, Developer Advocate, Google -* [http://sched.co/6BZa](http://sched.co/6BZa)  
 
 * “[Kubernetes in Production in The New York Times newsroom](https://kubeconeurope2016.sched.org/event/67f2/kubernetes-in-production-in-the-new-york-times-newsroom?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” Eric Lewis, Web Developer, New York Times -* [http://sched.co/67f2](http://sched.co/67f2)
 * “[Creating an Advanced Load Balancing Solution for Kubernetes with NGINX](https://kubeconeurope2016.sched.org/event/6Bc9/creating-an-advanced-load-balancing-solution-for-kubernetes-with-nginx?iframe=yes&w=i:0;&sidebar=yes&bg=no#?iframe=yes&w=i:100;&sidebar=yes&bg=no)” by Andrew Hutchings, Technical Product Manager, NGINX -* http://sched.co/6Bc9
@@ -60,15 +58,15 @@ Get your KubeCon EU [tickets here](https://ti.to/kubecon/kubecon-eu-2016).
 [在这里](https://ti.to/kubecon/kubecon-eu-2016)获取您的 KubeCon EU 门票。
 
 <!--
-Venue Location: CodeNode * 10 South Pl, London, United Kingdom
-Accommodations: [hotels](https://skillsmatter.com/contact-us#hotels)
-Website: [kubecon.io](https://www.kubecon.io/)
+Venue Location: CodeNode * 10 South Pl, London, United Kingdom  
+Accommodations: [hotels](https://skillsmatter.com/contact-us#hotels)   
+Website: [kubecon.io](https://www.kubecon.io/)   
 Twitter: [@KubeConio](https://twitter.com/kubeconio) #KubeCon
-Google is a proud Diamond sponsor of KubeCon EU 2016. Come to London next month, March 10th & 11th, and visit booth #13 to learn all about Kubernetes, Google Container Engine (GKE) and Google Cloud Platform!
+Google is a proud Diamond sponsor of KubeCon EU 2016. Come to London next month, March 10th & 11th, and visit booth #13 to learn all about Kubernetes, Google Container Engine (GKE) and Google Cloud Platform!  
 -->
-会场地址：CodeNode * 英国伦敦南广场 10 号
-酒店住宿：[酒店](https://skillsmatter.com/contact-us)
-网站：[kubecon.io] (https://www.kubecon.io/)
+会场地址：CodeNode * 英国伦敦南广场 10 号  
+酒店住宿：[酒店](https://skillsmatter.com/contact-us)  
+网站：[kubecon.io] (https://www.kubecon.io/)  
 推特：[@KubeConio] (https://twitter.com/kubeconio)
 谷歌是 KubeCon EU 2016 的钻石赞助商。下个月 3 月 10 - 11 号来伦敦，参观 13 号展位，了解 Kubernetes，Google Container Engine（GKE），Google Cloud Platform 的所有信息!
 
@@ -78,6 +76,6 @@ _KubeCon is organized by KubeAcademy, LLC, a community-driven group of developer
 -* Sarah Novotny, Kubernetes Community Manager, Google
 -->
 
-_KubeCon 是由 KubeAcademy、LLC 组织的，这是一个由社区驱动的开发者团体，专注于开发人员的教育和 kubernet.com 的推广
+_KubeCon 是由 KubeAcademy、LLC 组织的，这是一个由社区驱动的开发者团体，专注于开发人员的教育和 kubernetes 的推广
 -* Sarah Novotny, 谷歌的 Kubernetes 社区经理
 
diff --git a/content/zh/blog/_posts/2016-02-00-Kubernetes-Community-Meeting-Notes.md b/content/zh-cn/blog/_posts/2016-02-00-Kubernetes-Community-Meeting-Notes.md
similarity index 86%
rename from content/zh/blog/_posts/2016-02-00-Kubernetes-Community-Meeting-Notes.md
rename to content/zh-cn/blog/_posts/2016-02-00-Kubernetes-Community-Meeting-Notes.md
index a9e0f10e4e7a5..8f5a80679f0b0 100644
--- a/content/zh/blog/_posts/2016-02-00-Kubernetes-Community-Meeting-Notes.md
+++ b/content/zh-cn/blog/_posts/2016-02-00-Kubernetes-Community-Meeting-Notes.md
@@ -4,17 +4,16 @@ date: 2016-02-09
 slug: kubernetes-community-meeting-notes
 ---
 <!--
----
 title: " Kubernetes community meeting notes - 20160204 "
 date: 2016-02-09
 slug: kubernetes-community-meeting-notes
-url: /zh/blog/2016/02/Kubernetes-Community-Meeting-Notes
----
+url: /blog/2016/02/Kubernetes-Community-Meeting-Notes
 -->
+
 <!--
 ####  February 4th - rkt demo (congratulations on the 1.0, CoreOS!), eBay puts k8s on Openstack and considers Openstack on k8s, SIGs, and flaky test surge makes progress.
 -->
-####  2月4日 - rkt演示（祝贺 1.0 版本， CoreOS！）， eBay 将 k8s 放在 Openstack 上并认为 Openstack 在 k8s， SIG 和片状测试激增方面取得了进展。
+####  2 月 4 日 - rkt 演示（祝贺 1.0 版本，CoreOS！），eBay 将 k8s 放在 Openstack 上并认为 Openstack 在 k8s，SIG 和片状测试激增方面取得了进展。
 
 <!--
 The Kubernetes contributing community meets most Thursdays at 10:00PT to discuss the project's status via a videoconference. Here are the notes from the latest meeting.
@@ -35,13 +34,13 @@ Kubernetes 贡献社区在每周四 10:00 PT 开会,通过视频会议讨论项
             * But need more work on e2e test suites
 -->
 * 书记员：Rob Hirschfeld
-* 演示视频（20分钟）：CoreOS rkt + Kubernetes[Shaya Potter]
-    * 期待在未来几个月内看到与rkt和k8s的整合（“rkt-netes”）。 还没有集成到 v1.2版本中。
+* 演示视频（20 分钟）：CoreOS rkt + Kubernetes [Shaya Potter]
+    * 期待在未来几个月内看到与rkt和k8s的整合（“rkt-netes”）。 还没有集成到 v1.2 版本中。
     * Shaya 做了一个演示（8分钟的会议视频参考）
-        * rkt的CLI显示了旋转容器
+        * rkt 的 CLI 显示了旋转容器
         * [注意：音频在点数上是乱码]
         * 关于 k8s&rkt 整合的讨论
-        * 下周 rkt 社区同步：https://groups.google.com/forum/#!topic/rkt-dev/FlwZVIEJGbY
+        * 下周 rkt 社区同步： https://groups.google.com/forum/#!topic/rkt-dev/FlwZVIEJGbY
         * Dawn Chen:
             * 将 rkt 与 kubernetes 集成的其余问题：1）cadivsor 2） DNS 3）与日志记录相关的错误
             * 但是需要在 e2e 测试套件上做更多的工作
@@ -103,13 +102,16 @@ Kubernetes 贡献社区在每周四 10:00 PT 开会,通过视频会议讨论项
 <!--
 To get involved in the Kubernetes community consider joining our [Slack channel][2], taking a look at the [Kubernetes project][3] on GitHub, or join the [Kubernetes-dev Google group][4]. If you're really excited, you can do all of the above and join us for the next community conversation -- February 11th, 2016. Please add yourself or a topic you want to know about to the [agenda][5] and get a calendar invitation by joining [this group][6].
 -->
-要参与 Kubernetes 社区，请考虑加入我们的[Slack 频道][2]，查看 GitHub上的 [Kubernetes 项目][3]，或加入[Kubernetes-dev Google 小组][4]。如果你真的很兴奋，你可以完成上述所有工作并加入我们的下一次社区对话-2016年2月11日。请将您自己或您想要了解的主题添加到[议程][5]并通过加入[此组][6]来获取日历邀请。
+要参与 Kubernetes 社区，请考虑加入我们的 [Slack 频道][2]，查看 GitHub 上的
+[Kubernetes 项目][3]，或加入 [Kubernetes-dev Google 小组][4]。
+如果你真的很兴奋，你可以完成上述所有工作并加入我们的下一次社区对话 - 2016 年 2 月 11 日。
+请将你自己或你想要了解的主题添加到[议程][5]并通过加入[此组][6]来获取日历邀请。
 
  "https://youtu.be/IScpP8Cj0hw?list=PL69nYSiGNLP1pkHsbPjzAewvMgGUpkCnJ"
 
 
 [1]: https://github.com/kubernetes/kubernetes/pull/19714
-[2]: http://slack.k8s.io/
+[2]: https://slack.k8s.io/
 [3]: https://github.com/kubernetes/
 [4]: https://groups.google.com/forum/#!forum/kubernetes-dev
 [5]: https://docs.google.com/document/d/1VQDIAB0OqiSjIHI8AWMvSdceWhnz56jNpZrLs6o7NJY/edit#
diff --git a/content/zh/blog/_posts/2016-02-00-State-Of-Container-World-January-2016.md b/content/zh-cn/blog/_posts/2016-02-00-State-Of-Container-World-January-2016.md
similarity index 98%
rename from content/zh/blog/_posts/2016-02-00-State-Of-Container-World-January-2016.md
rename to content/zh-cn/blog/_posts/2016-02-00-State-Of-Container-World-January-2016.md
index 1dc62626dff69..ce29a5681e236 100644
--- a/content/zh/blog/_posts/2016-02-00-State-Of-Container-World-January-2016.md
+++ b/content/zh-cn/blog/_posts/2016-02-00-State-Of-Container-World-January-2016.md
@@ -1,17 +1,15 @@
 ---
-title: " 容器世界现状，2016年1月 "
+title: " 容器世界现状，2016 年 1 月 "
 date: 2016-02-01
 slug: state-of-container-world-january-2016
-url: /zh/blog/2016/02/State-Of-Container-World-January-2016
 ---
 <!--
----
 title: " State of the Container World, January 2016 "
 date: 2016-02-01
 slug: state-of-container-world-january-2016
-url: /zh/blog/2016/02/State-Of-Container-World-January-2016
----
+url: /blog/2016/02/State-Of-Container-World-January-2016
 -->
+
 <!--
 At the start of the new year, we sent out a survey to gauge the state of the container world. We’re ready to send the [February edition](https://docs.google.com/forms/d/13yxxBqb5igUhwrrnDExLzZPjREiCnSs-AH-y4SSZ-5c/viewform), but before we do, let’s take a look at the January data from the 119 responses (thank you for participating!).  
 -->
diff --git a/content/zh/blog/_posts/2016-02-00-kubernetes-community-meeting-notes_23.md b/content/zh-cn/blog/_posts/2016-02-00-kubernetes-community-meeting-notes_23.md
similarity index 96%
rename from content/zh/blog/_posts/2016-02-00-kubernetes-community-meeting-notes_23.md
rename to content/zh-cn/blog/_posts/2016-02-00-kubernetes-community-meeting-notes_23.md
index 10420cf73fca0..983495f152f89 100644
--- a/content/zh/blog/_posts/2016-02-00-kubernetes-community-meeting-notes_23.md
+++ b/content/zh-cn/blog/_posts/2016-02-00-kubernetes-community-meeting-notes_23.md
@@ -2,7 +2,6 @@
 title: "Kubernetes 社区会议记录 - 20160218"
 date: 2016-02-23
 slug: kubernetes-community-meeting-notes_23
-url: /zh/blog/2016/02/kubernetes-community-meeting-notes_23
 ---
 
 <!--
@@ -10,8 +9,7 @@ url: /zh/blog/2016/02/kubernetes-community-meeting-notes_23
 title: " Kubernetes Community Meeting Notes - 20160218 "
 date: 2016-02-23
 slug: kubernetes-community-meeting-notes_23
-url: /zh/blog/2016/02/kubernetes-community-meeting-notes_23
-url: /zh/blog/2016/02/kubernetes-community-meeting-notes_23
+url: /blog/2016/02/Kubernetes-community-meeting-notes-20160128
 ---
 -->
 
diff --git a/content/zh/blog/_posts/2016-04-00-Adding-Support-For-Kubernetes-In-Rancher.md b/content/zh-cn/blog/_posts/2016-04-00-Adding-Support-For-Kubernetes-In-Rancher.md
similarity index 98%
rename from content/zh/blog/_posts/2016-04-00-Adding-Support-For-Kubernetes-In-Rancher.md
rename to content/zh-cn/blog/_posts/2016-04-00-Adding-Support-For-Kubernetes-In-Rancher.md
index c34940bcb2a70..00548b1585cdd 100644
--- a/content/zh/blog/_posts/2016-04-00-Adding-Support-For-Kubernetes-In-Rancher.md
+++ b/content/zh-cn/blog/_posts/2016-04-00-Adding-Support-For-Kubernetes-In-Rancher.md
@@ -2,15 +2,12 @@
 title: " 在 Rancher 中添加对 Kuernetes 的支持 "
 date: 2016-04-08
 slug: adding-support-for-kubernetes-in-rancher
-url: /zh/blog/2016/04/Adding-Support-For-Kubernetes-In-Rancher
 ---
 <!--
----
 title: " Adding Support for Kubernetes in Rancher "
 date: 2016-04-08
 slug: adding-support-for-kubernetes-in-rancher
-url: /zh/blog/2016/04/Adding-Support-For-Kubernetes-In-Rancher
----
+url: /blog/2016/04/Adding-Support-For-Kubernetes-In-Rancher
 -->
 <!--
 _Today’s guest post is written by Darren Shepherd, Chief Architect at Rancher Labs, an open-source software platform for managing containers._ -->
diff --git a/content/zh/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md b/content/zh-cn/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
similarity index 99%
rename from content/zh/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
rename to content/zh-cn/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
index 36eee4a09b718..83a6c5e4b99e1 100644
--- a/content/zh/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
+++ b/content/zh-cn/blog/_posts/2016-04-00-Kubernetes-Network-Policy-APIs.md
@@ -2,16 +2,14 @@
 title: “SIG-Networking：1.3 版本引入 Kubernetes 网络策略 API”
 date: 2016-04-18
 slug: kubernetes-network-policy-apis
-url: /zh/blog/2016/04/Kubernetes-Network-Policy-APIs
 ---
 <!--
----
 title: " SIG-Networking: Kubernetes Network Policy APIs Coming in 1.3 "
 date: 2016-04-18
 slug: kubernetes-network-policy-apis
-url: /zh/blog/2016/04/Kubernetes-Network-Policy-APIs
----
+url: /blog/2016/04/Kubernetes-Network-Policy-APIs
 -->
+
 <!--
 _Editor’s note: This week we’re featuring [Kubernetes Special Interest Groups](https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)); Today’s post is by the Network-SIG team describing network policy APIs coming in 1.3 - policies for security, isolation and multi-tenancy._  
 -->
diff --git a/content/zh/blog/_posts/2016-04-00-Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters.md b/content/zh-cn/blog/_posts/2016-04-00-Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters.md
similarity index 96%
rename from content/zh/blog/_posts/2016-04-00-Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters.md
rename to content/zh-cn/blog/_posts/2016-04-00-Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters.md
index 0a24f270581ef..c2b7969abc3b5 100644
--- a/content/zh/blog/_posts/2016-04-00-Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters.md
+++ b/content/zh-cn/blog/_posts/2016-04-00-Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters.md
@@ -2,16 +2,14 @@
 title: " SIG-ClusterOps: 提升 Kubernetes 集群的可操作性和互操作性 "
 date: 2016-04-19
 slug: sig-clusterops-promote-operability-and-interoperability-of-k8s-clusters
-url: /zh/blog/2016/04/Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters
 ---
 <!--
----
 title: " SIG-ClusterOps: Promote operability and interoperability of Kubernetes clusters "
 date: 2016-04-19
 slug: sig-clusterops-promote-operability-and-interoperability-of-k8s-clusters
-url: /zh/blog/2016/04/Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters
----
+url: /blog/2016/04/Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters
 -->
+
 <!--
 _Editor’s note: This week we’re featuring [Kubernetes Special Interest Groups](https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)); Today’s post is by the SIG-ClusterOps team whose mission is to promote operability and interoperability of Kubernetes clusters -- to listen, help & escalate._ 
 -->
diff --git a/content/zh/blog/_posts/2016-05-00-Coreosfest2016-Kubernetes-Community.md b/content/zh-cn/blog/_posts/2016-05-00-Coreosfest2016-Kubernetes-Community.md
similarity index 98%
rename from content/zh/blog/_posts/2016-05-00-Coreosfest2016-Kubernetes-Community.md
rename to content/zh-cn/blog/_posts/2016-05-00-Coreosfest2016-Kubernetes-Community.md
index 4b3b83ebea575..55a3f40613685 100644
--- a/content/zh/blog/_posts/2016-05-00-Coreosfest2016-Kubernetes-Community.md
+++ b/content/zh-cn/blog/_posts/2016-05-00-Coreosfest2016-Kubernetes-Community.md
@@ -2,16 +2,14 @@
 title: " CoreOS Fest 2016: CoreOS 和 Kubernetes 在柏林（和旧金山）社区见面会 "
 date: 2016-05-03
 slug: coreosfest2016-kubernetes-community
-url: /zh/blog/2016/05/Coreosfest2016-Kubernetes-Community
 ---
 <!--
----
 title: " CoreOS Fest 2016: CoreOS and Kubernetes Community meet in Berlin (& San Francisco) "
 date: 2016-05-03
 slug: coreosfest2016-kubernetes-community
-url: /zh/blog/2016/05/Coreosfest2016-Kubernetes-Community
----
+url: /blog/2016/05/Coreosfest2016-Kubernetes-Community
 -->
+
 <!--
 [CoreOS Fest 2016](https://coreos.com/fest/) will bring together the container and open source distributed systems community, including many thought leaders in the Kubernetes space. It is the second annual CoreOS community conference, held for the first time in Berlin on May 9th and 10th. CoreOS believes Kubernetes is the container orchestration component to deliver GIFEE (Google’s Infrastructure for Everyone Else).  
 -->
diff --git a/content/zh/blog/_posts/2016-07-00-Bringing-End-To-End-Kubernetes-Testing-To-Azure-2.md b/content/zh-cn/blog/_posts/2016-07-00-Bringing-End-To-End-Kubernetes-Testing-To-Azure-2.md
similarity index 97%
rename from content/zh/blog/_posts/2016-07-00-Bringing-End-To-End-Kubernetes-Testing-To-Azure-2.md
rename to content/zh-cn/blog/_posts/2016-07-00-Bringing-End-To-End-Kubernetes-Testing-To-Azure-2.md
index 2231431ccb712..411640e700acc 100644
--- a/content/zh/blog/_posts/2016-07-00-Bringing-End-To-End-Kubernetes-Testing-To-Azure-2.md
+++ b/content/zh-cn/blog/_posts/2016-07-00-Bringing-End-To-End-Kubernetes-Testing-To-Azure-2.md
@@ -1,16 +1,13 @@
 ---
-题目: " 将端到端的 Kubernetes 测试引入 Azure （第二部分） "
-日期: 2016-07-18
+title: " 将端到端的 Kubernetes 测试引入 Azure （第二部分） "
+date: 2016-07-18
 slug: bringing-end-to-end-kubernetes-testing-to-azure-2
-url: /zh/blog/2016/07/Bringing-End-To-End-Kubernetes-Testing-To-Azure-2
 ---
 <!--
----
 title: " Bringing End-to-End Kubernetes Testing to Azure (Part 2) "
 date: 2016-07-18
 slug: bringing-end-to-end-kubernetes-testing-to-azure-2
-url: /zh/blog/2016/07/Bringing-End-To-End-Kubernetes-Testing-To-Azure-2
----
+url: /blog/2016/07/Bringing-End-To-End-Kubernetes-Testing-To-Azure-2
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2016-07-00-Citrix-Netscaler-And-Kubernetes.md b/content/zh-cn/blog/_posts/2016-07-00-Citrix-Netscaler-And-Kubernetes.md
similarity index 98%
rename from content/zh/blog/_posts/2016-07-00-Citrix-Netscaler-And-Kubernetes.md
rename to content/zh-cn/blog/_posts/2016-07-00-Citrix-Netscaler-And-Kubernetes.md
index caa0bee915c3b..d805cc7cd0909 100644
--- a/content/zh/blog/_posts/2016-07-00-Citrix-Netscaler-And-Kubernetes.md
+++ b/content/zh-cn/blog/_posts/2016-07-00-Citrix-Netscaler-And-Kubernetes.md
@@ -5,12 +5,10 @@ slug: citrix-netscaler-and-kubernetes
 ---
 
 <!--
----
 title: " Citrix + Kubernetes = A Home Run "
 date: 2016-07-14
 slug: citrix-netscaler-and-kubernetes
-url: /zh/blog/2016/07/Citrix-Netscaler-And-Kubernetes
----
+url: /blog/2016/07/Citrix-Netscaler-And-Kubernetes
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2016-07-00-Dashboard-Web-Interface-For-Kubernetes.md b/content/zh-cn/blog/_posts/2016-07-00-Dashboard-Web-Interface-For-Kubernetes.md
similarity index 97%
rename from content/zh/blog/_posts/2016-07-00-Dashboard-Web-Interface-For-Kubernetes.md
rename to content/zh-cn/blog/_posts/2016-07-00-Dashboard-Web-Interface-For-Kubernetes.md
index d92b18bcc2b74..0e9dcc2d3760b 100644
--- a/content/zh/blog/_posts/2016-07-00-Dashboard-Web-Interface-For-Kubernetes.md
+++ b/content/zh-cn/blog/_posts/2016-07-00-Dashboard-Web-Interface-For-Kubernetes.md
@@ -5,12 +5,10 @@ slug: dashboard-web-interface-for-kubernetes
 ---
 
 <!--
----
 title: " Dashboard - Full Featured Web Interface for Kubernetes "
 date: 2016-07-15
 slug: dashboard-web-interface-for-kubernetes
-url: /zh/blog/2016/07/Dashboard-Web-Interface-For-Kubernetes
----
+url: /blog/2016/07/Dashboard-Web-Interface-For-Kubernetes
 -->
 
 <!--
@@ -41,7 +39,7 @@ The Dashboard UI now handles all workload resources. This means that no matter w
  [![](https://lh3.googleusercontent.com/p9bMGxPx4jE6_Z2KB-MktmyuAxyFst-bEk29M_Bn0Bj5ul7uzinH6u5WjHsMmqhGvBwlABZt06dwQ5qkBZiLq_EM1oddCmpwChvXDNXZypaS5l8uzkKuZj3PBUmzTQT4dgDxSXgz) ](https://lh3.googleusercontent.com/p9bMGxPx4jE6_Z2KB-MktmyuAxyFst-bEk29M_Bn0Bj5ul7uzinH6u5WjHsMmqhGvBwlABZt06dwQ5qkBZiLq_EM1oddCmpwChvXDNXZypaS5l8uzkKuZj3PBUmzTQT4dgDxSXgz)
 -->
 
-Dashboard UI 现在处理所有工作负载资源。这意味着无论您运行什么工作负载类型，它都在 web 界面中可见，并且您可以对其进行操作更改。例如，可以使用[Pet Sets](/docs/user-guide/petset/)修改有状态的 mysql 安装，使用部署对 web 服务器进行滚动更新，或使用守护程序安装群集监视。
+Dashboard UI 现在处理所有工作负载资源。这意味着无论您运行什么工作负载类型，它都在 web 界面中可见，并且您可以对其进行操作更改。例如，可以使用[Pet Sets](/docs/user-guide/petset/)修改有状态的 mysql 安装，使用部署对 web 服务器进行滚动更新，或使用守护程序安装集群监视。
 
 
 
@@ -105,9 +103,9 @@ Here is a list of our focus areas for the following months:
 
 以下是我们接下来几个月的重点领域：
 
-- [Handle more Kubernetes resources](https://github.com/kubernetes/dashboard/issues/961) - 显示群集用户可能与之交互的所有资源。一旦完成，dashboard 就可以完全替代cli。
+- [Handle more Kubernetes resources](https://github.com/kubernetes/dashboard/issues/961) - 显示集群用户可能与之交互的所有资源。一旦完成，dashboard 就可以完全替代cli。
 - [Monitoring and troubleshooting](https://github.com/kubernetes/dashboard/issues/962) - 将资源使用统计信息/图表添加到 Dashboard 中显示的对象。这个重点领域将允许对云应用程序进行可操作的调试和故障排除。
-- [Security, auth and logging in](https://github.com/kubernetes/dashboard/issues/964) - 使仪表板可从群集外部的网络访问，并使用自定义身份验证系统。
+- [Security, auth and logging in](https://github.com/kubernetes/dashboard/issues/964) - 使仪表板可从集群外部的网络访问，并使用自定义身份验证系统。
 
 <!--
 **Connect With Us**
diff --git a/content/zh/blog/_posts/2016-07-00-Oh-The-Places-You-Will-Go.md b/content/zh-cn/blog/_posts/2016-07-00-Oh-The-Places-You-Will-Go.md
similarity index 99%
rename from content/zh/blog/_posts/2016-07-00-Oh-The-Places-You-Will-Go.md
rename to content/zh-cn/blog/_posts/2016-07-00-Oh-The-Places-You-Will-Go.md
index 2b59df1500ee8..198d7d3cd2492 100644
--- a/content/zh/blog/_posts/2016-07-00-Oh-The-Places-You-Will-Go.md
+++ b/content/zh-cn/blog/_posts/2016-07-00-Oh-The-Places-You-Will-Go.md
@@ -5,12 +5,10 @@ slug: oh-the-places-you-will-go
 ---
 
 <!--
----
 title: " Happy Birthday Kubernetes. Oh, the places you’ll go! "
 date: 2016-07-21
 slug: oh-the-places-you-will-go
-url: /zh/blog/2016/07/Oh-The-Places-You-Will-Go
----
+url: /blog/2016/07/Oh-The-Places-You-Will-Go
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2016-07-00-stateful-applications-in-containers-kubernetes.md b/content/zh-cn/blog/_posts/2016-07-00-stateful-applications-in-containers-kubernetes.md
similarity index 89%
rename from content/zh/blog/_posts/2016-07-00-stateful-applications-in-containers-kubernetes.md
rename to content/zh-cn/blog/_posts/2016-07-00-stateful-applications-in-containers-kubernetes.md
index 1b425be77b911..f5bc9d4c312d5 100644
--- a/content/zh/blog/_posts/2016-07-00-stateful-applications-in-containers-kubernetes.md
+++ b/content/zh-cn/blog/_posts/2016-07-00-stateful-applications-in-containers-kubernetes.md
@@ -2,15 +2,12 @@
 title: "容器中运行有状态的应用！？ Kubernetes 1.3 说 “是！” "
 date: 2016-07-13
 slug: stateful-applications-in-containers-kubernetes
-url: /zh/blog/2016/07/stateful-applications-in-containers-kubernetes
 ---
 <!--
----
 title: " Stateful Applications in Containers!? Kubernetes 1.3 Says “Yes!” "
 date: 2016-07-13
 slug: stateful-applications-in-containers-kubernetes
-url: /zh/blog/2016/07/stateful-applications-in-containers-kubernetes
----
+url: /blog/2016/07/stateful-applications-in-containers-kubernetes
 -->
 
 <!--
@@ -19,9 +16,11 @@ _Editor's note: today’s guest post is from Mark Balch, VP of Products at Diama
 _编者注： 今天的来宾帖子来自 Diamanti 产品副总裁 Mark Balch，他将分享有关他们对 Kubernetes 所做的贡献的更多信息。_ 
 
 <!--
-Congratulations to the Kubernetes community on another [value-packed release](https://kubernetes.io/blog/2016/07/kubernetes-1.3-bridging-cloud-native-and-enterprise-workloads). A focus on stateful applications and federated clusters are two reasons why I’m so excited about 1.3. Kubernetes support for stateful apps such as Cassandra, Kafka, and MongoDB is critical. Important services rely on databases, key value stores, message queues, and more. Additionally, relying on one data center or container cluster simply won’t work as apps grow to serve millions of users around the world. Cluster federation allows users to deploy apps across multiple clusters and data centers for scale and resiliency.  
+
+Congratulations to the Kubernetes community on another [value-packed release](https://kubernetes.io/blog/2016/07/kubernetes-1-3-bridging-cloud-native-and-enterprise-workloads/). A focus on stateful applications and federated clusters are two reasons why I’m so excited about 1.3. Kubernetes support for stateful apps such as Cassandra, Kafka, and MongoDB is critical. Important services rely on databases, key value stores, message queues, and more. Additionally, relying on one data center or container cluster simply won’t work as apps grow to serve millions of users around the world. Cluster federation allows users to deploy apps across multiple clusters and data centers for scale and resiliency.
+
 -->
-祝贺 Kubernetes 社区发布了另一个[有价值的版本](https://kubernetes.io/blog/2016/07/kubernetes-1.3-bridging-cloud-native-and-enterprise-workloads)。
+祝贺 Kubernetes 社区发布了另一个[有价值的版本](https://kubernetes.io/blog/2016/07/kubernetes-1-3-bridging-cloud-native-and-enterprise-workloads/)。
 专注于有状态应用程序和联邦集群是我对 1.3 如此兴奋的两个原因。
 Kubernetes 对有状态应用程序（例如 Cassandra、Kafka 和 MongoDB）的支持至关重要。
 重要服务依赖于数据库、键值存储、消息队列等。
@@ -40,7 +39,7 @@ Diamanti 正在加速在生产中使用有状态应用程序的容器-在这方
 **应用程序不仅仅需要牛**  
 
 <!--
-Beyond stateless containers like web servers (so-called “cattle” because they are interchangeable), users are increasingly deploying stateful workloads with containers to benefit from “build once, run anywhere” and to improve bare metal efficiency/utilization. These “pets” (so-called because each requires special handling) bring new requirements including longer life cycle, configuration dependencies, stateful failover, and performance sensitivity. Container orchestration must address these needs to successfully deploy and scale apps. 
+Beyond stateless containers like web servers (so-called “cattle” because they are interchangeable), users are increasingly deploying stateful workloads with containers to benefit from “build once, run anywhere” and to improve bare metal efficiency/utilization. These “pets” (so-called because each requires special handling) bring new requirements including longer life cycle, configuration dependencies, stateful failover, and performance sensitivity. Container orchestration must address these needs to successfully deploy and scale apps.  
 -->
 除了诸如Web服务器之类的无状态容器（因为它们是可互换的，因此被称为“牛”）之外，用户越来越多地使用容器来部署有状态工作负载，以从“一次构建，随处运行”中受益并提高裸机效率/利用率。
 这些“宠物”（之所以称为“宠物”，是因为每个宠物都需要特殊的处理）带来了新的要求，包括更长的生命周期，配置依赖项，有状态故障转移以及性能敏感性。
@@ -56,10 +55,10 @@ Pet Set 还利用普遍存在的 DNS SRV 记录简化了服务发现，DNS SRV 
 <!--
 Diamanti’s [FlexVolume contribution](https://github.com/kubernetes/kubernetes/pull/13840) to Kubernetes enables stateful workloads by providing persistent volumes with low-latency storage and guaranteed performance, including enforced quality-of-service from container to media.  
 -->
-Diamanti 对 Kubernete s的 [FlexVolume 贡献](https://github.com/kubernetes/kubernetes/pull/13840) 通过为持久卷提供低延迟存储并保证性能来实现有状态工作负载，包括从容器到媒体的强制服务质量。
+Diamanti 对 Kubernetes 的 [FlexVolume 贡献](https://github.com/kubernetes/kubernetes/pull/13840) 通过为持久卷提供低延迟存储并保证性能来实现有状态工作负载，包括从容器到媒体的强制服务质量。
 
 <!--
-**A Federalist** 
+**A Federalist**  
 -->
 **联邦主义者** 
 
@@ -83,7 +82,7 @@ It’s easy to imagine powerful multi-cluster use cases with cross-cluster feder
 很容易想象在将来的版本中具有跨集群联邦服务的强大多集群用例。
 一个示例是根据治理，安全性和性能要求调度容器。
 Diamanti 的调度程序扩展是在考虑了这一概念的基础上开发的。
-我们的[第一个实现](https://github.com/kubernetes/kubernetes/pull/13580)使 Kubernetes 调度程序意识到每个群集节点本地的网络和存储资源。
+我们的[第一个实现](https://github.com/kubernetes/kubernetes/pull/13580)使 Kubernetes 调度程序意识到每个集群节点本地的网络和存储资源。
 将来，类似的概念可以应用于跨集群联邦服务的更广泛的放置控件。
 
 <!--
diff --git a/content/zh-cn/blog/_posts/2016-08-00-Sig-Apps-Running-Apps-In-Kubernetes.md b/content/zh-cn/blog/_posts/2016-08-00-Sig-Apps-Running-Apps-In-Kubernetes.md
new file mode 100644
index 0000000000000..1a18cbe98aa9e
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2016-08-00-Sig-Apps-Running-Apps-In-Kubernetes.md
@@ -0,0 +1,103 @@
+---
+layout: blog
+title: 'SIG Apps: 为 Kubernetes 构建应用并在 Kubernetes 中进行运维'
+date: 2016-08-16
+slug: sig-apps-running-apps-in-kubernetes
+---
+<!--
+title: " SIG Apps: build apps for and operate them in Kubernetes "
+date: 2016-08-16
+slug: sig-apps-running-apps-in-kubernetes
+canonicalUrl: https://kubernetes.io/blog/2016/08/sig-apps-running-apps-in-kubernetes/
+url: /blog/2016/08/Sig-Apps-Running-Apps-In-Kubernetes
+-->
+
+<!--
+_Editor’s note: This post is by the Kubernetes SIG-Apps team sharing how they focus on the developer and devops experience of running applications in Kubernetes._  
+
+Kubernetes is an incredible manager for containerized applications. Because of this, [numerous](https://kubernetes.io/blog/2016/02/sharethis-kubernetes-in-production) [companies](https://blog.box.com/blog/kubernetes-box-microservices-maximum-velocity/) [have](http://techblog.yahoo.co.jp/infrastructure/os_n_k8s/) [started](http://www.nextplatform.com/2015/11/12/inside-ebays-shift-to-kubernetes-and-containers-atop-openstack/) to run their applications in Kubernetes.  
+
+Kubernetes Special Interest Groups ([SIGs](https://github.com/kubernetes/community/blob/master/README.md#special-interest-groups-sig)) have been around to support the community of developers and operators since around the 1.0 release. People organized around networking, storage, scaling and other operational areas.  
+
+As Kubernetes took off, so did the need for tools, best practices, and discussions around building and operating cloud native applications. To fill that need the Kubernetes [SIG Apps](https://github.com/kubernetes/community/tree/master/sig-apps) came into existence.  
+
+SIG Apps is a place where companies and individuals can:
+-->  
+
+**编者注**：这篇文章由 Kubernetes SIG-Apps 团队撰写，分享他们如何关注在 Kubernetes
+中运行应用的开发者和 devops 经验。
+
+Kubernetes 是容器化应用程序的出色管理者。因此，[众多](https://kubernetes.io/blog/2016/02/sharethis-kubernetes-in-production)
+[公司](https://blog.box.com/blog/kubernetes-box-microservices-maximum-velocity/)
+[已经](http://techblog.yahoo.co.jp/infrastructure/os_n_k8s/)
+[开始](http://www.nextplatform.com/2015/11/12/inside-ebays-shift-to-kubernetes-and-containers-atop-openstack/) 在 Kubernetes 中运行应用程序。
+
+Kubernetes 特殊兴趣小组 ([SIGs](https://github.com/kubernetes/community/blob/master/README.md#special-interest-groups-sig))
+自 1.0 版本开始就一直致力于支持开发者和运营商社区。围绕网络、存储、扩展和其他运营领域组织的人员。
+
+随着 Kubernetes 的兴起，对工具、最佳实践以及围绕构建和运营云原生应用程序的讨论的需求也随之增加。为了满足这一需求，
+Kubernetes [SIG Apps](https://github.com/kubernetes/community/tree/master/sig-apps) 应运而生。
+
+SIG Apps 为公司和个人提供以下支持：
+
+<!--
+- see and share demos of the tools being built to enable app operators
+- learn about and discuss needs of app operators
+- organize around efforts to improve the experience
+- -->
+
+- 查看和分享正在构建的、为应用操作人员赋能的工具的演示
+- 了解和讨论应用运营人员的需求
+- 组织各方努力改善体验
+
+<!--
+Since the inception of SIG Apps we’ve had demos of projects like [KubeFuse](https://github.com/opencredo/kubefuse), [KPM](https://github.com/kubespray/kpm), and [StackSmith](https://stacksmith.bitnami.com/). We’ve also executed on a survey of those operating apps in Kubernetes.  
+
+From the survey results we’ve learned a number of things including:
+-->  
+
+自从 SIG Apps 成立以来，我们已经进行了项目演示，例如 [KubeFuse](https://github.com/opencredo/kubefuse)、
+[KPM](https://github.com/kubespray/kpm)，和 [StackSmith](https://stacksmith.bitnami.com/)。 
+我们还对那些负责 Kubernetes 中应用运维的人进行了调查。
+
+从调查结果中，我们学到了很多东西，包括：
+
+<!--
+- That 81% of respondents want some form of autoscaling
+- To store secret information 47% of respondents use built-in secrets. At reset these are not currently encrypted. (If you want to help add encryption there is an [issue](https://github.com/kubernetes/kubernetes/issues/10439) for that.)&nbsp;
+- The most responded questions had to do with 3rd party tools and debugging
+- For 3rd party tools to manage applications there were no clear winners. There are a wide variety of practices
+- An overall complaint about a lack of useful documentation. (Help contribute to the docs [here](https://github.com/kubernetes/kubernetes.github.io).)
+- There’s a lot of data. Many of the responses were optional so we were surprised that 935 of all questions across all candidates were filled in. If you want to look at the data yourself it’s [available online](https://docs.google.com/spreadsheets/d/15SUL7QTpR4Flrp5eJ5TR8A5ZAFwbchfX2QL4MEoJFQ8/edit?usp=sharing).
+-->
+
+- 81% 的受访者希望采用某种形式的自动扩缩
+- 为了存储秘密信息，47% 的受访者使用内置 Secret。目前这些资料并未实现静态加密。 
+  （如果你需要关于加密的帮助，请参见[问题](https://github.com/kubernetes/kubernetes/issues/10439)。)
+- 响应最多的问题与第三方工具和调试有关
+- 对于管理应用程序的第三方工具，没有明确的赢家。有各种各样的做法
+- 总体上对缺乏有用文件有较多抱怨。（请在[此处](https://github.com/kubernetes/kubernetes.github.io)帮助提交文档。）
+- 数据量很大。很多回答是可选的，所以我们很惊讶所有候选人的所有问题中有 935 个都被填写了。
+  如果你想亲自查看数据，可以[在线](https://docs.google.com/spreadsheets/d/15SUL7QTpR4Flrp5eJ5TR8A5ZAFwbchfX2QL4MEoJFQ8/edit?usp=sharing)查看。
+
+<!--
+When it comes to application operation there’s still a lot to be figured out and shared. If you've got opinions about running apps, tooling to make the experience better, or just want to lurk and learn about what's going please come join us.
+-->  
+
+就应用运维而言，仍然有很多东西需要解决和共享。如果你对运行应用程序有看法或者有改善体验的工具，
+或者只是想潜伏并了解状况，请加入我们。
+
+<!--
+- Chat with us on SIG-Apps [Slack channel](https://kubernetes.slack.com/messages/sig-apps)
+- Email as at SIG-Apps [mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-apps)
+- Join our open meetings: weekly at 9AM PT on Wednesdays, [full details here](https://github.com/kubernetes/community/blob/master/sig-apps/README.md#meeting).
+-->
+
+- 在 SIG-Apps [Slack 频道](https://kubernetes.slack.com/messages/sig-apps)与我们聊天
+- 发送邮件到 SIG-Apps [邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-apps)
+- 参加我们的公开会议：太平洋时间每周三上午 9 点，[详情点击此处](https://github.com/kubernetes/community/blob/master/sig-apps/README.md#meeting)
+
+<!--
+_--Matt Farina, Principal Engineer, Hewlett Packard Enterprise_
+-->  
+_--Matt Farina ，Hewlett Packard Enterprise 首席工程师_ 
\ No newline at end of file
diff --git a/content/zh/blog/_posts/2016-08-00-Stateful-Applications-Using-Kubernetes-Datera.md b/content/zh-cn/blog/_posts/2016-08-00-Stateful-Applications-Using-Kubernetes-Datera.md
similarity index 99%
rename from content/zh/blog/_posts/2016-08-00-Stateful-Applications-Using-Kubernetes-Datera.md
rename to content/zh-cn/blog/_posts/2016-08-00-Stateful-Applications-Using-Kubernetes-Datera.md
index 682435db84fde..49c4facdeb60c 100644
--- a/content/zh/blog/_posts/2016-08-00-Stateful-Applications-Using-Kubernetes-Datera.md
+++ b/content/zh-cn/blog/_posts/2016-08-00-Stateful-Applications-Using-Kubernetes-Datera.md
@@ -2,15 +2,12 @@
 title: " 使用 Kubernetes Pet Sets 和 Datera Elastic Data Fabric 的 FlexVolume 扩展有状态的应用程序 "
 date: 2016-08-29
 slug: stateful-applications-using-kubernetes-datera
-url: /zh/blog/2016/08/Stateful-Applications-Using-Kubernetes-Datera
 ---
 <!--
----
 title: " Scaling Stateful Applications using Kubernetes Pet Sets and FlexVolumes with Datera Elastic Data Fabric "
 date: 2016-08-29
 slug: stateful-applications-using-kubernetes-datera
-url: /zh/blog/2016/08/Stateful-Applications-Using-Kubernetes-Datera
----
+url: /blog/2016/08/Stateful-Applications-Using-Kubernetes-Datera
 --->
 
 <!--
diff --git a/content/zh/blog/_posts/2017-10-00-Five-Days-Of-Kubernetes-18.md b/content/zh-cn/blog/_posts/2017-10-00-Five-Days-Of-Kubernetes-18.md
similarity index 98%
rename from content/zh/blog/_posts/2017-10-00-Five-Days-Of-Kubernetes-18.md
rename to content/zh-cn/blog/_posts/2017-10-00-Five-Days-Of-Kubernetes-18.md
index 64ff3b1b62ba6..6418a161f4714 100644
--- a/content/zh/blog/_posts/2017-10-00-Five-Days-Of-Kubernetes-18.md
+++ b/content/zh-cn/blog/_posts/2017-10-00-Five-Days-Of-Kubernetes-18.md
@@ -3,14 +3,11 @@ title: " Kubernetes 1.8 的五天 "
 date: 2017-10-24
 slug: five-days-of-kubernetes-18
 ---
-
 <!--
----
 title: " Five Days of Kubernetes 1.8 "
 date: 2017-10-24
 slug: five-days-of-kubernetes-18
-url: /zh/blog/2017/10/Five-Days-Of-Kubernetes-18
----
+url: /blog/2017/10/Five-Days-Of-Kubernetes-18
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2017-10-00-Kubernetes-Community-Steering-Committee-Election-Results.md b/content/zh-cn/blog/_posts/2017-10-00-Kubernetes-Community-Steering-Committee-Election-Results.md
similarity index 96%
rename from content/zh/blog/_posts/2017-10-00-Kubernetes-Community-Steering-Committee-Election-Results.md
rename to content/zh-cn/blog/_posts/2017-10-00-Kubernetes-Community-Steering-Committee-Election-Results.md
index 971f775d32e52..6fb9a7ad247aa 100644
--- a/content/zh/blog/_posts/2017-10-00-Kubernetes-Community-Steering-Committee-Election-Results.md
+++ b/content/zh-cn/blog/_posts/2017-10-00-Kubernetes-Community-Steering-Committee-Election-Results.md
@@ -2,16 +2,14 @@
 title: " Kubernetes 社区指导委员会选举结果 "
 date: 2017-10-05
 slug: kubernetes-community-steering-committee-election-results
-url: /zh/blog/2017/10/Kubernetes-Community-Steering-Committee-Election-Results
 ---
 <!--
----
 title: " Kubernetes Community Steering Committee Election Results "
 date: 2017-10-05
 slug: kubernetes-community-steering-committee-election-results
-url: /zh/blog/2017/10/Kubernetes-Community-Steering-Committee-Election-Results
----
+url: /blog/2017/10/Kubernetes-Community-Steering-Committee-Election-Results
 -->
+
 <!--
 Beginning with the announcement of Kubernetes 1.0 at OSCON in 2015, there has been a concerted effort to share the power and burden of leadership across the Kubernetes community.  
 -->
diff --git a/content/zh/blog/_posts/2017-11-00-Autoscaling-In-Kubernetes.md b/content/zh-cn/blog/_posts/2017-11-00-Autoscaling-In-Kubernetes.md
similarity index 97%
rename from content/zh/blog/_posts/2017-11-00-Autoscaling-In-Kubernetes.md
rename to content/zh-cn/blog/_posts/2017-11-00-Autoscaling-In-Kubernetes.md
index cab6c2b331509..c30f22aa35624 100644
--- a/content/zh/blog/_posts/2017-11-00-Autoscaling-In-Kubernetes.md
+++ b/content/zh-cn/blog/_posts/2017-11-00-Autoscaling-In-Kubernetes.md
@@ -3,14 +3,11 @@ title: " Kubernetes 中自动缩放 "
 date: 2017-11-17
 slug: autoscaling-in-kubernetes
 ---
-
 <!--
----
 title: " Autoscaling in Kubernetes "
 date: 2017-11-17
 slug: autoscaling-in-kubernetes
-url: /zh/blog/2017/11/Autoscaling-In-Kubernetes
----
+url: /blog/2017/11/Autoscaling-In-Kubernetes
 -->
 
 <!--
diff --git a/content/zh/blog/_posts/2018-01-00-Kubernetes-V19-Beta-Windows-Support.md b/content/zh-cn/blog/_posts/2018-01-00-Kubernetes-V19-Beta-Windows-Support.md
similarity index 99%
rename from content/zh/blog/_posts/2018-01-00-Kubernetes-V19-Beta-Windows-Support.md
rename to content/zh-cn/blog/_posts/2018-01-00-Kubernetes-V19-Beta-Windows-Support.md
index d581584659645..dee07c933a2e8 100644
--- a/content/zh/blog/_posts/2018-01-00-Kubernetes-V19-Beta-Windows-Support.md
+++ b/content/zh-cn/blog/_posts/2018-01-00-Kubernetes-V19-Beta-Windows-Support.md
@@ -2,15 +2,12 @@
 title: Kubernetes 1.9 对 Windows Server 容器提供 Beta 版本支持
 date: 2018-01-09
 slug: kubernetes-v19-beta-windows-support
-url: /zh/blog/2018/01/Kubernetes-V19-Beta-Windows-Support
 ---
 <!--
----
 title: Kubernetes v1.9 releases beta support for Windows Server Containers
 date: 2018-01-09
 slug: kubernetes-v19-beta-windows-support
-url: /zh/blog/2018/01/Kubernetes-V19-Beta-Windows-Support
----
+url: /blog/2018/01/Kubernetes-V19-Beta-Windows-Support
 --->
 
 <!--
diff --git a/content/zh/blog/_posts/2018-03-00-Principles-Of-Container-App-Design.md b/content/zh-cn/blog/_posts/2018-03-00-Principles-Of-Container-App-Design.md
similarity index 97%
rename from content/zh/blog/_posts/2018-03-00-Principles-Of-Container-App-Design.md
rename to content/zh-cn/blog/_posts/2018-03-00-Principles-Of-Container-App-Design.md
index 524fdb684c340..8aca089b4a899 100644
--- a/content/zh/blog/_posts/2018-03-00-Principles-Of-Container-App-Design.md
+++ b/content/zh-cn/blog/_posts/2018-03-00-Principles-Of-Container-App-Design.md
@@ -2,15 +2,12 @@
 title: “基于容器的应用程序设计原理”
 date: 2018-03-15
 slug: principles-of-container-app-design
-url: /zh/blog/2018/03/Principles-Of-Container-App-Design
 ---
 <!--
----
 title: "Principles of Container-based Application Design"
 date: 2018-03-15
 slug: principles-of-container-app-design
-url: /zh/blog/2018/03/Principles-Of-Container-App-Design
----
+url: /blog/2018/03/Principles-Of-Container-App-Design
 -->
 
 <!--
@@ -102,11 +99,11 @@ To read more about designing cloud-native applications for Kubernetes, check out
 — [Bilgin Ibryam][4]，首席架构师，Red Hat
 
 <!--
-Twitter: 
  
+Twitter:   
 Blog: [http://www.ofbizian.com][5]  
 Linkedin:
 -->
-推特： 
  
+推特：   
 博客： [http://www.ofbizian.com][5]  
 领英：
 
diff --git a/content/zh/blog/_posts/2018-04-25-open-source-charts-2017.md b/content/zh-cn/blog/_posts/2018-04-25-open-source-charts-2017.md
similarity index 100%
rename from content/zh/blog/_posts/2018-04-25-open-source-charts-2017.md
rename to content/zh-cn/blog/_posts/2018-04-25-open-source-charts-2017.md
diff --git a/content/zh/blog/_posts/2018-05-01-developing-on-kubernetes.md b/content/zh-cn/blog/_posts/2018-05-01-developing-on-kubernetes.md
similarity index 97%
rename from content/zh/blog/_posts/2018-05-01-developing-on-kubernetes.md
rename to content/zh-cn/blog/_posts/2018-05-01-developing-on-kubernetes.md
index 5d31031ec7f10..0e94e5ffbfe71 100644
--- a/content/zh/blog/_posts/2018-05-01-developing-on-kubernetes.md
+++ b/content/zh-cn/blog/_posts/2018-05-01-developing-on-kubernetes.md
@@ -12,20 +12,22 @@ slug: developing-on-kubernetes
 ---
 -->
 
-<!--**Authors**:-->
+<!--
+**Authors**: [Michael Hausenblas](https://twitter.com/mhausenblas) (Red Hat), [Ilya Dmitrichenko](https://twitter.com/errordeveloper) (Weaveworks)
+-->
 **作者**： [Michael Hausenblas](https://twitter.com/mhausenblas) (Red Hat), [Ilya Dmitrichenko](https://twitter.com/errordeveloper) (Weaveworks)
 
 <!-- 
-How do you develop a Kubernetes app? That is, how do you write and test an app that is supposed to run on Kubernetes? This article focuses on the challenges, tools and methods you might want to be aware of to successfully write Kubernetes apps alone or in a team setting. 
+How do you develop a Kubernetes app? That is, how do you write and test an app that is supposed to run on Kubernetes? This article focuses on the challenges, tools and methods you might want to be aware of to successfully write Kubernetes apps alone or in a team setting.
 -->
 
-您将如何开发一个 Kubernates 应用？也就是说，您如何编写并测试一个要在 Kubernates 上运行的应用程序？本文将重点介绍在独自开发或者团队协作中，您可能希望了解到的为了成功编写 Kubernetes 应用程序而需面临的挑战，工具和方法。
+您将如何开发一个 Kubernetes 应用？也就是说，您如何编写并测试一个要在 Kubernetes 上运行的应用程序？本文将重点介绍在独自开发或者团队协作中，您可能希望了解到的为了成功编写 Kubernetes 应用程序而需面临的挑战，工具和方法。
 
 <!--
 We’re assuming you are a developer, you have a favorite programming language, editor/IDE, and a testing framework available. The overarching goal is to introduce minimal changes to your current workflow when developing the app for Kubernetes. For example, if you’re a Node.js developer and are used to a hot-reload setup—that is, on save in your editor the running app gets automagically updated—then dealing with containers and container images, with container registries, Kubernetes deployments, triggers, and more can not only be overwhelming but really take all the fun out if it.
 -->
 
-我们假定您是一位开发人员，有您钟爱的编程语言，编辑器/IDE（集成开发环境），以及可用的测试框架。在针对 Kubernates 开发应用时，最重要的目标是减少对当前工作流程的影响，改变越少越好，尽量做到最小。举个例子，如果您是 Node.js 开发人员，习惯于那种热重载的环境 - 也就是说您在编辑器里一做保存，正在运行的程序就会自动更新 - 那么跟容器、容器镜像或者镜像仓库打交道，又或是跟 Kubernetes 部署、triggers 以及更多头疼东西打交道，不仅会让人难以招架也真的会让开发过程完全失去乐趣。
+我们假定您是一位开发人员，有您钟爱的编程语言，编辑器/IDE（集成开发环境），以及可用的测试框架。在针对 Kubernetes 开发应用时，最重要的目标是减少对当前工作流程的影响，改变越少越好，尽量做到最小。举个例子，如果您是 Node.js 开发人员，习惯于那种热重载的环境 - 也就是说您在编辑器里一做保存，正在运行的程序就会自动更新 - 那么跟容器、容器镜像或者镜像仓库打交道，又或是跟 Kubernetes 部署、triggers 以及更多头疼东西打交道，不仅会让人难以招架也真的会让开发过程完全失去乐趣。
 
 <!--
 In the following, we’ll first discuss the overall development setup, then review tools of the trade, and last but not least do a hands-on walkthrough of three exemplary tools that allow for iterative, local app development against Kubernetes.
@@ -48,10 +50,10 @@ As a developer you want to think about where the Kubernetes cluster you’re dev
 ![Dev Modes](/images/blog/2018-05-01-developing-on-kubernetes/dok-devmodes_preview.png)
 
 <!--
-A number of tools support pure offline development including Minikube, Docker for Mac/Windows, Minishift, and the ones we discuss in detail below. Sometimes, for example, in a microservices setup where certain microservices already run in the cluster, a proxied setup (forwarding traffic into and from the cluster) is preferable and Telepresence is an example tool in this category. The live mode essentially means you’re building and/or deploying against a remote cluster and, finally, the pure online mode means both your development environment and the cluster are remote, as this is the case with, for example, [Eclipse Che](https://www.eclipse.org/che/docs/kubernetes-single-user.html) or [Cloud 9](https://github.com/errordeveloper/k9c). Let’s now have a closer look at the basics of offline development: running Kubernetes locally.
+A number of tools support pure offline development including Minikube, Docker for Mac/Windows, Minishift, and the ones we discuss in detail below. Sometimes, for example, in a microservices setup where certain microservices already run in the cluster, a proxied setup (forwarding traffic into and from the cluster) is preferable and Telepresence is an example tool in this category. The live mode essentially means you’re building and/or deploying against a remote cluster and, finally, the pure online mode means both your development environment and the cluster are remote, as this is the case with, for example, [Eclipse Che](https://www.eclipse.org/che/docs/che-7/introduction-to-eclipse-che/) or [Cloud 9](https://github.com/errordeveloper/k9c). Let’s now have a closer look at the basics of offline development: running Kubernetes locally.
 -->
 
-许多工具支持纯 offline 开发，包括 Minikube、Docker（Mac 版/Windows 版）、Minishift 以及下文中我们将详细讨论的几种。有时，比如说在一个微服务系统中，已经有若干微服务在运行，proxied 模式（通过转发把数据流传进传出集群）就非常合适，Telepresence 就是此类工具的一个实例。live 模式，本质上是您基于一个远程集群进行构建和部署。最后，纯 online 模式意味着您的开发环境和运行集群都是远程的，典型的例子是 [Eclipse Che](https://www.eclipse.org/che/docs/kubernetes-single-user.html) 或者 [Cloud 9](https://github.com/errordeveloper/k9c)。现在让我们仔细看看离线开发的基础：在本地运行 Kubernetes。
+许多工具支持纯 offline 开发，包括 Minikube、Docker（Mac 版/Windows 版）、Minishift 以及下文中我们将详细讨论的几种。有时，比如说在一个微服务系统中，已经有若干微服务在运行，proxied 模式（通过转发把数据流传进传出集群）就非常合适，Telepresence 就是此类工具的一个实例。live 模式，本质上是您基于一个远程集群进行构建和部署。最后，纯 online 模式意味着您的开发环境和运行集群都是远程的，典型的例子是 [Eclipse Che](https://www.eclipse.org/che/docs/che-7/introduction-to-eclipse-che/) 或者 [Cloud 9](https://github.com/errordeveloper/k9c)。现在让我们仔细看看离线开发的基础：在本地运行 Kubernetes。
 
 <!--
 [Minikube](/docs/getting-started-guides/minikube/) is a popular choice for those who prefer to run Kubernetes in a local VM. More recently Docker for [Mac](https://docs.docker.com/docker-for-mac/kubernetes/) and [Windows](https://docs.docker.com/docker-for-windows/kubernetes/) started shipping Kubernetes as an experimental package (in the “edge” channel). Some reasons why you may want to prefer using Minikube over the Docker desktop option are:
@@ -157,7 +159,7 @@ Implications:
 * Deploying to production is up to the user, Draft authors recommend their other project – Brigade
 * Can be used instead of Skaffold, and along the side of Squash
 -->
-* 它允许开发人员使用本地或者远程的 Kubernates 集群
+* 它允许开发人员使用本地或者远程的 Kubernetes 集群
 * 如何部署到生产环境取决于用户， Draft 的作者推荐了他们的另一个项目 - Brigade
 * 可以代替 Skaffold， 并且可以和 Squash 一起使用
 
@@ -255,7 +257,7 @@ More info:
 更多信息：
 
 * [Squash: A Debugger for Kubernetes Apps](https://www.youtube.com/watch?v=5TrV3qzXlgI)
-* [Getting Started Guide](https://github.com/solo-io/squash/blob/master/docs/getting-started.md)
+* [Getting Started Guide](https://squash.solo.io/overview/)
 
 ### Telepresence
 
@@ -397,10 +399,10 @@ Note that for the target Kubernetes cluster we’ve been using Minikube locally,
 请注意，我们一直使用 Minikube 的本地 Kubernetes 集群，但是您也可以使用 ksync 和 Skaffold 的远程集群跟随练习。
 
 <!--
-### Walkthrough: ksync
+## Walkthrough: ksync
 -->
 
-### 实践演练：ksync
+## 实践演练：ksync
 
 <!--
 As a preparation, install [ksync](https://vapor-ware.github.io/ksync/#installation) and then carry out the following steps to prepare the development setup:
@@ -502,11 +504,11 @@ $ kubectl -n=dok apply -f stock-gen/app.yaml
 $ kubectl -n=dok apply -f stock-con/app.yaml
 ```
 <!--
-Once both deployments are created and the pods are running, we forward the `stock-con` service for local consumption (in a separate terminal session):
+Once both deployments are created and the pods are running, we forward the `stock-con` service for local consumption (in a separate terminal session) and check the response of the `healthz` endpoint:
 -->
 
 
-一旦两个部署建好并且 pod 开始运行，我们转发 `stock-con` 服务以供本地读取（另开一个终端窗口）：
+一旦两个部署建好并且 pod 开始运行，我们转发 `stock-con` 服务以供本地读取（另开一个终端窗口）并检查 `healthz` 端点的响应：
 
 ```
 $ kubectl get -n dok po --selector=app=stock-con  \
diff --git a/content/zh/blog/_posts/2018-05-30-say-hello-to-discuss-kubernetes.md b/content/zh-cn/blog/_posts/2018-05-30-say-hello-to-discuss-kubernetes.md
similarity index 97%
rename from content/zh/blog/_posts/2018-05-30-say-hello-to-discuss-kubernetes.md
rename to content/zh-cn/blog/_posts/2018-05-30-say-hello-to-discuss-kubernetes.md
index eb1aba85d2b46..2003493013199 100644
--- a/content/zh/blog/_posts/2018-05-30-say-hello-to-discuss-kubernetes.md
+++ b/content/zh-cn/blog/_posts/2018-05-30-say-hello-to-discuss-kubernetes.md
@@ -1,17 +1,13 @@
 ---
-title: 'Kubernetes 1 11：向 discuss kubernetes 问好'
 layout: blog
+title: 向 Discuss Kubernetes 问好
 date: 2018-05-30
+slug: say-hello-to-discuss-kubernetes
 ---
-
 <!--
----
-title: ' Kubernetes 1 11：say-hello-to-discuss-kubernetes '
-cn-approvers:
-- congfairy
 layout: blog
+title: Say Hello to Discuss Kubernetes
 date: 2018-05-30
----
 -->
 
 <!--   
diff --git a/content/zh-cn/blog/_posts/2018-06-06-4-years-of-k8s.md b/content/zh-cn/blog/_posts/2018-06-06-4-years-of-k8s.md
new file mode 100644
index 0000000000000..ef963994967a6
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2018-06-06-4-years-of-k8s.md
@@ -0,0 +1,56 @@
+---
+title: Kubernetes 这四年
+layout: blog
+date: 2018-06-06
+slug: 4-years-of-k8s
+---
+<!-- 
+layout: blog
+title: 4 Years of K8s
+date: 2018-06-06
+-->
+
+<!--
+**Author**: Joe Beda (CTO and Founder, Heptio)
+
+On June 6, 2014 I checked in the [first commit](https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56) of what would become the public repository for Kubernetes. Many would assume that is where the story starts. It is the beginning of history, right? But that really doesn’t tell the whole story.
+-->
+**作者**：Joe Beda（Heptio 首席技术官兼创始人）
+
+2014 年 6 月 6 日，我检查了 Kubernetes 公共代码库的[第一次 commit](https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56) 。许多人会认为这是故事开始的地方。这难道不是一切开始的地方吗？但这的确不能把整个过程说清楚。
+
+![k8s_first_commit](/images/blog/2018-06-06-4-years-of-k8s/k8s-first-commit.png)
+ 
+<!--
+The cast leading up to that commit was large and the success for Kubernetes since then is owed to an ever larger cast.
+
+Kubernetes was built on ideas that had been proven out at Google over the previous ten years with Borg. And Borg, itself, owed its existence to even earlier efforts at Google and beyond.
+
+Concretely, Kubernetes started as some prototypes from Brendan Burns combined with ongoing work from me and Craig McLuckie to better align the internal Google experience with the Google Cloud experience. Brendan, Craig, and I really wanted people to use this, so we made the case to build out this prototype as an open source project that would bring the best ideas from Borg out into the open.
+
+After we got the nod, it was time to actually build the system.  We took Brendan’s prototype (in Java), rewrote it in Go, and built just enough to get the core ideas across.  By this time the team had grown to include Ville Aikas, Tim Hockin, Brian Grant, Dawn Chen and Daniel Smith.  Once we had something working, someone had to sign up to clean things up to get it ready for public launch.  That ended up being me. Not knowing the significance at the time, I created a new repo, moved things over, and checked it in.  So while I have the first public commit to the repo, there was work underway well before that.
+
+The version of Kubernetes at that point was really just a shadow of what it was to become.  The core concepts were there but it was very raw.  For example, Pods were called Tasks.  That was changed a day before we went public.  All of this led up to the public announcement of Kubernetes on June 10th, 2014 in a keynote from Eric Brewer at the first DockerCon.  You can watch that video here:
+-->
+
+第一次 commit 涉及的人员众多，自那以后 Kubernetes 的成功归功于更大的开发者阵容。
+
+Kubernetes 建立在过去十年曾经在 Google 的 Borg 集群管理系统中验证过的思路之上。而 Borg 本身也是 Google 和其他公司早期努力的结果。
+
+具体而言，Kubernetes 最初是从 Brendan Burns 的一些原型开始，结合我和 Craig McLuckie 正在进行的工作，以更好地将 Google 内部实践与 Google Cloud 的经验相结合。 Brendan，Craig 和我真的希望人们使用它，所以我们建议将这个原型构建为一个开源项目，将 Borg 的最佳创意带给大家。
+
+在我们所有人同意后，就开始着手构建这个系统了。我们采用了 Brendan 的原型（Java 语言），用 Go 语言重写了它，并且以上述核心思想去构建该系统。到这个时候，团队已经成长为包括 Ville Aikas，Tim Hockin，Brian Grant，Dawn Chen 和 Daniel Smith。一旦我们有了一些工作需求，有人必须承担一些脱敏的工作，以便为公开发布做好准备。这个角色最终由我承担。当时，我不知道这件事情的重要性，我创建了一个新的仓库，把代码搬过来，然后进行了检查。所以在我第一次提交 public commit 之前，就有工作已经启动了。
+
+那时 Kubernetes 的版本只是现在版本的简单雏形。核心概念已经有了，但非常原始。例如，Pods 被称为 Tasks，这在我们推广前一天就被替换。2014年6月10日 Eric Brewe 在第一届 DockerCon 上的演讲中正式发布了 Kubernetes。你可以在此处观看该视频：
+
+<center><iframe width="560" height="315" src="https://www.youtube.com/embed/YrxnVKZeqK8" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe></center>  
+
+<!--
+But, however raw, that modest start was enough to pique the interest of a community that started strong and has only gotten stronger.  Over the past four years Kubernetes has exceeded the expectations of all of us that were there early on. We owe the Kubernetes community a huge debt.  The success the project has seen is based not just on code and technology but also the way that an amazing group of people have come together to create something special.  The best expression of this is the [set of Kubernetes values](https://git.k8s.io/community/values.md) that Sarah Novotny helped curate.
+
+Here is to another 4 years and beyond! 🎉🎉🎉
+-->
+
+但是，无论多么原始，这小小的一步足以激起一个开始强大而且变得更强大的社区的兴趣。在过去的四年里，Kubernetes 已经超出了我们所有人的期望。我们对 Kubernetes 社区的所有人员表示感谢。该项目所取得的成功不仅基于代码和技术，还基于一群出色的人聚集在一起所做的有意义的事情。Sarah Novotny 策划的一套 [Kubernetes 价值观](https://github.com/kubernetes/steering/blob/master/values.md)是以上最好的表现形式。
+
+让我们一起期待下一个 4 年！🎉🎉🎉
diff --git a/content/zh/blog/_posts/2018-06-07-dynamic-ingress-kubernetes.md b/content/zh-cn/blog/_posts/2018-06-07-dynamic-ingress-kubernetes.md
similarity index 98%
rename from content/zh/blog/_posts/2018-06-07-dynamic-ingress-kubernetes.md
rename to content/zh-cn/blog/_posts/2018-06-07-dynamic-ingress-kubernetes.md
index bb8d7d848c1fd..02f8851c7341e 100644
--- a/content/zh/blog/_posts/2018-06-07-dynamic-ingress-kubernetes.md
+++ b/content/zh-cn/blog/_posts/2018-06-07-dynamic-ingress-kubernetes.md
@@ -1,16 +1,16 @@
 ---
-title: 'Kubernetes 内的动态 Ingress'
+title: 'Kubernetes 的动态 Ingress'
+date: 2018-06-07
 layout: blog
+Author: Richard Li (Datawire)
+slug: dynamic-ingress-in-kubernetes
 ---
-
 <!--
 title: Dynamic Ingress in Kubernetes
 date:  2018-06-07
 Author: Richard Li (Datawire)
 -->
 
-作者: Richard Li (Datawire)
-
 <!--
 Kubernetes makes it easy to deploy applications that consist of many microservices, but one of the key challenges with this type of architecture is dynamically routing ingress traffic to each of these services.  One approach is Ambassador, a Kubernetes-native open source API Gateway built on the Envoy Proxy. Ambassador is designed for dynamic environment where services may come and go frequently.
 Ambassador is configured using Kubernetes annotations. Annotations are used to configure specific mappings from a given Kubernetes service to a particular URL. A mapping can include a number of annotations for configuring a route. Examples include rate limiting, protocol, cross-origin request sharing, traffic shadowing, and routing rules.
diff --git a/content/zh-cn/blog/_posts/2018-06-28-Airflow-Kubernetes-Operator.md b/content/zh-cn/blog/_posts/2018-06-28-Airflow-Kubernetes-Operator.md
new file mode 100644
index 0000000000000..22e67d30e7c91
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2018-06-28-Airflow-Kubernetes-Operator.md
@@ -0,0 +1,380 @@
+---
+layout: blog
+date:   2018-06-28
+title: 'Airflow 在 Kubernetes 中的使用（第一部分）：一种不同的操作器'
+slug: airflow-on-kubernetes-part-1-a-different-kind-of-operator
+---
+<!-- 
+layout: blog
+title:  'Airflow on Kubernetes (Part 1): A Different Kind of Operator'
+date:   2018-06-28
+-->
+
+<!--
+Author: Daniel Imberman (Bloomberg LP)
+-->
+作者: Daniel Imberman (Bloomberg LP)
+
+<!--
+## Introduction
+
+As part of Bloomberg's [continued commitment to developing the Kubernetes ecosystem](https://www.techatbloomberg.com/blog/bloomberg-awarded-first-cncf-end-user-award-contributions-kubernetes/), we are excited to announce the Kubernetes Airflow Operator; a mechanism for [Apache Airflow](https://airflow.apache.org/), a popular workflow orchestration framework to natively launch arbitrary Kubernetes Pods using the Kubernetes API.
+-->
+## 介绍
+
+作为 Bloomberg [持续致力于开发 Kubernetes 生态系统](https://www.techatbloomberg.com/blog/bloomberg-awarded-first-cncf-end-user-award-contributions-kubernetes/)的一部分，
+我们很高兴能够宣布 Kubernetes Airflow Operator 的发布;
+[Apache Airflow](https://airflow.apache.org/)的一种机制，一种流行的工作流程编排框架，
+使用 Kubernetes API 可以在本机启动任意的 Kubernetes Pod。
+
+<!--
+## What Is Airflow?
+
+Apache Airflow is one realization of the DevOps philosophy of "Configuration As Code." Airflow allows users to launch multi-step pipelines using a simple Python object DAG (Directed Acyclic Graph). You can define dependencies, programmatically construct complex workflows, and monitor scheduled jobs in an easy to read UI.
+-->
+## 什么是 Airflow?
+
+Apache Airflow 是“配置即代码”的 DevOps 理念的一种实现。
+Airflow 允许用户使用简单的 Python 对象 DAG（有向无环图）启动多步骤流水线。
+你可以在易于阅读的 UI 中定义依赖关系，以编程方式构建复杂的工作流，并监视调度的作业。
+
+<img src="/images/blog/2018-05-25-Airflow-Kubernetes-Operator/2018-05-25-airflow_dags.png" width="85%" alt="Airflow DAGs" />
+<img src="/images/blog/2018-05-25-Airflow-Kubernetes-Operator/2018-05-25-airflow.png" width="85%" alt="Airflow UI" />
+
+<!--
+## Why Airflow on Kubernetes?
+
+Since its inception, Airflow's greatest strength has been its flexibility. Airflow offers a wide range of integrations for services ranging from Spark and HBase, to services on various cloud providers. Airflow also offers easy extensibility through its plug-in framework. However, one limitation of the project is that Airflow users are confined to the frameworks and clients that exist on the Airflow worker at the moment of execution. A single organization can have varied Airflow workflows ranging from data science pipelines to application deployments. This difference in use-case creates issues in dependency management as both teams might use vastly different libraries for their workflows.
+
+To address this issue, we've utilized Kubernetes to allow users to launch arbitrary Kubernetes pods and configurations. Airflow users can now have full power over their run-time environments, resources, and secrets, basically turning Airflow into an "any job you want" workflow orchestrator.
+-->
+## 为什么在 Kubernetes 上使用 Airflow？
+
+自成立以来，Airflow 的最大优势在于其灵活性。
+Airflow 提供广泛的服务集成，包括Spark和HBase，以及各种云提供商的服务。
+Airflow 还通过其插件框架提供轻松的可扩展性。
+但是，该项目的一个限制是 Airflow 用户仅限于执行时 Airflow 站点上存在的框架和客户端。
+单个组织可以拥有各种 Airflow 工作流程，范围从数据科学流到应用程序部署。
+用例中的这种差异会在依赖关系管理中产生问题，因为两个团队可能会在其工作流程使用截然不同的库。
+
+为了解决这个问题，我们使 Kubernetes 允许用户启动任意 Kubernetes Pod 和配置。
+Airflow 用户现在可以在其运行时环境，资源和机密上拥有全部权限，基本上将 Airflow 转变为“你想要的任何工作”工作流程协调器。
+
+<!--
+## The Kubernetes Operator
+
+Before we move any further, we should clarify that an Operator in Airflow is a task definition. When a user creates a DAG, they would use an operator like the "SparkSubmitOperator" or the "PythonOperator" to submit/monitor a Spark job or a Python function respectively. Airflow comes with built-in operators for frameworks like Apache Spark, BigQuery, Hive, and EMR. It also offers a Plugins entrypoint that allows DevOps engineers to develop their own connectors.
+
+Airflow users are always looking for ways to make deployments and ETL pipelines simpler to manage. Any opportunity to decouple pipeline steps, while increasing monitoring, can reduce future outages and fire-fights. The following is a list of benefits provided by the Airflow Kubernetes Operator:
+-->
+## Kubernetes Operator
+
+在进一步讨论之前，我们应该澄清 Airflow 中的 [Operator](https://airflow.apache.org/concepts.html#operators) 是一个任务定义。
+当用户创建 DAG 时，他们将使用像 “SparkSubmitOperator” 或 “PythonOperator” 这样的 Operator 分别提交/监视 Spark 作业或 Python 函数。
+Airflow 附带了 Apache Spark，BigQuery，Hive 和 EMR 等框架的内置运算符。
+它还提供了一个插件入口点，允许DevOps工程师开发自己的连接器。
+
+Airflow 用户一直在寻找更易于管理部署和 ETL 流的方法。
+在增加监控的同时，任何解耦流程的机会都可以减少未来的停机等问题。
+以下是 Airflow Kubernetes Operator 提供的好处：
+
+<!--
+ * **Increased flexibility for deployments:**  
+Airflow's plugin API has always offered a significant boon to engineers wishing to test new functionalities within their DAGs. On the downside, whenever a developer wanted to create a new operator, they had to develop an entirely new plugin. Now, any task that can be run within a Docker container is accessible through the exact same operator, with no extra Airflow code to maintain.
+-->
+ * **提高部署灵活性：**
+Airflow 的插件 API一直为希望在其 DAG 中测试新功能的工程师提供了重要的福利。
+不利的一面是，每当开发人员想要创建一个新的 Operator 时，他们就必须开发一个全新的插件。
+现在，任何可以在 Docker 容器中运行的任务都可以通过完全相同的运算符访问，而无需维护额外的 Airflow 代码。
+
+<!--
+ * **Flexibility of configurations and dependencies:**
+For operators that are run within static Airflow workers, dependency management can become quite difficult. If a developer wants to run one task that requires [SciPy](https://www.scipy.org) and another that requires [NumPy](http://www.numpy.org), the developer would have to either maintain both dependencies within all Airflow workers or offload the task to an external machine (which can cause bugs if that external machine changes in an untracked manner). Custom Docker images allow users to ensure that the tasks environment, configuration, and dependencies are completely idempotent.  
+-->
+ * **配置和依赖的灵活性：**
+
+对于在静态 Airflow 工作程序中运行的 Operator，依赖关系管理可能变得非常困难。
+如果开发人员想要运行一个需要 [SciPy](https://www.scipy.org) 的任务和另一个需要 [NumPy](http://www.numpy.org) 的任务，
+开发人员必须维护所有 Airflow 节点中的依赖关系或将任务卸载到其他计算机（如果外部计算机以未跟踪的方式更改，则可能导致错误）。
+自定义 Docker 镜像允许用户确保任务环境，配置和依赖关系完全是幂等的。
+
+<!--
+ * **Usage of kubernetes secrets for added security:**
+Handling sensitive data is a core responsibility of any DevOps engineer. At every opportunity, Airflow users want to isolate any API keys, database passwords, and login credentials on a strict need-to-know basis. With the Kubernetes operator, users can utilize the Kubernetes Vault technology to store all sensitive data. This means that the Airflow workers will never have access to this information, and can simply request that pods be built with only the secrets they need.
+-->
+ * **使用kubernetes Secret以增加安全性：**
+处理敏感数据是任何开发工程师的核心职责。Airflow 用户总有机会在严格条款的基础上隔离任何API密钥，数据库密码和登录凭据。
+使用 Kubernetes 运算符，用户可以利用 Kubernetes Vault 技术存储所有敏感数据。
+这意味着 Airflow 工作人员将永远无法访问此信息，并且可以容易地请求仅使用他们需要的密码信息构建 Pod。
+
+<!--
+# Architecture
+
+The Kubernetes Operator uses the [Kubernetes Python Client](https://github.com/kubernetes-client/Python) to generate a request that is processed by the APIServer (1). Kubernetes will then launch your pod with whatever specs you've defined (2). Images will be loaded with all the necessary environment variables, secrets and dependencies, enacting a single command. Once the job is launched, the operator only needs to monitor the health of track logs (3). Users will have the choice of gathering logs locally to the scheduler or to any distributed logging service currently in their Kubernetes cluster.
+-->
+# 架构
+
+<img src="/images/blog/2018-05-25-Airflow-Kubernetes-Operator/2018-05-25-airflow-architecture.png" width="85%" alt="Airflow Architecture" />
+
+Kubernetes Operator 使用 [Kubernetes Python客户端](https://github.com/kubernetes-client/Python)生成由 APIServer 处理的请求（1）。
+然后，Kubernetes将使用你定义的需求启动你的 Pod（2）。
+镜像文件中将加载环境变量，Secret 和依赖项，执行单个命令。
+一旦启动作业，Operator 只需要监视跟踪日志的状况（3）。
+用户可以选择将日志本地收集到调度程序或当前位于其 Kubernetes 集群中的任何分布式日志记录服务。
+
+<!--
+# Using the Kubernetes Operator
+
+## A Basic Example
+
+The following DAG is probably the simplest example we could write to show how the Kubernetes Operator works. This DAG creates two pods on Kubernetes: a Linux distro with Python and a base Ubuntu distro without it. The Python pod will run the Python request correctly, while the one without Python will report a failure to the user. If the Operator is working correctly, the `passing-task` pod should complete, while the `failing-task` pod returns a failure to the Airflow webserver.
+-->
+# 使用 Kubernetes Operator
+## 一个基本的例子
+
+以下 DAG 可能是我们可以编写的最简单的示例，以显示 Kubernetes Operator 的工作原理。
+这个 DAG 在 Kubernetes 上创建了两个 Pod：一个带有 Python 的 Linux 发行版和一个没有它的基本 Ubuntu 发行版。
+Python Pod 将正确运行 Python 请求，而没有 Python 的那个将向用户报告失败。
+如果 Operator 正常工作，则应该完成 “passing-task” Pod，而“ falling-task” Pod 则向 Airflow 网络服务器返回失败。
+
+```Python
+from airflow import DAG
+from datetime import datetime, timedelta
+from airflow.contrib.operators.kubernetes_pod_operator import KubernetesPodOperator
+from airflow.operators.dummy_operator import DummyOperator
+
+
+default_args = {
+    'owner': 'airflow',
+    'depends_on_past': False,
+    'start_date': datetime.utcnow(),
+    'email': ['airflow@example.com'],
+    'email_on_failure': False,
+    'email_on_retry': False,
+    'retries': 1,
+    'retry_delay': timedelta(minutes=5)
+}
+
+dag = DAG(
+    'kubernetes_sample', default_args=default_args, schedule_interval=timedelta(minutes=10))
+
+
+start = DummyOperator(task_id='run_this_first', dag=dag)
+
+passing = KubernetesPodOperator(namespace='default',
+                          image="Python:3.6",
+                          cmds=["Python","-c"],
+                          arguments=["print('hello world')"],
+                          labels={"foo": "bar"},
+                          name="passing-test",
+                          task_id="passing-task",
+                          get_logs=True,
+                          dag=dag
+                          )
+
+failing = KubernetesPodOperator(namespace='default',
+                          image="ubuntu:1604",
+                          cmds=["Python","-c"],
+                          arguments=["print('hello world')"],
+                          labels={"foo": "bar"},
+                          name="fail",
+                          task_id="failing-task",
+                          get_logs=True,
+                          dag=dag
+                          )
+
+passing.set_upstream(start)
+failing.set_upstream(start)
+```
+<img src="/images/blog/2018-05-25-Airflow-Kubernetes-Operator/2018-05-25-basic-dag-run.png" width="85%" alt="Basic DAG Run" />
+
+<!--
+## But how does this relate to my workflow?
+
+While this example only uses basic images, the magic of Docker is that this same DAG will work for any image/command pairing you want. The following is a recommended CI/CD pipeline to run production-ready code on an Airflow DAG.
+
+### 1: PR in github
+
+Use Travis or Jenkins to run unit and integration tests, bribe your favorite team-mate into PR'ing your code, and merge to the master branch to trigger an automated CI build.
+
+### 2: CI/CD via Jenkins -> Docker Image
+
+[Generate your Docker images and bump release version within your Jenkins build](https://getintodevops.com/blog/building-your-first-docker-image-with-jenkins-2-guide-for-developers).
+
+### 3: Airflow launches task
+
+Finally, update your DAGs to reflect the new release version and you should be ready to go!
+-->
+## 但这与我的工作流程有什么关系？
+
+虽然这个例子只使用基本映像，但 Docker 的神奇之处在于，这个相同的 DAG 可以用于你想要的任何图像/命令配对。
+以下是推荐的 CI/CD 管道，用于在 Airflow DAG 上运行生产就绪代码。
+
+### 1：github 中的 PR
+
+使用Travis或Jenkins运行单元和集成测试，请你的朋友PR你的代码，并合并到主分支以触发自动CI构建。
+
+### 2：CI/CD 构建 Jenkins - > Docker 镜像
+
+[在 Jenkins 构建中生成 Docker 镜像和更新版本](https://getintodevops.com/blog/building-your-first-Docker-image-with-jenkins-2-guide-for-developers)。
+
+### 3：Airflow 启动任务
+
+最后，更新你的 DAG 以反映新版本，你应该准备好了！
+
+```Python
+production_task = KubernetesPodOperator(namespace='default',
+                          # image="my-production-job:release-1.0.1", <-- old release
+                          image="my-production-job:release-1.0.2",
+                          cmds=["Python","-c"],
+                          arguments=["print('hello world')"],
+                          name="fail",
+                          task_id="failing-task",
+                          get_logs=True,
+                          dag=dag
+                          )
+```
+
+<!--
+# Launching a test deployment
+
+Since the Kubernetes Operator is not yet released, we haven't released an official [helm](https://helm.sh/) chart or operator (however both are currently in progress). However, we are including instructions for a basic deployment below and are actively looking for foolhardy beta testers to try this new feature. To try this system out please follow these steps:
+
+## Step 1: Set your kubeconfig to point to a kubernetes cluster
+
+## Step 2: Clone the Airflow Repo:
+
+Run `git clone https://github.com/apache/incubator-airflow.git` to clone the official Airflow repo.
+
+## Step 3: Run
+
+To run this basic deployment, we are co-opting the integration testing script that we currently use for the Kubernetes Executor (which will be explained in the next article of this series). To launch this deployment, run these three commands:
+-->
+# 启动测试部署
+
+由于 Kubernetes Operator 尚未发布，我们尚未发布官方
+[helm](https://helm.sh/) 图表或 Operator（但两者目前都在进行中）。
+但是，我们在下面列出了基本部署的说明，并且正在积极寻找测试人员来尝试这一新功能。
+要试用此系统，请按以下步骤操作：
+
+## 步骤1：将 kubeconfig 设置为指向 kubernetes 集群
+
+## 步骤2：克隆 Airflow 仓库：
+
+运行 `git clone https://github.com/apache/incubator-airflow.git` 来克隆官方 Airflow 仓库。
+
+## 步骤3：运行
+
+为了运行这个基本 Deployment，我们正在选择我们目前用于 Kubernetes Executor 的集成测试脚本（将在本系列的下一篇文章中对此进行解释）。
+要启动此部署，请运行以下三个命令：
+
+```
+sed -ie "s/KubernetesExecutor/LocalExecutor/g" scripts/ci/kubernetes/kube/configmaps.yaml
+./scripts/ci/kubernetes/Docker/build.sh
+./scripts/ci/kubernetes/kube/deploy.sh
+```
+
+<!--
+Before we move on, let's discuss what these commands are doing:
+
+### sed -ie "s/KubernetesExecutor/LocalExecutor/g" scripts/ci/kubernetes/kube/configmaps.yaml
+
+The Kubernetes Executor is another Airflow feature that allows for dynamic allocation of tasks as idempotent pods. The reason we are switching this to the LocalExecutor is simply to introduce one feature at a time. You are more then welcome to skip this step if you would like to try the Kubernetes Executor, however we will go into more detail in a future article.
+
+### ./scripts/ci/kubernetes/Docker/build.sh
+
+This script will tar the Airflow master source code build a Docker container based on the Airflow distribution
+
+### ./scripts/ci/kubernetes/kube/deploy.sh
+
+Finally, we create a full Airflow deployment on your cluster. This includes Airflow configs, a postgres backend, the webserver + scheduler, and all necessary services between. One thing to note is that the role binding supplied is a cluster-admin, so if you do not have that level of permission on the cluster, you can modify this at scripts/ci/kubernetes/kube/airflow.yaml
+
+## Step 4: Log into your webserver
+
+Now that your Airflow instance is running let's take a look at the UI! The UI lives in port 8080 of the Airflow pod, so simply run
+-->
+在我们继续之前，让我们讨论这些命令正在做什么：
+
+### sed -ie "s/KubernetesExecutor/LocalExecutor/g" scripts/ci/kubernetes/kube/configmaps.yaml
+
+Kubernetes Executor 是另一种 Airflow 功能，允许动态分配任务已解决幂等 Pod 的问题。
+我们将其切换到 LocalExecutor 的原因只是一次引入一个功能。
+如果你想尝试 Kubernetes Executor，欢迎你跳过此步骤，但我们将在以后的文章中详细介绍。
+
+### ./scripts/ci/kubernetes/Docker/build.sh
+
+此脚本将对Airflow主分支代码进行打包，以根据Airflow的发行文件构建Docker容器
+
+### ./scripts/ci/kubernetes/kube/deploy.sh
+
+最后，我们在你的集群上创建完整的Airflow部署。这包括 Airflow 配置，postgres 后端，web 服务器和调度程序以及之间的所有必要服务。
+需要注意的一点是，提供的角色绑定是集群管理员，因此如果你没有该集群的权限级别，可以在 scripts/ci/kubernetes/kube/airflow.yaml 中进行修改。
+
+## 步骤4：登录你的网络服务器
+
+现在你的 Airflow 实例正在运行，让我们来看看 UI！
+用户界面位于 Airflow Pod的 8080 端口，因此只需运行即可：
+
+```
+WEB=$(kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | grep "airflow" | head -1)
+kubectl port-forward $WEB 8080:8080
+```
+
+<!--
+ Now the Airflow UI will exist on http://localhost:8080. To log in simply enter `airflow`/`airflow` and you should have full access to the Airflow web UI.
+
+## Step 5: Upload a test document
+
+To modify/add your own DAGs, you can use `kubectl cp` to upload local files into the DAG folder of the Airflow scheduler. Airflow will then read the new DAG and automatically upload it to its system. The following command will upload any local file into the correct directory:
+-->
+现在，Airflow UI 将存在于 http://localhost:8080上。
+要登录，只需输入`airflow`/`airflow`，你就可以完全访问 Airflow Web UI。
+
+## 步骤5：上传测试文档
+
+要修改/添加自己的 DAG，可以使用 `kubectl cp` 将本地文件上传到 Airflow 调度程序的 DAG 文件夹中。
+然后，Airflow 将读取新的 DAG 并自动将其上传到其系统。以下命令将任何本地文件上载到正确的目录中：
+
+`kubectl cp <local file> <namespace>/<pod>:/root/airflow/dags -c scheduler`
+
+<!--
+## Step 6: Enjoy!
+
+# So when will I be able to use this?
+
+ While this feature is still in the early stages, we hope to see it released for wide release in the next few months.
+
+# Get Involved
+
+This feature is just the beginning of multiple major efforts to improves Apache Airflow integration into Kubernetes. The Kubernetes Operator has been merged into the [1.10 release branch of Airflow](https://github.com/apache/incubator-airflow/tree/v1-10-test) (the executor in experimental mode), along with a fully k8s native scheduler called the Kubernetes Executor (article to come). These features are still in a stage where early adopters/contributers can have a huge influence on the future of these features.
+
+For those interested in joining these efforts, I'd recommend checkint out these steps:
+
+ * Join the airflow-dev mailing list at dev@airflow.apache.org.
+ * File an issue in [Apache Airflow JIRA](https://issues.apache.org/jira/projects/AIRFLOW/issues/)
+ * Join our SIG-BigData meetings on Wednesdays at 10am PST.
+ * Reach us on slack at #sig-big-data on kubernetes.slack.com
+
+Special thanks to the Apache Airflow and Kubernetes communities, particularly Grant Nicholas, Ben Goldberg, Anirudh Ramanathan, Fokko Dreisprong, and Bolke de Bruin, for your awesome help on these features as well as our future efforts.
+-->
+## 步骤6：使用它！
+# 那么我什么时候可以使用它？
+
+虽然此功能仍处于早期阶段，但我们希望在未来几个月内发布该功能以进行广泛发布。
+
+# 参与其中
+
+此功能只是将 Apache Airflow 集成到 Kubernetes 中的多项主要工作的开始。
+Kubernetes Operator 已合并到 [Airflow 的 1.10 发布分支](https://github.com/apache/incubator-airflow/tree/v1-10-test)（实验模式中的执行模块），
+以及完整的 k8s 本地调度程序称为 Kubernetes Executor（即将发布文章）。
+这些功能仍处于早期采用者/贡献者可能对这些功能的未来产生巨大影响的阶段。
+
+对于有兴趣加入这些工作的人，我建议按照以下步骤：
+
+ * 加入 airflow-dev 邮件列表 dev@airflow.apache.org。
+ * 在 [Apache Airflow JIRA](https://issues.apache.org/jira/projects/AIRFLOW/issues/)中提出问题
+ * 周三上午 10点 太平洋标准时间加入我们的 SIG-BigData 会议。
+ * 在 kubernetes.slack.com 上的 #sig-big-data 找到我们。
+
+特别感谢 Apache Airflow 和 Kubernetes 社区，特别是 Grant Nicholas，Ben Goldberg，Anirudh Ramanathan，Fokko Dreisprong 和 Bolke de Bruin，
+感谢你对这些功能的巨大帮助以及我们未来的努力。
diff --git a/content/zh/blog/_posts/2018-07-09-IPVS-In-Cluster-Load-Balancing.md b/content/zh-cn/blog/_posts/2018-07-09-IPVS-In-Cluster-Load-Balancing.md
similarity index 99%
rename from content/zh/blog/_posts/2018-07-09-IPVS-In-Cluster-Load-Balancing.md
rename to content/zh-cn/blog/_posts/2018-07-09-IPVS-In-Cluster-Load-Balancing.md
index 1d6ed8025e3ee..7484f6a372271 100644
--- a/content/zh/blog/_posts/2018-07-09-IPVS-In-Cluster-Load-Balancing.md
+++ b/content/zh-cn/blog/_posts/2018-07-09-IPVS-In-Cluster-Load-Balancing.md
@@ -1,11 +1,14 @@
 ---
-title: 基于IPVS的集群内部负载均衡
-cn-approvers:
-- congfairy
 layout: blog
-title:  'IPVS-Based In-Cluster Load Balancing Deep Dive'
+title: '基于 IPVS 的集群内部负载均衡'
 date:   2018-07-09
+slug: ipvs-based-in-cluster-load-balancing-deep-dive
 ---
+<!-- 
+layout: blog
+title:  'IPVS-Based In-Cluster Load Balancing Deep Dive'
+date:   2018-07-09
+-->
 
 <!--
 
diff --git a/content/zh/blog/_posts/2018-07-10-coredns-ga.md b/content/zh-cn/blog/_posts/2018-07-10-coredns-ga.md
similarity index 99%
rename from content/zh/blog/_posts/2018-07-10-coredns-ga.md
rename to content/zh-cn/blog/_posts/2018-07-10-coredns-ga.md
index 1fc8aa5249fc7..6523284507e20 100644
--- a/content/zh/blog/_posts/2018-07-10-coredns-ga.md
+++ b/content/zh-cn/blog/_posts/2018-07-10-coredns-ga.md
@@ -2,13 +2,12 @@
 layout: blog
 title: "用于 Kubernetes 集群 DNS 的 CoreDNS GA 正式发布"
 date: 2018-07-10
+slug: coredns-ga-for-kubernetes-cluster-dns
 ---
 <!--
----
 layout: blog
 title: "CoreDNS GA for Kubernetes Cluster DNS"
 date: 2018-07-10
----
 --->
 
 <!--
@@ -88,7 +87,7 @@ customized Corefile for you, including all of the configuration for stub domains
 在 CoreDNS 中，您可以类似地修改 CoreDNS [Corefile](https://coredns.io/2017/07/23/corefile-explained/) 的 ConfigMap，以更改服务发现的工作方式。这种 Corefile 配置提供了比 kube-dns 中更多的选项，因为它是 CoreDNS 用于配置所有功能的主要配置文件，即使与 Kubernetes 不相关的功能也可以操作。
 
 使用 `kubeadm` 将 kube-dns 升级到 CoreDNS 时，现有的 ConfigMap 将被用来为您生成自定义的 Corefile，包括存根域、联盟和上游名称服务器的所有配置。更多详细信息，请参见
-[使用 CoreDNS 进行服务发现](/zh/docs/tasks/administer-cluster/coredns/)。
+[使用 CoreDNS 进行服务发现](/zh-cn/docs/tasks/administer-cluster/coredns/)。
 
 <!--
 ## Bug fixes and enhancements
@@ -143,7 +142,7 @@ can do beyond that specification.
 --->
 ## 一些特殊功能
 
-标准的 CoreDNS Kubernetes 配置旨在与以前的 kube-dns 在行为上向后兼容。但是，通过进行一些配置更改，CoreDNS 允许您修改 DNS 服务发现在群集中的工作方式。这些功能中的许多功能仍要符合 [Kubernetes DNS规范](https://github.com/kubernetes/dns/blob/master/docs/specification.md)；它们在增强了功能的同时保持向后兼容。由于 CoreDNS 并非 *仅* 用于 Kubernetes，而是通用的 DNS 服务器，因此您可以做很多超出该规范的事情。
+标准的 CoreDNS Kubernetes 配置旨在与以前的 kube-dns 在行为上向后兼容。但是，通过进行一些配置更改，CoreDNS 允许您修改 DNS 服务发现在集群中的工作方式。这些功能中的许多功能仍要符合 [Kubernetes DNS规范](https://github.com/kubernetes/dns/blob/master/docs/specification.md)；它们在增强了功能的同时保持向后兼容。由于 CoreDNS 并非 *仅* 用于 Kubernetes，而是通用的 DNS 服务器，因此您可以做很多超出该规范的事情。
 
 <!--
 ### Pods verified mode
diff --git a/content/zh/blog/_posts/2018-07-11-dynamic-kubelet-configuration.md b/content/zh-cn/blog/_posts/2018-07-11-dynamic-kubelet-configuration.md
similarity index 98%
rename from content/zh/blog/_posts/2018-07-11-dynamic-kubelet-configuration.md
rename to content/zh-cn/blog/_posts/2018-07-11-dynamic-kubelet-configuration.md
index a7ca464789045..b36f28351ee45 100644
--- a/content/zh/blog/_posts/2018-07-11-dynamic-kubelet-configuration.md
+++ b/content/zh-cn/blog/_posts/2018-07-11-dynamic-kubelet-configuration.md
@@ -2,13 +2,12 @@
 layout: blog
 title: '动态 Kubelet 配置'
 date: 2018-07-11
+slug: dynamic-kubelet-configuration
 ---
 <!--
----
 layout: blog
 title: 'Dynamic Kubelet Configuration'
 date: 2018-07-11
----
 -->
 
 <!--
@@ -59,7 +58,7 @@ Dynamic Kubelet configuration gives cluster administrators and service providers
 <!--
 Kubernetes v1.10 made it possible to configure the Kubelet via a beta [config file](/docs/tasks/administer-cluster/kubelet-config-file/) API. Kubernetes already provides the ConfigMap abstraction for storing arbitrary file data in the API server.
 -->
-Kubernetes v1.10 使得可以通过 Beta 版本的[配置文件](/zh/docs/tasks/administer-cluster/kubelet-config-file/)
+Kubernetes v1.10 使得可以通过 Beta 版本的[配置文件](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/)
 API 配置 kubelet。
 Kubernetes 已经提供了用于在 API 服务器中存储任意文件数据的 ConfigMap 抽象。
 
@@ -93,7 +92,7 @@ Dynamic Kubelet configuration provides the following core features:
 <!--
 To use the dynamic Kubelet configuration feature, a cluster administrator or service provider will first post a ConfigMap containing the desired configuration, then set each Node.Spec.ConfigSource.ConfigMap reference to refer to the new ConfigMap. Operators can update these references at their preferred rate, giving them the ability to perform controlled rollouts of new configurations.
 -->
-要使用动态 Kubelet 配置功能，群集管理员或服务提供商将首先发布包含所需配置的 ConfigMap，
+要使用动态 Kubelet 配置功能，集群管理员或服务提供商将首先发布包含所需配置的 ConfigMap，
 然后设置每个 Node.Spec.ConfigSource.ConfigMap 引用以指向新的 ConfigMap。
 运营商可以以他们喜欢的速率更新这些参考，从而使他们能够执行新配置的受控部署。
 
diff --git a/content/zh/blog/_posts/2018-08-02-dynamically-expand-volume-csi.md b/content/zh-cn/blog/_posts/2018-08-02-dynamically-expand-volume-csi.md
similarity index 98%
rename from content/zh/blog/_posts/2018-08-02-dynamically-expand-volume-csi.md
rename to content/zh-cn/blog/_posts/2018-08-02-dynamically-expand-volume-csi.md
index 755239e9eb9af..51217af127ba9 100644
--- a/content/zh/blog/_posts/2018-08-02-dynamically-expand-volume-csi.md
+++ b/content/zh-cn/blog/_posts/2018-08-02-dynamically-expand-volume-csi.md
@@ -2,14 +2,12 @@
 layout: blog
 title:  '使用 CSI 和 Kubernetes 实现卷的动态扩容'
 date:   2018-08-02
+slug: dynamically-expand-volume-with-csi-and-kubernetes
 ---
-
 <!--
----
 layout: blog
 title:  'Dynamically Expand Volume with CSI and Kubernetes'
 date:   2018-08-02
----
 -->
 
 <!--
@@ -126,7 +124,7 @@ This diagram depicts a kind of high-level Kubernetes archetypes integrated with
 For more details, please visit: https://github.com/container-storage-interface/spec/blob/master/spec.md
 -->
 
-更多详细信息，请访问：https://github.com/container-storage-interface/spec/blob/master/spec.md
+更多详细信息，请访问： https://github.com/container-storage-interface/spec/blob/master/spec.md
 
 <!--
 ## Extend CSI and Kubernetes
diff --git a/content/zh/blog/_posts/2018-08-29-kubernetes-testing-ci-automating-contributor-experience.md b/content/zh-cn/blog/_posts/2018-08-29-kubernetes-testing-ci-automating-contributor-experience.md
similarity index 99%
rename from content/zh/blog/_posts/2018-08-29-kubernetes-testing-ci-automating-contributor-experience.md
rename to content/zh-cn/blog/_posts/2018-08-29-kubernetes-testing-ci-automating-contributor-experience.md
index 492c6917eb1da..e7384b78b2992 100644
--- a/content/zh/blog/_posts/2018-08-29-kubernetes-testing-ci-automating-contributor-experience.md
+++ b/content/zh-cn/blog/_posts/2018-08-29-kubernetes-testing-ci-automating-contributor-experience.md
@@ -1,16 +1,15 @@
-<!--
 ---
 layout: blog
+title: '机器可以完成这项工作，一个关于 kubernetes 测试、CI 和自动化贡献者体验的故事'
+date: 2019-08-29
+slug: the-machines-can-do-the-work-a-story-of-kubernetes-testing-ci-and-automating-the-contributor-experience
+---
+<!--
+layout: blog
 title:  'The Machines Can Do the Work, a Story of Kubernetes Testing, CI, and Automating the Contributor Experience'
 date:   2018-08-29
----
 -->
 
----
-layout: blog
-title: '机器可以完成这项工作，一个关于 kubernetes 测试、CI 和自动化贡献者体验的故事'
-date: 2019-08-29
----
 
 <!--
 **Author**: Aaron Crickenberger (Google) and Benjamin Elder (Google)
diff --git a/content/zh/blog/_posts/2018-10-01-health-checking-grpc.md b/content/zh-cn/blog/_posts/2018-10-01-health-checking-grpc.md
similarity index 98%
rename from content/zh/blog/_posts/2018-10-01-health-checking-grpc.md
rename to content/zh-cn/blog/_posts/2018-10-01-health-checking-grpc.md
index 98cf437a2bb6f..0b98ea5baf8f0 100644
--- a/content/zh/blog/_posts/2018-10-01-health-checking-grpc.md
+++ b/content/zh-cn/blog/_posts/2018-10-01-health-checking-grpc.md
@@ -2,13 +2,12 @@
 layout: blog
 title:  '在 Kubernetes 上对 gRPC 服务器进行健康检查'
 date: 2018-10-01
+slug: health-checking-grpc-servers-on-kubernetes
 ---
 <!--
----
 layout: blog
 title:  'Health checking gRPC servers on Kubernetes'
 date: 2018-10-01
----
 --->
 
 <!--
@@ -22,7 +21,7 @@ To learn more, see [Configure Liveness, Readiness and Startup Probes](/docs/task
 This article was originally written about an external tool to achieve the same task._
 -->
 **更新（2021 年 12 月）：** “Kubernetes 从 v1.23 开始具有内置 gRPC 健康探测。
-了解更多信息，请参阅[配置存活探针、就绪探针和启动探针](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)。
+了解更多信息，请参阅[配置存活探针、就绪探针和启动探针](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)。
 本文最初是为有关实现相同任务的外部工具所写。”
 
 <!--
diff --git a/content/zh/blog/_posts/2018-10-03-kubedirector.md b/content/zh-cn/blog/_posts/2018-10-03-kubedirector.md
similarity index 99%
rename from content/zh/blog/_posts/2018-10-03-kubedirector.md
rename to content/zh-cn/blog/_posts/2018-10-03-kubedirector.md
index e07f1bb35fde1..21448cd1a8368 100644
--- a/content/zh/blog/_posts/2018-10-03-kubedirector.md
+++ b/content/zh-cn/blog/_posts/2018-10-03-kubedirector.md
@@ -2,8 +2,8 @@
 layout: blog
 title: 'KubeDirector：在 Kubernetes 上运行复杂状态应用程序的简单方法'
 date: 2018-10-03
+slug: kubedirector-the-easy-way-to-run-complex-stateful-applications-on-kubernetes
 ---
-
 <!--
 layout: blog
 title: 'KubeDirector: The easy way to run complex stateful applications on Kubernetes'
diff --git a/content/zh/blog/_posts/2018-10-10-runtimeclass.md b/content/zh-cn/blog/_posts/2018-10-10-runtimeclass.md
similarity index 95%
rename from content/zh/blog/_posts/2018-10-10-runtimeclass.md
rename to content/zh-cn/blog/_posts/2018-10-10-runtimeclass.md
index 35e86494423f9..09e6d9b38784c 100644
--- a/content/zh/blog/_posts/2018-10-10-runtimeclass.md
+++ b/content/zh-cn/blog/_posts/2018-10-10-runtimeclass.md
@@ -2,13 +2,12 @@
 layout: blog
 title: 'Kubernetes v1.12: RuntimeClass 简介'
 date: 2018-10-10
+slug: kubernetes-v1.12-introducing-runtimeclass
 ---
 <!--
----
 layout: blog
 title: 'Kubernetes v1.12: Introducing RuntimeClass'
 date: 2018-10-10
----
 -->
 
 <!--
@@ -85,8 +84,8 @@ Kubernetes 资源模型期望 Pod 中的容器之间可以共享某些资源。
 The RuntimeClass resource is an important foundation for surfacing runtime properties to the control plane. For example, to implement scheduler support for clusters with heterogeneous nodes supporting different runtimes, we might add [NodeAffinity](/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) terms to the RuntimeClass definition. Another area to address is managing the variable resource requirements to run pods of different runtimes. The [Pod Overhead proposal](https://docs.google.com/document/d/1EJKT4gyl58-kzt2bnwkv08MIUZ6lkDpXcxkHqCvvAp4/preview) was an early take on this that aligns nicely with the RuntimeClass design, and may be pursued further.
 -->
 RuntimeClass 资源是将运行时属性显示到控制平面的重要基础。
-例如，要对具有支持不同运行时间的异构节点的群集实施调度程序支持，我们可以在 RuntimeClass 定义中添加
-[NodeAffinity](/zh/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)条件。
+例如，要对具有支持不同运行时间的异构节点的集群实施调度程序支持，我们可以在 RuntimeClass 定义中添加
+[NodeAffinity](/zh-cn/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)条件。
 另一个需要解决的领域是管理可变资源需求以运行不同运行时的 Pod。
 [Pod Overhead 提案](https://docs.google.com/document/d/1EJKT4gyl58-kzt2bnwkv08MIUZ6lkDpXcxkHqCvvAp4/preview)
 是一项较早的尝试，与 RuntimeClass 设计非常吻合，并且可能会进一步推广。
@@ -107,7 +106,7 @@ Many other RuntimeClass extensions have also been proposed, and will be revisite
 - 提供运行时支持的可选功能，并更好地查看由不兼容功能导致的错误。
 - 自动运行时或功能发现，支持无需手动配置的调度决策。
 - 标准化或一致的 RuntimeClass 名称，用于定义一组具有相同名称的 RuntimeClass 的集群应支持的属性。
-- 动态注册附加的运行时，因此用户可以在不停机的情况下在现有群集上安装新的运行时。
+- 动态注册附加的运行时，因此用户可以在不停机的情况下在现有集群上安装新的运行时。
 - 根据 Pod 的要求“匹配”  RuntimeClass。
   例如，指定运行时属性并使系统与适当的 RuntimeClass 匹配，而不是通过名称显式分配 RuntimeClass。
 
@@ -129,7 +128,7 @@ RuntimeClass will be under active development at least through 2019, and we’re
 -->
 
 - 试试吧！ 作为Alpha功能，还有一些其他设置步骤可以使用RuntimeClass。
-  有关如何使其运行，请参考 [RuntimeClass文档](/zh/docs/concepts/containers/runtime-class/#runtime-class) 。
+  有关如何使其运行，请参考 [RuntimeClass文档](/zh-cn/docs/concepts/containers/runtime-class/#runtime-class) 。
 - 查看 [RuntimeClass Kubernetes 增强建议](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/runtime-class.md) 以获取更多细节设计细节。
 - [沙盒隔离级别决策](https://docs.google.com/document/d/1fe7lQUjYKR0cijRmSbH_y0_l3CYPkwtQa5ViywuNo8Q/preview) 
   记录了最初使 RuntimeClass 成为 Pod 级别选项的思考过程。
diff --git a/content/zh/blog/_posts/2018-10-11-topology-aware-volume-provisioning.md b/content/zh-cn/blog/_posts/2018-10-11-topology-aware-volume-provisioning.md
similarity index 82%
rename from content/zh/blog/_posts/2018-10-11-topology-aware-volume-provisioning.md
rename to content/zh-cn/blog/_posts/2018-10-11-topology-aware-volume-provisioning.md
index 3aefd018ab019..940996da208e2 100644
--- a/content/zh/blog/_posts/2018-10-11-topology-aware-volume-provisioning.md
+++ b/content/zh-cn/blog/_posts/2018-10-11-topology-aware-volume-provisioning.md
@@ -2,13 +2,12 @@
 layout: blog
 title: 'Kubernetes 中的拓扑感知数据卷供应'
 date: 2018-10-11
+slug: topology-aware-volume-provisioning-in-kubernetes
 ---
 <!--
----
 layout: blog
 title: 'Topology-Aware Volume Provisioning in Kubernetes'
 date: 2018-10-11
----
 -->
 
 <!--
@@ -19,7 +18,10 @@ date: 2018-10-11
 <!--
 The multi-zone cluster experience with persistent volumes is improving in Kubernetes 1.12 with the topology-aware dynamic provisioning beta feature. This feature allows Kubernetes to make intelligent decisions when dynamically provisioning volumes by getting scheduler input on the best place to provision a volume for a pod.  In multi-zone clusters, this means that volumes will get provisioned in an appropriate zone that can run your pod, allowing you to easily deploy and scale your stateful workloads across failure domains to provide high availability and fault tolerance.
 -->
-通过提供拓扑感知动态卷供应功能，具有持久卷的多区域集群体验在 Kubernetes 1.12 中得到了改进。此功能使得 Kubernetes 在动态供应卷时能做出明智的决策，方法是从调度器获得为 Pod 提供数据卷的最佳位置。在多区域集群环境，这意味着数据卷能够在满足你的 Pod 运行需要的合适的区域被供应，从而允许您跨故障域轻松部署和扩展有状态工作负载，从而提供高可用性和容错能力。
+通过提供拓扑感知动态卷供应功能，具有持久卷的多区域集群体验在 Kubernetes 1.12
+中得到了改进。此功能使得 Kubernetes 在动态供应卷时能做出明智的决策，方法是从调度器获得为
+Pod 提供数据卷的最佳位置。在多区域集群环境，这意味着数据卷能够在满足你的 Pod
+运行需要的合适的区域被供应，从而允许你跨故障域轻松部署和扩展有状态工作负载，从而提供高可用性和容错能力。
 
 <!--
 ## Previous challenges
@@ -29,7 +31,10 @@ The multi-zone cluster experience with persistent volumes is improving in Kubern
 <!--
 Before this feature, running stateful workloads with zonal persistent disks (such as AWS ElasticBlockStore, Azure Disk, GCE PersistentDisk) in multi-zone clusters had many challenges. Dynamic provisioning was handled independently from pod scheduling, which meant that as soon as you created a PersistentVolumeClaim (PVC), a volume would get provisioned. This meant that the provisioner had no knowledge of what pods were using the volume, and any pod constraints it had that could impact scheduling.
 -->
-在此功能被提供之前，在多区域集群中使用区域化的持久磁盘（例如 AWS ElasticBlockStore，Azure Disk，GCE PersistentDisk）运行有状态工作负载存在许多挑战。动态供应独立于 Pod 调度处理，这意味着只要您创建了一个 PersistentVolumeClaim（PVC），一个卷就会被供应。这也意味着供应者不知道哪些 Pod 正在使用该卷，也不清楚任何可能影响调度的 Pod 约束。
+在此功能被提供之前，在多区域集群中使用区域化的持久磁盘（例如 AWS ElasticBlockStore、
+Azure Disk、GCE PersistentDisk）运行有状态工作负载存在许多挑战。动态供应独立于 Pod
+调度处理，这意味着只要你创建了一个 PersistentVolumeClaim（PVC），一个卷就会被供应。
+这也意味着供应者不知道哪些 Pod 正在使用该卷，也不清楚任何可能影响调度的 Pod 约束。
 
 <!--
 This resulted in unschedulable pods because volumes were provisioned in zones that:
@@ -78,7 +83,7 @@ In 1.12, the following drivers support topology-aware dynamic provisioning:
 -->
 * AWS EBS
 * Azure Disk
-* GCE PD （包括 Regional PD）
+* GCE PD（包括 Regional PD）
 * CSI（alpha） - 目前只有 GCE PD CSI 驱动实现了拓扑支持
 
 <!--
@@ -91,13 +96,13 @@ While the initial set of supported plugins are all zonal-based, we designed this
 -->
 虽然最初支持的插件集都是基于区域的，但我们设计此功能时遵循 Kubernetes 跨环境可移植性的原则。
 拓扑规范是通用的，并使用类似于基于标签的规范，如 Pod nodeSelectors 和 nodeAffinity。
-该机制允许您定义自己的拓扑边界，例如内部部署集群中的机架，而无需修改调度程序以了解这些自定义拓扑。
+该机制允许你定义自己的拓扑边界，例如内部部署集群中的机架，而无需修改调度程序以了解这些自定义拓扑。
 
 <!--
 In addition, the topology information is abstracted away from the pod specification, so a pod does not need knowledge of the underlying storage system’s topology characteristics. This means that you can use the same pod specification across multiple clusters, environments, and storage systems.
 -->
 此外，拓扑信息是从 Pod 规范中抽象出来的，因此 Pod 不需要了解底层存储系统的拓扑特征。
-这意味着您可以在多个集群、环境和存储系统中使用相同的 Pod 规范。
+这意味着你可以在多个集群、环境和存储系统中使用相同的 Pod 规范。
 
 <!--
 ## Getting Started
@@ -107,7 +112,7 @@ In addition, the topology information is abstracted away from the pod specificat
 <!--
 To enable this feature, all you need to do is to create a StorageClass with `volumeBindingMode` set to `WaitForFirstConsumer`:
 -->
-要启用此功能，您需要做的就是创建一个将 `volumeBindingMode` 设置为 `WaitForFirstConsumer` 的 StorageClass：
+要启用此功能，你需要做的就是创建一个将 `volumeBindingMode` 设置为 `WaitForFirstConsumer` 的 StorageClass：
 
 ```
 kind: StorageClass
@@ -210,7 +215,7 @@ spec:
 <!--
 Afterwards, you can see that the volumes were provisioned in zones according to the policies set by the pod:
 -->
-之后，您可以看到根据 Pod 设置的策略在区域中配置卷：
+之后，你可以看到根据 Pod 设置的策略在区域中配置卷：
 
 ```
 $ kubectl get pv -o=jsonpath='{range .items[*]}{.spec.claimRef.name}{"\t"}{.metadata.labels.failure\-domain\.beta\.kubernetes\.io/zone}{"\n"}{end}'
@@ -228,12 +233,13 @@ logs-web-1      us-central1-a
 <!--
 Official documentation on the topology-aware dynamic provisioning feature is available here:https://kubernetes.io/docs/concepts/storage/storage-classes/#volume-binding-mode
 -->
-有关拓扑感知动态供应功能的官方文档可在此处获取：https://kubernetes.io/docs/concepts/storage/storage-classes/#volume-binding-mode
+有关拓扑感知动态供应功能的官方文档可在此处获取：
+https://kubernetes.io/docs/concepts/storage/storage-classes/#volume-binding-mode
 
 <!--
 Documentation for CSI drivers is available at https://kubernetes-csi.github.io/docs/
 -->
-有关 CSI 驱动程序的文档，请访问：https://kubernetes-csi.github.io/docs/
+有关 CSI 驱动程序的文档，请访问： https://kubernetes-csi.github.io/docs/
 
 <!--
 ## What’s next?
@@ -260,9 +266,16 @@ We are actively working on improving this feature to support:
 <!--
 If you have feedback for this feature or are interested in getting involved with the design and development, join the [Kubernetes Storage Special-Interest-Group](https://github.com/kubernetes/community/tree/master/sig-storage) (SIG). We’re rapidly growing and always welcome new contributors.
 -->
-如果您对此功能有反馈意见或有兴趣参与设计和开发，请加入 [Kubernetes 存储特别兴趣小组](https://github.com/kubernetes/community/tree/master/sig-storage)（SIG）。我们正在快速成长，并始终欢迎新的贡献者。
+如果你对此功能有反馈意见或有兴趣参与设计和开发，请加入
+[Kubernetes 存储特别兴趣小组](https://github.com/kubernetes/community/tree/master/sig-storage)（SIG）。
+我们正在快速成长，并始终欢迎新的贡献者。
 
 <!--
 Special thanks to all the contributors that helped bring this feature to beta, including Cheng Xing ([verult](https://github.com/verult)), Chuqiang Li ([lichuqiang](https://github.com/lichuqiang)), David Zhu ([davidz627](https://github.com/davidz627)), Deep Debroy ([ddebroy](https://github.com/ddebroy)), Jan Šafránek ([jsafrane](https://github.com/jsafrane)), Jordan Liggitt ([liggitt](https://github.com/liggitt)), Michelle Au ([msau42](https://github.com/msau42)), Pengfei Ni ([feiskyer](https://github.com/feiskyer)), Saad Ali ([saad-ali](https://github.com/saad-ali)), Tim Hockin ([thockin](https://github.com/thockin)), and Yecheng Fu ([cofyc](https://github.com/cofyc)).
 -->
-特别感谢帮助推出此功能的所有贡献者，包括 Cheng Xing ([verult](https://github.com/verult))、Chuqiang Li ([lichuqiang](https://github.com/lichuqiang))、David Zhu ([davidz627](https://github.com/davidz627))、Deep Debroy ([ddebroy](https://github.com/ddebroy))、Jan Šafránek ([jsafrane](https://github.com/jsafrane))、Jordan Liggitt ([liggitt](https://github.com/liggitt))、Michelle Au ([msau42](https://github.com/msau42))、Pengfei Ni ([feiskyer](https://github.com/feiskyer))、Saad Ali ([saad-ali](https://github.com/saad-ali))、Tim Hockin ([thockin](https://github.com/thockin))，以及 Yecheng Fu ([cofyc](https://github.com/cofyc))。
+特别感谢帮助推出此功能的所有贡献者，包括 Cheng Xing ([verult](https://github.com/verult))、
+Chuqiang Li ([lichuqiang](https://github.com/lichuqiang))、David Zhu ([davidz627](https://github.com/davidz627))、
+Deep Debroy ([ddebroy](https://github.com/ddebroy))、Jan Šafránek ([jsafrane](https://github.com/jsafrane))、
+Jordan Liggitt ([liggitt](https://github.com/liggitt))、Michelle Au ([msau42](https://github.com/msau42))、
+Pengfei Ni ([feiskyer](https://github.com/feiskyer))、Saad Ali ([saad-ali](https://github.com/saad-ali))、
+Tim Hockin ([thockin](https://github.com/thockin))，以及 Yecheng Fu ([cofyc](https://github.com/cofyc))。
diff --git a/content/zh/blog/_posts/2018-10-15-steering-election-results.md b/content/zh-cn/blog/_posts/2018-10-15-steering-election-results.md
similarity index 98%
rename from content/zh/blog/_posts/2018-10-15-steering-election-results.md
rename to content/zh-cn/blog/_posts/2018-10-15-steering-election-results.md
index 8e7d5edf7e569..73d2845fe50a3 100644
--- a/content/zh/blog/_posts/2018-10-15-steering-election-results.md
+++ b/content/zh-cn/blog/_posts/2018-10-15-steering-election-results.md
@@ -2,13 +2,12 @@
 layout: blog
 title: '2018 年督导委员会选举结果'
 date: 2018-10-15
+slug: 2018-steering-committee-election-results
 ---
 <!--
----
 layout: blog
 title: '2018 Steering Committee Election Results'
 date: 2018-10-15
----
 -->
 
 <!-- **Authors**: Jorge Castro (Heptio), Ihor Dvoretskyi (CNCF), Paris Pittman (Google) -->
diff --git a/content/zh/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md b/content/zh-cn/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
similarity index 98%
rename from content/zh/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
rename to content/zh-cn/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
index b504a5c6b6082..af6b93d768f73 100644
--- a/content/zh/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
+++ b/content/zh-cn/blog/_posts/2018-10-16-kubernetes-2018-north-american-contributor-summit.md
@@ -2,14 +2,14 @@
 layout: "Blog"
 title: "Kubernetes 2018 年北美贡献者峰会"
 date: 2018-10-16    
+slug: kubernetes-2018-north-american-contributor-summit
 ---
 <!--
----
 layout: "Blog"
 title: "Kubernetes 2018 North American Contributor Summit"
 date: 2018-10-16    
----
 -->
+
 <!--
 **Authors:**
 -->
diff --git a/content/zh/blog/_posts/2018-11-08-kubernetes-docs-update-i18n.md b/content/zh-cn/blog/_posts/2018-11-08-kubernetes-docs-update-i18n.md
similarity index 99%
rename from content/zh/blog/_posts/2018-11-08-kubernetes-docs-update-i18n.md
rename to content/zh-cn/blog/_posts/2018-11-08-kubernetes-docs-update-i18n.md
index cf6d5e58cbd64..90831b02b030f 100644
--- a/content/zh/blog/_posts/2018-11-08-kubernetes-docs-update-i18n.md
+++ b/content/zh-cn/blog/_posts/2018-11-08-kubernetes-docs-update-i18n.md
@@ -2,13 +2,12 @@
 layout: blog
 title: 'Kubernetes 文档更新，国际版'
 date: 2018-11-08
+slug: kubernetes-docs-updates-international-edition
 ---
 <!--
----
 layout: blog
 title: 'Kubernetes Docs Updates, International Edition'
 date: 2018-11-08
----
 -->
 
 <!-- **Author**: Zach Corleissen (Linux Foundation) -->
diff --git a/content/zh/blog/_posts/2018-12-05-new-contributor-shanghai.md b/content/zh-cn/blog/_posts/2018-12-05-new-contributor-shanghai.md
similarity index 99%
rename from content/zh/blog/_posts/2018-12-05-new-contributor-shanghai.md
rename to content/zh-cn/blog/_posts/2018-12-05-new-contributor-shanghai.md
index c3c74e429878e..5b8ddff2de21d 100644
--- a/content/zh/blog/_posts/2018-12-05-new-contributor-shanghai.md
+++ b/content/zh-cn/blog/_posts/2018-12-05-new-contributor-shanghai.md
@@ -2,14 +2,12 @@
 layout: blog
 title: '新贡献者工作坊上海站'
 date: 2018-12-05
+slug: new-contributor-workshop-shanghai
 ---
- 
 <!-- 
----
 layout: blog
 title: 'New Contributor Workshop Shanghai'
 date: 2018-12-05
----
  -->
 
 <!--
diff --git a/content/zh/blog/_posts/2019-03-07-raw-block-volume-support-to-beta.md b/content/zh-cn/blog/_posts/2019-03-07-raw-block-volume-support-to-beta.md
similarity index 99%
rename from content/zh/blog/_posts/2019-03-07-raw-block-volume-support-to-beta.md
rename to content/zh-cn/blog/_posts/2019-03-07-raw-block-volume-support-to-beta.md
index 3ac5bc89c47d9..a14274d331e30 100644
--- a/content/zh/blog/_posts/2019-03-07-raw-block-volume-support-to-beta.md
+++ b/content/zh-cn/blog/_posts/2019-03-07-raw-block-volume-support-to-beta.md
@@ -1,12 +1,12 @@
 ---
+layout: blog
 title: Raw Block Volume 支持进入 Beta
 date: 2019-03-07
+slug: raw-block-volume-support-to-beta
 ---
 <!--
----
 title: Raw Block Volume support to Beta
 date: 2019-03-07
----
 --->
 
 <!--
diff --git a/content/zh/blog/_posts/2019-03-28-PID-Limiting.md b/content/zh-cn/blog/_posts/2019-03-28-PID-Limiting.md
similarity index 98%
rename from content/zh/blog/_posts/2019-03-28-PID-Limiting.md
rename to content/zh-cn/blog/_posts/2019-03-28-PID-Limiting.md
index cb56c0a97ddf7..afada164a325d 100644
--- a/content/zh/blog/_posts/2019-03-28-PID-Limiting.md
+++ b/content/zh-cn/blog/_posts/2019-03-28-PID-Limiting.md
@@ -1,12 +1,12 @@
 ---
+layout: blog
 title: 'Kubernetes 1.14 稳定性改进中的进程ID限制'
 date: 2019-04-15
+slug: process-id-limiting-for-stability-improvements-in-kubernetes-1.14
 ---
 <!--
----
 title: 'Process ID Limiting for Stability Improvements in Kubernetes 1.14'
 date: 2019-04-15
----
 -->
 
 <!--
@@ -34,7 +34,7 @@ In such a scenario, it’s possible for something akin to a fork bomb taking pla
 
 在这里，我们谈论的是某些容器的贪婪性。 在理想情况之外，失控进程有时会发生，特别是在测试集群中。 因此，在这些集群中会发生一些混乱的非生产环境准备就绪的事情。
 
-在这种情况下，可能会在节点内部发生类似于 fork 炸弹耗尽 PID 的攻击。随着资源的缓慢腐蚀，被一些不断产生子进程的僵尸般的进程所接管，其他正常的工作负载会因为这些像气球般不断膨胀的浪费的处理能力而开始受到冲击。这可能导致同一 Pod 上的其他进程缺少所需的 PID。这也可能导致有趣的副作用，因为节点可能会发生故障，并且该Pod的副本将安排到新的机器上，至此，该过程将在整个群集中重复进行。
+在这种情况下，可能会在节点内部发生类似于 fork 炸弹耗尽 PID 的攻击。随着资源的缓慢腐蚀，被一些不断产生子进程的僵尸般的进程所接管，其他正常的工作负载会因为这些像气球般不断膨胀的浪费的处理能力而开始受到冲击。这可能导致同一 Pod 上的其他进程缺少所需的 PID。这也可能导致有趣的副作用，因为节点可能会发生故障，并且该Pod的副本将安排到新的机器上，至此，该过程将在整个集群中重复进行。
 
 <!--
 ## Fixing the Problem
diff --git a/content/zh-cn/blog/_posts/2019-04-26-latest-on-localization.md b/content/zh-cn/blog/_posts/2019-04-26-latest-on-localization.md
new file mode 100644
index 0000000000000..d0a2240423a16
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2019-04-26-latest-on-localization.md
@@ -0,0 +1,113 @@
+---
+layout: blog
+title: '如何参与 Kubernetes 文档的本地化工作'
+date: 2019-04-26
+slug: how-you-can-help-localize-kubernetes-docs
+---
+<!-- 
+layout: blog
+title: 'How You Can Help Localize Kubernetes Docs'
+date: 2019-04-26
+-->
+
+<!-- 
+**Author: Zach Corleissen (Linux Foundation)**
+
+Last year we optimized the Kubernetes website for [hosting multilingual content](/blog/2018/11/08/kubernetes-docs-updates-international-edition/). Contributors responded by adding multiple new localizations: as of April 2019, Kubernetes docs are partially available in nine different languages, with six added in 2019 alone. You can see a list of available languages in the language selector at the top of each page.
+
+By _partially available_, I mean that localizations are ongoing projects. They range from mostly complete ([Chinese docs for 1.12](https://v1-12.docs.kubernetes.io/zh/)) to brand new (1.14 docs in [Portuguese](https://kubernetes.io/pt/)). If you're interested in helping an existing localization, read on!
+-->
+**作者: Zach Corleissen（Linux 基金会）**
+
+去年我们对 Kubernetes 网站进行了优化，加入了[多语言内容的支持](https://kubernetes.io/blog/2018/11/08/kubernetes-docs-updates-international-edition/)。贡献者们踊跃响应，加入了多种新的本地化内容：截至 2019 年 4 月，Kubernetes 文档有了 9 个不同语言的未完成版本，其中有 6 个是 2019 年加入的。在每个 Kubernetes 文档页面的上方，读者都可以看到一个语言选择器，其中列出了所有可用语言。
+
+不论是完成度最高的[中文版 v1.12](https://v1-12.docs.kubernetes.io/zh-cn/)，还是最新加入的[葡萄牙文版 v1.14](https://kubernetes.io/pt/)，各语言的本地化内容还未完成，这是一个进行中的项目。如果读者有兴趣对现有本地化工作提供支持，请继续阅读。
+
+<!-- 
+## What is a localization?
+
+Translation is about words and meaning. Localization is about words, meaning, process, and design.
+
+A localization is like a translation, but more thorough. Instead of just translating words, a localization optimizes the framework for writing and publishing words. For example, most site navigation features (button text) on kubernetes.io are strings contained in a [single file](https://github.com/kubernetes/website/tree/master/i18n). Part of creating a new localization involves adding a language-specific version of that file and translating the strings it contains.
+
+Localization matters because it reduces barriers to adoption and support. When we can read Kubernetes docs in our own language, it's easier to get started using Kubernetes and contributing to its development.
+-->
+## 什么是本地化
+
+翻译是以词表意的问题。而本地化在此基础之上，还包含了过程和设计方面的工作。
+
+本地化和翻译很像，但是包含更多内容。除了进行翻译之外，本地化还要为编写和发布过程的框架进行优化。例如，Kubernetes.io 多数的站点浏览功能（按钮文字）都保存在[单独的文件](https://github.com/kubernetes/website/tree/master/i18n)之中。所以启动新本地化的过程中，需要包含加入对特定文件中字符串进行翻译的工作。
+
+本地化很重要，能够有效的降低 Kubernetes 的采纳和支持门槛。如果能用母语阅读 Kubernetes 文档，就能更轻松的开始使用 Kubernetes，并对其发展作出贡献。
+
+<!-- 
+## How do localizations happen?
+
+The availability of docs in different languages is a feature&mdash;and like all Kubernetes features, contributors develop localized docs in a SIG, share them for review, and add them to the project. 
+
+Contributors work in teams to localize content. Because folks can't approve their own PRs, localization teams have a minimum size of two&mdash;for example, the Italian localization has two contributors. Teams can also be quite large: the Chinese team has several dozen contributors. 
+
+Each team has its own workflow. Some teams localize all content manually; others use editors with translation plugins and review machine output for accuracy. SIG Docs focuses on standards of output; this leaves teams free to adopt the workflow that works best for them. That said, teams frequently collaborate with each other on best practices, and sharing abounds in the best spirit of the Kubernetes community.
+-->
+## 如何启动本地化工作
+
+不同语言的本地化工作都是单独的功能——和其它 Kubernetes 功能一致，贡献者们在一个 SIG 中进行本地化工作，分享出来进行评审，并加入项目。
+
+贡献者们在团队中进行内容的本地化工作。因为自己不能批准自己的 PR，所以一个本地化团队至少应该有两个人——例如意大利文的本地化团队有两个人。这个团队规模可能很大：中文团队有几十个成员。
+
+每个团队都有自己的工作流。有些团队手工完成所有的内容翻译；有些会使用带有翻译插件的编译器，并使用评审机来提供正确性的保障。SIG Docs 专注于输出的标准；这就给了本地化团队采用适合自己工作情况的工作流。这样一来，团队可以根据最佳实践进行协作，并以 Kubernetes 的社区精神进行分享。
+
+<!-- 
+## Helping with localizations
+
+If you're interested in starting a new localization for Kubernetes docs, the [Kubernetes contribution guide](https://kubernetes.io/docs/contribute/localization/) shows you how.
+
+Existing localizations also need help. If you'd like to contribute to an existing project, join the localization team's Slack channel and introduce yourself. Folks on that team can help you get started. 
+
+Localization | Slack channel
+---|---
+Chinese (中文) | [#kubernetes-docs-zh](https://kubernetes.slack.com/messages/CE3LNFYJ1/)
+English | [#sig-docs](https://kubernetes.slack.com/messages/C1J0BPD2M/)
+French (Français) | [#kubernetes-docs-fr](https://kubernetes.slack.com/messages/CG838BFT9/)
+German (Deutsch) | [#kubernetes-docs-de](https://kubernetes.slack.com/messages/CH4UJ2BAL/)
+Hindi | [#kubernetes-docs-hi](https://kubernetes.slack.com/messages/CJ14B9BDJ/)
+Indonesian | [#kubernetes-docs-id](https://kubernetes.slack.com/messages/CJ1LUCUHM/)
+Italian | [#kubernetes-docs-it](https://kubernetes.slack.com/messages/CGB1MCK7X/)
+Japanese (日本語) | [#kubernetes-docs-ja](https://kubernetes.slack.com/messages/CAG2M83S8/)
+Korean (한국어) | [#kubernetes-docs-ko](https://kubernetes.slack.com/messages/CA1MMR86S/)
+Portuguese (Português) | [#kubernetes-docs-pt](https://kubernetes.slack.com/messages/CJ21AS0NA/)
+Spanish (Español) | [#kubernetes-docs-es](https://kubernetes.slack.com/messages/CH7GB2E3B/)
+-->
+## 为本地化工作添砖加瓦
+
+如果你有兴趣为 Kubernetes 文档加入新语种的本地化内容，[Kubernetes contribution guide](https://kubernetes.io/docs/contribute/localization/) 中包含了这方面的相关内容。
+
+已经启动的的本地化工作同样需要支持。如果有兴趣为现存项目做出贡献，可以加入本地化团队的 Slack 频道，去做个自我介绍。各团队的成员会帮助你开始工作。
+
+|语种|Slack 频道|
+|---|---|
+|中文|[#kubernetes-docs-zh](https://kubernetes.slack.com/messages/CE3LNFYJ1/)|
+|英文|[#sig-docs](https://kubernetes.slack.com/messages/C1J0BPD2M/)|
+|法文|[#kubernetes-docs-fr](https://kubernetes.slack.com/messages/CG838BFT9/)|
+|德文|[#kubernetes-docs-de](https://kubernetes.slack.com/messages/CH4UJ2BAL/)|
+|印地|[#kubernetes-docs-hi](https://kubernetes.slack.com/messages/CJ14B9BDJ/)|
+|印度尼西亚文|[#kubernetes-docs-id](https://kubernetes.slack.com/messages/CJ1LUCUHM/)|
+|意大利文|[#kubernetes-docs-it](https://kubernetes.slack.com/messages/CGB1MCK7X/)|
+|日文|[#kubernetes-docs-ja](https://kubernetes.slack.com/messages/CAG2M83S8/)|
+|韩文|[#kubernetes-docs-ko](https://kubernetes.slack.com/messages/CA1MMR86S/)|
+|葡萄牙文|[#kubernetes-docs-pt](https://kubernetes.slack.com/messages/CJ21AS0NA/)|
+|西班牙文|[#kubernetes-docs-es](https://kubernetes.slack.com/messages/CH7GB2E3B/)|
+
+
+<!-- 
+## What's next?
+
+There's a new [Hindi localization](https://kubernetes.slack.com/messages/CJ14B9BDJ/) beginning. Why not add your language, too?
+
+As a chair of SIG Docs, I'd love to see localization spread beyond the docs and into Kubernetes components. Is there a Kubernetes component you'd like to see supported in a different language? Consider making a [Kubernetes Enhancement Proposal](https://github.com/kubernetes/enhancements/tree/master/keps) to support the change.
+-->
+## 下一步？
+
+最新的[印地文本地化](https://kubernetes.slack.com/messages/CJ14B9BDJ/)工作正在启动。为什么不加入你的语言？
+
+身为 SIG Docs 的主席，我甚至希望本地化工作跳出文档范畴，直接为 Kubernetes 组件提供本地化支持。有什么组件是你希望支持不同语言的么？可以提交一个 [Kubernetes Enhancement Proposal](https://github.com/kubernetes/enhancements/tree/master/keps) 来促成这一进步。
\ No newline at end of file
diff --git a/content/zh/blog/_posts/2019-05-14-expanding-our-contributor-workshops.md b/content/zh-cn/blog/_posts/2019-05-14-expanding-our-contributor-workshops.md
similarity index 100%
rename from content/zh/blog/_posts/2019-05-14-expanding-our-contributor-workshops.md
rename to content/zh-cn/blog/_posts/2019-05-14-expanding-our-contributor-workshops.md
diff --git a/content/zh/blog/_posts/2019-06-12-contributor-summit-shanghai.md b/content/zh-cn/blog/_posts/2019-06-12-contributor-summit-shanghai.md
similarity index 99%
rename from content/zh/blog/_posts/2019-06-12-contributor-summit-shanghai.md
rename to content/zh-cn/blog/_posts/2019-06-12-contributor-summit-shanghai.md
index 1d136352bdb72..ae932956ae689 100644
--- a/content/zh/blog/_posts/2019-06-12-contributor-summit-shanghai.md
+++ b/content/zh-cn/blog/_posts/2019-06-12-contributor-summit-shanghai.md
@@ -2,6 +2,7 @@
 layout: blog
 title: '欢迎参加在上海举行的贡献者峰会'
 date: 2019-06-11
+slug: join-us-at-the-contributor-summit-in-shanghai
 ---
 
 <!-- ---
diff --git a/content/zh/blog/_posts/2019-08-06-OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes.md b/content/zh-cn/blog/_posts/2019-08-06-OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes.md
similarity index 99%
rename from content/zh/blog/_posts/2019-08-06-OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes.md
rename to content/zh-cn/blog/_posts/2019-08-06-OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes.md
index 58ee778b8491e..df46cab3c64cc 100644
--- a/content/zh/blog/_posts/2019-08-06-OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes.md
+++ b/content/zh-cn/blog/_posts/2019-08-06-OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes.md
@@ -61,7 +61,7 @@ For example, you can enforce policies like:
 <!--
 Kubernetes allows decoupling policy decisions from the API server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to intercept admission requests before they are persisted as objects in Kubernetes. [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) was created to enable users to customize admission control via configuration, not code and to bring awareness of the cluster’s state, not just the single object under evaluation at admission time. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the [Open Policy Agent (OPA)](https://www.openpolicyagent.org), a policy engine for Cloud Native environments hosted by CNCF.
 --->
-在接收请求被持久化为 Kubernetes 中的对象之前，Kubernetes 允许通过 [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) 将策略决策与 API 服务器分离，从而拦截这些请求。[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 创建的目的是使用户能够通过配置（而不是代码）自定义控制许可，并使用户了解群集的状态，而不仅仅是针对评估状态的单个对象，在这些对象准许加入的时候。Gatekeeper 是 Kubernetes 的一个可定制的许可 webhook ，它由 [Open Policy Agent (OPA)](https://www.openpolicyagent.org) 强制执行， OPA 是 Cloud Native 环境下的策略引擎，由 CNCF 主办。
+在接收请求被持久化为 Kubernetes 中的对象之前，Kubernetes 允许通过 [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) 将策略决策与 API 服务器分离，从而拦截这些请求。[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 创建的目的是使用户能够通过配置（而不是代码）自定义控制许可，并使用户了解集群的状态，而不仅仅是针对评估状态的单个对象，在这些对象准许加入的时候。Gatekeeper 是 Kubernetes 的一个可定制的许可 webhook ，它由 [Open Policy Agent (OPA)](https://www.openpolicyagent.org) 强制执行， OPA 是 Cloud Native 环境下的策略引擎，由 CNCF 主办。
 
 <!--
 ## Evolution 
@@ -206,7 +206,7 @@ As you can see, with the Constraint framework, we can reliably share Regos via t
 The audit functionality enables periodic evaluations of replicated resources against the Constraints enforced in the cluster to detect pre-existing misconfigurations. Gatekeeper stores audit results as `violations` listed in the `status` field of the relevant Constraint.  --->
 ### 审核 
 
-根据群集中强制执行的 Constraint，审核功能可定期评估复制的资源，并检测先前存在的错误配置。Gatekeeper 将审核结果存储为 `violations`，在相关 Constraint 的 `status` 字段中列出。
+根据集群中强制执行的 Constraint，审核功能可定期评估复制的资源，并检测先前存在的错误配置。Gatekeeper 将审核结果存储为 `violations`，在相关 Constraint 的 `status` 字段中列出。
 
 ```yaml
 apiVersion: constraints.gatekeeper.sh/v1beta1
diff --git a/content/zh/blog/_posts/2019-09-24-san-diego-contributor-summit.md b/content/zh-cn/blog/_posts/2019-09-24-san-diego-contributor-summit.md
similarity index 100%
rename from content/zh/blog/_posts/2019-09-24-san-diego-contributor-summit.md
rename to content/zh-cn/blog/_posts/2019-09-24-san-diego-contributor-summit.md
diff --git a/content/zh/blog/_posts/2019-10-03-2019-Steering-Committee-Election-Results.md b/content/zh-cn/blog/_posts/2019-10-03-2019-Steering-Committee-Election-Results.md
similarity index 100%
rename from content/zh/blog/_posts/2019-10-03-2019-Steering-Committee-Election-Results.md
rename to content/zh-cn/blog/_posts/2019-10-03-2019-Steering-Committee-Election-Results.md
diff --git a/content/zh/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md b/content/zh-cn/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md
similarity index 100%
rename from content/zh/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md
rename to content/zh-cn/blog/_posts/2019-10-10-contributor-summit-san-diego-schedule.md
diff --git a/content/zh/blog/_posts/2019-10-29-2019-sig-docs-survey.md b/content/zh-cn/blog/_posts/2019-10-29-2019-sig-docs-survey.md
similarity index 100%
rename from content/zh/blog/_posts/2019-10-29-2019-sig-docs-survey.md
rename to content/zh-cn/blog/_posts/2019-10-29-2019-sig-docs-survey.md
diff --git a/content/zh/blog/_posts/2019-11-05-kubernetes-with-microk8s.md b/content/zh-cn/blog/_posts/2019-11-05-kubernetes-with-microk8s.md
similarity index 99%
rename from content/zh/blog/_posts/2019-11-05-kubernetes-with-microk8s.md
rename to content/zh-cn/blog/_posts/2019-11-05-kubernetes-with-microk8s.md
index 2e789dbcac8ca..c01a3af556d56 100644
--- a/content/zh/blog/_posts/2019-11-05-kubernetes-with-microk8s.md
+++ b/content/zh-cn/blog/_posts/2019-11-05-kubernetes-with-microk8s.md
@@ -1,14 +1,14 @@
 ---
+layout: blog
 title: '使用 Microk8s 在 Linux 上本地运行 Kubernetes'
-
 date: 2019-11-26
+slug: running-kubernetes-locally-on-linux-with-microk8s
 ---
 <!--
----                                           
 title: 'Running Kubernetes locally on Linux with Microk8s'                                                           
 date: 2019-11-26
----
 -->
+
 <!--
 **Authors**: [Ihor Dvoretskyi](https://twitter.com/idvoretskyi), Developer Advocate, Cloud Native Computing Foundation; [Carmine Rimi](https://twitter.com/carminerimi)
 -->
diff --git a/content/zh/blog/_posts/2019-11-26-cloud-native-java-controller-sdk.md b/content/zh-cn/blog/_posts/2019-11-26-cloud-native-java-controller-sdk.md
similarity index 100%
rename from content/zh/blog/_posts/2019-11-26-cloud-native-java-controller-sdk.md
rename to content/zh-cn/blog/_posts/2019-11-26-cloud-native-java-controller-sdk.md
diff --git a/content/zh/blog/_posts/2019-12-09-kubernetes-1.17-release-announcement.md b/content/zh-cn/blog/_posts/2019-12-09-kubernetes-1.17-release-announcement.md
similarity index 95%
rename from content/zh/blog/_posts/2019-12-09-kubernetes-1.17-release-announcement.md
rename to content/zh-cn/blog/_posts/2019-12-09-kubernetes-1.17-release-announcement.md
index 8792bd7c10efd..31554dbe91703 100644
--- a/content/zh/blog/_posts/2019-12-09-kubernetes-1.17-release-announcement.md
+++ b/content/zh-cn/blog/_posts/2019-12-09-kubernetes-1.17-release-announcement.md
@@ -69,9 +69,9 @@ Standard labels are used by Kubernetes components to support some features. For
 The labels are reaching general availability in this release. Kubernetes components have been updated to populate the GA and beta labels and to react to both. However, if you are using the beta labels in your pod specs for features such as node affinity, or in your custom controllers, we recommend that you start migrating them to the new GA labels. You can find the documentation for the new labels here:
 -->
 
-- [实例类型](/zh/docs/reference/labels-annotations-taints/#nodekubernetesioinstance-type)
-- [地区](/zh/docs/reference/labels-annotations-taints/#topologykubernetesioregion)
-- [区域](/zh/docs/reference/labels-annotations-taints/#topologykubernetesiozone)
+- [实例类型](/zh-cn/docs/reference/labels-annotations-taints/#nodekubernetesioinstance-type)
+- [地区](/zh-cn/docs/reference/labels-annotations-taints/#topologykubernetesioregion)
+- [区域](/zh-cn/docs/reference/labels-annotations-taints/#topologykubernetesiozone)
 
 <!--
 - [node.kubernetes.io/instance-type](/docs/reference/labels-annotations-taints/#nodekubernetesioinstance-type)
@@ -87,7 +87,9 @@ The labels are reaching general availability in this release. Kubernetes compone
 The Kubernetes Volume Snapshot feature is now beta in Kubernetes v1.17. It was introduced as alpha in Kubernetes v1.12, with a second alpha with breaking changes in Kubernetes v1.13.  This post summarizes the changes in the beta release.
 -->
 ### 卷快照是什么？
-<!-- ### What is a Volume Snapshot? -->
+<!--
+### What is a Volume Snapshot?
+-->
 许多的存储系统(如谷歌云持久化磁盘，亚马逊弹性块存储和许多的内部存储系统)支持为持久卷创建快照。快照代表卷在一个时间点的复制。它可用于配置新卷(使用快照数据提前填充)或恢复卷到一个之前的状态(用快照表示)。
 <!--
 Many storage systems (like Google Cloud Persistent Disks, Amazon Elastic Block Storage, and many on-premise storage systems) provide the ability to create a “snapshot” of a persistent volume. A snapshot represents a point-in-time copy of a volume. A snapshot can be used either to provision a new volume (pre-populated with the snapshot data) or to restore an existing volume to a previous state (represented by the snapshot).
@@ -101,7 +103,7 @@ Kubernetes卷插件系统已经提供了功能强大的抽象用于自动配置
 The Kubernetes volume plugin system already provides a powerful abstraction that automates the provisioning, attaching, and mounting of block and file storage.
 -->
 
-支持所有这些特性是Kubernets负载可移植的目标：Kubernetes旨在分布式系统应用和底层集群之间创建一个抽象层,使得应用可以不感知其运行集群的具体信息并且部署也不需特定集群的知识。
+支持所有这些特性是Kubernetes负载可移植的目标：Kubernetes旨在分布式系统应用和底层集群之间创建一个抽象层,使得应用可以不感知其运行集群的具体信息并且部署也不需特定集群的知识。
 <!--
 Underpinning all these features is the Kubernetes goal of workload portability: Kubernetes aims to create an abstraction layer between distributed systems applications and underlying clusters so that applications can be agnostic to the specifics of the cluster they run on and application deployment requires no “cluster specific” knowledge.
 -->
@@ -145,7 +147,8 @@ Prior to CSI, Kubernetes provided a powerful volume plugin system. These volume
 
 随着更多容器存储接口驱动变成生产环境可用，我们希望所有的Kubernetes用户从容器存储接口模型中获益。然而，我们不希望强制用户以破坏现有基本可用的存储接口的方式去改变负载和配置。道路很明确，我们将不得不用CSI替换树内插件接口。什么是容器存储接口迁移？
 <!--
- As more CSI Drivers were created and became production ready, we wanted all Kubernetes users to reap the benefits of the CSI model. However, we did not want to force users into making workload/configuration changes by breaking the existing generally available storage APIs. The way forward was clear - we would have to replace the backend of the “in-tree plugin” APIs with CSI.What is CSI migration?
+As more CSI Drivers were created and became production ready, we wanted all Kubernetes users to reap the benefits of the CSI model. However, we did not want to force users into making workload/configuration changes by breaking the existing generally available storage APIs. The way forward was clear - we would have to replace the backend of the “in-tree plugin” APIs with CSI.
+What is CSI migration?
 -->
 
 在容器存储接口迁移上所做的努力使得替换现有的树内存储插件，如`kubernetes.io/gce-pd`或`kubernetes.io/aws-ebs`，为相应的容器存储接口驱动成为可能。如果容器存储接口迁移正常工作，Kubernetes终端用户不会注意到任何差别。迁移过后，Kubernetes用户可以继续使用现有接口来依赖树内存储插件的功能。
@@ -165,7 +168,8 @@ The Kubernetes team has worked hard to ensure the stability of storage APIs and
 
 你可以在这篇博客中阅读更多关于[容器存储接口迁移成为公开测试版](https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/).
 <!--
-You can read more in the blog entry about [CSI migration going to beta](https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/). -->
+You can read more in the blog entry about [CSI migration going to beta](https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/).
+-->
 ## 其它更新
 <!--
 ## Other Updates
@@ -225,12 +229,11 @@ You can read more in the blog entry about [CSI migration going to beta](https://
 -->
 ### 可用性
 <!--
- ### Availability
+### Availability
 -->
 Kubernetes 1.17 可以[在GitHub下载](https://github.com/kubernetes/kubernetes/releases/tag/v1.17.0)。开始使用Kubernetes，看看这些[交互教学](https://kubernetes.io/docs/tutorials/)。你可以非常容易使用[kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/)安装1.17。
 <!--
-Kubernetes 1.17 is available for [download on GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.17.0). To get started with Kubernetes, check out these [interactive tutorials](https://kubernetes.io/docs/tutorials/). You can also easily install 1.17 using
- [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/).
+Kubernetes 1.17 is available for [download on GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.17.0). To get started with Kubernetes, check out these [interactive tutorials](https://kubernetes.io/docs/tutorials/). You can also easily install 1.17 using [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/).
  -->
 ### 发布团队
 <!--
diff --git a/content/zh/blog/_posts/2020-01-15-Kubernetes-on-MIPS.md b/content/zh-cn/blog/_posts/2020-01-15-Kubernetes-on-MIPS.md
similarity index 100%
rename from content/zh/blog/_posts/2020-01-15-Kubernetes-on-MIPS.md
rename to content/zh-cn/blog/_posts/2020-01-15-Kubernetes-on-MIPS.md
diff --git a/content/zh/blog/_posts/2020-03-25-kubernetes-1.18-release-announcement.md b/content/zh-cn/blog/_posts/2020-03-25-kubernetes-1.18-release-announcement.md
similarity index 70%
rename from content/zh/blog/_posts/2020-03-25-kubernetes-1.18-release-announcement.md
rename to content/zh-cn/blog/_posts/2020-03-25-kubernetes-1.18-release-announcement.md
index b191daab33686..b263469049c9b 100644
--- a/content/zh/blog/_posts/2020-03-25-kubernetes-1.18-release-announcement.md
+++ b/content/zh-cn/blog/_posts/2020-03-25-kubernetes-1.18-release-announcement.md
@@ -14,16 +14,21 @@ evergreen: true
 <!--
 We're pleased to announce the delivery of Kubernetes 1.18, our first release of 2020! Kubernetes 1.18 consists of 38 enhancements: 15 enhancements are moving to stable, 11 enhancements in beta, and 12 enhancements in alpha.
 -->
-我们很高兴宣布 Kubernetes 1.18 版本的交付，这是我们 2020 年的第一版！ Kubernetes 1.18 包含 38 个增强功能：15 项增强功能已转为稳定版，11 项增强功能处于 beta 阶段，12 项增强功能处于 alpha 阶段。
+我们很高兴宣布 Kubernetes 1.18 版本的交付，这是我们 2020 年的第一版！Kubernetes
+1.18 包含 38 个增强功能：15 项增强功能已转为稳定版，11 项增强功能处于 beta
+阶段，12 项增强功能处于 alpha 阶段。
 
 <!--
 Kubernetes 1.18 is a "fit and finish" release. Significant work has gone into improving beta and stable features to ensure users have a better experience. An equal effort has gone into adding new developments and exciting new features that promise to enhance the user experience even more.
 -->
-Kubernetes 1.18 是一个近乎 “完美” 的版本。 为了改善 beta 和稳定的特性，已进行了大量工作，以确保用户获得更好的体验。 我们在增强现有功能的同时也增加了令人兴奋的新特性，这些有望进一步增强用户体验。
+Kubernetes 1.18 是一个近乎 “完美” 的版本。为了改善 beta 和稳定的特性，已进行了大量工作，
+以确保用户获得更好的体验。我们在增强现有功能的同时也增加了令人兴奋的新特性，这些有望进一步增强用户体验。
+
 <!--
 Having almost as many enhancements in alpha, beta, and stable is a great achievement. It shows the tremendous effort made by the community on improving the reliability of Kubernetes as well as continuing to expand its existing functionality.
 -->
-对 alpha，beta 和稳定版进行几乎同等程度的增强是一项伟大的成就。 它展现了社区在提高 Kubernetes 的可靠性以及继续扩展其现有功能方面所做的巨大努力。
+对 alpha、beta 和稳定版进行几乎同等程度的增强是一项伟大的成就。它展现了社区在提高
+Kubernetes 的可靠性以及继续扩展其现有功能方面所做的巨大努力。
 
 
 <!--
@@ -39,17 +44,21 @@ Having almost as many enhancements in alpha, beta, and stable is a great achieve
 <!--
 A beta feature of Kubernetes in release 1.18,  the [Topology Manager feature](https://github.com/nolancon/website/blob/f4200307260ea3234540ef13ed80de325e1a7267/content/en/docs/tasks/administer-cluster/topology-manager.md) enables NUMA alignment of CPU and devices (such as SR-IOV VFs) that will allow your workload to run in an environment optimized for low-latency. Prior to the introduction of the Topology Manager, the CPU and Device Manager would make resource allocation decisions independent of each other. This could result in undesirable allocations on multi-socket systems, causing degraded performance on latency critical applications.
 -->
-Kubernetes 在 1.18 版中的 Beta 阶段功能 [拓扑管理器特性](https://github.com/nolancon/website/blob/f4200307260ea3234540ef13ed80de325e1a7267/content/en/docs/tasks/administer-cluster/topology-manager.md) 启用 CPU 和设备（例如 SR-IOV VF）的 NUMA 对齐，这将使您的工作负载在针对低延迟而优化的环境中运行。在引入拓扑管理器之前，CPU 和设备管理器将做出彼此独立的资源分配决策。 这可能会导致在多处理器系统上非预期的资源分配结果，从而导致对延迟敏感的应用程序的性能下降。
+Kubernetes 在 1.18 版中的 Beta 阶段功能[拓扑管理器特性](https://github.com/nolancon/website/blob/f4200307260ea3234540ef13ed80de325e1a7267/content/en/docs/tasks/administer-cluster/topology-manager.md)启用
+CPU 和设备（例如 SR-IOV VF）的 NUMA 对齐，这将使你的工作负载在针对低延迟而优化的环境中运行。
+在引入拓扑管理器之前，CPU 和设备管理器将做出彼此独立的资源分配决策。
+这可能会导致在多处理器系统上非预期的资源分配结果，从而导致对延迟敏感的应用程序的性能下降。
 
 <!--
 ### Serverside Apply Introduces Beta 2
 -->
-### Serverside Apply 推出Beta 2
+### Serverside Apply 推出 Beta 2
 
 <!--
 Server-side Apply was promoted to Beta in 1.16, but is now introducing a second Beta in 1.18. This new version will track and manage changes to fields of all new Kubernetes objects, allowing you to know what changed your resources and when.
 -->
-Serverside Apply 在1.16 中进入 Beta 阶段，但现在在 1.18 中进入了第二个 Beta 阶段。 这个新版本将跟踪和管理所有新 Kubernetes 对象的字段更改，从而使您知道什么更改了资源以及何时发生了更改。
+Serverside Apply 在1.16 中进入 Beta 阶段，但现在在 1.18 中进入了第二个 Beta 阶段。
+这个新版本将跟踪和管理所有新 Kubernetes 对象的字段更改，从而使你知道什么更改了资源以及何时发生了更改。
 
 
 <!--
@@ -60,12 +69,16 @@ Serverside Apply 在1.16 中进入 Beta 阶段，但现在在 1.18 中进入了
 <!--
 In Kubernetes 1.18, there are two significant additions to Ingress: A new `pathType` field and a new `IngressClass` resource. The `pathType` field allows specifying how paths should be matched. In addition to the default `ImplementationSpecific` type, there are new `Exact` and `Prefix` path types. 
 -->
-在 Kubernetes 1.18 中，Ingress 有两个重要的补充：一个新的 `pathType` 字段和一个新的 `IngressClass` 资源。`pathType` 字段允许指定路径的匹配方式。 除了默认的`ImplementationSpecific`类型外，还有新的 `Exact`和`Prefix` 路径类型。
+在 Kubernetes 1.18 中，Ingress 有两个重要的补充：一个新的 `pathType` 字段和一个新的
+`IngressClass` 资源。`pathType` 字段允许指定路径的匹配方式。除了默认的
+`ImplementationSpecific` 类型外，还有新的 `Exact` 和 `Prefix` 路径类型。
 
 <!--
 The `IngressClass` resource is used to describe a type of Ingress within a Kubernetes cluster. Ingresses can specify the class they are associated with by using a new `ingressClassName` field on Ingresses. This new resource and field replace the deprecated `kubernetes.io/ingress.class` annotation.
 -->
-`IngressClass` 资源用于描述 Kubernetes 集群中 Ingress 的类型。  Ingress 对象可以通过在Ingress 资源类型上使用新的`ingressClassName` 字段来指定与它们关联的类。 这个新的资源和字段替换了不再建议使用的 `kubernetes.io/ingress.class` 注解。
+`IngressClass` 资源用于描述 Kubernetes 集群中 Ingress 的类型。Ingress 对象可以通过在
+Ingress 资源类型上使用新的 `ingressClassName` 字段来指定与它们关联的类。
+这个新的资源和字段替换了不再建议使用的 `kubernetes.io/ingress.class` 注解。
 
 <!--
 ### SIG-CLI introduces kubectl alpha debug
@@ -75,7 +88,12 @@ The `IngressClass` resource is used to describe a type of Ingress within a Kuber
 <!--
 SIG-CLI was debating the need for a debug utility for quite some time already. With the development of [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/), it became more obvious how we can support developers with tooling built on top of `kubectl exec`. The addition of the [`kubectl alpha debug` command](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/20190805-kubectl-debug.md) (it is alpha but your feedback is more than welcome), allows developers to easily debug their Pods inside the cluster. We think this addition is invaluable.  This command allows one to create a temporary container which runs next to the Pod one is trying to examine, but also attaches to the console for interactive troubleshooting.
 -->
-SIG-CLI 一直在争论着调试工具的必要性。随着 [临时容器](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/) 的发展，我们如何使用基于 `kubectl exec` 的工具来支持开发人员的必要性变得越来越明显。 [`kubectl alpha debug` 命令](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/20190805-kubectl-debug.md) 的增加，（由于是 alpha 阶段，非常欢迎您反馈意见），使开发人员可以轻松地在集群中调试 Pod。我们认为这个功能的价值非常高。 此命令允许创建一个临时容器，该容器在要尝试检查的 Pod 旁边运行，并且还附加到控制台以进行交互式故障排除。
+SIG-CLI 一直在争论着调试工具的必要性。随着[临时容器](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/)的发展，
+我们如何使用基于 `kubectl exec` 的工具来支持开发人员的必要性变得越来越明显。
+[`kubectl alpha debug` 命令](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/20190805-kubectl-debug.md)的增加，
+（由于是 alpha 阶段，非常欢迎你反馈意见），使开发人员可以轻松地在集群中调试 Pod。
+我们认为这个功能的价值非常高。此命令允许创建一个临时容器，该容器在要尝试检查的
+Pod 旁边运行，并且还附加到控制台以进行交互式故障排除。
 
 <!--
 ### Introducing Windows CSI support alpha for Kubernetes
@@ -85,7 +103,8 @@ SIG-CLI 一直在争论着调试工具的必要性。随着 [临时容器](https
 <!--
 The alpha version of CSI Proxy for Windows is being released with Kubernetes 1.18. CSI proxy enables CSI Drivers on Windows by allowing containers in Windows to perform privileged storage operations.
 -->
-用于 Windows 的 CSI 代理的 Alpha 版本随 Kubernetes 1.18 一起发布。 CSI 代理通过允许Windows 中的容器执行特权存储操作来启用 Windows 上的 CSI 驱动程序。
+用于 Windows 的 CSI 代理的 Alpha 版本随 Kubernetes 1.18 一起发布。CSI 代理通过允许
+Windows 中的容器执行特权存储操作来启用 Windows 上的 CSI 驱动程序。
 
 <!--
 ## Other Updates
@@ -158,7 +177,8 @@ The alpha version of CSI Proxy for Windows is being released with Kubernetes 1.1
 <!--
 Check out the full details of the Kubernetes 1.18 release in our [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md).
 -->
-在我们的 [发布文档](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md)中查看 Kubernetes 1.18 发行版的完整详细信息。
+在我们的[发布文档](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md)中查看
+Kubernetes 1.18 发行版的完整详细信息。
 
 
 <!--
@@ -169,7 +189,10 @@ Check out the full details of the Kubernetes 1.18 release in our [release notes]
 <!--
 Kubernetes 1.18 is available for download on [GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.18.0). To get started with Kubernetes, check out these [interactive tutorials](https://kubernetes.io/docs/tutorials/) or run local Kubernetes clusters using Docker container “nodes” with [kind](https://kind.sigs.k8s.io/). You can also easily install 1.18 using [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/). 
 -->
-Kubernetes 1.18 可以在 [GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.18.0) 上下载。 要开始使用Kubernetes，请查看这些 [交互教程](https://kubernetes.io/docs/tutorials/) 或通过[kind](https://kind.sigs.k8s.io/) 使用 Docker 容器运行本地 kubernetes 集群。您还可以使用[kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/)轻松安装 1.18。
+Kubernetes 1.18 可以在 [GitHub](https://github.com/kubernetes/kubernetes/releases/tag/v1.18.0)
+上下载。要开始使用 Kubernetes，请查看这些[交互教程](https://kubernetes.io/docs/tutorials/)或通过
+[kind](https://kind.sigs.k8s.io/) 使用 Docker 容器运行本地 kubernetes 集群。你还可以使用
+[kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/) 轻松安装 1.18。
 
 <!--
 ### Release Team
@@ -179,12 +202,18 @@ Kubernetes 1.18 可以在 [GitHub](https://github.com/kubernetes/kubernetes/rele
 <!--
 This release is made possible through the efforts of hundreds of individuals who contributed both technical and non-technical content. Special thanks to the [release team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.18/release_team.md) led by Jorge Alarcon Ochoa, Site Reliability Engineer at Searchable AI. The 34 release team members coordinated many aspects of the release, from documentation to testing, validation, and feature completeness. 
 -->
-通过数百位贡献了技术和非技术内容的个人的努力，使本次发行成为可能。 特别感谢由 Searchable AI 的网站可靠性工程师 Jorge Alarcon Ochoa 领导的[发布团队](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.18/release_team.md)。 34 位发布团队成员协调了发布的各个方面，从文档到测试、验证和功能完整性。
+通过数百位贡献了技术和非技术内容的个人的努力，使本次发行成为可能。
+特别感谢由 Searchable AI 的网站可靠性工程师 Jorge Alarcon Ochoa
+领导的[发布团队](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.18/release_team.md)。
+34 位发布团队成员协调了发布的各个方面，从文档到测试、验证和功能完整性。
 
 <!--
 As the Kubernetes community has grown, our release process represents an amazing demonstration of collaboration in open source software development. Kubernetes continues to gain new users at a rapid pace. This growth creates a positive feedback cycle where more contributors commit code creating a more vibrant ecosystem. Kubernetes has had over [40,000 individual contributors](https://k8s.devstats.cncf.io/d/24/overall-project-statistics?orgId=1) to date and an active community of more than 3,000 people.
 -->
-随着 Kubernetes 社区的发展壮大，我们的发布过程很好地展示了开源软件开发中的协作。 Kubernetes 继续快速获取新用户。 这种增长创造了一个积极的反馈回路，其中有更多的贡献者提交了代码，从而创建了更加活跃的生态系统。 迄今为止，Kubernetes 已有 [40,000 独立贡献者](https://k8s.devstats.cncf.io/d/24/overall-project-statistics?orgId=1) 和一个超过3000人的活跃社区。
+随着 Kubernetes 社区的发展壮大，我们的发布过程很好地展示了开源软件开发中的协作。
+Kubernetes 继续快速获取新用户。这种增长创造了一个积极的反馈回路，
+其中有更多的贡献者提交了代码，从而创建了更加活跃的生态系统。迄今为止，Kubernetes 已有
+[40,000 独立贡献者](https://k8s.devstats.cncf.io/d/24/overall-project-statistics?orgId=1)和一个超过 3000 人的活跃社区。
 
 <!--
 ### Release Logo
@@ -204,7 +233,10 @@ As the Kubernetes community has grown, our release process represents an amazing
 <!--
 The LHC is the world’s largest and most powerful particle accelerator.  It is the result of the collaboration of thousands of scientists from around the world, all for the advancement of science. In a similar manner, Kubernetes has been a project that has united thousands of contributors from hundreds of organizations – all to work towards the same goal of improving cloud computing in all aspects! "A Bit Quarky" as the release name is meant to remind us that unconventional ideas can bring about great change and keeping an open mind to diversity will lead help us innovate.
 -->
-LHC 是世界上最大，功能最强大的粒子加速器。它是由来自世界各地成千上万科学家合作的结果，所有这些合作都是为了促进科学的发展。以类似的方式，Kubernetes 已经成为一个聚集了来自数百个组织的数千名贡献者–所有人都朝着在各个方面改善云计算的相同目标努力的项目！ 发布名称“ A  Bit Quarky” 的意思是提醒我们，非常规的想法可以带来巨大的变化，对开放性保持开放态度将有助于我们进行创新。
+LHC 是世界上最大，功能最强大的粒子加速器。它是由来自世界各地成千上万科学家合作的结果，
+所有这些合作都是为了促进科学的发展。以类似的方式，Kubernetes
+已经成为一个聚集了来自数百个组织的数千名贡献者–所有人都朝着在各个方面改善云计算的相同目标努力的项目！
+发布名称 “A Bit Quarky” 的意思是提醒我们，非常规的想法可以带来巨大的变化，对开放性保持开放态度将有助于我们进行创新。
 
 
 <!--
@@ -215,7 +247,9 @@ LHC 是世界上最大，功能最强大的粒子加速器。它是由来自世
 <!--
 Maru Lango is a designer currently based in Mexico City. While her area of expertise is Product Design, she also enjoys branding, illustration and visual experiments using CSS + JS and contributing to diversity efforts within the tech and design communities. You may find her in most social media as @marulango or check her website: https://marulango.com
 -->
-Maru Lango 是目前居住在墨西哥城的设计师。她的专长是产品设计，她还喜欢使用 CSS + JS 进行品牌、插图和视觉实验，为技术和设计社区的多样性做贡献。您可能会在大多数社交媒体上以 @marulango 的身份找到她，或查看她的网站： https://marulango.com
+Maru Lango 是目前居住在墨西哥城的设计师。她的专长是产品设计，她还喜欢使用 CSS + JS
+进行品牌、插图和视觉实验，为技术和设计社区的多样性做贡献。你可能会在大多数社交媒体上以
+@marulango 的身份找到她，或查看她的网站： https://marulango.com
 
 <!--
 ### User Highlights
@@ -227,9 +261,12 @@ Maru Lango 是目前居住在墨西哥城的设计师。她的专长是产品设
 - Zendesk is using Kubernetes to [run around 70% of its existing applications](https://www.cncf.io/case-study/zendesk/). It’s also building all new applications to also run on Kubernetes, which has brought time savings, greater flexibility, and increased velocity  to its application development.
 - LifeMiles has [reduced infrastructure spending by 50%](https://www.cncf.io/case-study/lifemiles/) because of its move to Kubernetes. It has also allowed them to double its available resource capacity.
 -->
-- 爱立信正在使用 Kubernetes 和其他云原生技术来交付[高标准的 5G 网络](https://www.cncf.io/case-study/ericsson/)，这可以在 CI/CD 上节省多达 90％ 的支出。
-- Zendesk 正在使用 Kubernetes [运行其现有应用程序的约 70％](https://www.cncf.io/case-study/zendesk/)。它还正在使所构建的所有新应用都可以在 Kubernetes 上运行，从而节省时间、提高灵活性并加快其应用程序开发的速度。
-- LifeMiles 因迁移到 Kubernetes 而[降低了 50% 的基础设施开支](https://www.cncf.io/case-study/lifemiles/)。Kubernetes 还使他们可以将其可用资源容量增加一倍。
+- 爱立信正在使用 Kubernetes 和其他云原生技术来交付[高标准的 5G 网络](https://www.cncf.io/case-study/ericsson/)，
+  这可以在 CI/CD 上节省多达 90％ 的支出。
+- Zendesk 正在使用 Kubernetes [运行其现有应用程序的约 70％](https://www.cncf.io/case-study/zendesk/)。
+  它还正在使所构建的所有新应用都可以在 Kubernetes 上运行，从而节省时间、提高灵活性并加快其应用程序开发的速度。
+- LifeMiles 因迁移到 Kubernetes 而[降低了 50% 的基础设施开支](https://www.cncf.io/case-study/lifemiles/)。
+  Kubernetes 还使他们可以将其可用资源容量增加一倍。
 
 <!--
 ### Ecosystem Updates
@@ -240,8 +277,9 @@ Maru Lango 是目前居住在墨西哥城的设计师。她的专长是产品设
 - The CNCF published the results of its [annual survey](https://www.cncf.io/blog/2020/03/04/2019-cncf-survey-results-are-here-deployments-are-growing-in-size-and-speed-as-cloud-native-adoption-becomes-mainstream/) showing that Kubernetes usage in production is skyrocketing. The survey found that 78% of respondents are using Kubernetes in production compared to 58% last year.
 - The “Introduction to Kubernetes” course hosted by the CNCF [surpassed 100,000 registrations](https://www.cncf.io/announcement/2020/01/28/cloud-native-computing-foundation-announces-introduction-to-kubernetes-course-surpasses-100000-registrations/).
 -->
-- CNCF发布了[年度调查](https://www.cncf.io/blog/2020/03/04/2019-cncf-survey-results-are-here-deployments-are-growing-in-size-and-speed-as-cloud-native-adoption-becomes-mainstream/) 的结果，表明 Kubernetes 在生产中的使用正在飞速增长。调查发现，有78％的受访者在生产中使用Kubernetes，而去年这一比例为 58％。
-- CNCF 举办的 “Kubernetes入门” 课程有[超过 100,000 人注册](https://www.cncf.io/announcement/2020/01/28/cloud-native-computing-foundation-announces-introduction-to-kubernetes-course-surpasses-100000-registrations/)。
+- CNCF 发布了[年度调查](https://www.cncf.io/blog/2020/03/04/2019-cncf-survey-results-are-here-deployments-are-growing-in-size-and-speed-as-cloud-native-adoption-becomes-mainstream/)的结果，
+  表明 Kubernetes 在生产中的使用正在飞速增长。调查发现，有 78％ 的受访者在生产中使用 Kubernetes，而去年这一比例为 58％。
+- CNCF 举办的 “Kubernetes 入门” 课程有[超过 100,000 人注册](https://www.cncf.io/announcement/2020/01/28/cloud-native-computing-foundation-announces-introduction-to-kubernetes-course-surpasses-100000-registrations/)。
 
 <!--
 ### Project Velocity
@@ -251,12 +289,16 @@ Maru Lango 是目前居住在墨西哥城的设计师。她的专长是产品设
 <!--
 The CNCF has continued refining DevStats, an ambitious project to visualize the myriad contributions that go into the project. [K8s DevStats](https://k8s.devstats.cncf.io/d/12/dashboards?orgId=1) illustrates the breakdown of contributions from major company contributors, as well as an impressive set of preconfigured reports on everything from individual contributors to pull request lifecycle times. 
 -->
-CNCF 继续完善 DevStats。这是一个雄心勃勃的项目，旨在对项目中的无数贡献数据进行可视化展示。[K8s DevStats](https://k8s.devstats.cncf.io/d/12/dashboards?orgId=1) 展示了主要公司贡献者的贡献细目，以及一系列令人印象深刻的预定义的报告，涉及从贡献者个人的各方面到 PR 生命周期的各个方面。
+CNCF 继续完善 DevStats。这是一个雄心勃勃的项目，旨在对项目中的无数贡献数据进行可视化展示。
+[K8s DevStats](https://k8s.devstats.cncf.io/d/12/dashboards?orgId=1) 展示了主要公司贡献者的贡献细目，
+以及一系列令人印象深刻的预定义的报告，涉及从贡献者个人的各方面到 PR 生命周期的各个方面。
 
 <!--
 This past quarter, 641 different companies and over 6,409 individuals contributed to Kubernetes. [Check out DevStats](https://k8s.devstats.cncf.io/d/11/companies-contributing-in-repository-groups?orgId=1&var-period=m&var-repogroup_name=All) to learn more about the overall velocity of the Kubernetes project and community.
 -->
-在过去的一个季度中，641 家不同的公司和超过 6,409 个个人为 Kubernetes 作出贡献。 [查看 DevStats](https://k8s.devstats.cncf.io/d/11/companies-contributing-in-repository-groups?orgId=1&var-period=m&var-repogroup_name=All) 以了解有关 Kubernetes 项目和社区发展速度的信息。
+在过去的一个季度中，641 家不同的公司和超过 6,409 个个人为 Kubernetes 作出贡献。
+[查看 DevStats](https://k8s.devstats.cncf.io/d/11/companies-contributing-in-repository-groups?orgId=1&var-period=m&var-repogroup_name=All)
+以了解有关 Kubernetes 项目和社区发展速度的信息。
 
 <!--
 ### Event Update
@@ -266,7 +308,8 @@ This past quarter, 641 different companies and over 6,409 individuals contribute
 <!--
 Kubecon + CloudNativeCon EU 2020 is being pushed back –  for the more most up-to-date information, please check the [Novel Coronavirus Update page](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/attend/novel-coronavirus-update/).
 -->
-Kubecon + CloudNativeCon EU 2020 已经推迟 - 有关最新信息，请查看[新型肺炎发布页面](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/attend/novel-coronavirus-update/)。
+Kubecon + CloudNativeCon EU 2020 已经推迟 - 有关最新信息，
+请查看[新型肺炎发布页面](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/attend/novel-coronavirus-update/)。
 
 <!--
 ### Upcoming Release Webinar
@@ -276,7 +319,9 @@ Kubecon + CloudNativeCon EU 2020 已经推迟 - 有关最新信息，请查看[
 <!--
 Join members of the Kubernetes 1.18 release team on April 23rd, 2020 to learn about the major features in this release including kubectl debug, Topography Manager, Ingress to V1 graduation, and client-go. Register here: https://www.cncf.io/webinars/kubernetes-1-18/.
 -->
-在 2020 年 4 月 23 日，和 Kubernetes 1.18 版本团队一起了解此版本的主要功能，包括 kubectl debug、拓扑管理器、Ingress 毕业为 V1 版本以及 client-go。 在此处注册：https://www.cncf.io/webinars/kubernetes-1-18/ 。
+在 2020 年 4 月 23 日，和 Kubernetes 1.18 版本团队一起了解此版本的主要功能，
+包括 kubectl debug、拓扑管理器、Ingress 毕业为 V1 版本以及 client-go。
+在此处注册： https://www.cncf.io/webinars/kubernetes-1-18/ 。
 
 <!--
 ### Get Involved
@@ -286,7 +331,9 @@ Join members of the Kubernetes 1.18 release team on April 23rd, 2020 to learn ab
 <!--
 The simplest way to get involved with Kubernetes is by joining one of the many [Special Interest Groups](https://github.com/kubernetes/community/blob/master/sig-list.md) (SIGs) that align with your interests. Have something you’d like to broadcast to the Kubernetes community? Share your voice at our weekly [community meeting](https://github.com/kubernetes/community/tree/master/communication), and through the channels below. Thank you for your continued feedback and support.
 -->
-参与 Kubernetes 的最简单方法是加入众多与您的兴趣相关的 [特别兴趣小组](https://github.com/kubernetes/community/blob/master/sig-list.md) (SIGs) 之一。 您有什么想向 Kubernetes 社区发布的内容吗？ 参与我们的每周 [社区会议](https://github.com/kubernetes/community/tree/master/communication)，并通过以下渠道分享您的声音。 感谢您一直以来的反馈和支持。
+参与 Kubernetes 的最简单方法是加入众多与你的兴趣相关的[特别兴趣小组](https://github.com/kubernetes/community/blob/master/sig-list.md)（SIGs）之一。
+你有什么想向 Kubernetes 社区发布的内容吗？参与我们的每周[社区会议](https://github.com/kubernetes/community/tree/master/communication)，
+并通过以下渠道分享你的声音。感谢你一直以来的反馈和支持。
 
 <!--
 - Follow us on Twitter [@Kubernetesio](https://twitter.com/kubernetesio) for latest updates
@@ -300,7 +347,7 @@ The simplest way to get involved with Kubernetes is by joining one of the many [
 - 在 Twitter 上关注我们 [@Kubernetesio](https://twitter.com/kubernetesio)，了解最新动态
 - 在 [Discuss](https://discuss.kubernetes.io/) 上参与社区讨论 
 - 加入 [Slack](http://slack.k8s.io/) 上的社区
--  在[Stack Overflow](http://stackoverflow.com/questions/tagged/kubernetes)提问（或回答）
-- 分享您的 Kubernetes [故事](https://docs.google.com/a/linuxfoundation.org/forms/d/e/1FAIpQLScuI7Ye3VQHQTwBASrgkjQDSS5TP0g3AXfFhwSM9YpHgxRKFA/viewform)
-- 通过 [blog](https://kubernetes.io/blog/)了解更多关于 Kubernetes 的新鲜事
-- 了解更多关于 [Kubernetes 发布团队](https://github.com/kubernetes/sig-release/tree/master/release-team) 的信息
+- 在 [Stack Overflow](http://stackoverflow.com/questions/tagged/kubernetes) 提问（或回答）
+- 分享你的 Kubernetes [故事](https://docs.google.com/a/linuxfoundation.org/forms/d/e/1FAIpQLScuI7Ye3VQHQTwBASrgkjQDSS5TP0g3AXfFhwSM9YpHgxRKFA/viewform)
+- 通过 [blog](https://kubernetes.io/blog/) 了解更多关于 Kubernetes 的新鲜事
+- 了解更多关于 [Kubernetes 发布团队](https://github.com/kubernetes/sig-release/tree/master/release-team)的信息
diff --git a/content/zh/blog/_posts/2020-09-04-introducing-structured-logs.md b/content/zh-cn/blog/_posts/2020-09-04-introducing-structured-logs.md
similarity index 96%
rename from content/zh/blog/_posts/2020-09-04-introducing-structured-logs.md
rename to content/zh-cn/blog/_posts/2020-09-04-introducing-structured-logs.md
index 27026deebf5ea..b483dedaebc7b 100644
--- a/content/zh/blog/_posts/2020-09-04-introducing-structured-logs.md
+++ b/content/zh-cn/blog/_posts/2020-09-04-introducing-structured-logs.md
@@ -92,4 +92,4 @@ Finally, structured logs can help reduce storage costs for logs because most sto
 <!--
 While we have updated over 99% of the log entries by log volume in a typical deployment, there are still thousands of logs to be updated. Pick a file or directory that you would like to improve and [migrate existing log calls to use structured logs](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/migration-to-structured-logging.md). It's a great and easy way to make your first contribution to Kubernetes!
 -->
-虽然在典型部署中，我们已按日志量更新了99％以上的日志条目，但仍有数千个日志需要更新。 选择一个您要改进的文件或目录，然后[迁移现有的日志调用以使用结构化日志]（https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/migration-to-structured-logging.md）。这是对Kubernetes做出第一笔贡献的好方法!
+虽然在典型部署中，我们已按日志量更新了99％以上的日志条目，但仍有数千个日志需要更新。 选择一个您要改进的文件或目录，然后[迁移现有的日志调用以使用结构化日志](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/migration-to-structured-logging.md)。这是对Kubernetes做出第一笔贡献的好方法!
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image01.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image01.png
new file mode 100644
index 0000000000000..91e885613945a
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image01.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image02.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image02.png
new file mode 100644
index 0000000000000..dfd14d7cdc994
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image02.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image03.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image03.png
new file mode 100644
index 0000000000000..443a6f2d671be
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image03.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image04.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image04.png
new file mode 100644
index 0000000000000..e107adc88b6a3
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image04.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image05.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image05.png
new file mode 100644
index 0000000000000..6d80447d094a3
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image05.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image06.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image06.png
new file mode 100644
index 0000000000000..d40b2eb0b6838
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image06.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image07.png b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image07.png
new file mode 100644
index 0000000000000..fc3976040fe09
Binary files /dev/null and b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/image07.png differ
diff --git a/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/index.md b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/index.md
new file mode 100644
index 0000000000000..d2f1fa1e407f4
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2020-09-30-writing-crl-scheduler/index.md
@@ -0,0 +1,255 @@
+---
+layout: blog
+title: "一个编排高可用应用的 Kubernetes 自定义调度器"
+date: 2020-12-21
+slug: writing-crl-scheduler
+---
+<!--
+---
+layout: blog
+title: "A Custom Kubernetes Scheduler to Orchestrate Highly Available Applications"
+date: 2020-12-21
+slug: writing-crl-scheduler
+---
+-->
+**作者**: Chris Seto (Cockroach Labs)
+<!--
+**Author**: Chris Seto (Cockroach Labs)
+-->
+
+<!--
+As long as you're willing to follow the rules, deploying on Kubernetes and air travel can be quite pleasant. More often than not, things will "just work". However, if one is interested in travelling with an alligator that must remain alive or scaling a database that must remain available, the situation is likely to become a bit more complicated. It may even be easier to build one's own plane or database for that matter. Travelling with reptiles aside, scaling a highly available stateful system is no trivial task.
+-->
+只要你愿意遵守规则，那么在 Kubernetes 上的部署和探索可以是相当愉快的。更多时候，事情会 "顺利进行"。
+然而，如果一个人对与必须保持存活的鳄鱼一起旅行或者是对必须保持可用的数据库进行扩展有兴趣，
+情况可能会变得更复杂一点。
+相较于这个问题，建立自己的飞机或数据库甚至还可能更容易一些。撇开与鳄鱼的旅行不谈，扩展一个高可用的有状态系统也不是一件小事。
+
+<!--
+Scaling any system has two main components:
+1. Adding or removing infrastructure that the system will run on, and
+2. Ensuring that the system knows how to handle additional instances of itself being added and removed.
+-->
+任何系统的扩展都有两个主要组成部分。
+1. 增加或删除系统将运行的基础架构，以及
+2. 确保系统知道如何处理自身额外实例的添加和删除。
+
+<!--
+Most stateless systems, web servers for example, are created without the need to be aware of peers. Stateful systems, which includes databases like CockroachDB, have to coordinate with their peer instances and shuffle around data. As luck would have it, CockroachDB handles data redistribution and replication. The tricky part is being able to tolerate failures during these operations by ensuring that data and instances are distributed across many failure domains (availability zones).
+-->
+大多数无状态系统，例如网络服务器，在创建时不需要意识到对等实例。而有状态的系统，包括像 CockroachDB 这样的数据库，
+必须与它们的对等实例协调，并对数据进行 shuffle。运气好的话，CockroachDB 可以处理数据的再分布和复制。
+棘手的部分是在确保数据和实例分布在许多故障域（可用性区域）的操作过程中能够容忍故障的发生。
+
+<!--
+One of Kubernetes' responsibilities is to place "resources" (e.g, a disk or container) into the cluster and satisfy the constraints they request. For example: "I must be in availability zone _A_" (see [Running in multiple zones](/docs/setup/best-practices/multiple-zones/#nodes-are-labeled)), or "I can't be placed onto the same node as this other Pod" (see [Affinity and anti-affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)).
+-->
+Kubernetes 的职责之一是将 "资源"（如磁盘或容器）放入集群中，并满足其请求的约束。
+例如。"我必须在可用性区域 _A_"（见[在多个区域运行](/zh-cn/docs/setup/best-practices/multiple-zones/#nodes-are-labeled)），
+或者 "我不能被放置到与某个 Pod 相同的节点上"
+（见[亲和与反亲和](/zh-cn/docs/setup/best-practices/multiple-zones/#nodes-are-labeled)）。
+
+<!--
+As an addition to those constraints, Kubernetes offers [Statefulsets](/docs/concepts/workloads/controllers/statefulset/) that provide identity to Pods as well as persistent storage that "follows" these identified pods. Identity in a StatefulSet is handled by an increasing integer at the end of a pod's name. It's important to note that this integer must always be contiguous: in a StatefulSet, if pods 1 and 3 exist then pod 2 must also exist.
+-->
+作为对这些约束的补充，Kubernetes 提供了 [StatefulSets](/zh-cn/docs/concepts/workloads/controllers/statefulset/)，
+为 Pod 提供身份，以及 "跟随" 这些指定 Pod 的持久化存储。
+在 StatefulSet 中，身份是由 Pod 名称末尾一个呈增序的整数处理的。
+值得注意的是，这个整数必须始终是连续的：在一个 StatefulSet 中，
+如果 Pod 1 和 3 存在，那么 Pod 2 也必须存在。
+
+<!--
+Under the hood, CockroachCloud deploys each region of CockroachDB as a StatefulSet in its own Kubernetes cluster - see [Orchestrate CockroachDB in a Single Kubernetes Cluster](https://www.cockroachlabs.com/docs/stable/orchestrate-cockroachdb-with-kubernetes.html).
+In this article, I'll be looking at an individual region, one StatefulSet and one Kubernetes cluster which is distributed across at least three availability zones.
+-->
+在架构上，CockroachCloud 将 CockroachDB 的每个区域作为 StatefulSet 部署在自己的 Kubernetes 集群中 -- 
+参见 [Orchestrate CockroachDB in a Single Kubernetes Cluster](https://www.cockroachlabs.com/docs/stable/orchestrate-cockroachdb-with-kubernetes.html)。
+在这篇文章中，我将着眼于一个单独的区域，一个 StatefulSet 和一个至少分布有三个可用区的 Kubernetes 集群。
+
+<!--
+A three-node CockroachCloud cluster would look something like this:
+-->
+一个三节点的 CockroachCloud 集群如下所示：
+
+<!--
+![3-node, multi-zone cockroachdb cluster](image01.png)
+-->
+![3-node, multi-zone cockroachdb cluster](image01.png)
+
+<!--
+When adding additional resources to the cluster we also distribute them across zones. For the speediest user experience, we add all Kubernetes nodes at the same time and then scale up the StatefulSet.
+-->
+在向集群增加额外的资源时，我们也会将它们分布在各个区域。
+为了获得最快的用户体验，我们同时添加所有 Kubernetes 节点，然后扩大 StatefulSet 的规模。
+
+<!--
+![illustration of phases: adding Kubernetes nodes to the multi-zone cockroachdb cluster](image02.png)
+-->
+![illustration of phases: adding Kubernetes nodes to the multi-zone cockroachdb cluster](image02.png)
+
+<!--
+Note that anti-affinities are satisfied no matter the order in which pods are assigned to Kubernetes nodes. In the example, pods 0, 1 and 2 were assigned to zones A, B, and C respectively, but pods 3 and 4 were assigned in a different order, to zones B and A respectively. The anti-affinity is still satisfied because the pods are still placed in different zones.
+-->
+请注意，无论 Pod 被分配到 Kubernetes 节点的顺序如何，都会满足反亲和性。
+在这个例子中，Pod 0、1、2 分别被分配到 A、B、C 区，但 Pod 3 和 4 以不同的顺序被分配到 B 和 A 区。
+反亲和性仍然得到满足，因为 Pod 仍然被放置在不同的区域。
+
+<!--
+To remove resources from a cluster, we perform these operations in reverse order.
+-->
+要从集群中移除资源，我们以相反的顺序执行这些操作。
+
+<!--
+We first scale down the StatefulSet and then remove from the cluster any nodes lacking a CockroachDB pod.
+-->
+我们首先缩小 StatefulSet 的规模，然后从集群中移除任何缺少 CockroachDB Pod 的节点。
+
+<!--
+![illustration of phases: scaling down pods in a multi-zone cockroachdb cluster in Kubernetes](image03.png)
+-->
+![illustration of phases: scaling down pods in a multi-zone cockroachdb cluster in Kubernetes](image03.png)
+
+<!--
+Now, remember that pods in a StatefulSet of size _n_ must have ids in the range `[0,n)`. When scaling down a StatefulSet by _m_, Kubernetes removes _m_ pods, starting from the highest ordinals and moving towards the lowest, [the reverse in which they were added](/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees).
+Consider the cluster topology below:
+-->
+现在，请记住，规模为 _n_ 的 StatefulSet 中的 Pods 一定具有 `[0,n)` 范围内的 id。
+当把一个 StatefulSet 规模缩减了 _m_ 时，Kubernetes 会移除 _m_ 个 Pod，从最高的序号开始，向最低的序号移动，
+[与它们被添加的顺序相反](/zh-cn/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees)。
+考虑一下下面的集群拓扑结构。
+
+<!--
+![illustration: cockroachdb cluster: 6 nodes distributed across 3 availability zones](image04.png)
+-->
+![illustration: cockroachdb cluster: 6 nodes distributed across 3 availability zones](image04.png)
+
+<!--
+As ordinals 5 through 3 are removed from this cluster, the statefulset continues to have a presence across all 3 availability zones.
+-->
+当从这个集群中移除 5 号到 3 号 Pod 时，这个 StatefulSet 仍然横跨三个可用区。
+
+<!--
+![illustration: removing 3 nodes from a 6-node, 3-zone cockroachdb cluster](image05.png)
+-->
+![illustration: removing 3 nodes from a 6-node, 3-zone cockroachdb cluster](image05.png)
+
+<!--
+However, Kubernetes' scheduler doesn't _guarantee_ the placement above as we expected at first.
+-->
+然而，Kubernetes 的调度器并不像我们一开始预期的那样 _保证_ 上面的分布。
+
+<!--
+Our combined knowledge of the following is what lead to this misconception.
+* Kubernetes' ability to [automatically spread Pods across zone](/docs/setup/best-practices/multiple-zones/#pods-are-spread-across-zones)
+* The behavior that a StatefulSet with _n_ replicas, when Pods are being deployed, they are created sequentially, in order from `{0..n-1}`. See [StatefulSet](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees) for more details.
+-->
+我们对以下内容的综合认识是导致这种误解的原因。
+* Kubernetes [自动跨区分配 Pod](/zh-cn/docs/setup/best-practices/multiple-zones/#pods-are-spread-across-zones) 的能力
+* 一个有 _n_ 个副本的 StatefulSet，当 Pod 被部署时，它们会按照 `{0...n-1}` 的顺序依次创建。
+更多细节见 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees)。
+
+<!--
+Consider the following topology:
+-->
+考虑以下拓扑结构：
+
+<!--
+![illustration: 6-node cockroachdb cluster distributed across 3 availability zones](image06.png)
+-->
+![illustration: 6-node cockroachdb cluster distributed across 3 availability zones](image06.png)
+
+<!--
+These pods were created in order and they are spread across all availability zones in the cluster. When ordinals 5 through 3 are terminated, this cluster will lose its presence in zone C!
+-->
+这些 Pod 是按顺序创建的，它们分布在集群里所有可用区。当序号 5 到 3 的 Pod 被终止时，
+这个集群将从 C 区消失!
+
+<!--
+![illustration: terminating 3 nodes in 6-node cluster spread across 3 availability zones, where 2/2 nodes in the same availability zone are terminated, knocking out that AZ](image07.png)
+-->
+![illustration: terminating 3 nodes in 6-node cluster spread across 3 availability zones, where 2/2 nodes in the same availability zone are terminated, knocking out that AZ](image07.png)
+
+<!--
+Worse yet, our automation, at the time, would remove Nodes A-2, B-2, and C-2. Leaving CRDB-1 in an unscheduled state as persistent volumes are only available in the zone they are initially created in.
+-->
+更糟糕的是，在这个时候，我们的自动化机制将删除节点 A-2，B-2，和 C-2。
+并让 CRDB-1 处于未调度状态，因为持久性卷只在其创建时所处的区域内可用。
+
+<!--
+To correct the latter issue, we now employ a "hunt and peck" approach to removing machines from a cluster. Rather than blindly removing Kubernetes nodes from the cluster, only nodes without a CockroachDB pod would be removed. The much more daunting task was to wrangle the Kubernetes scheduler.
+-->
+为了纠正后一个问题，我们现在采用了一种“狩猎和啄食”的方法来从集群中移除机器。
+与其盲目地从集群中移除 Kubernetes 节点，不如只移除没有 CockroachDB Pod 的节点。
+更为艰巨的任务是管理 Kubernetes 的调度器。
+
+<!--
+## A session of brainstorming left us with 3 options:
+
+### 1. Upgrade to kubernetes 1.18 and make use of Pod Topology Spread Constraints
+
+While this seems like it could have been the perfect solution, at the time of writing Kubernetes 1.18 was unavailable on the two most common managed Kubernetes services in public cloud, EKS and GKE.
+Furthermore, [pod topology spread constraints](/docs/concepts/workloads/pods/pod-topology-spread-constraints/) were still a [beta feature in 1.18](https://v1-18.docs.kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) which meant that it [wasn't guaranteed to be available in managed clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/types-of-clusters#kubernetes_feature_choices) even when v1.18 became available.
+The entire endeavour was concerningly reminiscent of checking [caniuse.com](https://caniuse.com/) when Internet Explorer 8 was still around.
+-->
+## 一场头脑风暴后我们有了 3 个选择。
+
+### 1. 升级到 kubernetes 1.18 并利用 Pod 拓扑分布约束
+
+虽然这似乎是一个完美的解决方案，但在写这篇文章的时候，Kubernetes 1.18 在公有云中两个最常见的
+托管 Kubernetes 服务（ EKS 和 GKE ）上是不可用的。
+此外，[Pod 拓扑分布约束](/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints/)在 
+[1.18 中仍是测试版功能](https://v1-18.docs.kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/)，
+这意味着即使在 v1.18 可用时，它[也不能保证在托管集群中可用](https://cloud.google.com/kubernetes-engine/docs/concepts/types-of-clusters#kubernetes_feature_choices)。
+整个努力让人联想到在 Internet Explorer 8 还存在的时候访问 [caniuse.com](https://caniuse.com/)。
+
+<!--
+### 2. Deploy a statefulset _per zone_.
+
+Rather than having one StatefulSet distributed across all availability zones, a single StatefulSet with node affinities per zone would allow manual control over our zonal topology.
+Our team had considered this as an option in the past which made it particularly appealing.
+Ultimately, we decided to forego this option as it would have required a massive overhaul to our codebase and performing the migration on existing customer clusters would have been an equally large undertaking.
+-->
+### 2. 在每个区部署一个 StatefulSet。
+
+与跨所有可用区部署一个 StatefulSet 相比，在每个区部署一个带有节点亲和性的 StatefulSet 可以实现手动控制分区拓扑结构。
+我们的团队过去曾考虑过这个选项，我们也倾向此选项。
+但最终，我们决定放弃这个方案，因为这需要对我们的代码库进行大规模的修改，而且在现有的客户集群上进行迁移也是一个同样大的工程。
+
+<!--
+### 3. Write a custom Kubernetes scheduler.
+
+Thanks to an example from [Kelsey Hightower](https://github.com/kelseyhightower/scheduler) and a blog post from [Banzai Cloud](https://banzaicloud.com/blog/k8s-custom-scheduler/), we decided to dive in head first and write our own [custom Kubernetes scheduler](/docs/tasks/extend-kubernetes/configure-multiple-schedulers/).
+Once our proof-of-concept was deployed and running, we quickly discovered that the Kubernetes' scheduler is also responsible for mapping persistent volumes to the Pods that it schedules.
+The output of [`kubectl get events`](/docs/tasks/extend-kubernetes/configure-multiple-schedulers/#verifying-that-the-pods-were-scheduled-using-the-desired-schedulers) had led us to believe there was another system at play.
+In our journey to find the component responsible for storage claim mapping, we discovered the [kube-scheduler plugin system](/docs/concepts/scheduling-eviction/scheduling-framework/). Our next POC was a `Filter` plugin that determined the appropriate availability zone by pod ordinal, and it worked flawlessly!
+
+Our [custom scheduler plugin](https://github.com/cockroachlabs/crl-scheduler) is open source and runs in all of our CockroachCloud clusters.
+Having control over how our StatefulSet pods are being scheduled has let us scale out with confidence.
+We may look into retiring our plugin once pod topology spread constraints are available in GKE and EKS, but the maintenance overhead has been surprisingly low.
+Better still: the plugin's implementation is orthogonal to our business logic. Deploying it, or retiring it for that matter, is as simple as changing the `schedulerName` field in our StatefulSet definitions.
+
+---
+
+_[Chris Seto](https://twitter.com/_ostriches) is a software engineer at Cockroach Labs and works on their Kubernetes automation for [CockroachCloud](https://cockroachlabs.cloud), CockroachDB._
+-->
+
+### 3. 编写一个自定义的 Kubernetes 调度器
+
+感谢 [Kelsey Hightower](https://github.com/kelseyhightower/scheduler) 的例子和 
+[Banzai Cloud](https://banzaicloud.com/blog/k8s-custom-scheduler/) 的博文，我们决定投入进去，编写自己的[自定义 Kubernetes 调度器](/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers/)。
+一旦我们的概念验证被部署和运行，我们很快就发现，Kubernetes 的调度器也负责将持久化卷映射到它所调度的 Pod 上。
+[`kubectl get events`](/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers/#verifying-that-the-pods-wer-scheduled-using-the-desired-schedulers)
+的输出让我们相信有另一个系统在发挥作用。
+在我们寻找负责存储声明映射的组件的过程中，我们发现了 
+[kube-scheduler 插件系统](/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework/)。
+我们的下一个 POC 是一个"过滤器"插件，它通过 Pod 的序号来确定适当的可用区域，并且工作得非常完美。
+
+我们的[自定义调度器插件](https://github.com/cockroachlabs/crl-scheduler)是开源的，并在我们所有的 CockroachCloud 集群中运行。
+对 StatefulSet Pod 的调度方式有掌控力，让我们有信心扩大规模。
+一旦 GKE 和 EKS 中的 Pod 拓扑分布约束可用，我们可能会考虑让我们的插件退役，但其维护的开销出乎意料地低。
+更好的是：该插件的实现与我们的业务逻辑是横向的。部署它，或取消它，就像改变 StatefulSet 定义中的 "schedulerName" 字段一样简单。
+
+---
+
+[Chris Seto](https://twitter.com/_ostriches) 是 Cockroach 实验室的一名软件工程师，负责 
+[CockroachCloud](https://cockroachlabs.cloud) CockroachDB 的 Kubernetes 自动化。
diff --git a/content/zh/blog/_posts/2020-10-01-contributing-to-the-development-guide/index.md b/content/zh-cn/blog/_posts/2020-10-01-contributing-to-the-development-guide/index.md
similarity index 100%
rename from content/zh/blog/_posts/2020-10-01-contributing-to-the-development-guide/index.md
rename to content/zh-cn/blog/_posts/2020-10-01-contributing-to-the-development-guide/index.md
diff --git a/content/zh/blog/_posts/2020-10-01-contributing-to-the-development-guide/jorge-castro-code-of-conduct.jpg b/content/zh-cn/blog/_posts/2020-10-01-contributing-to-the-development-guide/jorge-castro-code-of-conduct.jpg
similarity index 100%
rename from content/zh/blog/_posts/2020-10-01-contributing-to-the-development-guide/jorge-castro-code-of-conduct.jpg
rename to content/zh-cn/blog/_posts/2020-10-01-contributing-to-the-development-guide/jorge-castro-code-of-conduct.jpg
diff --git a/content/zh/blog/_posts/2020-12-02-dockershim-faq.md b/content/zh-cn/blog/_posts/2020-12-02-dockershim-faq.md
similarity index 88%
rename from content/zh/blog/_posts/2020-12-02-dockershim-faq.md
rename to content/zh-cn/blog/_posts/2020-12-02-dockershim-faq.md
index eb65cc636963f..f484d7abaac5d 100644
--- a/content/zh/blog/_posts/2020-12-02-dockershim-faq.md
+++ b/content/zh-cn/blog/_posts/2020-12-02-dockershim-faq.md
@@ -3,20 +3,18 @@ layout: blog
 title: "弃用 Dockershim 的常见问题"
 date: 2020-12-02
 slug: dockershim-faq
-aliases: [ '/zh/dockershim' ]
 ---
 <!-- 
 layout: blog
 title: "Dockershim Deprecation FAQ"
 date: 2020-12-02
 slug: dockershim-faq
-aliases: [ '/dockershim' ]
 -->
 
 <!--
 _**Update**: There is a [newer version](/blog/2022/02/17/dockershim-faq/) of this article available._
 -->
-_**更新**：本文有[较新版本](/zh/blog/2022/02/17/dockershim-faq/)。_
+_**更新**：本文有[较新版本](/zh-cn/blog/2022/02/17/dockershim-faq/)。_
 
 <!-- 
 This document goes over some frequently asked questions regarding the Dockershim
@@ -25,14 +23,13 @@ on the deprecation of Docker as a container runtime for Kubernetes kubelets, and
 what that means, check out the blog post
 [Don't Panic: Kubernetes and Docker](/blog/2020/12/02/dont-panic-kubernetes-and-docker/).
 
-Also, you can read [check whether Dockershim deprecation affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/) to check whether it does.
+Also, you can read [check whether Dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/) to check whether it does.
 -->
 本文回顾了自 Kubernetes v1.20 版宣布弃用 Dockershim 以来所引发的一些常见问题。
 关于 Kubernetes kubelets 从容器运行时的角度弃用 Docker 的细节以及这些细节背后的含义，请参考博文
 [别慌: Kubernetes 和 Docker](/blog/2020/12/02/dont-panic-kubernetes-and-docker/)。
 
-此外，你可以阅读 [检查 Dockershim 弃用是否影响你](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
-以检查它是否会影响你。
+此外，你可以阅读[检查 Dockershim 移除是否影响你](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)以检查它是否会影响你。
 
 <!-- 
 ### Why is dockershim being deprecated?
@@ -56,7 +53,7 @@ You can read more about the community discussion and planning in the
 -->
 Dockershim 向来都是一个临时解决方案（因此得名：shim）。
 你可以进一步阅读
-[移除 Kubernetes 增强方案 Dockershim][drkep]
+[移除 Dockershim 这一 Kubernetes 增强方案][drkep]
 以了解相关的社区讨论和计划。
 
 <!-- 
@@ -79,7 +76,7 @@ Yes, the only thing changing in 1.20 is a single warning log printed at [kubelet
 startup if using Docker as the runtime.
 -->
 当然可以，在 1.20 版本中仅有的改变就是：如果使用 Docker 运行时，启动 
-[kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/) 
+[kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) 
 的过程中将打印一条警告日志。
 
 <!-- 
@@ -90,7 +87,7 @@ startup if using Docker as the runtime.
 <!-- 
 Given the impact of this change, we are using an extended deprecation timeline.
 It will not be removed before Kubernetes 1.22, meaning the earliest release without
-dockershim would be 1.23 in late 2021.
+dockershim would be 1.23 in late 2021. 
 _Update_: removal of dockershim is scheduled for Kubernetes v1.24, see 
 [Dockershim Removal Kubernetes Enhancement Proposal][drkep].
 We will be working closely with vendors and other ecosystem groups to ensure a smooth transition and will evaluate 
@@ -99,9 +96,26 @@ things as the situation evolves.
 考虑到此改变带来的影响，我们使用了一个加长的废弃时间表。
 在 Kubernetes 1.22 版之前，它不会被彻底移除；换句话说，dockershim 被移除的最早版本会是 2021 年底发布的 1.23 版。
 _更新_：dockershim 计划在 Kubernetes 1.24 版被移除，
-请参阅[移除 Kubernetes 增强方案 Dockershim][drkep]。
+请参阅[移除 Dockershim 这一 Kubernetes 增强方案][drkep]。
 我们将与供应商以及其他生态团队紧密合作，确保顺利过渡，并将依据事态的发展评估后续事项。
 
+
+<!--
+### Can I still use dockershim after it is removed from Kubernetes?
+-->
+### 从 Kubernetes 中移除后我还能使用 dockershim 吗？ {#can-i-still-use-dockershim-after-it-is-removed-from-kubernetes}
+
+<!--
+Update:
+Mirantis and Docker have [committed][mirantis] to maintaining the dockershim after
+it is removed from Kubernetes.
+-->
+更新：Mirantis 和 Docker [已承诺][mirantis]在 dockershim 从 Kubernetes
+中删除后对其进行维护。
+
+[mirantis]: https://www.mirantis.com/blog/mirantis-to-take-over-support-of-kubernetes-dockershim-2/
+
+
 <!-- 
 ### Will my existing Docker images still work?
 -->
@@ -164,11 +178,11 @@ related projects follow a similar pattern as well, demonstrating the stability a
 usability of other container runtimes. As an example, OpenShift 4.x has been
 using the [CRI-O] runtime in production since June 2019.
 -->
-此外，[kind](https://kind.sigs.k8s.io/) 项目使用 containerd 已经有年头了，
+此外，[kind] 项目使用 containerd 已经有年头了，
 并且在这个场景中，稳定性还明显得到提升。
 Kind 和 containerd 每天都会做多次协调，以验证对 Kubernetes 代码库的所有更改。
 其他相关项目也遵循同样的模式，从而展示了其他容器运行时的稳定性和可用性。
-例如，OpenShift 4.x 从 2019 年 6 月以来，就一直在生产环境中使用 [CRI-O](https://cri-o.io/) 运行时。
+例如，OpenShift 4.x 从 2019 年 6 月以来，就一直在生产环境中使用 [CRI-O] 运行时。
 
 <!-- 
 For other examples and references you can look at the adopters of containerd and
@@ -182,6 +196,11 @@ CRI-O, two container runtimes under the Cloud Native Computing Foundation ([CNCF
 - [containerd](https://github.com/containerd/containerd/blob/master/ADOPTERS.md)
 - [CRI-O](https://github.com/cri-o/cri-o/blob/master/ADOPTERS.md)
 
+[CRI-O]: https://cri-o.io/
+[kind]: https://kind.sigs.k8s.io/
+[CNCF]: https://cncf.io
+
+
 <!-- 
 ### People keep referencing OCI, what is that?
 -->
@@ -267,14 +286,15 @@ runtime where possible.
 <!-- 
 Another thing to look out for is anything expecting to run for system maintenance
 or nested inside a container when building images will no longer work. For the
-former, you can use the [`crictl`][cr] tool as a drop-in replacement (see [mapping from docker cli to crictl](https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl)) and for the
+former, you can use the [`crictl`][cr] tool as a drop-in replacement (see [mapping from dockercli to crictl](/docs/reference/tools/map-crictl-dockercli/)) and for the
 latter you can use newer container build options like [img], [buildah],
 [kaniko], or [buildkit-cli-for-kubectl] that don’t require Docker.
 -->
 另外还有一个需要关注的点，那就是当创建镜像时，系统维护或嵌入容器方面的任务将无法工作。
 对于前者，可以用 [`crictl`](https://github.com/kubernetes-sigs/cri-tools) 工具作为临时替代方案
-(参见 [从 docker 命令映射到 crictl](https://kubernetes.io/zh/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl))；
+(参见[从 docker 命令映射到 crictl](/zh-cn/docs/reference/tools/map-crictl-dockercli/))；
 对于后者，可以用新的容器创建选项，比如
+[cr](https://github.com/kubernetes-sigs/cri-tools)、
 [img](https://github.com/genuinetools/img)、
 [buildah](https://github.com/containers/buildah)、
 [kaniko](https://github.com/GoogleContainerTools/kaniko)、或 
@@ -295,12 +315,12 @@ For instructions on how to use containerd and CRI-O with Kubernetes, see the
 Kubernetes documentation on [Container Runtimes]
 -->
 对于如何协同 Kubernetes 使用 containerd 和 CRI-O 的说明，参见 Kubernetes 文档中这部分：
-[容器运行时](/zh/docs/setup/production-environment/container-runtimes)。
+[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes)。
 
 <!-- 
 ### What if I have more questions?
 -->
-### 我还有问题怎么办？{#what-if-I-have-more-question}
+### 我还有问题怎么办？{#what-if-I-have-more-questions}
 
 <!-- 
 If you use a vendor-supported Kubernetes distribution, you can ask them about
@@ -308,7 +328,7 @@ upgrade plans for their products. For end-user questions, please post them
 to our end user community forum: https://discuss.kubernetes.io/. 
 -->
 如果你使用了一个有供应商支持的 Kubernetes 发行版，你可以咨询供应商他们产品的升级计划。
-对于最终用户的问题，请把问题发到我们的最终用户社区的论坛：https://discuss.kubernetes.io/。
+对于最终用户的问题，请把问题发到我们的最终用户社区的[论坛](https://discuss.kubernetes.io/)。
 
 <!-- 
 You can also check out the excellent blog post
diff --git a/content/zh/blog/_posts/2020-12-02-dont-panic-kubernetes-and-docker.md b/content/zh-cn/blog/_posts/2020-12-02-dont-panic-kubernetes-and-docker.md
similarity index 90%
rename from content/zh/blog/_posts/2020-12-02-dont-panic-kubernetes-and-docker.md
rename to content/zh-cn/blog/_posts/2020-12-02-dont-panic-kubernetes-and-docker.md
index 65e5075cfead8..b49ce9916724a 100644
--- a/content/zh/blog/_posts/2020-12-02-dont-panic-kubernetes-and-docker.md
+++ b/content/zh-cn/blog/_posts/2020-12-02-dont-panic-kubernetes-and-docker.md
@@ -3,24 +3,26 @@ layout: blog
 title: "别慌: Kubernetes 和 Docker"
 date: 2020-12-02
 slug: dont-panic-kubernetes-and-docker
+evergreen: true
 ---
 <!-- 
 layout: blog
 title: "Don't Panic: Kubernetes and Docker"
 date: 2020-12-02
 slug: dont-panic-kubernetes-and-docker
+evergreen: true
 -->
 
 **作者：** Jorge Castro, Duffie Cooley, Kat Cosgrove, Justin Garrison, Noah Kantrowitz, Bob Killen, Rey Lejano, Dan “POP” Papandrea, Jeffrey Sica, Davanum “Dims” Srinivas
 
 <!--
-_Update: Kubernetes support for Docker via `dockershim` is now deprecated.
-For more information, read the [deprecation notice](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation).
+**Update:** _Kubernetes support for Docker via `dockershim` is now removed.
+For more information, read the [removal FAQ](/dockershim).
 You can also discuss the deprecation via a dedicated [GitHub issue](https://github.com/kubernetes/kubernetes/issues/106917)._
 -->
-_更新：Kubernetes 通过 `dockershim` 对 Docker 的支持现已弃用。
-有关更多信息，请阅读[弃用通知](/zh/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)。
-你还可以通过专门的 [GitHub issue](https://github.com/kubernetes/kubernetes/issues/106917) 讨论弃用。_
+**更新**：Kubernetes 通过 `dockershim` 对 Docker 的支持现已移除。
+有关更多信息，请阅读[移除 FAQ](/zh-cn/dockershim)。
+你还可以通过专门的 [GitHub issue](https://github.com/kubernetes/kubernetes/issues/106917) 讨论弃用。
 
 <!-- 
 Kubernetes is [deprecating
@@ -58,16 +60,15 @@ build` can still run in your Kubernetes cluster.
 Docker 仍然是构建容器的利器，使用命令 `docker build` 构建的镜像在 Kubernetes 集群中仍然可以运行。
 
 <!-- 
-If you’re using a managed Kubernetes service like GKE, EKS, or AKS (which [defaults to containerd](https://github.com/Azure/AKS/releases/tag/2020-11-16)) you will need to
+If you’re using a managed Kubernetes service like AKS, EkS or GKE, you will need to
 make sure your worker nodes are using a supported container runtime before
 Docker support is removed in a future version of Kubernetes. If you have node
 customizations you may need to update them based on your environment and runtime
 requirements. Please work with your service provider to ensure proper upgrade
 testing and planning. 
 -->
-如果你正在使用 GKE、EKS、或 AKS 
-([默认使用 containerd](https://github.com/Azure/AKS/releases/tag/2020-11-16))  
-这类托管 Kubernetes 服务，你需要在 Kubernetes 后续版本移除对 Docker 支持之前，
+如果你正在使用 GKE、EKS、或 AKS 这类托管 Kubernetes 服务，
+你需要在 Kubernetes 后续版本移除对 Docker 支持之前，
 确认工作节点使用了被支持的容器运行时。
 如果你的节点被定制过，你可能需要根据你自己的环境和运行时需求更新它们。
 请与你的服务供应商协作，确保做出适当的升级测试和计划。
@@ -75,15 +76,15 @@ testing and planning.
 <!-- 
 If you’re rolling your own clusters, you will also need to make changes to avoid
 your clusters breaking. At v1.20, you will get a deprecation warning for Docker.
-When Docker runtime support is removed in a future release (currently planned
-for the 1.22 release in late 2021) of Kubernetes it will no longer be supported
+When Docker runtime support is removed in a future release (<del>currently planned
+for the 1.22 release in late 2021</del>) of Kubernetes it will no longer be supported
 and you will need to switch to one of the other compliant container runtimes,
 like containerd or CRI-O. Just make sure that the runtime you choose supports
 the docker daemon configurations you currently use (e.g. logging).
 -->
 如果你正在运营你自己的集群，那还应该做些工作，以避免集群中断。
 在 v1.20 版中，你仅会得到一个 Docker 的弃用警告。
-当对 Docker 运行时的支持在 Kubernetes 某个后续发行版（目前的计划是 2021 年晚些时候的 1.22 版）中被移除时，
+当对 Docker 运行时的支持在 Kubernetes 某个后续发行版（<del>目前的计划是 2021 年晚些时候的 1.22 版</del>）中被移除时，
 你需要切换到 containerd 或 CRI-O 等兼容的容器运行时。
 只要确保你选择的运行时支持你当前使用的 Docker 守护进程配置（例如 logging）。
 
@@ -216,4 +217,4 @@ Kubernetes 有很多变化中的功能，没有人是100%的专家。
 Looking for more answers? Check out our accompanying [Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/) _(updated February 2022)_.
 -->
 还在寻求更多答案吗？请参考我们附带的
-[移除 Dockershim 的常见问题](/zh/blog/2020/12/02/dockershim-faq/) _(2022年2月更新)_。
+[移除 Dockershim 的常见问题](/zh-cn/blog/2020/12/02/dockershim-faq/) _(2022年2月更新)_。
diff --git a/content/zh/blog/_posts/2020-12-08-kubernetes-release-1.20.md b/content/zh-cn/blog/_posts/2020-12-08-kubernetes-release-1.20.md
similarity index 99%
rename from content/zh/blog/_posts/2020-12-08-kubernetes-release-1.20.md
rename to content/zh-cn/blog/_posts/2020-12-08-kubernetes-release-1.20.md
index c88a1cf745638..ccc01f3b33389 100644
--- a/content/zh/blog/_posts/2020-12-08-kubernetes-release-1.20.md
+++ b/content/zh-cn/blog/_posts/2020-12-08-kubernetes-release-1.20.md
@@ -56,7 +56,7 @@ evergreen: true
 请注意，作为新的内置命令，`kubectl debug` 优先于任何名为 “debug” 的 kubectl 插件。你必须重命名受影响的插件。
 
 <!-- Invocations using `kubectl alpha debug` are now deprecated and will be removed in a subsequent release. Update your scripts to use `kubectl debug`. For more information about `kubectl debug`, see [Debugging Running Pods](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/). -->
-`kubectl alpha debug` 现在不推荐使用，并将在后续版本中删除。更新你的脚本以使用 `kubectl debug`。 有关更多信息 `kubectl debug`，请参阅[调试正在运行的 Pod]((https://kubernetes.io/zh/docs/tasks/debug/debug-application/debug-running-pod/)。
+`kubectl alpha debug` 现在不推荐使用，并将在后续版本中删除。更新你的脚本以使用 `kubectl debug`。 有关更多信息 `kubectl debug`，请参阅[调试正在运行的 Pod]((https://kubernetes.io/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/)。
 
 <!-- ### Beta: API Priority and Fairness -->
 ### 测试版：API 优先级和公平性 {#beta-api-priority-and-fairness)
@@ -110,7 +110,7 @@ Kubernetes 社区写了一篇关于弃用的详细[博客文章](https://blog.k8
 新引入的 `ExecProbeTimeout` 特性门控所提供的修复使集群操作员能够恢复到以前的行为，但这种行为将在后续版本中锁定并删除。为了恢复到以前的行为，集群运营商应该将此特性门控设置为 `false`。
 
 <!-- Please review the updated documentation regarding [configuring probes](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) for more details. -->
-有关更多详细信息，请查看有关配置探针的[更新文档](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes)。
+有关更多详细信息，请查看有关配置探针的[更新文档](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes)。
 
 <!-- ## Other Updates -->
 ## 其他更新 {#other-updates}
diff --git a/content/zh/blog/_posts/2020-12-10-Pod-Impersonation-and-Short-lived-Volumes-in-CSI-Drivers.md b/content/zh-cn/blog/_posts/2020-12-10-Pod-Impersonation-and-Short-lived-Volumes-in-CSI-Drivers.md
similarity index 100%
rename from content/zh/blog/_posts/2020-12-10-Pod-Impersonation-and-Short-lived-Volumes-in-CSI-Drivers.md
rename to content/zh-cn/blog/_posts/2020-12-10-Pod-Impersonation-and-Short-lived-Volumes-in-CSI-Drivers.md
diff --git a/content/zh/blog/_posts/2021-09-27-SIG-Node-Spotlight/index.md b/content/zh-cn/blog/_posts/2021-09-27-SIG-Node-Spotlight/index.md
similarity index 98%
rename from content/zh/blog/_posts/2021-09-27-SIG-Node-Spotlight/index.md
rename to content/zh-cn/blog/_posts/2021-09-27-SIG-Node-Spotlight/index.md
index c5da376b8db88..1909f2cd33928 100644
--- a/content/zh/blog/_posts/2021-09-27-SIG-Node-Spotlight/index.md
+++ b/content/zh-cn/blog/_posts/2021-09-27-SIG-Node-Spotlight/index.md
@@ -168,7 +168,8 @@ SK/EH: It takes time and effort to get to any open source community. SIG Node ma
 ### 最后你有什么想法/资源要分享吗？
 
 SK/EH：进入任何开源社区都需要时间和努力。一开始 SIG Node 可能会因为参与者的数量、工作量和项目范围而让你不知所措。但这是完全值得的。
-请加入我们这个热情的社区! [SIG Node GitHub Repo]（https://github.com/kubernetes/community/tree/master/sig-node）包含许多有用的资源，包括 Slack、邮件列表和其他联系信息。
+请加入我们这个热情的社区! [SIG Node GitHub Repo](https://github.com/kubernetes/community/tree/master/sig-node)
+包含许多有用的资源，包括 Slack、邮件列表和其他联系信息。
 <!--
 ## Wrap Up
 
diff --git a/content/zh/blog/_posts/2021-11-08-steering-committee-results-2021.md b/content/zh-cn/blog/_posts/2021-11-08-steering-committee-results-2021.md
similarity index 100%
rename from content/zh/blog/_posts/2021-11-08-steering-committee-results-2021.md
rename to content/zh-cn/blog/_posts/2021-11-08-steering-committee-results-2021.md
diff --git a/content/zh/blog/_posts/2021-12-08-dual-stack-networking-ga.md b/content/zh-cn/blog/_posts/2021-12-08-dual-stack-networking-ga.md
similarity index 95%
rename from content/zh/blog/_posts/2021-12-08-dual-stack-networking-ga.md
rename to content/zh-cn/blog/_posts/2021-12-08-dual-stack-networking-ga.md
index fa8cd74cc02af..c3bab78e89dc8 100644
--- a/content/zh/blog/_posts/2021-12-08-dual-stack-networking-ga.md
+++ b/content/zh-cn/blog/_posts/2021-12-08-dual-stack-networking-ga.md
@@ -36,7 +36,7 @@ What does dual-stack networking mean for you? Let’s take a look…
 <!--
 [Services](/docs/concepts/services-networking/service/) were single-stack before 1.20, so using both IP families meant creating one Service per IP family. The user experience was simplified in 1.20, when Services were re-implemented to allow both IP families, meaning a single Service can handle both IPv4 and IPv6 workloads. Dual-stack load balancing is possible between services running any combination of IPv4 and IPv6.
 -->
-[Services](/zh/docs/concepts/services-networking/service/) 在 1.20 版本之前是单协议栈的，
+[Services](/zh-cn/docs/concepts/services-networking/service/) 在 1.20 版本之前是单协议栈的，
 因此，使用两个 IP 协议族意味着需为每个 IP 协议族创建一个 Service。在 1.20 版本中对用户体验进行简化，
 重新实现了 Service 以支持两个 IP 协议族，这意味着一个 Service 就可以处理 IPv4 和 IPv6 协议。
 对于 Service 而言，任意的 IPv4 和 IPv6 协议组合都可以实现负载均衡。
@@ -88,7 +88,7 @@ While Services are set according to what you configure, Pods default to whatever
 Even though dual-stack is possible, it is not mandatory to use it. Examples in the documentation show the variety possible in [dual-stack service configurations](/docs/concepts/services-networking/dual-stack/#dual-stack-service-configuration-scenarios).
 -->
 尽管双协议栈是可用的，但并不强制你使用它。
-在[双协议栈服务配置](/zh/docs/concepts/services-networking/dual-stack/#dual-stack-service-configuration-scenarios)
+在[双协议栈服务配置](/zh-cn/docs/concepts/services-networking/dual-stack/#dual-stack-service-configuration-scenarios)
 文档中的示例列出了可能出现的各种场景.
 
 <!--
@@ -99,16 +99,16 @@ Even though dual-stack is possible, it is not mandatory to use it. Examples in t
 <!--
 While upstream Kubernetes now supports [dual-stack networking](/docs/concepts/services-networking/dual-stack/) as a GA or stable feature, each provider’s support of dual-stack Kubernetes may vary. Nodes need to be provisioned with routable IPv4/IPv6 network interfaces. Pods need to be dual-stack. The [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) is what assigns the IP addresses to the Pods, so it's the network plugin being used for the cluster that needs to support dual-stack. Some Container Network Interface (CNI) plugins support dual-stack, as does kubenet.
 -->
-虽然现在上游 Kubernetes 支持[双协议栈网络](/zh/docs/concepts/services-networking/dual-stack/)
+虽然现在上游 Kubernetes 支持[双协议栈网络](/zh-cn/docs/concepts/services-networking/dual-stack/)
 作为 GA 或稳定特性，但每个提供商对双协议栈 Kubernetes 的支持可能会有所不同。节点需要提供可路由的 IPv4/IPv6 网络接口。
-Pod 需要是双协议栈的。[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
+Pod 需要是双协议栈的。[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
 是用来为 Pod 分配 IP 地址的，所以集群需要支持双协议栈的网络插件。一些容器网络接口（CNI）插件支持双协议栈，例如 kubenet。
 
 <!--
 Ecosystem support of dual-stack is increasing; you can create [dual-stack clusters with kubeadm](/docs/setup/production-environment/tools/kubeadm/dual-stack-support/), try a [dual-stack cluster locally with KIND](https://kind.sigs.k8s.io/docs/user/configuration/#ip-family), and deploy dual-stack clusters in cloud providers (after checking docs for CNI or kubenet availability).
 -->
 支持双协议栈的生态系统在不断壮大；你可以使用
-[kubeadm 创建双协议栈集群](/zh/docs/setup/production-environment/tools/kubeadm/dual-stack-support/),
+[kubeadm 创建双协议栈集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support/),
 在本地尝试用 [KIND 创建双协议栈集群](https://kind.sigs.k8s.io/docs/user/configuration/#ip-family)，
 还可以将双协议栈集群部署到云上（在查阅 CNI 或 kubenet 可用性的文档之后）
 
diff --git a/content/zh/blog/_posts/2021-12-10-csi-migration-status.md b/content/zh-cn/blog/_posts/2021-12-10-csi-migration-status.md
similarity index 100%
rename from content/zh/blog/_posts/2021-12-10-csi-migration-status.md
rename to content/zh-cn/blog/_posts/2021-12-10-csi-migration-status.md
diff --git a/content/zh/blog/_posts/2021-12-16-StatefulSet-PVC-Auto-Deletion.md b/content/zh-cn/blog/_posts/2021-12-16-StatefulSet-PVC-Auto-Deletion.md
similarity index 96%
rename from content/zh/blog/_posts/2021-12-16-StatefulSet-PVC-Auto-Deletion.md
rename to content/zh-cn/blog/_posts/2021-12-16-StatefulSet-PVC-Auto-Deletion.md
index 6722e9bd4ebf5..2f19fcae560f6 100644
--- a/content/zh/blog/_posts/2021-12-16-StatefulSet-PVC-Auto-Deletion.md
+++ b/content/zh-cn/blog/_posts/2021-12-16-StatefulSet-PVC-Auto-Deletion.md
@@ -23,9 +23,9 @@ Kubernetes v1.23 introduced a new, alpha-level policy for
 StatefulSet spec template for cases when they should be deleted automatically when the StatefulSet
 is deleted or pods in the StatefulSet are scaled down.
 -->
-Kubernetes v1.23 为 [StatefulSets](/zh/docs/concepts/workloads/controllers/statefulset/)
+Kubernetes v1.23 为 [StatefulSets](/zh-cn/docs/concepts/workloads/controllers/statefulset/)
 引入了一个新的 alpha 级策略，用来控制由 StatefulSet 规约模板生成的
-[PersistentVolumeClaims](/zh/docs/concepts/storage/persistent-volumes/) (PVCs) 的生命周期，
+[PersistentVolumeClaims](/zh-cn/docs/concepts/storage/persistent-volumes/) (PVCs) 的生命周期，
 用于当删除 StatefulSet 或减少 StatefulSet 中的 Pods 数量时 PVCs 应该被自动删除的场景。
 
 <!--
@@ -91,7 +91,7 @@ retention policies for the underlying PV are respected.
 第一种情况是 StatefulSet 资源被删除时（这意味着所有副本也被删除），这由 `whenDeleted` 策略控制的。
 第二种情况是 StatefulSet 缩小时，即删除 StatefulSet 部分副本，这由 `whenScaled` 策略控制。
 在这两种情况下，策略即可以是 `Retain` 不涉及相应 PVCs 的改变，也可以是 `Delete` 即删除对应的 PVCs。
-删除是通过普通的[对象删除](/zh/docs/concepts/architecture/garbage-collection/)完成的，
+删除是通过普通的[对象删除](/zh-cn/docs/concepts/architecture/garbage-collection/)完成的，
 因此，的所有保留策略都会被遵照执行。
 
 <!--
@@ -168,7 +168,7 @@ This policy forms a matrix with four cases. I’ll walk through and give an exam
 [documentation](/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-policies) to
 see all the details.
 -->
-查阅[文档](/zh/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-policies)
+查阅[文档](/zh-cn/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-policies)
 获取更多详细信息。
 
 <!--
diff --git a/content/zh/blog/_posts/2022-01-07-kubernetes-is-moving-on-from-dockershim.md b/content/zh-cn/blog/_posts/2022-01-07-kubernetes-is-moving-on-from-dockershim.md
similarity index 94%
rename from content/zh/blog/_posts/2022-01-07-kubernetes-is-moving-on-from-dockershim.md
rename to content/zh-cn/blog/_posts/2022-01-07-kubernetes-is-moving-on-from-dockershim.md
index 557c71cd4dab7..8d6a62c89c19a 100644
--- a/content/zh/blog/_posts/2022-01-07-kubernetes-is-moving-on-from-dockershim.md
+++ b/content/zh-cn/blog/_posts/2022-01-07-kubernetes-is-moving-on-from-dockershim.md
@@ -26,9 +26,9 @@ affected, refer to [Check whether dockershim removal affects you](/docs/tasks/ad
 -->
 Kubernetes 将在即将发布的 1.24 版本中移除 dockershim。我们很高兴能够通过支持开源容器运行时、支持更小的
 kubelet 以及为使用 Kubernetes 的团队提高工程速度来重申我们的社区价值。
-如果你[使用 Docker Engine 作为 Kubernetes 集群的容器运行时](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)，
+如果你[使用 Docker Engine 作为 Kubernetes 集群的容器运行时](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)，
 请准备好在 1.24 中迁移！要检查你是否受到影响，
-请参考[检查移除 Dockershim 对你的影响](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/)。
+请参考[检查移除 Dockershim 对你的影响](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/)。
 
 <!--
 ## Why we’re moving away from dockershim
@@ -79,10 +79,10 @@ after their announced deprecation.
 -->
 ## 弃用时间线  {#deprecation-timeline}
 
-我们[正式宣布](/zh/blog/2020/12/08/kubernetes-1-20-release-announcement/)于
+我们[正式宣布](/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/)于
 2020 年 12 月弃用 dockershim。目标是在 2022 年 4 月，
 Kubernetes 1.24 中完全移除 dockershim。
-此时间线与我们的[弃用策略](/zh/docs/reference/using api/deprecation-policy/#deprecating-a-feature-or-behavior)一致，
+此时间线与我们的[弃用策略](/zh-cn/docs/reference/using-api/deprecation-policy/#deprecating-a-feature-or-behavior)一致，
 即规定已弃用的行为必须在其宣布弃用后至少运行 1 年。
 
 <!--
@@ -96,7 +96,7 @@ to the [Dockershim Deprecation FAQ](/dockershim).
 包括 dockershim 的 Kubernetes 1.23 版本，在 Kubernetes 项目中将再支持一年。
 对于托管 Kubernetes 的供应商，供应商支持可能会持续更长时间，但这取决于公司本身。
 无论如何，我们相信所有集群操作都有时间进行迁移。如果你有更多关于 dockershim 移除的问题，
-请参考[弃用 Dockershim 的常见问题](/zh/blog/2020/12/02/dockershim-faq/)。
+请参考[弃用 Dockershim 的常见问题](/zh-cn/blog/2020/12/02/dockershim-faq/)。
 
 <!--
 We asked you whether you feel prepared for the migration from dockershim in this
@@ -194,6 +194,6 @@ dockershim removal makes up for the migration effort you'll have. Start planning
 now to avoid surprises. We'll have more updates and guides before Kubernetes
 1.24 is released.
 -->
-在这一点上，我们相信你（和 Kubernetes）从移除 dockershim 中获得的价值可以弥补你将要进行的迁移工作。 
+在这一点上，我们相信你（和 Kubernetes）从移除 dockershim 中获得的价值可以弥补你将要进行的迁移工作。
 现在就开始计划以避免出现意外。在 Kubernetes 1.24 发布之前，我们将提供更多更新信息和指南。
 
diff --git a/content/zh/blog/_posts/2022-01-10-meet-our-contributors-APAC-India-region-01.md b/content/zh-cn/blog/_posts/2022-01-10-meet-our-contributors-APAC-India-region-01.md
similarity index 100%
rename from content/zh/blog/_posts/2022-01-10-meet-our-contributors-APAC-India-region-01.md
rename to content/zh-cn/blog/_posts/2022-01-10-meet-our-contributors-APAC-India-region-01.md
diff --git a/content/zh/blog/_posts/2022-01-19-Securing-Admission-Controllers.md b/content/zh-cn/blog/_posts/2022-01-19-Securing-Admission-Controllers.md
similarity index 97%
rename from content/zh/blog/_posts/2022-01-19-Securing-Admission-Controllers.md
rename to content/zh-cn/blog/_posts/2022-01-19-Securing-Admission-Controllers.md
index 99dad347e56a2..caf4c05423d43 100644
--- a/content/zh/blog/_posts/2022-01-19-Securing-Admission-Controllers.md
+++ b/content/zh-cn/blog/_posts/2022-01-19-Securing-Admission-Controllers.md
@@ -23,7 +23,7 @@ slug: secure-your-admission-controllers-and-webhooks
 [Admission control](/docs/reference/access-authn-authz/admission-controllers/) is a key part of Kubernetes security, alongside authentication and authorization. 
 Webhook admission controllers are extensively used to help improve the security of Kubernetes clusters in a variety of ways including restricting the privileges of workloads and ensuring that images deployed to the cluster meet organization’s security requirements.
 -->
-[准入控制](/zh/docs/reference/access-authn-authz/admission-controllers/)和认证、授权都是 Kubernetes 安全性的关键部分。
+[准入控制](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)和认证、授权都是 Kubernetes 安全性的关键部分。
 Webhook 准入控制器被广泛用于以多种方式帮助提高 Kubernetes 集群的安全性，
 包括限制工作负载权限和确保部署到集群的镜像满足组织安全要求。
 
@@ -109,7 +109,7 @@ In most cases, the admission controller webhook used by a cluster will be instal
 <!--
 * **Restrict [RBAC](/docs/reference/access-authn-authz/rbac/) rights**. Any user who has rights which would allow them to modify the configuration of the webhook objects or the workload that the admission controller uses could disrupt its operation. So it’s important to make sure that only cluster administrators have those rights.
 -->
-* **限制 [RBAC](/zh/docs/reference/access-authn-authz/rbac/) 权限**。
+* **限制 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/) 权限**。
   任何有权修改 webhook 对象的配置或准入控制器使用的工作负载的用户都可以破坏其运行。
   因此，确保只有集群管理员拥有这些权限非常重要。
 <!--
@@ -126,7 +126,7 @@ In most cases, the admission controller webhook used by a cluster will be instal
 * **严格控制外部系统访问**。
   作为集群中的安全服务，准入控制器系统将有权访问敏感信息，如凭证。
   为了降低此信息被发送到集群外的风险，
-  应使用[网络策略](/zh/docs/concepts/services-networking/network-policies/) 
+  应使用[网络策略](/zh-cn/docs/concepts/services-networking/network-policies/) 
   来限制准入控制器服务对外部网络的访问。
 <!--
 * **Each cluster has a dedicated webhook**. Whilst it may be possible to have admission controller webhooks that serve multiple clusters, there is a risk when using that model that an attack on the webhook service would have a larger impact where it’s shared. Also where multiple clusters use an admission controller there will be increased complexity and access requirements, making it harder to secure.
diff --git a/content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/index.md b/content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/index.md
similarity index 99%
rename from content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/index.md
rename to content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/index.md
index 15ac8db1bb8cf..d08b985c80440 100644
--- a/content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/index.md
+++ b/content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/index.md
@@ -12,7 +12,7 @@ title: 'SIG Node CI Subproject Celebrates Two Years of Test Improvements'
 date: 2022-02-16
 slug: sig-node-ci-subproject-celebrates
 canonicalUrl: https://www.kubernetes.dev/blog/2022/02/16/sig-node-ci-subproject-celebrates-two-years-of-test-improvements/
-url: /zh/blog/2022/02/sig-node-ci-subproject-celebrates
+url: /zh-cn/blog/2022/02/sig-node-ci-subproject-celebrates
 ---
 -->
 
diff --git a/content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/release-mostly-green.png b/content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/release-mostly-green.png
similarity index 100%
rename from content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/release-mostly-green.png
rename to content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/release-mostly-green.png
diff --git a/content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/serial-tests-green.png b/content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/serial-tests-green.png
similarity index 100%
rename from content/zh/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/serial-tests-green.png
rename to content/zh-cn/blog/_posts/2022-02-16-sig-node-ci-subproject-celebrates/serial-tests-green.png
diff --git a/content/zh/blog/_posts/2022-02-17-updated-dockershim-faq.md b/content/zh-cn/blog/_posts/2022-02-17-updated-dockershim-faq.md
similarity index 65%
rename from content/zh/blog/_posts/2022-02-17-updated-dockershim-faq.md
rename to content/zh-cn/blog/_posts/2022-02-17-updated-dockershim-faq.md
index 61f3860602843..85d1ce25bf8dd 100644
--- a/content/zh/blog/_posts/2022-02-17-updated-dockershim-faq.md
+++ b/content/zh-cn/blog/_posts/2022-02-17-updated-dockershim-faq.md
@@ -1,9 +1,10 @@
 ---
 layout: blog
-title: "更新：弃用 Dockershim 的常见问题"
-linkTitle: "弃用 Dockershim 的常见问题"
+title: "更新：移除 Dockershim 的常见问题"
+linkTitle: "移除 Dockershim 的常见问题"
 date: 2022-02-17
 slug: dockershim-faq
+aliases: [ 'zh/dockershim' ]
 ---
 <!-- 
 layout: blog
@@ -15,55 +16,69 @@ aliases: [ '/dockershim' ]
 -->
 
 <!--
-**This is an update to the original [Dockershim Deprecation FAQ](/blog/2020/12/02/dockershim-faq/) article,
-published in late 2020.**
+**This supersedes the original
+[Dockershim Deprecation FAQ](/blog/2020/12/02/dockershim-faq/) article,
+published in late 2020. The article includes updates from the v1.24
+release of Kubernetes.**
 -->
-**本文是针对2020年末发布的[弃用 Dockershim 的常见问题](/zh/blog/2020/12/02/dockershim-faq/)的博客更新。**
+**本文是针对 2020 年末发布的[弃用 Dockershim 的常见问题](/zh-cn/blog/2020/12/02/dockershim-faq/)的博客更新。
+本文包括 Kubernetes v1.24 版本的更新。**
+
+---
 
 <!--
 This document goes over some frequently asked questions regarding the
-deprecation and removal of _dockershim_, that was
+removal of _dockershim_ from Kubernetes. The removal was originally
 [announced](/blog/2020/12/08/kubernetes-1-20-release-announcement/)
-as a part of the Kubernetes v1.20 release. For more detail
-on what that means, check out the blog post
+as a part of the Kubernetes v1.20 release. The Kubernetes
+[v1.24 release](/releases/#release-v1-24) actually removed the dockershim
+from Kubernetes.
+-->
+本文介绍了一些关于从 Kubernetes 中移除 _dockershim_ 的常见问题。
+该移除最初是作为 Kubernetes v1.20
+版本的一部分[宣布](/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/)的。
+Kubernetes 在 [v1.24 版](/releases/#release-v1-24)移除了 dockershim。
+
+<!--
+For more on what that means, check out the blog post
 [Don't Panic: Kubernetes and Docker](/blog/2020/12/02/dont-panic-kubernetes-and-docker/).
 -->
-本文回顾了自 Kubernetes v1.20 版本[宣布](/zh/blog/2020/12/08/kubernetes-1-20-release-announcement/)弃用
-Dockershim 以来所引发的一些常见问题。关于弃用细节以及这些细节背后的含义，请参考博文
-[别慌: Kubernetes 和 Docker](/zh/blog/2020/12/02/dont-panic-kubernetes-and-docker/)。
+关于细节请参考博文
+[别慌: Kubernetes 和 Docker](/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/)。
 
 <!--
-Also, you can read [check whether dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
-to determine how much impact the removal of dockershim would have for you
-or for your organization.
+To determine the impact that the removal of dockershim would have for you or your organization,
+you can read [Check whether dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/).
 -->
-你还可以查阅：[检查弃用 Dockershim 对你的影响](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)这篇文章，
-以确定弃用 dockershim 会对你或你的组织带来多大的影响。
+要确定移除 dockershim 是否会对你或你的组织的影响，可以查阅：
+[检查弃用 Dockershim 对你的影响](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
+这篇文章。
 
 <!--
-As the Kubernetes 1.24 release has become imminent, we've been working hard to try to make this a smooth transition.
+In the months and days leading up to the Kubernetes 1.24 release, Kubernetes contributors worked hard to try to make this a smooth transition.
 -->
-随着 Kubernetes 1.24 版本的发布迫在眉睫，我们一直在努力尝试使其能够平稳升级顺利过渡。
+在 Kubernetes 1.24 发布之前的几个月和几天里，Kubernetes
+贡献者努力试图让这个过渡顺利进行。
 
 <!--
-- We've written a blog post detailing our [commitment and next steps](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/).
-- We believe there are no major blockers to migration to [other container runtimes](/docs/setup/production-environment/container-runtimes/#container-runtimes).
-- There is also a [Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/) guide available.
-- We've also created a page to list
+- A blog post detailing our [commitment and next steps](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/).
+- Checking if there were major blockers to migration to [other container runtimes](/docs/setup/production-environment/container-runtimes/#container-runtimes).
+- Adding a [migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/) guide.
+- Creating a list of
   [articles on dockershim removal and on using CRI-compatible runtimes](/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes/).
   That list includes some of the already mentioned docs, and also covers selected external sources
   (including vendor guides).
 -->
-- 我们已经写了一篇博文，详细说明了我们的[承诺和后续操作](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/)。
-- 我们我们相信可以无障碍的迁移到其他[容器运行时](/zh/docs/setup/production-environment/container-runtimes/#container-runtimes)。
-- 我们撰写了 [dockershim 迁移指南](/docs/tasks/administer-cluster/migrating-from-dockershim/)供你参考。
-- 我们还创建了一个页面来列出[有关 dockershim 移除和使用 CRI 兼容运行时的文章](/zh/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes/)。
+- 一篇详细说明[承诺和后续操作](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/)的博文。
+- 检查是否存在迁移到其他 [容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/#container-runtimes) 的主要障碍。
+- 添加 [从 dockershim 迁移](/docs/tasks/administer-cluster/migrating-from-dockershim/)的指南。
+- 创建了一个[有关 dockershim 移除和使用 CRI 兼容运行时的列表](/zh-cn/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes/)。
   该列表包括一些已经提到的文档，还涵盖了选定的外部资源（包括供应商指南）。
 
 <!--
-### Why is the dockershim being removed from Kubernetes?
+### Why was the dockershim removed from Kubernetes?
 -->
-### 为什么会从 Kubernetes 中移除 dockershim ？
+### 为什么会从 Kubernetes 中移除 dockershim ？ {#why-was-the-dockershim-removed-from-kubernetes}
 
 <!--
 Early versions of Kubernetes only worked with a specific container runtime:
@@ -95,46 +110,101 @@ dockershim 代码一直是一个临时解决方案（因此得名：shim）。
 <!--
 Additionally, features that were largely incompatible with the dockershim, such
 as cgroups v2 and user namespaces are being implemented in these newer CRI
-runtimes. Removing support for the dockershim will allow further development in
-those areas.
+runtimes. Removing the dockershim from Kubernetes allows further development in those areas.
 -->
 此外，在较新的 CRI 运行时中实现了与 dockershim 不兼容的功能，例如 cgroups v2 和用户命名空间。
-取消对 dockershim 的支持将加速这些领域的发展。
+从 Kubernetes 中移除 dockershim 允许在这些领域进行进一步的开发。
+
+<!--
+### Are Docker and containers the same thing?
+-->
+### Docker 和容器一样吗？ {#are-docker-and-containers-the-same-thing}
+
+<!--
+Docker popularized the Linux containers pattern and has been instrumental in
+developing the underlying technology, however containers in Linux have existed
+for a long time. The container ecosystem has grown to be much broader than just
+Docker. Standards like OCI and CRI have helped many tools grow and thrive in our
+ecosystem, some replacing aspects of Docker while others enhance existing
+functionality.
+-->
+Docker 普及了 Linux 容器模式，并在开发底层技术方面发挥了重要作用，但是 Linux
+中的容器已经存在了很长时间，容器生态系统已经发展到比 Docker 广泛得多。
+OCI 和 CRI 等标准帮助许多工具在我们的生态系统中发展壮大，其中一些替代了 Docker
+的某些方面，而另一些则增强了现有功能。
+
+<!--
+### Will my existing container images still work?
+-->
+### 我现有的容器镜像是否仍然有效？ {#will-my-existing-container-images-still-work}
+
+<!--
+Yes, the images produced from `docker build` will work with all CRI implementations.
+All your existing images will still work exactly the same.
+-->
+是的，从 `docker build` 生成的镜像将适用于所有 CRI 实现，
+现有的所有镜像仍将完全相同。
+
+<!--
+#### What about private images?
+-->
+#### 私有镜像呢？ {#what-about-private-images}
+
+<!--
+Yes. All CRI runtimes support the same pull secrets configuration used in
+Kubernetes, either via the PodSpec or ServiceAccount.
+-->
+当然可以，所有 CRI 运行时都支持在 Kubernetes 中使用的相同的 pull secrets
+配置，无论是通过 PodSpec 还是 ServiceAccount。
 
 <!--
 ### Can I still use Docker Engine in Kubernetes 1.23?
 -->
-### 在 Kubernetes 1.23 版本中还可以使用 Docker Engine 吗？
+### 在 Kubernetes 1.23 版本中还可以使用 Docker Engine 吗？ {#can-i-still-use-docker-engine-in-kubernetes-1-23}
 
 <!--
 Yes, the only thing changed in 1.20 is a single warning log printed at [kubelet]
-startup if using Docker Engine as the runtime. You'll see this warning in all versions up to 1.23. The dockershim removal occurs in Kubernetes 1.24.
+startup if using Docker Engine as the runtime. You'll see this warning in all versions up to 1.23. The dockershim removal occurred
+in Kubernetes 1.24.
 -->
 可以使用，在 1.20 版本中唯一的改动是，如果使用 Docker Engine，
-在 [kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/)
+在 [kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)
 启动时会打印一个警告日志。
-你将在 1.23 版本及以前版本看到此警告。dockershim 将在 Kubernetes 1.24 版本中移除 。
+你将在 1.23 版本及以前版本看到此警告，dockershim 已在 Kubernetes 1.24 版本中移除 。
+
+<!--
+If you're running Kubernetes v1.24 or later, see [Can I still use Docker Engine as my container runtime?](#can-i-still-use-docker-engine-as-my-container-runtime).
+(Remember, you can switch away from the dockershim if you're using any supported Kubernetes release; from release v1.24, you
+**must** switch as Kubernetes no longer incluides the dockershim).
+-->
+如果你运行的是 Kubernetes v1.24 或更高版本，请参阅
+[我仍然可以使用 Docker Engine 作为我的容器运行时吗？](#can-i-still-use-docker-engine-as-my-container-runtime)
+（如果你使用任何支持 dockershim 的版本，可以随时切换离开；从版本 v1.24
+开始，因为 Kubernetes 不再包含 dockershim，你**必须**切换）。
 
 <!--
-### When will dockershim be removed?
+### Which CRI implementation should I use?
 -->
-### 什么时候移除 dockershim ？
+### 我应该用哪个 CRI 实现？ {#which-cri-implementation-should-i-use}
 
 <!--
-Given the impact of this change, we are using an extended deprecation timeline.
-Removal of dockershim is scheduled for Kubernetes v1.24, see [Dockershim Removal Kubernetes Enhancement Proposal][drkep].
-The Kubernetes project will be working closely with vendors and other ecosystem groups to ensure
-a smooth transition and will evaluate things as the situation evolves.
+That’s a complex question and it depends on a lot of factors. If Docker Engine is
+working for you, moving to containerd should be a relatively easy swap and
+will have strictly better performance and less overhead. However, we encourage you
+to explore all the options from the [CNCF landscape] in case another would be an
+even better fit for your environment.
 -->
-考虑到此变更带来的影响，我们使用了一个加长的废弃时间表。
-dockershim 计划在 Kubernetes v1.24 中进行移除，
-参见 [Kubernetes 移除 Dockershim 增强方案](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2221-remove-dockershim)。
-Kubernetes 项目将与供应商和其他生态系统组织密切合作，以确保平稳过渡，并将依据事态的发展评估后续事项。
+这是一个复杂的问题，依赖于许多因素。
+如果你正在使用 Docker Engine，迁移到 containerd
+应该是一个相对容易地转换，并将获得更好的性能和更少的开销。
+然而，我们鼓励你探索 [CNCF landscape] 提供的所有选项，做出更适合你的选择。
+
+[CNCF landscape]: https://landscape.cncf.io/card-mode?category=container-runtime&grouping=category
 
 <!--
-### Can I still use Docker Engine as my container runtime?
+#### Can I still use Docker Engine as my container runtime?
 -->
-### 我还可以使用 Docker Engine 作为我的容器运行时吗？
+#### 我还可以使用 Docker Engine 作为我的容器运行时吗？ {#can-i-still-use-docker-engine-as-my-container-runtime}
 
 <!--
 First off, if you use Docker on your own PC to develop or test containers: nothing changes.
@@ -155,51 +225,17 @@ Mirantis 和 Docker 已[承诺](https://www.mirantis.com/blog/mirantis-to-take-o
 替代适配器名为 [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd)。
 
 <!--
-### Will my existing container images still work?
--->
-### 我现有的容器镜像还能正常工作吗？
-
-<!--
-Yes, the images produced from `docker build` will work with all CRI implementations.
-All your existing images will still work exactly the same.
--->
-当然可以，`docker build` 创建的镜像适用于任何 CRI 实现。
-所有你的现有镜像将和往常一样工作。
-
-<!--
-#### What about private images?
--->
-### 私有镜像呢？
-
-<!--
-Yes. All CRI runtimes support the same pull secrets configuration used in
-Kubernetes, either via the PodSpec or ServiceAccount.
--->
-当然可以。所有 CRI 运行时均支持在 Kubernetes 中相同的拉取（pull）Secret 配置，
-无论是通过 PodSpec 还是 ServiceAccount。
-
-<!--
-### Are Docker and containers the same thing?
+You can install `cri-dockerd` and use it to connect the kubelet to Docker Engine. Read [Migrate Docker Engine nodes from dockershim to cri-dockerd](/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd/) to learn more.
 -->
-### Docker 和容器是一回事吗？
+你可以安装 `cri-dockerd` 并使用它将 kubelet 连接到 Docker Engine。
+阅读[将 Docker Engine 节点从 dockershim 迁移到 cri-dockerd](/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd/)
+以了解更多信息。
 
-<!--
-Docker popularized the Linux containers pattern and has been instrumental in
-developing the underlying technology, however containers in Linux have existed
-for a long time. The container ecosystem has grown to be much broader than just
-Docker. Standards like OCI and CRI have helped many tools grow and thrive in our
-ecosystem, some replacing aspects of Docker while others enhance existing
-functionality.
--->
-Docker 普及了 Linux 容器模式，并在开发底层技术方面发挥了重要作用，
-但是 Linux 中的容器已经存在了很长时间。容器的生态相比于 Docker 具有更宽广的领域。
-OCI 和 CRI 等标准帮助许多工具在我们的生态系统中发展壮大，
-其中一些替代了 Docker 的某些方面，而另一些则增强了现有功能。
 
 <!--
 ### Are there examples of folks using other runtimes in production today?
 -->
-### 现在是否有在生产系统中使用其他运行时的例子？
+### 现在是否有在生产系统中使用其他运行时的例子？ {#are-there-examples-of-folks-using-other-runtimes-in-production-today}
 
 <!--
 All Kubernetes project produced artifacts (Kubernetes binaries) are validated
@@ -233,7 +269,7 @@ CRI-O, two container runtimes under the Cloud Native Computing Foundation ([CNCF
 <!--
 ### People keep referencing OCI, what is that?
 -->
-### 人们总在谈论 OCI，它是什么？
+### 人们总在谈论 OCI，它是什么？ {#people-keep-referencing-oci-what-is-that}
 
 <!--
 OCI stands for the [Open Container Initiative], which standardized many of the
@@ -251,27 +287,11 @@ OCI 是 [Open Container Initiative](https://opencontainers.org/about/overview/)
 这也是 [containerd](https://containerd.io/) 和 [CRI-O](https://cri-o.io/) 依赖的默认运行时。
 CRI 建立在这些底层规范之上，为管理容器提供端到端的标准。
 
-<!--
-### Which CRI implementation should I use?
--->
-### 我应该用哪个 CRI 实现？
-
-<!--
-That’s a complex question and it depends on a lot of factors. If Docker is
-working for you, moving to containerd should be a relatively easy swap and
-will have strictly better performance and less overhead. However, we encourage you
-to explore all the options from the [CNCF landscape] in case another would be an
-even better fit for your environment.
--->
-这是一个复杂的问题，依赖于许多因素。
-如果你正在使用 Docker，迁移到 containerd 应该是一个相对容易地转换，并将获得更好的性能和更少的开销。
-然而，我们鼓励你探索 [CNCF landscape](https://landscape.cncf.io/card-mode?category=container-runtime&grouping=category)
-提供的所有选项，做出更适合你的选择。
 
 <!--
 ### What should I look out for when changing CRI implementations?
 -->
-### 当切换 CRI 实现时，应该注意什么？
+### 当切换 CRI 实现时，应该注意什么？ {#what-should-i-look-out-for-when-changing-cri-implementations}
 
 <!--
 While the underlying containerization code is the same between Docker and most
@@ -284,19 +304,19 @@ common things to consider when migrating are:
 <!--
 - Logging configuration
 - Runtime resource limitations
-- Node provisioning scripts that call docker or use docker via it's control socket
-- Kubectl plugins that require docker CLI or the control socket
+- Node provisioning scripts that call docker or use Docker Engine via its control socket
+- Plugins for `kubectl` that require the `docker` CLI or the Docker Engine control socket
 - Tools from the Kubernetes project that require direct access to Docker Engine
   (for example: the deprecated `kube-imagepuller` tool)
-- Configuration of functionality like `registry-mirrors` and insecure registries 
+- Configuration of functionality like `registry-mirrors` and insecure registries
 - Other support scripts or daemons that expect Docker Engine to be available and are run
   outside of Kubernetes (for example, monitoring or security agents)
 - GPUs or special hardware and how they integrate with your runtime and Kubernetes
 -->
 - 日志配置
 - 运行时的资源限制
-- 调用 docker 或通过其控制套接字使用 docker 的节点配置脚本
-- 需要访问 docker 命令或控制套接字的 kubectl 插件
+- 调用 docker 或通过其控制套接字使用 Docker Engine 的节点配置脚本
+- 需要 `docker` 命令或 Docker Engine 控制套接字的 `kubectl` 插件
 - 需要直接访问 Docker Engine 的 Kubernetes 工具（例如：已弃用的 'kube-imagepuller' 工具）
 - `registry-mirrors` 和不安全注册表等功能的配置
 - 保障 Docker Engine 可用、且运行在 Kubernetes 之外的脚本或守护进程（例如：监视或安全代理）
@@ -304,7 +324,7 @@ common things to consider when migrating are:
 
 <!--
 If you use Kubernetes resource requests/limits or file-based log collection
-DaemonSets then they will continue to work the same, but if you’ve customized
+DaemonSets then they will continue to work the same, but if you've customized
 your `dockerd` configuration, you’ll need to adapt that for your new container
 runtime where possible.
 -->
@@ -314,13 +334,14 @@ runtime where possible.
 <!--
 Another thing to look out for is anything expecting to run for system maintenance
 or nested inside a container when building images will no longer work. For the
-former, you can use the [`crictl`][cr] tool as a drop-in replacement (see [mapping from docker cli to crictl](https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl)) and for the
-latter you can use newer container build options like [img], [buildah],
+former, you can use the [`crictl`][cr] tool as a drop-in replacement (see
+[mapping from docker cli to crictl](https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl))
+and for the latter you can use newer container build options like [img], [buildah],
 [kaniko], or [buildkit-cli-for-kubectl] that don’t require Docker.
 -->
 另外还有一个需要关注的点，那就是当创建镜像时，系统维护或嵌入容器方面的任务将无法工作。
 对于前者，可以用 [`crictl`](https://github.com/kubernetes-sigs/cri-tools) 工具作为临时替代方案
-(参阅[从 docker cli 到 crictl 的映射](/zh/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl))。
+(参阅[从 docker cli 到 crictl 的映射](/zh-cn/docs/tasks/debug/debug-cluster/crictl/#mapping-from-docker-cli-to-crictl))。
 对于后者，可以用新的容器创建选项，例如
 [img](https://github.com/genuinetools/img)、
 [buildah](https://github.com/containers/buildah)、
@@ -345,15 +366,15 @@ Kubernetes documentation on [Container Runtimes].
 <!--
 ### What if I have more questions?
 -->
-### 我还有其他问题怎么办？
+### 我还有其他问题怎么办？ {#what-if-i-have-more-questions}
 
 <!--
 If you use a vendor-supported Kubernetes distribution, you can ask them about
 upgrade plans for their products. For end-user questions, please post them
-to our end user community forum: https://discuss.kubernetes.io/. 
+to our end user community forum: https://discuss.kubernetes.io/.
 -->
 如果你使用了供应商支持的 Kubernetes 发行版，你可以咨询供应商他们产品的升级计划。
-对于最终用户的问题，请把问题发到我们的最终用户社区的论坛：https://discuss.kubernetes.io/。
+对于最终用户的问题，请把问题发到我们的最终用户社区的[论坛](https://discuss.kubernetes.io/)。
 
 <!--
 You can discuss the decision to remove dockershim via a dedicated
@@ -371,9 +392,9 @@ discussion of the changes.
 对这些变化进行更深入的技术讨论。
 
 <!--
-### Is there any tooling that can help me find dockershim in use
+### Is there any tooling that can help me find dockershim in use?
 -->
-### 是否有任何工具可以帮助我找到正在使用的 dockershim
+### 是否有任何工具可以帮助我找到正在使用的 dockershim？ {#is-there-any-tooling-that-can-help-me-find-dockershim-in-use}
 
 <!--
 Yes! The [Detector for Docker Socket (DDS)][dds] is a kubectl plugin that you can
@@ -383,7 +404,7 @@ Find more details and usage patterns in the DDS project's [README][dds].
 -->
 是的！ [Docker Socket 检测器 (DDS)][dds] 是一个 kubectl 插件，
 你可以安装它用于检查你的集群。 DDS 可以检测运行中的 Kubernetes
-工作负载是否将 Docker 引擎套接字 (`docker.sock`) 作为卷挂载。
+工作负载是否将 Docker Engine 套接字 (`docker.sock`) 作为卷挂载。
 在 DDS 项目的 [README][dds] 中查找更多详细信息和使用方法。
 
 [dds]: https://github.com/aws-containers/kubectl-detector-for-docker-socket
@@ -391,7 +412,7 @@ Find more details and usage patterns in the DDS project's [README][dds].
 <!--
 ### Can I have a hug?
 -->
-### 我可以加入吗？
+### 我可以加入吗？ {#can-i-have-a-hug}
 
 <!--
 Yes, we're still giving hugs as requested. 🤗🤗🤗
diff --git a/content/zh/blog/_posts/2022-03-15-meet-our-contributors-APAC-AU-NZ-region-01.md b/content/zh-cn/blog/_posts/2022-03-15-meet-our-contributors-APAC-AU-NZ-region-01.md
similarity index 100%
rename from content/zh/blog/_posts/2022-03-15-meet-our-contributors-APAC-AU-NZ-region-01.md
rename to content/zh-cn/blog/_posts/2022-03-15-meet-our-contributors-APAC-AU-NZ-region-01.md
diff --git a/content/zh-cn/blog/_posts/2022-03-31-ready-for-dockershim-removal.md b/content/zh-cn/blog/_posts/2022-03-31-ready-for-dockershim-removal.md
new file mode 100644
index 0000000000000..99de335164159
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-03-31-ready-for-dockershim-removal.md
@@ -0,0 +1,111 @@
+---
+layout: blog
+title: "你的集群准备好使用 v1.24 版本了吗？"
+date: 2022-03-31
+slug: ready-for-dockershim-removal
+---
+<!--
+layout: blog
+title: "Is Your Cluster Ready for v1.24?"
+date: 2022-03-31
+slug: ready-for-dockershim-removal
+-->
+
+<!--
+**Author:** Kat Cosgrove
+-->
+**作者:** Kat Cosgrove
+
+
+<!--
+Way back in December of 2020, Kubernetes announced the [deprecation of Dockershim](/blog/2020/12/02/dont-panic-kubernetes-and-docker/). In Kubernetes, dockershim is a software shim that allows you to use the entire Docker engine as your container runtime within Kubernetes. In the upcoming v1.24 release, we are removing Dockershim - the delay between deprecation and removal in line with the [project’s policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) of supporting features for at least one year after deprecation. If you are a cluster operator, this guide includes the practical realities of what you need to know going into this release. Also, what do you need to do to ensure your cluster doesn’t fall over!
+-->
+早在 2020 年 12 月，Kubernetes 就宣布[弃用 Dockershim](/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/)。
+在 Kubernetes 中，dockershim 是一个软件 shim，
+它允许你将整个 Docker 引擎用作 Kubernetes 中的容器运行时。
+在即将发布的 v1.24 版本中，我们将移除 Dockershim - 
+在宣布弃用之后到彻底移除这段时间内，我们至少预留了一年的时间继续支持此功能，
+这符合相关的[项目策略](/zh-cn/docs/reference/using-api/deprecation-policy/)。 
+如果你是集群操作员，则该指南包含你在此版本中需要了解的实际情况。
+另外还包括你需要做些什么来确保你的集群不会崩溃！
+
+<!--
+## First, does this even affect you?
+-->
+## 首先，这对你有影响吗？
+
+<!--
+If you are rolling your own cluster or are otherwise unsure whether or not this removal affects you, stay on the safe side and [check to see if you have any dependencies on Docker Engine](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/). Please note that using Docker Desktop to build your application containers is not a Docker dependency for your cluster. Container images created by Docker are compliant with the [Open Container Initiative (OCI)](https://opencontainers.org/), a Linux Foundation governance structure that defines industry standards around container formats and runtimes. They will work just fine on any container runtime supported by Kubernetes.
+-->
+如果你正在管理自己的集群或不确定此删除是否会影响到你，
+请保持安全状态并[检查你对 Docker Engine 是否有依赖](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/)。 
+请注意，使用 Docker Desktop 构建应用程序容器并不算是集群对 Docker 有依赖。
+Docker 创建的容器镜像符合 [Open Container Initiative (OCI)](https://opencontainers.org/) 规范，
+而 OCI 是 Linux 基金会的一种治理架构，负责围绕容器格式和运行时定义行业标准。 
+这些镜像可以在 Kubernetes 支持的任何容器运行时上正常工作。
+
+<!--
+If you are using a managed Kubernetes service from a cloud provider, and you haven’t explicitly changed the container runtime, there may be nothing else for you to do. Amazon EKS, Azure AKS, and Google GKE all default to containerd now, though you should make sure they do not need updating if you have any node customizations. To check the runtime of your nodes, follow [Find Out What Container Runtime is Used on a Node](/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/).
+-->
+如果你使用的是云服务提供商管理的 Kubernetes 服务，
+并且你确定没有更改过容器运行时，那么你可能不需要做任何事情。 
+Amazon EKS、Azure AKS 和 Google GKE 现在都默认使用 containerd，
+但如果你的集群中有任何自定义的节点，你要确保它们不需要被更新。
+要检查节点的运行时，请参考[查明节点上所使用的容器运行时](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)。
+
+<!--
+Regardless of whether you are rolling your own cluster or using a managed Kubernetes service from a cloud provider, you may need to [migrate telemetry or security agents that rely on Docker Engine](/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/). 
+-->
+无论你是在管理自己的集群还是使用云服务提供商管理的 Kubernetes 服务，
+你可能都需要[迁移依赖 Docker Engine 的遥测或安全代理](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/)。
+
+<!--
+## I have a Docker dependency. What now?
+-->
+## 我对 Docker 有依赖。现在该怎么办？
+
+<!--
+If your Kubernetes cluster depends on Docker Engine and you intend to upgrade to Kubernetes v1.24 (which you should eventually do for security and similar reasons), you will need to change your container runtime from Docker Engine to something else or use [cri-dockerd](https://github.com/Mirantis/cri-dockerd). Since [containerd](https://containerd.io/) is a graduated CNCF project and the runtime within Docker itself, it’s a safe bet as an alternative container runtime. Fortunately, the Kubernetes project has already documented the process of [changing a node’s container runtime](/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/), using containerd as an example. Instructions are similar for switching to one of the other supported runtimes.
+-->
+如果你的 Kubernetes 集群对 Docker Engine 有依赖，
+并且你打算升级到 Kubernetes v1.24 版本（出于安全和类似原因，你最终应该这样做），
+你需要将容器运行时从 Docker Engine 更改为其他方式或使用 [cri-dockerd](https://github.com/Mirantis/cri-dockerd)。 
+由于 [containerd](https://containerd.io/) 是一个已经毕业的 CNCF 项目，
+并且是 Docker 本身的运行时，因此用它作为容器运行时的替代方式是一个安全的选择。
+幸运的是，Kubernetes 项目已经以 containerd 为例，
+提供了[更改节点容器运行时](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/)的过程文档。
+切换到其它支持的运行时的操作指令与此类似。
+
+<!--
+## I want to upgrade Kubernetes, and I need to maintain compatibility with Docker as a runtime. What are my options?
+-->
+## 我想升级 Kubernetes，并且我需要保持与 Docker 作为运行时的兼容性。我有哪些选择？
+
+<!--
+Fear not, you aren’t being left out in the cold and you don’t have to take the security risk of staying on an old version of Kubernetes. Mirantis and Docker have jointly released, and are maintaining, a replacement for dockershim. That replacement is called [cri-dockerd](https://github.com/Mirantis/cri-dockerd). If you do need to maintain compatibility with Docker as a runtime, install cri-dockerd following the instructions in the project’s documentation.
+-->
+别担心，你不会被冷落，也不必冒着安全风险继续使用旧版本的 Kubernetes。 
+Mirantis 和 Docker 已经联合发布并正在维护 dockershim 的替代品。 
+这种替代品称为 [cri-dockerd](https://github.com/Mirantis/cri-dockerd)。 
+如果你确实需要保持与 Docker 作为运行时的兼容性，请按照项目文档中的说明安装 cri-dockerd。
+
+<!--
+## Is that it?
+-->
+## 这样就可以了吗？
+
+
+<!--
+Yes. As long as you go into this release aware of the changes being made and the details of your own clusters, and you make sure to communicate clearly with your development teams, it will be minimally dramatic. You may have some changes to make to your cluster, application code, or scripts, but all of these requirements are documented. Switching from using Docker Engine as your runtime to using [one of the other supported container runtimes](/docs/setup/production-environment/container-runtimes/) effectively means removing the middleman, since the purpose of dockershim is to access the container runtime used by Docker itself. From a practical perspective, this removal is better both for you and for Kubernetes maintainers in the long-run.
+-->
+是的。只要你深入了解此版本所做的变更和你自己集群的详细信息，
+并确保与你的开发团队进行清晰的沟通，它的不确定性就会降到最低。 
+你可能需要对集群、应用程序代码或脚本进行一些更改，但所有这些要求都已经有说明指导。 
+从使用 Docker Engine 作为运行时，切换到使用[其他任何一种支持的容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)，
+这意味着移除了中间层的组件，因为 dockershim 的作用是访问 Docker 本身使用的容器运行时。 
+从实际角度长远来看，这种移除对你和 Kubernetes 维护者都更有好处。
+
+<!--
+If you still have questions, please first check the [Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/).
+-->
+如果你仍有疑问，请先查看[弃用 Dockershim 的常见问题](/zh-cn/blog/2022/02/17/dockershim-faq/)。
diff --git a/content/zh/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md b/content/zh-cn/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
similarity index 93%
rename from content/zh/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
rename to content/zh-cn/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
index ed73904af3af9..3963d3915a922 100644
--- a/content/zh/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
+++ b/content/zh-cn/blog/_posts/2022-04-07-Kubernetes-1-24-removals-and-deprecations.md
@@ -67,7 +67,7 @@ the authors succinctly captured the change's impact and encouraged users to rema
 > Container Runtime Interface (CRI) created for Kubernetes. Docker-produced images
 > will continue to work in your cluster with all runtimes, as they always have.
 -->
-在文章[别慌: Kubernetes 和 Docker](/zh/blog/2020/12/02/dont-panic-kubernetes-and-docker/) 中，
+在文章[别慌: Kubernetes 和 Docker](/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/) 中，
 作者简洁地记述了变化的影响，并鼓励用户保持冷静：
 >弃用 Docker 这个底层运行时，转而支持符合为 Kubernetes 创建的容器运行接口
 >Container Runtime Interface (CRI) 的运行时。
@@ -80,7 +80,7 @@ to container runtimes that are directly compatible with Kubernetes. You can find
 page in the Kubernetes documentation.
 -->
 已经有一些文档指南，提供了关于从 dockershim 迁移到与 Kubernetes 直接兼容的容器运行时的有用信息。
-你可以在 Kubernetes 文档中的[从 dockershim 迁移](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/)
+你可以在 Kubernetes 文档中的[从 dockershim 迁移](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/)
 页面上找到它们。
 
 <!--
@@ -92,7 +92,7 @@ Take a look at the [Is Your Cluster Ready for v1.24?](/blog/2022/03/31/ready-for
 -->
 有关 Kubernetes 为何不再使用 dockershim 的更多信息，
 请参见：[Kubernetes 正在离开 Dockershim](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/)
-和[最新的弃用 Dockershim 的常见问题](/zh/blog/2022/02/17/dockershim-faq/)。
+和[最新的弃用 Dockershim 的常见问题](/zh-cn/blog/2022/02/17/dockershim-faq/)。
 
 查看[你的集群准备好使用 v1.24 了吗？](/blog/2022/03/31/ready-for-dockershim-removal/) 一文，
 了解如何确保你的集群在从 1.23 版本升级到 1.24 版本后继续工作。
@@ -113,7 +113,7 @@ same API is available and that APIs have a minimum lifetime as indicated by the
 ## Kubernetes API 删除和弃用流程  {#the-Kubernetes-api-removal-and-deprecation-process}
 
 Kubernetes 包含大量随时间演变的组件。在某些情况下，这种演变会导致 API、标志或整个特性被删除。
-为了防止用户面对重大变化，Kubernetes 贡献者采用了一项特性[弃用策略](/zh/docs/reference/using-api/deprecation-policy/)。
+为了防止用户面对重大变化，Kubernetes 贡献者采用了一项特性[弃用策略](/zh-cn/docs/reference/using-api/deprecation-policy/)。
 此策略确保仅当同一 API 的较新稳定版本可用并且 
 API 具有以下稳定性级别所指示的最短生命周期时，才可能弃用稳定版本 API：
 
@@ -212,14 +212,14 @@ Docker Engine dependencies. Before upgrading to v1.24, you decide to either rema
 ## 需要做什么  {#what-to-do}
 
 ### 删除 Dockershim  {#dockershim-removal}
-如前所述，有一些关于从 [dockershim 迁移](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/)的指南。
-你可以[从查明节点上所使用的容器运行时](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)开始。
+如前所述，有一些关于从 [dockershim 迁移](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/)的指南。
+你可以[从查明节点上所使用的容器运行时](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)开始。
 如果你的节点使用 dockershim，则还有其他可能的 Docker Engine 依赖项，
 例如 Pod 或执行 Docker 命令的第三方工具或 Docker 配置文件中的私有注册表。
-你可以按照[检查弃用 Dockershim 对你的影响](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
+你可以按照[检查弃用 Dockershim 对你的影响](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
 的指南来查看可能的 Docker 引擎依赖项。在升级到 1.24 版本之前， 你决定要么继续使用 Docker Engine 并
 [将 Docker Engine 节点从 dockershim 迁移到 cri-dockerd](/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd/)，
-要么迁移到与 CRI 兼容的运行时。这是[将节点上的容器运行时从 Docker Engine 更改为 containerd](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/) 的指南。
+要么迁移到与 CRI 兼容的运行时。这是[将节点上的容器运行时从 Docker Engine 更改为 containerd](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/) 的指南。
 
 <!--
 ### `kubectl convert`
@@ -233,7 +233,7 @@ documentation to download and install the `kubectl-convert` binary.
 -->
 ### `kubectl convert`  {#kubectl-convert}
 
-kubectl 的 [`kubectl convert`](/zh/docs/tasks/tools/included/kubectl-convert-overview/)
+kubectl 的 [`kubectl convert`](/zh-cn/docs/tasks/tools/included/kubectl-convert-overview/)
 插件有助于解决弃用 API 的迁移问题。该插件方便了不同 API 版本之间清单的转换，
 例如，从弃用的 API 版本到非弃用的 API 版本。关于 API 迁移过程的更多信息可以在
 [已弃用 API 的迁移指南](/docs/reference/using-api/deprecation-guide/)中找到。按照
@@ -258,7 +258,7 @@ Kubernetes API 的 beta 版本，这些 API 当前为稳定版。1.25 版本还
 <!--
 The official [list of API removals planned for Kubernetes 1.25](/docs/reference/using-api/deprecation-guide/#v1-25) is:
 -->
-[Kubernetes 1.25 计划移除的 API 的官方列表](/zh/docs/reference/using-api/deprecation-guide/#v1-25)是：
+[Kubernetes 1.25 计划移除的 API 的官方列表](/zh-cn/docs/reference/using-api/deprecation-guide/#v1-25)是：
 
 * The beta CronJob API (batch/v1beta1)
 * The beta EndpointSlice API (discovery.k8s.io/v1beta1)
@@ -274,7 +274,7 @@ The official [list of API removals planned for Kubernetes 1.26](/docs/reference/
 * The beta FlowSchema and PriorityLevelConfiguration APIs (flowcontrol.apiserver.k8s.io/v1beta1)
 * The beta HorizontalPodAutoscaler API (autoscaling/v2beta2)
 -->
-[Kubernetes 1.25 计划移除的 API 的官方列表](/zh/docs/reference/using-api/deprecation-guide/#v1-25)是：
+[Kubernetes 1.25 计划移除的 API 的官方列表](/zh-cn/docs/reference/using-api/deprecation-guide/#v1-25)是：
 
 * The beta FlowSchema 和 PriorityLevelConfiguration API (flowcontrol.apiserver.k8s.io/v1beta1)
 * The beta HorizontalPodAutoscaler API (autoscaling/v2beta2)
@@ -297,5 +297,5 @@ Kubernetes 发行说明中宣告了弃用信息。你可以在以下版本的发
 * 我们将正式宣布 [Kubernetes 1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation) 的弃用信息，
   作为该版本 CHANGELOG 的一部分。
 
-有关弃用和删除过程的信息，请查看 Kubernetes 官方[弃用策略](/zh/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) 文档。
+有关弃用和删除过程的信息，请查看 Kubernetes 官方[弃用策略](/zh-cn/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) 文档。
 
diff --git a/content/zh/blog/_posts/2022-05-03-dockershim-historical-context.md b/content/zh-cn/blog/_posts/2022-05-03-dockershim-historical-context.md
similarity index 67%
rename from content/zh/blog/_posts/2022-05-03-dockershim-historical-context.md
rename to content/zh-cn/blog/_posts/2022-05-03-dockershim-historical-context.md
index 5a994452715ca..1243b46d77313 100644
--- a/content/zh/blog/_posts/2022-05-03-dockershim-historical-context.md
+++ b/content/zh-cn/blog/_posts/2022-05-03-dockershim-historical-context.md
@@ -21,11 +21,12 @@ So what is the dockershim, and why is it going away?
 -->
 **作者：** Kat Cosgrove
 
-自 Kubernetes v1.24 起，Dockershim 已被删除，这对项目来说是一个积极的举措。 
-然而，背景对于充分理解某事很重要，无论是社交还是软件开发，这值得更深入的审查。 
-除了 Kubernetes v1.24 中的 dockershim 移除之外，我们在社区中看到了一些
-混乱（有时处于恐慌级别）和对这一决定的不满，主要是由于缺乏有关此删除背景的了解。 
-弃用并最终从 Kubernetes 中删除 dockershim 的决定并不是迅速或轻率地做出的。 
+自 Kubernetes v1.24 起，Dockershim 已被删除，这对项目来说是一个积极的举措。
+然而，背景对于充分理解某事很重要，无论是社交还是软件开发，这值得更深入的审查。
+除了 Kubernetes v1.24 中的 dockershim 移除之外，
+我们在社区中看到了一些混乱（有时处于恐慌级别）和对这一决定的不满，
+主要是由于缺乏有关此删除背景的了解。弃用并最终从 Kubernetes 中删除
+dockershim 的决定并不是迅速或轻率地做出的。
 尽管如此，它已经工作了很长时间，以至于今天的许多用户都比这个决定更新，
 更不用提当初为何引入 dockershim 了。
 
@@ -34,55 +35,57 @@ So what is the dockershim, and why is it going away?
 <!--
 In the early days of Kubernetes, we only supported one container runtime. That runtime was Docker Engine. Back then, there weren’t really a lot of other options out there and Docker was the dominant tool for working with containers, so this was not a controversial choice. Eventually, we started adding more container runtimes, like rkt and hypernetes, and it became clear that Kubernetes users want a choice of runtimes working best for them. So Kubernetes needed a way to allow cluster operators the flexibility to use whatever runtime they choose.
 -->
-在 Kubernetes 的早期，我们只支持一个容器运行时，那个运行时就是 Docker Engine。 
-那时，并没有太多其他选择，而 Docker 是使用容器的主要工具，所以这不是一个有争议的选择。 
-最终，我们开始添加更多的容器运行时，比如 rkt 和 hypernetes，很明显 Kubernetes 用户
-希望选择最适合他们的运行时。 因此，Kubernetes 需要一种方法来允许集群操作员灵活地使用
-他们选择的任何运行时。
+在 Kubernetes 的早期，我们只支持一个容器运行时，那个运行时就是 Docker Engine。
+那时，并没有太多其他选择，而 Docker 是使用容器的主要工具，所以这不是一个有争议的选择。
+最终，我们开始添加更多的容器运行时，比如 rkt 和 hypernetes，很明显 Kubernetes
+用户希望选择最适合他们的运行时。因此，Kubernetes 需要一种方法来允许集群操作员灵活地使用他们选择的任何运行时。
 
 <!--
 The [Container Runtime Interface](/blog/2016/12/container-runtime-interface-cri-in-kubernetes/) (CRI) was released to allow that flexibility. The introduction of CRI was great for the project and users alike, but it did introduce a problem: Docker Engine’s use as a container runtime predates CRI, and Docker Engine is not CRI-compatible. To solve this issue, a small software shim (dockershim) was introduced as part of the kubelet component specifically to fill in the gaps between Docker Engine and CRI, allowing cluster operators to continue using Docker Engine as their container runtime largely uninterrupted.
 -->
 [容器运行时接口](/blog/2016/12/container-runtime-interface-cri-in-kubernetes/) (CRI) 
 已发布以支持这种灵活性。 CRI 的引入对项目和用户来说都很棒，但它确实引入了一个问题：Docker Engine
-作为容器运行时的使用早于 CRI，并且 Docker Engine 不兼容 CRI。 为了解决这个问题，在 kubelet 组件
-中引入了一个小型软件 shim (dockershim)，专门用于填补 Docker Engine 和 CRI 之间的空白，
+作为容器运行时的使用早于 CRI，并且 Docker Engine 不兼容 CRI。 为了解决这个问题，在 kubelet
+组件中引入了一个小型软件 shim (dockershim)，专门用于填补 Docker Engine 和 CRI 之间的空白，
 允许集群操作员继续使用 Docker Engine 作为他们的容器运行时基本上不间断。
 
 <!--
 However, this little software shim was never intended to be a permanent solution. Over the course of years, its existence has introduced a lot of unnecessary complexity to the kubelet itself. Some integrations are inconsistently implemented for Docker because of this shim, resulting in an increased burden on maintainers, and maintaining vendor-specific code is not in line with our open source philosophy. To reduce this maintenance burden and move towards a more collaborative community in support of open standards, [KEP-2221 was introduced](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2221-remove-dockershim), proposing the removal of the dockershim. With the release of Kubernetes v1.20, the deprecation was official.
 -->
-然而，这个小软件 shim 从来没有打算成为一个永久的解决方案。 多年来，它的存在给 kubelet 
-本身带来了许多不必要的复杂性。 由于这个 shim，Docker 的一些集成实现不一致，导致维护人员
-的负担增加，并且维护特定于供应商的代码不符合我们的开源理念。 为了减少这种维护负担并朝着支
-持开放标准的更具协作性的社区迈进，[引入了 KEP-2221](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2221- remove-dockershim)，
-建议移除 dockershim。 随着 Kubernetes v1.20 的发布，正式弃用。
+然而，这个小软件 shim 从来没有打算成为一个永久的解决方案。 多年来，它的存在给
+kubelet 本身带来了许多不必要的复杂性。由于这个 shim，Docker
+的一些集成实现不一致，导致维护人员的负担增加，并且维护特定于供应商的代码不符合我们的开源理念。
+为了减少这种维护负担并朝着支持开放标准的更具协作性的社区迈进，
+[引入了 KEP-2221](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2221-remove-dockershim)，
+建议移除 dockershim。随着 Kubernetes v1.20 的发布，正式弃用。
 
 <!--
 We didn’t do a great job communicating this, and unfortunately, the deprecation announcement led to some panic within the community. Confusion around what this meant for Docker as a company, if container images built by Docker would still run, and what Docker Engine actually is led to a conflagration on social media. This was our fault; we should have more clearly communicated what was happening and why at the time. To combat this, we released [a blog](/blog/2020/12/02/dont-panic-kubernetes-and-docker/) and [accompanying FAQ](/blog/2020/12/02/dockershim-faq/) to allay the community’s fears and correct some misconceptions about what Docker is and how containers work within Kubernetes. As a result of the community’s concerns, Docker and Mirantis jointly agreed to continue supporting the dockershim code in the form of [cri-dockerd](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/), allowing you to continue using Docker Engine as your container runtime if need be. For the interest of users who want to try other runtimes, like containerd or cri-o, [migration documentation was written](/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/).
 -->
-我们没有很好地传达这一点，不幸的是，弃用公告在社区内引起了一些恐慌。关于这对 Docker 作为
-一家公司意味着什么，Docker 构建的容器镜像是否仍然可以运行，以及 Docker Engine 究竟是
-什么导致了社交媒体上的一场大火，人们感到困惑。这是我们的错；我们应该更清楚地传达当时发生
-的事情和原因。为了解决这个问题，我们发布了[一篇博客](/zh/blog/2020/12/02/dont-panic-kubernetes-and-docker/)
-和[相应的 FAQ](/zh/blog/2020/12/02/dockershim-faq/ ) 以减轻社区的恐惧并纠正对
-Docker 是什么以及容器如何在 Kubernetes 中工作的一些误解。由于社区的关注，Docker 和 Mirantis
-共同决定继续以 [cri-dockerd] 的形式支持 dockershim 代码（https://www.mirantis.com/blog/the-future-of-dockershim-is -cri-dockerd/)，
-允许你在需要时继续使用 Docker Engine 作为容器运行时。对于想要尝试其他运行时（如 containerd 或 cri-o）
-的用户，[已编写迁移文档](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/)。
+我们没有很好地传达这一点，不幸的是，弃用公告在社区内引起了一些恐慌。关于这对
+Docker作为一家公司意味着什么，Docker 构建的容器镜像是否仍然可以运行，以及
+Docker Engine 究竟是什么导致了社交媒体上的一场大火，人们感到困惑。
+这是我们的错；我们应该更清楚地传达当时发生的事情和原因。为了解决这个问题，
+我们发布了[一篇博客](/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/)和[相应的 FAQ](/zh-cn/blog/2020/12/02/dockershim-faq/)
+以减轻社区的恐惧并纠正对 Docker 是什么以及容器如何在 Kubernetes 中工作的一些误解。
+由于社区的关注，Docker 和 Mirantis 共同决定继续以
+[cri-dockerd](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/)
+的形式支持 dockershim 代码，允许你在需要时继续使用 Docker Engine 作为容器运行时。
+对于想要尝试其他运行时（如 containerd 或 cri-o）的用户，
+[已编写迁移文档](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/)。
 
 <!--
 We later [surveyed the community](https://kubernetes.io/blog/2021/11/12/are-you-ready-for-dockershim-removal/) and [discovered that there are still many users with questions and concerns](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim). In response, Kubernetes maintainers and the CNCF committed to addressing these concerns by extending documentation and other programs. In fact, this blog post is a part of this program. With so many end users successfully migrated to other runtimes, and improved documentation, we believe that everyone has a paved way to migration now.
 -->
-我们后来[调查了社区](https://kubernetes.io/blog/2021/11/12/are-you-ready-for-dockershim-removal/)
-[发现还有很多用户有疑问和顾虑](/zh/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim)。 
-作为回应，Kubernetes 维护人员和 CNCF 承诺通过扩展文档和其他程序来解决这些问题。 事实上，这篇博文是 
-这个计划的一部分。 随着如此多的最终用户成功迁移到其他运行时，以及改进的文档，我们相信每个人现在都为迁移铺平了道路。
+我们后来[调查了社区](https://kubernetes.io/blog/2021/11/12/are-you-ready-for-dockershim-removal/)[发现还有很多用户有疑问和顾虑](/zh-cn/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim)。 
+作为回应，Kubernetes 维护人员和 CNCF 承诺通过扩展文档和其他程序来解决这些问题。
+事实上，这篇博文是这个计划的一部分。随着如此多的最终用户成功迁移到其他运行时，以及改进的文档，
+我们相信每个人现在都为迁移铺平了道路。
 
 <!--
 Docker is not going away, either as a tool or as a company. It’s an important part of the cloud native community and the history of the Kubernetes project. We wouldn’t be where we are without them. That said, removing dockershim from kubelet is ultimately good for the community, the ecosystem, the project, and open source at large. This is an opportunity for all of us to come together to support open standards, and we’re glad to be doing so with the help of Docker and the community.
 -->
-Docker 不会消失，无论是作为一种工具还是作为一家公司。 它是云原生社区的重要组成部分，
-也是 Kubernetes 项目的历史。 没有他们，我们就不会是现在的样子。 也就是说，从 kubelet
-中删除 dockershim 最终对社区、生态系统、项目和整个开源都有好处。 这是我们所有人齐心协力
-支持开放标准的机会，我们很高兴在 Docker 和社区的帮助下这样做。
\ No newline at end of file
+Docker 不会消失，无论是作为一种工具还是作为一家公司。它是云原生社区的重要组成部分，
+也是 Kubernetes 项目的历史。没有他们，我们就不会是现在的样子。也就是说，从 kubelet
+中删除 dockershim 最终对社区、生态系统、项目和整个开源都有好处。
+这是我们所有人齐心协力支持开放标准的机会，我们很高兴在 Docker 和社区的帮助下这样做。
diff --git a/content/zh-cn/blog/_posts/2022-05-05-volume-expansion-ga.md b/content/zh-cn/blog/_posts/2022-05-05-volume-expansion-ga.md
new file mode 100644
index 0000000000000..3a5ae01872a0a
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-05-volume-expansion-ga.md
@@ -0,0 +1,207 @@
+---
+layout: blog
+title: "Kubernetes 1.24：卷扩充现在成为稳定功能"
+date: 2022-05-05
+slug: volume-expansion-ga
+---
+
+<!-- 
+---
+layout: blog
+title: "Kubernetes 1.24: Volume Expansion Now A Stable Feature"
+date: 2022-05-05
+slug: volume-expansion-ga
+---
+-->
+
+<!-- 
+**Author:** Hemant Kumar (Red Hat)
+
+Volume expansion was introduced as a alpha feature in Kubernetes 1.8 and it went beta in 1.11 and with Kubernetes 1.24 we are excited to announce general availability(GA)
+of volume expansion.
+
+This feature allows Kubernetes users to simply edit their `PersistentVolumeClaim` objects and specify new size in PVC Spec and Kubernetes will automatically expand the volume
+using storage backend and also expand the underlying file system in-use by the Pod without requiring any downtime at all if possible.
+-->
+**作者：** Hemant Kumar (Red Hat)
+
+卷扩充在 Kubernetes 1.8 作为 Alpha 功能引入，
+在 Kubernetes 1.11 进入了 Beta 阶段。
+在 Kubernetes 1.24 中，我们很高兴地宣布卷扩充正式发布（GA）。
+
+此功能允许 Kubernetes 用户简单地编辑其 `PersistentVolumeClaim` 对象，
+并在 PVC Spec 中指定新的大小，Kubernetes 将使用存储后端自动扩充卷，
+同时也会扩充 Pod 使用的底层文件系统，使得无需任何停机时间成为可能。
+<!--
+### How to use volume expansion
+
+You can trigger expansion for a PersistentVolume by editing the `spec` field of a PVC, specifying a different
+(and larger) storage request. For example, given following PVC:
+
+```yaml
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: myclaim
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi # specify new size here
+```
+-->
+### 如何使用卷扩充
+
+通过编辑 PVC 的 `spec` 字段，指定不同的（和更大的）存储请求，
+可以触发 PersistentVolume 的扩充。
+例如，给定以下 PVC：
+
+```yaml
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: myclaim
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi # 在此处指定新的大小
+```
+<!--
+You can request expansion of the underlying PersistentVolume by specifying a new value instead of old `1Gi` size.
+Once you've changed the requested size, watch the `status.conditions` field of the PVC to see if the
+resize has completed.
+
+When Kubernetes starts expanding the volume - it will add `Resizing` condition to the PVC, which will be removed once expansion completes. More information about progress of
+expansion operation can also be obtained by monitoring events associated with the PVC:
+
+```bash
+kubectl describe pvc <pvc>
+```
+-->
+你可以指定新的值来替代旧的 `1Gi` 大小来请求扩充下层 PersistentVolume。
+一旦你更改了请求的大小，可以查看 PVC 的 `status.conditions` 字段，
+确认卷大小的调整是否已完成。
+
+当 Kubernetes 开始扩充卷时，它会给 PVC 添加 `Resizing` 状况。
+一旦扩充结束，这个状况会被移除。通过监控与 PVC 关联的事件，
+还可以获得更多关于扩充操作进度的信息：
+
+```bash
+kubectl describe pvc <pvc>
+```
+<!--
+### Storage driver support
+
+Not every volume type however is expandable by default. Some volume types such as - intree hostpath volumes are not expandable at all. For CSI volumes - the CSI driver
+must have capability `EXPAND_VOLUME` in controller or node service (or both if appropriate). Please refer to documentation of your CSI driver, to find out
+if it supports volume expansion.
+
+Please refer to volume expansion documentation for intree volume types which support volume expansion - [Expanding Persistent Volumes](/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims).
+-->
+### 存储驱动支持
+
+然而，并不是每种卷类型都默认支持扩充。
+某些卷类型（如树内 hostpath 卷）不支持扩充。
+对于 CSI 卷，
+CSI 驱动必须在控制器或节点服务（如果合适，二者兼备）
+中具有 `EXPAND_VOLUME` 能力。
+请参阅 CSI 驱动的文档，了解其是否支持卷扩充。
+
+有关支持卷扩充的树内（intree）卷类型，
+请参阅卷扩充文档：[扩充 PVC 申领](/zh-cn/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims)。
+
+<!-- 
+In general to provide some degree of control over volumes that can be expanded, only dynamically provisioned PVCs whose storage class has `allowVolumeExpansion` parameter set to `true` are expandable.
+
+A Kubernetes cluster administrator must edit the appropriate StorageClass object and set
+the `allowVolumeExpansion` field to `true`. For example:
+-->
+通常，为了对可扩充的卷提供某种程度的控制，
+只有在存储类将 `allowVolumeExpansion` 参数设置为 `true` 时，
+动态供应的 PVC 才是可扩充的。
+
+Kubernetes 集群管理员必须编辑相应的 StorageClass 对象，
+并将 `allowVolumeExpansion` 字段设置为 `true`。例如：
+
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: gp2-default
+provisioner: kubernetes.io/aws-ebs
+parameters:
+  secretNamespace: ""
+  secretName: ""
+allowVolumeExpansion: true
+```
+<!--
+### Online expansion compared to offline expansion
+
+By default, Kubernetes attempts to expand volumes immediately after user requests a resize.
+If one or more Pods are using the volume, Kubernetes tries to expands the volume using an online resize;
+as a result volume expansion usually requires no application downtime.
+Filesystem expansion on the node is also performed online and hence does not require shutting
+down any Pod that was using the PVC.
+
+If you expand a PersistentVolume that is not in use, Kubernetes does an offline resize (and,
+because the volume isn't in use, there is again no workload disruption).
+-->
+### 在线扩充与离线扩充比较
+
+默认情况下，Kubernetes 会在用户请求调整大小后立即尝试扩充卷。
+如果一个或多个 Pod 正在使用该卷，
+Kubernetes 会尝试通过在线调整大小来扩充该卷；
+因此，卷扩充通常不需要应用停机。
+节点上的文件系统也可以在线扩充，因此不需要关闭任何正在使用 PVC 的 Pod。
+
+如果要扩充的 PersistentVolume 未被使用，Kubernetes 会用离线方式调整卷大小
+（而且，由于该卷未使用，所以也不会造成工作负载中断）。
+<!-- 
+In some cases though - if underlying Storage Driver can only support offline expansion, users of the PVC must take down their Pod before expansion can succeed. Please refer to documentation of your storage
+provider to find out - what mode of volume expansion it supports.
+
+When volume expansion was introduced as an alpha feature, Kubernetes only supported offline filesystem
+expansion on the node and hence required users to restart their pods for file system resizing to finish. 
+His behaviour has been changed and Kubernetes tries its best to fulfil any resize request regardless
+of whether the underlying PersistentVolume volume is online or offline. If your storage provider supports
+online expansion then no Pod restart should be necessary for volume expansion to finish.
+-->
+但在某些情况下，如果底层存储驱动只能支持离线扩充，
+则 PVC 用户必须先停止 Pod，才能让扩充成功。
+请参阅存储提供商的文档，了解其支持哪种模式的卷扩充。
+
+当卷扩充作为 Alpha 功能引入时，
+Kubernetes 仅支持在节点上进行离线的文件系统扩充，
+因此需要用户重新启动 Pod，才能完成文件系统的大小调整。
+今天，用户的行为已经被改变，无论底层 PersistentVolume 是在线还是离线，
+Kubernetes 都会尽最大努力满足任何调整大小的请求。
+如果你的存储提供商支持在线扩充，则无需重启 Pod 即可完成卷扩充。
+<!-- 
+## Next steps
+
+Although volume expansion is now stable as part of the recent v1.24 release,
+SIG Storage are working to make it even simpler for users of Kubernetes to expand their persistent storage.
+Kubernetes 1.23 introduced features for triggering recovery from failed volume expansion, allowing users
+to attempt self-service healing after a failed resize.
+See [Recovering from volume expansion failure](/docs/concepts/storage/persistent-volumes/#recovering-from-failure-when-expanding-volumes) for more details.
+-->
+## 下一步
+
+尽管卷扩充在最近的 v1.24 发行版中成为了稳定版本，
+但 SIG Storage 团队仍然在努力让 Kubernetes 用户扩充其持久性存储变得更简单。
+Kubernetes 1.23 引入了卷扩充失败后触发恢复机制的功能特性，
+允许用户在大小调整失败后尝试自助修复。
+更多详细信息，请参阅[处理扩充卷过程中的失败](/zh-cn/docs/concepts/storage/persistent-volumes/#recovering-from-failure-when-expanding-volumes)。
+<!--
+The Kubernetes contributor community is also discussing the potential for StatefulSet-driven storage expansion. This proposed
+feature would let you trigger expansion for all underlying PVs that are providing storage to a StatefulSet,
+by directly editing the StatefulSet object.
+See the [Support Volume Expansion Through StatefulSets](https://github.com/kubernetes/enhancements/issues/661) enhancement proposal for more details.
+-->
+Kubernetes 贡献者社区也在讨论有状态（StatefulSet）驱动的存储扩充的潜力。
+这个提议的功能特性将允许用户通过直接编辑 StatefulSet 对象，
+触发为 StatefulSet 提供存储的所有底层 PV 的扩充。
+更多详细信息，请参阅[通过 StatefulSet 支持卷扩充](https://github.com/kubernetes/enhancements/issues/661)的改善提议。
diff --git a/content/zh-cn/blog/_posts/2022-05-06-storage-capacity-GA/index.md b/content/zh-cn/blog/_posts/2022-05-06-storage-capacity-GA/index.md
new file mode 100644
index 0000000000000..7311d7a25500b
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-06-storage-capacity-GA/index.md
@@ -0,0 +1,149 @@
+---
+layout: blog
+title: "Kubernetes 1.24 版本中存储容量跟踪特性进入 GA 阶段"
+date: 2022-05-06
+slug: storage-capacity-ga
+---
+<!--
+layout: blog
+title: "Storage Capacity Tracking reaches GA in Kubernetes 1.24"
+date: 2022-05-06
+slug: storage-capacity-ga
+-->
+
+<!--
+ **Authors:** Patrick Ohly (Intel)
+-->
+ **作者:** Patrick Ohly（Intel）
+
+<!--
+The v1.24 release of Kubernetes brings [storage capacity](/docs/concepts/storage/storage-capacity/)
+tracking as a generally available feature.
+-->
+在 Kubernetes v1.24 版本中，[存储容量](/zh-cn/docs/concepts/storage/storage-capacity/)跟踪已经成为一项正式发布的功能。
+
+<!--
+## Problems we have solved
+-->
+## 已经解决的问题
+
+<!--
+As explained in more detail in the [previous blog post about this
+feature](/blog/2021/04/14/local-storage-features-go-beta/), storage capacity
+tracking allows a CSI driver to publish information about remaining
+capacity. The kube-scheduler then uses that information to pick suitable nodes
+for a Pod when that Pod has volumes that still need to be provisioned.
+-->
+如[上一篇关于此功能的博文](/blog/2021/04/14/local-storage-features-go-beta/)中所详细介绍的，
+存储容量跟踪允许 CSI 驱动程序发布有关剩余容量的信息。当 Pod 仍然有需要配置的卷时，
+kube-scheduler 使用该信息为 Pod 选择合适的节点。
+
+<!--
+Without this information, a Pod may get stuck without ever being scheduled onto
+a suitable node because kube-scheduler has to choose blindly and always ends up
+picking a node for which the volume cannot be provisioned because the
+underlying storage system managed by the CSI driver does not have sufficient
+capacity left.
+-->
+如果没有这些信息，Pod 可能会被卡住，而不会被调度到合适节点，这是因为 kube-scheduler
+只能盲目地选择节点。由于 CSI 驱动程序管理的下层存储系统没有足够的容量，
+kube-scheduler 常常会选择一个无法为其配置卷的节点。
+
+<!--
+Because CSI drivers publish storage capacity information that gets used at a
+later time when it might not be up-to-date anymore, it can still happen that a
+node is picked that doesn't work out after all. Volume provisioning recovers
+from that by informing the scheduler that it needs to try again with a
+different node.
+-->
+因为 CSI 驱动程序发布的这些存储容量信息在被使用的时候可能已经不是最新的信息了，
+所以最终选择的节点无法正常工作的情况仍然可能会发生。
+卷配置通过通知调度程序需要在其他节点上重试来恢复。
+
+<!--
+[Load
+tests](https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/docs/storage-capacity-tracking.md)
+that were done again for promotion to GA confirmed that all storage in a
+cluster can be consumed by Pods with storage capacity tracking whereas Pods got
+stuck without it.
+-->
+升级到 GA 版本后重新进行的[负载测试](https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/docs/storage-capacity-tracking.md)证实，
+集群中部署了存储容量跟踪功能的 Pod 可以使用所有的存储，而没有部署此功能的 Pod 就会被卡住。
+
+<!--
+## Problems we have *not* solved
+-->
+## *尚未*解决的问题
+
+<!--
+Recovery from a failed volume provisioning attempt has one known limitation: if a Pod
+uses two volumes and only one of them could be provisioned, then all future
+scheduling decisions are limited by the already provisioned volume. If that
+volume is local to a node and the other volume cannot be provisioned there, the
+Pod is stuck. This problem pre-dates storage capacity tracking and while the
+additional information makes it less likely to occur, it cannot be avoided in
+all cases, except of course by only using one volume per Pod.
+-->
+如果尝试恢复一个制备失败的卷，存在一个已知的限制：
+如果 Pod 使用两个卷并且只能制备其中一个，那么所有将来的调度决策都受到已经制备的卷的限制。
+如果该卷是节点的本地卷，并且另一个卷无法被制备，则 Pod 会卡住。
+此问题早在存储容量跟踪功能之前就存在，虽然苛刻的附加条件使这种情况不太可能发生，
+但是无法完全避免，当然每个 Pod 仅使用一个卷的情况除外。
+
+<!--
+An idea for solving this was proposed in a [KEP
+draft](https://github.com/kubernetes/enhancements/pull/1703): volumes that were
+provisioned and haven't been used yet cannot have any valuable data and
+therefore could be freed and provisioned again elsewhere. SIG Storage is
+looking for interested developers who want to continue working on this.
+-->
+[KEP 草案](https://github.com/kubernetes/enhancements/pull/1703)中提出了一个解决此问题的想法：
+已制备但尚未被使用的卷不能包含任何有价值的数据，因此可以在其他地方释放并且再次被制备。
+SIG Storage 正在寻找对此感兴趣并且愿意继续从事此工作的开发人员。
+
+<!--
+Also not solved is support in Cluster Autoscaler for Pods with volumes. For CSI
+drivers with storage capacity tracking, a prototype was developed and discussed
+in [a PR](https://github.com/kubernetes/autoscaler/pull/3887). It was meant to
+work with arbitrary CSI drivers, but that flexibility made it hard to configure
+and slowed down scale up operations: because autoscaler was unable to simulate
+volume provisioning, it only scaled the cluster by one node at a time, which
+was seen as insufficient.
+-->
+另一个没有解决的问题是 Cluster Autoscaler 对包含卷的 Pod 的支持。
+对于具有存储容量跟踪功能的 CSI 驱动程序，我们开发了一个原型并在此
+[PR](https://github.com/kubernetes/autoscaler/pull/3887) 中进行了讨论。
+此原型旨在与任意 CSI 驱动程序协同工作，但这种灵活性使其难以配置并减慢了扩展操作：
+因为自动扩展程序无法模拟卷制备操作，它一次只能将集群扩展一个节点，这是此方案的不足之处。
+
+<!--
+Therefore that PR was not merged and a different approach with tighter coupling
+between autoscaler and CSI driver will be needed. For this a better
+understanding is needed about which local storage CSI drivers are used in
+combination with cluster autoscaling. Should this lead to a new KEP, then users
+will have to try out an implementation in practice before it can move to beta
+or GA. So please reach out to SIG Storage if you have an interest in this
+topic.
+-->
+因此，这个 PR 没有被合入，需要另一种不同的方法，在自动缩放器和 CSI 驱动程序之间实现更紧密的耦合。
+为此，需要更好地了解哪些本地存储 CSI 驱动程序与集群自动缩放结合使用。如果这会引出新的 KEP，
+那么用户将不得不在实践中尝试实现，然后才能迁移到 beta 版本或 GA 版本中。
+如果你对此主题感兴趣，请联系 SIG Storage。
+
+<!--
+## Acknowledgements
+-->
+## 致谢
+
+<!--
+Thanks a lot to the members of the community who have contributed to this
+feature or given feedback including members of [SIG
+Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling),
+[SIG
+Autoscaling](https://github.com/kubernetes/community/tree/master/sig-autoscaling),
+and of course [SIG
+Storage](https://github.com/kubernetes/community/tree/master/sig-storage)!
+-->
+非常感谢为此功能做出贡献或提供反馈的 [SIG Scheduling](https://github.com/kubernetes/community/tree/master/sig-scheduling)、
+[SIG Autoscaling](https://github.com/kubernetes/community/tree/master/sig-autoscaling) 
+和 [SIG Storage](https://github.com/kubernetes/community/tree/master/sig-storage) 成员！
diff --git a/content/zh-cn/blog/_posts/2022-05-13-grpc-probes-in-beta.md b/content/zh-cn/blog/_posts/2022-05-13-grpc-probes-in-beta.md
new file mode 100644
index 0000000000000..657f768e31213
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-13-grpc-probes-in-beta.md
@@ -0,0 +1,343 @@
+---
+layout: blog
+title: "Kubernetes 1.24：gRPC 容器探针功能进入 Beta 阶段"
+date: 2022-05-13
+slug: grpc-probes-now-in-beta
+---
+<!--
+layout: blog
+title: "Kubernetes 1.24: gRPC container probes in beta"
+date: 2022-05-13
+slug: grpc-probes-now-in-beta
+-->
+
+<!--
+**Author**: Sergey Kanzhelev (Google)
+-->
+**作者**：Sergey Kanzhelev (Google)
+
+<!--
+With Kubernetes 1.24 the gRPC probes functionality entered beta and is available by default.
+Now you can configure startup, liveness, and readiness probes for your gRPC app
+without exposing any HTTP endpoint, nor do you need an executable. Kubernetes can natively connect to your your workload via gRPC and query its status.
+-->
+在 Kubernetes 1.24 中，gRPC 探针（probe）功能进入了 beta 阶段，默认情况下可用。
+现在，你可以为 gRPC 应用程序配置启动、活跃和就绪探测，而无需公开任何 HTTP 端点，
+也不需要可执行文件。Kubernetes 可以通过 gRPC 直接连接到你的工作负载并查询其状态。
+
+<!--
+## Some history
+
+It's useful to let the system managing your workload check that the app is
+healthy, has started OK, and whether the app considers itself good to accept
+traffic. Before the gRPC support was added, Kubernetes already allowed you to
+check for health based on running an executable from inside the container image,
+by making an HTTP request, or by checking whether a TCP connection succeeded.
+-->
+## 一些历史
+
+让管理你的工作负载的系统检查应用程序是否健康、启动是否正常，以及应用程序是否认为自己可以接收流量，是很有用的。
+在添加 gRPC 探针支持之前，Kubernetes 已经允许你通过从容器镜像内部运行可执行文件、发出 HTTP
+请求或检查 TCP 连接是否成功来检查健康状况。
+
+<!--
+For most apps, those checks are enough. If your app provides a gRPC endpoint
+for a health (or readiness) check, it is easy
+to repurpose the `exec` probe to use it for gRPC health checking.
+In the blog article [Health checking gRPC servers on Kubernetes](/blog/2018/10/01/health-checking-grpc-servers-on-kubernetes/),
+Ahmet Alp Balkan described how you can do that — a mechanism that still works today.
+-->
+对于大多数应用程序来说，这些检查就足够了。如果你的应用程序提供了用于运行状况（或准备就绪）检查的
+gRPC 端点，则很容易重新调整 `exec` 探针的用途，将其用于 gRPC 运行状况检查。
+在博文[在 Kubernetes 上对 gRPC 服务器进行健康检查](/zh-cn/blog/2018/10/01/health-checking-grpc-servers-on-kubernetes/)中，
+Ahmet Alp Balkan 描述了如何做到这一点 —— 这种机制至今仍在工作。
+
+<!--
+There is a commonly used tool to enable this that was [created](https://github.com/grpc-ecosystem/grpc-health-probe/commit/2df4478982e95c9a57d5fe3f555667f4365c025d)
+on August 21, 2018, and with
+the first release at [Sep 19, 2018](https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.1.0-alpha.1).
+-->
+2018 年 8 月 21 日所[创建](https://github.com/grpc-ecosystem/grpc-health-probe/commit/2df4478982e95c9a57d5fe3f555667f4365c025d)的一种常用工具可以启用此功能，
+工具于 [2018 年 9 月 19 日](https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.1.0-alpha.1)首次发布。
+
+<!--
+This approach for gRPC apps health checking is very popular. There are [3,626 Dockerfiles](https://github.com/search?l=Dockerfile&q=grpc_health_probe&type=code)
+with the `grpc_health_probe` and [6,621 yaml](https://github.com/search?l=YAML&q=grpc_health_probe&type=Code) files that are discovered with the
+basic search on GitHub (at the moment of writing). This is good indication of the tool popularity
+and the need to support this natively.
+-->
+这种 gRPC 应用健康检查的方法非常受欢迎。使用 GitHub 上的基本搜索，发现了带有 `grpc_health_probe`
+的 [3,626 个 Dockerfile 文件](https://github.com/search?l=Dockerfile&q=grpc_health_probe&type=code)和
+[6,621 个 yaml 文件](https://github.com/search?l=YAML&q=grpc_health_probe&type=Code)（在撰写本文时）。
+这很好地表明了该工具的受欢迎程度，以及对其本地支持的需求。
+
+<!--
+Kubernetes v1.23 introduced an alpha-quality implementation of native support for
+querying a workload status using gRPC. Because it was an alpha feature,
+this was disabled by default for the v1.23 release.
+-->
+Kubernetes v1.23 引入了一个 alpha 质量的实现，原生支持使用 gRPC 查询工作负载状态。
+因为这是一个 alpha 特性，所以在 1.23 版中默认是禁用的。
+
+<!--
+## Using the feature
+
+We built gRPC health checking in similar way with other probes and believe
+it will be [easy to use](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)
+if you are familiar with other probe types in Kubernetes.
+The natively supported health probe has many benefits over the workaround involving `grpc_health_probe` executable.
+-->
+## 使用该功能
+
+我们用与其他探针类似的方式构建了 gRPC 健康检查，相信如果你熟悉 Kubernetes 中的其他探针类型，
+它会[很容易使用](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)。
+与涉及 `grpc_health_probe` 可执行文件的解决办法相比，原生支持的健康探针有许多好处。
+
+<!--
+With the native gRPC support you don't need to download and carry `10MB` of an additional executable with your image.
+Exec probes are generally slower than a gRPC call as they require instantiating a new process to run an executable.
+It also makes the checks less sensible for edge cases when the pod is running at maximum resources and has troubles
+instantiating new processes.
+-->
+有了原生 gRPC 支持，你不需要在镜像中下载和携带 `10MB` 的额外可执行文件。
+Exec 探针通常比 gRPC 调用慢，因为它们需要实例化一个新进程来运行可执行文件。
+当 Pod 在最大资源下运行并且在实例化新进程时遇到困难时，它还使得对边界情况的检查变得不那么智能。
+
+<!--
+There are a few limitations though. Since configuring a client certificate for probes is hard,
+services that require client authentication are not supported. The built-in probes are also
+not checking the server certificates and ignore related problems.
+-->
+不过有一些限制。由于为探针配置客户端证书很难，因此不支持依赖客户端身份验证的服务。
+内置探针也不检查服务器证书，并忽略相关问题。
+
+<!--
+Built-in checks also cannot be configured to ignore certain types of errors
+(`grpc_health_probe` returns different exit codes for different errors),
+and cannot be "chained" to run the health check on multiple services in a single probe.
+-->
+内置检查也不能配置为忽略某些类型的错误（`grpc_health_probe` 针对不同的错误返回不同的退出代码），
+并且不能“串接”以在单个探测中对多个服务运行健康检查。
+
+<!--
+But all these limitations are quite standard for gRPC and there are easy workarounds
+for those.
+-->
+但是所有这些限制对于 gRPC 来说都是相当标准的，并且有简单的解决方法。
+
+<!--
+## Try it for yourself
+
+### Cluster-level setup
+
+You can try this feature today. To try native gRPC probes, you can spin up a Kubernetes cluster
+yourself with the `GRPCContainerProbe` feature gate enabled, there are many [tools available](/docs/tasks/tools/).
+-->
+## 自己试试
+
+### 集群级设置
+
+你现在可以尝试这个功能。要尝试原生 gRPC 探针，你可以自己启动一个启用了
+`GRPCContainerProbe` 特性门控的 Kubernetes 集群，可用的[工具](/zh-cn/docs/tasks/tools/)有很多。
+
+<!--
+Since the feature gate `GRPCContainerProbe` is enabled by default in 1.24,
+many vendors will have this functionality working out of the box.
+So you may just create an 1.24 cluster on platform of your choice. Some vendors
+allow to enable alpha features on 1.23 clusters.
+-->
+由于特性门控 `GRPCContainerProbe` 在 1.24 版本中是默认启用的，因此许多供应商支持此功能开箱即用。
+因此，你可以在自己选择的平台上创建 1.24 版本集群。一些供应商允许在 1.23 版本集群上启用 alpha 特性。
+
+<!--
+For example, at the moment of writing, you can spin up the test cluster on GKE for a quick test.
+Other vendors may also have similar capabilities, especially if you
+are reading this blog post long after the Kubernetes 1.24 release.
+-->
+例如，在编写本文时，你可以在 GKE 上运行测试集群来进行快速测试。
+其他供应商可能也有类似的功能，尤其是当你在 Kubernetes 1.24 版本发布很久后才阅读这篇博客时。
+
+<!--
+On GKE use the following command (note, version is `1.23` and `enable-kubernetes-alpha` are specified).
+-->
+在 GKE 上使用以下命令（注意，版本是 `1.23`，并且指定了 `enable-kubernetes-alpha`）。
+
+```shell
+gcloud container clusters create test-grpc \
+    --enable-kubernetes-alpha \
+    --no-enable-autorepair \
+    --no-enable-autoupgrade \
+    --release-channel=rapid \
+    --cluster-version=1.23
+```
+
+<!--
+You will also need to configure `kubectl` to access the cluster:
+-->
+你还需要配置 kubectl 来访问集群：
+
+```shell
+gcloud container clusters get-credentials test-grpc
+```
+
+<!--
+### Trying the feature out
+
+Let's create the pod to test how gRPC probes work. For this test we will use the `agnhost` image.
+This is a k8s maintained image with that can be used for all sorts of workload testing.
+For example, it has a useful [grpc-health-checking](https://github.com/kubernetes/kubernetes/blob/b2c5bd2a278288b5ef19e25bf7413ecb872577a4/test/images/agnhost/README.md#grpc-health-checking) module
+that exposes two ports - one is serving health checking service,
+another - http port to react on commands `make-serving` and `make-not-serving`.
+-->
+### 试用该功能
+
+让我们创建 Pod 来测试 gRPC 探针是如何工作的。对于这个测试，我们将使用 `agnhost` 镜像。
+这是一个 k8s 维护的镜像，可用于各种工作负载测试。例如，它有一个有用的
+[grpc-health-checking](https://github.com/kubernetes/kubernetes/blob/b2c5bd2a278288b5ef19e25bf7413ecb872577a4/test/images/agnhost/README.md#grpc-health-checking)
+模块，该模块暴露了两个端口：一个是提供健康检查服务的端口，另一个是对 `make-serving` 和
+`make-not-serving` 命令做出反应的 http 端口。
+
+<!--
+Here is an example pod definition. It starts the `grpc-health-checking` module,
+exposes ports `5000` and `8080`, and configures gRPC readiness probe:
+-->
+下面是一个 Pod 定义示例。它启用 `grpc-health-checking` 模块，暴露 5000 和 8080 端口，并配置 gRPC 就绪探针：
+
+``` yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-grpc
+spec:
+  containers:
+  - name: agnhost
+    image: k8s.gcr.io/e2e-test-images/agnhost:2.35
+    command: ["/agnhost", "grpc-health-checking"]
+    ports:
+    - containerPort: 5000
+    - containerPort: 8080
+    readinessProbe:
+      grpc:
+        port: 5000
+```
+
+<!--
+If the file called `test.yaml`, you can create the pod and check it's status.
+The pod will be in ready state as indicated by the snippet of the output.
+-->
+如果文件名为 `test.yaml`，你可以用以下命令创建 Pod，并检查它的状态。如输出片段所示，Pod 将处于就绪状态。
+
+```shell
+kubectl apply -f test.yaml
+kubectl describe test-grpc
+```
+
+<!--
+The output will contain something like this:
+-->
+输出将包含如下内容：
+
+```
+Conditions:
+  Type              Status
+  Initialized       True
+  Ready             True
+  ContainersReady   True
+  PodScheduled      True
+```
+
+<!--
+Now let's change the health checking endpoint status to NOT_SERVING.
+In order to call the http port of the Pod, let's create a port forward:
+-->
+现在让我们将健康检查端点状态更改为 `NOT_SERVING`。为了调用 Pod 的 http 端口，让我们创建一个端口转发：
+
+```shell
+kubectl port-forward test-grpc 8080:8080
+```
+
+<!--
+You can `curl` to call the command...
+-->
+你可以用 `curl` 来调用这个命令。
+
+```shell
+curl http://localhost:8080/make-not-serving
+```
+
+<!--
+... and in a few seconds the port status will switch to not ready.
+-->
+几秒钟后，端口状态将切换到未就绪。
+
+```shell
+kubectl describe pod test-grpc
+```
+
+<!--
+The output now will have:
+-->
+现在的输出将显示：
+
+```
+Conditions:
+  Type              Status
+  Initialized       True
+  Ready             False
+  ContainersReady   False
+  PodScheduled      True
+
+...
+
+  Warning  Unhealthy  2s (x6 over 42s)  kubelet            Readiness probe failed: service unhealthy (responded with "NOT_SERVING")
+```
+
+<!--
+Once it is switched back, in about one second the Pod will get back to ready status:
+-->
+一旦切换回来，Pod 将在大约一秒钟后恢复到就绪状态：
+
+``` bsh
+curl http://localhost:8080/make-serving
+kubectl describe test-grpc
+```
+
+<!--
+The output indicates that the Pod went back to being `Ready`:
+-->
+输出表明 Pod 恢复为 `Ready`：
+
+```
+Conditions:
+  Type              Status
+  Initialized       True
+  Ready             True
+  ContainersReady   True
+  PodScheduled      True
+```
+
+<!--
+This new built-in gRPC health probing on Kubernetes makes implementing a health-check via gRPC
+much easier than the older approach that relied on using a separate `exec` probe. Read through
+the official
+[documentation](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)
+to learn more and provide feedback before the feature will be promoted to GA.
+-->
+Kubernetes 上这种新的内置 gRPC 健康探测，使得通过 gRPC 实现健康检查比依赖使用额外的 `exec`
+探测的旧方法更容易。请阅读官方
+[文档](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)
+了解更多信息并在该功能正式发布（GA）之前提供反馈。
+
+<!--
+## Summary
+
+Kubernetes is a popular workload orchestration platform and we add features based on feedback and demand.
+Features like gRPC probes support is a minor improvement that will make life of many app developers
+easier and apps more resilient. Try it today and give feedback, before the feature went into GA.
+-->
+## 总结
+
+Kubernetes 是一个流行的工作负载编排平台，我们根据反馈和需求添加功能。
+像 gRPC 探针支持这样的特性是一个小的改进，它将使许多应用程序开发人员的生活更容易，应用程序更有弹性。
+在该功能 GA（正式发布）之前，现在就试试，并给出反馈。
diff --git a/content/zh-cn/blog/_posts/2022-05-16-volume-populators-beta.md b/content/zh-cn/blog/_posts/2022-05-16-volume-populators-beta.md
new file mode 100644
index 0000000000000..cb867f983733b
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-16-volume-populators-beta.md
@@ -0,0 +1,256 @@
+---
+layout: blog
+title: "Kubernetes 1.24: 卷填充器功能进入 Beta 阶段"
+date: 2022-05-16
+slug: volume-populators-beta
+---
+<!--
+layout: blog
+title: "Kubernetes 1.24: Volume Populators Graduate to Beta"
+date: 2022-05-16
+slug: volume-populators-beta
+-->
+
+<!--
+**Author:**
+Ben Swartzlander (NetApp)
+-->
+**作者：**
+Ben Swartzlander (NetApp)
+
+<!--
+The volume populators feature is now two releases old and entering beta! The `AnyVolumeDataSource` feature
+gate defaults to enabled in Kubernetes v1.24, which means that users can specify any custom resource
+as the data source of a PVC.
+-->
+卷填充器功能现在已经经历两个发行版本并进入 Beta 阶段！
+在 Kubernetes v1.24 中 `AnyVolumeDataSource` 特性门控默认被启用。
+这意味着用户可以指定任何自定义资源作为 PVC 的数据源。
+
+<!--
+An [earlier blog article](/blog/2021/08/30/volume-populators-redesigned/) detailed how the
+volume populators feature works. In short, a cluster administrator can install a CRD and
+associated populator controller in the cluster, and any user who can create instances of 
+the CR can create pre-populated volumes by taking advantage of the populator.
+-->
+[之前的一篇博客](/blog/2021/08/30/volume-populators-redesigned/)详细介绍了卷填充器功能的工作原理。
+简而言之，集群管理员可以在集群中安装 CRD 和相关的填充器控制器，
+任何可以创建 CR 实例的用户都可以利用填充器创建预填充卷。
+
+<!--
+Multiple populators can be installed side by side for different purposes. The SIG storage
+community is already seeing some implementations in public, and more prototypes should
+appear soon.
+-->
+出于不同的目的，可以一起安装多个填充器。存储 SIG 社区已经有了一些公开的实现，更多原型应该很快就会出现。
+
+<!--
+Cluster administrations are **strongly encouraged** to install the
+volume-data-source-validator controller and associated `VolumePopulator` CRD before installing
+any populators so that users can get feedback about invalid PVC data sources.
+-->
+**强烈建议**集群管理人员在安装任何填充器之前安装 volume-data-source-validator 控制器和相关的
+`VolumePopulator` CRD，以便用户可以获得有关无效 PVC 数据源的反馈。
+
+<!--
+## New Features
+-->
+## 新功能
+
+<!--
+The [lib-volume-populator](https://github.com/kubernetes-csi/lib-volume-populator) library
+on which populators are built now includes metrics to help operators monitor and detect
+problems. This library is now beta and latest release is v1.0.1.
+-->
+构建填充器的 [lib-volume-populator](https://github.com/kubernetes-csi/lib-volume-populator)
+库现在包含可帮助操作员监控和检测问题的指标。这个库现在是 beta 阶段，最新版本是 v1.0.1。
+
+<!--
+The [volume data source validator](https://github.com/kubernetes-csi/volume-data-source-validator)
+controller also has metrics support added, and is in beta. The `VolumePopulator` CRD is
+beta and the latest release is v1.0.1.
+-->
+[卷数据源校验器](https://github.com/kubernetes-csi/volume-data-source-validator)控制器也添加了指标支持，
+处于 beta 阶段。`VolumePopulator` CRD 是 beta 阶段，最新版本是 v1.0.1。
+
+<!--
+## Trying it out
+-->
+## 尝试一下
+
+<!--
+To see how this works, you can install the sample "hello" populator and try it
+out.
+-->
+要查看它是如何工作的，你可以安装 “hello” 示例填充器并尝试一下。
+
+<!--
+First install the volume-data-source-validator controller.
+-->
+首先安装 volume-data-source-validator 控制器。
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/volume-data-source-validator/v1.0.1/client/config/crd/populator.storage.k8s.io_volumepopulators.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/volume-data-source-validator/v1.0.1/deploy/kubernetes/rbac-data-source-validator.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/volume-data-source-validator/v1.0.1/deploy/kubernetes/setup-data-source-validator.yaml
+```
+<!--
+Next install the example populator.
+-->
+接下来安装 hello 示例填充器。
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/lib-volume-populator/v1.0.1/example/hello-populator/crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/lib-volume-populator/87a47467b86052819e9ad13d15036d65b9a32fbb/example/hello-populator/deploy.yaml
+```
+<!--
+Your cluster now has a new CustomResourceDefinition that provides a test API named Hello.
+Create an instance of the `Hello` custom resource, with some text:
+-->
+你的集群现在有一个新的 CustomResourceDefinition，它提供了一个名为 Hello 的测试 API。
+创建一个 `Hello` 自定义资源的实例，内容如下：
+
+```yaml
+apiVersion: hello.example.com/v1alpha1
+kind: Hello
+metadata:
+  name: example-hello
+spec:
+  fileName: example.txt
+  fileContents: Hello, world!
+```
+<!--
+Create a PVC that refers to that CR as its data source.
+-->
+创建一个将该 CR 引用为其数据源的 PVC。
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: example-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Mi
+  dataSourceRef:
+    apiGroup: hello.example.com
+    kind: Hello
+    name: example-hello
+  volumeMode: Filesystem
+```
+<!--
+Next, run a Job that reads the file in the PVC.
+-->
+接下来，运行一个读取 PVC 中文件的 Job。
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: example-job
+spec:
+  template:
+    spec:
+      containers:
+        - name: example-container
+          image: busybox:latest
+          command:
+            - cat
+            - /mnt/example.txt
+          volumeMounts:
+            - name: vol
+              mountPath: /mnt
+      restartPolicy: Never
+      volumes:
+        - name: vol
+          persistentVolumeClaim:
+            claimName: example-pvc
+```
+<!--
+Wait for the job to complete (including all of its dependencies).
+-->
+等待 Job 完成（包括其所有依赖项）。
+
+```shell
+kubectl wait --for=condition=Complete job/example-job
+```
+
+<!--
+And last examine the log from the job.
+-->
+最后检查 Job 中的日志。
+
+```shell
+kubectl logs job/example-job
+```
+<!--
+The output should be:
+-->
+输出应该是：
+
+```terminal
+Hello, world!
+```
+<!--
+Note that the volume already contained a text file with the string contents from
+the CR. This is only the simplest example. Actual populators can set up the volume
+to contain arbitrary contents.
+-->
+请注意，该卷已包含一个文本文件，其中包含来自 CR 的字符串内容。这只是最简单的例子。
+实际填充器可以将卷设置为包含任意内容。
+
+<!--
+## How to write your own volume populator
+-->
+## 如何编写自己的卷填充器
+
+<!--
+Developers interested in writing new poplators are encouraged to use the
+[lib-volume-populator](https://github.com/kubernetes-csi/lib-volume-populator) library
+and to only supply a small controller wrapper around the library, and a pod image
+capable of attaching to volumes and writing the appropriate data to the volume.
+-->
+鼓励有兴趣编写新的填充器的开发人员使用
+[lib-volume-populator](https://github.com/kubernetes-csi/lib-volume-populator) 库，
+只提供一个小型控制器，以及一个能够连接到卷并向卷写入适当数据的 Pod 镜像。
+
+<!--
+Individual populators can be extremely generic such that they work with every type
+of PVC, or they can do vendor specific things to rapidly fill a volume with data
+if the volume was provisioned by a specific CSI driver from the same vendor, for
+example, by communicating directly with the storage for that volume.
+-->
+单个填充器非常通用，它们可以与所有类型的 PVC 一起使用，
+或者如果卷是来自同一供应商的特定 CSI 驱动程序供应的，
+它们可以执行供应商特定的的操作以快速用数据填充卷，例如，通过通信直接使用该卷的存储。
+
+<!--
+## How can I learn more?
+-->
+## 我怎样才能了解更多？
+
+<!--
+The enhancement proposal,
+[Volume Populators](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1495-volume-populators), includes lots of detail about the history and technical implementation
+of this feature.
+-->
+增强提案，
+[卷填充器](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1495-volume-populators)，
+包含有关此功能的历史和技术实现的许多详细信息。
+
+<!--
+[Volume populators and data sources](/docs/concepts/storage/persistent-volumes/#volume-populators-and-data-sources), within the documentation topic about persistent volumes,
+explains how to use this feature in your cluster.
+-->
+[卷填充器与数据源](/zh-cn/docs/concepts/storage/persistent-volumes/#volume-populators-and-data-sources),
+在有关持久卷的文档主题中，解释了如何在集群中使用此功能。
+
+<!--
+Please get involved by joining the Kubernetes storage SIG to help us enhance this
+feature. There are a lot of good ideas already and we'd be thrilled to have more!
+-->
+请加入 Kubernetes 的存储 SIG，帮助我们增强这一功能。这里已经有很多好的主意了，我们很高兴能有更多！
+
diff --git a/content/zh-cn/blog/_posts/2022-05-18-prevent-unauthorised-volume-mode-conversion.md b/content/zh-cn/blog/_posts/2022-05-18-prevent-unauthorised-volume-mode-conversion.md
new file mode 100644
index 0000000000000..b4645b030d610
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-18-prevent-unauthorised-volume-mode-conversion.md
@@ -0,0 +1,203 @@
+---
+layout: blog
+title: 'Kubernetes 1.24: 防止未经授权的卷模式转换'
+date: 2022-05-18
+slug: prevent-unauthorised-volume-mode-conversion-alpha
+---
+
+<!--
+layout: blog
+title: 'Kubernetes 1.24: Prevent unauthorised volume mode conversion'
+date: 2022-05-18
+slug: prevent-unauthorised-volume-mode-conversion-alpha
+-->
+
+<!--
+**Author:** Raunak Pradip Shah (Mirantis)
+-->
+**作者：** Raunak Pradip Shah (Mirantis)
+
+<!--
+Kubernetes v1.24 introduces a new alpha-level feature that prevents unauthorised users 
+from modifying the volume mode of a [`PersistentVolumeClaim`](/docs/concepts/storage/persistent-volumes/) created from an 
+existing [`VolumeSnapshot`](/docs/concepts/storage/volume-snapshots/) in the Kubernetes cluster.  
+-->
+Kubernetes v1.24 引入了一个新的 alpha 级特性，可以防止未经授权的用户修改基于 Kubernetes
+集群中已有的 [`VolumeSnapshot`](/zh-cn/docs/concepts/storage/volume-snapshots/)
+创建的 [`PersistentVolumeClaim`](/zh-cn/docs/concepts/storage/persistent-volumes/) 的卷模式。
+
+<!--
+### The problem
+-->
+### 问题
+
+<!--
+The [Volume Mode](/docs/concepts/storage/persistent-volumes/#volume-mode) determines whether a volume 
+is formatted into a filesystem or presented as a raw block device.   
+-->
+[卷模式](/zh-cn/docs/concepts/storage/persistent-volumes/#volume-mode)确定卷是格式化为文件系统还是显示为原始块设备。
+
+<!--
+Users can leverage the `VolumeSnapshot` feature, which has been stable since Kubernetes v1.20, 
+to create a `PersistentVolumeClaim` (shortened as PVC) from an existing `VolumeSnapshot` in
+the Kubernetes cluster. The PVC spec includes a `dataSource` field, which can point to an 
+existing `VolumeSnapshot` instance.
+Visit [Create a PersistentVolumeClaim from a Volume Snapshot](/docs/concepts/storage/persistent-volumes/#create-persistent-volume-claim-from-volume-snapshot) for more details.
+-->
+用户可以使用自 Kubernetes v1.20 以来就稳定的 `VolumeSnapshot` 功能，
+基于 Kubernetes 集群中的已有的 `VolumeSnapshot` 创建一个 `PersistentVolumeClaim` (简称 PVC )。
+PVC 规约包括一个 `dataSource` 字段，它可以指向一个已有的 `VolumeSnapshot` 实例。
+查阅[基于卷快照创建 PVC](/zh-cn/docs/concepts/storage/persistent-volumes/#create-persistent-volume-claim-from-volume-snapshot)
+获取更多详细信息。
+
+<!--
+When leveraging the above capability, there is no logic that validates whether the mode of the
+original volume, whose snapshot was taken, matches the mode of the newly created volume.
+-->
+当使用上述功能时，没有逻辑来验证快照所在的原始卷的模式是否与新创建的卷的模式匹配。
+
+<!--
+This presents a security gap that allows malicious users to potentially exploit an 
+as-yet-unknown vulnerability in the host operating system.
+-->
+这引起了一个安全漏洞，允许恶意用户潜在地利用主机操作系统中的未知漏洞。
+
+<!--
+Many popular storage backup vendors convert the volume mode during the course of a 
+backup operation, for efficiency purposes, which prevents Kubernetes from blocking
+the operation completely and presents a challenge in distinguishing trusted
+users from malicious ones.
+-->
+为了提高效率，许多流行的存储备份供应商在备份操作过程中转换卷模式，
+这使得 Kubernetes 无法完全阻止该操作，并在区分受信任用户和恶意用户方面带来挑战。
+
+<!--
+### Preventing unauthorised users from converting the volume mode
+-->
+### 防止未经授权的用户转换卷模式
+
+<!--
+In this context, an authorised user is one who has access rights to perform `Update` 
+or `Patch` operations on `VolumeSnapshotContents`, which is a cluster-level resource.  
+It is upto the cluster administrator to provide these rights only to trusted users
+or applications, like backup vendors.
+-->
+在这种情况下，授权用户是指有权对 `VolumeSnapshotContents`（集群级资源）执行 `Update`
+或 `Patch` 操作的用户。集群管理员只能向受信任的用户或应用程序（如备份供应商）提供这些权限。
+
+<!--
+If the alpha feature is [enabled](https://kubernetes-csi.github.io/docs/) in 
+`snapshot-controller`, `snapshot-validation-webhook` and `external-provisioner`,
+then unauthorised users will not be allowed to modify the volume mode of a PVC
+when it is being created from a `VolumeSnapshot`.
+-->
+如果在 `snapshot-controller`、`snapshot-validation-webhook` 和
+`external-provisioner` 中[启用](https://kubernetes-csi.github.io/docs/)了这个 alpha
+特性，则基于 `VolumeSnapshot` 创建 PVC 时，将不允许未经授权的用户修改其卷模式。
+
+<!--
+To convert the volume mode, an authorised user must do the following:
+-->
+如要转换卷模式，授权用户必须执行以下操作：
+
+<!--
+1. Identify the `VolumeSnapshot` that is to be used as the data source for a newly 
+created PVC in the given namespace. 
+2. Identify the `VolumeSnapshotContent` bound to the above `VolumeSnapshot`.
+-->
+1. 确定要用作给定命名空间中新创建 PVC 的数据源的 `VolumeSnapshot`。
+2. 确定绑定到上面 `VolumeSnapshot` 的 `VolumeSnapshotContent`。
+
+   ```
+      kubectl get volumesnapshot -n <namespace>
+   ```
+<!--
+3. Add the annotation [`snapshot.storage.kubernetes.io/allowVolumeModeChange`](/docs/reference/labels-annotations-taints/#snapshot-storage-kubernetes-io-allowvolumemodechange)
+to the `VolumeSnapshotContent`. 
+-->
+3. 给 `VolumeSnapshotContent` 添加
+   [`snapshot.storage.kubernetes.io/allowVolumeModeChange`](/zh-cn/docs/reference/labels-annotations-taints/#snapshot-storage-kubernetes-io-allowvolumemodechange)
+   注解。
+
+<!--
+4.This annotation can be added either via software or manually by the authorised 
+user. The `VolumeSnapshotContent` annotation must look like following manifest fragment:
+-->
+4. 此注解可通过软件添加或由授权用户手动添加。`VolumeSnapshotContent` 注解必须类似于以下清单片段：
+
+    ```yaml
+       kind: VolumeSnapshotContent
+       metadata:
+         annotations:
+           - snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
+       ...
+    ```
+<!--
+**Note**: For pre-provisioned `VolumeSnapshotContents`, you must take an extra
+step of setting `spec.sourceVolumeMode` field to either `Filesystem` or `Block`,
+depending on the mode of the volume from which this snapshot was taken.
+-->
+**注意**：对于预先制备的 `VolumeSnapshotContents`，你必须采取额外的步骤设置 `spec.sourceVolumeMode`
+字段为 `Filesystem` 或 `Block`，这取决于快照所在卷的模式。
+
+<!--
+An example is shown below:
+-->
+如下为一个示例：
+
+```yaml
+   apiVersion: snapshot.storage.k8s.io/v1
+   kind: VolumeSnapshotContent
+   metadata:
+     annotations:
+     - snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
+     name: new-snapshot-content-test
+   spec:
+     deletionPolicy: Delete
+     driver: hostpath.csi.k8s.io
+     source:
+       snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002
+     sourceVolumeMode: Filesystem
+     volumeSnapshotRef:
+       name: new-snapshot-test
+       namespace: default
+```
+
+<!--
+Repeat steps 1 to 3 for all `VolumeSnapshotContents` whose volume mode needs to be 
+converted during a backup or restore operation.
+-->
+对于在备份或恢复操作期间需要转换卷模式的所有 `VolumeSnapshotContents`，重复步骤 1 到 3。
+
+<!--
+If the annotation shown in step 4 above is present on a `VolumeSnapshotContent`
+object, Kubernetes will not prevent the volume mode from being converted.
+Users should keep this in mind before they attempt to add the annotation 
+to any `VolumeSnapshotContent`. 
+-->
+如果 `VolumeSnapshotContent` 对象上存在上面步骤 4 中显示的注解，Kubernetes 将不会阻止转换卷模式。
+用户在尝试将注解添加到任何 `VolumeSnapshotContent` 之前，应该记住这一点。
+
+<!--
+### What's next
+-->
+### 接下来
+
+<!--
+[Enable this feature](https://kubernetes-csi.github.io/docs/) and let us know 
+what you think!
+-->
+[启用此特性](https://kubernetes-csi.github.io/docs/)并让我们知道你的想法!
+
+<!--
+We hope this feature causes no disruption to existing workflows while preventing
+malicious users from exploiting security vulnerabilities in their clusters. 
+-->
+我们希望此功能不会中断现有工作流程，同时防止恶意用户利用集群中的安全漏洞。
+
+<!--
+For any issues, create a thread in the #sig-storage slack channel or an issue
+in the CSI external-snapshotter [repository](https://github.com/kubernetes-csi/external-snapshotter).
+-->
+若有任何问题，请在 #sig-storage slack 频道中创建一个会话，
+或在 CSI 外部快照存储[仓库](https://github.com/kubernetes-csi/external-snapshotter)中报告一个 issue。
\ No newline at end of file
diff --git a/content/zh-cn/blog/_posts/2022-05-23-service-ip-dynamic-and-static-allocation.md b/content/zh-cn/blog/_posts/2022-05-23-service-ip-dynamic-and-static-allocation.md
new file mode 100644
index 0000000000000..b3b8b9cb4bb91
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-23-service-ip-dynamic-and-static-allocation.md
@@ -0,0 +1,268 @@
+---
+layout: blog
+title: "Kubernetes 1.24: 避免为 Services 分配 IP 地址时发生冲突"
+date: 2022-05-23
+slug: service-ip-dynamic-and-static-allocation
+---
+<!--
+layout: blog
+title: "Kubernetes 1.24: Avoid Collisions Assigning IP Addresses to Services"
+date: 2022-05-23
+slug: service-ip-dynamic-and-static-allocation
+-->
+
+<!--
+**Author:** Antonio Ojea (Red Hat)
+-->
+**作者：** Antonio Ojea (Red Hat)
+
+<!--
+In Kubernetes, [Services](/docs/concepts/services-networking/service/) are an abstract way to expose
+an application running on a set of Pods. Services
+can have a cluster-scoped virtual IP address (using a Service of `type: ClusterIP`).
+Clients can connect using that virtual IP address, and Kubernetes then load-balances traffic to that
+Service across the different backing Pods.
+-->
+在 Kubernetes 中，[Services](/zh-cn/docs/concepts/services-networking/service/)
+是一种抽象，用来暴露运行在一组 Pod 上的应用。
+Service 可以有一个集群范围的虚拟 IP 地址（使用 `type: ClusterIP` 的 Service）。
+客户端可以使用该虚拟 IP 地址进行连接， Kubernetes 为对该 Service 的访问流量提供负载均衡，以访问不同的后端 Pod。
+
+<!--
+## How Service ClusterIPs are allocated?
+-->
+## Service ClusterIP 是如何分配的？
+
+<!--
+A Service `ClusterIP` can be assigned:
+-->
+Service `ClusterIP` 有如下分配方式：
+
+<!--
+_dynamically_
+: the cluster's control plane automatically picks a free IP address from within the configured IP range for `type: ClusterIP` Services.
+-->
+**动态**
+：群集的控制平面会自动从配置的 IP 范围内为 `type:ClusterIP` 的 Service 选择一个空闲 IP 地址。
+
+<!--
+_statically_
+: you specify an IP address of your choice, from within the configured IP range for Services.
+-->
+**静态**
+：你可以指定一个来自 Service 配置的 IP 范围内的 IP 地址。
+
+<!--
+Across your whole cluster, every Service `ClusterIP` must be unique.
+Trying to create a Service with a specific `ClusterIP` that has already
+been allocated will return an error.
+-->
+在整个集群中，每个 Service 的 `ClusterIP` 必须是唯一的。
+尝试创建一个已经被分配了的 `ClusterIP` 的 Service 将会返回错误。
+
+<!--
+## Why do you need to reserve Service Cluster IPs?
+-->
+## 为什么需要预留 Service Cluster IP？
+
+<!--
+Sometimes you may want to have Services running in well-known IP addresses, so other components and
+users in the cluster can use them.
+-->
+有时，你可能希望让 Service 运行在众所周知的 IP 地址上，以便集群中的其他组件和用户可以使用它们。
+
+<!--
+The best example is the DNS Service for the cluster. Some Kubernetes installers assign the 10th address from
+the Service IP range to the DNS service. Assuming you configured your cluster with Service IP range
+10.96.0.0/16 and you want your DNS Service IP to be 10.96.0.10, you'd have to create a Service like
+this:
+-->
+最好的例子是集群的 DNS Service。一些 Kubernetes 安装程序将 Service IP 范围中的第 10 个地址分配给 DNS Service。
+假设你配置集群 Service IP 范围是 10.96.0.0/16，并且希望 DNS Service IP 为 10.96.0.10，
+那么你必须创建一个如下所示的 Service：
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: CoreDNS
+  name: kube-dns
+  namespace: kube-system
+spec:
+  clusterIP: 10.96.0.10
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+    targetPort: 53
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+    targetPort: 53
+  selector:
+    k8s-app: kube-dns
+  type: ClusterIP
+```
+
+<!--
+but as I explained before, the IP address 10.96.0.10 has not been reserved; if other Services are created
+before or in parallel with dynamic allocation, there is a chance they can allocate this IP, hence,
+you will not be able to create the DNS Service because it will fail with a conflict error.
+-->
+但正如我之前解释的，IP 地址 10.96.0.10 没有被保留；
+如果其他 Service 在动态分配之前创建或与动态分配并行创建，则它们有可能分配此 IP 地址，
+因此，你将无法创建 DNS Service，因为它将因冲突错误而失败。
+
+<!--
+## How can you avoid Service ClusterIP conflicts? {#avoid-ClusterIP-conflict}
+-->
+## 如何避免 Service ClusterIP 冲突？ {#avoid-ClusterIP-conflict}
+
+<!--
+In Kubernetes 1.24, you can enable a new feature gate `ServiceIPStaticSubrange`.
+Turning this on allows you to use a different IP
+allocation strategy for Services, reducing the risk of collision.
+-->
+在 Kubernetes 1.24 中，你可以启用一个新的特性门控 `ServiceIPStaticSubrange`。
+启用此特性允许你为 Service 使用不同的 IP 分配策略，减少冲突的风险。
+
+<!--
+The `ClusterIP` range will be divided, based on the formula `min(max(16, cidrSize / 16), 256)`,
+described as _never less than 16 or more than 256 with a graduated step between them_.
+-->
+`ClusterIP` 范围将根据公式 `min(max(16, cidrSize / 16), 256)` 进行划分，
+该公式可描述为 “在不小于 16 且不大于 256 之间有一个步进量（Graduated Step）”。
+
+<!--
+Dynamic IP assignment will use the upper band by default, once this has been exhausted it will
+use the lower range. This will allow users to use static allocations on the lower band with a low
+risk of collision.
+-->
+分配默认使用上半段地址，当上半段地址耗尽后，将使用下半段地址范围。
+这将允许用户使用下半段地址中静态分配的地址并且降低冲突的风险。
+
+<!--
+Examples:
+-->
+举例：
+
+<!--
+#### Service IP CIDR block: 10.96.0.0/24
+-->
+#### Service IP CIDR 地址段： 10.96.0.0/24
+
+<!--
+Range Size: 2<sup>8</sup> - 2 = 254  
+Band Offset: `min(max(16,256/16),256)` = `min(16,256)` = 16  
+Static band start: 10.96.0.1  
+Static band end: 10.96.0.16  
+Range end: 10.96.0.254   
+-->
+地址段大小：2<sup>8</sup> - 2 = 254  
+地址段偏移：`min(max(16,256/16),256)` = `min(16,256)` = 16  
+静态地址段起点：10.96.0.1  
+静态地址段终点：10.96.0.16  
+地址范围终点：10.96.0.254
+
+<!--
+{{< mermaid >}}
+pie showData
+    title 10.96.0.0/24
+    "Static" : 16
+    "Dynamic" : 238
+{{< /mermaid >}}
+-->
+{{< mermaid >}}
+pie showData
+title 10.96.0.0/24
+"静态" : 16
+"动态" : 238
+{{< /mermaid >}}
+
+<!--
+#### Service IP CIDR block: 10.96.0.0/20
+-->
+#### Service IP CIDR 地址段： 10.96.0.0/20
+
+<!--
+Range Size: 2<sup>12</sup> - 2 = 4094  
+Band Offset: `min(max(16,4094/16),256)` = `min(256,256)` = 256  
+Static band start: 10.96.0.1  
+Static band end: 10.96.1.0  
+Range end: 10.96.15.254  
+-->
+地址段大小：2<sup>12</sup> - 2 = 4094  
+地址段偏移：`min(max(16,4094/16),256)` = `min(256,256)` = 256  
+静态地址段起点：10.96.0.1  
+静态地址段终点：10.96.1.0  
+地址范围终点：10.96.15.254
+
+<!--
+{{< mermaid >}}
+pie showData
+    title 10.96.0.0/20
+    "Static" : 256
+    "Dynamic" : 3838
+{{< /mermaid >}}
+-->
+{{< mermaid >}}
+pie showData
+title 10.96.0.0/20
+"静态" : 256
+"动态" : 3838
+{{< /mermaid >}}
+
+<!--
+#### Service IP CIDR block: 10.96.0.0/16
+-->
+#### Service IP CIDR 地址段： 10.96.0.0/16
+
+<!--
+Range Size: 2<sup>16</sup> - 2 = 65534  
+Band Offset: `min(max(16,65536/16),256)` = `min(4096,256)` = 256  
+Static band start: 10.96.0.1  
+Static band ends: 10.96.1.0  
+Range end: 10.96.255.254  
+-->
+地址段大小：2<sup>16</sup> - 2 = 65534  
+地址段偏移：`min(max(16,65536/16),256)` = `min(4096,256)` = 256  
+静态地址段起点：10.96.0.1  
+静态地址段终点：10.96.1.0  
+地址范围终点：10.96.255.254
+
+<!--
+{{< mermaid >}}
+pie showData
+    title 10.96.0.0/16
+    "Static" : 256
+    "Dynamic" : 65278
+{{< /mermaid >}}
+-->
+{{< mermaid >}}
+pie showData
+title 10.96.0.0/16
+"静态" : 256
+"动态" : 65278
+{{< /mermaid >}}
+
+<!--
+## Get involved with SIG Network
+-->
+## 加入 SIG Network
+
+<!--
+The current SIG-Network [KEPs](https://github.com/orgs/kubernetes/projects/10) and [issues](https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Asig%2Fnetwork) on GitHub illustrate the SIG’s areas of emphasis.
+-->
+当前 SIG-Network 在 GitHub 上的 [KEPs](https://github.com/orgs/kubernetes/projects/10) 和
+[issues](https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Asig%2Fnetwork)
+表明了该 SIG 的重点领域。
+
+<!--
+[SIG Network meetings](https://github.com/kubernetes/community/tree/master/sig-network) are a friendly, welcoming venue for you to connect with the community and share your ideas.
+Looking forward to hearing from you!
+-->
+[SIG Network 会议](https://github.com/kubernetes/community/tree/master/sig-network)是一个友好、热情的场所，
+你可以与社区联系并分享你的想法。期待你的回音！
diff --git a/content/zh-cn/blog/_posts/2022-05-27-maxunavailable-for-statefulset.md b/content/zh-cn/blog/_posts/2022-05-27-maxunavailable-for-statefulset.md
new file mode 100644
index 0000000000000..a0565b93f8191
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-05-27-maxunavailable-for-statefulset.md
@@ -0,0 +1,239 @@
+---
+layout: blog
+title: 'Kubernetes 1.24: StatefulSet 的最大不可用副本数'
+date: 2022-05-27
+slug: maxunavailable-for-statefulset
+---
+<!--
+layout: blog
+title: 'Kubernetes 1.24: Maximum Unavailable Replicas for StatefulSet'
+date: 2022-05-27
+slug: maxunavailable-for-statefulset
+
+**Author:** Mayank Kumar (Salesforce)
+-->
+**作者：** Mayank Kumar (Salesforce)
+
+<!--
+Kubernetes [StatefulSets](/docs/concepts/workloads/controllers/statefulset/), since their introduction in 
+1.5 and becoming stable in 1.9, have been widely used to run stateful applications. They provide stable pod identity, persistent
+per pod storage and ordered graceful deployment, scaling and rolling updates. You can think of StatefulSet as the atomic building
+block for running complex stateful applications. As the use of Kubernetes has grown, so has the number of scenarios requiring
+StatefulSets. Many of these scenarios, require faster rolling updates than the currently supported one-pod-at-a-time updates, in the 
+case where you're using the `OrderedReady` Pod management policy for a StatefulSet.
+-->
+Kubernetes [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)，
+自 1.5 版本中引入并在 1.9 版本中变得稳定以来，已被广泛用于运行有状态应用。它提供固定的 Pod 身份标识、
+每个 Pod 的持久存储以及 Pod 的有序部署、扩缩容和滚动更新功能。你可以将 StatefulSet
+视为运行复杂有状态应用程序的原子构建块。随着 Kubernetes 的使用增多，需要 StatefulSet 的场景也越来越多。
+当 StatefulSet 的 Pod 管理策略为 `OrderedReady` 时，其中许多场景需要比当前所支持的一次一个 Pod
+的更新更快的滚动更新。
+
+<!--
+Here are some examples:
+
+-  I am using a StatefulSet to orchestrate a multi-instance, cache based application where the size of the cache is large. The cache 
+   starts cold and requires some siginificant amount of time before the container can start. There could be more initial startup tasks
+   that are required. A RollingUpdate on this StatefulSet would take a lot of time before the application is fully updated. If the 
+   StatefulSet supported updating more than one pod at a time, it would result in a much faster update.
+-->
+这里有些例子：
+
+- 我使用 StatefulSet 来编排一个基于缓存的多实例应用程序，其中缓存的规格很大。
+  缓存冷启动，需要相当长的时间才能启动容器。所需要的初始启动任务有很多。在应用程序完全更新之前，
+  此 StatefulSet 上的 RollingUpdate 将花费大量时间。如果 StatefulSet 支持一次更新多个 Pod，
+  那么更新速度会快得多。
+
+<!--
+- My stateful application is composed of leaders and followers or one writer and multiple readers. I have multiple readers or 
+   followers and my application can tolerate multiple pods going down at the same time. I want to update this application more than
+   one pod at a time so that i get the new updates rolled out quickly, especially if the number of instances of my application are
+   large. Note that my application still requires unique identity per pod.
+-->
+- 我的有状态应用程序由 leader 和 follower 或者一个 writer 和多个 reader 组成。
+  我有多个 reader 或 follower，并且我的应用程序可以容忍多个 Pod 同时出现故障。
+  我想一次更新这个应用程序的多个 Pod，特别是当我的应用程序实例数量很多时，这样我就能快速推出新的更新。
+  注意，我的应用程序仍然需要每个 Pod 具有唯一标识。
+
+<!--
+In order to support such scenarios, Kubernetes 1.24 includes a new alpha feature to help. Before you can use the new feature you must
+enable the `MaxUnavailableStatefulSet` feature flag. Once you enable that, you can specify a new field called `maxUnavailable`, part 
+of the `spec` for a StatefulSet. For example: 
+-->
+为了支持这样的场景，Kubernetes 1.24 提供了一个新的 alpha 特性。在使用新特性之前，必须启用
+`MaxUnavailableStatefulSet` 特性标志。一旦启用，就可以指定一个名为 `maxUnavailable` 的新字段，
+这是 StatefulSet `spec` 的一部分。例如：
+
+```
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: web
+  namespace: default
+spec:
+  podManagementPolicy: OrderedReady  # 你必须设为 OrderedReady
+  replicas: 5
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: k8s.gcr.io/nginx-slim:0.8
+        imagePullPolicy: IfNotPresent
+        name: nginx
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 2 # 这是 alpha 特性的字段，默认值是 1
+      partition: 0
+    type: RollingUpdate
+```
+
+<!--
+If you enable the new feature and you don't specify a value for `maxUnavailable` in a StatefulSet, Kubernetes applies a default
+`maxUnavailable: 1`. This matches the behavior you would see if you don't enable the new feature.
+-->
+如果你启用了新特性，但没有在 StatefulSet 中指定 `maxUnavailable` 的值，Kubernetes
+会默认设置 `maxUnavailable: 1`。这与你不启用新特性时看到的行为是一致的。
+
+<!--
+I'll run through a scenario based on that example manifest to demonstrate how this feature works. I will deploy a StatefulSet that
+has 5 replicas, with `maxUnavailable` set to 2 and `partition` set to 0.
+-->
+我将基于该示例清单做场景演练，以演示此特性是如何工作的。我将部署一个有 5 个副本的 StatefulSet，
+`maxUnavailable` 设置为 2 并将 `partition` 设置为 0。
+
+<!--
+I can trigger a rolling update by changing the image to `k8s.gcr.io/nginx-slim:0.9`. Once I initiate the rolling update, I can 
+watch the pods update 2 at a time as the current value of maxUnavailable is 2. The below output shows a span of time and is not 
+complete.  The maxUnavailable can be an absolute number (for example, 2) or a percentage of desired Pods (for example, 10%). The 
+absolute number is calculated from percentage by rounding down. 
+-->
+我可以通过将镜像更改为 `k8s.gcr.io/nginx-slim:0.9` 来触发滚动更新。一旦开始滚动更新，
+就可以看到一次更新 2 个 Pod，因为 `maxUnavailable` 的当前值是 2。
+下面的输出显示了一个时间段内的结果，但并不是完整过程。`maxUnavailable` 可以是绝对数值（例如 2）或所需 Pod
+的百分比（例如 10%），绝对数是通过百分比计算结果进行四舍五入得出的。
+
+```
+kubectl get pods --watch 
+```
+
+```
+NAME    READY   STATUS    RESTARTS   AGE
+web-0   1/1     Running   0          85s
+web-1   1/1     Running   0          2m6s
+web-2   1/1     Running   0          106s
+web-3   1/1     Running   0          2m47s
+web-4   1/1     Running   0          2m27s
+web-4   1/1     Terminating   0          5m43s ----> start terminating 4
+web-3   1/1     Terminating   0          6m3s  ----> start terminating 3
+web-3   0/1     Terminating   0          6m7s
+web-3   0/1     Pending       0          0s
+web-3   0/1     Pending       0          0s
+web-4   0/1     Terminating   0          5m48s
+web-4   0/1     Terminating   0          5m48s
+web-3   0/1     ContainerCreating   0          2s
+web-3   1/1     Running             0          2s
+web-4   0/1     Pending             0          0s
+web-4   0/1     Pending             0          0s
+web-4   0/1     ContainerCreating   0          0s
+web-4   1/1     Running             0          1s
+web-2   1/1     Terminating         0          5m46s ----> start terminating 2 (only after both 4 and 3 are running)
+web-1   1/1     Terminating         0          6m6s  ----> start terminating 1
+web-2   0/1     Terminating         0          5m47s
+web-1   0/1     Terminating         0          6m7s
+web-1   0/1     Pending             0          0s
+web-1   0/1     Pending             0          0s
+web-1   0/1     ContainerCreating   0          1s
+web-1   1/1     Running             0          2s
+web-2   0/1     Pending             0          0s
+web-2   0/1     Pending             0          0s
+web-2   0/1     ContainerCreating   0          0s
+web-2   1/1     Running             0          1s
+web-0   1/1     Terminating         0          6m6s ----> start terminating 0 (only after 2 and 1 are running)
+web-0   0/1     Terminating         0          6m7s
+web-0   0/1     Pending             0          0s
+web-0   0/1     Pending             0          0s
+web-0   0/1     ContainerCreating   0          0s
+web-0   1/1     Running             0          1s
+```
+<!--
+Note that as soon as the rolling update starts, both 4 and 3 (the two highest ordinal pods) start terminating at the same time. Pods 
+with ordinal 4 and 3 may become ready at their own pace. As soon as both pods 4 and 3 are ready, pods 2 and 1 start terminating at the
+same time. When pods 2 and 1 are both running and ready, pod 0 starts terminating. 
+-->
+注意，滚动更新一开始，4 和 3（两个最高序号的 Pod）同时开始进入 `Terminating` 状态。
+Pod 4 和 3 会按照自身节奏进行更新。一旦 Pod 4 和 3 更新完毕后，Pod 2 和 1 会同时进入
+`Terminating` 状态。当 Pod 2 和 1 都准备完毕处于 `Running` 状态时，Pod 0 开始进入 `Terminating` 状态
+
+<!--
+In Kubernetes, updates to StatefulSets follow a strict ordering when updating Pods. In this example, the update starts at replica 4, then
+replica 3, then replica 2, and so on, one pod at a time. When going one pod at a time, its not possible for 3 to be running and ready 
+before 4. When `maxUnavailable` is more than 1 (in the example scenario I set `maxUnavailable` to 2), it is possible that replica 3 becomes 
+ready and running before replica 4 is ready&mdash;and that is ok. If you're a developer and you set `maxUnavailable` to more than 1, you should 
+know that this outcome is possible and you must ensure that your application is able to handle such ordering issues that occur
+if any. When you set `maxUnavailable` greater than 1, the ordering is guaranteed in between each batch of pods being updated. That guarantee
+means that pods in update batch 2 (replicas 2 and 1) cannot start updating until the pods from batch 0 (replicas 4 and 3) are ready.
+-->
+在 Kubernetes 中，StatefulSet 更新 Pod 时遵循严格的顺序。在此示例中，更新从副本 4 开始，
+然后是副本 3，然后是副本 2，以此类推，一次更新一个 Pod。当一次只更新一个 Pod 时，
+副本 3 不可能在副本 4 之前准备好进入 `Running` 状态。当 `maxUnavailable` 值
+大于 1 时（在示例场景中我设置 `maxUnavailable` 值为 2），副本 3 可能在副本 4 之前准备好并运行，
+这是没问题的。如果你是开发人员并且设置 `maxUnavailable` 值大于 1，你应该知道可能出现这种情况，
+并且如果有这种情况的话，你必须确保你的应用程序能够处理发生的此类顺序问题。当你设置 `maxUnavailable`
+值大于 1 时，更新 Pod 的批次之间会保证顺序。该保证意味着在批次 0（副本 4 和 3）中的 Pod
+准备好之前，更新批次 2（副本 2 和 1）中的 Pod 无法开始更新。
+
+<!--
+Although Kubernetes refers to these as _replicas_, your stateful application may have a different view and each pod of the StatefulSet may
+be holding completely different data than other pods. The important thing here is that updates to StatefulSets happen in batches, and you can
+now have a batch size larger than 1 (as an alpha feature).
+-->
+尽管 Kubernetes 将这些称为**副本**，但你的有状态应用程序可能不这样理解，StatefulSet 的每个
+Pod 可能持有与其他 Pod 完全不同的数据。重要的是，StatefulSet 的更新是分批进行的，
+你现在让批次大小大于 1（作为 alpha 特性）。
+
+<!--
+Also note, that the above behavior is with `podManagementPolicy: OrderedReady`. If you defined a StatefulSet as `podManagementPolicy: Parallel`,
+not only `maxUnavailable` number of replicas are terminated at the same time; `maxUnavailable` number of replicas start in `ContainerCreating`
+phase at the same time as well. This is called bursting.
+-->
+还要注意，上面的行为采用的 Pod 管理策略是 `podManagementPolicy: OrderedReady`。
+如果你的 StatefulSet 的 Pod 管理策略是 `podManagementPolicy: Parallel`，
+那么不仅是 `maxUnavailable` 数量的副本同时被终止，还会导致 `maxUnavailable` 数量的副本同时在
+`ContainerCreating` 阶段。这就是所谓的突发（Bursting）。
+
+<!--
+So, now you may have a lot of questions about:-
+- What is the behavior when you set `podManagementPolicy: Parallel`?
+- What is the behavior when `partition` to a value other than `0`?
+-->
+因此，现在你可能有很多关于以下方面的问题：
+- 当设置 `podManagementPolicy:Parallel` 时，会产生什么行为？
+- 将 `partition` 设置为非 `0` 值时会发生什么？
+
+<!--
+It might be better to try and see it for yourself. This is an alpha feature, and the Kubernetes contributors are looking for feedback on this feature. Did
+this help you achieve your stateful scenarios Did you find a bug or do you think the behavior as implemented is not intuitive or can
+break applications or catch them by surprise? Please [open an issue](https://github.com/kubernetes/kubernetes/issues) to let us know.
+-->
+自己试试看可能会更好。这是一个 alpha 特性，Kubernetes 贡献者正在寻找有关此特性的反馈。
+这是否有助于你实现有状态的场景？你是否发现了一个 bug，或者你认为实现的行为不直观易懂，
+或者它可能会破坏应用程序或让他们感到吃惊？请[登记一个 issue](https://github.com/kubernetes/kubernetes/issues)
+告知我们。
+
+<!--
+## Further reading and next steps {#next-steps}
+- [Maximum unavailable Pods](/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods)
+- [KEP for MaxUnavailable for StatefulSet](https://github.com/kubernetes/enhancements/tree/master/keps/sig-apps/961-maxunavailable-for-statefulset)
+- [Implementation](https://github.com/kubernetes/kubernetes/pull/82162/files)
+- [Enhancement Tracking Issue](https://github.com/kubernetes/enhancements/issues/961)
+-->
+## 进一步阅读和后续步骤 {#next-steps}
+- [最多不可用 Pod 数](/zh-cn/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods)
+- [KEP for MaxUnavailable for StatefulSet](https://github.com/kubernetes/enhancements/tree/master/keps/sig-apps/961-maxunavailable-for-statefulset)
+- [代码实现](https://github.com/kubernetes/kubernetes/pull/82162/files)
+- [增强跟踪 Issue](https://github.com/kubernetes/enhancements/issues/961)
\ No newline at end of file
diff --git a/content/zh/case-studies/_index.html b/content/zh-cn/case-studies/_index.html
similarity index 100%
rename from content/zh/case-studies/_index.html
rename to content/zh-cn/case-studies/_index.html
diff --git a/content/zh/case-studies/adform/adform_featured_logo.png b/content/zh-cn/case-studies/adform/adform_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/adform/adform_featured_logo.png
rename to content/zh-cn/case-studies/adform/adform_featured_logo.png
diff --git a/content/zh/case-studies/adform/index.html b/content/zh-cn/case-studies/adform/index.html
similarity index 100%
rename from content/zh/case-studies/adform/index.html
rename to content/zh-cn/case-studies/adform/index.html
diff --git a/content/zh/case-studies/adidas/adidas-featured.svg b/content/zh-cn/case-studies/adidas/adidas-featured.svg
similarity index 100%
rename from content/zh/case-studies/adidas/adidas-featured.svg
rename to content/zh-cn/case-studies/adidas/adidas-featured.svg
diff --git a/content/zh/case-studies/adidas/index.html b/content/zh-cn/case-studies/adidas/index.html
similarity index 100%
rename from content/zh/case-studies/adidas/index.html
rename to content/zh-cn/case-studies/adidas/index.html
diff --git a/content/zh/case-studies/amadeus/amadeus_featured.png b/content/zh-cn/case-studies/amadeus/amadeus_featured.png
similarity index 100%
rename from content/zh/case-studies/amadeus/amadeus_featured.png
rename to content/zh-cn/case-studies/amadeus/amadeus_featured.png
diff --git a/content/zh/case-studies/amadeus/amadeus_logo.png b/content/zh-cn/case-studies/amadeus/amadeus_logo.png
similarity index 100%
rename from content/zh/case-studies/amadeus/amadeus_logo.png
rename to content/zh-cn/case-studies/amadeus/amadeus_logo.png
diff --git a/content/zh/case-studies/amadeus/index.html b/content/zh-cn/case-studies/amadeus/index.html
similarity index 100%
rename from content/zh/case-studies/amadeus/index.html
rename to content/zh-cn/case-studies/amadeus/index.html
diff --git a/content/zh/case-studies/ancestry/ancestry_featured.png b/content/zh-cn/case-studies/ancestry/ancestry_featured.png
similarity index 100%
rename from content/zh/case-studies/ancestry/ancestry_featured.png
rename to content/zh-cn/case-studies/ancestry/ancestry_featured.png
diff --git a/content/zh/case-studies/ancestry/ancestry_logo.png b/content/zh-cn/case-studies/ancestry/ancestry_logo.png
similarity index 100%
rename from content/zh/case-studies/ancestry/ancestry_logo.png
rename to content/zh-cn/case-studies/ancestry/ancestry_logo.png
diff --git a/content/zh/case-studies/ancestry/index.html b/content/zh-cn/case-studies/ancestry/index.html
similarity index 100%
rename from content/zh/case-studies/ancestry/index.html
rename to content/zh-cn/case-studies/ancestry/index.html
diff --git a/content/zh/case-studies/ant-financial/ant-financial_featured_logo.png b/content/zh-cn/case-studies/ant-financial/ant-financial_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/ant-financial/ant-financial_featured_logo.png
rename to content/zh-cn/case-studies/ant-financial/ant-financial_featured_logo.png
diff --git a/content/zh/case-studies/ant-financial/index.html b/content/zh-cn/case-studies/ant-financial/index.html
similarity index 100%
rename from content/zh/case-studies/ant-financial/index.html
rename to content/zh-cn/case-studies/ant-financial/index.html
diff --git a/content/zh/case-studies/appdirect/appdirect_featured_logo.png b/content/zh-cn/case-studies/appdirect/appdirect_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/appdirect/appdirect_featured_logo.png
rename to content/zh-cn/case-studies/appdirect/appdirect_featured_logo.png
diff --git a/content/zh/case-studies/appdirect/index.html b/content/zh-cn/case-studies/appdirect/index.html
similarity index 100%
rename from content/zh/case-studies/appdirect/index.html
rename to content/zh-cn/case-studies/appdirect/index.html
diff --git a/content/zh/case-studies/babylon/babylon_featured_logo.png b/content/zh-cn/case-studies/babylon/babylon_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/babylon/babylon_featured_logo.png
rename to content/zh-cn/case-studies/babylon/babylon_featured_logo.png
diff --git a/content/zh/case-studies/babylon/babylon_featured_logo.svg b/content/zh-cn/case-studies/babylon/babylon_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/babylon/babylon_featured_logo.svg
rename to content/zh-cn/case-studies/babylon/babylon_featured_logo.svg
diff --git a/content/zh/case-studies/babylon/index.html b/content/zh-cn/case-studies/babylon/index.html
similarity index 100%
rename from content/zh/case-studies/babylon/index.html
rename to content/zh-cn/case-studies/babylon/index.html
diff --git a/content/zh/case-studies/blablacar/blablacar_featured.png b/content/zh-cn/case-studies/blablacar/blablacar_featured.png
similarity index 100%
rename from content/zh/case-studies/blablacar/blablacar_featured.png
rename to content/zh-cn/case-studies/blablacar/blablacar_featured.png
diff --git a/content/zh/case-studies/blablacar/blablacar_logo.png b/content/zh-cn/case-studies/blablacar/blablacar_logo.png
similarity index 100%
rename from content/zh/case-studies/blablacar/blablacar_logo.png
rename to content/zh-cn/case-studies/blablacar/blablacar_logo.png
diff --git a/content/zh/case-studies/blablacar/index.html b/content/zh-cn/case-studies/blablacar/index.html
similarity index 100%
rename from content/zh/case-studies/blablacar/index.html
rename to content/zh-cn/case-studies/blablacar/index.html
diff --git a/content/zh/case-studies/blackrock/blackrock_featured.png b/content/zh-cn/case-studies/blackrock/blackrock_featured.png
similarity index 100%
rename from content/zh/case-studies/blackrock/blackrock_featured.png
rename to content/zh-cn/case-studies/blackrock/blackrock_featured.png
diff --git a/content/zh/case-studies/blackrock/blackrock_logo.png b/content/zh-cn/case-studies/blackrock/blackrock_logo.png
similarity index 100%
rename from content/zh/case-studies/blackrock/blackrock_logo.png
rename to content/zh-cn/case-studies/blackrock/blackrock_logo.png
diff --git a/content/zh/case-studies/blackrock/index.html b/content/zh-cn/case-studies/blackrock/index.html
similarity index 100%
rename from content/zh/case-studies/blackrock/index.html
rename to content/zh-cn/case-studies/blackrock/index.html
diff --git a/content/zh/case-studies/booking-com/booking.com_featured_logo.png b/content/zh-cn/case-studies/booking-com/booking.com_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/booking-com/booking.com_featured_logo.png
rename to content/zh-cn/case-studies/booking-com/booking.com_featured_logo.png
diff --git a/content/zh/case-studies/booking-com/booking.com_featured_logo.svg b/content/zh-cn/case-studies/booking-com/booking.com_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/booking-com/booking.com_featured_logo.svg
rename to content/zh-cn/case-studies/booking-com/booking.com_featured_logo.svg
diff --git a/content/zh/case-studies/booking-com/index.html b/content/zh-cn/case-studies/booking-com/index.html
similarity index 100%
rename from content/zh/case-studies/booking-com/index.html
rename to content/zh-cn/case-studies/booking-com/index.html
diff --git a/content/zh/case-studies/booz-allen/booz-allen-featured-logo.svg b/content/zh-cn/case-studies/booz-allen/booz-allen-featured-logo.svg
similarity index 100%
rename from content/zh/case-studies/booz-allen/booz-allen-featured-logo.svg
rename to content/zh-cn/case-studies/booz-allen/booz-allen-featured-logo.svg
diff --git a/content/zh/case-studies/booz-allen/booz-allen_featured_logo.png b/content/zh-cn/case-studies/booz-allen/booz-allen_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/booz-allen/booz-allen_featured_logo.png
rename to content/zh-cn/case-studies/booz-allen/booz-allen_featured_logo.png
diff --git a/content/zh/case-studies/booz-allen/index.html b/content/zh-cn/case-studies/booz-allen/index.html
similarity index 100%
rename from content/zh/case-studies/booz-allen/index.html
rename to content/zh-cn/case-studies/booz-allen/index.html
diff --git a/content/zh/case-studies/bose/bose_featured_logo.png b/content/zh-cn/case-studies/bose/bose_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/bose/bose_featured_logo.png
rename to content/zh-cn/case-studies/bose/bose_featured_logo.png
diff --git a/content/zh/case-studies/bose/index.html b/content/zh-cn/case-studies/bose/index.html
similarity index 100%
rename from content/zh/case-studies/bose/index.html
rename to content/zh-cn/case-studies/bose/index.html
diff --git a/content/zh/case-studies/box/box_featured.png b/content/zh-cn/case-studies/box/box_featured.png
similarity index 100%
rename from content/zh/case-studies/box/box_featured.png
rename to content/zh-cn/case-studies/box/box_featured.png
diff --git a/content/zh/case-studies/box/box_logo.png b/content/zh-cn/case-studies/box/box_logo.png
similarity index 100%
rename from content/zh/case-studies/box/box_logo.png
rename to content/zh-cn/case-studies/box/box_logo.png
diff --git a/content/zh/case-studies/box/box_small.png b/content/zh-cn/case-studies/box/box_small.png
similarity index 100%
rename from content/zh/case-studies/box/box_small.png
rename to content/zh-cn/case-studies/box/box_small.png
diff --git a/content/zh/case-studies/box/index.html b/content/zh-cn/case-studies/box/index.html
similarity index 100%
rename from content/zh/case-studies/box/index.html
rename to content/zh-cn/case-studies/box/index.html
diff --git a/content/zh/case-studies/box/video.png b/content/zh-cn/case-studies/box/video.png
similarity index 100%
rename from content/zh/case-studies/box/video.png
rename to content/zh-cn/case-studies/box/video.png
diff --git a/content/zh/case-studies/buffer/buffer_featured.png b/content/zh-cn/case-studies/buffer/buffer_featured.png
similarity index 100%
rename from content/zh/case-studies/buffer/buffer_featured.png
rename to content/zh-cn/case-studies/buffer/buffer_featured.png
diff --git a/content/zh/case-studies/buffer/buffer_logo.png b/content/zh-cn/case-studies/buffer/buffer_logo.png
similarity index 100%
rename from content/zh/case-studies/buffer/buffer_logo.png
rename to content/zh-cn/case-studies/buffer/buffer_logo.png
diff --git a/content/zh/case-studies/buffer/index.html b/content/zh-cn/case-studies/buffer/index.html
similarity index 100%
rename from content/zh/case-studies/buffer/index.html
rename to content/zh-cn/case-studies/buffer/index.html
diff --git a/content/zh/case-studies/capital-one/capitalone_featured_logo.png b/content/zh-cn/case-studies/capital-one/capitalone_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/capital-one/capitalone_featured_logo.png
rename to content/zh-cn/case-studies/capital-one/capitalone_featured_logo.png
diff --git a/content/zh/case-studies/capital-one/index.html b/content/zh-cn/case-studies/capital-one/index.html
similarity index 100%
rename from content/zh/case-studies/capital-one/index.html
rename to content/zh-cn/case-studies/capital-one/index.html
diff --git a/content/zh/case-studies/cern/cern_featured_logo.png b/content/zh-cn/case-studies/cern/cern_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/cern/cern_featured_logo.png
rename to content/zh-cn/case-studies/cern/cern_featured_logo.png
diff --git a/content/zh/case-studies/cern/index.html b/content/zh-cn/case-studies/cern/index.html
similarity index 100%
rename from content/zh/case-studies/cern/index.html
rename to content/zh-cn/case-studies/cern/index.html
diff --git a/content/zh/case-studies/chinaunicom/chinaunicom_featured_logo.png b/content/zh-cn/case-studies/chinaunicom/chinaunicom_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/chinaunicom/chinaunicom_featured_logo.png
rename to content/zh-cn/case-studies/chinaunicom/chinaunicom_featured_logo.png
diff --git a/content/zh/case-studies/chinaunicom/index.html b/content/zh-cn/case-studies/chinaunicom/index.html
similarity index 100%
rename from content/zh/case-studies/chinaunicom/index.html
rename to content/zh-cn/case-studies/chinaunicom/index.html
diff --git a/content/zh/case-studies/city-of-montreal/city-of-montreal_featured_logo.png b/content/zh-cn/case-studies/city-of-montreal/city-of-montreal_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/city-of-montreal/city-of-montreal_featured_logo.png
rename to content/zh-cn/case-studies/city-of-montreal/city-of-montreal_featured_logo.png
diff --git a/content/zh/case-studies/city-of-montreal/index.html b/content/zh-cn/case-studies/city-of-montreal/index.html
similarity index 100%
rename from content/zh/case-studies/city-of-montreal/index.html
rename to content/zh-cn/case-studies/city-of-montreal/index.html
diff --git a/content/zh/case-studies/crowdfire/crowdfire_featured_logo.png b/content/zh-cn/case-studies/crowdfire/crowdfire_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/crowdfire/crowdfire_featured_logo.png
rename to content/zh-cn/case-studies/crowdfire/crowdfire_featured_logo.png
diff --git a/content/zh/case-studies/crowdfire/index.html b/content/zh-cn/case-studies/crowdfire/index.html
similarity index 100%
rename from content/zh/case-studies/crowdfire/index.html
rename to content/zh-cn/case-studies/crowdfire/index.html
diff --git a/content/zh/case-studies/denso/denso_featured_logo.svg b/content/zh-cn/case-studies/denso/denso_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/denso/denso_featured_logo.svg
rename to content/zh-cn/case-studies/denso/denso_featured_logo.svg
diff --git a/content/zh/case-studies/denso/index.html b/content/zh-cn/case-studies/denso/index.html
similarity index 100%
rename from content/zh/case-studies/denso/index.html
rename to content/zh-cn/case-studies/denso/index.html
diff --git a/content/zh/case-studies/golfnow/golfnow_featured.png b/content/zh-cn/case-studies/golfnow/golfnow_featured.png
similarity index 100%
rename from content/zh/case-studies/golfnow/golfnow_featured.png
rename to content/zh-cn/case-studies/golfnow/golfnow_featured.png
diff --git a/content/zh/case-studies/golfnow/golfnow_logo.png b/content/zh-cn/case-studies/golfnow/golfnow_logo.png
similarity index 100%
rename from content/zh/case-studies/golfnow/golfnow_logo.png
rename to content/zh-cn/case-studies/golfnow/golfnow_logo.png
diff --git a/content/zh/case-studies/golfnow/index.html b/content/zh-cn/case-studies/golfnow/index.html
similarity index 100%
rename from content/zh/case-studies/golfnow/index.html
rename to content/zh-cn/case-studies/golfnow/index.html
diff --git a/content/zh/case-studies/haufegroup/haufegroup_featured.png b/content/zh-cn/case-studies/haufegroup/haufegroup_featured.png
similarity index 100%
rename from content/zh/case-studies/haufegroup/haufegroup_featured.png
rename to content/zh-cn/case-studies/haufegroup/haufegroup_featured.png
diff --git a/content/zh/case-studies/haufegroup/haufegroup_logo.png b/content/zh-cn/case-studies/haufegroup/haufegroup_logo.png
similarity index 100%
rename from content/zh/case-studies/haufegroup/haufegroup_logo.png
rename to content/zh-cn/case-studies/haufegroup/haufegroup_logo.png
diff --git a/content/zh/case-studies/haufegroup/index.html b/content/zh-cn/case-studies/haufegroup/index.html
similarity index 100%
rename from content/zh/case-studies/haufegroup/index.html
rename to content/zh-cn/case-studies/haufegroup/index.html
diff --git a/content/zh/case-studies/huawei/huawei_featured.png b/content/zh-cn/case-studies/huawei/huawei_featured.png
similarity index 100%
rename from content/zh/case-studies/huawei/huawei_featured.png
rename to content/zh-cn/case-studies/huawei/huawei_featured.png
diff --git a/content/zh/case-studies/huawei/huawei_logo.png b/content/zh-cn/case-studies/huawei/huawei_logo.png
similarity index 100%
rename from content/zh/case-studies/huawei/huawei_logo.png
rename to content/zh-cn/case-studies/huawei/huawei_logo.png
diff --git a/content/zh/case-studies/huawei/index.html b/content/zh-cn/case-studies/huawei/index.html
similarity index 100%
rename from content/zh/case-studies/huawei/index.html
rename to content/zh-cn/case-studies/huawei/index.html
diff --git a/content/zh/case-studies/ibm/ibm_featured_logo.png b/content/zh-cn/case-studies/ibm/ibm_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/ibm/ibm_featured_logo.png
rename to content/zh-cn/case-studies/ibm/ibm_featured_logo.png
diff --git a/content/zh/case-studies/ibm/ibm_featured_logo.svg b/content/zh-cn/case-studies/ibm/ibm_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/ibm/ibm_featured_logo.svg
rename to content/zh-cn/case-studies/ibm/ibm_featured_logo.svg
diff --git a/content/zh/case-studies/ibm/index.html b/content/zh-cn/case-studies/ibm/index.html
similarity index 100%
rename from content/zh/case-studies/ibm/index.html
rename to content/zh-cn/case-studies/ibm/index.html
diff --git a/content/zh/case-studies/ing/index.html b/content/zh-cn/case-studies/ing/index.html
similarity index 100%
rename from content/zh/case-studies/ing/index.html
rename to content/zh-cn/case-studies/ing/index.html
diff --git a/content/zh/case-studies/ing/ing_featured_logo.png b/content/zh-cn/case-studies/ing/ing_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/ing/ing_featured_logo.png
rename to content/zh-cn/case-studies/ing/ing_featured_logo.png
diff --git a/content/zh/case-studies/ing/ing_featured_logo.svg b/content/zh-cn/case-studies/ing/ing_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/ing/ing_featured_logo.svg
rename to content/zh-cn/case-studies/ing/ing_featured_logo.svg
diff --git a/content/zh/case-studies/jd-com/index.html b/content/zh-cn/case-studies/jd-com/index.html
similarity index 100%
rename from content/zh/case-studies/jd-com/index.html
rename to content/zh-cn/case-studies/jd-com/index.html
diff --git a/content/zh/case-studies/jd-com/jd-com_featured_logo.png b/content/zh-cn/case-studies/jd-com/jd-com_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/jd-com/jd-com_featured_logo.png
rename to content/zh-cn/case-studies/jd-com/jd-com_featured_logo.png
diff --git a/content/zh/case-studies/jd-com/jd.com_featured_logo.svg b/content/zh-cn/case-studies/jd-com/jd.com_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/jd-com/jd.com_featured_logo.svg
rename to content/zh-cn/case-studies/jd-com/jd.com_featured_logo.svg
diff --git a/content/zh/case-studies/naic/naic_featured_logo.png b/content/zh-cn/case-studies/naic/naic_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/naic/naic_featured_logo.png
rename to content/zh-cn/case-studies/naic/naic_featured_logo.png
diff --git a/content/zh/case-studies/nav/nav_featured_logo.png b/content/zh-cn/case-studies/nav/nav_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/nav/nav_featured_logo.png
rename to content/zh-cn/case-studies/nav/nav_featured_logo.png
diff --git a/content/zh/case-studies/nerdalize/nerdalize_featured_logo.png b/content/zh-cn/case-studies/nerdalize/nerdalize_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/nerdalize/nerdalize_featured_logo.png
rename to content/zh-cn/case-studies/nerdalize/nerdalize_featured_logo.png
diff --git a/content/zh/case-studies/netease/index.html b/content/zh-cn/case-studies/netease/index.html
similarity index 100%
rename from content/zh/case-studies/netease/index.html
rename to content/zh-cn/case-studies/netease/index.html
diff --git a/content/zh/case-studies/netease/netease_featured_logo.png b/content/zh-cn/case-studies/netease/netease_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/netease/netease_featured_logo.png
rename to content/zh-cn/case-studies/netease/netease_featured_logo.png
diff --git a/content/zh/case-studies/newyorktimes/newyorktimes_featured.png b/content/zh-cn/case-studies/newyorktimes/newyorktimes_featured.png
similarity index 100%
rename from content/zh/case-studies/newyorktimes/newyorktimes_featured.png
rename to content/zh-cn/case-studies/newyorktimes/newyorktimes_featured.png
diff --git a/content/zh/case-studies/newyorktimes/newyorktimes_logo.png b/content/zh-cn/case-studies/newyorktimes/newyorktimes_logo.png
similarity index 100%
rename from content/zh/case-studies/newyorktimes/newyorktimes_logo.png
rename to content/zh-cn/case-studies/newyorktimes/newyorktimes_logo.png
diff --git a/content/zh/case-studies/nokia/nokia_featured_logo.png b/content/zh-cn/case-studies/nokia/nokia_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/nokia/nokia_featured_logo.png
rename to content/zh-cn/case-studies/nokia/nokia_featured_logo.png
diff --git a/content/zh/case-studies/nordstrom/index.html b/content/zh-cn/case-studies/nordstrom/index.html
similarity index 100%
rename from content/zh/case-studies/nordstrom/index.html
rename to content/zh-cn/case-studies/nordstrom/index.html
diff --git a/content/zh/case-studies/nordstrom/nordstrom_featured_logo.png b/content/zh-cn/case-studies/nordstrom/nordstrom_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/nordstrom/nordstrom_featured_logo.png
rename to content/zh-cn/case-studies/nordstrom/nordstrom_featured_logo.png
diff --git a/content/zh/case-studies/northwestern-mutual/northwestern_featured_logo.png b/content/zh-cn/case-studies/northwestern-mutual/northwestern_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/northwestern-mutual/northwestern_featured_logo.png
rename to content/zh-cn/case-studies/northwestern-mutual/northwestern_featured_logo.png
diff --git a/content/zh/case-studies/ocado/ocado_featured_logo.png b/content/zh-cn/case-studies/ocado/ocado_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/ocado/ocado_featured_logo.png
rename to content/zh-cn/case-studies/ocado/ocado_featured_logo.png
diff --git a/content/zh/case-studies/openAI/openai_featured.png b/content/zh-cn/case-studies/openAI/openai_featured.png
similarity index 100%
rename from content/zh/case-studies/openAI/openai_featured.png
rename to content/zh-cn/case-studies/openAI/openai_featured.png
diff --git a/content/zh/case-studies/openAI/openai_logo.png b/content/zh-cn/case-studies/openAI/openai_logo.png
similarity index 100%
rename from content/zh/case-studies/openAI/openai_logo.png
rename to content/zh-cn/case-studies/openAI/openai_logo.png
diff --git a/content/zh/case-studies/peardeck/peardeck_featured.png b/content/zh-cn/case-studies/peardeck/peardeck_featured.png
similarity index 100%
rename from content/zh/case-studies/peardeck/peardeck_featured.png
rename to content/zh-cn/case-studies/peardeck/peardeck_featured.png
diff --git a/content/zh/case-studies/peardeck/peardeck_logo.png b/content/zh-cn/case-studies/peardeck/peardeck_logo.png
similarity index 100%
rename from content/zh/case-studies/peardeck/peardeck_logo.png
rename to content/zh-cn/case-studies/peardeck/peardeck_logo.png
diff --git a/content/zh/case-studies/pearson/pearson_featured.png b/content/zh-cn/case-studies/pearson/pearson_featured.png
similarity index 100%
rename from content/zh/case-studies/pearson/pearson_featured.png
rename to content/zh-cn/case-studies/pearson/pearson_featured.png
diff --git a/content/zh/case-studies/pearson/pearson_logo.png b/content/zh-cn/case-studies/pearson/pearson_logo.png
similarity index 100%
rename from content/zh/case-studies/pearson/pearson_logo.png
rename to content/zh-cn/case-studies/pearson/pearson_logo.png
diff --git a/content/zh/case-studies/pingcap/pingcap_featured_logo.png b/content/zh-cn/case-studies/pingcap/pingcap_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/pingcap/pingcap_featured_logo.png
rename to content/zh-cn/case-studies/pingcap/pingcap_featured_logo.png
diff --git a/content/zh/case-studies/pinterest/pinterest_feature.png b/content/zh-cn/case-studies/pinterest/pinterest_feature.png
similarity index 100%
rename from content/zh/case-studies/pinterest/pinterest_feature.png
rename to content/zh-cn/case-studies/pinterest/pinterest_feature.png
diff --git a/content/zh/case-studies/pinterest/pinterest_logo.png b/content/zh-cn/case-studies/pinterest/pinterest_logo.png
similarity index 100%
rename from content/zh/case-studies/pinterest/pinterest_logo.png
rename to content/zh-cn/case-studies/pinterest/pinterest_logo.png
diff --git a/content/zh/case-studies/prowise/prowise_featured_logo.png b/content/zh-cn/case-studies/prowise/prowise_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/prowise/prowise_featured_logo.png
rename to content/zh-cn/case-studies/prowise/prowise_featured_logo.png
diff --git a/content/zh/case-studies/ricardo-ch/ricardo-ch_featured_logo.png b/content/zh-cn/case-studies/ricardo-ch/ricardo-ch_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/ricardo-ch/ricardo-ch_featured_logo.png
rename to content/zh-cn/case-studies/ricardo-ch/ricardo-ch_featured_logo.png
diff --git a/content/zh/case-studies/slamtec/slamtec_featured_logo.png b/content/zh-cn/case-studies/slamtec/slamtec_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/slamtec/slamtec_featured_logo.png
rename to content/zh-cn/case-studies/slamtec/slamtec_featured_logo.png
diff --git a/content/zh/case-studies/slingtv/slingtv_featured_logo.png b/content/zh-cn/case-studies/slingtv/slingtv_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/slingtv/slingtv_featured_logo.png
rename to content/zh-cn/case-studies/slingtv/slingtv_featured_logo.png
diff --git a/content/zh/case-studies/sos/sos_featured_logo.png b/content/zh-cn/case-studies/sos/sos_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/sos/sos_featured_logo.png
rename to content/zh-cn/case-studies/sos/sos_featured_logo.png
diff --git a/content/zh/case-studies/spotify/spotify_featured_logo.png b/content/zh-cn/case-studies/spotify/spotify_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/spotify/spotify_featured_logo.png
rename to content/zh-cn/case-studies/spotify/spotify_featured_logo.png
diff --git a/content/zh/case-studies/squarespace/index.html b/content/zh-cn/case-studies/squarespace/index.html
similarity index 100%
rename from content/zh/case-studies/squarespace/index.html
rename to content/zh-cn/case-studies/squarespace/index.html
diff --git a/content/zh/case-studies/squarespace/squarespace_featured_logo.png b/content/zh-cn/case-studies/squarespace/squarespace_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/squarespace/squarespace_featured_logo.png
rename to content/zh-cn/case-studies/squarespace/squarespace_featured_logo.png
diff --git a/content/zh/case-studies/squarespace/squarespace_featured_logo.svg b/content/zh-cn/case-studies/squarespace/squarespace_featured_logo.svg
similarity index 100%
rename from content/zh/case-studies/squarespace/squarespace_featured_logo.svg
rename to content/zh-cn/case-studies/squarespace/squarespace_featured_logo.svg
diff --git a/content/zh/case-studies/thredup/thredup_featured_logo.png b/content/zh-cn/case-studies/thredup/thredup_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/thredup/thredup_featured_logo.png
rename to content/zh-cn/case-studies/thredup/thredup_featured_logo.png
diff --git a/content/zh/case-studies/vsco/vsco_featured_logo.png b/content/zh-cn/case-studies/vsco/vsco_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/vsco/vsco_featured_logo.png
rename to content/zh-cn/case-studies/vsco/vsco_featured_logo.png
diff --git a/content/zh-cn/case-studies/wikimedia/index.html b/content/zh-cn/case-studies/wikimedia/index.html
new file mode 100644
index 0000000000000..8800c5f19ee06
--- /dev/null
+++ b/content/zh-cn/case-studies/wikimedia/index.html
@@ -0,0 +1,148 @@
+---
+title: 案例研究：Wikimedia
+case_study_styles: true
+cid: caseStudies
+
+new_case_study_styles: true
+heading_title_text: Wikimedia
+use_gradient_overlay: true
+subheading: >
+  利用 Kubernetes 构建工具提升世界的维基
+case_study_details:
+  - 公司: Wikimedia
+  - 地点: 加州旧金山
+---
+<!--
+title: Wikimedia Case Study
+case_study_styles: true
+cid: caseStudies
+
+new_case_study_styles: true
+heading_title_text: Wikimedia
+use_gradient_overlay: true
+subheading: >
+  Using Kubernetes to Build Tools to Improve the World's Wikis
+case_study_details:
+  - Company: Wikimedia
+  - Location: San Francisco, CA
+-->
+
+<!--
+<p>The non-profit Wikimedia Foundation operates some of the largest collaboratively edited reference projects in the world, including Wikipedia. To help users maintain and use wikis, it runs Wikimedia Tool Labs, a hosting environment for community developers working on tools and bots to help editors and other volunteers do their work, including reducing vandalism. The community around Wikimedia Tool Labs began forming nearly 10 years ago.</p>
+-->
+<p>非营利的 Wikimedia 基金会运营着一些世界上最大的合作编辑参考项目，包括 Wikipedia。为了帮助用户维护和使用 wiki，它运行 Wikimedia 工具实验室，这是一个托管环境，为社区开发人员工作的工具和机器人，以帮助编辑和其他志愿者做他们的工作，包括减少破坏。Wikimedia 工具实验室周围的社区在近 10 年前开始形成。</p>
+
+<!--
+{{< case-studies/quote author="Yuvi Panda, operations engineer at Wikimedia Foundation and Wikimedia Tool Labs">}}
+
+<img src="/images/wikimedia_logo.png" alt="Wikimedia">
+<br>
+<br>
+"Wikimedia Tool Labs is vital for making sure wikis all around the world work as well as they possibly can. Because it's grown organically for almost 10 years, it has become an extremely challenging environment and difficult to maintain. It's like a big ball of mud — you really can't see through it. With Kubernetes, we're simplifying the environment and making it easier for developers to build the tools that make wikis run better."
+{{< /case-studies/quote >}}
+-->
+{{< case-studies/quote author="Yuvi Panda, Wikimedia 基金会和 Wikimedia 工具实验室的运维工程师">}}
+
+<img src="/images/wikimedia_logo.png" alt="Wikimedia">
+<br>
+<br>
+“Wikimedia 工具实验室对于确保世界各地的 wiki 尽可能正常运行至关重要。因为它有机地生长了近 10 年，所以它已成为一个极具挑战性且难以维护的环境。它就像一个大的泥球，你真的看不透它。借助 Kubernetes，我们正在简化环境并让开发人员更容易构建出使 wiki 更好运行的工具。”
+{{< /case-studies/quote >}}
+
+<!--
+<h2>Challenges</h2>
+-->
+<h2>挑战</h2>
+
+<!--
+<ul>
+  <li>Simplify a complex, difficult-to-manage infrastructure</li>
+  <li>Allow developers to continue writing tools and bots using existing techniques</li>
+</ul>
+-->
+<ul>
+  <li>简化复杂、难以管理的基础架构</li>
+  <li>允许开发人员使用现有技术继续编写工具和机器人</li>
+</ul>
+
+<!--
+<h2>Why Kubernetes</h2>
+-->
+<h2>为什么要使用 Kubernetes</h2>
+
+<ul>
+<!--
+  <li>Wikimedia Tool Labs chose Kubernetes because it can mimic existing workflows, while reducing complexity</li>
+-->
+  <li>Wikimedia 工具实验室之所以选择 Kubernetes，是因为它可以模仿现有的工作流程，同时降低复杂性。</li>
+</ul>
+
+<!--
+<h2>Approach</h2>
+-->
+<h2>解决方案</h2>
+
+<ul>
+<!--
+  <li>Migrate old systems and a complex infrastructure to Kubernetes</li>
+-->
+  <li>将旧系统和复杂的基础设施迁移到 Kubernetes</li>
+</ul>
+
+<!--
+<h2>Results</h2>
+-->
+<h2>结果</h2>
+
+<!--
+<ul>
+  <li>20 percent of web tools that account for more than 40 percent of web traffic now run on Kubernetes</li>
+  <li>A 25-node cluster that keeps up with each new Kubernetes release</li>
+  <li>Thousands of lines of old code have been deleted, thanks to Kubernetes</li>
+</ul>
+-->
+<ul>
+  <li>现在占 Web 流量 40% 以上的 20% Web 工具都在 Kubernetes 上运行</li>
+  <li>一个 25 节点集群可跟上每个新 Kubernetes 版本</li>
+  <li>多亏了 Kubernetes，数千行旧代码可被删除</li>
+</ul>
+
+<!--
+<h2>Using Kubernetes to provide tools for maintaining wikis</h2>
+-->
+<h2>使用 Kubernetes 提供维护 wiki 的工具</h2>
+
+<!--
+<p>Wikimedia Tool Labs is run by a staff of four-and-a-half paid employees and two volunteers. The infrastructure didn't make it easy or intuitive for developers to build bots and other tools to make wikis work more easily. Yuvi says, "It's incredibly chaotic. We have lots of Perl and Bash duct tape on top of it. Everything is super fragile."</p>
+-->
+<p>Wikimedia 工具实验室由四个半带薪员工和两名志愿者管理。基础架构无法使开发人员轻松或直观地构建机器人和其他工具，使 wiki 更易于工作。Yuvi 说，“它非常混乱，我们有很多的 Perl 和 Bash 缠绕在上面，一切都是超级脆弱。”</p>
+
+<!--
+<p>To solve the problem, Wikimedia Tool Labs migrated parts of its infrastructure to Kubernetes, in preparation for eventually moving its entire system. Yuvi said Kubernetes greatly simplifies maintenance. The goal is to allow developers creating bots and other tools to use whatever development methods they want, but make it easier for the Wikimedia Tool Labs to maintain the required infrastructure for hosting and sharing them.</p>
+-->
+<p>为了解决这个问题，Wikimedia 工具实验室将其部分基础设施迁移到了 Kubernetes，为最终迁移整个系统做准备。Yuvi 说，Kubernetes 大大简化了维护。目标是允许创建机器人和其他工具的开发人员使用他们想要的任何开发方法，但使 Wikimedia 工具实验室更容易维护托管和共享它们所需的基础结构。</p>
+
+<!--
+<p>"With Kubernetes, I've been able to remove a lot of our custom-made code, which makes everything easier to maintain. Our users' code also runs in a more stable way than previously," says Yuvi.</p>
+-->
+<p>Yuvi 说：“借助 Kubernetes，我能够删除大量我们定制的代码，这使得所有内容更易于维护，我们的用户代码也以比以前更稳定的方式运行。”</p>
+
+<!--
+<h2>Simplifying infrastructure and keeping wikis running better</h2>
+-->
+<h2>简化基础架构让 wiki 更好地运行</h2>
+
+<!--
+<p>Wikimedia Tool Labs has seen great success with the initial Kubernetes deployment. Old code is being simplified and eliminated, contributing developers don't have to change the way they write their tools and bots, and those tools and bots run in a more stable fashion than they have in the past. The paid staff and volunteers are able to better keep up with fixing issues.</p>
+-->
+<p>Wikimedia 工具实验室在最初的 Kubernetes 部署中取得了巨大成功。旧代码正在被简化和消除，使开发人员不必改变他们编写工具和机器人的方式，这些工具和机器人的运行方式比过去更稳定。带薪员工和志愿者能够更好地解决问题。</p>
+
+<!--
+<p>In the future, with a more complete migration to Kubernetes, Wikimedia Tool Labs expects to make it even easier to host and maintain the bots and tools that help run wikis across the world. The tool labs already host approximately 1,300 tools and bots from 800 volunteers, with many more being submitted every day. Twenty percent of the tool labs' web tools that account for more than 60 percent of web traffic now run on Kubernetes. The tool labs has a 25-node cluster that keeps up with each new Kubernetes release. Many existing web tools are migrating to Kubernetes.</p>
+-->
+<p>将来，随着更完整的迁移到 Kubernetes，Wikimedia 工具实验室希望更轻松地托管和维护有助于在世界各地运行 wiki 的机器人和工具。该工具实验室已经拥有来自 800 名志愿者的大约 1300 个工具和机器人，而且每天提交量会更多。占 Web 流量 60% 以上的工具实验室的 Web 工具中有 20% 现在运行在 Kubernetes 上。工具实验室有一个 25 节点的集群，可以跟上每个新的 Kubernetes 版本。许多现有的 Web 工具正在迁移到 Kubernetes。</p>
+
+<!--
+<p>"Our goal is to make sure that people all over the world can share knowledge as easily as possible. Kubernetes helps with that, by making it easier for wikis everywhere to have the tools they need to thrive," says Yuvi.</p>
+-->
+<p>Yuvi 说：“我们的目标是确保世界各地的人们能够尽可能轻松地分享知识，Kubernetes 帮助实现了这一点，它让世界各地的 wiki 更容易拥有蓬勃发展所需的工具。”</p>
diff --git a/content/zh/case-studies/wikimedia/wikimedia_featured.png b/content/zh-cn/case-studies/wikimedia/wikimedia_featured.png
similarity index 100%
rename from content/zh/case-studies/wikimedia/wikimedia_featured.png
rename to content/zh-cn/case-studies/wikimedia/wikimedia_featured.png
diff --git a/content/zh-cn/case-studies/wikimedia/wikimedia_featured.svg b/content/zh-cn/case-studies/wikimedia/wikimedia_featured.svg
new file mode 100644
index 0000000000000..5fa786aaa52ba
--- /dev/null
+++ b/content/zh-cn/case-studies/wikimedia/wikimedia_featured.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 215 127"><defs><style>.cls-1{fill:transparent;}.cls-2{fill:#900;}.cls-3{fill:#069;}.cls-4{fill:#396;}.cls-5{fill:#484848;}</style></defs><title>kubernetes.io-logos2</title><rect class="cls-1" x="-3.75123" y="-4.36563" width="223.25536" height="134.51136"/><circle id="circle3" class="cls-2" cx="107.84735" cy="21.48597" r="15.77727"/><path id="path5" class="cls-3" d="M139.7013,18.0353l-8.93976,8.9394a34.71,34.71,0,1,1-45.8277,0l-8.93975-8.93975a47.33269,47.33269,0,1,0,63.70721.00035Z"/><path id="path7" class="cls-4" d="M104.69189,46.73345,89.41109,31.45229a28.38989,28.38989,0,0,0,15.2808,49.812Zm21.59242-15.28116L111.00315,46.7331V81.26427a28.39011,28.39011,0,0,0,15.28116-49.812Z"/><path id="path9" class="cls-5" d="M170.3688,119.11393h-4.10315l-1.08337-2.69545H159.411l-1.103,2.69545h-4.10314l5.87686-13.29007h4.42955Zm-6.10686-5.00735-1.94656-4.85378-1.9648,4.85378Zm-11.848,5.00735h-3.99937V105.82386h3.999v13.29007Zm-6.49357-6.40066a6.31385,6.31385,0,0,1-.74329,3.27677,7.01233,7.01233,0,0,1-1.74987,2.003,6.32532,6.32532,0,0,1-3.99445,1.12088h-7.16393V105.82387h5.51678a14.9088,14.9088,0,0,1,2.13134.13008,9.38954,9.38954,0,0,1,1.59455.365,6.28678,6.28678,0,0,1,1.20678.52942,6.20368,6.20368,0,0,1,.89089.63,6.10431,6.10431,0,0,1,1.19346,1.31337,6.40745,6.40745,0,0,1,.81516,1.75478A7.42171,7.42171,0,0,1,145.92035,112.71327Zm-4.0758-.1725a4.43822,4.43822,0,0,0-.61812-2.5247,3.02773,3.02773,0,0,0-1.48516-1.21205,5.25783,5.25783,0,0,0-1.76775-.30678h-1.7057v7.86689h1.7057a4.88661,4.88661,0,0,0,2.7214-.74714Q141.84454,114.86915,141.84455,112.54077Zm-12.2684,6.57316H119.566V105.82386h9.84712v2.67337H123.565v2.4325h5.57919v2.67337H123.565v2.83815h6.01113Zm-13.38193,0h-3.99936v-7.70246l-3.61614,4.45935h-.3166l-3.62632-4.45935v7.70246h-3.88962V105.82386h3.63052l4.08632,4.98562,4.10524-4.98562h3.62632l-.00036,13.29007Zm-18.80965,0H93.38591V105.82386h3.99866Zm-5.76291,0h-4.8892l-5.081-6.22326v6.22326H77.65282V105.82386h3.99866v5.94978l4.81312-5.94978H90.817l-4.9467,6.22325Zm-17.34132,0h-3.999V105.82386h3.999v13.29007Zm-5.859-13.29041-5.752,13.46537h-2.32L56.898,111.455l-3.53761,7.83394H51.02114l-5.637-13.46537h4.15118l2.761,7.36272,3.16351-7.36272h2.86656l3.10567,7.36272,2.88548-7.36272Z"/></svg>
\ No newline at end of file
diff --git a/content/zh/case-studies/wikimedia/wikimedia_logo.png b/content/zh-cn/case-studies/wikimedia/wikimedia_logo.png
similarity index 100%
rename from content/zh/case-studies/wikimedia/wikimedia_logo.png
rename to content/zh-cn/case-studies/wikimedia/wikimedia_logo.png
diff --git a/content/zh/case-studies/wink/index.html b/content/zh-cn/case-studies/wink/index.html
similarity index 100%
rename from content/zh/case-studies/wink/index.html
rename to content/zh-cn/case-studies/wink/index.html
diff --git a/content/zh/case-studies/wink/wink_featured.png b/content/zh-cn/case-studies/wink/wink_featured.png
similarity index 100%
rename from content/zh/case-studies/wink/wink_featured.png
rename to content/zh-cn/case-studies/wink/wink_featured.png
diff --git a/content/zh/case-studies/wink/wink_logo.png b/content/zh-cn/case-studies/wink/wink_logo.png
similarity index 100%
rename from content/zh/case-studies/wink/wink_logo.png
rename to content/zh-cn/case-studies/wink/wink_logo.png
diff --git a/content/zh/case-studies/woorank/woorank_featured_logo.png b/content/zh-cn/case-studies/woorank/woorank_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/woorank/woorank_featured_logo.png
rename to content/zh-cn/case-studies/woorank/woorank_featured_logo.png
diff --git a/content/zh/case-studies/workiva/index.html b/content/zh-cn/case-studies/workiva/index.html
similarity index 100%
rename from content/zh/case-studies/workiva/index.html
rename to content/zh-cn/case-studies/workiva/index.html
diff --git a/content/zh/case-studies/workiva/workiva_featured_logo.png b/content/zh-cn/case-studies/workiva/workiva_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/workiva/workiva_featured_logo.png
rename to content/zh-cn/case-studies/workiva/workiva_featured_logo.png
diff --git a/content/zh/case-studies/yahoo-japan/index.html b/content/zh-cn/case-studies/yahoo-japan/index.html
similarity index 100%
rename from content/zh/case-studies/yahoo-japan/index.html
rename to content/zh-cn/case-studies/yahoo-japan/index.html
diff --git a/content/zh/case-studies/yahoo-japan/yahooJapan_logo.png b/content/zh-cn/case-studies/yahoo-japan/yahooJapan_logo.png
similarity index 100%
rename from content/zh/case-studies/yahoo-japan/yahooJapan_logo.png
rename to content/zh-cn/case-studies/yahoo-japan/yahooJapan_logo.png
diff --git a/content/zh/case-studies/ygrene/index.html b/content/zh-cn/case-studies/ygrene/index.html
similarity index 100%
rename from content/zh/case-studies/ygrene/index.html
rename to content/zh-cn/case-studies/ygrene/index.html
diff --git a/content/zh/case-studies/ygrene/ygrene_featured_logo.png b/content/zh-cn/case-studies/ygrene/ygrene_featured_logo.png
similarity index 100%
rename from content/zh/case-studies/ygrene/ygrene_featured_logo.png
rename to content/zh-cn/case-studies/ygrene/ygrene_featured_logo.png
diff --git a/content/zh/case-studies/zalando/index.html b/content/zh-cn/case-studies/zalando/index.html
similarity index 100%
rename from content/zh/case-studies/zalando/index.html
rename to content/zh-cn/case-studies/zalando/index.html
diff --git a/content/zh/case-studies/zalando/zalando_feature_logo.png b/content/zh-cn/case-studies/zalando/zalando_feature_logo.png
similarity index 100%
rename from content/zh/case-studies/zalando/zalando_feature_logo.png
rename to content/zh-cn/case-studies/zalando/zalando_feature_logo.png
diff --git a/content/zh/community/_index.html b/content/zh-cn/community/_index.html
similarity index 100%
rename from content/zh/community/_index.html
rename to content/zh-cn/community/_index.html
diff --git a/content/zh/community/code-of-conduct.md b/content/zh-cn/community/code-of-conduct.md
similarity index 83%
rename from content/zh/community/code-of-conduct.md
rename to content/zh-cn/community/code-of-conduct.md
index 98d8156770811..3dc283fec875b 100644
--- a/content/zh/community/code-of-conduct.md
+++ b/content/zh-cn/community/code-of-conduct.md
@@ -15,16 +15,16 @@ community_styles_migrated: true
 <div class="community-section" id="cncf-code-of-conduct-intro">
 <p>
 <!-- Kubernetes follows the
-<a href="https://github.com/cncf/foundation/blob/master/code-of-conduct.md">CNCF Code of Conduct</a>.
+<a href="https://github.com/cncf/foundation/blob/main/code-of-conduct.md">CNCF Code of Conduct</a>.
 The text of the CNCF CoC is replicated below, as of
 <a href="https://github.com/cncf/foundation/blob/0ce4694e5103c0c24ca90c189da81e5408a46632/code-of-conduct.md">commit 0ce4694</a>.
 If you notice that this is out of date, please
 <a href="https://github.com/kubernetes/website/issues/new">file an issue</a>. -->
 Kubernetes 遵循
-<a href="https://github.com/cncf/foundation/blob/master/code-of-conduct-languages/zh.md">CNCF 行为规范</a>。
+<a href="https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/zh.md">CNCF 行为规范</a>。
 CNCF 社区规范文本如下链接
 <a href="https://github.com/cncf/foundation/blob/0ce4694e5103c0c24ca90c189da81e5408a46632/code-of-conduct.md">commit 0ce4694</a>。
-如果您发现这个 CNCF 社区规范文本已经过时，请
+如果你发现这个 CNCF 社区规范文本已经过时，请
 <a href="https://github.com/kubernetes/website/issues/new">提交 issue</a>。
 </p>
 
@@ -35,7 +35,7 @@ the [Kubernetes Code of Conduct Committee](https://github.com/kubernetes/communi
 Your anonymity will be protected. -->
 
 如果你在活动、会议、Slack 或是其它场合发现有任何违反行为规范的行为，请联系[Kubernetes 行为规范委员会](https://github.com/kubernetes/community/tree/master/committee-code-of-conduct)<conduct@kubernetes.io>。
-我们会确保您的匿名性。
+我们会确保你的匿名性。
 </p>
 </div>
 
diff --git a/content/zh/community/static/README.md b/content/zh-cn/community/static/README.md
similarity index 100%
rename from content/zh/community/static/README.md
rename to content/zh-cn/community/static/README.md
diff --git a/content/zh-cn/community/static/cncf-code-of-conduct.md b/content/zh-cn/community/static/cncf-code-of-conduct.md
new file mode 100644
index 0000000000000..dde18750ea16f
--- /dev/null
+++ b/content/zh-cn/community/static/cncf-code-of-conduct.md
@@ -0,0 +1,39 @@
+<!-- Do not edit this file directly. Get the latest from
+     https://github.com/cncf/foundation/blob/master/code-of-conduct-languages/zh.md -->
+## 云原生计算基金会（CNCF）社区行为准则 1.0 版本
+
+### 贡献者行为准则
+
+作为这个项目的贡献者和维护者，为了建立一个开放和受欢迎的社区，
+我们保证尊重所有通过报告问题、发布功能请求、更新文档、提交拉取请求或补丁以及其他活动做出贡献的人员。
+
+我们致力于让参与此项目的每个人都不受骚扰，
+无论其经验水平、性别、性别认同和表达、性取向、残疾、个人外貌、体型、人种、种族、年龄、宗教或国籍等。
+
+不可接受的参与者行为包括：
+
+-	使用性语言或图像
+-	人身攻击
+-	挑衅、侮辱或贬低性评论
+-	公开或私下骚扰
+-	未经明确许可，发布他人的私人信息，比如地址或电子邮箱
+-	其他不道德或不专业的行为
+
+项目维护者有权利和责任删除、编辑或拒绝评论、提交、代码、维基编辑、问题和其他不符合本行为准则的贡献。
+通过采用本行为准则，项目维护者承诺将这些原则公平且一致地应用到这个项目管理的各个方面。
+不遵守或不执行行为准则的项目维护者可能被永久地从项目团队中移除。
+
+当个人代表项目或其社区时，本行为准则适用于项目空间和公共空间。
+
+如需举报侮辱、骚扰或其他不可接受的行为，
+你可发送邮件至 <conduct@kubernetes.io> 联系
+[Kubernetes行为守则委员会](https://github.com/kubernetes/community/tree/master/committee-code-of-conduct)。
+其他事务请联系CNCF项目维护专员，或发送邮件至 <mishi@linux.com> 联系我们的调解员Mishi Choudhary。
+
+本行为准则改编自《贡献者契约》（ https://contributor-covenant.org ）1.2.0 版本，
+可在 https://contributor-covenant.org/version/1/2/0/ 查看。
+
+### CNCF 活动行为准则
+
+云原生计算基金会（CNCF）活动受 Linux 基金会《[行为准则](https://events.linuxfoundation.org/code-of-conduct/)》管辖，
+该行为准则可在活动页面获得。其旨在与上述政策兼容，且包括更多关于事件回应的细节。
\ No newline at end of file
diff --git a/content/zh/docs/_index.md b/content/zh-cn/docs/_index.md
similarity index 100%
rename from content/zh/docs/_index.md
rename to content/zh-cn/docs/_index.md
diff --git a/content/zh/docs/concepts/_index.md b/content/zh-cn/docs/concepts/_index.md
similarity index 100%
rename from content/zh/docs/concepts/_index.md
rename to content/zh-cn/docs/concepts/_index.md
diff --git a/content/zh/docs/concepts/architecture/_index.md b/content/zh-cn/docs/concepts/architecture/_index.md
similarity index 100%
rename from content/zh/docs/concepts/architecture/_index.md
rename to content/zh-cn/docs/concepts/architecture/_index.md
diff --git a/content/zh/docs/concepts/architecture/cloud-controller.md b/content/zh-cn/docs/concepts/architecture/cloud-controller.md
similarity index 97%
rename from content/zh/docs/concepts/architecture/cloud-controller.md
rename to content/zh-cn/docs/concepts/architecture/cloud-controller.md
index 05caa7690f1d7..d46b7967adb8a 100644
--- a/content/zh/docs/concepts/architecture/cloud-controller.md
+++ b/content/zh-cn/docs/concepts/architecture/cloud-controller.md
@@ -318,10 +318,10 @@ To upgrade a HA control plane to use the cloud controller manager, see [Migrate
 
 Want to know how to implement your own cloud controller manager, or extend an existing project?
 -->
-[云控制器管理器的管理](/zh/docs/tasks/administer-cluster/running-cloud-controller/#cloud-controller-manager)
+[云控制器管理器的管理](/zh-cn/docs/tasks/administer-cluster/running-cloud-controller/#cloud-controller-manager)
 给出了运行和管理云控制器管理器的指南。
 
-要升级 HA 控制平面以使用云控制器管理器，请参见 [将复制的控制平面迁移以使用云控制器管理器](/zh/docs/tasks/administer-cluster/controller-manager-leader-migration/)
+要升级 HA 控制平面以使用云控制器管理器，请参见 [将复制的控制平面迁移以使用云控制器管理器](/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration/)
 
 想要了解如何实现自己的云控制器管理器，或者对现有项目进行扩展么？
 
@@ -343,6 +343,6 @@ For more information about developing plugins, see [Developing Cloud Controller
 特定于云驱动的实现虽不是 Kubernetes 核心成分，仍要实现 `CloudProvider` 接口。
 
 关于如何开发插件的详细信息，可参考
-[开发云控制器管理器](/zh/docs/tasks/administer-cluster/developing-cloud-controller-manager/)
+[开发云控制器管理器](/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager/)
 文档。
 
diff --git a/content/zh/docs/concepts/architecture/control-plane-node-communication.md b/content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md
similarity index 81%
rename from content/zh/docs/concepts/architecture/control-plane-node-communication.md
rename to content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md
index 8cf742e272fa0..57f05179ed68c 100644
--- a/content/zh/docs/concepts/architecture/control-plane-node-communication.md
+++ b/content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md
@@ -24,7 +24,7 @@ This document catalogs the communication paths between the control plane (apiser
 <!-- body -->
 <!--
 ## Node to Control Plane
-Kubernetes has a "hub-and-spoke" API pattern. All API usage from nodes (or the pods they run) terminate at the apiserver. None of the other control plane components are designed to expose remote services. The apiserver is configured to listen for remote connections on a secure HTTPS port (typically 443) with one or more forms of client [authentication](/docs/reference/access-authn-authz/authentication/) enabled.
+Kubernetes has a "hub-and-spoke" API pattern. All API usage from nodes (or the pods they run) terminates at the apiserver. None of the other control plane components are designed to expose remote services. The apiserver is configured to listen for remote connections on a secure HTTPS port (typically 443) with one or more forms of client [authentication](/docs/reference/access-authn-authz/authentication/) enabled.
 One or more forms of [authorization](/docs/reference/access-authn-authz/authorization/) should be enabled, especially if [anonymous requests](/docs/reference/access-authn-authz/authentication/#anonymous-requests) or [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens) are allowed.
 -->
 ## 节点到控制面
@@ -33,17 +33,17 @@ Kubernetes 采用的是中心辐射型（Hub-and-Spoke）API 模式。
 所有从集群（或所运行的 Pods）发出的 API 调用都终止于 API 服务器。
 其它控制面组件都没有被设计为可暴露远程服务。
 API 服务器被配置为在一个安全的 HTTPS 端口（通常为 443）上监听远程连接请求，
-并启用一种或多种形式的客户端[身份认证](/zh/docs/reference/access-authn-authz/authentication/)机制。
-一种或多种客户端[鉴权机制](/zh/docs/reference/access-authn-authz/authorization/)应该被启用，
-特别是在允许使用[匿名请求](/zh/docs/reference/access-authn-authz/authentication/#anonymous-requests)
-或[服务账号令牌](/zh/docs/reference/access-authn-authz/authentication/#service-account-tokens)的时候。
+并启用一种或多种形式的客户端[身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)机制。
+一种或多种客户端[鉴权机制](/zh-cn/docs/reference/access-authn-authz/authorization/)应该被启用，
+特别是在允许使用[匿名请求](/zh-cn/docs/reference/access-authn-authz/authentication/#anonymous-requests)
+或[服务账号令牌](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens)的时候。
 
 <!--
-Nodes should be provisioned with the public root certificate for the cluster such that they can connect securely to the apiserver along with valid client credentials. A good approach is that the client credentials provided to the kubelet are in the form of a client certificate. See [kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for automated provisioning of kubelet client certificates.
+Nodes should be provisioned with the public root certificate for the cluster such that they can connect securely to the apiserver along with valid client credentials. A good approach is that the client credentials provided to the kubelet are in the form of a client certificate. See [kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) for automated provisioning of kubelet client certificates.
 -->
 应该使用集群的公共根证书开通节点，这样它们就能够基于有效的客户端凭据安全地连接 API 服务器。
 一种好的方法是以客户端证书的形式将客户端凭据提供给 kubelet。
-请查看 [kubelet TLS 启动引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+请查看 [kubelet TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 以了解如何自动提供 kubelet 客户端证书。
 
 <!--
@@ -102,10 +102,10 @@ These connections terminate at the kubelet's HTTPS endpoint. By default, the api
 <!--
 To verify this connection, use the `--kubelet-certificate-authority` flag to provide the apiserver with a root certificate bundle to use to verify the kubelet's serving certificate.
 
-If that is not possible, use [SSH tunneling](/docs/concepts/architecture/master-node-communication/#ssh-tunnels) between the apiserver and kubelet if required to avoid connecting over an
+If that is not possible, use [SSH tunneling](#ssh-tunnels) between the apiserver and kubelet if required to avoid connecting over an
 untrusted or public network.
 
-Finally, [Kubelet authentication and/or authorization](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/) should be enabled to secure the kubelet API.
+Finally, [Kubelet authentication and/or authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/) should be enabled to secure the kubelet API.
 -->
 为了对这个连接进行认证，使用 `--kubelet-certificate-authority` 标志给 API
 服务器提供一个根证书包，用于 kubelet 的服务证书。
@@ -114,13 +114,13 @@ Finally, [Kubelet authentication and/or authorization](/docs/reference/command-l
 kubelet 之间使用 [SSH 隧道](#ssh-tunnels)。
 
 最后，应该启用
-[kubelet 用户认证和/或鉴权](/zh/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
+[kubelet 用户认证和/或鉴权](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)
 来保护 kubelet API。
 
 <!--
 ### apiserver to nodes, pods, and services
 
-The connections from the apiserver to a node, pod, or service default to plain HTTP connections and are therefore neither authenticated nor encrypted. They can be run over a secure HTTPS connection by prefixing `https:` to the node, pod, or service name in the API URL, but they will not validate the certificate provided by the HTTPS endpoint nor provide client credentials so while the connection will be encrypted, it will not provide any guarantees of integrity. These connections **are not currently safe** to run over untrusted and/or public networks.
+The connections from the apiserver to a node, pod, or service default to plain HTTP connections and are therefore neither authenticated nor encrypted. They can be run over a secure HTTPS connection by prefixing `https:` to the node, pod, or service name in the API URL, but they will not validate the certificate provided by the HTTPS endpoint nor provide client credentials. So while the connection will be encrypted, it will not provide any guarantees of integrity. These connections **are not currently safe** to run over untrusted or public networks.
 -->
 ### API 服务器到节点、Pod 和服务
 
@@ -136,7 +136,7 @@ The connections from the apiserver to a node, pod, or service default to plain H
 Kubernetes supports SSH tunnels to protect the control plane to nodes communication paths. In this configuration, the apiserver initiates an SSH tunnel to each node in the cluster (connecting to the ssh server listening on port 22) and passes all traffic destined for a kubelet, node, pod, or service through the tunnel.
 This tunnel ensures that the traffic is not exposed outside of the network in which the nodes are running.
 
-SSH tunnels are currently deprecated so you shouldn't opt to use them unless you know what you are doing. The Konnectivity service is a replacement for this communication channel.
+SSH tunnels are currently deprecated, so you shouldn't opt to use them unless you know what you are doing. The Konnectivity service is a replacement for this communication channel.
 -->
 ### SSH 隧道 {#ssh-tunnels}
 
@@ -167,6 +167,6 @@ Konnectivity 服务包含两个部分：Konnectivity 服务器和 Konnectivity 
 控制面网络和节点网络中。Konnectivity 代理建立并维持到 Konnectivity 服务器的网络连接。
 启用 Konnectivity 服务之后，所有控制面到节点的通信都通过这些连接传输。
 
-请浏览 [Konnectivity 服务任务](/zh/docs/tasks/extend-kubernetes/setup-konnectivity/)
+请浏览 [Konnectivity 服务任务](/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/)
 在你的集群中配置 Konnectivity 服务。
 
diff --git a/content/zh/docs/concepts/architecture/controller.md b/content/zh-cn/docs/concepts/architecture/controller.md
similarity index 95%
rename from content/zh/docs/concepts/architecture/controller.md
rename to content/zh-cn/docs/concepts/architecture/controller.md
index 7c11a5a0d2ab0..fecf82269aaae 100644
--- a/content/zh/docs/concepts/architecture/controller.md
+++ b/content/zh-cn/docs/concepts/architecture/controller.md
@@ -50,7 +50,7 @@ detail.
 ## 控制器模式 {#controller-pattern}
 
 一个控制器至少追踪一种类型的 Kubernetes 资源。这些
-[对象](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/)
+[对象](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/)
 有一个代表期望状态的 `spec` 字段。
 该资源的控制器负责确保其当前状态接近期望状态。
 
@@ -96,7 +96,7 @@ and eventually the work is done.
 
 Job 是一种 Kubernetes 资源，它运行一个或者多个 {{< glossary_tooltip term_id="pod" >}}，
 来执行一个任务然后停止。
-（一旦[被调度了](/zh/docs/concepts/scheduling-eviction/)，对 `kubelet` 来说 Pod
+（一旦[被调度了](/zh-cn/docs/concepts/scheduling-eviction/)，对 `kubelet` 来说 Pod
 对象就会变成了期望状态的一部分）。
 
 在集群中，当 Job 控制器拿到新任务时，它会保证一组 Node 节点上的 `kubelet`
@@ -175,7 +175,7 @@ cloud provider APIs, and other services by
 -->
 在温度计的例子中，如果房间很冷，那么某个控制器可能还会启动一个防冻加热器。
 就 Kubernetes 集群而言，控制面间接地与 IP 地址管理工具、存储服务、云驱动
-APIs 以及其他服务协作，通过[扩展 Kubernetes](/zh/docs/concepts/extend-kubernetes/)
+APIs 以及其他服务协作，通过[扩展 Kubernetes](/zh-cn/docs/concepts/extend-kubernetes/)
 来实现这点。
 
 <!--
@@ -280,9 +280,9 @@ Kubernetes 允许你运行一个稳定的控制平面，这样即使某些内置
 * Learn more about the [Kubernetes API](/docs/concepts/overview/kubernetes-api/)
 * If you want to write your own controller, see [Extension Patterns](/docs/concepts/extend-kubernetes/extend-cluster/#extension-patterns) in Extending Kubernetes.
 -->
-* 阅读 [Kubernetes 控制平面组件](/zh/docs/concepts/overview/components/#control-plane-components)
-* 了解 [Kubernetes 对象](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/)
+* 阅读 [Kubernetes 控制平面组件](/zh-cn/docs/concepts/overview/components/#control-plane-components)
+* 了解 [Kubernetes 对象](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/)
   的一些基本知识
-* 进一步学习 [Kubernetes API](/zh/docs/concepts/overview/kubernetes-api/)
+* 进一步学习 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/)
 * 如果你想编写自己的控制器，请看 Kubernetes 的
-  [扩展模式](/zh/docs/concepts/extend-kubernetes/#extension-patterns)。
+  [扩展模式](/zh-cn/docs/concepts/extend-kubernetes/#extension-patterns)。
diff --git a/content/zh/docs/concepts/architecture/cri.md b/content/zh-cn/docs/concepts/architecture/cri.md
similarity index 97%
rename from content/zh/docs/concepts/architecture/cri.md
rename to content/zh-cn/docs/concepts/architecture/cri.md
index 68cd082fc0154..c0b3579578c83 100644
--- a/content/zh/docs/concepts/architecture/cri.md
+++ b/content/zh-cn/docs/concepts/architecture/cri.md
@@ -46,7 +46,7 @@ flags](/docs/reference/command-line-tools-reference/kubelet)
 -->
 当通过 gRPC 连接到容器运行时时，kubelet 充当客户端。
 运行时和镜像服务端点必须在容器运行时中可用，可以使用
-[命令行标志](/zh/docs/reference/command-line-tools-reference/kubelet)的
+[命令行标志](/zh-cn/docs/reference/command-line-tools-reference/kubelet)的
 `--image-service-endpoint` 和 `--container-runtime-endpoint`
 在 kubelet 中单独配置。
 
diff --git a/content/zh/docs/concepts/architecture/garbage-collection.md b/content/zh-cn/docs/concepts/architecture/garbage-collection.md
similarity index 85%
rename from content/zh/docs/concepts/architecture/garbage-collection.md
rename to content/zh-cn/docs/concepts/architecture/garbage-collection.md
index 7fb0eb0d3e21c..d45b98fa8feda 100644
--- a/content/zh/docs/concepts/architecture/garbage-collection.md
+++ b/content/zh-cn/docs/concepts/architecture/garbage-collection.md
@@ -32,16 +32,16 @@ allows the clean up of resources like the following:
     manager
 * [Node Lease objects](/docs/concepts/architecture/nodes/#heartbeats)
 -->
-* [失败的 Pod](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-garbage-collection)
-* [已完成的 Job](/zh/docs/concepts/workloads/controllers/ttlafterfinished/)
+* [失败的 Pod](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-garbage-collection)
+* [已完成的 Job](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/)
 * [不再存在属主引用的对象](#owners-dependents)
 * [未使用的容器和容器镜像](#containers-images)
-* [动态制备的、StorageClass 回收策略为 Delete 的 PV 卷](/zh/docs/concepts/storage/persistent-volumes/#delete)
-* [阻滞或者过期的 CertificateSigningRequest (CSRs)](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process)
+* [动态制备的、StorageClass 回收策略为 Delete 的 PV 卷](/zh-cn/docs/concepts/storage/persistent-volumes/#delete)
+* [阻滞或者过期的 CertificateSigningRequest (CSRs)](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process)
 * 在以下情形中删除了的{{<glossary_tooltip text="节点" term_id="node">}}对象：
-  * 当集群使用[云控制器管理器](/zh/docs/concepts/architecture/cloud-controller/)运行于云端时；
+  * 当集群使用[云控制器管理器](/zh-cn/docs/concepts/architecture/cloud-controller/)运行于云端时；
   * 当集群使用类似于云控制器管理器的插件运行在本地环境中时。
-* [节点租约对象](/zh/docs/concepts/architecture/nodes/#heartbeats)
+* [节点租约对象](/zh-cn/docs/concepts/architecture/nodes/#heartbeats)
 
 <!--
 ## Owners and dependents {#owners-dependents}
@@ -54,10 +54,10 @@ object. In most cases, Kubernetes manages owner references automatically.
 -->
 ## 属主与依赖   {#owners-dependents}
 
-Kubernetes 中很多对象通过[*属主引用*](/zh/docs/concepts/overview/working-with-objects/owners-dependents/)
+Kubernetes 中很多对象通过[*属主引用*](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)
 链接到彼此。属主引用（Owner Reference）可以告诉控制面哪些对象依赖于其他对象。
-Kubernetes 使用属主引用来为控制面以及其他 API 客户端在删除某对象时提供一个
-清理关联资源的机会。在大多数场合，Kubernetes 都是自动管理属主引用的。
+Kubernetes 使用属主引用来为控制面以及其他 API 客户端在删除某对象时提供一个清理关联资源的机会。
+在大多数场合，Kubernetes 都是自动管理属主引用的。
 
 <!--
 Ownership is different from the [labels and selectors](/docs/concepts/overview/working-with-objects/labels/)
@@ -69,8 +69,8 @@ to the labels, each `EndpointSlice` that is managed on behalf of a Service has
 an owner reference. Owner references help different parts of Kubernetes avoid
 interfering with objects they don’t control.
 -->
-属主关系与某些资源所使用的的[标签和选择算符](/zh/docs/concepts/overview/working-with-objects/labels/)
-不同。例如，考虑一个创建 `EndpointSlice` 对象的 {{<glossary_tooltip text="Service" term_id="service">}}
+属主关系与某些资源所使用的[标签和选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/)不同。
+例如，考虑一个创建 `EndpointSlice` 对象的 {{<glossary_tooltip text="Service" term_id="service">}}
 对象。Service 对象使用*标签*来允许控制面确定哪些 `EndpointSlice` 对象被该
 Service 使用。除了标签，每个被 Service 托管的 `EndpointSlice` 对象还有一个属主引用属性。
 属主引用可以帮助 Kubernetes 中的不同组件避免干预并非由它们控制的对象。
@@ -85,8 +85,7 @@ is subject to deletion once all owners are verified absent.
 -->
 根据设计，系统不允许出现跨名字空间的属主引用。名字空间作用域的依赖对象可以指定集群作用域或者名字空间作用域的属主。
 名字空间作用域的属主**必须**存在于依赖对象所在的同一名字空间。
-如果属主位于不同名字空间，则属主引用被视为不存在，而当检查发现所有属主都已不存在时，
-依赖对象会被删除。
+如果属主位于不同名字空间，则属主引用被视为不存在，而当检查发现所有属主都已不存在时，依赖对象会被删除。
 
 <!--
 Cluster-scoped dependents can only specify cluster-scoped owners.
@@ -127,8 +126,8 @@ two types of cascading deletion, as follows:
 ## 级联删除    {#cascading-deletion}
 
 Kubernetes 会检查并删除那些不再拥有属主引用的对象，例如在你删除了 ReplicaSet
-之后留下来的 Pod。当你删除某个对象时，你可以控制 Kubernetes 是否要通过一个称作
-级联删除（Cascading Deletion）的过程自动删除该对象的依赖对象。
+之后留下来的 Pod。当你删除某个对象时，你可以控制 Kubernetes 是否去自动删除该对象的依赖对象，
+这个过程称为 **级联删除（Cascading Deletion）**。
 级联删除有两种类型，分别如下：
 
 * 前台级联删除
@@ -150,7 +149,7 @@ owner object:
 -->
 ### 前台级联删除 {#foreground-deletion}
 
-在前台级联删除中，正在被你删除的对象首先进入 *deletion in progress* 状态。
+在前台级联删除中，正在被你删除的属主对象首先进入 *deletion in progress* 状态。
 在这种状态下，针对属主对象会发生以下事情：
 
 <!--
@@ -180,9 +179,9 @@ to learn more.
 当属主对象进入删除过程中状态后，控制器删除其依赖对象。控制器在删除完所有依赖对象之后，
 删除属主对象。这时，通过 Kubernetes API 就无法再看到该对象。
 
-在前台级联删除过程中，唯一的可能阻止属主对象被删除的依赖对象是那些带有
-`ownerReference.blockOwnerDeletion=true` 字段的对象。
-参阅[使用前台级联删除](/zh/docs/tasks/administer-cluster/use-cascading-deletion/#use-foreground-cascading-deletion)
+在前台级联删除过程中，唯一可能阻止属主对象被删除的是那些带有
+`ownerReference.blockOwnerDeletion=true` 字段的依赖对象。
+参阅[使用前台级联删除](/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion/#use-foreground-cascading-deletion)
 以了解进一步的细节。
 
 <!--
@@ -202,7 +201,7 @@ to learn more.
 默认情况下，Kubernetes 使用后台级联删除方案，除非你手动设置了要使用前台删除，
 或者选择遗弃依赖对象。
 
-参阅[使用后台级联删除](/zh/docs/tasks/administer-cluster/use-cascading-deletion/#use-background-cascading-deletion)
+参阅[使用后台级联删除](/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion/#use-background-cascading-deletion)
 以了解进一步的细节。
 
 <!--
@@ -216,7 +215,7 @@ to override this behaviour, see [Delete owner objects and orphan dependents](/do
 
 当 Kubernetes 删除某个属主对象时，被留下来的依赖对象被称作被遗弃的（Orphaned）对象。
 默认情况下，Kubernetes 会删除依赖对象。要了解如何重载这种默认行为，可参阅
-[删除属主对象和遗弃依赖对象](/zh/docs/tasks/administer-cluster/use-cascading-deletion/#set-orphan-deletion-policy)。
+[删除属主对象和遗弃依赖对象](/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion/#set-orphan-deletion-policy)。
 
 <!--
 ## Garbage collection of unused containers and images {#containers-images}
@@ -241,8 +240,8 @@ and change the parameters related to garbage collection using the
 resource type.
 -->
 要配置对未使用容器和镜像的垃圾收集选项，可以使用一个
-[配置文件](/zh/docs/tasks/administer-cluster/kubelet-config-file/)，基于
-[`KubeletConfiguration`](/zh/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) 
+[配置文件](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/)，基于
+[`KubeletConfiguration`](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) 
 资源类型来调整与垃圾搜集相关的 kubelet 行为。
 
 <!--
@@ -342,8 +341,8 @@ configure garbage collection:
 你可以通过配置特定于管理资源的控制器来调整资源的垃圾收集行为。
 下面的页面为你展示如何配置垃圾收集：
 
-* [配置 Kubernetes 对象的级联删除](/zh/docs/tasks/administer-cluster/use-cascading-deletion/)
-* [配置已完成 Job 的清理](/zh/docs/concepts/workloads/controllers/ttlafterfinished/)
+* [配置 Kubernetes 对象的级联删除](/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion/)
+* [配置已完成 Job 的清理](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/)
 
 <!-- * [Configuring unused container and image garbage collection](/docs/tasks/administer-cluster/reconfigure-kubelet/) -->
 
@@ -354,8 +353,8 @@ configure garbage collection:
 * Learn more about Kubernetes [finalizers](/docs/concepts/overview/working-with-objects/finalizers/).
 * Learn about the [TTL controller](/docs/concepts/workloads/controllers/ttlafterfinished/) (beta) that cleans up finished Jobs.
 -->
-* 进一步了解 [Kubernetes 对象的属主关系](/zh/docs/concepts/overview/working-with-objects/owners-dependents/)。
-* 进一步了解 Kubernetes [finalizers](/zh/docs/concepts/overview/working-with-objects/finalizers/)。
-* 进一步了解 [TTL 控制器](/zh/docs/concepts/workloads/controllers/ttlafterfinished/) (beta)，
+* 进一步了解 [Kubernetes 对象的属主关系](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)。
+* 进一步了解 Kubernetes [finalizers](/zh-cn/docs/concepts/overview/working-with-objects/finalizers/)。
+* 进一步了解 [TTL 控制器](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/) (beta)，
   该控制器负责清理已完成的 Job。
 
diff --git a/content/zh/docs/concepts/architecture/nodes.md b/content/zh-cn/docs/concepts/architecture/nodes.md
similarity index 83%
rename from content/zh/docs/concepts/architecture/nodes.md
rename to content/zh-cn/docs/concepts/architecture/nodes.md
index 625c114df402d..a57f98dc14ad0 100644
--- a/content/zh/docs/concepts/architecture/nodes.md
+++ b/content/zh-cn/docs/concepts/architecture/nodes.md
@@ -38,7 +38,7 @@ Kubernetes 通过将容器放入在节点（Node）上运行的 Pod 中来执行
 通常集群中会有若干个节点；而在一个学习用或者资源受限的环境中，你的集群中也可能
 只有一个节点。
 
-节点上的[组件](/zh/docs/concepts/overview/components/#node-components)包括
+节点上的[组件](/zh-cn/docs/concepts/overview/components/#node-components)包括
 {{< glossary_tooltip text="kubelet" term_id="kubelet" >}}、
 {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}以及
 {{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}。
@@ -110,7 +110,7 @@ The name of a Node object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 Node 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 ### Node name uniqueness
@@ -126,7 +126,7 @@ first and re-added after the update.
 -->
 ### 节点名称唯一性     {#node-name-uniqueness}
 
-节点的[名称](/zh/docs/concepts/overview/working-with-objects/names#names)用来标识 Node 对象。
+节点的[名称](/zh-cn/docs/concepts/overview/working-with-objects/names#names)用来标识 Node 对象。
 没有两个 Node 可以同时使用相同的名称。 Kubernetes 还假定名字相同的资源是同一个对象。
 就 Node 而言，隐式假定使用相同名称的实例会具有相同的状态（例如网络配置、根磁盘内容）
 和类似节点标签这类属性。这可能在节点被更改但其名称未变时导致系统状态不一致。
@@ -167,7 +167,7 @@ For self-registration, the kubelet is started with the following options:
   （逗号分隔的 `<key>=<value>:<effect>`）注册节点。当 `register-node` 为 false 时无效。
 - `--node-ip` - 节点 IP 地址。
 - `--node-labels` - 在集群中注册节点时要添加的{{< glossary_tooltip text="标签" term_id="label" >}}。
-  （参见 [NodeRestriction 准入控制插件](/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction)所实施的标签限制）。
+  （参见 [NodeRestriction 准入控制插件](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)所实施的标签限制）。
 - `--node-status-update-frequency` - 指定 kubelet 向控制面发送状态的频率。
 
 <!--
@@ -175,8 +175,8 @@ When the [Node authorization mode](/docs/reference/access-authn-authz/node/) and
 [NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction) are enabled,
 kubelets are only authorized to create/modify their own Node resource.
 -->
-启用[Node 鉴权模式](/zh/docs/reference/access-authn-authz/node/)和
-[NodeRestriction 准入插件](/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction)时，
+启用[Node 鉴权模式](/zh-cn/docs/reference/access-authn-authz/node/)和
+[NodeRestriction 准入插件](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)时，
 仅授权 `kubelet` 创建或修改其自己的节点资源。
 
 {{< note >}}
@@ -256,7 +256,7 @@ kubectl cordon $NODENAME
 See [Safely Drain a Node](/docs/tasks/administer-cluster/safely-drain-node/)
 for more details.
 -->
-更多细节参考[安全地腾空节点](/zh/docs/tasks/administer-cluster/safely-drain-node/)。
+更多细节参考[安全地腾空节点](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)。
 
 {{< note >}}
 <!--
@@ -430,7 +430,7 @@ Pods can also have {{< glossary_tooltip text="tolerations" term_id="toleration"
 them run on a Node even though it has a specific taint.
 -->
 当节点上出现问题时，Kubernetes 控制面会自动创建与影响节点的状况对应的
-[污点](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)。
+[污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)。
 调度器在将 Pod 指派到某 Node 时会考虑 Node 上的污点设置。
 Pod 也可以设置{{< glossary_tooltip text="容忍度" term_id="toleration" >}}，
 以便能够在设置了特定污点的 Node 上运行。
@@ -439,7 +439,7 @@ Pod 也可以设置{{< glossary_tooltip text="容忍度" term_id="toleration" >}
 See [Taint Nodes by Condition](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition)
 for more details.
 -->
-进一步的细节可参阅[根据状况为节点设置污点](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition)。
+进一步的细节可参阅[根据状况为节点设置污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-nodes-by-condition)。
 
 <!--
 ### Capacity and Allocatable {#capacity}
@@ -463,7 +463,7 @@ Node that is available to be consumed by normal Pods.
 You may read more about capacity and allocatable resources while learning how
 to [reserve compute resources](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) on a Node.
 -->
-可以在学习如何在节点上[预留计算资源](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+可以在学习如何在节点上[预留计算资源](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 的时候了解有关容量和可分配资源的更多信息。
 
 <!--
@@ -588,7 +588,7 @@ This period can be configured using the `--node-monitor-period` flag on the
 - 在节点不可达的情况下，在 Node 的 `.status` 中更新 `Ready` 状况。
   在这种情况下，节点控制器将 NodeReady 状况更新为 `Unknown` 。
 - 如果节点仍然无法访问：对于不可达节点上的所有 Pod 触发
-  [API 发起的逐出](/zh/docs/concepts/scheduling-eviction/api-eviction/)操作。
+  [API 发起的逐出](/zh-cn/docs/concepts/scheduling-eviction/api-eviction/)操作。
   默认情况下，节点控制器在将节点标记为 `Unknown` 后等待 5 分钟提交第一个驱逐请求。
 
 默认情况下，节点控制器每 5 秒检查一次节点状态，可以使用 `kube-controller-manager`
@@ -708,7 +708,7 @@ If you want to explicitly reserve resources for non-Pod processes, follow this t
 [reserve resources for system daemons](/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved).
 -->
 如果要为非 Pod 进程显式保留资源。
-请参考[为系统守护进程预留资源](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved)。
+请参考[为系统守护进程预留资源](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved)。
 {{< /note >}}
 
 <!--
@@ -725,9 +725,9 @@ the kubelet can use topology hints when making resource assignment decisions.
 See [Control Topology Management Policies on a Node](/docs/tasks/administer-cluster/topology-manager/)
 for more information.
 -->
-如果启用了 `TopologyManager` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)，
+如果启用了 `TopologyManager` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
 `kubelet` 可以在作出资源分配决策时使用拓扑提示。
-参考[控制节点上拓扑管理策略](/zh/docs/tasks/administer-cluster/topology-manager/)了解详细信息。
+参考[控制节点上拓扑管理策略](/zh-cn/docs/tasks/administer-cluster/topology-manager/)了解详细信息。
 
 <!-- 
 ## Graceful node shutdown {#graceful-node-shutdown}
@@ -746,14 +746,14 @@ during the node shutdown.
 kubelet 会尝试检测节点系统关闭事件并终止在节点上运行的 Pods。
 
 在节点终止期间，kubelet 保证 Pod 遵从常规的
-[Pod 终止流程](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
+[Pod 终止流程](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
 
 <!-- 
 The graceful node shutdown feature depends on systemd since it takes advantage of
 [systemd inhibitor locks](https://www.freedesktop.org/wiki/Software/systemd/inhibit/) to
 delay the node shutdown with a given duration.
 -->
-体面节点关闭特性依赖于 systemd，因为它要利用
+节点体面关闭特性依赖于 systemd，因为它要利用
 [systemd 抑制器锁](https://www.freedesktop.org/wiki/Software/systemd/inhibit/)机制，
 在给定的期限内延迟节点关闭。
 
@@ -762,7 +762,7 @@ Graceful node shutdown is controlled with the `GracefulNodeShutdown`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) which is
 enabled by default in 1.21.
 -->
-体面节点关闭特性受 `GracefulNodeShutdown`
+节点体面关闭特性受 `GracefulNodeShutdown`
 [特性门控](/docs/reference/command-line-tools-reference/feature-gates/)控制，
 在 1.21 版本中是默认启用的。
 
@@ -773,7 +773,7 @@ thus not activating the graceful node shutdown functionality.
 To activate the feature, the two kubelet config settings should be configured appropriately and set to non-zero values.
 -->
 注意，默认情况下，下面描述的两个配置选项，`shutdownGracePeriod` 和
-`shutdownGracePeriodCriticalPods` 都是被设置为 0 的，因此不会激活体面节点关闭功能。
+`shutdownGracePeriodCriticalPods` 都是被设置为 0 的，因此不会激活节点体面关闭功能。
 要激活此功能特性，这两个 kubelet 配置选项要适当配置，并设置为非零值。
 
 <!-- 
@@ -785,7 +785,7 @@ During a graceful shutdown, kubelet terminates pods in two phases:
 在体面关闭节点过程中，kubelet 分两个阶段来终止 Pod：
 
 1. 终止在节点上运行的常规 Pod。
-2. 终止在节点上运行的[关键 Pod](/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)。
+2. 终止在节点上运行的[关键 Pod](/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)。
 
 <!-- 
 Graceful Node Shutdown feature is configured with two [`KubeletConfiguration`](/docs/tasks/administer-cluster/kubelet-config-file/) options:
@@ -795,13 +795,13 @@ Graceful Node Shutdown feature is configured with two [`KubeletConfiguration`](/
   * Specifies the duration used to terminate [critical pods](/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical) during a node shutdown. This value should be less than `ShutdownGracePeriod`.
 -->
 节点体面关闭的特性对应两个
-[`KubeletConfiguration`](/zh/docs/tasks/administer-cluster/kubelet-config-file/) 选项：
+[`KubeletConfiguration`](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/) 选项：
 
 * `shutdownGracePeriod`：
   * 指定节点应延迟关闭的总持续时间。此时间是 Pod 体面终止的时间总和，不区分常规 Pod
-    还是[关键 Pod](/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)。
+    还是[关键 Pod](/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)。
 * `shutdownGracePeriodCriticalPods`：
-  * 在节点关闭期间指定用于终止[关键 Pod](/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)
+  * 在节点关闭期间指定用于终止[关键 Pod](/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)
     的持续时间。该值应小于 `shutdownGracePeriod`。
 
 <!--  
@@ -814,7 +814,7 @@ reserved for terminating [critical pods](/docs/tasks/administer-cluster/guarante
 例如，如果设置了 `shutdownGracePeriod=30s` 和 `shutdownGracePeriodCriticalPods=10s`，
 则 kubelet 将延迟 30 秒关闭节点。
 在关闭期间，将保留前 20（30 - 10）秒用于体面终止常规 Pod，
-而保留最后 10 秒用于终止[关键 Pod](/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)。
+而保留最后 10 秒用于终止[关键 Pod](/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical)。
 
 <!--
 When pods were evicted during the graceful node shutdown, they are marked as failed.
@@ -832,10 +832,98 @@ Message:        Pod was terminated in response to imminent node shutdown.
 ```
 {{< /note >}}
 
+<!--
+## Non Graceful node shutdown {#non-graceful-node-shutdown}
+-->
+## 节点非体面关闭 {#non-graceful-node-shutdown}
+
+{{< feature-state state="alpha" for_k8s_version="v1.24" >}}
+
+<!--
+A node shutdown action may not be detected by kubelet's Node Shutdown Mananger, 
+either because the command does not trigger the inhibitor locks mechanism used by 
+kubelet or because of a user error, i.e., the ShutdownGracePeriod and 
+ShutdownGracePeriodCriticalPods are not configured properly. Please refer to above 
+section [Graceful Node Shutdown](#graceful-node-shutdown) for more details.
+-->
+节点关闭的操作可能无法被 kubelet 的节点关闭管理器检测到，
+是因为该命令不会触发 kubelet 所使用的抑制锁定机制，或者是因为用户错误的原因，
+即 ShutdownGracePeriod 和 ShutdownGracePeriodCriticalPod 配置不正确。
+请参考以上[节点体面关闭](#graceful-node-shutdown)部分了解更多详细信息。
+
+<!--
+When a node is shutdown but not detected by kubelet's Node Shutdown Manager, the pods 
+that are part of a StatefulSet will be stuck in terminating status on 
+the shutdown node and cannot move to a new running node. This is because kubelet on 
+the shutdown node is not available to delete the pods so the StatefulSet cannot 
+create a new pod with the same name. If there are volumes used by the pods, the 
+VolumeAttachments will not be deleted from the original shutdown node so the volumes 
+used by these pods cannot be attached to a new running node. As a result, the 
+application running on the StatefulSet cannot function properly. If the original 
+shutdown node comes up, the pods will be deleted by kubelet and new pods will be 
+created on a different running node. If the original shutdown node does not come up,  
+these pods will be stuck in terminating status on the shutdown node forever.
+-->
+当某节点关闭但 kubelet 的节点关闭管理器未检测到这一事件时，
+在那个已关闭节点上、属于 StatefulSet 的 Pod 将停滞于终止状态，并且不能移动到新的运行节点上。
+这是因为已关闭节点上的 kubelet 已不存在，亦无法删除 Pod，
+因此 StatefulSet 无法创建同名的新 Pod。
+如果 Pod 使用了卷，则 VolumeAttachments 不会从原来的已关闭节点上删除，
+因此这些 Pod 所使用的卷也无法挂接到新的运行节点上。
+所以，那些以 StatefulSet 形式运行的应用无法正常工作。
+如果原来的已关闭节点被恢复，kubelet 将删除 Pod，新的 Pod 将被在不同的运行节点上创建。
+如果原来的已关闭节点没有被恢复，那些在已关闭节点上的 Pod 将永远滞留在终止状态。
+
+<!--
+To mitigate the above situation, a  user can manually add the taint `node 
+kubernetes.io/out-of-service` with either `NoExecute` or `NoSchedule` effect to 
+a Node marking it out-of-service. 
+If the `NodeOutOfServiceVolumeDetach`  [feature gate](/docs/reference/
+command-line-tools-reference/feature-gates/) is enabled on
+`kube-controller-manager`, and a Node is marked out-of-service with this taint, the 
+pods on the node will be forcefully deleted if there are no matching tolerations on
+it and volume detach operations for the pods terminating on the node will happen
+immediately. This allows the Pods on the out-of-service node to recover quickly on a
+different node. 
+-->
+为了缓解上述情况，用户可以手动将具有 `NoExecute` 或 `NoSchedule` 效果的
+`node kubernetes.io/out-of-service` 污点添加到节点上，标记其无法提供服务。
+如果在 `kube-controller-manager` 上启用了 `NodeOutOfServiceVolumeDetach` 
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+并且节点被通过污点标记为无法提供服务，如果节点 Pod 上没有设置对应的容忍度，
+那么这样的 Pod 将被强制删除，并且该在节点上被终止的 Pod 将立即进行卷分离操作。
+这样就允许那些在无法提供服务节点上的 Pod 能在其他节点上快速恢复。
+
+<!--
+During a non-graceful shutdown, Pods are terminated in the two phases:
+
+1. Force delete the Pods that do not have matching `out-of-service` tolerations.
+2. Immediately perform detach volume operation for such pods. 
+-->
+在非体面关闭期间，Pod 分两个阶段终止：
+1. 强制删除没有匹配的 `out-of-service` 容忍度的 Pod。
+2. 立即对此类 Pod 执行分离卷操作。
+
+<!--
+{{< note >}}
+- Before adding the taint `node.kubernetes.io/out-of-service` , it should be verified
+that the node is already in shutdown or power off state (not in the middle of
+restarting).
+- The user is required to manually remove the out-of-service taint after the pods are
+moved to a new node and the user has checked that the shutdown node has been
+recovered since the user was the one who originally added the taint.
+{{< /note >}}
+-->
+{{< note >}}
+- 在添加 `node.kubernetes.io/out-of-service` 污点之前，应该验证节点已经处于关闭或断电状态（而不是在重新启动中）。
+- 将 Pod 移动到新节点后，用户需要手动移除停止服务的污点，并且用户要检查关闭节点是否已恢复，因为该用户是最初添加污点的用户。
+{{< /note >}}
+
+
 <!--
 ### Pod Priority based graceful node shutdown {#pod-priority-graceful-node-shutdown}
 -->
-### 基于 Pod 优先级的体面节点关闭    {#pod-priority-graceful-node-shutdown}
+### 基于 Pod 优先级的节点体面关闭    {#pod-priority-graceful-node-shutdown}
 
 {{< feature-state state="alpha" for_k8s_version="v1.23" >}}
 
@@ -847,11 +935,11 @@ allows cluster administers to explicitly define the ordering of pods
 during graceful node shutdown based on
 [priority classes](/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass).
 -->
-为了在体面节点关闭期间提供更多的灵活性，尤其是处理关闭期间的 Pod 排序问题，
-体面节点关闭机制能够关注 Pod 的 PriorityClass 设置，前提是你已经在集群中启用了此功能特性。
+为了在节点体面关闭期间提供更多的灵活性，尤其是处理关闭期间的 Pod 排序问题，
+节点体面关闭机制能够关注 Pod 的 PriorityClass 设置，前提是你已经在集群中启用了此功能特性。
 此功能特性允许集群管理员基于 Pod
-的[优先级类（Priority Class）](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)
-显式地定义体面节点关闭期间 Pod 的处理顺序。
+的[优先级类（Priority Class）](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)
+显式地定义节点体面关闭期间 Pod 的处理顺序。
 
 <!--
 The [Graceful Node Shutdown](#graceful-node-shutdown) feature, as described
@@ -860,7 +948,7 @@ pods. If additional flexibility is needed to explicitly define the ordering of
 pods during shutdown in a more granular way, pod priority based graceful
 shutdown can be used.
 -->
-前文所述的[体面节点关闭](#graceful-node-shutdown)特性能够分两个阶段关闭 Pod，
+前文所述的[节点体面关闭](#graceful-node-shutdown)特性能够分两个阶段关闭 Pod，
 首先关闭的是非关键的 Pod，之后再处理关键 Pod。
 如果需要显式地以更细粒度定义关闭期间 Pod 的处理顺序，需要一定的灵活度，
 这时可以使用基于 Pod 优先级的体面关闭机制。
@@ -871,7 +959,7 @@ graceful node shutdown in multiple phases, each phase shutting down a
 particular priority class of pods. The kubelet can be configured with the exact
 phases and shutdown time per phase.
 -->
-当体面节点关闭能够处理 Pod 优先级时，体面节点关闭的处理可以分为多个阶段，
+当节点体面关闭能够处理 Pod 优先级时，节点体面关闭的处理可以分为多个阶段，
 每个阶段关闭特定优先级类的 Pod。kubelet 可以被配置为按确切的阶段处理 Pod，
 且每个阶段可以独立设置关闭时间。
 
@@ -881,7 +969,7 @@ Assuming the following custom pod
 in a cluster,
 -->
 假设集群中存在以下自定义的 Pod
-[优先级类](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)。
+[优先级类](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass)。
 
 | Pod 优先级类名称        | Pod 优先级类数值       |
 |-------------------------|------------------------|
@@ -894,7 +982,7 @@ in a cluster,
 Within the [kubelet configuration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
 the settings for `shutdownGracePeriodByPodPriority` could look like:
 -->
-在 [kubelet 配置](/zh/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)中，
+在 [kubelet 配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)中，
 `shutdownGracePeriodByPodPriority` 可能看起来是这样：
 
 | Pod 优先级类数值       | 关闭期限  |
@@ -961,17 +1049,33 @@ kubelet 会直接跳到下一个优先级数值范围进行处理。
 If this feature is enabled and no configuration is provided, then no ordering
 action will be taken.
 
-Using this feature, requires enabling the
-`GracefulNodeShutdownBasedOnPodPriority` feature gate, and setting the kubelet
-config's `ShutdownGracePeriodByPodPriority` to the desired configuration
-containing the pod priority class values and their respective shutdown periods.
+Using this feature requires enabling the `GracefulNodeShutdownBasedOnPodPriority`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+, and setting `ShutdownGracePeriodByPodPriority` in the
+[kubelet config](/docs/reference/config-api/kubelet-config.v1beta1/)
+to the desired configuration containing the pod priority class values and
+their respective shutdown periods.
 -->
 如果此功能特性被启用，但没有提供配置数据，则不会出现排序操作。
 
-使用此功能特性需要启用 `GracefulNodeShutdownBasedOnPodPriority` 特性门控，
-并将 kubelet 配置中的 `shutdownGracePeriodByPodPriority` 设置为期望的配置，
+使用此功能特性需要启用 `GracefulNodeShutdownBasedOnPodPriority` 
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+并将 [kubelet 配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
+中的 `shutdownGracePeriodByPodPriority` 设置为期望的配置，
 其中包含 Pod 的优先级类数值以及对应的关闭期限。
 
+<!-- 
+{{< note >}}
+The ability to take Pod priority into account during graceful node shutdown was introduced
+as an Alpha feature in Kubernetes v1.23. In Kubernetes {{< skew currentVersion >}}
+the feature is Beta and is enabled by default.
+{{< /note >}} 
+-->
+{{< note >}}
+在节点体面关闭期间考虑 Pod 优先级的能力是作为 Kubernetes v1.23 中的 Alpha 功能引入的。
+在 Kubernetes {{< skew currentVersion >}} 中该功能是 Beta 版，默认启用。
+{{< /note >}} 
+
 <!--
 Metrics `graceful_shutdown_start_time_seconds` and `graceful_shutdown_end_time_seconds`
 are emitted under the kubelet subsystem to monitor node shutdowns.
@@ -1003,7 +1107,7 @@ must be set to false.
 -->
 要在节点上启用交换内存，必须启用kubelet 的 `NodeSwap` 特性门控，
 同时使用 `--fail-swap-on` 命令行参数或者将 `failSwapOn`
-[配置](/zh/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)设置为 false。
+[配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)设置为 false。
 
 <!--
 A user can also optionally configure `memorySwap.swapBehavior` in order to
@@ -1070,10 +1174,10 @@ see [KEP-2400](https://github.com/kubernetes/enhancements/issues/2400) and its
   section of the architecture design document.
 * Read about [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-toleration/).
 -->
-* 进一步了解节点[组件](/zh/docs/concepts/overview/components/#node-components)。
+* 进一步了解节点[组件](/zh-cn/docs/concepts/overview/components/#node-components)。
 * 阅读 [Node 的 API 定义](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#node-v1-core)。
 * 阅读架构设计文档中有关
   [Node](https://git.k8s.io/community/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node)
   的章节。
-* 了解[污点和容忍度](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)。
+* 了解[污点和容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)。
 
diff --git a/content/zh/docs/concepts/cluster-administration/_index.md b/content/zh-cn/docs/concepts/cluster-administration/_index.md
similarity index 79%
rename from content/zh/docs/concepts/cluster-administration/_index.md
rename to content/zh-cn/docs/concepts/cluster-administration/_index.md
index e1e929cfa6e9b..c340a741c7a89 100644
--- a/content/zh/docs/concepts/cluster-administration/_index.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/_index.md
@@ -25,7 +25,7 @@ The cluster administration overview is for anyone creating or administering a Ku
 It assumes some familiarity with core Kubernetes [concepts](/docs/concepts/).
 -->
 集群管理概述面向任何创建和管理 Kubernetes 集群的读者人群。
-我们假设你大概了解一些核心的 Kubernetes [概念](/zh/docs/concepts/)。
+我们假设你大概了解一些核心的 Kubernetes [概念](/zh-cn/docs/concepts/)。
 
 
 <!-- body -->
@@ -40,7 +40,7 @@ Before choosing a guide, here are some considerations:
 -->
 ## 规划集群   {#planning-a-cluster}
 
-查阅[安装](/zh/docs/setup/)中的指导，获取如何规划、建立以及配置 Kubernetes
+查阅[安装](/zh-cn/docs/setup/)中的指导，获取如何规划、建立以及配置 Kubernetes
 集群的示例。本文所列的文章称为*发行版* 。
 
 {{< note >}}
@@ -68,12 +68,12 @@ Before choosing a guide, here are some considerations:
 - 你的集群是在**本地**还是**云（IaaS）** 上？Kubernetes 不能直接支持混合集群。
   作为代替，你可以建立多个集群。
 - **如果你在本地配置 Kubernetes**，需要考虑哪种
-  [网络模型](/zh/docs/concepts/cluster-administration/networking/)最适合。
+  [网络模型](/zh-cn/docs/concepts/cluster-administration/networking/)最适合。
 - 你的 Kubernetes 在**裸金属硬件**上还是**虚拟机（VMs）** 上运行？
 - 你是想**运行一个集群**，还是打算**参与开发 Kubernetes 项目代码**？
   如果是后者，请选择一个处于开发状态的发行版。
   某些发行版只提供二进制发布版，但提供更多的选择。
-- 让你自己熟悉运行一个集群所需的[组件](/zh/docs/concepts/overview/components/)。
+- 让你自己熟悉运行一个集群所需的[组件](/zh-cn/docs/concepts/overview/components/)。
 
 <!--
 ## Managing a cluster
@@ -84,9 +84,9 @@ Before choosing a guide, here are some considerations:
 -->
 ## 管理集群   {#managing-a-cluster}
 
-* 学习如何[管理节点](/zh/docs/concepts/architecture/nodes/)。
+* 学习如何[管理节点](/zh-cn/docs/concepts/architecture/nodes/)。
 
-* 学习如何设定和管理集群共享的[资源配额](/zh/docs/concepts/policy/resource-quotas/) 。
+* 学习如何设定和管理集群共享的[资源配额](/zh-cn/docs/concepts/policy/resource-quotas/) 。
 
 <!--
 ## Securing a cluster
@@ -102,35 +102,35 @@ Before choosing a guide, here are some considerations:
 -->
 ## 保护集群  {#securing-a-cluster}
 
-* [生成证书](/zh/docs/tasks/administer-cluster/certificates/)
+* [生成证书](/zh-cn/docs/tasks/administer-cluster/certificates/)
   节描述了使用不同的工具链生成证书的步骤。
-* [Kubernetes 容器环境](/zh/docs/concepts/containers/container-environment/)
+* [Kubernetes 容器环境](/zh-cn/docs/concepts/containers/container-environment/)
   描述了 Kubernetes 节点上由 Kubelet 管理的容器的环境。
-* [控制到 Kubernetes API 的访问](/zh/docs/concepts/security/controlling-access/)
+* [控制到 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access/)
   描述了如何为用户和 service accounts 建立权限许可。
-* [身份认证](/zh/docs/reference/access-authn-authz/authentication/)
+* [身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
   节阐述了 Kubernetes 中的身份认证功能，包括许多认证选项。
-* [鉴权](/zh/docs/reference/access-authn-authz/authorization/)
+* [鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)
   与身份认证不同，用于控制如何处理 HTTP 请求。
-* [使用准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers)
+* [使用准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers)
   阐述了在认证和授权之后拦截到 Kubernetes API 服务的请求的插件。
-* [在 Kubernetes 集群中使用 Sysctls](/zh/docs/tasks/administer-cluster/sysctl-cluster/)
+* [在 Kubernetes 集群中使用 Sysctls](/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/)
   描述了管理员如何使用 `sysctl` 命令行工具来设置内核参数。
-* [审计](/zh/docs/tasks/debug/debug-cluster/audit/)
+* [审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/)
   描述了如何与 Kubernetes 的审计日志交互。
 
 <!--
 ### Securing the kubelet
 
 * [Master-Node communication](/docs/concepts/architecture/master-node-communication/)
-* [TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+* [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 * [Kubelet authentication/authorization](/docs/admin/kubelet-authentication-authorization/)
 -->
 ### 保护 kubelet   {#securing-the-kubelet}
 
-* [主控节点通信](/zh/docs/concepts/architecture/control-plane-node-communication/)
-* [TLS 引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
-* [Kubelet 认证/授权](/zh/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
+* [主控节点通信](/zh-cn/docs/concepts/architecture/control-plane-node-communication/)
+* [TLS 引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
+* [Kubelet 认证/授权](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)
 
 <!--
 ## Optional Cluster Services
@@ -140,8 +140,8 @@ Before choosing a guide, here are some considerations:
 -->
 ## 可选集群服务   {#optional-cluster-services}
 
-* [DNS 集成](/zh/docs/concepts/services-networking/dns-pod-service/)
+* [DNS 集成](/zh-cn/docs/concepts/services-networking/dns-pod-service/)
   描述了如何将一个 DNS 名解析到一个 Kubernetes service。
-* [记录和监控集群活动](/zh/docs/concepts/cluster-administration/logging/)
+* [记录和监控集群活动](/zh-cn/docs/concepts/cluster-administration/logging/)
   阐述了 Kubernetes 的日志如何工作以及怎样实现。
 
diff --git a/content/zh/docs/concepts/cluster-administration/addons.md b/content/zh-cn/docs/concepts/cluster-administration/addons.md
similarity index 93%
rename from content/zh/docs/concepts/cluster-administration/addons.md
rename to content/zh-cn/docs/concepts/cluster-administration/addons.md
index dc8303f872b1c..0c231d5bb76b1 100644
--- a/content/zh/docs/concepts/cluster-administration/addons.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/addons.md
@@ -30,7 +30,7 @@ Add-ons 扩展了 Kubernetes 的功能。
 * [Calico](https://docs.projectcalico.org/latest/getting-started/kubernetes/) is a secure L3 networking and network policy provider.
 * [Canal](https://github.com/tigera/canal/tree/master/k8s-install) unites Flannel and Calico, providing networking and network policy.
 * [Cilium](https://github.com/cilium/cilium) is a L3 network and network policy plugin that can enforce HTTP/API/L7 policies transparently. Both routing and overlay/encapsulation mode are supported.
-* [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, Romana, or Weave.
+* [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, or Weave.
 * [Contiv](https://contivpp.io/) provides configurable networking (native L3 using BGP, overlay using vxlan, classic L2, and Cisco-SDN/ACI) for various use cases and a rich policy framework. Contiv project is fully [open sourced](https://github.com/contiv). The [installer](https://github.com/contiv/install) provides both kubeadm and non-kubeadm based installation options.
 * [Contrail](http://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/), based on [Tungsten Fabric](https://tungsten.io), is an open source, multi-cloud network virtualization and policy management platform. Contrail and Tungsten Fabric are integrated with orchestration systems such as Kubernetes, OpenShift, OpenStack and Mesos, and provide isolation modes for virtual machines, containers/pods and bare metal workloads.
 * [Flannel](https://github.com/flannel-io/flannel#deploying-flannel-manually) is an overlay network provider that can be used with Kubernetes.
@@ -40,7 +40,7 @@ Add-ons 扩展了 Kubernetes 的功能。
 * [OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) is OVN based CNI controller plugin to provide cloud native based Service function chaining(SFC), Multiple OVN overlay networking, dynamic subnet creation, dynamic creation of virtual networks, VLAN Provider network, Direct provider network and pluggable with other Multi-network plugins, ideal for edge based cloud native workloads in Multi-cluster networking
 * [NSX-T](https://docs.vmware.com/en/VMware-NSX-T/2.0/nsxt_20_ncp_kubernetes.pdf) Container Plug-in (NCP) provides integration between VMware NSX-T and container orchestrators such as Kubernetes, as well as integration between NSX-T and container-based CaaS/PaaS platforms such as Pivotal Container Service (PKS) and OpenShift.
 * [Nuage](https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst) is an SDN platform that provides policy-based networking between Kubernetes Pods and non-Kubernetes environments with visibility and security monitoring.
-* **Romana** is a Layer 3 networking solution for pod networks that also supports the [NetworkPolicy API](/docs/concepts/services-networking/network-policies/). Kubeadm add-on installation details available [here](https://github.com/romana/romana/tree/master/containerize).
+* [Romana](https://github.com/romana) is a Layer 3 networking solution for pod networks that also supports the [NetworkPolicy](/docs/concepts/services-networking/network-policies/) API.
 * [Weave Net](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/) provides networking and network policy, will carry on working on both sides of a network partition, and does not require an external database.
 -->
 ## 网络和网络策略
@@ -54,7 +54,7 @@ Add-ons 扩展了 Kubernetes 的功能。
 * [Cilium](https://github.com/cilium/cilium) 是一个 L3 网络和网络策略插件，能够透明的实施 HTTP/API/L7 策略。
   同时支持路由（routing）和覆盖/封装（overlay/encapsulation）模式。
 * [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) 使 Kubernetes 无缝连接到一种 CNI 插件，
-  例如：Flannel、Calico、Canal、Romana 或者 Weave。
+  例如：Flannel、Calico、Canal 或者 Weave。
 * [Contiv](https://contivpp.io/) 为各种用例和丰富的策略框架提供可配置的网络
   （使用 BGP 的本机 L3、使用 vxlan 的覆盖、标准 L2 和 Cisco-SDN/ACI）。
   Contiv 项目完全[开源](https://github.com/contiv)。
@@ -84,9 +84,8 @@ Add-ons 扩展了 Kubernetes 的功能。
   CaaS / PaaS 平台（例如关键容器服务（PKS）和 OpenShift）之间的集成。
 * [Nuage](https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst)
   是一个 SDN 平台，可在 Kubernetes Pods 和非 Kubernetes 环境之间提供基于策略的联网，并具有可视化和安全监控。
-* Romana 是一个 pod 网络的第三层解决方案，并支持
-  [NetworkPolicy API](/zh/docs/concepts/services-networking/network-policies/)。
-  Kubeadm add-on 安装细节可以在[这里](https://github.com/romana/romana/tree/master/containerize)找到。
+* [Romana](https://github.com/romana) 是一个 Pod 网络的第三层解决方案，并支持
+  [NetworkPolicy](/zh-cn/docs/concepts/services-networking/network-policies/) API。
 * [Weave Net](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/)
   提供在网络分组两端参与工作的网络和网络策略，并且不需要额外的数据库。
 
@@ -129,7 +128,7 @@ Add-ons 扩展了 Kubernetes 的功能。
   运行虚拟机的 add-ons。通常运行在裸机集群上。
 * [节点问题检测器](https://github.com/kubernetes/node-problem-detector) 在 Linux 节点上运行，
   并将系统问题报告为[事件](/docs/reference/kubernetes-api/cluster-resources/event-v1/)
-  或[节点状况](/zh/docs/concepts/architecture/nodes/#condition)。
+  或[节点状况](/zh-cn/docs/concepts/architecture/nodes/#condition)。
 
 <!--
 ## Legacy Add-ons
diff --git a/content/zh/docs/concepts/cluster-administration/certificates.md b/content/zh-cn/docs/concepts/cluster-administration/certificates.md
similarity index 71%
rename from content/zh/docs/concepts/cluster-administration/certificates.md
rename to content/zh-cn/docs/concepts/cluster-administration/certificates.md
index b900e77ec91d1..2297ffac053f5 100644
--- a/content/zh/docs/concepts/cluster-administration/certificates.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/certificates.md
@@ -14,5 +14,5 @@ weight: 20
 <!--
 To learn how to generate certificates for your cluster, see [Certificates](/docs/tasks/administer-cluster/certificates/).
 -->
-要了解如何为集群生成证书，参阅[证书](/zh/docs/tasks/administer-cluster/certificates/)。
+要了解如何为集群生成证书，参阅[证书](/zh-cn/docs/tasks/administer-cluster/certificates/)。
 
diff --git a/content/zh/docs/concepts/cluster-administration/flow-control.md b/content/zh-cn/docs/concepts/cluster-administration/flow-control.md
similarity index 99%
rename from content/zh/docs/concepts/cluster-administration/flow-control.md
rename to content/zh-cn/docs/concepts/cluster-administration/flow-control.md
index cdc98c2fee278..746a7b4e3bd1a 100644
--- a/content/zh/docs/concepts/cluster-administration/flow-control.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/flow-control.md
@@ -86,7 +86,7 @@ command-line flags to your `kube-apiserver` invocation:
 -->
 API 优先级与公平性（APF）特性由特性门控控制，默认情况下启用。
 有关特性门控的一般性描述以及如何启用和禁用特性门控，
-请参见[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+请参见[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 APF 的特性门控称为 `APIPriorityAndFairness`。
 此特性也与某个 {{< glossary_tooltip term_id="api-group" text="API 组" >}}
 相关：
@@ -584,7 +584,7 @@ opinions of the proper content of these objects.
 就可能出现抖动。
 
 <!--
-Each `kube-apiserver` makes an inital maintenance pass over the
+Each `kube-apiserver` makes an initial maintenance pass over the
 mandatory and suggested configuration objects, and after that does
 periodic maintenance (once per minute) of those objects.
 
diff --git a/content/zh/docs/concepts/cluster-administration/logging.md b/content/zh-cn/docs/concepts/cluster-administration/logging.md
similarity index 99%
rename from content/zh/docs/concepts/cluster-administration/logging.md
rename to content/zh-cn/docs/concepts/cluster-administration/logging.md
index a4732cbe612f1..8b53c28ae3a85 100644
--- a/content/zh/docs/concepts/cluster-administration/logging.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/logging.md
@@ -233,7 +233,7 @@ They use the [`klog`](https://github.com/kubernetes/klog)
 logging library. You can find the conventions for logging severity for those
 components in the [development docs on logging](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md).
 -->
-在使用 systemd 机制的服务器上，kubelet 和容器容器运行时将日志写入到 journald 中。
+在使用 systemd 机制的服务器上，kubelet 和容器运行时将日志写入到 journald 中。
 如果没有 systemd，它们将日志写入到 `/var/log` 目录下的 `.log` 文件中。
 容器中的系统组件通常将日志写到 `/var/log` 目录，绕过了默认的日志机制。
 他们使用 [klog](https://github.com/kubernetes/klog) 日志库。
@@ -280,7 +280,7 @@ While Kubernetes does not provide a native solution for cluster-level logging, t
 <!--
 You can implement cluster-level logging by including a _node-level logging agent_ on each node. The logging agent is a dedicated tool that exposes logs or pushes logs to a backend. Commonly, the logging agent is a container that has access to a directory with log files from all of the application containers on that node.
 -->
-你可以通过在每个节点上使用 _节点级的日志记录代理_ 来实现群集级日志记录。
+你可以通过在每个节点上使用 _节点级的日志记录代理_ 来实现集群级日志记录。
 日志记录代理是一种用于暴露日志或将日志推送到后端的专用工具。
 通常，日志记录代理程序是一个容器，它可以访问包含该节点上所有应用程序容器的日志文件的目录。
 
@@ -478,7 +478,7 @@ a [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) to c
 -->
 下面是两个配置文件，可以用来实现一个带日志代理的边车容器。
 第一个文件包含用来配置 fluentd 的
-[ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)。
+[ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)。
 
 {{< codenew file="admin/logging/fluentd-sidecar-config.yaml" >}}
 
diff --git a/content/zh/docs/concepts/cluster-administration/manage-deployment.md b/content/zh-cn/docs/concepts/cluster-administration/manage-deployment.md
similarity index 96%
rename from content/zh/docs/concepts/cluster-administration/manage-deployment.md
rename to content/zh-cn/docs/concepts/cluster-administration/manage-deployment.md
index 30be88f7cc6e3..38bda5a21fb15 100644
--- a/content/zh/docs/concepts/cluster-administration/manage-deployment.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/manage-deployment.md
@@ -12,8 +12,8 @@ You've deployed your application and exposed it via a service. Now what? Kuberne
 你已经部署了应用并通过服务暴露它。然后呢？
 Kubernetes 提供了一些工具来帮助管理你的应用部署，包括扩缩容和更新。
 我们将更深入讨论的特性包括
-[配置文件](/zh/docs/concepts/configuration/overview/)和
-[标签](/zh/docs/concepts/overview/working-with-objects/labels/)。
+[配置文件](/zh-cn/docs/concepts/configuration/overview/)和
+[标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)。
 
 <!-- body -->
 
@@ -85,7 +85,7 @@ A URL can also be specified as a configuration source, which is handy for deploy
 还可以使用 URL 作为配置源，便于直接使用已经提交到 Github 上的配置文件进行部署：
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/main/content/zh/examples/application/nginx/nginx-deployment.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/main/content/zh-cn/examples/application/nginx/nginx-deployment.yaml
 ```
 
 ```
@@ -239,7 +239,7 @@ persistentvolumeclaim/my-pvc created
 If you're interested in learning more about `kubectl`, go ahead and read [Command line tool (kubectl)](/docs/reference/kubectl/).
 -->
 如果你有兴趣进一步学习关于 `kubectl` 的内容，请阅读
-[命令行工具（kubectl）](/zh/docs/reference/kubectl/)。
+[命令行工具（kubectl）](/zh-cn/docs/reference/kubectl/)。
 
 <!--
 ## Using labels effectively
@@ -445,7 +445,7 @@ For more information, please see [labels](/docs/concepts/overview/working-with-o
 （用参数 `-L` 或者 `--label-columns` 标明）。
 
 想要了解更多信息，请参考
-[标签](/zh/docs/concepts/overview/working-with-objects/labels/) 和
+[标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/) 和
 [`kubectl label`](/docs/reference/generated/kubectl/kubectl-commands/#label)
 命令文档。
 
@@ -476,7 +476,7 @@ metadata:
 For more information, please see [annotations](/docs/concepts/overview/working-with-objects/annotations/) and [kubectl annotate](/docs/reference/generated/kubectl/kubectl-commands/#annotate) document.
  -->
 想要了解更多信息，请参考
-[注解](/zh/docs/concepts/overview/working-with-objects/annotations/)和
+[注解](/zh-cn/docs/concepts/overview/working-with-objects/annotations/)和
 [`kubectl annotate`](/docs/reference/generated/kubectl/kubectl-commands/#annotate)
 命令文档。
 
@@ -535,7 +535,7 @@ For more information, please see [kubectl scale](/docs/reference/generated/kubec
 想要了解更多信息，请参考
 [kubectl scale](/docs/reference/generated/kubectl/kubectl-commands/#scale)命令文档、
 [kubectl autoscale](/docs/reference/generated/kubectl/kubectl-commands/#autoscale) 命令文档和
-[水平 Pod 自动伸缩](/zh/docs/tasks/run-application/horizontal-pod-autoscale/) 文档。
+[水平 Pod 自动伸缩](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/) 文档。
 
 <!--
 ## In-place updates of resources
@@ -648,7 +648,7 @@ and
  -->
 你可以使用 `kubectl patch` 来更新 API 对象。此命令支持 JSON patch、
 JSON merge patch、以及 strategic merge patch。 请参考
-[使用 kubectl patch 更新 API 对象](/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)
+[使用 kubectl patch 更新 API 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)
 和
 [kubectl patch](/docs/reference/generated/kubectl/kubectl-commands/#patch).
 
@@ -716,14 +716,13 @@ That's it! The Deployment will declaratively update the deployed nginx applicati
  -->
 没错，就是这样！Deployment 将在后台逐步更新已经部署的 nginx 应用。
 它确保在更新过程中，只有一定数量的旧副本被开闭，并且只有一定基于所需 Pod 数量的新副本被创建。
-想要了解更多细节，请参考 [Deployment](/zh/docs/concepts/workloads/controllers/deployment/)。
+想要了解更多细节，请参考 [Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-- [Learn about how to use `kubectl` for application introspection and debugging.](/docs/tasks/debug-application-cluster/debug-application-introspection/)
+- [Learn about how to use `kubectl` for application introspection and debugging.](/docs/tasks/debug/debug-application/debug-running-pod/)
 - [Configuration Best Practices and Tips](/docs/concepts/configuration/overview/)
  -->
-- 学习[如何使用 `kubectl` 观察和调试应用](/zh/docs/tasks/debug-application-cluster/debug-application-introspection/)
-- 阅读[配置最佳实践和技巧](/zh/docs/concepts/configuration/overview/)
-
+- 学习[如何使用 `kubectl` 观察和调试应用](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/)
+- 阅读[配置最佳实践和技巧](/zh-cn/docs/concepts/configuration/overview/)
diff --git a/content/zh/docs/concepts/cluster-administration/networking.md b/content/zh-cn/docs/concepts/cluster-administration/networking.md
similarity index 87%
rename from content/zh/docs/concepts/cluster-administration/networking.md
rename to content/zh-cn/docs/concepts/cluster-administration/networking.md
index 6175dc539573e..edc6866ec867f 100644
--- a/content/zh/docs/concepts/cluster-administration/networking.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/networking.md
@@ -1,10 +1,15 @@
 ---
-reviewers:
-- thockin
 title: 集群网络系统
 content_type: concept
 weight: 50
 ---
+<!--
+reviewers:
+- thockin
+title: Cluster Networking
+content_type: concept
+weight: 50
+-->
 
 <!-- overview -->
 <!--
@@ -23,9 +28,9 @@ problems to address:
 
 1. 高度耦合的容器间通信：这个已经被 {{< glossary_tooltip text="Pods" term_id="pod" >}}
    和 `localhost` 通信解决了。
-2. Pod 间通信：这个是本文档的重点要讲述的。
-3. Pod 和服务间通信：这个已经在[服务](/zh/docs/concepts/services-networking/service/)里讲述过了。
-4. 外部和服务间通信：这也已经在[服务](/zh/docs/concepts/services-networking/service/)讲述过了。
+2. Pod 间通信：本文档讲述重点。
+3. Pod 和服务间通信：由[服务](/zh-cn/docs/concepts/services-networking/service/)负责。
+4. 外部和服务间通信：也由[服务](/zh-cn/docs/concepts/services-networking/service/)负责。
 
 <!-- body -->
 
@@ -51,7 +56,7 @@ Kubernetes 的宗旨就是在应用之间共享机器。
 而 API 服务器还需要知道如何将动态端口数值插入到配置模块中，服务也需要知道如何找到对方等等。
 与其去解决这些问题，Kubernetes 选择了其他不同的方法。
 
-要了解 Kubernetes 网络模型，请参阅[此处](/zh/docs/concepts/services-networking/)。
+要了解 Kubernetes 网络模型，请参阅[此处](/zh-cn/docs/concepts/services-networking/)。
 <!--
 ## How to implement the Kubernetes networking model
 
@@ -62,7 +67,7 @@ as an introduction to various technologies and serves as a jumping-off point.
 The following networking options are sorted alphabetically - the order does not
 imply any preferential status.
 -->
-## 如何实现 Kubernetes 的网络模型
+## 如何实现 Kubernetes 的网络模型    {#how-to-implement-the-kubernetes-networking-model}
 
 有很多种方式可以实现这种网络模型，本文档并不是对各种实现技术的详细研究，
 但是希望可以作为对各种技术的详细介绍，并且成为你研究的起点。
@@ -105,7 +110,7 @@ Using this CNI plugin allows Kubernetes pods to have the same IP address inside
 
 Additionally, the CNI can be run alongside [Calico for network policy enforcement](https://docs.aws.amazon.com/eks/latest/userguide/calico.html). The AWS VPC CNI project is open source with [documentation on GitHub](https://github.com/aws/amazon-vpc-cni-k8s).
 -->
-### Kubernetes 的 AWS VPC CNI 
+### Kubernetes 的 AWS VPC CNI     {#aws-vpc-cni-for-kubernetes}
 
 [AWS VPC CNI](https://github.com/aws/amazon-vpc-cni-k8s) 为 Kubernetes 集群提供了集成的
 AWS 虚拟私有云（VPC）网络。该 CNI 插件提供了高吞吐量和可用性，低延迟以及最小的网络抖动。
@@ -113,7 +118,7 @@ AWS 虚拟私有云（VPC）网络。该 CNI 插件提供了高吞吐量和可
 这包括使用 VPC 流日志、VPC 路由策略和安全组进行网络流量隔离的功能。
 
 使用该 CNI 插件，可使 Kubernetes Pod 拥有与在 VPC 网络上相同的 IP 地址。
-CNI 将 AWS 弹性网络接口（ENI）分配给每个 Kubernetes 节点，并将每个 ENI 的辅助 IP 范围用于该节点上的 Pod 。
+CNI 将 AWS 弹性网络接口（ENI）分配给每个 Kubernetes 节点，并将每个 ENI 的辅助 IP 范围用于该节点上的 Pod。
 CNI 包含用于 ENI 和 IP 地址的预分配的控件，以便加快 Pod 的启动时间，并且能够支持多达 2000 个节点的大型集群。
 
 此外，CNI 可以与
@@ -121,20 +126,20 @@ CNI 包含用于 ENI 和 IP 地址的预分配的控件，以便加快 Pod 的
 AWS VPC CNI 项目是开源的，请查看 [GitHub 上的文档](https://github.com/aws/amazon-vpc-cni-k8s)。
 
 <!--
-### Azure CNI for Kubernetes 
+### Azure CNI for Kubernetes
 [Azure CNI](https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview) is an [open source](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) plugin that integrates Kubernetes Pods with an Azure Virtual Network (also known as VNet) providing network performance at par with VMs. Pods can connect to peered VNet and to on-premises over Express Route or site-to-site VPN and are also directly reachable from these networks. Pods can access Azure services, such as storage and SQL, that are protected by Service Endpoints or Private Link. You can use VNet security policies and routing to filter Pod traffic. The plugin assigns VNet IPs to Pods by utilizing a pool of secondary IPs pre-configured on the Network Interface of a Kubernetes node.
 
 Azure CNI is available natively in the [Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni).
 -->
-### Kubernetes 的 Azure CNI 
+### Kubernetes 的 Azure CNI     {#azure-cni-for-kubernetes}
 
 [Azure CNI](https://docs.microsoft.com/en-us/azure/virtual-network/container-networking-overview)
 是一个[开源插件](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md)，
 将 Kubernetes Pods 和 Azure 虚拟网络（也称为 VNet）集成在一起，可提供与 VM 相当的网络性能。
-Pod 可以通过 Express Route 或者 站点到站点的 VPN 来连接到对等的 VNet ，
+Pod 可以通过 Express Route 或者 站点到站点的 VPN 来连接到对等的 VNet，
 也可以从这些网络来直接访问 Pod。Pod 可以访问受服务端点或者受保护链接的 Azure 服务，比如存储和 SQL。
 你可以使用 VNet 安全策略和路由来筛选 Pod 流量。
-该插件通过利用在 Kubernetes 节点的网络接口上预分配的辅助 IP 池将 VNet 分配给 Pod 。
+该插件通过利用在 Kubernetes 节点的网络接口上预分配的辅助 IP 池将 VNet 分配给 Pod。
 
 Azure CNI 可以在
 [Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni) 中获得。
@@ -142,7 +147,7 @@ Azure CNI 可以在
 <!--
 ### Calico
 
-[Calico](https://projectcalico.docs.tigera.io/about/about-calico/) is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico supports multiple data planes including: a pure Linux eBPF dataplane, a standard Linux networking dataplane, and a Windows HNS dataplane. Calico provides a full networking stack but can also be used in conjunction with [cloud provider CNIs](https://docs.projectcalico.org/networking/determine-best-networking#calico-compatible-cni-plugins-and-cloud-provider-integrations) to provide network policy enforcement.
+[Calico](https://projectcalico.docs.tigera.io/about/about-calico/) is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico supports multiple data planes including: a pure Linux eBPF dataplane, a standard Linux networking dataplane, and a Windows HNS dataplane. Calico provides a full networking stack but can also be used in conjunction with [cloud provider CNIs](https://projectcalico.docs.tigera.io/networking/determine-best-networking#calico-compatible-cni-plugins-and-cloud-provider-integrations) to provide network policy enforcement.
 -->
 ### Calico
 
@@ -150,7 +155,8 @@ Azure CNI 可以在
 用于基于容器、虚拟机和本地主机的工作负载。
 Calico 支持多个数据面，包括：纯 Linux eBPF 的数据面、标准的 Linux 联网数据面
 以及 Windows HNS 数据面。Calico 在提供完整的联网堆栈的同时，还可与
-[云驱动 CNIs](https://docs.projectcalico.org/networking/determine-best-networking#calico-compatible-cni-plugins-and-cloud-provider-integrations) 联合使用，以保证网络策略实施。
+[云驱动 CNIs](https://projectcalico.docs.tigera.io/networking/determine-best-networking#calico-compatible-cni-plugins-and-cloud-provider-integrations)
+联合使用，以保证网络策略实施。
 
 <!--
 ### Cilium
@@ -170,18 +176,18 @@ Cilium 支持 L7/HTTP，可以在 L3-L7 上通过使用与网络分离的基于
 <!--
 ### CNI-Genie from Huawei
 
-[CNI-Genie](https://github.com/cni-genie/CNI-Genie) is a CNI plugin that enables Kubernetes to [simultaneously have access to different implementations](https://github.com/cni-genie/CNI-Genie/blob/master/docs/multiple-cni-plugins/README.md#what-cni-genie-feature-1-multiple-cni-plugins-enables) of the [Kubernetes network model](/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model) in runtime. This includes any implementation that runs as a [CNI plugin](https://github.com/containernetworking/cni#3rd-party-plugins), such as [Flannel](https://github.com/coreos/flannel#flannel), [Calico](https://projectcalico.docs.tigera.io/about/about-calico/), [Weave-net](https://www.weave.works/oss/net/).
+[CNI-Genie](https://github.com/cni-genie/CNI-Genie) is a CNI plugin that enables Kubernetes to [simultaneously have access to different implementations](https://github.com/cni-genie/CNI-Genie/blob/master/docs/multiple-cni-plugins/README.md#what-cni-genie-feature-1-multiple-cni-plugins-enables) of the [Kubernetes network model](/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model) in runtime. This includes any implementation that runs as a [CNI plugin](https://github.com/containernetworking/cni#3rd-party-plugins), such as [Flannel](https://github.com/flannel-io/flannel#flannel), [Calico](https://projectcalico.docs.tigera.io/about/about-calico/), [Weave-net](https://www.weave.works/oss/net/).
 
 CNI-Genie also supports [assigning multiple IP addresses to a pod](https://github.com/cni-genie/CNI-Genie/blob/master/docs/multiple-ips/README.md#feature-2-extension-cni-genie-multiple-ip-addresses-per-pod), each from a different CNI plugin.
 -->
-### 华为的 CNI-Genie
+### 华为的 CNI-Genie    {#cni-genie-from-huawei}
 
 [CNI-Genie](https://github.com/cni-genie/CNI-Genie) 是一个 CNI 插件，
 可以让 Kubernetes 在运行时使用不同的[网络模型](#the-kubernetes-network-model)的
 [实现同时被访问](https://github.com/cni-genie/CNI-Genie/blob/master/docs/multiple-cni-plugins/README.md#what-cni-genie-feature-1-multiple-cni-plugins-enables)。
 这包括以
 [CNI 插件](https://github.com/containernetworking/cni#3rd-party-plugins)运行的任何实现，比如
-[Flannel](https://github.com/coreos/flannel#flannel)、
+[Flannel](https://github.com/flannel-io/flannel#flannel)、
 [Calico](https://projectcalico.docs.tigera.io/about/about-calico/)、
 [Weave-net](https://www.weave.works/oss/net/)。
 
@@ -240,13 +246,11 @@ Kubernetes, using the [fd.io](https://fd.io/) data plane.
 ### Contiv-VPP
 [Contiv-VPP](https://contivpp.io/) 是用于 Kubernetes 的用户空间、面向性能的网络插件，使用 [fd.io](https://fd.io/) 数据平面。
 
-<!--
-### Contrail/Tungsten Fabric
+### Contrail / Tungsten Fabric
 
+<!--
 [Contrail](https://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/), based on [Tungsten Fabric](https://tungsten.io), is a truly open, multi-cloud network virtualization and policy management platform. Contrail and Tungsten Fabric are integrated with various orchestration systems such as Kubernetes, OpenShift, OpenStack and Mesos, and provide different isolation modes for virtual machines, containers/pods and bare metal workloads.
 -->
-### Contrail/Tungsten Fabric
-
 [Contrail](https://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/)
 是基于 [Tungsten Fabric](https://tungsten.io) 的，真正开放的多云网络虚拟化和策略管理平台。
 Contrail 和 Tungsten Fabric 与各种编排系统集成在一起，例如 Kubernetes、OpenShift、OpenStack 和 Mesos，
@@ -271,7 +275,7 @@ With this toolset DANM is able to provide multiple separated network interfaces,
 它由以下几个组件构成：
 
 * 能够配置具有高级功能的 IPVLAN 接口的 CNI 插件
-* 一个内置的 IPAM 模块，能够管理多个、群集内的、不连续的 L3 网络，并按请求提供动态、静态或无 IP 分配方案
+* 一个内置的 IPAM 模块，能够管理多个、集群内的、不连续的 L3 网络，并按请求提供动态、静态或无 IP 分配方案
 * CNI 元插件能够通过自己的 CNI 或通过将任务授权给其他任何流行的 CNI 解决方案（例如 SRI-OV 或 Flannel）来实现将多个网络接口连接到容器
 * Kubernetes 控制器能够集中管理所有 Kubernetes 主机的 VxLAN 和 VLAN 接口
 * 另一个 Kubernetes 控制器扩展了 Kubernetes 的基于服务的服务发现概念，以在 Pod 的所有网络接口上工作
@@ -298,7 +302,7 @@ Kubernetes 所需要的覆盖网络。已经有许多人报告了使用 Flannel
 ### Hybridnet
 
 [Hybridnet](https://github.com/alibaba/hybridnet) 是一个为混合云设计的开源 CNI 插件，
-它为一个或多个集群中的容器提供覆盖和底层网络。 Overlay 和 underlay 容器可以在同一个节点上运行，
+它为一个或多个集群中的容器提供覆盖和底层网络。Overlay 和 underlay 容器可以在同一个节点上运行，
 并具有集群范围的双向网络连接。
 
 <!--
@@ -339,7 +343,7 @@ Jaguar 使用 vxlan 提供覆盖网络，而 Jaguar CNIPlugin 为每个 Pod 提
 ### Kube-OVN
 
 [Kube-OVN](https://github.com/alauda/kube-ovn) 是一个基于 OVN 的用于企业的 Kubernetes 网络架构。
-借助于 OVN/OVS ，它提供了一些高级覆盖网络功能，例如子网、QoS、静态 IP 分配、流量镜像、网关、
+借助于 OVN/OVS，它提供了一些高级覆盖网络功能，例如子网、QoS、静态 IP 分配、流量镜像、网关、
 基于 openflow 的网络策略和服务代理。
 
 <!--
@@ -350,7 +354,7 @@ Jaguar 使用 vxlan 提供覆盖网络，而 Jaguar CNIPlugin 为每个 Pod 提
 ### Kube-router
 
 [Kube-router](https://github.com/cloudnativelabs/kube-router) 是 Kubernetes 的专用网络解决方案，
-旨在提供高性能和易操作性。 
+旨在提供高性能和易操作性。
 Kube-router 提供了一个基于 Linux [LVS/IPVS](https://www.linuxvirtualserver.org/software/ipvs.html)
 的服务代理、一个基于 Linux 内核转发的无覆盖 Pod-to-Pod 网络解决方案和基于 iptables/ipset 的网络策略执行器。
 
@@ -363,17 +367,17 @@ Note that these instructions have only been tried very casually - it seems to
 work, but has not been thoroughly tested.  If you use this technique and
 perfect the process, please let us know.
 
-Follow the "With Linux Bridge devices" section of [this very nice
-tutorial](https://blog.oddbit.com/2014/08/11/four-ways-to-connect-a-docker/) from
+Follow the "With Linux Bridge devices" section of
+[this very nice tutorial](https://blog.oddbit.com/2014/08/11/four-ways-to-connect-a-docker/) from
 Lars Kellogg-Stedman.
 -->
 ### L2 networks and linux bridging
 
-如果你具有一个“哑”的L2网络，例如“裸机”环境中的简单交换机，则应该能够执行与上述 GCE 设置类似的操作。
+如果你具有一个“哑”的 L2 网络，例如“裸机”环境中的简单交换机，则应该能够执行与上述 GCE 设置类似的操作。
 请注意，这些说明仅是非常简单的尝试过-似乎可行，但尚未经过全面测试。
-如果您使用此技术并完善了流程，请告诉我们。
+如果你使用此技术并完善了流程，请告诉我们。
 
-根据 Lars Kellogg-Stedman 的这份非常不错的“Linux 网桥设备”
+根据 Lars Kellogg-Stedman 的这份非常不错的 “Linux 网桥设备”
 [使用说明](https://blog.oddbit.com/2014/08/11/four-ways-to-connect-a-docker/)来进行操作。
 
 <!--
@@ -397,12 +401,24 @@ Multus 支持所有[参考插件](https://github.com/containernetworking/plugins
 [Weave](https://github.com/weaveworks/weave)、
 [Cilium](https://github.com/cilium/cilium)、
 [Contiv](https://github.com/contiv/netplugin)）。
-除此之外， Multus 还支持
+除此之外，Multus 还支持
 [SRIOV](https://github.com/hustcat/sriov-cni)、
 [DPDK](https://github.com/Intel-Corp/sriov-cni)、
 [OVS-DPDK & VPP](https://github.com/intel/vhost-user-net-plugin) 的工作负载，
 以及 Kubernetes 中基于云的本机应用程序和基于 NFV 的应用程序。
 
+<!--
+### OVN4NFV-K8s-Plugin (OVN based CNI controller & plugin)
+
+[OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) is OVN based CNI controller plugin to provide cloud native based Service function chaining(SFC), Multiple OVN overlay networking, dynamic subnet creation, dynamic creation of virtual networks, VLAN Provider network, Direct provider network and pluggable with other Multi-network plugins, ideal for edge based cloud native workloads in Multi-cluster networking
+-->
+### OVN4NFV-K8s-Plugin（基于 OVN 的 CNI 控制器和插件）    {#ovn4nfv-k8s-plugin-ovn-based-cni-controller-plugin}
+
+[OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) 是基于 OVN 的
+CNI 控制器插件，提供基于云原生的服务功能链 (SFC)、多个 OVN
+覆盖网络、动态子网创建、虚拟网络的动态创建、VLAN Provider 网络、Direct Provider
+网络且可与其他多网络插件组合，非常适合多集群网络中基于边缘的云原生工作负载。
+
 <!--
 ### NSX-T
 
@@ -429,11 +445,12 @@ stateful ACLs, load-balancers etc to build different virtual networking
 topologies.  The project has a specific Kubernetes plugin and documentation
 at [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes).
 -->
-### OVN (开放式虚拟网络)
+### OVN（开放式虚拟网络）    {#ovn-open-virtual-networking}
 
 OVN 是一个由 Open vSwitch 社区开发的开源的网络虚拟化解决方案。
 它允许创建逻辑交换器、逻辑路由、状态 ACL、负载均衡等等来建立不同的虚拟网络拓扑。
-该项目有一个特定的Kubernetes插件和文档 [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)。
+该项目在 [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)
+提供特定的 Kubernetes 插件和文档。
 
 <!--
 ### Weave Net from Weaveworks
@@ -444,10 +461,10 @@ Weave Net runs as a [CNI plug-in](https://www.weave.works/docs/net/latest/cni-pl
 or stand-alone.  In either version, it doesn't require any configuration or extra code
 to run, and in both cases, the network provides one IP address per pod - as is standard for Kubernetes.
 -->
-### Weaveworks 的 Weave Net
+### Weaveworks 的 Weave Net    {#weave-net-from-weaveworks}
 
-[Weave Net](https://www.weave.works/oss/net/) 是 Kubernetes 及其
-托管应用程序的弹性且易于使用的网络系统。
+[Weave Net](https://www.weave.works/oss/net/) 为 Kubernetes
+及其托管应用提供的、弹性且易用的网络系统。
 Weave Net 可以作为 [CNI 插件](https://www.weave.works/docs/net/latest/cni-plugin/) 运行或者独立运行。
 在这两种运行方式里，都不需要任何配置或额外的代码即可运行，并且在两种情况下，
 网络都为每个 Pod 提供一个 IP 地址 -- 这是 Kubernetes 的标准配置。
@@ -456,9 +473,8 @@ Weave Net 可以作为 [CNI 插件](https://www.weave.works/docs/net/latest/cni-
 
 <!--
 The early design of the networking model and its rationale, and some future
-plans are described in more detail in the [networking design
-document](https://git.k8s.io/community/contributors/design-proposals/network/networking.md).
+plans are described in more detail in the
+[networking design document](https://git.k8s.io/community/contributors/design-proposals/network/networking.md).
 -->
-网络模型的早期设计、运行原理以及未来的一些计划，都在
-[联网设计文档](https://git.k8s.io/community/contributors/design-proposals/network/networking.md)
-里有更详细的描述。
+网络模型的早期设计、运行原理以及未来的一些计划，
+都在[联网设计文档](https://git.k8s.io/community/contributors/design-proposals/network/networking.md)里有更详细的描述。
diff --git a/content/zh/docs/concepts/cluster-administration/proxies.md b/content/zh-cn/docs/concepts/cluster-administration/proxies.md
similarity index 91%
rename from content/zh/docs/concepts/cluster-administration/proxies.md
rename to content/zh-cn/docs/concepts/cluster-administration/proxies.md
index be933ccc9cd3b..350295c4f9eff 100644
--- a/content/zh/docs/concepts/cluster-administration/proxies.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/proxies.md
@@ -36,7 +36,7 @@ There are several different proxies you may encounter when using Kubernetes:
     - locates apiserver
     - adds authentication headers
 -->
-1. [kubectl proxy](/zh/docs/tasks/access-application-cluster/access-cluster/#directly-accessing-the-rest-api)：
+1. [kubectl proxy](/zh-cn/docs/tasks/access-application-cluster/access-cluster/#directly-accessing-the-rest-api)：
 
     - 运行在用户的桌面或 pod 中
     - 从本机地址到 Kubernetes apiserver 的代理
@@ -56,10 +56,10 @@ There are several different proxies you may encounter when using Kubernetes:
     - can be used to reach a Node, Pod, or Service
     - does load balancing when used to reach a Service
 -->
-2. [apiserver proxy](/zh/docs/tasks/access-application-cluster/access-cluster/#discovering-builtin-services)：
+2. [apiserver proxy](/zh-cn/docs/tasks/access-application-cluster/access-cluster/#discovering-builtin-services)：
 
     - 是一个建立在 apiserver 内部的“堡垒”
-    - 将集群外部的用户与群集 IP 相连接，这些IP是无法通过其他方式访问的
+    - 将集群外部的用户与集群 IP 相连接，这些IP是无法通过其他方式访问的
     - 运行在 apiserver 进程内
     - 客户端到代理使用 HTTPS 协议 (如果配置 apiserver 使用 HTTP 协议，则使用 HTTP 协议)
     - 通过可用信息进行选择，代理到目的地可能使用 HTTP 或 HTTPS 协议
@@ -75,7 +75,7 @@ There are several different proxies you may encounter when using Kubernetes:
     - provides load balancing
     - is only used to reach services
 -->
-3. [kube proxy](/zh/docs/concepts/services-networking/service/#ips-and-vips)：
+3. [kube proxy](/zh-cn/docs/concepts/services-networking/service/#ips-and-vips)：
 
     - 在每个节点上运行
     - 代理 UDP、TCP 和 SCTP
diff --git a/content/zh/docs/concepts/cluster-administration/system-logs.md b/content/zh-cn/docs/concepts/cluster-administration/system-logs.md
similarity index 76%
rename from content/zh/docs/concepts/cluster-administration/system-logs.md
rename to content/zh-cn/docs/concepts/cluster-administration/system-logs.md
index 8548c82310185..2365e3bd23d6a 100644
--- a/content/zh/docs/concepts/cluster-administration/system-logs.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/system-logs.md
@@ -38,7 +38,7 @@ klog 是 Kubernetes 的日志库。
 [klog](https://github.com/kubernetes/klog) 
 为 Kubernetes 系统组件生成日志消息。
 
-有关 klog 配置的更多信息，请参见[命令行工具参考](/zh/docs/reference/command-line-tools-reference/)。
+有关 klog 配置的更多信息，请参见[命令行工具参考](/zh-cn/docs/reference/command-line-tools-reference/)。
 
 <!--
 Kubernetes is in the process of simplifying logging in its components. The
@@ -192,6 +192,82 @@ I1025 00:15:15.525108       1 example.go:116] "Example" data="This is text with
 second line.}
 ```
 
+<!-- 
+### Contextual Logging 
+-->
+### 上下文日志
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+<!-- 
+Contextual logging builds on top of structured logging. It is primarily about
+how developers use logging calls: code based on that concept is more flexible
+and supports additional use cases as described in the [Contextual Logging
+KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/3077-contextual-logging). 
+-->
+上下文日志建立在结构化日志之上。
+它主要是关于开发人员如何使用日志记录调用：基于该概念的代码将更加灵活，
+并且支持在[结构化日志 KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/3077-contextual-logging) 
+中描述的额外用例。
+
+<!-- 
+If developers use additional functions like `WithValues` or `WithName` in
+their components, then log entries contain additional information that gets
+passed into functions by their caller. 
+-->
+如果开发人员在他们的组件中使用额外的函数，比如 `WithValues` 或 `WithName`，
+那么日志条目将会包含额外的信息，这些信息会被调用者传递给函数。
+
+<!-- 
+Currently this is gated behind the `StructuredLogging` feature gate and
+disabled by default. The infrastructure for this was added in 1.24 without
+modifying components. The
+[`component-base/logs/example`](https://github.com/kubernetes/kubernetes/blob/v1.24.0-beta.0/staging/src/k8s.io/component-base/logs/example/cmd/logger.go)
+command demonstrates how to use the new logging calls and how a component
+behaves that supports contextual logging. 
+-->
+目前这一特性是由 `StructuredLogging` 特性门控所控制的，默认关闭。
+这个基础设施是在 1.24 中被添加的，并不需要修改组件。
+该 [`component-base/logs/example`](https://github.com/kubernetes/kubernetes/blob/v1.24.0-beta.0/staging/src/k8s.io/component-base/logs/example/cmd/logger.go)
+命令演示了如何使用新的日志记录调用以及组件如何支持上下文日志记录。
+
+```console
+$ cd $GOPATH/src/k8s.io/kubernetes/staging/src/k8s.io/component-base/logs/example/cmd/
+$ go run . --help
+...
+      --feature-gates mapStringBool  A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+                                     AllAlpha=true|false (ALPHA - default=false)
+                                     AllBeta=true|false (BETA - default=false)
+                                     ContextualLogging=true|false (ALPHA - default=false)
+$ go run . --feature-gates ContextualLogging=true
+...
+I0404 18:00:02.916429  451895 logger.go:94] "example/myname: runtime" foo="bar" duration="1m0s"
+I0404 18:00:02.916447  451895 logger.go:95] "example: another runtime" foo="bar" duration="1m0s"
+```
+
+<!-- 
+The `example` prefix and `foo="bar"` were added by the caller of the function
+which logs the `runtime` message and `duration="1m0s"` value, without having to
+modify that function.
+
+With contextual logging disable, `WithValues` and `WithName` do nothing and log
+calls go through the global klog logger. Therefore this additional information
+is not in the log output anymore: 
+-->
+`example` 前缀和 `foo="bar"` 会被函数的调用者添加上，
+不需修改该函数，它就会记录 `runtime` 消息和 `duration="1m0s"` 值。
+
+禁用上下文日志后，`WithValues` 和 `WithName` 什么都不会做，
+并且会通过调用全局的 klog 日志记录器记录日志。
+因此，这些附加信息不再出现在日志输出中：
+
+```console
+$ go run . --feature-gates ContextualLogging=false
+...
+I0404 18:03:31.171945  452150 logger.go:94] "runtime" duration="1m0s"
+I0404 18:03:31.171962  452150 logger.go:95] "another runtime" duration="1m0s"
+```
+
 <!--
 ### JSON log format
 -->
@@ -208,7 +284,7 @@ Not all logs are guaranteed to be written in JSON format (for example, during pr
 Field names and JSON serialization are subject to change.
 -->
 JSON 输出并不支持太多标准 klog 参数。对于不受支持的 klog 参数的列表，
-请参见[命令行工具参考](/zh/docs/reference/command-line-tools-reference/)。
+请参见[命令行工具参考](/zh-cn/docs/reference/command-line-tools-reference/)。
 
 并不是所有日志都保证写成 JSON 格式（例如，在进程启动期间）。
 如果你打算解析日志，请确保可以处理非 JSON 格式的日志行。
@@ -258,45 +334,6 @@ List of components currently supporting JSON format:
 * {{< glossary_tooltip term_id="kube-scheduler" text="kube-scheduler" >}}
 * {{< glossary_tooltip term_id="kubelet" text="kubelet" >}}
 
-<!--
-### Log sanitization
--->
-### 日志清洗    {#log-sanitization}
-
-{{< feature-state for_k8s_version="v1.20" state="alpha" >}}
-
-{{<warning >}}
-<!--
-Log sanitization might incur significant computation overhead and therefore should not be enabled in production.
--->
-日志清洗（Log Sanitization）可能会导致大量的计算开销，因此不应在生产环境中启用。
-{{< /warning >}}
-
-<!--
-The `--experimental-logging-sanitization` flag enables the klog sanitization filter.
-If enabled all log arguments are inspected for fields tagged as sensitive data (e.g. passwords, keys, tokens) and logging of these fields will be prevented.
--->
-`--experimental-logging-sanitization` 参数可用来启用 klog 清洗过滤器。
-如果启用后，将检查所有日志参数中是否有标记为敏感数据的字段（比如：密码，密钥，令牌），
-并且将阻止这些字段的记录。
-
-<!--
-List of components currently supporting log sanitization:
--->
-当前支持日志清洗的组件列表：
-
-* kube-controller-manager
-* kube-apiserver
-* kube-scheduler
-* kubelet
-
-{{< note >}}
-<!--
-The Log sanitization filter does not prevent user workload logs from leaking sensitive data.
--->
-日志清洗过滤器不会阻止用户工作负载日志泄漏敏感数据。
-{{< /note >}}
-
 <!--
 ### Log verbosity level
 
@@ -347,11 +384,13 @@ The `logrotate` tool rotates logs daily, or once the log size is greater than 10
 <!--
 * Read about the [Kubernetes Logging Architecture](/docs/concepts/cluster-administration/logging/)
 * Read about [Structured Logging](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1602-structured-logging)
+* Read about [Contextual Logging](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/3077-contextual-logging)
 * Read about [deprecation of klog flags](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
 * Read about the [Conventions for logging severity](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md)
 -->
-* 阅读 [Kubernetes 日志架构](/zh/docs/concepts/cluster-administration/logging/)
+* 阅读 [Kubernetes 日志架构](/zh-cn/docs/concepts/cluster-administration/logging/)
 * 阅读[结构化日志提案（英文）](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1602-structured-logging)
+* 阅读[上下文日志提案（英文）](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/3077-contextual-logging)
 * 阅读 [klog 参数的废弃（英文）](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
 * 阅读[日志严重级别约定（英文）](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md)
 
diff --git a/content/zh/docs/concepts/cluster-administration/system-metrics.md b/content/zh-cn/docs/concepts/cluster-administration/system-metrics.md
similarity index 98%
rename from content/zh/docs/concepts/cluster-administration/system-metrics.md
rename to content/zh-cn/docs/concepts/cluster-administration/system-metrics.md
index f054161998397..2f971177fedf5 100644
--- a/content/zh/docs/concepts/cluster-administration/system-metrics.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/system-metrics.md
@@ -204,7 +204,7 @@ kubelet 在驱动程序上保持打开状态。这意味着为了执行基础结
 现在，收集加速器指标的责任属于供应商，而不是 kubelet。供应商必须提供一个收集指标的容器，
 并将其公开给指标服务（例如 Prometheus）。
 
-[`DisableAcceleratorUsageMetrics` 特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[`DisableAcceleratorUsageMetrics` 特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 禁止由 kubelet 收集的指标。
 关于[何时会在默认情况下启用此功能也有一定规划](https://github.com/kubernetes/enhancements/tree/411e51027db842355bd489691af897afc1a41a5e/keps/sig-node/1867-disable-accelerator-usage-metrics#graduation-criteria)。
 
@@ -271,7 +271,7 @@ The kube-scheduler identifies the resource [requests and limits](/docs/concepts/
 - the unit of the resource if known (for example, `cores`)
 -->
 kube-scheduler 组件能够辩识各个 Pod 所配置的资源
-[请求和约束](/zh/docs/concepts/configuration/manage-resources-containers/)。
+[请求和约束](/zh-cn/docs/concepts/configuration/manage-resources-containers/)。
 在 Pod 的资源请求值或者约束值非零时，kube-scheduler 会以度量值时间序列的形式
 生成报告。该时间序列值包含以下标签：
 - 名字空间
@@ -341,4 +341,4 @@ Here is an example:
 * Read about the [Kubernetes deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-a-feature-or-behavior)
 -->
 * 阅读有关指标的 [Prometheus 文本格式](https://github.com/prometheus/docs/blob/master/content/docs/instrumenting/exposition_formats.md#text-based-format)
-* 阅读有关 [Kubernetes 弃用策略](/zh/docs/reference/using-api/deprecation-policy/#deprecating-a-feature-or-behavior)
+* 阅读有关 [Kubernetes 弃用策略](/zh-cn/docs/reference/using-api/deprecation-policy/#deprecating-a-feature-or-behavior)
diff --git a/content/zh/docs/concepts/cluster-administration/system-traces.md b/content/zh-cn/docs/concepts/cluster-administration/system-traces.md
similarity index 96%
rename from content/zh/docs/concepts/cluster-administration/system-traces.md
rename to content/zh-cn/docs/concepts/cluster-administration/system-traces.md
index 71ede2f3e77b7..2a3860a361454 100644
--- a/content/zh/docs/concepts/cluster-administration/system-traces.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/system-traces.md
@@ -114,7 +114,7 @@ with `--tracing-config-file=<path-to-config>`. This is an example config that re
 spans for 1 in 10000 requests, and uses the default OpenTelemetry endpoint:
 -->
 要启用追踪特性，需要启用 kube-apiserver 上的  `APIServerTracing`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 然后，使用 `--tracing-config-file=<<配置文件路径>` 为 kube-apiserver 提供追踪配置文件。
 下面是一个示例配置，它为万分之一的请求记录 spans，并使用了默认的 OpenTelemetry 端口。
 
@@ -132,7 +132,7 @@ For more information about the `TracingConfiguration` struct, see
 -->
 
 有关 TracingConfiguration 结构体的更多信息，请参阅 
-[API 服务器配置 API (v1alpha1)](/zh/docs/reference/config-api/apiserver-config.v1alpha1/#apiserver-k8s-io-v1alpha1-TracingConfiguration)。
+[API 服务器配置 API (v1alpha1)](/zh-cn/docs/reference/config-api/apiserver-config.v1alpha1/#apiserver-k8s-io-v1alpha1-TracingConfiguration)。
 
 <!-- 
 ## Stability
diff --git a/content/zh/docs/concepts/configuration/_index.md b/content/zh-cn/docs/concepts/configuration/_index.md
similarity index 100%
rename from content/zh/docs/concepts/configuration/_index.md
rename to content/zh-cn/docs/concepts/configuration/_index.md
diff --git a/content/zh/docs/concepts/configuration/configmap.md b/content/zh-cn/docs/concepts/configuration/configmap.md
similarity index 96%
rename from content/zh/docs/concepts/configuration/configmap.md
rename to content/zh-cn/docs/concepts/configuration/configmap.md
index a710e08dd16ef..dc6dbf992004c 100644
--- a/content/zh/docs/concepts/configuration/configmap.md
+++ b/content/zh-cn/docs/concepts/configuration/configmap.md
@@ -73,7 +73,7 @@ The name of a ConfigMap must be a valid
 -->
 ## ConfigMap 对象
 
-ConfigMap 是一个 API [对象](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/)，
+ConfigMap 是一个 API [对象](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/)，
 让你可以存储其他对象所需要使用的配置。
 和其他 Kubernetes 对象都有一个 `spec` 不同的是，ConfigMap 使用 `data` 和
 `binaryData` 字段。这些字段能够接收键-值对作为其取值。`data` 和 `binaryData`
@@ -81,7 +81,7 @@ ConfigMap 是一个 API [对象](/zh/docs/concepts/overview/working-with-objects
 则被设计用来保存二进制数据作为 base64 编码的字串。
 
 ConfigMap 的名字必须是一个合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 Each key under the `data` or the `binaryData` field must consist of
@@ -367,7 +367,7 @@ the [KubeletConfiguration struct](/docs/reference/config-api/kubelet-config.v1be
 kubelet 组件会在每次周期性同步时检查所挂载的 ConfigMap 是否为最新。
 不过，kubelet 使用的是其本地的高速缓存来获得 ConfigMap 的当前值。
 高速缓存的类型可以通过
-[KubeletConfiguration 结构](/zh/docs/reference/config-api/kubelet-config.v1beta1/).
+[KubeletConfiguration 结构](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/).
 的 `ConfigMapAndSecretChangeDetectionStrategy` 字段来配置。
 
 <!--
@@ -395,7 +395,7 @@ ConfigMaps consumed as environment variables are not updated automatically and r
 A container using a ConfigMap as a [subPath](/docs/concepts/storage/volumes#using-subpath) volume mount will not receive ConfigMap updates.
 -->
 {{< note >}}
-使用 ConfigMap 作为 [subPath](/zh/docs/concepts/storage/volumes#using-subpath) 卷挂载的容器将不会收到 ConfigMap 的更新。
+使用 ConfigMap 作为 [subPath](/zh-cn/docs/concepts/storage/volumes#using-subpath) 卷挂载的容器将不会收到 ConfigMap 的更新。
 {{< /note >}}
 
 <!--
@@ -432,7 +432,7 @@ You can create an immutable ConfigMap by setting the `immutable` field to `true`
 For example:
 -->
 此功能特性由 `ImmutableEphemeralVolumes`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)来控制。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)来控制。
 你可以通过将 `immutable` 字段设置为 `true` 创建不可变更的 ConfigMap。
 例如：
 
@@ -465,7 +465,7 @@ to the deleted ConfigMap, it is recommended to recreate these pods.
 * Read [The Twelve-Factor App](https://12factor.net/) to understand the motivation for
   separating code from configuration.
 -->
-* 阅读 [Secret](/zh/docs/concepts/configuration/secret/)。
-* 阅读[配置 Pod 使用 ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)。
-* 阅读[修改 ConfigMap（或任何其他 Kubernetes 对象）](/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)。
+* 阅读 [Secret](/zh-cn/docs/concepts/configuration/secret/)。
+* 阅读[配置 Pod 使用 ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)。
+* 阅读[修改 ConfigMap（或任何其他 Kubernetes 对象）](/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)。
 * 阅读 [Twelve-Factor 应用](https://12factor.net/zh_cn/)来了解将代码和配置分开的动机。
diff --git a/content/zh/docs/concepts/configuration/manage-resources-containers.md b/content/zh-cn/docs/concepts/configuration/manage-resources-containers.md
similarity index 96%
rename from content/zh/docs/concepts/configuration/manage-resources-containers.md
rename to content/zh-cn/docs/concepts/configuration/manage-resources-containers.md
index 001ab761ef1cd..7c1d37f9fa3e6 100644
--- a/content/zh/docs/concepts/configuration/manage-resources-containers.md
+++ b/content/zh-cn/docs/concepts/configuration/manage-resources-containers.md
@@ -145,8 +145,8 @@ through the Kubernetes API server.
 -->
 CPU 和内存统称为“计算资源”，或简称为“资源”。
 计算资源的数量是可测量的，可以被请求、被分配、被消耗。
-它们与 [API 资源](/zh/docs/concepts/overview/kubernetes-api/) 不同。
-API 资源（如 Pod 和 [Service](/zh/docs/concepts/services-networking/service/)）是可通过
+它们与 [API 资源](/zh-cn/docs/concepts/overview/kubernetes-api/) 不同。
+API 资源（如 Pod 和 [Service](/zh-cn/docs/concepts/services-networking/service/)）是可通过
 Kubernetes API 服务器读取和修改的对象。
 
 <!--
@@ -417,11 +417,11 @@ directly or from your monitoring tools.
 ## 监控计算和内存资源用量
 
 kubelet 会将 Pod 的资源使用情况作为 Pod
-[`status`](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)
+[`status`](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)
 的一部分来报告的。
 
-如果为集群配置了可选的[监控工具](/zh/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)，
-则可以直接从[指标 API](/zh/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/#metrics-api) 
+如果为集群配置了可选的[监控工具](/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)，
+则可以直接从[指标 API](/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/#metrics-api) 
 或者监控工具获得 Pod 的资源使用情况。
 
 <!--
@@ -448,7 +448,7 @@ mount [`emptyDir`](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
 
 Pods 通常可以使用临时性本地存储来实现缓冲区、保存日志等功能。
 kubelet 可以为使用本地临时存储的 Pods 提供这种存储空间，允许后者使用
-[`emptyDir`](/zh/docs/concepts/storage/volumes/#emptydir) 类型的
+[`emptyDir`](/zh-cn/docs/concepts/storage/volumes/#emptydir) 类型的
 {{< glossary_tooltip term_id="volume" text="卷" >}}将其挂载到容器中。
 
 <!--
@@ -465,7 +465,7 @@ of ephemeral local storage a Pod can consume.
 -->
 
 kubelet 也使用此类存储来保存
-[节点层面的容器日志](/zh/docs/concepts/cluster-administration/logging/#logging-at-the-node-level)，
+[节点层面的容器日志](/zh-cn/docs/concepts/cluster-administration/logging/#logging-at-the-node-level)，
 容器镜像文件、以及运行中容器的可写入层。
 
 {{< caution >}}
@@ -502,7 +502,7 @@ Kubernetes 有两种方式支持节点上配置本地临时性存储：
 （kubelet）来保存数据的。
 
 kubelet 也会生成
-[节点层面的容器日志](/zh/docs/concepts/cluster-administration/logging/#logging-at-the-node-level)，
+[节点层面的容器日志](/zh-cn/docs/concepts/cluster-administration/logging/#logging-at-the-node-level)，
 并按临时性本地存储的方式对待之。
 
 <!--
@@ -553,7 +553,7 @@ as you like.
 无关的其他系统日志）；这个文件系统还可以是根文件系统。
 
 kubelet 也将
-[节点层面的容器日志](/zh/docs/concepts/cluster-administration/logging/#logging-at-the-node-level)
+[节点层面的容器日志](/zh-cn/docs/concepts/cluster-administration/logging/#logging-at-the-node-level)
 写入到第一个文件系统中，并按临时性本地存储的方式对待之。
 
 同时你使用另一个由不同逻辑存储设备支持的文件系统。在这种配置下，你会告诉
@@ -587,7 +587,7 @@ than as local ephemeral storage.
 kubelet 能够度量其本地存储的用量。实现度量机制的前提是：
 
 - `LocalStorageCapacityIsolation`
-  [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+  [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
   被启用（默认状态），并且
 - 你已经对节点进行了配置，使之使用所支持的本地临时性储存配置方式之一
 
@@ -688,7 +688,7 @@ The scheduler ensures that the sum of the resource requests of the scheduled con
 当你创建一个 Pod 时，Kubernetes 调度器会为 Pod 选择一个节点来运行之。
 每个节点都有一个本地临时性存储的上限，是其可提供给 Pods 使用的总量。
 欲了解更多信息，可参考
-[节点可分配资源](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+[节点可分配资源](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 节。
 
 调度器会确保所调度的容器的资源请求总和不会超出节点的资源容量。
@@ -873,8 +873,8 @@ If you want to use project quotas, you should:
 
 如果你希望使用项目配额，你需要：
 
-* 在 [kubelet 配置](/zh/docs/reference/config-api/kubelet-config.v1beta1/)中使用 `featureGates` 字段 或者使用 `--feature-gates` 命令行参数
-启用 `LocalStorageCapacityIsolationFSQuotaMonitoring=true` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/) 。
+* 在 [kubelet 配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)中使用 `featureGates` 字段 或者使用 `--feature-gates` 命令行参数
+启用 `LocalStorageCapacityIsolationFSQuotaMonitoring=true` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/) 。
 
 * 确保根文件系统（或者可选的运行时文件系统）启用了项目配额。所有 XFS
   文件系统都支持项目配额。
@@ -933,7 +933,7 @@ for how to advertise device plugin managed resources on each node.
 ##### 设备插件管理的资源   {#device-plugin-managed-resources}
 
 有关如何颁布在各节点上由设备插件所管理的资源，请参阅
-[设备插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)。
+[设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)。
 
 <!--
 ##### Other resources
@@ -1011,7 +1011,7 @@ in [scheduler policy configuration](/docs/reference/config-api/kube-scheduler-co
 集群层面的扩展资源并不绑定到具体节点。
 它们通常由调度器扩展程序（Scheduler Extenders）管理，这些程序处理资源消耗和资源配额。
 
-你可以在[调度器策略配置](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+你可以在[调度器策略配置](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 中指定由调度器扩展程序处理的扩展资源。
 
 <!--
@@ -1139,7 +1139,7 @@ to limit the number of PIDs that a given Pod can consume. See
 ## PID 限制   {#pid-limiting}
 
 进程 ID（PID）限制允许对 kubelet 进行配置，以限制给定 Pod 可以消耗的 PID 数量。
-有关信息，请参见 [PID 限制](/zh/docs/concepts/policy/pid-limiting/)。
+有关信息，请参见 [PID 限制](/zh-cn/docs/concepts/policy/pid-limiting/)。
 
 <!--
 ## Troubleshooting
@@ -1264,7 +1264,7 @@ For more information on node allocatable resources in Kubernetes, see
 -->
 字段 `.status.allocatable` 描述节点上可以用于 Pod 的资源总量（例如：15 个虚拟
 CPU、7538 MiB 内存）。关于 Kubernetes 中节点可分配资源的信息，可参阅
-[为系统守护进程预留计算资源](/zh/docs/tasks/administer-cluster/reserve-compute-resources/)。
+[为系统守护进程预留计算资源](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/)。
 
 <!--
 You can configure [resource quotas](/docs/concepts/policy/resource-quotas/)
@@ -1279,7 +1279,7 @@ You should also consider what access you grant to that namespace:
 **full** write access to a namespace allows someone with that access to remove any
 resource, include a configured ResourceQuota.
 -->
-你可以配置[资源配额](/zh/docs/concepts/policy/resource-quotas/)功能特性以限制每个名字空间可以使用的资源总量。
+你可以配置[资源配额](/zh-cn/docs/concepts/policy/resource-quotas/)功能特性以限制每个名字空间可以使用的资源总量。
 当某名字空间中存在 ResourceQuota 时，Kubernetes 会在该名字空间中的对象强制实施配额。
 例如，如果你为不同的团队分配名字空间，你可以为这些名字空间添加 ResourceQuota。
 设置资源配额有助于防止一个团队占用太多资源，以至于这种占用会影响其他团队。
@@ -1375,10 +1375,10 @@ memory limit (and possibly request) for that container.
 * Read about [project quotas](https://xfs.org/docs/xfsdocs-xml-dev/XFS_User_Guide/tmp/en-US/html/xfs-quotas.html) in XFS
 * Read more about the [kube-scheduler configuration reference (v1beta3)](/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 -->
-* 获取[分配内存资源给容器和 Pod ](/zh/docs/tasks/configure-pod-container/assign-memory-resource/) 的实践经验
-* 获取[分配 CPU 资源给容器和 Pod ](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/) 的实践经验
+* 获取[分配内存资源给容器和 Pod ](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/) 的实践经验
+* 获取[分配 CPU 资源给容器和 Pod ](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/) 的实践经验
 * 阅读 API 参考中 [Container](/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
   和其[资源请求](/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)定义。
 * 阅读 XFS 中[配额](https://xfs.org/docs/xfsdocs-xml-dev/XFS_User_Guide/tmp/en-US/html/xfs-quotas.html)的文档
-* 进一步阅读 [kube-scheduler 配置参考 (v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+* 进一步阅读 [kube-scheduler 配置参考 (v1beta3)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 
diff --git a/content/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig.md b/content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
similarity index 90%
rename from content/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
rename to content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
index 9ce91ed7ce4b6..c46b91d3c7b7d 100644
--- a/content/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
+++ b/content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
@@ -17,7 +17,8 @@ authentication mechanisms. The `kubectl` command-line tool uses kubeconfig files
 find the information it needs to choose a cluster and communicate with the API server
 of a cluster.
 -->
-使用 kubeconfig 文件来组织有关集群、用户、命名空间和身份认证机制的信息。`kubectl` 命令行工具使用 kubeconfig 文件来查找选择集群所需的信息，并与集群的 API 服务器进行通信。
+使用 kubeconfig 文件来组织有关集群、用户、命名空间和身份认证机制的信息。
+`kubectl` 命令行工具使用 kubeconfig 文件来查找选择集群所需的信息，并与集群的 API 服务器进行通信。
 
 <!--
 {{< note >}}
@@ -27,7 +28,8 @@ It does not mean that there is a file named `kubeconfig`.
 {{< /note >}}
 -->
 {{< note >}}
-用于配置集群访问的文件称为 *kubeconfig 文件*。这是引用配置文件的通用方法。这并不意味着有一个名为 `kubeconfig` 的文件
+用于配置集群访问的文件称为“kubeconfig 文件”。
+这是引用配置文件的通用方法，并不意味着有一个名为 `kubeconfig` 的文件
 {{< /note >}}
 
 <!--
@@ -48,7 +50,7 @@ variable or by setting the
 [`-kubeconfig`](/docs/reference/generated/kubectl/kubectl/) flag.
 -->
 默认情况下，`kubectl` 在 `$HOME/.kube` 目录下查找名为 `config` 的文件。
-您可以通过设置 `KUBECONFIG` 环境变量或者设置
+你可以通过设置 `KUBECONFIG` 环境变量或者设置
 [`--kubeconfig`](/docs/reference/generated/kubectl/kubectl/)参数来指定其他 kubeconfig 文件。
 
 <!--
@@ -56,7 +58,7 @@ For step-by-step instructions on creating and specifying kubeconfig files, see
 [Configure Access to Multiple Clusters](/docs/tasks/access-application-cluster/configure-access-multiple-clusters).
 -->
 有关创建和指定 kubeconfig 文件的分步说明，请参阅
-[配置对多集群的访问](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters)。
+[配置对多集群的访问](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters)。
 
 <!-- body -->
 
@@ -69,7 +71,7 @@ For step-by-step instructions on creating and specifying kubeconfig files, see
 Suppose you have several clusters, and your users and components authenticate
 in a variety of ways. For example:
 -->
-假设您有多个集群，并且您的用户和组件以多种方式进行身份认证。比如：
+假设你有多个集群，并且你的用户和组件以多种方式进行身份认证。比如：
 
 <!--
 - A running kubelet might authenticate using certificates.
@@ -85,7 +87,7 @@ With kubeconfig files, you can organize your clusters, users, and namespaces.
 You can also define contexts to quickly and easily switch between
 clusters and namespaces.
 -->
-使用 kubeconfig 文件，您可以组织集群、用户和命名空间。您还可以定义上下文，以便在集群和命名空间之间快速轻松地切换。
+使用 kubeconfig 文件，你可以组织集群、用户和命名空间。你还可以定义上下文，以便在集群和命名空间之间快速轻松地切换。
 
 <!--
 ## Context
@@ -98,7 +100,9 @@ under a convenient name. Each context has three parameters: cluster, namespace,
 By default, the `kubectl` command-line tool uses parameters from
 the *current context* to communicate with the cluster.
 -->
-通过 kubeconfig 文件中的 *context* 元素，使用简便的名称来对访问参数进行分组。每个上下文都有三个参数：cluster、namespace 和 user。默认情况下，`kubectl` 命令行工具使用 *当前上下文* 中的参数与集群进行通信。
+通过 kubeconfig 文件中的 *context* 元素，使用简便的名称来对访问参数进行分组。
+每个 context 都有三个参数：cluster、namespace 和 user。
+默认情况下，`kubectl` 命令行工具使用 **当前上下文** 中的参数与集群进行通信。
 
 <!--
 To choose the current context:
@@ -189,7 +193,7 @@ Here are the rules that `kubectl` uses when it merges kubeconfig files:
    [Setting the KUBECONFIG environment variable](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable).
 -->
    有关设置 `KUBECONFIG` 环境变量的示例，请参阅
-   [设置 KUBECONFIG 环境变量](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)。
+   [设置 KUBECONFIG 环境变量](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)。
 
 <!--
    Otherwise, use the default kubeconfig file, `$HOME/.kube/config`, with no merging.
@@ -315,5 +319,5 @@ contexts:
 * [Configure Access to Multiple Clusters](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 * [`kubectl config`](/docs/reference/generated/kubectl/kubectl-commands#config)
 --->
-* [配置对多集群的访问](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
+* [配置对多集群的访问](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 * [`kubectl config`](/docs/reference/generated/kubectl/kubectl-commands#config)
diff --git a/content/zh/docs/concepts/configuration/overview.md b/content/zh-cn/docs/concepts/configuration/overview.md
similarity index 87%
rename from content/zh/docs/concepts/configuration/overview.md
rename to content/zh-cn/docs/concepts/configuration/overview.md
index 01314daf3439a..b0d9c2a033040 100644
--- a/content/zh/docs/concepts/configuration/overview.md
+++ b/content/zh-cn/docs/concepts/configuration/overview.md
@@ -77,8 +77,8 @@ This is a living document. If you think of something that is not on this list bu
 - Don't use naked Pods (that is, Pods not bound to a [ReplicaSet](/docs/concepts/workloads/controllers/replicaset/) or [Deployment](/docs/concepts/workloads/controllers/deployment/)) if you can avoid it. Naked Pods will not be rescheduled in the event of a node failure.
 -->
 - 如果可能，不要使用独立的 Pods（即，未绑定到
-[ReplicaSet](/zh/docs/concepts/workloads/controllers/replicaset/) 或
-[Deployment](/zh/docs/concepts/workloads/controllers/deployment/) 的 Pod）。
+[ReplicaSet](/zh-cn/docs/concepts/workloads/controllers/replicaset/) 或
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/) 的 Pod）。
  如果节点发生故障，将不会重新调度独立的 Pods。
 
 <!--
@@ -86,9 +86,9 @@ This is a living document. If you think of something that is not on this list bu
 -->
 
 Deployment 既可以创建一个 ReplicaSet 来确保预期个数的 Pod 始终可用，也可以指定替换 Pod 的策略（例如
-[RollingUpdate](/zh/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment)）。
-除了一些显式的 [`restartPolicy: Never`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
-场景外，Deployment 通常比直接创建 Pod 要好得多。[Job](/zh/docs/concepts/workloads/controllers/job/) 也可能是合适的选择。
+[RollingUpdate](/zh-cn/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment)）。
+除了一些显式的 [`restartPolicy: Never`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
+场景外，Deployment 通常比直接创建 Pod 要好得多。[Job](/zh-cn/docs/concepts/workloads/controllers/job/) 也可能是合适的选择。
 
 <!--
 ## Services
@@ -99,7 +99,7 @@ Deployment 既可以创建一个 ReplicaSet 来确保预期个数的 Pod 始终
 - Create a [Service](/docs/concepts/services-networking/service/) before its corresponding backend workloads (Deployments or ReplicaSets), and before any workloads that need to access it. When Kubernetes starts a container, it provides environment variables pointing to all the Services which were running when the container was started. For example, if a Service named `foo` exists, all containers will get the following variables in their initial environment:
 -->
 - 在创建相应的后端工作负载（Deployment 或 ReplicaSet），以及在需要访问它的任何工作负载之前创建
-  [服务](/zh/docs/concepts/services-networking/service/)。
+  [服务](/zh-cn/docs/concepts/services-networking/service/)。
   当 Kubernetes 启动容器时，它提供指向启动容器时正在运行的所有服务的环境变量。
   例如，如果存在名为 `foo` 的服务，则所有容器将在其初始环境中获得以下变量。
 
@@ -118,7 +118,7 @@ Deployment 既可以创建一个 ReplicaSet 来确保预期个数的 Pod 始终
 - An optional (though strongly recommended) [cluster add-on](/docs/concepts/cluster-administration/addons/) is a DNS server.  The
 DNS server watches the Kubernetes API for new `Services` and creates a set of DNS records for each.  If DNS has been enabled throughout the cluster then all `Pods` should be able to do name resolution of `Services` automatically.
 -->
-- 一个可选（尽管强烈推荐）的[集群插件](/zh/docs/concepts/cluster-administration/addons/)
+- 一个可选（尽管强烈推荐）的[集群插件](/zh-cn/docs/concepts/cluster-administration/addons/)
   是 DNS 服务器。DNS 服务器为新的 `Services` 监视 Kubernetes API，并为每个创建一组 DNS 记录。
   如果在整个集群中启用了 DNS，则所有 `Pods` 应该能够自动对 `Services` 进行名称解析。
 
@@ -135,14 +135,14 @@ DNS server watches the Kubernetes API for new `Services` and creates a set of DN
   If you only need access to the port for debugging purposes, you can use the [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls) or [`kubectl port-forward`](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/).
 -->
   如果你只需要访问端口以进行调试，则可以使用
-  [apiserver proxy](/zh/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls)或
-  [`kubectl port-forward`](/zh/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)。
+  [apiserver proxy](/zh-cn/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls)或
+  [`kubectl port-forward`](/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)。
 
 <!--
   If you explicitly need to expose a Pod's port on the node, consider using a [NodePort](/docs/concepts/services-networking/service/#type-nodeport) Service before resorting to `hostPort`.
 -->
   如果你明确需要在节点上公开 Pod 的端口，请在使用 `hostPort` 之前考虑使用
-  [NodePort](/zh/docs/concepts/services-networking/service/#type-nodeport) 服务。
+  [NodePort](/zh-cn/docs/concepts/services-networking/service/#type-nodeport) 服务。
 
 <!--
 - Avoid using `hostNetwork`, for the same reasons as `hostPort`.
@@ -154,7 +154,7 @@ DNS server watches the Kubernetes API for new `Services` and creates a set of DN
 services) (which have a `ClusterIP` of `None`) for service discovery when you don't need `kube-proxy` load balancing.
 -->
 - 当你不需要 `kube-proxy` 负载均衡时，使用
-  [无头服务](/zh/docs/concepts/services-networking/service/#headless-services)  
+  [无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)  
   (`ClusterIP` 被设置为 `None`)以便于服务发现。
 
 <!--
@@ -165,7 +165,7 @@ services) (which have a `ClusterIP` of `None`) for service discovery when you do
 <!--
 - Define and use [labels](/docs/concepts/overview/working-with-objects/labels/) that identify __semantic attributes__ of your application or Deployment, such as `{ app: myapp, tier: frontend, phase: test, deployment: v3 }`. You can use these labels to select the appropriate Pods for other resources; for example, a Service that selects all `tier: frontend` Pods, or all `phase: test` components of `app: myapp`. See the [guestbook](https://github.com/kubernetes/examples/tree/master/guestbook/) app for examples of this approach.
 -->
-- 定义并使用[标签](/zh/docs/concepts/overview/working-with-objects/labels/)来识别应用程序
+- 定义并使用[标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)来识别应用程序
   或 Deployment 的 __语义属性__，例如`{ app: myapp, tier: frontend, phase: test, deployment: v3 }`。
   你可以使用这些标签为其他资源选择合适的 Pod；
   例如，一个选择所有 `tier: frontend` Pod 的服务，或者 `app: myapp` 的所有 `phase: test` 组件。
@@ -175,7 +175,7 @@ services) (which have a `ClusterIP` of `None`) for service discovery when you do
 A Service can be made to span multiple Deployments by omitting release-specific labels from its selector. [Deployments](/docs/concepts/workloads/controllers/deployment/) make it easy to update a running service without downtime.
 -->
 通过从选择器中省略特定发行版的标签，可以使服务跨越多个 Deployment。
-当你需要不停机的情况下更新正在运行的服务，可以使用[Deployment](/zh/docs/concepts/workloads/controllers/deployment/)。
+当你需要不停机的情况下更新正在运行的服务，可以使用[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)。
 
 <!--
 A desired state of an object is described by a Deployment, and if changes to that spec are _applied_, the deployment controller changes the actual state to the desired state at a controlled rate.
@@ -187,9 +187,9 @@ Deployment 描述了对象的期望状态，并且如果对该规范的更改被
 - Use the [Kubernetes common labels](/docs/concepts/overview/working-with-objects/common-labels/) for common use cases. These standardized labels enrich the metadata in a way that allows tools, including `kubectl` and [dashboard](/docs/tasks/access-application-cluster/web-ui-dashboard), to work in an interoperable way.
 -->
 
-- 对于常见场景，应使用 [Kubernetes 通用标签](/zh/docs/concepts/overview/working-with-objects/common-labels/)。
+- 对于常见场景，应使用 [Kubernetes 通用标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/)。
   这些标准化的标签丰富了对象的元数据，使得包括 `kubectl` 和
-  [仪表板（Dashboard）](/zh/docs/tasks/access-application-cluster/web-ui-dashboard)
+  [仪表板（Dashboard）](/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard)
   这些工具能够以可互操作的方式工作。
 
 <!--
@@ -217,13 +217,13 @@ Deployment 描述了对象的期望状态，并且如果对该规范的更改被
 - Use label selectors for `get` and `delete` operations instead of specific object names. See the sections on [label selectors](/docs/concepts/overview/working-with-objects/labels/#label-selectors) and [using labels effectively](/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively).
 -->
 - 使用标签选择器进行 `get` 和 `delete` 操作，而不是特定的对象名称。
-- 请参阅[标签选择器](/zh/docs/concepts/overview/working-with-objects/labels/#label-selectors)和
-  [有效使用标签](/zh/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively)部分。
+- 请参阅[标签选择器](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)和
+  [有效使用标签](/zh-cn/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively)部分。
 
 <!--
 - Use `kubectl run` and `kubectl expose` to quickly create single-container Deployments and Services. See [Use a Service to Access an Application in a Cluster](/docs/tasks/access-application-cluster/service-access-application-cluster/) for an example.
 -->
 - 使用`kubectl run`和`kubectl expose`来快速创建单容器部署和服务。
-  有关示例，请参阅[使用服务访问集群中的应用程序](/zh/docs/tasks/access-application-cluster/service-access-application-cluster/)。
+  有关示例，请参阅[使用服务访问集群中的应用程序](/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster/)。
 
 
diff --git a/content/zh/docs/concepts/configuration/secret.md b/content/zh-cn/docs/concepts/configuration/secret.md
similarity index 88%
rename from content/zh/docs/concepts/configuration/secret.md
rename to content/zh-cn/docs/concepts/configuration/secret.md
index 917d31870348c..b67534c23848c 100644
--- a/content/zh/docs/concepts/configuration/secret.md
+++ b/content/zh-cn/docs/concepts/configuration/secret.md
@@ -35,12 +35,12 @@ Secret 是一种包含少量敏感信息例如密码、令牌或密钥的对象
 这样的信息可能会被放在 {{< glossary_tooltip term_id="pod" >}} 规约中或者镜像中。
 使用 Secret 意味着你不需要在应用程序代码中包含机密数据。
 
-<!-- 
+<!--
 Because Secrets can be created independently of the Pods that use them, there
 is less risk of the Secret (and its data) being exposed during the workflow of
 creating, viewing, and editing Pods. Kubernetes, and applications that run in
 your cluster, can also take additional precautions with Secrets, such as avoiding
-writing confidential data to nonvolatile storage.
+writing secret data to nonvolatile storage.
 
 Secrets are similar to {{< glossary_tooltip text="ConfigMaps" term_id="configmap" >}}
 but are specifically intended to hold confidential data.
@@ -61,21 +61,21 @@ Additionally, anyone who is authorized to create a Pod in a namespace can use th
 In order to safely use Secrets, take at least the following steps:
 
 1. [Enable Encryption at Rest](/docs/tasks/administer-cluster/encrypt-data/) for Secrets.
-1. Enable or configure [RBAC rules](/docs/reference/access-authn-authz/authorization/) that
-   restrict reading and writing data in Secrets. Be aware that secrets can be obtained
+1. [Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that
+   restrict reading and writing the Secret. Be aware that secrets can be obtained
    implicitly by anyone with the permission to create a Pod.
 1. Where appropriate, also use mechanisms such as RBAC to limit which principals are allowed
    to create new Secrets or replace existing ones.
 -->
-默认情况下，Kubernetes Secret 未加密地存储在 API 服务器的底层数据存储（etcd）中。 
+默认情况下，Kubernetes Secret 未加密地存储在 API 服务器的底层数据存储（etcd）中。
 任何拥有 API 访问权限的人都可以检索或修改 Secret，任何有权访问 etcd 的人也可以。
 此外，任何有权限在命名空间中创建 Pod 的人都可以使用该访问权限读取该命名空间中的任何 Secret；
 这包括间接访问，例如创建 Deployment 的能力。
 
 为了安全地使用 Secret，请至少执行以下步骤：
 
-1. 为 Secret [启用静态加密](/zh/docs/tasks/administer-cluster/encrypt-data/)；
-1. 启用或配置 [RBAC 规则](/zh/docs/reference/access-authn-authz/authorization/)来限制读取和写入
+1. 为 Secret [启用静态加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)；
+1. [启用或配置 RBAC 规则](/zh-cn/docs/reference/access-authn-authz/authorization/)来限制读取和写入
    Secret 的数据（包括通过间接方式）。需要注意的是，被准许创建 Pod 的人也隐式地被授权获取
    Secret 内容。
 1. 在适当的情况下，还可以使用 RBAC 等机制来限制允许哪些主体创建新 Secret 或替换现有 Secret。
@@ -139,7 +139,7 @@ Here are some of your options:
   token).
 -->
 - 如果你的云原生组件需要执行身份认证来访问你所知道的、在同一 Kubernetes 集群中运行的另一个应用，
-  你可以使用 [ServiceAccount](/zh/docs/reference/access-authn-authz/authentication/#service-account-tokens)
+  你可以使用 [ServiceAccount](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens)
   及其令牌来标识你的客户端身份。
 - 你可以运行的第三方工具也有很多，这些工具可以运行在集群内或集群外，提供机密数据管理。
   例如，这一工具可能是 Pod 通过 HTTPS 访问的一个服务，该服务在客户端能够正确地通过身份认证
@@ -153,9 +153,9 @@ Here are some of your options:
   trusted Pods onto nodes that provide a Trusted Platform Module, configured out-of-band.
 -->
 - 就身份认证而言，你可以为 X.509 证书实现一个定制的签名者，并使用
-  [CertificateSigningRequest](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)
+  [CertificateSigningRequest](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
   来让该签名者为需要证书的 Pod 发放证书。
-- 你可以使用一个[设备插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
+- 你可以使用一个[设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
   来将节点本地的加密硬件暴露给特定的 Pod。例如，你可以将可信任的 Pod
   调度到提供可信平台模块（Trusted Platform Module，TPM）的节点上。
   这类节点是另行配置的。
@@ -191,9 +191,9 @@ There are several options to create a Secret:
 
 ### 创建 Secret  {#creating-a-secret}
 
-- [使用 `kubectl` 命令来创建 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
-- [基于配置文件来创建 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-config-file/)
-- [使用 kustomize 来创建 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
+- [使用 `kubectl` 命令来创建 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
+- [基于配置文件来创建 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/)
+- [使用 kustomize 来创建 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
 
 <!--
 #### Constraints on Secret names and data {#restriction-names-data}
@@ -204,7 +204,7 @@ The name of a Secret object must be a valid
 #### 对 Secret 名称与数据的约束 {#restriction-names-data}
 
 Secret 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 You can specify the `data` and/or the `stringData` field when creating a
@@ -242,7 +242,7 @@ number of Secrets (or other resources) in a namespace.
 
 每个 Secret 的尺寸最多为 1MiB。施加这一限制是为了避免用户创建非常大的 Secret，
 进而导致 API 服务器和 kubelet 内存耗尽。不过创建很多小的 Secret 也可能耗尽内存。
-你可以使用[资源配额](/zh/docs/concepts/policy/resource-quotas/)来约束每个名字空间中
+你可以使用[资源配额](/zh-cn/docs/concepts/policy/resource-quotas/)来约束每个名字空间中
 Secret（或其他资源）的个数。
 
 <!--
@@ -258,6 +258,10 @@ You can edit an existing Secret using kubectl:
 kubectl edit secrets mysecret
 ```
 
+<!--
+This opens your default editor and allows you to update the base64 encoded Secret
+values in the `data` field; for example:
+-->
 这一命令会启动你的默认编辑器，允许你更新 `data` 字段中存放的 base64 编码的 Secret 值；
 例如：
 
@@ -380,7 +384,7 @@ This is an example of a Pod that mounts a Secret named `mysecret` in a volume:
 1. 更改 Pod 定义，在 `.spec.volumes[]` 下添加一个卷。根据需要为卷设置其名称，
    并将 `.spec.volumes[].secret.secretName` 字段设置为 Secret 对象的名称。
 1. 为每个需要该 Secret 的容器添加 `.spec.containers[].volumeMounts[]`。
-   并将 `.spec.containers[].volumeMounts[].readyOnly` 设置为 `true`，
+   并将 `.spec.containers[].volumeMounts[].readOnly` 设置为 `true`，
    将 `.spec.containers[].volumeMounts[].mountPath` 设置为希望 Secret
    被放置的、目前尚未被使用的路径名。
 1. 更改你的镜像或命令行，以便程序读取所设置的目录下的文件。Secret 的 `data`
@@ -434,7 +438,7 @@ Kubernetes v1.22 版本之前都会自动创建用来访问 Kubernetes API 的
 这一老的机制是基于创建可被挂载到 Pod 中的令牌 Secret 来实现的。
 在最近的版本中，包括 Kubernetes v{{< skew currentVersion >}} 中，API 凭据是直接通过
 [TokenRequest](/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
-API 来获得的，这一凭据会使用[投射卷](/zh/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume)
+API 来获得的，这一凭据会使用[投射卷](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume)
 挂载到 Pod 中。使用这种方式获得的令牌有确定的生命期，并且在挂载它们的 Pod
 被删除时自动作废。
 
@@ -443,11 +447,15 @@ You can still [manually create](/docs/tasks/configure-pod-container/configure-se
 a service account token Secret; for example, if you need a token that never expires.
 However, using the [TokenRequest](/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
 subresource to obtain a token to access the API is recommended instead.
+You can use the [`kubectl create token`](/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-)
+command to obtain a token from the `TokenRequest` API.
 -->
-你仍然可以[手动创建](/zh/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token)
+你仍然可以[手动创建](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token)
 服务账号令牌。例如，当你需要一个永远都不过期的令牌时。
 不过，仍然建议使用 [TokenRequest](/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
 子资源来获得访问 API 服务器的令牌。
+你可以使用 [`kubectl create token`](/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-)
+命令调用 `TokenRequest` API 获得令牌。
 {{< /note >}}
 
 <!--
@@ -456,7 +464,7 @@ subresource to obtain a token to access the API is recommended instead.
 You can also control the paths within the volume where Secret keys are projected.
 You can use the `.spec.volumes[].secret.items` field to change the target path of each key:
 -->
-#### 将 Secret 键投射到特定目录
+#### 将 Secret 键投射到特定目录 {#projection-of-secret-keys-to-specific-paths}
 
 你也可以控制 Secret 键所投射到的卷中的路径。
 你可以使用 `.spec.volumes[].secret.items` 字段来更改每个主键的目标路径：
@@ -517,7 +525,7 @@ You can also set a default mode for the entire Secret volume and override per ke
 
 For example, you can specify a default mode like this:
 -->
-#### Secret 文件的访问权限
+#### Secret 文件的访问权限 {#secret-files-permissions}
 
 你可以为某个 Secret 主键设置 POSIX 文件访问权限位。
 如果你不指定访问权限，默认会使用 `0644`。
@@ -640,7 +648,7 @@ A container using a Secret as a
 [subPath](/docs/concepts/storage/volumes#using-subpath) volume mount does not receive
 automated Secret updates.
 -->
-对于以 [subPath](/zh/docs/concepts/storage/volumes#using-subpath) 形式挂载 Secret 卷的容器而言，
+对于以 [subPath](/zh-cn/docs/concepts/storage/volumes#using-subpath) 形式挂载 Secret 卷的容器而言，
 它们无法收到自动的 Secret 更新。
 {{< /note >}}
 
@@ -652,7 +660,7 @@ the [kubelet configuration](/docs/reference/config-api/kubelet-config.v1beta1/)
 -->
 Kubelet 组件会维护一个缓存，在其中保存节点上 Pod 卷中使用的 Secret 的当前主键和取值。
 你可以配置 kubelet 如何检测所缓存数值的变化。
-[kubelet 配置](/zh/docs/reference/config-api/kubelet-config.v1beta1/)中的
+[kubelet 配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)中的
 `configMapAndSecretChangeDetectionStrategy` 字段控制 kubelet 所采用的策略。
 默认的策略是 `Watch`。
 
@@ -782,7 +790,7 @@ of the secret data.
 
 This is the result of commands executed inside the container from the example above:
 -->
-#### 通过环境变量使用 Secret 值
+#### 通过环境变量使用 Secret 值 {#consuming-secret-values-from-environment-variables}
 
 在通过环境变量来使用 Secret 的容器中，Secret 主键展现为普通的环境变量。
 这些变量的取值是 Secret 数据的 Base64 解码值。
@@ -862,7 +870,7 @@ You can use an `imagePullSecrets` to pass a secret that contains a Docker (or ot
 password to the kubelet. The kubelet uses this information to pull a private image on behalf of your Pod.
 See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core) for more information about the `imagePullSecrets` field.
 -->
-#### 使用 imagePullSecrets
+#### 使用 imagePullSecrets {#using-imagepullsecrets-1}
 
 `imagePullSecrets` 字段是一个列表，包含对同一名字空间中 Secret 的引用。
 你可以使用 `imagePullSecrets` 将包含 Docker（或其他）镜像仓库密码的 Secret
@@ -876,9 +884,9 @@ See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "versio
 You can learn how to specify `imagePullSecrets` from the [container images](/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
 documentation.
 -->
-##### 手动设定 imagePullSecret
+##### 手动设定 imagePullSecret {#manually-specifying-an-imagepullsecret}
 
-你可以通过阅读[容器镜像](/zh/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
+你可以通过阅读[容器镜像](/zh-cn/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
 文档了解如何设置 `imagePullSecrets`。
 
 <!--
@@ -891,12 +899,12 @@ field set to that of the service account.
 See [Add ImagePullSecrets to a service account](/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
  for a detailed explanation of that process.
 -->
-##### 设置 imagePullSecrets 为自动挂载
+##### 设置 imagePullSecrets 为自动挂载 {#arranging-for-imagepullsecrets-to-be-automatically-attached}
 
 你可以手动创建 `imagePullSecret`，并在一个 ServiceAccount 中引用它。
 对使用该 ServiceAccount 创建的所有 Pod，或者默认使用该 ServiceAccount 创建的 Pod
 而言，其 `imagePullSecrets` 字段都会设置为该服务账号。
-请阅读[向服务账号添加 ImagePullSecrets](/zh/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
+请阅读[向服务账号添加 ImagePullSecrets](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
 来详细了解这一过程。
 
 <!--
@@ -919,7 +927,7 @@ Create a secret
 -->
 ## 使用场景  {#use-case}
 
-### 使用场景：作为容器环境变量
+### 使用场景：作为容器环境变量 {#use-case-as-container-environment-variables}
 
 创建 Secret：
 
@@ -970,7 +978,7 @@ spec:
 
 Create a Secret containing some SSH keys:
 -->
-### 使用场景：带 SSH 密钥的 Pod
+### 使用场景：带 SSH 密钥的 Pod {#use-case-pod-with-ssh-keys}
 
 创建包含一些 SSH 密钥的 Secret：
 
@@ -1061,7 +1069,7 @@ credentials.
 You can create a `kustomization.yaml` with a `secretGenerator` field or run
 `kubectl create secret`.
 -->
-### 使用场景：带有生产、测试环境凭据的 Pod
+### 使用场景：带有生产、测试环境凭据的 Pod {#use-case-pods-with-prod-test-credentials}
 
 这一示例所展示的一个 Pod 会使用包含生产环境凭据的 Secret，另一个 Pod
 使用包含测试环境凭据的 Secret。
@@ -1247,7 +1255,7 @@ You can make your data "hidden" by defining a key that begins with a dot.
 This key represents a dotfile or "hidden" file. For example, when the following secret
 is mounted into a volume, `secret-volume`:
 -->
-### 使用场景：在 Secret 卷中带句点的文件
+### 使用场景：在 Secret 卷中带句点的文件 {#use-case-dotfiles-in-a-secret-volume}
 
 通过定义以句点（`.`）开头的主键，你可以“隐藏”你的数据。
 这些主键代表的是以句点开头的文件或“隐藏”文件。
@@ -1308,7 +1316,7 @@ logic, and then sign some messages with an HMAC. Because it has complex
 application logic, there might be an unnoticed remote file reading exploit in
 the server, which could expose the private key to an attacker.
 -->
-### 使用场景：仅对 Pod 中一个容器可见的 Secret
+### 使用场景：仅对 Pod 中一个容器可见的 Secret {#use-case-secret-visible-to-one-container-in-a-pod}
 
 考虑一个需要处理 HTTP 请求，执行某些复杂的业务逻辑，之后使用 HMAC
 来对某些消息进行签名的程序。因为这一程序的应用逻辑很复杂，
@@ -1341,7 +1349,7 @@ the [Secret](/docs/reference/kubernetes-api/config-and-storage-resources/secret-
 resource, or certain equivalent `kubectl` command line flags (if available).
 The Secret type is used to facilitate programmatic handling of the Secret data.
 
-Kubernetes provides several builtin types for some common usage scenarios.
+Kubernetes provides several built-in types for some common usage scenarios.
 These types vary in terms of the validations performed and the constraints
 Kubernetes imposes on them.
 -->
@@ -1355,10 +1363,10 @@ Kubernetes 提供若干种内置的类型，用于一些常见的使用场景。
 针对这些类型，Kubernetes 所执行的合法性检查操作以及对其所实施的限制各不相同。
 
 <!--
-| Builtin Type | Usage |
+| Built-in Type | Usage |
 |--------------|-------|
 | `Opaque`     |  arbitrary user-defined data |
-| `kubernetes.io/service-account-token` | service account token |
+| `kubernetes.io/service-account-token` | ServiceAccount token |
 | `kubernetes.io/dockercfg` | serialized `~/.dockercfg` file |
 | `kubernetes.io/dockerconfigjson` | serialized `~/.docker/config.json` file |
 | `kubernetes.io/basic-auth` | credentials for basic authentication |
@@ -1379,14 +1387,14 @@ Kubernetes 提供若干种内置的类型，用于一些常见的使用场景。
 
 <!--
 You can define and use your own Secret type by assigning a non-empty string as the
-`type` value for a Secret object. An empty string is treated as an `Opaque` type.
+`type` value for a Secret object (an empty string is treated as an `Opaque` type).
 -->
 通过为 Secret 对象的 `type` 字段设置一个非空的字符串值，你也可以定义并使用自己
-Secret 类型。如果 `type` 值为空字符串，则被视为 `Opaque` 类型。
+Secret 类型（如果 `type` 值为空字符串，则被视为 `Opaque` 类型）。
 
 <!--
 Kubernetes doesn't impose any constraints on the type name. However, if you
-are using one of the builtin types, you must meet all the requirements defined
+are using one of the built-in types, you must meet all the requirements defined
 for that type.
 -->
 Kubernetes 并不对类型的名称作任何限制。不过，如果你要使用内置类型之一，
@@ -1433,35 +1441,70 @@ empty-secret   Opaque   0      2m6s
 
 <!--
 The `DATA` column shows the number of data items stored in the Secret.
-In this case, `0` means we have created an empty Secret.
+In this case, `0` means you have created an empty Secret.
 -->
 `DATA` 列显示 Secret 中保存的数据条目个数。
-在这个例子种，`0` 意味着我们刚刚创建了一个空的 Secret。
+在这个例子种，`0` 意味着你刚刚创建了一个空的 Secret。
 
 <!--
-###  Service account token Secrets
+### Service account token Secrets
 
 A `kubernetes.io/service-account-token` type of Secret is used to store a
-token that identifies a
+token credential that identifies a
 {{< glossary_tooltip text="service account" term_id="service-account" >}}.
+-->
+### 服务账号令牌 Secret  {#service-account-token-secrets}
+
+类型为 `kubernetes.io/service-account-token` 的 Secret
+用来存放标识某{{< glossary_tooltip text="服务账号" term_id="service-account" >}}的令牌凭据。
+
+<!--
+Since 1.22, this type of Secret is no longer used to mount credentials into Pods,
+and obtaining tokens via the [TokenRequest](/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
+API is recommended instead of using service account token Secret objects.
+Tokens obtained from the `TokenRequest` API are more secure than ones stored in Secret objects,
+because they have a bounded lifetime and are not readable by other API clients.
+You can use the [`kubectl create token`](/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-)
+command to obtain a token from the `TokenRequest` API.
+-->
+从 v1.22 开始，这种类型的 Secret 不再被用来向 Pod 中加载凭据数据，
+建议通过 [TokenRequest](/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/)
+API 来获得令牌，而不是使用服务账号令牌 Secret 对象。
+通过 `TokenRequest` API 获得的令牌比保存在 Secret 对象中的令牌更加安全，
+因为这些令牌有着被限定的生命期，并且不会被其他 API 客户端读取。
+你可以使用 [`kubectl create token`](/docs/reference/generated/kubectl/kubectl-commands#-em-token-em-)
+命令调用 `TokenRequest` API 获得令牌。
+
+<!--
+You should only create a service account token Secret object
+if you can't use the `TokenRequest` API to obtain a token,
+and the security exposure of persisting a non-expiring token credential
+in a readable API object is acceptable to you.
+-->
+只有在你无法使用 `TokenRequest` API 来获取令牌，
+并且你能够接受因为将永不过期的令牌凭据写入到可读取的 API 对象而带来的安全风险时，
+才应该创建服务账号令牌 Secret 对象。
+
+<!--
 When using this Secret type, you need to ensure that the
 `kubernetes.io/service-account.name` annotation is set to an existing
-service account name. A Kubernetes
-{{< glossary_tooltip text="controller" term_id="controller" >}} fills in some
-other fields such as the `kubernetes.io/service-account.uid` annotation and the
-`token` key in the `data` field, which is  set to contain an authentication
-token.
+service account name. If you are creating both the ServiceAccount and
+the Secret objects, you should create the ServiceAccount object first.
+-->
+使用这种 Secret 类型时，你需要确保对象的注解 `kubernetes.io/service-account-name`
+被设置为某个已有的服务账号名称。
+如果你同时负责 ServiceAccount 和 Secret 对象的创建，应该先创建 ServiceAccount 对象。
+
+<!--
+
+After the Secret is created, a Kubernetes {{< glossary_tooltip text="controller" term_id="controller" >}}
+fills in some other fields such as the `kubernetes.io/service-account.uid` annotation, and the
+`token` key in the `data` field, which is set to contain an authentication token.
 
 The following example configuration declares a service account token Secret:
 -->
-### 服务账号令牌 Secret  {#service-account-token-secrets}
-
-类型为 `kubernetes.io/service-account-token` 的 Secret 用来存放标识某
-{{< glossary_tooltip text="服务账号" term_id="service-account" >}}的令牌。
-使用这种 Secret 类型时，你需要确保对象的注解 `kubernetes.io/service-account-name`
-被设置为某个已有的服务账号名称。某个 Kubernetes
-{{< glossary_tooltip text="控制器" term_id="controller" >}}会填写 Secret
-的其它字段，例如 `kubernetes.io/service-account.uid` 注解以及 `data` 字段中的
+当 Secret 对象被创建之后，某个 Kubernetes{{< glossary_tooltip text="控制器" term_id="controller" >}}会填写
+Secret 的其它字段，例如 `kubernetes.io/service-account.uid` 注解以及 `data` 字段中的
 `token` 键值，使之包含实际的令牌内容。
 
 下面的配置实例声明了一个服务账号令牌 Secret：
@@ -1494,45 +1537,33 @@ data:
 ```
 
 <!--
-When creating a `Pod`, Kubernetes automatically creates a service account
-Secret and automatically modifies your Pod to use this Secret. The service account
-token Secret contains credentials for accessing the API.
-
-The automatic creation and use of API credentials can be disabled or
-overridden if desired. However, if all you need to do is securely access the
-API server, this is the recommended workflow.
+After creating the Secret, wait for Kubernetes to populate the `token` key in the `data` field.
 -->
-Kubernetes 在创建 Pod 时会自动创建一个服务账号 Secret 并自动修改你的 Pod
-以使用该 Secret。该服务账号令牌 Secret 中包含了访问 Kubernetes API
-所需要的凭据。
-
-如果需要，可以禁止或者重载这种自动创建并使用 API 凭据的操作。
-不过，如果你仅仅是希望能够安全地访问 API 服务器，这是建议的工作方式。
+创建了 Secret 之后，等待 Kubernetes 在 `data` 字段中填充 `token` 主键。
 
 <!--
 See the [ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/)
-documentation for more information on how service accounts work.
+documentation for more information on how service accounts work.  
 You can also check the `automountServiceAccountToken` field and the
 `serviceAccountName` field of the
-[`Pod`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
-for information on referencing service account from Pods.
+[`Pod`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
+for information on referencing service account credentials from within Pods.
 -->
-参考 [ServiceAccount](/zh/docs/tasks/configure-pod-container/configure-service-account/)
+参考 [ServiceAccount](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
 文档了解服务账号的工作原理。你也可以查看
 [`Pod`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
 资源中的 `automountServiceAccountToken` 和 `serviceAccountName` 字段文档，
-进一步了解从 Pod 中引用服务账号。
+进一步了解从 Pod 中引用服务账号凭据。
 
 <!--
 ### Docker config Secrets
 
 You can use one of the following `type` values to create a Secret to
-store the credentials for accessing a Docker registry for images.
+store the credentials for accessing a container image registry:
 -->
 ### Docker 配置 Secret  {#docker-config-secrets}
 
-你可以使用下面两种 `type` 值之一来创建 Secret，用以存放访问 Docker 仓库
-来下载镜像的凭据。
+你可以使用下面两种 `type` 值之一来创建 Secret，用以存放用于访问容器鏡像倉庫的凭据：
 
 - `kubernetes.io/dockercfg`
 - `kubernetes.io/dockerconfigjson`
@@ -1550,7 +1581,7 @@ Secret 的 `data` 字段中包含名为 `.dockercfg` 的主键，其对应键值
 编码的某 `~/.dockercfg` 文件的内容。
 
 <!--
-The `kubernetes/dockerconfigjson` type is designed for storing a serialized
+The `kubernetes.io/dockerconfigjson` type is designed for storing a serialized
 JSON that follows the same format rules as the `~/.docker/config.json` file
 which is a new format for `~/.dockercfg`.
 When using this Secret type, the `data` field of the Secret object must
@@ -1588,41 +1619,55 @@ If you do not want to perform the base64 encoding, you can choose to use the
 
 <!--
 When you create these types of Secrets using a manifest, the API
-server checks whether the expected key does exists in the `data` field, and
+server checks whether the expected key exists in the `data` field, and
 it verifies if the value provided can be parsed as a valid JSON. The API
 server doesn't validate if the JSON actually is a Docker config file.
 
 When you do not have a Docker config file, or you want to use `kubectl`
-to create a Docker registry Secret, you can do:
+to create a Secret for accessing a container registry, you can do:
 -->
 当你使用清单文件来创建这两类 Secret 时，API 服务器会检查 `data` 字段中是否
 存在所期望的主键，并且验证其中所提供的键值是否是合法的 JSON 数据。
 不过，API 服务器不会检查 JSON 数据本身是否是一个合法的 Docker 配置文件内容。
 
+
+当你没有 Docker 配置文件，或者你想使用 `kubectl` 创建一个 Secret
+来访问容器倉庫时，你可以这样做：
+
 ```shell
 kubectl create secret docker-registry secret-tiger-docker \
   --docker-email=tiger@acme.example \
   --docker-username=tiger \
-  --docker-password=pass113 \
+  --docker-password=pass1234 \
   --docker-server=my-registry.example:5000
 ```
 
 <!--
-This command creates a Secret of type `kubernetes.io/dockerconfigjson`.
-If you dump the `.data.dockerconfigjson` field from the new Secret and then
+That command creates a Secret of type `kubernetes.io/dockerconfigjson`.
+If you dump the `.data.dockerconfigjson` field from that new Secret and then
 decode it from base64:
 -->
 上面的命令创建一个类型为 `kubernetes.io/dockerconfigjson` 的 Secret。
 如果你对 `.data.dockerconfigjson` 内容进行转储并执行 base64 解码：
 
+```shell
+kubectl get secret secret-tiger-docker -o jsonpath='{.data.*}' | base64 -d
+```
+
+<!--
+then the output is equivalent to this JSON document (which is also a valid
+Docker configuration file):
+-->
+那么输出等价于这个 JSON 文档（这也是一个有效的 Docker 配置文件）：
+
 ```json
 {
   "auths": {
     "my-registry.example:5000": {
       "username": "tiger",
-      "password": "pass113",
-      "email": "tiger@acme.com",
-      "auth": "dGlnZXI6cGFzczExMw=="
+      "password": "pass1234",
+      "email": "tiger@acme.example",
+      "auth": "dGlnZXI6cGFzczEyMzQ="
     }
   }
 }
@@ -1642,15 +1687,15 @@ Anyone who can read that Secret can learn the registry access bearer token.
 
 The `kubernetes.io/basic-auth` type is provided for storing credentials needed
 for basic authentication. When using this Secret type, the `data` field of the
-Secret must contain the following two keys:
+Secret must contain one of the following two keys:
 
-- `username`: the user name for authentication;
-- `password`: the password or token for authentication.
+- `username`: the user name for authentication
+- `password`: the password or token for authentication
 -->
 ### 基本身份认证 Secret  {#basic-authentication-secret}
 
 `kubernetes.io/basic-auth` 类型用来存放用于基本身份认证所需的凭据信息。
-使用这种 Secret 类型时，Secret 的 `data` 字段必须包含以下两个键：
+使用这种 Secret 类型时，Secret 的 `data` 字段必须包含以下两个键之一：
 
 - `username`: 用于身份认证的用户名；
 - `password`: 用于身份认证的密码或令牌。
@@ -1660,11 +1705,11 @@ Both values for the above two keys are base64 encoded strings. You can, of
 course, provide the clear text content using the `stringData` for Secret
 creation.
 
-The following YAML is an example config for a basic authentication Secret:
+The following manifest is an example of a basic authentication Secret:
 -->
 以上两个键的键值都是 base64 编码的字符串。
 当然你也可以在创建 Secret 时使用 `stringData` 字段来提供明文形式的内容。
-下面的 YAML 是基本身份认证 Secret 的一个示例清单：
+以下清单是基本身份验证 Secret 的示例：
 
 ```yaml
 apiVersion: v1
@@ -1673,13 +1718,13 @@ metadata:
   name: secret-basic-auth
 type: kubernetes.io/basic-auth
 stringData:
-  username: admin      #  kubernetes.io/basic-auth 类型的必需字段
+  username: admin      # kubernetes.io/basic-auth 类型的必需字段
   password: t0p-Secret # kubernetes.io/basic-auth 类型的必需字段
 ```
 
 <!--
 The basic authentication Secret type is provided only for convenience.
-You can create an `Opaque` for credentials used for basic authentication.
+You can create an `Opaque` type for credentials used for basic authentication.
 However, using the defined and public Secret type (`kubernetes.io/basic-auth`) helps other
 people to understand the purpose of your Secret, and sets a convention for what key names
 to expect.
@@ -1697,7 +1742,7 @@ API 服务器会检查 Secret 配置中是否提供了所需要的主键。
 
 The builtin type `kubernetes.io/ssh-auth` is provided for storing data used in
 SSH authentication. When using this Secret type, you will have to specify a
-`ssh-privatekey` key-value pair in the `data` (or `stringData`) field.
+`ssh-privatekey` key-value pair in the `data` (or `stringData`) field
 as the SSH credential to use.
 
 The following manifest is an example of a Secret used for SSH public/private
@@ -1769,7 +1814,7 @@ The following YAML contains an example config for a TLS Secret:
 
 Kubernetes 提供一种内置的 `kubernetes.io/tls` Secret 类型，用来存放 TLS
 场合通常要使用的证书及其相关密钥。
-TLS Secret 的一种典型用法是为 [Ingress](/zh/docs/concepts/services-networking/ingress/)
+TLS Secret 的一种典型用法是为 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/)
 资源配置传输过程中的数据加密，不过也可以用于其他资源或者直接在负载中使用。
 当使用此类型的 Secret 时，Secret 配置中的 `data` （或 `stringData`）字段必须包含
 `tls.key` 和 `tls.crt` 主键，尽管 API 服务器实际上并不会对每个键的取值作进一步的合法性检查。
@@ -1814,7 +1859,7 @@ kubectl create secret tls my-tls-secret \
 ```
 
 <!--
-The public/private key pair must exist beforehand. The public key certificate
+The public/private key pair must exist before hand. The public key certificate
 for `--cert` must be DER format as per
 [Section 5.1 of RFC 7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1),
 and must match the given private key for `--key` (PKCS #8 in DER format;
@@ -1851,7 +1896,7 @@ and `-------END CERTIFICATE----`.
 A bootstrap token Secret can be created by explicitly specifying the Secret
 `type` to `bootstrap.kubernetes.io/token`. This type of Secret is designed for
 tokens used during the node bootstrap process. It stores tokens used to sign
-well known ConfigMaps.
+well-known ConfigMaps.
 -->
 ### 启动引导令牌 Secret  {#bootstrap-token-secrets}
 
@@ -1890,11 +1935,11 @@ data:
 ```
 
 <!--
-A bootstrap type has the following keys specified under `data`:
+A bootstrap type Secret has the following keys specified under `data`:
 
 - `token-id`: A random 6 character string as the token identifier. Required.
 - `token-secret`: A random 16 character string as the actual token secret. Required.
-- `description1`: A human-readable string that describes what the token is
+- `description`: A human-readable string that describes what the token is
   used for. Optional.
 - `expiration`: An absolute UTC time using RFC3339 specifying when the token
   should be expired. Optional.
@@ -2031,7 +2076,7 @@ these pods.
 Although ConfigMap and Secret work similarly, Kubernetes applies some additional
 protection for Secret objects.
 -->
-## Secret 的信息安全问题
+## Secret 的信息安全问题 {#information-security-for-secrets}
 
 尽管 ConfigMap 和 Secret 的工作方式类似，但 Kubernetes 对 Secret 有一些额外的保护。
 
@@ -2096,7 +2141,7 @@ on that node.
   variable configuration so that the other containers do not have access to that
   Secret.
 -->
-### 针对开发人员的安全性建议
+### 针对开发人员的安全性建议 {#security-recommendations-for-developers}
 
 - 应用在从环境变量或卷中读取了机密信息内容之后仍要对其进行保护。例如，
   你的应用应该避免用明文的方式将 Secret 数据写入日志，或者将其传递给不可信的第三方。
@@ -2117,10 +2162,10 @@ on that node.
 - When deploying applications that interact with the Secret API, you should
   limit access using
   [authorization policies](/docs/reference/access-authn-authz/authorization/) such as
-  [RBAC]( /docs/reference/access-authn-authz/rbac/).
+  [RBAC](/docs/reference/access-authn-authz/rbac/).
 -->
-- 部署与 Secret API 交互的应用时，你应该使用 [RBAC](/zh/docs/reference/access-authn-authz/rbac/)
-  这类[鉴权策略](/zh/docs/reference/access-authn-authz/authorization/)来限制访问。
+- 部署与 Secret API 交互的应用时，你应该使用 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)
+  这类[鉴权策略](/zh-cn/docs/reference/access-authn-authz/authorization/)来限制访问。
 <!--
 - In the Kubernetes API, `watch` and `list` requests for Secrets within a namespace
   are extremely powerful capabilities. Avoid granting this access where feasible, since
@@ -2134,7 +2179,7 @@ on that node.
 <!--
 ### Security recommendations for cluster administrators
 -->
-### 针对集群管理员的安全性建议
+### 针对集群管理员的安全性建议 {#security-recommendations-for-cluster-administrators}
 
 {{< caution >}}
 <!--
@@ -2153,13 +2198,13 @@ Pod 来访问 Secret 的内容。
 - When deploying applications that interact with the Secret API, you should
   limit access using
   [authorization policies](/docs/reference/access-authn-authz/authorization/) such as
-  [RBAC]( /docs/reference/access-authn-authz/rbac/).
+  [RBAC](/docs/reference/access-authn-authz/rbac/).
 -->
 - 保留（使用 Kubernetes API）对集群中所有 Secret 对象执行 `watch` 或 `list` 操作的能力，
   这样只有特权级最高、系统级别的组件能够执行这类操作。
 - 在部署需要通过 Secret API 交互的应用时，你应该通过使用
-  [RBAC](/zh/docs/reference/access-authn-authz/rbac/)
-  这类[鉴权策略](/zh/docs/reference/access-authn-authz/authorization/)来限制访问。
+  [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)
+  这类[鉴权策略](/zh-cn/docs/reference/access-authn-authz/authorization/)来限制访问。
 <!--
 - In the API server, objects (including Secrets) are persisted into
   {{< glossary_tooltip term_id="etcd" >}}; therefore:
@@ -2176,7 +2221,7 @@ Pod 来访问 Secret 的内容。
   因此：
 
   - 只应准许集群管理员访问 etcd（包括只读访问）；
-  - 为 Secret 对象启用[静态加密](/zh/docs/tasks/administer-cluster/encrypt-data/)，
+  - 为 Secret 对象启用[静态加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)，
     这样这些 Secret 的数据就不会以明文的形式保存到
     {{< glossary_tooltip term_id="etcd" >}} 中；
   - 当 etcd 的持久化存储不再被使用时，请考虑彻底擦除存储介质；
@@ -2185,13 +2230,13 @@ Pod 来访问 Secret 的内容。
 ## {{% heading "whatsnext" %}}
 
 <!--
-- Learn how to [manage Secret using `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
-- Learn how to [manage Secret using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/)
-- Learn how to [manage Secret using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
+- Learn how to [manage Secrets using `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
+- Learn how to [manage Secrets using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/)
+- Learn how to [manage Secrets using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
 - Read the [API reference](/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/) for `Secret`
 -->
-- 学习如何[使用 `kubectl` 管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
-- 学习如何[使用配置文件管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-config-file/)
-- 学习如何[使用 kustomize 管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
-- 阅读 [API 参考](/zh/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/)了解 `Secret`
+- 学习如何[使用 `kubectl` 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
+- 学习如何[使用配置文件管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/)
+- 学习如何[使用 kustomize 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
+- 阅读 [API 参考](/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/)了解 `Secret`
 
diff --git a/content/zh-cn/docs/concepts/configuration/windows-resource-management.md b/content/zh-cn/docs/concepts/configuration/windows-resource-management.md
new file mode 100644
index 0000000000000..4a4cefb483113
--- /dev/null
+++ b/content/zh-cn/docs/concepts/configuration/windows-resource-management.md
@@ -0,0 +1,134 @@
+---
+title: Windows 节点的资源管理
+content_type: concept
+weight: 75
+---
+<!--
+reviewers:
+- jayunit100
+- jsturtevant
+- marosset
+- perithompson
+title: Resource Management for Windows nodes
+content_type: concept
+weight: 75
+-->
+
+<!-- overview 
+This page outlines the differences in how resources are managed between Linux and Windows.
+-->
+本页概述了 Linux 和 Windows 在资源管理方式上的区别。
+
+<!-- body -->
+<!--
+On Linux nodes, {{< glossary_tooltip text="cgroups" term_id="cgroup" >}} are used
+as a pod boundary for resource control. Containers are created within that boundary for network, process and file system isolation. The Linux cgroup APIs can be used to gather CPU, I/O, and memory use statistics.
+
+In contrast, Windows uses a [_job object_](https://docs.microsoft.com/windows/win32/procthread/job-objects) per container with a system namespace filter
+to contain all processes in a container and provide logical isolation from the
+host. (Job objects are a Windows process isolation mechanism and are different from what Kubernetes refers to as a {{< glossary_tooltip term_id="job" text="Job" >}}).
+
+There is no way to run a Windows container without the namespace filtering in
+place. This means that system privileges cannot be asserted in the context of the
+host, and thus privileged containers are not available on Windows.
+Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate.
+-->
+在 Linux 节点上，{{< glossary_tooltip text="cgroup" term_id="cgroup" >}} 用作资源控制的 Pod 边界。
+在这个边界内创建容器以便于隔离网络、进程和文件系统。
+Linux cgroup API 可用于收集 CPU、I/O 和内存使用统计数据。
+
+与此相反，Windows 中每个容器对应一个[**作业对象**](https://docs.microsoft.com/zh-cn/windows/win32/procthread/job-objects)，
+与系统命名空间过滤器一起使用，将所有进程包含在一个容器中，提供与主机的逻辑隔离。
+（作业对象是一种 Windows 进程隔离机制，不同于 Kubernetes 提及的 {{< glossary_tooltip term_id="job" text="Job" >}})。
+
+如果没有命名空间过滤，就无法运行 Windows 容器。
+这意味着在主机环境中无法让系统特权生效，因此特权容器在 Windows 上不可用。
+容器不能使用来自主机的标识，因为安全帐户管理器（Security Account Manager，SAM）是独立的。
+
+<!--
+## Memory management {#resource-management-memory}
+
+Windows does not have an out-of-memory process killer as Linux does. Windows always
+treats all user-mode memory allocations as virtual, and pagefiles are mandatory.
+
+Windows nodes do not overcommit memory for processes. The
+net effect is that Windows won't reach out of memory conditions the same way Linux
+does, and processes page to disk instead of being subject to out of memory (OOM)
+termination. If memory is over-provisioned and all physical memory is exhausted,
+then paging can slow down performance.
+-->
+## 内存管理 {#resource-management-memory}
+
+Windows 不像 Linux 一样提供杀手（killer）机制，杀死内存不足的进程。
+Windows 始终将所有用户态内存分配视为虚拟内存，并强制使用页面文件（pagefile）。
+
+Windows 节点不会为进程过量使用内存。
+最终结果是 Windows 不会像 Linux 那样达到内存不足的情况，Windows 将进程页面放到磁盘，
+不会因为内存不足（OOM）而终止进程。
+如果内存配置过量且所有物理内存都已耗尽，则换页性能就会降低。
+<!--
+## CPU management {#resource-management-cpu}
+
+Windows can limit the amount of CPU time allocated for different processes but cannot
+guarantee a minimum amount of CPU time.
+
+On Windows, the kubelet supports a command-line flag to set the
+[scheduling priority](https://docs.microsoft.com/windows/win32/procthread/scheduling-priorities) of the
+kubelet process: `--windows-priorityclass`. This flag allows the kubelet process to get
+more CPU time slices when compared to other processes running on the Windows host.
+More information on the allowable values and their meaning is available at
+[Windows Priority Classes](https://docs.microsoft.com/en-us/windows/win32/procthread/scheduling-priorities#priority-class).
+To ensure that running Pods do not starve the kubelet of CPU cycles, set this flag to `ABOVE_NORMAL_PRIORITY_CLASS` or above.
+-->
+## CPU 管理 {#resource-management-cpu}
+
+Windows 可以限制为不同进程分配的 CPU 时间长度，但无法保证最小的 CPU 时间长度。
+
+在 Windows 上，kubelet 支持使用命令行标志来设置 kubelet 进程的[调度优先级](https://docs.microsoft.com/zh-cn/windows/win32/procthread/scheduling-priorities)：
+`--windows-priorityclass`。
+与 Windows 主机上运行的其他进程相比，此标志允许 kubelet 进程获取更多的 CPU 时间片。
+有关允许值及其含义的更多信息，请访问 [Windows 优先级类](https://docs.microsoft.com/zh-cn/windows/win32/procthread/scheduling-priorities#priority-class)。
+为了确保运行的 Pod 不会耗尽 kubelet 的 CPU 时钟周期，
+要将此标志设置为 `ABOVE_NORMAL_PRIORITY_CLASS` 或更高。
+
+<!--
+## Resource reservation {#resource-reservation}
+
+To account for memory and CPU used by the operating system, the container runtime, and by
+Kubernetes host processes such as the kubelet, you can (and should) reserve
+memory and CPU resources with the  `--kube-reserved` and/or `--system-reserved` kubelet flags.
+On Windows these values are only used to calculate the node's
+[allocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) resources.
+-->
+## 资源预留 {#resource-reservation}
+
+为了满足操作系统、容器运行时和 kubelet 等 Kubernetes 主机进程使用的内存和 CPU，
+你可以（且应该）用 `--kube-reserved` 和/或 `--system-reserved` kubelet 标志来预留内存和 CPU 资源。
+在 Windows 上，这些值仅用于计算节点的[可分配](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)资源。
+
+<!--
+As you deploy workloads, set resource memory and CPU limits on containers.
+This also subtracts from `NodeAllocatable` and helps the cluster-wide scheduler in determining which pods to place on which nodes.
+
+Scheduling pods without limits may over-provision the Windows nodes and in extreme
+cases can cause the nodes to become unhealthy.
+-->
+{{< caution >}}
+在你部署工作负载时，需对容器设置内存和 CPU 资源的限制。
+这也会从 `NodeAllocatable` 中减去，帮助集群范围的调度器决定哪些 Pod 放到哪些节点上。
+
+若调度 Pod 时未设置限制值，可能对 Windows 节点过量配置资源。
+在极端情况下，这会让节点变得不健康。
+{{< /caution >}}
+
+<!--
+On Windows, a good practice is to reserve at least 2GiB of memory.
+
+To determine how much CPU to reserve,
+identify the maximum pod density for each node and monitor the CPU usage of
+the system services running there, then choose a value that meets your workload needs.
+-->
+在 Windows 上，一种好的做法是预留至少 2GiB 的内存。
+
+要决定预留多少 CPU，需明确每个节点的最大 Pod 密度，
+并监控节点上运行的系统服务的 CPU 使用率，然后选择一个满足工作负载需求的值。
diff --git a/content/zh/docs/concepts/containers/_index.md b/content/zh-cn/docs/concepts/containers/_index.md
similarity index 85%
rename from content/zh/docs/concepts/containers/_index.md
rename to content/zh-cn/docs/concepts/containers/_index.md
index c627f66f1e17a..de66ab39eab63 100644
--- a/content/zh/docs/concepts/containers/_index.md
+++ b/content/zh-cn/docs/concepts/containers/_index.md
@@ -15,16 +15,12 @@ run it.
 Containers decouple applications from underlying host infrastructure.
 This makes deployment easier in different cloud or OS environments.
 -->
-
 每个运行的容器都是可重复的；
-包含依赖环境在内的标准，意味着无论您在哪里运行它，您都会得到相同的行为。
+包含依赖环境在内的标准，意味着无论你在哪里运行它都会得到相同的行为。
 
 容器将应用程序从底层的主机设施中解耦。
 这使得在不同的云或 OS 环境中部署更加容易。
 
-
-
-
 <!-- body -->
 <!--
 ## Container images
@@ -40,7 +36,7 @@ the change, then recreate the container to start from the updated image.
 -->
 
 ## 容器镜像 {#container-images}
-[容器镜像](/zh/docs/concepts/containers/images/)是一个随时可以运行的软件包，
+[容器镜像](/zh-cn/docs/concepts/containers/images/)是一个随时可以运行的软件包，
 包含运行应用程序所需的一切：代码和它需要的所有运行时、应用程序和系统库，以及一些基本设置的默认值。
 
 根据设计，容器是不可变的：你不能更改已经运行的容器的代码。
@@ -57,7 +53,7 @@ the change, then recreate the container to start from the updated image.
 * Read about [Pods](/docs/concepts/workloads/pods/)
 -->
 
-* 进一步阅读[容器镜像](/zh/docs/concepts/containers/images/)
-* 进一步阅读 [Pods](/zh/docs/concepts/workloads/pods/)
+* 进一步阅读[容器镜像](/zh-cn/docs/concepts/containers/images/)
+* 进一步阅读 [Pods](/zh-cn/docs/concepts/workloads/pods/)
 
 
diff --git a/content/zh/docs/concepts/containers/container-environment.md b/content/zh-cn/docs/concepts/containers/container-environment.md
similarity index 87%
rename from content/zh/docs/concepts/containers/container-environment.md
rename to content/zh-cn/docs/concepts/containers/container-environment.md
index 362e9d4c1b5a5..32ed23ba503ae 100644
--- a/content/zh/docs/concepts/containers/container-environment.md
+++ b/content/zh-cn/docs/concepts/containers/container-environment.md
@@ -34,8 +34,8 @@ The Kubernetes Container environment provides several important resources to Con
 
 Kubernetes 的容器环境给容器提供了几个重要的资源：
 
-* 文件系统，其中包含一个[镜像](/zh/docs/concepts/containers/images/)
-  和一个或多个的[卷](/zh/docs/concepts/storage/volumes/)
+* 文件系统，其中包含一个[镜像](/zh-cn/docs/concepts/containers/images/)
+  和一个或多个的[卷](/zh-cn/docs/concepts/storage/volumes/)
 * 容器自身的信息
 * 集群中其他对象的信息
 
@@ -59,7 +59,7 @@ as are any environment variables specified statically in the container image.
 [`gethostname`](https://man7.org/linux/man-pages/man2/gethostname.2.html) 函数来获取。
 
 Pod 名称和命名空间可以通过
-[下行 API](/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
+[下行 API](/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)
 转换为环境变量。
 
 Pod 定义中的用户所定义的环境变量也可在容器中使用，就像在 container 镜像中静态指定的任何环境变量一样。
@@ -100,7 +100,7 @@ if [DNS addon](https://releases.k8s.io/{{< param "fullversion" >}}/cluster/addon
 * Get hands-on experience
   [attaching handlers to Container lifecycle events](/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/).
 -->
-* 学习更多有关[容器生命周期回调](/zh/docs/concepts/containers/container-lifecycle-hooks/)的知识
-* 动手[为容器生命周期事件添加处理程序](/zh/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/)
+* 学习更多有关[容器生命周期回调](/zh-cn/docs/concepts/containers/container-lifecycle-hooks/)的知识
+* 动手[为容器生命周期事件添加处理程序](/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/)
 
 
diff --git a/content/zh/docs/concepts/containers/container-lifecycle-hooks.md b/content/zh-cn/docs/concepts/containers/container-lifecycle-hooks.md
similarity index 98%
rename from content/zh/docs/concepts/containers/container-lifecycle-hooks.md
rename to content/zh-cn/docs/concepts/containers/container-lifecycle-hooks.md
index 32d86af26ab97..9791183f47ab1 100644
--- a/content/zh/docs/concepts/containers/container-lifecycle-hooks.md
+++ b/content/zh-cn/docs/concepts/containers/container-lifecycle-hooks.md
@@ -80,7 +80,7 @@ A more detailed description of the termination behavior can be found in
 [Termination of Pods](/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination).
 -->
 有关终止行为的更详细描述，请参见
-[终止 Pod](/zh/docs/concepts/workloads/pods/pod-lifecycle/#termination-of-pods)。
+[终止 Pod](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#termination-of-pods)。
 
 <!--
 ### Hook handler implementations
@@ -250,6 +250,6 @@ Events:
   [attaching handlers to Container lifecycle events](/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/).
 -->
 
-* 进一步了解[容器环境](/zh/docs/concepts/containers/container-environment/)
-* 动手实践，[为容器生命周期事件添加处理程序](/zh/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/)
+* 进一步了解[容器环境](/zh-cn/docs/concepts/containers/container-environment/)
+* 动手实践，[为容器生命周期事件添加处理程序](/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/)
 
diff --git a/content/zh/docs/concepts/containers/images.md b/content/zh-cn/docs/concepts/containers/images.md
similarity index 95%
rename from content/zh/docs/concepts/containers/images.md
rename to content/zh-cn/docs/concepts/containers/images.md
index 12c48ef46326b..f3783775cceb2 100644
--- a/content/zh/docs/concepts/containers/images.md
+++ b/content/zh-cn/docs/concepts/containers/images.md
@@ -101,7 +101,7 @@ these values have:
 -->
 ### 镜像拉取策略   {#image-pull-policy}
 
-容器的 `imagePullPolicy` 和镜像的标签会影响 [kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/) 尝试拉取（下载）指定的镜像。
+容器的 `imagePullPolicy` 和镜像的标签会影响 [kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) 尝试拉取（下载）指定的镜像。
 
 以下列表包含了 `imagePullPolicy` 可以设置的值，以及这些值的效果：
 
@@ -179,7 +179,7 @@ running the same code no matter what tag changes happen at the registry.
 镜像摘要唯一标识了镜像的特定版本，因此 Kubernetes 每次启动具有指定镜像名称和摘要的容器时，都会运行相同的代码。
 通过摘要指定镜像可固定你运行的代码，这样镜像仓库的变化就不会导致版本的混杂。
 
-有一些第三方的[准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
+有一些第三方的[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
 在创建 Pod（和 Pod 模板）时产生变更，这样运行的工作负载就是根据镜像摘要，而不是标签来定义的。
 无论镜像仓库上的标签发生什么变化，你都想确保你所有的工作负载都运行相同的代码，那么指定镜像摘要会很有用。
 
@@ -247,7 +247,7 @@ If you would like to always force a pull, you can do one of the following:
   当你提交 Pod 时，Kubernetes 会将策略设置为 `Always`。
 - 省略 `imagePullPolicy` 和镜像的标签；
   当你提交 Pod 时，Kubernetes 会将策略设置为 `Always`。
-- 启用准入控制器 [AlwaysPullImages](/zh/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)。
+- 启用准入控制器 [AlwaysPullImages](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)。
 
 
 <!--
@@ -260,7 +260,7 @@ state because of `ImagePullBackOff`.
 ### ImagePullBackOff
 
 当 kubelet 使用容器运行时创建 Pod 时，容器可能因为 `ImagePullBackOff` 导致状态为
-[Waiting](/zh/docs/concepts/workloads/pods/pod-lifecycle/#container-state-waiting)。
+[Waiting](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#container-state-waiting)。
 
 <!--
 The status `ImagePullBackOff` means that a container could not start because Kubernetes
@@ -366,7 +366,7 @@ For an example of configuring a private container image registry, see the
 task. That example uses a private registry in Docker Hub.
 -->
 有关配置私有容器镜像仓库的示例，请参阅任务
-[从私有镜像库中提取图像](/zh/docs/tasks/configure-pod-container/pull-image-private-registry)。
+[从私有镜像库中提取图像](/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry)。
 该示例使用 Docker Hub 中的私有注册表。
 
 <!--
@@ -560,7 +560,7 @@ command, you can import the credentials file as a Kubernetes
 如果你已经有 Docker 凭据文件，则可以将凭据文件导入为 Kubernetes
 {{< glossary_tooltip text="Secret" term_id="secret" >}}，
 而不是执行上面的命令。
-[基于已有的 Docker 凭据创建 Secret](/zh/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
+[基于已有的 Docker 凭据创建 Secret](/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
 解释了如何完成这一操作。
 
 <!--
@@ -628,10 +628,10 @@ will be merged.
 -->
 你需要对使用私有仓库的每个 Pod 执行以上操作。
 不过，设置该字段的过程也可以通过为
-[服务账号](/zh/docs/tasks/configure-pod-container/configure-service-account/)
+[服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
 资源设置 `imagePullSecrets` 来自动完成。
 有关详细指令可参见
-[将 ImagePullSecrets 添加到服务账号](/zh/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)。
+[将 ImagePullSecrets 添加到服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)。
 
 你也可以将此方法与节点级别的 `.docker/config.json` 配置结合使用。
 来自不同来源的凭据会被合并。
@@ -685,7 +685,7 @@ common use cases and suggested solutions.
    - Move sensitive data into a "Secret" resource, instead of packaging it in an image.
 -->
 3. 集群使用专有镜像，且有些镜像需要更严格的访问控制
-   - 确保 [AlwaysPullImages 准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)被启用。否则，所有 Pod 都可以使用所有镜像。
+   - 确保 [AlwaysPullImages 准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)被启用。否则，所有 Pod 都可以使用所有镜像。
    - 确保将敏感数据存储在 Secret 资源中，而不是将其打包在镜像里
 
 <!--
@@ -696,7 +696,7 @@ common use cases and suggested solutions.
    - The tenant adds that secret to imagePullSecrets of each namespace.
 -->
 4. 集群是多租户的并且每个租户需要自己的私有仓库
-   - 确保 [AlwaysPullImages 准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)。否则，所有租户的所有的 Pod 都可以使用所有镜像。
+   - 确保 [AlwaysPullImages 准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)。否则，所有租户的所有的 Pod 都可以使用所有镜像。
    - 为私有仓库启用鉴权
    - 为每个租户生成访问仓库的凭据，放置在 Secret 中，并将 Secrert 发布到各租户的命名空间下。
    - 租户将 Secret 添加到每个名字空间中的 imagePullSecrets
@@ -716,4 +716,4 @@ Kubelet will merge any `imagePullSecrets` into a single virtual `.docker/config.
 * Learn about [container image garbage collection](/docs/concepts/architecture/garbage-collection/#container-image-garbage-collection).
 -->
 * 阅读 [OCI Image Manifest 规范](https://github.com/opencontainers/image-spec/blob/master/manifest.md)。
-* 了解[容器镜像垃圾收集](/zh/docs/concepts/architecture/garbage-collection/#container-image-garbage-collection)。
+* 了解[容器镜像垃圾收集](/zh-cn/docs/concepts/architecture/garbage-collection/#container-image-garbage-collection)。
diff --git a/content/zh/docs/concepts/containers/runtime-class.md b/content/zh-cn/docs/concepts/containers/runtime-class.md
similarity index 77%
rename from content/zh/docs/concepts/containers/runtime-class.md
rename to content/zh-cn/docs/concepts/containers/runtime-class.md
index 63e14b435c446..5eb922eee5d31 100644
--- a/content/zh/docs/concepts/containers/runtime-class.md
+++ b/content/zh-cn/docs/concepts/containers/runtime-class.md
@@ -92,7 +92,7 @@ The configurations have a corresponding `handler` name, referenced by the Runtim
 handler must be a valid [DNS label name](/docs/concepts/overview/working-with-objects/names/#dns-label-names).
 -->
 所有这些配置都具有相应的 `handler` 名，并被 RuntimeClass 引用。
-handler 必须是有效的 [DNS 标签名](/zh/docs/concepts/overview/working-with-objects/names/#dns-label-names)。
+handler 必须是有效的 [DNS 标签名](/zh-cn/docs/concepts/overview/working-with-objects/names/#dns-label-names)。
 
 <!--
 ### 2. Create the corresponding RuntimeClass resources
@@ -113,34 +113,37 @@ RuntimeClass 资源当前只有两个重要的字段：RuntimeClass 名 (`metada
 对象定义如下所示：
 
 ```yaml
-apiVersion: node.k8s.io/v1  # RuntimeClass 定义于 node.k8s.io API 组
+# RuntimeClass 定义于 node.k8s.io API 组
+apiVersion: node.k8s.io/v1
 kind: RuntimeClass
 metadata:
-  name: myclass  # 用来引用 RuntimeClass 的名字
+  # 用来引用 RuntimeClass 的名字
   # RuntimeClass 是一个集群层面的资源
-handler: myconfiguration  # 对应的 CRI 配置的名称
+  name: myclass  
+# 对应的 CRI 配置的名称
+handler: myconfiguration
 ```
 
 <!--
 It is recommended that RuntimeClass write operations (create/update/patch/delete) be
-restricted to the cluster administrator. This is typically the default. See [Authorization
-Overview](/docs/reference/access-authn-authz/authorization/) for more details.
+restricted to the cluster administrator. This is typically the default. See 
+[Authorization Overview](/docs/reference/access-authn-authz/authorization/) for more details.
 -->
 {{< note >}}
 建议将 RuntimeClass 写操作（create、update、patch 和 delete）限定于集群管理员使用。
-通常这是默认配置。参阅[授权概述](/zh/docs/reference/access-authn-authz/authorization/)了解更多信息。
+通常这是默认配置。参阅[授权概述](/zh-cn/docs/reference/access-authn-authz/authorization/)了解更多信息。
 {{< /note >}}
 
 <!--
 ## Usage
 
-Once RuntimeClasses are configured for the cluster, using them is very simple. Specify a
-`runtimeClassName` in the Pod spec. For example:
+Once RuntimeClasses are configured for the cluster, you can specify a
+`runtimeClassName` in the Pod spec to use it. For example:
 -->
 ## 使用说明  {#usage}
 
-一旦完成集群中 RuntimeClasses 的配置，使用起来非常方便。
-在 Pod spec 中指定 `runtimeClassName` 即可。例如:
+一旦完成集群中 RuntimeClasses 的配置，
+你可以在 Pod spec 中指定 `runtimeClassName` 来使用它。例如:
 
 ```yaml
 apiVersion: v1
@@ -156,13 +159,13 @@ spec:
 This will instruct the kubelet to use the named RuntimeClass to run this pod. If the named
 RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod will enter the
 `Failed` terminal [phase](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase). Look for a
-corresponding [event](/docs/tasks/debug-application-cluster/debug-application-introspection/) for an
+corresponding [event](/docs/tasks/debug/debug-application/debug-running-pod/) for an
 error message.
 -->
 这一设置会告诉 kubelet 使用所指的 RuntimeClass 来运行该 pod。
 如果所指的 RuntimeClass 不存在或者 CRI 无法运行相应的 handler，
-那么 pod 将会进入 `Failed` 终止[阶段](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)。
-你可以查看相应的[事件](/zh/docs/tasks/debug-application-cluster/debug-application-introspection/)，
+那么 pod 将会进入 `Failed` 终止[阶段](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)。
+你可以查看相应的[事件](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/)，
 获取执行过程中的错误信息。
 
 <!--
@@ -179,27 +182,9 @@ For more details on setting up CRI runtimes, see [CRI installation](/docs/setup/
 ### CRI 配置   {#cri-configuration}
 
 关于如何安装 CRI 运行时，请查阅
-[CRI 安装](/zh/docs/setup/production-environment/container-runtimes/)。
+[CRI 安装](/zh-cn/docs/setup/production-environment/container-runtimes/)。
 
-#### dockershim
-
-<!--
-{{< feature-state for_k8s_version="v1.20" state="deprecated" >}}
-
-Dockershim is deprecated as of Kubernetes v1.20, and will be removed in v1.24. For more information on the deprecation,
-see [dockershim deprecation](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)
--->
-Dockershim 自 Kubernetes v1.20 起已弃用，并将在 v1.24 中删除。 
-有关弃用的更多信息查看 [dockershim 弃用](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)。
-
-<!--
-RuntimeClasses with dockershim must set the runtime handler to `docker`. Dockershim does not support
-custom configurable runtime handlers.
--->
-为 dockershim 设置 RuntimeClass 时，必须将运行时处理程序设置为 `docker`。
-Dockershim 不支持自定义的可配置的运行时处理程序。
-
-#### [containerd](https://containerd.io/)
+#### {{< glossary_tooltip term_id="containerd" >}}
 
 <!--
 Runtime handlers are configured through containerd's configuration at
@@ -213,10 +198,10 @@ handler 需要配置在 runtimes 块中：
 ```
 
 <!--
-See the containerd [CRI Plugin Config Guide](https://github.com/containerd/containerd/blob/main/docs/cri/config.md) for more details.
+See containerd's [config documentation](https://github.com/containerd/cri/blob/master/docs/config.md)
+for more details:
 -->
-更详细信息，请查阅 containerd 
-[CRI 插件配置指南](https://github.com/containerd/cri/blob/master/docs/config.md)
+更详细信息，请查阅 containerd 的[配置指南](https://github.com/containerd/cri/blob/master/docs/config.md)
 
 #### [cri-o](https://cri-o.io/)
 
@@ -278,37 +263,32 @@ by each.
 与 `nodeSelector` 一样，tolerations 也在 admission 阶段与 pod 的 tolerations 合并，取二者的并集。
 
 <!--
-To learn more about configuring the node selector and tolerations, see [Assigning Pods to
-Nodes](/docs/concepts/configuration/assign-pod-node/).
+To learn more about configuring the node selector and tolerations, see 
+[Assigning Pods to Nodes](/docs/concepts/configuration/assign-pod-node/).
 -->
 更多有关 node selector 和 tolerations 的配置信息，请查阅 
-[将 Pod 分派到节点](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)。
+[将 Pod 分派到节点](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)。
 
 <!-- 
 ### Pod Overhead
  -->
 ### Pod 开销   {#pod-overhead}
 
-{{< feature-state for_k8s_version="v1.18" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
 You can specify _overhead_ resources that are associated with running a Pod. Declaring overhead allows
 the cluster (including the scheduler) to account for it when making decisions about Pods and resources.  
-To use Pod overhead, you must have the PodOverhead [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-enabled (it is on by default).
 -->
 你可以指定与运行 Pod 相关的 _开销_ 资源。声明开销即允许集群（包括调度器）在决策 Pod 和资源时将其考虑在内。
-若要使用 Pod 开销特性，你必须确保 PodOverhead
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-处于启用状态（默认为启用状态）。
 
 <!--
-Pod overhead is defined in RuntimeClass through the `Overhead` fields. Through the use of these fields,
+Pod overhead is defined in RuntimeClass through the `overhead` field. Through the use of this field,
 you can specify the overhead of running pods utilizing this RuntimeClass and ensure these overheads
 are accounted for in Kubernetes.
 -->
 Pod 开销通过 RuntimeClass 的 `overhead` 字段定义。
-通过使用这些字段，你可以指定使用该 RuntimeClass 运行 Pod 时的开销并确保 Kubernetes 将这些开销计算在内。
+通过使用这个字段，你可以指定使用该 RuntimeClass 运行 Pod 时的开销并确保 Kubernetes 将这些开销计算在内。
 
 ## {{% heading "whatsnext" %}}
 
@@ -320,5 +300,5 @@ Pod 开销通过 RuntimeClass 的 `overhead` 字段定义。
 -->
 - [RuntimeClass 设计](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/585-runtime-class/README.md)
 - [RuntimeClass 调度设计](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/585-runtime-class/README.md#runtimeclass-scheduling)
-- 阅读关于 [Pod 开销](/zh/docs/concepts/scheduling-eviction/pod-overhead/) 的概念
+- 阅读关于 [Pod 开销](/zh-cn/docs/concepts/scheduling-eviction/pod-overhead/) 的概念
 - [PodOverhead 特性设计](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/688-pod-overhead)
diff --git a/content/zh/docs/concepts/extend-kubernetes/_index.md b/content/zh-cn/docs/concepts/extend-kubernetes/_index.md
similarity index 88%
rename from content/zh/docs/concepts/extend-kubernetes/_index.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/_index.md
index e6f8d4bf86026..95b0b1cf31d19 100644
--- a/content/zh/docs/concepts/extend-kubernetes/_index.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/_index.md
@@ -79,11 +79,11 @@ Customization approaches can be broadly divided into *configuration*, which only
 
 配置文件和参数标志的说明位于在线文档的参考章节，按可执行文件组织：
 
-* [kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/)
-* [kube-proxy](/zh/docs/reference/command-line-tools-reference/kube-proxy/)
-* [kube-apiserver](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)
-* [kube-controller-manager](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/)
-* [kube-scheduler](/zh/docs/reference/command-line-tools-reference/kube-scheduler/).
+* [kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)
+* [kube-proxy](/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/)
+* [kube-apiserver](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)
+* [kube-controller-manager](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
+* [kube-scheduler](/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/).
 
 <!--
 Flags and configuration files may not always be changeable in a hosted Kubernetes service or a distribution with managed installation. When they are changeable, they are usually only changeable by the cluster administrator. Also, they are subject to change in future Kubernetes versions, and setting them may require restarting processes. For those reasons, they should be used only when there are no other options.
@@ -97,16 +97,16 @@ Flags and configuration files may not always be changeable in a hosted Kubernete
 <!--
 *Built-in Policy APIs*, such as [ResourceQuota](/docs/concepts/policy/resource-quotas/), [PodSecurityPolicies](/docs/concepts/security/pod-security-policy/), [NetworkPolicy](/docs/concepts/services-networking/network-policies/) and Role-based Access Control ([RBAC](/docs/reference/access-authn-authz/rbac/)), are built-in Kubernetes APIs. APIs are typically used with hosted Kubernetes services and with managed Kubernetes installations. They are declarative and use the same conventions as other Kubernetes resources like pods, so new cluster configuration can be repeatable and be managed the same way as applications. And, where they are stable, they enjoy a [defined support policy](/docs/reference/using-api/deprecation-policy/) like other Kubernetes APIs. For these reasons, they are preferred over *configuration files* and *flags* where suitable.
 -->
-*内置的策略 API*，例如[ResourceQuota](/zh/docs/concepts/policy/resource-quotas/)、
-[PodSecurityPolicies](/zh/docs/concepts/security/pod-security-policy/)、
-[NetworkPolicy](/zh/docs/concepts/services-networking/network-policies/)
-和基于角色的访问控制（[RBAC](/zh/docs/reference/access-authn-authz/rbac/)）
+*内置的策略 API*，例如[ResourceQuota](/zh-cn/docs/concepts/policy/resource-quotas/)、
+[PodSecurityPolicies](/zh-cn/docs/concepts/security/pod-security-policy/)、
+[NetworkPolicy](/zh-cn/docs/concepts/services-networking/network-policies/)
+和基于角色的访问控制（[RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)）
 等等都是内置的 Kubernetes API。
 API 通常用于托管的 Kubernetes 服务和受控的 Kubernetes 安装环境中。
 这些 API 是声明式的，与 Pod 这类其他 Kubernetes 资源遵从相同的约定，
 所以新的集群配置是可复用的，并且可以当作应用程序来管理。
 此外，对于稳定版本的 API 而言，它们与其他 Kubernetes API 一样，
-采纳的是一种[预定义的支持策略](/zh/docs/reference/using-api/deprecation-policy/)。
+采纳的是一种[预定义的支持策略](/zh-cn/docs/reference/using-api/deprecation-policy/)。
 出于以上原因，在条件允许的情况下，基于 API 的方案应该优先于配置文件和参数标志。
 
 <!--
@@ -178,8 +178,8 @@ Kubernetes control plane.
 在 Webhook 模式中，Kubernetes 向远程服务发起网络请求。
 在 **可执行文件插件（Binary Plugin）** 模式中，Kubernetes
 执行某个可执行文件（程序）。可执行文件插件在 kubelet （例如，
-[FlexVolume 插件](/zh/docs/concepts/storage/volumes/#flexvolume))
-和[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)）
+[FlexVolume 插件](/zh-cn/docs/concepts/storage/volumes/#flexvolume))
+和[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)）
 和 kubectl 中使用。
 
 下面的示意图中展示了这些扩展点如何与 Kubernetes 控制面交互。
@@ -217,7 +217,7 @@ This diagram shows the extension points in a Kubernetes system.
 If you are unsure where to start, this flowchart can help. Note that some solutions may involve several types of extensions.
 -->
 1. 用户通常使用 `kubectl` 与 Kubernetes API 交互。
-   [kubectl 插件](/zh/docs/tasks/extend-kubectl/kubectl-plugins/)能够扩展 kubectl 程序的行为。
+   [kubectl 插件](/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins/)能够扩展 kubectl 程序的行为。
    这些插件只会影响到每个用户的本地环境，因此无法用来强制实施整个站点范围的策略。
 
 2. API 服务器处理所有请求。API 服务器中的几种扩展点能够使用户对请求执行身份认证、
@@ -273,7 +273,7 @@ For more about Custom Resources, see the [Custom Resources concept guide](/docs/
 
 不要使用自定义资源来充当应用、用户或者监控数据的数据存储。
 
-关于自定义资源的更多信息，可参见[自定义资源概念指南](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)。
+关于自定义资源的更多信息，可参见[自定义资源概念指南](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)。
 
 <!--
 ### Combining New APIs with Automation
@@ -283,7 +283,7 @@ The combination of a custom resource API and a control loop is called the [Opera
 ### 结合使用新 API 与自动化组件 {#combinding-new-apis-with-automation}
 
 自定义资源 API 与控制回路的组合称作
-[Operator 模式](/zh/docs/concepts/extend-kubernetes/operator/)。
+[Operator 模式](/zh-cn/docs/concepts/extend-kubernetes/operator/)。
 Operator 模式用来管理特定的、通常是有状态的应用。
 这些自定义 API 和控制回路也可用来控制其他资源，如存储或策略。
 
@@ -313,14 +313,14 @@ Kubernetes has several built-in authentication methods that it supports. It can
 
 当请求到达 Kubernetes API 服务器时，首先要经过身份认证，之后是鉴权操作，
 再之后要经过若干类型的准入控制器的检查。
-参见[控制 Kubernetes API 访问](/zh/docs/concepts/security/controlling-access/)
+参见[控制 Kubernetes API 访问](/zh-cn/docs/concepts/security/controlling-access/)
 以了解此流程的细节。
 
 这些步骤中都存在扩展点。
 
 Kubernetes 提供若干内置的身份认证方法。它也可以运行在某种身份认证代理的后面，
 并且可以将来自鉴权头部的令牌发送到某个远程服务（Webhook）来执行验证操作。
-所有这些方法都在[身份认证文档](/zh/docs/reference/access-authn-authz/authentication/)
+所有这些方法都在[身份认证文档](/zh-cn/docs/reference/access-authn-authz/authentication/)
 中有详细论述。
 
 <!--
@@ -332,11 +332,11 @@ Kubernetes provides several built-in authentication methods, and an [Authenticat
 -->
 ### 身份认证    {#authentication}
 
-[身份认证](/zh/docs/reference/access-authn-authz/authentication/)负责将所有请求中
+[身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)负责将所有请求中
 的头部或证书映射到发出该请求的客户端的用户名。
 
 Kubernetes 提供若干种内置的认证方法，以及
-[认证 Webhook](/zh/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
+[认证 Webhook](/zh-cn/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
 方法以备内置方法无法满足你的要求。
 
 <!--
@@ -346,12 +346,12 @@ Kubernetes 提供若干种内置的认证方法，以及
 -->
 ### 鉴权    {#authorization}
 
-[鉴权](/zh/docs/reference/access-authn-authz/authorization/)
+[鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)
 操作负责确定特定的用户是否可以读、写 API 资源或对其执行其他操作。
 此操作仅在整个资源集合的层面进行。
 换言之，它不会基于对象的特定字段作出不同的判决。
 如果内置的鉴权选项无法满足你的需要，你可以使用
-[鉴权 Webhook](/zh/docs/reference/access-authn-authz/webhook/)来调用用户提供
+[鉴权 Webhook](/zh-cn/docs/reference/access-authn-authz/webhook/)来调用用户提供
 的代码，执行定制的鉴权操作。
 
 <!--
@@ -365,13 +365,13 @@ After a request is authorized, if it is a write operation, it also goes through
 ### 动态准入控制  {#dynamic-admission-control}
 
 请求的鉴权操作结束之后，如果请求的是写操作，还会经过
-[准入控制](/zh/docs/reference/access-authn-authz/admission-controllers/)处理步骤。
+[准入控制](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)处理步骤。
 除了内置的处理步骤，还存在一些扩展点：
 
-* [镜像策略 Webhook](/zh/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook)
+* [镜像策略 Webhook](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook)
   能够限制容器中可以运行哪些镜像。
 * 为了执行任意的准入控制，可以使用一种通用的
-  [准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) 
+  [准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) 
   机制。这类 Webhook 可以拒绝对象创建或更新请求。
 
 <!--
@@ -412,12 +412,12 @@ Different networking fabrics can be supported via node-level [Network Plugins](/
 -->
 ### 设备插件    {#device-plugins}
 
-使用[设备插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)，
+使用[设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)，
 节点能够发现新的节点资源（除了内置的类似 CPU 和内存这类资源）。
 
 ### 网络插件   {#network-plugins}
 
-通过节点层面的[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)，
+通过节点层面的[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)，
 可以支持不同的网络设施。
 
 <!--
@@ -442,7 +442,7 @@ the nodes chosen for a pod.
 调度器是一种特殊的控制器，负责监视 Pod 变化并将 Pod 分派给节点。
 默认的调度器可以被整体替换掉，同时继续使用其他 Kubernetes 组件。
 或者也可以在同一时刻使用
-[多个调度器](/zh/docs/tasks/extend-kubernetes/configure-multiple-schedulers/)。
+[多个调度器](/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers/)。
 
 这是一项非同小可的任务，几乎绝大多数 Kubernetes
 用户都会发现其实他们不需要修改调度器。
@@ -462,11 +462,11 @@ the nodes chosen for a pod.
 * Learn about [kubectl plugins](/docs/tasks/extend-kubectl/kubectl-plugins/)
 * Learn about the [Operator pattern](/docs/concepts/extend-kubernetes/operator/)
 -->
-* 进一步了解[自定义资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
-* 了解[动态准入控制](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
+* 进一步了解[自定义资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+* 了解[动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
 * 进一步了解基础设施扩展
-  * [网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
-  * [设备插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
-* 了解 [kubectl 插件](/zh/docs/tasks/extend-kubectl/kubectl-plugins/)
-* 了解 [Operator 模式](/zh/docs/concepts/extend-kubernetes/operator/)
+  * [网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
+  * [设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
+* 了解 [kubectl 插件](/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins/)
+* 了解 [Operator 模式](/zh-cn/docs/concepts/extend-kubernetes/operator/)
 
diff --git a/content/zh/docs/concepts/extend-kubernetes/api-extension/_index.md b/content/zh-cn/docs/concepts/extend-kubernetes/api-extension/_index.md
similarity index 100%
rename from content/zh/docs/concepts/extend-kubernetes/api-extension/_index.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/api-extension/_index.md
diff --git a/content/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md b/content/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md
similarity index 91%
rename from content/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md
index d2a0c6c18844e..52a0c64e7e39e 100644
--- a/content/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation.md
@@ -32,7 +32,7 @@ The aggregation layer is different from [Custom Resources](/docs/concepts/extend
 或者你自己开发的 API。
 
 聚合层不同于
-[定制资源（Custom Resources）](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)。
+[定制资源（Custom Resources）](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)。
 后者的目的是让 {{< glossary_tooltip term_id="kube-apiserver" text="kube-apiserver" >}}
 能够认识新的对象类别（Kind）。
 
@@ -83,10 +83,10 @@ If your extension API server cannot achieve that latency requirement, consider m
 
 Alternatively: learn how to [extend the Kubernetes API using Custom Resource Definitions](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/).
 -->
-* 阅读[配置聚合层](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/) 文档，
+* 阅读[配置聚合层](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/) 文档，
   了解如何在自己的环境中启用聚合器。
-* 接下来，了解[安装扩展 API 服务器](/zh/docs/tasks/extend-kubernetes/setup-extension-api-server/)，
+* 接下来，了解[安装扩展 API 服务器](/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server/)，
   开始使用聚合层。
 * 从 API 参考资料中研究关于 [APIService](/docs/reference/kubernetes-api/cluster-resources/api-service-v1/) 的内容。
 
-或者，学习如何[使用自定义资源定义扩展 Kubernetes API](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)。
+或者，学习如何[使用自定义资源定义扩展 Kubernetes API](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)。
diff --git a/content/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources.md b/content/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
similarity index 91%
rename from content/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
index e2021c404341b..f69c13963f309 100644
--- a/content/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
@@ -37,9 +37,9 @@ collection of Pod objects.
 ## 定制资源
 
 *资源（Resource）* 是
-[Kubernetes API](/zh/docs/concepts/overview/kubernetes-api/) 中的一个端点，
+[Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/) 中的一个端点，
 其中存储的是某个类别的
-[API 对象](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/)
+[API 对象](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/)
 的一个集合。
 例如内置的 *pods* 资源包含一组 Pod 对象。
 
@@ -84,7 +84,7 @@ keep the current state of Kubernetes objects in sync with the desired state.
 The controller interprets the structured data as a record of the user's
 desired state, and continually maintains this state.
 -->
-使用[声明式 API](/zh/docs/concepts/overview/kubernetes-api/)，
+使用[声明式 API](/zh-cn/docs/concepts/overview/kubernetes-api/)，
 你可以 _声明_ 或者设定你的资源的期望状态，并尝试让 Kubernetes 对象的当前状态
 同步到其期望状态。控制器负责将结构化的数据解释为用户所期望状态的记录，并
 持续地维护该状态。
@@ -99,7 +99,7 @@ for specific applications into an extension of the Kubernetes API.
 -->
 你可以在一个运行中的集群上部署和更新定制控制器，这类操作与集群的生命周期无关。
 定制控制器可以用于任何类别的资源，不过它们与定制资源结合起来时最为有效。
-[Operator 模式](/zh/docs/concepts/extend-kubernetes/operator/)就是将定制资源
+[Operator 模式](/zh-cn/docs/concepts/extend-kubernetes/operator/)就是将定制资源
 与定制控制器相结合的。你可以使用定制控制器来将特定于某应用的领域知识组织
 起来，以编码的形式构造对 Kubernetes API 的扩展。
 
@@ -113,7 +113,7 @@ or let your API stand alone.
 ## 我是否应该向我的 Kubernetes 集群添加定制资源？
 
 在创建新的 API 时，请考虑是
-[将你的 API 与 Kubernetes 集群 API 聚合起来](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+[将你的 API 与 Kubernetes 集群 API 聚合起来](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
 还是让你的 API 独立运行。
 
 <!--
@@ -133,7 +133,7 @@ or let your API stand alone.
 | 你希望可以是使用 `kubectl` 来读写你的新资源类别。 | 不要求 `kubectl` 支持。 |
 | 你希望在 Kubernetes UI （如仪表板）中和其他内置类别一起查看你的新资源类别。 | 不需要 Kubernetes UI 支持。 |
 | 你在开发新的 API。 | 你已经有一个提供 API 服务的程序并且工作良好。 |
-| 你有意愿取接受 Kubernetes 对 REST 资源路径所作的格式限制，例如 API 组和名字空间。（参阅 [API 概述](/zh/docs/concepts/overview/kubernetes-api/)） | 你需要使用一些特殊的 REST 路径以便与已经定义的 REST API 保持兼容。 |
+| 你有意愿取接受 Kubernetes 对 REST 资源路径所作的格式限制，例如 API 组和名字空间。（参阅 [API 概述](/zh-cn/docs/concepts/overview/kubernetes-api/)） | 你需要使用一些特殊的 REST 路径以便与已经定义的 REST API 保持兼容。 |
 | 你的资源可以自然地界定为集群作用域或集群中某个名字空间作用域。 | 集群作用域或名字空间作用域这种二分法很不合适；你需要对资源路径的细节进行控制。 |
 | 你希望复用 [Kubernetes API 支持特性](#common-features)。  | 你不需要这类特性。 |
 
@@ -214,7 +214,7 @@ Use a ConfigMap if any of the following apply:
 Use a [secret](/docs/concepts/configuration/secret/) for sensitive data, which is similar to a configMap but more secure.
 -->
 {{< note >}}
-请使用 [Secret](/zh/docs/concepts/configuration/secret/) 来保存敏感数据。
+请使用 [Secret](/zh-cn/docs/concepts/configuration/secret/) 来保存敏感数据。
 Secret 类似于 configMap，但更为安全。
 {{< /note >}}
 
@@ -251,7 +251,7 @@ Kubernetes provides two ways to add custom resources to your cluster:
 Kubernetes 提供了两种方式供你向集群中添加定制资源：
 
 - CRD 相对简单，创建 CRD 可以不必编程。
-- [API 聚合](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+- [API 聚合](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
   需要编程，但支持对 API 行为进行更多的控制，例如数据如何存储以及在不同 API 版本间如何转换等。
 
 <!--
@@ -267,7 +267,7 @@ Kubernetes 提供这两种选项以满足不同用户的需求，这样就既不
 
 聚合 API 指的是一些下位的 API 服务器，运行在主 API 服务器后面；主 API
 服务器以代理的方式工作。这种组织形式称作
-[API 聚合（API Aggregation，AA）](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) 。
+[API 聚合（API Aggregation，AA）](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) 。
 对用户而言，看起来仅仅是 Kubernetes API 被扩展了。
 
 CRD 允许用户创建新的资源类别同时又不必添加新的 API 服务器。
@@ -288,12 +288,12 @@ The name of a CRD object must be a valid
 -->
 ## CustomResourceDefinitions
 
-[CustomResourceDefinition](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
+[CustomResourceDefinition](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
 API 资源允许你定义定制资源。
 定义 CRD 对象的操作会使用你所设定的名字和模式定义（Schema）创建一个新的定制资源，
 Kubernetes API 负责为你的定制资源提供存储和访问服务。
 CRD 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 This frees you from writing your own API server to handle the custom resource,
@@ -327,7 +327,7 @@ making them available to all of its clients.
 Kubernetes API 主服务器能够处理诸如 *pods* 和 *services* 这些内置资源，也可以
 按通用的方式通过 [CRD](#customresourcedefinitions) 来处理定制资源。
 
-[聚合层（Aggregation Layer）](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+[聚合层（Aggregation Layer）](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
 使得你可以通过编写和部署你自己的 API 服务器来为定制资源提供特殊的实现。
 主 API 服务器将针对你要处理的定制资源的请求全部委托给你自己的 API 服务器来处理，同时将这些资源
 提供给其所有客户端。
@@ -402,17 +402,17 @@ Aggregated APIs offer more advanced API features and customization of other feat
 -->
 | 特性    | 描述        | CRDs | 聚合 API       |
 | ------- | ----------- | ---- | -------------- |
-| 合法性检查 | 帮助用户避免错误，允许你独立于客户端版本演化 API。这些特性对于由很多无法同时更新的客户端的场合。| 可以。大多数验证可以使用 [OpenAPI v3.0 合法性检查](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation) 来设定。其他合法性检查操作可以通过添加[合法性检查 Webhook](/zh/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook-alpha-in-1-8-beta-in-1-9)来实现。 | 可以，可执行任何合法性检查。|
-| 默认值设置 | 同上 | 可以。可通过 [OpenAPI v3.0 合法性检查](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#defaulting)的 `default` 关键词（自 1.17 正式发布）或[更改性（Mutating）Webhook](/zh/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook)来实现（不过从 etcd 中读取老的对象时不会执行这些 Webhook）。 | 可以。 |
-| 多版本支持 | 允许通过两个 API 版本同时提供同一对象。可帮助简化类似字段更名这类 API 操作。如果你能控制客户端版本，这一特性将不再重要。 | [可以](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning)。 | 可以。 |
+| 合法性检查 | 帮助用户避免错误，允许你独立于客户端版本演化 API。这些特性对于由很多无法同时更新的客户端的场合。| 可以。大多数验证可以使用 [OpenAPI v3.0 合法性检查](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation) 来设定。其他合法性检查操作可以通过添加[合法性检查 Webhook](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook-alpha-in-1-8-beta-in-1-9)来实现。 | 可以，可执行任何合法性检查。|
+| 默认值设置 | 同上 | 可以。可通过 [OpenAPI v3.0 合法性检查](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#defaulting)的 `default` 关键词（自 1.17 正式发布）或[更改性（Mutating）Webhook](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook)来实现（不过从 etcd 中读取老的对象时不会执行这些 Webhook）。 | 可以。 |
+| 多版本支持 | 允许通过两个 API 版本同时提供同一对象。可帮助简化类似字段更名这类 API 操作。如果你能控制客户端版本，这一特性将不再重要。 | [可以](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning)。 | 可以。 |
 | 定制存储 | 支持使用具有不同性能模式的存储（例如，要使用时间序列数据库而不是键值存储），或者因安全性原因对存储进行隔离（例如对敏感信息执行加密）。 | 不可以。 | 可以。 |
-| 定制业务逻辑 | 在创建、读取、更新或删除对象时，执行任意的检查或操作。 | 可以。要使用 [Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)。 | 可以。 |
-| 支持 scale 子资源 | 允许 HorizontalPodAutoscaler 和 PodDisruptionBudget 这类子系统与你的新资源交互。 | [可以](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)。 | 可以。 |
-| 支持 status 子资源 | 允许在用户写入 spec 部分而控制器写入 status 部分时执行细粒度的访问控制。允许在对定制资源的数据进行更改时增加对象的代际（Generation）；这需要资源对 spec 和 status 部分有明确划分。| [可以](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#status-subresource)。 | 可以。 |
+| 定制业务逻辑 | 在创建、读取、更新或删除对象时，执行任意的检查或操作。 | 可以。要使用 [Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)。 | 可以。 |
+| 支持 scale 子资源 | 允许 HorizontalPodAutoscaler 和 PodDisruptionBudget 这类子系统与你的新资源交互。 | [可以](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)。 | 可以。 |
+| 支持 status 子资源 | 允许在用户写入 spec 部分而控制器写入 status 部分时执行细粒度的访问控制。允许在对定制资源的数据进行更改时增加对象的代际（Generation）；这需要资源对 spec 和 status 部分有明确划分。| [可以](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#status-subresource)。 | 可以。 |
 | 其他子资源 | 添加 CRUD 之外的操作，例如 "logs" 或 "exec"。 | 不可以。 | 可以。 |
-| strategic-merge-patch | 新的端点要支持标记了 `Content-Type: application/strategic-merge-patch+json` 的 PATCH 操作。对于更新既可在本地更改也可在服务器端更改的对象而言是有用的。要了解更多信息，可参见[使用 `kubectl patch` 来更新 API 对象](/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)。 | 不可以。 | 可以。 |
+| strategic-merge-patch | 新的端点要支持标记了 `Content-Type: application/strategic-merge-patch+json` 的 PATCH 操作。对于更新既可在本地更改也可在服务器端更改的对象而言是有用的。要了解更多信息，可参见[使用 `kubectl patch` 来更新 API 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)。 | 不可以。 | 可以。 |
 | 支持协议缓冲区 | 新的资源要支持想要使用协议缓冲区（Protocol Buffer）的客户端。 | 不可以。 | 可以。 |
-| OpenAPI Schema | 是否存在新资源类别的 OpenAPI（Swagger）Schema 可供动态从服务器上读取？是否存在机制确保只能设置被允许的字段以避免用户犯字段拼写错误？是否实施了字段类型检查（换言之，不允许在 `string` 字段设置 `int` 值）？ | 可以，依据 [OpenAPI v3.0 合法性检查](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation) 模式（1.16 中进入正式发布状态）。 | 可以。|
+| OpenAPI Schema | 是否存在新资源类别的 OpenAPI（Swagger）Schema 可供动态从服务器上读取？是否存在机制确保只能设置被允许的字段以避免用户犯字段拼写错误？是否实施了字段类型检查（换言之，不允许在 `string` 字段设置 `int` 值）？ | 可以，依据 [OpenAPI v3.0 合法性检查](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation) 模式（1.16 中进入正式发布状态）。 | 可以。|
 
 <!--
 ### Common Features
@@ -535,7 +535,7 @@ When you add a custom resource, you can access it using:
 -->
 ## 访问定制资源
 
-Kubernetes [客户端库](/zh/docs/reference/using-api/client-libraries/)可用来访问定制资源。
+Kubernetes [客户端库](/zh-cn/docs/reference/using-api/client-libraries/)可用来访问定制资源。
 并非所有客户端库都支持定制资源。_Go_ 和 _Python_ 客户端库是支持的。
 
 当你添加了新的定制资源后，可以用如下方式之一访问它们：
@@ -553,6 +553,6 @@ Kubernetes [客户端库](/zh/docs/reference/using-api/client-libraries/)可用
 * Learn how to [Extend the Kubernetes API with the aggregation layer](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/).
 * Learn how to [Extend the Kubernetes API with CustomResourceDefinition](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/).
 -->
-* 了解如何[使用聚合层扩展 Kubernetes API](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
-* 了解如何[使用 CustomResourceDefinition 来扩展 Kubernetes API](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
+* 了解如何[使用聚合层扩展 Kubernetes API](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+* 了解如何[使用 CustomResourceDefinition 来扩展 Kubernetes API](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
 
diff --git a/content/zh/docs/concepts/extend-kubernetes/compute-storage-net/_index.md b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/_index.md
similarity index 100%
rename from content/zh/docs/concepts/extend-kubernetes/compute-storage-net/_index.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/_index.md
diff --git a/content/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
similarity index 96%
rename from content/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
index c1f94153e0478..90a4494d0fea0 100644
--- a/content/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins.md
@@ -67,7 +67,7 @@ to advertise that the node has 2 "Foo" devices installed and available.
 * 设备插件的 Unix 套接字。
 * 设备插件的 API 版本。
 * `ResourceName` 是需要公布的。这里 `ResourceName` 需要遵循
-  [扩展资源命名方案](/zh/docs/concepts/configuration/manage-resources-containers/#extended-resources)，
+  [扩展资源命名方案](/zh-cn/docs/concepts/configuration/manage-resources-containers/#extended-resources)，
   类似于 `vendor-domain/resourcetype`。（比如 NVIDIA GPU 就被公布为 `nvidia.com/gpu`。）
 
 成功注册后，设备插件就向 kubelet 发送它所管理的设备列表，然后 kubelet
@@ -86,7 +86,7 @@ other resources, with the following differences:
 * Devices cannot be shared between containers.
 -->
 然后，用户可以请求设备作为 Pod 规范的一部分，
-参见[Container](/zh/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)。
+参见[Container](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)。
 请求扩展资源类似于管理请求和限制的方式，
 其他资源，有以下区别：
 
@@ -441,7 +441,7 @@ it does (for example: hotplug/hotunplug, device health changes), client is expec
 However, calling `GetAllocatableResources` endpoint is not sufficient in case of cpu and/or memory
 update and Kubelet needs to be restarted to reflect the correct resource capacity and allocatable.
 -->
-`GetAllocatableResources` 应该仅被用于评估一个节点上的[可分配的](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+`GetAllocatableResources` 应该仅被用于评估一个节点上的[可分配的](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 资源。如果目标是评估空闲/未分配的资源，此调用应该与 List() 端点一起使用。
 除非暴露给 kubelet 的底层资源发生变化 否则 `GetAllocatableResources` 得到的结果将保持不变。
 这种情况很少发生，但当发生时（例如：热插拔，设备健康状况改变），客户端应该调用 `GetAlloctableResources` 端点。
@@ -471,7 +471,7 @@ Preceding Kubernetes v1.23, to enable this feature `kubelet` must be started wit
 -->
 从 Kubernetes v1.23 开始，`GetAllocatableResources` 被默认启用。
 你可以通过关闭 `KubeletPodResourcesGetAllocatable`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/) 来禁用。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/) 来禁用。
 
 在 Kubernetes v1.23 之前，要启用这一功能，`kubelet` 必须用以下标志启动：
 
@@ -484,7 +484,7 @@ plugins report [when they register themselves to the kubelet](/docs/concepts/ext
 -->
 `ContainerDevices` 会向外提供各个设备所隶属的 NUMA 单元这类拓扑信息。
 NUMA 单元通过一个整数 ID 来标识，其取值与设备插件所报告的一致。
-[设备插件注册到 kubelet 时](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
+[设备插件注册到 kubelet 时](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
 会报告这类信息。
 
 <!--
@@ -509,7 +509,7 @@ gRPC 服务通过 `/var/lib/kubelet/pod-resources/kubelet.sock` 的 UNIX 套接
 {{< glossary_tooltip text="卷" term_id="volume" >}}的形式被挂载到设备监控代理中。
 
 对“PodResourcesLister 服务”的支持要求启用 `KubeletPodResources`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 从 Kubernetes 1.15 开始默认启用，自从 Kubernetes 1.20 开始为 v1。
 
 <!--
@@ -596,7 +596,7 @@ Here are some examples of device plugin implementations:
 * Learn about the [Topology Manager](/docs/tasks/administer-cluster/topology-manager/)
 * Read about using [hardware acceleration for TLS ingress](/blog/2019/04/24/hardware-accelerated-ssl/tls-termination-in-ingress-controllers-using-kubernetes-device-plugins-and-runtimeclass/) with Kubernetes
 -->
-* 查看[调度 GPU 资源](/zh/docs/tasks/manage-gpus/scheduling-gpus/) 来学习使用设备插件
-* 查看在上如何[公布节点上的扩展资源](/zh/docs/tasks/administer-cluster/extended-resource-node/)
-* 学习[拓扑管理器](/zh/docs/tasks/administer-cluster/topology-manager/)
-* 阅读如何在 Kubernetes 中使用 [TLS Ingress 的硬件加速](/zh/blog/2019/04/24/hardware-accelerated-ssl/tls-termination-in-ingress-controllers-using-kubernetes-device-plugins-and-runtimeclass/)
+* 查看[调度 GPU 资源](/zh-cn/docs/tasks/manage-gpus/scheduling-gpus/) 来学习使用设备插件
+* 查看在上如何[公布节点上的扩展资源](/zh-cn/docs/tasks/administer-cluster/extended-resource-node/)
+* 学习[拓扑管理器](/zh-cn/docs/tasks/administer-cluster/topology-manager/)
+* 阅读如何在 Kubernetes 中使用 [TLS Ingress 的硬件加速](/zh-cn/blog/2019/04/24/hardware-accelerated-ssl/tls-termination-in-ingress-controllers-using-kubernetes-device-plugins-and-runtimeclass/)
diff --git a/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
new file mode 100644
index 0000000000000..fea8c05193c57
--- /dev/null
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
@@ -0,0 +1,244 @@
+---
+title: 网络插件
+content_type: concept
+weight: 10
+---
+<!--
+title: Network Plugins
+content_type: concept
+weight: 10
+-->
+
+
+<!-- overview -->
+
+<!-- 
+Kubernetes {{< skew currentVersion >}} supports [Container Network Interface](https://github.com/containernetworking/cni)
+(CNI) plugins for cluster networking. You must use a CNI plugin that is compatible with your cluster and that suits your needs. Different plugins are available (both open- and closed- source) in the wider Kubernetes ecosystem. 
+-->
+Kubernetes {{< skew currentVersion >}} 支持[容器网络接口](https://github.com/containernetworking/cni) (CNI) 集群网络插件。
+你必须使用和你的集群相兼容并且满足你的需求的 CNI 插件。
+在更广泛的 Kubernetes 生态系统中你可以使用不同的插件（开源和闭源）。
+
+<!--
+A CNI plugin is required to implement the [Kubernetes network model](/docs/concepts/services-networking/#the-kubernetes-network-model).
+-->
+要实现 [Kubernetes 网络模型](/zh-cn/docs/concepts/services-networking/#the-kubernetes-network-model)，你需要一个 CNI 插件。
+
+<!-- 
+You must use a CNI plugin that is compatible with the 
+[v0.4.0](https://github.com/containernetworking/cni/blob/spec-v0.4.0/SPEC.md) or later
+releases of the CNI specification. The Kubernetes project recommends using a plugin that is
+compatible with the [v1.0.0](https://github.com/containernetworking/cni/blob/spec-v1.0.0/SPEC.md)
+CNI specification (plugins can be compatible with multiple spec versions). 
+-->
+你必须使用与 [v0.4.0](https://github.com/containernetworking/cni/blob/spec-v0.4.0/SPEC.md)
+或更高版本的 CNI 规范相符合的 CNI 插件。
+Kubernetes 推荐使用一个兼容 [v1.0.0](https://github.com/containernetworking/cni/blob/spec-v1.0.0/SPEC.md)
+CNI 规范的插件（插件可以兼容多个规范版本）。
+
+<!-- body -->
+
+<!--
+## Installation
+
+A Container Runtime, in the networking context, is a daemon on a node configured to provide CRI Services for kubelet. In particular, the Container Runtime must be configured to load the CNI plugins required to implement the Kubernetes network model.
+-->
+## 安装   {#installation}
+
+在网络语境中，容器运行时（Container Runtime）是在节点上的守护进程，
+被配置用来为 kubelet 提供 CRI 服务。具体而言，容器运行时必须配置为加载所需的
+CNI 插件，从而实现 Kubernetes 网络模型。
+
+{{< note >}}
+<!--
+Prior to Kubernetes 1.24, the CNI plugins could also be managed by the kubelet using the `cni-bin-dir` and `network-plugin` command-line parameters.
+These command-line parameters were removed in Kubernetes 1.24, with management of the CNI no longer in scope for kubelet.
+-->
+在 Kubernetes 1.24 之前，CNI 插件也可以由 kubelet 使用命令行参数 `cni-bin-dir`
+和 `network-plugin` 管理。Kubernetes 1.24 移除了这些命令行参数，
+CNI 的管理不再是 kubelet 的工作。
+
+<!--
+See [Troubleshooting CNI plugin-related errors](/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors/)
+if you are facing issues following the removal of dockershim.
+-->
+如果你在移除 dockershim 之后遇到问题，请参阅[排查 CNI 插件相关的错误](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors/)。
+{{< /note >}}
+
+<!--
+For specific information about how a Container Runtime manages the CNI plugins, see the documentation for that Container Runtime, for example:
+-->
+要了解容器运行时如何管理 CNI 插件的具体信息，可参见对应容器运行时的文档，例如：
+
+- [containerd](https://github.com/containerd/containerd/blob/main/script/setup/install-cni)
+- [CRI-O](https://github.com/cri-o/cri-o/blob/main/contrib/cni/README.md)
+
+<!--
+For specific information about how to install and manage a CNI plugin, see the documentation for that plugin or [networking provider](/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model).
+-->
+要了解如何安装和管理 CNI 插件的具体信息，可参阅对应的插件或
+[网络驱动（Networking Provider）](/zh-cn/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model)
+的文档。
+
+<!--
+## Network Plugin Requirements
+
+For plugin developers and users who regularly build or deploy Kubernetes, the plugin may also need specific configuration to support kube-proxy.
+The iptables proxy depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables.
+For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly.
+If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.
+-->
+## 网络插件要求   {#network-plugin-requirements}
+
+对于插件开发人员以及时常会构建并部署 Kubernetes 的用户而言，
+插件可能也需要特定的配置来支持 kube-proxy。
+iptables 代理依赖于 iptables，插件可能需要确保 iptables 能够监控容器的网络通信。
+例如，如果插件将容器连接到 Linux 网桥，插件必须将 `net/bridge/bridge-nf-call-iptables`
+sysctl 参数设置为 `1`，以确保 iptables 代理正常工作。
+如果插件不使用 Linux 网桥（而是类似于 Open vSwitch 或者其它一些机制），
+它应该确保为代理对容器通信执行正确的路由。
+
+<!--
+By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like Docker with a bridge) work correctly with the iptables proxy.
+-->
+
+默认情况下，如果未指定 kubelet 网络插件，则使用 `noop` 插件，
+该插件设置 `net/bridge/bridge-nf-call-iptables=1`，以确保简单的配置
+（如带网桥的 Docker ）与 iptables 代理正常工作。
+
+<!--
+### Loopback CNI
+
+In addition to the CNI plugin installed on the nodes for implementing the Kubernetes network model, Kubernetes also requires the container runtimes to provide a loopback interface `lo`, which is used for each sandbox (pod sandboxes, vm sandboxes, ...).
+Implementing the loopback interface can be accomplished by re-using the [CNI loopback plugin.](https://github.com/containernetworking/plugins/blob/master/plugins/main/loopback/loopback.go) or by developing your own code to achieve this (see [this example from CRI-O](https://github.com/cri-o/ocicni/blob/release-1.24/pkg/ocicni/util_linux.go#L91)).
+-->
+### 本地回路 CNI   {#loopback-cni}
+
+除了安装到节点上用于实现 Kubernetes 网络模型的 CNI 插件外，Kubernetes
+还需要容器运行时提供一个本地回路接口 `lo`，用于各个沙箱（Pod 沙箱、虚机沙箱……）。
+实现本地回路接口的工作可以通过复用
+[CNI 本地回路插件](https://github.com/containernetworking/plugins/blob/master/plugins/main/loopback/loopback.go)来实现，
+也可以通过开发自己的代码来实现
+（参阅 [CRI-O 中的示例](https://github.com/cri-o/ocicni/blob/release-1.24/pkg/ocicni/util_linux.go#L91)）。
+
+<!--
+### Support hostPort
+
+The CNI networking plugin supports `hostPort`. You can use the official [portmap](https://github.com/containernetworking/plugins/tree/master/plugins/meta/portmap)
+plugin offered by the CNI plugin team or use your own plugin with portMapping functionality.
+
+If you want to enable `hostPort` support, you must specify `portMappings capability` in your `cni-conf-dir`.
+For example:
+-->
+### 支持 hostPort   {#support-hostport}
+
+CNI 网络插件支持 `hostPort`。 你可以使用官方
+[portmap](https://github.com/containernetworking/plugins/tree/master/plugins/meta/portmap)
+插件，它由 CNI 插件团队提供，或者使用你自己的带有 portMapping 功能的插件。
+
+如果你想要启动 `hostPort` 支持，则必须在 `cni-conf-dir` 指定 `portMappings capability`。
+例如：
+
+```json
+{
+  "name": "k8s-pod-network",
+  "cniVersion": "0.3.0",
+  "plugins": [
+    {
+      "type": "calico",
+      "log_level": "info",
+      "datastore_type": "kubernetes",
+      "nodename": "127.0.0.1",
+      "ipam": {
+        "type": "host-local",
+        "subnet": "usePodCidr"
+      },
+      "policy": {
+        "type": "k8s"
+      },
+      "kubernetes": {
+        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
+      }
+    },
+    {
+      "type": "portmap",
+      "capabilities": {"portMappings": true}
+    }
+  ]
+}
+```
+
+<!--
+### Support traffic shaping
+
+**Experimental Feature**
+
+The CNI networking plugin also supports pod ingress and egress traffic shaping. You can use the official [bandwidth](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth)
+plugin offered by the CNI plugin team or use your own plugin with bandwidth control functionality.
+
+If you want to enable traffic shaping support, you must add the `bandwidth` plugin to your CNI configuration file
+(default `/etc/cni/net.d`) and ensure that the binary is included in your CNI bin dir (default `/opt/cni/bin`).
+-->
+### 支持流量整形   {#support-traffic-shaping}
+
+**实验功能**
+
+CNI 网络插件还支持 pod 入口和出口流量整形。
+你可以使用 CNI 插件团队提供的
+[bandwidth](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth)
+插件，也可以使用你自己的具有带宽控制功能的插件。
+
+如果你想要启用流量整形支持，你必须将 `bandwidth` 插件添加到 CNI 配置文件
+（默认是 `/etc/cni/net.d`）并保证该可执行文件包含在你的 CNI 的 bin
+文件夹内 (默认为 `/opt/cni/bin`)。
+
+```json
+{
+  "name": "k8s-pod-network",
+  "cniVersion": "0.3.0",
+  "plugins": [
+    {
+      "type": "calico",
+      "log_level": "info",
+      "datastore_type": "kubernetes",
+      "nodename": "127.0.0.1",
+      "ipam": {
+        "type": "host-local",
+        "subnet": "usePodCidr"
+      },
+      "policy": {
+        "type": "k8s"
+      },
+      "kubernetes": {
+        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
+      }
+    },
+    {
+      "type": "bandwidth",
+      "capabilities": {"bandwidth": true}
+    }
+  ]
+}
+```
+<!--
+Now you can add the `kubernetes.io/ingress-bandwidth` and `kubernetes.io/egress-bandwidth` annotations to your pod.
+For example:
+-->
+现在，你可以将 `kubernetes.io/ingress-bandwidth` 和 `kubernetes.io/egress-bandwidth`
+注解添加到 pod 中。例如：
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    kubernetes.io/ingress-bandwidth: 1M
+    kubernetes.io/egress-bandwidth: 1M
+...
+```
+
+## {{% heading "whatsnext" %}}
+
+
+
diff --git a/content/zh/docs/concepts/extend-kubernetes/operator.md b/content/zh-cn/docs/concepts/extend-kubernetes/operator.md
similarity index 95%
rename from content/zh/docs/concepts/extend-kubernetes/operator.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/operator.md
index c9734f47988e0..54035560378db 100644
--- a/content/zh/docs/concepts/extend-kubernetes/operator.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/operator.md
@@ -19,9 +19,9 @@ to manage applications and their components. Operators follow
 Kubernetes principles, notably the [control loop](/docs/concepts/architecture/controller/).
 -->
 Operator 是 Kubernetes 的扩展软件，它利用
-[定制资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+[定制资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 管理应用及其组件。
-Operator 遵循 Kubernetes 的理念，特别是在[控制器](/zh/docs/concepts/architecture/controller/)
+Operator 遵循 Kubernetes 的理念，特别是在[控制器](/zh-cn/docs/concepts/architecture/controller/)
 方面。
 
 <!-- body -->
@@ -67,7 +67,7 @@ Kubernetes 的 {{< glossary_tooltip text="Operator 模式" term_id="operator-pat
 Kubernetes 自身代码的情况下，通过为一个或多个自定义资源关联{{< glossary_tooltip text="控制器" term_id="controller" >}}
 来扩展集群的能力。
 Operator 是 Kubernetes API 的客户端，充当
-[自定义资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+[自定义资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 的控制器。
 
 <!--
@@ -202,7 +202,7 @@ that can act as a [client for the Kubernetes API](/docs/reference/using-api/clie
 
 如果生态系统中没可以实现你目标的 Operator，你可以自己编写代码。
 
-你还可以使用任何支持 [Kubernetes API 客户端](/zh/docs/reference/using-api/client-libraries/)
+你还可以使用任何支持 [Kubernetes API 客户端](/zh-cn/docs/reference/using-api/client-libraries/)
 的语言或运行时来实现 Operator（即控制器）。
 
 <!--
@@ -212,6 +212,7 @@ Operator.
 {{% thirdparty-content %}}
 
 * [Charmed Operator Framework](https://juju.is/)
+* [Java Operator SDK](https://github.com/java-operator-sdk/java-operator-sdk)
 * [Kopf](https://github.com/nolar/kopf) (Kubernetes Operator Pythonic Framework)
 * [kubebuilder](https://book.kubebuilder.io/)
 * [KubeOps](https://buehler.github.io/dotnet-operator-sdk/) (dotnet operator SDK)
@@ -226,6 +227,7 @@ you implement yourself
 {{% thirdparty-content %}}
 
 * [Charmed Operator Framework](https://juju.is/)
+* [Java Operator SDK](https://github.com/java-operator-sdk/java-operator-sdk)
 * [Kopf](https://github.com/nolar/kopf) (Kubernetes Operator Pythonic Framework)
 * [kubebuilder](https://book.kubebuilder.io/)
 * [KubeOps](https://buehler.github.io/dotnet-operator-sdk/) (dotnet operator SDK)
@@ -246,7 +248,7 @@ you implement yourself
 -->
 
 * 阅读 {{< glossary_tooltip text="CNCF" term_id="cncf" >}} [Operator 白皮书](https://github.com/cncf/tag-app-delivery/blob/eece8f7307f2970f46f100f51932db106db46968/operator-wg/whitepaper/Operator-WhitePaper_v1-0.md)。
-* 详细了解 [定制资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+* 详细了解 [定制资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 * 在 [OperatorHub.io](https://operatorhub.io/) 上找到现成的、适合你的 Operator
 * [发布](https://operatorhub.io/)你的 Operator，让别人也可以使用
 * 阅读 [CoreOS 原始文章](https://web.archive.org/web/20170129131616/https://coreos.com/blog/introducing-operators.html)，它介绍了 Operator 模式（这是一个存档版本的原始文章）。
diff --git a/content/zh/docs/concepts/extend-kubernetes/service-catalog.md b/content/zh-cn/docs/concepts/extend-kubernetes/service-catalog.md
similarity index 98%
rename from content/zh/docs/concepts/extend-kubernetes/service-catalog.md
rename to content/zh-cn/docs/concepts/extend-kubernetes/service-catalog.md
index fe5437c1bad79..cb4eb28e40b83 100644
--- a/content/zh/docs/concepts/extend-kubernetes/service-catalog.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/service-catalog.md
@@ -66,7 +66,7 @@ It is implemented using a [CRDs-based](/docs/concepts/extend-kubernetes/api-exte
 与服务代理进行通信，并作为 Kubernetes API 服务器的中介，以便协商启动部署和获取
 应用程序使用托管服务时必须的凭据。
 
-它是[基于 CRDs](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources)
+它是[基于 CRDs](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources)
 架构实现的。
 
 ![服务目录架构](/images/docs/service-catalog-architecture.svg)
@@ -436,9 +436,9 @@ The following example describes how to map secret values into application enviro
 * Explore the [kubernetes-sigs/service-catalog](https://github.com/kubernetes-sigs/service-catalog) project.
 -->
 * 如果你熟悉 {{< glossary_tooltip text="Helm Charts" term_id="helm-chart" >}}，
-  可以[使用 Helm 安装服务目录](/zh/docs/tasks/service-catalog/install-service-catalog-using-helm/)
+  可以[使用 Helm 安装服务目录](/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-helm/)
   到 Kubernetes 集群中。或者，你可以
-  [使用 SC 工具安装服务目录](/zh/docs/tasks/service-catalog/install-service-catalog-using-sc/)。
+  [使用 SC 工具安装服务目录](/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-sc/)。
 * 查看[服务代理示例](https://github.com/openservicebrokerapi/servicebroker/blob/master/gettingStarted.md#sample-service-brokers)
 * 浏览 [kubernetes-sigs/service-catalog](https://github.com/kubernetes-sigs/service-catalog) 项目
 
diff --git a/content/zh/docs/concepts/overview/_index.md b/content/zh-cn/docs/concepts/overview/_index.md
similarity index 100%
rename from content/zh/docs/concepts/overview/_index.md
rename to content/zh-cn/docs/concepts/overview/_index.md
diff --git a/content/zh/docs/concepts/overview/components.md b/content/zh-cn/docs/concepts/overview/components.md
similarity index 74%
rename from content/zh/docs/concepts/overview/components.md
rename to content/zh-cn/docs/concepts/overview/components.md
index f67ee07b6e31d..e7f844aaa6527 100644
--- a/content/zh/docs/concepts/overview/components.md
+++ b/content/zh-cn/docs/concepts/overview/components.md
@@ -33,10 +33,10 @@ a complete and working Kubernetes cluster.
 
 -->
 <!-- overview -->
-当你部署完 Kubernetes, 即拥有了一个完整的集群。
+当你部署完 Kubernetes，便拥有了一个完整的集群。
 {{< glossary_definition term_id="cluster" length="all" prepend="一个 Kubernetes">}}
 
-本文档概述了交付正常运行的 Kubernetes 集群所需的各种组件。
+本文档概述了一个正常运行的 Kubernetes 集群所需的各种组件。
 
 {{< figure src="/images/docs/components-of-kubernetes.svg" alt="Kubernetes 的组件" caption="Kubernetes 集群的组件" class="diagram-large" >}}
 
@@ -49,8 +49,9 @@ The control plane's components make global decisions about the cluster (for exam
  -->
 ## 控制平面组件（Control Plane Components）    {#control-plane-components}
 
-控制平面的组件对集群做出全局决策(比如调度)，以及检测和响应集群事件（例如，当不满足部署的
-`replicas` 字段时，启动新的 {{< glossary_tooltip text="pod" term_id="pod">}}）。
+控制平面组件会为集群做出全局决策，比如资源的调度。
+以及检测和响应集群事件，例如当不满足部署的 `replicas` 字段时，
+要启动新的 {{< glossary_tooltip text="pod" term_id="pod">}}）。
 
 <!--
 Control plane components can be run on any machine in the cluster. However,
@@ -62,7 +63,7 @@ for an example control plane setup that runs across multiple machines.
 控制平面组件可以在集群中的任何节点上运行。
 然而，为了简单起见，设置脚本通常会在同一个计算机上启动所有控制平面组件，
 并且不会在此计算机上运行用户容器。
-请参阅[使用 kubeadm 构建高可用性集群](/zh/docs/setup/production-environment/tools/kubeadm/high-availability/)
+请参阅[使用 kubeadm 构建高可用性集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/)
 中关于跨多机器控制平面设置的示例。
 
 ### kube-apiserver
@@ -90,12 +91,12 @@ Some types of these controllers are:
   * Endpoints controller: Populates the Endpoints object (that is, joins Services & Pods).
   * Service Account & Token controllers: Create default accounts and API access tokens for new namespaces.
 -->
-这些控制器包括:
+这些控制器包括：
 
-* 节点控制器（Node Controller）: 负责在节点出现故障时进行通知和响应
-* 任务控制器（Job controller）: 监测代表一次性任务的 Job 对象，然后创建 Pods 来运行这些任务直至完成
-* 端点控制器（Endpoints Controller）: 填充端点(Endpoints)对象(即加入 Service 与 Pod)
-* 服务帐户和令牌控制器（Service Account & Token Controllers）: 为新的命名空间创建默认帐户和 API 访问令牌
+* 节点控制器（Node Controller）：负责在节点出现故障时进行通知和响应
+* 任务控制器（Job Controller）：监测代表一次性任务的 Job 对象，然后创建 Pods 来运行这些任务直至完成
+* 端点控制器（Endpoints Controller）：填充端点（Endpoints）对象（即加入 Service 与 Pod）
+* 服务帐户和令牌控制器（Service Account & Token Controllers）：为新的命名空间创建默认帐户和 API 访问令牌
 
 <!--
 ### cloud-controller-manager
@@ -118,19 +119,20 @@ The following controllers can have cloud provider dependencies:
 
 {{< glossary_definition term_id="cloud-controller-manager" length="short" >}}
 
-`cloud-controller-manager` 仅运行特定于云平台的控制回路。
-如果你在自己的环境中运行 Kubernetes，或者在本地计算机中运行学习环境，
-所部署的环境中不需要云控制器管理器。
+`cloud-controller-manager` 仅运行特定于云平台的控制器。
+因此如果你在自己的环境中运行 Kubernetes，或者在本地计算机中运行学习环境，
+所部署的集群不需要有云控制器管理器。
 
-与 `kube-controller-manager` 类似，`cloud-controller-manager` 将若干逻辑上独立的
-控制回路组合到同一个可执行文件中，供你以同一进程的方式运行。
+与 `kube-controller-manager` 类似，`cloud-controller-manager`
+将若干逻辑上独立的控制回路组合到同一个可执行文件中，
+供你以同一进程的方式运行。
 你可以对其执行水平扩容（运行不止一个副本）以提升性能或者增强容错能力。
 
 下面的控制器都包含对云平台驱动的依赖：
 
-  * 节点控制器（Node Controller）: 用于在节点终止响应后检查云提供商以确定节点是否已被删除
-  * 路由控制器（Route Controller）: 用于在底层云基础架构中设置路由
-  * 服务控制器（Service Controller）: 用于创建、更新和删除云提供商负载均衡器
+  * 节点控制器（Node Controller）：用于在节点终止响应后检查云提供商以确定节点是否已被删除
+  * 路由控制器（Route Controller）：用于在底层云基础架构中设置路由
+  * 服务控制器（Service Controller）：用于创建、更新和删除云提供商负载均衡器
 
 <!--
 ## Node Components
@@ -139,7 +141,7 @@ Node components run on every node, maintaining running pods and providing the Ku
 -->
 ## Node 组件  {#node-components}
 
-节点组件在每个节点上运行，维护运行的 Pod 并提供 Kubernetes 运行环境。
+节点组件会在每个节点上运行，负责维护运行的 Pod 并提供 Kubernetes 运行环境。
 
 ### kubelet
 
@@ -167,7 +169,7 @@ for addons belong within the `kube-system` namespace.
 ## 插件（Addons）    {#addons}
 
 插件使用 Kubernetes 资源（{{< glossary_tooltip text="DaemonSet" term_id="daemonset" >}}、
-{{< glossary_tooltip text="Deployment" term_id="deployment" >}}等）实现集群功能。
+{{< glossary_tooltip text="Deployment" term_id="deployment" >}} 等）实现集群功能。
 因为这些插件提供集群级别的功能，插件中命名空间域的资源属于 `kube-system` 命名空间。
 
 <!--
@@ -175,7 +177,7 @@ Selected addons are described below; for an extended list of available addons, p
 see [Addons](/docs/concepts/cluster-administration/addons/).
 -->
 下面描述众多插件中的几种。有关可用插件的完整列表，请参见
-[插件（Addons）](/zh/docs/concepts/cluster-administration/addons/)。
+[插件（Addons）](/zh-cn/docs/concepts/cluster-administration/addons/)。
 
 <!--
 ### DNS
@@ -189,7 +191,7 @@ Containers started by Kubernetes automatically include this DNS server in their
 ### DNS   {#dns}
 
 尽管其他插件都并非严格意义上的必需组件，但几乎所有 Kubernetes 集群都应该
-有[集群 DNS](/zh/docs/concepts/services-networking/dns-pod-service/)，
+有[集群 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)，
 因为很多示例都需要 DNS 服务。
 
 集群 DNS 是一个 DNS 服务器，和环境中的其他 DNS 服务器一起工作，它为 Kubernetes 服务提供 DNS 记录。
@@ -201,11 +203,12 @@ Kubernetes 启动的容器自动将此 DNS 服务器包含在其 DNS 搜索列
 
 [Dashboard](/docs/tasks/access-application-cluster/web-ui-dashboard/) is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage and troubleshoot applications running in the cluster, as well as the cluster itself.
 -->
-### Web 界面（仪表盘）   
+### Web 界面（仪表盘）   {#web-ui-dashboard}
 
-[Dashboard](/zh/docs/tasks/access-application-cluster/web-ui-dashboard/)
+[Dashboard](/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/)
 是 Kubernetes 集群的通用的、基于 Web 的用户界面。
-它使用户可以管理集群中运行的应用程序以及集群本身并进行故障排除。
+它使用户可以管理集群中运行的应用程序以及集群本身，
+并进行故障排除。
 
 <!--
 ### Container Resource Monitoring
@@ -213,10 +216,11 @@ Kubernetes 启动的容器自动将此 DNS 服务器包含在其 DNS 搜索列
 [Container Resource Monitoring](/docs/tasks/debug/debug-cluster/resource-usage-monitoring/) records generic time-series metrics
 about containers in a central database, and provides a UI for browsing that data.
 -->
-### 容器资源监控
+### 容器资源监控   {#container-resource-monitoring}
 
-[容器资源监控](/zh/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)
-将关于容器的一些常见的时间序列度量值保存到一个集中的数据库中，并提供用于浏览这些数据的界面。
+[容器资源监控](/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)
+将关于容器的一些常见的时间序列度量值保存到一个集中的数据库中，
+并提供浏览这些数据的界面。
 
 <!--
 ### Cluster-level Logging
@@ -224,10 +228,11 @@ about containers in a central database, and provides a UI for browsing that data
 A [cluster-level logging](/docs/concepts/cluster-administration/logging/) mechanism is responsible for
 saving container logs to a central log store with search/browsing interface.
 -->
-### 集群层面日志
+### 集群层面日志   {#cluster-level-logging}
 
-[集群层面日志](/zh/docs/concepts/cluster-administration/logging/) 机制负责将容器的日志数据
-保存到一个集中的日志存储中，该存储能够提供搜索和浏览接口。
+[集群层面日志](/zh-cn/docs/concepts/cluster-administration/logging/) 
+机制负责将容器的日志数据保存到一个集中的日志存储中，
+这种集中日志存储提供搜索和浏览接口。
 
 ## {{% heading "whatsnext" %}}
 
@@ -237,7 +242,7 @@ saving container logs to a central log store with search/browsing interface.
 * Learn about [kube-scheduler](/docs/concepts/scheduling-eviction/kube-scheduler/)
 * Read etcd's official [documentation](https://etcd.io/docs/)
 -->
-* 进一步了解[节点](/zh/docs/concepts/architecture/nodes/)
-* 进一步了解[控制器](/zh/docs/concepts/architecture/controller/)
-* 进一步了解 [kube-scheduler](/zh/docs/concepts/scheduling-eviction/kube-scheduler/)
+* 进一步了解[节点](/zh-cn/docs/concepts/architecture/nodes/)
+* 进一步了解[控制器](/zh-cn/docs/concepts/architecture/controller/)
+* 进一步了解 [kube-scheduler](/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/)
 * 阅读 etcd 官方[文档](https://etcd.io/docs/)
diff --git a/content/zh/docs/concepts/overview/kubernetes-api.md b/content/zh-cn/docs/concepts/overview/kubernetes-api.md
similarity index 76%
rename from content/zh/docs/concepts/overview/kubernetes-api.md
rename to content/zh-cn/docs/concepts/overview/kubernetes-api.md
index 61cf1a2c2ef75..ce6a1575d7820 100644
--- a/content/zh/docs/concepts/overview/kubernetes-api.md
+++ b/content/zh-cn/docs/concepts/overview/kubernetes-api.md
@@ -35,8 +35,8 @@ API 服务器负责提供 HTTP API，以供用户、集群中的不同部分和
 Kubernetes API 使你可以查询和操纵 Kubernetes API
 中对象（例如：Pod、Namespace、ConfigMap 和 Event）的状态。
 
-大部分操作都可以通过 [kubectl](/zh/docs/reference/kubectl/) 命令行接口或
-类似 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 这类命令行工具来执行，
+大部分操作都可以通过 [kubectl](/zh-cn/docs/reference/kubectl/) 命令行接口或
+类似 [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) 这类命令行工具来执行，
 这些工具在背后也是调用 API。不过，你也可以使用 REST 调用来访问这些 API。
 
 <!--
@@ -44,7 +44,7 @@ Consider using one of the [client libraries](/docs/reference/using-api/client-li
 if you are writing an application using the Kubernetes API.
 -->
 如果你正在编写程序来访问 Kubernetes API，可以考虑使用
-[客户端库](/zh/docs/reference/using-api/client-libraries/)之一。
+[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)之一。
 
 <!-- body -->
 
@@ -145,29 +145,63 @@ Kubernetes 为 API 实现了一种基于 Protobuf 的序列化格式，主要用
 
 ### OpenAPI V3
 
-{{< feature-state state="alpha"  for_k8s_version="v1.23" >}}
+{{< feature-state state="beta"  for_k8s_version="v1.24" >}}
 
 <!--
-Kubernetes v1.23 offers initial support for publishing its APIs as OpenAPI v3; this is an
-alpha feature that is disabled by default.
-You can enable the alpha feature by turning on the
+Kubernetes {{< param "version" >}} offers beta support for publishing its APIs as OpenAPI v3; this is a
+beta feature that is enabled by default.
+You can disable the beta feature by turning off the
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) named `OpenAPIV3`
 for the kube-apiserver component.
 -->
-Kubernetes v1.23 提供将其 API 以 OpenAPI v3 形式发布的初始支持；这一功能特性处于 Alpha
-状态，默认被禁用。
-你可以通过为 kube-apiserver 组件启用 `OpenAPIV3`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)来启用此
-Alpha 特性。
+Kubernetes {{< param "version" >}} 提供将其 API 以 OpenAPI v3 形式发布的 beta 支持；
+这一功能特性处于 beta 状态，默认被开启。
+你可以通过为 kube-apiserver 组件关闭 `OpenAPIV3`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)来禁用此 beta 特性。
 
 <!--
-With the feature enabled, the Kubernetes API server serves an
-aggregated OpenAPI v3 spec per Kubernetes group version at the
-`/openapi/v3/apis/<group>/<version>` endpoint. Please refer to the
-table below for accepted request headers.
+A discovery endpoint `/openapi/v3` is provided to see a list of all
+group/versions available. This endpoint only returns JSON. These group/versions
+are provided in the following format:
+-->
+发现端点 `/openapi/v3` 被提供用来查看可用的所有组、版本列表。
+此列表仅返回 JSON。这些组、版本以下面的格式提供：
+```json
+{
+    "paths": {
+        ...
+        "api/v1": {
+            "serverRelativeURL": "/openapi/v3/api/v1?hash=CC0E9BFD992D8C59AEC98A1E2336F899E8318D3CF4C68944C3DEC640AF5AB52D864AC50DAA8D145B3494F75FA3CFF939FCBDDA431DAD3CA79738B297795818CF"
+        },
+        "apis/admissionregistration.k8s.io/v1": {
+            "serverRelativeURL": "/openapi/v3/apis/admissionregistration.k8s.io/v1?hash=E19CC93A116982CE5422FC42B590A8AFAD92CDE9AE4D59B5CAAD568F083AD07946E6CB5817531680BCE6E215C16973CD39003B0425F3477CFD854E89A9DB6597"
+        },
+        ...
+}
+```
+
+<!-- 
+The relative URLs are pointing to immutable OpenAPI descriptions, in
+order to improve client-side caching. The proper HTTP caching headers
+are also set by the API server for that purpose (`Expires` to 1 year in
+the future, and `Cache-Control` to `immutable`). When an obsolete URL is
+used, the API server returns a redirect to the newest URL. 
+-->
+为了改进客户端缓存，相对的 URL 会指向不可变的 OpenAPI 描述。
+为了此目的，API 服务器也会设置正确的 HTTP 缓存标头
+（`Expires` 为未来 1 年，和 `Cache-Control` 为 `immutable`）。
+当一个过时的 URL 被使用时，API 服务器会返回一个指向最新 URL 的重定向。
+
+<!-- 
+The Kubernetes API server publishes an OpenAPI v3 spec per Kubernetes
+group version at the `/openapi/v3/apis/<group>/<version>?hash=<hash>`
+endpoint.
+
+Refer to the table below for accepted request headers. 
 -->
-特性被启用时，Kubernetes API 服务器会在端点 `/openapi/v3/apis/<group>/<version>`
-提供按 Kubernetes 组版本聚合的 OpenAPI v3 规范。
+Kubernetes API 服务器会在端点 `/openapi/v3/apis/<group>/<version>?hash=<hash>`
+发布一个 Kubernetes 组版本的 OpenAPI v3 规范。
+
 请参阅下表了解可接受的请求头部。
 
 <table>
@@ -201,13 +235,6 @@ table below for accepted request headers.
   </tbody>
 </table>
 
-<!--
-A discovery endpoint `/openapi/v3` is provided to see a list of all
-group/versions available. This endpoint only returns JSON.
--->
-发现端点 `/openapi/v3` 被提供用来查看可用的所有组、版本列表。
-此列表仅返回 JSON。
-
 <!--
 ## API changes
 
@@ -230,7 +257,7 @@ Elimination of resources or fields requires following the
 -->
 一般而言，新的 API 资源和新的资源字段可以被频繁地添加进来。
 删除资源或者字段则要遵从
-[API 废弃策略](/zh/docs/reference/using-api/deprecation-policy/)。
+[API 废弃策略](/zh-cn/docs/reference/using-api/deprecation-policy/)。
 
 <!--
 Kubernetes makes a strong commitment to maintain compatibility for official Kubernetes APIs
@@ -260,7 +287,7 @@ Refer to [API versions reference](/docs/reference/using-api/#api-versioning)
 for more details on the API version level definitions.
 -->
 关于 API 版本分级的定义细节，请参阅
-[API 版本参考](/zh/docs/reference/using-api/#api-versioning)页面。
+[API 版本参考](/zh-cn/docs/reference/using-api/#api-versioning)页面。
 
 <!--
 ## API Extension
@@ -277,10 +304,10 @@ The Kubernetes API can be extended in one of two ways:
 1. You can also extend the Kubernetes API by implementing an
    [aggregation layer](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/).
 -->
-1. 你可以使用[自定义资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+1. 你可以使用[自定义资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
    来以声明式方式定义 API 服务器如何提供你所选择的资源 API。 
 1. 你也可以选择实现自己的
-   [聚合层](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+   [聚合层](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
    来扩展 Kubernetes API。
 
 ## {{% heading "whatsnext" %}}
@@ -296,11 +323,11 @@ The Kubernetes API can be extended in one of two ways:
   [API changes](https://git.k8s.io/community/contributors/devel/sig-architecture/api_changes.md#readme).
 -->
 - 了解如何通过添加你自己的
-  [CustomResourceDefinition](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
+  [CustomResourceDefinition](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)
   来扩展 Kubernetes API。
-- [控制 Kubernetes API 访问](/zh/docs/concepts/security/controlling-access/)页面描述了集群如何针对
+- [控制 Kubernetes API 访问](/zh-cn/docs/concepts/security/controlling-access/)页面描述了集群如何针对
   API 访问管理身份认证和鉴权。
-- 通过阅读 [API 参考](/zh/docs/reference/kubernetes-api/)了解 API 端点、资源类型以及示例。
+- 通过阅读 [API 参考](/zh-cn/docs/reference/kubernetes-api/)了解 API 端点、资源类型以及示例。
 - 阅读 [API 变更（英文）](https://git.k8s.io/community/contributors/devel/sig-architecture/api_changes.md#readme)
   以了解什么是兼容性的变更以及如何变更 API。
 
diff --git a/content/zh/docs/concepts/overview/what-is-kubernetes.md b/content/zh-cn/docs/concepts/overview/what-is-kubernetes.md
similarity index 71%
rename from content/zh/docs/concepts/overview/what-is-kubernetes.md
rename to content/zh-cn/docs/concepts/overview/what-is-kubernetes.md
index 9d2f772089de5..25feebb7fcb81 100644
--- a/content/zh/docs/concepts/overview/what-is-kubernetes.md
+++ b/content/zh-cn/docs/concepts/overview/what-is-kubernetes.md
@@ -2,7 +2,7 @@
 title: Kubernetes 是什么？
 content_type: concept
 description: >
-  Kubernetes 是一个可移植的，可扩展的开源平台，用于管理容器化的工作负载和服务，方便了声明式配置和自动化。它拥有一个庞大且快速增长的生态系统。Kubernetes 的服务，支持和工具广泛可用。
+  Kubernetes 是一个可移植、可扩展的开源平台，用于管理容器化的工作负载和服务，方便进行声明式配置和自动化。Kubernetes 拥有一个庞大且快速增长的生态系统，其服务、支持和工具的使用范围广泛。
 weight: 10
 card:
   name: concepts
@@ -31,24 +31,24 @@ This page is an overview of Kubernetes.
 <!--
 Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
 -->
-Kubernetes 是一个可移植的、可扩展的开源平台，用于管理容器化的工作负载和服务，可促进声明式配置和自动化。
-Kubernetes 拥有一个庞大且快速增长的生态系统。Kubernetes 的服务、支持和工具广泛可用。
+Kubernetes 是一个可移植、可扩展的开源平台，用于管理容器化的工作负载和服务，可促进声明式配置和自动化。
+Kubernetes 拥有一个庞大且快速增长的生态，其服务、支持和工具的使用范围相当广泛。
 
 <!--
 The name Kubernetes originates from Greek, meaning helmsman or pilot. K8s as an abbreviation results from counting the eight letters between the "K" and the "s". Google open-sourced the Kubernetes project in 2014. Kubernetes combines [over 15 years of Google's experience](/blog/2015/04/borg-predecessor-to-kubernetes/) running production workloads at scale with best-of-breed ideas and practices from the community.
 -->
 **Kubernetes** 这个名字源于希腊语，意为“舵手”或“飞行员”。k8s 这个缩写是因为 k 和 s 之间有八个字符的关系。
-Google 在 2014 年开源了 Kubernetes 项目。Kubernetes 建立在
-[Google 在大规模运行生产工作负载方面拥有十几年的经验](https://research.google/pubs/pub43438)
-的基础上，结合了社区中最好的想法和实践。
+Google 在 2014 年开源了 Kubernetes 项目。
+Kubernetes 建立在[Google 大规模运行生产工作负载十几年经验](https://research.google/pubs/pub43438)的基础上，
+结合了社区中最优秀的想法和实践。
 
 <!--
 ## Going back in time
 Let's take a look at why Kubernetes is so useful by going back in time.
 -->
-## 时光回溯
+## 时光回溯    {#going-back-in-time}
 
-让我们回顾一下为什么 Kubernetes 如此有用。
+让我们回顾一下为何 Kubernetes 能够裨益四方。
 
 <!--
 ![Deployment evolution](/images/docs/Container_Evolution.svg)
@@ -62,11 +62,13 @@ Early on, organizations ran applications on physical servers. There was no way t
 -->
 **传统部署时代：**
 
-早期，各个组织机构在物理服务器上运行应用程序。无法为物理服务器中的应用程序定义资源边界，这会导致资源分配问题。
-例如，如果在物理服务器上运行多个应用程序，则可能会出现一个应用程序占用大部分资源的情况，
-结果可能导致其他应用程序的性能下降。
-一种解决方案是在不同的物理服务器上运行每个应用程序，但是由于资源利用不足而无法扩展，
-并且维护许多物理服务器的成本很高。
+早期，各机构是在物理服务器上运行应用程序。
+由于无法限制在物理服务器中运行的应用程序资源使用，因此会导致资源分配问题。
+例如，如果在物理服务器上运行多个应用程序，
+则可能会出现一个应用程序占用大部分资源的情况，而导致其他应用程序的性能下降。
+一种解决方案是将每个应用程序都运行在不同的物理服务器上，
+但是当某个应用程式资源利用率不高时，剩余资源无法被分配给其他应用程式，
+而且维护许多物理服务器的成本很高。
 
 <!--
 **Virtualized deployment era:**
@@ -74,19 +76,19 @@ As a solution, virtualization was introduced. It allows you to run multiple Virt
 -->
 **虚拟化部署时代：**
 
-作为解决方案，引入了虚拟化。虚拟化技术允许你在单个物理服务器的 CPU 上运行多个虚拟机（VM）。
-虚拟化允许应用程序在 VM 之间隔离，并提供一定程度的安全，因为一个应用程序的信息
-不能被另一应用程序随意访问。
+因此，虚拟化技术被引入了。虚拟化技术允许你在单个物理服务器的 CPU 上运行多台虚拟机（VM）。
+虚拟化能使应用程序在不同 VM 之间被彼此隔离，且能提供一定程度的安全性，
+因为一个应用程序的信息不能被另一应用程序随意访问。
 
 <!--
 Virtualization allows better utilization of resources in a physical server and allows better scalability because an application can be added or updated easily, reduces hardware costs, and much more.
 
 Each VM is a full machine running all the components, including its own operating system, on top of the virtualized hardware.
 -->
-虚拟化技术能够更好地利用物理服务器上的资源，并且因为可轻松地添加或更新应用程序
-而可以实现更好的可伸缩性，降低硬件成本等等。
+虚拟化技术能够更好地利用物理服务器的资源，并且因为可轻松地添加或更新应用程序，
+而因此可以具有更高的可伸缩性，以及降低硬件成本等等的好处。
 
-每个 VM 是一台完整的计算机，在虚拟化硬件之上运行所有组件，包括其自己的操作系统。
+每个 VM 是一台完整的计算机，在虚拟化硬件之上运行所有组件，包括其自己的操作系统（OS）。
 
 <!--
 **Container deployment era:**
@@ -94,8 +96,8 @@ Containers are similar to VMs, but they have relaxed isolation properties to sha
 -->
 **容器部署时代：**
 
-容器类似于 VM，但是它们具有被放宽的隔离属性，可以在应用程序之间共享操作系统（OS）。
-因此，容器被认为是轻量级的。容器与 VM 类似，具有自己的文件系统、CPU、内存、进程空间等。
+容器类似于 VM，但是更宽松的隔离特性，使容器之间可以共享操作系统（OS）。
+因此，容器比起 VM 被认为是更轻量级的。且与 VM 类似，每个容器都具有自己的文件系统、CPU、内存、进程空间等。
 由于它们与基础架构分离，因此可以跨云和 OS 发行版本进行移植。
 
 <!--
@@ -116,16 +118,15 @@ Containers are becoming popular because they have many benefits. Some of the con
 * Resource utilization: high efficiency and density.
 -->
 * 敏捷应用程序的创建和部署：与使用 VM 镜像相比，提高了容器镜像创建的简便性和效率。
-* 持续开发、集成和部署：通过快速简单的回滚（由于镜像不可变性），支持可靠且频繁的
-  容器镜像构建和部署。
-* 关注开发与运维的分离：在构建/发布时而不是在部署时创建应用程序容器镜像，
+* 持续开发、集成和部署：通过快速简单的回滚（由于镜像不可变性），
+  提供可靠且频繁的容器镜像构建和部署。
+* 关注开发与运维的分离：在构建、发布时创建应用程序容器镜像，而不是在部署时，
   从而将应用程序与基础架构分离。
-* 可观察性：不仅可以显示操作系统级别的信息和指标，还可以显示应用程序的运行状况和其他指标信号。
-* 跨开发、测试和生产的环境一致性：在便携式计算机上与在云中相同地运行。
+* 可观察性：不仅可以显示 OS 级别的信息和指标，还可以显示应用程序的运行状况和其他指标信号。
+* 跨开发、测试和生产的环境一致性：在笔记本计算机上也可以和在云中运行一样的应用程序。
 * 跨云和操作系统发行版本的可移植性：可在 Ubuntu、RHEL、CoreOS、本地、
   Google Kubernetes Engine 和其他任何地方运行。
-* 以应用程序为中心的管理：提高抽象级别，从在虚拟硬件上运行 OS 到使用逻辑资源在
-  OS 上运行应用程序。
+* 以应用程序为中心的管理：提高抽象级别，从在虚拟硬件上运行 OS 到使用逻辑资源在 OS 上运行应用程序。
 * 松散耦合、分布式、弹性、解放的微服务：应用程序被分解成较小的独立部分，
   并且可以动态部署和管理 - 而不是在一台大型单机上整体运行。
 * 资源隔离：可预测的应用程序性能。
@@ -134,18 +135,20 @@ Containers are becoming popular because they have many benefits. Some of the con
 <!--
 ## Why you need Kubernetes and what can it do
 -->
-## 为什么需要 Kubernetes，它能做什么?
+## 为什么需要 Kubernetes，它能做什么？   {#why-you-need-kubernetes-and-what-can-it-do}
 
 <!--
 Containers are a good way to bundle and run your applications. In a production environment, you need to manage the containers that run the applications and ensure that there is no downtime. For example, if a container goes down, another container needs to start. Wouldn't it be easier if this behavior was handled by a system?
 -->
-容器是打包和运行应用程序的好方式。在生产环境中，你需要管理运行应用程序的容器，并确保不会停机。
-例如，如果一个容器发生故障，则需要启动另一个容器。如果系统处理此行为，会不会更容易？
+容器是打包和运行应用程序的好方式。在生产环境中，
+你需要管理运行着应用程序的容器，并确保服务不会下线。
+例如，如果一个容器发生故障，则你需要启动另一个容器。
+如果此行为交由给系统处理，是不是会更容易一些？
 
 <!--
 That's how Kubernetes comes to the rescue! Kubernetes provides you with a framework to run distributed systems resiliently. It takes care of your scaling requirements, failover, deployment patterns, and more. For example, Kubernetes can easily manage a canary deployment for your system.
 -->
-这就是 Kubernetes 来解决这些问题的方法！
+这就是 Kubernetes 要来做的事情！
 Kubernetes 为你提供了一个可弹性运行分布式系统的框架。
 Kubernetes 会满足你的扩展要求、故障转移、部署模式等。
 例如，Kubernetes 可以轻松管理系统的 Canary 部署。
@@ -161,7 +164,8 @@ Kubernetes can expose a container using the DNS name or using their own IP addre
 -->
 * **服务发现和负载均衡**
 
-  Kubernetes 可以使用 DNS 名称或自己的 IP 地址公开容器，如果进入容器的流量很大，
+  Kubernetes 可以使用 DNS 名称或自己的 IP 地址来曝露容器。
+  如果进入容器的流量很大，
   Kubernetes 可以负载均衡并分配网络流量，从而使部署稳定。
 
 <!--
@@ -178,8 +182,9 @@ You can describe the desired state for your deployed containers using Kubernetes
 -->
 * **自动部署和回滚**
 
-  你可以使用 Kubernetes 描述已部署容器的所需状态，它可以以受控的速率将实际状态
-  更改为期望状态。例如，你可以自动化 Kubernetes 来为你的部署创建新容器，
+  你可以使用 Kubernetes 描述已部署容器的所需状态，
+  它可以以受控的速率将实际状态更改为期望状态。
+  例如，你可以自动化 Kubernetes 来为你的部署创建新容器，
   删除现有容器并将它们的所有资源用于新容器。
 
 <!--
@@ -189,7 +194,7 @@ Kubernetes allows you to specify how much CPU and memory (RAM) each container ne
 * **自动完成装箱计算**
 
   Kubernetes 允许你指定每个容器所需 CPU 和内存（RAM）。
-  当容器指定了资源请求时，Kubernetes 可以做出更好的决策来管理容器的资源。
+  当容器指定了资源请求时，Kubernetes 可以做出更好的决策来为容器分配资源。
 
 <!--
 * **Self-healing**
@@ -197,8 +202,8 @@ Kubernetes restarts containers that fail, replaces containers, kills containers
 -->
 * **自我修复**
 
-  Kubernetes 重新启动失败的容器、替换容器、杀死不响应用户定义的
-  运行状况检查的容器，并且在准备好服务之前不将其通告给客户端。
+  Kubernetes 将重新启动失败的容器、替换容器、杀死不响应用户定义的运行状况检查的容器，
+  并且在准备好服务之前不将其通告给客户端。
 
 <!--
 * **Secret and configuration management**
@@ -212,16 +217,17 @@ Kubernetes lets you store and manage sensitive information, such as passwords, O
 <!--
 ## What Kubernetes is not
 -->
-## Kubernetes 不是什么
+## Kubernetes 不是什么   {#what-kubernetes-is-not}
 
 <!--
 Kubernetes is not a traditional, all-inclusive PaaS (Platform as a Service) system. Since Kubernetes operates at the container level rather than at the hardware level, it provides some generally applicable features common to PaaS offerings, such as deployment, scaling, load balancing, logging, and monitoring. However, Kubernetes is not monolithic, and these default solutions are optional and pluggable. Kubernetes provides the building blocks for building developer platforms, but preserves user choice and flexibility where it is important.
 -->
 Kubernetes 不是传统的、包罗万象的 PaaS（平台即服务）系统。
-由于 Kubernetes 在容器级别而不是在硬件级别运行，它提供了 PaaS 产品共有的一些普遍适用的功能，
+由于 Kubernetes 是在容器级别运行，而非在硬件级别，
+它提供了 PaaS 产品共有的一些普遍适用的功能，
 例如部署、扩展、负载均衡、日志记录和监视。
-但是，Kubernetes 不是单体系统，默认解决方案都是可选和可插拔的。
-Kubernetes 提供了构建开发人员平台的基础，但是在重要的地方保留了用户的选择和灵活性。
+但是，Kubernetes 不是单体式（monolithic）系统，那些默认解决方案都是可选、可插拔的。
+Kubernetes 为构建开发人员平台提供了基础，但是在重要的地方保留了用户选择权，能有更高的灵活性。
 
 <!--
 Kubernetes:
@@ -237,29 +243,29 @@ Kubernetes：
   Kubernetes 旨在支持极其多种多样的工作负载，包括无状态、有状态和数据处理工作负载。
   如果应用程序可以在容器中运行，那么它应该可以在 Kubernetes 上很好地运行。
 * 不部署源代码，也不构建你的应用程序。
-  持续集成(CI)、交付和部署（CI/CD）工作流取决于组织的文化和偏好以及技术要求。
-* 不提供应用程序级别的服务作为内置服务，例如中间件（例如，消息中间件）、
-  数据处理框架（例如，Spark）、数据库（例如，mysql）、缓存、集群存储系统
-  （例如，Ceph）。这样的组件可以在 Kubernetes 上运行，并且/或者可以由运行在
-  Kubernetes 上的应用程序通过可移植机制（例如，
-  [开放服务代理](https://openservicebrokerapi.org/)）来访问。
+  持续集成（CI）、交付和部署（CI/CD）工作流取决于组织的文化和偏好以及技术要求。
+* 不提供应用程序级别的服务作为内置服务，例如中间件（例如消息中间件）、
+  数据处理框架（例如 Spark）、数据库（例如 MySQL）、缓存、集群存储系统
+  （例如 Ceph）。这样的组件可以在 Kubernetes 上运行，并且/或者可以由运行在
+  Kubernetes 上的应用程序通过可移植机制
+  （例如[开放服务代理](https://openservicebrokerapi.org/)）来访问。
 <!--
 * Does not dictate logging, monitoring, or alerting solutions. It provides some integrations as proof of concept, and mechanisms to collect and export metrics.
 * Does not provide nor mandate a configuration language/system (for example, jsonnet). It provides a declarative API that may be targeted by arbitrary forms of declarative specifications.
 * Does not provide nor adopt any comprehensive machine configuration, maintenance, management, or self-healing systems.
 * Additionally, Kubernetes is not a mere orchestration system. In fact, it eliminates the need for orchestration. The technical definition of orchestration is execution of a defined workflow: first do A, then B, then C. In contrast, Kubernetes comprises a set of independent, composable control processes that continuously drive the current state towards the provided desired state. It shouldn’t matter how you get from A to C. Centralized control is also not required. This results in a system that is easier to use and more powerful, robust, resilient, and extensible.
 -->
-* 不要求日志记录、监视或警报解决方案。
-  它提供了一些集成作为概念证明，并提供了收集和导出指标的机制。
-* 不提供或不要求配置语言/系统（例如 jsonnet），它提供了声明性 API，
+* 不是日志记录、监视或警报的解决方案。
+  它集成了一些功能作为概念证明，并提供了收集和导出指标的机制。
+* 不提供也不要求配置用的语言、系统（例如 jsonnet），它提供了声明性 API，
   该声明性 API 可以由任意形式的声明性规范所构成。
 * 不提供也不采用任何全面的机器配置、维护、管理或自我修复系统。
 * 此外，Kubernetes 不仅仅是一个编排系统，实际上它消除了编排的需要。
   编排的技术定义是执行已定义的工作流程：首先执行 A，然后执行 B，再执行 C。
-  相比之下，Kubernetes 包含一组独立的、可组合的控制过程，
-  这些过程连续地将当前状态驱动到所提供的所需状态。
-  如何从 A 到 C 的方式无关紧要，也不需要集中控制，这使得系统更易于使用
-  且功能更强大、系统更健壮、更为弹性和可扩展。
+  而 Kubernetes 包含了一组独立可组合的控制过程，
+  可以连续地将当前状态驱动到所提供的预期状态。
+  你不需要在乎如何从 A 移动到 C，也不需要集中控制，这使得系统更易于使用
+  且功能更强大、系统更健壮，更为弹性和可扩展。
 
 ## {{% heading "whatsnext" %}}
 
@@ -267,5 +273,5 @@ Kubernetes：
 *   Take a look at the [Kubernetes Components](/docs/concepts/overview/components/)
 *   Ready to [Get Started](/docs/setup/)?
 -->
-* 查阅 [Kubernetes 组件](/zh/docs/concepts/overview/components/)
-* 开始 [Kubernetes 入门](/zh/docs/setup/)?
+* 查阅[Kubernetes 组件](/zh-cn/docs/concepts/overview/components/)
+* 开始[Kubernetes 的建置](/zh-cn/docs/setup/)吧！
diff --git a/content/zh/docs/concepts/overview/working-with-objects/_index.md b/content/zh-cn/docs/concepts/overview/working-with-objects/_index.md
similarity index 100%
rename from content/zh/docs/concepts/overview/working-with-objects/_index.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/_index.md
diff --git a/content/zh/docs/concepts/overview/working-with-objects/annotations.md b/content/zh-cn/docs/concepts/overview/working-with-objects/annotations.md
similarity index 92%
rename from content/zh/docs/concepts/overview/working-with-objects/annotations.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/annotations.md
index 053fbbc341d55..c8a03e0bc606e 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/annotations.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/annotations.md
@@ -37,7 +37,7 @@ Annotations, like labels, are key/value maps:
 标签可以用来选择对象和查找满足某些条件的对象集合。 相反，注解不用于标识和选择对象。
 注解中的元数据，可以很小，也可以很大，可以是结构化的，也可以是非结构化的，能够包含标签不允许的字符。
 
-注解和标签一样，是键/值对:
+注解和标签一样，是键/值对：
 
 ```json
 "metadata": {
@@ -60,7 +60,7 @@ Map 中的键和值必须是字符串。
 <!--
 Here are some examples of information that could be recorded in annotations:
 -->
-以下是一些例子，用来说明哪些信息可以使用注解来记录:
+以下是一些例子，用来说明哪些信息可以使用注解来记录：
 
 <!--
 * Fields managed by a declarative configuration layer. Attaching these fields
@@ -126,10 +126,10 @@ If the prefix is omitted, the annotation Key is presumed to be private to the us
 
 _注解（Annotations）_ 存储的形式是键/值对。有效的注解键分为两部分：
 可选的前缀和名称，以斜杠（`/`）分隔。 
-名称段是必需项，并且必须在63个字符以内，以字母数字字符（`[a-z0-9A-Z]`）开头和结尾，
+名称段是必需项，并且必须在 63 个字符以内，以字母数字字符（`[a-z0-9A-Z]`）开头和结尾，
 并允许使用破折号（`-`），下划线（`_`），点（`.`）和字母数字。 
-前缀是可选的。如果指定，则前缀必须是DNS子域：一系列由点（`.`）分隔的DNS标签，
-总计不超过253个字符，后跟斜杠（`/`）。
+前缀是可选的。如果指定，则前缀必须是 DNS 子域：一系列由点（`.`）分隔的 DNS 标签，
+总计不超过 253 个字符，后跟斜杠（`/`）。
 如果省略前缀，则假定注解键对用户是私有的。 由系统组件添加的注解
 （例如，`kube-scheduler`，`kube-controller-manager`，`kube-apiserver`，`kubectl`
 或其他第三方组件），必须为终端用户添加注解前缀。
@@ -139,7 +139,7 @@ The `kubernetes.io/` and `k8s.io/` prefixes are reserved for Kubernetes core com
 
 For example, here's the configuration file for a Pod that has the annotation `imageregistry: https://hub.docker.com/` :
 -->
-`kubernetes.io/` 和 `k8s.io/` 前缀是为Kubernetes核心组件保留的。
+`kubernetes.io/` 和 `k8s.io/` 前缀是为 Kubernetes 核心组件保留的。
 
 例如，下面是一个 Pod 的配置文件，其注解中包含 `imageregistry: https://hub.docker.com/`：
 
@@ -163,5 +163,5 @@ spec:
 <!--
 * Learn more about [Labels and Selectors](/docs/concepts/overview/working-with-objects/labels/).
 -->
-* 进一步了解[标签和选择算符](/zh/docs/concepts/overview/working-with-objects/labels/)。
+* 进一步了解[标签和选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/)。
 
diff --git a/content/zh/docs/concepts/overview/working-with-objects/common-labels.md b/content/zh-cn/docs/concepts/overview/working-with-objects/common-labels.md
similarity index 97%
rename from content/zh/docs/concepts/overview/working-with-objects/common-labels.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/common-labels.md
index 2fbf964b27804..629c3ca7da7f5 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/common-labels.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/common-labels.md
@@ -15,7 +15,8 @@ You can visualize and manage Kubernetes objects with more tools than kubectl and
 the dashboard. A common set of labels allows tools to work interoperably, describing
 objects in a common manner that all tools can understand.
 -->
-除了 kubectl 和 dashboard 之外，您可以使用其他工具来可视化和管理 Kubernetes 对象。一组通用的标签可以让多个工具之间相互操作，用所有工具都能理解的通用方式描述对象。
+除了 kubectl 和 dashboard 之外，你可以使用其他工具来可视化和管理 Kubernetes 对象。
+一组通用的标签可以让多个工具之间相互操作，用所有工具都能理解的通用方式描述对象。
 
 <!--
 In addition to supporting tooling, the recommended labels describe applications
@@ -259,4 +260,4 @@ metadata:
 <!--
 With the MySQL `StatefulSet` and `Service` you'll notice information about both MySQL and Wordpress, the broader application, are included.
 -->
-使用 MySQL `StatefulSet` 和 `Service`，您会注意到有关 MySQL 和 Wordpress 的信息，包括更广泛的应用程序。
+使用 MySQL `StatefulSet` 和 `Service`，你会注意到有关 MySQL 和 Wordpress 的信息，包括更广泛的应用程序。
diff --git a/content/zh/docs/concepts/overview/working-with-objects/field-selectors.md b/content/zh-cn/docs/concepts/overview/working-with-objects/field-selectors.md
similarity index 87%
rename from content/zh/docs/concepts/overview/working-with-objects/field-selectors.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/field-selectors.md
index bfd155fb734b2..35fc5cdda4bd2 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/field-selectors.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/field-selectors.md
@@ -11,7 +11,7 @@ weight: 60
 _Field selectors_ let you [select Kubernetes resources](/docs/concepts/overview/working-with-objects/kubernetes-objects) based on the value of one or more resource fields. Here are some example field selector queries:
 -->
 “字段选择器（Field selectors）”允许你根据一个或多个资源字段的值
-[筛选 Kubernetes 资源](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects)。
+[筛选 Kubernetes 资源](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects)。
 下面是一些使用字段选择器查询的例子：
 
 * `metadata.name=my-service`
@@ -21,7 +21,7 @@ _Field selectors_ let you [select Kubernetes resources](/docs/concepts/overview/
 <!--
 This `kubectl` command selects all Pods for which the value of the [`status.phase`](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase) field is `Running`:
 -->
-下面这个 `kubectl` 命令将筛选出 [`status.phase`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)
+下面这个 `kubectl` 命令将筛选出 [`status.phase`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)
 字段值为 `Running` 的所有 Pod：
 
 ```shell
@@ -31,7 +31,7 @@ kubectl get pods --field-selector status.phase=Running
 Field selectors are essentially resource *filters*. By default, no selectors/filters are applied, meaning that all resources of the specified type are selected. This makes the following `kubectl` queries equivalent:
 -->
 {{< note >}}
-字段选择器本质上是资源*过滤器（Filters）*。默认情况下，字段选择器/过滤器是未被应用的，
+字段选择器本质上是资源“过滤器（Filters）”。默认情况下，字段选择器/过滤器是未被应用的，
 这意味着指定类型的所有资源都会被筛选出来。
 这使得以下的两个 `kubectl` 查询是等价的：
 
@@ -67,7 +67,7 @@ You can use the `=`, `==`, and `!=` operators with field selectors (`=` and `==`
 -->
 ## 支持的操作符   {#supported-operators}
 
-你可在字段选择器中使用 `=`、`==`和 `!=` （`=` 和 `==` 的意义是相同的）操作符。
+你可在字段选择器中使用 `=`、`==` 和 `!=` （`=` 和 `==` 的意义是相同的）操作符。
 例如，下面这个 `kubectl` 命令将筛选所有不属于 `default` 命名空间的 Kubernetes 服务：
 
 ```shell
@@ -81,7 +81,7 @@ As with [label](/docs/concepts/overview/working-with-objects/labels) and other s
 -->
 ## 链式选择器   {#chained-selectors}
 
-同[标签](/zh/docs/concepts/overview/working-with-objects/labels/)和其他选择器一样，
+同[标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)和其他选择器一样，
 字段选择器可以通过使用逗号分隔的列表组成一个选择链。
 下面这个 `kubectl` 命令将筛选 `status.phase` 字段不等于 `Running` 同时
 `spec.restartPolicy` 字段等于 `Always` 的所有 Pod：
diff --git a/content/zh/docs/concepts/overview/working-with-objects/finalizers.md b/content/zh-cn/docs/concepts/overview/working-with-objects/finalizers.md
similarity index 96%
rename from content/zh/docs/concepts/overview/working-with-objects/finalizers.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/finalizers.md
index 88bcad141378f..21654acda9e20 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/finalizers.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/finalizers.md
@@ -87,7 +87,7 @@ Kubernetes 清除 `pv-protection` Finalizer，控制器就会删除该卷。
 ## Owner references, labels, and finalizers {#owners-labels-finalizers}
 
 Like {{<glossary_tooltip text="labels" term_id="label">}},
-[owner references](/concepts/overview/working-with-objects/owners-dependents/)
+[owner references](/docs/concepts/overview/working-with-objects/owners-dependents/)
 describe the relationships between objects in Kubernetes, but are used for a
 different purpose. When a
 {{<glossary_tooltip text="controller" term_id="controller">}} manages objects
@@ -99,7 +99,7 @@ any Pods in the cluster with the same label.
 ## 属主引用、标签和 Finalizers {#owners-labels-finalizers}
 
 与{{<glossary_tooltip text="标签" term_id="label">}}类似，
-[属主引用](/zh/concepts/overview/working-with-objects/owners-dependents/)
+[属主引用](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)
 描述了 Kubernetes 中对象之间的关系，但它们作用不同。
 当一个{{<glossary_tooltip text="控制器" term_id="controller">}}
 管理类似于 Pod 的对象时，它使用标签来跟踪相关对象组的变化。
@@ -121,7 +121,7 @@ longer than expected without being fully deleted. In these situations, you
 should check finalizers and owner references on the target owner and dependent
 objects to troubleshoot the cause. 
 -->
-Job 控制器还为这些 Pod 添加了*属主引用*，指向创建 Pod 的 Job。
+Job 控制器还为这些 Pod 添加了“属主引用”，指向创建 Pod 的 Job。
 如果你在这些 Pod 运行的时候删除了 Job，
 Kubernetes 会使用属主引用（而不是标签）来确定集群中哪些 Pod 需要清理。
 
@@ -154,4 +154,3 @@ Finalizers 通常因为特殊原因被添加到资源上，所以强行删除它
   on the Kubernetes blog.
 -->
 * 在 Kubernetes 博客上阅读[使用 Finalizers 控制删除](/blog/2021/05/14/using-finalizers-to-control-deletion/)。
-
diff --git a/content/zh/docs/concepts/overview/working-with-objects/kubernetes-objects.md b/content/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects.md
similarity index 59%
rename from content/zh/docs/concepts/overview/working-with-objects/kubernetes-objects.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects.md
index 8d320064d1396..36c1212fcdaf9 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/kubernetes-objects.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects.md
@@ -20,42 +20,54 @@ card:
 <!--
 This page explains how Kubernetes objects are represented in the Kubernetes API, and how you can express them in `.yaml` format.
 -->
-本页说明了 Kubernetes 对象在 Kubernetes API 中是如何表示的，以及如何在 `.yaml` 格式的文件中表示。
-
+本页说明了在 Kubernetes API 中是如何表示 Kubernetes 对象的，
+以及使用 `.yaml` 格式的文件表示 Kubernetes 对象。
 
 <!-- body -->
 <!--
 ## Understanding Kubernetes Objects
 
-*Kubernetes Objects* are persistent entities in the Kubernetes system. Kubernetes uses these entities to represent the state of your cluster. Specifically, they can describe:
+*Kubernetes Objects* are persistent entities in the Kubernetes system. 
+Kubernetes uses these entities to represent the state of your cluster. 
+
+Specifically, they can describe:
 
 * What containerized applications are running (and on which nodes)
 * The resources available to those applications
 * The policies around how those applications behave, such as restart policies, upgrades, and fault-tolerance
 -->
-## 理解 Kubernetes 对象
+## 理解 Kubernetes 对象    {#kubernetes-objects}
 
 在 Kubernetes 系统中，*Kubernetes 对象* 是持久化的实体。
-Kubernetes 使用这些实体去表示整个集群的状态。特别地，它们描述了如下信息：
+Kubernetes 使用这些实体去表示整个集群的状态。
+比較特别地是，它们描述了如下信息：
 
-* 哪些容器化应用在运行（以及在哪些节点上）
+* 哪些容器化应用正在运行（以及在哪些节点上运行）
 * 可以被应用使用的资源
 * 关于应用运行时表现的策略，比如重启策略、升级策略，以及容错策略
 
 <!--
-A Kubernetes object is a "record of intent" - once you create the object, the Kubernetes system will constantly work to ensure that object exists. By creating an object, you're effectively telling the Kubernetes system what you want your cluster's workload to look like; this is your cluster's *desired state*.
-
-To work with Kubernetes objects - whether to create, modify, or delete them - you'll need to use the [Kubernetes API](/docs/concepts/overview/kubernetes-api/). When you use the `kubectl` command-line interface, for example, the CLI makes the necessary Kubernetes API calls for you. You can also use the Kubernetes API directly in your own programs using one of the [Client Libraries](/docs/reference/using-api/client-libraries/).
+A Kubernetes object is a "record of intent" - once you create the object, 
+the Kubernetes system will constantly work to ensure that object exists. 
+By creating an object, you're effectively telling the Kubernetes system what 
+you want your cluster's workload to look like; this is your cluster's *desired state*.
+
+To work with Kubernetes objects - whether to create, modify, or delete them - 
+you'll need to use the [Kubernetes API](/docs/concepts/overview/kubernetes-api/).
+When you use the `kubectl` command-line interface, for example, 
+the CLI makes the necessary Kubernetes API calls for you. 
+You can also use the Kubernetes API directly in your own programs using 
+one of the [Client Libraries](/docs/reference/using-api/client-libraries/).
 -->
-Kubernetes 对象是 “目标性记录” —— 一旦创建对象，Kubernetes 系统将持续工作以确保对象存在。
-通过创建对象，本质上是在告知 Kubernetes 系统，所需要的集群工作负载看起来是什么样子的，
-这就是 Kubernetes 集群的 **期望状态（Desired State）**。
+Kubernetes 对象是“目标性记录”——一旦创建对象，Kubernetes 系统将不断工作以确保对象存在。
+通过创建对象，你就是在告知 Kubernetes 系统，你想要的集群工作负载状态看起来应是什么样子的，
+这就是 Kubernetes 集群所谓的 **期望状态（Desired State）**。
 
 操作 Kubernetes 对象 —— 无论是创建、修改，或者删除 —— 需要使用
-[Kubernetes API](/zh/docs/concepts/overview/kubernetes-api)。
-比如，当使用 `kubectl` 命令行接口时，CLI 会执行必要的 Kubernetes API 调用，
-也可以在程序中使用
-[客户端库](/zh/docs/reference/using-api/client-libraries/)直接调用 Kubernetes API。
+[Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api)。
+比如，当使用 `kubectl` 命令行接口（CLI）时，CLI 会调用必要的 Kubernetes API；
+也可以在程序中使用[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)，
+来直接调用 Kubernetes API。
 
 <!--
 ### Object Spec and Status
@@ -69,9 +81,9 @@ its _desired state_.
 ### 对象规约（Spec）与状态（Status）    {#object-spec-and-status}
 
 几乎每个 Kubernetes 对象包含两个嵌套的对象字段，它们负责管理对象的配置：
-对象 *`spec`（规约）* 和 对象 *`status`（状态）* 。
+对象 **`spec`（规约）** 和 对象 **`status`（状态）**。
 对于具有 `spec` 的对象，你必须在创建对象时设置其内容，描述你希望对象所具有的特征：
-*期望状态（Desired State）* 。
+*期望状态（Desired State）*。
 
 <!--
 The `status` describes the _current state_ of the object, supplied and updated
@@ -80,10 +92,9 @@ by the Kubernetes system and its components. The Kubernetes
 and actively manages every object's actual state to match the desired state you
 supplied.
 -->
-`status` 描述了对象的 _当前状态（Current State）_，它是由 Kubernetes 系统和组件
-设置并更新的。在任何时刻，Kubernetes 
-{{< glossary_tooltip text="控制平面" term_id="control-plane" >}}
-都一直积极地管理着对象的实际状态，以使之与期望状态相匹配。
+`status` 描述了对象的**当前状态（Current State）**，它是由 Kubernetes 系统和组件设置并更新的。
+在任何时刻，Kubernetes {{< glossary_tooltip text="控制平面" term_id="control-plane" >}}
+都一直都在积极地管理着对象的实际状态，以使之达成期望状态。
 
 <!--
 For example: in Kubernetes, a Deployment is an object that can represent an
@@ -97,36 +108,40 @@ between spec and status by making a correction-in this case, starting
 a replacement instance.
 -->
 例如，Kubernetes 中的 Deployment 对象能够表示运行在集群中的应用。
-当创建 Deployment 时，可能需要设置 Deployment 的 `spec`，以指定该应用需要有 3 个副本运行。
-Kubernetes 系统读取 Deployment 规约，并启动我们所期望的应用的 3 个实例
-—— 更新状态以与规约相匹配。
-如果这些实例中有的失败了（一种状态变更），Kubernetes 系统通过执行修正操作
-来响应规约和状态间的不一致 —— 在这里意味着它会启动一个新的实例来替换。
+当创建 Deployment 时，可能会去设置 Deployment 的 `spec`，以指定该应用要有 3 个副本运行。
+Kubernetes 系统读取 Deployment 的 `spec`，
+并启动我们所期望的应用的 3 个实例 —— 更新状态以与规约相匹配。
+如果这些实例中有的失败了（一种状态变更），Kubernetes 系统会通过执行修正操作
+来响应 `spec` 和状态间的不一致 —— 意味着它会启动一个新的实例来替换。
 
 <!--
-For more information on the object spec, status, and metadata, see the [Kubernetes API Conventions](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md).
+For more information on the object spec, status, and metadata, see the 
+[Kubernetes API Conventions](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md).
 -->
-
 关于对象 spec、status 和 metadata 的更多信息，可参阅
 [Kubernetes API 约定](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md)。
 
 <!--
 ### Describing a Kubernetes Object
 
-When you create an object in Kubernetes, you must provide the object spec that describes its desired state, as well as some basic information about the object (such as a name). When you use the Kubernetes API to create the object (either directly or via `kubectl`), that API request must include that information as JSON in the request body. **Most often, you provide the information to `kubectl` in a .yaml file.** `kubectl` converts the information to JSON when making the API request.
+When you create an object in Kubernetes, you must provide the object spec that describes its desired state, 
+as well as some basic information about the object (such as a name). 
+When you use the Kubernetes API to create the object (either directly or via `kubectl`), 
+that API request must include that information as JSON in the request body. 
+**Most often, you provide the information to `kubectl` in a .yaml file.** `kubectl` converts the information to JSON when making the API request.
 
 Here's an example `.yaml` file that shows the required fields and object spec for a Kubernetes Deployment:
 -->
-### 描述 Kubernetes 对象
+### 描述 Kubernetes 对象    {#describing-a-kubernetes-object}
 
-创建 Kubernetes 对象时，必须提供对象的规约，用来描述该对象的期望状态，
+创建 Kubernetes 对象时，必须提供对象的 `spec`，用来描述该对象的期望状态，
 以及关于对象的一些基本信息（例如名称）。
-当使用 Kubernetes API 创建对象时（或者直接创建，或者基于`kubectl`），
-API 请求必须在请求体中包含 JSON 格式的信息。
-**大多数情况下，需要在 .yaml 文件中为 `kubectl` 提供这些信息**。
+当使用 Kubernetes API 创建对象时（直接创建，或经由 `kubectl`），
+API 请求必须在请求本体中包含 JSON 格式的信息。
+**大多数情况下，你需要提供 `.yaml` 文件为 kubectl 提供这些信息**。
 `kubectl` 在发起 API 请求时，将这些信息转换成 JSON 格式。
 
-这里有一个 `.yaml` 示例文件，展示了 Kubernetes Deployment 的必需字段和对象规约：
+这里有一个 `.yaml` 示例文件，展示了 Kubernetes Deployment 的必需字段和对象 `spec`：
 
 {{< codenew file="application/deployment.yaml" >}}
 
@@ -135,7 +150,7 @@ One way to create a Deployment using a `.yaml` file like the one above is to use
 [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands#apply) command
 in the `kubectl` command-line interface, passing the `.yaml` file as an argument. Here's an example:
 -->
-使用类似于上面的 `.yaml` 文件来创建 Deployment的一种方式是使用 `kubectl` 命令行接口（CLI）中的
+相较于上面使用 `.yaml` 文件来创建 Deployment，另一种类似的方式是使用 `kubectl` 命令行接口（CLI）中的
 [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands#apply) 命令，
 将 `.yaml` 文件作为参数。下面是一个示例：
 
@@ -146,7 +161,7 @@ kubectl apply -f https://k8s.io/examples/application/deployment.yaml
 <!--
 The output is similar to this:
 -->
-输出类似如下这样：
+输出类似下面这样：
 
 ```
 deployment.apps/nginx-deployment created
@@ -162,21 +177,24 @@ In the `.yaml` file for the Kubernetes object you want to create, you'll need to
 * `metadata` - Data that helps uniquely identify the object, including a `name` string, `UID`, and optional `namespace`
 * `spec` - What state you desire for the object
 -->
-### 必需字段  {#required-fields}
+### 必需字段    {#required-fields}
 
-在想要创建的 Kubernetes 对象对应的 `.yaml` 文件中，需要配置如下的字段：
+在想要创建的 Kubernetes 对象所对应的 `.yaml` 文件中，需要配置的字段如下：
 
 * `apiVersion` - 创建该对象所使用的 Kubernetes API 的版本
 * `kind` - 想要创建的对象的类别
-* `metadata` - 帮助唯一性标识对象的一些数据，包括一个 `name` 字符串、UID 和可选的 `namespace`
+* `metadata` - 帮助唯一性标识对象的一些数据，包括一个 `name` 字符串、`UID` 和可选的 `namespace`
 * `spec` - 你所期望的该对象的状态
 
 <!--
-The precise format of the object `spec` is different for every Kubernetes object, and contains nested fields specific to that object. The [Kubernetes API Reference](https://kubernetes.io/docs/reference/kubernetes-api/) can help you find the spec format for all of the objects you can create using Kubernetes.
+The precise format of the object `spec` is different for every Kubernetes object, 
+and contains nested fields specific to that object. 
+The [Kubernetes API Reference](https://kubernetes.io/docs/reference/kubernetes-api/) 
+can help you find the spec format for all of the objects you can create using Kubernetes.
 -->
-对象 `spec` 的精确格式对每个 Kubernetes 对象来说是不同的，包含了特定于该对象的嵌套字段。
-[Kubernetes API 参考](https://kubernetes.io/docs/reference/kubernetes-api/)
-能够帮助我们找到任何我们想创建的对象的规约格式。
+对每个 Kubernetes 对象而言，其 `spec` 之精确格式都是不同的，包含了特定于该对象的嵌套字段。
+我们能在 [Kubernetes API 参考](/zh-cn/docs/reference/kubernetes-api/)
+找到我们想要在 Kubernetes 上创建的任何对象的规约格式。
 
 <!--
 For example, see the [`spec` field](/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec)
@@ -199,7 +217,7 @@ detail the structure of that `.status` field, and its content for each different
 另一个对象规约的例子是 StatefulSet API 中的
 [`spec` 字段](/docs/reference/kubernetes-api/workload-resources/stateful-set-v1/#StatefulSetSpec)。
 对于 StatefulSet 而言，其 `.spec` 字段设置了 StatefulSet 及其期望状态。
-在 StatefulSet 的 `.spec` 内，有一个为 Pod 对象提供的[模板](/zh/docs/concepts/workloads/pods/#pod-templates)。该模板描述了 StatefulSet 控制器为了满足 StatefulSet 规约而要创建的 Pod。
+在 StatefulSet 的 `.spec` 内，有一个为 Pod 对象提供的[模板](/zh-cn/docs/concepts/workloads/pods/#pod-templates)。该模板描述了 StatefulSet 控制器为了满足 StatefulSet 规约而要创建的 Pod。
 不同类型的对象可以由不同的 `.status` 信息。API 参考页面给出了 `.status` 字段的详细结构，
 以及针对不同类型 API 对象的具体内容。
 
@@ -210,7 +228,7 @@ detail the structure of that `.status` field, and its content for each different
 * Learn about [controllers](/docs/concepts/architecture/controller/) in Kubernetes.
 * [Using the Kubernetes API](/docs/reference/using-api/) explains some more API concepts.
 -->
-* 了解最重要的 Kubernetes 基本对象，例如 [Pod](/zh/docs/concepts/workloads/pods/)。
-* 了解 Kubernetes 中的[控制器](/zh/docs/concepts/architecture/controller/)。
-* [使用 Kubernetes API](/zh/docs/reference/using-api/) 一节解释了一些 API 概念。
+* 了解最重要的 Kubernetes 基本对象，例如 [Pod](/zh-cn/docs/concepts/workloads/pods/)。
+* 了解 Kubernetes 中的[控制器](/zh-cn/docs/concepts/architecture/controller/)。
+* [使用 Kubernetes API](/zh-cn/docs/reference/using-api/) 一节解释了一些 API 概念。
 
diff --git a/content/zh/docs/concepts/overview/working-with-objects/labels.md b/content/zh-cn/docs/concepts/overview/working-with-objects/labels.md
similarity index 90%
rename from content/zh/docs/concepts/overview/working-with-objects/labels.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/labels.md
index 618b09eb12871..650eb02a4ee94 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/labels.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/labels.md
@@ -40,7 +40,7 @@ and CLIs. Non-identifying information should be recorded using
 [annotations](/docs/concepts/overview/working-with-objects/annotations/).
 -->
 标签能够支持高效的查询和监听操作，对于用户界面和命令行是很理想的。
-应使用[注解](/zh/docs/concepts/overview/working-with-objects/annotations/) 记录非识别信息。
+应使用[注解](/zh-cn/docs/concepts/overview/working-with-objects/annotations/)记录非识别信息。
 
 <!-- body -->
 
@@ -72,7 +72,7 @@ Example labels:
 <!--
 These are examples of [commonly used labels](/docs/concepts/overview/working-with-objects/common-labels/); you are free to develop your own conventions. Keep in mind that label Key must be unique for a given object.
 -->
-有一些[常用标签](/zh/docs/concepts/overview/working-with-objects/common-labels/)的例子; 你可以任意制定自己的约定。
+有一些[常用标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/)的例子；你可以任意制定自己的约定。
 请记住，标签的 Key 对于给定对象必须是唯一的。
 
 <!--
@@ -96,7 +96,7 @@ _标签_ 是键值对。有效的标签键有两个段：可选的前缀和名
 向最终用户对象添加标签的自动系统组件（例如 `kube-scheduler`、`kube-controller-manager`、
 `kube-apiserver`、`kubectl` 或其他第三方自动化工具）必须指定前缀。
 
-`kubernetes.io/` 和 `k8s.io/` 前缀是为 Kubernetes 核心组件[保留的](/zh/docs/reference/labels-annotations-taints/)。
+`kubernetes.io/` 和 `k8s.io/` 前缀是为 Kubernetes 核心组件[保留的](/zh-cn/docs/reference/labels-annotations-taints/)。
 
 <!--
 Valid label value:
@@ -109,7 +109,7 @@ Valid label value:
 
 * 必须为 63 个字符或更少（可以为空）
 * 除非标签值为空，必须以字母数字字符（`[a-z0-9A-Z]`）开头和结尾
-* 包含破折号（`-`）、下划线（`_`）、点（`.`）和字母或数字。
+* 包含破折号（`-`）、下划线（`_`）、点（`.`）和字母或数字
 
 <!--
 ## Label selectors
@@ -118,7 +118,7 @@ Unlike [names and UIDs](/docs/user-guide/identifiers), labels do not provide uni
 -->
 ## 标签选择算符   {#label-selectors}
 
-与[名称和 UID](/zh/docs/concepts/overview/working-with-objects/names/) 不同，
+与[名称和 UID](/zh-cn/docs/concepts/overview/working-with-objects/names/) 不同，
 标签不支持唯一性。通常，我们希望许多对象携带相同的标签。
 
 <!--
@@ -168,7 +168,7 @@ Three kinds of operators are admitted `=`,`==`,`!=`. The first two represent _eq
 
 _基于等值_ 或 _基于不等值_ 的需求允许按标签键和值进行过滤。
 匹配对象必须满足所有指定的标签约束，尽管它们也可能具有其他标签。
-可接受的运算符有`=`、`==` 和 `!=` 三种。 
+可接受的运算符有 `=`、`==` 和 `!=` 三种。 
 前两个表示 _相等_（并且只是同义词），而后者表示 _不相等_。例如：
 
 ```
@@ -217,7 +217,7 @@ _Set-based_ label requirements allow filtering keys according to a set of values
 ### _基于集合_ 的需求
 
 _基于集合_ 的标签需求允许你通过一组值来过滤键。
-支持三种操作符：`in`、`notin` 和 `exists` (只可以用在键标识符上)。例如：
+支持三种操作符：`in`、`notin` 和 `exists`（只可以用在键标识符上）。例如：
 
 ```
 environment in (production, qa)
@@ -241,13 +241,13 @@ Similarly the comma separator acts as an _AND_ operator. So filtering resources
 * 第四个示例选择了所有没有 `partition` 标签的资源；没有校验它的值。
 
 类似地，逗号分隔符充当 _与_ 运算符。因此，使用 `partition` 键（无论为何值）和
-`environment` 不同于 `qa` 来过滤资源可以使用 `partition, environment notin（qa)` 来实现。
+`environment` 不同于 `qa` 来过滤资源可以使用 `partition, environment notin (qa)` 来实现。
 
 <!--
 The _set-based_ label selector is a general form of equality since `environment=production` is equivalent to `environment in (production)`; similarly for `!=` and `notin`.
 -->
 _基于集合_ 的标签选择算符是相等标签选择算符的一般形式，因为 `environment=production`
-等同于 `environment in（production）`；`!=` 和 `notin` 也是类似的。
+等同于 `environment in (production)`；`!=` 和 `notin` 也是类似的。
 
 <!--
 _Set-based_ requirements can be mixed with _equality-based_ requirements. For example: `partition in (customerA, customerB),environment!=qa`.
@@ -270,8 +270,8 @@ LIST 和 WATCH 操作可以使用查询参数指定标签选择算符过滤一
 * _equality-based_ requirements: `?labelSelector=environment%3Dproduction,tier%3Dfrontend`
 * _set-based_ requirements: `?labelSelector=environment+in+%28production%2Cqa%29%2Ctier+in+%28frontend%29`
 -->
-* _基于等值_ 的需求: `?labelSelector=environment%3Dproduction,tier%3Dfrontend`
-* _基于集合_ 的需求: `?labelSelector=environment+in+%28production%2Cqa%29%2Ctier+in+%28frontend%29`
+* _基于等值_ 的需求：`?labelSelector=environment%3Dproduction,tier%3Dfrontend`
+* _基于集合_ 的需求：`?labelSelector=environment+in+%28production%2Cqa%29%2Ctier+in+%28frontend%29`
 
 <!--
 Both label selector styles can be used to list or watch resources via a REST client. For example, targeting `apiserver` with `kubectl` and using _equality-based_ one may write:
@@ -317,10 +317,10 @@ also use label selectors to specify sets of other resources, such as
 -->
 ### 在 API 对象中设置引用
 
-一些 Kubernetes 对象，例如 [`services`](/zh/docs/concepts/services-networking/service/)
-和 [`replicationcontrollers`](/zh/docs/concepts/workloads/controllers/replicationcontroller/) ，
+一些 Kubernetes 对象，例如 [`services`](/zh-cn/docs/concepts/services-networking/service/)
+和 [`replicationcontrollers`](/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/) ，
 也使用了标签选择算符去指定了其他资源的集合，例如
-[pods](/zh/docs/concepts/workloads/pods/)。
+[pods](/zh-cn/docs/concepts/workloads/pods/)。
 
 <!--
 #### Service and ReplicationController
@@ -354,7 +354,7 @@ selector:
 <!---
 this selector (respectively in `json` or `yaml` format) is equivalent to `component=redis` or `component in (redis)`.
 -->
-这个选择算符(分别在 `json` 或者 `yaml` 格式中) 等价于 `component=redis` 或 `component in (redis)` 。
+这个选择算符（分别在 `json` 或者 `yaml` 格式中）等价于 `component=redis` 或 `component in (redis)`。
 
 <!--
 #### Resources that support set-based requirements
@@ -363,10 +363,10 @@ Newer resources, such as [`Job`](/docs/concepts/jobs/run-to-completion-finite-wo
 -->
 #### 支持基于集合需求的资源
 
-比较新的资源，例如 [`Job`](/zh/docs/concepts/workloads/controllers/job/)、
-[`Deployment`](/zh/docs/concepts/workloads/controllers/deployment/)、
-[`Replica Set`](/zh/docs/concepts/workloads/controllers/replicaset/) 和
-[`DaemonSet`](/zh/docs/concepts/workloads/controllers/daemonset/) ，
+比较新的资源，例如 [`Job`](/zh-cn/docs/concepts/workloads/controllers/job/)、
+[`Deployment`](/zh-cn/docs/concepts/workloads/controllers/deployment/)、
+[`Replica Set`](/zh-cn/docs/concepts/workloads/controllers/replicaset/) 和
+[`DaemonSet`](/zh-cn/docs/concepts/workloads/controllers/daemonset/)，
 也支持 _基于集合的_ 需求。
 
 ```yaml
@@ -383,7 +383,7 @@ selector:
 -->
 
 `matchLabels` 是由 `{key,value}` 对组成的映射。
-`matchLabels` 映射中的单个 `{key,value }` 等同于 `matchExpressions` 的元素，
+`matchLabels` 映射中的单个 `{key,value}` 等同于 `matchExpressions` 的元素，
 其 `key` 字段为 "key"，`operator` 为 "In"，而 `values` 数组仅包含 "value"。
 `matchExpressions` 是 Pod 选择算符需求的列表。
 有效的运算符包括 `In`、`NotIn`、`Exists` 和 `DoesNotExist`。
@@ -400,5 +400,5 @@ See the documentation on [node selection](/docs/concepts/configuration/assign-po
 #### 选择节点集
 
 通过标签进行选择的一个用例是确定节点集，方便 Pod 调度。
-有关更多信息，请参阅[选择节点](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)文档。
+有关更多信息，请参阅[选择节点](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)文档。
 
diff --git a/content/zh/docs/concepts/overview/working-with-objects/names.md b/content/zh-cn/docs/concepts/overview/working-with-objects/names.md
similarity index 82%
rename from content/zh/docs/concepts/overview/working-with-objects/names.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/names.md
index 131ce0c6bab05..91eb354810558 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/names.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/names.md
@@ -13,19 +13,19 @@ Every Kubernetes object also has a [_UID_](#uids) that is unique across your who
 For example, you can only have one Pod named `myapp-1234` within the same [namespace](/docs/concepts/overview/working-with-objects/namespaces/), but you can have one Pod and one Deployment that are each named `myapp-1234`.
 -->
 
-集群中的每一个对象都有一个[_名称_](#names) 来标识在同类资源中的唯一性。
+集群中的每一个对象都有一个[_名称_](#names)来标识在同类资源中的唯一性。
 
-每个 Kubernetes 对象也有一个[_UID_](#uids) 来标识在整个集群中的唯一性。
+每个 Kubernetes 对象也有一个 [_UID_](#uids) 来标识在整个集群中的唯一性。
 
-比如，在同一个[名字空间](/zh/docs/concepts/overview/working-with-objects/namespaces/)
-中有一个名为 `myapp-1234` 的 Pod, 但是可以命名一个 Pod 和一个 Deployment 同为 `myapp-1234`.
+比如，在同一个[名字空间](/zh-cn/docs/concepts/overview/working-with-objects/namespaces/)
+中有一个名为 `myapp-1234` 的 Pod，但是可以命名一个 Pod 和一个 Deployment 同为 `myapp-1234`。
 
 <!--
 For non-unique user-provided attributes, Kubernetes provides [labels](/docs/user-guide/labels) and [annotations](/docs/concepts/overview/working-with-objects/annotations/).
 -->
 对于用户提供的非唯一性的属性，Kubernetes 提供了
-[标签（Labels）](/zh/docs/concepts/working-with-objects/labels)和
-[注解（Annotation）](/zh/docs/concepts/overview/working-with-objects/annotations/)机制。
+[标签（Labels）](/zh-cn/docs/concepts/working-with-objects/labels)和
+[注解（Annotation）](/zh-cn/docs/concepts/overview/working-with-objects/annotations/)机制。
 
 <!-- body -->
 
@@ -69,10 +69,10 @@ This means the name must:
 DNS 子域名的定义可参见 [RFC 1123](https://tools.ietf.org/html/rfc1123)。
 这一要求意味着名称必须满足如下规则：
 
-- 不能超过253个字符
-- 只能包含小写字母、数字，以及'-' 和 '.'
-- 须以字母数字开头
-- 须以字母数字结尾
+- 不能超过 253 个字符
+- 只能包含小写字母、数字，以及 '-' 和 '.'
+- 必须以字母数字开头
+- 必须以字母数字结尾
 
 <!--
 ### DNS Label Names
@@ -93,8 +93,8 @@ This means the name must:
 
 - 最多 63 个字符
 - 只能包含小写字母、数字，以及 '-'
-- 须以字母数字开头
-- 须以字母数字结尾
+- 必须以字母数字开头
+- 必须以字母数字结尾
 
 
 <!--
@@ -116,8 +116,8 @@ This means the name must:
 
 - 最多 63 个字符
 - 只能包含小写字母、数字，以及 '-'
-- 须以字母开头
-- 须以字母数字结尾
+- 必须以字母开头
+- 必须以字母数字结尾
 
 <!--
 ### Path Segment Names
@@ -134,7 +134,7 @@ not contain "/" or "%".
 <!--
 Here’s an example manifest for a Pod named `nginx-demo`.
 -->
-下面是一个名为`nginx-demo`的 Pod 的配置清单：
+下面是一个名为 `nginx-demo` 的 Pod 的配置清单：
 
 ```yaml
 apiVersion: v1
@@ -165,7 +165,7 @@ Kubernetes UIDs are universally unique identifiers (also known as UUIDs).
 UUIDs are standardized as ISO/IEC 9834-8 and as ITU-T X.667.
 -->
 Kubernetes UIDs 是全局唯一标识符（也叫 UUIDs）。
-UUIDs 是标准化的，见 ISO/IEC 9834-8 和 ITU-T X.667.  
+UUIDs 是标准化的，见 ISO/IEC 9834-8 和 ITU-T X.667。
 
 ## {{% heading "whatsnext" %}}
 
@@ -173,7 +173,7 @@ UUIDs 是标准化的，见 ISO/IEC 9834-8 和 ITU-T X.667.
 * Read about [labels](/docs/concepts/overview/working-with-objects/labels/) in Kubernetes.
 * See the [Identifiers and Names in Kubernetes](https://git.k8s.io/community/contributors/design-proposals/architecture/identifiers.md) design document.
 -->
-* 进一步了解 Kubernetes [标签](/zh/docs/concepts/overview/working-with-objects/labels/)
+* 进一步了解 Kubernetes [标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)
 * 参阅 [Kubernetes 标识符和名称](https://git.k8s.io/community/contributors/design-proposals/architecture/identifiers.md)的设计文档
 
 
diff --git a/content/zh/docs/concepts/overview/working-with-objects/namespaces.md b/content/zh-cn/docs/concepts/overview/working-with-objects/namespaces.md
similarity index 90%
rename from content/zh/docs/concepts/overview/working-with-objects/namespaces.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/namespaces.md
index e57a82a972b3d..46c3f35ac9207 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/namespaces.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/namespaces.md
@@ -49,7 +49,7 @@ resource can only be in one namespace.
 <!--
 Namespaces are a way to divide cluster resources between multiple users (via [resource quota](/docs/concepts/policy/resource-quotas/)).
 -->
-名字空间是在多个用户之间划分集群资源的一种方法（通过[资源配额](/zh/docs/concepts/policy/resource-quotas/)）。
+名字空间是在多个用户之间划分集群资源的一种方法（通过[资源配额](/zh-cn/docs/concepts/policy/resource-quotas/)）。
 
 <!--
 It is not necessary to use multiple namespaces to separate slightly different
@@ -69,7 +69,7 @@ for namespaces](/docs/tasks/administer-cluster/namespaces/).
 -->
 ## 使用名字空间
 
-名字空间的创建和删除在[名字空间的管理指南文档](/zh/docs/tasks/administer-cluster/namespaces/)描述。
+名字空间的创建和删除在[名字空间的管理指南文档](/zh-cn/docs/tasks/administer-cluster/namespaces/)描述。
 
 <!--
 Avoid creating namespaces with the prefix `kube-`, since it is reserved for Kubernetes system namespaces.
@@ -118,7 +118,7 @@ Kubernetes 会创建四个初始名字空间：
       这个名字空间的公共方面只是一种约定，而不是要求。
    * `kube-node-lease` 此名字空间用于与各个节点相关的
      [租约（Lease）](/docs/reference/kubernetes-api/cluster-resources/lease-v1/)对象。
-      节点租期允许 kubelet 发送[心跳](/zh/docs/concepts/architecture/nodes/#heartbeats)，由此控制面能够检测到节点故障。
+      节点租期允许 kubelet 发送[心跳](/zh-cn/docs/concepts/architecture/nodes/#heartbeats)，由此控制面能够检测到节点故障。
 
 <!--
 ### Setting the namespace for a request
@@ -150,7 +150,7 @@ context.
 
 ```shell
 kubectl config set-context --current --namespace=<名字空间名称>
-# 验证之
+# 验证
 kubectl config view | grep namespace:
 ```
 
@@ -161,8 +161,8 @@ When you create a [Service](/docs/user-guide/services), it creates a correspondi
 -->
 ## 名字空间和 DNS
 
-当你创建一个[服务](/zh/docs/concepts/services-networking/service/) 时，
-Kubernetes 会创建一个相应的 [DNS 条目](/zh/docs/concepts/services-networking/dns-pod-service/)。
+当你创建一个[服务](/zh-cn/docs/concepts/services-networking/service/)时，
+Kubernetes 会创建一个相应的 [DNS 条目](/zh-cn/docs/concepts/services-networking/dns-pod-service/)。
 
 <!--
 This entry is of the form `<service-name>.<namespace-name>.svc.cluster.local`, which means
@@ -180,7 +180,7 @@ As a result, all namespace names must be valid
 [RFC 1123 DNS labels](/docs/concepts/overview/working-with-objects/names/#dns-label-names).
 -->
 因此，所有的名字空间名称都必须是合法的
-[RFC 1123 DNS 标签](/zh/docs/concepts/overview/working-with-objects/names/#dns-label-names)。
+[RFC 1123 DNS 标签](/zh-cn/docs/concepts/overview/working-with-objects/names/#dns-label-names)。
 
 {{< warning >}}
 <!--
@@ -206,7 +206,7 @@ TLDs](https://data.iana.org/TLD/tlds-alpha-by-domain.txt).
 -->
 为了缓解这类问题，需要将创建名字空间的权限授予可信的用户。
 如果需要，你可以额外部署第三方的安全控制机制，例如以
-[准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
+[准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
 的形式，阻止用户创建与公共 [TLD](https://data.iana.org/TLD/tlds-alpha-by-domain.txt)
 同名的名字空间。
 {{< /warning >}}
@@ -224,7 +224,7 @@ persistentVolumes, are not in any namespace.
 -->
 大多数 kubernetes 资源（例如 Pod、Service、副本控制器等）都位于某些名字空间中。
 但是名字空间资源本身并不在名字空间中。而且底层资源，例如
-[节点](/zh/docs/concepts/architecture/nodes/) 和持久化卷不属于任何名字空间。
+[节点](/zh-cn/docs/concepts/architecture/nodes/)和持久化卷不属于任何名字空间。
 
 <!--
 To see which Kubernetes resources are and aren't in a namespace:
@@ -255,7 +255,7 @@ The value of the label is the namespace name.
 Kubernetes 控制面会为所有名字空间设置一个不可变更的
 {{< glossary_tooltip text="标签" term_id="label" >}}
 `kubernetes.io/metadata.name`，只要 `NamespaceDefaultLabelName` 这一
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 被启用。标签的值是名字空间的名称。
 
 ## {{% heading "whatsnext" %}}
@@ -264,5 +264,5 @@ Kubernetes 控制面会为所有名字空间设置一个不可变更的
 * Learn more about [creating a new namespace](/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace).
 * Learn more about [deleting a namespace](/docs/tasks/administer-cluster/namespaces/#deleting-a-namespace).
 -->
-* 进一步了解[建立新的名字空间](/zh/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace)。
-* 进一步了解[删除名字空间](/zh/docs/tasks/administer-cluster/namespaces/#deleting-a-namespace)。
+* 进一步了解[建立新的名字空间](/zh-cn/docs/tasks/administer-cluster/namespaces/#creating-a-new-namespace)。
+* 进一步了解[删除名字空间](/zh-cn/docs/tasks/administer-cluster/namespaces/#deleting-a-namespace)。
diff --git a/content/zh/docs/concepts/overview/working-with-objects/object-management.md b/content/zh-cn/docs/concepts/overview/working-with-objects/object-management.md
similarity index 97%
rename from content/zh/docs/concepts/overview/working-with-objects/object-management.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/object-management.md
index b1dd99ca60c67..47c758d2672bc 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/object-management.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/object-management.md
@@ -325,10 +325,10 @@ Disadvantages compared to imperative object configuration:
 - [Kubectl Book](https://kubectl.docs.kubernetes.io)
 - [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 -->
-- [使用指令式命令管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/imperative-command/)
-- [使用对象配置管理 Kubernetes 对象（指令式）](/zh/docs/tasks/manage-kubernetes-objects/imperative-config/)
-- [使用对象配置管理 Kubernetes 对象（声明式）](/zh/docs/tasks/manage-kubernetes-objects/declarative-config/)
-- [使用 Kustomize（声明式）管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/kustomization/)
+- [使用指令式命令管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/)
+- [使用对象配置管理 Kubernetes 对象（指令式）](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config/)
+- [使用对象配置管理 Kubernetes 对象（声明式）](/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/)
+- [使用 Kustomize（声明式）管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/)
 - [Kubectl 命令参考](/docs/reference/generated/kubectl/kubectl-commands/)
 - [Kubectl Book](https://kubectl.docs.kubernetes.io)
 - [Kubernetes API 参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
diff --git a/content/zh/docs/concepts/overview/working-with-objects/owners-dependents.md b/content/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents.md
similarity index 92%
rename from content/zh/docs/concepts/overview/working-with-objects/owners-dependents.md
rename to content/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents.md
index b5e8228bd30c4..a02810877f3e5 100644
--- a/content/zh/docs/concepts/overview/working-with-objects/owners-dependents.md
+++ b/content/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents.md
@@ -18,9 +18,9 @@ In Kubernetes, some objects are *owners* of other objects. For example, a
 of their owner. 
 -->
 
-在 Kubernetes 中，一些对象是其他对象的*属主（Owner）*。
+在 Kubernetes 中，一些对象是其他对象的“属主（Owner）”。
 例如，{{<glossary_tooltip text="ReplicaSet" term_id="replica-set">}} 是一组 Pod 的属主。
-具有属主的对象是属主的*附属（Dependent）* 。
+具有属主的对象是属主的“附属（Dependent）”。
 
 <!--
 Ownership is different from the [labels and selectors](/docs/concepts/overview/working-with-objects/labels/)
@@ -31,7 +31,7 @@ to the labels, each `EndpointSlice` that is managed on behalf of a Service has
 an owner reference. Owner references help different parts of Kubernetes avoid
 interfering with objects they don’t control. 
 -->
-属主关系不同于一些资源使用的[标签和选择算符](/zh/docs/concepts/overview/working-with-objects/labels/)机制。
+属主关系不同于一些资源使用的[标签和选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/)机制。
 例如，有一个创建 `EndpointSlice` 对象的 Service，
 该 Service 使用标签来让控制平面确定，哪些 `EndpointSlice` 对象属于该 Service。
 除开标签，每个代表 Service 所管理的 `EndpointSlice` 都有一个属主引用。
@@ -56,7 +56,7 @@ automatically manage the relationships.
 Kubernetes 自动为一些对象的附属资源设置属主引用的值，
 这些对象包含 ReplicaSet、DaemonSet、Deployment、Job、CronJob、ReplicationController 等。
 你也可以通过改变这个字段的值，来手动配置这些关系。
-然而，你通常不需要这么做，你可以让 Kubernetes 自动管理附属关系。
+然而，通常不需要这么做，你可以让 Kubernetes 自动管理附属关系。
 
 <!--
 Dependent objects also have an `ownerReferences.blockOwnerDeletion` field that
@@ -132,7 +132,7 @@ bound to a Pod.
 ## 属主关系与 Finalizer   {#ownership-and-finalizers}
 
 当你告诉 Kubernetes 删除一个资源，API 服务器允许管理控制器处理该资源的任何 
-[Finalizer 规则](/zh/docs/concepts/overview/working-with-objects/finalizers/)。
+[Finalizer 规则](/zh-cn/docs/concepts/overview/working-with-objects/finalizers/)。
 {{<glossary_tooltip text="Finalizer" term_id="finalizer">}} 
 防止意外删除你的集群所依赖的、用于正常运作的资源。
 例如，如果你试图删除一个仍被 Pod 使用的 `PersistentVolume`，该资源不会被立即删除，
@@ -150,7 +150,7 @@ specify an orphan deletion policy, Kubernetes adds the `orphan` finalizer so
 that the controller ignores dependent resources after it deletes the owner
 object. 
 -->
-当你使用[前台或孤立级联删除](/zh/docs/concepts/architecture/garbage-collection/#cascading-deletion)时，
+当你使用[前台或孤立级联删除](/zh-cn/docs/concepts/architecture/garbage-collection/#cascading-deletion)时，
 Kubernetes 也会向属主资源添加 Finalizer。
 在前台删除中，会添加 `foreground` Finalizer，这样控制器必须在删除了拥有 
 `ownerReferences.blockOwnerDeletion=true` 的附属资源后，才能删除属主对象。
@@ -164,6 +164,6 @@ Kubernetes 也会向属主资源添加 Finalizer。
 * Learn about [garbage collection](/docs/concepts/architecture/garbage-collection).
 * Read the API reference for [object metadata](/docs/reference/kubernetes-api/common-definitions/object-meta/#System).
 -->
-* 了解更多关于 [Kubernetes Finalizer](/zh/docs/concepts/overview/working-with-objects/finalizers/)。
-* 了解关于[垃圾收集](/zh/docs/concepts/architecture/garbage-collection)。
+* 了解更多关于 [Kubernetes Finalizer](/zh-cn/docs/concepts/overview/working-with-objects/finalizers/)。
+* 了解关于[垃圾收集](/zh-cn/docs/concepts/architecture/garbage-collection)。
 * 阅读[对象元数据](/docs/reference/kubernetes-api/common-definitions/object-meta/#System)的 API 参考文档。
diff --git a/content/zh/docs/concepts/policy/_index.md b/content/zh-cn/docs/concepts/policy/_index.md
similarity index 100%
rename from content/zh/docs/concepts/policy/_index.md
rename to content/zh-cn/docs/concepts/policy/_index.md
diff --git a/content/zh/docs/concepts/policy/limit-range.md b/content/zh-cn/docs/concepts/policy/limit-range.md
similarity index 90%
rename from content/zh/docs/concepts/policy/limit-range.md
rename to content/zh-cn/docs/concepts/policy/limit-range.md
index 8412d9e80c43f..da2560b6a0b88 100644
--- a/content/zh/docs/concepts/policy/limit-range.md
+++ b/content/zh-cn/docs/concepts/policy/limit-range.md
@@ -11,7 +11,7 @@ By default, containers run with unbounded [compute resources](/docs/concepts/con
 With resource quotas, cluster administrators can restrict resource consumption and creation on a {{< glossary_tooltip text="namespace" term_id="namespace" >}} basis.
 Within a namespace, a Pod or Container can consume as much CPU and memory as defined by the namespace's resource quota. There is a concern that one Pod or Container could monopolize all available resources. A LimitRange is a policy to constrain resource allocations (to Pods or Containers) in a namespace.
 -->
-默认情况下， Kubernetes 集群上的容器运行使用的[计算资源](/zh/docs/concepts/configuration/manage-resources-containers/)没有限制。
+默认情况下， Kubernetes 集群上的容器运行使用的[计算资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/)没有限制。
 使用资源配额，集群管理员可以以{{< glossary_tooltip text="名字空间" term_id="namespace" >}}为单位，限制其资源的使用与创建。
 在命名空间中，一个 Pod 或 Container 最多能够使用命名空间的资源配额所定义的 CPU 和内存用量。
 有人担心，一个 Pod 或 Container 会垄断所有可用的资源。
@@ -53,7 +53,7 @@ The name of a LimitRange object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 LimitRange 的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 ### Overview of Limit Range
@@ -122,10 +122,10 @@ For examples on using limits, see:
 -->
 关于使用限值的例子，可参看
 
-- [如何配置每个命名空间最小和最大的 CPU 约束](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)。
-- [如何配置每个命名空间最小和最大的内存约束](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)。
-- [如何配置每个命名空间默认的 CPU 申请值和限制值](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)。
-- [如何配置每个命名空间默认的内存申请值和限制值](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)。
-- [如何配置每个命名空间最小和最大存储使用量](/zh/docs/tasks/administer-cluster/limit-storage-consumption/#limitrange-to-limit-requests-for-storage)。
-- [配置每个命名空间的配额的详细例子](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)。
+- [如何配置每个命名空间最小和最大的 CPU 约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)。
+- [如何配置每个命名空间最小和最大的内存约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)。
+- [如何配置每个命名空间默认的 CPU 申请值和限制值](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)。
+- [如何配置每个命名空间默认的内存申请值和限制值](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)。
+- [如何配置每个命名空间最小和最大存储使用量](/zh-cn/docs/tasks/administer-cluster/limit-storage-consumption/#limitrange-to-limit-requests-for-storage)。
+- [配置每个命名空间的配额的详细例子](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)。
 
diff --git a/content/zh/docs/concepts/policy/node-resource-managers.md b/content/zh-cn/docs/concepts/policy/node-resource-managers.md
similarity index 79%
rename from content/zh/docs/concepts/policy/node-resource-managers.md
rename to content/zh-cn/docs/concepts/policy/node-resource-managers.md
index 73f28da383a98..5636547075792 100644
--- a/content/zh/docs/concepts/policy/node-resource-managers.md
+++ b/content/zh-cn/docs/concepts/policy/node-resource-managers.md
@@ -30,7 +30,7 @@ The main manager, the Topology Manager, is a Kubelet component that co-ordinates
 The configuration of individual managers is elaborated in dedicated documents:
 -->
 主管理器，也叫拓扑管理器（Topology Manager），是一个 Kubelet 组件，
-它通过[策略](/zh/docs/tasks/administer-cluster/topology-manager/)，
+它通过[策略](/zh-cn/docs/tasks/administer-cluster/topology-manager/)，
 协调全局的资源管理过程。
 
 各个管理器的配置方式会在专项文档中详细阐述：
@@ -40,6 +40,6 @@ The configuration of individual managers is elaborated in dedicated documents:
 - [Device Manager](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager)
 - [Memory Manager Policies](/docs/tasks/administer-cluster/memory-manager/)
 -->
-- [CPU 管理器策略](/zh/docs/tasks/administer-cluster/cpu-management-policies/)
-- [设备管理器](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager)
-- [内存管理器策略](/zh/docs/tasks/administer-cluster/memory-manager/)
+- [CPU 管理器策略](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/)
+- [设备管理器](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager)
+- [内存管理器策略](/zh-cn/docs/tasks/administer-cluster/memory-manager/)
diff --git a/content/zh/docs/concepts/policy/pid-limiting.md b/content/zh-cn/docs/concepts/policy/pid-limiting.md
similarity index 94%
rename from content/zh/docs/concepts/policy/pid-limiting.md
rename to content/zh-cn/docs/concepts/policy/pid-limiting.md
index 85b1c531aaf72..61fed9674b36c 100644
--- a/content/zh/docs/concepts/policy/pid-limiting.md
+++ b/content/zh-cn/docs/concepts/policy/pid-limiting.md
@@ -105,7 +105,7 @@ and limits. However, you specify it in a different way: rather than defining a
 Pod's resource limit in the `.spec` for a Pod, you configure the limit as a
 setting on the kubelet. Pod-defined PID limits are not currently supported.
 -->
-PID 限制是与[计算资源](/zh/docs/concepts/configuration/manage-resources-containers/)
+PID 限制是与[计算资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/)
 请求和限制相辅相成的一种机制。不过，你需要用一种不同的方式来设置这一限制：
 你需要将其设置到 kubelet 上而不是在 Pod 的 `.spec` 中为 Pod 设置资源限制。
 目前还不支持在 Pod 级别设置 PID 限制。
@@ -146,7 +146,7 @@ gate](/docs/reference/command-line-tools-reference/feature-gates/)
 `SupportNodePidsLimit` to work.
 -->
 在 Kubernetes 1.20 版本之前，在节点级别通过 PID 资源限制预留 PID 的能力
-需要启用[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+需要启用[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 `SupportNodePidsLimit` 才行。
 {{< /note >}}
 
@@ -166,7 +166,7 @@ Kubernetes 允许你限制 Pod 中运行的进程个数。你可以在节点级
 而不是为特定的 Pod 来将其设置为资源限制。
 每个节点都可以有不同的 PID 限制设置。
 要设置限制值，你可以设置 kubelet 的命令行参数 `--pod-max-pids`，或者
-在 kubelet 的[配置文件](/zh/docs/tasks/administer-cluster/kubelet-config-file/)
+在 kubelet 的[配置文件](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/)
 中设置 `PodPidsLimit`。
 
 {{< note >}}
@@ -176,7 +176,7 @@ the [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 `SupportPodPidsLimit` to work.
 -->
 在 Kubernetes 1.20 版本之前，为 Pod 设置 PID 资源限制的能力需要启用
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 `SupportNodePidsLimit` 才行。
 {{< /note >}}
 
@@ -197,7 +197,7 @@ Eviction signal value is calculated periodically and does NOT enforce the limit.
 
 你可以配置 kubelet 使之在 Pod 行为不正常或者消耗不正常数量资源的时候将其终止。
 这一特性称作驱逐。你可以针对不同的驱逐信号
-[配置资源不足的处理](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
+[配置资源不足的处理](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
 使用 `pid.available` 驱逐信号来配置 Pod 使用的 PID 个数的阈值。
 你可以设置硬性的和软性的驱逐策略。不过，即使使用硬性的驱逐策略，
 如果 PID 个数增长过快，节点仍然可能因为触及节点 PID 限制而进入一种不稳定状态。
@@ -233,6 +233,6 @@ Pod 行为不正常而没有 PID 可用。
 - 关于历史背景，请阅读
   [Kubernetes 1.14 中限制进程 ID 以提升稳定性](/blog/2019/04/15/process-id-limiting-for-stability-improvements-in-kubernetes-1.14/)
   的博文。
-- 请阅读[为容器管理资源](/zh/docs/concepts/configuration/manage-resources-containers/)。
-- 学习如何[配置资源不足情况的处理](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
+- 请阅读[为容器管理资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/)。
+- 学习如何[配置资源不足情况的处理](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
 
diff --git a/content/zh/docs/concepts/policy/resource-quotas.md b/content/zh-cn/docs/concepts/policy/resource-quotas.md
similarity index 96%
rename from content/zh/docs/concepts/policy/resource-quotas.md
rename to content/zh-cn/docs/concepts/policy/resource-quotas.md
index 26837a0ede1e0..75498e16b82d3 100644
--- a/content/zh/docs/concepts/policy/resource-quotas.md
+++ b/content/zh-cn/docs/concepts/policy/resource-quotas.md
@@ -41,8 +41,7 @@ Resource quotas work like this:
 资源配额的工作方式如下：
 
 <!--
-- Different teams work in different namespaces.  Currently this is voluntary, but
-  support for making this mandatory via ACLs is planned.
+- Different teams work in different namespaces. This can be enforced with [RBAC](/docs/reference/access-authn-authz/rbac/).
 - The administrator creates one ResourceQuota for each namespace.
 - Users create resources (pods, services, etc.) in the namespace, and the quota system
   tracks usage to ensure it does not exceed hard resource limits defined in a ResourceQuota.
@@ -53,8 +52,7 @@ Resource quotas work like this:
   the `LimitRanger` admission controller to force defaults for pods that make no compute resource requirements.
   See the [walkthrough](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/) for an example of how to avoid this problem.
 -->
-- 不同的团队可以在不同的命名空间下工作，目前这是非约束性的，在未来的版本中可能会通过
-  ACL (Access Control List 访问控制列表) 来实现强制性约束。
+- 不同的团队可以在不同的命名空间下工作。这可以通过 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/) 强制执行。
 - 集群管理员可以为每个命名空间创建一个或多个 ResourceQuota 对象。
 - 当用户在命名空间下创建资源（如 Pod、Service 等）时，Kubernetes 的配额系统会
   跟踪集群的资源使用情况，以确保使用的资源用量不超过 ResourceQuota 中定义的硬性资源限额。
@@ -65,14 +63,14 @@ Resource quotas work like this:
   提示: 可使用 `LimitRanger` 准入控制器来为没有设置计算资源需求的 Pod 设置默认值。
   
   若想避免这类问题，请参考
-  [演练](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)示例。
+  [演练](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)示例。
 
 <!--
 The name of a ResourceQuota object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 ResourceQuota 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 Examples of policies that could be created using namespaces and quotas are:
@@ -130,7 +128,7 @@ that can be requested in a given namespace.
 ## 计算资源配额
 
 用户可以对给定命名空间下的可被请求的
-[计算资源](/zh/docs/concepts/configuration/manage-resources-containers/)
+[计算资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/)
 总量进行限制。
 
 <!--
@@ -168,7 +166,7 @@ In addition to the resources mentioned above, in release 1.10, quota support for
 ### 扩展资源的资源配额
 
 除上述资源外，在 Kubernetes 1.10 版本中，还添加了对
-[扩展资源](/zh/docs/concepts/configuration/manage-resources-containers/#extended-resources)
+[扩展资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/#extended-resources)
 的支持。
 
 <!--
@@ -202,7 +200,7 @@ In addition, you can limit consumption of storage resources based on associated
 -->
 ## 存储资源配额
 
-用户可以对给定命名空间下的[存储资源](/zh/docs/concepts/storage/persistent-volumes/)
+用户可以对给定命名空间下的[存储资源](/zh-cn/docs/concepts/storage/persistent-volumes/)
 总量进行限制。
 
 此外，还可以根据相关的存储类（Storage Class）来限制存储资源的消耗。
@@ -218,9 +216,9 @@ In addition, you can limit consumption of storage resources based on associated
 | 资源名称 | 描述 |
 | --------------------- | ----------------------------------------------------------- |
 | `requests.storage` | 所有 PVC，存储资源的需求总量不能超过该值。 |
-| `persistentvolumeclaims` | 在该命名空间中所允许的 [PVC](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) 总量。 |
+| `persistentvolumeclaims` | 在该命名空间中所允许的 [PVC](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) 总量。 |
 | `<storage-class-name>.storageclass.storage.k8s.io/requests.storage` | 在所有与 `<storage-class-name>` 相关的持久卷申领中，存储请求的总和不能超过该值。 |
-| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` |  在与 storage-class-name 相关的所有持久卷申领中，命名空间中可以存在的[持久卷申领](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)总数。 |
+| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` |  在与 storage-class-name 相关的所有持久卷申领中，命名空间中可以存在的[持久卷申领](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)总数。 |
 
 <!--
 For example, if an operator wants to quota storage with `gold` storage class separate from `bronze` storage class, the operator can
@@ -258,7 +256,7 @@ Refer to [Logging Architecture](/docs/concepts/cluster-administration/logging/)
 -->
 如果所使用的是 CRI 容器运行时，容器日志会被计入临时存储配额。
 这可能会导致存储配额耗尽的 Pods 被意外地驱逐出节点。
-参考[日志架构](/zh/docs/concepts/cluster-administration/logging/)
+参考[日志架构](/zh-cn/docs/concepts/cluster-administration/logging/)
 了解详细信息。
 {{< /note >}}
 
@@ -343,7 +341,7 @@ The following types are supported:
 | 资源名称 | 描述 |
 | ------------------------------- | ------------------------------------------------- |
 | `configmaps` | 在该命名空间中允许存在的 ConfigMap 总数上限。 |
-| `persistentvolumeclaims` | 在该命名空间中允许存在的 [PVC](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) 的总数上限。 |
+| `persistentvolumeclaims` | 在该命名空间中允许存在的 [PVC](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) 的总数上限。 |
 | `pods` | 在该命名空间中允许存在的非终止状态的 Pod 总数上限。Pod 终止状态等价于 Pod 的 `.status.phase in (Failed, Succeeded)` 为真。 |
 | `replicationcontrollers` | 在该命名空间中允许存在的 ReplicationController 总数上限。 |
 | `resourcequotas` | 在该命名空间中允许存在的 ResourceQuota 总数上限。 |
@@ -396,8 +394,8 @@ Resources specified on the quota outside of the allowed set results in a validat
 | `NotTerminating` | 匹配所有 `spec.activeDeadlineSeconds` 是 nil 的 Pod。 |
 | `BestEffort` | 匹配所有 Qos 是 BestEffort 的 Pod。 |
 | `NotBestEffort` | 匹配所有 Qos 不是 BestEffort 的 Pod。 |
-| `PriorityClass` | 匹配所有引用了所指定的[优先级类](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption)的 Pods。 |
-| `CrossNamespacePodAffinity` | 匹配那些设置了跨名字空间 [（反）亲和性条件](/zh/docs/concepts/scheduling-eviction/assign-pod-node)的 Pod。 |
+| `PriorityClass` | 匹配所有引用了所指定的[优先级类](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption)的 Pods。 |
+| `CrossNamespacePodAffinity` | 匹配那些设置了跨名字空间 [（反）亲和性条件](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node)的 Pod。 |
 
 <!--
 The `BestEffort` scope restricts a quota to tracking the following resource:
@@ -485,7 +483,7 @@ Pods can be created at a specific [priority](/docs/concepts/scheduling-eviction/
 You can control a pod's consumption of system resources based on a pod's priority, by using the `scopeSelector`
 field in the quota spec.
 -->
-Pod 可以创建为特定的[优先级](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)。
+Pod 可以创建为特定的[优先级](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)。
 通过使用配额规约中的 `scopeSelector` 字段，用户可以根据 Pod 的优先级控制其系统资源消耗。
 
 <!--
@@ -1065,7 +1063,7 @@ and it is to be created in a namespace other than `kube-system`.
 - See [LimitedResources](https://github.com/kubernetes/kubernetes/pull/36765)
 -->
 - 查看[资源配额设计文档](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md)
-- 查看[如何使用资源配额的详细示例](/zh/docs/tasks/administer-cluster/quota-api-object/)。
+- 查看[如何使用资源配额的详细示例](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)。
 - 阅读[优先级类配额支持的设计文档](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/pod-priority-resourcequota.md)。
   了解更多信息。
 - 参阅 [LimitedResources](https://github.com/kubernetes/kubernetes/pull/36765)
diff --git a/content/zh/docs/concepts/scheduling-eviction/_index.md b/content/zh-cn/docs/concepts/scheduling-eviction/_index.md
similarity index 63%
rename from content/zh/docs/concepts/scheduling-eviction/_index.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/_index.md
index de33763b462e0..3919a6cfa0715 100644
--- a/content/zh/docs/concepts/scheduling-eviction/_index.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/_index.md
@@ -35,18 +35,18 @@ of terminating one or more Pods on Nodes.
 
 ## 调度
 
-* [Kubernetes 调度器](/zh/docs/concepts/scheduling-eviction/kube-scheduler/)
-* [将 Pods 指派到节点](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)
-* [Pod 开销](/zh/docs/concepts/scheduling-eviction/pod-overhead/)
-* [污点和容忍](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)
-* [调度框架](/zh/docs/concepts/scheduling-eviction/scheduling-framework)
-* [调度器的性能调试](/zh/docs/concepts/scheduling-eviction/scheduler-perf-tuning/)
-* [扩展资源的资源装箱](/zh/docs/concepts/scheduling-eviction/resource-bin-packing/)
+* [Kubernetes 调度器](/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/)
+* [将 Pods 指派到节点](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)
+* [Pod 开销](/zh-cn/docs/concepts/scheduling-eviction/pod-overhead/)
+* [污点和容忍](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)
+* [调度框架](/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework)
+* [调度器的性能调试](/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning/)
+* [扩展资源的资源装箱](/zh-cn/docs/concepts/scheduling-eviction/resource-bin-packing/)
 
 <!-- ## Pod Disruption -->
 
 ## Pod 干扰
 
-* [Pod 优先级和抢占](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
-* [节点压力驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
-* [API发起的驱逐](/zh/docs/concepts/scheduling-eviction/api-eviction/)
+* [Pod 优先级和抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+* [节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+* [API发起的驱逐](/zh-cn/docs/concepts/scheduling-eviction/api-eviction/)
diff --git a/content/zh/docs/concepts/scheduling-eviction/api-eviction.md b/content/zh-cn/docs/concepts/scheduling-eviction/api-eviction.md
similarity index 92%
rename from content/zh/docs/concepts/scheduling-eviction/api-eviction.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/api-eviction.md
index f51af2f678d40..4b9615951ba64 100644
--- a/content/zh/docs/concepts/scheduling-eviction/api-eviction.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/api-eviction.md
@@ -30,12 +30,12 @@ on the Pod.
 此操作创建一个 `Eviction` 对象，该对象再驱动 API 服务器终止选定的 Pod。
 
 API 发起的驱逐将遵从你的
-[`PodDisruptionBudgets`](/zh/docs/tasks/run-application/configure-pdb/)
-和 [`terminationGracePeriodSeconds`](/zh/docs/concepts/workloads/pods/pod-lifecycle#pod-termination)
+[`PodDisruptionBudgets`](/zh-cn/docs/tasks/run-application/configure-pdb/)
+和 [`terminationGracePeriodSeconds`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle#pod-termination)
 配置。
 
 使用 API 创建 Eviction 对象，就像对 Pod 执行策略控制的
-[`DELETE` 操作](/zh/docs/reference/kubernetes-api/workload-resources/pod-v1/#delete-delete-a-pod)
+[`DELETE` 操作](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#delete-delete-a-pod)
 
 <!--
 ## Calling the Eviction API
@@ -46,7 +46,7 @@ POST the attempted operation, similar to the following example:
 -->
 ## 调用 Eviction API
 
-你可以使用 [Kubernetes 语言客户端](/zh/docs/tasks/administer-cluster/access-cluster-api/#programmatic-access-to-the-api)
+你可以使用 [Kubernetes 语言客户端](/zh-cn/docs/tasks/administer-cluster/access-cluster-api/#programmatic-access-to-the-api)
 来访问 Kubernetes API 并创建 `Eviction` 对象。
 要执行此操作，你应该用 POST 发出要尝试的请求，类似于下面的示例：
 
@@ -201,6 +201,6 @@ If you notice stuck evictions, try one of the following solutions:
 * Learn about [Node-pressure Eviction](/docs/concepts/scheduling-eviction/node-pressure-eviction/).
 * Learn about [Pod Priority and Preemption](/docs/concepts/scheduling-eviction/pod-priority-preemption/).
 -->
-* 了解如何使用 [Pod 干扰预算](/zh/docs/tasks/run-application/configure-pdb/) 保护你的应用。
-* 了解[节点压力引发的驱逐](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
-* 了解 [Pod 优先级和抢占](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)。
+* 了解如何使用 [Pod 干扰预算](/zh-cn/docs/tasks/run-application/configure-pdb/) 保护你的应用。
+* 了解[节点压力引发的驱逐](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)。
+* 了解 [Pod 优先级和抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)。
diff --git a/content/zh/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
similarity index 92%
rename from content/zh/docs/concepts/scheduling-eviction/assign-pod-node.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
index a210302498ae3..c6d249d46507c 100644
--- a/content/zh/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -30,7 +30,7 @@ services that communicate a lot into the same availability zone.
 你可以约束一个 {{< glossary_tooltip text="Pod" term_id="pod" >}}
 只能在特定的{{< glossary_tooltip text="节点" term_id="node" >}}上运行。
 有几种方法可以实现这点，推荐的方法都是用
-[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/)来进行选择。
+[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/)来进行选择。
 通常这样的约束不是必须的，因为调度器将自动进行合理的放置（比如，将 Pod 分散到节点上，
 而不是将 Pod 放置在可用资源不足的节点上等等）。但在某些情况下，你可能需要进一步控制
 Pod 被部署到的节点。例如，确保 Pod 最终落在连接了 SSD 的机器上，
@@ -62,10 +62,10 @@ for a list of common node labels.
 -->
 ## 节点标签     {#built-in-node-labels}
 
-与很多其他 Kubernetes 对象类似，节点也有[标签](/zh/docs/concepts/overview/working-with-objects/labels/)。
-你可以[手动地添加标签](/zh/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node)。
+与很多其他 Kubernetes 对象类似，节点也有[标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)。
+你可以[手动地添加标签](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node)。
 Kubernetes 也会为集群中所有节点添加一些标准的标签。
-参见[常用的标签、注解和污点](/zh/docs/reference/labels-annotations-taints/)以了解常见的节点标签。
+参见[常用的标签、注解和污点](/zh-cn/docs/reference/labels-annotations-taints/)以了解常见的节点标签。
 
 {{< note >}}
 <!--
@@ -108,7 +108,7 @@ prevents the kubelet from setting or modifying labels with a
 
 To make use of that label prefix for node isolation:
 -->
-[`NodeRestriction` 准入插件](/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction)防止
+[`NodeRestriction` 准入插件](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)防止
 kubelet 使用 `node-restriction.kubernetes.io/` 前缀设置或修改标签。
 
 要使用该标签前缀进行节点隔离：
@@ -118,8 +118,8 @@ kubelet 使用 `node-restriction.kubernetes.io/` 前缀设置或修改标签。
 2. Add labels with the `node-restriction.kubernetes.io/` prefix to your nodes, and use those labels in your [node selectors](#nodeselector).
    For example, `example.com.node-restriction.kubernetes.io/fips=true` or `example.com.node-restriction.kubernetes.io/pci-dss=true`.
 -->
-1. 确保你在使用[节点鉴权](/zh/docs/reference/access-authn-authz/node/)机制并且已经启用了
-   [NodeRestriction 准入插件](/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction)。
+1. 确保你在使用[节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)机制并且已经启用了
+   [NodeRestriction 准入插件](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)。
 2. 将带有 `node-restriction.kubernetes.io/` 前缀的标签添加到 Node 对象，
    然后在[节点选择器](#nodeSelector)中使用这些标签。
    例如，`example.com.node-restriction.kubernetes.io/fips=true` 或
@@ -142,7 +142,7 @@ Kubernetes 只会将 Pod 调度到拥有你所指定的每个标签的节点上
 See [Assign Pods to Nodes](/docs/tasks/configure-pod-container/assign-pods-nodes) for more
 information.
 -->
-进一步的信息可参见[将 Pod 指派给节点](/zh/docs/tasks/configure-pod-container/assign-pods-nodes)。
+进一步的信息可参见[将 Pod 指派给节点](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes)。
 
 <!--
 ## Affinity and anti-affinity
@@ -247,7 +247,7 @@ Alternatively, you can use [node taints](/docs/concepts/scheduling-eviction/tain
 to repel Pods from specific nodes.
 -->
 `NotIn` 和 `DoesNotExist` 可用来实现节点反亲和性行为。
-你也可以使用[节点污点](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)
+你也可以使用[节点污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)
 将 Pod 从特定节点上驱逐。
 
 {{< note >}}
@@ -279,7 +279,7 @@ satisfied.
 See [Assign Pods to Nodes using Node Affinity](/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
 for more information.
 -->
-参阅[使用节点亲和性来为 Pod 指派节点](/zh/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)，
+参阅[使用节点亲和性来为 Pod 指派节点](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)，
 以了解进一步的信息。
 
 <!--
@@ -345,11 +345,11 @@ a profile with a Node affinity, which is useful if a profile only applies to a s
 To do so, add an `addedAffinity` to the `args` field  of the [`NodeAffinity` plugin](/docs/reference/scheduling/config/#scheduling-plugins)
 in the [scheduler configuration](/docs/reference/scheduling/config/). For example:
 -->
-在配置多个[调度方案](/zh/docs/reference/scheduling/config/#multiple-profiles)时，
+在配置多个[调度方案](/zh-cn/docs/reference/scheduling/config/#multiple-profiles)时，
 你可以将某个方案与节点亲和性关联起来，如果某个调度方案仅适用于某组特殊的节点时，
 这样做是很有用的。
-要实现这点，可以在[调度器配置](/zh/docs/reference/scheduling/config/)中为
-[`NodeAffinity` 插件](/zh/docs/reference/scheduling/config/#scheduling-plugins)的
+要实现这点，可以在[调度器配置](/zh-cn/docs/reference/scheduling/config/)中为
+[`NodeAffinity` 插件](/zh-cn/docs/reference/scheduling/config/#scheduling-plugins)的
 `args` 字段添加 `addedAffinity`。例如：
 
 ```yaml
@@ -397,7 +397,7 @@ does not support scheduling profiles. When the DaemonSet controller creates
 Pods, the default Kubernetes scheduler places those Pods and honors any
 `nodeAffinity` rules in the DaemonSet controller.
 -->
-DaemonSet 控制器[为 DaemonSet 创建 Pods](/zh/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler)，
+DaemonSet 控制器[为 DaemonSet 创建 Pods](/zh-cn/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler)，
 但该控制器不理会调度方案。
 DaemonSet 控制器创建 Pod 时，默认的 Kubernetes 调度器负责放置 Pod，
 并遵从 DaemonSet 控制器中奢侈的 `nodeAffinity` 规则。
@@ -434,7 +434,7 @@ Kubernetes, so Pod labels also implicitly have namespaces. Any label selectors
 for Pod labels should specify the namespaces in which Kubernetes should look for those
 labels.
 -->
-你通过[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+你通过[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)
 的形式来表达规则（Y），并可根据需要指定选关联的名字空间列表。
 Pod 在 Kubernetes 中是名字空间作用域的对象，因此 Pod 的标签也隐式地具有名字空间属性。
 针对 Pod 标签的所有标签选择算符都要指定名字空间，Kubernetes
@@ -446,7 +446,7 @@ the node label that the system uses to denote the domain. For examples, see
 [Well-Known Labels, Annotations and Taints](/docs/reference/labels-annotations-taints/).
 -->
 你会通过 `topologyKey` 来表达拓扑域（X）的概念，其取值是系统用来标示域的节点标签键。
-相关示例可参见[常用标签、注解和污点](/zh/docs/reference/labels-annotations-taints/)。
+相关示例可参见[常用标签、注解和污点](/zh-cn/docs/reference/labels-annotations-taints/)。
 
 {{< note >}}
 <!--
@@ -551,12 +551,11 @@ same zone currently running Pods with the `Security=S2` Pod label.
 并且节点具有标签 `topology.kubernetes.io/zone=R`，Pod 不能被调度到该节点上。
 
 <!--
-See the
-[design doc](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md)
-for many more examples of Pod affinity and anti-affinity.
+To get yourself more familiar with the examples of Pod affinity and anti-affinity,
+refer to the [design proposal](https://github.com/kubernetes/design-proposals-archive/blob/main/scheduling/podaffinity.md).
 -->
-查阅[设计文档](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md)
-以了解 Pod 亲和性与反亲和性的更多示例。
+查阅[设计文档](https://github.com/kubernetes/design-proposals-archive/blob/main/scheduling/podaffinity.md)
+以进一步熟悉 Pod 亲和性与反亲和性的示例。
 
 <!--
 You can use the `In`, `NotIn`, `Exists` and `DoesNotExist` values in the
@@ -741,7 +740,7 @@ See the [ZooKeeper tutorial](/docs/tutorials/stateful-application/zookeeper/#tol
 for an example of a StatefulSet configured with anti-affinity for high
 availability, using the same technique as this example.
 -->
-参阅 [ZooKeeper 教程](/zh/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure)
+参阅 [ZooKeeper 教程](/zh-cn/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure)
 了解一个 StatefulSet 的示例，该 StatefulSet 配置了反亲和性以实现高可用，
 所使用的是与此例相同的技术。
 
@@ -811,11 +810,11 @@ The above Pod will only run on the node `kube-01`.
 * Learn how to use [nodeSelector](/docs/tasks/configure-pod-container/assign-pods-nodes/).
 * Learn how to use [affinity and anti-affinity](/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/).
 -->
-* 进一步阅读[污点与容忍度](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)文档。
+* 进一步阅读[污点与容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)文档。
 * 阅读[节点亲和性](https://git.k8s.io/community/contributors/design-proposals/scheduling/nodeaffinity.md)
   和[Pod 间亲和性与反亲和性](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md)
   的设计文档。
-* 了解[拓扑管理器](/zh/docs/tasks/administer-cluster/topology-manager/)如何参与节点层面资源分配决定。
-* 了解如何使用 [nodeSelector](/zh/docs/tasks/configure-pod-container/assign-pods-nodes/)。
-* 了解如何使用[亲和性和反亲和性](/zh/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)。
+* 了解[拓扑管理器](/zh-cn/docs/tasks/administer-cluster/topology-manager/)如何参与节点层面资源分配决定。
+* 了解如何使用 [nodeSelector](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/)。
+* 了解如何使用[亲和性和反亲和性](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)。
 
diff --git a/content/zh/docs/concepts/scheduling-eviction/kube-scheduler.md b/content/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler.md
similarity index 88%
rename from content/zh/docs/concepts/scheduling-eviction/kube-scheduler.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler.md
index 30791e6249005..067dd959fa139 100644
--- a/content/zh/docs/concepts/scheduling-eviction/kube-scheduler.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler.md
@@ -57,7 +57,7 @@ is the default scheduler for Kubernetes and runs as part of the
 kube-scheduler is designed so that, if you want and need to, you can
 write your own scheduling component and use that instead.
 -->
-[kube-scheduler](/zh/docs/reference/command-line-tools-reference/kube-scheduler/)
+[kube-scheduler](/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/)
 是 Kubernetes 集群的默认调度器，并且是集群
 {{< glossary_tooltip text="控制面" term_id="control-plane" >}} 的一部分。
 如果你真的希望或者有这方面的需求，kube-scheduler 在设计上是允许
@@ -162,9 +162,9 @@ of the scheduler:
   `QueueSort`, `Filter`, `Score`, `Bind`, `Reserve`, `Permit`, and others. You
   can also configure the kube-scheduler to run different profiles.
  -->
-1. [调度策略](/zh/docs/reference/scheduling/policies) 允许你配置过滤的 _断言(Predicates)_
+1. [调度策略](/zh-cn/docs/reference/scheduling/policies) 允许你配置过滤的 _断言(Predicates)_
    和打分的 _优先级(Priorities)_ 。
-2. [调度配置](/zh/docs/reference/scheduling/config/#profiles) 允许你配置实现不同调度阶段的插件，
+2. [调度配置](/zh-cn/docs/reference/scheduling/config/#profiles) 允许你配置实现不同调度阶段的插件，
    包括：`QueueSort`, `Filter`, `Score`, `Bind`, `Reserve`, `Permit` 等等。
    你也可以配置 kube-scheduler 运行不同的配置文件。
 
@@ -178,10 +178,10 @@ of the scheduler:
 * Learn about [topology management policies](/docs/tasks/administer-cluster/topology-manager/)
 * Learn about [Pod Overhead](/docs/concepts/scheduling-eviction/pod-overhead/)
 -->
-* 阅读关于 [调度器性能调优](/zh/docs/concepts/scheduling-eviction/scheduler-perf-tuning/)
-* 阅读关于 [Pod 拓扑分布约束](/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
-* 阅读关于 kube-scheduler 的 [参考文档](/zh/docs/reference/command-line-tools-reference/kube-scheduler/)
-* 阅读 [kube-scheduler 配置参考 (v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
-* 了解关于 [配置多个调度器](/zh/docs/tasks/extend-kubernetes/configure-multiple-schedulers/) 的方式
-* 了解关于 [拓扑结构管理策略](/zh/docs/tasks/administer-cluster/topology-manager/)
-* 了解关于 [Pod 额外开销](/zh/docs/concepts/scheduling-eviction/pod-overhead/)
+* 阅读关于 [调度器性能调优](/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning/)
+* 阅读关于 [Pod 拓扑分布约束](/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
+* 阅读关于 kube-scheduler 的 [参考文档](/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/)
+* 阅读 [kube-scheduler 配置参考 (v1beta3)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+* 了解关于 [配置多个调度器](/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers/) 的方式
+* 了解关于 [拓扑结构管理策略](/zh-cn/docs/tasks/administer-cluster/topology-manager/)
+* 了解关于 [Pod 额外开销](/zh-cn/docs/concepts/scheduling-eviction/pod-overhead/)
diff --git a/content/zh/docs/concepts/scheduling-eviction/node-pressure-eviction.md b/content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md
similarity index 98%
rename from content/zh/docs/concepts/scheduling-eviction/node-pressure-eviction.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md
index 810324c0c2810..8a0910315e232 100644
--- a/content/zh/docs/concepts/scheduling-eviction/node-pressure-eviction.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md
@@ -128,9 +128,9 @@ memory is reclaimable under pressure.
 -->
 `memory.available` 的值来自 cgroupfs，而不是像 `free -m` 这样的工具。
 这很重要，因为 `free -m` 在容器中不起作用，如果用户使用
-[节点可分配资源](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+[节点可分配资源](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 这一功能特性，资源不足的判定是基于 CGroup 层次结构中的用户 Pod 所处的局部及 CGroup 根节点作出的。
-这个[脚本](/zh/examples/admin/resource/memory-available.sh)
+这个[脚本](/zh-cn/examples/admin/resource/memory-available.sh)
 重现了 kubelet 为计算 `memory.available` 而执行的相同步骤。
 kubelet 在其计算中排除了 inactive_file（即非活动 LRU 列表上基于文件来虚拟的内存的字节数），
 因为它假定在压力下内存是可回收的。
@@ -161,7 +161,7 @@ For a list of the deprecated features, see [kubelet garbage collection deprecati
 -->
 一些 kubelet 垃圾收集功能已被弃用，以支持驱逐。
 有关已弃用功能的列表，请参阅
-[kubelet 垃圾收集弃用](/zh/docs/concepts/cluster-administration/kubelet-garbage-collection/#deprecation)。
+[kubelet 垃圾收集弃用](/zh-cn/docs/concepts/cluster-administration/kubelet-garbage-collection/#deprecation)。
 {{</note>}}
 
 <!-- 
@@ -414,7 +414,7 @@ The kubelet uses the following parameters to determine pod eviction order:
 kubelet 使用以下参数来确定 Pod 驱逐顺序：
 
 1. Pod 的资源使用是否超过其请求
-1. [Pod 优先级](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+1. [Pod 优先级](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 1. Pod 相对于请求的资源使用情况
 
 <!-- 
@@ -524,7 +524,7 @@ reclaims the quantity you specify.
 For example, the following configuration sets minimum reclaim amounts: 
 -->
 你可以使用 `--eviction-minimum-reclaim` 标志或
-[kubelet 配置文件](/zh/docs/tasks/administer-cluster/kubelet-config-file/)
+[kubelet 配置文件](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/)
 为每个资源配置最小回收量。
 当 kubelet 注意到某个资源耗尽时，它会继续回收该资源，直到回收到你所指定的数量为止。
 
@@ -772,7 +772,7 @@ to estimate or measure an optimal memory limit value for that container.
 * Check out the [Eviction API](/docs/reference/generated/kubernetes-api/{{<param "version">}}/#create-eviction-pod-v1-core)
 -->
 * 了解 [API 发起的驱逐](/docs/reference/generated/kubernetes-api/v1.23/)
-* 了解 [Pod 优先级和驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+* 了解 [Pod 优先级和驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 * 了解 [PodDisruptionBudgets](/docs/tasks/run-application/configure-pdb/)
-* 了解[服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)（QoS）
+* 了解[服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)（QoS）
 * 查看[驱逐 API](/docs/reference/generated/kubernetes-api/{{<param "version">}}/#create-eviction-pod-v1-core)
diff --git a/content/zh/docs/concepts/scheduling-eviction/pod-overhead.md b/content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md
similarity index 68%
rename from content/zh/docs/concepts/scheduling-eviction/pod-overhead.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md
index 6c9f119d4d9f2..046a27cd99f97 100644
--- a/content/zh/docs/concepts/scheduling-eviction/pod-overhead.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md
@@ -18,17 +18,17 @@ weight: 30
 
 <!-- overview -->
 
-{{< feature-state for_k8s_version="v1.18" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
 When you run a Pod on a Node, the Pod itself takes an amount of system resources. These
 resources are additional to the resources needed to run the container(s) inside the Pod.
-_Pod Overhead_ is a feature for accounting for the resources consumed by the Pod infrastructure
-on top of the container requests & limits.
+In Kubernetes, _Pod Overhead_ is a way to account for the resources consumed by the Pod
+infrastructure on top of the container requests & limits.
 -->
 
 在节点上运行 Pod 时，Pod 本身占用大量系统资源。这些是运行 Pod 内容器所需资源之外的资源。
-_POD 开销_ 是一个特性，用于计算 Pod 基础设施在容器请求和限制之上消耗的资源。
+在 Kubernetes 中，_POD 开销_ 是一种方法，用于计算 Pod 基础设施在容器请求和限制之上消耗的资源。
 
 <!-- body -->
 
@@ -40,8 +40,8 @@ time according to the overhead associated with the Pod's
 [RuntimeClass](/docs/concepts/containers/runtime-class/).
 -->
 
-在 Kubernetes 中，Pod 的开销是根据与 Pod 的 [RuntimeClass](/zh/docs/concepts/containers/runtime-class/)
-相关联的开销在[准入](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks)时设置的。
+在 Kubernetes 中，Pod 的开销是根据与 Pod 的 [RuntimeClass](/zh-cn/docs/concepts/containers/runtime-class/)
+相关联的开销在[准入](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks)时设置的。
 
 <!--
 When Pod Overhead is enabled, the overhead is considered in addition to the sum of container
@@ -53,17 +53,14 @@ the Pod cgroup, and when carrying out Pod eviction ranking.
 类似地，kubelet 将在确定 Pod cgroups 的大小和执行 Pod 驱逐排序时也会考虑 Pod 开销。
 
 <!--
-## Enabling Pod Overhead {#set-up}
+## Configuring Pod overhead {#set-up}
 -->
-## 启用 Pod 开销 {#set-up}
+## 配置 Pod 开销 {#set-up}
 
 <!--
-You need to make sure that the `PodOverhead`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled (it is on by default as of 1.18)
-across your cluster, and a `RuntimeClass` is utilized which defines the `overhead` field.
+You need to make sure a `RuntimeClass` is utilized which defines the `overhead` field.
 -->
-你需要确保在集群中启用了 `PodOverhead` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-（在 1.18 默认是开启的），以及一个定义了 `overhead` 字段的 `RuntimeClass`。
+你需要确保使用一个定义了 `overhead` 字段的 `RuntimeClass`。
 
 <!--
 ## Usage example
@@ -71,25 +68,24 @@ across your cluster, and a `RuntimeClass` is utilized which defines the `overhea
 ## 使用示例
 
 <!--
-To use the PodOverhead feature, you need a RuntimeClass that defines the `overhead` field. As
-an example, you could use the following RuntimeClass definition with a virtualizing container runtime
-that uses around 120MiB per Pod for the virtual machine and the guest OS:
+To work with Pod overhead, you need a RuntimeClass that defines the `overhead` field. As
+an example, you could use the following RuntimeClass definition with a virtualization container
+runtime that uses around 120MiB per Pod for the virtual machine and the guest OS:
 -->
-要使用 PodOverhead 特性，需要一个定义了 `overhead` 字段的 RuntimeClass。
+要使用 Pod 开销，你需要一个定义了 `overhead` 字段的 RuntimeClass。
 作为例子，下面的 RuntimeClass 定义中包含一个虚拟化所用的容器运行时，
 RuntimeClass 如下，其中每个 Pod 大约使用 120MiB 用来运行虚拟机和寄宿操作系统：
 
 ```yaml
----
-kind: RuntimeClass
 apiVersion: node.k8s.io/v1
+kind: RuntimeClass
 metadata:
-    name: kata-fc
+  name: kata-fc
 handler: kata-fc
 overhead:
-    podFixed:
-        memory: "120Mi"
-        cpu: "250m"
+  podFixed:
+    memory: "120Mi"
+    cpu: "250m"
 ```
 
 <!--
@@ -133,7 +129,7 @@ updates the workload's PodSpec to include the `overhead` as described in the Run
 the Pod will be rejected. In the given example, since only the RuntimeClass name is specified, the admission controller mutates the Pod
 to include an `overhead`.
 -->
-在准入阶段 RuntimeClass [准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
+在准入阶段 RuntimeClass [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
 更新工作负载的 PodSpec 以包含
 RuntimeClass 中定义的 `overhead`。如果 PodSpec 中已定义该字段，该 Pod 将会被拒绝。
 在这个例子中，由于只指定了 RuntimeClass 名称，所以准入控制器更新了 Pod，使之包含 `overhead`。
@@ -141,8 +137,7 @@ RuntimeClass 中定义的 `overhead`。如果 PodSpec 中已定义该字段，
 <!--
 After the RuntimeClass admission controller, you can check the updated PodSpec:
 -->
-在 RuntimeClass 准入控制器之后，可以检验一下已更新的 PodSpec:
-
+在 RuntimeClass 准入控制器进行修改后，你可以查看更新后的 PodSpec：
 ```bash
 kubectl get pod test-pod -o jsonpath='{.spec.overhead}'
 ```
@@ -156,10 +151,11 @@ map[cpu:250m memory:120Mi]
 ```
 
 <!--
-If a ResourceQuota is defined, the sum of container requests as well as the
+If a [ResourceQuota](/docs/concepts/policy/resource-quotas/) is defined, the sum of container requests as well as the
 `overhead` field are counted.
  -->
-如果定义了 ResourceQuata, 则容器请求的总量以及 `overhead` 字段都将计算在内。
+如果定义了 [ResourceQuata](/zh-cn/docs/concepts/policy/resource-quotas/), 
+则容器请求的总量以及 `overhead` 字段都将计算在内。
 
 <!--
 When the kube-scheduler is deciding which node should run a new Pod, the scheduler considers that Pod's
@@ -171,8 +167,10 @@ requests and the overhead, then looks for a node that has 2.25 CPU and 320 MiB o
 然后寻找具备 2.25 CPU 和 320 MiB 内存可用的节点。
 
 <!--
-Once a Pod is scheduled to a node, the kubelet on that node creates a new {{< glossary_tooltip text="cgroup" term_id="cgroup" >}}
-for the Pod. It is within this pod that the underlying container runtime will create containers. -->
+Once a Pod is scheduled to a node, the kubelet on that node creates a new {{< glossary_tooltip
+text="cgroup" term_id="cgroup" >}} for the Pod. It is within this pod that the underlying
+container runtime will create containers.
+-->
 一旦 Pod 被调度到了某个节点， 该节点上的 kubelet 将为该 Pod 新建一个 
 {{< glossary_tooltip text="cgroup" term_id="cgroup" >}}。 底层容器运行时将在这个
 Pod 中创建容器。
@@ -189,8 +187,8 @@ Burstable QoS），kubelet 会为与该资源（CPU 的 `cpu.cfs_quota_us` 以
 相关的 Pod cgroup 设定一个上限。该上限基于 PodSpec 中定义的容器限制总量与 `overhead` 之和。
 
 <!--
-For CPU, if the Pod is Guaranteed or Burstable QoS, the kubelet will set `cpu.shares` based on the sum of container
-requests plus the `overhead` defined in the PodSpec.
+For CPU, if the Pod is Guaranteed or Burstable QoS, the kubelet will set `cpu.shares` based on the
+sum of container requests plus the `overhead` defined in the PodSpec.
 -->
 对于 CPU，如果 Pod 的 QoS 是 Guaranteed 或者 Burstable，kubelet 会基于容器请求总量与
 PodSpec 中定义的 `overhead` 之和设置 `cpu.shares`。
@@ -199,6 +197,7 @@ PodSpec 中定义的 `overhead` 之和设置 `cpu.shares`。
 Looking at our example, verify the container requests for the workload:
 -->
 请看这个例子，验证工作负载的容器请求：
+
 ```bash
 kubectl get pod test-pod -o jsonpath='{.spec.containers[*].resources.limits}'
 ```
@@ -207,6 +206,7 @@ kubectl get pod test-pod -o jsonpath='{.spec.containers[*].resources.limits}'
 The total container requests are 2000m CPU and 200MiB of memory:
 -->
 容器请求总计 2000m CPU 和 200MiB 内存：
+
 ```
 map[cpu: 500m memory:100Mi] map[cpu:1500m memory:100Mi]
 ```
@@ -215,18 +215,19 @@ map[cpu: 500m memory:100Mi] map[cpu:1500m memory:100Mi]
 Check this against what is observed by the node:
  -->
 对照从节点观察到的情况来检查一下：
+
 ```bash
 kubectl describe node | grep test-pod -B2
 ```
 
 <!--
-The output shows 2250m CPU and 320MiB of memory are requested, which includes PodOverhead:
- -->
-该输出显示请求了 2250m CPU 以及 320MiB 内存，包含了 PodOverhead 在内：
+The output shows requests for 2250m CPU, and for 320MiB of memory. The requests include Pod overhead:
+-->
+该输出显示请求了 2250m CPU 以及 320MiB 内存。请求包含了 Pod 开销在内：
 ```
-  Namespace                   Name                CPU Requests  CPU Limits   Memory Requests  Memory Limits  AGE
-  ---------                   ----                ------------  ----------   ---------------  -------------  ---
-  default                     test-pod            2250m (56%)   2250m (56%)  320Mi (1%)       320Mi (1%)     36m
+  Namespace    Name       CPU Requests  CPU Limits   Memory Requests  Memory Limits  AGE
+  ---------    ----       ------------  ----------   ---------------  -------------  ---
+  default      test-pod   2250m (56%)   2250m (56%)  320Mi (1%)       320Mi (1%)     36m
 ```
 
 <!--
@@ -235,9 +236,10 @@ The output shows 2250m CPU and 320MiB of memory are requested, which includes Po
 ## 验证 Pod cgroup 限制
 
 <!--
-Check the Pod's memory cgroups on the node where the workload is running. In the following example, [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md)
+Check the Pod's memory cgroups on the node where the workload is running. In the following example,
+[`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md)
 is used on the node, which provides a CLI for CRI-compatible container runtimes. This is an
-advanced example to show PodOverhead behavior, and it is not expected that users should need to check
+advanced example to show Pod overhead behavior, and it is not expected that users should need to check
 cgroups directly on the node.
 
 First, on the particular node, determine the Pod identifier:
@@ -245,7 +247,7 @@ First, on the particular node, determine the Pod identifier:
 在工作负载所运行的节点上检查 Pod 的内存 cgroups。在接下来的例子中，
 将在该节点上使用具备 CRI 兼容的容器运行时命令行工具
 [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md)。
-这是一个显示 PodOverhead 行为的高级示例， 预计用户不需要直接在节点上检查 cgroups。
+这是一个显示 Pod 开销行为的高级示例， 预计用户不需要直接在节点上检查 cgroups。
 首先在特定的节点上确定该 Pod 的标识符：
 
 <!--
@@ -275,13 +277,15 @@ sudo crictl inspectp -o=json $POD_ID | grep cgroupsPath
 The resulting cgroup path includes the Pod's `pause` container. The Pod level cgroup is one directory above.
 -->
 执行结果的 cgroup 路径中包含了该 Pod 的 `pause` 容器。Pod 级别的 cgroup 在即上一层目录。
+
 ```
-        "cgroupsPath": "/kubepods/podd7f4b509-cf94-4951-9417-d1087c92a5b2/7ccf55aee35dd16aca4189c952d83487297f3cd760f1bbf09620e206e7d0c27a"
+  "cgroupsPath": "/kubepods/podd7f4b509-cf94-4951-9417-d1087c92a5b2/7ccf55aee35dd16aca4189c952d83487297f3cd760f1bbf09620e206e7d0c27a"
 ```
 
 <!--
-In this specific case, the pod cgroup path is `kubepods/podd7f4b509-cf94-4951-9417-d1087c92a5b2`. Verify the Pod level cgroup setting for memory:
- -->
+In this specific case, the pod cgroup path is `kubepods/podd7f4b509-cf94-4951-9417-d1087c92a5b2`.
+Verify the Pod level cgroup setting for memory:
+-->
 在这个例子中，该 Pod 的 cgroup 路径是 `kubepods/podd7f4b509-cf94-4951-9417-d1087c92a5b2`。
 验证内存的 Pod 级别 cgroup 设置：
 
@@ -300,6 +304,7 @@ In this specific case, the pod cgroup path is `kubepods/podd7f4b509-cf94-4951-94
 This is 320 MiB, as expected:
 -->
 和预期的一样，这一数值为 320 MiB。
+
 ```
 335544320
 ```
@@ -310,14 +315,12 @@ This is 320 MiB, as expected:
 ### 可观察性
 
 <!--
-A `kube_pod_overhead` metric is available in [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics)
-to help identify when PodOverhead is being utilized and to help observe stability of workloads
-running with a defined Overhead. This functionality is not available in the 1.9 release of
-kube-state-metrics, but is expected in a following release. Users will need to build kube-state-metrics
-from source in the meantime.
+Some `kube_pod_overhead_*` metrics are available in [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics)
+to help identify when Pod overhead is being utilized and to help observe stability of workloads
+running with a defined overhead.
 -->
 在 [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics) 中可以通过
-`kube_pod_overhead` 指标来协助确定何时使用 PodOverhead
+`kube_pod_overhead_*` 指标来协助确定何时使用 Pod 开销，
 以及协助观察以一个既定开销运行的工作负载的稳定性。
 该特性在 kube-state-metrics 的 1.9 发行版本中不可用，不过预计将在后续版本中发布。
 在此之前，用户需要从源代码构建 kube-state-metrics。
@@ -325,9 +328,9 @@ from source in the meantime.
 ## {{% heading "whatsnext" %}}
 
 <!--
-* [RuntimeClass](/docs/concepts/containers/runtime-class/)
-* [PodOverhead Design](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/688-pod-overhead)
+* Learn more about [RuntimeClass](/docs/concepts/containers/runtime-class/)
+* Read the [PodOverhead Design](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/688-pod-overhead)
+  enhancement proposal for extra context
 -->
-
-* [RuntimeClass](/zh/docs/concepts/containers/runtime-class/)
-* [PodOverhead 设计](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/688-pod-overhead)
+* 学习更多关于 [RuntimeClass](/zh-cn/docs/concepts/containers/runtime-class/) 的信息
+* 阅读 [PodOverhead 设计](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/688-pod-overhead)增强建议以获取更多上下文
diff --git a/content/zh/docs/concepts/scheduling-eviction/pod-priority-preemption.md b/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
similarity index 96%
rename from content/zh/docs/concepts/scheduling-eviction/pod-priority-preemption.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
index f22065f8f921a..afa224896ad60 100644
--- a/content/zh/docs/concepts/scheduling-eviction/pod-priority-preemption.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
@@ -23,7 +23,7 @@ importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the
 scheduler tries to preempt (evict) lower priority Pods to make scheduling of the
 pending Pod possible.
 -->
-[Pod](/zh/docs/concepts/workloads/pods/) 可以有 _优先级_。
+[Pod](/zh-cn/docs/concepts/workloads/pods/) 可以有 _优先级_。
 优先级表示一个 Pod 相对于其他 Pod 的重要性。
 如果一个 Pod 无法被调度，调度程序会尝试抢占（驱逐）较低优先级的 Pod，
 以使悬决 Pod 可以被调度。
@@ -44,7 +44,7 @@ for details.
 在一个并非所有用户都是可信的集群中，恶意用户可能以最高优先级创建 Pod，
 导致其他 Pod 被驱逐或者无法被调度。
 管理员可以使用 ResourceQuota 来阻止用户创建高优先级的 Pod。
-参见[默认限制优先级消费](/zh/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default)。
+参见[默认限制优先级消费](/zh-cn/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default)。
 
 {{< /warning >}}
 
@@ -82,7 +82,7 @@ These are common classes and are used to [ensure that critical components are al
 -->
 Kubernetes 已经提供了 2 个 PriorityClass：
 `system-cluster-critical` 和 `system-node-critical`。
-这些是常见的类，用于[确保始终优先调度关键组件](/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)。
+这些是常见的类，用于[确保始终优先调度关键组件](/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)。
 {{< /note >}}
 
 <!-- 
@@ -103,7 +103,7 @@ PriorityClass 是一个无名称空间对象，它定义了从优先级类名称
 名称在 PriorityClass 对象元数据的 `name` 字段中指定。
 值在必填的 `value` 字段中指定。值越大，优先级越高。
 PriorityClass 对象的名称必须是有效的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)，
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)，
 并且它不能以 `system-` 为前缀。
 
 <!--  
@@ -377,7 +377,7 @@ priority Pods to zero or a small number.
 #### 被抢占牺牲者的体面终止
 
 当 Pod 被抢占时，牺牲者会得到他们的
-[体面终止期](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
+[体面终止期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
 它们可以在体面终止期内完成工作并退出。如果它们不这样做就会被杀死。
 这个体面终止期在调度程序抢占 Pod 的时间点和待处理的 Pod (P) 
 可以在节点 (N) 上调度的时间点之间划分出了一个时间跨度。
@@ -399,7 +399,7 @@ despite their PDBs being violated.
 -->
 #### 支持 PodDisruptionBudget，但不保证
 
-[PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/) 
+[PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/) 
 (PDB) 允许多副本应用程序的所有者限制因自愿性质的干扰而同时终止的 Pod 数量。
 Kubernetes 在抢占 Pod 时支持 PDB，但对 PDB 的支持是基于尽力而为原则的。
 调度器会尝试寻找不会因被抢占而违反 PDB 的牺牲者，但如果没有找到这样的牺牲者，
@@ -639,7 +639,7 @@ exceeding its requests, it won't be evicted. Another Pod with higher priority
 that exceeds its requests may be evicted.
 -->
 kubelet 使用优先级来确定
-[节点压力驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/) Pod 的顺序。
+[节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/) Pod 的顺序。
 你可以使用 QoS 类来估计 Pod 最有可能被驱逐的顺序。kubelet 根据以下因素对 Pod 进行驱逐排名：
 
   1. 对紧俏资源的使用是否超过请求值
@@ -647,7 +647,7 @@ kubelet 使用优先级来确定
   1. 相对于请求的资源使用量
 
 有关更多详细信息，请参阅
-[kubelet 驱逐时 Pod 的选择](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/#pod-selection-for-kubelet-eviction)。
+[kubelet 驱逐时 Pod 的选择](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/#pod-selection-for-kubelet-eviction)。
 
 当某 Pod 的资源用量未超过其请求时，kubelet 节点压力驱逐不会驱逐该 Pod。
 如果优先级较低的 Pod 没有超过其请求，则不会被驱逐。
@@ -663,7 +663,7 @@ kubelet 使用优先级来确定
 * Learn about [Node-pressure Eviction](/docs/concepts/scheduling-eviction/node-pressure-eviction/)
 -->
 * 阅读有关将 ResourceQuota 与 PriorityClass 结合使用的信息：
-  [默认限制优先级消费](/zh/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default)
-* 了解 [Pod 干扰](/zh/docs/concepts/workloads/pods/disruptions/)
+  [默认限制优先级消费](/zh-cn/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default)
+* 了解 [Pod 干扰](/zh-cn/docs/concepts/workloads/pods/disruptions/)
 * 了解 [API 发起的驱逐](/docs/reference/generated/kubernetes-api/v1.23/)
-* 了解[节点压力驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+* 了解[节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/resource-bin-packing.md b/content/zh-cn/docs/concepts/scheduling-eviction/resource-bin-packing.md
new file mode 100644
index 0000000000000..42b35709b26c9
--- /dev/null
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/resource-bin-packing.md
@@ -0,0 +1,358 @@
+---
+title: 扩展资源的资源装箱
+content_type: concept
+weight: 80
+---
+<!--
+---
+reviewers:
+- bsalamat
+- k82cn
+- ahg-g
+title: Resource Bin Packing for Extended Resources
+content_type: concept
+weight: 80
+---
+-->
+
+<!-- overview -->
+
+<!--
+In the [scheduling-plugin](/docs/reference/scheduling/config/#scheduling-plugins)  `NodeResourcesFit` of kube-scheduler, there are two 
+scoring strategies that support the bin packing of resources: `MostAllocated` and `RequestedToCapacityRatio`.
+-->
+在 kube-scheduler 的[调度插件](/zh-cn/docs/reference/scheduling/config/#scheduling-plugins)
+`NodeResourcesFit` 中存在两种支持资源装箱（bin packing）的策略：`MostAllocated` 和
+`RequestedToCapacityRatio`。
+
+<!-- body -->
+
+<!--
+## Enabling bin packing using MostAllocated strategy
+
+The `MostAllocated` strategy scores the nodes based on the utilization of resources, favoring the ones with higher allocation.
+For each resource type, you can set a weight to modify its influence in the node score.
+
+To set the `MostAllocated` strategy for the `NodeResourcesFit` plugin, use a
+[scheduler configuration](/docs/reference/scheduling/config) similar to the following:
+-->
+## 使用 MostAllocated 策略启用资源装箱   {#enabling-bin-packing-using-mostallocated-strategy}
+
+`MostAllocated` 策略基于资源的利用率来为节点计分，优选分配比率较高的节点。
+针对每种资源类型，你可以设置一个权重值以改变其对节点得分的影响。
+
+要为插件 `NodeResourcesFit` 设置 `MostAllocated` 策略，
+可以使用一个类似于下面这样的[调度器配置](/zh-cn/docs/reference/scheduling/config/)：
+
+```yaml
+apiVersion: kubescheduler.config.k8s.io/v1beta3
+kind: KubeSchedulerConfiguration
+profiles:
+- pluginConfig:
+  - args:
+      scoringStrategy:
+        resources:
+        - name: cpu
+          weight: 1
+        - name: memory
+          weight: 1
+        - name: intel.com/foo
+          weight: 3
+        - name: intel.com/bar
+          weight: 3
+        type: MostAllocated
+    name: NodeResourcesFit
+```
+
+<!--
+To learn more about other parameters and their default configuration, see the API documentation for 
+[`NodeResourcesFitArgs`](/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs).
+-->
+要进一步了解其它参数及其默认配置，请参阅
+[`NodeResourcesFitArgs`](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs)
+的 API 文档。
+
+<!--
+## Enabling bin packing using RequestedToCapacityRatio
+
+The `RequestedToCapacityRatio` strategy allows the users to specify the resources along with weights for
+each resource to score nodes based on the request to capacity ratio. This
+allows users to bin pack extended resources by using appropriate parameters
+to improve the utilization of scarce resources in large clusters. It favors nodes according to a
+configured function of the allocated resources. The behavior of the `RequestedToCapacityRatio` in
+the `NodeResourcesFit` score function can be controlled by the
+[scoringStrategy](/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy) field.
+Within the `scoringStrategy` field, you can configure two parameters: `requestedToCapacityRatioParam` and
+`resources`. The `shape` in `requestedToCapacityRatioParam` 
+parameter allows the user to tune the function as least requested or most 
+requested based on `utilization` and `score` values.  The `resources` parameter 
+consists of `name` of the resource to be considered during scoring and `weight` 
+specify the weight of each resource.
+-->
+## 使用 RequestedToCapacityRatio 策略来启用资源装箱 {#enabling-bin-packing-using-requestedtocapacityratio}
+
+`RequestedToCapacityRatio` 策略允许用户基于请求值与容量的比率，针对参与节点计分的每类资源设置权重。
+这一策略是的用户可以使用合适的参数来对扩展资源执行装箱操作，进而提升大规模集群中稀有资源的利用率。
+此策略根据所分配资源的一个配置函数来评价节点。
+`NodeResourcesFit` 计分函数中的 `RequestedToCapacityRatio` 可以通过字段
+[scoringStrategy](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
+来控制。
+在 `scoringStrategy` 字段中，你可以配置两个参数：`requestedToCapacityRatioParam`
+和 `resources`。`requestedToCapacityRatioParam` 参数中的 `shape`
+设置使得用户能够调整函数的算法，基于 `utilization` 和 `score` 值计算最少请求或最多请求。
+`resources` 参数中包含计分过程中需要考虑的资源的 `name`，以及用来设置每种资源权重的 `weight`。
+
+<!--
+Below is an example configuration that sets
+the bin packing behavior for extended resources `intel.com/foo` and `intel.com/bar`
+using the `requestedToCapacityRatio` field.
+-->
+下面是一个配置示例，使用 `requestedToCapacityRatio` 字段为扩展资源 `intel.com/foo`
+和 `intel.com/bar` 设置装箱行为：
+
+```yaml
+apiVersion: kubescheduler.config.k8s.io/v1beta3
+kind: KubeSchedulerConfiguration
+profiles:
+- pluginConfig:
+  - args:
+      scoringStrategy:
+        resources:
+        - name: intel.com/foo
+          weight: 3
+        - name: intel.com/bar
+          weight: 3
+        requestedToCapacityRatioParam:
+          shape:
+          - utilization: 0
+            score: 0
+          - utilization: 100
+            score: 10
+        type: RequestedToCapacityRatio
+    name: NodeResourcesFit
+```
+
+<!--
+Referencing the `KubeSchedulerConfiguration` file with the kube-scheduler 
+flag `--config=/path/to/config/file` will pass the configuration to the 
+scheduler.
+-->
+使用 kube-scheduler 标志 `--config=/path/to/config/file` 
+引用 `KubeSchedulerConfiguration` 文件，可以将配置传递给调度器。
+
+<!--
+To learn more about other parameters and their default configuration, see the API documentation for 
+[`NodeResourcesFitArgs`](/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs).
+-->
+要进一步了解其它参数及其默认配置，可以参阅
+[`NodeResourcesFitArgs`](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs)
+的 API 文档。
+
+<!--
+### Tuning the score function
+
+`shape` is used to specify the behavior of the `RequestedToCapacityRatio` function.
+-->
+### 调整计分函数    {#tuning-the-score-function}
+
+`shape` 用于指定 `RequestedToCapacityRatio` 函数的行为。
+
+```yaml
+shape:
+ - utilization: 0
+   score: 0
+ - utilization: 100
+   score: 10
+```
+
+<!--
+The above arguments give the node a `score` of 0 if `utilization` is 0% and 10 for
+`utilization` 100%, thus enabling bin packing behavior. To enable least
+requested the score value must be reversed as follows.
+-->
+上面的参数在 `utilization` 为 0% 时给节点评分为 0，在 `utilization` 为
+100% 时给节点评分为 10，因此启用了装箱行为。
+要启用最少请求（least requested）模式，必须按如下方式反转得分值。
+
+```yaml
+ shape:
+  - utilization: 0
+    score: 10
+  - utilization: 100
+    score: 0
+```
+
+<!--
+`resources` is an optional parameter which by defaults is set to:
+-->
+`resources` 是一个可选参数，默认情况下设置为：
+
+``` yaml
+resources:
+  - name: cpu
+    weight: 1
+  - name: memory
+    weight: 1
+```
+
+<!--
+It can be used to add extended resources as follows:
+-->
+它可以像下面这样用来添加扩展资源：
+
+```yaml
+resources:
+  - name: intel.com/foo
+    weight: 5
+  - name: cpu
+    weight: 3
+  - name: memory
+    weight: 1
+```
+
+<!--
+The `weight` parameter is optional and is set to 1 if not specified. Also, the
+`weight` cannot be set to a negative value.
+-->
+`weight` 参数是可选的，如果未指定，则设置为 1。
+同时，`weight` 不能设置为负值。
+
+<!--
+### Node scoring for capacity allocation
+
+This section is intended for those who want to understand the internal details
+of this feature.
+Below is an example of how the node score is calculated for a given set of values.
+-->
+### 节点容量分配的评分   {#node-scoring-for-capacity-allocation}
+
+本节适用于希望了解此功能的内部细节的人员。
+以下是如何针对给定的一组值来计算节点得分的示例。
+
+<!--
+Requested resources:
+-->
+请求的资源：
+
+```
+intel.com/foo : 2
+memory: 256MB
+cpu: 2
+```
+
+<!--
+Resource weights:
+-->
+资源权重：
+
+```
+intel.com/foo : 5
+memory: 1
+cpu: 3
+```
+
+```
+FunctionShapePoint {{0, 0}, {100, 10}}
+```
+
+<!--
+Node 1 spec:
+-->
+节点 1 配置：
+
+```
+可用：
+  intel.com/foo : 4
+  memory : 1 GB
+  cpu: 8
+
+已用：
+  intel.com/foo: 1
+  memory: 256MB
+  cpu: 1
+```
+
+<!--
+Node score:
+-->
+节点得分：
+
+```
+intel.com/foo  = resourceScoringFunction((2+1),4)
+               = (100 - ((4-3)*100/4)
+               = (100 - 25)
+               = 75                       # requested + used = 75% * available
+               = rawScoringFunction(75) 
+               = 7                        # floor(75/10) 
+
+memory         = resourceScoringFunction((256+256),1024)
+               = (100 -((1024-512)*100/1024))
+               = 50                       # requested + used = 50% * available
+               = rawScoringFunction(50)
+               = 5                        # floor(50/10)
+
+cpu            = resourceScoringFunction((2+1),8)
+               = (100 -((8-3)*100/8))
+               = 37.5                     # requested + used = 37.5% * available
+               = rawScoringFunction(37.5)
+               = 3                        # floor(37.5/10)
+
+NodeScore   =  (7 * 5) + (5 * 1) + (3 * 3) / (5 + 1 + 3)
+            =  5
+```
+
+<!--
+Node 2 spec:
+-->
+节点 2 配置：
+
+```
+可用：
+  intel.com/foo: 8
+  memory: 1GB
+  cpu: 8
+
+已用：
+  intel.com/foo: 2
+  memory: 512MB
+  cpu: 6
+```
+
+<!--
+Node score:
+-->
+节点得分：
+
+```
+intel.com/foo  = resourceScoringFunction((2+2),8)
+               = (100 - ((8-4)*100/8)
+               = (100 - 50)
+               = 50
+               = rawScoringFunction(50)
+               = 5
+
+memory         = resourceScoringFunction((256+512),1024)
+               = (100 -((1024-768)*100/1024))
+               = 75
+               = rawScoringFunction(75)
+               = 7
+
+cpu            = resourceScoringFunction((2+6),8)
+               = (100 -((8-8)*100/8))
+               = 100
+               = rawScoringFunction(100)
+               = 10
+
+NodeScore   =  (5 * 5) + (7 * 1) + (10 * 3) / (5 + 1 + 3)
+            =  7
+```
+
+## {{% heading "whatsnext" %}}
+
+<!--
+- Read more about the [scheduling framework](/docs/concepts/scheduling-eviction/scheduling-framework/)
+- Read more about [scheduler configuration](/docs/reference/scheduling/config/)
+-->
+- 继续阅读[调度器框架](/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework/)
+- 继续阅读[调度器配置](/zh-cn/docs/reference/scheduling/config/)
+
diff --git a/content/zh/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md b/content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
similarity index 96%
rename from content/zh/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
index dd6e1da395f39..6ceffe84613c1 100644
--- a/content/zh/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
@@ -23,7 +23,7 @@ is the Kubernetes default scheduler. It is responsible for placement of Pods
 on Nodes in a cluster.
 -->
 作为 kubernetes 集群的默认调度器，
-[kube-scheduler](/zh/docs/concepts/scheduling-eviction/kube-scheduler/#kube-scheduler)
+[kube-scheduler](/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/#kube-scheduler)
 主要负责将 Pod 调度到集群的 Node 上。
 
 <!--
@@ -85,7 +85,7 @@ To change the value, edit the
 and then restart the scheduler.
 In many cases, the configuration file can be found at `/etc/kubernetes/config/kube-scheduler.yaml`
  -->
-要修改这个值，先编辑 [kube-scheduler 的配置文件](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+要修改这个值，先编辑 [kube-scheduler 的配置文件](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 然后重启调度器。
 大多数情况下，这个配置文件是 `/etc/kubernetes/config/kube-scheduler.yaml`。
 
@@ -128,7 +128,7 @@ stops searching for more feasible nodes and moves on to the
 kube-scheduler 会将它转换为节点数的整数值。在调度期间，如果
 kube-scheduler 已确认的可调度节点数足以超过了配置的百分比数量，
 kube-scheduler 将停止继续查找可调度节点并继续进行
-[打分阶段](/zh/docs/concepts/scheduling-eviction/kube-scheduler/#kube-scheduler-implementation)。
+[打分阶段](/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/#kube-scheduler-implementation)。
 
 <!--
 [How the scheduler iterates over Nodes](#how-the-scheduler-iterates-over-nodes)
@@ -300,4 +300,4 @@ After going over all the Nodes, it goes back to Node 1.
 
 <!-- * Check the [kube-scheduler configuration reference (v1beta3)](/docs/reference/config-api/kube-scheduler-config.v1beta3/) -->
 
-* 参见 [kube-scheduler 配置参考 (v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+* 参见 [kube-scheduler 配置参考 (v1beta3)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)
diff --git a/content/zh/docs/concepts/scheduling-eviction/scheduling-framework.md b/content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md
similarity index 99%
rename from content/zh/docs/concepts/scheduling-eviction/scheduling-framework.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md
index 9e0fee45ac81f..80cefde2e1266 100644
--- a/content/zh/docs/concepts/scheduling-eviction/scheduling-framework.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework.md
@@ -451,7 +451,7 @@ enabled by default.
  -->
 你可以在调度器配置中启用或禁用插件。
 如果你在使用 Kubernetes v1.18 或更高版本，大部分调度
-[插件](/zh/docs/reference/scheduling/config/#scheduling-plugins)
+[插件](/zh-cn/docs/reference/scheduling/config/#scheduling-plugins)
 都在使用中且默认启用。
 
 <!--
@@ -470,6 +470,6 @@ Learn more at [multiple profiles](/docs/reference/scheduling/config/#multiple-pr
  -->
 如果你正在使用 Kubernetes v1.18 或更高版本，你可以将一组插件设置为
 一个调度器配置文件，然后定义不同的配置文件来满足各类工作负载。
-了解更多关于[多配置文件](/zh/docs/reference/scheduling/config/#multiple-profiles)。
+了解更多关于[多配置文件](/zh-cn/docs/reference/scheduling/config/#multiple-profiles)。
 
 
diff --git a/content/zh/docs/concepts/scheduling-eviction/taint-and-toleration.md b/content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md
similarity index 91%
rename from content/zh/docs/concepts/scheduling-eviction/taint-and-toleration.md
rename to content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md
index d1d400217c7a1..39ad284a00a0f 100644
--- a/content/zh/docs/concepts/scheduling-eviction/taint-and-toleration.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration.md
@@ -11,7 +11,7 @@ is a property of {{< glossary_tooltip text="Pods" term_id="pod" >}} that *attrac
 a set of {{< glossary_tooltip text="nodes" term_id="node" >}} (either as a preference or a
 hard requirement). _Taints_ are the opposite -- they allow a node to repel a set of pods.
 -->
-[_节点亲和性_](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+[_节点亲和性_](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
 是 {{< glossary_tooltip text="Pod" term_id="pod" >}} 的一种属性，它使 Pod
 被吸引到一类特定的{{< glossary_tooltip text="节点" term_id="node" >}}
 （这可能出于一种偏好，也可能是硬性要求）。
@@ -42,7 +42,7 @@ marks that the node should not accept any pods that do not tolerate the taints.
 You add a taint to a node using [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint).
 For example,
 -->
-您可以使用命令 [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint) 给节点增加一个污点。比如，
+你可以使用命令 [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint) 给节点增加一个污点。比如，
 
 ```shell
 kubectl taint nodes node1 key1=value1:NoSchedule
@@ -75,7 +75,7 @@ You specify a toleration for a pod in the PodSpec. Both of the following tolerat
 taint created by the `kubectl taint` line above, and thus a pod with either toleration would be able
 to schedule onto `node1`:
 -->
-您可以在 PodSpec 中定义 Pod 的容忍度。
+你可以在 PodSpec 中定义 Pod 的容忍度。
 下面两个容忍度均与上面例子中使用 `kubectl taint` 命令创建的污点相匹配，
 因此如果一个 Pod 拥有其中的任何一个容忍度都能够被分配到 `node1` ：
 
@@ -140,7 +140,7 @@ This is a "preference" or "soft" version of `NoSchedule` - the system will *try*
 pod that does not tolerate the taint on the node, but it is not required. The third kind of `effect` is
 `NoExecute`, described later.
 -->
-上述例子中 `effect` 使用的值为 `NoSchedule`，您也可以使用另外一个值 `PreferNoSchedule`。
+上述例子中 `effect` 使用的值为 `NoSchedule`，你也可以使用另外一个值 `PreferNoSchedule`。
 这是“优化”或“软”版本的 `NoSchedule` —— 系统会 *尽量* 避免将 Pod 调度到存在其不能容忍污点的节点上，
 但这不是强制的。`effect` 的值还可以设置为 `NoExecute`，下文会详细描述这个值。
 
@@ -150,13 +150,12 @@ The way Kubernetes processes multiple taints and tolerations is like a filter: s
 with all of a node's taints, then ignore the ones for which the pod has a matching toleration; the
 remaining un-ignored taints have the indicated effects on the pod. In particular,
 -->
-您可以给一个节点添加多个污点，也可以给一个 Pod 添加多个容忍度设置。
+你可以给一个节点添加多个污点，也可以给一个 Pod 添加多个容忍度设置。
 Kubernetes 处理多个污点和容忍度的过程就像一个过滤器：从一个节点的所有污点开始遍历，
 过滤掉那些 Pod 中存在与之相匹配的容忍度的污点。余下未被过滤的污点的 effect 值决定了
 Pod 是否会被分配到该节点，特别是以下情况：
 
 <!--
-
 * if there is at least one un-ignored taint with effect `NoSchedule` then Kubernetes will not schedule
 the pod onto that node
 * if there is no un-ignored taint with effect `NoSchedule` but there is at least one un-ignored taint with
@@ -177,7 +176,7 @@ scheduled onto the node (if it is not yet running on the node).
 <!--
 For example, imagine you taint a node like this
 -->
-例如，假设您给一个节点添加了如下污点
+例如，假设你给一个节点添加了如下污点
 
 ```shell
 kubectl taint nodes node1 key1=value1:NoSchedule
@@ -253,7 +252,7 @@ taint is removed before that time, the pod will not be evicted.
 Taints and tolerations are a flexible way to steer pods *away* from nodes or evict
 pods that shouldn't be running. A few of the use cases are
 -->
-通过污点和容忍度，可以灵活地让 Pod *避开* 某些节点或者将 Pod 从某些节点驱逐。下面是几个使用例子：
+通过污点和容忍度，可以灵活地让 Pod **避开** 某些节点或者将 Pod 从某些节点驱逐。下面是几个使用例子：
 
 <!--
 * **Dedicated Nodes**: If you want to dedicate a set of nodes for exclusive use by
@@ -268,13 +267,13 @@ to the taint to the same set of nodes (e.g. `dedicated=groupName`), and the admi
 controller should additionally add a node affinity to require that the pods can only schedule
 onto nodes labeled with `dedicated=groupName`.
 -->
-* **专用节点**：如果您想将某些节点专门分配给特定的一组用户使用，您可以给这些节点添加一个污点（即，
+* **专用节点**：如果你想将某些节点专门分配给特定的一组用户使用，你可以给这些节点添加一个污点（即，
   `kubectl taint nodes nodename dedicated=groupName:NoSchedule`），
   然后给这组用户的 Pod 添加一个相对应的 toleration（通过编写一个自定义的
-  [准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)，很容易就能做到）。
+  [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)，很容易就能做到）。
   拥有上述容忍度的 Pod 就能够被分配到上述专用节点，同时也能够被分配到集群中的其它节点。
-  如果您希望这些 Pod 只能被分配到上述专用节点，那么您还需要给这些专用节点另外添加一个和上述
- 污点类似的 label （例如：`dedicated=groupName`），同时 还要在上述准入控制器中给 Pod
+  如果你希望这些 Pod 只能被分配到上述专用节点，那么你还需要给这些专用节点另外添加一个和上述
+  污点类似的 label （例如：`dedicated=groupName`），同时 还要在上述准入控制器中给 Pod
   增加节点亲和性要求上述 Pod 只能被分配到添加了 `dedicated=groupName` 标签的节点上。
 
 <!--
@@ -307,16 +306,16 @@ manually add tolerations to your pods.
   `kubectl taint nodes nodename special=true:PreferNoSchedule`)，
   然后给使用了这类特殊硬件的 Pod 添加一个相匹配的 toleration。
   和专用节点的例子类似，添加这个容忍度的最简单的方法是使用自定义
-  [准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)。
-  比如，我们推荐使用[扩展资源](/zh/docs/concepts/configuration/manage-resources-containers/#extended-resources)
+  [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)。
+  比如，我们推荐使用[扩展资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/#extended-resources)
   来表示特殊硬件，给配置了特殊硬件的节点添加污点时包含扩展资源名称，
-  然后运行一个 [ExtendedResourceToleration](/zh/docs/reference/access-authn-authz/admission-controllers/#extendedresourcetoleration)
+  然后运行一个 [ExtendedResourceToleration](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#extendedresourcetoleration)
   准入控制器。此时，因为节点已经被设置污点了，没有对应容忍度的 Pod
   不会被调度到这些节点。但当你创建一个使用了扩展资源的 Pod 时，
   `ExtendedResourceToleration` 准入控制器会自动给 Pod 加上正确的容忍度，
   这样 Pod 就会被自动调度到这些配置了特殊硬件件的节点上。
   这样就能够确保这些配置了特殊硬件的节点专门用于运行需要使用这些硬件的 Pod，
-  并且您无需手动给这些 Pod 添加容忍度。
+  并且你无需手动给这些 Pod 添加容忍度。
 
 <!--
 * **Taint based Evictions**: A per-pod-configurable eviction behavior
@@ -341,7 +340,7 @@ running on the node as follows
  * pods that tolerate the taint with a specified `tolerationSeconds` remain
    bound for the specified amount of time
 -->
-前文提到过污点的 effect 值 `NoExecute`会影响已经在节点上运行的 Pod
+前文提到过污点的 effect 值 `NoExecute` 会影响已经在节点上运行的 Pod
 
  * 如果 Pod 不能忍受 effect 值为 `NoExecute` 的污点，那么 Pod 将马上被驱逐
  * 如果 Pod 能够忍受 effect 值为 `NoExecute` 的污点，但是在容忍度定义中没有指定
@@ -396,7 +395,7 @@ as the master becoming partitioned from the nodes.
 -->
 {{< note >}}
 为了保证由于节点问题引起的 Pod 驱逐
-[速率限制](/zh/docs/concepts/architecture/nodes/)行为正常，
+[速率限制](/zh-cn/docs/concepts/architecture/nodes/)行为正常，
 系统实际上会以限定速率的方式添加污点。在像主控节点与工作节点间通信中断等场景下，
 这样做可以避免 Pod 被大量驱逐。
 {{< /note >}}
@@ -462,7 +461,7 @@ Nodes for 5 minutes after one of these problems is detected.
 
 This ensures that DaemonSet pods are never evicted due to these problems.
 -->
-[DaemonSet](/zh/docs/concepts/workloads/controllers/daemonset/) 中的 Pod 被创建时，
+[DaemonSet](/zh-cn/docs/concepts/workloads/controllers/daemonset/) 中的 Pod 被创建时，
 针对以下污点自动添加的 `NoExecute` 的容忍度将不会指定 `tolerationSeconds`：
 
   * `node.kubernetes.io/unreachable`
@@ -488,7 +487,7 @@ control plane adds the `node.kubernetes.io/memory-pressure` taint.
 -->
 
 控制平面使用节点{{<glossary_tooltip text="控制器" term_id="controller">}}自动创建
-与[节点状况](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/#node-conditions)对应的带有 `NoSchedule` 效应的污点。
+与[节点状况](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/#node-conditions)对应的带有 `NoSchedule` 效应的污点。
 
 调度器在进行调度时检查污点，而不是检查节点状况。这确保节点状况不会直接影响调度。
 例如，如果 `DiskPressure` 节点状况处于活跃状态，则控制平面
@@ -507,7 +506,7 @@ onto the affected node.
 -->
 
 对于新创建的 Pod，可以通过添加相应的 Pod 容忍度来忽略节点状况。
-控制平面还在具有除 `BestEffort` 之外的 {{<glossary_tooltip text="QoS 类" term_id="qos-class" >}}的 pod 上
+控制平面还在具有除 `BestEffort` 之外的 {{<glossary_tooltip text="QoS 类" term_id="qos-class" >}}的 Pod 上
 添加 `node.kubernetes.io/memory-pressure` 容忍度。
 这是因为 Kubernetes 将 `Guaranteed` 或 `Burstable` QoS 类中的 Pod（甚至没有设置内存请求的 Pod）
 视为能够应对内存压力，而新创建的 `BestEffort` Pod 不会被调度到受影响的节点上。
@@ -530,14 +529,14 @@ DaemonSet 控制器自动为所有守护进程添加如下 `NoSchedule` 容忍
   * `node.kubernetes.io/disk-pressure`
   * `node.kubernetes.io/pid-pressure` (1.14 或更高版本)
   * `node.kubernetes.io/unschedulable` (1.10 或更高版本)
-  * `node.kubernetes.io/network-unavailable` (*只适合主机网络配置*)
+  * `node.kubernetes.io/network-unavailable` (**只适合主机网络配置**)
 
 <!--
 Adding these tolerations ensures backward compatibility. You can also add
 arbitrary tolerations to DaemonSets.
 -->
 
-添加上述容忍度确保了向后兼容，您也可以选择自由向 DaemonSet 添加容忍度。
+添加上述容忍度确保了向后兼容，你也可以选择自由向 DaemonSet 添加容忍度。
 
 ## {{% heading "whatsnext" %}}
 
@@ -545,5 +544,5 @@ arbitrary tolerations to DaemonSets.
 * Read about [Node-pressure Eviction](/docs/concepts/scheduling-eviction/node-pressure-eviction/) and how you can configure it
 * Read about [Pod Priority](/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 -->
-* 阅读[节点压力驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)，以及如何配置其行为
-* 阅读 [Pod 优先级](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+* 阅读[节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)，以及如何配置其行为
+* 阅读 [Pod 优先级](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
diff --git a/content/zh/docs/concepts/security/_index.md b/content/zh-cn/docs/concepts/security/_index.md
similarity index 100%
rename from content/zh/docs/concepts/security/_index.md
rename to content/zh-cn/docs/concepts/security/_index.md
diff --git a/content/zh/docs/concepts/security/controlling-access.md b/content/zh-cn/docs/concepts/security/controlling-access.md
similarity index 88%
rename from content/zh/docs/concepts/security/controlling-access.md
rename to content/zh-cn/docs/concepts/security/controlling-access.md
index 5946a002b6882..b8b671cb8a6ae 100644
--- a/content/zh/docs/concepts/security/controlling-access.md
+++ b/content/zh-cn/docs/concepts/security/controlling-access.md
@@ -1,6 +1,7 @@
 ---
 title: Kubernetes API 访问控制
 content_type: concept
+weight: 50
 ---
 <!--
 ---
@@ -9,6 +10,7 @@ reviewers:
 - lavalamp
 title: Controlling Access to the Kubernetes API
 content_type: concept
+weight: 50
 ---
 -->
 
@@ -28,8 +30,8 @@ authorized for API access.
 When a request reaches the API, it goes through several stages, illustrated in the
 following diagram:
 -->
-用户使用 `kubectl`、客户端库或构造 REST 请求来访问 [Kubernetes API](/zh/docs/concepts/overview/kubernetes-api/)。
-人类用户和 [Kubernetes 服务账户](/zh/docs/tasks/configure-pod-container/configure-service-account/)都可以被鉴权访问 API。
+用户使用 `kubectl`、客户端库或构造 REST 请求来访问 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/)。
+人类用户和 [Kubernetes 服务账户](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)都可以被鉴权访问 API。
 当请求到达 API 时，它会经历多个阶段，如下图所示：
 
 ![Kubernetes API 请求处理步骤示意图](/images/docs/admin/access-control-overview.svg)
@@ -72,7 +74,7 @@ Authenticators are described in more detail in
 -->
 如上图步骤 **1** 所示，建立 TLS 后， HTTP 请求将进入认证（Authentication）步骤。
 集群创建脚本或者集群管理员配置 API 服务器，使之运行一个或多个身份认证组件。
-身份认证组件在[认证](/zh/docs/reference/access-authn-authz/authentication/)节中有更详细的描述。
+身份认证组件在[认证](/zh-cn/docs/reference/access-authn-authz/authentication/)节中有更详细的描述。
 
 <!--
 The input to the authentication step is the entire HTTP request; however, it typically
@@ -182,7 +184,7 @@ Kubernetes 支持多种鉴权模块，例如 ABAC 模式、RBAC 模式和 Webhoo
 如果所有模块拒绝了该请求，请求将会被拒绝（HTTP 状态码 403）。
 
 要了解更多有关 Kubernetes 鉴权的更多信息，包括有关使用支持鉴权模块创建策略的详细信息，
-请参阅[鉴权](/zh/docs/reference/access-authn-authz/authorization/)。
+请参阅[鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)。
 
 <!-- ## Admission control -->
 ## 准入控制 {#admission-control}
@@ -223,7 +225,7 @@ for the corresponding API object, and then written to the object store (shown as
 
 除了拒绝对象之外，准入控制器还可以为字段设置复杂的默认值。
 
-可用的准入控制模块在[准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)中进行了描述。
+可用的准入控制模块在[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)中进行了描述。
 
 请求通过所有准入控制器后，将使用检验例程检查对应的 API 对象，然后将其写入对象存储（如步骤 **4** 所示）。
 
@@ -241,7 +243,7 @@ For more information, see [Auditing](/docs/tasks/debug/debug-cluster/audit/).
 Kubernetes 审计提供了一套与安全相关的、按时间顺序排列的记录，其中记录了集群中的操作序列。
 集群对用户、使用 Kubernetes API 的应用程序以及控制平面本身产生的活动进行审计。
 
-更多信息请参考 [审计](/zh/docs/tasks/debug/debug-cluster/audit/).
+更多信息请参考 [审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/).
 
 <!-- ## API server ports and IPs -->
 ## API 服务器端口和 IP {#api-server-ports-and-ips}
@@ -327,23 +329,23 @@ You can learn about:
 -->
 阅读更多有关身份认证、鉴权和 API 访问控制的文档：
 
-- [认证](/zh/docs/reference/access-authn-authz/authentication/)
-   - [使用 Bootstrap 令牌进行身份认证](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
-- [准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
-   - [动态准入控制](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
-- [鉴权](/zh/docs/reference/access-authn-authz/authorization/)
-   - [基于角色的访问控制](/zh/docs/reference/access-authn-authz/rbac/)
-   - [基于属性的访问控制](/zh/docs/reference/access-authn-authz/abac/)
-   - [节点鉴权](/zh/docs/reference/access-authn-authz/node/)
-   - [Webhook 鉴权](/zh/docs/reference/access-authn-authz/webhook/)
-- [证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)
-   - 包括 [CSR 认证](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
-     和[证书签名](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
+- [认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
+   - [使用 Bootstrap 令牌进行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
+- [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
+   - [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
+- [鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)
+   - [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
+   - [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
+   - [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
+   - [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
+- [证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
+   - 包括 [CSR 认证](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
+     和[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
 - 服务账户
-  - [开发者指导](/zh/docs/tasks/configure-pod-container/configure-service-account/)
-  - [管理](/zh/docs/reference/access-authn-authz/service-accounts-admin/)
+  - [开发者指导](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
+  - [管理](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
 
 你可以了解
 - Pod 如何使用
-  [Secrets](/zh/docs/concepts/configuration/secret/#service-accounts-automatically-create-and-attach-secrets-with-api-credentials)
+  [Secrets](/zh-cn/docs/concepts/configuration/secret/#service-accounts-automatically-create-and-attach-secrets-with-api-credentials)
   获取 API 凭证.
diff --git a/content/zh/docs/concepts/security/overview.md b/content/zh-cn/docs/concepts/security/overview.md
similarity index 83%
rename from content/zh/docs/concepts/security/overview.md
rename to content/zh-cn/docs/concepts/security/overview.md
index f13c1e06f5ad2..165c339de1fc0 100644
--- a/content/zh/docs/concepts/security/overview.md
+++ b/content/zh-cn/docs/concepts/security/overview.md
@@ -5,6 +5,15 @@ description: >
 content_type: concept
 weight: 1
 ---
+<!--
+reviewers:
+- zparnold
+title: Overview of Cloud Native Security
+description: >
+  A model for thinking about Kubernetes security in the context of Cloud Native security.
+content_type: concept
+weight: 1
+-->
 
 <!-- overview -->
 <!--
@@ -27,7 +36,7 @@ This container security model provides suggestions, not proven information secur
 You can think about security in layers. The 4C's of Cloud Native security are Cloud,
 Clusters, Containers, and Code.
 -->
-## 云原生安全的 4 个 C
+## 云原生安全的 4 个 C    {#the-4c-s-of-cloud-native-security}
 
 你可以分层去考虑安全性，云原生安全的 4 个 C 分别是云（Cloud）、集群（Cluster）、容器（Container）和代码（Code）。
 
@@ -50,9 +59,13 @@ The Code layer benefits from strong base (Cloud, Cluster, Container) security la
 You cannot safeguard against poor security standards in the base layers by addressing
 security at the Code level.
 -->
-云原生安全模型的每一层都是基于下一个最外层，代码层受益于强大的基础安全层（云、集群、容器）。你无法通过在代码层解决安全问题来为基础层中糟糕的安全标准提供保护。
+云原生安全模型的每一层都是基于下一个最外层，代码层受益于强大的基础安全层（云、集群、容器）。
+你无法通过在代码层解决安全问题来为基础层中糟糕的安全标准提供保护。
 
-## 云
+<!--
+## Cloud
+-->
+## 云    {#cloud}
 
 <!--
 In many ways, the Cloud (or co-located servers, or the corporate datacenter) is the
@@ -74,9 +87,9 @@ If you are running a Kubernetes cluster on your own hardware or a different clou
 consult your documentation for security best practices.
 Here are links to some of the popular cloud providers' security documentation:
 -->
-### 云提供商安全性
+### 云提供商安全性    {#cloud-provider-security}
 
-如果您是在您自己的硬件或者其他不同的云提供商上运行 Kubernetes 集群，
+如果你是在你自己的硬件或者其他不同的云提供商上运行 Kubernetes 集群，
 请查阅相关文档来获取最好的安全实践。
 
 下面是一些比较流行的云提供商的安全性文档链接：
@@ -108,7 +121,7 @@ Network access to API Server (Control plane) | All access to the Kubernetes cont
 Network access to Nodes (nodes) | Nodes should be configured to _only_ accept connections (via network access control lists) from the control plane on the specified ports, and accept connections for services in Kubernetes of type NodePort and LoadBalancer. If possible, these nodes should not be exposed on the public internet entirely.
 Kubernetes access to Cloud Provider API | Each cloud provider needs to grant a different set of permissions to the Kubernetes control plane and nodes. It is best to provide the cluster with cloud provider access that follows the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) for the resources it needs to administer. The [Kops documentation](https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md#iam-roles) provides information about IAM policies and roles.
 Access to etcd | Access to etcd (the datastore of Kubernetes) should be limited to the control plane only. Depending on your configuration, you should attempt to use etcd over TLS. More information can be found in the [etcd documentation](https://github.com/etcd-io/etcd/tree/master/Documentation).
-etcd Encryption | Wherever possible it's a good practice to encrypt all drives at rest, and since etcd holds the state of the entire cluster (including Secrets) its disk should especially be encrypted at rest.
+etcd Encryption | Wherever possible it's a good practice to encrypt all storage at rest, and since etcd holds the state of the entire cluster (including Secrets) its disk should especially be encrypted at rest.
 
 {{< /table >}}
 -->
@@ -118,13 +131,13 @@ etcd Encryption | Wherever possible it's a good practice to encrypt all drives a
 
 {{< table caption="基础设施安全" >}}
 
-Kubetnetes 基础架构关注领域 | 建议 |
+Kubernetes 基础架构关注领域 | 建议 |
 --------------------------------------------- | -------------- |
 通过网络访问 API 服务（控制平面）|所有对 Kubernetes 控制平面的访问不允许在 Internet 上公开，同时应由网络访问控制列表控制，该列表包含管理集群所需的 IP 地址集。|
 通过网络访问 Node（节点）| 节点应配置为 _仅能_ 从控制平面上通过指定端口来接受（通过网络访问控制列表）连接，以及接受 NodePort 和 LoadBalancer 类型的 Kubernetes 服务连接。如果可能的话，这些节点不应完全暴露在公共互联网上。|
 Kubernetes 访问云提供商的 API | 每个云提供商都需要向 Kubernetes 控制平面和节点授予不同的权限集。为集群提供云提供商访问权限时，最好遵循对需要管理的资源的[最小特权原则](https://en.wikipedia.org/wiki/Principle_of_least_privilege)。[Kops 文档](https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md#iam-roles)提供有关 IAM 策略和角色的信息。|
 访问 etcd | 对 etcd（Kubernetes 的数据存储）的访问应仅限于控制平面。根据配置情况，你应该尝试通过 TLS 来使用 etcd。更多信息可以在 [etcd 文档](https://github.com/etcd-io/etcd/tree/master/Documentation)中找到。|
-etcd 加密 | 在所有可能的情况下，最好对所有驱动器进行静态数据加密，并且由于 etcd 拥有整个集群的状态（包括机密信息），因此其磁盘更应该进行静态数据加密。|
+etcd 加密 | 在所有可能的情况下，最好对所有存储进行静态数据加密，并且由于 etcd 拥有整个集群的状态（包括机密信息），因此其磁盘更应该进行静态数据加密。|
 
 {{< /table >}}
 
@@ -136,7 +149,7 @@ There are two areas of concern for securing Kubernetes:
 * Securing the cluster components that are configurable
 * Securing the applications which run in the cluster
 -->
-## 集群
+## 集群    {#cluster}
 
 保护 Kubernetes 有两个方面需要注意：
 
@@ -152,7 +165,7 @@ good information practices, read and follow the advice about
 -->
 ### 集群组件 {#cluster-components}
 
-如果想要保护集群免受意外或恶意的访问，采取良好的信息管理实践，请阅读并遵循有关[保护集群](/zh/docs/tasks/administer-cluster/securing-a-cluster/)的建议。
+如果想要保护集群免受意外或恶意的访问，采取良好的信息管理实践，请阅读并遵循有关[保护集群](/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/)的建议。
 
 <!--
 ### Components in the cluster (your application) {#cluster-applications}
@@ -174,22 +187,22 @@ Quality of Service (and Cluster resource management) | https://kubernetes.io/doc
 Network Policies | https://kubernetes.io/docs/concepts/services-networking/network-policies/
 TLS for Kubernetes Ingress | https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
 -->
-### 集群中的组件（您的应用） {#cluster-applications}
+### 集群中的组件（你的应用） {#cluster-applications}
 
-根据您的应用程序的受攻击面，您可能需要关注安全性的特定面，比如：
-如果您正在运行中的一个服务（A 服务）在其他资源链中很重要，并且所运行的另一工作负载（服务 B）
+根据你的应用程序的受攻击面，你可能需要关注安全性的特定面，比如：
+如果你正在运行中的一个服务（A 服务）在其他资源链中很重要，并且所运行的另一工作负载（服务 B）
 容易受到资源枯竭的攻击，则如果你不限制服务 B 的资源的话，损害服务 A 的风险就会很高。
 下表列出了安全性关注的领域和建议，用以保护 Kubernetes 中运行的工作负载：
 
 工作负载安全性关注领域         |  建议                 |
 ------------------------------ | --------------------- |
-RBAC 授权(访问 Kubernetes API) | https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
-认证方式 | https://kubernetes.io/zh/docs/concepts/security/controlling-access/
-应用程序 Secret 管理 (并在 etcd 中对其进行静态数据加密) | https://kubernetes.io/zh/docs/concepts/configuration/secret/ <br> https://kubernetes.io/zh/docs/tasks/administer-cluster/encrypt-data/
-确保 Pod 符合定义的 Pod 安全标准 | https://kubernetes.io/zh/docs/concepts/security/pod-security-standards/#policy-instantiation
-服务质量（和集群资源管理）| https://kubernetes.io/zh/docs/tasks/configure-pod-container/quality-service-pod/
-网络策略 | https://kubernetes.io/zh/docs/concepts/services-networking/network-policies/
-Kubernetes Ingress 的 TLS 支持 | https://kubernetes.io/zh/docs/concepts/services-networking/ingress/#tls
+RBAC 授权(访问 Kubernetes API) | https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/
+认证方式 | https://kubernetes.io/zh-cn/docs/concepts/security/controlling-access/
+应用程序 Secret 管理 (并在 etcd 中对其进行静态数据加密) | https://kubernetes.io/zh-cn/docs/concepts/configuration/secret/ <br> https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/encrypt-data/
+确保 Pod 符合定义的 Pod 安全标准 | https://kubernetes.io/zh-cn/docs/concepts/security/pod-security-standards/#policy-instantiation
+服务质量（和集群资源管理）| https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/
+网络策略 | https://kubernetes.io/zh-cn/docs/concepts/services-networking/network-policies/
+Kubernetes Ingress 的 TLS 支持 | https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/#tls
 
 <!--
 ## Container
@@ -204,16 +217,16 @@ Image Signing and Enforcement | Sign container images to maintain a system of tr
 Disallow privileged users | When constructing containers, consult your documentation for how to create users inside of the containers that have the least level of operating system privilege necessary in order to carry out the goal of the container.
 Use container runtime with stronger isolation | Select [container runtime classes](/docs/concepts/containers/runtime-class/) that provide stronger isolation
 -->
-## 容器
+## 容器    {#container}
 
 容器安全性不在本指南的探讨范围内。下面是一些探索此主题的建议和连接：
 
 容器关注领域                   | 建议           |
 ------------------------------ | -------------- |
-容器漏洞扫描和操作系统依赖安全性 | 作为镜像构建的一部分，您应该扫描您的容器里的已知漏洞。
+容器漏洞扫描和操作系统依赖安全性 | 作为镜像构建的一部分，你应该扫描你的容器里的已知漏洞。
 镜像签名和执行 | 对容器镜像进行签名，以维护对容器内容的信任。
 禁止特权用户 | 构建容器时，请查阅文档以了解如何在具有最低操作系统特权级别的容器内部创建用户，以实现容器的目标。
-使用带有较强隔离能力的容器运行时 | 选择提供较强隔离能力的[容器运行时类](/zh/docs/concepts/containers/runtime-class/)。
+使用带有较强隔离能力的容器运行时 | 选择提供较强隔离能力的[容器运行时类](/zh-cn/docs/concepts/containers/runtime-class/)。
 <!--
 ## Code
 
@@ -221,9 +234,9 @@ Application code is one of the primary attack surfaces over which you have the m
 While securing application code is outside of the Kubernetes security topic, here
 are recommendations to protect application code:
 -->
-## 代码
+## 代码    {#code}
 
-应用程序代码是您最能够控制的主要攻击面之一，虽然保护应用程序代码不在 Kubernetes 安全主题范围内，但以下是保护应用程序代码的建议：
+应用程序代码是你最能够控制的主要攻击面之一，虽然保护应用程序代码不在 Kubernetes 安全主题范围内，但以下是保护应用程序代码的建议：
 
 <!--
 ### Code security
@@ -240,17 +253,17 @@ Dynamic probing attacks | There are a few automated tools that you can run again
 
 {{< /table >}}
 -->
-### 代码安全性
+### 代码安全性    {#code-security}
 
 {{< table caption="代码安全" >}}
 
 代码关注领域 | 建议 |
 -------------------------| -------------- |
-仅通过 TLS 访问 | 如果您的代码需要通过 TCP 通信，请提前与客户端执行 TLS 握手。除少数情况外，请加密传输中的所有内容。更进一步，加密服务之间的网络流量是一个好主意。这可以通过被称为双向 TLS 或 [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) 的过程来完成，该过程对两个证书持有服务之间的通信执行双向验证。 |
+仅通过 TLS 访问 | 如果你的代码需要通过 TCP 通信，请提前与客户端执行 TLS 握手。除少数情况外，请加密传输中的所有内容。更进一步，加密服务之间的网络流量是一个好主意。这可以通过被称为双向 TLS 或 [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) 的过程来完成，该过程对两个证书持有服务之间的通信执行双向验证。 |
 限制通信端口范围 | 此建议可能有点不言自明，但是在任何可能的情况下，你都只应公开服务上对于通信或度量收集绝对必要的端口。|
 第三方依赖性安全 | 最好定期扫描应用程序的第三方库以了解已知的安全漏洞。每种编程语言都有一个自动执行此检查的工具。 |
-静态代码分析 | 大多数语言都提供给了一种方法，来分析代码段中是否存在潜在的不安全的编码实践。只要有可能，你都应该使用自动工具执行检查，该工具可以扫描代码库以查找常见的安全错误，一些工具可以在以下连接中找到：https://owasp.org/www-community/Source_Code_Analysis_Tools |
-动态探测攻击 | 您可以对服务运行一些自动化工具，来尝试一些众所周知的服务攻击。这些攻击包括 SQL 注入、CSRF 和 XSS。[OWASP Zed Attack](https://owasp.org/www-project-zap/) 代理工具是最受欢迎的动态分析工具之一。 |
+静态代码分析 | 大多数语言都提供给了一种方法，来分析代码段中是否存在潜在的不安全的编码实践。只要有可能，你都应该使用自动工具执行检查，该工具可以扫描代码库以查找常见的安全错误，一些工具可以在以下连接中找到： https://owasp.org/www-community/Source_Code_Analysis_Tools |
+动态探测攻击 | 你可以对服务运行一些自动化工具，来尝试一些众所周知的服务攻击。这些攻击包括 SQL 注入、CSRF 和 XSS。[OWASP Zed Attack](https://owasp.org/www-project-zap/) 代理工具是最受欢迎的动态分析工具之一。 |
 
 {{< /table >}}
 
@@ -270,12 +283,12 @@ Learn about related Kubernetes security topics:
 -->
 学习了解相关的 Kubernetes 安全主题：
 
-* [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)
-* [Pod 的网络策略](/zh/docs/concepts/services-networking/network-policies/)
-* [控制对 Kubernetes API 的访问](/zh/docs/concepts/security/controlling-access/)
-* [保护您的集群](/zh/docs/tasks/administer-cluster/securing-a-cluster/)
-* 为控制面[加密通信中的数据](/zh/docs/tasks/tls/managing-tls-in-a-cluster/)
-* [加密静止状态的数据](/zh/docs/tasks/administer-cluster/encrypt-data/)
-* [Kubernetes 中的 Secret](/zh/docs/concepts/configuration/secret/)
-* [运行时类](/zh/docs/concepts/containers/runtime-class)
+* [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
+* [Pod 的网络策略](/zh-cn/docs/concepts/services-networking/network-policies/)
+* [控制对 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access/)
+* [保护你的集群](/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/)
+* 为控制面[加密通信中的数据](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/)
+* [加密静止状态的数据](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)
+* [Kubernetes 中的 Secret](/zh-cn/docs/concepts/configuration/secret/)
+* [运行时类](/zh-cn/docs/concepts/containers/runtime-class)
 
diff --git a/content/zh/docs/concepts/security/pod-security-admission.md b/content/zh-cn/docs/concepts/security/pod-security-admission.md
similarity index 79%
rename from content/zh/docs/concepts/security/pod-security-admission.md
rename to content/zh-cn/docs/concepts/security/pod-security-admission.md
index 87fddd9ddb4c6..69f629ee682a5 100644
--- a/content/zh/docs/concepts/security/pod-security-admission.md
+++ b/content/zh-cn/docs/concepts/security/pod-security-admission.md
@@ -29,11 +29,11 @@ The Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-sta
 different isolation levels for Pods. These standards let you define how you want to restrict the
 behavior of pods in a clear, consistent fashion.
 -->
-Kubernetes [Pod 安全性标准（Security Standards）](/zh/docs/concepts/security/pod-security-standards/)
+Kubernetes [Pod 安全性标准（Security Standards）](/zh-cn/docs/concepts/security/pod-security-standards/)
 为 Pod 定义不同的隔离级别。这些标准能够让你以一种清晰、一致的方式定义如何限制 Pod 行为。
 
 <!--
-As a Beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
+As a beta feature, Kubernetes offers a built-in _Pod Security_ {{< glossary_tooltip
 text="admission controller" term_id="admission-controller" >}}, the successor
 to [PodSecurityPolicies](/docs/concepts/security/pod-security-policy/). Pod security restrictions
 are applied at the {{< glossary_tooltip text="namespace" term_id="namespace" >}} level when pods
@@ -41,7 +41,7 @@ are created.
 -->
 作为一项 Beta 功能特性，Kubernetes 提供一种内置的 _Pod 安全性_ 
 {{< glossary_tooltip text="准入控制器" term_id="admission-controller" >}}，
-作为 [PodSecurityPolicies](/zh/docs/concepts/security/pod-security-policy/)
+作为 [PodSecurityPolicies](/zh-cn/docs/concepts/security/pod-security-policy/)
 特性的后继演化版本。Pod 安全性限制是在 Pod 被创建时在
 {{< glossary_tooltip text="名字空间" term_id="namespace" >}}层面实施的。
 
@@ -51,45 +51,46 @@ The PodSecurityPolicy API is deprecated and will be
 [removed](/docs/reference/using-api/deprecation-guide/#v1-25) from Kubernetes in v1.25.
 -->
 PodSecurityPolicy API 已经被废弃，会在 Kubernetes v1.25 发行版中
-[移除](/zh/docs/reference/using-api/deprecation-guide/#v1-25)。
+[移除](/zh-cn/docs/reference/using-api/deprecation-guide/#v1-25)。
 {{< /note >}}
 
 <!-- body -->
 
 <!--
-## Enabling the `PodSecurity` admission plugin
+## {{% heading "prerequisites" %}}
 
-In v1.23, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-is a Beta feature and is enabled by default.
+To use this mechanism, your cluster must enforce Pod Security admission.
 
-In v1.22, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-is an Alpha feature and must be enabled in `kube-apiserver` in order to use the built-in admission plugin.
+### Built-in Pod Security admission enforcement
 -->
-## 启用 `PodSecurity` 准入插件   {#enabling-the-podsecurity-admission-plugin}
+## {{% heading "prerequisites" %}}
 
-在 v1.23 中，`PodSecurity` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-是一项 Beta 功能特性，默认被启用。
+要使用此机制，你的集群必须强制执行 Pod 安全准入。
+
+### 内置 Pod 安全准入强制执行
+
+<!--
+In Kubernetes v{{< skew currentVersion >}}, the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+is a beta feature and is enabled by default. You must have this feature gate enabled.
+If you are running a different version of Kubernetes, consult the documentation for that release.
+-->
+在 Kubernetes v{{< skew currentVersion >}} 中，`PodSecurity`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)是一项 Beta 特性，
+默认被启用。你必须启用此功能门控。如果你运行的是不同版本的 Kubernetes，请查阅该版本的文档。
 
-在 v1.22 中，`PodSecurity` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-是一项 Alpha 功能特性，必须在 `kube-apiserver` 上启用才能使用内置的准入插件。
 
-```shell
---feature-gates="...,PodSecurity=true"
-```
 
 <!--
-## Alternative: installing the `PodSecurity` admission webhook {#webhook}
+### Alternative: installing the `PodSecurity` admission webhook {#webhook}
 
-For environments where the built-in `PodSecurity` admission plugin cannot be used,
-either because the cluster is older than v1.22, or the `PodSecurity` feature cannot be enabled,
-the `PodSecurity` admission logic is also available as a Beta [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook).
+The `PodSecurity` admission logic is also available as a [validating admission webhook](https://git.k8s.io/pod-security-admission/webhook). This implementation is also beta.
+For environments where the built-in `PodSecurity` admission plugin cannot be enabled, you can instead enable that logic via a validating admission webhook.
 -->
-## 替代方案：安装 `PodSecurity` 准入 Webhook   {#webhook}
+### 替代方案：安装 `PodSecurity` 准入 Webhook   {#webhook}
 
-对于无法应用内置 `PodSecurity` 准入插件的环境，无论是因为集群版本低于 v1.22，
-或者 `PodSecurity` 特性无法被启用，都可以使用 Beta 版本的
-[验证性准入 Webhook](https://git.k8s.io/pod-security-admission/webhook)。
-来使用 `PodSecurity` 准入逻辑。
+`PodSecurity` 准入逻辑也可用作[验证性准入 Webhook](https://git.k8s.io/pod-security-admission/webhook)。
+该实现也是 Beta 版本。
+对于无法启用内置 `PodSecurity` 准入插件的环境，你可以改为通过验证准入 Webhook 启用该逻辑。
 
 <!--
 A pre-built container image, certificate generation scripts, and example manifests
@@ -113,9 +114,11 @@ The generated certificate is valid for 2 years. Before it expires,
 regenerate the certificate or remove the webhook in favor of the built-in admission plugin.
 -->
 所生成的证书合法期限为 2 年。在证书过期之前，
-需要重新生成证书或者去掉 Webhook 以使用内置的准入查件。
+需要重新生成证书或者去掉 Webhook 以使用内置的准入插件。
 {{< /note >}}
 
+<!-- body -->
+
 <!--
 ## Pod Security levels
 -->
@@ -129,11 +132,11 @@ Standards](/docs/concepts/security/pod-security-standards): `privileged`, `basel
 `restricted`. Refer to the [Pod Security Standards](/docs/concepts/security/pod-security-standards)
 page for an in-depth look at those requirements.
 -->
-Pod 安全性准入插件对 Pod 的[安全性上下文](/zh/docs/tasks/configure-pod-container/security-context/)
-有一定的要求，并且依据 [Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards)
+Pod 安全性准入插件对 Pod 的[安全性上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/)
+有一定的要求，并且依据 [Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards)
 所定义的三个级别（`privileged`、`baseline` 和 `restricted`）对其他字段也有要求。
 关于这些需求的更进一步讨论，请参阅
-[Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)页面。
+[Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards/)页面。
 
 <!--
 ## Pod Security Admission labels for namespaces
@@ -167,7 +170,7 @@ Mode | Description
 模式 | 描述
 :---------|:------------
 **enforce** | 策略违例会导致 Pod 被拒绝
-**audit** | 策略违例会触发[审计日志](/zh/docs/tasks/debug/debug-cluster/audit/)中记录新事件时添加审计注解；但是 Pod 仍是被接受的。
+**audit** | 策略违例会触发[审计日志](/zh-cn/docs/tasks/debug/debug-cluster/audit/)中记录新事件时添加审计注解；但是 Pod 仍是被接受的。
 **warn** | 策略违例会触发用户可见的警告信息，但是 Pod 仍是被接受的。
 {{< /table >}}
 
@@ -188,7 +191,7 @@ For each mode, there are two labels that determine the policy used:
 pod-security.kubernetes.io/<MODE>: <LEVEL>
 
 # Optional: per-mode version label that can be used to pin the policy to the
-# version that shipped with a given Kubernetes minor version (for example v{{< skew latestVersion >}}).
+# version that shipped with a given Kubernetes minor version (for example v{{< skew currentVersion >}}).
 #
 # MODE must be one of `enforce`, `audit`, or `warn`.
 # VERSION must be a valid Kubernetes minor version, or `latest`.
@@ -202,7 +205,7 @@ pod-security.kubernetes.io/<MODE>-version: <VERSION>
 pod-security.kubernetes.io/<MODE>: <LEVEL>
 
 # 可选：针对每个模式版本的版本标签可以将策略锁定到
-# 给定 Kubernetes 小版本号所附带的版本（例如 v{{< skew latestVersion >}}）
+# 给定 Kubernetes 小版本号所附带的版本（例如 v{{< skew currentVersion >}}）
 #
 # MODE 必须是 `enforce`、`audit` 或 `warn` 之一
 # VERSION 必须是一个合法的 Kubernetes 小版本号或者 `latest`
@@ -213,7 +216,7 @@ pod-security.kubernetes.io/<MODE>-version: <VERSION>
 Check out [Enforce Pod Security Standards with Namespace Labels](/docs/tasks/configure-pod-container/enforce-standards-namespace-labels) to see example usage.
 -->
 关于用法示例，可参阅
-[使用名字空间标签来强制实施 Pod 安全标准](/zh/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/)。
+[使用名字空间标签来强制实施 Pod 安全标准](/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/)。
 
 <!--
 ## Workload resources and Pod templates
@@ -229,7 +232,7 @@ applied to workload resources, only to the resulting pod objects.
 ## 负载资源和 Pod 模板    {#workload-resources-and-pod-templates}
 
 Pod 通常是通过创建 {{< glossary_tooltip term_id="deployment" >}} 或
-{{< glossary_tooltip term_id="job">}} 这类[工作负载对象](/zh/docs/concepts/workloads/controllers/)
+{{< glossary_tooltip term_id="job">}} 这类[工作负载对象](/zh-cn/docs/concepts/workloads/controllers/)
 来间接创建的。工作负载对象为工作负载资源定义一个 _Pod 模板_ 和一个对应的
 负责基于该模板来创建 Pod 的{{< glossary_tooltip term_id="controller" text="控制器" >}}。
 为了尽早地捕获违例状况，`audit` 和 `warn` 模式都应用到负载资源。
@@ -247,7 +250,7 @@ Exemptions can be statically configured in the
 
 你可以为 Pod 安全性的实施设置 _豁免（Exemptions）_ 规则，
 从而允许创建一些本来会被与给定名字空间相关的策略所禁止的 Pod。
-豁免规则可以在[准入控制器配置](/zh/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller)
+豁免规则可以在[准入控制器配置](/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller)
 中静态配置。
 
 <!--
@@ -319,9 +322,9 @@ current policy level:
 - [Enforce Pod Security Standards with Namespace Labels](/docs/tasks/configure-pod-container/enforce-standards-namespace-labels)
 - [Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller](/docs/tasks/configure-pod-container/migrate-from-psp)
 -->
-- [Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)
-- [强制实施 Pod 安全性标准](/zh/docs/setup/best-practices/enforcing-pod-security-standards/)
-- [通过配置内置的准入控制器强制实施 Pod 安全性标准](/zh/docs/tasks/configure-pod-container/enforce-standards-admission-controller/)
-- [使用名字空间标签来实施 Pod 安全性标准](/zh/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/)
-- [从 PodSecurityPolicy 迁移到内置的 PodSecurity 准入控制器](/zh/docs/tasks/configure-pod-container/migrate-from-psp/)
+- [Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards/)
+- [强制实施 Pod 安全性标准](/zh-cn/docs/setup/best-practices/enforcing-pod-security-standards/)
+- [通过配置内置的准入控制器强制实施 Pod 安全性标准](/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller/)
+- [使用名字空间标签来实施 Pod 安全性标准](/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/)
+- [从 PodSecurityPolicy 迁移到内置的 PodSecurity 准入控制器](/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp/)
 
diff --git a/content/zh-cn/docs/concepts/security/pod-security-policy.md b/content/zh-cn/docs/concepts/security/pod-security-policy.md
new file mode 100644
index 0000000000000..31137aab7f2c6
--- /dev/null
+++ b/content/zh-cn/docs/concepts/security/pod-security-policy.md
@@ -0,0 +1,1362 @@
+---
+title: Pod 安全策略
+content_type: concept
+weight: 30
+---
+
+<!--
+reviewers:
+- pweil-
+- tallclair
+title: Pod Security Policies
+content_type: concept
+weight: 30
+-->
+
+{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
+
+{{< caution >}}
+<!--
+PodSecurityPolicy is deprecated as of Kubernetes v1.21, and **will be removed in v1.25**. We recommend migrating to
+[Pod Security Admission](/docs/concepts/security/pod-security-admission/), or a 3rd party admission plugin.
+For a migration guide, see [Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller](/docs/tasks/configure-pod-container/migrate-from-psp/).
+For more information on the deprecation,
+see [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/).
+-->
+PodSecurityPolicy 在 Kubernetes v1.21 版本中被弃用，**将在 v1.25 中删除**。
+我们建议迁移到 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission)，
+或者第三方的准入插件。
+若需了解迁移指南，可参阅[从 PodSecurityPolicy 迁移到内置的 PodSecurity 准入控制器](/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp/)。
+关于弃用的更多信息，请查阅 [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)。
+{{< /caution >}}
+
+<!--
+Pod Security Policies enable fine-grained authorization of pod creation and
+updates.
+-->
+Pod 安全策略使得对 Pod 创建和更新进行细粒度的权限控制成为可能。
+
+<!-- body -->
+
+<!--
+## What is a Pod Security Policy?
+
+A _Pod Security Policy_ is a cluster-level resource that controls security
+sensitive aspects of the pod specification. The
+[PodSecurityPolicy](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy) objects
+define a set of conditions that a pod must run with in order to be accepted into
+the system, as well as defaults for the related fields. They allow an
+administrator to control the following:
+-->
+## 什么是 Pod 安全策略？   {#what-is-a-pod-security-policy}
+
+_Pod 安全策略（Pod Security Policy）_ 是集群级别的资源，它能够控制 Pod 规约
+中与安全性相关的各个方面。
+[PodSecurityPolicy](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy)
+对象定义了一组 Pod 运行时必须遵循的条件及相关字段的默认值，只有 Pod 满足这些条件才会被系统接受。
+Pod 安全策略允许管理员控制如下方面：
+
+<!--
+| Control Aspect                                      | Field Names                                 |
+| ----------------------------------------------------| ------------------------------------------- |
+| Running of privileged containers                    | [`privileged`](#privileged)                                |
+| Usage of host namespaces                            | [`hostPID`, `hostIPC`](#host-namespaces)    |
+| Usage of host networking and ports                  | [`hostNetwork`, `hostPorts`](#host-namespaces) |
+| Usage of volume types                               | [`volumes`](#volumes-and-file-systems)      |
+| Usage of the host filesystem                        | [`allowedHostPaths`](#volumes-and-file-systems) |
+| Allow specific FlexVolume drivers                   | [`allowedFlexVolumes`](#flexvolume-drivers) |
+| Allocating an FSGroup that owns the pod's volumes   | [`fsGroup`](#volumes-and-file-systems)      |
+| Requiring the use of a read only root file system   | [`readOnlyRootFilesystem`](#volumes-and-file-systems) |
+| The user and group IDs of the container             | [`runAsUser`, `runAsGroup`, `supplementalGroups`](#users-and-groups) |
+| Restricting escalation to root privileges           | [`allowPrivilegeEscalation`, `defaultAllowPrivilegeEscalation`](#privilege-escalation) |
+| Linux capabilities                                  | [`defaultAddCapabilities`, `requiredDropCapabilities`, `allowedCapabilities`](#capabilities) |
+| The SELinux context of the container                | [`seLinux`](#selinux)                       |
+| The Allowed Proc Mount types for the container      | [`allowedProcMountTypes`](#allowedprocmounttypes) |
+| The AppArmor profile used by containers             | [annotations](#apparmor)                    |
+| The seccomp profile used by containers              | [annotations](#seccomp)                     |
+| The sysctl profile used by containers               | [`forbiddenSysctls`,`allowedUnsafeSysctls`](#sysctl)                      |
+-->
+| 控制的角度                          | 字段名称                          |
+| ----------------------------------- | --------------------------------- |
+| 运行特权容器                        | [`privileged`](#privileged) |
+| 使用宿主名字空间                    | [`hostPID`、`hostIPC`](#host-namespaces) |
+| 使用宿主的网络和端口                | [`hostNetwork`, `hostPorts`](#host-namespaces) |
+| 控制卷类型的使用                    | [`volumes`](#volumes-and-file-systems) |
+| 使用宿主文件系统                    | [`allowedHostPaths`](#volumes-and-file-systems) |
+| 允许使用特定的 FlexVolume 驱动      | [`allowedFlexVolumes`](#flexvolume-drivers) |
+| 分配拥有 Pod 卷的 FSGroup 账号      | [`fsGroup`](#volumes-and-file-systems)      |
+| 以只读方式访问根文件系统            | [`readOnlyRootFilesystem`](#volumes-and-file-systems) |
+| 设置容器的用户和组 ID               | [`runAsUser`, `runAsGroup`, `supplementalGroups`](#users-and-groups) |
+| 限制 root 账号特权级提升             | [`allowPrivilegeEscalation`, `defaultAllowPrivilegeEscalation`](#privilege-escalation) |
+| Linux 权能字（Capabilities）        | [`defaultAddCapabilities`, `requiredDropCapabilities`, `allowedCapabilities`](#capabilities) |
+| 设置容器的 SELinux 上下文           | [`seLinux`](#selinux)                       |
+| 指定容器可以挂载的 proc 类型        | [`allowedProcMountTypes`](#allowedprocmounttypes) |
+| 指定容器使用的 AppArmor 模版        | [annotations](#apparmor)                    |
+| 指定容器使用的 seccomp 模版         | [annotations](#seccomp)                     |
+| 指定容器使用的 sysctl 模版          | [`forbiddenSysctls`,`allowedUnsafeSysctls`](#sysctl)  | 
+
+<!--
+## Enabling Pod Security Policies
+
+Pod security policy control is implemented as an optional
+[admission controller](/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy).
+PodSecurityPolicies are enforced by
+[enabling the admission controller](/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in),
+but doing so without authorizing any policies **will prevent any pods from being created** in the
+cluster.
+-->
+## 启用 Pod 安全策略   {#enabling-pod-security-policies}
+
+Pod 安全策略实现为一种可选的[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)。
+[启用了准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in)即可强制实施
+Pod 安全策略，不过如果没有授权认可策略之前即启用准入控制器 **将导致集群中无法创建任何 Pod**。
+
+<!--
+Since the pod security policy API (`policy/v1beta1/podsecuritypolicy`) is
+enabled independently of the admission controller, for existing clusters it is
+recommended that policies are added and authorized before enabling the admission
+controller.
+-->
+由于 Pod 安全策略 API（`policy/v1beta1/podsecuritypolicy`）是独立于准入控制器
+来启用的，对于现有集群而言，建议在启用准入控制器之前先添加策略并对其授权。
+
+<!--
+## Authorizing Policies
+
+When a PodSecurityPolicy resource is created, it does nothing. In order to use
+it, the requesting user or target pod's
+[service account](/docs/tasks/configure-pod-container/configure-service-account/)
+must be authorized to use the policy, by allowing the `use` verb on the policy.
+-->
+## 授权策略    {#authorizing-policies}
+
+PodSecurityPolicy 资源被创建时，并不执行任何操作。为了使用该资源，
+需要对发出请求的用户或者目标 Pod
+的[服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)授权，
+通过允许其对策略执行 `use` 动词允许其使用该策略。
+
+<!--
+Most Kubernetes pods are not created directly by users. Instead, they are
+typically created indirectly as part of a
+[Deployment](/docs/concepts/workloads/controllers/deployment/),
+[ReplicaSet](/docs/concepts/workloads/controllers/replicaset/), or other
+templated controller via the controller manager. Granting the controller access
+to the policy would grant access for *all* pods created by that controller,
+so the preferred method for authorizing policies is to grant access to the
+pod's service account (see [example](#run-another-pod)).
+-->
+大多数 Kubernetes Pod 不是由用户直接创建的。相反，这些 Pod 是由
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)、
+[ReplicaSet](/zh-cn/docs/concepts/workloads/controllers/replicaset/)
+或者经由控制器管理器模版化的控制器创建。
+赋予控制器访问策略的权限意味着对应控制器所创建的 *所有* Pod 都可访问策略。
+因此，对策略进行授权的优先方案是为 Pod 的服务账号授予访问权限
+（参见[示例](#run-another-pod)）。
+
+<!--
+### Via RBAC
+
+[RBAC](/docs/reference/access-authn-authz/rbac/) is a standard Kubernetes
+authorization mode, and can easily be used to authorize use of policies.
+
+First, a `Role` or `ClusterRole` needs to grant access to `use` the desired
+policies. The rules to grant access look like this:
+-->
+### 通过 RBAC 授权   {#via-rbac}
+
+[RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/) 是一种标准的 Kubernetes
+鉴权模式，可以很容易地用来授权策略访问。
+
+首先，某 `Role` 或 `ClusterRole` 需要获得使用 `use` 访问目标策略的权限。
+访问授权的规则看起来像这样：
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: <Role 名称>
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - <要授权的策略列表>
+```
+
+<!--
+Then the `(Cluster)Role` is bound to the authorized user(s):
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: <binding name>
+roleRef:
+  kind: ClusterRole
+  name: <role name>
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize all service accounts in a namespace (recommended):
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:serviceaccounts:<authorized namespace>
+# Authorize specific service accounts (not recommended):
+- kind: ServiceAccount
+  name: <authorized service account name>
+  namespace: <authorized pod namespace>
+# Authorize specific users (not recommended):
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: <authorized user name>
+```
+-->
+接下来将该 `Role`（或 `ClusterRole`）绑定到授权的用户：
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: <绑定名称>
+roleRef:
+  kind: ClusterRole
+  name: <角色名称>
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  # 授权命名空间下的所有服务账号（推荐）：
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: system:serviceaccounts:<authorized namespace>
+  # 授权特定的服务账号（不建议这样操作）：
+  - kind: ServiceAccount
+    name: <被授权的服务账号名称>
+    namespace: <被授权的 Pod 名字空间>
+  # 授权特定的用户（不建议这样操作）：
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: <被授权的用户名>
+```
+
+<!--
+If a `RoleBinding` (not a `ClusterRoleBinding`) is used, it will only grant
+usage for pods being run in the same namespace as the binding. This can be
+paired with system groups to grant access to all pods run in the namespace:
+
+```yaml
+# Authorize all service accounts in a namespace:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:serviceaccounts
+# Or equivalently, all authenticated users in a namespace:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:authenticated
+```
+-->
+如果使用的是 `RoleBinding`（而不是 `ClusterRoleBinding`），授权仅限于与该
+`RoleBinding` 处于同一名字空间中的 Pod。
+可以考虑将这种授权模式和系统组结合，对名字空间中的所有 Pod 授予访问权限。
+
+```yaml
+# 授权某名字空间中所有服务账号
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:serviceaccounts
+# 或者与此等价，授权给某名字空间中所有被认证过的用户
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:authenticated
+```
+
+<!--
+For more examples of RBAC bindings, see
+[Role Binding Examples](/docs/reference/access-authn-authz/rbac#role-binding-examples).
+For a complete example of authorizing a PodSecurityPolicy, see [below](#example).
+-->
+参阅[角色绑定示例](/zh-cn/docs/reference/access-authn-authz/rbac#role-binding-examples)查看
+RBAC 绑定的更多实例。
+参阅[下文](#example)，查看对 PodSecurityPolicy 进行授权的完整示例。
+
+<!--
+### Recommended Practice
+
+PodSecurityPolicy is being replaced by a new, simplified `PodSecurity`
+{{< glossary_tooltip text="admission controller" term_id="admission-controller" >}}.
+For more details on this change, see
+[PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/).
+Follow these guidelines to simplify migration from PodSecurityPolicy to the
+new admission controller:
+-->
+## 推荐实践   {#recommended-practice}
+
+PodSecurityPolicy 正在被一个新的、简化的 `PodSecurity`
+{{< glossary_tooltip text="准入控制器" term_id="admission-controller" >}}替代。
+有关此变更的更多详细信息，请参阅
+[PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)。
+参照下述指导，简化从 PodSecurityPolicy 迁移到新的准入控制器步骤：
+
+<!--
+1. Limit your PodSecurityPolicies to the policies defined by the
+   [Pod Security Standards](/docs/concepts/security/pod-security-standards):
+
+   - {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
+   - {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
+   - {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}
+-->
+1. 将 PodSecurityPolicies 限制为
+   [Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards)所定义的策略：
+
+   - {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
+   - {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
+   - {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}
+
+<!--
+2. Only bind PSPs to entire namespaces, by using the `system:serviceaccounts:<namespace>` group
+   (where `<namespace>` is the target namespace). For example:
+
+   ```yaml
+   apiVersion: rbac.authorization.k8s.io/v1
+   # This cluster role binding allows all pods in the "development" namespace to use the baseline PSP.
+   kind: ClusterRoleBinding
+   metadata:
+     name: psp-baseline-namespaces
+   roleRef:
+     kind: ClusterRole
+     name: psp-baseline
+     apiGroup: rbac.authorization.k8s.io
+   subjects:
+   - kind: Group
+     name: system:serviceaccounts:development
+     apiGroup: rbac.authorization.k8s.io
+   - kind: Group
+     name: system:serviceaccounts:canary
+     apiGroup: rbac.authorization.k8s.io
+   ```
+-->
+2. 通过配置 `system:serviceaccounts:<namespace>` 组（`<namespace>` 是目标名字空间），
+   仅将 PSP 绑定到整个命名空间。示例：
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    # 此集群角色绑定允许 "development" 名字空间中的所有 Pod 使用 baseline PSP。
+    kind: ClusterRoleBinding
+    metadata:
+      name: psp-baseline-namespaces
+    roleRef:
+      kind: ClusterRole
+      name: psp-baseline
+      apiGroup: rbac.authorization.k8s.io
+    subjects:
+    - kind: Group
+      name: system:serviceaccounts:development
+      apiGroup: rbac.authorization.k8s.io
+    - kind: Group
+      name: system:serviceaccounts:canary
+      apiGroup: rbac.authorization.k8s.io
+    ```
+
+<!--
+### Troubleshooting
+
+- The [Controller Manager](/docs/reference/command-line-tools-reference/kube-controller-manager/)
+  must be run against the secured API port and must not have superuser permissions. See
+  [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access)
+  to learn about API server access controls.  
+  If the controller manager connected through the trusted API port (also known as the
+  `localhost` listener), requests would bypass authentication and authorization modules;
+  all PodSecurityPolicy objects would be allowed, and users would be able to create grant
+  themselves the ability to create privileged containers.
+
+  For more details on configuring controller manager authorization, see
+  [Controller Roles](/docs/reference/access-authn-authz/rbac/#controller-roles).
+-->
+### 故障排查   {#troubleshooting}
+
+- [控制器管理器组件](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
+  必须运行在安全的 API 端口之上，并且不能拥有超级用户的访问权限。
+  参阅[控制 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access)以了解
+  API 服务器的访问控制。
+
+  如果控制器管理器通过可信的 API 端口连接（也称作 `localhost` 监听组件），
+  其请求会绕过身份认证和鉴权模块控制，从而导致所有 PodSecurityPolicy 对象都被允许，
+  用户亦能授予自身创建特权容器的特权。
+
+  关于配置控制器管理器鉴权的进一步细节，
+  请参阅[控制器角色](/zh-cn/docs/reference/access-authn-authz/rbac/#controller-roles)。
+
+<!--
+## Policy Order
+
+In addition to restricting pod creation and update, pod security policies can
+also be used to provide default values for many of the fields that it
+controls. When multiple policies are available, the pod security policy
+controller selects policies according to the following criteria:
+-->
+## 策略顺序  {#policy-order}
+
+除了限制 Pod 创建与更新，Pod 安全策略也可用来为其所控制的很多字段设置默认值。
+当存在多个策略对象时，Pod 安全策略控制器依据以下条件选择策略：
+
+<!--
+1. PodSecurityPolicies which allow the pod as-is, without changing defaults or
+   mutating the pod, are preferred.  The order of these non-mutating
+   PodSecurityPolicies doesn't matter.
+2. If the pod must be defaulted or mutated, the first PodSecurityPolicy
+   (ordered by name) to allow the pod is selected.
+-->
+1. 优先考虑允许 Pod 保持原样，不会更改 Pod 字段默认值或其他配置的 PodSecurityPolicy。
+   这类非更改性质的 PodSecurityPolicy 对象之间的顺序无关紧要。
+2. 如果必须要为 Pod 设置默认值或者其他配置，（按名称顺序）选择第一个允许
+   Pod 操作的 PodSecurityPolicy 对象。
+
+{{< note >}}
+<!--
+During update operations (during which mutations to pod specs are disallowed)
+only non-mutating PodSecurityPolicies are used to validate the pod.
+-->
+在更新操作期间（这时不允许更改 Pod 规约），仅使用非更改性质的
+PodSecurityPolicy 来对 Pod 执行验证操作。
+{{< /note >}}
+
+<!--
+## Example
+
+This example assumes you have a running cluster with the PodSecurityPolicy
+admission controller enabled and you have cluster admin privileges.
+-->
+## 示例   {#example}
+
+本示例假定你已经有一个启动了 PodSecurityPolicy 准入控制器的集群并且你拥有集群管理员特权。
+
+<!--
+### Set up
+
+Set up a namespace and a service account to act as for this example. We'll use
+this service account to mock a non-admin user.
+-->
+### 配置   {#set-up}
+
+为运行此示例，配置一个名字空间和一个服务账号。我们将用这个服务账号来模拟一个非管理员账号的用户。
+
+```shell
+kubectl create namespace psp-example
+kubectl create serviceaccount -n psp-example fake-user
+kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
+```
+
+<!--
+To make it clear which user we're acting as and save some typing, create 2
+aliases:
+-->
+创建两个别名，以更清晰地展示我们所使用的用户账号，同时减少一些键盘输入：
+
+```shell
+alias kubectl-admin='kubectl -n psp-example'
+alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
+```
+
+<!--
+### Create a policy and a pod
+
+Define the example PodSecurityPolicy object in a file. This is a policy that
+prevents the creation of privileged pods.
+The name of a PodSecurityPolicy object must be a valid
+[DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+-->
+### 创建一个策略和一个 Pod   {#create-a-policy-and-a-pod}
+
+在一个文件中定义一个示例的 PodSecurityPolicy 对象。
+这里的策略只是用来禁止创建有特权要求的 Pods。
+PodSecurityPolicy 对象的名称必须是合法的
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+
+{{< codenew file="policy/example-psp.yaml" >}}
+
+<!--
+And create it with kubectl:
+-->
+使用 kubectl 执行创建操作：
+
+```shell
+kubectl-admin create -f example-psp.yaml
+```
+
+<!--
+Now, as the unprivileged user, try to create a simple pod:
+-->
+现在，作为一个非特权用户，尝试创建一个简单的 Pod：
+
+```shell
+kubectl-user create -f- <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pause
+spec:
+  containers:
+    - name: pause
+      image: k8s.gcr.io/pause
+EOF
+```
+
+<!--
+The output is similar to this:
+-->
+输出类似于：
+```
+Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden: unable to validate against any pod security policy: []
+```
+
+<!--
+**What happened?** Although the PodSecurityPolicy was created, neither the
+pod's service account nor `fake-user` have permission to use the new policy:
+-->
+**发生了什么？** 尽管 PodSecurityPolicy 被创建，Pod 的服务账号或者
+`fake-user` 用户都没有使用该策略的权限。
+
+```shell
+kubectl-user auth can-i use podsecuritypolicy/example
+```
+
+```
+no
+```
+<!--
+Create the rolebinding to grant `fake-user` the `use` verb on the example
+policy:
+-->
+创建角色绑定，赋予 `fake-user` `use`（使用）示例策略的权限：
+
+{{< note >}}
+<!--
+This is not the recommended way! See the [next section](#run-another-pod)
+for the preferred approach.
+-->
+不建议使用这种方法！
+欲了解优先考虑的方法，请参见[下节](#run-another-pod)。
+{{< /note >}}
+
+```shell
+kubectl-admin create role psp:unprivileged \
+    --verb=use \
+    --resource=podsecuritypolicy \
+    --resource-name=example
+```
+
+输出：
+
+```
+role "psp:unprivileged" created
+```
+
+```shell
+kubectl-admin create rolebinding fake-user:psp:unprivileged \
+    --role=psp:unprivileged \
+    --serviceaccount=psp-example:fake-user
+```
+
+输出：
+
+```
+rolebinding "fake-user:psp:unprivileged" created
+```
+
+```shell
+kubectl-user auth can-i use podsecuritypolicy/example
+```
+
+输出：
+
+```
+yes
+```
+
+<!--
+Now retry creating the pod:
+-->
+现在重试创建 Pod：
+
+```shell
+kubectl-user create -f- <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pause
+spec:
+  containers:
+    - name: pause
+      image: k8s.gcr.io/pause
+EOF
+```
+<!--
+The output is similar to this
+-->
+输出类似于：
+
+```
+pod "pause" created
+```
+
+<!--
+It works as expected! But any attempts to create a privileged pod should still
+be denied:
+-->
+此次尝试不出所料地成功了！
+不过任何创建特权 Pod 的尝试还是会被拒绝：
+
+```shell
+kubectl-user create -f- <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged
+spec:
+  containers:
+    - name: pause
+      image: k8s.gcr.io/pause
+      securityContext:
+        privileged: true
+EOF
+```
+
+<!--
+The output is similar to this:
+-->
+
+输出类似于：
+```
+Error from server (Forbidden): error when creating "STDIN": pods "privileged" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
+```
+
+<!--
+Delete the pod before moving on:
+-->
+继续此例之前先删除该 Pod：
+
+```shell
+kubectl-user delete pod pause
+```
+
+<!--
+### Run another pod
+
+Let's try that again, slightly differently:
+-->
+### 运行另一个 Pod  {#run-another-pod}
+
+我们再试一次，稍微有些不同：
+
+```shell
+kubectl-user create deployment pause --image=k8s.gcr.io/pause
+```
+
+输出为：
+
+```
+deployment "pause" created
+```
+
+```shell
+kubectl-user get pods
+```
+
+输出为：
+
+```
+No resources found.
+```
+
+```shell
+kubectl-user get events | head -n 2
+```
+
+输出为：
+```
+LASTSEEN   FIRSTSEEN   COUNT     NAME              KIND         SUBOBJECT                TYPE      REASON                  SOURCE                                  MESSAGE
+1m         2m          15        pause-7774d79b5   ReplicaSet                            Warning   FailedCreate            replicaset-controller                   Error creating: pods "pause-7774d79b5-" is forbidden: no providers available to validate pod request
+```
+
+<!--
+**What happened?** We already bound the `psp:unprivileged` role for our `fake-user`,
+why are we getting the error `Error creating: pods "pause-7774d79b5-" is
+forbidden: no providers available to validate pod request`? The answer lies in
+the source - `replicaset-controller`. Fake-user successfully created the
+deployment (which successfully created a replicaset), but when the replicaset
+went to create the pod it was not authorized to use the example
+podsecuritypolicy.
+-->
+**发生了什么？** 我们已经为用户 `fake-user` 绑定了 `psp:unprivileged` 角色，
+为什么还会收到错误 `Error creating: pods "pause-7774d79b5-" is
+forbidden: no providers available to validate pod request
+（创建错误：pods "pause-7774d79b5" 被禁止：没有可用来验证 pod 请求的驱动）`？ 
+答案在于源文件 - `replicaset-controller`。
+`fake-user` 用户成功地创建了 Deployment，而后者也成功地创建了 ReplicaSet，
+不过当 ReplicaSet 创建 Pod 时，发现未被授权使用示例 PodSecurityPolicy 资源。
+
+<!--
+In order to fix this, bind the `psp:unprivileged` role to the pod's service
+account instead. In this case (since we didn't specify it) the service account
+is `default`:
+-->
+为了修复这一问题，将 `psp:unprivileged` 角色绑定到 Pod 的服务账号。
+在这里，因为我们没有给出服务账号名称，默认的服务账号是 `default`。
+
+```shell
+kubectl-admin create rolebinding default:psp:unprivileged \
+    --role=psp:unprivileged \
+    --serviceaccount=psp-example:default
+```
+
+输出为：
+
+```none
+rolebinding "default:psp:unprivileged" created
+```
+
+<!--
+Now if you give it a minute to retry, the replicaset-controller should
+eventually succeed in creating the pod:
+-->
+现在如果你给 ReplicaSet 控制器一分钟的时间来重试，该控制器最终将能够
+成功地创建 Pod：
+
+```shell
+kubectl-user get pods --watch
+```
+
+输出类似于：
+
+```none
+NAME                    READY     STATUS    RESTARTS   AGE
+pause-7774d79b5-qrgcb   0/1       Pending   0         1s
+pause-7774d79b5-qrgcb   0/1       Pending   0         1s
+pause-7774d79b5-qrgcb   0/1       ContainerCreating   0         1s
+pause-7774d79b5-qrgcb   1/1       Running   0         2s
+```
+
+<!--
+### Clean up
+
+Delete the namespace to clean up most of the example resources:
+-->
+### 清理  {#clean-up}
+
+删除名字空间即可清理大部分示例资源：
+
+```shell
+kubectl-admin delete ns psp-example
+```
+
+输出类似于：
+
+```
+namespace "psp-example" deleted
+```
+
+<!--
+Note that `PodSecurityPolicy` resources are not namespaced, and must be cleaned
+up separately:
+-->
+注意 `PodSecurityPolicy` 资源不是名字空间域的资源，必须单独清理：
+
+```shell
+kubectl-admin delete psp example
+```
+
+输出类似于：
+
+```none
+podsecuritypolicy "example" deleted
+```
+
+<!--
+### Example Policies
+
+This is the least restrictive policy you can create, equivalent to not using the
+pod security policy admission controller:
+-->
+### 示例策略  {#example-policies}
+
+下面是一个你可以创建的约束性非常弱的策略，其效果等价于没有使用 Pod 安全策略准入控制器：
+
+{{< codenew file="policy/privileged-psp.yaml" >}}
+
+<!--
+This is an example of a restrictive policy that requires users to run as an
+unprivileged user, blocks possible escalations to root, and requires use of
+several security mechanisms.
+-->
+下面是一个具有约束性的策略，要求用户以非特权账号运行，禁止可能的向 root 权限的升级，
+同时要求使用若干安全机制。
+
+{{< codenew file="policy/restricted-psp.yaml" >}}
+
+<!--
+See [Pod Security Standards](/docs/concepts/security/pod-security-standards/#policy-instantiation)
+for more examples.
+-->
+更多的示例可参考
+[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/#policy-instantiation)。
+
+<!--
+## Policy Reference
+
+### Privileged
+
+**Privileged** - determines if any container in a pod can enable privileged mode.
+By default a container is not allowed to access any devices on the host, but a
+"privileged" container is given access to all devices on the host. This allows
+the container nearly all the same access as processes running on the host.
+This is useful for containers that want to use linux capabilities like
+manipulating the network stack and accessing devices.
+-->
+## 策略参考    {#policy-reference}
+
+### Privileged
+
+**Privileged** - 决定是否 Pod 中的某容器可以启用特权模式。
+默认情况下，容器是不可以访问宿主上的任何设备的，不过一个“privileged（特权的）”
+容器则被授权访问宿主上所有设备。
+这种容器几乎享有宿主上运行的进程的所有访问权限。
+对于需要使用 Linux 权能字（如操控网络堆栈和访问设备）的容器而言是有用的。
+
+<!--
+### Host namespaces
+
+**HostPID** - Controls whether the pod containers can share the host process ID
+namespace. Note that when paired with ptrace this can be used to escalate
+privileges outside of the container (ptrace is forbidden by default).
+
+**HostIPC** - Controls whether the pod containers can share the host IPC
+namespace.
+
+**HostNetwork** - Controls whether the pod may use the node network
+namespace. Doing so gives the pod access to the loopback device, services
+listening on localhost, and could be used to snoop on network activity of other
+pods on the same node.
+
+**HostPorts** - Provides a list of ranges of allowable ports in the host
+network namespace. Defined as a list of `HostPortRange`, with `min`(inclusive)
+and `max`(inclusive). Defaults to no allowed host ports.
+-->
+### 宿主名字空间   {#host-namespaces}
+
+**HostPID** - 控制 Pod 中容器是否可以共享宿主上的进程 ID 空间。
+注意，如果与 `ptrace` 相结合，这种授权可能被利用，导致向容器外的特权逃逸
+（默认情况下 `ptrace` 是被禁止的）。
+
+**HostIPC** - 控制 Pod 容器是否可共享宿主上的 IPC 名字空间。
+
+**HostNetwork** - 控制是否 Pod 可以使用节点的网络名字空间。
+此类授权将允许 Pod 访问本地回路（loopback）设备、在本地主机（localhost）
+上监听的服务、还可能用来监听同一节点上其他 Pod 的网络活动。
+
+**HostPorts** -提供可以在宿主网络名字空间中可使用的端口范围列表。 
+该属性定义为一组 `HostPortRange` 对象的列表，每个对象中包含
+`min`（含）与 `max`（含）值的设置。
+默认不允许访问宿主端口。
+
+<!--
+### Volumes and file systems
+
+**Volumes** - Provides a list of allowed volume types. The allowable values
+correspond to the volume sources that are defined when creating a volume. For
+the complete list of volume types, see [Types of
+Volumes](/docs/concepts/storage/volumes/#types-of-volumes). Additionally,
+`*` may be used to allow all volume types.
+
+The **recommended minimum set** of allowed volumes for new PSPs are:
+-->
+### 卷和文件系统   {#volumes-and-file-systems}
+
+**Volumes** - 提供一组被允许的卷类型列表。可被允许的值对应于创建卷时可以设置的卷来源。
+卷类型的完整列表可参见[卷类型](/zh-cn/docs/concepts/storage/volumes/#types-of-volumes)。
+此外，`*` 可以用来允许所有卷类型。
+
+对于新的 Pod 安全策略设置而言，建议设置的卷类型的**最小列表**包含：
+
+- `configMap`
+- `downwardAPI`
+- `emptyDir`
+- `persistentVolumeClaim`
+- `secret`
+- `projected`
+
+{{< warning >}}
+<!--
+PodSecurityPolicy does not limit the types of `PersistentVolume` objects that
+may be referenced by a `PersistentVolumeClaim`, and hostPath type
+`PersistentVolumes` do not support read-only access mode. Only trusted users
+should be granted permission to create `PersistentVolume` objects.
+-->
+PodSecurityPolicy 并不限制可以被 `PersistentVolumeClaim` 所引用的
+`PersistentVolume` 对象的类型。
+此外 `hostPath` 类型的 `PersistentVolume` 不支持只读访问模式。
+应该仅赋予受信用户创建 `PersistentVolume` 对象的访问权限。
+{{< /warning >}}
+
+<!--
+**FSGroup** - Controls the supplemental group applied to some volumes.
+
+- *MustRunAs* - Requires at least one `range` to be specified. Uses the
+  minimum value of the first range as the default. Validates against all ranges.
+- *MayRunAs* - Requires at least one `range` to be specified. Allows
+  `FSGroups` to be left unset without providing a default. Validates against
+  all ranges if `FSGroups` is set.
+- *RunAsAny* - No default provided. Allows any `fsGroup` ID to be specified.
+-->
+**FSGroup** - 控制应用到某些卷上的附加用户组。
+
+- *MustRunAs* - 要求至少指定一个 `range`。
+  使用范围中的最小值作为默认值。所有 range 值都会被用来执行验证。
+- *MayRunAs* - 要求至少指定一个 `range`。
+  允许不设置 `FSGroups`，且无默认值。
+  如果 `FSGroup` 被设置，则所有 range 值都会被用来执行验证检查。
+- *RunAsAny* - 不提供默认值。允许设置任意 `fsGroup` ID 值。
+
+<!--
+**AllowedHostPaths** - This specifies a list of host paths that are allowed
+to be used by hostPath volumes. An empty list means there is no restriction on
+host paths used. This is defined as a list of objects with a single `pathPrefix`
+field, which allows hostPath volumes to mount a path that begins with an
+allowed prefix, and a `readOnly` field indicating it must be mounted read-only.
+For example:
+-->
+**AllowedHostPaths** - 设置一组宿主文件目录，这些目录项可以在 `hostPath` 卷中使用。
+列表为空意味着对所使用的宿主目录没有限制。
+此选项定义包含一个对象列表，表中对象包含 `pathPrefix` 字段，用来表示允许
+`hostPath` 卷挂载以所指定前缀开头的路径。
+对象中还包含一个 `readOnly` 字段，用来表示对应的卷必须以只读方式挂载。
+例如：
+
+<!--
+```yaml
+allowedHostPaths:
+  # This allows "/foo", "/foo/", "/foo/bar" etc., but
+  # disallows "/fool", "/etc/foo" etc.
+  # "/foo/../" is never valid.
+  - pathPrefix: "/foo"
+    readOnly: true # only allow read-only mounts
+```
+-->
+```yaml
+allowedHostPaths:
+  # 下面的设置允许 "/foo"、"/foo/"、"/foo/bar" 等路径，但禁止
+  # "/fool"、"/etc/foo" 这些路径。
+  # "/foo/../" 总会被当作非法路径。
+  - pathPrefix: "/foo"
+    readOnly: true # 仅允许只读模式挂载
+```
+
+{{< warning >}}
+<!--
+There are many ways a container with unrestricted access to the host
+filesystem can escalate privileges, including reading data from other
+containers, and abusing the credentials of system services, such as Kubelet.
+-->
+容器如果对宿主文件系统拥有不受限制的访问权限，就可以有很多种方式提升自己的特权，
+包括读取其他容器中的数据、滥用系统服务（如 `kubelet`）的凭据信息等。
+
+<!--
+Writeable hostPath directory volumes allow containers to write
+to the filesystem in ways that let them traverse the host filesystem outside the `pathPrefix`.
+`readOnly: true`, available in Kubernetes 1.11+, must be used on **all** `allowedHostPaths`
+to effectively limit access to the specified `pathPrefix`.
+-->
+由可写入的目录所构造的 `hostPath` 卷能够允许容器写入数据到宿主文件系统，
+并且在写入时避开 `pathPrefix` 所设置的目录限制。
+`readOnly: true` 这一设置在 Kubernetes 1.11 版本之后可用。
+必须针对 `allowedHostPaths` 中的 *所有* 条目设置此属性才能有效地限制容器只能访问
+`pathPrefix` 所指定的目录。
+{{< /warning >}}
+
+<!--
+**ReadOnlyRootFilesystem** - Requires that containers must run with a read-only
+root filesystem (i.e. no writable layer).
+-->
+**ReadOnlyRootFilesystem** - 要求容器必须以只读方式挂载根文件系统来运行
+（即不允许存在可写入层）。
+
+<!--
+### FlexVolume drivers
+
+This specifies a list of FlexVolume drivers that are allowed to be used
+by flexvolume. An empty list or nil means there is no restriction on the drivers.
+Please make sure [`volumes`](#volumes-and-file-systems) field contains the
+`flexVolume` volume type; no FlexVolume driver is allowed otherwise.
+
+For example:
+-->
+### FlexVolume 驱动  {#flexvolume-drivers}
+
+此配置指定一个可以被 FlexVolume 卷使用的驱动程序的列表。
+空的列表或者 nil 值意味着对驱动没有任何限制。
+请确保[`volumes`](#volumes-and-file-systems) 字段包含了 `flexVolume` 卷类型，
+否则所有 FlexVolume 驱动都被禁止。
+
+<!--
+```yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: allow-flex-volumes
+spec:
+  # ... other spec fields
+  volumes:
+    - flexVolume
+  allowedFlexVolumes:
+    - driver: example/lvm
+    - driver: example/cifs
+```
+-->
+
+```yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: allow-flex-volumes
+spec:
+  # spec 的其他字段
+  volumes:
+    - flexVolume
+  allowedFlexVolumes:
+    - driver: example/lvm
+    - driver: example/cifs
+```
+
+<!--
+### Users and groups
+
+**RunAsUser** - Controls which user ID the containers are run with.
+
+- *MustRunAs* - Requires at least one `range` to be specified. Uses the
+  minimum value of the first range as the default. Validates against all ranges.
+- *MustRunAsNonRoot* - Requires that the pod be submitted with a non-zero
+  `runAsUser` or have the `USER` directive defined (using a numeric UID) in the
+  image. Pods which have specified neither `runAsNonRoot` nor `runAsUser` settings
+  will be mutated to set `runAsNonRoot=true`, thus requiring a defined non-zero 
+  numeric `USER` directive in the container. No default provided. Setting 
+  `allowPrivilegeEscalation=false` is strongly recommended with this strategy.
+- *RunAsAny* - No default provided. Allows any `runAsUser` to be specified.
+-->
+### 用户和组    {#users-and-groups}
+
+**RunAsUser** - 控制使用哪个用户 ID 来运行容器。
+
+- *MustRunAs* - 必须至少设置一个 `range`。使用该范围内的第一个值作为默认值。
+  所有范围值都会被验证检查。
+
+- *MustRunAsNonRoot* - 要求提交的 Pod 具有非零 `runAsUser` 值，或在镜像中
+  （使用 UID 数值）定义了 `USER` 环境变量。
+  如果 Pod 既没有设置 `runAsNonRoot`，也没有设置 `runAsUser`，则该 Pod
+  会被修改以设置 `runAsNonRoot=true`，从而要求容器通过 `USER` 指令给出非零的数值形式的用户 ID。
+  此配置没有默认值。采用此配置时，强烈建议设置 `allowPrivilegeEscalation=false`。
+- *RunAsAny* - 没有提供默认值。允许指定任何 `runAsUser` 配置。
+
+<!--
+**RunAsGroup** - Controls which primary group ID the containers are run with.
+
+- *MustRunAs* - Requires at least one `range` to be specified. Uses the
+  minimum value of the first range as the default. Validates against all ranges.
+- *MayRunAs* - Does not require that RunAsGroup be specified. However, when RunAsGroup
+  is specified, they have to fall in the defined range.
+- *RunAsAny* - No default provided. Allows any `runAsGroup` to be specified.
+-->
+**RunAsGroup** - 控制运行容器时使用的主用户组 ID。
+
+- *MustRunAs* - 要求至少指定一个 `range` 值。第一个范围中的最小值作为默认值。
+  所有范围值都被用来执行验证检查。
+- *MayRunAs* - 不要求设置 `RunAsGroup`。
+  不过，如果指定了 `RunAsGroup` 被设置，所设置值必须处于所定义的范围内。
+- *RunAsAny* - 未指定默认值。允许 `runAsGroup` 设置任何值。
+
+<!--
+**SupplementalGroups** - Controls which group IDs containers add.
+
+- *MustRunAs* - Requires at least one `range` to be specified. Uses the
+  minimum value of the first range as the default. Validates against all ranges.
+- *MayRunAs* - Requires at least one `range` to be specified. Allows
+  `supplementalGroups` to be left unset without providing a default.
+  Validates against all ranges if `supplementalGroups` is set.
+- *RunAsAny* - No default provided. Allows any `supplementalGroups` to be
+  specified.
+-->
+**SupplementalGroups** - 控制容器可以添加的组 ID。
+
+- *MustRunAs* - 要求至少指定一个 `range` 值。第一个范围中的最小值用作默认值。
+  所有范围值都被用来执行验证检查。
+- *MayRunAs* - 要求至少指定一个 `range` 值。
+  允许不指定 `supplementalGroups` 且不设置默认值。
+  如果 `supplementalGroups` 被设置，则所有 range 值都被用来执行验证检查。
+- *RunAsAny* - 未指定默认值。允许为 `supplementalGroups` 设置任何值。
+
+<!--
+### Privilege Escalation
+
+These options control the `allowPrivilegeEscalation` container option. This bool
+directly controls whether the
+[`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
+flag gets set on the container process. This flag will prevent `setuid` binaries
+from changing the effective user ID, and prevent files from enabling extra
+capabilities (e.g. it will prevent the use of the `ping` tool). This behavior is
+required to effectively enforce `MustRunAsNonRoot`.
+-->
+### 特权提升   {#privilege-escalation}
+
+这一组选项控制容器的 `allowPrivilegeEscalation` 属性。该属性直接决定是否为容器进程设置
+[`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
+参数。此参数会禁止 `setuid` 属性的可执行文件更改有效用户 ID（EUID），
+并且禁止启用额外权能的文件。例如，`no_new_privs` 会禁止使用 `ping` 工具。
+如果想有效地实施 `MustRunAsNonRoot` 控制，需要配置这一选项。
+
+<!--
+**AllowPrivilegeEscalation** - Gates whether or not a user is allowed to set the
+security context of a container to `allowPrivilegeEscalation=true`. This
+defaults to allowed so as to not break setuid binaries. Setting it to `false`
+ensures that no child process of a container can gain more privileges than its parent.
+-->
+**AllowPrivilegeEscalation** - 决定是否用户可以将容器的安全上下文设置为
+`allowPrivilegeEscalation=true`。默认设置下，这样做是允许的，
+目的是避免造成现有的 `setuid` 应用无法运行。将此选项设置为 `false`
+可以确保容器的所有子进程都无法获得比父进程更多的特权。
+
+<!--
+**DefaultAllowPrivilegeEscalation** - Sets the default for the
+`allowPrivilegeEscalation` option. The default behavior without this is to allow
+privilege escalation so as to not break setuid binaries. If that behavior is not
+desired, this field can be used to default to disallow, while still permitting
+pods to request `allowPrivilegeEscalation` explicitly.
+-->
+**DefaultAllowPrivilegeEscalation** - 为 `allowPrivilegeEscalation` 选项设置默认值。
+不设置此选项时的默认行为是允许特权提升，以便运行 setuid 程序。
+如果不希望运行 setuid 程序，可以使用此字段将选项的默认值设置为禁止，
+同时仍然允许 Pod 显式地请求 `allowPrivilegeEscalation`。 
+
+<!--
+### Capabilities
+
+Linux capabilities provide a finer grained breakdown of the privileges
+traditionally associated with the superuser. Some of these capabilities can be
+used to escalate privileges or for container breakout, and may be restricted by
+the PodSecurityPolicy. For more details on Linux capabilities, see
+[capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html).
+
+The following fields take a list of capabilities, specified as the capability
+name in ALL_CAPS without the `CAP_` prefix.
+-->
+### 权能字    {#capabilities}
+
+Linux 权能字（Capabilities）将传统上与超级用户相关联的特权作了细粒度的分解。
+其中某些权能字可以用来提升特权，打破容器边界，可以通过 PodSecurityPolicy 来限制。
+关于 Linux 权能字的更多细节，可参阅
+[capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html)。
+
+下列字段都可以配置为权能字的列表。表中的每一项都是 `ALL_CAPS` 中的一个权能字名称，
+只是需要去掉 `CAP_` 前缀。
+
+<!--
+**AllowedCapabilities** - Provides a list of capabilities that are allowed to be added
+to a container. The default set of capabilities are implicitly allowed. The
+empty set means that no additional capabilities may be added beyond the default
+set. `*` can be used to allow all capabilities.
+-->
+**AllowedCapabilities** - 给出可以被添加到容器的权能字列表。
+默认的权能字集合是被隐式允许的那些。空集合意味着只能使用默认权能字集合，
+不允许添加额外的权能字。`*` 可以用来设置允许所有权能字。
+
+<!--
+**RequiredDropCapabilities** - The capabilities which must be dropped from
+containers. These capabilities are removed from the default set, and must not be
+added. Capabilities listed in `RequiredDropCapabilities` must not be included in
+`AllowedCapabilities` or `DefaultAddCapabilities`.
+-->
+**RequiredDropCapabilities** - 必须从容器中去除的权能字。
+所给的权能字会从默认权能字集合中去除，并且一定不可以添加。
+`RequiredDropCapabilities` 中列举的权能字不能出现在
+`AllowedCapabilities` 或 `DefaultAddCapabilities` 所给的列表中。
+
+<!--
+**DefaultAddCapabilities** - The capabilities which are added to containers by
+default, in addition to the runtime defaults. See the
+documentation for your container runtime for information on working with Linux capabilities.
+-->
+**DefaultAddCapabilities** - 默认添加到容器的权能字集合。
+这一集合是作为容器运行时所设值的补充。
+关于使用 Docker 容器运行引擎时默认的权能字列表，
+可参阅你的容器运行时的文档来了解使用 Linux 权能字的信息。
+
+<!--
+### SELinux
+
+- *MustRunAs* - Requires `seLinuxOptions` to be configured. Uses
+`seLinuxOptions` as the default. Validates against `seLinuxOptions`.
+- *RunAsAny* - No default provided. Allows any `seLinuxOptions` to be
+specified.
+-->
+### SELinux
+
+- *MustRunAs* - 要求必须配置 `seLinuxOptions`。默认使用 `seLinuxOptions`。
+  针对 `seLinuxOptions` 所给值执行验证检查。
+- *RunAsAny* - 没有提供默认值。允许任意指定的 `seLinuxOptions` 选项。
+
+<!--
+### AllowedProcMountTypes
+
+`allowedProcMountTypes` is a list of allowed ProcMountTypes.
+Empty or nil indicates that only the `DefaultProcMountType` may be used.
+
+`DefaultProcMount` uses the container runtime defaults for readonly and masked
+paths for /proc.  Most container runtimes mask certain paths in /proc to avoid
+accidental security exposure of special devices or information. This is denoted
+as the string `Default`.
+
+The only other ProcMountType is `UnmaskedProcMount`, which bypasses the
+default masking behavior of the container runtime and ensures the newly
+created /proc the container stays intact with no modifications. This is
+denoted as the string `Unmasked`.
+-->
+### AllowedProcMountTypes
+
+`allowedProcMountTypes` 是一组可以允许的 proc 挂载类型列表。
+空表或者 nil 值表示只能使用 `DefaultProcMountType`。
+
+`DefaultProcMount` 使用容器运行时的默认值设置来决定 `/proc` 的只读挂载模式和路径屏蔽。
+大多数容器运行时都会屏蔽 `/proc` 下面的某些路径以避免特殊设备或信息被不小心暴露给容器。
+这一配置使所有 `Default` 字符串值来表示。
+
+此外唯一的ProcMountType 是 `UnmaskedProcMount`，意味着即将绕过容器运行时的路径屏蔽行为，
+确保新创建的 `/proc` 不会被容器修改。此配置用字符串 `Unmasked` 来表示。
+
+<!--
+### AppArmor
+
+Controlled via annotations on the PodSecurityPolicy. Refer to the
+[AppArmor documentation](/docs/tutorials/security/apparmor/#podsecuritypolicy-annotations).
+-->
+### AppArmor
+
+通过 PodSecurityPolicy 上的注解来控制。
+详情请参阅
+[AppArmor 文档](/zh-cn/docs/tutorials/security/apparmor/#podsecuritypolicy-annotations)。
+
+
+<!--
+### Seccomp
+
+As of Kubernetes v1.19, you can use the `seccompProfile` field in the
+`securityContext` of Pods or containers to
+[control use of seccomp profiles](/docs/tutorials/security/seccomp/).
+In prior versions, seccomp was controlled by adding annotations to a Pod. The
+same PodSecurityPolicies can be used with either version to enforce how these
+fields or annotations are applied.
+
+**seccomp.security.alpha.kubernetes.io/defaultProfileName** - Annotation that
+specifies the default seccomp profile to apply to containers. Possible values
+are:
+-->
+### Seccomp
+
+从 Kubernetes v1.19 开始，你可以使用 Pod 或容器的 `securityContext` 中的 `seccompProfile`
+字段来[控制 seccomp 配置的使用](/zh-cn/docs/tutorials/security/seccomp/)。
+在更早的版本中，seccomp 是通过为 Pod 添加注解来控制的。
+相同的 PodSecurityPolicy 可以用于不同版本，进而控制如何应用对应的字段或注解。
+
+**seccomp.security.alpha.kubernetes.io/defaultProfileName** -
+注解用来指定为容器配置默认的 seccomp 模版。可选值为：
+
+<!--
+- `unconfined` - Seccomp is not applied to the container processes (this is the
+  default in Kubernetes), if no alternative is provided.
+- `runtime/default` - The default container runtime profile is used.
+- `docker/default` - The Docker default seccomp profile is used. Deprecated as
+  of Kubernetes 1.11. Use `runtime/default` instead.
+- `localhost/<path>` - Specify a profile as a file on the node located at
+  `<seccomp_root>/<path>`, where `<seccomp_root>` is defined via the
+  `--seccomp-profile-root` flag on the Kubelet. If the `--seccomp-profile-root`
+  flag is not defined, the default path will be used, which is
+  `<root-dir>/seccomp` where `<root-dir>` is specified by the `--root-dir` flag.
+
+  {{< note >}}
+  The `--seccomp-profile-root` flag is deprecated since Kubernetes
+  v1.19. Users are encouraged to use the default path.
+  {{< /note >}}
+
+-->
+- `unconfined` - 如果没有指定其他替代方案，Seccomp 不会被应用到容器进程上
+  （Kubernets 中的默认设置）。
+- `runtime/default` - 使用默认的容器运行时模版。
+- `docker/default` - 使用 Docker 的默认 seccomp 模版。自 1.11 版本废弃。
+  应改为使用 `runtime/default`。
+- `localhost/<路径名>` - 指定节点上路径 `<seccomp_root>/<路径名>` 下的一个文件作为其模版。
+  其中 `<seccomp_root>` 是通过 `kubelet` 的标志 `--seccomp-profile-root` 来指定的。
+  如果未定义 `--seccomp-profile-root` 标志，则使用默认的路径 `<root-dir>/seccomp`，
+  其中 `<root-dir>` 是通过 `--root-dir` 标志来设置的。
+
+  {{< note >}}
+  <!--
+  The `--seccomp-profile-root` flag is deprecated since Kubernetes
+  v1.19. Users are encouraged to use the default path.
+  -->
+  从 Kubernetes v1.19 开始，`--seccomp-profile-root` 标志已被启用。
+  用户应尝试使用默认路径。
+  {{< /note >}}
+
+<!--
+**seccomp.security.alpha.kubernetes.io/allowedProfileNames** - Annotation that
+specifies which values are allowed for the pod seccomp annotations. Specified as
+a comma-delimited list of allowed values. Possible values are those listed
+above, plus `*` to allow all profiles. Absence of this annotation means that the
+default cannot be changed.
+-->
+**seccomp.security.alpha.kubernetes.io/allowedProfileNames** - 指定可以为
+Pod seccomp 注解配置的值的注解。取值为一个可用值的列表。
+表中每项可以是上述各值之一，还可以是 `*`，用来表示允许所有的模版。
+如果没有设置此注解，意味着默认的 seccomp 模版是不可更改的。
+
+<!--
+### Sysctl
+
+By default, all safe sysctls are allowed. 
+-->
+### Sysctl
+
+默认情况下，所有的安全的 sysctl 都是被允许的。
+
+<!--
+- `forbiddenSysctls` - excludes specific sysctls. You can forbid a combination
+  of safe and unsafe sysctls in the list. To forbid setting any sysctls, use
+  `*` on its own.
+- `allowedUnsafeSysctls` - allows specific sysctls that had been disallowed by
+  the default list, so long as these are not listed in `forbiddenSysctls`.
+-->
+- `forbiddenSysctls` - 用来排除某些特定的 sysctl。
+  你可以在此列表中禁止一些安全的或者不安全的 sysctl。
+  此选项设置为 `*` 意味着禁止设置所有 sysctl。
+- `allowedUnsafeSysctls` - 用来启用那些被默认列表所禁用的 sysctl，
+  前提是所启用的 sysctl 没有被列在 `forbiddenSysctls` 中。
+
+<!--
+Refer to the [Sysctl documentation](/docs/tasks/administer-cluster/sysctl-cluster/#podsecuritypolicy).
+-->
+参阅 [Sysctl 文档](/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/#podsecuritypolicy)。
+
+## {{% heading "whatsnext" %}}
+
+<!--
+- See [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)
+  to learn about the future of pod security policy.
+
+- See [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
+  for policy recommendations.
+
+- Refer to [PodSecurityPolicy reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy)
+  for the API details.
+-->
+- 参阅 [PodSecurityPolicy Deprecation: Past, Present, and
+  Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)，
+  了解 Pod 安全策略的未来。
+
+- 参阅 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)，
+  了解策略建议。
+- 阅读 [PodSecurityPolicy 参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy)，
+  了解 API 细节。
+
diff --git a/content/zh-cn/docs/concepts/security/pod-security-standards.md b/content/zh-cn/docs/concepts/security/pod-security-standards.md
new file mode 100644
index 0000000000000..243bd9529c360
--- /dev/null
+++ b/content/zh-cn/docs/concepts/security/pod-security-standards.md
@@ -0,0 +1,655 @@
+---
+title: Pod 安全性标准
+description: >
+  详细了解 Pod 安全性标准（Pod Security Standards）中所定义的不同策略级别。
+content_type: concept
+weight: 10
+---
+<!--
+reviewers:
+- tallclair
+title: Pod Security Standards
+description: >
+  A detailed look at the different policy levels defined in the Pod Security Standards.
+content_type: concept
+weight: 10
+-->
+
+<!-- overview -->
+
+<!--
+The Pod Security Standards define three different _policies_ to broadly cover the security
+spectrum. These policies are _cumulative_ and range from highly-permissive to highly-restrictive.
+This guide outlines the requirements of each policy.
+-->
+Pod 安全性标准定义了三种不同的 **策略（Policy）**，以广泛覆盖安全应用场景。
+这些策略是 **叠加式的（Cumulative）**，安全级别从高度宽松至高度受限。
+本指南概述了每个策略的要求。
+
+<!--
+| Profile | Description |
+| ------ | ----------- |
+| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. |
+| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. |
+| <strong style="white-space: nowrap">Restricted</strong> | Heavily restricted policy, following current Pod hardening best practices. |
+-->
+| Profile | 描述 |
+| ------ | ----------- |
+| <strong style="white-space: nowrap">Privileged</strong> | 不受限制的策略，提供最大可能范围的权限许可。此策略允许已知的特权提升。 |
+| <strong style="white-space: nowrap">Baseline</strong> | 限制性最弱的策略，禁止已知的策略提升。允许使用默认的（规定最少）Pod 配置。 |
+| <strong style="white-space: nowrap">Restricted</strong> | 限制性非常强的策略，遵循当前的保护 Pod 的最佳实践。 |
+
+<!-- body -->
+
+<!--
+## Profile Details
+
+### Privileged
+-->
+## Profile 细节    {#profile-details}
+
+### Privileged
+
+<!--
+**The _Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is
+typically aimed at system- and infrastructure-level workloads managed by privileged, trusted users.
+
+The Privileged policy is defined by an absence of restrictions. Allow-by-default
+mechanisms (such as gatekeeper) may be Privileged by default. In contrast, for a deny-by-default mechanism (such as Pod
+Security Policy) the Privileged policy should disable all restrictions.
+-->
+**_Privileged_ 策略是有目的地开放且完全无限制的策略。**
+此类策略通常针对由特权较高、受信任的用户所管理的系统级或基础设施级负载。
+
+Privileged 策略定义中限制较少。默认允许的（Allow-by-default）实施机制（例如 gatekeeper）
+可以缺省设置为 Privileged。
+与此不同，对于默认拒绝（Deny-by-default）的实施机制（如 Pod 安全策略）而言，
+Privileged 策略应该禁止所有限制。
+
+### Baseline
+
+<!--
+**The _Baseline_ policy is aimed at ease of adoption for common containerized workloads while
+preventing known privilege escalations.** This policy is targeted at application operators and
+developers of non-critical applications. The following listed controls should be
+enforced/disallowed:
+-->
+**_Baseline_ 策略的目标是便于常见的容器化应用采用，同时禁止已知的特权提升。**
+此策略针对的是应用运维人员和非关键性应用的开发人员。
+下面列举的控制应该被实施（禁止）：
+
+{{< note >}}
+<!--
+In this table, wildcards (`*`) indicate all elements in a list. For example,
+`spec.containers[*].securityContext` refers to the Security Context object for _all defined
+containers_. If any of the listed containers fails to meet the requirements, the entire pod will
+fail validation.
+-->
+在下述表格中，通配符（`*`）意味着一个列表中的所有元素。
+例如 `spec.containers[*].securityContext` 表示 _所定义的所有容器_ 的安全性上下文对象。
+如果所列出的任一容器不能满足要求，整个 Pod 将无法通过校验。
+{{< /note >}}
+
+<table>
+	<!-- caption style="display:none">Baseline policy specification</caption -->
+	<caption style="display:none">Baseline 策略规范</caption>
+	<tbody>
+		<tr>
+			<td>控制（Control）</td>
+			<td>策略（Policy）</td>
+		</tr>
+    		<tr>
+			<!-- <td style="white-space: nowrap">HostProcess</td> -->
+      			<td style="white-space: nowrap">HostProcess</td>
+      			<td>
+				<p><!--Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. -->
+                                Windows Pod 提供了运行 <a href="/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess 容器</a> 的能力，这使得对 Windows 节点的特权访问成为可能。Baseline 策略中禁止对宿主的特权访问。{{< feature-state for_k8s_version="v1.23" state="beta" >}}
+                                </p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><!--Host Namespaces-->宿主名字空间</td>
+                        <td>
+				<p><!--Sharing the host namespaces must be disallowed.-->必须禁止共享宿主上的名字空间。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.hostNetwork</code></li>
+					<li><code>spec.hostPID</code></li>
+					<li><code>spec.hostIPC</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><!--Privileged Containers-->特权容器</td>
+			<td>
+				<p><!--Privileged Pods disable most security mechanisms and must be disallowed.-->特权 Pod 会使大多数安全性机制失效，必须被禁止。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.privileged</code></li>
+					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><!--Capabilities-->权能</td>
+			<td>
+				<p><!--Adding additional capabilities beyond those listed below must be disallowed.-->必须禁止添加除下列字段之外的权能。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
+					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>AUDIT_WRITE</code></li>
+					<li><code>CHOWN</code></li>
+					<li><code>DAC_OVERRIDE</code></li>
+					<li><code>FOWNER</code></li>
+					<li><code>FSETID</code></li>
+					<li><code>KILL</code></li>
+					<li><code>MKNOD</code></li>
+					<li><code>NET_BIND_SERVICE</code></li>
+					<li><code>SETFCAP</code></li>
+					<li><code>SETGID</code></li>
+					<li><code>SETPCAP</code></li>
+					<li><code>SETUID</code></li>
+					<li><code>SYS_CHROOT</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><!--HostPath Volumes-->HostPath 卷</td>
+			<td>
+				<p><!--HostPath volumes must be forbidden.-->必须禁止 HostPath 卷。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.volumes[*].hostPath</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+				</ul>
+			</td>
+			<td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><!--Host Ports-->宿主端口</td>
+			<td>
+				<p><!--HostPorts should be disallowed, or at minimum restricted to a known list.-->应该禁止使用宿主端口，或者至少限制只能使用某确定列表中的端口。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].ports[*].hostPort</code></li>
+					<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
+					<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><!--Known list-->已知列表</li>
+					<li><code>0</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">AppArmor</td>
+			<td>
+				<p><!--On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.-->在受支持的主机上，默认使用 <code>runtime/default</code> AppArmor 配置。Baseline 策略应避免覆盖或者禁用默认策略，以及限制覆盖一些配置集合的权限。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>runtime/default</code></li>
+					<li><code>localhost/*</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">SELinux</td>
+			<td>
+				<p><!--Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.-->设置 SELinux 类型的操作是被限制的，设置自定义的 SELinux 用户或角色选项是被禁止的。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.seLinuxOptions.type</code></li>
+					<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
+					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/""-->未定义、""</li>
+					<li><code>container_t</code></li>
+					<li><code>container_init_t</code></li>
+					<li><code>container_kvm_t</code></li>
+				</ul>
+				<hr />
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.seLinuxOptions.user</code></li>
+					<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
+					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.user</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.user</code></li>
+					<li><code>spec.securityContext.seLinuxOptions.role</code></li>
+					<li><code>spec.containers[*].securityContext.seLinuxOptions.role</code></li>
+					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/""-->未定义、""</li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><code>/proc</code><!--Mount Type-->挂载类型</td>
+			<td>
+				<p><!--The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.-->要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.procMount</code></li>
+					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>Default</code></li>
+				</ul>
+			</td>
+		</tr>
+    <tr>
+  			<td>Seccomp</td>
+  			<td>
+  				<p><!--Seccomp profile must not be explicitly set to <code>Unconfined</code>.-->Seccomp 配置必须不能显式设置为 <code>Unconfined</code>。</p>
+  				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.seccompProfile.type</code></li>
+					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
+					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>RuntimeDefault</code></li>
+					<li><code>Localhost</code></li>
+				</ul>
+  			</td>
+  		</tr>
+		<tr>
+			<td>Sysctls</td>
+			<td>
+				<p><!--Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.-->Sysctls 可以禁用安全机制或影响宿主上所有容器，因此除了若干“安全”的子集之外，应该被禁止。如果某 sysctl 是受容器或 Pod 的名字空间限制，且与节点上其他 Pod 或进程相隔离，可认为是安全的。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.sysctls[*].name</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>kernel.shm_rmid_forced</code></li>
+					<li><code>net.ipv4.ip_local_port_range</code></li>
+					<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
+					<li><code>net.ipv4.tcp_syncookies</code></li>
+					<li><code>net.ipv4.ping_group_range</code></li>
+				</ul>
+			</td>
+		</tr>
+	</tbody>
+</table>
+
+### Restricted
+
+<!--
+**The _Restricted_ policy is aimed at enforcing current Pod hardening best practices, at the
+expense of some compatibility.** It is targeted at operators and developers of security-critical
+applications, as well as lower-trust users. The following listed controls should be
+enforced/disallowed:
+-->
+**_Restricted_ 策略旨在实施当前保护 Pod 的最佳实践，尽管这样作可能会牺牲一些兼容性。**
+该类策略主要针对运维人员和安全性很重要的应用的开发人员，以及不太被信任的用户。
+下面列举的控制需要被实施（禁止）：
+
+{{< note >}}
+<!--
+In this table, wildcards (`*`) indicate all elements in a list. For example, 
+`spec.containers[*].securityContext` refers to the Security Context object for _all defined
+containers_. If any of the listed containers fails to meet the requirements, the entire pod will
+fail validation.
+-->
+在下述表格中，通配符（`*`）意味着一个列表中的所有元素。
+例如 `spec.containers[*].securityContext` 表示 **所定义的所有容器** 的安全性上下文对象。
+如果所列出的任一容器不能满足要求，整个 Pod 将无法通过校验。
+{{< /note >}}
+
+<table>
+	<caption style="display:none"><!--Restricted policy specification-->Restricted 策略规范</caption>
+	<tbody>
+		<tr>
+			<td width="30%"><strong><!--Control-->控制</strong></td>
+			<td><strong><!--Policy-->策略</strong></td>
+		</tr>
+		<tr>
+			<td colspan="2"><em><!--Everything from the baseline profile.-->Baseline 策略的所有要求。</em></td>
+		</tr>
+		<tr>
+      			<td style="white-space: nowrap"><!--Volume Types-->卷类型</td>
+			<td>
+				<p><!--In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.-->除了限制 HostPath 卷之外，此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.volumes[*]</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<!--Every item in the <code>spec.volumes[*]</code> list must set one of the following fields to a non-null value:--><code>spec.volumes[*]</code> 列表中的每个条目必须将下面字段之一设置为非空值：
+				<ul>
+					<li><code>spec.volumes[*].configMap</code></li>
+					<li><code>spec.volumes[*].csi</code></li>
+					<li><code>spec.volumes[*].downwardAPI</code></li>
+					<li><code>spec.volumes[*].emptyDir</code></li>
+					<li><code>spec.volumes[*].ephemeral</code></li>
+					<li><code>spec.volumes[*].persistentVolumeClaim</code></li>
+					<li><code>spec.volumes[*].projected</code></li>
+					<li><code>spec.volumes[*].secret</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+      			<td style="white-space: nowrap"><!--Privilege Escalation (v1.8+)-->特权提升（v1.8+）</td>
+			<td>
+				<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.-->禁止（通过 SetUID 或 SetGID 文件模式）获得特权提升。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
+					<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->允许的取值</strong></p>
+				<ul>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+      			<td style="white-space: nowrap"><!--Running as Non-root-->以非 root 账号运行</td>
+      			<td>
+				<p><!--Containers must be required to run as non-root users.-->容器必须以非 root 账号运行。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.runAsNonRoot</code></li>
+					<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
+					<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><code>true</code></li>
+				</ul>
+				<small>
+					<!--The container fields may be undefined/<code>nil</code> if the pod-level
+					<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.-->如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 <code>true</code>，则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>。
+				</small>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><!--Running as Non-root user (v1.23+)-->非 root 用户（v1.23+）</td>
+			<td>
+				<p><!--Containers must not set <tt>runAsUser</tt> to 0-->容器不可以将 <tt>runAsUser</tt> 设置为 0</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.runAsUser</code></li>
+					<li><code>spec.containers[*].securityContext.runAsUser</code></li>
+					<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--any non-zero value-->所有的非零值</li>
+					<li><code>undefined/null</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Seccomp (v1.19+)</td>
+			<td>
+  				<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。</p>
+  				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.securityContext.seccompProfile.type</code></li>
+					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
+					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><code>RuntimeDefault</code></li>
+					<li><code>Localhost</code></li>
+				</ul>
+				<small>
+					<!--The container fields may be undefined/<code>nil</code> if the pod-level <code>spec.securityContext.seccompProfile.type</code> field is set appropriately.  Conversely, the pod-level field may be undefined/<code>nil</code> if _all_ container- level fields are set.-->如果 Pod 级别的 <code>spec.securityContext.seccompProfile.type</code> 已设置得当，容器级别的安全上下文字段可以为 未定义/<code>nil</code>。反而言之，如果 <bold>所有的</bold> 容器级别的安全上下文字段已设置，则 Pod 级别的字段可为 未定义/<code>nil</code>。
+				</small>
+  			</td>
+		</tr>
+    		<tr>
+			<td style="white-space: nowrap"><!--Capabilities (v1.22+) -->权能（v1.22+）</td>
+      			<td>
+				<p>
+					<!--Containers must drop <code>ALL</code> capabilities, and are only permitted to add back the <code>NET_BIND_SERVICE</code> capability.-->容器必须弃用 <code>ALL</code> 权能，并且只允许添加 <code>NET_BIND_SERVICE</code> 权能。
+				</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
+					<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Any list of capabilities that includes <code>ALL</code>-->包括 <code>ALL</code> 在内的任意权能列表。</li>
+				</ul>
+				<hr />
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
+					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
+				</ul>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<ul>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><code>NET_BIND_SERVICE</code></li>
+				</ul>
+			</td>
+		</tr>
+	</tbody>
+</table>
+
+<!--
+## Policy Instantiation
+
+Decoupling policy definition from policy instantiation allows for a common understanding and
+consistent language of policies across clusters, independent of the underlying enforcement
+mechanism.
+
+As mechanisms mature, they will be defined below on a per-policy basis. The methods of enforcement
+of individual policies are not defined here.
+-->
+## 策略实例化   {#policy-instantiation}
+
+将策略定义从策略实例中解耦出来有助于形成跨集群的策略理解和语言陈述，
+以免绑定到特定的下层实施机制。
+
+随着相关机制的成熟，这些机制会按策略分别定义在下面。特定策略的实施方法不在这里定义。
+
+<!--
+[**Pod Security Admission Controller**](/docs/concepts/security/pod-security-admission/)
+-->
+[**Pod 安全性准入控制器**](/zh-cn/docs/concepts/security/pod-security-admission/)
+
+- {{< example file="security/podsecurity-privileged.yaml" >}}Privileged 名字空间{{< /example >}}
+- {{< example file="security/podsecurity-baseline.yaml" >}}Baseline 名字空间{{< /example >}}
+- {{< example file="security/podsecurity-restricted.yaml" >}}Restricted 名字空间{{< /example >}}
+
+<!--
+[**PodSecurityPolicy**](/docs/concepts/security/pod-security-policy/) (Deprecated)
+-->
+[**PodSecurityPolicy**](/zh-cn/docs/concepts/security/pod-security-policy/) （已弃用）
+
+- {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
+- {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
+- {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}
+
+<!--
+### Alternatives
+-->
+### 替代方案   {#alternatives}
+
+{{% thirdparty-content %}}
+
+<!--
+Other alternatives for enforcing policies are being developed in the Kubernetes ecosystem, such as: 
+-->
+在 Kubernetes 生态系统中还在开发一些其他的替代方案，例如：
+
+- [Kubewarden](https://github.com/kubewarden)
+- [Kyverno](https://kyverno.io/policies/pod-security/)
+- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)
+
+<!--
+## FAQ
+
+### Why isn't there a profile between privileged and baseline?
+-->
+## 常见问题    {#faq}
+
+### 为什么不存在介于 Privileged 和 Baseline 之间的策略类型
+
+<!--
+The three profiles defined here have a clear linear progression from most secure (restricted) to least
+secure (privileged), and cover a broad set of workloads. Privileges required above the baseline
+policy are typically very application specific, so we do not offer a standard profile in this
+niche. This is not to say that the privileged profile should always be used in this case, but that
+policies in this space need to be defined on a case-by-case basis.
+
+SIG Auth may reconsider this position in the future, should a clear need for other profiles arise.
+-->
+这里定义的三种策略框架有一个明晰的线性递进关系，从最安全（Restricted）到最不安全，
+并且覆盖了很大范围的工作负载。特权要求超出 Baseline 策略者通常是特定于应用的需求，
+所以我们没有在这个范围内提供标准框架。
+这并不意味着在这样的情形下仍然只能使用 Privileged 框架，
+只是说处于这个范围的策略需要因地制宜地定义。
+
+SIG Auth 可能会在将来考虑这个范围的框架，前提是有对其他框架的需求。
+
+<!--
+### What's the difference between a security policy and a security context?
+
+[Security Contexts](/docs/tasks/configure-pod-container/security-context/) configure Pods and
+Containers at runtime. Security contexts are defined as part of the Pod and container specifications
+in the Pod manifest, and represent parameters to the container runtime.
+-->
+### 安全策略与安全上下文的区别是什么？
+
+[安全上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/)在运行时配置 Pod
+和容器。安全上下文是在 Pod 清单中作为 Pod 和容器规约的一部分来定义的，
+所代表的是传递给容器运行时的参数。
+
+<!--
+Security profiles are control plane mechanisms to enforce specific settings in the Security Context,
+as well as other related parameters outside the Security Context. As of July 2021, 
+[Pod Security Policies](/docs/concepts/security/pod-security-policy/) are deprecated in favor of the
+built-in [Pod Security Admission Controller](/docs/concepts/security/pod-security-admission/). 
+-->
+安全策略则是控制面用来对安全上下文以及安全性上下文之外的参数实施某种设置的机制。
+在 2020 年 7 月，
+[Pod 安全性策略](/zh-cn/docs/concepts/security/pod-security-policy/)已被废弃，
+取而代之的是内置的 [Pod 安全性准入控制器](/zh-cn/docs/concepts/security/pod-security-admission/)。
+
+<!--
+### What profiles should I apply to my Windows Pods?
+
+Windows in Kubernetes has some limitations and differentiators from standard Linux-based
+workloads. Specifically, the Pod SecurityContext fields [have no effect on
+Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). As
+such, no standardized Pod Security profiles currently exists.
+-->
+### 我应该为我的 Windows Pod 实施哪种框架？
+
+Kubernetes 中的 Windows 负载与标准的基于 Linux 的负载相比有一些局限性和区别。
+尤其是 Pod SecurityContext
+字段[对 Windows 不起作用](/zh-cn/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext)。
+因此，目前没有对应的标准 Pod 安全性框架。
+
+<!-- 
+If you apply the restricted profile for a Windows pod, this **may** have an impact on the pod
+at runtime. The restricted profile requires enforcing Linux-specific restrictions (such as seccomp
+profile, and disallowing privilege escalation). If the kubelet and / or its container runtime ignore
+these Linux-specific values, then the Windows pod should still work normally within the restricted
+profile. However, the lack of enforcement means that there is no additional restriction, for Pods
+that use Windows containers, compared to the baseline profile.
+-->
+如果你为一个 Windows Pod 应用了 Restricted 策略，**可能会** 对该 Pod 的运行时产生影响。
+Restricted 策略需要强制执行 Linux 特有的限制（如 seccomp Profile，并且禁止特权提升）。
+如果 kubelet 和/或其容器运行时忽略了 Linux 特有的值，那么应该不影响 Windows Pod 正常工作。
+然而，对于使用 Windows 容器的 Pod 来说，缺乏强制执行意味着相比于 Restricted 策略，没有任何额外的限制。
+
+<!--
+The use of the HostProcess flag to create a HostProcess pod should only be done in alignment with the privileged policy. Creation of a Windows HostProcess pod is blocked under the baseline and restricted policies, so any HostProcess pod should be considered privileged.
+-->
+你应该只在 Privileged 策略下使用 HostProcess 标志来创建 HostProcess Pod。
+在 Baseline 和 Restricted 策略下，创建 Windows HostProcess Pod 是被禁止的，
+因此任何 HostProcess Pod 都应该被认为是有特权的。
+
+<!--
+### What about sandboxed Pods?
+
+There is not currently an API standard that controls whether a Pod is considered sandboxed or
+not. Sandbox Pods may be identified by the use of a sandboxed runtime (such as gVisor or Kata
+Containers), but there is no standard definition of what a sandboxed runtime is.
+-->
+### 沙箱（Sandboxed）Pod 怎么处理？  {#what-about-sandboxed-pods}
+
+现在还没有 API 标准来控制 Pod 是否被视作沙箱化 Pod。
+沙箱 Pod 可以通过其是否使用沙箱化运行时（如 gVisor 或 Kata Container）来辨别，
+不过目前还没有关于什么是沙箱化运行时的标准定义。
+
+<!--
+The protections necessary for sandboxed workloads can differ from others. For example, the need to
+restrict privileged permissions is lessened when the workload is isolated from the underlying
+kernel. This allows for workloads requiring heightened permissions to still be isolated.
+
+Additionally, the protection of sandboxed workloads is highly dependent on the method of
+sandboxing. As such, no single recommended policy is recommended for all sandboxed workloads.
+-->
+沙箱化负载所需要的保护可能彼此各不相同。例如，当负载与下层内核直接隔离开来时，
+限制特权化操作的许可就不那么重要。这使得那些需要更多许可权限的负载仍能被有效隔离。
+
+此外，沙箱化负载的保护高度依赖于沙箱化的实现方法。
+因此，现在还没有针对所有沙箱化负载的建议策略。
+
diff --git a/content/zh-cn/docs/concepts/security/rbac-good-practices.md b/content/zh-cn/docs/concepts/security/rbac-good-practices.md
new file mode 100644
index 0000000000000..a8ccbaca4e77e
--- /dev/null
+++ b/content/zh-cn/docs/concepts/security/rbac-good-practices.md
@@ -0,0 +1,357 @@
+---
+title: 基于角色的访问控制良好实践
+description: >
+  为集群操作人员提供的良好的 RBAC 设计原则和实践。
+content_type: concept
+weight: 60
+---
+
+<!--
+reviewers:
+title: Role Based Access Control Good Practices
+description: >
+  Principles and practices for good RBAC design for cluster operators.
+content_type: concept
+weight: 60
+-->
+
+<!-- overview -->
+
+<!--
+Kubernetes {{< glossary_tooltip text="RBAC" term_id="rbac" >}} is a key security control 
+to ensure that cluster users and workloads have only the access to resources required to 
+execute their roles. It is important to ensure that, when designing permissions for cluster
+users, the cluster administrator understands the areas where privilge escalation could occur, 
+to reduce the risk of excessive access leading to security incidents.
+
+The good practices laid out here should be read in conjunction with the general [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update).
+-->
+
+Kubernetes {{< glossary_tooltip text="RBAC" term_id="rbac" >}}
+是一项重要的安全控制措施，用于保证集群用户和工作负载只能访问履行自身角色所需的资源。
+在为集群用户设计权限时，请务必确保集群管理员知道可能发生特权提级的地方，
+降低因过多权限而导致安全事件的风险。
+
+此文档的良好实践应该与通用
+[RBAC 文档](/zh-cn/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update)一起阅读。
+
+<!-- body -->
+
+<!--
+## General good practice
+
+### Least privilege
+-->
+## 通用的良好实践 {#general-good-practice}
+
+### 最小特权  {#least-privilege}
+
+<!--
+Ideally minimal RBAC rights should be assigned to users and service accounts. Only permissions 
+explicitly required for their operation should be used. Whilst each cluster will be different, 
+some general rules that can be applied are :
+-->
+理想情况下，分配给用户和服务帐户的 RBAC 权限应该是最小的。
+仅应使用操作明确需要的权限，虽然每个集群会有所不同，但可以应用的一些常规规则：
+
+<!--
+ - Assign permissions at the namespace level where possible. Use RoleBindings as opposed to 
+   ClusterRoleBindings to give users rights only within a specific namespace.
+ - Avoid providing wildcard permissions when possible, especially to all resources.
+   As Kubernetes is an extensible system, providing wildcard access gives rights
+   not just to all object types presently in the cluster, but also to all future object types
+   which are created in the future.
+ - Administrators should not use `cluster-admin` accounts except where specifically needed. 
+   Providing a low privileged account with [impersonation rights](/docs/reference/access-authn-authz/authentication/#user-impersonation)
+   can avoid accidental modification of cluster resources.
+ - Avoid adding users to the `system:masters` group. Any user who is a member of this group 
+   bypasses all RBAC rights checks and will always have unrestricted superuser access, which cannot be 
+   revoked by removing Role Bindings or Cluster Role Bindings. As an aside, if a cluster is 
+   using an authorization webhook, membership of this group also bypasses that webhook (requests 
+   from users who are members of that group are never sent to the webhook)
+-->
+- 尽可能在命名空间级别分配权限。授予用户在特定命名空间中的权限时使用 RoleBinding
+  而不是 ClusterRoleBinding。
+- 尽可能避免通过通配符设置权限，尤其是对所有资源的权限。
+  由于 Kubernetes 是一个可扩展的系统，因此通过通配符来授予访问权限不仅会授予集群中当前的所有对象类型，
+  还包含所有未来被创建的所有对象类型。
+- 管理员不应使用 `cluster-admin` 账号，除非特别需要。为低特权帐户提供
+  [伪装权限](/zh-cn/docs/reference/access-authn-authz/authentication/#user-impersonation)
+  可以避免意外修改集群资源。
+- 避免将用户添加到 `system:masters` 组。任何属于此组成员的用户都会绕过所有 RBAC 权限检查，
+  始终具有不受限制的超级用户访问权限，并且不能通过删除 `RoleBinding` 或 `ClusterRoleBinding`
+  来取消其权限。顺便说一句，如果集群是使用 Webhook 鉴权，此组的成员身份也会绕过该 
+  Webhook（来自属于该组成员的用户的请求永远不会发送到 Webhook）。
+ 
+<!--
+### Minimize distribution of privileged tokens
+-->
+### 最大限度地减少特权令牌的分发 {#minimize-distribution-of-privileged-tokens}
+
+<!--
+Ideally, pods shouldn't be assigned service accounts that have been granted powerful permissions (for example, any of the rights listed under
+[privilege escalation risks](#privilege-escalation-risks)). 
+In cases where a workload requires powerful permissions, consider the following practices:
+ - Limit the number of nodes running powerful pods. Ensure that any DaemonSets you run
+  are necessary and are run with least privilege to limit the blast radius of container escapes.
+ - Avoid running powerful pods alongside untrusted or publicly-exposed ones. Consider using 
+   [Taints and Toleration](/docs/concepts/scheduling-eviction/taint-and-toleration/), [NodeAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity), or [PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) to ensure 
+   pods don't run alongside untrusted or less-trusted Pods. Pay especial attention to
+   situations where less-trustworthy Pods are not meeting the **Restricted** Pod Security Standard.
+-->
+理想情况下，不应为 Pod 分配具有强大权限（例如，在[特权提级的风险](#privilege-escalation-risks)中列出的任一权限）的服务帐户。
+如果工作负载需要比较大的权限，请考虑以下做法：
+- 限制运行此类 Pod 的节点数量。确保你运行的任何 DaemonSet 都是必需的，
+  并且以最小权限运行，以限制容器逃逸的影响范围。
+- 避免将此类 Pod 与不可信任或公开的 Pod 在一起运行。
+  考虑使用[污点和容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)、
+  [节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)或
+  [Pod 反亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)确保 
+  Pod 不会与不可信或不太受信任的 Pod 一起运行。
+  特别注意可信度不高的 Pod 不符合 **Restricted** Pod 安全标准的情况。
+<!--
+### Hardening
+
+Kubernetes defaults to providing access which may not be required in every cluster. Reviewing 
+the RBAC rights provided by default can provide opportunities for security hardening.
+In general, changes should not be made to rights provided to `system:` accounts some options 
+to harden cluster rights exist:
+-->
+### 加固 {#hardening}
+
+Kubernetes 默认提供访问权限并非是每个集群都需要的。
+审查默认提供的 RBAC 权限为安全加固提供了机会。
+一般来说，不应该更改 `system:` 帐户的某些权限，有一些方式来强化现有集群的权限：
+
+<!--
+- Review bindings for the `system:unauthenticated` group and remove where possible, as this gives 
+  access to anyone who can contact the API server at a network level.
+- Avoid the default auto-mounting of service account tokens by setting
+  `automountServiceAccountToken: false`. For more details, see
+  [using default service account token](/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server).
+  Setting this value for a Pod will overwrite the service account setting, workloads
+  which require service account tokens can still mount them.
+-->
+- 审查 `system:unauthenticated` 组的绑定，并在可能的情况下将其删除，
+  因为这会给所有能够访问 API 服务器的人以网络级别的权限。
+- 通过设置 `automountServiceAccountToken: false` 来避免服务账号令牌的默认自动挂载，
+  有关更多详细信息，请参阅[使用默认服务账号令牌](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)。
+  此参数可覆盖 Pod 服务账号设置，而需要服务账号令牌的工作负载仍可以挂载。
+
+<!--
+### Periodic review
+
+It is vital to periodically review the Kubernetes RBAC settings for redundant entries and 
+possible privilege escalations.
+If an attacker is able to create a user account with the same name as a deleted user,
+they can automatically inherit all the rights of the deleted user, especially the
+rights assigned to that user.
+ --> 
+### 定期检查  {#periodic-review}
+定期检查 Kubernetes RBAC 设置是否有冗余条目和提权可能性是至关重要的。
+如果攻击者能够创建与已删除用户同名的用户账号，
+他们可以自动继承被删除用户的所有权限，尤其是分配给该用户的权限。
+
+<!--
+## Kubernetes RBAC - privilege escalation risks {#privilege-escalation-risks}
+
+Within Kubernetes RBAC there are a number of privileges which, if granted, can allow a user or a service account
+to escalate their privileges in the cluster or affect systems outside the cluster.
+
+This section is intended to provide visibility of the areas where cluster operators 
+should take care, to ensure that they do not inadvertently allow for more access to clusters than intended.
+-->
+## Kubernetes RBAC - 权限提权的风险 {#privilege-escalation-risks}
+
+在 Kubernetes RBAC 中有许多特权，如果被授予，
+用户或服务帐户可以提升其在集群中的权限并可能影响集群外的系统。
+
+本节旨在提醒集群操作员需要注意的不同领域，
+以确保他们不会无意中授予超出预期的集群访问权限。
+
+<!--
+### Listing secrets
+
+It is generally clear that allowing `get` access on Secrets will allow a user to read their contents.
+It is also important to note that `list` and `watch` access also effectively allow for users to reveal the Secret contents.
+For example, when a List response is returned (for example, via `kubectl get secrets -A -o yaml`), the response
+includes the contents of all Secrets.
+-->
+### 列举 Secret {#listing-secrets}
+
+大家都很清楚，若允许对 Secrets 执行 `get` 访问，用户就获得了访问 Secret 内容的能力。
+同样需要注意的是：`list` 和 `watch` 访问也会授权用户获取 Secret 的内容。
+例如，当返回 List 响应时（例如，通过 
+`kubectl get secrets -A -o yaml`），响应包含所有 Secret 的内容。
+
+<!--
+### Workload creation
+
+Users who are able to create workloads (either Pods, or
+[workload resources](/docs/concepts/workloads/controllers/) that manage Pods) will
+be able to gain access to the underlying node unless restrictions based on the Kubernetes
+[Pod Security Standards](/docs/concepts/security/pod-security-standards/) are in place.
+-->
+### 工作负载的创建 {#workload-creation}
+
+能够创建工作负载的用户（Pod 或管理 Pod 的[工作负载资源](/zh-cn/docs/concepts/workloads/controllers/)） 
+能够访问下层的节点，除非基于 Kubernetes 的
+[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)做限制。
+
+<!--
+Users who can run privileged Pods can use that access to gain node access and potentially to
+further elevate their privileges. Where you do not fully trust a user or other principal
+with the ability to create suitably secure and isolated Pods, you should enforce either the
+**Baseline** or **Restricted** Pod Security Standard.
+You can use [Pod Security admission](/docs/concepts/security/pod-security-admission/)
+or other (third party) mechanisms to implement that enforcement.
+-->
+可以运行特权 Pod 的用户可以利用该访问权限获得节点访问权限，
+并可能进一步提升他们的特权。如果你不完全信任某用户或其他主体，
+不相信他们能够创建比较安全且相互隔离的 Pod，你应该强制实施 **Baseline**
+或 **Restricted** Pod 安全标准。
+你可以使用 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)或其他（第三方）机制来强制实施这些限制。
+
+<!--
+You can also use the deprecated [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) mechanism
+to restrict users' abilities to create privileged Pods (N.B. PodSecurityPolicy is scheduled for removal
+in version 1.25).
+-->
+你还可以使用已弃用的 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/)
+机制以限制用户创建特权 Pod 的能力 （特别注意：PodSecurityPolicy 已计划在版本 1.25 中删除）。
+
+<!--
+Creating a workload in a namespace also grants indirect access to Secrets in that namespace. 
+Creating a pod in kube-system or a similarly privileged namespace can grant a user access to 
+Secrets they would not have through RBAC directly.
+-->
+在命名空间中创建工作负载还会授予对该命名空间中 Secret 的间接访问权限。
+在 kube-system 或类似特权的命名空间中创建 Pod 
+可以授予用户不需要通过 RBAC 即可获取 Secret 访问权限。
+
+<!--
+### Persistent volume creation
+
+As noted in the [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems) documentation, access to create PersistentVolumes can allow for escalation of access to the underlying host. Where access to persistent storage is required trusted administrators should create 
+PersistentVolumes, and constrained users should use PersistentVolumeClaims to access that storage.
+-->
+### 持久卷的创建 {#persistent-volume-creation}
+
+如 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/#volumes-and-file-systems) 
+文档中所述，创建 PersistentVolumes 的权限可以提权访问底层主机。
+如果需要访问 PersistentVolume，受信任的管理员应该创建 `PersistentVolume`，
+受约束的用户应该使用 `PersistentVolumeClaim` 访问该存储。
+
+<!--
+### Access to `proxy` subresource of Nodes
+
+Users with access to the proxy sub-resource of node objects have rights to the Kubelet API, 
+which allows for command execution on every pod on the node(s) which they have rights to. 
+This access bypasses audit logging and admission control, so care should be taken before 
+granting rights to this resource.
+-->
+### 访问 Node 的 `proxy` 子资源  {#access-to-proxy-subresource-of-nodes}
+
+有权访问 Node 对象的 proxy 子资源的用户有权访问 Kubelet API，
+这允许在他们有权访问的节点上的所有 Pod 上执行命令。
+此访问绕过审计日志记录和准入控制，因此在授予对此资源的权限前应小心。
+
+<!--
+### Escalate verb
+
+Generally the RBAC system prevents users from creating clusterroles with more rights than 
+they possess. The exception to this is the `escalate` verb. As noted in the [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update),
+users with this right can effectively escalate their privileges.
+-->
+### esclate 动词 {#escalate-verb}
+通常，RBAC 系统会阻止用户创建比他所拥有的更多权限的 `ClusterRole`。
+而 `escalate` 动词是个例外。如
+[RBAC 文档](/zh-cn/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update)
+中所述，拥有此权限的用户可以有效地提升他们的权限。
+
+<!--
+### Bind verb
+
+Similar to the `escalate` verb, granting users this right allows for bypass of Kubernetes 
+in-built protections against privilege escalation, allowing users to create bindings to 
+roles with rights they do not already have.
+-->
+### bind 动词  {#bind-verb}
+
+与 `escalate` 动作类似，授予此权限的用户可以绕过 Kubernetes
+对权限提升的内置保护，用户可以创建并绑定尚不具有的权限的角色。
+
+<!--
+### Impersonate verb
+
+This verb allows users to impersonate and gain the rights of other users in the cluster. 
+Care should be taken when granting it, to ensure that excessive permissions cannot be gained 
+via one of the impersonated accounts.
+-->
+### impersonate 动词 {#impersonate-verb}
+
+此动词允许用户伪装并获得集群中其他用户的权限。
+授予它时应小心，以确保通过其中一个伪装账号不会获得过多的权限。
+
+<!--
+### CSRs and certificate issuing
+
+The CSR API allows for users with `create` rights to CSRs and `update` rights on `certificatesigningrequests/approval` 
+where the signer is `kubernetes.io/kube-apiserver-client` to create new client certificates 
+which allow users to authenticate to the cluster. Those client certificates can have arbitrary 
+names including duplicates of Kubernetes system components. This will effectively allow for privilege escalation.
+-->
+### CSR 和证书颁发 {#csrs-and-certificate-issuing}
+
+CSR API 允许用户拥有 `create` CSR 的权限和 `update`
+`certificatesigningrequests/approval` 的权限，
+其中签名者是 `kubernetes.io/kube-apiserver-client`，
+通过此签名创建的客户端证书允许用户向集群进行身份验证。
+这些客户端证书可以包含任意的名称，包括 Kubernetes 系统组件的副本。
+这将有利于特权提级。
+
+<!--
+### Token request
+
+Users with `create` rights on `serviceaccounts/token` can create TokenRequests to issue 
+tokens for existing service accounts. 
+-->
+### 令牌请求 {#token-request}
+
+拥有 `serviceaccounts/token` 的 `create` 权限的用户可以创建 
+TokenRequest 来发布现有服务帐户的令牌。
+
+<!--
+### Control admission webhooks
+
+Users with control over `validatingwebhookconfigurations` or `mutatingwebhookconfigurations` 
+can control webhooks that can read any object admitted to the cluster, and in the case of 
+mutating webhooks, also mutate admitted objects.
+-->
+###  控制准入 Webhook {#control-admission-webhooks}
+
+可以控制 `validatingwebhookconfigurations` 或 `mutatingwebhookconfigurations`
+的用户可以控制能读取任何允许进入集群的对象的 webhook，
+并且在有变更 webhook 的情况下，还可以变更准入的对象。
+
+<!--
+## Kubernetes RBAC - denial of service risks {#denial-of-service-risks}
+
+### Object creation denial-of-service {#object-creation-dos}
+Users who have rights to create objects in a cluster may be able to create sufficient large 
+objects to create a denial of service condition either based on the size or number of objects, as discussed in
+[etcd used by Kubernetes is vulnerable to OOM attack](https://github.com/kubernetes/kubernetes/issues/107325). This may be
+specifically relevant in multi-tenant clusters if semi-trusted or untrusted users 
+are allowed limited access to a system.
+
+One option for mitigation of this issue would be to use [resource quotas](/docs/concepts/policy/resource-quotas/#object-count-quota)
+to limit the quantity of objects which can be created.
+-->
+## Kubernetes RBAC - 拒绝服务攻击的风险 {#denial-of-service-risks}
+
+### 对象创建拒绝服务 {#object-creation-dos}
+有权在集群中创建对象的用户根据创建对象的大小和数量可能会创建足够大的对象，
+产生拒绝服务状况，如 [Kubernetes 使用的 etcd 容易受到 OOM 攻击](https://github.com/kubernetes/kubernetes/issues/107325)中的讨论。
+允许太不受信任或者不受信任的用户对系统进行有限的访问在多租户集群中是特别重要的。
+
+缓解此问题的一种选择是使用[资源配额](/zh-cn/docs/concepts/policy/resource-quotas/#object-count-quota)以限制可以创建的对象数量。
\ No newline at end of file
diff --git a/content/zh-cn/docs/concepts/security/windows-security.md b/content/zh-cn/docs/concepts/security/windows-security.md
new file mode 100644
index 0000000000000..3cdf1090396a1
--- /dev/null
+++ b/content/zh-cn/docs/concepts/security/windows-security.md
@@ -0,0 +1,109 @@
+---
+title: Windows 节点的安全性
+content_type: concept
+weight: 40
+---
+<!--
+reviewers:
+- jayunit100
+- jsturtevant
+- marosset
+- perithompson
+  title:    Security For Windows Nodes
+  content_type: concept
+  weight: 75
+-->
+
+<!-- overview -->
+
+<!--
+This page describes security considerations and best practices specific to the Windows operating system.
+-->
+本篇介绍特定于 Windows 操作系统的安全注意事项和最佳实践。
+
+<!-- body -->
+
+<!--
+## Protection for Secret data on nodes
+-->
+## 保护节点上的 Secret 数据   {#protection-for-secret-data-on-nodes}
+
+<!--
+On Windows, data from Secrets are written out in clear text onto the node's local
+storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster
+operator, you should take both of the following additional measures:
+-->
+在 Windows 上，来自 Secret 的数据以明文形式写入节点的本地存储
+（与在 Linux 上使用 tmpfs / 内存中文件系统不同）。
+作为集群操作员，你应该采取以下两项额外措施：
+
+<!--
+1. Use file ACLs to secure the Secrets' file location.
+1. Apply volume-level encryption using [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server).
+-->
+1. 使用文件 ACL 来保护 Secret 的文件位置。
+2. 使用 [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server)
+   进行卷级加密。
+
+<!--
+## Container users
+-->
+## 容器用户   {#container-users}
+
+<!--
+[RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername)
+can be specified for Windows Pods or containers to execute the container
+processes as specific user. This is roughly equivalent to
+[RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups).
+-->
+可以为 Windows Pod 或容器指定 [RunAsUsername](/zh-cn/docs/tasks/configure-pod-container/configure-runasusername)
+以作为特定用户执行容器进程。这大致相当于 [RunAsUser](/zh-cn/docs/concepts/security/pod-security-policy/#users-and-groups)。
+
+<!--
+Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator.
+The differences between these two user accounts are covered in
+[When to use ContainerAdmin and ContainerUser user accounts](https://docs.microsoft.com/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts) within Microsoft's _Secure Windows containers_ documentation.
+-->
+Windows 容器提供两个默认用户帐户，ContainerUser 和 ContainerAdministrator。
+在微软的 Windows 容器安全文档
+[何时使用 ContainerAdmin 和 ContainerUser 用户帐户](https://docs.microsoft.com/zh-cn/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts)
+中介绍了这两个用户帐户之间的区别。
+
+<!--
+Local users can be added to container images during the container build process.
+-->
+在容器构建过程中，可以将本地用户添加到容器镜像中。
+
+{{< note >}}
+<!--
+* [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) based images run as `ContainerUser` by default
+* [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) based images run as `ContainerAdministrator` by default
+-->
+* 基于 [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) 的镜像默认以 `ContainerUser` 运行
+* 基于 [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) 的镜像默认以 `ContainerAdministrator` 运行
+{{< /note >}}
+
+<!--
+Windows containers can also run as Active Directory identities by utilizing [Group Managed Service Accounts](/docs/tasks/configure-pod-container/configure-gmsa/)
+-->
+Windows 容器还可以通过使用[组管理的服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-gmsa/)作为
+Active Directory 身份运行。
+
+<!--
+## Pod-level security isolation
+-->
+## Pod 级安全隔离   {#pod-level-security-isolation}
+
+<!--
+Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom
+POSIX capabilities) are not supported on Windows nodes.
+-->
+Windows 节点不支持特定于 Linux 的 Pod 安全上下文机制（例如 SELinux、AppArmor、Seccomp 或自定义 POSIX 权能字）。
+
+<!--
+Privileged containers are [not supported](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext) on Windows.
+Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod) can be used on Windows to perform many of the tasks performed by privileged containers on Linux.
+-->
+Windows 上[不支持](/zh-cn/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext)特权容器。
+然而，可以在 Windows 上使用 [HostProcess 容器](/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod)来执行
+Linux 上特权容器执行的许多任务。
diff --git a/content/zh/docs/concepts/services-networking/_index.md b/content/zh-cn/docs/concepts/services-networking/_index.md
similarity index 71%
rename from content/zh/docs/concepts/services-networking/_index.md
rename to content/zh-cn/docs/concepts/services-networking/_index.md
index 01d327577fe53..80c78e4b8b419 100644
--- a/content/zh/docs/concepts/services-networking/_index.md
+++ b/content/zh-cn/docs/concepts/services-networking/_index.md
@@ -7,43 +7,46 @@ description: Kubernetes 网络背后的概念和资源。
 <!--
 ## The Kubernetes network model
 
-Every [`Pod`](/docs/concepts/workloads/pods/) gets its own IP address.
+Every [`Pod`](/docs/concepts/workloads/pods/) in a cluster gets its own unique cluster-wide IP address. 
 This means you do not need to explicitly create links between `Pods` and you
 almost never need to deal with mapping container ports to host ports.  
 This creates a clean, backwards-compatible model where `Pods` can be treated
 much like VMs or physical hosts from the perspectives of port allocation,
-naming, service discovery, [load balancing](/docs/concepts/services-networking/ingress/#load-balancing), application configuration,
-and migration.
-
-Kubernetes imposes the following fundamental requirements on any networking
-implementation (barring any intentional network segmentation policies):
-
-* pods on a [node](/docs/concepts/architecture/nodes/) can communicate with all pods on all nodes without NAT
-* agents on a node (e.g. system daemons, kubelet) can communicate with all
-  pods on that node
-
-Note: For those platforms that support `Pods` running in the host network (e.g.
-Linux):
-
-* pods in the host network of a node can communicate with all pods on all
-  nodes without NAT
+naming, service discovery, [load balancing](/docs/concepts/services-networking/ingress/#load-balancing),
+application configuration, and migration.
 -->
 ## Kubernetes 网络模型   {#the-kubernetes-network-model}
 
-每一个 [`Pod`](/zh/docs/concepts/workloads/pods/) 都有它自己的IP地址，
-这就意味着你不需要显式地在 `Pod` 之间创建链接， 你几乎不需要处理容器端口到主机端口之间的映射。
+集群中每一个 [`Pod`](/zh-cn/docs/concepts/workloads/pods/) 都会获得自己的、
+独一无二的 IP 地址，
+这就意味着你不需要显式地在 `Pod` 之间创建链接，你几乎不需要处理容器端口到主机端口之间的映射。
 这将形成一个干净的、向后兼容的模型；在这个模型里，从端口分配、命名、服务发现、
-[负载均衡](/zh/docs/concepts/services-networking/ingress/#load-balancing)、应用配置和迁移的角度来看，
-`Pod` 可以被视作虚拟机或者物理主机。
+[负载均衡](/zh-cn/docs/concepts/services-networking/ingress/#load-balancing)、
+应用配置和迁移的角度来看，`Pod` 可以被视作虚拟机或者物理主机。
 
+<!--
+Kubernetes imposes the following fundamental requirements on any networking
+implementation (barring any intentional network segmentation policies):
+-->
 Kubernetes 强制要求所有网络设施都满足以下基本要求（从而排除了有意隔离网络的策略）：
 
-* [节点](/zh/docs/concepts/architecture/nodes/)上的 Pod 可以不通过 NAT 和其他任何节点上的 Pod 通信
+<!--
+* pods can communicate with all other pods on any other [node](/docs/concepts/architecture/nodes/) 
+  without NAT
+* agents on a node (e.g. system daemons, kubelet) can communicate with all
+  pods on that node
+-->
+* Pod 能够与所有其他[节点](/zh-cn/docs/concepts/architecture/nodes/)上的 Pod 通信，
+  且不需要网络地址转译（NAT）
 * 节点上的代理（比如：系统守护进程、kubelet）可以和节点上的所有 Pod 通信
 
-备注：对于支持在主机网络中运行 `Pod` 的平台（比如：Linux）：
-
-* 运行在节点主机网络里的 Pod 可以不通过 NAT 和所有节点上的 Pod 通信
+<!--
+Note: For those platforms that support `Pods` running in the host network (e.g.
+Linux), when pods are attached to the host network of a node they can still communicate 
+with all pods on all nodes without NAT.
+-->
+说明：对于支持在主机网络中运行 `Pod` 的平台（比如：Linux），
+当 Pod 挂接到节点的宿主网络上时，它们仍可以不通过 NAT 和所有节点上的 Pod 通信。
 
 <!--
 This model is not only less complex overall, but it is principally compatible
@@ -62,7 +65,8 @@ usage, but this is no different from processes in a VM.  This is called the
 如果你的任务开始是在虚拟机中运行的，你的虚拟机有一个 IP，
 可以和项目中其他虚拟机通信。这里的模型是基本相同的。
 
-Kubernetes 的 IP 地址存在于 `Pod` 范围内 - 容器共享它们的网络命名空间 - 包括它们的 IP 地址和 MAC 地址。
+Kubernetes 的 IP 地址存在于 `Pod` 范围内 —— 容器共享它们的网络命名空间 ——
+包括它们的 IP 地址和 MAC 地址。
 这就意味着 `Pod` 内的容器都可以通过 `localhost` 到达对方端口。
 这也意味着 `Pod` 内的容器需要相互协调端口的使用，但是这和虚拟机中的进程似乎没有什么不同，
 这也被称为“一个 Pod 一个 IP”模型。
@@ -90,9 +94,10 @@ Kubernetes networking addresses four concerns:
 -->
 
 Kubernetes 网络解决四方面的问题：
-- 一个 Pod 中的容器之间[通过本地回路（loopback）通信](/zh/docs/concepts/services-networking/dns-pod-service/)。
+
+- 一个 Pod 中的容器之间[通过本地回路（loopback）通信](/zh-cn/docs/concepts/services-networking/dns-pod-service/)。
 - 集群网络在不同 pod 之间提供通信。
-- [Service 资源](/zh/docs/concepts/services-networking/service/)允许你
-  [对外暴露 Pods 中运行的应用程序](/zh/docs/concepts/services-networking/connect-applications-service/)，
+- [Service 资源](/zh-cn/docs/concepts/services-networking/service/)允许你
+  [向外暴露 Pods 中运行的应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)，
   以支持来自于集群外部的访问。
-- 可以使用 Services 来[发布仅供集群内部使用的服务](/zh/docs/concepts/services-networking/service-traffic-policy/)。
+- 可以使用 Services 来[发布仅供集群内部使用的服务](/zh-cn/docs/concepts/services-networking/service-traffic-policy/)。
diff --git a/content/zh/docs/concepts/services-networking/connect-applications-service.md b/content/zh-cn/docs/concepts/services-networking/connect-applications-service.md
similarity index 97%
rename from content/zh/docs/concepts/services-networking/connect-applications-service.md
rename to content/zh-cn/docs/concepts/services-networking/connect-applications-service.md
index d24745a3f0af1..16668c1e466be 100644
--- a/content/zh/docs/concepts/services-networking/connect-applications-service.md
+++ b/content/zh-cn/docs/concepts/services-networking/connect-applications-service.md
@@ -82,7 +82,7 @@ You can read more about the [Kubernetes Networking Model](/docs/concepts/cluster
 Pod 或节点上使用 IP 的方式访问到它们。
 如果你想的话，你依然可以将宿主节点的某个端口的流量转发到 Pod 中，但是出于网络模型的原因，你不必这么做。
 
-如果对此好奇，请参考 [Kubernetes 网络模型](/zh/docs/concepts/cluster-administration/networking/#the-kubernetes-network-model)。
+如果对此好奇，请参考 [Kubernetes 网络模型](/zh-cn/docs/concepts/cluster-administration/networking/#the-kubernetes-network-model)。
 
 <!--
 ## Creating a Service
@@ -193,7 +193,7 @@ about the [service proxy](/docs/concepts/services-networking/service/#virtual-ip
 
 现在，你应该能够从集群中任意节点上使用 curl 命令向 `<CLUSTER-IP>:<PORT>` 发送请求以访问 Nginx Service。
 注意 Service IP 完全是虚拟的，它从来没有走过网络，如果对它如何工作的原理感到好奇，
-可以进一步阅读[服务代理](/zh/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
+可以进一步阅读[服务代理](/zh-cn/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
 的内容。
 
 <!--
@@ -312,7 +312,7 @@ IP 分配名称的 DNS 服务器。 这里我们使用 CoreDNS 集群插件（
 所以在集群中的任何 Pod 中，你都可以使用标准方法（例如：`gethostbyname()`）与该 Service 通信。
 如果 CoreDNS 没有在运行，你可以参照
 [CoreDNS README](https://github.com/coredns/deployment/tree/master/kubernetes)
-或者[安装 CoreDNS](/zh/docs/tasks/administer-cluster/coredns/#installing-coredns) 来启用它。
+或者[安装 CoreDNS](/zh-cn/docs/tasks/administer-cluster/coredns/#installing-coredns) 来启用它。
 让我们运行另一个 curl 应用来进行测试：
 
 ```shell
@@ -357,7 +357,7 @@ You can acquire all these from the [nginx https example](https://github.com/kube
 
 * 用于 HTTPS 的自签名证书（除非已经有了一个身份证书）
 * 使用证书配置的 Nginx 服务器
-* 使 Pod 可以访问证书的 [Secret](/zh/docs/concepts/configuration/secret/)
+* 使 Pod 可以访问证书的 [Secret](/zh-cn/docs/concepts/configuration/secret/)
 
 你可以从
 [Nginx https 示例](https://github.com/kubernetes/examples/tree/master/staging/https-nginx/)获取所有上述内容。
@@ -620,6 +620,6 @@ LoadBalancer Ingress:   a320587ffd19711e5a37606cf4a74574-1142138393.us-east-1.el
 * Learn more about [Connecting a Front End to a Back End Using a Service](/docs/tasks/access-application-cluster/connecting-frontend-backend/)
 * Learn more about [Creating an External Load Balancer](/docs/tasks/access-application-cluster/create-external-load-balancer/)
 -->
-* 进一步了解如何[使用 Service 访问集群中的应用](/zh/docs/tasks/access-application-cluster/service-access-application-cluster/)
-* 进一步了解如何[使用 Service 将前端连接到后端](/zh/docs/tasks/access-application-cluster/connecting-frontend-backend/)
-* 进一步了解如何[创建外部负载均衡器](/zh/docs/tasks/access-application-cluster/create-external-load-balancer/)
+* 进一步了解如何[使用 Service 访问集群中的应用](/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster/)
+* 进一步了解如何[使用 Service 将前端连接到后端](/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend/)
+* 进一步了解如何[创建外部负载均衡器](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/)
diff --git a/content/zh/docs/concepts/services-networking/dns-pod-service.md b/content/zh-cn/docs/concepts/services-networking/dns-pod-service.md
similarity index 69%
rename from content/zh/docs/concepts/services-networking/dns-pod-service.md
rename to content/zh-cn/docs/concepts/services-networking/dns-pod-service.md
index 2b9dfeb36f434..9946a88eb3262 100644
--- a/content/zh/docs/concepts/services-networking/dns-pod-service.md
+++ b/content/zh-cn/docs/concepts/services-networking/dns-pod-service.md
@@ -15,11 +15,11 @@ weight: 20
 <!-- overview -->
 
 <!--
-Kubernetes creates DNS records for services and pods. You can contact
-services with consistent DNS names instead of IP addresses.
+Kubernetes creates DNS records for Services and Pods. You can contact
+Services with consistent DNS names instead of IP addresses.
 -->
-Kubernetes 为服务和 Pods 创建 DNS 记录。
-你可以使用一致的 DNS 名称而非 IP 地址来访问服务。
+Kubernetes 为 Service 和 Pod 创建 DNS 记录。
+你可以使用一致的 DNS 名称而非 IP 地址访问 Service。
 
 <!-- body -->
 
@@ -30,40 +30,39 @@ Kubernetes DNS schedules a DNS Pod and Service on the cluster, and configures
 the kubelets to tell individual containers to use the DNS Service's IP to
 resolve DNS names.
 -->
-## 介绍
+## 介绍 {#introduction}
 
-Kubernetes DNS 在集群上调度 DNS Pod 和服务，并配置 kubelet 以告知各个容器
-使用 DNS 服务的 IP 来解析 DNS 名称。
+Kubernetes DNS 除了在集群上调度 DNS Pod 和 Service，
+还配置 kubelet 以告知各个容器使用 DNS Service 的 IP 来解析 DNS 名称。
 
 <!--
 Every Service defined in the cluster (including the DNS server itself) is
-assigned a DNS name. By default, a client Pod's DNS search list includes the
-Pod's own namespace and the cluster's default domain.
+assigned a DNS name. By default, a client Pod's DNS search list includes the 
+Pod's own namespace and the cluster's default domain. 
 -->
 集群中定义的每个 Service （包括 DNS 服务器自身）都被赋予一个 DNS 名称。
-默认情况下，客户端 Pod 的 DNS 搜索列表会包含 Pod 自身的名字空间和集群
-的默认域。
+默认情况下，客户端 Pod 的 DNS 搜索列表会包含 Pod 自身的名字空间和集群的默认域。
 
 <!--
-### Namespaces of Services
+### Namespaces of Services 
 
-A DNS query may return different results based on the namespace of the pod making
-it. DNS queries that don't specify a namespace are limited to the pod's
-namespace. Access services in other namespaces by specifying it in the DNS query.
+A DNS query may return different results based on the namespace of the Pod making 
+it. DNS queries that don't specify a namespace are limited to the Pod's 
+namespace. Access Services in other namespaces by specifying it in the DNS query. 
 
-For example, consider a pod in a `test` namespace. A `data` service is in
-the `prod` namespace.
+For example, consider a Pod in a `test` namespace. A `data` service is in 
+the `prod` namespace. 
 
-A query for `data` returns no results, because it uses the pod's `test` namespace.
+A query for `data` returns no results, because it uses the Pod's `test` namespace. 
 
-A query for `data.prod` returns the intended result, because it specifies the
-namespace.
+A query for `data.prod` returns the intended result, because it specifies the 
+namespace. 
 -->
-### Service 的名字空间
+### Service 的名字空间 {#namespaces-of-services}
 
 DNS 查询可能因为执行查询的 Pod 所在的名字空间而返回不同的结果。
 不指定名字空间的 DNS 查询会被限制在 Pod 所在的名字空间内。
-要访问其他名字空间中的服务，需要在 DNS 查询中给出名字空间。
+要访问其他名字空间中的 Service，需要在 DNS 查询中指定名字空间。
 
 例如，假定名字空间 `test` 中存在一个 Pod，`prod` 名字空间中存在一个服务
 `data`。
@@ -73,11 +72,11 @@ Pod 查询 `data` 时没有返回结果，因为使用的是 Pod 的名字空间
 Pod 查询 `data.prod` 时则会返回预期的结果，因为查询中指定了名字空间。
 
 <!--
-DNS queries may be expanded using the pod's `/etc/resolv.conf`. Kubelet
-sets this file for each pod. For example, a query for just `data` may be
-expanded to `data.test.cluster.local`. The values of the `search` option
-are used to expand queries. To learn more about DNS queries, see
-[the `resolv.conf` manual page.](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html)
+DNS queries may be expanded using the Pod's `/etc/resolv.conf`. Kubelet 
+sets this file for each Pod. For example, a query for just `data` may be 
+expanded to `data.test.svc.cluster.local`. The values of the `search` option 
+are used to expand queries. To learn more about DNS queries, see 
+[the `resolv.conf` manual page.](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html) 
 -->
 DNS 查询可以使用 Pod 中的 `/etc/resolv.conf` 展开。kubelet 会为每个 Pod
 生成此文件。例如，对 `data` 的查询可能被展开为 `data.test.svc.cluster.local`。
@@ -91,7 +90,7 @@ options ndots:5
 ```
 
 <!--
-In summary, a pod in the _test_ namespace can successfully resolve either
+In summary, a Pod in the `test` namespace can successfully resolve either 
 `data.prod` or `data.prod.svc.cluster.local`.
 -->
 概括起来，名字空间 `test` 中的 Pod 可以成功地解析 `data.prod` 或者
@@ -116,7 +115,7 @@ considered implementation details and are subject to change without warning.
 For more up-to-date specification, see
 [Kubernetes DNS-Based Service Discovery](https://github.com/kubernetes/dns/blob/master/docs/specification.md).
 -->
-以下各节详细介绍了被支持的 DNS 记录类型和被支持的布局。
+以下各节详细介绍已支持的 DNS 记录类型和布局。
 其它布局、名称或者查询即使碰巧可以工作，也应视为实现细节，
 将来很可能被更改而且不会因此发出警告。
 有关最新规范请查看
@@ -127,28 +126,30 @@ For more up-to-date specification, see
 
 ### A/AAAA records
 
-"Normal" (not headless) Services are assigned a DNS A or AAAA record for a name of the
-form `my-svc.my-namespace.svc.cluster-domain.example`.  This resolves to the cluster IP
+"Normal" (not headless) Services are assigned a DNS A or AAAA record,
+depending on the IP family of the Service, for a name of the form
+`my-svc.my-namespace.svc.cluster-domain.example`.  This resolves to the cluster IP
 of the Service.
 
-"Headless" (without a cluster IP) Services are also assigned a DNS A record for
-a name of the form `my-svc.my-namespace.svc.cluster-domain.example`.  Unlike normal
-Services, this resolves to the set of IPs of the pods selected by the Service.
+"Headless" (without a cluster IP) Services are also assigned a DNS A or AAAA record,
+depending on the IP family of the Service, for a name of the form
+`my-svc.my-namespace.svc.cluster-domain.example`.  Unlike normal
+Services, this resolves to the set of IPs of the Pods selected by the Service.
 Clients are expected to consume the set or else use standard round-robin
 selection from the set.
 -->
-### 服务  {#services}
+### Services 
 
-#### A/AAAA 记录
+#### A/AAAA 记录 {#a-aaaa-records}
 
-“普通” 服务（除了无头服务）会以 `my-svc.my-namespace.svc.cluster-domain.example`
-这种名字的形式被分配一个 DNS A 或 AAAA 记录，取决于服务的 IP 协议族。
-该名称会解析成对应服务的集群 IP。
+“普通” Service（除了无头 Service）会以 `my-svc.my-namespace.svc.cluster-domain.example`
+这种名字的形式被分配一个 DNS A 或 AAAA 记录，取决于 Service 的 IP 协议族。
+该名称会解析成对应 Service 的集群 IP。
 
-“无头（Headless）” 服务（没有集群 IP）也会以
+“无头（Headless）” Service （没有集群 IP）也会以
 `my-svc.my-namespace.svc.cluster-domain.example` 这种名字的形式被指派一个 DNS A 或 AAAA 记录，
-具体取决于服务的 IP 协议族。
-与普通服务不同，这一记录会被解析成对应服务所选择的 Pod 集合的 IP。
+具体取决于 Service 的 IP 协议族。
+与普通 Service 不同，这一记录会被解析成对应 Service 所选择的 Pod IP 的集合。
 客户端要能够使用这组 IP，或者使用标准的轮转策略从这组 IP 中进行选择。
 
 <!--
@@ -158,20 +159,21 @@ SRV Records are created for named ports that are part of normal or [Headless
 Services](/docs/concepts/services-networking/service/#headless-services).
 For each named port, the SRV record would have the form
 `_my-port-name._my-port-protocol.my-svc.my-namespace.svc.cluster-domain.example`.
-For a regular service, this resolves to the port number and the domain name:
+For a regular Service, this resolves to the port number and the domain name:
 `my-svc.my-namespace.svc.cluster-domain.example`.
-For a headless service, this resolves to multiple answers, one for each pod
-that is backing the service, and contains the port number and the domain name of the pod
+For a headless Service, this resolves to multiple answers, one for each Pod
+that is backing the Service, and contains the port number and the domain name of the Pod
 of the form `auto-generated-name.my-svc.my-namespace.svc.cluster-domain.example`.
 -->
 #### SRV 记录  {#srv-records}
 
-Kubernetes 会为命名端口创建 SRV 记录，这些端口是普通服务或
-[无头服务](/zh/docs/concepts/services-networking/service/#headless-services)的一部分。
-对每个命名端口，SRV 记录具有 `_my-port-name._my-port-protocol.my-svc.my-namespace.svc.cluster-domain.example` 这种形式。
-对普通服务，该记录会被解析成端口号和域名：`my-svc.my-namespace.svc.cluster-domain.example`。
-对无头服务，该记录会被解析成多个结果，服务对应的每个后端 Pod 各一个；
-其中包含 Pod 端口号和形为 `auto-generated-name.my-svc.my-namespace.svc.cluster-domain.example`
+Kubernetes 根据普通 Service 或
+[Headless Service](/zh-cn/docs/concepts/services-networking/service/#headless-services)
+中的命名端口创建 SRV 记录。每个命名端口，
+SRV 记录格式为 `_my-port-name._my-port-protocol.my-svc.my-namespace.svc.cluster-domain.example`。
+普通 Service，该记录会被解析成端口号和域名：`my-svc.my-namespace.svc.cluster-domain.example`。
+无头 Service，该记录会被解析成多个结果，及该服务的每个后端 Pod 各一个 SRV 记录，
+其中包含 Pod 端口号和格式为 `auto-generated-name.my-svc.my-namespace.svc.cluster-domain.example`
 的域名。
 
 ## Pods
@@ -179,20 +181,20 @@ Kubernetes 会为命名端口创建 SRV 记录，这些端口是普通服务或
 <!--
 ### A/AAAA records
 
-In general a pod has the following DNS resolution:
+In general a Pod has the following DNS resolution:
 
 `pod-ip-address.my-namespace.pod.cluster-domain.example`.
 
-For example, if a pod in the `default` namespace has the IP address 172.17.0.3,
+For example, if a Pod in the `default` namespace has the IP address 172.17.0.3,
 and the domain name for your cluster is `cluster.local`, then the Pod has a DNS name:
 
 `172-17-0-3.default.pod.cluster.local`.
 
-Any pods exposed by a Service have the following DNS resolution available:
+Any Pods exposed by a Service have the following DNS resolution available:
 
 `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example`.
 -->
-### A/AAAA 记录
+### A/AAAA 记录 {#a-aaaa-records}
 
 一般而言，Pod 会对应如下 DNS 名字解析：
 
@@ -210,11 +212,11 @@ Any pods exposed by a Service have the following DNS resolution available:
 <!--
 ### Pod's hostname and subdomain fields
 
-Currently when a pod is created, its hostname is the Pod's `metadata.name` value.
+Currently when a Pod is created, its hostname is the Pod's `metadata.name` value.
 
 The Pod spec has an optional `hostname` field, which can be used to specify the
 Pod's hostname. When specified, it takes precedence over the Pod's name to be
-the hostname of the pod. For example, given a Pod with `hostname` set to
+the hostname of the Pod. For example, given a Pod with `hostname` set to
 "`my-host`", the Pod will have its hostname set to "`my-host`".
 
 The Pod spec also has an optional `subdomain` field which can be used to specify
@@ -224,7 +226,7 @@ domain name (FQDN) "`foo.bar.my-namespace.svc.cluster-domain.example`".
 
 Example:
 -->
-### Pod 的 hostname 和 subdomain 字段
+### Pod 的 hostname 和 subdomain 字段 {#pod-s-hostname-and-subdomain-fields}
 
 当前，创建 Pod 时其主机名取自 Pod 的 `metadata.name` 值。
 
@@ -288,21 +290,21 @@ spec:
 ```
 
 <!--
-If there exists a headless service in the same namespace as the pod and with
+If there exists a headless Service in the same namespace as the Pod and with
 the same name as the subdomain, the cluster's DNS Server also returns an A or AAAA
 record for the Pod's fully qualified hostname.
 For example, given a Pod with the hostname set to "`busybox-1`" and the subdomain set to
 "`default-subdomain`", and a headless Service named "`default-subdomain`" in
-the same namespace, the pod will see its own FQDN as
+the same namespace, the Pod will see its own FQDN as
 "`busybox-1.default-subdomain.my-namespace.svc.cluster-domain.example`". DNS serves an
-A or AAAA record at that name, pointing to the Pod's IP. Both pods "`busybox1`" and
+A or AAAA record at that name, pointing to the Pod's IP. Both Pods "`busybox1`" and
 "`busybox2`" can have their distinct A or AAAA records.
 -->
-如果某无头服务与某 Pod 在同一个名字空间中，且它们具有相同的子域名，
+如果某无头 Service 与某 Pod 在同一个名字空间中，且它们具有相同的子域名，
 集群的 DNS 服务器也会为该 Pod 的全限定主机名返回 A 记录或 AAAA 记录。
 例如，在同一个名字空间中，给定一个主机名为 “busybox-1”、
 子域名设置为 “default-subdomain” 的 Pod，和一个名称为 “`default-subdomain`”
-的无头服务，Pod 将看到自己的 FQDN 为
+的无头 Service，Pod 将看到自己的 FQDN 为
 "`busybox-1.default-subdomain.my-namespace.svc.cluster-domain.example`"。
 DNS 会为此名字提供一个 A 记录或 AAAA 记录，指向该 Pod 的 IP。
 “`busybox1`” 和 “`busybox2`” 这两个 Pod 分别具有它们自己的 A 或 AAAA 记录。
@@ -314,18 +316,16 @@ along with its IP.
 Endpoints 对象可以为任何端点地址及其 IP 指定 `hostname`。
 
 <!--
-Because A records are not created for Pod names, `hostname` is required for the Pod's A
+Because A or AAAA records are not created for Pod names, `hostname` is required for the Pod's A or AAAA
 record to be created. A Pod with no `hostname` but with `subdomain` will only create the
-A record for the headless service (`default-subdomain.my-namespace.svc.cluster-domain.example`),
+A or AAAA record for the headless Service (`default-subdomain.my-namespace.svc.cluster-domain.example`),
 pointing to the Pod's IP address. Also, Pod needs to become ready in order to have a
 record unless `publishNotReadyAddresses=True` is set on the Service.
 -->
 {{< note >}}
-因为没有为 Pod 名称创建 A 记录或 AAAA 记录，所以要创建 Pod 的 A 记录
-或 AAAA 记录需要 `hostname`。
-
+由于不是为 Pod 名称创建 A 或 AAAA 记录的，因此 Pod 的 A 或 AAAA 需要 `hostname`。
 没有设置 `hostname` 但设置了 `subdomain` 的 Pod 只会为
-无头服务创建 A 或 AAAA 记录（`default-subdomain.my-namespace.svc.cluster-domain.example`）
+无头 Service 创建 A 或 AAAA 记录（`default-subdomain.my-namespace.svc.cluster-domain.example`）
 指向 Pod 的 IP 地址。
 另外，除非在服务上设置了 `publishNotReadyAddresses=True`，否则只有 Pod 进入就绪状态
 才会有与之对应的记录。
@@ -341,12 +341,13 @@ record unless `publishNotReadyAddresses=True` is set on the Service.
 {{< feature-state for_k8s_version="v1.22" state="stable" >}}
 
 <!--
-When a Pod is configured to have fully qualified domain name (FQDN), its hostname is the short hostname. For example, if you have a Pod with the fully qualified domain name `busybox-1.default-subdomain.my-namespace.svc.cluster-domain.example`, then by default the `hostname` command inside that Pod returns `busybox-1` and  the `hostname -fqdn` command returns the FQDN.
+When a Pod is configured to have fully qualified domain name (FQDN), its hostname is the short hostname. For example, if you have a Pod with the fully qualified domain name `busybox-1.default-subdomain.my-namespace.svc.cluster-domain.example`, then by default the `hostname` command inside that Pod returns `busybox-1` and  the `hostname --fqdn` command returns the FQDN.
+
+When you set `setHostnameAsFQDN: true` in the Pod spec, the kubelet writes the Pod's FQDN into the hostname for that Pod's namespace. In this case, both `hostname` and `hostname --fqdn` return the Pod's FQDN.
 -->
-**前置条件**：`SetHostnameAsFQDN`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-必须在 {{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}
-上启用。
+当 Pod 配置为具有全限定域名 (FQDN) 时，其主机名是短主机名。
+ 例如，如果你有一个具有完全限定域名 `busybox-1.default-subdomain.my-namespace.svc.cluster-domain.example` 的 Pod，
+ 则默认情况下，该 Pod 内的 `hostname` 命令返回 `busybox-1`，而 `hostname --fqdn` 命令返回 FQDN。
 
 当你在 Pod 规约中设置了 `setHostnameAsFQDN: true` 时，kubelet 会将 Pod
 的全限定域名（FQDN）作为该 Pod 的主机名记录到 Pod 所在名字空间。
@@ -356,7 +357,7 @@ When a Pod is configured to have fully qualified domain name (FQDN), its hostnam
 <!--
 In Linux, the hostname field of the kernel (the `nodename` field of `struct utsname`) is limited to 64 characters.
 
-If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
+If a Pod enables this feature and its FQDN is longer than 64 character, it will fail to start. The Pod will remain in `Pending` status (`ContainerCreating` as seen by `kubectl`) generating error events, such as Failed to construct FQDN from Pod hostname and cluster domain, FQDN `long-FQDN` is too long (64 characters is the max, 70 characters requested). One way of improving user experience for this scenario is to create an [admission webhook controller](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) to control FQDN size when users create top level objects, for example, Deployment.
 -->
 在 Linux 中，内核的主机名字段（`struct utsname` 的 `nodename` 字段）限定
 最多 64 个字符。
@@ -364,24 +365,24 @@ If a Pod enables this feature and its FQDN is longer than 64 character, it will
 如果 Pod 启用这一特性，而其 FQDN 超出 64 字符，Pod 的启动会失败。
 Pod 会一直出于 `Pending` 状态（通过 `kubectl` 所看到的 `ContainerCreating`），
 并产生错误事件，例如
-"Failed to construct FQDN from pod hostname and cluster domain, FQDN
+"Failed to construct FQDN from Pod hostname and cluster domain, FQDN
 `long-FQDN` is too long (64 characters is the max, 70 characters requested)."
 （无法基于 Pod 主机名和集群域名构造 FQDN，FQDN `long-FQDN` 过长，至多 64
 字符，请求字符数为 70）。
 对于这种场景而言，改善用户体验的一种方式是创建一个
-[准入 Webhook 控制器](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)，
+[准入 Webhook 控制器](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)，
 在用户创建顶层对象（如 Deployment）的时候控制 FQDN 的长度。
 {{< /note >}}
 
 <!--
 ### Pod's DNS Policy
 
-DNS policies can be set on a per-pod basis. Currently Kubernetes supports the
-following pod-specific DNS policies. These policies are specified in the
+DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the
+following Pod-specific DNS policies. These policies are specified in the
 `dnsPolicy` field of a Pod Spec.
 
 - "`Default`": The Pod inherits the name resolution configuration from the node
-  that the pods run on.
+  that the Pods run on.
   See [related discussion](/docs/tasks/administer-cluster/dns-custom-nameservers)
   for more details.
 - "`ClusterFirst`": Any DNS query that does not match the configured cluster
@@ -392,10 +393,11 @@ following pod-specific DNS policies. These policies are specified in the
   for details on how DNS queries are handled in those cases.
 - "`ClusterFirstWithHostNet`": For Pods running with hostNetwork, you should
   explicitly set its DNS policy "`ClusterFirstWithHostNet`".
+  - Note: This is not supported on Windows. See [below](#dns-windows) for details
 - "`None`": It allows a Pod to ignore DNS settings from the Kubernetes
   environment. All DNS settings are supposed to be provided using the
   `dnsConfig` field in the Pod Spec.
-  See [Pod's DNS config](#pod-s-dns-config) subsection below.
+  See [Pod's DNS config](#pod-dns-config) subsection below.
 -->
 ### Pod 的 DNS 策略    {#pod-s-dns-policy}
 
@@ -403,14 +405,15 @@ DNS 策略可以逐个 Pod 来设定。目前 Kubernetes 支持以下特定 Pod
 这些策略可以在 Pod 规约中的 `dnsPolicy` 字段设置：
 
 - "`Default`": Pod 从运行所在的节点继承名称解析配置。参考
-  [相关讨论](/zh/docs/tasks/administer-cluster/dns-custom-nameservers)
+  [相关讨论](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers)
   获取更多信息。
 - "`ClusterFirst`": 与配置的集群域后缀不匹配的任何 DNS 查询（例如 "www.kubernetes.io"）
   都将转发到从节点继承的上游名称服务器。集群管理员可能配置了额外的存根域和上游 DNS 服务器。
-  参阅[相关讨论](/zh/docs/tasks/administer-cluster/dns-custom-nameservers)
+  参阅[相关讨论](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers)
   了解在这些场景中如何处理 DNS 查询的信息。
 - "`ClusterFirstWithHostNet`"：对于以 hostNetwork 方式运行的 Pod，应显式设置其 DNS 策略
   "`ClusterFirstWithHostNet`"。
+  - 注意：这在 Windows 上不支持。 有关详细信息，请参见[下文](#dns-windows)。
 - "`None`": 此设置允许 Pod 忽略 Kubernetes 环境中的 DNS 设置。Pod 会使用其 `dnsConfig` 字段
   所提供的 DNS 设置。
   参见 [Pod 的 DNS 配置](#pod-dns-config)节。
@@ -450,7 +453,7 @@ spec:
 ```
 
 <!--
-### Pod's DNS Config
+### Pod's DNS Config {#pod-dns-config}
 
 {{< feature-state for_k8s_version="v1.14" state="stable" >}}
 
@@ -535,8 +538,7 @@ kubectl exec -it dns-example -- cat /etc/resolv.conf
 <!--
 The output is similar to this:
 -->
-输出类似于
-
+输出类似于：
 ```
 nameserver fd00:79:30::a
 search default.svc.cluster-domain.example svc.cluster-domain.example cluster-domain.example
@@ -565,6 +567,41 @@ a list of search domains of up to 2048 characters.
 如果启用 kube-apiserver 和 kubelet 的特性门控 `ExpandedDNSConfig`，Kubernetes 将可以有最多 32 个 
 搜索域以及一个最多 2048 个字符的搜索域列表。
 
+<!--
+## DNS resolution on Windows nodes {#dns-windows}
+
+- ClusterFirstWithHostNet is not supported for Pods that run on Windows nodes.
+  Windows treats all names with a `.` as a FQDN and skips FQDN resolution.
+- On Windows, there are multiple DNS resolvers that can be used. As these come with
+  slightly different behaviors, using the
+  [`Resolve-DNSName`](https://docs.microsoft.com/powershell/module/dnsclient/resolve-dnsname)
+  powershell cmdlet for name query resolutions is recommended.
+- On Linux, you have a DNS suffix list, which is used after resolution of a name as fully
+  qualified has failed.
+  On Windows, you can only have 1 DNS suffix, which is the DNS suffix associated with that
+  Pod's namespace (example: `mydns.svc.cluster.local`). Windows can resolve FQDNs, Services,
+  or network name which can be resolved with this single suffix. For example, a Pod spawned
+  in the `default` namespace, will have the DNS suffix `default.svc.cluster.local`.
+  Inside a Windows Pod, you can resolve both `kubernetes.default.svc.cluster.local`
+  and `kubernetes`, but not the partially qualified names (`kubernetes.default` or
+  `kubernetes.default.svc`).
+-->
+## Windows 节点上的 DNS 解析 {#dns-windows}
+
+- 在 Windows 节点上运行的 Pod 不支持 ClusterFirstWithHostNet。
+  Windows 将所有带有 `.` 的名称视为全限定域名（FQDN）并跳过全限定域名（FQDN）解析。
+- 在 Windows 上，可以使用的 DNS 解析器有很多。
+  由于这些解析器彼此之间会有轻微的行为差别，建议使用
+  [`Resolve-DNSName`](https://docs.microsoft.com/powershell/module/dnsclient/resolve-dnsname)
+  powershell cmdlet 进行名称查询解析。
+- 在 Linux 上，有一个 DNS 后缀列表，当解析全名失败时可以使用。
+  在 Windows 上，你只能有一个 DNS 后缀，
+  即与该 Pod 的命名空间相关联的 DNS 后缀（例如：`mydns.svc.cluster.local`）。
+  Windows 可以解析全限定域名（FQDN），和使用了该 DNS 后缀的 Services 或者网络名称。
+  例如，在 `default` 命名空间中生成一个 Pod，该 Pod 会获得的 DNS 后缀为 `default.svc.cluster.local`。
+  在 Windows 的 Pod 中，你可以解析 `kubernetes.default.svc.cluster.local` 和 `kubernetes`，
+  但是不能解析部分限定名称（`kubernetes.default` 和 `kubernetes.default.svc`）。
+
 ## {{% heading "whatsnext" %}}
 
 <!--
@@ -572,5 +609,5 @@ For guidance on administering DNS configurations, check
 [Configure DNS Service](/docs/tasks/administer-cluster/dns-custom-nameservers/)
 -->
 有关管理 DNS 配置的指导，请查看
-[配置 DNS 服务](/zh/docs/tasks/administer-cluster/dns-custom-nameservers/)
+[配置 DNS 服务](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/)
 
diff --git a/content/zh/docs/concepts/services-networking/dual-stack.md b/content/zh-cn/docs/concepts/services-networking/dual-stack.md
similarity index 59%
rename from content/zh/docs/concepts/services-networking/dual-stack.md
rename to content/zh-cn/docs/concepts/services-networking/dual-stack.md
index 8b1fb7f822b06..9476214ef3c55 100644
--- a/content/zh/docs/concepts/services-networking/dual-stack.md
+++ b/content/zh-cn/docs/concepts/services-networking/dual-stack.md
@@ -9,18 +9,17 @@ weight: 70
 ---
 
 <!--
-reviewers:
-- lachie83
-- khenidak
-- aramase
-- bridgetkromhout
 title: IPv4/IPv6 dual-stack
 feature:
   title: IPv4/IPv6 dual-stack
   description: >
     Allocation of IPv4 and IPv6 addresses to Pods and Services
-
 content_type: concept
+reviewers:
+- lachie83
+- khenidak
+- aramase
+- bridgetkromhout
 weight: 70
 -->
 
@@ -29,14 +28,16 @@ weight: 70
 {{< feature-state for_k8s_version="v1.23" state="stable" >}}
 
 <!--
- IPv4/IPv6 dual-stack networking enables the allocation of both IPv4 and IPv6 addresses to {{< glossary_tooltip text="Pods" term_id="pod" >}} and {{< glossary_tooltip text="Services" term_id="service" >}}.
+IPv4/IPv6 dual-stack networking enables the allocation of both IPv4 and IPv6 addresses to
+{{< glossary_tooltip text="Pods" term_id="pod" >}} and {{< glossary_tooltip text="Services" term_id="service" >}}.
 -->
 IPv4/IPv6 双协议栈网络能够将 IPv4 和 IPv6 地址分配给
 {{< glossary_tooltip text="Pod" term_id="pod" >}} 和
 {{< glossary_tooltip text="Service" term_id="service" >}}。
 
 <!--
-IPv4/IPv6 dual-stack networking is enabled by default for your Kubernetes cluster starting in 1.21, allowing the simultaneous assignment of both IPv4 and IPv6 addresses.
+IPv4/IPv6 dual-stack networking is enabled by default for your Kubernetes cluster starting in
+1.21, allowing the simultaneous assignment of both IPv4 and IPv6 addresses.
 -->
 从 1.21 版本开始，Kubernetes 集群默认启用 IPv4/IPv6 双协议栈网络，
 以支持同时分配 IPv4 和 IPv6 地址。
@@ -54,9 +55,9 @@ IPv4/IPv6 dual-stack on your Kubernetes cluster provides the following features:
 Kubernetes 集群的 IPv4/IPv6 双协议栈可提供下面的功能：
 
 <!--
-   * Dual-stack Pod networking (a single IPv4 and IPv6 address assignment per Pod)
-   * IPv4 and IPv6 enabled Services
-   * Pod off-cluster egress routing (eg. the Internet) via both IPv4 and IPv6 interfaces
+* Dual-stack Pod networking (a single IPv4 and IPv6 address assignment per Pod)
+* IPv4 and IPv6 enabled Services
+* Pod off-cluster egress routing (eg. the Internet) via both IPv4 and IPv6 interfaces
 -->
 * 双协议栈 pod 网络 (每个 pod 分配一个 IPv4 和 IPv6 地址)
 * IPv4 和 IPv6 启用的服务
@@ -73,49 +74,54 @@ The following prerequisites are needed in order to utilize IPv4/IPv6 dual-stack
 为了使用 IPv4/IPv6 双栈的 Kubernetes 集群，需要满足以下先决条件：
 
 <!--
-   * Kubernetes 1.20 or later  
-     For information about using dual-stack services with earlier
-     Kubernetes versions, refer to the documentation for that version
-     of Kubernetes.
-   * Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide Kubernetes nodes with routable IPv4/IPv6 network interfaces)
-   * A network plugin that supports dual-stack (such as Kubenet or Calico)
+* Kubernetes 1.20 or later  
+  For information about using dual-stack services with earlier
+  Kubernetes versions, refer to the documentation for that version
+  of Kubernetes.
+* Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide
+  Kubernetes nodes with routable IPv4/IPv6 network interfaces)
+* A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that
+  supports dual-stack networking.
 -->
 * Kubernetes 1.20 版本或更高版本，有关更早 Kubernetes 版本的使用双栈服务的信息，
   请参考对应版本的 Kubernetes 文档。
 * 提供商支持双协议栈网络（云提供商或其他提供商必须能够为 Kubernetes
   节点提供可路由的 IPv4/IPv6 网络接口）
-* 支持双协议栈的网络插件（如 Kubenet 或 Calico）
+* 支持双协议栈的[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
 
 <!--
 ## Configure IPv4/IPv6 dual-stack
 -->
 ## 配置 IPv4/IPv6 双协议栈
 
-
 <!--
-   * kube-apiserver:
-      * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
-   * kube-controller-manager:
-      * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
-      * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
-      * `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` defaults to /24 for IPv4 and /64 for IPv6
-   * kube-proxy:
-      * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
-   * kubelet:
-      * when there is no `--cloud-provider` the administrator can pass a comma-separated pair
-        of IP addresses via `--node-ip` to manually configure dual-stack `.status.addresses`
-        for that Node.
-        If a Pod runs on that node in HostNetwork mode, the Pod reports these IP addresses in its
-        `.status.podIPs` field.
-        All `podIPs` in a node match the IP family preference defined by the
-        `.status.addresses` field for that Node.
+To configure IPv4/IPv6 dual-stack, set dual-stack cluster network assignments:
+-->
+如果配置 IPv4/IPv6 双栈，请分配双栈集群网络：
+<!--
+* kube-apiserver:
+  * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
+* kube-controller-manager:
+  * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
+  * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
+  * `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` defaults to /24 for IPv4 and /64 for IPv6
+* kube-proxy:
+  * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
+* kubelet:
+  * when there is no `--cloud-provider` the administrator can pass a comma-separated pair of IP
+    addresses via `--node-ip` to manually configure dual-stack `.status.addresses` for that Node.
+    If a Pod runs on that node in HostNetwork mode, the Pod reports these IP addresses in its
+    `.status.podIPs` field.
+    All `podIPs` in a node match the IP family preference defined by the `.status.addresses`
+    field for that Node.
 -->
 * kube-apiserver:
   * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
 * kube-controller-manager:
   * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>` 
   * `--service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>`
-  * `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` 对于 IPv4 默认为 /24，对于 IPv6 默认为 /64
+  * `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` 对于 IPv4 默认为 /24，
+    对于 IPv6 默认为 /64
 * kube-proxy:
   * `--cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>`
 * kubelet:
@@ -128,7 +134,8 @@ The following prerequisites are needed in order to utilize IPv4/IPv6 dual-stack
 <!--
 An example of an IPv4 CIDR: `10.244.0.0/16` (though you would supply your own address range)
 
-An example of an IPv6 CIDR: `fdXY:IJKL:MNOP:15::/64` (this shows the format but is not a valid address - see [RFC 4193](https://tools.ietf.org/html/rfc4193))
+An example of an IPv6 CIDR: `fdXY:IJKL:MNOP:15::/64` (this shows the format but is not a valid
+address - see [RFC 4193](https://tools.ietf.org/html/rfc4193))
 -->
 IPv4 CIDR 的一个例子：`10.244.0.0/16`（尽管你会提供你自己的地址范围）。
 
@@ -139,31 +146,35 @@ IPv6 CIDR 的一个例子：`fdXY:IJKL:MNOP:15::/64`
 <!--
 ## Services
 -->
-## 服务
+## 服务  {#services}
 
 <!--
-You can create {{< glossary_tooltip text="Services" term_id="service" >}} which can use IPv4, IPv6, or both. 
+You can create {{< glossary_tooltip text="Services" term_id="service" >}} which can use IPv4, IPv6, or both.
 
-The address family of a Service defaults to the address family of the first service cluster IP range (configured via the `--service-cluster-ip-range` flag to the kube-apiserver).
+The address family of a Service defaults to the address family of the first service cluster IP
+range (configured via the `--service-cluster-ip-range` flag to the kube-apiserver).
 
 When you define a Service you can optionally configure it as dual stack. To specify the behavior you want, you
 set the `.spec.ipFamilyPolicy` field to one of the following values:
 -->
 你可以使用 IPv4 或 IPv6 地址来创建
 {{< glossary_tooltip text="Service" term_id="service" >}}。
+
 服务的地址族默认为第一个服务集群 IP 范围的地址族（通过 kube-apiserver 的
 `--service-cluster-ip-range` 参数配置）。
+
 当你定义服务时，可以选择将其配置为双栈。若要指定所需的行为，你可以设置
 `.spec.ipFamilyPolicy` 字段为以下值之一：
 
 <!--
-* `SingleStack`: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
+* `SingleStack`: Single-stack service. The control plane allocates a cluster IP for the Service,
+  using the first configured service cluster IP range.
 * `PreferDualStack`:
   * Allocates IPv4 and IPv6 cluster IPs for the Service.
 * `RequireDualStack`: Allocates Service `.spec.ClusterIPs` from both IPv4 and IPv6 address ranges.
-  * Selects the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family of the first element in the `.spec.ipFamilies` array.
+  * Selects the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family
+    of the first element in the `.spec.ipFamilies` array.
 -->
-
 * `SingleStack`：单栈服务。控制面使用第一个配置的服务集群 IP 范围为服务分配集群 IP。
 * `PreferDualStack`：
   * 为服务分配 IPv4 和 IPv6 集群 IP 地址。
@@ -172,14 +183,18 @@ set the `.spec.ipFamilyPolicy` field to one of the following values:
     列表中选择 `.spec.ClusterIP` 
 
 <!--
-If you would like to define which IP family to use for single stack or define the order of IP families for dual-stack, you can choose the address families by setting an optional field, `.spec.ipFamilies`, on the Service. 
+If you would like to define which IP family to use for single stack or define the order of IP
+families for dual-stack, you can choose the address families by setting an optional field,
+`.spec.ipFamilies`, on the Service. 
 -->
 如果你想要定义哪个 IP 族用于单栈或定义双栈 IP 族的顺序，可以通过设置
 服务上的可选字段 `.spec.ipFamilies` 来选择地址族。
 
 {{< note >}}
 <!--
-The `.spec.ipFamilies` field is immutable because the `.spec.ClusterIP` cannot be reallocated on a Service that already exists. If you want to change `.spec.ipFamilies`, delete and recreate the Service.
+The `.spec.ipFamilies` field is immutable because the `.spec.ClusterIP` cannot be reallocated on a
+Service that already exists. If you want to change `.spec.ipFamilies`, delete and recreate the
+Service.
 -->
 `.spec.ipFamilies` 字段是不可变的，因为系统无法为已经存在的服务重新分配
 `.spec.ClusterIP`。如果你想改变 `.spec.ipFamilies`，则需要删除并重新创建服务。
@@ -195,7 +210,6 @@ You can set `.spec.ipFamilies` to any of the following array values:
 - `["IPv6"]`
 - `["IPv4","IPv6"]` (dual stack)
 - `["IPv6","IPv4"]` (dual stack)
-
 -->
 - `["IPv4"]`
 - `["IPv6"]`
@@ -212,35 +226,46 @@ The first family you list is used for the legacy `.spec.ClusterIP` field.
 
 These examples demonstrate the behavior of various dual-stack Service configuration scenarios.
 -->
-### 双栈服务配置场景
+### 双栈服务配置场景   {#dual-stack-service-configuration-scenarios}
 
 以下示例演示多种双栈服务配置场景下的行为。
 
 <!--
 #### Dual-stack options on new Services
 -->
-#### 新服务的双栈选项
+#### 新服务的双栈选项    {#dual-stack-options-on-new-services}
 
 <!--
-1. This Service specification does not explicitly define `.spec.ipFamilyPolicy`. When you create this Service, Kubernetes assigns a cluster IP for the Service from the first configured `service-cluster-ip-range` and sets the `.spec.ipFamilyPolicy` to `SingleStack`. ([Services without selectors](/docs/concepts/services-networking/service/#services-without-selectors) and [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors will behave in this same way.)
+1. This Service specification does not explicitly define `.spec.ipFamilyPolicy`. When you create
+   this Service, Kubernetes assigns a cluster IP for the Service from the first configured
+   `service-cluster-ip-range` and sets the `.spec.ipFamilyPolicy` to `SingleStack`. ([Services
+   without selectors](/docs/concepts/services-networking/service/#services-without-selectors) and
+   [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors 
+   will behave in this same way.)
 -->
-
 1. 此服务规约中没有显式设定 `.spec.ipFamilyPolicy`。当你创建此服务时，Kubernetes
    从所配置的第一个 `service-cluster-ip-range` 种为服务分配一个集群IP，并设置
    `.spec.ipFamilyPolicy` 为 `SingleStack`。
-   （[无选择算符的服务](/zh/docs/concepts/services-networking/service/#services-without-selectors)
-   和[无头服务](/zh/docs/concepts/services-networking/service/#headless-services)的行为方式
+   （[无选择算符的服务](/zh-cn/docs/concepts/services-networking/service/#services-without-selectors)
+   和[无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)的行为方式
    与此相同。）
-   
+
    {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
 
 <!--
-1. This Service specification explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. When you create this Service on a dual-stack cluster, Kubernetes assigns both IPv4 and IPv6 addresses for the service. The control plane updates the `.spec` for the Service to record the IP address assignments. The field `.spec.ClusterIPs` is the primary field, and contains both assigned IP addresses; `.spec.ClusterIP` is a secondary field with its value calculated from `.spec.ClusterIPs`.
+1. This Service specification explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. When
+   you create this Service on a dual-stack cluster, Kubernetes assigns both IPv4 and IPv6
+   addresses for the service. The control plane updates the `.spec` for the Service to record the IP
+   address assignments. The field `.spec.ClusterIPs` is the primary field, and contains both assigned 
+   IP addresses; `.spec.ClusterIP` is a secondary field with its value calculated from
+   `.spec.ClusterIPs`.
    
-      * For the `.spec.ClusterIP` field, the control plane records the IP address that is from the same address family as the first service cluster IP range. 
-      * On a single-stack cluster, the `.spec.ClusterIPs` and `.spec.ClusterIP` fields both only list one address. 
-      * On a cluster with dual-stack enabled, specifying `RequireDualStack` in `.spec.ipFamilyPolicy` behaves the same as `PreferDualStack`.
-
+   * For the `.spec.ClusterIP` field, the control plane records the IP address that is from the
+     same address family as the first service cluster IP range. 
+   * On a single-stack cluster, the `.spec.ClusterIPs` and `.spec.ClusterIP` fields both only list
+     one address. 
+   * On a cluster with dual-stack enabled, specifying `RequireDualStack` in `.spec.ipFamilyPolicy`
+     behaves the same as `PreferDualStack`.
 -->
 2. 此服务规约显式地将 `.spec.ipFamilyPolicy` 设置为 `PreferDualStack`。
    当你在双栈集群上创建此服务时，Kubernetes 会为该服务分配 IPv4 和 IPv6 地址。
@@ -258,7 +283,10 @@ These examples demonstrate the behavior of various dual-stack Service configurat
    {{< codenew file="service/networking/dual-stack-preferred-svc.yaml" >}}
 
 <!--
-1. This Service specification explicitly defines `IPv6` and `IPv4` in `.spec.ipFamilies` as well as defining `PreferDualStack` in `.spec.ipFamilyPolicy`. When Kubernetes assigns an IPv6 and IPv4 address in `.spec.ClusterIPs`, `.spec.ClusterIP` is set to the IPv6 address because that is the first element in the `.spec.ClusterIPs` array, overriding the default.
+1. This Service specification explicitly defines `IPv6` and `IPv4` in `.spec.ipFamilies` as well
+   as defining `PreferDualStack` in `.spec.ipFamilyPolicy`. When Kubernetes assigns an IPv6 and
+   IPv4 address in `.spec.ClusterIPs`, `.spec.ClusterIP` is set to the IPv6 address because that is
+   the first element in the `.spec.ClusterIPs` array, overriding the default.
 -->
 3. 下面的服务规约显式地在 `.spec.ipFamilies` 中指定 `IPv6` 和 `IPv4`，并
    将 `.spec.ipFamilyPolicy` 设定为 `PreferDualStack`。
@@ -271,16 +299,21 @@ These examples demonstrate the behavior of various dual-stack Service configurat
 <!--
 #### Dual-stack defaults on existing Services
 -->
-#### 现有服务的双栈默认值
+#### 现有服务的双栈默认值   {#dual-stack-defaults-on-existing-services}
 
 <!--
-These examples demonstrate the default behavior when dual-stack is newly enabled on a cluster where Services already exist.  (Upgrading an existing cluster to 1.21 or beyond will enable dual-stack.)
+These examples demonstrate the default behavior when dual-stack is newly enabled on a cluster
+where Services already exist. (Upgrading an existing cluster to 1.21 or beyond will enable
+dual-stack.)
 -->
 下面示例演示了在服务已经存在的集群上新启用双栈时的默认行为。
 （将现有集群升级到 1.21 或者更高版本会启用双协议栈支持。）
 
 <!--
-1. When dual-stack is enabled on a cluster, existing Services (whether `IPv4` or `IPv6`) are configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set `.spec.ipFamilies` to the address family of the existing Service. The existing Service cluster IP will be stored in `.spec.ClusterIPs`.
+1. When dual-stack is enabled on a cluster, existing Services (whether `IPv4` or `IPv6`) are
+   configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set
+   `.spec.ipFamilies` to the address family of the existing Service. The existing Service cluster IP
+   will be stored in `.spec.ClusterIPs`.
 -->
 1. 在集群上启用双栈时，控制面会将现有服务（无论是 `IPv4` 还是 `IPv6`）配置
    `.spec.ipFamilyPolicy` 为 `SingleStack` 并设置 `.spec.ipFamilies`
@@ -296,7 +329,7 @@ These examples demonstrate the default behavior when dual-stack is newly enabled
    ```shell
    kubectl get svc my-service -o yaml
    ```
-   
+
    ```yaml
    apiVersion: v1
    kind: Service
@@ -323,10 +356,15 @@ These examples demonstrate the default behavior when dual-stack is newly enabled
    ```
 
 <!--
-1. When dual-stack is enabled on a cluster, existing [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors are configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set `.spec.ipFamilies` to the address family of the first service cluster IP range (configured via the `--service-cluster-ip-range` flag to the kube-apiserver) even though `.spec.ClusterIP` is set to `None`.
+1. When dual-stack is enabled on a cluster, existing
+   [headless Services](/docs/concepts/services-networking/service/#headless-services) with selectors
+   are configured by the control plane to set `.spec.ipFamilyPolicy` to `SingleStack` and set
+   `.spec.ipFamilies` to the address family of the first service cluster IP range (configured via the
+   `--service-cluster-ip-range` flag to the kube-apiserver) even though `.spec.ClusterIP` is set to
+   `None`.
 -->
 2. 在集群上启用双栈时，带有选择算符的现有
-   [无头服务](/zh/docs/concepts/services-networking/service/#headless-services)
+   [无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)
    由控制面设置 `.spec.ipFamilyPolicy` 为 `SingleStack`
    并设置 `.spec.ipFamilies` 为第一个服务集群 IP 范围的地址族（通过配置 kube-apiserver 的
    `--service-cluster-ip-range` 参数），即使 `.spec.ClusterIP` 的设置值为 `None` 也如此。
@@ -341,7 +379,7 @@ These examples demonstrate the default behavior when dual-stack is newly enabled
    ```shell
    kubectl get svc my-service -o yaml
    ```
-   
+
    ```yaml
    apiVersion: v1
    kind: Service
@@ -361,13 +399,13 @@ These examples demonstrate the default behavior when dual-stack is newly enabled
        protocol: TCP
        targetPort: 80
      selector:
-       app: MyApp  
+       app: MyApp
    ```
 
 <!--
 #### Switching Services between single-stack and dual-stack
 -->
-#### 在单栈和双栈之间切换服务
+#### 在单栈和双栈之间切换服务   {#switching-services-between-single-stack-and-dual-stack}
 
 <!--
 Services can be changed from single-stack to dual-stack and from dual-stack to single-stack.
@@ -375,14 +413,17 @@ Services can be changed from single-stack to dual-stack and from dual-stack to s
 服务可以从单栈更改为双栈，也可以从双栈更改为单栈。
 
 <!--
-1. To change a Service from single-stack to dual-stack, change `.spec.ipFamilyPolicy` from `SingleStack` to `PreferDualStack` or `RequireDualStack` as desired. When you change this Service from single-stack to dual-stack, Kubernetes assigns the missing address family so that the Service now has IPv4 and IPv6 addresses.
+1. To change a Service from single-stack to dual-stack, change `.spec.ipFamilyPolicy` from
+   `SingleStack` to `PreferDualStack` or `RequireDualStack` as desired. When you change this
+   Service from single-stack to dual-stack, Kubernetes assigns the missing address family so that the
+   Service now has IPv4 and IPv6 addresses.
 
    Edit the Service specification updating the `.spec.ipFamilyPolicy` from `SingleStack` to `PreferDualStack`.
 -->
 1. 要将服务从单栈更改为双栈，根据需要将 `.spec.ipFamilyPolicy` 从 `SingleStack` 改为
    `PreferDualStack` 或 `RequireDualStack`。
-   当你将此服务从单栈更改为双栈时，Kubernetes 将分配缺失的地址族，以便现在
-   该服务具有 IPv4 和 IPv6 地址。
+   当你将此服务从单栈更改为双栈时，Kubernetes 将分配缺失的地址族，
+   以便现在该服务具有 IPv4 和 IPv6 地址。
    编辑服务规约将 `.spec.ipFamilyPolicy` 从 `SingleStack` 改为 `PreferDualStack`。
 
    <!--
@@ -406,9 +447,12 @@ Services can be changed from single-stack to dual-stack and from dual-stack to s
    ```
 
 <!--
-1. To change a Service from dual-stack to single-stack, change `.spec.ipFamilyPolicy` from `PreferDualStack` or `RequireDualStack` to `SingleStack`. When you change this Service from dual-stack to single-stack, Kubernetes retains only the first element in the `.spec.ClusterIPs` array, and sets `.spec.ClusterIP` to that IP address and sets `.spec.ipFamilies` to the address family of `.spec.ClusterIPs`.
+1. To change a Service from dual-stack to single-stack, change `.spec.ipFamilyPolicy` from
+   `PreferDualStack` or `RequireDualStack` to `SingleStack`. When you change this Service from
+   dual-stack to single-stack, Kubernetes retains only the first element in the `.spec.ClusterIPs`
+   array, and sets `.spec.ClusterIP` to that IP address and sets `.spec.ipFamilies` to the address
+   family of `.spec.ClusterIPs`.
 -->
-
 2. 要将服务从双栈更改为单栈，请将 `.spec.ipFamilyPolicy` 从 `PreferDualStack` 或
    `RequireDualStack` 改为 `SingleStack`。
    当你将此服务从双栈更改为单栈时，Kubernetes 只保留 `.spec.ClusterIPs`
@@ -418,24 +462,27 @@ Services can be changed from single-stack to dual-stack and from dual-stack to s
 <!--
 ### Headless Services without selector
 -->
-### 无选择算符的无头服务
+### 无选择算符的无头服务   {#headless-services-without-selector}
 
 <!--
-For [Headless Services without selectors](/docs/concepts/services-networking/service/#without-selectors) and without `.spec.ipFamilyPolicy` explicitly set, the `.spec.ipFamilyPolicy` field defaults to `RequireDualStack`.
+For [Headless Services without selectors](/docs/concepts/services-networking/service/#without-selectors)
+and without `.spec.ipFamilyPolicy` explicitly set, the `.spec.ipFamilyPolicy` field defaults
+to `RequireDualStack`.
 -->
-对于[不带选择算符的无头服务](/zh/docs/concepts/services-networking/service/#without-selectors)，
+对于[不带选择算符的无头服务](/zh-cn/docs/concepts/services-networking/service/#without-selectors)，
 若没有显式设置 `.spec.ipFamilyPolicy`，则 `.spec.ipFamilyPolicy`
 字段默认设置为 `RequireDualStack`。
 
 <!--
 ### Service type LoadBalancer
 -->
-### LoadBalancer 类型服务
+### LoadBalancer 类型服务   {#service-type-loadbalancer}
 
 <!--
 To provision a dual-stack load balancer for your Service:
-   * Set the `.spec.type` field to `LoadBalancer`
-   * Set `.spec.ipFamilyPolicy` field to `PreferDualStack` or `RequireDualStack`
+
+* Set the `.spec.type` field to `LoadBalancer`
+* Set `.spec.ipFamilyPolicy` field to `PreferDualStack` or `RequireDualStack`
 -->
 要为你的服务提供双栈负载均衡器：
 
@@ -444,7 +491,8 @@ To provision a dual-stack load balancer for your Service:
 
 {{< note >}}
 <!--
-To use a dual-stack `LoadBalancer` type Service, your cloud provider must support IPv4 and IPv6 load balancers.
+To use a dual-stack `LoadBalancer` type Service, your cloud provider must support IPv4 and IPv6
+load balancers.
 -->
 为了使用双栈的负载均衡器类型服务，你的云驱动必须支持 IPv4 和 IPv6 的负载均衡器。
 {{< /note >}}
@@ -452,10 +500,14 @@ To use a dual-stack `LoadBalancer` type Service, your cloud provider must suppor
 <!--
 ## Egress traffic
 -->
-## 出站流量
+## 出站流量    {#egress-traffic}
 
 <!--
-If you want to enable egress traffic in order to reach off-cluster destinations (eg. the public Internet) from a Pod that uses non-publicly routable IPv6 addresses, you need to enable the Pod to use a publicly routed IPv6 address via a mechanism such as transparent proxying or IP masquerading. The [ip-masq-agent](https://github.com/kubernetes-sigs/ip-masq-agent) project supports IP masquerading on dual-stack clusters.
+If you want to enable egress traffic in order to reach off-cluster destinations (eg. the public
+Internet) from a Pod that uses non-publicly routable IPv6 addresses, you need to enable the Pod to
+use a publicly routed IPv6 address via a mechanism such as transparent proxying or IP
+masquerading. The [ip-masq-agent](https://github.com/kubernetes-sigs/ip-masq-agent) project
+supports IP masquerading on dual-stack clusters.
 -->
 如果你要启用出站流量，以便使用非公开路由 IPv6 地址的 Pod 到达集群外地址
 （例如公网），则需要通过透明代理或 IP 伪装等机制使 Pod 使用公共路由的
@@ -470,11 +522,41 @@ Ensure your {{< glossary_tooltip text="CNI" term_id="cni" >}} provider supports
 确认你的 {{< glossary_tooltip text="CNI" term_id="cni" >}} 驱动支持 IPv6。
 {{< /note >}}
 
+<!--
+## Windows support
+
+Kubernetes on Windows does not support single-stack "IPv6-only" networking. However,
+dual-stack IPv4/IPv6 networking for pods and nodes with single-family services
+is supported.
+
+You can use IPv4/IPv6 dual-stack networking with `l2bridge` networks.
+-->
+## Windows 支持   {#windows-support}
+
+Windows 上的 Kubernetes 不支持单栈“仅 IPv6” 网络。 然而，
+对于 Pod 和节点而言，仅支持单栈形式服务的双栈 IPv4/IPv6 网络是被支持的。
+
+你可以使用 `l2bridge` 网络来实现 IPv4/IPv6 双栈联网。
+
+{{< note >}}
+<!--
+Overlay (VXLAN) networks on Windows **do not** support dual-stack networking.
+-->
+Windows 上的 Overlay (VXLAN) 网络**不**支持双栈网络。
+{{< /note >}}
+
+<!--
+You can read more about the different network modes for Windows within the
+[Networking on Windows](/docs/concepts/services-networking/windows-networking#network-modes) topic.
+-->
+关于 Windows 的不同网络模式，你可以进一步阅读
+[Windows 上的网络](/zh-cn/docs/concepts/services-networking/windows-networking#network-modes)。
+
 ## {{% heading "whatsnext" %}}
 
 <!--
 * [Validate IPv4/IPv6 dual-stack](/docs/tasks/network/validate-dual-stack) networking
-* [Enable dual-stack networking using kubeadm ](/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)
+* [Enable dual-stack networking using kubeadm](/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)
 -->
-* [验证 IPv4/IPv6 双协议栈](/zh/docs/tasks/network/validate-dual-stack)网络
-* [使用 kubeadm 启用双协议栈网络](/zh/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)
+* [验证 IPv4/IPv6 双协议栈](/zh-cn/docs/tasks/network/validate-dual-stack)网络
+* [使用 kubeadm 启用双协议栈网络](/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)
diff --git a/content/zh/docs/concepts/services-networking/endpoint-slices.md b/content/zh-cn/docs/concepts/services-networking/endpoint-slices.md
similarity index 83%
rename from content/zh/docs/concepts/services-networking/endpoint-slices.md
rename to content/zh-cn/docs/concepts/services-networking/endpoint-slices.md
index 447caae39c8ed..b3f094929802b 100644
--- a/content/zh/docs/concepts/services-networking/endpoint-slices.md
+++ b/content/zh-cn/docs/concepts/services-networking/endpoint-slices.md
@@ -52,11 +52,11 @@ significant amounts of network traffic and processing when Endpoints changed.
 EndpointSlices help you mitigate those issues as well as provide an extensible
 platform for additional features such as topological routing.
 -->
-由于任一服务的所有网络端点都保存在同一个 Endpoints 资源中，这类资源可能变得
-非常巨大，而这一变化会影响到 Kubernetes 组件（比如主控组件）的性能，并
-在 Endpoints 变化时产生大量的网络流量和额外的处理。
-EndpointSlice 能够帮助你缓解这一问题，还能为一些诸如拓扑路由这类的额外
-功能提供一个可扩展的平台。
+由于任一 Service 的所有网络端点都保存在同一个 Endpoints 资源中，
+这类资源可能变得非常巨大，而这一变化会影响到 Kubernetes
+组件（比如主控组件）的性能，并在 Endpoints 变化时产生大量的网络流量和额外的处理。
+EndpointSlice 能够帮助你缓解这一问题，
+还能为一些诸如拓扑路由这类的额外功能提供一个可扩展的平台。
 
 <!--
 ## Endpoint Slice resources {#endpointslice-resource}
@@ -78,13 +78,13 @@ Kubernetes Service.
 
 在 Kubernetes 中，`EndpointSlice` 包含对一组网络端点的引用。
 指定选择器后控制面会自动为设置了 {{< glossary_tooltip text="选择算符" term_id="selector" >}}
-的 Kubernetes 服务创建 EndpointSlice。
-这些 EndpointSlice 将包含对与服务选择算符匹配的所有 Pod 的引用。
-EndpointSlice 通过唯一的协议、端口号和服务名称将网络端点组织在一起。
+的 Kubernetes Service 创建 EndpointSlice。
+这些 EndpointSlice 将包含对与 Service 选择算符匹配的所有 Pod 的引用。
+EndpointSlice 通过唯一的协议、端口号和 Service 名称将网络端点组织在一起。
 EndpointSlice 的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
-例如，下面是 Kubernetes 服务 `example` 的 EndpointSlice 资源示例。
+例如，下面是 Kubernetes Service `example` 的 EndpointSlice 资源示例。
 
 ```yaml
 apiVersion: discovery.k8s.io/v1
@@ -174,8 +174,8 @@ Services will always have the `ready` condition set to `true`.
 处于运行中的 Pod，它的 `Ready` 状况被设置为 `True`，应该将此 EndpointSlice 状况也设置为 `true`。
 出于兼容性原因，当 Pod 处于终止过程中，`ready` 永远不会为 `true`。
 消费者应参考 `serving` 状况来检查处于终止中的 Pod 的就绪情况。
-该规则的唯一例外是将 `spec.publishNotReadyAddresses` 设置为 `true` 的服务。
-这些服务（Service）的端点将始终将 `ready` 状况设置为 `true`。
+该规则的唯一例外是将 `spec.publishNotReadyAddresses` 设置为 `true` 的 Service。
+这些 Service 的端点将始终将 `ready` 状况设置为 `true`。
 
 <!--
 #### Serving
@@ -252,8 +252,8 @@ EndpointSlice 中的每个端点都可以包含一定的拓扑信息。
 In the v1 API, the per endpoint `topology` was effectively removed in favor of
 the dedicated fields `nodeName` and `zone`.
 -->
-在 v1 API 中，逐个端点设置的 `topology` 实际上被去除，以鼓励使用专用
-的字段 `nodeName` 和 `zone`。
+在 v1 API 中，逐个端点设置的 `topology` 实际上被去除，
+以鼓励使用专用的字段 `nodeName` 和 `zone`。
 
 <!--
 Setting arbitrary topology fields on the `endpoint` field of an `EndpointSlice`
@@ -263,11 +263,11 @@ These fields are automatically translated between API versions. For example, the
 value of the `"topology.kubernetes.io/zone"` key in the `topology` field in
 the v1beta1 API is accessible as the `zone` field in the v1 API.
 -->
-对 `EndpointSlice` 对象的 `endpoint` 字段设置任意的拓扑结构信息这一操作已被
-废弃，不再被 v1 API 所支持。取而代之的是 v1 API 所支持的 `nodeName` 和 `zone`
+对 `EndpointSlice` 对象的 `endpoint` 字段设置任意的拓扑结构信息这一操作已被废弃，
+不再被 v1 API 所支持。取而代之的是 v1 API 所支持的 `nodeName` 和 `zone`
 这些独立的字段。这些字段可以在不同的 API 版本之间自动完成转译。
-例如，v1beta1 API 中 `topology` 字段的 `topology.kubernetes.io/zone` 取值可以
-在 v1 API 中通过 `zone` 字段访问。
+例如，v1beta1 API 中 `topology` 字段的 `topology.kubernetes.io/zone`
+取值可以在 v1 API 中通过 `zone` 字段访问。
 {{< /note >}}
 
 <!--
@@ -283,8 +283,8 @@ entities or controllers managing additional sets of EndpointSlices.
 
 通常，控制面（尤其是端点切片的 {{< glossary_tooltip text="控制器" term_id="controller" >}}）
 会创建和管理 EndpointSlice 对象。EndpointSlice 对象还有一些其他使用场景，
-例如作为服务网格（Service Mesh）的实现。这些场景都会导致有其他实体
-或者控制器负责管理额外的 EndpointSlice 集合。
+例如作为服务网格（Service Mesh）的实现。
+这些场景都会导致有其他实体或者控制器负责管理额外的 EndpointSlice 集合。
 
 <!--
 To ensure that multiple entities can manage EndpointSlices without interfering
@@ -299,8 +299,8 @@ EndpointSlices should also set a unique value for this label.
 为了确保多个实体可以管理 EndpointSlice 而且不会相互产生干扰，Kubernetes 定义了
 {{< glossary_tooltip term_id="label" text="标签" >}}
 `endpointslice.kubernetes.io/managed-by`，用来标明哪个实体在管理某个
-EndpointSlice。端点切片控制器会在自己所管理的所有 EndpointSlice 上将该标签值设置
-为 `endpointslice-controller.k8s.io`。
+EndpointSlice。端点切片控制器会在自己所管理的所有 EndpointSlice 上将该标签值设置为
+`endpointslice-controller.k8s.io`。
 管理 EndpointSlice 的其他实体也应该为此标签设置一个唯一值。
 
 <!--
@@ -313,10 +313,10 @@ label that enables simple lookups of all EndpointSlices belonging to a Service.
 -->
 ### 属主关系   {#ownership}
 
-在大多数场合下，EndpointSlice 都由某个 Service 所有，（因为）该端点切片正是
-为该服务跟踪记录其端点。这一属主关系是通过为每个 EndpointSlice 设置一个
-属主（owner）引用，同时设置 `kubernetes.io/service-name` 标签来标明的，
-目的是方便查找隶属于某服务的所有 EndpointSlice。
+在大多数场合下，EndpointSlice 都由某个 Service 所有，
+（因为）该端点切片正是为该服务跟踪记录其端点。这一属主关系是通过为每个 EndpointSlice
+设置一个属主（owner）引用，同时设置 `kubernetes.io/service-name` 标签来标明的，
+目的是方便查找隶属于某 Service 的所有 EndpointSlice。
 
 <!--
 ### EndpointSlice mirroring
@@ -328,8 +328,8 @@ resources to corresponding EndpointSlices.
 -->
 ### EndpointSlice 镜像    {#endpointslice-mirroring}
 
-在某些场合，应用会创建定制的 Endpoints 资源。为了保证这些应用不需要并发
-的更改 Endpoints 和 EndpointSlice 资源，集群的控制面将大多数 Endpoints
+在某些场合，应用会创建定制的 Endpoints 资源。为了保证这些应用不需要并发的更改
+Endpoints 和 EndpointSlice 资源，集群的控制面将大多数 Endpoints
 映射到对应的 EndpointSlice 之上。
 
 <!--
@@ -372,8 +372,8 @@ with Endpoints.
 ### EndpointSlices 的分布问题  {#distribution-of-endpointslices}
 
 每个 EndpointSlice 都有一组端口值，适用于资源内的所有端点。
-当为服务使用命名端口时，Pod 可能会就同一命名端口获得不同的端口号，因而需要
-不同的 EndpointSlice。这有点像 Endpoints 用来对子网进行分组的逻辑。
+当为 Service 使用命名端口时，Pod 可能会就同一命名端口获得不同的端口号，
+因而需要不同的 EndpointSlice。这有点像 Endpoints 用来对子网进行分组的逻辑。
 
 <!--
 The control plane tries to fill EndpointSlices as full as possible, but does not
@@ -386,11 +386,10 @@ actively rebalance them. The logic is fairly straightforward:
 3. If there's still new endpoints left to add, try to fit them into a previously
    unchanged slice and/or create new ones.
 -->
-控制面尝试尽量将 EndpointSlice 填满，不过不会主动地在若干 EndpointSlice 之间
-执行再平衡操作。这里的逻辑也是相对直接的：
+控制面尝试尽量将 EndpointSlice 填满，不过不会主动地在若干 EndpointSlice
+之间执行再平衡操作。这里的逻辑也是相对直接的：
 
-1. 列举所有现有的 EndpointSlices，移除那些不再需要的端点并更新那些已经
-   变化的端点。
+1. 列举所有现有的 EndpointSlices，移除那些不再需要的端点并更新那些已经变化的端点。
 2. 列举所有在第一步中被更改过的 EndpointSlices，用新增加的端点将其填满。
 3. 如果还有新的端点未被添加进去，尝试将这些端点添加到之前未更改的切片中，
    或者创建新切片。
@@ -403,11 +402,11 @@ this approach will create a new EndpointSlice instead of filling up the 2
 existing EndpointSlices. In other words, a single EndpointSlice creation is
 preferrable to multiple EndpointSlice updates.
 -->
-这里比较重要的是，与在 EndpointSlice 之间完成最佳的分布相比，第三步中更看重
-限制 EndpointSlice 更新的操作次数。例如，如果有 10 个端点待添加，有两个
-EndpointSlice 中各有 5 个空位，上述方法会创建一个新的 EndpointSlice 而不是
-将现有的两个 EndpointSlice 都填满。换言之，与执行多个 EndpointSlice 更新操作
-相比较，方法会优先考虑执行一个 EndpointSlice 创建操作。
+这里比较重要的是，与在 EndpointSlice 之间完成最佳的分布相比，第三步中更看重限制
+EndpointSlice 更新的操作次数。例如，如果有 10 个端点待添加，有两个 EndpointSlice
+中各有 5 个空位，上述方法会创建一个新的 EndpointSlice 而不是将现有的两个
+EndpointSlice 都填满。换言之，与执行多个 EndpointSlice 更新操作相比较，
+方法会优先考虑执行一个 EndpointSlice 创建操作。
 
 <!--
 With kube-proxy running on each Node and watching EndpointSlices, every change
@@ -416,10 +415,10 @@ every Node in the cluster. This approach is intended to limit the number of
 changes that need to be sent to every Node, even if it may result with multiple
 EndpointSlices that are not full.
 -->
-由于 kube-proxy 在每个节点上运行并监视 EndpointSlice 状态，EndpointSlice 的
-每次变更都变得相对代价较高，因为这些状态变化要传递到集群中每个节点上。
-这一方法尝试限制要发送到所有节点上的变更消息个数，即使这样做可能会导致有
-多个 EndpointSlice 没有被填满。
+由于 kube-proxy 在每个节点上运行并监视 EndpointSlice 状态，EndpointSlice
+的每次变更都变得相对代价较高，因为这些状态变化要传递到集群中每个节点上。
+这一方法尝试限制要发送到所有节点上的变更消息个数，即使这样做可能会导致有多个
+EndpointSlice 没有被填满。
 
 <!--
 In practice, this less than ideal distribution should be rare. Most changes
@@ -429,11 +428,11 @@ necessary soon anyway. Rolling updates of Deployments also provide a natural
 repacking of EndpointSlices with all Pods and their corresponding endpoints
 getting replaced.
 -->
-在实践中，上面这种并非最理想的分布是很少出现的。大多数被 EndpointSlice 控制器
-处理的变更都是足够小的，可以添加到某已有 EndpointSlice 中去的。并且，假使无法
-添加到已有的切片中，不管怎样都会快就会需要一个新的 EndpointSlice 对象。
-Deployment 的滚动更新为重新为 EndpointSlice 打包提供了一个自然的机会，所有
-Pod 及其对应的端点在这一期间都会被替换掉。
+在实践中，上面这种并非最理想的分布是很少出现的。大多数被 EndpointSlice
+控制器处理的变更都是足够小的，可以添加到某已有 EndpointSlice 中去的。
+并且，假使无法添加到已有的切片中，不管怎样都会快就会需要一个新的
+EndpointSlice 对象。Deployment 的滚动更新为重新为 EndpointSlice
+打包提供了一个自然的机会，所有 Pod 及其对应的端点在这一期间都会被替换掉。
 
 <!--
 ### Duplicate endpoints
@@ -460,5 +459,5 @@ implementation in `kube-proxy`.
 <!--
 * Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/)
 -->
-* 阅读[使用服务连接应用](/zh/docs/concepts/services-networking/connect-applications-service/)
+* 阅读[使用 Service 连接到应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
 
diff --git a/content/zh/docs/concepts/services-networking/ingress-controllers.md b/content/zh-cn/docs/concepts/services-networking/ingress-controllers.md
similarity index 93%
rename from content/zh/docs/concepts/services-networking/ingress-controllers.md
rename to content/zh-cn/docs/concepts/services-networking/ingress-controllers.md
index a85e07340400a..1e2d6ae078ba5 100644
--- a/content/zh/docs/concepts/services-networking/ingress-controllers.md
+++ b/content/zh-cn/docs/concepts/services-networking/ingress-controllers.md
@@ -143,13 +143,13 @@ You may deploy any number of ingress controllers using [ingress class](/docs/con
 within a cluster. Note the `.metadata.name` of your ingress class resource. When you create an ingress you would need that name to specify the `ingressClassName` field on your Ingress object (refer to [IngressSpec v1 reference](/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec). `ingressClassName` is a replacement of the older [annotation method](/docs/concepts/services-networking/ingress/#deprecated-annotation).
 -->
 你可以使用
-[Ingress 类](/zh/docs/concepts/services-networking/ingress/#ingress-class)在集群中部署任意数量的
+[Ingress 类](/zh-cn/docs/concepts/services-networking/ingress/#ingress-class)在集群中部署任意数量的
 Ingress 控制器。
 请注意你的 Ingress 类资源的 `.metadata.name` 字段。
 当你创建 Ingress 时，你需要用此字段的值来设置 Ingress 对象的 `ingressClassName` 字段（请参考
 [IngressSpec v1 reference](/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec)）。
 `ingressClassName`
-是之前的[注解](/zh/docs/concepts/services-networking/ingress/#deprecated-annotation)做法的替代。
+是之前的[注解](/zh-cn/docs/concepts/services-networking/ingress/#deprecated-annotation)做法的替代。
 
 <!--
 If you do not specify an IngressClass for an Ingress, and your cluster has exactly one IngressClass marked as default, then Kubernetes [applies](/docs/concepts/services-networking/ingress/#default-ingress-class) the cluster's default IngressClass to the Ingress.
@@ -158,11 +158,12 @@ You mark an IngressClass as default by setting the [`ingressclass.kubernetes.io/
 Ideally, all ingress controllers should fulfill this specification, but the various ingress
 controllers operate slightly differently.
 -->
-如果你不为 Ingress 指定一个 IngressClass，并且你的集群中只有一个 IngressClass 被标记为了集群默认，那么
-Kubernetes 会[应用](/zh/docs/concepts/services-networking/ingress/#default-ingress-class)此默认
+如果你不为 Ingress 指定 IngressClass，并且你的集群中只有一个 IngressClass 被标记为默认，那么
+Kubernetes 会将此集群的默认 IngressClass
+[应用](/zh-cn/docs/concepts/services-networking/ingress/#default-ingress-class)到 Ingress 上。
 IngressClass。
 你可以通过将
-[`ingressclass.kubernetes.io/is-default-class` 注解](/zh/docs/reference/labels-annotations-taints/#ingressclass-kubernetes-io-is-default-class)
+[`ingressclass.kubernetes.io/is-default-class` 注解](/zh-cn/docs/reference/labels-annotations-taints/#ingressclass-kubernetes-io-is-default-class)
 的值设置为 `"true"` 来将一个 IngressClass 标记为集群默认。
 
 理想情况下，所有 Ingress 控制器都应满足此规范，但各种 Ingress 控制器的操作略有不同。
@@ -180,6 +181,6 @@ Make sure you review your ingress controller's documentation to understand the c
 * Learn more about [Ingress](/docs/concepts/services-networking/ingress/).
 * [Set up Ingress on Minikube with the NGINX Controller](/docs/tasks/access-application-cluster/ingress-minikube).
 -->
-* 进一步了解 [Ingress](/zh/docs/concepts/services-networking/ingress/)。
-* [在 Minikube 上使用 NGINX 控制器安装 Ingress](/zh/docs/tasks/access-application-cluster/ingress-minikube)。
+* 进一步了解 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/)。
+* [在 Minikube 上使用 NGINX 控制器安装 Ingress](/zh-cn/docs/tasks/access-application-cluster/ingress-minikube)。
 
diff --git a/content/zh/docs/concepts/services-networking/ingress.md b/content/zh-cn/docs/concepts/services-networking/ingress.md
similarity index 91%
rename from content/zh/docs/concepts/services-networking/ingress.md
rename to content/zh-cn/docs/concepts/services-networking/ingress.md
index 037b135c0de61..6b5bf60c38ece 100644
--- a/content/zh/docs/concepts/services-networking/ingress.md
+++ b/content/zh-cn/docs/concepts/services-networking/ingress.md
@@ -20,7 +20,7 @@ weight: 40
 
 For clarity, this guide defines the following terms:
 -->
-## 术语
+## 术语  {#terminology}
 
 为了表达更加清晰，本指南定义了以下术语：
 
@@ -36,7 +36,7 @@ For clarity, this guide defines the following terms:
   在此示例和在大多数常见的 Kubernetes 部署环境中，集群中的节点都不在公共网络中。
 * 边缘路由器（Edge Router）: 在集群中强制执行防火墙策略的路由器。可以是由云提供商管理的网关，也可以是物理硬件。
 * 集群网络（Cluster Network）: 一组逻辑的或物理的连接，根据 Kubernetes
-  [网络模型](/zh/docs/concepts/cluster-administration/networking/)在集群内实现通信。
+  [网络模型](/zh-cn/docs/concepts/cluster-administration/networking/)在集群内实现通信。
 * 服务（Service）：Kubernetes {{< glossary_tooltip term_id="service" >}}，
   使用{{< glossary_tooltip text="标签" term_id="label" >}}选择器（selectors）辨认一组 Pod。
   除非另有说明，否则假定服务只具有在集群网络中可路由的虚拟 IP。
@@ -48,10 +48,11 @@ For clarity, this guide defines the following terms:
 {{< link text="services" url="/docs/concepts/services-networking/service/" >}} within the cluster.
 Traffic routing is controlled by rules defined on the Ingress resource.
 -->
-## Ingress 是什么？
+## Ingress 是什么？  {#what-is-ingress}
 
 [Ingress](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#ingress-v1beta1-networking-k8s-io)
-公开了从集群外部到集群内[服务](/zh/docs/concepts/services-networking/service/)的 HTTP 和 HTTPS 路由。
+公开从集群外部到集群内[服务](/zh-cn/docs/concepts/services-networking/service/)的
+HTTP 和 HTTPS 路由。
 流量路由由 Ingress 资源上定义的规则控制。
 
 <!--
@@ -59,28 +60,13 @@ Here is a simple example where an Ingress sends all its traffic to one Service:
 -->
 下面是一个将所有流量都发送到同一 Service 的简单 Ingress 示例：
 
-{{< mermaid >}}
-graph LR;
-  client([客户端])-. Ingress-管理的 <br> 负载均衡器 .->ingress[Ingress];
-  ingress-->|路由规则|service[Service];
-  subgraph cluster
-  ingress;
-  service-->pod1[Pod];
-  service-->pod2[Pod];
-  end
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-  class ingress,service,pod1,pod2 k8s;
-  class client plain;
-  class cluster cluster;
-{{</ mermaid >}}
+{{< figure src="/zh-cn/docs/images/ingress.svg" alt="ingress-diagram" class="diagram-large" caption="图. Ingress" link="https://mermaid.live/edit#pako:eNqNkstuwyAQRX8F4U0r2VHqPlSRKqt0UamLqlnaWWAYJygYLB59KMm_Fxcix-qmGwbuXA7DwAEzzQETXKutof0Ovb4vaoUQkwKUu6pi3FwXM_QSHGBt0VFFt8DRU2OWSGrKUUMlVQwMmhVLEV1Vcm9-aUksiuXRaO_CEhkv4WjBfAgG1TrGaLa-iaUw6a0DcwGI-WgOsF7zm-pN881fvRx1UDzeiFq7ghb1kgqFWiElyTjnuXVG74FkbdumefEpuNuRu_4rZ1pqQ7L5fL6YQPaPNiFuywcG9_-ihNyUkm6YSONWkjVNM8WUIyaeOJLO3clTB_KhL8NQDmVe-OJjxgZM5FhFiiFTK5zjDkxHBQ9_4zB4a-x20EGNSZhyaKmXrg7f5hSsvufUwTMXThtMWiot5Jh6p9ffimHijIezaSVoeN0uiqcfMJvf7w" >}}
 
 <!-- 
 An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name based virtual hosting. An [Ingress controller](/docs/concepts/services-networking/ingress-controllers) is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.
 -->
 Ingress 可为 Service 提供外部可访问的 URL、负载均衡流量、终止 SSL/TLS，以及基于名称的虚拟托管。
-[Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers)
+[Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers)
 通常负责通过负载均衡器来实现 Ingress，尽管它也可以配置边缘路由器或其他前端来帮助处理流量。
 
 <!-- 
@@ -90,8 +76,8 @@ uses a service of type [Service.Type=NodePort](/docs/concepts/services-networkin
 -->
 Ingress 不会公开任意端口或协议。
 将 HTTP 和 HTTPS 以外的服务公开到 Internet 时，通常使用
-[Service.Type=NodePort](/zh/docs/concepts/services-networking/service/#type-nodeport)
-或 [Service.Type=LoadBalancer](/zh/docs/concepts/services-networking/service/#loadbalancer)
+[Service.Type=NodePort](/zh-cn/docs/concepts/services-networking/service/#type-nodeport)
+或 [Service.Type=LoadBalancer](/zh-cn/docs/concepts/services-networking/service/#loadbalancer)
 类型的 Service。
 
 <!--
@@ -101,7 +87,7 @@ You must have an [ingress controller](/docs/concepts/services-networking/ingress
 -->
 ## 环境准备
 
-你必须拥有一个 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers) 才能满足 Ingress 的要求。
+你必须拥有一个 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers) 才能满足 Ingress 的要求。
 仅创建 Ingress 资源本身没有任何效果。
 
 <!-- 
@@ -109,7 +95,7 @@ You may need to deploy an Ingress controller such as [ingress-nginx](https://kub
 [Ingress controllers](/docs/concepts/services-networking/ingress-controllers).
 -->
 你可能需要部署 Ingress 控制器，例如 [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/)。
-你可以从许多 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers) 中进行选择。
+你可以从许多 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers) 中进行选择。
 
 <!-- 
 Ideally, all Ingress controllers should fit the reference specification. In reality, the various Ingress
@@ -147,13 +133,13 @@ Different [Ingress controllers](/docs/concepts/services-networking/ingress-contr
  your choice of Ingress controller to learn which annotations are supported.
 -->
 Ingress 需要指定 `apiVersion`、`kind`、 `metadata`和 `spec` 字段。
-Ingress 对象的命名必须是合法的 [DNS 子域名名称](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
-关于如何使用配置文件，请参见[部署应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)、
-[配置容器](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)、
-[管理资源](/zh/docs/concepts/cluster-administration/manage-deployment/)。
+Ingress 对象的命名必须是合法的 [DNS 子域名名称](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+关于如何使用配置文件，请参见[部署应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)、
+[配置容器](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)、
+[管理资源](/zh-cn/docs/concepts/cluster-administration/manage-deployment/)。
 Ingress 经常使用注解（annotations）来配置一些选项，具体取决于 Ingress
 控制器，例如[重写目标注解](https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/rewrite/README.md)。
-不同的 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers)支持不同的注解。
+不同的 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers)支持不同的注解。
 查看你所选的 Ingress 控制器的文档，以了解其支持哪些注解。
 
 <!-- 
@@ -209,7 +195,7 @@ Each HTTP rule contains the following information:
   如果提供了 `host`（例如 foo.bar.com），则 `rules` 适用于该 `host`。
 * 路径列表 paths（例如，`/testpath`）,每个路径都有一个由 `serviceName` 和 `servicePort` 定义的关联后端。
   在负载均衡器将流量定向到引用的服务之前，主机和路径都必须匹配传入请求的内容。
-* `backend`（后端）是 [Service 文档](/zh/docs/concepts/services-networking/service/)中所述的服务和端口名称的组合。
+* `backend`（后端）是 [Service 文档](/zh-cn/docs/concepts/services-networking/service/)中所述的服务和端口名称的组合。
   与规则的 `host` 和 `path` 匹配的对 Ingress 的 HTTP（和 HTTPS ）请求将发送到列出的 `backend`。
 
 <!-- 
@@ -238,7 +224,7 @@ routed to your default backend.
 没有设置规则的 Ingress 将所有流量发送到同一个默认后端，而
 `.spec.defaultBackend` 则是在这种情况下处理请求的那个默认后端。
 `defaultBackend` 通常是
-[Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers)的配置选项，而非在
+[Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers)的配置选项，而非在
 Ingress 资源中指定。
 如果未设置任何的 `.spec.rules`，那么必须指定 `.spec.defaultBackend`。
 如果未设置 `defaultBackend`，那么如何处理所有与规则不匹配的流量将交由
@@ -538,7 +524,7 @@ that is used for a workload. If you used a cluster-scoped parameter then either:
 网关定义）。如果你使用集群作用域的参数，那么你必须从以下两项中选择一项执行：
 
 - 每次修改配置，集群操作团队需要批准其他团队的修改。
-- 集群操作团队定义具体的准入控制，比如 [RBAC](/zh/docs/reference/access-authn-authz/rbac/)
+- 集群操作团队定义具体的准入控制，比如 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)
   角色与角色绑定，以使得应用程序团队可以修改集群作用域的配置参数资源。
 
 <!--
@@ -699,25 +685,8 @@ down to a minimum. For example, a setup like:
 一个扇出（fanout）配置根据请求的 HTTP URI 将来自同一 IP 地址的流量路由到多个 Service。
 Ingress 允许你将负载均衡器的数量降至最低。例如，这样的设置：
 
-{{< mermaid >}}
-graph LR;
-  client([客户端])-. Ingress-管理的 <br> 负载均衡器 .->ingress[Ingress, 178.91.123.132];
-  ingress-->|/foo|service1[Service service1:4200];
-  ingress-->|/bar|service2[Service service2:8080];
-  subgraph cluster
-  ingress;
-  service1-->pod1[Pod];
-  service1-->pod2[Pod];
-  service2-->pod3[Pod];
-  service2-->pod4[Pod];
-  end
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-  class ingress,service1,service2,pod1,pod2,pod3,pod4 k8s;
-  class client plain;
-  class cluster cluster;
-{{</ mermaid >}}
+{{< figure src="/zh-cn/docs/images/ingressFanOut.svg" alt="ingress-fanout-diagram" class="diagram-large" caption="图. Ingress 扇出" link="https://mermaid.live/edit#pako:eNqNUslOwzAQ_RXLvYCUhMQpUFzUUzkgcUBwbHpw4klr4diR7bCo8O8k2FFbFomLPZq3jP00O1xpDpjijWHtFt09zAuFUCUFKHey8vf6NE7QrdoYsDZumGIb4Oi6NAskNeOoZJKpCgxK4oXwrFVgRyi7nCVXWZKRPMlysv5yD6Q4Xryf1Vq_WzDPooJs9egLNDbolKTpT03JzKgh3zWEztJZ0Niu9L-qZGcdmAMfj4cxvWmreba613z9C0B-AMQD-V_AdA-A4j5QZu0SatRKJhSqhZR0wjmPrDP6CeikrutQxy-Cuy2dtq9RpaU2dJKm6fzI5Glmg0VOLio4_5dLjx27hFSC015KJ2VZHtuQvY2fuHcaE43G0MaCREOow_FV5cMxHZ5-oPX75UM5avuXhXuOI9yAaZjg_aLuBl6B3RYaKDDtSw4166QrcKE-emrXcubghgunDaY1kxYizDqnH99UhakzHYykpWD9hjS--fEJoIELqQ" >}}
+
 
 <!--
 would require an Ingress such as:
@@ -770,8 +739,8 @@ you are using, you may need to create a default-http-backend
 [Service](/docs/concepts/services-networking/service/).
 -->
 {{< note >}}
-取决于你所使用的 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers)，
-你可能需要创建默认 HTTP 后端[服务](/zh/docs/concepts/services-networking/service/)。
+取决于你所使用的 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers)，
+你可能需要创建默认 HTTP 后端[服务](/zh-cn/docs/concepts/services-networking/service/)。
 {{< /note >}}
 
 <!--
@@ -783,25 +752,7 @@ Name-based virtual hosts support routing HTTP traffic to multiple host names at
 
 基于名称的虚拟主机支持将针对多个主机名的 HTTP 流量路由到同一 IP 地址上。
 
-{{< mermaid >}}
-graph LR;
-  client([客户端])-. Ingress-管理的 <br> 负载均衡器 .->ingress[Ingress, 178.91.123.132];
-  ingress-->|Host: foo.bar.com|service1[Service service1:80];
-  ingress-->|Host: bar.foo.com|service2[Service service2:80];
-  subgraph cluster
-  ingress;
-  service1-->pod1[Pod];
-  service1-->pod2[Pod];
-  service2-->pod3[Pod];
-  service2-->pod4[Pod];
-  end
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-  class ingress,service1,service2,pod1,pod2,pod3,pod4 k8s;
-  class client plain;
-  class cluster cluster;
-{{</ mermaid >}}
+{{< figure src="/zh-cn/docs/images/ingressNameBased.svg" alt="ingress-namebase-diagram" class="diagram-large" caption="图. 基于名称实现虚拟托管的 Ingress" link="https://mermaid.live/edit#pako:eNqNkl9PwyAUxb8KYS-atM1Kp05m9qSJJj4Y97jugcLtRqTQAPVPdN_dVlq3qUt8gZt7zvkBN7xjbgRgiteW1Rt0_zjLNUJcSdD-ZBn21WmcoDu9tuBcXDHN1iDQVWHnSBkmUMEU0xwsSuK5DK5l745QejFNLtMkJVmSZmT1Re9NcTz_uDXOU1QakxTMJtxUHw7ss-SQLhehQEODTsdH4l20Q-zFyc84-Y67pghv5apxHuweMuj9eS2_NiJdPhix-kMgvwQShOyYMNkJoEUYM3PuGkpUKyY1KqVSdCSEiJy35gnoqCzLvo5fpPAbOqlfI26UsXQ0Ho9nB5CnqesRGTnncPYvSqsdUvqp9KRdlI6KojjEkB0mnLgjDRONhqENBYm6oXbLV5V1y6S7-l42_LowlIN2uFm_twqOcAW2YlK0H_i9c-bYb6CCHNO2FFCyRvkc53rbWptaMA83QnpjMS2ZchBh1nizeNMcU28bGEzXkrV_pArN7Sc0rBTu" >}}
 
 <!--
 The following Ingress tells the backing load balancer to route requests based on
@@ -930,7 +881,7 @@ specific documentation to see how they handle health checks (
 -->
 值得注意的是，尽管健康检查不是通过 Ingress 直接暴露的，在 Kubernetes
 中存在并行的概念，比如
-[就绪检查](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)，
+[就绪检查](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)，
 允许你实现相同的目的。
 请检查特定控制器的说明文档（[nginx](https://git.k8s.io/ingress-nginx/README.md)、
 [GCE](https://git.k8s.io/ingress-gce/README.md#health-checks)）以了解它们是怎样处理健康检查的。
@@ -1049,7 +1000,7 @@ Please check the documentation of the relevant [Ingress controller](/docs/concep
 ## 跨可用区失败  {#failing-across-availability-zones}
 
 不同的云厂商使用不同的技术来实现跨故障域的流量分布。详情请查阅相关 Ingress 控制器的文档。
-请查看相关 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers)的文档以了解详细信息。
+请查看相关 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers)的文档以了解详细信息。
 
 <!--
 ## Alternatives
@@ -1064,8 +1015,8 @@ You can expose a Service in multiple ways that don't directly involve the Ingres
 * Use [Service.Type=LoadBalancer](/docs/concepts/services-networking/service/#loadbalancer)
 * Use [Service.Type=NodePort](/docs/concepts/services-networking/service/#nodeport)
 -->
-* 使用 [Service.Type=LoadBalancer](/zh/docs/concepts/services-networking/service/#loadbalancer)
-* 使用 [Service.Type=NodePort](/zh/docs/concepts/services-networking/service/#nodeport)
+* 使用 [Service.Type=LoadBalancer](/zh-cn/docs/concepts/services-networking/service/#loadbalancer)
+* 使用 [Service.Type=NodePort](/zh-cn/docs/concepts/services-networking/service/#nodeport)
 
 ## {{% heading "whatsnext" %}}
 
@@ -1075,6 +1026,6 @@ You can expose a Service in multiple ways that don't directly involve the Ingres
 * [Set up Ingress on Minikube with the NGINX Controller](/docs/tasks/access-application-cluster/ingress-minikube/)
 -->
 * 进一步了解 [Ingress](/docs/reference/kubernetes-api/service-resources/ingress-v1/) API
-* 进一步了解 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers/)
-* [使用 NGINX 控制器在 Minikube 上安装 Ingress](/zh/docs/tasks/access-application-cluster/ingress-minikube/)
+* 进一步了解 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers/)
+* [使用 NGINX 控制器在 Minikube 上安装 Ingress](/zh-cn/docs/tasks/access-application-cluster/ingress-minikube/)
 
diff --git a/content/zh/docs/concepts/services-networking/network-policies.md b/content/zh-cn/docs/concepts/services-networking/network-policies.md
similarity index 84%
rename from content/zh/docs/concepts/services-networking/network-policies.md
rename to content/zh-cn/docs/concepts/services-networking/network-policies.md
index ff36905777dd2..88bbebdfaa417 100644
--- a/content/zh/docs/concepts/services-networking/network-policies.md
+++ b/content/zh-cn/docs/concepts/services-networking/network-policies.md
@@ -13,7 +13,7 @@ weight: 50
 <!-- overview -->
 
 <!--
-If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster.  NetworkPolicies are an application-centric construct which allow you to specify how a {{< glossary_tooltip text="pod" term_id="pod">}} is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network.
+If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster.  NetworkPolicies are an application-centric construct which allow you to specify how a {{< glossary_tooltip text="pod" term_id="pod">}} is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network. NetworkPolicies apply to a connection with a pod on one or both ends, and are not relevant to other connections.
 -->
 如果你希望在 IP 地址或端口层面（OSI 第 3 层或第 4 层）控制网络流量，
 则你可以考虑为集群中特定应用使用 Kubernetes 网络策略（NetworkPolicy）。
@@ -21,6 +21,7 @@ NetworkPolicy 是一种以应用为中心的结构，允许你设置如何允许
 {{< glossary_tooltip text="Pod" term_id="pod">}} 与网络上的各类网络“实体”
 （我们这里使用实体以避免过度使用诸如“端点”和“服务”这类常用术语，
 这些术语在 Kubernetes 中有特定含义）通信。
+NetworkPolicies 适用于一端或两端与 Pod 的连接，与其他连接无关。
 
 <!--
 The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:
@@ -57,7 +58,7 @@ Network policies are implemented by the [network plugin](/docs/concepts/extend-k
 -->
 ## 前置条件   {#prerequisites}
 
-网络策略通过[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
+网络策略通过[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
 来实现。要使用网络策略，你必须使用支持 NetworkPolicy 的网络解决方案。
 创建一个 NetworkPolicy 资源对象而没有控制器来使它生效的话，是没有任何作用的。
 
@@ -67,7 +68,7 @@ Network policies are implemented by the [network plugin](/docs/concepts/extend-k
 There are two sorts of isolation for a pod: isolation for egress, and isolation for ingress.  They concern what connections may be established.  "Isolation" here is not absolute, rather it means "some restrictions apply".  The alternative, "non-isolated for $direction", means that no restrictions apply in the stated direction.  The two sorts of isolation (or not) are declared independently, and are both relevant for a connection from one pod to another.
 -->
 
-## Pod 隔离的两种类型
+## Pod 隔离的两种类型   {#the-two-sorts-of-pod-isolation}
 
 Pod 有两种隔离: 出口的隔离和入口的隔离。它们涉及到可以建立哪些连接。
 这里的“隔离”不是绝对的，而是意味着“有一些限制”。
@@ -90,7 +91,7 @@ By default, a pod is non-isolated for ingress; all inbound connections are allow
 
 默认情况下，一个 Pod 对入口是非隔离的，即所有入站连接都是被允许的。如果有任何的 NetworkPolicy
 选择该 Pod 并在其 `policyTypes` 中包含 “Ingress”，则该 Pod 被隔离入口，
-我们称这种策略适用于该 Pod 的入口。 当一个 Pod 的入口被隔离时，唯一允许进入该 Pod
+我们称这种策略适用于该 Pod 的入口。当一个 Pod 的入口被隔离时，唯一允许进入该 Pod
 的连接是来自该 Pod 节点的连接和适用于入口的 Pod 的某个 NetworkPolicy 的 `ingress`
 列表所允许的连接。这些 `ingress` 列表的效果是相加的。
 
@@ -134,7 +135,7 @@ POSTing this to the API server for your cluster will have no effect unless your
 __Mandatory Fields__: As with all other Kubernetes config, a NetworkPolicy
 needs `apiVersion`, `kind`, and `metadata` fields.  For general information
 about working with config files, see
-[Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/),
+[Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/),
 and [Object Management](/docs/concepts/overview/working-with-objects/object-management).
 
 __spec__: NetworkPolicy [spec](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) has all the information needed to define a particular network policy in the given namespace.
@@ -143,8 +144,8 @@ __podSelector__: Each NetworkPolicy includes a `podSelector` which selects the g
 -->
 __必需字段__：与所有其他的 Kubernetes 配置一样，NetworkPolicy 需要 `apiVersion`、
 `kind` 和 `metadata` 字段。关于配置文件操作的一般信息，请参考
-[使用 ConfigMap 配置容器](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/),
-和[对象管理](/zh/docs/concepts/overview/working-with-objects/object-management)。
+[配置 Pod 以使用 ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/),
+和[对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management)。
 
 __spec__：NetworkPolicy [规约](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
 中包含了在一个名字空间中定义特定网络策略所需的所有信息。
@@ -169,7 +170,7 @@ __policyTypes__: 每个 NetworkPolicy 都包含一个 `policyTypes` 列表，其
 
 __ingress__: 每个 NetworkPolicy 可包含一个 `ingress` 规则的白名单列表。
 每个规则都允许同时匹配 `from` 和 `ports` 部分的流量。示例策略中包含一条
-简单的规则： 它匹配某个特定端口，来自三个来源中的一个，第一个通过 `ipBlock`
+简单的规则：它匹配某个特定端口，来自三个来源中的一个，第一个通过 `ipBlock`
 指定，第二个通过 `namespaceSelector` 指定，第三个通过 `podSelector` 指定。
 
 __egress__: 每个 NetworkPolicy 可包含一个 `egress` 规则的白名单列表。
@@ -180,7 +181,7 @@ __egress__: 每个 NetworkPolicy 可包含一个 `egress` 规则的白名单列
 So, the example NetworkPolicy:
 
 1. isolates "role=db" pods in the "default" namespace for both ingress and egress traffic (if they weren't already isolated)
-2. (Ingress rules) allows connections to all pods in the “default” namespace with the label “role=db” on TCP port 6379 from:
+2. (Ingress rules) allows connections to all pods in the "default" namespace with the label "role=db" on TCP port 6379 from:
 
    * any pod in the "default" namespace with the label "role=frontend"
    * any pod in a namespace with the label "project=myproject"
@@ -200,10 +201,10 @@ See the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-
    * IP 地址范围为 172.17.0.0–172.17.0.255 和 172.17.2.0–172.17.255.255
      （即，除了 172.17.1.0/24 之外的所有 172.17.0.0/16）
 
-3. （Egress 规则）允许从带有 "role=db" 标签的名字空间下的任何 Pod 到 CIDR
+3. （Egress 规则）允许 “default” 命名空间中任何带有标签 “role=db” 的 Pod 到 CIDR
    10.0.0.0/24 下 5978 TCP 端口的连接。
 
-参阅[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)演练
+参阅[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)演练
 了解更多示例。
 
 <!--
@@ -227,7 +228,7 @@ Pod，应将其允许作为入站流量来源或出站流量目的地。
 __namespaceSelector__：此选择器将选择特定的名字空间，应将所有 Pod 用作其
 入站流量来源或出站流量目的地。
 
-__namespaceSelector__ *和* __podSelector__： 一个指定 `namespaceSelector`
+__namespaceSelector__ *和* __podSelector__：一个指定 `namespaceSelector`
 和 `podSelector` 的 `to`/`from` 条目选择特定名字空间中的特定 Pod。
 注意使用正确的 YAML 语法；下面的策略：
 
@@ -316,40 +317,47 @@ in that namespace.
 
 <!--
 ### Default deny all ingress traffic
-
-You can create a "default" isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
 -->
-### 默认拒绝所有入站流量
+### 默认拒绝所有入站流量   {#default-deny-all-ingress-traffic}
 
+<!--
+You can create a "default" ingress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
+-->
 你可以通过创建选择所有容器但不允许任何进入这些容器的入站流量的 NetworkPolicy
 来为名字空间创建 “default” 隔离策略。
 
 {{< codenew file="service/networking/network-policy-default-deny-ingress.yaml" >}}
 
 <!--
-This ensures that even pods that aren't selected by any other NetworkPolicy will still be isolated. This policy does not change the default egress isolation behavior.
+This ensures that even pods that aren't selected by any other NetworkPolicy will still be isolated for ingress. This policy does not affect isolation for egress from any pod.
 -->
-这样可以确保即使容器没有选择其他任何 NetworkPolicy，也仍然可以被隔离。
-此策略不会更改默认的出口隔离行为。
+这确保即使没有被任何其他 NetworkPolicy 选择的 Pod 仍将被隔离以进行入口。
+此策略不影响任何 Pod 的出口隔离。
 
 <!--
-### Default allow all ingress traffic
-
-If you want to allow all traffic to all pods in a namespace (even if policies are added that cause some pods to be treated as "isolated"), you can create a policy that explicitly allows all traffic in that namespace.
+### Allow all ingress traffic
 -->
-### 默认允许所有入站流量
+### 允许所有入站流量   {#allow-all-ingress-traffic}
 
-如果要允许所有流量进入某个名字空间中的所有 Pod（即使添加了导致某些 Pod 被视为
-“隔离”的策略），则可以创建一个策略来明确允许该名字空间中的所有流量。
+<!--
+If you want to allow all incoming connections to all pods in a namespace, you can create a policy that explicitly allows that.
+-->
+如果你想允许一个命名空间中所有 Pod 的所有入站连接，你可以创建一个明确允许的策略。
 
 {{< codenew file="service/networking/network-policy-allow-all-ingress.yaml" >}}
 
+<!--
+With this policy in place, no additional policy or policies can cause any incoming connection to those pods to be denied.  This policy has no effect on isolation for egress from any pod.
+-->
+有了这个策略，任何额外的策略都不会导致到这些 Pod 的任何入站连接被拒绝。
+此策略对任何 Pod 的出口隔离没有影响。
+
 <!--
 ### Default deny all egress traffic
 
 You can create a "default" egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
 -->
-### 默认拒绝所有出站流量
+### 默认拒绝所有出站流量   {#default-deny-all-egress-traffic}
 
 你可以通过创建选择所有容器但不允许来自这些容器的任何出站流量的 NetworkPolicy
 来为名字空间创建 “default” 隔离策略。
@@ -358,29 +366,36 @@ You can create a "default" egress isolation policy for a namespace by creating a
 
 <!--
 This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed egress traffic. This policy does not
-change the default ingress isolation behavior.
+change the ingress isolation behavior of any pod.
 -->
 此策略可以确保即使没有被其他任何 NetworkPolicy 选择的 Pod 也不会被允许流出流量。
-此策略不会更改默认的入站流量隔离行为。
+此策略不会更改任何 Pod 的入站流量隔离行为。
 
 <!--
-### Default allow all egress traffic
-
-If you want to allow all traffic from all pods in a namespace (even if policies are added that cause some pods to be treated as "isolated"), you can create a policy that explicitly allows all egress traffic in that namespace.
+### Allow all egress traffic
 -->
-### 默认允许所有出站流量
+### 允许所有出站流量   {#allow-all-egress-traffic}
 
-如果要允许来自名字空间中所有 Pod 的所有流量（即使添加了导致某些 Pod 被视为“隔离”的策略），
-则可以创建一个策略，该策略明确允许该名字空间中的所有出站流量。
+<!--
+If you want to allow all connections from all pods in a namespace, you can create a policy that explicitly allows all outgoing connections from pods in that namespace.
+-->
+如果要允许来自命名空间中所有 Pod 的所有连接，
+则可以创建一个明确允许来自该命名空间中 Pod 的所有出站连接的策略。
 
 {{< codenew file="service/networking/network-policy-allow-all-egress.yaml" >}}
 
+<!--
+With this policy in place, no additional policy or policies can cause any outgoing connection from those pods to be denied.  This policy has no effect on isolation for ingress to any pod.
+-->
+有了这个策略，任何额外的策略都不会导致来自这些 Pod 的任何出站连接被拒绝。
+此策略对进入任何 Pod 的隔离没有影响。
+
 <!--
 ### Default deny all ingress and all egress traffic
 
 You can create a "default" policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
 -->
-### 默认拒绝所有入口和所有出站流量
+### 默认拒绝所有入站和所有出站流量   {#default-deny-all-ingress-and-all-egress-traffic}
 
 你可以为名字空间创建“默认”策略，以通过在该名字空间中创建以下 NetworkPolicy
 来阻止所有入站和出站流量。
@@ -396,7 +411,7 @@ This ensures that even pods that aren't selected by any other NetworkPolicy will
 <!--
 ## SCTP support
 -->
-## SCTP 支持
+## SCTP 支持   {#sctp-support}
 
 {{< feature-state for_k8s_version="v1.20" state="stable" >}}
 
@@ -407,7 +422,7 @@ When the feature gate is enabled, you can set the `protocol` field of a NetworkP
 作为一个稳定特性，SCTP 支持默认是被启用的。
 要在集群层面禁用 SCTP，你（或你的集群管理员）需要为 API 服务器指定
 `--feature-gates=SCTPSupport=false,...`
-来禁用 `SCTPSupport` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+来禁用 `SCTPSupport` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 启用该特性门控后，用户可以将 NetworkPolicy 的 `protocol` 字段设置为 `SCTP`。
 
 {{< note >}}
@@ -465,7 +480,10 @@ port is between the range 32000 and 32768.
 
 <!--
 The following restrictions apply when using this field:
-* As a beta feature, this is enabled by default. To disable the `endPort` field at a cluster level, you (or your cluster administrator) need to disable the `NetworkPolicyEndPort` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for the API server with `-feature-gates=NetworkPolicyEndPort=false,…`.
+* As a beta feature, this is enabled by default. To disable the `endPort` field
+  at a cluster level, you (or your cluster administrator) need to disable the
+  `NetworkPolicyEndPort` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+  for the API server with `--feature-gates=NetworkPolicyEndPort=false,…`.
 * The `endPort` field must be equal to or greater than the `port` field.
 * `endPort` can only be defined if `port` is also defined.
 * Both ports must be numeric.
@@ -474,9 +492,9 @@ The following restrictions apply when using this field:
 
 * 作为一种 Beta 阶段的特性，端口范围设定默认是被启用的。要在整个集群
   范围内禁止使用 `endPort` 字段，你（或者你的集群管理员）需要为 API
-  服务器设置 `-feature-gates=NetworkPolicyEndPort=false,...` 以禁用
+  服务器设置 `--feature-gates=NetworkPolicyEndPort=false,...` 以禁用
   `NetworkPolicyEndPort`
-  [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+  [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 * `endPort` 字段必须等于或者大于 `port` 字段的值。
 * 两个字段的设置值都只能是数字。
 
@@ -490,7 +508,7 @@ the policy will be applied only for the single `port` field.
 -->
 你的集群所使用的 {{< glossary_tooltip text="CNI" term_id="cni" >}} 插件
 必须支持在 NetworkPolicy 规约中使用 `endPort` 字段。
-如果你的[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
+如果你的[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
 不支持 `endPort` 字段，而你指定了一个包含 `endPort` 字段的 NetworkPolicy，
 策略只对单个 `port` 字段生效。
 {{< /note >}}
@@ -512,7 +530,7 @@ While NetworkPolicy cannot target a namespace by its name with some object field
 standardized label to target a specific namespace.
 -->
 只要 `NamespaceDefaultLabelName`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 被启用，Kubernetes 控制面会在所有名字空间上设置一个不可变更的标签
 `kubernetes.io/metadata.name`。该标签的值是名字空间的名称。
 
@@ -522,11 +540,11 @@ standardized label to target a specific namespace.
 <!--
 ## What you can't do with network policies (at least, not yet)
 
-As of Kubernetes {{< skew latestVersion >}}, the following functionality does not exist in the NetworkPolicy API, but you might be able to implement workarounds using Operating System components (such as SELinux, OpenVSwitch, IPTables, and so on) or Layer 7 technologies (Ingress controllers, Service Mesh implementations) or admission controllers.  In case you are new to network security in Kubernetes, its worth noting that the following User Stories cannot (yet) be implemented using the NetworkPolicy API.
+As of Kubernetes {{< skew currentVersion >}}, the following functionality does not exist in the NetworkPolicy API, but you might be able to implement workarounds using Operating System components (such as SELinux, OpenVSwitch, IPTables, and so on) or Layer 7 technologies (Ingress controllers, Service Mesh implementations) or admission controllers.  In case you are new to network security in Kubernetes, its worth noting that the following User Stories cannot (yet) be implemented using the NetworkPolicy API.
 -->
-## 通过网络策略（至少目前还）无法完成的工作
+## 通过网络策略（至少目前还）无法完成的工作   {#what-you-can-t-do-with-network-policies-at-least-not-yet}
 
-到 Kubernetes {{< skew latestVersion >}} 为止，NetworkPolicy API 还不支持以下功能，不过
+到 Kubernetes {{< skew currentVersion >}} 为止，NetworkPolicy API 还不支持以下功能，不过
 你可能可以使用操作系统组件（如 SELinux、OpenVSwitch、IPTables 等等）
 或者第七层技术（Ingress 控制器、服务网格实现）或准入控制器来实现一些
 替代方案。
@@ -570,7 +588,7 @@ As of Kubernetes {{< skew latestVersion >}}, the following functionality does no
   walkthrough for further examples.
 - See more [recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes) for common scenarios enabled by the NetworkPolicy resource.
 -->
-- 参阅[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+- 参阅[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
   演练了解更多示例；
 - 有关 NetworkPolicy 资源所支持的常见场景的更多信息，请参见
   [此指南](https://github.com/ahmetb/kubernetes-network-policy-recipes)。
diff --git a/content/zh/docs/concepts/services-networking/service-topology.md b/content/zh-cn/docs/concepts/services-networking/service-topology.md
similarity index 96%
rename from content/zh/docs/concepts/services-networking/service-topology.md
rename to content/zh-cn/docs/concepts/services-networking/service-topology.md
index 4ab71cee415f9..e899786565dc0 100644
--- a/content/zh/docs/concepts/services-networking/service-topology.md
+++ b/content/zh-cn/docs/concepts/services-networking/service-topology.md
@@ -25,7 +25,7 @@ introduced in Kubernetes v1.21, provide similar functionality.
 -->
 此功能特性，尤其是 Alpha 阶段的 `topologyKeys` API，在 Kubernetes v1.21
 版本中已被废弃。Kubernetes v1.21 版本中引入的
-[拓扑感知的提示](/zh/docs/concepts/services-networking/topology-aware-hints/),
+[拓扑感知的提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/),
 提供类似的功能。
 {{</ note >}}
 
@@ -104,7 +104,7 @@ as the last value in the list.
 ## 使用服务拓扑 {#using-service-topology}
 
 如果集群启用了 `ServiceTopology`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)，
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
 你就可以在 Service 规约中设定 `topologyKeys` 字段，从而控制其流量路由。
 此字段是 `Node` 标签的优先顺序字段，将用于在访问这个 `Service` 时对端点进行排序。
 流量会被定向到第一个标签值和源 `Node` 标签值相匹配的 `Node`。
@@ -300,6 +300,6 @@ spec:
 * Read about [enabling Service Topology](/docs/tasks/administer-cluster/enabling-service-topology)
 * Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/)
 -->
-* 阅读关于[启用服务拓扑](/zh/docs/tasks/administer-cluster/enabling-service-topology/)
-* 阅读[用服务连接应用程序](/zh/docs/concepts/services-networking/connect-applications-service/)
+* 阅读关于[启用服务拓扑](/zh-cn/docs/tasks/administer-cluster/enabling-service-topology/)
+* 阅读[用服务连接应用程序](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
 
diff --git a/content/zh/docs/concepts/services-networking/service-traffic-policy.md b/content/zh-cn/docs/concepts/services-networking/service-traffic-policy.md
similarity index 88%
rename from content/zh/docs/concepts/services-networking/service-traffic-policy.md
rename to content/zh-cn/docs/concepts/services-networking/service-traffic-policy.md
index dad9dcc79b21c..b291c17758d1b 100644
--- a/content/zh/docs/concepts/services-networking/service-traffic-policy.md
+++ b/content/zh-cn/docs/concepts/services-networking/service-traffic-policy.md
@@ -43,7 +43,7 @@ When the feature is enabled, you can enable the internal-only traffic policy for
 This tells kube-proxy to only use node local endpoints for cluster internal traffic.
 -->
 `ServiceInternalTrafficPolicy` 
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/) 是 Beta 功能，默认启用。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/) 是 Beta 功能，默认启用。
 启用该功能后，你就可以通过将 {{< glossary_tooltip text="Services" term_id="service" >}} 的 
 `.spec.internalTrafficPolicy` 项设置为 `Local`，
 来为它指定一个内部专用的流量策略。
@@ -99,7 +99,7 @@ When the [feature gate](/docs/reference/command-line-tools-reference/feature-gat
 kube-proxy 基于 `spec.internalTrafficPolicy` 的设置来过滤路由的目标服务端点。
 当它的值设为 `Local` 时，只选择节点本地的服务端点。
 当它的值设为 `Cluster` 或缺省时，则选择所有的服务端点。
-启用[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+启用[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 `ServiceInternalTrafficPolicy` 后，
 `spec.internalTrafficPolicy` 的值默认设为 `Cluster`。
 
@@ -123,6 +123,6 @@ kube-proxy 基于 `spec.internalTrafficPolicy` 的设置来过滤路由的目标
 * Read about [Service External Traffic Policy](/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
 * Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/)
 -->
-* 请阅读[拓扑感知提示](/zh/docs/concepts/services-networking/topology-aware-hints)
-* 请阅读[Service 的外部流量策略](/zh/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
-* 请阅读[用 Service 连接应用](/zh/docs/concepts/services-networking/connect-applications-service/)
+* 请阅读[拓扑感知提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints)
+* 请阅读[Service 的外部流量策略](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
+* 请阅读[用 Service 连接应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
diff --git a/content/zh/docs/concepts/services-networking/service.md b/content/zh-cn/docs/concepts/services-networking/service.md
similarity index 91%
rename from content/zh/docs/concepts/services-networking/service.md
rename to content/zh-cn/docs/concepts/services-networking/service.md
index 3d2db97c3cbfb..bedb122737dd7 100644
--- a/content/zh/docs/concepts/services-networking/service.md
+++ b/content/zh-cn/docs/concepts/services-networking/service.md
@@ -1,5 +1,5 @@
 ---
-title: 服务
+title: 服务（Service）
 feature:
   title: 服务发现与负载均衡
   description: >
@@ -39,7 +39,7 @@ Kubernetes 为 Pods 提供自己的 IP 地址，并为一组 Pod 提供相同的
 ## Motivation
 
 Kubernetes {{< glossary_tooltip term_id="pod" text="Pods" >}} are created and destroyed
-to match the state of your cluster. Pods are nonpermanent resources.
+to match the desired state of your cluster. Pods are nonpermanent resources.
 If you use a {{< glossary_tooltip term_id="deployment" >}} to run your app,
 it can create and destroy Pods dynamically.
 
@@ -57,7 +57,7 @@ Enter _Services_.
 
 ## 动机
 
-创建和销毁 Kubernetes {{< glossary_tooltip term_id="pod" text="Pod" >}} 以匹配集群状态。
+创建和销毁 Kubernetes {{< glossary_tooltip term_id="pod" text="Pod" >}} 以匹配集群的期望状态。
 Pod 是非永久性资源。
 如果你使用 {{< glossary_tooltip term_id="deployment">}}
 来运行你的应用程序，则它可以动态创建和销毁 Pod。
@@ -189,13 +189,55 @@ field.
 
 <!--
 Port definitions in Pods have names, and you can reference these names in the
-`targetPort` attribute of a Service. This works even if there is a mixture
-of Pods in the Service using a single configured name, with the same network
-protocol available via different port numbers.
-This offers a lot of flexibility for deploying and evolving your Services.
-For example, you can change the port numbers that Pods expose in the next
-version of your backend software, without breaking clients.
+`targetPort` attribute of a Service. For example, we can bind the `targetPort`
+of the Service to the Pod port in the following way:
+-->
+Pod 中的端口定义是有名字的，你可以在 Service 的 `targetPort` 属性中引用这些名称。
+例如，我们可以通过以下方式将 Service 的 `targetPort` 绑定到 Pod 端口：
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  labels:
+    app.kubernetes.io/name: proxy
+spec:
+  containers:
+  - name: nginx
+    image: nginx:stable
+    ports:
+      - containerPort: 80
+        name: http-web-svc
+        
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-service
+spec:
+  selector:
+    app.kubernetes.io/name: proxy
+  ports:
+  - name: name-of-service-port
+    protocol: TCP
+    port: 80
+    targetPort: http-web-svc
+```
 
+<!--
+This works even if there is a mixture of Pods in the Service using a single
+configured name, with the same network protocol available via different
+port numbers. This offers a lot of flexibility for deploying and evolving
+your Services. For example, you can change the port numbers that Pods expose
+in the next version of your backend software, without breaking clients.
+-->
+即使 Service 中使用同一配置名称混合使用多个 Pod，各 Pod 通过不同的端口号支持相同的网络协议，
+此功能也可以使用。这为 Service 的部署和演化提供了很大的灵活性。
+例如，你可以在新版本中更改 Pod 中后端软件公开的端口号，而不会破坏客户端。
+
+
+<!--
 The default protocol for Services is TCP; you can also use any other
 [supported protocol](#protocol-support).
 
@@ -203,10 +245,7 @@ As many Services need to expose more than one port, Kubernetes supports multiple
 port definitions on a Service object.
 Each port definition can have the same `protocol`, or a different one.
 -->
-Pod 中的端口定义是有名字的，你可以在服务的 `targetPort` 属性中引用这些名称。
-即使服务中使用单个配置的名称混合使用 Pod，并且通过不同的端口号提供相同的网络协议，此功能也可以使用。
-这为部署和发展服务提供了很大的灵活性。
-例如，你可以更改 Pods 在新版本的后端软件中公开的端口号，而不会破坏客户端。
+
 
 服务的默认协议是 TCP；你还可以使用任何其他[受支持的协议](#protocol-support)。
 
@@ -216,9 +255,9 @@ Pod 中的端口定义是有名字的，你可以在服务的 `targetPort` 属
 <!--
 ### Services without selectors
 
-Services most commonly abstract access to Kubernetes Pods, but they can also
-abstract other kinds of backends.
-For example:
+Services most commonly abstract access to Kubernetes Pods thanks to the selector,
+but when used with a corresponding Endpoints object and without a selector, the Service can abstract other kinds of backends, 
+including ones that run outside the cluster. For example:
 
   * You want to have an external database cluster in production, but in your
     test environment you use your own databases.
@@ -232,8 +271,10 @@ For example:
 -->
 ### 没有选择算符的 Service   {#services-without-selectors}
 
-服务最常见的是抽象化对 Kubernetes Pod 的访问，但是它们也可以抽象化其他种类的后端。
-实例:
+由于选择器的存在，服务最常见的用法是为 Kubernetes Pod 的访问提供抽象，
+但是当与相应的 Endpoints 对象一起使用且没有选择器时，
+服务也可以为其他类型的后端提供抽象，包括在集群外运行的后端。
+例如：
 
   * 希望在生产环境中使用外部的数据库集群，但测试环境使用自己的数据库。
   * 希望服务指向另一个 {{< glossary_tooltip term_id="namespace" >}} 中或其它集群中的服务。
@@ -266,6 +307,7 @@ where it's running, by adding an Endpoints object manually:
 apiVersion: v1
 kind: Endpoints
 metadata:
+  # 这里的 name 要与 Service 的名字相同
   name: my-service
 subsets:
   - addresses:
@@ -278,8 +320,17 @@ The name of the Endpoints object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 Endpoints 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
+<!--
+When you create an [Endpoints](docs/reference/kubernetes-api/service-resources/endpoints-v1/)
+object for a Service, you set the name of the new object to be the same as that
+of the Service.
+-->
+当你为某个 Service 创建一个 [Endpoints](/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1/)
+对象时，你要将新对象的名称设置为与 Service 的名称相同。
+
+{{< note >}}
 <!--
 The endpoint IPs _must not_ be: loopback (127.0.0.0/8 for IPv4, ::1/128 for IPv6), or
 link-local (169.254.0.0/16 and 224.0.0.0/24 for IPv4, fe80::/64 for IPv6).
@@ -288,7 +339,6 @@ Endpoint IP addresses cannot be the cluster IPs of other Kubernetes Services,
 because {{< glossary_tooltip term_id="kube-proxy" >}} doesn't support virtual IPs
 as a destination.
 -->
-{{< note >}}
 端点 IPs _必须不可以_ 是：本地回路（IPv4 的 127.0.0.0/8, IPv6 的 ::1/128）或
 本地链接（IPv4 的 169.254.0.0/16 和 224.0.0.0/24，IPv6 的 fe80::/64)。
 
@@ -351,7 +401,7 @@ EndpointSlices 是一种 API 资源，可以为 Endpoints 提供更可扩展的
 届时将创建其他 EndpointSlices 来存储任何其他 Endpoints。
 
 EndpointSlices 提供了附加的属性和功能，这些属性和功能在
-[EndpointSlices](/zh/docs/concepts/services-networking/endpoint-slices/)
+[EndpointSlices](/zh-cn/docs/concepts/services-networking/endpoint-slices/)
 中有详细描述。
 
 <!-- 
@@ -496,7 +546,7 @@ having traffic sent via kube-proxy to a Pod that's known to have failed.
 这与用户空间模式不同：在这种情况下，kube-proxy 将检测到与第一个 Pod 的连接已失败，
 并会自动使用其他后端 Pod 重试。
 
-你可以使用 Pod [就绪探测器](/zh/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)
+你可以使用 Pod [就绪探测器](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)
 验证后端 Pod 可以正常工作，以便 iptables 模式下的 kube-proxy 仅看到测试正常的后端。
 这样做意味着你避免将流量通过 kube-proxy 发送到已知已失败的 Pod。
 
@@ -590,6 +640,14 @@ You can also set the maximum session sticky time by setting
 来设置最大会话停留时间。
 （默认值为 10800 秒，即 3 小时）。
 
+<!--
+On Windows, setting the maximum session sticky time for Services is not supported.
+-->
+{{< note >}}
+在 Windows 上，不支持为服务设置最大会话停留时间。
+{{< /note >}}
+
+
 <!--
 ## Multi-Port Services
 
@@ -674,7 +732,7 @@ server will return a 422 HTTP status code to indicate that there's a problem.
 <!--
 You can set the `spec.externalTrafficPolicy` field to control how traffic from external sources is routed.
 Valid values are `Cluster` and `Local`. Set the field to `Cluster` to route external traffic to all ready endpoints
-and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are are no node-local
+and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are no node-local
 endpoints, the kube-proxy does not forward any traffic for the relevant Service.
 -->
 
@@ -694,7 +752,7 @@ has local endpoints and whether or not all the local endpoints are marked as ter
 -->
 
 如果你启用了 kube-proxy 的 `ProxyTerminatingEndpoints`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)，
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
 kube-proxy 会检查节点是否有本地的端点，以及是否所有的本地端点都被标记为终止中。
 
 <!--
@@ -751,11 +809,7 @@ Kubernetes 支持两种基本的服务发现模式 —— 环境变量和 DNS。
 ### Environment variables
 
 When a Pod is run on a Node, the kubelet adds a set of environment variables
-for each active Service.  It supports both [Docker links
-compatible](https://docs.docker.com/userguide/dockerlinks/) variables (see
-[makeLinkVariables](https://releases.k8s.io/{{< param "githubbranch" >}}/pkg/kubelet/envvars/envvars.go#L49))
-and simpler `{SVCNAME}_SERVICE_HOST` and `{SVCNAME}_SERVICE_PORT` variables,
-where the Service name is upper-cased and dashes are converted to underscores.
+for each active Service. It adds `{SVCNAME}_SERVICE_HOST` and `{SVCNAME}_SERVICE_PORT` variables, where the Service name is upper-cased and dashes are converted to underscores. It also supports variables (see [makeLinkVariables](https://github.com/kubernetes/kubernetes/blob/dd2d12f6dc0e654c15d5db57a5f9f6ba61192726/pkg/kubelet/envvars/envvars.go#L72)) that are compatible with Docker Engine's "_[legacy container links](https://docs.docker.com/network/links/)_" feature.
 
 For example, the Service `redis-master` which exposes TCP port 6379 and has been
 allocated cluster IP address 10.0.0.11, produces the following environment
@@ -764,10 +818,10 @@ variables:
 ### 环境变量   {#environment-variables}
 
 当 Pod 运行在 `Node` 上，kubelet 会为每个活跃的 Service 添加一组环境变量。
-它同时支持 [Docker links兼容](https://docs.docker.com/userguide/dockerlinks/) 变量
-（查看 [makeLinkVariables](https://releases.k8s.io/{{< param "githubbranch" >}}/pkg/kubelet/envvars/envvars.go#L49)）、
-简单的 `{SVCNAME}_SERVICE_HOST` 和 `{SVCNAME}_SERVICE_PORT` 变量。
+kubelet 为 Pod 添加环境变量 `{SVCNAME}_SERVICE_HOST` 和 `{SVCNAME}_SERVICE_PORT`。
 这里 Service 的名称需大写，横线被转换成下划线。
+它还支持与 Docker Engine 的 "_[legacy container links](https://docs.docker.com/network/links/)_" 特性兼容的变量
+（参阅 [makeLinkVariables](https://github.com/kubernetes/kubernetes/blob/dd2d12f6dc0e654c15d5db57a5f9f6ba61192726/pkg/kubelet/envvars/envvars.go#L72)) 。
 
 举个例子，一个名称为 `redis-master` 的 Service 暴露了 TCP 端口 6379，
 同时给它分配了 Cluster IP 地址 10.0.0.11，这个 Service 生成了如下环境变量：
@@ -810,7 +864,7 @@ Services and creates a set of DNS records for each one.  If DNS has been enabled
 throughout your cluster then all Pods should automatically be able to resolve
 Services by their DNS name.
 -->
-你可以（几乎总是应该）使用[附加组件](/zh/docs/concepts/cluster-administration/addons/)
+你可以（几乎总是应该）使用[附加组件](/zh-cn/docs/concepts/cluster-administration/addons/)
 为 Kubernetes 集群设置 DNS 服务。
 
 支持集群的 DNS 服务器（例如 CoreDNS）监视 Kubernetes API 中的新服务，并为每个服务创建一组 DNS 记录。
@@ -851,7 +905,7 @@ Kubernetes 还支持命名端口的 DNS SRV（服务）记录。
 
 Kubernetes DNS 服务器是唯一的一种能够访问 `ExternalName` 类型的 Service 的方式。
 更多关于 `ExternalName` 信息可以查看
-[DNS Pod 和 Service](/zh/docs/concepts/services-networking/dns-pod-service/)。
+[DNS Pod 和 Service](/zh-cn/docs/concepts/services-networking/dns-pod-service/)。
 
 <!--
 ## Headless Services  {#headless-services}
@@ -969,7 +1023,7 @@ Kubernetes `ServiceTypes` 允许指定你所需要的 Service 类型，默认是
 <!--
 You can also use [Ingress](/docs/concepts/services-networking/ingress/) to expose your Service. Ingress is not a Service type, but it acts as the entry point for your cluster. It lets you consolidate your routing rules into a single resource as it can expose multiple services under the same IP address.
 -->
-你也可以使用 [Ingress](/zh/docs/concepts/services-networking/ingress/) 来暴露自己的服务。
+你也可以使用 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/) 来暴露自己的服务。
 Ingress 不是一种服务类型，但它充当集群的入口点。
 它可以将路由规则整合到一个资源中，因为它可以在同一IP地址下公开多个服务。
 
@@ -1145,13 +1199,15 @@ securityGroupName。
 <!--
 #### Load balancers with mixed protocol types
 
-{{< feature-state for_k8s_version="v1.20" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.24" state="beta" >}}
 
 By default, for LoadBalancer type of Services, when there is more than one port defined, all
 ports must have the same protocol, and the protocol must be one which is supported
 by the cloud provider.
 
-If the feature gate `MixedProtocolLBService` is enabled for the kube-apiserver it is allowed to use different protocols when there is more than one port defined.
+The feature gate `MixedProtocolLBService` (enabled by default for the kube-apiserver as of v1.24) allows the use of
+different protocols for LoadBalancer type of Services, when there is more than one port defined.
+
 -->
 #### 混合协议类型的负载均衡器
 
@@ -1160,14 +1216,16 @@ If the feature gate `MixedProtocolLBService` is enabled for the kube-apiserver i
 默认情况下，对于 LoadBalancer 类型的服务，当定义了多个端口时，所有
 端口必须具有相同的协议，并且该协议必须是受云提供商支持的协议。
 
-如果为 kube-apiserver 启用了 `MixedProtocolLBService` 特性门控，
-则当定义了多个端口时，允许使用不同的协议。
+当服务中定义了多个端口时，特性门控 `MixedProtocolLBService`（在 kube-apiserver 1.24 版本默认为启用）允许
+LoadBalancer 类型的服务使用不同的协议。
 
 <!--
-The set of protocols that can be used for LoadBalancer type of Services is still defined by the cloud provider.
+The set of protocols that can be used for LoadBalancer type of Services is still defined by the cloud provider. If a
+cloud provider does not support mixed protocols they will provide only a single protocol.
 -->
 {{< note >}}
 可用于 LoadBalancer 类型服务的协议集仍然由云提供商决定。
+如果云提供商不支持混合协议，他们将只提供单一协议。
 {{< /note >}}
 
 <!--
@@ -1175,36 +1233,34 @@ The set of protocols that can be used for LoadBalancer type of Services is still
 -->
 ### 禁用负载均衡器节点端口分配 {#load-balancer-nodeport-allocation}
 
-{{< feature-state for_k8s_version="v1.20" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
 Starting in v1.20, you can optionally disable node port allocation for a Service Type=LoadBalancer by setting
 the field `spec.allocateLoadBalancerNodePorts` to `false`. This should only be used for load balancer implementations
 that route traffic directly to pods as opposed to using node ports. By default, `spec.allocateLoadBalancerNodePorts`
 is `true` and type LoadBalancer Services will continue to allocate node ports. If `spec.allocateLoadBalancerNodePorts`
-is set to `false` on an existing Service with allocated node ports, those node ports will NOT be de-allocated automatically.
+is set to `false` on an existing Service with allocated node ports, those node ports will **not** be de-allocated automatically.
 You must explicitly remove the `nodePorts` entry in every Service port to de-allocate those node ports.
-You must enable the `ServiceLBNodePortControl` feature gate to use this field.
 -->
-从 v1.20 版本开始， 你可以通过设置 `spec.allocateLoadBalancerNodePorts` 为 `false` 
+你可以通过设置 `spec.allocateLoadBalancerNodePorts` 为 `false` 
 对类型为 LoadBalancer 的服务禁用节点端口分配。
 这仅适用于直接将流量路由到 Pod 而不是使用节点端口的负载均衡器实现。
 默认情况下，`spec.allocateLoadBalancerNodePorts` 为 `true`，
 LoadBalancer 类型的服务继续分配节点端口。
 如果现有服务已被分配节点端口，将参数 `spec.allocateLoadBalancerNodePorts`
-设置为 `false` 时，这些服务上已分配置的节点端口不会被自动释放。
+设置为 `false` 时，这些服务上已分配置的节点端口**不会**被自动释放。
 你必须显式地在每个服务端口中删除 `nodePorts` 项以释放对应端口。
-你必须启用 `ServiceLBNodePortControl` 特性门控才能使用该字段。
 
 <!--
 #### Specifying class of load balancer implementation {#load-balancer-class}
 -->
 #### 设置负载均衡器实现的类别 {#load-balancer-class}
 
-{{< feature-state for_k8s_version="v1.22" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
-`spec.loadBalancerClass` enables you to use a load balancer implementation other than the cloud provider default. This feature is available from v1.21, you must enable the `ServiceLoadBalancerClass` feature gate to use this field in v1.21, and the feature gate is enabled by default from v1.22 onwards.
+`spec.loadBalancerClass` enables you to use a load balancer implementation other than the cloud provider default.
 By default, `spec.loadBalancerClass` is `nil` and a `LoadBalancer` type of Service uses
 the cloud provider's default load balancer implementation if the cluster is configured with
 a cloud provider using the `--cloud-provider` component flag. 
@@ -1216,8 +1272,6 @@ the cloud provider) will ignore Services that have this field set.
 Once set, it cannot be changed. 
 -->
 `spec.loadBalancerClass` 允许你不使用云提供商的默认负载均衡器实现，转而使用指定的负载均衡器实现。
-这个特性从 v1.21 版本开始可以使用，你在 v1.21 版本中使用这个字段必须启用 `ServiceLoadBalancerClass` 
-特性门控，这个特性门控从 v1.22 版本及以后默认打开。
 默认情况下，`.spec.loadBalancerClass` 的取值是 `nil`，如果集群使用 `--cloud-provider` 配置了云提供商，
 `LoadBalancer` 类型服务会使用云提供商的默认负载均衡器实现。
 如果设置了 `.spec.loadBalancerClass`，则假定存在某个与所指定的类相匹配的
@@ -1353,6 +1407,17 @@ metadata:
 [...]
 ```
 
+{{% /tab %}}
+{{% tab name="OCI" %}}
+
+```yaml
+[...]
+metadata:
+    name: my-service
+    annotations:
+        service.beta.kubernetes.io/oci-load-balancer-internal: true
+[...]
+```
 {{% /tab %}}
 {{< /tabs >}}
 
@@ -1681,10 +1746,10 @@ groups are modified with the following IP rules:
 -->
 
 为了获得均衡流量，请使用 DaemonSet 或指定
-[Pod 反亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+[Pod 反亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
 使其不在同一节点上。
 
-你还可以将 NLB 服务与[内部负载平衡器](/zh/docs/concepts/services-networking/service/#internal-load-balancer)
+你还可以将 NLB 服务与[内部负载平衡器](/zh-cn/docs/concepts/services-networking/service/#internal-load-balancer)
 注解一起使用。
 
 为了使客户端流量能够到达 NLB 后面的实例，使用以下 IP 规则修改了节点安全组：
@@ -1972,7 +2037,8 @@ someone else's choice.  That is an isolation failure.
 
 In order to allow you to choose a port number for your Services, we must
 ensure that no two Services can collide. Kubernetes does that by allocating each
-Service its own IP address.
+Service its own IP address from within the `service-cluster-ip-range`
+CIDR range that is configured for the API server.
 
 To ensure each Service receives a unique IP, an internal allocator atomically
 updates a global allocation map in {{< glossary_tooltip term_id="etcd" >}}
@@ -1992,8 +2058,9 @@ Kubernetes 最主要的哲学之一，是用户不应该暴露那些能够导致
 对于 Service 资源的设计，这意味着如果用户的选择有可能与他人冲突，那就不要让用户自行选择端口号。
 这是一个隔离性的失败。
 
-为了使用户能够为他们的 Service 选择一个端口号，我们必须确保不能有2个 Service 发生冲突。
-Kubernetes 通过为每个 Service 分配它们自己的 IP 地址来实现。
+为了使用户能够为他们的 Service 选择一个端口号，我们必须确保不能有 2 个 Service 发生冲突。
+Kubernetes 通过在为 API 服务器配置的 `service-cluster-ip-range` CIDR
+范围内为每个服务分配自己的 IP 地址来实现。
 
 为了保证每个 Service 被分配到一个唯一的 IP，需要一个内部的分配器能够原子地更新
 {{< glossary_tooltip term_id="etcd" >}} 中的一个全局分配映射表，
@@ -2006,6 +2073,42 @@ Kubernetes 通过为每个 Service 分配它们自己的 IP 地址来实现。
 同时 Kubernetes 会通过控制器检查不合理的分配（如管理员干预导致的）
 以及清理已被分配但不再被任何 Service 使用的 IP 地址。
 
+<!--
+#### IP address ranges for `type: ClusterIP` Services {#service-ip-static-sub-range}
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+However, there is a problem with this `ClusterIP` allocation strategy, because a user
+can also [choose their own address for the service](#choosing-your-own-ip-address).
+This could result in a conflict if the internal allocator selects the same IP address
+for another Service.
+-->
+#### `type: ClusterIP` 服务的 IP 地址范围  {#service-ip-static-sub-range}
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+但是，这种 `ClusterIP` 分配策略存在一个问题，因为用户还可以[为服务选择自己的地址](#choosing-your-own-ip-address)。
+如果内部分配器为另一个服务选择相同的 IP 地址，这可能会导致冲突。
+
+<!--
+If you enable the `ServiceIPStaticSubrange`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/),
+the allocation strategy divides the `ClusterIP` range into two bands, based on
+the size of the configured `service-cluster-ip-range` by using the following formula
+`min(max(16, cidrSize / 16), 256)`, described as _never less than 16 or more than 256,
+with a graduated step function between them_. Dynamic IP allocations will be preferentially
+chosen from the upper band, reducing risks of conflicts with the IPs
+assigned from the lower band.
+This allows users to use the lower band of the `service-cluster-ip-range` for their
+Services with static IPs assigned with a very low risk of running into conflicts.
+-->
+如果启用 `ServiceIPStaticSubrange`[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+分配策略根据配置的 `service-cluster-ip-range` 的大小，使用以下公式
+`min(max(16, cidrSize / 16), 256)` 进行划分，该公式可描述为
+“在不小于 16 且不大于 256 之间有一个步进量（Graduated Step）”，将
+`ClusterIP` 范围分成两段。动态 IP 分配将优先从上半段地址中选择，
+从而降低与下半段地址分配的 IP 冲突的风险。
+这允许用户将 `service-cluster-ip-range` 的下半段地址用于他们的服务，
+与所分配的静态 IP 的冲突风险非常低。
+
 <!--
 ### Service IP addresses {#ips-and-vips}
 
@@ -2259,7 +2362,7 @@ followed by the data from the client.
 * Read about [Ingress](/docs/concepts/services-networking/ingress/)
 * Read about [Endpoint Slices](/docs/concepts/services-networking/endpoint-slices/)
 -->
-* 阅读[使用服务访问应用](/zh/docs/concepts/services-networking/connect-applications-service/)
-* 阅读了解 [Ingress](/zh/docs/concepts/services-networking/ingress/)
-* 阅读了解[端点切片（Endpoint Slices）](/zh/docs/concepts/services-networking/endpoint-slices/)
+* 阅读[使用服务访问应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
+* 阅读了解 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/)
+* 阅读了解[端点切片（Endpoint Slices）](/zh-cn/docs/concepts/services-networking/endpoint-slices/)
 
diff --git a/content/zh/docs/concepts/services-networking/topology-aware-hints.md b/content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md
similarity index 97%
rename from content/zh/docs/concepts/services-networking/topology-aware-hints.md
rename to content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md
index f0b28aca2ac93..a867c2a537fb3 100644
--- a/content/zh/docs/concepts/services-networking/topology-aware-hints.md
+++ b/content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md
@@ -41,7 +41,7 @@ by default. To try out this feature, you have to enable the `TopologyAwareHints`
 {{< note >}}
 “拓扑感知提示”特性处于 Beta 阶段，并且默认情况下**未**启用。 
 要试用此特性，你必须启用 `TopologyAwareHints`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 {{< /note >}}
 
 <!-- body -->
@@ -117,7 +117,7 @@ as many endpoints to the zone with 2 CPU cores.
 此特性开启后，EndpointSlice 控制器负责在 EndpointSlice 上设置提示信息。
 控制器按比例给每个区域分配一定比例数量的端点。
 这个比例来源于此区域中运行节点的
-[可分配](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+[可分配](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 CPU 核心数。
 例如，如果一个区域拥有 2 CPU 核心，而另一个区域只有 1 CPU 核心，
 那控制器将给那个有 2 CPU 的区域分配两倍数量的端点。
@@ -292,4 +292,4 @@ Kubernetes 控制平面和每个节点上的 kube-proxy，在使用拓扑感知
 * Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/)
 -->
 
-* 参阅[通过服务连通应用](/zh/docs/concepts/services-networking/connect-applications-service/)
+* 参阅[通过服务连通应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
diff --git a/content/zh-cn/docs/concepts/services-networking/windows-networking.md b/content/zh-cn/docs/concepts/services-networking/windows-networking.md
new file mode 100644
index 0000000000000..ea2df2e8154ec
--- /dev/null
+++ b/content/zh-cn/docs/concepts/services-networking/windows-networking.md
@@ -0,0 +1,310 @@
+---
+title: Windows 网络
+content_type: concept
+weight: 75
+---
+<!--
+reviewers:
+- aravindhp
+- jayunit100
+- jsturtevant
+- marosset
+title: Networking on Windows
+content_type: concept
+weight: 75
+-->
+<!-- overview -->
+<!--
+Kubernetes supports running nodes on either Linux or Windows. You can mix both kinds of node within a single cluster.
+This page provides an overview to networking specific to the Windows operating system.
+-->
+Kubernetes 支持运行 Linux 或 Windows 节点。
+你可以在统一集群内混布这两种节点。
+本页提供了特定于 Windows 操作系统的网络概述。
+
+<!-- body -->
+<!--
+## Container networking on Windows {#networking}
+
+Networking for Windows containers is exposed through
+[CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/).
+Windows containers function similarly to virtual machines in regards to
+networking. Each container has a virtual network adapter (vNIC) which is connected
+to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the
+Host Compute Service (HCS) work together to create containers and attach container
+vNICs to networks. HCS is responsible for the management of containers whereas HNS
+is responsible for the management of networking resources such as:
+
+* Virtual networks (including creation of vSwitches)
+* Endpoints / vNICs
+* Namespaces
+* Policies including packet encapsulations, load-balancing rules, ACLs, and NAT rules.
+-->
+## Windows 容器网络 {#networking}
+
+Windows 容器网络通过 [CNI 插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)暴露。
+Windows 容器网络的工作方式与虚拟机类似。
+每个容器都有一个连接到 Hyper-V 虚拟交换机（vSwitch）的虚拟网络适配器（vNIC）。
+主机网络服务（Host Networking Service，HNS）和主机计算服务（Host Comute Service，HCS）
+协同创建容器并将容器 vNIC 挂接到网络。
+HCS 负责管理容器，而 HNS 负责管理以下网络资源：
+
+* 虚拟网络（包括创建 vSwitch）
+* Endpoint / vNIC
+* 命名空间
+* 包括数据包封装、负载均衡规则、ACL 和 NAT 规则在内的策略。
+
+<!--
+The Windows HNS and vSwitch implement namespacing and can
+create virtual NICs as needed for a pod or container. However, many configurations such
+as DNS, routes, and metrics are stored in the Windows registry database rather than as
+files inside `/etc`, which is how Linux stores those configurations. The Windows registry for the container
+is separate from that of the host, so concepts like mapping `/etc/resolv.conf` from
+the host into a container don't have the same effect they would on Linux. These must
+be configured using Windows APIs run in the context of that container. Therefore
+CNI implementations need to call the HNS instead of relying on file mappings to pass
+network details into the pod or container.
+-->
+Windows HNS 和 vSwitch 实现命名空间划分，且可以按需为 Pod 或容器创建虚拟 NIC。
+然而，诸如 DNS、路由和指标等许多配置将存放在 Windows 注册表数据库中，
+而不是像 Linux 将这些配置作为文件存放在 `/etc` 内。
+针对容器的 Windows 注册表与主机的注册表是分开的，因此将 `/etc/resolv.conf`
+从主机映射到一个容器的类似概念与 Linux 上的效果不同。
+这些必须使用容器环境中运行的 Windows API 进行配置。
+因此，实现 CNI 时需要调用 HNS，而不是依赖文件映射将网络详情传递到 Pod 或容器中。
+
+<!--
+## Network modes
+
+Windows supports five different networking drivers/modes: L2bridge, L2tunnel,
+Overlay (Beta), Transparent, and NAT. In a heterogeneous cluster with Windows and Linux
+worker nodes, you need to select a networking solution that is compatible on both
+Windows and Linux. The following table lists the out-of-tree plugins are supported on Windows,
+with recommendations on when to use each CNI:
+-->
+## 网络模式 {#network-mode}
+
+Windows 支持五种不同的网络驱动/模式：L2bridge、L2tunnel、Overlay (Beta)、Transparent 和 NAT。
+在 Windows 和 Linux 工作节点组成的异构集群中，你需要选择一个同时兼容 Windows 和 Linux 的网络方案。
+下表列出了 Windows 支持的树外插件，并给出了何时使用每种 CNI 的建议：
+
+<!--
+| Network Driver | Description | Container Packet Modifications | Network Plugins | Network Plugin Characteristics |
+| -------------- | ----------- | ------------------------------ | --------------- | ------------------------------ |
+| L2bridge       | Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. | MAC is rewritten to host MAC, IP may be rewritten to host IP using HNS OutboundNAT policy. | [win-bridge](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge), [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md), Flannel host-gateway uses win-bridge | win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires user-defined routes (UDR) for inter-node connectivity. |
+| L2Tunnel | This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. | MAC rewritten, IP visible on the underlay network | [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) | Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that [Azure Virtual Network provides](https://azure.microsoft.com/en-us/services/virtual-network/). For example, securely connect to Azure services or use Azure NSGs. See [azure-cni for some examples](https://docs.microsoft.com/azure/aks/concepts-network#azure-cni-advanced-networking) |
+| Overlay | Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. | Encapsulated with an outer header. | [win-overlay](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay), Flannel VXLAN (uses win-overlay) | win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags)  if you are restricted on IPs in your datacenter.  This option requires [KB4489899](https://support.microsoft.com/help/4489899) on Windows Server 2019. |
+| Transparent (special use case for [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)) | Requires an external vSwitch. Containers are attached to an external vSwitch which enables intra-pod communication via logical networks (logical switches and routers). | Packet is encapsulated either via [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) or [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) tunneling to reach pods which are not on the same host.  <br/> Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller. <br/> NAT is done for north-south communication. | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [Deploy via ansible](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. |
+| NAT (*not used in Kubernetes*) | Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called [WinNAT](https://techcommunity.microsoft.com/t5/virtualization/windows-nat-winnat-capabilities-and-limitations/ba-p/382303) | MAC and IP is rewritten to host MAC/IP. | [nat](https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat) | Included here for completeness |
+-->
+| 网络驱动 | 描述 | 容器数据包修改 | 网络插件 | 网络插件特点 |
+| -------------- | ----------- | ------------------------------ | --------------- | ------------------------------ |
+| L2bridge       | 容器挂接到一个外部 vSwitch。容器挂接到下层网络，但物理网络不需要了解容器的 MAC，因为这些 MAC 在入站/出站时被重写。 | MAC 被重写为主机 MAC，可使用 HNS OutboundNAT 策略将 IP 重写为主机 IP。 | [win-bridge](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge)、[Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md)、Flannel host-gateway 使用 win-bridge| win-bridge 使用 L2bridge 网络模式，将容器连接到主机的下层，提供最佳性能。节点间连接需要用户定义的路由（UDR）。 |
+| L2Tunnel | 这是 L2bridge 的一种特例，但仅用在 Azure 上。所有数据包都会被发送到应用了 SDN 策略的虚拟化主机。 | MAC 被重写，IP 在下层网络上可见。| [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) | Azure-CNI 允许将容器集成到 Azure vNET，允许容器充分利用 [Azure 虚拟网络](https://azure.microsoft.com/zh-cn/services/virtual-network/)所提供的能力集合。例如，安全地连接到 Azure 服务或使用 Azure NSG。参考 [azure-cni 了解有关示例](https://docs.microsoft.com/zh-cn/azure/aks/concepts-network#azure-cni-advanced-networking)。 |
+| Overlay | 容器被赋予一个 vNIC，连接到外部 vSwitch。每个上层网络都有自己的 IP 子网，由自定义 IP 前缀进行定义。该上层网络驱动使用 VXLAN 封装。 | 用外部头进行封装。 | [win-overlay](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay)、Flannel VXLAN（使用 win-overlay） | 当需要将虚拟容器网络与主机的下层隔离时（例如出于安全原因），应使用 win-overlay。如果你的数据中心的 IP 个数有限，可以将 IP 在不同的上层网络中重用（带有不同的 VNID 标记）。在 Windows Server 2019 上这个选项需要 [KB4489899](https://support.microsoft.com/zh-cn/help/4489899)。 |
+| Transparent（[ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) 的特殊用例） | 需要一个外部 vSwitch。容器挂接到一个外部 vSwitch，由后者通过逻辑网络（逻辑交换机和路由器）实现 Pod 内通信。 | 数据包通过 [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) 或 [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) 隧道进行封装，以到达其它主机上的 Pod。  <br/> 数据包基于 OVN 网络控制器提供的隧道元数据信息被转发或丢弃。<br/>南北向通信使用 NAT。 | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [通过 ansible 部署](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib)。通过 Kubernetes 策略可以实施分布式 ACL。支持 IPAM。无需 kube-proxy 即可实现负载均衡。无需 iptables/netsh 即可进行 NAT。 |
+| NAT（**Kubernetes 中未使用**） | 容器被赋予一个 vNIC，连接到内部 vSwitch。DNS/DHCP 是使用一个名为 [WinNAT 的内部组件](https://techcommunity.microsoft.com/t5/virtualization/windows-nat-winnat-capabilities-and-limitations/ba-p/382303)实现的 | MAC 和 IP 重写为主机 MAC/IP。 | [nat](https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat) | 放在此处保持完整性。 |
+
+<!--
+As outlined above, the [Flannel](https://github.com/coreos/flannel)
+[CNI plugin](https://github.com/flannel-io/cni-plugin)
+is also [supported](https://github.com/flannel-io/cni-plugin#windows-support-experimental) on Windows via the
+[VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**Beta support** ; delegates to win-overlay)
+and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge).
+-->
+如上所述，Windows 通过 [VXLAN 网络后端](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)（**Beta 支持**；委派给 win-overlay）
+和 [host-gateway 网络后端](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw)（稳定支持；委派给 win-bridge）
+也[支持](https://github.com/flannel-io/cni-plugin#windows-support-experimental) [Flannel](https://github.com/coreos/flannel) 的 [CNI 插件](https://github.com/flannel-io/cni-plugin)。
+
+<!--
+This plugin supports delegating to one of the reference CNI plugins (win-overlay,
+win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for
+automatic node subnet lease assignment and HNS network creation. This plugin reads
+in its own configuration file (cni.conf), and aggregates it with the environment
+variables from the FlannelD generated subnet.env file. It then delegates to one of
+the reference CNI plugins for network plumbing, and sends the correct configuration
+containing the node-assigned subnet to the IPAM plugin (for example: `host-local`).
+-->
+此插件支持委派给参考 CNI 插件（win-overlay、win-bridge）之一，配合使用 Windows
+上的 Flannel 守护程序（Flanneld），以便自动分配节点子网租赁并创建 HNS 网络。
+该插件读取自己的配置文件（cni.conf），并聚合 FlannelD 生成的 subnet.env 文件中的环境变量。
+然后，委派给网络管道的参考 CNI 插件之一，并将包含节点分配子网的正确配置发送给 IPAM 插件（例如：`host-local`）。
+
+<!--
+For Node, Pod, and Service objects, the following network flows are supported for
+TCP/UDP traffic:
+
+* Pod → Pod (IP)
+* Pod → Pod (Name)
+* Pod → Service (Cluster IP)
+* Pod → Service (PQDN, but only if there are no ".")
+* Pod → Service (FQDN)
+* Pod → external (IP)
+* Pod → external (DNS)
+* Node → Pod
+* Pod → Node
+-->
+对于 Node、Pod 和 Service 对象，TCP/UDP 流量支持以下网络流：
+
+* Pod → Pod（IP）
+* Pod → Pod（名称）
+* Pod → Service（集群 IP）
+* Pod → Service（PQDN，但前提是没有 "."）
+* Pod → Service（FQDN）
+* Pod → 外部（IP）
+* Pod → 外部（DNS）
+* Node → Pod
+* Pod → Node
+
+<!--
+## IP address management (IPAM) {#ipam}
+
+The following IPAM options are supported on Windows:
+
+* [host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
+* [azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only)
+* [Windows Server IPAM](https://docs.microsoft.com/windows-server/networking/technologies/ipam/ipam-top) (fallback option if no IPAM is set)
+-->
+## IP 地址管理（IPAM） {#ipam}
+
+Windows 支持以下 IPAM 选项：
+
+* [host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
+* [azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md)（仅适用于 azure-cni）
+* [Windows Server IPAM](https://docs.microsoft.com/zh-cn/windows-server/networking/technologies/ipam/ipam-top)（未设置 IPAM 时的回滚选项）
+
+<!--
+## Load balancing and Services
+
+A Kubernetes {{< glossary_tooltip text="Service" term_id="service" >}} is an abstraction
+that defines a logical set of Pods and a means to access them over a network.
+In a cluster that includes Windows nodes, you can use the following types of Service:
+-->
+## 负载均衡和 Service {#load-balancing-and-services}
+
+Kubernetes {{< glossary_tooltip text="Service" term_id="service" >}} 是一种抽象：定义了逻辑上的一组 Pod 和一种通过网络访问这些 Pod 的方式。
+在包含 Windows 节点的集群中，你可以使用以下类别的 Service：
+
+* `NodePort`
+* `ClusterIP`
+* `LoadBalancer`
+* `ExternalName`
+
+<!--
+Windows container networking differs in some important ways from Linux networking.
+The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture)
+provides additional details and background.
+
+On Windows, you can use the following settings to configure Services and load
+balancing behavior:
+-->
+Windows 容器网络与 Linux 网络有着很重要的差异。
+更多细节和背景信息，参考 [Microsoft Windows 容器网络文档](https://docs.microsoft.com/zh-cn/virtualization/windowscontainers/container-networking/architecture)。
+
+在 Windows 上，你可以使用以下设置来配置 Service 和负载均衡行为：
+
+<!--
+{{< table caption="Windows Service Settings" >}}
+| Feature | Description | Minimum Supported Windows OS build | How to enable |
+| ------- | ----------- | -------------------------- | ------------- |
+| Session affinity | Ensures that connections from a particular client are passed to the same Pod each time. | Windows Server 2022 | Set `service.spec.sessionAffinity` to "ClientIP" |
+| Direct Server Return (DSR) | Load balancing mode where the IP address fixups and the LBNAT occurs at the container vSwitch port directly; service traffic arrives with the source IP set as the originating pod IP. | Windows Server 2019 | Set the following flags in kube-proxy: `--feature-gates="WinDSR=true" --enable-dsr=true` |
+| Preserve-Destination | Skips DNAT of service traffic, thereby preserving the virtual IP of the target service in packets reaching the backend Pod. Also disables node-node forwarding. | Windows Server, version 1903 | Set `"preserve-destination": "true"` in service annotations and enable DSR in kube-proxy. |
+| IPv4/IPv6 dual-stack networking | Native IPv4-to-IPv4 in parallel with IPv6-to-IPv6 communications to, from, and within a cluster | Windows Server 2019 | See [IPv4/IPv6 dual-stack](#ipv4ipv6-dual-stack) |
+| Client IP preservation | Ensures that source IP of incoming ingress traffic gets preserved. Also disables node-node forwarding. |  Windows Server 2019  | Set `service.spec.externalTrafficPolicy` to "Local" and enable DSR in kube-proxy |
+{{< /table >}}
+-->
+{{< table caption="Windows Service 设置" >}}
+| 功能特性 | 描述 | 支持的 Windows 操作系统最低版本 | 启用方式 |
+| ------- | ----------- | -------------------------- | ------------- |
+| 会话亲和性 | 确保每次都将来自特定客户端的连接传递到同一个 Pod。 | Windows Server 2022 | 将 `service.spec.sessionAffinity` 设为 “ClientIP” |
+| Direct Server Return (DSR) | 在负载均衡模式中 IP 地址修正和 LBNAT 直接发生在容器 vSwitch 端口；服务流量到达时源 IP 设置为原始 Pod IP。 | Windows Server 2019 | 在 kube-proxy 中设置以下标志：`--feature-gates="WinDSR=true" --enable-dsr=true` |
+| 保留目标（Preserve-Destination） | 跳过服务流量的 DNAT，从而在到达后端 Pod 的数据包中保留目标服务的虚拟 IP。也会禁用节点间的转发。 | Windows Server，version 1903 | 在服务注解中设置 `"preserve-destination": "true"` 并在 kube-proxy 中启用 DSR。 |
+| IPv4/IPv6 双栈网络 | 进出集群和集群内通信都支持原生的 IPv4 间与 IPv6 间流量 | Windows Server 2019 | 参考 [IPv4/IPv6 双栈](#ipv4ipv6-dual-stack)。 |
+| 客户端 IP 保留 | 确保入站流量的源 IP 得到保留。也会禁用节点间转发。 |  Windows Server 2019  | 将 `service.spec.externalTrafficPolicy` 设置为 “Local” 并在 kube-proxy 中启用 DSR。 |
+{{< /table >}}
+
+<!--
+There are known issue with NodePort Services on overlay networking, if the destination node is running Windows Server 2022.
+To avoid the issue entirely, you can configure the service with `externalTrafficPolicy: Local`.
+
+There are known issues with Pod to Pod connectivity on l2bridge network on Windows Server 2022 with KB5005619 or higher installed.
+To workaround the issue and restore Pod to Pod connectivity, you can disable the WinDSR feature in kube-proxy.
+
+These issues require OS fixes.
+Please follow https://github.com/microsoft/Windows-Containers/issues/204 for updates.
+-->
+{{< warning >}} 
+如果目的地节点在运行 Windows Server 2022，则上层网络的 NodePort Service 存在已知问题。
+要完全避免此问题，可以使用 `externalTrafficPolicy: Local` 配置服务。
+
+在安装了 KB5005619 的 Windows Server 2022 或更高版本上，采用 L2bridge 网络时
+Pod 间连接存在已知问题。
+要解决此问题并恢复 Pod 间连接，你可以在 kube-proxy 中禁用 WinDSR 功能。
+
+这些问题需要操作系统修复。
+有关更新，请参考 https://github.com/microsoft/Windows-Containers/issues/204。
+{{< /warning >}}
+
+<!--
+## Limitations
+
+The following networking functionality is _not_ supported on Windows nodes:
+
+* Host networking mode
+* Local NodePort access from the node itself (works for other nodes or external clients)
+* More than 64 backend pods (or unique destination addresses) for a single Service
+* IPv6 communication between Windows pods connected to overlay networks
+* Local Traffic Policy in non-DSR mode
+-->
+## 限制 {#limitations}
+
+Windows 节点**不支持**以下网络功能：
+
+* 主机网络模式
+* 从节点本身访问本地 NodePort（可以从其他节点或外部客户端进行访问）
+* 为同一 Service 提供 64 个以上后端 Pod（或不同目的地址）
+* 在连接到上层网络的 Windows Pod 之间使用 IPv6 通信
+* 非 DSR 模式中的本地流量策略（Local Traffic Policy）
+
+<!--
+* Outbound communication using the ICMP protocol via the `win-overlay`, `win-bridge`, or using the Azure-CNI plugin.\
+  Specifically, the Windows data plane ([VFP](https://www.microsoft.com/research/project/azure-virtual-filtering-platform/))
+  doesn't support ICMP packet transpositions, and this means:
+  * ICMP packets directed to destinations within the same network (such as pod to pod communication via ping) 
+    work as expected;
+  * TCP/UDP packets work as expected;
+  * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) 
+    cannot be transposed and thus will not be routed back to their source;
+  * Since TCP/UDP packets can still be transposed, you can substitute `ping <destination>` with
+    `curl <destination>` when debugging connectivity with the outside world.
+-->
+* 通过 `win-overlay`、`win-bridge` 使用 ICMP 协议，或使用 Azure-CNI 插件进行出站通信。  
+  具体而言，Windows 数据平面（[VFP](https://www.microsoft.com/research/project/azure-virtual-filtering-platform/)）不支持 ICMP 数据包转换，这意味着：
+  * 指向同一网络内目的地址的 ICMP 数据包（例如 Pod 间的 ping 通信）可正常工作；
+  * TCP/UDP 数据包可正常工作；
+  * 通过远程网络指向其它地址的 ICMP 数据包（例如通过 ping 从 Pod 到外部公网的通信）无法被转换，
+    因此无法被路由回到这些数据包的源点；
+  * 由于 TCP/UDP 数据包仍可被转换，所以在调试与外界的连接时，
+    你可以将 `ping <destination>` 替换为 `curl <destination>`。
+
+<!--
+Other limitations:
+
+* Windows reference network plugins win-bridge and win-overlay do not implement
+  [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0,
+  due to a missing `CHECK` implementation.
+* The Flannel VXLAN CNI plugin has the following limitations on Windows:
+  * Node-pod connectivity is only possible for local pods with Flannel v0.12.0 (or higher).
+  * Flannel is restricted to using VNI 4096 and UDP port 4789. See the official
+    [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
+    backend docs for more details on these parameters.
+-->
+其他限制：
+
+* 由于缺少 `CHECK` 实现，Windows 参考网络插件 win-bridge 和 win-overlay 未实现
+[CNI 规约](https://github.com/containernetworking/cni/blob/master/SPEC.md) 的 v0.4.0 版本。
+* Flannel VXLAN CNI 插件在 Windows 上有以下限制：
+  * 使用 Flannel v0.12.0（或更高版本）时，节点到 Pod 的连接仅适用于本地 Pod。
+  * Flannel 仅限于使用 VNI 4096 和 UDP 端口 4789。
+  有关这些参数的更多详细信息，请参考官方的 [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) 后端文档。
diff --git a/content/zh/docs/concepts/storage/_index.md b/content/zh-cn/docs/concepts/storage/_index.md
similarity index 100%
rename from content/zh/docs/concepts/storage/_index.md
rename to content/zh-cn/docs/concepts/storage/_index.md
diff --git a/content/zh/docs/concepts/storage/dynamic-provisioning.md b/content/zh-cn/docs/concepts/storage/dynamic-provisioning.md
similarity index 90%
rename from content/zh/docs/concepts/storage/dynamic-provisioning.md
rename to content/zh-cn/docs/concepts/storage/dynamic-provisioning.md
index 69b965545da3d..f256992599b8f 100644
--- a/content/zh/docs/concepts/storage/dynamic-provisioning.md
+++ b/content/zh-cn/docs/concepts/storage/dynamic-provisioning.md
@@ -23,7 +23,7 @@ automatically provisions storage when it is requested by users.
 动态卷供应允许按需创建存储卷。
 如果没有动态供应，集群管理员必须手动地联系他们的云或存储提供商来创建新的存储卷，
 然后在 Kubernetes 集群创建
-[`PersistentVolume` 对象](/zh/docs/concepts/storage/persistent-volumes/)来表示这些卷。
+[`PersistentVolume` 对象](/zh-cn/docs/concepts/storage/persistent-volumes/)来表示这些卷。
 动态供应功能消除了集群管理员预先配置存储的需要。 相反，它在用户请求时自动供应存储。
 
 <!-- body -->
@@ -58,7 +58,7 @@ have the ability to select from multiple storage options.
 More information on storage classes can be found
 [here](/docs/concepts/storage/storage-classes/).
 -->
-点击[这里](/zh/docs/concepts/storage/storage-classes/)查阅有关存储类的更多信息。
+点击[这里](/zh-cn/docs/concepts/storage/storage-classes/)查阅有关存储类的更多信息。
 
 <!--
 ## Enabling Dynamic Provisioning
@@ -78,7 +78,7 @@ disk-like persistent disks.
 -->
 要启用动态供应功能，集群管理员需要为用户预先创建一个或多个 `StorageClass` 对象。
 `StorageClass` 对象定义当动态供应被调用时，哪一个驱动将被使用和哪些参数将被传递给驱动。
-StorageClass 对象的名字必须是一个合法的 [DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+StorageClass 对象的名字必须是一个合法的 [DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 以下清单创建了一个 `StorageClass` 存储类 "slow"，它提供类似标准磁盘的永久磁盘。
 
 ```yaml
@@ -163,7 +163,7 @@ Dynamic provisioning can be enabled on a cluster such that all claims are
 dynamically provisioned if no storage class is specified. A cluster administrator
 can enable this behavior by:
 -->
-可以在群集上启用动态卷供应，以便在未指定存储类的情况下动态设置所有声明。
+可以在集群上启用动态卷供应，以便在未指定存储类的情况下动态设置所有声明。
 集群管理员可以通过以下方式启用此行为：
 
 <!--
@@ -172,7 +172,7 @@ can enable this behavior by:
   is enabled on the API server.
 -->
 - 标记一个 `StorageClass` 为 *默认*；
-- 确保 [`DefaultStorageClass` 准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)在 API 服务端被启用。
+- 确保 [`DefaultStorageClass` 准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)在 API 服务端被启用。
 
 <!--
 An administrator can mark a specific `StorageClass` as default by adding the
@@ -191,7 +191,7 @@ Note that there can be at most one *default* storage class on a cluster, or
 a `PersistentVolumeClaim` without `storageClassName` explicitly specified cannot
 be created.
 -->
-请注意，群集上最多只能有一个 *默认* 存储类，否则无法创建没有明确指定
+请注意，集群上最多只能有一个 *默认* 存储类，否则无法创建没有明确指定
 `storageClassName` 的 `PersistentVolumeClaim`。
 
 <!--
@@ -205,7 +205,7 @@ Zones in a Region. Single-Zone storage backends should be provisioned in the Zon
 Pods are scheduled. This can be accomplished by setting the [Volume Binding
 Mode](/docs/concepts/storage/storage-classes/#volume-binding-mode).
 -->
-在[多区域](/zh/docs/setup/best-practices/multiple-zones/)集群中，Pod 可以被分散到多个区域。
+在[多区域](/zh-cn/docs/setup/best-practices/multiple-zones/)集群中，Pod 可以被分散到多个区域。
 单区域存储后端应该被供应到 Pod 被调度到的区域。
-这可以通过设置[卷绑定模式](/zh/docs/concepts/storage/storage-classes/#volume-binding-mode)来实现。
+这可以通过设置[卷绑定模式](/zh-cn/docs/concepts/storage/storage-classes/#volume-binding-mode)来实现。
 
diff --git a/content/zh/docs/concepts/storage/ephemeral-volumes.md b/content/zh-cn/docs/concepts/storage/ephemeral-volumes.md
similarity index 83%
rename from content/zh/docs/concepts/storage/ephemeral-volumes.md
rename to content/zh-cn/docs/concepts/storage/ephemeral-volumes.md
index fde93e070b7ff..2e7c7980df35e 100644
--- a/content/zh/docs/concepts/storage/ephemeral-volumes.md
+++ b/content/zh-cn/docs/concepts/storage/ephemeral-volumes.md
@@ -23,7 +23,7 @@ with [volumes](/docs/concepts/storage/volumes/) is suggested, in
 particular PersistentVolumeClaim and PersistentVolume.
 -->
 本文档描述 Kubernetes 中的 _临时卷（Ephemeral Volume）_。
-建议先了解[卷](/zh/docs/concepts/storage/volumes/)，特别是 PersistentVolumeClaim 和 PersistentVolume。
+建议先了解[卷](/zh-cn/docs/concepts/storage/volumes/)，特别是 PersistentVolumeClaim 和 PersistentVolume。
 
 <!-- body -->
 <!--
@@ -55,7 +55,7 @@ _临时卷_ 就是为此类用例设计的。因为卷会遵从 Pod 的生命周
 Ephemeral volumes are specified _inline_ in the Pod spec, which
 simplifies application deployment and management.
 -->
-临时卷在 Pod 规范中以 _内联_ 方式定义，这简化了应用程序的部署和管理。
+临时卷在 Pod 规约中以 _内联_ 方式定义，这简化了应用程序的部署和管理。
 
 <!--
 ### Types of ephemeral volumes
@@ -80,13 +80,13 @@ different purposes:
   can be provided by all storage drivers that also support persistent volumes
 -->
 Kubernetes 为了不同的目的，支持几种不同类型的临时卷：
-- [emptyDir](/zh/docs/concepts/storage/volumes/#emptydir)：
+- [emptyDir](/zh-cn/docs/concepts/storage/volumes/#emptydir)：
   Pod 启动时为空，存储空间来自本地的 kubelet 根目录（通常是根磁盘）或内存
-- [configMap](/zh/docs/concepts/storage/volumes/#configmap)、
-  [downwardAPI](/zh/docs/concepts/storage/volumes/#downwardapi)、
-  [secret](/zh/docs/concepts/storage/volumes/#secret)：
+- [configMap](/zh-cn/docs/concepts/storage/volumes/#configmap)、
+  [downwardAPI](/zh-cn/docs/concepts/storage/volumes/#downwardapi)、
+  [secret](/zh-cn/docs/concepts/storage/volumes/#secret)：
   将不同类型的 Kubernetes 数据注入到 Pod 中
-- [CSI 临时卷](/zh/docs/concepts/storage/volumes/#csi-ephemeral-volumes)：
+- [CSI 临时卷](/zh-cn/docs/concepts/storage/volumes/#csi-ephemeral-volumes)：
   类似于前面的卷类型，但由专门[支持此特性](https://kubernetes-csi.github.io/docs/drivers.html)
   的指定
   [CSI 驱动程序](https://github.com/container-storage-interface/spec/blob/master/spec.md)提供
@@ -103,7 +103,7 @@ CSI ephemeral volumes *must* be provided by third-party CSI storage
 drivers.
 -->
 `emptyDir`、`configMap`、`downwardAPI`、`secret` 是作为
-[本地临时存储](/zh/docs/concepts/configuration/manage-resources-containers/#local-ephemeral-storage)
+[本地临时存储](/zh-cn/docs/concepts/configuration/manage-resources-containers/#local-ephemeral-storage)
 提供的。它们由各个节点上的 kubelet 管理。
 
 CSI 临时卷 *必须* 由第三方 CSI 存储驱动程序提供。
@@ -144,7 +144,7 @@ shows which drivers support ephemeral volumes.
 -->
 
 该特性需要启用参数 `CSIInlineVolume`
-[特性门控（feature gate）](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控（feature gate）](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 该参数从 Kubernetes 1.16 开始默认启用。
 
 {{< note >}}
@@ -171,7 +171,7 @@ Here's an example manifest for a Pod that uses CSI ephemeral storage:
 从概念上讲，CSI 临时卷类似于 `configMap`、`downwardAPI` 和 `secret` 类型的卷：
 其存储在每个节点本地管理，并在将 Pod 调度到节点后与其他本地资源一起创建。
 在这个阶段，Kubernetes 没有重新调度 Pods 的概念。卷创建不太可能失败，否则 Pod 启动将会受阻。
-特别是，这些卷 **不** 支持[感知存储容量的 Pod 调度](/zh/docs/concepts/storage/storage-capacity/)。
+特别是，这些卷 **不** 支持[感知存储容量的 Pod 调度](/zh-cn/docs/concepts/storage/storage-capacity/)。
 它们目前也没包括在 Pod 的存储资源使用限制中，因为 kubelet 只能对它自己管理的存储强制执行。
 
 下面是使用 CSI 临时存储的 Pod 的示例清单：
@@ -211,43 +211,36 @@ instructions.
 <!--
 ### CSI driver restrictions
 
-As a cluster administrator, you can use a [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) to control which CSI drivers can be used in a Pod, specified with the
-[`allowedCSIDrivers` field](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicyspec-v1beta1-policy).
+CSI ephemeral volumes allow users to provide `volumeAttributes`
+directly to the CSI driver as part of the Pod spec. A CSI driver
+allowing `volumeAttributes` that are typically restricted to
+administrators is NOT suitable for use in an inline ephemeral volume.
+For example, parameters that are normally defined in the StorageClass
+should not be exposed to users through the use of inline ephemeral volumes.
 -->
 
 ### CSI 驱动程序限制 {#csi-driver-restrictions}
 
-{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
+CSI 临时卷允许用户直接向 CSI 驱动程序提供 `volumeAttributes`，它会作为 Pod 规约的一部分。
+允许 `volumeAttributes` 的 CSI 驱动程序通常仅限于管理员使用，不适合在内联临时卷中使用。
+例如，通常在 StorageClass 中定义的参数不应通过使用内联临时卷向用户公开。
 
 作为一个集群管理员，你可以使用
-[PodSecurityPolicy](/zh/docs/concepts/security/pod-security-policy/)
+[PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/)
 来控制在 Pod 中可以使用哪些 CSI 驱动程序，
 具体则是通过 [`allowedCSIDrivers` 字段](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicyspec-v1beta1-policy)
 指定。
 
 <!--
-{{< note >}}
-PodSecurityPolicy is deprecated and will be removed in the Kubernetes v1.25 release.
-{{< /note >}}
--->
-
-{{< note >}}
-PodSecurityPolicy 已弃用，并将在 Kubernetes v1.25 版本中移除。
-{{< /note >}}
-
-
-<!--
-{{< note >}}
-CSI ephemeral volumes are only supported by a subset of CSI drivers.
-The Kubernetes CSI [Drivers list](https://kubernetes-csi.github.io/docs/drivers.html)
-shows which drivers support ephemeral volumes.
-{{< /note >}}
+Cluster administrators who need to restrict the CSI drivers that are
+allowed to be used as inline volumes within a Pod spec may do so by:
+- Removing `Ephemeral` from `volumeLifecycleModes` in the CSIDriver spec, which prevents the driver from being used as an inline ephemeral volume.
+- Using an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/) to restrict how this driver is used.
 -->
-
-{{< note >}}
-CSI 临时卷仅有 CSI 驱动程序的一个子集支持。
-Kubernetes CSI [驱动列表](https://kubernetes-csi.github.io/docs/drivers.html)显示了哪些驱动程序支持临时卷。
-{{< /note >}}
+如果集群管理员需要限制 CSI 驱动程序在 Pod 规约中被作为内联卷使用，可以这样做：
+- 从 CSIDriver 规约的 `volumeLifecycleModes` 中删除 `Ephemeral`，这可以防止驱动程序被用作内联临时卷。
+- 使用[准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
+  来限制如何使用此驱动程序。
 
 <!--
 ### Generic ephemeral volumes
@@ -279,13 +272,13 @@ Example:
 在最初制备完毕时一般为空。不过通用临时卷也有一些额外的功能特性：
 
 - 存储可以是本地的，也可以是网络连接的。
-- 卷可以有固定的大小，pod不能超量使用。
+- 卷可以有固定的大小，Pod 不能超量使用。
 - 卷可能有一些初始数据，这取决于驱动程序和参数。
 - 当驱动程序支持，卷上的典型操作将被支持，包括
-  （[快照](/zh/docs/concepts/storage/volume-snapshots/)、
-  [克隆](/zh/docs/concepts/storage/volume-pvc-datasource/)、
-  [调整大小](/zh/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims)和
-  [存储容量跟踪](/zh/docs/concepts/storage/storage-capacity/)）。
+  （[快照](/zh-cn/docs/concepts/storage/volume-snapshots/)、
+  [克隆](/zh-cn/docs/concepts/storage/volume-pvc-datasource/)、
+  [调整大小](/zh-cn/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims)和
+  [存储容量跟踪](/zh-cn/docs/concepts/storage/storage-capacity/)）。
 
 示例：
 
@@ -364,7 +357,7 @@ storage classes is to delete volumes. You can create quasi-ephemeral local stora
 using a StorageClass with a reclaim policy of `retain`: the storage outlives the Pod,
 and in this case you need to ensure that volume clean up happens separately.
 -->
-就[资源所有权](/zh/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents)而言，
+就[资源所有权](/zh-cn/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents)而言，
 拥有通用临时存储的 Pod 是提供临时存储 (ephemeral storage) 的 PersistentVolumeClaim 的所有者。
 当 Pod 被删除时，Kubernetes 垃圾收集器会删除 PVC，
 然后 PVC 通常会触发卷的删除，因为存储类的默认回收策略是删除卷。
@@ -437,36 +430,21 @@ same namespace, so that these conflicts can't occur.
 Enabling the GenericEphemeralVolume feature allows users to create
 PVCs indirectly if they can create Pods, even if they do not have
 permission to create PVCs directly. Cluster administrators must be
-aware of this. If this does not fit their security model, they have
-two choices:
+aware of this. If this does not fit their security model, they should
+use an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/) that rejects objects like Pods that have a generic ephemeral volume.
 -->
 启用 GenericEphemeralVolume 特性会导致那些没有 PVCs 创建权限的用户，
 在创建 Pods 时，被允许间接的创建 PVCs。
 集群管理员必须意识到这一点。
-如果这不符合他们的安全模型，他们有如下选择：
-
-<!--
-- Use an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/)
-  that rejects objects like Pods that have a generic ephemeral
-  volume.
-- Use a [Pod Security
-  Policy](/docs/concepts/policy/pod-security-policy/) where the
-  `volumes` list does not contain the `ephemeral` volume type
-  (deprecated in Kubernetes 1.21).
--->
-- 通过特性门控显式禁用该特性。
-- 使用一个[准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
-  拒绝包含通用临时卷的 Pods。
-- 当 `volumes` 列表不包含 `ephemeral` 卷类型时，使用
-  [Pod 安全策略](/zh/docs/concepts/policy/pod-security-policy/)。
-  （这一方式在 Kubernetes 1.21 版本已经弃用）
+如果这不符合他们的安全模型，他们应该使用一个[准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
+拒绝包含通用临时卷的 Pods。
 
 <!--
 The normal [namespace quota for PVCs](/docs/concepts/policy/resource-quotas/#storage-resource-quota) still applies, so
 even if users are allowed to use this new mechanism, they cannot use
 it to circumvent other policies.
 -->
-[为 PVC 卷所设置的逐名字空间的配额](/zh/docs/concepts/policy/resource-quotas/#storage-resource-quota)
+[为 PVC 卷所设置的逐名字空间的配额](/zh-cn/docs/concepts/policy/resource-quotas/#storage-resource-quota)
 仍然有效，因此即使允许用户使用这种新机制，他们也不能使用它来规避其他策略。
 
 ## {{% heading "whatsnext" %}}
@@ -478,7 +456,7 @@ See [local ephemeral storage](/docs/concepts/configuration/manage-resources-cont
 -->
 ### kubelet 管理的临时卷 {#ephemeral-volumes-managed-by-kubelet}
 
-参阅[本地临时存储](/zh/docs/concepts/configuration/manage-resources-containers/#local-ephemeral-storage)。
+参阅[本地临时存储](/zh-cn/docs/concepts/configuration/manage-resources-containers/#local-ephemeral-storage)。
 
 <!--
 ### CSI ephemeral volumes
diff --git a/content/zh/docs/concepts/storage/persistent-volumes.md b/content/zh-cn/docs/concepts/storage/persistent-volumes.md
similarity index 88%
rename from content/zh/docs/concepts/storage/persistent-volumes.md
rename to content/zh-cn/docs/concepts/storage/persistent-volumes.md
index fdf9e6ee50d68..9d2cb53d37ac3 100644
--- a/content/zh/docs/concepts/storage/persistent-volumes.md
+++ b/content/zh-cn/docs/concepts/storage/persistent-volumes.md
@@ -32,7 +32,7 @@ weight: 20
 This document describes _persistent volumes_ in Kubernetes. Familiarity with [volumes](/docs/concepts/storage/volumes/) is suggested.
 -->
 本文描述 Kubernetes 中的 _持久卷（Persistent Volume）_ 。
-建议先熟悉[卷（Volume）](/zh/docs/concepts/storage/volumes/)的概念。
+建议先熟悉[卷（Volume）](/zh-cn/docs/concepts/storage/volumes/)的概念。
 
 <!-- body -->
 
@@ -52,7 +52,7 @@ PersistentVolumeClaim。
 A _PersistentVolume_ (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using [Storage Classes](/docs/concepts/storage/storage-classes/). It is a resource in the cluster just like a node is a cluster resource. PVs are volume plugins like Volumes, but have a lifecycle independent of any individual Pod that uses the PV. This API object captures the details of the implementation of the storage, be that NFS, iSCSI, or a cloud-provider-specific storage system.
 -->
 持久卷（PersistentVolume，PV）是集群中的一块存储，可以由管理员事先供应，或者
-使用[存储类（Storage Class）](/zh/docs/concepts/storage/storage-classes/)来动态供应。
+使用[存储类（Storage Class）](/zh-cn/docs/concepts/storage/storage-classes/)来动态供应。
 持久卷是集群资源，就像节点也是集群资源一样。PV 持久卷和普通的 Volume 一样，也是使用
 卷插件来实现的，只是它们拥有独立于任何使用 PV 的 Pod 的生命周期。
 此 API 对象中记述了存储的实现细节，无论其背后是 NFS、iSCSI 还是特定于云平台的存储系统。
@@ -77,7 +77,7 @@ See the [detailed walkthrough with working examples](/docs/tasks/configure-pod-c
 仅限于卷大小和访问模式，同时又不能将卷是如何实现的这些细节暴露给用户。
 为了满足这类需求，就有了 _存储类（StorageClass）_ 资源。
 
-参见[基于运行示例的详细演练](/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage/)。
+参见[基于运行示例的详细演练](/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/)。
 
 <!--
 ## Lifecycle of a volume and claim
@@ -123,7 +123,7 @@ dynamic provisioning for themselves.
 如果管理员所创建的所有静态 PV 卷都无法与用户的 PersistentVolumeClaim 匹配，
 集群可以尝试为该 PVC 申领动态供应一个存储卷。
 这一供应操作是基于 StorageClass 来实现的：PVC 申领必须请求某个
-[存储类](/zh/docs/concepts/storage/storage-classes/)，同时集群管理员必须
+[存储类](/zh-cn/docs/concepts/storage/storage-classes/)，同时集群管理员必须
 已经创建并配置了该类，这样动态供应卷的动作才会发生。
 如果 PVC 申领指定存储类为 `""`，则相当于为自身禁止使用动态供应的卷。
 
@@ -136,11 +136,11 @@ the API server component. For more information on API server command-line flags,
 check [kube-apiserver](/docs/admin/kube-apiserver/) documentation.
 -->
 为了基于存储类完成动态的存储供应，集群管理员需要在 API 服务器上启用
-`DefaultStorageClass` [准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)。
+`DefaultStorageClass` [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)。
 举例而言，可以通过保证 `DefaultStorageClass` 出现在 API 服务器组件的
 `--enable-admission-plugins` 标志值中实现这点；该标志的值可以是逗号
 分隔的有序列表。关于 API 服务器标志的更多信息，可以参考
-[kube-apiserver](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)
+[kube-apiserver](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)
 文档。
 
 <!--
@@ -317,7 +317,7 @@ Cinder 卷）中移除所关联的存储资产。
 动态供应的卷会继承[其 StorageClass 中设置的回收策略](#reclaim-policy)，该策略默认
 为 `Delete`。
 管理员需要根据用户的期望来配置 StorageClass；否则 PV 卷被创建之后必须要被
-编辑或者修补。参阅[更改 PV 卷的回收策略](/zh/docs/tasks/administer-cluster/change-pv-reclaim-policy/).
+编辑或者修补。参阅[更改 PV 卷的回收策略](/zh-cn/docs/tasks/administer-cluster/change-pv-reclaim-policy/).
 
 <!--
 #### Recycle
@@ -343,7 +343,7 @@ The custom recycler Pod template must contain a `volumes` specification, as
 shown in the example below:
 -->
 不过，管理员可以按
-[参考资料](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/)
+[参考资料](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
 中所述，使用 Kubernetes 控制器管理器命令行参数来配置一个定制的回收器（Recycler）
 Pod 模板。此定制的回收器 Pod 模板必须包含一个 `volumes` 规约，如下例所示：
 
@@ -374,6 +374,97 @@ However, the particular path specified in the custom recycler Pod template in th
 定制回收器 Pod 模板中在 `volumes` 部分所指定的特定路径要替换为
 正被回收的卷的路径。
 
+<!--
+### PersistentVolume deletion protection finalizer
+
+Finalizers can be added on a PersistentVolume to ensure that PersistentVolumes
+having `Delete` reclaim policy are deleted only after the backing storage are deleted.
+-->
+### PersistentVolume 删除保护 finalizer  {#persistentvolume-deletion-protection-finalizer}
+{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+
+可以在 PersistentVolume 上添加终结器（Finalizers），以确保只有在删除对应的存储后才删除具有
+`Delete` 回收策略的 PersistentVolume。
+
+<!--
+The newly introduced finalizers `kubernetes.io/pv-controller` and `external-provisioner.volume.kubernetes.io/finalizer`
+are only added to dynamically provisioned volumes.
+
+The finalizer `kubernetes.io/pv-controller` is added to in-tree plugin volumes. The following is an example
+-->
+新引入的 `kubernetes.io/pv-controller` 和 `external-provisioner.volume.kubernetes.io/finalizer`
+终结器仅会被添加到动态制备的卷上。
+
+终结器 `kubernetes.io/pv-controller` 会被添加到树内插件卷上。
+下面是一个例子：
+
+```shell
+kubectl describe pv pvc-74a498d6-3929-47e8-8c02-078c1ece4d78
+Name:            pvc-74a498d6-3929-47e8-8c02-078c1ece4d78
+Labels:          <none>
+Annotations:     kubernetes.io/createdby: vsphere-volume-dynamic-provisioner
+                 pv.kubernetes.io/bound-by-controller: yes
+                 pv.kubernetes.io/provisioned-by: kubernetes.io/vsphere-volume
+Finalizers:      [kubernetes.io/pv-protection kubernetes.io/pv-controller]
+StorageClass:    vcp-sc
+Status:          Bound
+Claim:           default/vcp-pvc-1
+Reclaim Policy:  Delete
+Access Modes:    RWO
+VolumeMode:      Filesystem
+Capacity:        1Gi
+Node Affinity:   <none>
+Message:         
+Source:
+    Type:               vSphereVolume (a Persistent Disk resource in vSphere)
+    VolumePath:         [vsanDatastore] d49c4a62-166f-ce12-c464-020077ba5d46/kubernetes-dynamic-pvc-74a498d6-3929-47e8-8c02-078c1ece4d78.vmdk
+    FSType:             ext4
+    StoragePolicyName:  vSAN Default Storage Policy
+Events:                 <none>
+```
+
+<!--
+The finalizer `external-provisioner.volume.kubernetes.io/finalizer` is added for CSI volumes.
+The following is an example:
+-->
+终结器 `external-provisioner.volume.kubernetes.io/finalizer` 会被添加到 CSI 卷上。下面是一个例子：
+
+```shell
+Name:            pvc-2f0bab97-85a8-4552-8044-eb8be45cf48d
+Labels:          <none>
+Annotations:     pv.kubernetes.io/provisioned-by: csi.vsphere.vmware.com
+Finalizers:      [kubernetes.io/pv-protection external-provisioner.volume.kubernetes.io/finalizer]
+StorageClass:    fast
+Status:          Bound
+Claim:           demo-app/nginx-logs
+Reclaim Policy:  Delete
+Access Modes:    RWO
+VolumeMode:      Filesystem
+Capacity:        200Mi
+Node Affinity:   <none>
+Message:         
+Source:
+    Type:              CSI (a Container Storage Interface (CSI) volume source)
+    Driver:            csi.vsphere.vmware.com
+    FSType:            ext4
+    VolumeHandle:      44830fa8-79b4-406b-8b58-621ba25353fd
+    ReadOnly:          false
+    VolumeAttributes:      storage.kubernetes.io/csiProvisionerIdentity=1648442357185-8081-csi.vsphere.vmware.com
+                           type=vSphere CNS Block Volume
+Events:                <none>
+```
+
+<!--
+Enabling the `CSIMigration` feature for a specific in-tree volume plugin will remove
+the `kubernetes.io/pv-controller` finalizer, while adding the `external-provisioner.volume.kubernetes.io/finalizer`
+finalizer. Similarly, disabling `CSIMigration` will remove the `external-provisioner.volume.kubernetes.io/finalizer`
+finalizer, while adding the `kubernetes.io/pv-controller` finalizer.
+-->
+为特定的树内卷插件启用 `CSIMigration` 特性将删除 `kubernetes.io/pv-controller` 终结器，
+同时添加 `external-provisioner.volume.kubernetes.io/finalizer` 终结器。
+同样，禁用 `CSIMigration` 将删除 `external-provisioner.volume.kubernetes.io/finalizer` 终结器，
+同时添加 `kubernetes.io/pv-controller` 终结器。
+
 <!--
 ### Reserving a PersistentVolume
 
@@ -393,7 +484,7 @@ The control plane still checks that [storage class](/docs/concepts/storage/stora
 -->
 绑定操作不会考虑某些卷匹配条件是否满足，包括节点亲和性等等。
 控制面仍然会检查
-[存储类](/zh/docs/concepts/storage/storage-classes/)、访问模式和所请求的
+[存储类](/zh-cn/docs/concepts/storage/storage-classes/)、访问模式和所请求的
 存储尺寸都是合法的。
 
 ```yaml
@@ -550,19 +641,7 @@ FlexVolume 卷（于 Kubernetes v1.23 弃用）可以在 Pod 重启期间调整
 -->
 #### 重设使用中 PVC 申领的大小    {#resizing-an-in-use-persistentvolumevlaim}
 
-{{< feature-state for_k8s_version="v1.15" state="beta" >}}
-
-<!--
-Expanding in-use PVCs is available as beta since Kubernetes 1.15, and as alpha since 1.11. The `ExpandInUsePersistentVolumes` feature must be enabled, which is the case automatically for many clusters for beta features. Refer to the [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) documentation for more information.
--->
-{{< note >}}
-Kubernetes 从 1.15 版本开始将调整使用中 PVC 申领大小这一能力作为 Beta
-特性支持；该特性在 1.11 版本以来处于 Alpha 阶段。
-`ExpandInUsePersistentVolumes` 特性必须被启用；在很多集群上，与此类似的
-Beta 阶段的特性是自动启用的。
-可参考[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-文档了解更多信息。
-{{< /note >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
 In this case, you don't need to delete and recreate a Pod or deployment that is using an existing PVC.
@@ -640,13 +719,13 @@ Recovery from failing PVC expansion by users is available as an alpha feature si
 -->
 {{< note >}}
 Kubernetes 从 1.23 版本开始将允许用户恢复失败的 PVC 扩展这一能力作为
-alpha 特性支持。 `RecoverVolumeExpansionFailure` 必须被启用以允许使用此功能。
-可参考[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+alpha 特性支持。 `RecoverVolumeExpansionFailure` 必须被启用以允许使用此特性。
+可参考[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 文档了解更多信息。
 {{< /note >}}
 
 <!--
-If the feature gates `ExpandPersistentVolumes` and `RecoverVolumeExpansionFailure` are both
+If the feature gates `RecoverVolumeExpansionFailure` is
 enabled in your cluster, and expansion has failed for a PVC, you can retry expansion with a
 smaller size than the previously requested value. To request a new expansion attempt with a
 smaller proposed size, edit `.spec.resources` for that PVC and choose a value that is less than the
@@ -655,8 +734,8 @@ This is useful if expansion to a higher value did not succeed because of capacit
 If that has happened, or you suspect that it might have, you can retry expansion by specifying a
 size that is within the capacity limits of underlying storage provider. You can monitor status of resize operation by watching `.status.resizeStatus` and events on the PVC.
 -->
-如果集群中的特性门控 `ExpandPersistentVolumes` 和 `RecoverVolumeExpansionFailure`
-都已启用，在 PVC 的扩展发生失败时，你可以使用比先前请求的值更小的尺寸来重试扩展。
+如果集群中的特性门控 `RecoverVolumeExpansionFailure`
+已启用，在 PVC 的扩展发生失败时，你可以使用比先前请求的值更小的尺寸来重试扩展。
 要使用一个更小的尺寸尝试请求新的扩展，请编辑该 PVC 的 `.spec.resources` 并选择
 一个比你之前所尝试的值更小的值。
 如果由于容量限制而无法成功扩展至更高的值，这将很有用。
@@ -708,23 +787,23 @@ PV 持久卷是用插件的形式来实现的。Kubernetes 目前支持以下插
 * [`rbd`](/docs/concepts/storage/volumes/#rbd) - Rados Block Device (RBD) volume
 * [`vsphereVolume`](/docs/concepts/storage/volumes/#vspherevolume) - vSphere VMDK volume
 -->
-* [`awsElasticBlockStore`](/zh/docs/concepts/storage/volumes/#awselasticblockstore) - AWS 弹性块存储（EBS）
-* [`azureDisk`](/zh/docs/concepts/storage/volumes/#azuredisk) - Azure Disk
-* [`azureFile`](/zh/docs/concepts/storage/volumes/#azurefile) - Azure File
-* [`cephfs`](/zh/docs/concepts/storage/volumes/#cephfs) - CephFS volume
-* [`csi`](/zh/docs/concepts/storage/volumes/#csi) - 容器存储接口 (CSI)
-* [`fc`](/zh/docs/concepts/storage/volumes/#fc) - Fibre Channel (FC) 存储
-* [`gcePersistentDisk`](/zh/docs/concepts/storage/volumes/#gcepersistentdisk) - GCE 持久化盘
-* [`glusterfs`](/zh/docs/concepts/storage/volumes/#glusterfs) - Glusterfs 卷
-* [`hostPath`](/zh/docs/concepts/storage/volumes/#hostpath) - HostPath 卷
+* [`awsElasticBlockStore`](/zh-cn/docs/concepts/storage/volumes/#awselasticblockstore) - AWS 弹性块存储（EBS）
+* [`azureDisk`](/zh-cn/docs/concepts/storage/volumes/#azuredisk) - Azure Disk
+* [`azureFile`](/zh-cn/docs/concepts/storage/volumes/#azurefile) - Azure File
+* [`cephfs`](/zh-cn/docs/concepts/storage/volumes/#cephfs) - CephFS volume
+* [`csi`](/zh-cn/docs/concepts/storage/volumes/#csi) - 容器存储接口 (CSI)
+* [`fc`](/zh-cn/docs/concepts/storage/volumes/#fc) - Fibre Channel (FC) 存储
+* [`gcePersistentDisk`](/zh-cn/docs/concepts/storage/volumes/#gcepersistentdisk) - GCE 持久化盘
+* [`glusterfs`](/zh-cn/docs/concepts/storage/volumes/#glusterfs) - Glusterfs 卷
+* [`hostPath`](/zh-cn/docs/concepts/storage/volumes/#hostpath) - HostPath 卷
   （仅供单节点测试使用；不适用于多节点集群；
   请尝试使用 `local` 卷作为替代）
-* [`iscsi`](/zh/docs/concepts/storage/volumes/#iscsi) - iSCSI (SCSI over IP) 存储
-* [`local`](/zh/docs/concepts/storage/volumes/#local) - 节点上挂载的本地存储设备
-* [`nfs`](/zh/docs/concepts/storage/volumes/#nfs) - 网络文件系统 (NFS) 存储
-* [`portworxVolume`](/zh/docs/concepts/storage/volumes/#portworxvolume) - Portworx 卷
-* [`rbd`](/zh/docs/concepts/storage/volumes/#rbd) - Rados 块设备 (RBD) 卷
-* [`vsphereVolume`](/zh/docs/concepts/storage/volumes/#vspherevolume) - vSphere VMDK 卷
+* [`iscsi`](/zh-cn/docs/concepts/storage/volumes/#iscsi) - iSCSI (SCSI over IP) 存储
+* [`local`](/zh-cn/docs/concepts/storage/volumes/#local) - 节点上挂载的本地存储设备
+* [`nfs`](/zh-cn/docs/concepts/storage/volumes/#nfs) - 网络文件系统 (NFS) 存储
+* [`portworxVolume`](/zh-cn/docs/concepts/storage/volumes/#portworxvolume) - Portworx 卷
+* [`rbd`](/zh-cn/docs/concepts/storage/volumes/#rbd) - Rados 块设备 (RBD) 卷
+* [`vsphereVolume`](/zh-cn/docs/concepts/storage/volumes/#vspherevolume) - vSphere VMDK 卷
 
 <!-- 
 The following types of PersistentVolume are deprecated. This means that support is still available but will be removed in a future Kubernetes release.
@@ -744,7 +823,7 @@ The following types of PersistentVolume are deprecated. This means that support
 以下的持久卷已被弃用。这意味着当前仍是支持的，但是 Kubernetes 将来的发行版会将其移除。
 
 * [`cinder`](/docs/concepts/storage/volumes/#cinder) - Cinder（OpenStack 块存储）（于 v1.18 **弃用**）
-* [`flexVolume`](/zh/docs/concepts/storage/volumes/#flexVolume) - FlexVolume （于 v1.23 **弃用**）
+* [`flexVolume`](/zh-cn/docs/concepts/storage/volumes/#flexVolume) - FlexVolume （于 v1.23 **弃用**）
 * [`flocker`](/docs/concepts/storage/volumes/#flocker) - Flocker 存储（于 v1.22 **弃用**）
 * [`quobyte`](/docs/concepts/storage/volumes/#quobyte) - Quobyte 卷
 （于 v1.22 **弃用**）
@@ -775,7 +854,7 @@ The name of a PersistentVolume object must be a valid
 
 每个 PV 对象都包含 `spec` 部分和 `status` 部分，分别对应卷的规约和状态。
 PersistentVolume 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
 ```yaml
 apiVersion: v1
@@ -819,7 +898,7 @@ Currently, storage size is the only resource that can be set or requested.  Futu
 一般而言，每个 PV 卷都有确定的存储容量。
 容量属性是使用 PV 对象的 `capacity` 属性来设置的。
 参考词汇表中的
-[量纲（Quantity）](/zh/docs/reference/glossary/?all=true#term-quantity)
+[量纲（Quantity）](/zh-cn/docs/reference/glossary/?all=true#term-quantity)
 词条，了解 `capacity` 字段可以接受的单位。
 
 目前，存储大小是可以设置和请求的唯一资源。
@@ -933,6 +1012,23 @@ In the CLI, the access modes are abbreviated to:
 * RWX - ReadWriteMany
 * RWOP - ReadWriteOncePod
 
+{{< note >}}
+<!--
+Kubernetes uses volume access modes to match PersistentVolumeClaims and PersistentVolumes.
+In some cases, the volume access modes also constrain where the PersistentVolume can be mounted.
+Volume access modes do **not** enforce write protection once the storage has been mounted.
+Even if the access modes are specified as ReadWriteOnce, ReadOnlyMany, or ReadWriteMany, they don't set any constraints on the volume.
+For example, even if a PersistentVolume is created as ReadOnlyMany, it is no guarantee that it will be read-only.
+If the access modes are specified as ReadWriteOncePod, the volume is constrained and can be mounted on only a single Pod.
+-->
+Kubernetes 使用卷访问模式来匹配 PersistentVolumeClaim 和 PersistentVolume。
+在某些场合下，卷访问模式也会限制 PersistentVolume 可以挂载的位置。
+卷访问模式并**不会**在存储已经被挂载的情况下为其实施写保护。
+即使访问模式设置为 ReadWriteOnce、ReadOnlyMany 或 ReadWriteMany，它们也不会对卷形成限制。
+例如，即使某个卷创建时设置为 ReadOnlyMany，也无法保证该卷是只读的。
+如果访问模式设置为 ReadWriteOncePod，则卷会被限制起来并且只能挂载到一个 Pod 上。
+{{< /note >}}
+
 <!--
 > __Important!__ A volume can only be mounted using one access mode at a time, even if it supports many.  For example, a GCEPersistentDisk can be mounted as ReadWriteOnce by a single node or ReadOnlyMany by many nodes, but not at the same time.
 -->
@@ -980,7 +1076,7 @@ to PVCs that request no particular class.
 ### 类    {#class}
 
 每个 PV 可以属于某个类（Class），通过将其 `storageClassName` 属性设置为某个
-[StorageClass](/zh/docs/concepts/storage/storage-classes/) 的名称来指定。
+[StorageClass](/zh-cn/docs/concepts/storage/storage-classes/) 的名称来指定。
 特定类的 PV 卷只能绑定到请求该类存储卷的 PVC 申领。
 未设置 `storageClassName` 的 PV 卷没有类设定，只能绑定到那些没有指定特定
 存储类的 PVC 申领。
@@ -1085,11 +1181,11 @@ For most volume types, you do not need to set this field. It is automatically po
 -->
 {{< note >}}
 对大多数类型的卷而言，你不需要设置节点亲和性字段。
-[AWS EBS](/zh/docs/concepts/storage/volumes/#awselasticblockstore)、
-[GCE PD](/zh/docs/concepts/storage/volumes/#gcepersistentdisk) 和
-[Azure Disk](/zh/docs/concepts/storage/volumes/#azuredisk) 卷类型都能
+[AWS EBS](/zh-cn/docs/concepts/storage/volumes/#awselasticblockstore)、
+[GCE PD](/zh-cn/docs/concepts/storage/volumes/#gcepersistentdisk) 和
+[Azure Disk](/zh-cn/docs/concepts/storage/volumes/#azuredisk) 卷类型都能
 自动设置相关字段。
-你需要为 [local](/zh/docs/concepts/storage/volumes/#local) 卷显式地设置
+你需要为 [local](/zh-cn/docs/concepts/storage/volumes/#local) 卷显式地设置
 此属性。
 {{< /note >}}
 
@@ -1125,7 +1221,7 @@ The name of a PersistentVolumeClaim object must be a valid
 -->
 每个 PVC 对象都有 `spec` 和 `status` 部分，分别对应申领的规约和状态。
 PersistentVolumeClaim 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
 
 ```yaml
@@ -1184,7 +1280,7 @@ Claims can specify a [label selector](/docs/concepts/overview/working-with-objec
 -->
 ### 选择算符    {#selector}
 
-申领可以设置[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+申领可以设置[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)
 来进一步过滤卷集合。只有标签与选择算符相匹配的卷能够绑定到申领上。
 选择算符包含两个字段：
 
@@ -1213,7 +1309,7 @@ be bound to the PVC.
 ### 类      {#class}
 
 申领可以通过为 `storageClassName` 属性设置
-[StorageClass](/zh/docs/concepts/storage/storage-classes/) 的名称来请求特定的存储类。
+[StorageClass](/zh-cn/docs/concepts/storage/storage-classes/) 的名称来请求特定的存储类。
 只有所请求的类的 PV 卷，即 `storageClassName` 值与 PVC 设置相同的 PV 卷，
 才能绑定到 PVC 申领。
 
@@ -1231,7 +1327,7 @@ PVC 申领不必一定要请求某个类。如果 PVC 的 `storageClassName` 属
 存储类的 PV 卷（未设置注解或者注解值为 `""` 的 PersistentVolume（PV）对象在系统中不会被删除，因为这样做可能会引起数据丢失。
 未设置 `storageClassName` 的 PVC 与此大不相同，也会被集群作不同处理。
 具体筛查方式取决于
-[`DefaultStorageClass` 准入控制器插件](/zh/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)
+[`DefaultStorageClass` 准入控制器插件](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)
 是否被启用。
 
 <!--
@@ -1339,7 +1435,7 @@ See [an example of `hostPath` typed volume](/docs/tasks/configure-pod-container/
 ### 类型为 `hostpath` 的 PersistentVolume  {#persistentvolumes-typed-hostpath}
 
 `hostPath` PersistentVolume 使用节点上的文件或目录来模拟网络附加（network-attached）存储。
-相关细节可参阅[`hostPath` 卷示例](/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume)。
+相关细节可参阅[`hostPath` 卷示例](/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume)。
 
 <!--
 ## Raw Block Volume Support
@@ -1411,10 +1507,7 @@ spec:
 
 ## Volume populators and data sources
 
-Kubernetes supports custom volume populators; this alpha feature was introduced
-in Kubernetes 1.18. Kubernetes 1.22 reimplemented the mechanism with a redesigned API.
-Check that you are reading the version of the Kubernetes documentation that matches your
-cluster. {{% version-check %}}
+Kubernetes supports custom volume populators.
 To use custom volume populators, you must enable the `AnyVolumeDataSource`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for
 the kube-apiserver and kube-controller-manager.
@@ -1428,14 +1521,12 @@ gate enabled, use of the `dataSourceRef` is preferred over `dataSource`.
 
 ## 卷填充器（Populator）与数据源      {#volume-populators-and-data-sources}
 
-{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.24" state="beta" >}}
 
 {{< note >}}
-Kubernetes 支持自定义的卷填充器；Kubernetes 1.18 版本引入了这个 alpha 特性。
-Kubernetes 1.22 使用重新设计的 API 重新实现了该机制。
-确认你正在阅读与你的集群版本一致的 Kubernetes 文档。{{% version-check %}}
-要使用自定义的卷填充器，你必须为 kube-apiserver 和 kube-controller-manager 启用 `AnyVolumeDataSource`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+Kubernetes 支持自定义的卷填充器；要使用自定义的卷填充器，你必须为
+kube-apiserver 和 kube-controller-manager 启用 `AnyVolumeDataSource`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 {{< /note >}}
 
 卷填充器利用了 PVC 规约字段 `dataSourceRef`。
@@ -1630,8 +1721,8 @@ Volume snapshot feature was added to support CSI Volume Plugins only. For detail
 To enable support for restoring a volume from a volume snapshot data source, enable the
 `VolumeSnapshotDataSource` feature gate on the apiserver and controller-manager.
 -->
-卷快照（Volume Snapshot）功能的添加仅是为了支持 CSI 卷插件。
-有关细节可参阅[卷快照](/zh/docs/concepts/storage/volume-snapshots/)文档。
+卷快照（Volume Snapshot）特性的添加仅是为了支持 CSI 卷插件。
+有关细节可参阅[卷快照](/zh-cn/docs/concepts/storage/volume-snapshots/)文档。
 
 要启用从卷快照数据源恢复数据卷的支持，可在 API 服务器和控制器管理器上启用
 `VolumeSnapshotDataSource` 特性门控。
@@ -1666,7 +1757,7 @@ spec:
 -->
 ## 卷克隆     {#volume-cloning}
 
-[卷克隆](/zh/docs/concepts/storage/volume-pvc-datasource/)功能特性仅适用于
+[卷克隆](/zh-cn/docs/concepts/storage/volume-pvc-datasource/)功能特性仅适用于
 CSI 卷插件。
 
 <!--
@@ -1747,11 +1838,11 @@ and need persistent storage, it is recommended that you use the following patter
 <!--
 * Learn more about [Creating a PersistentVolume](/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume).
 * Learn more about [Creating a PersistentVolumeClaim](/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim).
-* Read the [Persistent Storage design document](https://git.k8s.io/community/contributors/design-proposals/storage/persistent-storage.md).
+* Read the [Persistent Storage design document](https://github.com/kubernetes/design-proposals-archive/blob/main/storage/persistent-storage.md).
 -->
-* 进一步了解[创建持久卷](/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume).
-* 进一步学习[创建 PVC 申领](/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim).
-* 阅读[持久存储的设计文档](https://git.k8s.io/community/contributors/design-proposals/storage/persistent-storage.md).
+* 进一步了解[创建持久卷](/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume).
+* 进一步学习[创建 PVC 申领](/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim).
+* 阅读[持久存储的设计文档](https://github.com/kubernetes/design-proposals-archive/blob/main/storage/persistent-storage.md).
 
 <!--
 ### API references {#reference}
@@ -1767,3 +1858,4 @@ Read about the APIs described in this page:
 
 * [`PersistentVolume`](/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/)
 * [`PersistentVolumeClaim`](/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/)
+
diff --git a/content/zh/docs/concepts/storage/projected-volumes.md b/content/zh-cn/docs/concepts/storage/projected-volumes.md
similarity index 88%
rename from content/zh/docs/concepts/storage/projected-volumes.md
rename to content/zh-cn/docs/concepts/storage/projected-volumes.md
index a1cc2a3a724af..3897d5203b14c 100644
--- a/content/zh/docs/concepts/storage/projected-volumes.md
+++ b/content/zh-cn/docs/concepts/storage/projected-volumes.md
@@ -19,8 +19,8 @@ weight: 21 # just after persistent volumes
 <!--
 This document describes _projected volumes_ in Kubernetes. Familiarity with [volumes](/docs/concepts/storage/volumes/) is suggested.
 -->
-本文档描述 Kubernet 中的*投射卷（Projected Volumes）*。
-建议先熟悉[卷](/zh/docs/concepts/storage/volumes/)概念。
+本文档描述 Kubernetes 中的*投射卷（Projected Volumes）*。
+建议先熟悉[卷](/zh-cn/docs/concepts/storage/volumes/)概念。
 
 <!-- body -->
 
@@ -42,17 +42,17 @@ Currently, the following types of volume sources can be projected:
 
 目前，以下类型的卷源可以被投射：
 
-* [`secret`](/zh/docs/concepts/storage/volumes/#secret)
-* [`downwardAPI`](/zh/docs/concepts/storage/volumes/#downwardapi)
-* [`configMap`](/zh/docs/concepts/storage/volumes/#configmap)
+* [`secret`](/zh-cn/docs/concepts/storage/volumes/#secret)
+* [`downwardAPI`](/zh-cn/docs/concepts/storage/volumes/#downwardapi)
+* [`configMap`](/zh-cn/docs/concepts/storage/volumes/#configmap)
 * [`serviceAccountToken`](#serviceaccounttoken)
 
 <!--
 All sources are required to be in the same namespace as the Pod. For more details,
-see the [all-in-one volume design document](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/all-in-one-volume.md).
+see the [all-in-one volume](https://github.com/kubernetes/design-proposals-archive/blob/main/node/all-in-one-volume.md) design document.
 -->
 所有的卷源都要求处于 Pod 所在的同一个名字空间内。进一步的详细信息，可参考
-[一体化卷设计文档](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/all-in-one-volume.md)。
+[一体化卷](https://github.com/kubernetes/design-proposals-archive/blob/main/node/all-in-one-volume.md)设计文档。
 
 <!--
 ### Example configuration with a secret, a downwardAPI, and a configMap {#example-configuration-secret-downwardapi-configmap}
@@ -92,7 +92,7 @@ into a Pod at a specified path. For example:
 -->
 ## serviceAccountToken 投射卷 {#serviceaccounttoken}
 当 `TokenRequestProjection` 特性被启用时，你可以将当前
-[服务账号](/zh/docs/reference/access-authn-authz/authentication/#service-account-tokens)
+[服务账号](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens)
 的令牌注入到 Pod 中特定路径下。例如：
 
 {{< codenew file="pods/storage/projected-service-account-token.yaml" >}}
@@ -108,7 +108,7 @@ is optional and it defaults to the identifier of the API server.
 -->
 示例 Pod 中包含一个投射卷，其中包含注入的服务账号令牌。
 此 Pod 中的容器可以使用该令牌访问 Kubernetes API 服务器， 使用 
-[pod 的 ServiceAccount](/zh/docs/tasks/configure-pod-container/configure-service-account/)
+[pod 的 ServiceAccount](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
 进行身份验证。`audience` 字段包含令牌所针对的受众。
 收到令牌的主体必须使用令牌受众中所指定的某个标识符来标识自身，否则应该拒绝该令牌。
 此字段是可选的，默认值为 API 服务器的标识。
@@ -130,7 +130,7 @@ of the projected volume.
 A container using a projected volume source as a [`subPath`](/docs/concepts/storage/volumes/#using-subpath)
 volume mount will not receive updates for those volume sources.
 -->
-以 [`subPath`](/zh/docs/concepts/storage/volumes/#using-subpath)
+以 [`subPath`](/zh-cn/docs/concepts/storage/volumes/#using-subpath)
 形式使用投射卷源的容器无法收到对应卷源的更新。
 {{< /note >}}
 
@@ -140,11 +140,9 @@ volume mount will not receive updates for those volume sources.
 ## 与 SecurityContext 间的关系    {#securitycontext-interactions}
 
 <!--
-The [proposal for file permission handling in projected service account volume](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2451-service-account-token-volumes#token-volume-projection)
-enhancement introduced the projected files having the the correct owner
-permissions set.
+The [proposal](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2451-service-account-token-volumes#proposal) for file permission handling in projected service account volume enhancement introduced the projected files having the the correct owner permissions set.
 -->
-[关于在投射的服务账号卷中处理文件访问权限的提案](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2451-service-account-token-volumes#token-volume-projection)
+关于在投射的服务账号卷中处理文件访问权限的[提案](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2451-service-account-token-volumes#proposal)
 介绍了如何使得所投射的文件具有合适的属主访问权限。
 
 ### Linux
diff --git a/content/zh/docs/concepts/storage/storage-capacity.md b/content/zh-cn/docs/concepts/storage/storage-capacity.md
similarity index 70%
rename from content/zh/docs/concepts/storage/storage-capacity.md
rename to content/zh-cn/docs/concepts/storage/storage-capacity.md
index 10089b428d312..c89d98e3bce3b 100644
--- a/content/zh/docs/concepts/storage/storage-capacity.md
+++ b/content/zh-cn/docs/concepts/storage/storage-capacity.md
@@ -10,58 +10,66 @@ Storage capacity is limited and may vary depending on the node on
 which a pod runs: network-attached storage might not be accessible by
 all nodes, or storage is local to a node to begin with.
 
-{{< feature-state for_k8s_version="v1.21" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 This page describes how Kubernetes keeps track of storage capacity and
-how the scheduler uses that information to schedule Pods onto nodes
+how the scheduler uses that information to [schedule Pods](/docs/concepts/scheduling-eviction/) onto nodes
 that have access to enough storage capacity for the remaining missing
 volumes. Without storage capacity tracking, the scheduler may choose a
 node that doesn't have enough capacity to provision a volume and
 multiple scheduling retries will be needed.
-
-Tracking storage capacity is supported for {{< glossary_tooltip
-text="Container Storage Interface" term_id="csi" >}} (CSI) drivers and
-[needs to be enabled](#enabling-storage-capacity-tracking) when installing a CSI driver.
 -->
 存储容量是有限的，并且会因为运行 Pod 的节点不同而变化：
 网络存储可能并非所有节点都能够访问，或者对于某个节点存储是本地的。
 
-{{< feature-state for_k8s_version="v1.21" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 本页面描述了 Kubernetes 如何跟踪存储容量以及调度程序如何为了余下的尚未挂载的卷使用该信息将
-Pod 调度到能够访问到足够存储容量的节点上。
+[Pod 调度](/zh-cn/docs/concepts/scheduling-eviction/)到能够访问到足够存储容量的节点上。
 如果没有跟踪存储容量，调度程序可能会选择一个没有足够容量来提供卷的节点，并且需要多次调度重试。
 
-{{< glossary_tooltip text="容器存储接口" term_id="csi" >}}（CSI）驱动程序支持跟踪存储容量，
-并且在安装 CSI 驱动程序时[需要启用](#enabling-storage-capacity-tracking)该功能。
+## {{% heading "prerequisites" %}}
+
+<!--
+Kubernetes v{{< skew currentVersion >}} includes cluster-level API support for
+storage capacity tracking. To use this you must also be using a CSI driver that
+supports capacity tracking. Consult the documentation for the CSI drivers that
+you use to find out whether this support is available and, if so, how to use
+it. If you are not running Kubernetes v{{< skew currentVersion >}}, check the
+documentation for that version of Kubernetes.
+-->
+Kubernetes v{{< skew currentVersion >}} 包含了对存储容量跟踪的集群级 API 支持。
+要使用它，你还必须使用支持容量跟踪的 CSI 驱动程序。请查阅你使用的 CSI 驱动程序的文档，
+以了解此支持是否可用，如果可用，该如何使用它。如果你运行的不是
+Kubernetes v{{< skew currentVersion >}}，请查看对应版本的 Kubernetes 文档。
 
 <!-- body -->
 <!--
 ## API
 
 There are two API extensions for this feature:
-- CSIStorageCapacity objects:
+- [CSIStorageCapacity](/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/) objects:
   these get produced by a CSI driver in the namespace
   where the driver is installed. Each object contains capacity
   information for one storage class and defines which nodes have
   access to that storage.
-- [The `CSIDriverSpec.StorageCapacity` field](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#csidriverspec-v1-storage-k8s-io):
+- [The `CSIDriverSpec.StorageCapacity` field](/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1/#CSIDriverSpec):
   when set to `true`, the Kubernetes scheduler will consider storage
   capacity for volumes that use the CSI driver.
 -->
 ## API
 
 这个特性有两个 API 扩展接口：
-- CSIStorageCapacity 对象：这些对象由 CSI 驱动程序在安装驱动程序的命名空间中产生。
+- [CSIStorageCapacity](/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/) 对象：这些对象由
+  CSI 驱动程序在安装驱动程序的命名空间中产生。
   每个对象都包含一个存储类的容量信息，并定义哪些节点可以访问该存储。
-- [`CSIDriverSpec.StorageCapacity` 字段](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#csidriverspec-v1-storage-k8s-io)：
+- [`CSIDriverSpec.StorageCapacity` 字段](/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1/#CSIDriverSpec)：
   设置为 true 时，Kubernetes 调度程序将考虑使用 CSI 驱动程序的卷的存储容量。
 
 <!--
 ## Scheduling
 
 Storage capacity information is used by the Kubernetes scheduler if:
-- the `CSIStorageCapacity` feature gate is true,
 - a Pod uses a volume that has not been created yet,
 - that volume uses a {{< glossary_tooltip text="StorageClass" term_id="storage-class" >}} which references a CSI driver and
   uses `WaitForFirstConsumer` [volume binding
@@ -90,10 +98,9 @@ significant resources there.
 ## 调度
 
 如果有以下情况，存储容量信息将会被 Kubernetes 调度程序使用：
-- `CSIStorageCapacity` 特性门控被设置为 true，
 - Pod 使用的卷还没有被创建，
 - 卷使用引用了 CSI 驱动的 {{< glossary_tooltip text="StorageClass" term_id="storage-class" >}}，
-并且使用了 `WaitForFirstConsumer` [卷绑定模式](/zh/docs/concepts/storage/storage-classes/#volume-binding-mode)，
+并且使用了 `WaitForFirstConsumer` [卷绑定模式](/zh-cn/docs/concepts/storage/storage-classes/#volume-binding-mode)，
 - 驱动程序的 `CSIDriver` 对象的 `StorageCapacity` 被设置为 true。
 
 在这种情况下，调度程序仅考虑将 Pod 调度到有足够存储容量的节点上。这个检测非常简单，
@@ -102,7 +109,7 @@ significant resources there.
 对于具有 `Immediate` 卷绑定模式的卷，存储驱动程序将决定在何处创建该卷，而不取决于将使用该卷的 Pod。
 然后，调度程序将 Pod 调度到创建卷后可使用该卷的节点上。
 
-对于 [CSI 临时卷](/zh/docs/concepts/storage/volumes/#csi)，调度总是在不考虑存储容量的情况下进行。
+对于 [CSI 临时卷](/zh-cn/docs/concepts/storage/volumes/#csi)，调度总是在不考虑存储容量的情况下进行。
 这是基于这样的假设：该卷类型仅由节点本地的特殊 CSI 驱动程序使用，并且不需要大量资源。
 
 <!--
@@ -140,9 +147,7 @@ multiple volumes: one volume might have been created already in a
 topology segment which then does not have enough capacity left for
 another volume. Manual intervention is necessary to recover from this,
 for example by increasing capacity or deleting the volume that was
-already created. [Further
-work](https://github.com/kubernetes/enhancements/pull/1703) is needed
-to handle this automatically.
+already created.
 -->
 ## 限制
 
@@ -151,32 +156,12 @@ to handle this automatically.
 
 当 Pod 使用多个卷时，调度可能会永久失败：一个卷可能已经在拓扑段中创建，而该卷又没有足够的容量来创建另一个卷，
 要想从中恢复，必须要进行手动干预，比如通过增加存储容量或者删除已经创建的卷。
-需要[进一步工作](https://github.com/kubernetes/enhancements/pull/1703)来自动处理此问题。
-
-<!--
-## Enabling storage capacity tracking
-
-Storage capacity tracking is a beta feature and enabled by default in 
-a Kubernetes cluster since Kubernetes 1.21. In addition to having the
-feature enabled in the cluster, a CSI driver also has to support
-it. Please refer to the driver's documentation for details.
--->
-## 开启存储容量跟踪
-
-存储容量跟踪是一个 Beta 特性，从 Kubernetes 1.21 版本起在 Kubernetes 集群
-中默认被启用。除了在集群中启用此功能特性之外，还要求 CSI 驱动支持此特性。
-请参阅驱动的文档了解详细信息。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
- - For more information on the design, see the
+- For more information on the design, see the
 [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/1472-storage-capacity-tracking/README.md).
-- For more information on further development of this feature, see the [enhancement tracking issue #1472](https://github.com/kubernetes/enhancements/issues/1472).
-- Learn about [Kubernetes Scheduler](/docs/concepts/scheduling-eviction/kube-scheduler/)
 -->
 - 想要获得更多该设计的信息，查看
   [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/1472-storage-capacity-tracking/README.md)。
-- 有关此功能的下一步开发信息，查看
-  [enhancement tracking issue #1472](https://github.com/kubernetes/enhancements/issues/1472)。
-- 学习 [Kubernetes 调度器](/zh/docs/concepts/scheduling-eviction/kube-scheduler/)。
diff --git a/content/zh/docs/concepts/storage/storage-classes.md b/content/zh-cn/docs/concepts/storage/storage-classes.md
similarity index 98%
rename from content/zh/docs/concepts/storage/storage-classes.md
rename to content/zh-cn/docs/concepts/storage/storage-classes.md
index 9fb39ed2d4547..be1f6eca0b116 100644
--- a/content/zh/docs/concepts/storage/storage-classes.md
+++ b/content/zh-cn/docs/concepts/storage/storage-classes.md
@@ -23,8 +23,8 @@ with [volumes](/docs/concepts/storage/volumes/) and
 [persistent volumes](/docs/concepts/storage/persistent-volumes) is suggested.
 -->
 本文描述了 Kubernetes 中 StorageClass 的概念。建议先熟悉
-[卷](/zh/docs/concepts/storage/volumes/)和
-[持久卷](/zh/docs/concepts/storage/persistent-volumes)的概念。
+[卷](/zh-cn/docs/concepts/storage/volumes/)和
+[持久卷](/zh-cn/docs/concepts/storage/persistent-volumes)的概念。
 
 <!-- body -->
 
@@ -74,7 +74,7 @@ for details.
  -->
 管理员可以为没有申请绑定到特定 StorageClass 的 PVC 指定一个默认的存储类：
 更多详情请参阅
-[PersistentVolumeClaim 章节](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)。
+[PersistentVolumeClaim 章节](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)。
 
 ```yaml
 apiVersion: storage.k8s.io/v1
@@ -249,7 +249,7 @@ the class or PV, If a mount option is invalid, the PV mount fails.
 The `volumeBindingMode` field controls when [volume binding and dynamic
 provisioning](/docs/concepts/storage/persistent-volumes/#provisioning) should occur.
  -->
-`volumeBindingMode` 字段控制了[卷绑定和动态制备](/zh/docs/concepts/storage/persistent-volumes/#provisioning)
+`volumeBindingMode` 字段控制了[卷绑定和动态制备](/zh-cn/docs/concepts/storage/persistent-volumes/#provisioning)
 应该发生在什么时候。
 
 <!--
@@ -277,10 +277,10 @@ and [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-tolera
 集群管理员可以通过指定 `WaitForFirstConsumer` 模式来解决此问题。
 该模式将延迟 PersistentVolume 的绑定和制备，直到使用该 PersistentVolumeClaim 的 Pod 被创建。
 PersistentVolume 会根据 Pod 调度约束指定的拓扑来选择或制备。这些包括但不限于
-[资源需求](/zh/docs/concepts/configuration/manage-resources-containers/)、
-[节点筛选器](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)、
-[pod 亲和性和互斥性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity/)、
-以及[污点和容忍度](/zh/docs/concepts/scheduling-eviction/taint-and-toleration)。
+[资源需求](/zh-cn/docs/concepts/configuration/manage-resources-containers/)、
+[节点筛选器](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)、
+[pod 亲和性和互斥性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity/)、
+以及[污点和容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration)。
 
 <!--
 The following plugins support `WaitForFirstConsumer` with dynamic provisioning:
@@ -313,7 +313,7 @@ The following plugins support `WaitForFirstConsumer` with pre-created Persistent
 and pre-created PVs, but you'll need to look at the documentation for a specific CSI driver
 to see its supported topology keys and examples.
 -->
-动态配置和预先创建的 PV 也支持 [CSI卷](/zh/docs/concepts/storage/volumes/#csi)，
+动态配置和预先创建的 PV 也支持 [CSI卷](/zh-cn/docs/concepts/storage/volumes/#csi)，
 但是你需要查看特定 CSI 驱动程序的文档以查看其支持的拓扑键名和例子。
 
 {{< note >}}
@@ -770,7 +770,7 @@ vSphere 存储类有两种制备器
 [弃用](/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/#why-are-we-migrating-in-tree-plugins-to-csi)。
 更多关于 CSI 制备器的详情，请参阅 
 [Kubernetes vSphere CSI 驱动](https://vsphere-csi-driver.sigs.k8s.io/)
-和 [vSphereVolume CSI 迁移](/zh/docs/concepts/storage/volumes/#csi-migration-5)。
+和 [vSphereVolume CSI 迁移](/zh-cn/docs/concepts/storage/volumes/#csi-migration-5)。
 
 <!--
 #### CSI Provisioner {#vsphere-provisioner-csi}
@@ -1107,7 +1107,7 @@ parameters:
 * `location`：Azure 存储帐户位置。默认为空。
 * `storageAccount`：Azure 存储帐户名称。
   如果提供存储帐户，它必须位于与集群相同的资源组中，并且 `location`
-  是被忽略的。如果未提供存储帐户，则会在与群集相同的资源组中创建新的存储帐户。
+  是被忽略的。如果未提供存储帐户，则会在与集群相同的资源组中创建新的存储帐户。
 
 <!--
 #### Azure Disk Storage Class (starting from v1.7.2) {#azure-disk-storage-class}
@@ -1209,8 +1209,8 @@ add the `create` permission of resource `secret` for clusterrole
 `system:controller:persistent-volume-binder`.
 -->
 在存储制备期间，为挂载凭证创建一个名为 `secretName` 的 Secret。如果集群同时启用了
-[RBAC](/zh/docs/reference/access-authn-authz/rbac/) 和
-[控制器角色](/zh/docs/reference/access-authn-authz/rbac/#controller-roles)，
+[RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/) 和
+[控制器角色](/zh-cn/docs/reference/access-authn-authz/rbac/#controller-roles)，
 为 `system:controller:persistent-volume-binder` 的 clusterrole 添加
 `Secret` 资源的 `create` 权限。
 
diff --git a/content/zh/docs/concepts/storage/storage-limits.md b/content/zh-cn/docs/concepts/storage/storage-limits.md
similarity index 93%
rename from content/zh/docs/concepts/storage/storage-limits.md
rename to content/zh-cn/docs/concepts/storage/storage-limits.md
index 14ffd377a6f51..6943ba3ed6a00 100644
--- a/content/zh/docs/concepts/storage/storage-limits.md
+++ b/content/zh-cn/docs/concepts/storage/storage-limits.md
@@ -16,22 +16,21 @@ content_type: concept
 
 <!-- overview -->
 
-<!-- This page describes the maximum number of volumes that can be attached
-to a Node for various cloud providers. -->
+<!-- 
+This page describes the maximum number of volumes that can be attached
+to a Node for various cloud providers. 
+-->
 此页面描述了各个云供应商可关联至一个节点的最大卷数。
 
-<!-- Cloud providers like Google, Amazon, and Microsoft typically have a limit on
+<!-- 
+Cloud providers like Google, Amazon, and Microsoft typically have a limit on
 how many volumes can be attached to a Node. It is important for Kubernetes to
 respect those limits. Otherwise, Pods scheduled on a Node could get stuck
-waiting for volumes to attach. -->
-
+waiting for volumes to attach. 
+-->
 谷歌、亚马逊和微软等云供应商通常对可以关联到节点的卷数量进行限制。
 Kubernetes 需要尊重这些限制。 否则，在节点上调度的 Pod 可能会卡住去等待卷的关联。
 
-
-
-
-
 <!-- body -->
 
 <!--
@@ -40,7 +39,6 @@ Kubernetes 需要尊重这些限制。 否则，在节点上调度的 Pod 可能
 The Kubernetes scheduler has default limits on the number of volumes
 that can be attached to a Node:
 -->
-
 ## Kubernetes 的默认限制
 
 The Kubernetes 调度器对关联于一个节点的卷数有默认限制：
@@ -73,20 +71,18 @@ the limit you set.
 
 The limit applies to the entire cluster, so it affects all Nodes.
 -->
-
 ## 自定义限制
 
-您可以通过设置 `KUBE_MAX_PD_VOLS` 环境变量的值来设置这些限制，然后再启动调度器。
+你可以通过设置 `KUBE_MAX_PD_VOLS` 环境变量的值来设置这些限制，然后再启动调度器。
 CSI 驱动程序可能具有不同的过程，关于如何自定义其限制请参阅相关文档。
 
-如果设置的限制高于默认限制，请谨慎使用。请参阅云提供商的文档以确保节点可支持您设置的限制。
+如果设置的限制高于默认限制，请谨慎使用。请参阅云提供商的文档以确保节点可支持你设置的限制。
 
 此限制应用于整个集群，所以它会影响所有节点。
 
 <!--
 ## Dynamic volume limits
 -->
-
 ## 动态卷限制
 
 {{< feature-state state="stable" for_k8s_version="v1.17" >}}
@@ -99,7 +95,6 @@ Dynamic volume limits are supported for following volume types.
 - Azure Disk
 - CSI
 -->
-
 以下卷类型支持动态卷限制。
 
 - Amazon EBS
@@ -111,7 +106,6 @@ Dynamic volume limits are supported for following volume types.
 For volumes managed by in-tree volume plugins, Kubernetes automatically determines the Node
 type and enforces the appropriate maximum number of volumes for the node. For example:
 -->
-
 对于由内建插件管理的卷，Kubernetes 会自动确定节点类型并确保节点上可关联的卷数目合规。 例如：
 
 <!--
@@ -132,7 +126,6 @@ Refer to the [CSI specifications](https://github.com/container-storage-interface
 
 * For volumes managed by in-tree plugins that have been migrated to a CSI driver, the maximum number of volumes will be the one reported by the CSI driver.
 -->
-
 * 在
 <a href="https://cloud.google.com/compute/">Google Compute Engine</a>环境中,
 [根据节点类型](https://cloud.google.com/compute/docs/disks/#pdnumberlimits)最多可以将127个卷关联到节点。
diff --git a/content/zh/docs/concepts/storage/volume-health-monitoring.md b/content/zh-cn/docs/concepts/storage/volume-health-monitoring.md
similarity index 98%
rename from content/zh/docs/concepts/storage/volume-health-monitoring.md
rename to content/zh-cn/docs/concepts/storage/volume-health-monitoring.md
index 0b7f5924a488a..bf1c732fd65dd 100644
--- a/content/zh/docs/concepts/storage/volume-health-monitoring.md
+++ b/content/zh-cn/docs/concepts/storage/volume-health-monitoring.md
@@ -64,7 +64,7 @@ You need to enable the `CSIVolumeHealth` [feature gate](/docs/reference/command-
 -->
 {{< note >}}
 你需要启用 `CSIVolumeHealth`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)，
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
 才能在节点上使用此特性。
 {{< /note >}}
 
diff --git a/content/zh/docs/concepts/storage/volume-pvc-datasource.md b/content/zh-cn/docs/concepts/storage/volume-pvc-datasource.md
similarity index 99%
rename from content/zh/docs/concepts/storage/volume-pvc-datasource.md
rename to content/zh-cn/docs/concepts/storage/volume-pvc-datasource.md
index 06454b6234a6d..d50dcdd99c9ed 100644
--- a/content/zh/docs/concepts/storage/volume-pvc-datasource.md
+++ b/content/zh-cn/docs/concepts/storage/volume-pvc-datasource.md
@@ -21,7 +21,7 @@ weight: 60
 This document describes the concept of cloning existing CSI Volumes in Kubernetes.  Familiarity with [Volumes](/docs/concepts/storage/volumes) is suggested.
 -->
 本文档介绍 Kubernetes 中克隆现有 CSI 卷的概念。阅读前建议先熟悉
-[卷](/zh/docs/concepts/storage/volumes)。
+[卷](/zh-cn/docs/concepts/storage/volumes)。
 
 <!-- body -->
 
diff --git a/content/zh/docs/concepts/storage/volume-snapshot-classes.md b/content/zh-cn/docs/concepts/storage/volume-snapshot-classes.md
similarity index 96%
rename from content/zh/docs/concepts/storage/volume-snapshot-classes.md
rename to content/zh-cn/docs/concepts/storage/volume-snapshot-classes.md
index 8739de2d04063..47f617fe11033 100644
--- a/content/zh/docs/concepts/storage/volume-snapshot-classes.md
+++ b/content/zh-cn/docs/concepts/storage/volume-snapshot-classes.md
@@ -12,8 +12,8 @@ with [volume snapshots](/docs/concepts/storage/volume-snapshots/) and
 [storage classes](/docs/concepts/storage/storage-classes) is suggested.
 -->
 本文档描述了 Kubernetes 中 VolumeSnapshotClass 的概念。建议熟悉
-[卷快照（Volume Snapshots）](/zh/docs/concepts/storage/volume-snapshots/)和
-[存储类（Storage Class）](/zh/docs/concepts/storage/storage-classes)。
+[卷快照（Volume Snapshots）](/zh-cn/docs/concepts/storage/volume-snapshots/)和
+[存储类（Storage Class）](/zh-cn/docs/concepts/storage/storage-classes)。
 
 
 <!-- body -->
diff --git a/content/zh/docs/concepts/storage/volume-snapshots.md b/content/zh-cn/docs/concepts/storage/volume-snapshots.md
similarity index 83%
rename from content/zh/docs/concepts/storage/volume-snapshots.md
rename to content/zh-cn/docs/concepts/storage/volume-snapshots.md
index f4ded9d560d55..719bcfa2a323a 100644
--- a/content/zh/docs/concepts/storage/volume-snapshots.md
+++ b/content/zh-cn/docs/concepts/storage/volume-snapshots.md
@@ -18,7 +18,7 @@ weight: 40
 In Kubernetes, a _VolumeSnapshot_ represents a snapshot of a volume on a storage system. This document assumes that you are already familiar with Kubernetes [persistent volumes](/docs/concepts/storage/persistent-volumes/).
 -->
 在 Kubernetes 中，卷快照是一个存储系统上卷的快照，本文假设你已经熟悉了 Kubernetes
-的 [持久卷](/zh/docs/concepts/storage/persistent-volumes/)。
+的 [持久卷](/zh-cn/docs/concepts/storage/persistent-volumes/)。
 
 <!-- body -->
 
@@ -118,7 +118,7 @@ Instead of using a pre-existing snapshot, you can request that a snapshot to be
 #### 动态的 {#dynamic}
 
 可以从 `PersistentVolumeClaim` 中动态获取快照，而不用使用已经存在的快照。
-在获取快照时，[卷快照类](/zh/docs/concepts/storage/volume-snapshot-classes/)
+在获取快照时，[卷快照类](/zh-cn/docs/concepts/storage/volume-snapshot-classes/)
 指定要用的特定于存储提供程序的参数。
 
 <!--
@@ -196,7 +196,7 @@ using the attribute `volumeSnapshotClassName`. If nothing is set, then the defau
 `persistentVolumeClaimName` 是 `PersistentVolumeClaim` 数据源对快照的名称。
 这个字段是动态配置快照中的必填字段。
 
-卷快照可以通过指定 [VolumeSnapshotClass](/zh/docs/concepts/storage/volume-snapshot-classes/)
+卷快照可以通过指定 [VolumeSnapshotClass](/zh-cn/docs/concepts/storage/volume-snapshot-classes/)
 使用 `volumeSnapshotClassName` 属性来请求特定类。如果没有设置，那么使用默认类（如果有）。
 
 <!--
@@ -233,6 +233,7 @@ spec:
   driver: hostpath.csi.k8s.io
   source:
     volumeHandle: ee0cfb94-f8d4-11e9-b2d8-0242ac110002
+  sourceVolumeMode: Filesystem
   volumeSnapshotClassName: csi-hostpath-snapclass
   volumeSnapshotRef:
     name: new-snapshot-test
@@ -259,6 +260,7 @@ spec:
   driver: hostpath.csi.k8s.io
   source:
     snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002
+  sourceVolumeMode: Filesystem
   volumeSnapshotRef:
     name: new-snapshot-test
     namespace: default
@@ -268,6 +270,73 @@ spec:
 -->
 `snapshotHandle` 是存储后端创建卷的唯一标识符。对于预设置快照，这个字段是必须的。它指定此 `VolumeSnapshotContent` 表示的存储系统上的 CSI 快照 id。
 
+<!--
+`sourceVolumeMode` is the mode of the volume whose snapshot is taken. The value 
+of the `sourceVolumeMode` field can be either `Filesystem` or `Block`. If the 
+source volume mode is not specified, Kubernetes treats the snapshot as if the 
+source volume's mode is unknown.
+-->
+`sourceVolumeMode` 是创建快照的卷的模式。`sourceVolumeMode` 字段的值可以是
+`Filesystem` 或 `Block`。如果没有指定源卷模式，Kubernetes 会将快照视为未知的源卷模式。
+
+<!--
+## Converting the volume mode of a Snapshot {#convert-volume-mode}
+
+If the `VolumeSnapshots` API installed on your cluster supports the `sourceVolumeMode`
+field, then the API has the capability to prevent unauthorized users from converting
+the mode of a volume.
+
+To check if your cluster has capability for this feature, run the following command:
+-->
+## 转换快照的卷模式 {#convert-volume-mode}
+
+如果在你的集群上安装的 `VolumeSnapshots` API 支持 `sourceVolumeMode`
+字段，则该 API 可以防止未经授权的用户转换卷的模式。
+
+要检查你的集群是否具有此特性的能力，可以运行如下命令：
+
+```yaml
+$ kubectl get crd volumesnapshotcontent -o yaml
+```
+
+<!--
+If you want to allow users to create a `PersistentVolumeClaim` from an existing
+`VolumeSnapshot`, but with a different volume mode than the source, the annotation
+`snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`needs to be added to
+the `VolumeSnapshotContent` that corresponds to the `VolumeSnapshot`.
+-->
+如果你希望允许用户从现有的 `VolumeSnapshot` 创建 `PersistentVolumeClaim`，
+但是使用与源卷不同的卷模式，则需要添加注解
+`snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`
+到对应 `VolumeSnapshot` 的 `VolumeSnapshotContent` 中。
+<!--
+For pre-provisioned snapshots, `Spec.SourceVolumeMode` needs to be populated
+by the cluster administrator.
+
+An example `VolumeSnapshotContent` resource with this feature enabled would look like:
+-->
+对于预配置的快照，`Spec.SourceVolumeMode` 需要由集群管理员填充。
+
+启用此特性的 `VolumeSnapshotContent` 资源示例如下所示：
+
+```yaml
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotContent
+metadata:
+  name: new-snapshot-content-test
+  annotations:
+    - snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
+spec:
+  deletionPolicy: Delete
+  driver: hostpath.csi.k8s.io
+  source:
+    snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002
+  sourceVolumeMode: Filesystem
+  volumeSnapshotRef:
+    name: new-snapshot-test
+    namespace: default
+```
+
 <!--
 ## Provisioning Volumes from Snapshots
 -->
@@ -284,4 +353,4 @@ For more details, see
 [Volume Snapshot and Restore Volume from Snapshot](/docs/concepts/storage/persistent-volumes/#volume-snapshot-and-restore-volume-from-snapshot-support).
 -->
 更多详细信息，请参阅
-[卷快照和从快照还原卷](/zh/docs/concepts/storage/persistent-volumes/#volume-snapshot-and-restore-volume-from-snapshot-support)。
+[卷快照和从快照还原卷](/zh-cn/docs/concepts/storage/persistent-volumes/#volume-snapshot-and-restore-volume-from-snapshot-support)。
diff --git a/content/zh/docs/concepts/storage/volumes.md b/content/zh-cn/docs/concepts/storage/volumes.md
similarity index 90%
rename from content/zh/docs/concepts/storage/volumes.md
rename to content/zh-cn/docs/concepts/storage/volumes.md
index 2d92dbf79cf7a..ebe50dd89705b 100644
--- a/content/zh/docs/concepts/storage/volumes.md
+++ b/content/zh-cn/docs/concepts/storage/volumes.md
@@ -25,6 +25,7 @@ but with a clean state. A second problem occurs when sharing files
 between containers running together in a `Pod`.
 The Kubernetes {{< glossary_tooltip text="volume" term_id="volume" >}} abstraction
 solves both of these problems.
+Familiarity with [Pods](/docs/concepts/workloads/pods/) is suggested.
 -->
 Container 中的文件在磁盘上是临时存放的，这给 Container 中运行的较重要的应用程序带来一些问题。
 问题之一是当容器崩溃时文件丢失。
@@ -33,10 +34,7 @@ kubelet 会重新启动容器，但容器会以干净的状态重启。
 Kubernetes {{< glossary_tooltip text="卷（Volume）" term_id="volume" >}}
 这一抽象概念能够解决这两个问题。
 
-<!--
-Familiarity with [Pods](/docs/concepts/workloads/pods/) is suggested.
--->
-阅读本文前建议你熟悉一下 [Pods](/zh/docs/concepts/workloads/pods)。 
+阅读本文前建议你熟悉一下 [Pod](/zh-cn/docs/concepts/workloads/pods)。 
 
 <!-- body -->
 
@@ -120,15 +118,21 @@ Kubernetes supports several types of Volumes:
 
 Kubernetes 支持下列类型的卷：
 
-### awsElasticBlockStore {#awselasticblockstore}
-
 <!--
+### awsElasticBlockStore (deprecated) {#awselasticblockstore}
+
+{{< feature-state for_k8s_version="v1.17" state="deprecated" >}}
+
 An `awsElasticBlockStore` volume mounts an Amazon Web Services (AWS)
 [EBS Volume](http://aws.amazon.com/ebs/) into your Pod.  Unlike
 `emptyDir`, which is erased when a Pod is removed, the contents of an EBS
 volume are persisted and the volume is unmounted. This means that an
 EBS volume can be pre-populated with data, and that data can be shared between pods.
 -->
+### awsElasticBlockStore （已弃用）   {#awselasticblockstore}
+
+{{< feature-state for_k8s_version="v1.17" state="deprecated" >}}
+
 `awsElasticBlockStore` 卷将 Amazon Web服务（AWS）[EBS 卷](https://aws.amazon.com/ebs/)
 挂载到你的 Pod 中。与 `emptyDir` 在 Pod 被删除时也被删除不同，EBS 卷的内容在删除 Pod
 时会被保留，卷只是被卸载掉了。
@@ -239,13 +243,18 @@ and the kubelet, set the `InTreePluginAWSUnregister` flag to `true`.
 要禁止控制器管理器和 kubelet 加载 `awsElasticBlockStore` 存储插件，
 请将 `InTreePluginAWSUnregister` 标志设置为 `true`。
 
-### azureDisk {#azuredisk}
-
 <!--
+### azureDisk (deprecated) {#azuredisk}
+
+{{< feature-state for_k8s_version="v1.19" state="deprecated" >}}
+
 The `azureDisk` volume type mounts a Microsoft Azure [Data Disk](https://docs.microsoft.com/en-us/azure/aks/csi-storage-drivers) into a pod.
 
 For more details, see the [`azureDisk` volume plugin](https://github.com/kubernetes/examples/tree/master/staging/volumes/azure_disk/README.md).
 -->
+### azureDisk （已弃用）   {#azuredisk}
+
+{{< feature-state for_k8s_version="v1.19" state="deprecated" >}}
 
 `azureDisk` 卷类型用来在 Pod 上挂载 Microsoft Azure
 [数据盘（Data Disk）](https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-about-disks-vhds/) 。
@@ -256,22 +265,21 @@ For more details, see the [`azureDisk` volume plugin](https://github.com/kuberne
 -->
 #### azureDisk 的 CSI 迁移  {#azuredisk-csi-migration}
 
-{{< feature-state for_k8s_version="v1.19" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
 The `CSIMigration` feature for `azureDisk`, when enabled, redirects all plugin operations
 from the existing in-tree plugin to the `disk.csi.azure.com` Container
-Storage Interface (CSI) Driver. In order to use this feature, the [Azure Disk CSI
-Driver](https://github.com/kubernetes-sigs/azuredisk-csi-driver)
-must be installed on the cluster and the `CSIMigration` and `CSIMigrationAzureDisk`
-features must be enabled.
+Storage Interface (CSI) Driver. In order to use this feature, the
+[Azure Disk CSI Driver](https://github.com/kubernetes-sigs/azuredisk-csi-driver)
+must be installed on the cluster and the `CSIMigration` feature must be enabled.
 -->
 
-启用 `azureDisk` 的 `CSIMigration` 功能后，所有插件操作从现有的树内插件重定向到
+启用 `azureDisk` 的 `CSIMigration` 特性后，所有插件操作从现有的树内插件重定向到
 `disk.csi.azure.com` 容器存储接口（CSI）驱动程序。
-为了使用此功能，必须在集群中安装
+为了使用此特性，必须在集群中安装
 [Azure 磁盘 CSI 驱动程序](https://github.com/kubernetes-sigs/azuredisk-csi-driver)，
-并且 `CSIMigration` 和 `CSIMigrationAzureDisk` 功能必须被启用。
+并且 `CSIMigration` 特性必须被启用。
 
 <!--
 #### azureDisk CSI migration complete
@@ -288,14 +296,20 @@ and the kubelet, set the `InTreePluginAzureDiskUnregister` flag to `true`.
 要禁止控制器管理器和 kubelet 加载 `azureDisk` 存储插件，
 请将 `InTreePluginAzureDiskUnregister` 标志设置为 `true`。
 
-### azureFile {#azurefile}
-
 <!--
+### azureFile (deprecated) {#azurefile}
+
+{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
+
 The `azureFile` volume type mounts a Microsoft Azure File volume (SMB 2.1 and 3.0)
 into a Pod.
 
 For more details, see the [`azureFile` volume plugin](https://github.com/kubernetes/examples/tree/master/staging/volumes/azure_file/README.md).
 -->
+### azureFile （已弃用）    {#azurefile}
+
+{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
+
 `azureFile` 卷类型用来在 Pod 上挂载 Microsoft Azure 文件卷（File Volume）（SMB 2.1 和 3.0）。
 更多详情请参考 [`azureFile` 卷插件](https://github.com/kubernetes/examples/tree/master/staging/volumes/azure_file/README.md)。
 
@@ -314,18 +328,19 @@ Driver](https://github.com/kubernetes-sigs/azurefile-csi-driver)
 must be installed on the cluster and the `CSIMigration` and `CSIMigrationAzureFile`
 [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) must be enabled.
 -->
-启用 `azureFile` 的 `CSIMigration` 功能后，所有插件操作将从现有的树内插件重定向到
-`file.csi.azure.com` 容器存储接口（CSI）驱动程序。要使用此功能，必须在集群中安装
+启用 `azureFile` 的 `CSIMigration` 特性后，所有插件操作将从现有的树内插件重定向到
+`file.csi.azure.com` 容器存储接口（CSI）驱动程序。要使用此特性，必须在集群中安装
 [Azure 文件 CSI 驱动程序](https://github.com/kubernetes-sigs/azurefile-csi-driver)，
 并且 `CSIMigration` 和 `CSIMigrationAzureFile`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 必须被启用。
 
 <!--
-Azure File CSI driver does not support using same volume with different fsgroups, if Azurefile CSI migration is enabled, using same volume with different fsgroups won't be supported at all.
+Azure File CSI driver does not support using same volume with different fsgroups. If
+`CSIMigrationAzureFile` is enabled, using same volume with different fsgroups won't be supported at all.
 -->
 Azure 文件 CSI 驱动尚不支持为同一卷设置不同的 fsgroup。
-如果 AzureFile CSI 迁移被启用，用不同的 fsgroup 来使用同一卷也是不被支持的。
+如果 `CSIMigrationAzureFile` 特性被启用，用不同的 fsgroup 来使用同一卷也是不被支持的。
 
 <!--
 #### azureDisk CSI migration complete
@@ -370,23 +385,29 @@ See the [CephFS example](https://github.com/kubernetes/examples/tree/master/volu
 -->
 更多信息请参考 [CephFS 示例](https://github.com/kubernetes/examples/tree/master/volumes/cephfs/)。
 
-### cinder {#cinder}
+<!--
+### cinder (deprecated) {#cinder}
+-->
+### cinder （已弃用）   {#cinder}
+
+{{< feature-state for_k8s_version="v1.18" state="deprecated" >}}
 
+{{< note >}}
 <!--
 Kubernetes must be configured with the OpenStack cloud provider.
 -->
-{{< note >}}
 Kubernetes 必须配置了 OpenStack Cloud Provider。
 {{< /note >}}
 
 <!--
 The `cinder` volume type is used to mount the OpenStack Cinder volume into your pod.
-
-#### Cinder Volume Example configuration
 -->
 `cinder` 卷类型用于将 OpenStack Cinder 卷挂载到 Pod 中。
 
-#### Cinder 卷示例配置
+<!--
+#### Cinder Volume Example configuration
+-->
+#### Cinder 卷示例配置  {#cinder-volume-example-configuration}
 
 ```yaml
 apiVersion: v1
@@ -413,29 +434,31 @@ spec:
 -->
 #### OpenStack CSI 迁移
 
-{{< feature-state for_k8s_version="v1.21" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
-The `CSIMigration` feature for Cinder is enabled by default in Kubernetes 1.21.
+The `CSIMigration` feature for Cinder is enabled by default since Kubernetes 1.21.
 It redirects all plugin operations from the existing in-tree plugin to the
 `cinder.csi.openstack.org` Container Storage Interface (CSI) Driver.
 [OpenStack Cinder CSI Driver](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md)
 must be installed on the cluster.
-You can disable Cinder CSI migration for your cluster by setting the `CSIMigrationOpenStack`
-[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to `false`.
-If you disable the `CSIMigrationOpenStack` feature, the in-tree Cinder volume plugin takes responsibility
-for all aspects of Cinder volume storage management.
 -->
-Cinder 的 `CSIMigration` 功能在 Kubernetes 1.21 版本中是默认被启用的。
+自 Kubernetes 1.21 版本起，Cinder 的 `CSIMigration` 特性是默认被启用的。
 此特性会将插件的所有操作从现有的树内插件重定向到
 `cinder.csi.openstack.org` 容器存储接口（CSI）驱动程序。
-为了使用此功能，必须在集群中安装
+为了使用此特性，必须在集群中安装
 [OpenStack Cinder CSI 驱动程序](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md)，
 你可以通过设置 `CSIMigrationOpenStack`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 为 `false` 来禁止 Cinder CSI 迁移。
-如果你禁用了 `CSIMigrationOpenStack` 功能特性，则树内的 Cinder 卷插件
-会负责 Cinder 卷存储管理的方方面面。
+
+<!--
+To disable the in-tree Cinder plugin from being loaded by the controller manager
+and the kubelet, you can enable the `InTreePluginOpenStackUnregister`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/).
+-->
+要禁止控制器管理器和 kubelet 加载树内 Cinder 插件，你可以启用
+`InTreePluginOpenStackUnregister` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 
 ### configMap
 
@@ -445,7 +468,7 @@ provides a way to inject configuration data into Pods.
 The data stored in a ConfigMap object can be referenced in a volume of type
 `configMap` and then consumed by containerized applications running in a Pod.
 -->
-[`configMap`](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)
+[`configMap`](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
 卷提供了向 Pod 注入配置数据的方法。
 ConfigMap 对象中存储的数据可以被 `configMap` 类型的卷引用，然后被 Pod 中运行的容器化应用使用。
 
@@ -501,7 +524,7 @@ keyed with `log_level`.
 * Text data is exposed as files using the UTF-8 character encoding. For other character encodings, use `binaryData`.
 -->
 {{< note >}}
-* 在使用 [ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/) 之前你首先要创建它。
+* 在使用 [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/) 之前你首先要创建它。
 * 容器以 [subPath](#using-subpath) 卷挂载方式使用 ConfigMap 时，将无法接收 ConfigMap 的更新。
 * 文本数据挂载成文件时采用 UTF-8 字符编码。如果使用其他字符编码形式，可使用
   `binaryData` 字段。
@@ -527,7 +550,7 @@ receive Downward API updates.
 <!--
 See the [`downwardAPI` volume example](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)  for more details.
 -->
-更多详细信息请参考 [`downwardAPI` 卷示例](/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)。
+更多详细信息请参考 [`downwardAPI` 卷示例](/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/)。
 
 ### emptyDir
 
@@ -589,7 +612,7 @@ backed volumes are sized to 50% of the memory on a Linux host.
 -->
 
 {{< note >}}
-当启用 `SizeMemoryBackedVolumes` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+当启用 `SizeMemoryBackedVolumes` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 时，你可以为基于内存提供的卷指定大小。
 如果未指定大小，则基于内存的卷的大小为 Linux 主机上内存的 50％。
 {{< /note>}}
@@ -783,8 +806,8 @@ within the same region. In order to use this feature, the volume must be provisi
 as a PersistentVolume; referencing the volume directly from a Pod is not supported.
 -->
 [区域持久盘](https://cloud.google.com/compute/docs/disks/#repds)
-功能允许你创建能在同一区域的两个可用区中使用的持久盘。
-要使用这个功能，必须以持久卷（PersistentVolume）的方式提供卷；直接从
+特性允许你创建能在同一区域的两个可用区中使用的持久盘。
+要使用这个特性，必须以持久卷（PersistentVolume）的方式提供卷；直接从
 Pod 引用这种卷是不可以的。
 
 <!--
@@ -795,7 +818,7 @@ Before creating a PersistentVolume, you must create the PD:
 -->
 #### 手动供应基于区域 PD 的 PersistentVolume {#manually-provisioning-regional-pd-pv}
 
-使用[为 GCE PD 定义的存储类](/zh/docs/concepts/storage/storage-classes/#gce)
+使用[为 GCE PD 定义的存储类](/zh-cn/docs/concepts/storage/storage-classes/#gce)
 可以实现动态供应。在创建 PersistentVolume 之前，你首先要创建 PD。
 
 ```shell
@@ -851,11 +874,11 @@ Driver](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-drive
 must be installed on the cluster and the `CSIMigration` and `CSIMigrationGCE`
 beta features must be enabled.
 -->
-启用 GCE PD 的 `CSIMigration` 功能后，所有插件操作将从现有的树内插件重定向到
+启用 GCE PD 的 `CSIMigration` 特性后，所有插件操作将从现有的树内插件重定向到
 `pd.csi.storage.gke.io` 容器存储接口（ CSI ）驱动程序。
-为了使用此功能，必须在集群中上安装
+为了使用此特性，必须在集群中上安装
 [GCE PD CSI驱动程序](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver)，
-并且 `CSIMigration` 和 `CSIMigrationGCE` Beta 功能必须被启用。
+并且 `CSIMigration` 和 `CSIMigrationGCE` Beta 特性必须被启用。
 
 <!-- 
 #### GCE CSI migration complete
@@ -1040,7 +1063,7 @@ Watch out when using this type of volume, because:
 * 具有相同配置（例如基于同一 PodTemplate 创建）的多个 Pod
   会由于节点上文件的不同而在不同节点上有不同的行为。
 * 下层主机上创建的文件或目录只能由 root 用户写入。你需要在
-  [特权容器](/zh/docs/tasks/configure-pod-container/security-context/)
+  [特权容器](/zh-cn/docs/tasks/configure-pod-container/security-context/)
   中以 root 身份运行进程，或者修改主机上的文件权限以便容器能够写入 `hostPath` 卷。
 
 <!--
@@ -1241,7 +1264,7 @@ such as node resource requirements, node selectors, Pod affinity, and Pod anti-a
 -->
 使用 `local` 卷时，建议创建一个 StorageClass 并将其 `volumeBindingMode` 设置为
 `WaitForFirstConsumer`。要了解更多详细信息，请参考
-[local StorageClass 示例](/zh/docs/concepts/storage/storage-classes/#local)。
+[local StorageClass 示例](/zh-cn/docs/concepts/storage/storage-classes/#local)。
 延迟卷绑定的操作可以确保 Kubernetes 在为 PersistentVolumeClaim 作出绑定决策时，会评估
 Pod 可能具有的其他节点约束，例如：如节点资源需求、节点选择器、Pod亲和性和 Pod 反亲和性。
 
@@ -1301,7 +1324,7 @@ A `persistentVolumeClaim` volume is used to mount a
 are a way for users to "claim" durable storage (such as a GCE PersistentDisk or an
 iSCSI volume) without knowing the details of the particular cloud environment.
 -->
-`persistentVolumeClaim` 卷用来将[持久卷](/zh/docs/concepts/storage/persistent-volumes/)（PersistentVolume）挂载到 Pod 中。
+`persistentVolumeClaim` 卷用来将[持久卷](/zh-cn/docs/concepts/storage/persistent-volumes/)（PersistentVolume）挂载到 Pod 中。
 持久卷申领（PersistentVolumeClaim）是用户在不知道特定云环境细节的情况下“申领”持久存储（例如
 GCE PersistentDisk 或者 iSCSI 卷）的一种方法。
 
@@ -1309,7 +1332,7 @@ GCE PersistentDisk 或者 iSCSI 卷）的一种方法。
 See the [PersistentVolumes example](/docs/concepts/storage/persistent-volumes/) for more
 details.
 -->
-更多详情请参考[持久卷示例](/zh/docs/concepts/storage/persistent-volumes/)。
+更多详情请参考[持久卷示例](/zh-cn/docs/concepts/storage/persistent-volumes/)。
 
 ### portworxVolume {#portworxvolume}
 
@@ -1372,7 +1395,7 @@ For more details, see the [Portworx volume](https://github.com/kubernetes/exampl
 A projected volume maps several existing volume sources into the same
 directory. For more details, see [projected volumes](/docs/concepts/storage/projected-volumes/).
 -->
-投射卷能将若干现有的卷来源映射到同一目录上。更多详情请参考[投射卷](/zh/docs/concepts/storage/projected-volumes/)。
+投射卷能将若干现有的卷来源映射到同一目录上。更多详情请参考[投射卷](/zh-cn/docs/concepts/storage/projected-volumes/)。
 
 ### quobyte (已弃用) {#quobyte}
 
@@ -1456,11 +1479,11 @@ must be installed on the cluster and the `CSIMigration` and `csiMigrationRBD`
 [feature gates](/docs/reference/command-line-tools-reference/feature-gates/)
 must be enabled.
 -->
-启用 RBD 的 `CSIMigration` 功能后，所有插件操作从现有的树内插件重定向到
+启用 RBD 的 `CSIMigration` 特性后，所有插件操作从现有的树内插件重定向到
 `rbd.csi.ceph.com` {{<glossary_tooltip text="CSI" term_id="csi" >}} 驱动程序。
-要使用该功能，必须在集群内安装
+要使用该特性，必须在集群内安装
 [Ceph CSI 驱动](https://github.com/ceph/ceph-csi)，并启用 `CSIMigration` 和 `csiMigrationRBD` 
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 
 <!--
 As a Kubernetes cluster operator that administers storage, here are the
@@ -1502,7 +1525,7 @@ backed by tmpfs (a RAM-backed filesystem) so they are never written to
 non-volatile storage.
 -->
 `secret` 卷用来给 Pod 传递敏感信息，例如密码。你可以将 Secret 存储在 Kubernetes
-API 服务器上，然后以文件的形式挂在到 Pod 中，无需直接与 Kubernetes 耦合。
+API 服务器上，然后以文件的形式挂载到 Pod 中，无需直接与 Kubernetes 耦合。
 `secret` 卷由 tmpfs（基于 RAM 的文件系统）提供存储，因此它们永远不会被写入非易失性（持久化的）存储器。
 
 <!--
@@ -1523,7 +1546,7 @@ receive Secret updates.
 <!--
 For more details, see [Configuring Secrets](/docs/concepts/configuration/secret/).
 -->
-更多详情请参考[配置 Secrets](/zh/docs/concepts/configuration/secret/)。
+更多详情请参考[配置 Secrets](/zh-cn/docs/concepts/configuration/secret/)。
 
 ### storageOS (已弃用) {#storageos}
 
@@ -1601,15 +1624,13 @@ For more information about StorageOS, dynamic provisioning, and PersistentVolume
 关于 StorageOS 的进一步信息、动态供应和持久卷申领等等，请参考
 [StorageOS 示例](https://github.com/kubernetes/examples/blob/master/volumes/storageos)。
 
-### vsphereVolume {#vspherevolume}
+### vsphereVolume（弃用） {#vspherevolume}
 
 <!--
-You must configure the Kubernetes vSphere Cloud Provider. For cloudprovider
-configuration, refer to the [vSphere Getting Started guide](https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/).
+We recommend to use vSphere CSI out-of-tree driver instead.
 -->
 {{< note >}}
-你必须配置 Kubernetes 的 vSphere 云驱动。云驱动的配置方法请参考
-[vSphere 使用指南](https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/)。
+建议你改用 vSphere CSI 树外驱动程序。
 {{< /note >}}
 
 <!--
@@ -1620,68 +1641,6 @@ of a volume are preserved when it is unmounted. It supports both VMFS and VSAN d
 在卸载卷时，卷的内容会被保留。
 vSphereVolume 卷类型支持 VMFS 和 VSAN 数据仓库。
 
-<!--
-You must create VMDK using one of the following methods before using with Pod.
--->
-{{< caution >}}
-在挂载到 Pod 之前，你必须用下列方式之一创建 VMDK。
-{{< /caution >}}
-
-<!--
-#### Creating a VMDK volume {#creating-vmdk-volume}
-
-Choose one of the following methods to create a VMDK.
--->
-#### 创建 VMDK 卷  {#creating-vmdk-volume}
-
-选择下列方式之一创建 VMDK。
-
-{{< tabs name="tabs_volumes" >}}
-{{% tab name="使用 vmkfstools 创建" %}}
-
-首先 ssh 到 ESX，然后使用下面的命令来创建 VMDK：
-
-```shell
-vmkfstools -c 2G /vmfs/volumes/DatastoreName/volumes/myDisk.vmdk
-```
-{{% /tab %}}
-{{% tab name="使用 vmware-vdiskmanager 创建" %}}
-
-使用下面的命令创建 VMDK：
-
-```shell
-vmware-vdiskmanager -c -t 0 -s 40GB -a lsilogic myDisk.vmdk
-```
-{{% /tab %}}
-
-{{< /tabs >}}
-
-
-<!--
-#### vSphere VMDK configuration example {#vsphere-vmdk-configuration}
--->
-#### vSphere VMDK 配置示例    {#vsphere-vmdk-configuration}
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: test-vmdk
-spec:
-  containers:
-  - image: k8s.gcr.io/test-webserver
-    name: test-container
-    volumeMounts:
-    - mountPath: /test-vmdk
-      name: test-volume
-  volumes:
-  - name: test-volume
-    # 此 VMDK 卷必须已经存在
-    vsphereVolume:
-      volumePath: "[DatastoreName] volumes/myDisk"
-      fsType: ext4
-```
-
 <!--
 For more information, see the [vSphere volume](https://github.com/kubernetes/examples/tree/master/staging/volumes/vsphere) examples.
 -->
@@ -1707,13 +1666,29 @@ must be installed on the cluster and the `CSIMigration` and `CSIMigrationvSphere
 为了使用此功能特性，必须在集群中安装
 [vSphere CSI 驱动](https://github.com/kubernetes-sigs/vsphere-csi-driver)，并启用
 `CSIMigration` 和 `CSIMigrationvSphere`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 
 <!--
-This also requires minimum vSphere vCenter/ESXi Version to be 7.0u1 and minimum HW Version to be VM version 15.
+You can find additional advice on how to migrate in VMware's
+documentation page [Migrating In-Tree vSphere Volumes to vSphere Container Storage Plug-in](https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/2.0/vmware-vsphere-csp-getting-started/GUID-968D421F-D464-4E22-8127-6CB9FF54423F.html).
+-->
+你可以在 VMware 的文档页面
+[迁移树内 vSphere 卷插件到 vSphere 容器存储插件](https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/2.0/vmware-vsphere-csp-getting-started/GUID-968D421F-D464-4E22-8127-6CB9FF54423F.html)
+中找到有关如何迁移的其他建议。
+<!--
+Kubernetes v{{< skew currentVersion >}} requires that you are using vSphere 7.0u2 or later
+in order to migrate to the out-of-tree CSI driver.
+If you are running a version of Kubernetes other than v{{< skew currentVersion >}}, consult
+the documentation for that version of Kubernetes.
+If you are running Kubernetes v{{< skew currentVersion >}} and an older version of vSphere,
+consider upgrading to at least vSphere 7.0u2.
 -->
-此特性还要求 vSphere vCenter/ESXi 的版本至少为 7.0u1，且 HW 版本至少为
-VM version 15。
+为了迁移到树外 CSI 驱动程序，Kubernetes v{{< skew currentVersion >}}
+要求你使用 vSphere 7.0u2 或更高版本。
+如果你正在运行 v{{< skew currentVersion >}} 以外的 Kubernetes 版本，
+请查阅该 Kubernetes 版本的文档。
+如果你正在运行 Kubernetes v{{< skew currentVersion >}} 和旧版本的 vSphere，
+请考虑至少升级到 vSphere 7.0u2。
 
 {{< note >}}
 <!--
@@ -1767,12 +1742,12 @@ It redirects all plugin operations from the existing in-tree plugin to the
 must be installed on the cluster.
 To enable the feature, set `CSIMigrationPortworx=true` in kube-controller-manager and kubelet.
 -->
-Kubernetes 1.23 中加入了 Portworx 的 `CSIMigration` 功能，但默认不会启用，因为该功能仍处于 alpha 阶段。
-该功能会将所有的插件操作从现有的树内插件重定向到
+Kubernetes 1.23 中加入了 Portworx 的 `CSIMigration` 特性，但默认不会启用，因为该特性仍处于 alpha 阶段。
+该特性会将所有的插件操作从现有的树内插件重定向到
 `pxd.portworx.com` 容器存储接口（Container Storage Interface, CSI）驱动程序。
 集群中必须安装
 [Portworx CSI 驱动](https://docs.portworx.com/portworx-install-with-kubernetes/storage-operations/csi/)。
-要启用此功能，请在 kube-controller-manager 和 kubelet 中设置 `CSIMigrationPortworx=true`。
+要启用此特性，请在 kube-controller-manager 和 kubelet 中设置 `CSIMigrationPortworx=true`。
 
 <!--
 ## Using subPath {#using-subpath}
@@ -1900,7 +1875,7 @@ To learn about requesting space using a resource specification, see
 [how to manage resources](/docs/concepts/configuration/manage-resources-containers/).
 -->
 要了解如何使用资源规约来请求空间，可参考
-[如何管理资源](/zh/docs/concepts/configuration/manage-resources-containers/)。
+[如何管理资源](/zh-cn/docs/concepts/configuration/manage-resources-containers/)。
 
 
 <!--
@@ -1994,9 +1969,9 @@ if the driver supports that (beta feature)
 `csi` 卷可以在 Pod 中以三种方式使用：
 
 * 通过 PersistentVolumeClaim(#persistentvolumeclaim) 对象引用
-* 使用[一般性的临时卷](/zh/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volume)
+* 使用[一般性的临时卷](/zh-cn/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volume)
   （Alpha 特性）
-* 使用 [CSI 临时卷](/zh/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume)，
+* 使用 [CSI 临时卷](/zh-cn/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume)，
   前提是驱动支持这种用法（Beta 特性）
 
 <!--
@@ -2126,7 +2101,7 @@ You can set up your
 [PersistentVolume/PersistentVolumeClaim with raw block volume support](/docs/concepts/storage/persistent-volumes/#raw-block-volume-support) as usual, without any CSI specific changes.
 -->
 你可以和以前一样，安装自己的
-[带有原始块卷支持的 PV/PVC](/zh/docs/concepts/storage/persistent-volumes/#raw-block-volume-support)，
+[带有原始块卷支持的 PV/PVC](/zh-cn/docs/concepts/storage/persistent-volumes/#raw-block-volume-support)，
 采用 CSI 对此过程没有影响。
 
 <!--
@@ -2145,15 +2120,41 @@ for more information.
 -->
 你可以直接在 Pod 规约中配置 CSI 卷。采用这种方式配置的卷都是临时卷，
 无法在 Pod 重新启动后继续存在。
-进一步的信息可参阅[临时卷](/zh/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume)。
+进一步的信息可参阅[临时卷](/zh-cn/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volume)。
 
 <!--
-For more information on how to develop a CSI driver, refer to the [kubernetes-csi
-documentation](https://kubernetes-csi.github.io/docs/)
-
+For more information on how to develop a CSI driver, refer to the
+[kubernetes-csi documentation](https://kubernetes-csi.github.io/docs/)
 -->
 有关如何开发 CSI 驱动的更多信息，请参考 [kubernetes-csi 文档](https://kubernetes-csi.github.io/docs/)。
 
+<!--
+#### Windows CSI proxy
+-->
+#### Windows CSI 代理  {#windows-csi-proxy}
+
+{{< feature-state for_k8s_version="v1.22" state="stable" >}}
+
+<!--
+CSI node plugins need to perform various privileged
+operations like scanning of disk devices and mounting of file systems. These operations
+differ for each host operating system. For Linux worker nodes, containerized CSI node
+node plugins are typically deployed as privileged containers. For Windows worker nodes,
+privileged operations for containerized CSI node plugins is supported using
+[csi-proxy](https://github.com/kubernetes-csi/csi-proxy), a community-managed,
+stand-alone binary that needs to be pre-installed on each Windows node.
+
+For more details, refer to the deployment guide of the CSI plugin you wish to deploy.
+-->
+CSI 节点插件需要执行多种特权操作，例如扫描磁盘设备和挂载文件系统等。
+这些操作在每个宿主操作系统上都是不同的。对于 Linux 工作节点而言，容器化的 CSI
+节点插件通常部署为特权容器。对于 Windows 工作节点而言，容器化 CSI
+节点插件的特权操作是通过 [csi-proxy](https://github.com/kubernetes-csi/csi-proxy)
+来支持的。csi-proxy 是一个由社区管理的、独立的可执行二进制文件，
+需要被预安装到每个 Windows 节点上。
+
+要了解更多的细节，可以参考你要部署的 CSI 插件的部署指南。
+
 <!--
 #### Migrating to CSI drivers from in-tree plugins
 -->
@@ -2170,19 +2171,30 @@ configuration changes to existing Storage Classes, PersistentVolumes or Persiste
 
 The operations and features that are supported include:
 provisioning/delete, attach/detach, mount/unmount and resizing of volumes.
-
-In-tree plugins that support `CSIMigration` and have a corresponding CSI driver implemented
-are listed in [Types of Volumes](#volume-types).
 -->
-启用 `CSIMigration` 功能后，针对现有树内插件的操作会被重定向到相应的 CSI 插件（应已安装和配置）。
+启用 `CSIMigration` 特性后，针对现有树内插件的操作会被重定向到相应的 CSI 插件（应已安装和配置）。
 因此，操作员在过渡到取代树内插件的 CSI 驱动时，无需对现有存储类、PV 或 PVC（指树内插件）进行任何配置更改。
 
-所支持的操作和功能包括：配备（Provisioning）/删除、挂接（Attach）/解挂（Detach）、
+所支持的操作和特性包括：配备（Provisioning）/删除、挂接（Attach）/解挂（Detach）、
 挂载（Mount）/卸载（Unmount）和调整卷大小。
 
+<!--
+In-tree plugins that support `CSIMigration` and have a corresponding CSI driver implemented
+are listed in [Types of Volumes](#volume-types).
+
+The following in-tree plugins support persistent storage on Windows nodes:
+-->
 上面的[卷类型](#volume-types)节列出了支持 `CSIMigration` 并已实现相应 CSI
 驱动程序的树内插件。
 
+下面是支持 Windows 节点上持久性存储的树内插件：
+
+* [`awsElasticBlockStore`](#awselasticblockstore)
+* [`azureDisk`](#azuredisk)
+* [`azureFile`](#azurefile)
+* [`gcePersistentDisk`](#gcepersistentdisk)
+* [`vsphereVolume`](#vspherevolume)
+
 ### flexVolume
 
 {{< feature-state for_k8s_version="v1.23" state="deprecated" >}}
@@ -2202,14 +2214,24 @@ FlexVolume 是一个使用基于 exec 的模型来与驱动程序对接的树外
 Pod 通过 `flexvolume` 树内插件与 FlexVolume 驱动程序交互。
 更多详情请参考 FlexVolume [README](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md#readme) 文档。
 
+<!--
+The following FlexVolume [plugins](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows),
+deployed as PowerShell scripts on the host, support Windows nodes:
+-->
+下面的 FlexVolume [插件](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)
+以 PowerShell 脚本的形式部署在宿主系统上，支持 Windows 节点：
+
+* [SMB](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~smb.cmd)
+* [iSCSI](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~iscsi.cmd)
+
+{{< note >}}
 <!--
 FlexVolume is deprecated. Using an out-of-tree CSI driver is the recommended way to integrate external storage with Kubernetes.
 
 Maintainers of FlexVolume driver should implement a CSI Driver and help to migrate users of FlexVolume drivers to CSI.
 Users of FlexVolume should move their workloads to use the equivalent CSI Driver.
 -->
-{{< note >}}
-FlexVolume 已弃用。推荐使用树外 CSI 驱动来将外部存储整合进 Kubernetes。
+FlexVolume 已被弃用。推荐使用树外 CSI 驱动来将外部存储整合进 Kubernetes。
 
 FlexVolume 驱动的维护者应开发一个 CSI 驱动并帮助用户从 FlexVolume 驱动迁移到 CSI。
 FlexVolume 用户应迁移工作负载以使用对等的 CSI 驱动。
@@ -2334,10 +2356,8 @@ sudo systemctl restart docker
 
 ## {{% heading "whatsnext" %}}
 
-
 <!--
 Follow an example of [deploying WordPress and MySQL with Persistent Volumes](/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/).
 -->
-
-参考[使用持久卷部署 WordPress 和 MySQL](/zh/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/) 示例。
+参考[使用持久卷部署 WordPress 和 MySQL](/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/) 示例。
 
diff --git a/content/zh-cn/docs/concepts/storage/windows-storage.md b/content/zh-cn/docs/concepts/storage/windows-storage.md
new file mode 100644
index 0000000000000..697aa224775f4
--- /dev/null
+++ b/content/zh-cn/docs/concepts/storage/windows-storage.md
@@ -0,0 +1,132 @@
+---
+title: Windows 存储
+content_type: concept
+---
+<!--
+reviewers:
+- jingxu97
+- mauriciopoppe
+- jayunit100
+- jsturtevant
+- marosset
+- aravindhp
+title: Windows Storage
+content_type: concept
+-->
+
+<!-- overview -->
+<!--
+This page provides an storage overview specific to the Windows operating system.
+-->
+此页面提供特定于 Windows 操作系统的存储概述。
+<!-- body -->
+
+<!--
+## Persistent storage {#storage}
+
+Windows has a layered filesystem driver to mount container layers and create a copy
+filesystem based on NTFS. All file paths in the container are resolved only within
+the context of that container.
+-->
+## 持久存储 {#storage}
+Windows 有一个分层文件系统驱动程序用来挂载容器层和创建基于 NTFS 的文件系统拷贝。
+容器中的所有文件路径仅在该容器的上下文中解析。
+
+<!--
+* With Docker, volume mounts can only target a directory in the container, and not
+  an individual file. This limitation does not apply to containerd.
+* Volume mounts cannot project files or directories back to the host filesystem.
+* Read-only filesystems are not supported because write access is always required
+  for the Windows registry and SAM database. However, read-only volumes are supported.
+* Volume user-masks and permissions are not available. Because the SAM is not shared
+  between the host & container, there's no mapping between them. All permissions are
+  resolved within the context of the container.
+-->
+* 使用 Docker 时，卷挂载只能是容器中的目录，而不能是单个文件。此限制不适用于 containerd。
+* 卷挂载不能将文件或目录映射回宿主文件系统。
+* 不支持只读文件系统，因为 Windows 注册表和 SAM 数据库始终需要写访问权限。不过，Windows 支持只读的卷。
+* 不支持卷的用户掩码和访问许可，因为宿主与容器之间并不共享 SAM，二者之间不存在映射关系。
+  所有访问许可都是在容器上下文中解析的。
+
+<!--
+As a result, the following storage functionality is not supported on Windows nodes:
+-->
+因此，Windows 节点不支持以下存储功能：
+
+<!--
+* Volume subpath mounts: only the entire volume can be mounted in a Windows container
+* Subpath volume mounting for Secrets
+* Host mount projection
+* Read-only root filesystem (mapped volumes still support `readOnly`)
+* Block device mapping
+* Memory as the storage medium (for example, `emptyDir.medium` set to `Memory`)
+* File system features like uid/gid; per-user Linux filesystem permissions
+* Setting [secret permissions with DefaultMode](/docs/concepts/configuration/secret/#secret-files-permissions) (due to UID/GID dependency)
+* NFS based storage/volume support
+* Expanding the mounted volume (resizefs)
+-->
+* 卷子路径挂载：只能在 Windows 容器上挂载整个卷
+* Secret 的子路径挂载
+* 宿主挂载映射
+* 只读的根文件系统（映射的卷仍然支持 `readOnly`）
+* 块设备映射
+* 内存作为存储介质（例如 `emptyDir.medium` 设置为 `Memory`）
+* 类似 UID/GID、各用户不同的 Linux 文件系统访问许可等文件系统特性
+* 使用 [DefaultMode 设置 Secret 权限](/zh-cn/docs/concepts/configuration/secret/#secret-files-permissions)
+  （因为该特性依赖 UID/GID）
+* 基于 NFS 的存储和卷支持
+* 扩展已挂载卷（resizefs）
+
+<!--
+Kubernetes {{< glossary_tooltip text="volumes" term_id="volume" >}} enable complex
+applications, with data persistence and Pod volume sharing requirements, to be deployed
+on Kubernetes. Management of persistent volumes associated with a specific storage
+back-end or protocol includes actions such as provisioning/de-provisioning/resizing
+of volumes, attaching/detaching a volume to/from a Kubernetes node and
+mounting/dismounting a volume to/from individual containers in a pod that needs to
+persist data.
+-->
+使用 Kubernetes {{< glossary_tooltip text="卷" term_id="volume" >}}，
+对数据持久性和 Pod 卷共享有需求的复杂应用也可以部署到 Kubernetes 上。
+管理与特定存储后端或协议相关的持久卷时，相关的操作包括：对卷的制备（Provisioning）、
+去配（De-provisioning）和调整大小，将卷挂接到 Kubernetes 节点或从节点上解除挂接，
+将卷挂载到需要持久数据的 Pod 中的某容器上或从容器上卸载。
+
+<!--
+Volume management components are shipped as Kubernetes volume
+[plugin](/docs/concepts/storage/volumes/#types-of-volumes).
+The following broad classes of Kubernetes volume plugins are supported on Windows:
+-->
+卷管理组件作为 Kubernetes 卷[插件](/zh-cn/docs/concepts/storage/volumes/#types-of-volumes)发布。
+Windows 支持以下类型的 Kubernetes 卷插件：
+
+<!--
+* [`FlexVolume plugins`](/docs/concepts/storage/volumes/#flexVolume)
+  * Please note that FlexVolumes have been deprecated as of 1.23
+* [`CSI Plugins`](/docs/concepts/storage/volumes/#csi)
+-->
+* [`FlexVolume plugins`](/zh-cn/docs/concepts/storage/volumes/#flexVolume)
+  * 请注意自 1.23 版本起，FlexVolume 已被弃用
+* [`CSI Plugins`](/zh-cn/docs/concepts/storage/volumes/#csi)
+
+<!--
+##### In-tree volume plugins
+
+The following in-tree plugins support persistent storage on Windows nodes:
+-->
+##### 树内（In-Tree）卷插件  {#in-tree-volume-plugins}
+
+以下树内（In-Tree）插件支持 Windows 节点上的持久存储：
+
+<!--
+* [`awsElasticBlockStore`](/docs/concepts/storage/volumes/#awselasticblockstore)
+* [`azureDisk`](/docs/concepts/storage/volumes/#azuredisk)
+* [`azureFile`](/docs/concepts/storage/volumes/#azurefile)
+* [`gcePersistentDisk`](/docs/concepts/storage/volumes/#gcepersistentdisk)
+* [`vsphereVolume`](/docs/concepts/storage/volumes/#vspherevolume)
+-->
+* [`awsElasticBlockStore`](/zh-cn/docs/concepts/storage/volumes/#awselasticblockstore)
+* [`azureDisk`](/zh-cn/docs/concepts/storage/volumes/#azuredisk)
+* [`azureFile`](/zh-cn/docs/concepts/storage/volumes/#azurefile)
+* [`gcePersistentDisk`](/zh-cn/docs/concepts/storage/volumes/#gcepersistentdisk)
+* [`vsphereVolume`](/zh-cn/docs/concepts/storage/volumes/#vspherevolume)
\ No newline at end of file
diff --git a/content/zh-cn/docs/concepts/windows/_index.md b/content/zh-cn/docs/concepts/windows/_index.md
new file mode 100644
index 0000000000000..a78ddcfe75f02
--- /dev/null
+++ b/content/zh-cn/docs/concepts/windows/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Kubernetes 中的 Windows"
+weight: 50
+---
+<!--
+title: "Windows in Kubernetes"
+weight: 50
+-->
diff --git a/content/zh-cn/docs/concepts/windows/intro.md b/content/zh-cn/docs/concepts/windows/intro.md
new file mode 100644
index 0000000000000..1ea44cfc3d9be
--- /dev/null
+++ b/content/zh-cn/docs/concepts/windows/intro.md
@@ -0,0 +1,721 @@
+---
+title: Kubernetes 中的 Windows 容器
+content_type: concept
+weight: 65
+---
+<!--
+reviewers:
+- jayunit100
+- jsturtevant
+- marosset
+- perithompson
+title: Windows containers in Kubernetes
+content_type: concept
+weight: 65
+-->
+
+<!-- overview -->
+<!--
+Windows applications constitute a large portion of the services and applications that
+run in many organizations. [Windows containers](https://aka.ms/windowscontainers)
+provide a way to encapsulate processes and package dependencies, making it easier
+to use DevOps practices and follow cloud native patterns for Windows applications.
+
+Organizations with investments in Windows-based applications and Linux-based
+applications don't have to look for separate orchestrators to manage their workloads,
+leading to increased operational efficiencies across their deployments, regardless
+of operating system.
+-->
+在许多组织中，所运行的很大一部分服务和应用是 Windows 应用。
+[Windows 容器](https://aka.ms/windowscontainers)提供了一种封装进程和包依赖项的方式，
+从而简化了 DevOps 实践，令 Windows 应用程序同样遵从云原生模式。
+
+对于同时投入基于 Windows 应用和 Linux 应用的组织而言，他们不必寻找不同的编排系统来管理其工作负载，
+使其跨部署的运营效率得以大幅提升，而不必关心所用的操作系统。
+
+<!-- body -->
+
+<!--
+## Windows nodes in Kubernetes
+
+To enable the orchestration of Windows containers in Kubernetes, include Windows nodes
+in your existing Linux cluster. Scheduling Windows containers in
+{{< glossary_tooltip text="Pods" term_id="pod" >}} on Kubernetes is similar to
+scheduling Linux-based containers.
+
+In order to run Windows containers, your Kubernetes cluster must include
+multiple operating systems.
+While you can only run the {{< glossary_tooltip text="control plane" term_id="control-plane" >}} on Linux,
+you can deploy worker nodes running either Windows or Linux.
+-->
+## Kubernetes 中的 Windows 节点 {#windows-nodes-in-k8s}
+
+若要在 Kubernetes 中启用对 Windows 容器的编排，可以在现有的 Linux 集群中包含 Windows 节点。
+在 Kubernetes 上调度 {{< glossary_tooltip text="Pod" term_id="pod" >}} 中的 Windows 容器与调度基于 Linux 的容器类似。
+
+为了运行 Windows 容器，你的 Kubernetes 集群必须包含多个操作系统。
+尽管你只能在 Linux 上运行{{< glossary_tooltip text="控制平面" term_id="control-plane" >}}，
+你可以部署运行 Windows 或 Linux 的工作节点。
+
+<!--
+Windows {{< glossary_tooltip text="nodes" term_id="node" >}} are
+[supported](#windows-os-version-support) provided that the operating system is
+Windows Server 2019.
+
+This document uses the term *Windows containers* to mean Windows containers with
+process isolation. Kubernetes does not support running Windows containers with
+[Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container).
+-->
+支持 Windows {{< glossary_tooltip text="节点" term_id="node" >}}的前提是操作系统为 Windows Server 2019。
+
+本文使用术语 **Windows 容器**表示具有进程隔离能力的 Windows 容器。
+Kubernetes 不支持使用
+[Hyper-V 隔离能力](https://docs.microsoft.com/zh-cn/virtualization/windowscontainers/manage-containers/hyperv-container)来运行
+Windows 容器。
+
+<!--
+## Compatibility and limitations {#limitations}
+
+Some node features are only available if you use a specific
+[container runtime](#container-runtime); others are not available on Windows nodes,
+including:
+
+* HugePages: not supported for Windows containers
+* Privileged containers: not supported for Windows containers.
+  [HostProcess Containers](/docs/tasks/configure-pod-container/create-hostprocess-pod/) offer similar functionality.
+* TerminationGracePeriod: requires containerD
+-->
+## 兼容性与局限性 {#limitations}
+
+某些节点层面的功能特性仅在使用特定[容器运行时](#container-runtime)时才可用；
+另外一些特性则在 Windows 节点上不可用，包括：
+
+* 巨页（HugePages）：Windows 容器当前不支持。
+* 特权容器：Windows 容器当前不支持。
+  [HostProcess 容器](/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod/)提供类似功能。
+* TerminationGracePeriod：需要 containerD。
+
+<!--
+Not all features of shared namespaces are supported. See [API compatibility](#api)
+for more details.
+
+See [Windows OS version compatibility](#windows-os-version-support) for details on
+the Windows versions that Kubernetes is tested against.
+
+From an API and kubectl perspective, Windows containers behave in much the same
+way as Linux-based containers. However, there are some notable differences in key
+functionality which are outlined in this section.
+-->
+Windows 节点并不支持共享命名空间的所有功能特性。
+有关更多详细信息，请参考 [API 兼容性](#api)。
+
+有关 Kubernetes 测试时所使用的 Windows 版本的详细信息，请参考 [Windows 操作系统版本兼容性](#windows-os-version-support)。
+
+从 API 和 kubectl 的角度来看，Windows 容器的行为与基于 Linux 的容器非常相似。
+然而，在本节所概述的一些关键功能上，二者存在一些显著差异。
+
+<!--
+### Comparison with Linux {#compatibility-linux-similarities}
+
+Key Kubernetes elements work the same way in Windows as they do in Linux. This
+section refers to several key workload abstractions and how they map to Windows.
+-->
+### 与 Linux 比较 {#comparison-with-Linux-similarities}
+
+Kubernetes 关键组件在 Windows 上的工作方式与在 Linux 上相同。
+本节介绍几个关键的工作负载抽象及其如何映射到 Windows。
+
+<!--
+* [Pods](/docs/concepts/workloads/pods/)
+
+  A Pod is the basic building block of Kubernetes–the smallest and simplest unit in
+  the Kubernetes object model that you create or deploy. You may not deploy Windows and
+  Linux containers in the same Pod. All containers in a Pod are scheduled onto a single
+  Node where each Node represents a specific platform and architecture. The following
+  Pod capabilities, properties and events are supported with Windows containers:
+  * Single or multiple containers per Pod with process isolation and volume sharing
+  * Pod `status` fields
+  * Readiness, liveness, and startup probes
+  * postStart & preStop container lifecycle hooks
+  * ConfigMap, Secrets: as environment variables or volumes
+  * `emptyDir` volumes
+  * Named pipe host mounts
+  * Resource limits
+  * OS field: 
+    The `.spec.os.name` field should be set to `windows` to indicate that the current Pod uses Windows containers.
+    The `IdentifyPodOS` feature gate needs to be enabled for this field to be recognized.
+
+    {{< note >}}
+    Starting from 1.24, the `IdentifyPodOS` feature gate is in Beta stage and defaults to be enabled.
+    {{< /note >}}
+
+    If the `IdentifyPodOS` feature gate is enabled and you set the `.spec.os.name` field to `windows`,
+    you must not set the following fields in the `.spec` of that Pod:  
+    In the above list, wildcards (`*`) indicate all elements in a list.
+    For example, `spec.containers[*].securityContext` refers to the SecurityContext object
+    for all containers. If any of these fields is specified, the Pod will
+    not be admited by the API server.
+-->
+* [Pod](/zh-cn/docs/concepts/workloads/pods/)
+  
+  Pod 是 Kubernetes 的基本构建块，是可以创建或部署的最小和最简单的单元。
+  你不可以在同一个 Pod 中部署 Windows 和 Linux 容器。
+  Pod 中的所有容器都调度到同一 Node 上，每个 Node 代表一个特定的平台和体系结构。
+  Windows 容器支持以下 Pod 能力、属性和事件：
+  
+  * 每个 Pod 有一个或多个容器，具有进程隔离和卷共享能力
+  * Pod `status` 字段
+  * 就绪、存活和启动探针
+  * postStart 和 preStop 容器生命周期回调
+  * ConfigMap 和 Secret：作为环境变量或卷
+  * `emptyDir` 卷
+  * 命名管道形式的主机挂载
+  * 资源限制
+  * 操作系统字段：
+
+    `.spec.os.name` 字段应设置为 `windows` 以表明当前 Pod 使用 Windows 容器。
+    需要启用 `IdentifyPodOS` 特性门控才能让这个字段被识别。
+    
+    {{< note >}} 
+    从 1.24 开始，`IdentifyPodOS` 特性门控进入 Beta 阶段，默认启用。
+    {{< /note >}}
+    
+    如果 `IdentifyPodOS` 特性门控已启用并且你将 `.spec.os.name` 字段设置为 `windows`，
+    则你不得在对应 Pod 的 `.spec` 中设置以下字段：
+    
+    * `spec.hostPID`
+    * `spec.hostIPC`
+    * `spec.securityContext.seLinuxOptions`
+    * `spec.securityContext.seccompProfile`
+    * `spec.securityContext.fsGroup`
+    * `spec.securityContext.fsGroupChangePolicy`
+    * `spec.securityContext.sysctls`
+    * `spec.shareProcessNamespace`
+    * `spec.securityContext.runAsUser`
+    * `spec.securityContext.runAsGroup`
+    * `spec.securityContext.supplementalGroups`
+    * `spec.containers[*].securityContext.seLinuxOptions`
+    * `spec.containers[*].securityContext.seccompProfile`
+    * `spec.containers[*].securityContext.capabilities`
+    * `spec.containers[*].securityContext.readOnlyRootFilesystem`
+    * `spec.containers[*].securityContext.privileged`
+    * `spec.containers[*].securityContext.allowPrivilegeEscalation`
+    * `spec.containers[*].securityContext.procMount`
+    * `spec.containers[*].securityContext.runAsUser`
+    * `spec.containers[*].securityContext.runAsGroup`
+ 
+    在上述列表中，通配符（`*`）表示列表中的所有项。
+    例如，`spec.containers[*].securityContext` 指代所有容器的 SecurityContext 对象。
+    如果指定了这些字段中的任意一个，则 API 服务器不会接受此 Pod。
+
+<!--
+* [Workload resources](/docs/concepts/workloads/controllers/) including:
+  * ReplicaSet
+  * Deployment
+  * StatefulSet
+  * DaemonSet
+  * Job
+  * CronJob
+  * ReplicationController
+* {{< glossary_tooltip text="Services" term_id="service" >}}
+  See [Load balancing and Services](#load-balancing-and-services) for more details.
+-->
+* [工作负载资源](/zh-cn/docs/concepts/workloads/controllers/)包括：
+  
+  * ReplicaSet
+  * Deployment
+  * StatefulSet
+  * DaemonSet
+  * Job
+  * CronJob
+  * ReplicationController
+
+* {{< glossary_tooltip text="Services" term_id="service" >}}
+
+  有关更多详细信息，请参考[负载均衡和 Service](#load-balancing-and-services)。
+
+<!--
+Pods, workload resources, and Services are critical elements to managing Windows
+workloads on Kubernetes. However, on their own they are not enough to enable
+the proper lifecycle management of Windows workloads in a dynamic cloud native
+environment. Kubernetes also supports:
+
+* `kubectl exec`
+* Pod and container metrics
+* {{< glossary_tooltip text="Horizontal pod autoscaling" term_id="horizontal-pod-autoscaler" >}}
+* {{< glossary_tooltip text="Resource quotas" term_id="resource-quota" >}}
+* Scheduler preemption
+-->
+Pod、工作负载资源和 Service 是在 Kubernetes 上管理 Windows 工作负载的关键元素。
+然而，它们本身还不足以在动态的云原生环境中对 Windows 工作负载进行恰当的生命周期管理。
+Kubernetes 还支持：
+
+* `kubectl exec`
+* Pod 和容器度量指标
+* {{< glossary_tooltip text="Pod 水平自动扩缩容" term_id="horizontal-pod-autoscaler" >}}
+* {{< glossary_tooltip text="资源配额" term_id="resource-quota" >}}
+* 调度器抢占
+
+<!--
+### Command line options for the kubelet {#kubelet-compatibility}
+
+Some kubelet command line options behave differently on Windows, as described below:
+-->
+### kubelet 的命令行选项 {#kubelet-compatibility}
+
+某些 kubelet 命令行选项在 Windows 上的行为不同，如下所述：
+
+<!--
+* The `--windows-priorityclass` lets you set the scheduling priority of the kubelet process
+  (see [CPU resource management](/docs/concepts/configuration/windows-resource-management/#resource-management-cpu))
+* The `--kubelet-reserve`, `--system-reserve` , and `--eviction-hard` flags update
+  [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
+* Eviction by using `--enforce-node-allocable` is not implemented
+* Eviction by using `--eviction-hard` and `--eviction-soft` are not implemented
+* When running on a Windows node the kubelet does not have memory or CPU
+  restrictions. `--kube-reserved` and `--system-reserved` only subtract from `NodeAllocatable`
+  and do not guarantee resource provided for workloads.
+  See [Resource Management for Windows nodes](/docs/concepts/configuration/windows-resource-management/#resource-reservation)
+  for more information.
+* The `MemoryPressure` Condition is not implemented
+* The kubelet does not take OOM eviction actions
+-->
+* `--windows-priorityclass` 允许你设置 kubelet 进程的调度优先级
+  （参考 [CPU 资源管理](/zh-cn/docs/concepts/configuration/windows-resource-management/#resource-management-cpu)）。
+* `--kubelet-reserve`、`--system-reserve` 和 `--eviction-hard` 标志更新
+  [NodeAllocatable](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)。
+* 未实现使用 `--enforce-node-allocable` 驱逐。
+* 未实现使用 `--eviction-hard` 和 `--eviction-soft` 驱逐。
+* 在 Windows 节点上运行时，kubelet 没有内存或 CPU 限制。
+  `--kube-reserved` 和 `--system-reserved` 仅从 `NodeAllocatable` 中减去，并且不保证为工作负载提供的资源。
+  有关更多信息，请参考 [Windows 节点的资源管理](/zh-cn/docs/concepts/configuration/windows-resource-management/#resource-reservation)。
+* 未实现 `MemoryPressure` 条件。
+* kubelet 不会执行 OOM 驱逐操作。
+
+<!--
+### API compatibility {#api}
+
+There are subtle differences in the way the Kubernetes APIs work for Windows due to the OS
+and container runtime. Some workload properties were designed for Linux, and fail to run on Windows.
+
+At a high level, these OS concepts are different:
+-->
+### API 兼容性 {#api}
+
+由于操作系统和容器运行时的缘故，Kubernetes API 在 Windows 上的工作方式存在细微差异。
+某些工作负载属性是为 Linux 设计的，无法在 Windows 上运行。
+
+从较高的层面来看，以下操作系统概念是不同的：
+
+<!--
+* Identity - Linux uses userID (UID) and groupID (GID) which
+  are represented as integer types. User and group names
+  are not canonical - they are just an alias in `/etc/groups`
+  or `/etc/passwd` back to UID+GID. Windows uses a larger binary
+  [security identifier](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) (SID)
+  which is stored in the Windows Security Access Manager (SAM) database. This
+  database is not shared between the host and containers, or between containers.
+* File permissions - Windows uses an access control list based on (SIDs), whereas
+  POSIX systems such as Linux use a bitmask based on object permissions and UID+GID,
+  plus _optional_ access control lists.
+* File paths - the convention on Windows is to use `\` instead of `/`. The Go IO
+  libraries typically accept both and just make it work, but when you're setting a
+  path or command line that's interpreted inside a container, `\` may be needed.
+-->
+* 身份 - Linux 使用 userID（UID）和 groupID（GID），表示为整数类型。
+  用户名和组名是不规范的，它们只是 `/etc/groups` 或 `/etc/passwd` 中的别名，
+  作为 UID+GID 的后备标识。
+  Windows 使用更大的二进制[安全标识符](https://docs.microsoft.com/zh-cn/windows/security/identity-protection/access-control/security-identifiers)（SID），
+  存放在 Windows 安全访问管理器（Security Access Manager，SAM）数据库中。
+  此数据库在主机和容器之间或容器之间不共享。
+* 文件权限 - Windows 使用基于 SID 的访问控制列表，
+  而像 Linux 使用基于对象权限和 UID+GID 的位掩码（POSIX 系统）以及**可选的**访问控制列表。
+* 文件路径 - Windows 上的约定是使用 `\` 而不是 `/`。
+  Go IO 库通常接受两者，能让其正常工作，但当你设置要在容器内解读的路径或命令行时，
+  可能需要用 `\`。
+
+<!--
+* Signals - Windows interactive apps handle termination differently, and can
+  implement one or more of these:
+  * A UI thread handles well-defined messages including `WM_CLOSE`.
+  * Console apps handle Ctrl-C or Ctrl-break using a Control Handler.
+  * Services register a Service Control Handler function that can accept
+    `SERVICE_CONTROL_STOP` control codes.
+Container exit codes follow the same convention where 0 is success, and nonzero is failure.
+The specific error codes may differ across Windows and Linux. However, exit codes
+passed from the Kubernetes components (kubelet, kube-proxy) are unchanged.
+-->
+* 信号 - Windows 交互式应用处理终止的方式不同，可以实现以下一种或多种：
+  * UI 线程处理包括 `WM_CLOSE` 在内准确定义的消息。
+  * 控制台应用使用控制处理程序（Control Handler）处理 Ctrl-C 或 Ctrl-Break。
+  * 服务会注册可接受 `SERVICE_CONTROL_STOP` 控制码的服务控制处理程序（Service Control Handler）函数。
+
+容器退出码遵循相同的约定，其中 0 表示成功，非零表示失败。
+具体的错误码在 Windows 和 Linux 中可能不同。
+但是，从 Kubernetes 组件（kubelet、kube-proxy）传递的退出码保持不变。
+
+<!--
+##### Field compatibility for container specifications {#compatibility-v1-pod-spec-containers}
+
+The following list documents differences between how Pod container specifications
+work between Windows and Linux:
+
+* Huge pages are not implemented in the Windows container
+  runtime, and are not available. They require [asserting a user
+  privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support)
+  that's not configurable for containers.
+* `requests.cpu` and `requests.memory` - requests are subtracted
+  from node available resources, so they can be used to avoid overprovisioning a
+  node. However, they cannot be used to guarantee resources in an overprovisioned
+  node. They should be applied to all containers as a best practice if the operator
+  wants to avoid overprovisioning entirely.
+-->
+##### 容器规范的字段兼容性 {#compatibility-v1-pod-spec-containers}
+
+以下列表记录了 Pod 容器规范在 Windows 和 Linux 之间的工作方式差异：
+
+* 巨页（Huge page）在 Windows 容器运行时中未实现，且不可用。
+  巨页需要不可为容器配置的[用户特权生效](https://docs.microsoft.com/zh-cn/windows/win32/memory/large-page-support)。
+* `requests.cpu` 和 `requests.memory` -
+  从节点可用资源中减去请求，因此请求可用于避免一个节点过量供应。
+  但是，请求不能用于保证已过量供应的节点中的资源。
+  如果运营商想要完全避免过量供应，则应将设置请求作为最佳实践应用到所有容器。
+<!--
+* `securityContext.allowPrivilegeEscalation` -
+   not possible on Windows; none of the capabilities are hooked up
+* `securityContext.capabilities` -
+   POSIX capabilities are not implemented on Windows
+* `securityContext.privileged` -
+   Windows doesn't support privileged containers
+* `securityContext.procMount` -
+   Windows doesn't have a `/proc` filesystem
+* `securityContext.readOnlyRootFilesystem` -
+   not possible on Windows; write access is required for registry & system
+   processes to run inside the container
+* `securityContext.runAsGroup` -
+   not possible on Windows as there is no GID support
+-->  
+* `securityContext.allowPrivilegeEscalation` -
+  不能在 Windows 上使用；所有权能字都无法生效。
+* `securityContext.capabilities` - POSIX 权能未在 Windows 上实现。
+* `securityContext.privileged` - Windows 不支持特权容器。
+* `securityContext.procMount` - Windows 没有 `/proc` 文件系统。
+* `securityContext.readOnlyRootFilesystem` -
+  不能在 Windows 上使用；对于容器内运行的注册表和系统进程，写入权限是必需的。
+* `securityContext.runAsGroup` - 不能在 Windows 上使用，因为不支持 GID。
+<!--
+* `securityContext.runAsNonRoot` -
+   this setting will prevent containers from running as `ContainerAdministrator`
+   which is the closest equivalent to a root user on Windows.
+* `securityContext.runAsUser` -
+   use [`runAsUserName`](/docs/tasks/configure-pod-container/configure-runasusername)
+   instead
+* `securityContext.seLinuxOptions` -
+   not possible on Windows as SELinux is Linux-specific
+* `terminationMessagePath` -
+   this has some limitations in that Windows doesn't support mapping single files. The
+   default value is `/dev/termination-log`, which does work because it does not
+   exist on Windows by default.
+-->
+* `securityContext.runAsNonRoot` - 
+  此设置将阻止以 `ContainerAdministrator` 身份运行容器，这是 Windows 上与 root 用户最接近的身份。
+* `securityContext.runAsUser` - 改用 [`runAsUserName`](/zh-cn/docs/tasks/configure-pod-container/configure-runasusername)。
+* `securityContext.seLinuxOptions` - 不能在 Windows 上使用，因为 SELinux 特定于 Linux。
+* `terminationMessagePath` - 这个字段有一些限制，因为 Windows 不支持映射单个文件。
+  默认值为 `/dev/termination-log`，因为默认情况下它在 Windows 上不存在，所以能生效。
+
+<!--
+##### Field compatibility for Pod specifications {#compatibility-v1-pod}
+
+The following list documents differences between how Pod specifications work between Windows and Linux:
+
+* `hostIPC` and `hostpid` - host namespace sharing is not possible on Windows
+* `hostNetwork` - There is no Windows OS support to share the host network
+* `dnsPolicy` - setting the Pod `dnsPolicy` to `ClusterFirstWithHostNet` is
+   not supported on Windows because host networking is not provided. Pods always
+   run with a container network.
+* `podSecurityContext` (see below)
+* `shareProcessNamespace` - this is a beta feature, and depends on Linux namespaces
+  which are not implemented on Windows. Windows cannot share process namespaces or
+  the container's root filesystem. Only the network can be shared.
+-->
+##### Pod 规范的字段兼容性 {#compatibility-v1-pod}
+
+以下列表记录了 Pod 规范在 Windows 和 Linux 之间的工作方式差异：
+
+* `hostIPC` 和 `hostpid` - 不能在 Windows 上共享主机命名空间。
+* `hostNetwork` - Windows 操作系统不支持共享主机网络。
+* `dnsPolicy` - Windows 不支持将 Pod `dnsPolicy` 设为 `ClusterFirstWithHostNet`，
+  因为未提供主机网络。Pod 始终用容器网络运行。
+* `podSecurityContext`（参见下文）
+* `shareProcessNamespace` - 这是一个 beta 版功能特性，依赖于 Windows 上未实现的 Linux 命名空间。
+  Windows 无法共享进程命名空间或容器的根文件系统（root filesystem）。
+  只能共享网络。
+<!--
+* `terminationGracePeriodSeconds` - this is not fully implemented in Docker on Windows,
+  see the [GitHub issue](https://github.com/moby/moby/issues/25982).
+  The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT,
+  then Windows waits 5 seconds by default, and finally shuts down
+  all processes using the normal Windows shutdown behavior. The 5
+  second default is actually in the Windows registry
+  [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183),
+  so it can be overridden when the container is built.
+* `volumeDevices` - this is a beta feature, and is not implemented on Windows.
+  Windows cannot attach raw block devices to pods.
+* `volumes`
+  * If you define an `emptyDir` volume, you cannot set its volume source to `memory`.
+* You cannot enable `mountPropagation` for volume mounts as this is not
+  supported on Windows.
+-->
+* `terminationGracePeriodSeconds` - 这在 Windows 上的 Docker 中没有完全实现，
+  请参考 [GitHub issue](https://github.com/moby/moby/issues/25982)。
+  目前的行为是通过 CTRL_SHUTDOWN_EVENT 发送 ENTRYPOINT 进程，然后 Windows 默认等待 5 秒，
+  最后使用正常的 Windows 关机行为终止所有进程。
+  5 秒默认值实际上位于[容器内](https://github.com/moby/moby/issues/25982#issuecomment-426441183)的 Windows 注册表中，
+  因此在构建容器时可以覆盖这个值。
+* `volumeDevices` - 这是一个 beta 版功能特性，未在 Windows 上实现。
+  Windows 无法将原始块设备挂接到 Pod。
+* `volumes`
+  * 如果你定义一个 `emptyDir` 卷，则你无法将卷源设为 `memory`。
+* 你无法为卷挂载启用 `mountPropagation`，因为这在 Windows 上不支持。
+
+<!--
+##### Field compatibility for Pod security context {#compatibility-v1-pod-spec-containers-securitycontext}
+
+None of the Pod [`securityContext`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) fields work on Windows.
+-->
+##### Pod 安全上下文的字段兼容性 {#compatibility-v1-pod-spec-containers-securitycontext}
+
+Pod 的所有 [`securityContext`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
+字段都无法在 Windows 上生效。
+
+<!--
+## Node problem detector
+
+The node problem detector (see
+[Monitor Node Health](/docs/tasks/debug/debug-cluster/monitor-node-health/))
+has preliminary support for Windows.
+For more information, visit the project's [GitHub page](https://github.com/kubernetes/node-problem-detector#windows).
+-->
+## 节点问题检测器 {#node-problem-detector}
+
+节点问题检测器（参考[节点健康监测](/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health/)）初步支持 Windows。
+有关更多信息，请访问该项目的 [GitHub 页面](https://github.com/kubernetes/node-problem-detector#windows)。
+
+<!--
+### Pause container
+
+In a Kubernetes Pod, an infrastructure or “pause” container is first created
+to host the container. In Linux, the cgroups and namespaces that make up a pod
+need a process to maintain their continued existence; the pause process provides
+this. Containers that belong to the same pod, including infrastructure and worker
+containers, share a common network endpoint (same IPv4 and / or IPv6 address, same
+network port spaces). Kubernetes uses pause containers to allow for worker containers
+crashing or restarting without losing any of the networking configuration.
+-->
+### Pause 容器 {#pause-container}
+
+在 Kubernetes Pod 中，首先创建一个基础容器或 “pause” 容器来承载容器。
+在 Linux 中，构成 Pod 的 cgroup 和命名空间维持持续存在需要一个进程；
+而 pause 进程就提供了这个功能。
+属于同一 Pod 的容器（包括基础容器和工作容器）共享一个公共网络端点
+（相同的 IPv4 和/或 IPv6 地址，相同的网络端口空间）。
+Kubernetes 使用 pause 容器以允许工作容器崩溃或重启，而不会丢失任何网络配置。
+
+<!--
+Kubernetes maintains a multi-architecture image that includes support for Windows.
+For Kubernetes v{{< skew currentVersion >}} the recommended pause image is `k8s.gcr.io/pause:3.6`.
+The [source code](https://github.com/kubernetes/kubernetes/tree/master/build/pause)
+is available on GitHub.
+
+Microsoft maintains a different multi-architecture image, with Linux and Windows
+amd64 support, that you can find as `mcr.microsoft.com/oss/kubernetes/pause:3.6`.
+This image is built from the same source as the Kubernetes maintained image but
+all of the Windows binaries are [authenticode signed](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode) by Microsoft.
+The Kubernetes project recommends using the Microsoft maintained image if you are
+deploying to a production or production-like environment that requires signed
+binaries.
+-->
+Kubernetes 维护一个多体系结构的镜像，包括对 Windows 的支持。
+对于 Kubernetes v{{< skew currentVersion >}}，推荐的 pause 镜像为 `k8s.gcr.io/pause:3.6`。
+可在 GitHub 上获得[源代码](https://github.com/kubernetes/kubernetes/tree/master/build/pause)。
+
+Microsoft 维护一个不同的多体系结构镜像，支持 Linux 和 Windows amd64，
+你可以找到的镜像类似 `mcr.microsoft.com/oss/kubernetes/pause:3.6`。
+此镜像的构建与 Kubernetes 维护的镜像同源，但所有 Windows 可执行文件均由
+Microsoft 进行了[验证码签名](https://docs.microsoft.com/zh-cn/windows-hardware/drivers/install/authenticode)。
+如果你正部署到一个需要签名可执行文件的生产或类生产环境，
+Kubernetes 项目建议使用 Microsoft 维护的镜像。
+
+<!--
+### Container runtimes {#container-runtime}
+
+You need to install a
+{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
+into each node in the cluster so that Pods can run there.
+
+The following container runtimes work with Windows:
+-->
+### 容器运行时 {#container-runtime}
+
+你需要将{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}安装到集群中的每个节点，
+这样 Pod 才能在这些节点上运行。
+
+以下容器运行时适用于 Windows：
+
+{{% thirdparty-content %}}
+
+<!--
+#### ContainerD
+
+{{< feature-state for_k8s_version="v1.20" state="stable" >}}
+
+You can use {{< glossary_tooltip term_id="containerd" text="ContainerD" >}} 1.4.0+
+as the container runtime for Kubernetes nodes that run Windows.
+
+Learn how to [install ContainerD on a Windows node](/docs/setup/production-environment/container-runtimes/#install-containerd).
+-->
+#### ContainerD {#containerd}
+
+{{< feature-state for_k8s_version="v1.20" state="stable" >}}
+
+对于运行 Windows 的 Kubernetes 节点，你可以使用
+{{< glossary_tooltip term_id="containerd" text="ContainerD" >}} 1.4.0+ 作为容器运行时。
+
+学习如何[在 Windows 上安装 ContainerD](/zh-cn/docs/setup/production-environment/container-runtimes/#install-containerd)。
+
+<!--
+There is a [known limitation](/docs/tasks/configure-pod-container/configure-gmsa/#gmsa-limitations)
+when using GMSA with containerd to access Windows network shares, which requires a
+kernel patch.
+-->
+{{< note >}}
+将 GMSA 和 containerd 一起用于访问 Windows
+网络共享时存在[已知限制](/zh-cn/docs/tasks/configure-pod-container/configure-gmsa/#gmsa-limitations)，
+这需要一个内核补丁。
+{{< /note >}}
+
+<!--
+#### Mirantis Container Runtime {#mcr}
+
+[Mirantis Container Runtime](https://docs.mirantis.com/mcr/20.10/overview.html) (MCR) is available as a container runtime for all Windows Server 2019 and later versions.
+
+See [Install MCR on Windows Servers](https://docs.mirantis.com/mcr/20.10/install/mcr-windows.html) for more information.
+-->
+#### Mirantis 容器运行时 {#mcr}
+
+[Mirantis 容器运行时](https://docs.mirantis.com/mcr/20.10/overview.html)（MCR）
+可作为所有 Windows Server 2019 和更高版本的容器运行时。
+
+有关更多信息，请参考[在 Windows Server 上安装 MCR](https://docs.mirantis.com/mcr/20.10/install/mcr-windows.html)。
+
+<!--
+## Windows OS version compatibility {#windows-os-version-support}
+
+On Windows nodes, strict compatibility rules apply where the host OS version must
+match the container base image OS version. Only Windows containers with a container
+operating system of Windows Server 2019 are fully supported.
+
+For Kubernetes v{{< skew currentVersion >}}, operating system compatibility for Windows nodes (and Pods)
+is as follows:
+-->
+## Windows 操作系统版本兼容性 {#windows-os-version-support}
+
+在 Windows 节点上，如果主机操作系统版本必须与容器基础镜像操作系统版本匹配，
+则会应用严格的兼容性规则。
+仅 Windows Server 2019 作为容器操作系统时，才能完全支持 Windows 容器。
+
+对于 Kubernetes v{{< skew currentVersion >}}，Windows 节点（和 Pod）的操作系统兼容性如下：
+
+Windows Server LTSC release
+: Windows Server 2019
+: Windows Server 2022
+
+Windows Server SAC release
+:  Windows Server version 20H2
+
+<!--
+The Kubernetes [version-skew policy](/docs/setup/release/version-skew-policy/) also applies.
+-->
+也适用 Kubernetes [版本偏差策略](/zh-cn/releases/version-skew-policy/)。
+
+<!--
+## Getting help and troubleshooting {#troubleshooting}
+
+Your main source of help for troubleshooting your Kubernetes cluster should start
+with the [Troubleshooting](/docs/tasks/debug/)
+page.
+
+Some additional, Windows-specific troubleshooting help is included
+in this section. Logs are an important element of troubleshooting
+issues in Kubernetes. Make sure to include them any time you seek
+troubleshooting assistance from other contributors. Follow the
+instructions in the
+SIG Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs).
+-->
+## 获取帮助和故障排查 {#troubleshooting}
+
+对 Kubernetes 集群进行故障排查的主要帮助来源应始于[故障排查](/zh-cn/docs/tasks/debug/)页面。
+
+本节包括了一些其他特定于 Windows 的故障排查帮助。
+日志是解决 Kubernetes 中问题的重要元素。
+确保在任何时候向其他贡献者寻求故障排查协助时随附了日志信息。
+遵照 SIG Windows
+[日志收集贡献指南](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)中的指示说明。
+
+<!--
+### Reporting issues and feature requests
+
+If you have what looks like a bug, or you would like to
+make a feature request, please follow the [SIG Windows contributing guide](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#reporting-issues-and-feature-requests) to create a new issue.
+You should first search the list of issues in case it was
+reported previously and comment with your experience on the issue and add additional
+logs. SIG Windows channel on the Kubernetes Slack is also a great avenue to get some initial support and
+troubleshooting ideas prior to creating a ticket.
+-->
+### 报告问题和功能请求 {#report-issue-and-feature-request}
+
+如果你发现疑似 bug，或者你想提出功能请求，请按照
+[SIG Windows 贡献指南](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#reporting-issues-and-feature-requests)
+新建一个 Issue。
+你应该先搜索 issue 列表，以防之前报告过这个问题，凭你对该问题的经验添加评论，
+并随附日志信息。
+Kubernetes Slack 上的 SIG Windows 频道也是一个很好的途径，
+可以在创建工单之前获得一些初始支持和故障排查思路。
+
+## {{% heading "whatsnext" %}}
+
+<!--
+### Deployment tools
+
+The kubeadm tool helps you to deploy a Kubernetes cluster, providing the control
+plane to manage the cluster it, and nodes to run your workloads.
+[Adding Windows nodes](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)
+explains how to deploy Windows nodes to your cluster using kubeadm.
+
+The Kubernetes [cluster API](https://cluster-api.sigs.k8s.io/) project also provides means to automate deployment of Windows nodes.
+-->
+### 部署工具 {#deployment-tools}
+
+kubeadm 工具帮助你部署 Kubernetes 集群，提供管理集群的控制平面以及运行工作负载的节点。
+[添加 Windows 节点](/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)阐述了如何使用
+kubeadm 将 Windows 节点部署到你的集群。
+
+Kubernetes [集群 API](https://cluster-api.sigs.k8s.io/) 项目也提供了自动部署 Windows 节点的方式。
+
+<!--
+### Windows distribution channels
+
+For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19).
+
+Information on the different Windows Server servicing channels
+including their support models can be found at
+[Windows Server servicing channels](https://docs.microsoft.com/en-us/windows-server/get-started/servicing-channels-comparison).
+-->
+### Windows 分发渠道 {#windows-distribution-channels}
+
+有关 Windows 分发渠道的详细阐述，请参考
+[Microsoft 文档](https://docs.microsoft.com/zh-cn/windows-server/get-started-19/servicing-channels-19)。
+
+有关支持模型在内的不同 Windows Server 服务渠道的信息，请参考
+[Windows Server 服务渠道](https://docs.microsoft.com/zh-cn/windows-server/get-started/servicing-channels-comparison)。
diff --git a/content/zh/docs/setup/production-environment/windows/user-guide-windows-containers.md b/content/zh-cn/docs/concepts/windows/user-guide.md
similarity index 50%
rename from content/zh/docs/setup/production-environment/windows/user-guide-windows-containers.md
rename to content/zh-cn/docs/concepts/windows/user-guide.md
index f13822c0bf7d6..49d89b946193d 100644
--- a/content/zh/docs/setup/production-environment/windows/user-guide-windows-containers.md
+++ b/content/zh-cn/docs/concepts/windows/user-guide.md
@@ -1,14 +1,13 @@
 ---
-title: Kubernetes 中 Windows 容器的调度指南
+title: Kubernetes 中的 Windows 容器调度指南
 content_type: concept
 weight: 75
 ---
-<!--
+<!-- 
 reviewers:
 - jayunit100
 - jsturtevant
 - marosset
-- perithompson
 title: Guide for scheduling Windows containers in Kubernetes
 content_type: concept
 weight: 75
@@ -16,27 +15,27 @@ weight: 75
 
 <!-- overview -->
 
-<!--
+<!-- 
 Windows applications constitute a large portion of the services and applications that run in many organizations.
-This guide walks you through the steps to configure and deploy a Windows container in Kubernetes.
+This guide walks you through the steps to configure and deploy Windows containers in Kubernetes.
 -->
-Windows 应用程序构成了许多组织中运行的服务和应用程序的很大一部分。
-本指南将引导您完成在 Kubernetes 中配置和部署 Windows 容器的步骤。
+在许多组织中运行的服务和应用程序中，Windows 应用程序构成了很大一部分。
+本指南将引导你完成在 Kubernetes 中配置和部署 Windows 容器的步骤。
 
 <!-- body -->
 
-<!--
+<!-- 
 ## Objectives
 
 * Configure an example deployment to run Windows containers on the Windows node
-* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA)
+* Highlight Windows specific funcationality in Kubernetes
 -->
-## 目标
+## 目标  {#objectives}
 
-* 配置一个示例 deployment 以在 Windows 节点上运行 Windows 容器
-* （可选）使用组托管服务帐户（GMSA）为您的 Pod 配置 Active Directory 身份
+* 配置 Deployment 样例以在 Windows 节点上运行 Windows 容器
+* 在 Kubernetes 中突出 Windows 特定的功能
 
-<!--
+<!-- 
 ## Before you begin
 
 * Create a Kubernetes cluster that includes a
@@ -46,27 +45,25 @@ behaves in much the same way for Linux and Windows containers.
 [Kubectl commands](/docs/reference/kubectl/) to interface with the cluster are identical.
 The example in the section below is provided to jumpstart your experience with Windows containers.
 -->
-## 在你开始之前
+## 在你开始之前  {#before-you-begin}
 
-* 创建一个 Kubernetes 集群，其中包括一个控制平面和
-  [运行 Windows 服务器的工作节点](/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)
-* 重要的是要注意，对于 Linux 和 Windows 容器，在 Kubernetes 
-  上创建和部署服务和工作负载的行为几乎相同。
-  与集群接口的 [kubectl 命令](/zh/docs/reference/kubectl/overview/)相同。
-  提供以下部分中的示例只是为了快速启动  Windows 容器的使用体验。
+* 创建一个 Kubernetes 集群，其中包含一个控制平面和一个[运行 Windows Server 的工作节点](/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)
+* 务必请注意，在 Kubernetes 上创建和部署服务和工作负载的行为方式与 Linux 和 Windows 容器的行为方式大致相同。
+  与集群交互的 [kubectl 命令](/zh-cn/docs/reference/kubectl/)是一致的。
+  下一小节的示例旨在帮助你快速开始使用 Windows 容器。
 
-<!--
+<!-- 
 ## Getting Started: Deploying a Windows container
 
-To deploy a Windows container on Kubernetes, you must first create an example application.
-The example YAML file below creates a simple webserver application.
+The example YAML file below deploys a simple webserver application running inside a Windows container.
+
 Create a service spec named `win-webserver.yaml` with the contents below:
 -->
-## 入门：部署 Windows 容器
+## 快速开始：部署 Windows 容器  {#getting-started-deploying-a-windows-container}
+
+以下示例 YAML 文件部署了一个在 Windows 容器内运行的简单 Web 服务器的应用程序。
 
-要在 Kubernetes 上部署 Windows 容器，您必须首先创建一个示例应用程序。
-下面的示例 YAML  文件创建了一个简单的 Web 服务器应用程序。
-创建一个名为  `win-webserver.yaml`  的服务规约，其内容如下：
+创建一个名为 `win-webserver.yaml` 的 Service 规约，其内容如下：
 
 ```yaml
 apiVersion: v1
@@ -77,7 +74,7 @@ metadata:
     app: win-webserver
 spec:
   ports:
-    # the port that this service should serve on
+    # 此 Service 服务的端口
     - port: 80
       targetPort: 80
   selector:
@@ -112,35 +109,43 @@ spec:
       kubernetes.io/os: windows
 ```
 
-<!--
-Port mapping is also supported, but for simplicity in this example
-the container port 80 is exposed directly to the service.
--->
 {{< note >}}
-端口映射也是支持的，但为简单起见，在此示例中容器端口 80 直接暴露给服务。
+<!-- 
+Port mapping is also supported, but for simplicity this example exposes
+port 80 of the container directly to the Service.
+-->
+端口映射也是支持的，但为简单起见，此示例将容器的端口 80 直接暴露给服务。
 {{< /note >}}
 
-<!--
+<!-- 
 1. Check that all nodes are healthy:
+-->
+1. 检查所有节点是否健康
 
-    ```bash
-    kubectl get nodes
-    ```
+   ```bash
+   kubectl get nodes
+   ```
 
+<!-- 
 1. Deploy the service and watch for pod updates:
+-->
+1. 部署 Service 并监视 Pod 更新：
 
-    ```bash
-    kubectl apply -f win-webserver.yaml
-    kubectl get pods -o wide -w
-    ```
+   ```bash
+   kubectl apply -f win-webserver.yaml
+   kubectl get pods -o wide -w
+   ```
 
-    When the service is deployed correctly both Pods are marked as Ready. To exit the watch command, press Ctrl+C.
+   <!-- 
+   When the service is deployed correctly both Pods are marked as Ready. To exit the watch command, press Ctrl+C.
+   -->
+   当 Service 被正确部署时，两个 Pod 都被标记为就绪（Ready）。要退出 watch 命令，请按 Ctrl+C。
 
+<!-- 
 1. Check that the deployment succeeded. To verify:
 
-    * Two containers per pod on the Windows node, use `docker ps` 
-    * Two pods listed from the Linux control plane node, use `kubectl get pods` 
-    * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux control plane node 
+    * Two pods listed from the Linux control plane node, use `kubectl get pods`
+    * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux control plane node
       to check for a web server response
     * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node)
       using docker exec or kubectl exec
@@ -150,53 +155,34 @@ the container port 80 is exposed directly to the service.
     * Inbound connectivity, `curl` the NodePort from the Linux control plane node or machines outside of the cluster
     * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec
 -->
-1. 检查所有节点是否健康：
-
-   ```bash
-   kubectl get nodes
-   ```
-
-1. 部署服务并观察 pod 更新：
-
-   ```bash
-   kubectl apply -f win-webserver.yaml
-   kubectl get pods -o wide -w
-   ```
-
-   正确部署服务后，两个 Pod 都标记为“Ready”。要退出 watch 命令，请按 Ctrl + C。
+1. 检查部署是否成功。请验证：
+
+   * 使用 `kubectl get pods` 从 Linux 控制平面节点能够列出两个 Pod
+   * 跨网络的节点到 Pod 通信，从 Linux 控制平面节点上执行 `curl` 访问
+     Pod IP 的 80 端口以检查 Web 服务器响应
+   * Pod 间通信，使用 docker exec 或 kubectl exec
+     在 Pod 之间（以及跨主机，如果你有多个 Windows 节点）互 ping
+   * Service 到 Pod 的通信，在 Linux 控制平面节点以及独立的 Pod 中执行 `curl`
+     访问虚拟的服务 IP（在 `kubectl get services` 下查看）
+   * 服务发现，使用 Kubernetes [默认 DNS 后缀](/zh-cn/docs/concepts/services-networking/dns-pod-service/#services)的服务名称，
+     用 `curl` 访问服务名称
+   * 入站连接，在 Linux 控制平面节点或集群外的机器上执行 `curl` 来访问 NodePort 服务
+   * 出站连接，使用 kubectl exec，从 Pod 内部执行 `curl` 访问外部 IP
 
-1. 检查部署是否成功。验证：
-
-   * Windows 节点上每个 Pod 有两个容器，使用  `docker ps` 
-   * Linux 控制平面节点列出两个 Pod，使用  `kubectl get pods` 
-   * 跨网络的节点到 Pod 通信，从 Linux 控制平面节点 `curl` 您的 pod IPs 的端口80，以检查 Web 服务器响应
-   * Pod 到 Pod 的通信，使用 docker exec 或 kubectl exec 在 Pod 之间
-     （以及跨主机，如果你有多个 Windows 节点）进行 ping 操作
-   * 服务到 Pod 的通信，从 Linux 控制平面节点和各个 Pod 中 `curl` 虚拟服务 IP
-     （在 `kubectl get services` 下可见）
-   * 服务发现，使用 Kubernetes `curl` 服务名称
-     [默认 DNS 后缀](/zh/docs/concepts/services-networking/dns-pod-service/#services)
-   * 入站连接，从 Linux 控制平面节点或集群外部的计算机 `curl` NodePort
-   * 出站连接，使用 kubectl exec 从 Pod 内部 curl 外部 IP
-
-<!--
+{{< note >}}
+<!-- 
 Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack.
 Only Windows pods are able to access service IPs.
 -->
-{{< note >}}
-由于当前平台对 Windows 网络堆栈的限制，Windows 容器主机无法访问在其上调度的服务的 IP。只有 Windows pods 才能访问服务 IP。
+由于当前 Windows 平台的网络堆栈限制，Windows 容器主机无法访问调度到其上的 Service 的 IP。
+只有 Windows Pod 能够访问 Service IP。
 {{< /note >}}
 
-<!--
+<!-- 
 ## Observability
 
 ### Capturing logs from workloads
--->
-## 可观测性  {#observability}
-
-### 抓取来自工作负载的日志
 
-<!--
 Logs are an important element of observability; they enable users to gain insights
 into the operational aspect of workloads and are a key ingredient to troubleshooting issues.
 Because Windows containers and workloads inside Windows containers behave differently from Linux containers,
@@ -207,248 +193,245 @@ or push entries to the application event log.
 is the recommended way to monitor configured log sources inside a Windows container.
 LogMonitor supports monitoring event logs, ETW providers, and custom application logs,
 piping them to STDOUT for consumption by `kubectl logs <pod>`.
--->
-日志是可观测性的重要一环；使用日志用户可以获得对负载运行状况的洞察，
-因而日志是故障排查的一个重要手法。
-因为 Windows 容器中的 Windows 容器和负载与 Linux 容器的行为不同，
-用户很难收集日志，因此运行状态的可见性很受限。
-例如，Windows 工作负载通常被配置为将日志输出到 Windows 事件跟踪
-（Event Tracing for Windows，ETW），或者将日志条目推送到应用的事件日志中。
-[LogMonitor](https://github.com/microsoft/windows-container-tools/tree/master/LogMonitor)
-是 Microsoft 提供的一个开源工具，是监视 Windows 容器中所配置的日志源
-的推荐方式。
-LogMonitor 支持监视时间日志、ETW 提供者模块以及自定义的应用日志，
-并使用管道的方式将其输出到标准输出（stdout），以便 `kubectl logs <pod>`
-这类命令能够读取这些数据。
 
-<!--
 Follow the instructions in the LogMonitor GitHub page to copy its binaries and configuration files
 to all your containers and add the necessary entrypoints for LogMonitor to push your logs to STDOUT.
 -->
-请遵照 LogMonitor GitHub 页面上的指令，将其可执行文件和配置文件复制到
-你的所有容器中，并为其添加必要的入口点（Entrypoint），以便 LogMonitor
-能够将你的日志输出推送到标准输出（stdout）。
+## 可观察性  {#observability}
 
+### 捕捉来自工作负载的日志  {#capturing-logs-from-workloads}
 
-<!--
-## Using configurable Container usernames
+日志是可观察性的重要元素；它们使用户能够深入了解工作负载的运行情况，并且是解决问题的关键因素。
+由于 Windows 容器和 Windows 容器中的工作负载与 Linux 容器的行为不同，因此用户很难收集日志，从而限制了操作可见性。
+例如，Windows 工作负载通常配置为记录到 ETW（Windows 事件跟踪）或向应用程序事件日志推送条目。
+[LogMonitor](https://github.com/microsoft/windows-container-tools/tree/master/LogMonitor)
+是一个微软开源的工具，是监视 Windows 容器内所配置的日志源的推荐方法。
+LogMonitor 支持监视事件日志、ETW 提供程序和自定义应用程序日志，将它们传送到 STDOUT 以供 `kubectl logs <pod>` 使用。
+
+按照 LogMonitor GitHub 页面中的说明，将其二进制文件和配置文件复制到所有容器，
+并为 LogMonitor 添加必要的入口点以将日志推送到标准输出（STDOUT）。
+
+<!-- 
+## Configuring container user
 
-Starting with Kubernetes v1.16, Windows containers can be configured to run their entrypoints and processes
+### Using configurable Container usernames
+
+Windows containers can be configured to run their entrypoints and processes
 with different usernames than the image defaults.
-The way this is achieved is a bit different from the way it is done for Linux containers.
 Learn more about it [here](/docs/tasks/configure-pod-container/configure-runasusername/).
 -->
-## 使用可配置的容器用户名
+## 配置容器用户  {#configuring-container-user}
+
+### 使用可配置的容器用户名  {#using-configurable-container-usernames}
 
-从 Kubernetes v1.16 开始，可以为 Windows  容器配置与其镜像默认值不同的用户名
-来运行其入口点和进程。
-此能力的实现方式和 Linux 容器有些不同。
-在[此处](/zh/docs/tasks/configure-pod-container/configure-runasusername/)
-可了解更多信息。
+Windows 容器可以配置为使用不同于镜像默认值的用户名来运行其入口点和进程。
+[在这里](/zh-cn/docs/tasks/configure-pod-container/configure-runasusername/)了解更多信息。
 
-<!--
-## Managing Workload Identity with Group Managed Service Accounts
+<!-- 
+### Managing Workload Identity with Group Managed Service Accounts
 
-Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA).
-Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management,
+Windows container workloads can be configured to use Group Managed Service Accounts (GMSA).
+Group Managed Service Accounts are a specific type of Active Directory account that provide automatic password management,
 simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers.
 Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA.
 Learn more about configuring and using GMSA for Windows containers [here](/docs/tasks/configure-pod-container/configure-gmsa/).
 -->
-## 使用组托管服务帐户管理工作负载身份
+### 使用组托管服务帐户（GMSA）管理工作负载身份  {#managing-workload-identity-with-group-managed-service-accounts}
 
-从 Kubernetes v1.14 开始，可以将 Windows 容器工作负载配置为使用组托管服务帐户（GMSA）。
-组托管服务帐户是 Active Directory 帐户的一种特定类型，它提供自动密码管理，
-简化的服务主体名称（SPN）管理以及将管理委派给跨多台服务器的其他管理员的功能。
-配置了 GMSA 的容器可以访问外部 Active Directory 域资源，同时携带通过 GMSA 配置的身份。
-在[此处](/zh/docs/tasks/configure-pod-container/configure-gmsa/)了解有关为
-Windows 容器配置和使用 GMSA 的更多信息。
+Windows 容器工作负载可以配置为使用组托管服务帐户（Group Managed Service Accounts，GMSA）。
+组托管服务帐户是一种特定类型的活动目录（Active Directory）帐户，可提供自动密码管理、
+简化的服务主体名称（Service Principal Name，SPN）管理，以及将管理委派给多个服务器上的其他管理员的能力。
+配置了 GMSA 的容器可以携带使用 GMSA 配置的身份访问外部活动目录域资源。
+在[此处](/zh-cn/docs/tasks/configure-pod-container/configure-gmsa/)了解有关为 Windows 容器配置和使用 GMSA 的更多信息。
 
-<!--
+<!-- 
 ## Taints and Tolerations
--->
-## 污点和容忍度
 
-<!--
-Users today need to use some combination of taints and node selectors in order to
-keep Linux and Windows workloads on their respective OS-specific nodes.
-This likely imposes a burden only on Windows users. The recommended approach is outlined below,
+Users need to use some combination of taints and node selectors in order to
+schedule Linux and Windows workloads to their respective OS-specific nodes.
+The recommended approach is outlined below,
 with one of its main goals being that this approach should not break compatibility for existing Linux workloads.
--->
-目前，用户需要将 Linux 和 Windows 工作负载运行在各自特定的操作系统的节点上，
-因而需要结合使用污点和节点选择算符。 这可能仅给 Windows 用户造成不便。
-推荐的方法概述如下，其主要目标之一是该方法不应破坏与现有 Linux 工作负载的兼容性。
-<!--
+
 If the `IdentifyPodOS` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is
 enabled, you can (and should) set `.spec.os.name` for a Pod to indicate the operating system
 that the containers in that Pod are designed for. For Pods that run Linux containers, set
 `.spec.os.name` to `linux`. For Pods that run Windows containers, set `.spec.os.name`
 to Windows.
+-->
+## 污点和容忍度  {#taints-and-tolerations}
+
+用户需要使用某种污点（Taint）和节点选择器的组合，以便将 Linux 和 Windows 工作负载各自调度到特定操作系统的节点。
+下面概述了推荐的方法，其主要目标之一是该方法不应破坏现有 Linux 工作负载的兼容性。
 
+如果启用了 `IdentifyPodOS` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+你可以（并且应该）将 Pod 的 `.spec.os.name` 设置为该 Pod 中的容器设计所用于的操作系统。
+对于运行 Linux 容器的 Pod，将 `.spec.os.name` 设置为 `linux`。
+对于运行 Windows 容器的 Pod，将 `.spec.os.name` 设置为 `Windows`。
+
+{{< note >}}
+<!-- 
+Starting from 1.24, the `IdentifyPodOS` feature is in Beta stage and defaults to be enabled.
+-->
+从 1.24 开始，`IdentifyPodOS` 特性处于 Beta 阶段，默认启用。
+{{< /note >}}
+
+<!-- 
 The scheduler does not use the value of `.spec.os.name` when assigning Pods to nodes. You should
 use normal Kubernetes mechanisms for
 [assigning pods to nodes](/docs/concepts/scheduling-eviction/assign-pod-node/)
 to ensure that the control plane for your cluster places pods onto nodes that are running the
 appropriate operating system.
- no effect on the scheduling of the Windows pods, so taints and tolerations and node selectors are still required
+
+The `.spec.os.name` value has no effect on the scheduling of the Windows pods,
+so taints and tolerations and node selectors are still required
  to ensure that the Windows pods land onto appropriate Windows nodes.
- -->
- {{< note >}}
-如果 `IdentifyPodOS` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)是启用的，
-你可以（并且应该）为 Pod 设置 `.spec.os.name` 以表明该 Pod
-中的容器所针对的操作系统。 对于运行 Linux 容器的 Pod，设置 
-`.spec.os.name` 为 `linux`。 对于运行 Windows 容器的 Pod，设置 `.spec.os.name`
-为 `Windows`。
-
-在将 Pod 分配给节点时，调度程序不使用 `.spec.os.name` 的值。你应该使用正常的 Kubernetes
-机制[将 Pod 分配给节点](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)，
-确保集群的控制平面将 Pod 放置到适合运行的操作系统。
-对 Windows Pod 的调度没有影响，因此仍然需要污点、容忍度以及节点选择器，
-以确保 Windows Pod 调度至合适的 Windows 节点。
- {{< /note >}}
-<!--
-### Ensuring OS-specific workloads land on the appropriate container host
 -->
-### 确保特定操作系统的工作负载落在适当的容器主机上
+调度器在将 Pod 分配到节点时并不使用 `.spec.os.name` 的值。
+你应该使用正常的 Kubernetes 机制[将 Pod 分配给节点](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)，
+以确保集群的控制平面将 Pod 放置到运行适当操作系统的节点上。
+
+`.spec.os.name` 值对 Windows Pod 的调度没有影响，
+因此仍然需要污点和容忍以及节点选择器来确保 Windows Pod 落在适当的 Windows 节点。
+
+<!-- 
+### Ensuring OS-specific workloads land on the appropriate container host
 
-<!--
 Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations.
 All Kubernetes nodes today have the following default labels:
+
+* kubernetes.io/os = [windows|linux]
+* kubernetes.io/arch = [amd64|arm64|...]
 -->
-用户可以使用污点和容忍度确保 Windows 容器可以调度在适当的主机上。目前所有 Kubernetes 节点都具有以下默认标签：
+### 确保特定于操作系统的工作负载落到合适的容器主机上  {#ensuring-os-specific-workloads-land-on-the-appropriate-container-host}
+
+用户可以使用污点（Taint）和容忍度（Toleration）确保将 Windows 容器调度至合适的主机上。
+现在，所有的 Kubernetes 节点都有以下默认标签：
 
 * kubernetes.io/os = [windows|linux]
 * kubernetes.io/arch = [amd64|arm64|...]
 
-<!--
+<!-- 
 If a Pod specification does not specify a nodeSelector like `"kubernetes.io/os": windows`,
 it is possible the Pod can be scheduled on any host, Windows or Linux.
 This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux.
 The best practice is to use a nodeSelector.
 -->
-如果 Pod 规范未指定诸如 `"kubernetes.io/os": windows` 之类的 nodeSelector，则该 Pod 
-可能会被调度到任何主机（Windows 或 Linux）上。
-这是有问题的，因为 Windows 容器只能在 Windows 上运行，而 Linux 容器只能在 Linux 上运行。
+如果 Pod 规约没有指定像 `"kubernetes.io/os": windows` 这样的 nodeSelector，
+则 Pod 可以被调度到任何主机上，Windows 或 Linux。
+这可能会有问题，因为 Windows 容器只能在 Windows 上运行，而 Linux 容器只能在 Linux 上运行。
 最佳实践是使用 nodeSelector。
 
-<!--
+<!-- 
 However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers,
 as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators.
 In those situations, you may be hesitant to make the configuration change to add nodeSelectors.
 The alternative is to use Taints. Because the kubelet can set Taints during registration,
 it could easily be modified to automatically add a taint when running on Windows only.
 -->
-但是，我们了解到，在许多情况下，用户都有既存的大量的 Linux 容器部署，以及一个现成的配置生态系统，
-例如社区 Helm charts，以及程序化 Pod 生成案例，例如 Operators。
-在这些情况下，您可能会不愿意更改配置添加 nodeSelector。替代方法是使用污点。
-由于 kubelet 可以在注册期间设置污点，因此可以轻松修改它，使其仅在 Windows 上运行时自动添加污点。
+但是，我们了解到，在许多情况下，用户已经预先存在大量 Linux 容器部署，
+以及现成配置的生态系统，例如社区中的 Helm Chart 包和程序化的 Pod 生成案例，例如 Operator。
+在这些情况下，你可能不愿更改配置来添加节点选择器。
+另一种方法是使用污点。因为 kubelet 可以在注册过程中设置污点，
+所以可以很容易地修改为，当只能在 Windows 上运行时，自动添加污点。
 
-<!--
+<!-- 
 For example:  `--register-with-taints='os=windows:NoSchedule'`
--->
-例如：`--register-with-taints='os=windows:NoSchedule'`
 
-<!--
 By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods).
-In order for a Windows Pod to be scheduled on a Windows node,
+In order for a Windows Pod to be scheduled on a Windows node, 
 it would need both the nodeSelector and the appropriate matching toleration to choose Windows.
 -->
-向所有 Windows 节点添加污点后，Kubernetes 将不会在它们上调度任何负载（包括现有的 Linux Pod）。
-为了使某 Windows Pod 调度到 Windows 节点上，该 Pod 需要 nodeSelector 和合适的匹配的容忍度设置来选择 Windows，
+例如：`--register-with-taints='os=windows:NoSchedule'`
+
+通过向所有 Windows 节点添加污点，任何负载都不会被调度到这些节点上（包括现有的 Linux Pod）。
+为了在 Windows 节点上调度 Windows Pod，它需要 nodeSelector 和匹配合适的容忍度来选择 Windows。
 
 ```yaml
 nodeSelector:
-  kubernetes.io/os: windows
-  node.kubernetes.io/windows-build: '10.0.17763'
+    kubernetes.io/os: windows
+    node.kubernetes.io/windows-build: '10.0.17763'
 tolerations:
-  - key: "os"
-    operator: "Equal"
-    value: "windows"
-    effect: "NoSchedule"
+    - key: "os"
+      operator: "Equal"
+      value: "windows"
+      effect: "NoSchedule"
 ```
 
-<!--
+<!-- 
 ### Handling multiple Windows versions in the same cluster
--->
-### 处理同一集群中的多个 Windows 版本
 
-<!--
 The Windows Server version used by each pod must match that of the node. If you want to use multiple Windows
 Server versions in the same cluster, then you should set additional node labels and nodeSelectors.
--->
-每个 Pod 使用的 Windows Server 版本必须与该节点的 Windows Server 版本相匹配。
-如果要在同一集群中使用多个 Windows Server 版本，则应该设置其他节点标签和
-nodeSelector。
 
-<!--
 Kubernetes 1.17 automatically adds a new label `node.kubernetes.io/windows-build` to simplify this.
 If you're running an older version, then it's recommended to add this label manually to Windows nodes.
--->
-Kubernetes 1.17 自动添加了一个新标签 `node.kubernetes.io/windows-build` 来简化此操作。 
-如果您运行的是旧版本，则建议手动将此标签添加到 Windows 节点。
 
-<!--
 This label reflects the Windows major, minor, and build number that need to match for compatibility.
 Here are values used today for each Windows Server version.
 -->
-此标签反映了需要兼容的 Windows 主要、次要和内部版本号。以下是当前每个
-Windows Server 版本使用的值。
+### 处理同一集群中的多个 Windows 版本  {#handling-multiple-windows-versions-in-the-same-cluster}
+
+每个 Pod 使用的 Windows Server 版本必须与节点的版本匹配。
+如果要在同一个集群中使用多个 Windows Server 版本，则应设置额外的节点标签和节点选择器。
+
+Kubernetes 1.17 自动添加了一个新标签 `node.kubernetes.io/windows-build` 来简化这一点。
+如果你运行的是旧版本，则建议手动将此标签添加到 Windows 节点。
 
-| 产品名称                             |   内部编号             |
+此标签反映了需要匹配以实现兼容性的 Windows 主要、次要和内部版本号。
+以下是目前用于每个 Windows Server 版本的值。
+
+<!-- 
+| Product Name                         |   Build Number(s)      |
+-->
+| 产品名称                              |   构建号                |
 |--------------------------------------|------------------------|
 | Windows Server 2019                  | 10.0.17763             |
-| Windows Server version 1809          | 10.0.17763             |
-| Windows Server version 1903          | 10.0.18362             |
+| Windows Server, Version 20H2         | 10.0.19042             |
+| Windows Server 2022                  | 10.0.20348             |
 
-
-<!--
+<!-- 
 ### Simplifying with RuntimeClass
--->
-### 使用 RuntimeClass 简化
 
-<!--
 [RuntimeClass] can be used to simplify the process of using taints and tolerations.
 A cluster administrator can create a `RuntimeClass` object which is used to encapsulate these taints and tolerations.
--->
-[RuntimeClass](/zh/docs/concepts/containers/runtime-class/) 可用于
-简化使用污点和容忍度的过程。
-集群管理员可以创建 `RuntimeClass` 对象，用于封装这些污点和容忍度。
 
-<!--
 1. Save this file to `runtimeClasses.yml`. It includes the appropriate `nodeSelector`
-   for the Windows OS, architecture, and version.
+for the Windows OS, architecture, and version.
 -->
-1. 将此文件保存到 `runtimeClasses.yml` 文件。
-   它包括适用于 Windows 操作系统、体系结构和版本的 `nodeSelector`。
-
-   ```yaml
-   apiVersion: node.k8s.io/v1
-   kind: RuntimeClass
-   metadata:
-     name: windows-2019
-   handler: 'docker'
-   scheduling:
-     nodeSelector:
-       kubernetes.io/os: 'windows'
-       kubernetes.io/arch: 'amd64'
-       node.kubernetes.io/windows-build: '10.0.17763'
-     tolerations:
-     - effect: NoSchedule
-       key: os
-       operator: Equal
-       value: "windows"
-   ```
+### 使用 RuntimeClass 进行简化  {#simplifying-with-runtimeclass}
 
-<!--
+[RuntimeClass] 可用于简化使用污点和容忍度的流程。
+集群管理员可以创建一个用于封装这些污点和容忍度的 `RuntimeClass` 对象。
+
+1. 将此文件保存到 `runtimeClasses.yml`。它包括针对 Windows 操作系统、架构和版本的 `nodeSelector`。
+
+```yaml
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: windows-2019
+handler: 'docker'
+scheduling:
+  nodeSelector:
+    kubernetes.io/os: 'windows'
+    kubernetes.io/arch: 'amd64'
+    node.kubernetes.io/windows-build: '10.0.17763'
+  tolerations:
+  - effect: NoSchedule
+    key: os
+    operator: Equal
+    value: "windows"
+```
+
+<!-- 
 1. Run `kubectl create -f runtimeClasses.yml` using as a cluster administrator
 1. Add `runtimeClassName: windows-2019` as appropriate to Pod specs
--->
-2. 集群管理员执行 `kubectl create -f runtimeClasses.yml` 操作
-3. 根据需要向 Pod 规约中添加 `runtimeClassName: windows-2019`
 
-<!--
 For example:
 -->
+1. 以集群管理员身份运行 `kubectl create -f runtimeClasses.yml`
+1. 根据情况，向 Pod 规约中添加 `runtimeClassName: windows-2019`
+
 例如：
 
 ```yaml
@@ -495,3 +478,5 @@ spec:
   selector:
     app: iis-2019
 ```
+
+[RuntimeClass]: https://kubernetes.io/docs/concepts/containers/runtime-class/
diff --git a/content/zh/docs/concepts/workloads/_index.md b/content/zh-cn/docs/concepts/workloads/_index.md
similarity index 84%
rename from content/zh/docs/concepts/workloads/_index.md
rename to content/zh-cn/docs/concepts/workloads/_index.md
index a61176f6609ee..5d895415d34ab 100644
--- a/content/zh/docs/concepts/workloads/_index.md
+++ b/content/zh-cn/docs/concepts/workloads/_index.md
@@ -26,7 +26,7 @@ Pod is running means that all the Pods on that node fail. Kubernetes treats that
 of failure as final: you would need to create a new Pod even if the node later recovers.
 -->
 无论你的负载是单一组件还是由多个一同工作的组件构成，在 Kubernetes 中你
-可以在一组 [Pods](/zh/docs/concepts/workloads/pods) 中运行它。
+可以在一组 [Pods](/zh-cn/docs/concepts/workloads/pods) 中运行它。
 在 Kubernetes 中，Pod 代表的是集群上处于运行状态的一组
 {{< glossary_tooltip text="容器" term_id="container" >}}。
 
@@ -37,7 +37,7 @@ For example, once a pod is running in your cluster then a critical fault on the
 all the pods on that node fail. Kubernetes treats that level of failure as final: you
 would need to create a new `Pod` to recover, even if the node later becomes healthy.
 -->
-Kubernetes Pods 有[确定的生命周期](/zh/docs/concepts/workloads/pods/pod-lifecycle/)。
+Kubernetes Pods 有[确定的生命周期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/)。
 例如，当某 Pod 在你的集群中运行时，Pod 运行所在的
 {{< glossary_tooltip text="节点" term_id="node" >}} 出现致命错误时，
 所有该节点上的 Pods 都会失败。Kubernetes 将这类失败视为最终状态：
@@ -72,15 +72,15 @@ Kubernetes 提供若干种内置的工作负载资源：
   `Pods` for that `StatefulSet`, can replicate data to other `Pods` in the same `StatefulSet`
   to improve overall resilience.
 -->
-* [Deployment](/zh/docs/concepts/workloads/controllers/deployment/) 和
-  [ReplicaSet](/zh/docs/concepts/workloads/controllers/replicaset/)
+* [Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/) 和
+  [ReplicaSet](/zh-cn/docs/concepts/workloads/controllers/replicaset/)
   （替换原来的资源 {{< glossary_tooltip text="ReplicationController" term_id="replication-controller" >}}）。
   `Deployment` 很适合用来管理你的集群上的无状态应用，`Deployment` 中的所有
   `Pod` 都是相互等价的，并且在需要的时候被换掉。
-* [StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)
+* [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)
   让你能够运行一个或者多个以某种方式跟踪应用状态的 Pods。
   例如，如果你的负载会将数据作持久存储，你可以运行一个 `StatefulSet`，将每个
-  `Pod` 与某个 [`PersistentVolume`](/zh/docs/concepts/storage/persistent-volumes/)
+  `Pod` 与某个 [`PersistentVolume`](/zh-cn/docs/concepts/storage/persistent-volumes/)
   对应起来。你在 `StatefulSet` 中各个 `Pod` 内运行的代码可以将数据复制到同一
   `StatefulSet` 中的其它 `Pod` 中以提高整体的服务可靠性。
 <!--
@@ -95,14 +95,14 @@ Kubernetes 提供若干种内置的工作负载资源：
   define tasks that run to completion and then stop. Jobs represent one-off tasks, whereas
   `CronJobs` recur according to a schedule.
 -->
-* [DaemonSet](/zh/docs/concepts/workloads/controllers/daemonset/)
+* [DaemonSet](/zh-cn/docs/concepts/workloads/controllers/daemonset/)
   定义提供节点本地支撑设施的 `Pods`。这些 Pods 可能对于你的集群的运维是
   非常重要的，例如作为网络链接的辅助工具或者作为网络
   {{< glossary_tooltip text="插件" term_id="addons" >}}
   的一部分等等。每次你向集群中添加一个新节点时，如果该节点与某 `DaemonSet`
   的规约匹配，则控制面会为该 `DaemonSet` 调度一个 `Pod` 到该新节点上运行。
-* [Job](/zh/docs/concepts/workloads/controllers/job/) 和
-  [CronJob](/zh/docs/concepts/workloads/controllers/cron-jobs/)。
+* [Job](/zh-cn/docs/concepts/workloads/controllers/job/) 和
+  [CronJob](/zh-cn/docs/concepts/workloads/controllers/cron-jobs/)。
   定义一些一直运行到结束并停止的任务。`Job` 用来表达的是一次性的任务，而
   `CronJob` 会根据其时间规划反复运行。
 
@@ -117,7 +117,7 @@ then you can implement or install an extension that does provide that feature.
 -->
 在庞大的 Kubernetes 生态系统中，你还可以找到一些提供额外操作的第三方
 工作负载资源。通过使用
-[定制资源定义（CRD）](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)，
+[定制资源定义（CRD）](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)，
 你可以添加第三方工作负载资源，以完成原本不是 Kubernetes 核心功能的工作。
 例如，如果你希望运行一组 `Pods`，但要求所有 Pods 都可用时才执行操作
 （比如针对某种高吞吐量的分布式任务），你可以实现一个能够满足这一需求
@@ -135,18 +135,18 @@ As well as reading about each resource, you can learn about specific tasks that
 -->
 除了阅读了解每类资源外，你还可以了解与这些资源相关的任务：
 
-* [使用 Deployment 运行一个无状态的应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)
-* 以[单实例](/zh/docs/tasks/run-application/run-single-instance-stateful-application/)
-  或者[多副本集合](/zh/docs/tasks/run-application/run-replicated-stateful-application/)
+* [使用 Deployment 运行一个无状态的应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)
+* 以[单实例](/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application/)
+  或者[多副本集合](/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/)
   的形式运行有状态的应用；
-* [使用 `CronJob` 运行自动化的任务](/zh/docs/tasks/job/automated-tasks-with-cron-jobs/)
+* [使用 `CronJob` 运行自动化的任务](/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/)
 
 <!--
 To learn about Kubernetes' mechanisms for separating code from configuration,
 visit [Configuration](/docs/concepts/configuration/).
 -->
 要了解 Kubernetes 将代码与配置分离的实现机制，可参阅
-[配置部分](/zh/docs/concepts/configuration/)。
+[配置部分](/zh-cn/docs/concepts/configuration/)。
 
 <!--
 There are two supporting concepts that provide backgrounds about how Kubernetes manages pods
@@ -158,9 +158,9 @@ for applications:
 -->
 关于 Kubernetes 如何为应用管理 Pods，还有两个支撑概念能够提供相关背景信息：
 
-* [垃圾收集](/zh/docs/concepts/workloads/controllers/garbage-collection/)机制负责在
+* [垃圾收集](/zh-cn/docs/concepts/workloads/controllers/garbage-collection/)机制负责在
   对象的 _属主资源_ 被删除时在集群中清理这些对象。
-* [_Time-to-Live_ 控制器](/zh/docs/concepts/workloads/controllers/ttlafterfinished/)
+* [_Time-to-Live_ 控制器](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/)
   会在 Job 结束之后的指定时间间隔之后删除它们。
 
 <!--
@@ -169,6 +169,6 @@ a [`Service`](/docs/concepts/services-networking/service/) or, for web applicati
 using an [`Ingress`](/docs/concepts/services-networking/ingress).
 -->
 一旦你的应用处于运行状态，你就可能想要以
-[`Service`](/zh/docs/concepts/services-networking/service/)
+[`Service`](/zh-cn/docs/concepts/services-networking/service/)
 的形式使之可在互联网上访问；或者对于 Web 应用而言，使用
-[`Ingress`](/zh/docs/concepts/services-networking/ingress) 资源将其暴露到互联网上。
+[`Ingress`](/zh-cn/docs/concepts/services-networking/ingress) 资源将其暴露到互联网上。
diff --git a/content/zh/docs/concepts/workloads/controllers/_index.md b/content/zh-cn/docs/concepts/workloads/controllers/_index.md
similarity index 100%
rename from content/zh/docs/concepts/workloads/controllers/_index.md
rename to content/zh-cn/docs/concepts/workloads/controllers/_index.md
diff --git a/content/zh/docs/concepts/workloads/controllers/cron-jobs.md b/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
similarity index 73%
rename from content/zh/docs/concepts/workloads/controllers/cron-jobs.md
rename to content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
index e31fa8edc36b9..ad93bcd604d5c 100644
--- a/content/zh/docs/concepts/workloads/controllers/cron-jobs.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
@@ -54,7 +54,7 @@ recommended in a production cluster.
 -->
 
 {{< caution >}}
-如 [v1 CronJob API](/zh/docs/reference/kubernetes-api/workload-resources/cron-job-v1/) 所述，官方并不支持设置时区。
+如 [v1 CronJob API](/zh-cn/docs/reference/kubernetes-api/workload-resources/cron-job-v1/) 所述，官方并不支持设置时区。
 
 Kubernetes 项目官方并不支持设置如 `CRON_TZ` 或者 `TZ` 等变量。
 `CRON_TZ` 或者 `TZ` 是用于解析和计算下一个 Job 创建时间所使用的内部库中一个实现细节。
@@ -69,7 +69,7 @@ append 11 characters to the job name provided and there is a constraint that the
 maximum length of a Job name is no more than 63 characters.
 -->
 为 CronJob 资源创建清单时，请确保所提供的名称是一个合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 名称不能超过 52 个字符。
 这是因为 CronJob 控制器将自动在提供的 Job 名称后附加 11 个字符，并且存在一个限制，
 即 Job 名称的最大长度不能超过 63 个字符。
@@ -84,7 +84,7 @@ report generation, and so on. Each of those tasks should be configured to recur
 indefinitely (for example: once a day / week / month); you can define the point
 in time within that interval when the job should start.
 -->
-## CronJob
+## CronJob    {#cronjob}
 
 CronJob 用于执行周期性的动作，例如备份、报告生成等。
 这些任务中的每一个都应该配置为周期性重复的（例如：每天/每周/每月一次）；
@@ -95,19 +95,19 @@ CronJob 用于执行周期性的动作，例如备份、报告生成等。
 
 This example CronJob manifest prints the current time and a hello message every minute:
 -->
-### 示例
+### 示例    {#example}
 
 下面的 CronJob 示例清单会在每分钟打印出当前时间和问候消息：
 
 {{< codenew file="application/job/cronjob.yaml" >}}
 
-[使用 CronJob 运行自动化任务](/zh/docs/tasks/job/automated-tasks-with-cron-jobs/)
+[使用 CronJob 运行自动化任务](/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/)
 一文会为你详细讲解此例。
 
 <!--
 ### Cron schedule syntax
 -->
-### Cron 时间表语法
+### Cron 时间表语法    {#cron-schedule-syntax}
 
 ```
 # ┌───────────── 分钟 (0 - 59)
@@ -150,6 +150,69 @@ To generate CronJob schedule expressions, you can also use web tools like [cront
 -->
 要生成 CronJob 时间表表达式，你还可以使用 [crontab.guru](https://crontab.guru/) 之类的 Web 工具。
 
+<!-- 
+## Time zones
+For CronJobs with no time zone specified, the kube-controller-manager interprets schedules relative to its local time zone.
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+If you enable the  `CronJobTimeZone` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/),
+you can specify a time zone for a CronJob (if you don't enable that feature gate, or if you are using a version of
+Kubernetes that does not have experimental time zone support, all CronJobs in your cluster have an unspecified
+timezone).
+
+When you have the feature enabled, you can set `spec.timeZone` to the name of a valid [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) name. For example, setting
+`spec.timeZone: "Etc/UTC"` instructs Kubernetes to interpret the schedule relative to Coordinated Universal Time.
+
+A time zone database from the Go standard library is included in the binaries and used as a fallback in case an external database is not available on the system.
+-->
+
+## 时区    {#time-zones}
+对于没有指定时区的 CronJob，kube-controller-manager 基于本地时区解释排期表（Schedule）。
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+如果启用了 `CronJobTimeZone` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+你可以为 CronJob 指定一个时区（如果你没有启用该特性门控，或者你使用的是不支持试验性时区功能的
+Kubernetes 版本，集群中所有 CronJob 的时区都是未指定的）。
+
+启用该特性后，你可以将 `spec.timeZone`
+设置为有效[时区](https://zh.wikipedia.org/wiki/%E6%97%B6%E5%8C%BA%E4%BF%A1%E6%81%AF%E6%95%B0%E6%8D%AE%E5%BA%93)名称。 
+例如，设置 `spec.timeZone: "Etc/UTC"` 指示 Kubernetes 采用 UTC 来解释排期表。
+
+Go 标准库中的时区数据库包含在二进制文件中，并用作备用数据库，以防系统上没有可用的外部数据库。
+
+
+<!--
+## Time zones
+For CronJobs with no time zone specified, the kube-controller-manager interprets schedules relative to its local time zone.
+-->
+## 时区    {#time-zones}
+对于没有指定时区的 CronJob，kube-controller-manager 会根据其本地时区来解释其排期表（schedule）。
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+<!--
+If you enable the  `CronJobTimeZone` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/),
+you can specify a time zone for a CronJob (if you don't enable that feature gate, or if you are using a version of
+Kubernetes that does not have experimental time zone support, all CronJobs in your cluster have an unspecified
+timezone).
+-->
+如果启用 `CronJobTimeZone` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+你可以为 CronJob 指定时区（如果你不启用该特性门控，或者如果你使用的 Kubernetes 版本不支持实验中的时区特性，
+则集群中的所有 CronJob 都属于未指定时区）。
+
+<!--
+When you have the feature enabled, you can set `spec.timeZone` to the name of a valid [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) name. For example, setting
+`spec.timeZone: "Etc/UTC"` instructs Kubernetes to interpret the schedule relative to Coordinated Universal Time.
+
+A time zone database from the Go standard library is included in the binaries and used as a fallback in case an external database is not available on the system.
+-->
+当你启用该特性时，你可以将 `spec.timeZone` 设置为有效的[时区](https://zh.wikipedia.org/wiki/%E6%97%B6%E5%8C%BA%E4%BF%A1%E6%81%AF%E6%95%B0%E6%8D%AE%E5%BA%93)名称。
+例如，设置 `spec.timeZone: "Etc/UTC"` 表示 Kubernetes
+使用协调世界时（Coordinated Universal Time）进行解释排期表。
+
+Go 标准库中的时区数据库包含在二进制文件中，并用作备用数据库，以防系统上没有外部数据库可用。
 <!--
 ## CronJob Limitations
 
@@ -157,7 +220,7 @@ A cron job creates a job object _about_ once per execution time of its schedule.
 are certain circumstances where two jobs might be created, or no job might be created. We attempt to make these rare,
 but do not completely prevent them. Therefore, jobs should be _idempotent_.
 -->
-## CronJob 限制  {#cron-job-limitations}
+## CronJob 限制    {#cronjob-limitations}
 
 CronJob 根据其计划编排，在每次该执行任务的时候大约会创建一个 Job。
 我们之所以说 "大约"，是因为在某些情况下，可能会创建两个 Job，或者不会创建任何 Job。
@@ -242,12 +305,12 @@ and use the original CronJob controller instead, one pass the `CronJobController
 flag to the {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}},
 and set this flag to `false`. For example:
 -->
-## 控制器版本   {#new-controller}
+## 控制器版本    {#new-controller}
 
 从 Kubernetes v1.21 版本开始，CronJob 控制器的第二个版本被用作默认实现。
 要禁用此默认 CronJob 控制器而使用原来的 CronJob 控制器，请在
 {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}}
-中设置[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+中设置[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 `CronJobControllerV2`，将此标志设置为 `false`。例如：
 
 ```
@@ -271,11 +334,11 @@ and set this flag to `false`. For example:
   object definition to understand the API for Kubernetes cron jobs.
 -->
 
-* 了解 CronJob 所依赖的 [Pods](/zh/docs/concepts/workloads/pods/) 与 [Job](/zh/docs/concepts/workloads/controllers/job/) 的概念。
+* 了解 CronJob 所依赖的 [Pod](/zh-cn/docs/concepts/workloads/pods/) 与 [Job](/zh-cn/docs/concepts/workloads/controllers/job/) 的概念。
 * 阅读 CronJob `.spec.schedule` 字段的[格式](https://pkg.go.dev/github.com/robfig/cron/v3#hdr-CRON_Expression_Format)。
 * 有关创建和使用 CronJob 的说明及示例规约文件，请参见
-  [使用 CronJob 运行自动化任务](/zh/docs/tasks/job/automated-tasks-with-cron-jobs/)。
-* 有关自动清理失败或完成作业的说明，请参阅[自动清理作业](/zh/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically)
+  [使用 CronJob 运行自动化任务](/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/)。
+* 有关自动清理失败或完成作业的说明，请参阅[自动清理作业](/zh-cn/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically)
 * `CronJob` 是 Kubernetes REST API 的一部分，
    阅读 {{< api-reference page="workload-resources/cron-job-v1" >}}
    对象定义以了解关于该资源的 API。
diff --git a/content/zh/docs/concepts/workloads/controllers/daemonset.md b/content/zh-cn/docs/concepts/workloads/controllers/daemonset.md
similarity index 89%
rename from content/zh/docs/concepts/workloads/controllers/daemonset.md
rename to content/zh-cn/docs/concepts/workloads/controllers/daemonset.md
index d8acb65797732..40927843c6597 100644
--- a/content/zh/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/daemonset.md
@@ -91,13 +91,13 @@ section.
 
 和所有其他 Kubernetes 配置一样，DaemonSet 需要 `apiVersion`、`kind` 和 `metadata` 字段。
 有关配置文件的基本信息，参见
-[部署应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)、
-[配置容器](/zh/docs/tasks/)和
-[使用 kubectl 进行对象管理](/zh/docs/concepts/overview/working-with-objects/object-management/)
+[部署应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)、
+[配置容器](/zh-cn/docs/tasks/)和
+[使用 kubectl 进行对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)
 文档。
 
 DaemonSet 对象的名称必须是一个合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 DaemonSet 也需要一个 [`.spec`](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) 配置段。
 
@@ -120,14 +120,14 @@ A Pod Template in a DaemonSet must have a [`RestartPolicy`](/docs/concepts/workl
 
 `.spec` 中唯一必需的字段是 `.spec.template`。
 
-`.spec.template` 是一个 [Pod 模板](/zh/docs/concepts/workloads/pods/#pod-templates)。
+`.spec.template` 是一个 [Pod 模板](/zh-cn/docs/concepts/workloads/pods/#pod-templates)。
 除了它是嵌套的，因而不具有 `apiVersion` 或 `kind` 字段之外，它与
 {{< glossary_tooltip text="Pod" term_id="pod" >}} 具有相同的 schema。
 
 除了 Pod 必需字段外，在 DaemonSet 中的 Pod 模板必须指定合理的标签（查看 [Pod 选择算符](#pod-selector)）。
 
 在 DaemonSet 中的 Pod 模板必须具有一个值为 `Always` 的
-[`RestartPolicy`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)。
+[`RestartPolicy`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)。
 当该值未指定时，默认是 `Always`。
 
 <!--
@@ -145,7 +145,7 @@ unintentional orphaning of Pods, and it was found to be confusing to users.
 ### Pod 选择算符     {#pod-selector}
 
 `.spec.selector` 字段表示 Pod 选择算符，它与
-[Job](/zh/docs/concepts/workloads/controllers/job/) 的 `.spec.selector` 的作用是相同的。
+[Job](/zh-cn/docs/concepts/workloads/controllers/job/) 的 `.spec.selector` 的作用是相同的。
 
 你必须指定与 `.spec.template` 的标签匹配的 Pod 选择算符。
 此外，一旦创建了 DaemonSet，它的 `.spec.selector` 就不能修改。
@@ -162,7 +162,7 @@ The `.spec.selector` is an object consisting of two fields:
 * `matchExpressions` - allows to build more sophisticated selectors by specifying key,
   list of values and an operator that relates the key and values.
 -->
-* `matchLabels` - 与 [ReplicationController](/zh/docs/concepts/workloads/controllers/replicationcontroller/)
+* `matchLabels` - 与 [ReplicationController](/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/)
   的 `.spec.selector` 的作用相同。
 * `matchExpressions` - 允许构建更加复杂的选择器，可以通过指定 key、value
   列表以及将 key 和 value 列表关联起来的 operator。
@@ -192,9 +192,9 @@ If you do not specify either, then the DaemonSet controller will create Pods on
 ### 仅在某些节点上运行 Pod   {#running-pods-on-only-some-nodes}
 
 如果指定了 `.spec.template.spec.nodeSelector`，DaemonSet 控制器将在能够与
-[Node 选择算符](/zh/docs/concepts/scheduling-eviction/assign-pod-node/) 匹配的节点上创建 Pod。
+[Node 选择算符](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/) 匹配的节点上创建 Pod。
 类似这种情况，可以指定 `.spec.template.spec.affinity`，之后 DaemonSet 控制器
-将在能够与[节点亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)
+将在能够与[节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)
 匹配的节点上创建 Pod。
 如果根本就没有指定，则 DaemonSet Controller 将在所有节点上创建 Pod。
 
@@ -228,7 +228,7 @@ DaemonSet 确保所有符合条件的节点都运行该 Pod 的一个副本。
 
 * Pod 行为的不一致性：正常 Pod 在被创建后等待调度时处于 `Pending` 状态，
   DaemonSet Pods 创建后不会处于 `Pending` 状态下。这使用户感到困惑。
-* [Pod 抢占](/zh/docs/concepts/configuration/pod-priority-preemption/)
+* [Pod 抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
   由默认调度器处理。启用抢占后，DaemonSet 控制器将在不考虑 Pod 优先级和抢占
   的情况下制定调度决策。
 
@@ -242,7 +242,7 @@ taken into account before selecting the target host). The DaemonSet controller o
 performs these operations when creating or modifying DaemonSet pods, and no
 changes are made to the `spec.template` of the DaemonSet.
 -->
-`ScheduleDaemonSetPods` 允许您使用默认调度器而不是 DaemonSet 控制器来调度 DaemonSets，
+`ScheduleDaemonSetPods` 允许你使用默认调度器而不是 DaemonSet 控制器来调度 DaemonSets，
 方法是将 `NodeAffinity` 条件而不是 `.spec.nodeName` 条件添加到 DaemonSet Pods。
 默认调度器接下来将 Pod 绑定到目标主机。
 如果 DaemonSet Pod 的节点亲和性配置已存在，则被替换
@@ -279,7 +279,7 @@ the related features.
 -->
 ### 污点和容忍度   {#taint-and-toleration}
 
-尽管 Daemon Pods 遵循[污点和容忍度](/zh/docs/concepts/scheduling-eviction/taint-and-toleration)
+尽管 Daemon Pods 遵循[污点和容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration)
 规则，根据相关特性，控制器会自动将以下容忍度添加到 DaemonSet Pod：
 
 | 容忍度键名                               | 效果       | 版本    | 描述                                                         |
@@ -320,7 +320,7 @@ Some possible patterns for communicating with Pods in a DaemonSet are:
   访问到 Pod。客户端能通过某种方法获取节点 IP 列表，并且基于此也可以获取到相应的端口。
 
 - **DNS**：创建具有相同 Pod 选择算符的
-  [无头服务](/zh/docs/concepts/services-networking/service/#headless-services)，
+  [无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)，
   通过使用 `endpoints` 资源或从 DNS 中检索到多个 A 记录来发现 DaemonSet。
 
 - **Service**：创建具有相同 Pod 选择算符的服务，并使用该服务随机访问到某个节点上的
@@ -352,12 +352,12 @@ them according to its `updateStrategy`.
 
 You can [perform a rolling update](/docs/tasks/manage-daemon/update-daemon-set/) on a DaemonSet.
 -->
-您可以删除一个 DaemonSet。如果使用 `kubectl` 并指定 `--cascade=orphan` 选项，
+你可以删除一个 DaemonSet。如果使用 `kubectl` 并指定 `--cascade=orphan` 选项，
 则 Pod 将被保留在节点上。接下来如果创建使用相同选择算符的新 DaemonSet，
 新的 DaemonSet 会收养已有的 Pod。
 如果有 Pod 需要被替换，DaemonSet 会根据其 `updateStrategy` 来替换。
 
-你可以对 DaemonSet [执行滚动更新](/zh/docs/tasks/manage-daemon/update-daemon-set/)操作。
+你可以对 DaemonSet [执行滚动更新](/zh-cn/docs/tasks/manage-daemon/update-daemon-set/)操作。
 
 <!--
 ## Alternatives to DaemonSet
@@ -417,7 +417,7 @@ in cluster bootstrapping cases.  Also, static Pods may be deprecated in the futu
 ### 静态 Pod   {#static-pods}
 
 通过在一个指定的、受 `kubelet` 监视的目录下编写文件来创建 Pod 也是可行的。
-这类 Pod 被称为[静态 Pod](/zh/docs/tasks/configure-pod-container/static-pod/)。
+这类 Pod 被称为[静态 Pod](/zh-cn/docs/tasks/configure-pod-container/static-pod/)。
 不像 DaemonSet，静态 Pod 不受 `kubectl` 和其它 Kubernetes API 客户端管理。
 静态 Pod 不依赖于 API 服务器，这使得它们在启动引导新集群的情况下非常有用。
 此外，静态 Pod 在将来可能会被废弃。
@@ -438,7 +438,7 @@ For example, [network plugins](/docs/concepts/extend-kubernetes/compute-storage-
 -->
 ### Deployments
 
-DaemonSet 与 [Deployments](/zh/docs/concepts/workloads/controllers/deployment/) 非常类似，
+DaemonSet 与 [Deployments](/zh-cn/docs/concepts/workloads/controllers/deployment/) 非常类似，
 它们都能创建 Pod，并且 Pod 中的进程都不希望被终止（例如，Web 服务器、存储服务器）。
 
 建议为无状态的服务使用 Deployments，比如前端服务。
@@ -446,7 +446,7 @@ DaemonSet 与 [Deployments](/zh/docs/concepts/workloads/controllers/deployment/)
 当需要 Pod 副本总是运行在全部或特定主机上，并且当该 DaemonSet 提供了节点级别的功能（允许其他 Pod 在该特定节点上正确运行）时，
 应该使用 DaemonSet。
 
-例如，[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)通常包含一个以 DaemonSet 运行的组件。
+例如，[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)通常包含一个以 DaemonSet 运行的组件。
 这个 DaemonSet 组件确保它所在的节点的集群网络正常工作。
 
 ## {{% heading "whatsnext" %}}
@@ -465,14 +465,14 @@ DaemonSet 与 [Deployments](/zh/docs/concepts/workloads/controllers/deployment/)
   Read the {{< api-reference page="workload-resources/daemon-set-v1" >}}
   object definition to understand the API for daemon sets.
 -->
-* 了解 [Pods](/zh/docs/concepts/workloads/pods)。
+* 了解 [Pods](/zh-cn/docs/concepts/workloads/pods)。
   * 了解[静态 Pod](#static-pods)，这对运行 Kubernetes {{< glossary_tooltip text="控制面" term_id="control-plane" >}}组件有帮助。
 * 了解如何使用 DaemonSet
-  * [对 DaemonSet 执行滚动更新](/zh/docs/tasks/manage-daemon/update-daemon-set/)
-  * [对 DaemonSet 执行回滚](/zh/docs/tasks/manage-daemon/rollback-daemon-set/)（例如：新的版本没有达到你的预期）
-* 理解[Kubernetes 如何将 Pod 分配给节点](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)。
-* 了解[设备插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)和
-  [扩展（Addons）](/zh/docs/concepts/cluster-administration/addons/)，它们常以 DaemonSet 运行。
+  * [对 DaemonSet 执行滚动更新](/zh-cn/docs/tasks/manage-daemon/update-daemon-set/)
+  * [对 DaemonSet 执行回滚](/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set/)（例如：新的版本没有达到你的预期）
+* 理解[Kubernetes 如何将 Pod 分配给节点](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)。
+* 了解[设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)和
+  [扩展（Addons）](/zh-cn/docs/concepts/cluster-administration/addons/)，它们常以 DaemonSet 运行。
 * `DaemonSet` 是 Kubernetes REST API 中的顶级资源。阅读 {{< api-reference page="workload-resources/daemon-set-v1" >}}
    对象定义理解关于该资源的 API。
 
diff --git a/content/zh/docs/concepts/workloads/controllers/deployment.md b/content/zh-cn/docs/concepts/workloads/controllers/deployment.md
similarity index 98%
rename from content/zh/docs/concepts/workloads/controllers/deployment.md
rename to content/zh-cn/docs/concepts/workloads/controllers/deployment.md
index f5249b60d6043..15d5382f93fad 100644
--- a/content/zh/docs/concepts/workloads/controllers/deployment.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/deployment.md
@@ -1063,7 +1063,7 @@ Assuming [horizontal Pod autoscaling](/docs/tasks/run-application/horizontal-pod
 in your cluster, you can setup an autoscaler for your Deployment and choose the minimum and maximum number of
 Pods you want to run based on the CPU utilization of your existing Pods.
 -->
-假设集群启用了[Pod 的水平自动缩放](/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)，
+假设集群启用了[Pod 的水平自动缩放](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)，
 你可以为 Deployment 设置自动缩放器，并基于现有 Pod 的 CPU 利用率选择要运行的
 Pod 个数下限和上限。
 
@@ -1230,7 +1230,7 @@ apply multiple fixes in between pausing and resuming without triggering unnecess
 
 在你更新一个 Deployment 的时候，或者计划更新它的时候，
 你可以在触发一个或多个更新之前暂停 Deployment 的上线过程。
-当你准备行应用这些变更时，你可以重新恢复 Deployment 上线过程。
+当你准备应用这些变更时，你可以重新恢复 Deployment 上线过程。
 这样做使得你能够在暂停和恢复执行之间应用多个修补程序，而不会触发不必要的上线操作。
 
 <!--
@@ -1599,7 +1599,7 @@ number of seconds the Deployment controller waits before indicating (in the Depl
 Deployment progress has stalled.
 -->
 检测此状况的一种方法是在 Deployment 规约中指定截止时间参数：
-（[`.spec.progressDeadlineSeconds`]（#progress-deadline-seconds））。
+（[`.spec.progressDeadlineSeconds`](#progress-deadline-seconds)）。
 `.spec.progressDeadlineSeconds` 给出的是一个秒数值，Deployment 控制器在（通过 Deployment 状态）
 标示 Deployment 进展停滞之前，需要等待所给的时长。
 
@@ -1854,7 +1854,7 @@ can create multiple Deployments, one for each release, following the canary patt
 ## 金丝雀部署 {#canary-deployment}
 
 如果要使用 Deployment 向用户子集或服务器子集上线版本，
-则可以遵循[资源管理](/zh/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
+则可以遵循[资源管理](/zh-cn/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
 所描述的金丝雀模式，创建多个 Deployment，每个版本一个。
 
 <!--
@@ -1868,8 +1868,8 @@ configuring containers, and [using kubectl to manage resources](/docs/concepts/o
 ## 编写 Deployment 规约       {#writing-a-deployment-spec}
 
 同其他 Kubernetes 配置一样， Deployment 需要 `apiVersion`，`kind` 和 `metadata` 字段。
-有关配置文件的其他信息，请参考[部署 Deployment](/zh/docs/tasks/run-application/run-stateless-application-deployment/)、
-配置容器和[使用 kubectl 管理资源](/zh/docs/concepts/overview/working-with-objects/object-management/)等相关文档。
+有关配置文件的其他信息，请参考[部署 Deployment](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)、
+配置容器和[使用 kubectl 管理资源](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)等相关文档。
 
 <!--
 The name of a Deployment object must be a valid
@@ -1878,7 +1878,7 @@ The name of a Deployment object must be a valid
 A Deployment also needs a [`.spec` section](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 -->
 Deployment 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 Deployment 还需要 [`.spec` 部分](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)。
 
 <!--
@@ -1894,7 +1894,7 @@ The `.spec.template` and `.spec.selector` are the only required field of the `.s
 
 The `.spec.template` is a [Pod template](/docs/concepts/workloads/pods/#pod-templates). It has exactly the same schema as a {{< glossary_tooltip text="Pod" term_id="pod" >}}, except it is nested and does not have an `apiVersion` or `kind`.
 -->
-`.spec.template` 是一个 [Pod 模板](/zh/docs/concepts/workloads/pods/#pod-templates)。
+`.spec.template` 是一个 [Pod 模板](/zh-cn/docs/concepts/workloads/pods/#pod-templates)。
 它和 {{< glossary_tooltip text="Pod" term_id="pod" >}} 的语法规则完全相同。
 只是这里它是嵌套的，因此不需要 `apiVersion` 或 `kind`。
 
@@ -1909,7 +1909,7 @@ labels and an appropriate restart policy. For labels, make sure not to overlap w
 Only a [`.spec.template.spec.restartPolicy`](/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy) equal to `Always` is
 allowed, which is the default if not specified.
 -->
-只有 [`.spec.template.spec.restartPolicy`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
+只有 [`.spec.template.spec.restartPolicy`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
 等于 `Always` 才是被允许的，这也是在没有指定时的默认设置。
 
 <!--
@@ -1936,7 +1936,7 @@ then applying that manifest overwrites the manual scaling that you previously di
 If a [HorizontalPodAutoscaler](/docs/tasks/run-application/horizontal-pod-autoscale/) (or any
 similar API for horizontal scaling) is managing scaling for a Deployment, don't set `.spec.replicas`.
 -->
-如果一个 [HorizontalPodAutoscaler](/zh/docs/tasks/run-application/horizontal-pod-autoscale/)
+如果一个 [HorizontalPodAutoscaler](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/)
 （或者其他执行水平扩缩操作的类似 API）在管理 Deployment 的扩缩，
 则不要设置 `.spec.replicas`。
 
@@ -1960,7 +1960,7 @@ for the Pods targeted by this Deployment.
 ### 选择算符   {#selector}
 
 `.spec.selector` 是指定本 Deployment 的 Pod
-[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/)的必需字段。
+[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/)的必需字段。
 
 `.spec.selector` 必须匹配 `.spec.template.metadata.labels`，否则请求会被 API 拒绝。
 
@@ -2033,7 +2033,7 @@ replacement will be created immediately (even if the old Pod is still in a Termi
 才会创建新版本的 Pod。如果你手动删除一个 Pod，其生命周期是由 ReplicaSet 来控制的，
 后者会立即创建一个替换 Pod（即使旧的 Pod 仍然处于 Terminating 状态）。
 如果你需要一种“最多 n 个”的 Pod 个数保证，你需要考虑使用
-[StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)。
+[StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)。
 {{< /note >}}
 
 <!--
@@ -2138,7 +2138,7 @@ a Pod is considered ready, see [Container Probes](/docs/concepts/workloads/pods/
 在没有任意容器崩溃情况下的最小就绪时间，
 只有超出这个时间 Pod 才被视为可用。默认值为 0（Pod 在准备就绪后立即将被视为可用）。
 要了解何时 Pod 被视为就绪，
-可参考[容器探针](/zh/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)。
+可参考[容器探针](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)。
 
 <!--
 ### Revision History Limit
@@ -2192,11 +2192,11 @@ Deployment 在创建时是默认不会处于暂停状态。
 * Read about [PodDisruptionBudget](/docs/concepts/workloads/pods/disruptions/) and how
   you can use it to manage application availability during disruptions.
 -->
-* 了解 [Pod](/zh/docs/concepts/workloads/pods)。
-* [使用 Deployment 运行一个无状态应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)。
+* 了解 [Pod](/zh-cn/docs/concepts/workloads/pods)。
+* [使用 Deployment 运行一个无状态应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)。
 * `Deployment` 是 Kubernetes REST API 中的一个顶层资源。
   阅读 {{< api-reference page="workload-resources/deployment-v1" >}}
   对象定义，以了解 Deployment 的 API 细节。
-* 阅读 [PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/)
+* 阅读 [PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/)
   了解如何使用它来在可能出现干扰的情况下管理应用的可用性。
 
diff --git a/content/zh/docs/concepts/workloads/controllers/job.md b/content/zh-cn/docs/concepts/workloads/controllers/job.md
similarity index 90%
rename from content/zh/docs/concepts/workloads/controllers/job.md
rename to content/zh-cn/docs/concepts/workloads/controllers/job.md
index 99edfabf76823..fa647a7067284 100644
--- a/content/zh/docs/concepts/workloads/controllers/job.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/job.md
@@ -33,6 +33,9 @@ The Job object will start a new Pod if the first Pod fails or is deleted (for ex
 due to a node hardware failure or a node reboot).
 
 You can also use a Job to run multiple Pods in parallel.
+
+If you want to run a Job (either a single task, or several in parallel) on a schedule,
+see [CronJob](/docs/concepts/workloads/controllers/cron-jobs/).
 -->
 Job 会创建一个或者多个 Pods，并将继续重试 Pods 的执行，直到指定数量的 Pods 成功终止。
 随着 Pods 成功结束，Job 跟踪记录成功完成的 Pods 个数。
@@ -46,7 +49,11 @@ Job 会创建一个或者多个 Pods，并将继续重试 Pods 的执行，直
 
 你也可以使用 Job 以并行的方式运行多个 Pod。
 
+如果你想按某种排期表（Schedule）运行 Job（单个任务或多个并行任务），请参阅
+[CronJob](/docs/concepts/workloads/controllers/cron-jobs/)。
+
 <!-- body -->
+
 <!--
 ## Running an example Job
 
@@ -60,26 +67,36 @@ It takes around 10s to complete.
 
 {{< codenew file="controllers/job.yaml" >}}
 
-<!--You can run the example with this command:-->
+<!--
+You can run the example with this command:
+-->
 你可以使用下面的命令来运行此示例：
 
 ```shell
 kubectl apply -f https://kubernetes.io/examples/controllers/job.yaml
 ```
 
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```
 job.batch/pi created
 ```
 
-<!-- Check on the status of the Job with `kubectl`: -->
+<!--
+Check on the status of the Job with `kubectl`:
+-->
 使用 `kubectl` 来检查 Job 的状态：
 
 ```shell
 kubectl describe jobs/pi
 ```
 
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```
@@ -132,6 +149,9 @@ pods=$(kubectl get pods --selector=job-name=pi --output=jsonpath='{.items[*].met
 echo $pods
 ```
 
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```
@@ -139,7 +159,7 @@ pi-5rwd7
 ```
 
 <!--
-Here, the selector is the same as the selector for the Job.  The `-output=jsonpath` option specifies an expression
+Here, the selector is the same as the selector for the Job.  The `--output=jsonpath` option specifies an expression
 with the name from each Pod in the returned list.
 
 View the standard output of one of the pods:
@@ -153,12 +173,15 @@ View the standard output of one of the pods:
 kubectl logs $pods
 ```
 
-<!--The output is similar to this:-->
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```
 3.1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989380952572010654858632788659361533818279682303019520353018529689957736225994138912497217752834791315155748572424541506959508295331168617278558890750983817546374649393192550604009277016711390098488240128583616035637076601047101819429555961989467678374494482553797747268471040475346462080466842590694912933136770289891521047521620569660240580381501935112533824300355876402474964732639141992726042699227967823547816360093417216412199245863150302861829745557067498385054945885869269956909272107975093029553211653449872027559602364806654991198818347977535663698074265425278625518184175746728909777727938000816470600161452491921732172147723501414419735685481613611573525521334757418494684385233239073941433345477624168625189835694855620992192221842725502542568876717904946016534668049886272327917860857843838279679766814541009538837863609506800642251252051173929848960841284886269456042419652850222106611863067442786220391949450471237137869609563643719172874677646575739624138908658326459958133904780275901
 ```
+
 <!--
 ## Writing a Job spec
 
@@ -167,12 +190,12 @@ Its name must be a valid [DNS subdomain name](/docs/concepts/overview/working-wi
 
 A Job also needs a [`.spec` section](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 -->
-## 编写 Job 规约
+## 编写 Job 规约    {#writing-a-job-spec}
 
 与 Kubernetes 中其他资源的配置类似，Job 也需要 `apiVersion`、`kind` 和 `metadata` 字段。
-Job 的名字必须是合法的 [DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+Job 的名字必须是合法的 [DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
-Job 配置还需要一个[`.spec` 节](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)。
+Job 配置还需要一个 [`.spec` 节](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)。
 
 <!--
 ### Pod Template
@@ -186,18 +209,18 @@ labels (see [pod selector](#pod-selector)) and an appropriate restart policy.
 
 Only a [`RestartPolicy`](/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy) equal to `Never` or `OnFailure` is allowed.
 -->
-### Pod 模版
+### Pod 模版    {#pod-template}
 
 Job 的 `.spec` 中只有 `.spec.template` 是必需的字段。
 
-字段 `.spec.template` 的值是一个 [Pod 模版](/zh/docs/concepts/workloads/pods/#pod-templates)。
+字段 `.spec.template` 的值是一个 [Pod 模版](/zh-cn/docs/concepts/workloads/pods/#pod-templates)。
 其定义规范与 {{< glossary_tooltip text="Pod" term_id="pod" >}}
 完全相同，只是其中不再需要 `apiVersion` 或 `kind` 字段。
 
 除了作为 Pod 所必需的字段之外，Job 中的 Pod 模版必需设置合适的标签
-（参见[Pod 选择算符](#pod-selector)）和合适的重启策略。
+（参见 [Pod 选择算符](#pod-selector)）和合适的重启策略。
 
-Job 中 Pod 的 [`RestartPolicy`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
+Job 中 Pod 的 [`RestartPolicy`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
 只能设置为 `Never` 或 `OnFailure` 之一。
 
 <!--
@@ -219,6 +242,7 @@ There are three main types of task suitable to run as a Job:
 ### Job 的并行执行 {#parallel-jobs}
 
 适合以 Job 形式来运行的任务主要有三种：
+
 <!--
 1. Non-parallel Jobs
    - normally, only one Pod is started, unless the Pod fails.
@@ -298,7 +322,7 @@ parallelism, for a variety of reasons:
 <!--
 - For _fixed completion count_ Jobs, the actual number of pods running in parallel will not exceed the number of
   remaining completions.   Higher values of `.spec.parallelism` are effectively ignored.
-- For _work queue_ Jobs, no new Pods are started after any Pod has succeeded - remaining Pods are allowed to complete, however.
+- For _work queue_ Jobs, no new Pods are started after any Pod has succeeded -- remaining Pods are allowed to complete, however.
 - If the Job {{< glossary_tooltip term_id="controller" >}} has not had time to react.
 - If the Job controller failed to create Pods for any reason (lack of `ResourceQuota`, lack of permission, etc.),
   then there may be fewer pods than requested.
@@ -320,7 +344,7 @@ parallelism, for a variety of reasons:
 -->
 ### 完成模式   {#completion-mode}
 
-{{< feature-state for_k8s_version="v1.22" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
 Jobs with _fixed completion count_ - that is, jobs that have non null
@@ -362,7 +386,7 @@ Jobs with _fixed completion count_ - that is, jobs that have non null
 
   当每个索引都对应一个完成完成的 Pod 时，Job 被认为是已完成的。
   关于如何使用这种模式的更多信息，可参阅
-  [用带索引的 Job 执行基于静态任务分配的并行处理](/zh/docs/tasks/job/indexed-parallel-processing-static/)。
+  [用带索引的 Job 执行基于静态任务分配的并行处理](/zh-cn/docs/tasks/job/indexed-parallel-processing-static/)。
   需要注意的是，对同一索引值可能被启动的 Pod 不止一个，尽管这种情况很少发生。
   这时，只有一个会被记入完成计数中。
 
@@ -377,7 +401,7 @@ restarted locally, or else specify `.spec.template.spec.restartPolicy = "Never"`
 See [pod lifecycle](/docs/concepts/workloads/pods/pod-lifecycle/#example-states) for more information on `restartPolicy`.
 -->
 
-## 处理 Pod 和容器失效
+## 处理 Pod 和容器失效    {#handling-pod-and-container-failures}
 
 Pod 中的容器可能因为多种不同原因失效，例如因为其中的进程退出时返回值非零，
 或者容器因为超出内存约束而被杀死等等。
@@ -386,7 +410,7 @@ Pod 则继续留在当前节点，但容器会被重新运行。
 因此，你的程序需要能够处理在本地被重启的情况，或者要设置
 `.spec.template.spec.restartPolicy = "Never"`。
 关于 `restartPolicy` 的更多信息，可参阅
-[Pod 生命周期](/zh/docs/concepts/workloads/pods/pod-lifecycle/#example-states)。
+[Pod 生命周期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#example-states)。
 
 <!--
 An entire Pod can also fail, for a number of reasons, such as when the pod is kicked off the node
@@ -426,11 +450,21 @@ due to a logical error in configuration etc.
 To do so, set `.spec.backoffLimit` to specify the number of retries before
 considering a Job as failed. The back-off limit is set by default to 6. Failed
 Pods associated with the Job are recreated by the Job controller with an
-exponential back-off delay (10s, 20s, 40s ...) capped at six minutes. The
-back-off count is reset when a Job's Pod is deleted or successful without any
-other Pods for the Job failing around that time.
+exponential back-off delay (10s, 20s, 40s ...) capped at six minutes. 
+
+The number of retries is calculated in two ways:
+- The number of Pods with `.status.phase = "Failed"`.
+- When using `restartPolicy = "OnFailure"`, the number of retries in all the
+  containers of Pods with `.status.phase` equal to `Pending` or `Running`.
+
+If either of the calculations reaches the `.spec.backoffLimit`, the Job is
+considered failed.
+
+When the [`JobTrackingWithFinalizers`](#job-tracking-with-finalizers) feature is
+disabled, the number of failed Pods is only based on Pods that are still present
+in the API.
 -->
-### Pod 回退失效策略
+### Pod 回退失效策略    {#pod-backoff-failure-policy}
 
 在有些情形下，你可能希望 Job 在经历若干次重试之后直接进入失败状态，因为这很
 可能意味着遇到了配置错误。
@@ -438,7 +472,16 @@ other Pods for the Job failing around that time.
 失效回退的限制值默认为 6。
 与 Job 相关的失效的 Pod 会被 Job 控制器重建，回退重试时间将会按指数增长
 （从 10 秒、20 秒到 40 秒）最多至 6 分钟。
-当 Job 的 Pod 被删除时，或者 Pod 成功时没有其它 Pod 处于失败状态，失效回退的次数也会被重置（为 0）。
+
+计算重试次数有以下两种方法：
+- 计算 `.status.phase = "Failed"` 的 Pod 数量。
+- 当 Pod 的 `restartPolicy = "OnFailure"` 时，针对 `.status.phase` 等于 `Pending` 或
+  `Running` 的 Pod，计算其中所有容器的重试次数。
+
+如果两种方式其中一个的值达到 `.spec.backoffLimit`，则 Job 被判定为失败。
+
+当 [`JobTrackingWithFinalizers`](#job-tracking-with-finalizers) 特性被禁用时，
+失败的 Pod 数目仅基于 API 中仍然存在的 Pod。
 
 <!--
 If your job has `restartPolicy = "OnFailure"`, keep in mind that your Pod running the Job
@@ -463,7 +506,7 @@ allows you to still view the logs of completed pods to check for errors, warning
 The job object also remains after it is completed so that you can view its status.  It is up to the user to delete
 old jobs after noting their status.  Delete the job with `kubectl` (e.g. `kubectl delete jobs/pi` or `kubectl delete -f ./job.yaml`). When you delete the job using `kubectl`, all the pods it created are deleted too.
 -->
-## Job 终止与清理
+## Job 终止与清理    {#clean-up-finished-jobs-automatically}
 
 Job 完成时不会再创建新的 Pod，不过已有的 Pod [通常](#pod-backoff-failure-policy)也不会被删除。
 保留这些 Pod 使得你可以查看已完成的 Pod 的日志输出，以便检查错误、警告
@@ -531,7 +574,7 @@ Keep in mind that the `restartPolicy` applies to the Pod, and not to the Job its
 That is, the Job termination mechanisms activated with `.spec.activeDeadlineSeconds` and `.spec.backoffLimit` result in a permanent Job failure that requires manual intervention to resolve.
 -->
 注意 Job 规约和 Job 中的
-[Pod 模版规约](/zh/docs/concepts/workloads/pods/init-containers/#detailed-behavior)
+[Pod 模版规约](/zh-cn/docs/concepts/workloads/pods/init-containers/#detailed-behavior)
 都有 `activeDeadlineSeconds` 字段。
 请确保你在合适的层次设置正确的字段。
 
@@ -556,7 +599,7 @@ cleaned up by CronJobs based on the specified capacity-based cleanup policy.
 完成的 Job 通常不需要留存在系统中。在系统中一直保留它们会给 API
 服务器带来额外的压力。
 如果 Job 由某种更高级别的控制器来管理，例如
-[CronJobs](/zh/docs/concepts/workloads/controllers/cron-jobs/)，
+[CronJobs](/zh-cn/docs/concepts/workloads/controllers/cron-jobs/)，
 则 Job 可以被 CronJob 基于特定的根据容量裁定的清理策略清理掉。
 
 ### 已完成 Job 的 TTL 机制  {#ttl-mechanisms-for-finished-jobs}
@@ -578,7 +621,7 @@ be honored.
 For example:
 -->
 自动清理已完成 Job （状态为 `Complete` 或 `Failed`）的另一种方式是使用由
-[TTL 控制器](/zh/docs/concepts/workloads/controllers/ttlafterfinished/)所提供
+[TTL 控制器](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/)所提供
 的 TTL 机制。
 通过设置 Job 的 `.spec.ttlSecondsAfterFinished` 字段，可以让该控制器清理掉
 已结束的资源。
@@ -677,10 +720,10 @@ The pattern names are also links to examples and more detailed description.
 
 | 模式  | 单个 Job 对象 | Pods 数少于工作条目数？ | 直接使用应用无需修改? |
 | ----- |:-------------:|:-----------------------:|:---------------------:|
-| [每工作条目一 Pod 的队列](/zh/docs/tasks/job/coarse-parallel-processing-work-queue/) | ✓ | | 有时 |
-| [Pod 数量可变的队列](/zh/docs/tasks/job/fine-parallel-processing-work-queue/) | ✓ | ✓ |  |
-| [静态任务分派的带索引的 Job](/zh/docs/tasks/job/indexed-parallel-processing-static) | ✓ |  | ✓ |
-| [Job 模版扩展](/zh/docs/tasks/job/parallel-processing-expansion/)  |  |  | ✓ |
+| [每工作条目一 Pod 的队列](/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue/) | ✓ | | 有时 |
+| [Pod 数量可变的队列](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/) | ✓ | ✓ |  |
+| [静态任务分派的带索引的 Job](/zh-cn/docs/tasks/job/indexed-parallel-processing-static) | ✓ |  | ✓ |
+| [Job 模版扩展](/zh-cn/docs/tasks/job/parallel-processing-expansion/)  |  |  | ✓ |
 
 <!--
 When you specify completions with `.spec.completions`, each Pod created by the Job controller
@@ -703,10 +746,10 @@ Here, `W` is the number of work items.
 
 | 模式  | `.spec.completions` |  `.spec.parallelism` |
 | ----- |:-------------------:|:--------------------:|
-| [每工作条目一 Pod 的队列](/zh/docs/tasks/job/coarse-parallel-processing-work-queue/) | W | 任意值 |
-| [Pod 个数可变的队列](/zh/docs/tasks/job/fine-parallel-processing-work-queue/) | 1 | 任意值 |
-| [静态任务分派的带索引的 Job](/zh/docs/tasks/job/indexed-parallel-processing-static) | W |  | 任意值 |
-| [Job 模版扩展](/zh/docs/tasks/job/parallel-processing-expansion/) | 1 | 应该为 1 |
+| [每工作条目一 Pod 的队列](/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue/) | W | 任意值 |
+| [Pod 个数可变的队列](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/) | 1 | 任意值 |
+| [静态任务分派的带索引的 Job](/zh-cn/docs/tasks/job/indexed-parallel-processing-static) | W |  | 任意值 |
+| [Job 模版扩展](/zh-cn/docs/tasks/job/parallel-processing-expansion/) | 1 | 应该为 1 |
 
 <!--
 ## Advanced usage
@@ -717,17 +760,8 @@ Here, `W` is the number of work items.
 
 ### 挂起 Job   {#suspending-a-job}
 
-{{< feature-state for_k8s_version="v1.21" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
-{{< note >}}
-<!--
-In Kubernetes version 1.21, this feature was in alpha, which required additional
-steps to enable this feature; make sure to read the [right documentation for the
-version of Kubernetes you're using](/docs/home/supported-doc-versions/).
--->
-该特性在 Kubernetes 1.21 版本中是 Alpha 阶段，启用该特性需要额外的步骤；
-请确保你正在阅读[与集群版本一致的文档](/zh/docs/home/supported-doc-versions/)。
-{{< /note >}}
 
 <!--
 When a Job is created, the Job controller will immediately begin creating Pods
@@ -741,7 +775,7 @@ Job 被创建时，Job 控制器会马上开始执行 Pod 创建操作以满足
 不过你可能想要暂时挂起 Job 执行，或启动处于挂起状态的job，
 并拥有一个自定义控制器以后再决定什么时候开始。
 
-<!-- 
+<!--
 To suspend a Job, you can update the `.spec.suspend` field of
 the Job to true; later, when you want to resume it again, update it to false.
 Creating a Job with `.spec.suspend` set to true will create it in the suspended
@@ -807,7 +841,7 @@ Job 的 `status` 可以用来确定 Job 是否被挂起，或者曾经被挂起
 kubectl get jobs/myjob -o yaml
 ```
 
-```json
+```yaml
 apiVersion: batch/v1
 kind: Job
 # .metadata and .spec omitted
@@ -878,8 +912,8 @@ on the [API server](/docs/reference/command-line-tools-reference/kube-apiserver/
 It is enabled by default.
 -->
 {{< note >}}
-为了使用此功能，你必须在 [API 服务器](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)上启用
-`JobMutableNodeSchedulingDirectives` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+为了使用此功能，你必须在 [API 服务器](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)上启用
+`JobMutableNodeSchedulingDirectives` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 默认情况下启用。
 {{< /note >}}
 
@@ -920,7 +954,7 @@ Job 的 Pod 模板中可以更新的字段是节点亲和性、节点选择器
 
 
 <!--
-### Specifying your own Pod selector {#specifying-your-own-pod-selector}
+### Specifying your own Pod selector
 
 Normally, when you create a Job object, you do not specify `.spec.selector`.
 The system defaulting logic adds this field when the Job is created.
@@ -981,6 +1015,9 @@ Before deleting it, you make a note of what selector it uses:
 kubectl get job old -o yaml
 ```
 
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```yaml
@@ -1008,7 +1045,7 @@ the selector that the system normally generates for you automatically.
 它们也会被名为 `new` 的 Job 所控制。
 
 你需要在新 Job 中设置 `manualSelector: true`，因为你并未使用系统通常自动为你
-生成的选择算符。 
+生成的选择算符。
 
 ```yaml
 kind: Job
@@ -1034,29 +1071,31 @@ mismatch.
 
 <!--
 ### Job tracking with finalizers
+-->
+### 使用 Finalizer 追踪 Job   {#job-tracking-with-finalizers}
+
+{{< feature-state for_k8s_version="v1.23" state="beta" >}}
 
+{{< note >}}
+<!--
 In order to use this behavior, you must enable the `JobTrackingWithFinalizers`
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 on the [API server](/docs/reference/command-line-tools-reference/kube-apiserver/)
 and the [controller manager](/docs/reference/command-line-tools-reference/kube-controller-manager/).
 It is enabled by default.
+-->
+要使用该行为，你必须为 [API 服务器](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)
+和[控制器管理器](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
+启用 `JobTrackingWithFinalizers`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
+默认是启用的。
 
+<!--
 When enabled, the control plane tracks new Jobs using the behavior described
 below. Jobs created before the feature was enabled are unaffected. As a user,
 the only difference you would see is that the control plane tracking of Job
 completion is more accurate.
 -->
-### 使用 Finalizer 追踪 Job   {#job-tracking-with-finalizers}
-
-{{< feature-state for_k8s_version="v1.23" state="beta" >}}
-
-{{< note >}}
-要使用该行为，你必须为 [API 服务器](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)
-和[控制器管理器](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/)
-启用 `JobTrackingWithFinalizers`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
-默认是启用的。
-
 启用后，控制面基于下述行为追踪新的 Job。在启用该特性之前创建的 Job 不受影响。
 作为用户，你会看到的唯一区别是控制面对 Job 完成情况的跟踪更加准确。
 {{< /note >}}
@@ -1126,7 +1165,7 @@ Job 会重新创建新的 Pod 来替代已终止的 Pod。
 <!--
 ### Replication Controller
 
-Jobs are complementary to [Replication Controllers](/docs/user-guide/replication-controller).
+Jobs are complementary to [Replication Controllers](/docs/concepts/workloads/controllers/replicationcontroller/).
 A Replication Controller manages Pods which are not expected to terminate (e.g. web servers), and a Job
 manages Pods that are expected to terminate (e.g. batch tasks).
 
@@ -1136,11 +1175,11 @@ for pods with `RestartPolicy` equal to `OnFailure` or `Never`.
 -->
 ### 副本控制器    {#replication-controller}
 
-Job 与[副本控制器](/zh/docs/concepts/workloads/controllers/replicationcontroller/)是彼此互补的。
+Job 与[副本控制器](/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/)是彼此互补的。
 副本控制器管理的是那些不希望被终止的 Pod （例如，Web 服务器），
 Job 管理的是那些希望被终止的 Pod（例如，批处理作业）。
 
-正如在 [Pod 生命期](/zh/docs/concepts/workloads/pods/pod-lifecycle/) 中讨论的，
+正如在 [Pod 生命期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/) 中讨论的，
 `Job` 仅适合于 `restartPolicy` 设置为 `OnFailure` 或 `Never` 的 Pod。
 注意：如果 `restartPolicy` 未设置，其默认值是 `Always`。
 
@@ -1151,7 +1190,7 @@ Another pattern is for a single Job to create a Pod which then creates other Pod
 of custom controller for those Pods.  This allows the most flexibility, but may be somewhat
 complicated to get started with and offers less integration with Kubernetes.
 -->
-### 单个 Job 启动控制器 Pod
+### 单个 Job 启动控制器 Pod    {#single-job-starts-controller-pod}
 
 另一种模式是用唯一的 Job 来创建 Pod，而该 Pod 负责启动其他 Pod，因此扮演了一种
 后启动 Pod 的控制器的角色。
@@ -1189,15 +1228,15 @@ object, but maintains complete control over what Pods are created and how work i
   object definition to understand the API for jobs.
 * Read about [`CronJob`](/docs/concepts/workloads/controllers/cron-jobs/), which you
   can use to define a series of Jobs that will run based on a schedule, similar to
-  the Unix tool `cron`.
+  the UNIX tool `cron`.
 -->
-* 了解 [Pods](/zh/docs/concepts/workloads/pods)。
+* 了解 [Pods](/zh-cn/docs/concepts/workloads/pods)。
 * 了解运行 Job 的不同的方式：
-  * [使用工作队列进行粗粒度并行处理](/zh/docs/tasks/job/coarse-parallel-processing-work-queue/)
-  * [使用工作队列进行精细的并行处理](/zh/docs/tasks/job/fine-parallel-processing-work-queue/)
-  * [使用索引作业完成静态工作分配下的并行处理](/zh/docs/tasks/job/indexed-parallel-processing-static/)（Beta 阶段）
-  * 基于一个模板运行多个 Job：[使用展开的方式进行并行处理](/zh/docs/tasks/job/parallel-processing-expansion/)
+  * [使用工作队列进行粗粒度并行处理](/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue/)
+  * [使用工作队列进行精细的并行处理](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/)
+  * [使用索引作业完成静态工作分配下的并行处理](/zh-cn/docs/tasks/job/indexed-parallel-processing-static/)（Beta 阶段）
+  * 基于一个模板运行多个 Job：[使用展开的方式进行并行处理](/zh-cn/docs/tasks/job/parallel-processing-expansion/)
 * 跟随[自动清理完成的 Job](#clean-up-finished-jobs-automatically) 文中的链接，了解你的集群如何清理完成和失败的任务。
 * `Job` 是 Kubernetes REST API 的一部分。阅读 {{< api-reference page="workload-resources/job-v1" >}}
    对象定义理解关于该资源的 API。
-* 阅读 [`CronJob`](/zh/docs/concepts/workloads/controllers/cron-jobs/)，它允许你定义一系列定期运行的 Job，类似于 Unix 工具 `cron`。
+* 阅读 [`CronJob`](/zh-cn/docs/concepts/workloads/controllers/cron-jobs/)，它允许你定义一系列定期运行的 Job，类似于 UNIX 工具 `cron`。
diff --git a/content/zh/docs/concepts/workloads/controllers/replicaset.md b/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md
similarity index 78%
rename from content/zh/docs/concepts/workloads/controllers/replicaset.md
rename to content/zh-cn/docs/concepts/workloads/controllers/replicaset.md
index ca92f8378edaa..b55efa8345584 100644
--- a/content/zh/docs/concepts/workloads/controllers/replicaset.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md
@@ -48,7 +48,7 @@ ReplicaSet's identifying information within their ownerReferences field. It's th
 knows of the state of the Pods it is maintaining and plans accordingly.
 -->
 ReplicaSet 通过 Pod 上的
-[metadata.ownerReferences](/zh/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents)
+[metadata.ownerReferences](/zh-cn/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents)
 字段连接到附属 Pod，该字段给出当前对象的属主资源。
 ReplicaSet 所获得的 Pod 都在其 ownerReferences 字段中包含了属主 ReplicaSet
 的标识信息。正是通过这一连接，ReplicaSet 知道它所维护的 Pod 集合的状态，
@@ -56,10 +56,11 @@ ReplicaSet 所获得的 Pod 都在其 ownerReferences 字段中包含了属主 R
 
 <!--
 A ReplicaSet identifies new Pods to acquire by using its selector. If there is a Pod that has no OwnerReference or the
-OwnerReference is not a {{< glossary_tooltip term_id="controller" >}} and it matches a ReplicaSet's selector, it will be immediately acquired by said ReplicaSet.
+OwnerReference is not a {{< glossary_tooltip term_id="controller" >}} and it matches a ReplicaSet's selector, it will be immediately acquired by said
+ReplicaSet.
 -->
 ReplicaSet 使用其选择算符来辨识要获得的 Pod 集合。如果某个 Pod 没有
-OwnerReference 或者其 OwnerReference 不是一个 
+OwnerReference 或者其 OwnerReference 不是一个
 {{< glossary_tooltip text="控制器" term_id="controller" >}}，且其匹配到
 某 ReplicaSet 的选择算符，则该 Pod 立即被此 ReplicaSet 获得。
 
@@ -68,14 +69,14 @@ OwnerReference 或者其 OwnerReference 不是一个
 
 A ReplicaSet ensures that a specified number of pod replicas are running at any given
 time. However, a Deployment is a higher-level concept that manages ReplicaSets and
-provides declarative updates to pods along with a lot of other useful features.
+provides declarative updates to Pods along with a lot of other useful features.
 Therefore, we recommend using Deployments instead of directly using ReplicaSets, unless
 you require custom update orchestration or don't require updates at all.
 
 This actually means that you may never need to manipulate ReplicaSet objects:
 use a Deployment instead, and define your application in the spec section.
 -->
-## 何时使用 ReplicaSet
+## 何时使用 ReplicaSet    {#when-to-use-a-replicaset}
 
 ReplicaSet 确保任何时间都有指定数量的 Pod 副本在运行。
 然而，Deployment 是一个更高级的概念，它管理 ReplicaSet，并向 Pod
@@ -89,17 +90,16 @@ Deployment，并在 spec 部分定义你的应用。
 <!--
 ## Example
 -->
-## 示例
+## 示例    {#example}
 
 {{< codenew file="controllers/frontend.yaml" >}}
 
 <!--
-Saving this manifest into `frontend.yaml` and submitting it to a Kubernetes cluster should
-create the defined ReplicaSet and the pods that it manages.
+Saving this manifest into `frontend.yaml` and submitting it to a Kubernetes cluster will
+create the defined ReplicaSet and the Pods that it manages.
 -->
 将此清单保存到 `frontend.yaml` 中，并将其提交到 Kubernetes 集群，
-应该就能创建 yaml 文件所定义的 ReplicaSet 及其管理的 Pod。
-
+就能创建 yaml 文件所定义的 ReplicaSet 及其管理的 Pod。
 
 ```shell
 kubectl apply -f https://kubernetes.io/examples/controllers/frontend.yaml
@@ -139,25 +139,25 @@ And you will see output similar to:
 你会看到类似如下的输出：
 
 ```
-Name:		frontend
-Namespace:	default
-Selector:	tier=frontend
-Labels:		app=guestbook
-		tier=frontend
+Name:         frontend
+Namespace:    default
+Selector:     tier=frontend
+Labels:       app=guestbook
+              tier=frontend
 Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                 {"apiVersion":"apps/v1","kind":"ReplicaSet","metadata":{"annotations":{},"labels":{"app":"guestbook","tier":"frontend"},"name":"frontend",...
-Replicas:	3 current / 3 desired
-Pods Status:	3 Running / 0 Waiting / 0 Succeeded / 0 Failed
+Replicas:     3 current / 3 desired
+Pods Status:  3 Running / 0 Waiting / 0 Succeeded / 0 Failed
 Pod Template:
-  Labels:       tier=frontend
+  Labels:  tier=frontend
   Containers:
    php-redis:
-    Image:      gcr.io/google_samples/gb-frontend:v3
+    Image:        gcr.io/google_samples/gb-frontend:v3
     Port:         <none>
     Host Port:    <none>
     Environment:  <none>
-    Mounts:             <none>
-  Volumes:              <none>
+    Mounts:       <none>
+  Volumes:        <none>
 Events:
   Type    Reason            Age   From                   Message
   ----    ------            ----  ----                   -------
@@ -226,26 +226,19 @@ metadata:
 
 <!--
 ## Non-Template Pod acquisitions
-
-While you can create bare Pods with no problems, it is strongly recommended to make sure that the bare Pods do not have
-labels which match the selector of one of your ReplicaSets. The reason for this is because a ReplicaSet is not limited
-to owning Pods specified by its template - it can acquire other Pods in the manner specified in the previous sections.
 -->
-## 非模板 Pod 的获得
+## 非模板 Pod 的获得    {#non-template-pod-acquisitions}
 
 <!--
-While you can create bare Pods with no problems, it is strongly recommended to
-make sure that the bare Pods do not have labels which match the selector of
-one of your ReplicaSets. The reason for this is because a ReplicaSet is not
-limited to owning Pods specified by its template - it can acquire other Pods
-in the manner specified in the previous sections.
+While you can create bare Pods with no problems, it is strongly recommended to make sure that the bare Pods do not have
+labels which match the selector of one of your ReplicaSets. The reason for this is because a ReplicaSet is not limited
+to owning Pods specified by its template-- it can acquire other Pods in the manner specified in the previous sections.
 
-Take the previous frontend ReplicaSet example, and the Pods specified in the
-following manifest:
+Take the previous frontend ReplicaSet example, and the Pods specified in the following manifest:
 -->
-尽管你完全可以直接创建裸的 Pods，强烈建议你确保这些裸的 Pods 并不包含可能与你
-的某个 ReplicaSet 的选择算符相匹配的标签。原因在于 ReplicaSet 并不仅限于拥有
-在其模板中设置的 Pods，它还可以像前面小节中所描述的那样获得其他 Pods。
+尽管你完全可以直接创建裸的 Pod，强烈建议你确保这些裸的 Pod 并不包含可能与你的某个
+ReplicaSet 的选择算符相匹配的标签。原因在于 ReplicaSet 并不仅限于拥有在其模板中设置的
+Pod，它还可以像前面小节中所描述的那样获得其他 Pod。
 
 {{< codenew file="pods/pod-rs.yaml" >}}
 
@@ -256,11 +249,10 @@ ReplicaSet, they will immediately be acquired by it.
 Suppose you create the Pods after the frontend ReplicaSet has been deployed and has set up its initial Pod replicas to
 fulfill its replica count requirement:
 -->
-由于这些 Pod 没有控制器（Controller，或其他对象）作为其属主引用，并且
-其标签与 frontend ReplicaSet 的选择算符匹配，它们会立即被该 ReplicaSet
-获取。
+由于这些 Pod 没有控制器（Controller，或其他对象）作为其属主引用，
+并且其标签与 frontend ReplicaSet 的选择算符匹配，它们会立即被该 ReplicaSet 获取。
 
-假定你在 frontend ReplicaSet 已经被部署之后创建 Pods，并且你已经在 ReplicaSet
+假定你在 frontend ReplicaSet 已经被部署之后创建 Pod，并且你已经在 ReplicaSet
 中设置了其初始的 Pod 副本数以满足其副本计数需要：
 
 ```shell
@@ -273,8 +265,8 @@ its desired count.
 
 Fetching the Pods:
 -->
-新的 Pods 会被该 ReplicaSet 获取，并立即被 ReplicaSet 终止，因为
-它们的存在会使得 ReplicaSet 中 Pod 个数超出其期望值。
+新的 Pod 会被该 ReplicaSet 获取，并立即被 ReplicaSet 终止，
+因为它们的存在会使得 ReplicaSet 中 Pod 个数超出其期望值。
 
 取回 Pods：
 
@@ -286,9 +278,9 @@ kubectl get pods
 <!--
 The output shows that the new Pods are either already terminated, or in the process of being terminated:
 -->
-输出显示新的 Pods 或者已经被终止，或者处于终止过程中：
+输出显示新的 Pod 或者已经被终止，或者处于终止过程中：
 
-```shell
+```
 NAME             READY   STATUS        RESTARTS   AGE
 frontend-b2zdv   1/1     Running       0          10m
 frontend-vcmts   1/1     Running       0          10m
@@ -319,9 +311,9 @@ kubectl apply -f https://kubernetes.io/examples/controllers/frontend.yaml
 You shall see that the ReplicaSet has acquired the Pods and has only created new ones according to its spec until the
 number of its new Pods and the original matches its desired count. As fetching the Pods:
 -->
-你会看到 ReplicaSet 已经获得了该 Pods，并仅根据其规约创建新的 Pods，直到
-新的 Pods 和原来的 Pods 的总数达到其预期个数。
-这时取回 Pods：
+你会看到 ReplicaSet 已经获得了该 Pod，并仅根据其规约创建新的 Pod，
+直到新的 Pod 和原来的 Pod 的总数达到其预期个数。
+这时取回 Pod 列表：
 
 ```shell
 kubectl get pods
@@ -339,10 +331,13 @@ pod1             1/1     Running   0          36s
 pod2             1/1     Running   0          36s
 ```
 
+<!--
+In this manner, a ReplicaSet can own a non-homogenous set of Pods
+-->
 采用这种方式，一个 ReplicaSet 中可以包含异质的 Pods 集合。
 
 <!--
-## Writing a ReplicaSet Spec
+## Writing a ReplicaSet manifest
 
 As with all other Kubernetes API objects, a ReplicaSet needs the `apiVersion`, `kind`, and `metadata` fields.
 For ReplicaSets, the `kind` is always a ReplicaSet.
@@ -350,17 +345,18 @@ For ReplicaSets, the `kind` is always a ReplicaSet.
 The name of a ReplicaSet object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
-A ReplicaSet also needs a [`.spec` section](https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status).
+A ReplicaSet also needs a [`.spec` section](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 -->
-## 编写 ReplicaSet 的 spec
+## 编写 ReplicaSet 的清单    {#writing-a-replicaset-manifest}
 
 与所有其他 Kubernetes API 对象一样，ReplicaSet 也需要 `apiVersion`、`kind`、和 `metadata` 字段。
 对于 ReplicaSets 而言，其 `kind` 始终是 ReplicaSet。
 
 ReplicaSet 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
-ReplicaSet 也需要 [`.spec`](https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status)
+ReplicaSet 也需要
+[`.spec`](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
 部分。
 
 <!--
@@ -373,13 +369,13 @@ Be careful not to overlap with the selectors of other controllers, lest they try
 For the template's [restart policy](/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy) field,
 `.spec.template.spec.restartPolicy`, the only allowed value is `Always`, which is the default.
 -->
-### Pod 模版
+### Pod 模版    {#pod-template}
 
-`.spec.template` 是一个[Pod 模版](/zh/docs/concepts/workloads/pods/#pod-templates)，
+`.spec.template` 是一个 [Pod 模版](/zh-cn/docs/concepts/workloads/pods/#pod-templates)，
 要求设置标签。在 `frontend.yaml` 示例中，我们指定了标签 `tier: frontend`。
 注意不要将标签与其他控制器的选择算符重叠，否则那些控制器会尝试收养此 Pod。
 
-对于模板的[重启策略](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
+对于模板的[重启策略](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
 字段，`.spec.template.spec.restartPolicy`，唯一允许的取值是 `Always`，这也是默认值.
 
 <!--
@@ -399,7 +395,7 @@ be rejected by the API.
 -->
 ### Pod 选择算符   {#pod-selector}
 
-`.spec.selector` 字段是一个[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/)。
+`.spec.selector` 字段是一个[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/)。
 如前文中[所讨论的](#how-a-replicaset-works)，这些是用来标识要被获取的 Pods
 的标签。在签名的 `frontend.yaml` 示例中，选择算符为：
 
@@ -408,17 +404,16 @@ matchLabels:
   tier: frontend
 ```
 
-在 ReplicaSet 中，`.spec.template.metadata.labels` 的值必须与 `spec.selector` 值
-相匹配，否则该配置会被 API 拒绝。
+在 ReplicaSet 中，`.spec.template.metadata.labels` 的值必须与 `spec.selector`
+值相匹配，否则该配置会被 API 拒绝。
 
 {{< note >}}
 <!--
 For 2 ReplicaSets specifying the same `.spec.selector` but different `.spec.template.metadata.labels` and `.spec.template.spec` fields, each ReplicaSet ignores the Pods created by the other ReplicaSet.
 -->
-对于设置了相同的 `.spec.selector`，但 
-`.spec.template.metadata.labels` 和 `.spec.template.spec` 字段不同的
-两个 ReplicaSet 而言，每个 ReplicaSet 都会忽略被另一个 ReplicaSet 所
-创建的 Pods。
+对于设置了相同的 `.spec.selector`，但
+`.spec.template.metadata.labels` 和 `.spec.template.spec` 字段不同的两个
+ReplicaSet 而言，每个 ReplicaSet 都会忽略被另一个 ReplicaSet 所创建的 Pods。
 {{< /note >}}
 
 <!--
@@ -434,7 +429,7 @@ If you do not specify `.spec.replicas`, then it defaults to 1.
 你可以通过设置 `.spec.replicas` 来指定要同时运行的 Pod 个数。
 ReplicaSet 创建、删除 Pods 以与此值匹配。
 
-如果你没有指定 `.spec.replicas`, 那么默认值为 1。
+如果你没有指定 `.spec.replicas`，那么默认值为 1。
 
 <!--
 ## Working with ReplicaSets
@@ -443,35 +438,37 @@ ReplicaSet 创建、删除 Pods 以与此值匹配。
 
 To delete a ReplicaSet and all of its Pods, use [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete). The [Garbage collector](/docs/concepts/workloads/controllers/garbage-collection/) automatically deletes all of the dependent Pods by default.
 
-When using the REST API or the `client-go` library, you must set `propagationPolicy` to `Background` or `Foreground` in delete option. e.g. :
+When using the REST API or the `client-go` library, you must set `propagationPolicy` to `Background` or `Foreground` in
+the -d option.
+For example:
 -->
-## 使用 ReplicaSets
+## 使用 ReplicaSets    {#working-with-replicasets}
 
-### 删除 ReplicaSet 和它的 Pod
+### 删除 ReplicaSet 和它的 Pod    {#deleting-a-replicaset-and-its-pods}
 
 要删除 ReplicaSet 和它的所有 Pod，使用
 [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete) 命令。
-默认情况下，[垃圾收集器](/zh/docs/concepts/workloads/controllers/garbage-collection/)
+默认情况下，[垃圾收集器](/zh-cn/docs/concepts/workloads/controllers/garbage-collection/)
 自动删除所有依赖的 Pod。
 
-当使用 REST API 或 `client-go` 库时，你必须在删除选项中将 `propagationPolicy`
+当使用 REST API 或 `client-go` 库时，你必须在 `-d` 选项中将 `propagationPolicy`
 设置为 `Background` 或 `Foreground`。例如：
 
 ```shell
 kubectl proxy --port=8080
 curl -X DELETE  'localhost:8080/apis/apps/v1/namespaces/default/replicasets/frontend' \
-   -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Foreground"}' \
-   -H "Content-Type: application/json"
+  -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Foreground"}' \
+  -H "Content-Type: application/json"
 ```
 
 <!--
 ### Deleting just a ReplicaSet
 
-You can delete a ReplicaSet without affecting any of its Pods using [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete) with the `-cascade=orphan` option.
+You can delete a ReplicaSet without affecting any of its Pods using [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete) with the `--cascade=orphan` option.
 When using the REST API or the `client-go` library, you must set `propagationPolicy` to `Orphan`.
 For example:
 -->
-### 只删除 ReplicaSet
+### 只删除 ReplicaSet    {#deleting-just-a-replicaset}
 
 你可以只删除 ReplicaSet 而不影响它的 Pods，方法是使用
 [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete)
@@ -489,8 +486,8 @@ curl -X DELETE  'localhost:8080/apis/apps/v1/namespaces/default/replicasets/fron
 
 <!--
 Once the original is deleted, you can create a new ReplicaSet to replace it.  As long
-as the old and new `.spec.selector` are the same, then the new one will adopt the old pods.
-However, it will not make any effort to make existing pods match a new, different pod template.
+as the old and new `.spec.selector` are the same, then the new one will adopt the old Pods.
+However, it will not make any effort to make existing Pods match a new, different pod template.
 To update Pods to a new spec in a controlled way, use a
 [Deployment](/docs/concepts/workloads/controllers/deployment/#creating-a-deployment), as ReplicaSets do not support a rolling update directly.
 -->
@@ -498,20 +495,19 @@ To update Pods to a new spec in a controlled way, use a
 由于新旧 ReplicaSet 的 `.spec.selector` 是相同的，新的 ReplicaSet 将接管老的 Pod。
 但是，它不会努力使现有的 Pod 与新的、不同的 Pod 模板匹配。
 若想要以可控的方式更新 Pod 的规约，可以使用
-[Deployment](/zh/docs/concepts/workloads/controllers/deployment/#creating-a-deployment)
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/#creating-a-deployment)
 资源，因为 ReplicaSet 并不直接支持滚动更新。
 
 <!--
-### Isolating pods from a ReplicaSet
+### Isolating Pods from a ReplicaSet
 
-Pods may be removed from a ReplicaSet's target set by changing their labels. This technique may be used to remove pods 
+You can remove Pods from a ReplicaSet by changing their labels. This technique may be used to remove Pods
 from service for debugging, data recovery, etc. Pods that are removed in this way will be replaced automatically (
-  assuming that the number of replicas is not also changed).
-
+assuming that the number of replicas is not also changed).
 -->
-### 将 Pod 从 ReplicaSet 中隔离
+### 将 Pod 从 ReplicaSet 中隔离    {#isolating-pods-from-a-replicaset}
 
-可以通过改变标签来从 ReplicaSet 的目标集中移除 Pod。
+可以通过改变标签来从 ReplicaSet 中移除 Pod。
 这种技术可以用来从服务中去除 Pod，以便进行排错、数据恢复等。
 以这种方式移除的 Pod 将被自动替换（假设副本的数量没有改变）。
 
@@ -519,9 +515,9 @@ from service for debugging, data recovery, etc. Pods that are removed in this wa
 ### Scaling a ReplicaSet
 
 A ReplicaSet can be easily scaled up or down by simply updating the `.spec.replicas` field. The ReplicaSet controller
-ensures that a desired number of pods with a matching label selector are available and operational.
+ensures that a desired number of Pods with a matching label selector are available and operational.
 -->
-### 缩放 RepliaSet
+### 缩放 RepliaSet    {#scaling-a-replicaset}
 
 通过更新 `.spec.replicas` 字段，ReplicaSet 可以被轻松的进行缩放。ReplicaSet
 控制器能确保匹配标签选择器的数量的 Pod 是可用的和可操作的。
@@ -547,11 +543,10 @@ prioritize scaling down pods based on the following general algorithm:
    较小的优先被裁减掉
 3. 所处节点上副本个数较多的 Pod 优先于所处节点上副本较少者
 4. 如果 Pod 的创建时间不同，最近创建的 Pod 优先于早前创建的 Pod 被裁减。
-   （当 `LogarithmicScaleDown` 这一
-   [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+   （当 `LogarithmicScaleDown` 这一[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
    被启用时，创建时间是按整数幂级来分组的）。
 
-如果以上比较结果都相同，则随机选择。   
+如果以上比较结果都相同，则随机选择。
 
 <!--
 ### Pod deletion cost 
@@ -564,7 +559,7 @@ prioritize scaling down pods based on the following general algorithm:
 Using the [`controller.kubernetes.io/pod-deletion-cost`](/docs/reference/labels-annotations-taints/#pod-deletion-cost) 
 annotation, users can set a preference regarding which pods to remove first when downscaling a ReplicaSet.
 -->
-通过使用 [`controller.kubernetes.io/pod-deletion-cost`](/zh/docs/reference/labels-annotations-taints/#pod-deletion-cost)
+通过使用 [`controller.kubernetes.io/pod-deletion-cost`](/zh-cn/docs/reference/labels-annotations-taints/#pod-deletion-cost)
 注解，用户可以对 ReplicaSet 缩容时要先删除哪些 Pods 设置偏好。
 
 <!--
@@ -589,8 +584,7 @@ This feature is beta and enabled by default. You can disable it using the
 `PodDeletionCost` in both kube-apiserver and kube-controller-manager.
 -->
 此功能特性处于 Beta 阶段，默认被禁用。你可以通过为 kube-apiserver 和
-kube-controller-manager 设置
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+kube-controller-manager 设置[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 `PodDeletionCost` 来启用此功能。
 
 {{< note >}}
@@ -601,7 +595,7 @@ kube-controller-manager 设置
 -->
 - 此机制实施时仅是尽力而为，并不能对 Pod 的删除顺序作出任何保证；
 - 用户应避免频繁更新注解值，例如根据某观测度量值来更新此注解值是应该避免的。
-  这样做会在 API 服务器上产生大量的 Pod 更新操作。 
+  这样做会在 API 服务器上产生大量的 Pod 更新操作。
 {{< /note >}}
 
 <!--
@@ -613,7 +607,7 @@ should update `controller.kubernetes.io/pod-deletion-cost` once before issuing a
 annotation to a value proportional to pod utilization level). This works if the application itself controls
 the down scaling; for example, the driver pod of a Spark deployment.
 -->
-#### 使用场景示例
+#### 使用场景示例    {#example-use-case}
 
 同一应用的不同 Pods 可能其利用率是不同的。在对应用执行缩容操作时，可能
 希望移除利用率较低的 Pods。为了避免频繁更新 Pods，应用应该在执行缩容
@@ -623,17 +617,16 @@ the down scaling; for example, the driver pod of a Spark deployment.
 是可以起作用的。
 
 <!--
-### ReplicaSet as an Horizontal Pod Autoscaler Target
+### ReplicaSet as a Horizontal Pod Autoscaler Target
 
 A ReplicaSet can also be a target for
 [Horizontal Pod Autoscalers (HPA)](/docs/tasks/run-application/horizontal-pod-autoscale/). That is,
 a ReplicaSet can be auto-scaled by an HPA. Here is an example HPA targeting
 the ReplicaSet we created in the previous example.
 -->
-### ReplicaSet 作为水平的 Pod 自动缩放器目标
+### ReplicaSet 作为水平的 Pod 自动缩放器目标    {#replicaset-as-a-horizontal-pod-autoscaler-target}
 
-ReplicaSet 也可以作为
-[水平的 Pod 缩放器 (HPA)](/zh/docs/tasks/run-application/horizontal-pod-autoscale/)
+ReplicaSet 也可以作为[水平的 Pod 缩放器 (HPA)](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/)
 的目标。也就是说，ReplicaSet 可以被 HPA 自动缩放。
 以下是 HPA 以我们在前一个示例中创建的副本集为目标的示例。
 
@@ -642,7 +635,7 @@ ReplicaSet 也可以作为
 <!--
 Saving this manifest into `hpa-rs.yaml` and submitting it to a Kubernetes cluster should
 create the defined HPA that autoscales the target ReplicaSet depending on the CPU usage
-of the replicated pods.
+of the replicated Pods.
 -->
 将这个列表保存到 `hpa-rs.yaml` 并提交到 Kubernetes 集群，就能创建它所定义的
 HPA，进而就能根据复制的 Pod 的 CPU 利用率对目标 ReplicaSet进行自动缩放。
@@ -655,7 +648,7 @@ kubectl apply -f https://k8s.io/examples/controllers/hpa-rs.yaml
 Alternatively, you can use the `kubectl autoscale` command to accomplish the same
 (and it's easier!)
 -->
-或者，可以使用 `kubectl autoscale` 命令完成相同的操作。 (而且它更简单！)
+或者，可以使用 `kubectl autoscale` 命令完成相同的操作。（而且它更简单！）
 
 ```shell
 kubectl autoscale rs frontend --max=10 --min=3 --cpu-percent=50
@@ -664,7 +657,7 @@ kubectl autoscale rs frontend --max=10 --min=3 --cpu-percent=50
 <!--
 ## Alternatives to ReplicaSet
 
-### Deployment (Recommended)
+### Deployment (recommended)
 
 [`Deployment`](/docs/concepts/workloads/controllers/deployment/) is an object which can own ReplicaSets and update
 them and their Pods via declarative, server-side rolling updates.
@@ -673,30 +666,30 @@ creation, deletion and updates. When you use Deployments you don't have to worry
 they create. Deployments own and manage their ReplicaSets.
 As such, it is recommended to use Deployments when you want ReplicaSets.
 -->
-## ReplicaSet 的替代方案
+## ReplicaSet 的替代方案    {#alternatives-to-replicaset}
 
-### Deployment （推荐）
+### Deployment（推荐）    {#deployment-recommended}
 
-[`Deployment`](/zh/docs/concepts/workloads/controllers/deployment/) 是一个
-可以拥有 ReplicaSet 并使用声明式方式在服务器端完成对 Pods 滚动更新的对象。
-尽管 ReplicaSet 可以独立使用，目前它们的主要用途是提供给 Deployment 作为
-编排 Pod 创建、删除和更新的一种机制。当使用 Deployment 时，你不必关心
-如何管理它所创建的 ReplicaSet，Deployment 拥有并管理其 ReplicaSet。
+[`Deployment`](/zh-cn/docs/concepts/workloads/controllers/deployment/) 是一个可以拥有
+ReplicaSet 并使用声明式方式在服务器端完成对 Pods 滚动更新的对象。
+尽管 ReplicaSet 可以独立使用，目前它们的主要用途是提供给 Deployment 作为编排
+Pod 创建、删除和更新的一种机制。当使用 Deployment 时，你不必关心如何管理它所创建的
+ReplicaSet，Deployment 拥有并管理其 ReplicaSet。
 因此，建议你在需要 ReplicaSet 时使用 Deployment。
 
 <!--
 ### Bare Pods
 
-Unlike the case where a user directly created Pods, a ReplicaSet replaces Pods that are deleted or terminated for any reason, such as in the case of node failure or disruptive node maintenance, such as a kernel upgrade. For this reason, we recommend that you use a ReplicaSet even if your application requires only a single Pod. Think of it similarly to a process supervisor, only it supervises multiple Pods across multiple nodes instead of individual processes on a single node. A ReplicaSet delegates local container restarts to some agent on the node (for example, Kubelet or Docker).
+Unlike the case where a user directly created Pods, a ReplicaSet replaces Pods that are deleted or terminated for any reason, such as in the case of node failure or disruptive node maintenance, such as a kernel upgrade. For this reason, we recommend that you use a ReplicaSet even if your application requires only a single Pod. Think of it similarly to a process supervisor, only it supervises multiple Pods across multiple nodes instead of individual processes on a single node. A ReplicaSet delegates local container restarts to some agent on the node such as kubelet.
 -->
-### 裸 Pod
+### 裸 Pod    {#bare-pods}
 
 与用户直接创建 Pod 的情况不同，ReplicaSet 会替换那些由于某些原因被删除或被终止的
 Pod，例如在节点故障或破坏性的节点维护（如内核升级）的情况下。
 因为这个原因，我们建议你使用 ReplicaSet，即使应用程序只需要一个 Pod。
 想像一下，ReplicaSet 类似于进程监视器，只不过它在多个节点上监视多个 Pod，
 而不是在单个节点上监视单个进程。
-ReplicaSet 将本地容器重启的任务委托给了节点上的某个代理（例如，Kubelet 或 Docker）去完成。
+ReplicaSet 将本地容器重启的任务委托给了节点上的某个代理（例如，Kubelet）去完成。
 
 <!--
 ### Job
@@ -704,24 +697,23 @@ ReplicaSet 将本地容器重启的任务委托给了节点上的某个代理（
 Use a [`Job`](/docs/concepts/workloads/controllers/job/) instead of a ReplicaSet for Pods that are expected to terminate on their own
 (that is, batch jobs).
 -->
-
 ### Job
 
-使用[`Job`](/zh/docs/concepts/workloads/controllers/job/) 代替ReplicaSet，
+使用[`Job`](/zh-cn/docs/concepts/workloads/controllers/job/) 代替 ReplicaSet，
 可以用于那些期望自行终止的 Pod。
 
 <!--
 ### DaemonSet
 
-Use a [`DaemonSet`](/docs/concepts/workloads/controllers/daemonset/) instead of a ReplicaSet for pods that provide a
-machine-level function, such as machine monitoring or machine logging.  These pods have a lifetime that is tied
-to a machine lifetime: the pod needs to be running on the machine before other pods start, and are
+Use a [`DaemonSet`](/docs/concepts/workloads/controllers/daemonset/) instead of a ReplicaSet for Pods that provide a
+machine-level function, such as machine monitoring or machine logging.  These Pods have a lifetime that is tied
+to a machine lifetime: the Pod needs to be running on the machine before other Pods start, and are
 safe to terminate when the machine is otherwise ready to be rebooted/shutdown.
 -->
 ### DaemonSet
 
 对于管理那些提供主机级别功能（如主机监控和主机日志）的容器，
-就要用 [`DaemonSet`](/zh/docs/concepts/workloads/controllers/daemonset/)
+就要用 [`DaemonSet`](/zh-cn/docs/concepts/workloads/controllers/daemonset/)
 而不用 ReplicaSet。
 这些 Pod 的寿命与主机寿命有关：这些 Pod 需要先于主机上的其他 Pod 运行，
 并且在机器准备重新启动/关闭时安全地终止。
@@ -734,9 +726,9 @@ The two serve the same purpose, and behave similarly, except that a ReplicationC
 selector requirements as described in the [labels user guide](/docs/concepts/overview/working-with-objects/labels/#label-selectors).
 As such, ReplicaSets are preferred over ReplicationControllers
 -->
-ReplicaSet 是 [ReplicationController](/zh/docs/concepts/workloads/controllers/replicationcontroller/)
+ReplicaSet 是 [ReplicationController](/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/)
 的后继者。二者目的相同且行为类似，只是 ReplicationController 不支持
-[标签用户指南](/zh/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+[标签用户指南](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)
 中讨论的基于集合的选择算符需求。
 因此，相比于 ReplicationController，应优先考虑 ReplicaSet。
 
@@ -753,9 +745,13 @@ ReplicaSet 是 [ReplicationController](/zh/docs/concepts/workloads/controllers/r
 * Read about [PodDisruptionBudget](/docs/concepts/workloads/pods/disruptions/) and how
   you can use it to manage application availability during disruptions.
 -->
-* 了解 [Pods](/zh/docs/concepts/workloads/pods)。
-* 了解 [Deployments](/zh/docs/concepts/workloads/controllers/deployment/)。
-* [使用 Deployment 运行一个无状态应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)，它依赖于 ReplicaSet。
-* `ReplicaSet` 是 Kubernetes REST API 中的顶级资源。阅读 {{< api-reference page="workload-resources/replica-set-v1" >}}
-   对象定义理解关于该资源的 API。
-* 阅读[Pod 干扰预算（Disruption Budget）](/zh/docs/concepts/workloads/pods/disruptions/)，了解如何在干扰下运行高度可用的应用。
+* 了解 [Pod](/zh-cn/docs/concepts/workloads/pods)。
+* 了解 [Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)。
+* [使用 Deployment 运行一个无状态应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)，
+  它依赖于 ReplicaSet。
+* `ReplicaSet` 是 Kubernetes REST API 中的顶级资源。阅读
+  {{< api-reference page="workload-resources/replica-set-v1" >}}
+  对象定义理解关于该资源的 API。
+* 阅读 [Pod 干扰预算（Disruption Budget）](/zh-cn/docs/concepts/workloads/pods/disruptions/)，
+  了解如何在干扰下运行高度可用的应用。
+
diff --git a/content/zh/docs/concepts/workloads/controllers/replicationcontroller.md b/content/zh-cn/docs/concepts/workloads/controllers/replicationcontroller.md
similarity index 92%
rename from content/zh/docs/concepts/workloads/controllers/replicationcontroller.md
rename to content/zh-cn/docs/concepts/workloads/controllers/replicationcontroller.md
index f83b5d46867b2..851dafd0a0027 100644
--- a/content/zh/docs/concepts/workloads/controllers/replicationcontroller.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/replicationcontroller.md
@@ -7,7 +7,7 @@ feature:
     重新启动失败的容器，在节点死亡时替换并重新调度容器，杀死不响应用户定义的健康检查的容器，并且在它们准备好服务之前不会将它们公布给客户端。
 content_type: concept
 weight: 90
----     
+---
 
 <!--
 reviewers:
@@ -30,8 +30,8 @@ weight: 90
 A [`Deployment`](/docs/concepts/workloads/controllers/deployment/) that configures a [`ReplicaSet`](/docs/concepts/workloads/controllers/replicaset/) is now the recommended way to set up replication.
 -->
 {{< note >}}
-现在推荐使用配置 [`ReplicaSet`](/zh/docs/concepts/workloads/controllers/replicaset/) 的
-[`Deployment`](/zh/docs/concepts/workloads/controllers/deployment/) 来建立副本管理机制。
+现在推荐使用配置 [`ReplicaSet`](/zh-cn/docs/concepts/workloads/controllers/replicaset/) 的
+[`Deployment`](/zh-cn/docs/concepts/workloads/controllers/deployment/) 来建立副本管理机制。
 {{< /note >}}
 
 <!--
@@ -196,7 +196,7 @@ A ReplicationController also needs a [`.spec` section](https://git.k8s.io/commun
 与所有其它 Kubernetes 配置一样，ReplicationController 需要 `apiVersion`、
 `kind` 和 `metadata` 字段。
 有关使用配置文件的常规信息，参考
-[对象管理](/zh/docs/concepts/overview/working-with-objects/object-management/)。
+[对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)。
 
 ReplicationController 也需要一个 [`.spec` 部分](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)。
 
@@ -211,8 +211,8 @@ The `.spec.template` is a [pod template](/docs/concepts/workloads/pods/pod-overv
 
 `.spec.template` 是 `.spec` 的唯一必需字段。
 
-`.spec.template` 是一个 [Pod 模板](/zh/docs/concepts/workloads/pods/#pod-templates)。
-它的模式与 [Pod](/zh/docs/concepts/workloads/pods/) 完全相同，只是它是嵌套的，没有 `apiVersion` 或 `kind` 属性。
+`.spec.template` 是一个 [Pod 模板](/zh-cn/docs/concepts/workloads/pods/#pod-templates)。
+它的模式与 [Pod](/zh-cn/docs/concepts/workloads/pods/) 完全相同，只是它是嵌套的，没有 `apiVersion` 或 `kind` 属性。
 
 <!--
 In addition to required fields for a Pod, a pod template in a ReplicationController must specify appropriate
@@ -226,10 +226,10 @@ for example the [Kubelet](/docs/admin/kubelet/) or Docker.
 除了 Pod 所需的字段外，ReplicationController 中的 Pod 模板必须指定适当的标签和适当的重新启动策略。
 对于标签，请确保不与其他控制器重叠。参考 [Pod 选择算符](#pod-selector)。
 
-只允许 [`.spec.template.spec.restartPolicy`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy) 等于 `Always`，如果没有指定，这是默认值。
+只允许 [`.spec.template.spec.restartPolicy`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy) 等于 `Always`，如果没有指定，这是默认值。
 
 对于本地容器重启，ReplicationController 委托给节点上的代理，
-例如 [Kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/) 或 Docker。
+例如 [Kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) 或 Docker。
 
 <!--
 ### Labels on the ReplicationController
@@ -242,8 +242,8 @@ different, and the `.metadata.labels` do not affect the behavior of the Replicat
 ### ReplicationController 上的标签
 
 ReplicationController 本身可以有标签 （`.metadata.labels`）。
-通常，你可以将这些设置为 `.spec.template.metadata.labels`； 
-如果没有指定 `.metadata.labels` 那么它默认为 `.spec.template.metadata.labels`。  
+通常，你可以将这些设置为 `.spec.template.metadata.labels`；
+如果没有指定 `.metadata.labels` 那么它默认为 `.spec.template.metadata.labels`。
 但是，Kubernetes 允许它们是不同的，`.metadata.labels` 不会影响 ReplicationController 的行为。
 
 <!--
@@ -256,7 +256,7 @@ deleted. This allows the ReplicationController to be replaced without affecting
 -->
 ### Pod 选择算符 {#pod-selector}
 
-`.spec.selector` 字段是一个[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/#label-selectors)。 
+`.spec.selector` 字段是一个[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)。
 ReplicationController 管理标签与选择算符匹配的所有 Pod。
 它不区分它创建或删除的 Pod 和其他人或进程创建或删除的 Pod。
 这允许在不影响正在运行的 Pod 的情况下替换 ReplicationController。
@@ -299,7 +299,7 @@ If you do not specify `.spec.replicas`, then it defaults to 1.
 你可以通过设置 `.spec.replicas` 来指定应该同时运行多少个 Pod。
 在任何时候，处于运行状态的 Pod 个数都可能高于或者低于设定值。例如，副本个数刚刚被增加或减少时，或者一个 Pod 处于优雅终止过程中而其替代副本已经提前开始创建时。
 
-如果你没有指定 `.spec.replicas` ，那么它默认是 1。
+如果你没有指定 `.spec.replicas`，那么它默认是 1。
 
 <!--
 ## Working with ReplicationControllers
@@ -323,7 +323,7 @@ When using the REST API or [client library](/docs/reference/using-api/client-lib
 kubectl 将 ReplicationController 缩放为 0 并等待以便在删除 ReplicationController 本身之前删除每个 Pod。
 如果这个 kubectl 命令被中断，可以重新启动它。
 
-当使用 REST API 或[客户端库](/zh/docs/reference/using-api/client-libraries)时，你需要明确地执行这些步骤（缩放副本为 0、
+当使用 REST API 或[客户端库](/zh-cn/docs/reference/using-api/client-libraries)时，你需要明确地执行这些步骤（缩放副本为 0、
 等待 Pod 删除，之后删除 ReplicationController 资源）。
 
 <!--
@@ -341,7 +341,7 @@ When using the REST API or [client library](/docs/reference/using-api/client-lib
 
 使用 kubectl，为 [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete) 指定 `--cascade=orphan` 选项。
 
-当使用 REST API 或客户端库(/zh/docs/reference/using-api/client-libraries)时，只需删除 ReplicationController 对象。
+当使用 REST API 或[客户端库](/zh-cn/docs/reference/using-api/client-libraries)时，只需删除 ReplicationController 对象。
 
 <!--
 Once the original is deleted, you can create a new ReplicationController to replace it.  As long
@@ -416,7 +416,7 @@ Rolling update is implemented in the client tool
 这两个 ReplicationController 将需要创建至少具有一个不同标签的 Pod，比如 Pod 主要容器的镜像标签，因为通常是镜像更新触发滚动更新。
 
 滚动更新是在客户端工具 [`kubectl rolling-update`](/docs/reference/generated/kubectl/kubectl-commands#rolling-update)
-中实现的。访问 [`kubectl rolling-update` 任务](/zh/docs/tasks/run-application/rolling-update-replication-controller/)以获得更多的具体示例。
+中实现的。访问 [`kubectl rolling-update` 任务](/zh-cn/docs/tasks/run-application/rolling-update-replication-controller/)以获得更多的具体示例。
 
 <!--
 ### Multiple release tracks
@@ -534,9 +534,9 @@ Note that we recommend using Deployments instead of directly using Replica Sets,
 
 ### ReplicaSet
 
-[`ReplicaSet`](/zh/docs/concepts/workloads/controllers/replicaset/) 是下一代 ReplicationController，
-支持新的[基于集合的标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/#set-based-requirement)。
-它主要被 [`Deployment`](/zh/docs/concepts/workloads/controllers/deployment/)
+[`ReplicaSet`](/zh-cn/docs/concepts/workloads/controllers/replicaset/) 是下一代 ReplicationController，
+支持新的[基于集合的标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#set-based-requirement)。
+它主要被 [`Deployment`](/zh-cn/docs/concepts/workloads/controllers/deployment/)
 用来作为一种编排 Pod 创建、删除及更新的机制。
 请注意，我们推荐使用 Deployment 而不是直接使用 ReplicaSet，除非
 你需要自定义更新编排或根本不需要更新。
@@ -550,7 +550,7 @@ because they are declarative, server-side, and have additional features.
 -->
 ### Deployment （推荐）
 
-[`Deployment`](/zh/docs/concepts/workloads/controllers/deployment/) 是一种更高级别的 API 对象，用于更新其底层 ReplicaSet 及其 Pod。
+[`Deployment`](/zh-cn/docs/concepts/workloads/controllers/deployment/) 是一种更高级别的 API 对象，用于更新其底层 ReplicaSet 及其 Pod。
 如果你想要这种滚动更新功能，那么推荐使用 Deployment，因为它们是声明式的、服务端的，并且具有其它特性。
 
 <!--
@@ -561,9 +561,9 @@ Unlike in the case where a user directly created pods, a ReplicationController r
 ### 裸 Pod
 
 与用户直接创建 Pod 的情况不同，ReplicationController 能够替换因某些原因
-被删除或被终止的 Pod ，例如在节点故障或中断节点维护的情况下，例如内核升级。
+被删除或被终止的 Pod，例如在节点故障或中断节点维护的情况下，例如内核升级。
 因此，我们建议你使用 ReplicationController，即使你的应用程序只需要一个 Pod。
-可以将其看作类似于进程管理器，它只管理跨多个节点的多个 Pod ，而不是单个节点上的单个进程。
+可以将其看作类似于进程管理器，它只管理跨多个节点的多个 Pod，而不是单个节点上的单个进程。
 ReplicationController 将本地容器重启委托给节点上的某个代理(例如，Kubelet 或 Docker)。
 
 <!--
@@ -575,7 +575,7 @@ Use a [`Job`](/docs/concepts/jobs/run-to-completion-finite-workloads/) instead o
 ### Job
 
 对于预期会自行终止的 Pod (即批处理任务)，使用
-[`Job`](/zh/docs/concepts/workloads/controllers/job/) 而不是 ReplicationController。
+[`Job`](/zh-cn/docs/concepts/workloads/controllers/job/) 而不是 ReplicationController。
 
 <!--
 ### DaemonSet
@@ -588,7 +588,7 @@ safe to terminate when the machine is otherwise ready to be rebooted/shutdown.
 ### DaemonSet
 
 对于提供机器级功能（例如机器监控或机器日志记录）的 Pod，
-使用 [`DaemonSet`](/zh/docs/concepts/workloads/controllers/daemonset/) 而不是
+使用 [`DaemonSet`](/zh-cn/docs/concepts/workloads/controllers/daemonset/) 而不是
 ReplicationController。
 这些 Pod 的生命期与机器的生命期绑定：它们需要在其他 Pod 启动之前在机器上运行，
 并且在机器准备重新启动或者关闭时安全地终止。
@@ -605,8 +605,8 @@ ReplicationController。
 -->
 ## {{% heading "whatsnext" %}}
 
-- 了解 [Pods](/zh/docs/concepts/workloads/pods)。
-- 了解 [Depolyment](/zh/docs/concepts/workloads/controllers/deployment/)，ReplicationController 的替代品。
+- 了解 [Pods](/zh-cn/docs/concepts/workloads/pods)。
+- 了解 [Depolyment](/zh-cn/docs/concepts/workloads/controllers/deployment/)，ReplicationController 的替代品。
 - `ReplicationController` 是 Kubernetes REST API 的一部分，阅读 {{< api-reference page="workload-resources/replication-controller-v1" >}}
   对象定义以了解 replication controllers 的 API。
 
diff --git a/content/zh/docs/concepts/workloads/controllers/statefulset.md b/content/zh-cn/docs/concepts/workloads/controllers/statefulset.md
similarity index 62%
rename from content/zh/docs/concepts/workloads/controllers/statefulset.md
rename to content/zh-cn/docs/concepts/workloads/controllers/statefulset.md
index 26f00ae25c09d..8897131ba1d91 100644
--- a/content/zh/docs/concepts/workloads/controllers/statefulset.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/statefulset.md
@@ -27,7 +27,7 @@ StatefulSet 是用来管理有状态应用的工作负载 API 对象。
 StatefulSets are valuable for applications that require one or more of the
 following.
 -->
-## 使用 StatefulSets
+## 使用 StatefulSets   {#using-statefulsets}
 
 StatefulSets 对于需要满足以下一个或多个需求的应用程序很有价值：
 
@@ -53,8 +53,8 @@ that provides a set of stateless replicas.
 在上面描述中，“稳定的”意味着 Pod 调度或重调度的整个过程是有持久性的。
 如果应用程序不需要任何稳定的标识符或有序的部署、删除或伸缩，则应该使用
 由一组无状态的副本控制器提供的工作负载来部署应用程序，比如
-[Deployment](/zh/docs/concepts/workloads/controllers/deployment/) 或者
-[ReplicaSet](/zh/docs/concepts/workloads/controllers/replicaset/)
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/) 或者
+[ReplicaSet](/zh-cn/docs/concepts/workloads/controllers/replicaset/)
 可能更适用于你的无状态应用部署需要。
 
 <!--
@@ -77,7 +77,7 @@ that provides a set of stateless replicas.
   基于所请求的 `storage class` 来提供，或者由管理员预先提供。
 * 删除或者收缩 StatefulSet 并*不会*删除它关联的存储卷。
   这样做是为了保证数据安全，它通常比自动清除 StatefulSet 所有相关的资源更有价值。
-* StatefulSet 当前需要[无头服务](/zh/docs/concepts/services-networking/service/#headless-services)
+* StatefulSet 当前需要[无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)
   来负责 Pod 的网络标识。你需要负责创建此服务。
 * 当删除 StatefulSets 时，StatefulSet 不提供任何终止 Pod 的保证。
   为了实现 StatefulSet 中的 Pod 可以有序地且体面地终止，可以在删除之前将 StatefulSet
@@ -116,13 +116,14 @@ metadata:
 spec:
   selector:
     matchLabels:
-      app: nginx # has to match .spec.template.metadata.labels
+      app: nginx # 必须匹配 .spec.template.metadata.labels
   serviceName: "nginx"
-  replicas: 3 # by default is 1
+  replicas: 3 # 默认值是 1
+  minReadySeconds: 10 # 默认值是 0
   template:
     metadata:
       labels:
-        app: nginx # has to match .spec.selector.matchLabels
+        app: nginx # 必须匹配 .spec.selector.matchLabels
     spec:
       terminationGracePeriodSeconds: 10
       containers:
@@ -161,22 +162,52 @@ The name of a StatefulSet object must be a valid
 * 名为 `nginx` 的 Headless Service 用来控制网络域名。
 * 名为 `web` 的 StatefulSet 有一个 Spec，它表明将在独立的 3 个 Pod 副本中启动 nginx 容器。
 * `volumeClaimTemplates` 将通过 PersistentVolumes 驱动提供的
-  [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/) 来提供稳定的存储。
+  [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/) 来提供稳定的存储。
 
-StatefulSet 的命名需要遵循[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)规范。
+StatefulSet 的命名需要遵循 [DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)规范。
 
 <!--
-## Pod Selector
+### Pod Selector
 -->
-## Pod 选择算符     {#pod-selector}
+### Pod 选择算符     {#pod-selector}
 
 <!--
-You must set the `.spec.selector` field of a StatefulSet to match the labels of its `.spec.template.metadata.labels`. Prior to Kubernetes 1.8, the `.spec.selector` field was defaulted when omitted. In 1.8 and later versions, failing to specify a matching Pod Selector will result in a validation error during StatefulSet creation.
+You must set the `.spec.selector` field of a StatefulSet to match the labels of its `.spec.template.metadata.labels`. Failing to specify a matching Pod Selector will result in a validation error during StatefulSet creation.
 -->
 你必须设置 StatefulSet 的 `.spec.selector` 字段，使之匹配其在
-`.spec.template.metadata.labels` 中设置的标签。在 Kubernetes 1.8 版本之前，
-被忽略 `.spec.selector` 字段会获得默认设置值。
-在 1.8 和以后的版本中，未指定匹配的 Pod 选择器将在创建 StatefulSet 期间导致验证错误。
+`.spec.template.metadata.labels` 中设置的标签。
+未指定匹配的 Pod 选择器将在创建 StatefulSet 期间导致验证错误。
+
+<!--
+### Volume Claim Templates
+
+You can set the  `.spec.volumeClaimTemplates` which can provide stable storage using [PersistentVolumes](/docs/concepts/storage/persistent-volumes/) provisioned by a PersistentVolume Provisioner.
+-->
+### 卷申领模版  {#volume-claim-templates}
+
+你可以设置 `.spec.volumeClaimTemplates`，
+它可以使用 PersistentVolume 制备程序所准备的
+[PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/) 来提供稳定的存储。
+
+<!-- ### Minimum ready seconds -->
+### 最短就绪秒数 {#minimum-ready-seconds}
+
+{{< feature-state for_k8s_version="v1.23" state="beta" >}}
+
+<!--
+`.spec.minReadySeconds` is an optional field that specifies the minimum number of seconds for which a newly
+created Pod should be ready without any of its containers crashing, for it to be considered available.
+Please note that this feature is beta and enabled by default. Please opt out by unsetting the StatefulSetMinReadySeconds flag, if you don't
+want this feature to be enabled. This field defaults to 0 (the Pod will be considered 
+available as soon as it is ready). To learn more about when a Pod is considered ready, see [Container Probes](/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+-->
+`.spec.minReadySeconds` 是一个可选字段，
+它指定新创建的 Pod 应该准备好且其任何容器不崩溃的最小秒数，以使其被视为可用。
+请注意，此功能是测试版，默认启用。如果你不希望启用此功能，
+请通过取消设置 StatefulSetMinReadySeconds 标志来选择退出。
+该字段默认为 0（Pod 准备就绪后将被视为可用）。
+要了解有关何时认为 Pod 准备就绪的更多信息，
+请参阅[容器探针](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)。
 
 <!--
 ## Pod Identity
@@ -221,7 +252,7 @@ by the `serviceName` field on the StatefulSet.
 StatefulSet 中的每个 Pod 根据 StatefulSet 的名称和 Pod 的序号派生出它的主机名。
 组合主机名的格式为`$(StatefulSet 名称)-$(序号)`。
 上例将会创建三个名称分别为 `web-0、web-1、web-2` 的 Pod。
-StatefulSet 可以使用 [无头服务](/zh/docs/concepts/services-networking/service/#headless-services)
+StatefulSet 可以使用 [无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)
 控制它的 Pod 的网络域。管理域的这个服务的格式为：
 `$(服务名称).$(命名空间).svc.cluster.local`，其中 `cluster.local` 是集群域。
 一旦每个 Pod 创建成功，就会得到一个匹配的 DNS 子域，格式为：
@@ -255,7 +286,7 @@ responsible for the network identity of the pods.
 - 直接查询 Kubernetes API（比如，利用 watch 机制）而不是依赖于 DNS 查询
 - 缩短 Kubernetes DNS 驱动的缓存时长（通常这意味着修改 CoreDNS 的 ConfigMap，目前缓存时长为 30 秒）
 
-正如[限制](#limitations)中所述，你需要负责创建[无头服务](/zh/docs/concepts/services-networking/service/#headless-services)
+正如[限制](#limitations)中所述，你需要负责创建[无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)
 以便为 Pod 提供网络标识。
 
 <!--
@@ -283,7 +314,7 @@ Cluster Domain will be set to `cluster.local` unless
 [otherwise configured](/docs/concepts/services-networking/dns-pod-service/#how-it-works).
 -->
 {{< note >}}
-集群域会被设置为 `cluster.local`，除非有[其他配置](/zh/docs/concepts/services-networking/dns-pod-service/)。
+集群域会被设置为 `cluster.local`，除非有[其他配置](/zh-cn/docs/concepts/services-networking/dns-pod-service/)。
 {{< /note >}}
 
 <!--
@@ -301,9 +332,9 @@ This must be done manually.
 对于 StatefulSet 中定义的每个 VolumeClaimTemplate，每个 Pod 接收到一个 PersistentVolumeClaim。在上面的 nginx 示例中，每个 Pod 将会得到基于 StorageClass `my-storage-class` 提供的
 1 Gib 的 PersistentVolume。
 如果没有声明 StorageClass，就会使用默认的 StorageClass。
-当一个 Pod 被调度（重新调度）到节点上时，它的 `volumeMounts` 会挂载与其 
+当一个 Pod 被调度（重新调度）到节点上时，它的 `volumeMounts` 会挂载与其
 PersistentVolumeClaims 相关联的 PersistentVolume。
-请注意，当 Pod 或者 StatefulSet 被删除时，与 PersistentVolumeClaims 相关联的 
+请注意，当 Pod 或者 StatefulSet 被删除时，与 PersistentVolumeClaims 相关联的
 PersistentVolume 并不会被删除。要删除它必须通过手动方式来完成。
 
 <!--
@@ -340,7 +371,7 @@ The StatefulSet should not specify a `pod.Spec.TerminationGracePeriodSeconds` of
 -->
 StatefulSet 不应将 `pod.Spec.TerminationGracePeriodSeconds` 设置为 0。
 这种做法是不安全的，要强烈阻止。更多的解释请参考
-[强制删除 StatefulSet Pod](/zh/docs/tasks/run-application/force-delete-stateful-set-pod/)。
+[强制删除 StatefulSet Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)。
 
 <!--
 When the nginx example above is created, three Pods will be deployed in the order
@@ -351,7 +382,7 @@ web-2 is launched, web-2 will not be launched until web-0 is successfully relaun
 becomes Running and Ready.
 -->
 在上面的 nginx 示例被创建后，会按照 web-0、web-1、web-2 的顺序部署三个 Pod。
-在 web-0 进入 [Running 和 Ready](/zh/docs/concepts/workloads/pods/pod-lifecycle/)
+在 web-0 进入 [Running 和 Ready](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/)
 状态前不会部署 web-1。在 web-1 进入 Running 和 Ready 状态前不会部署 web-2。
 如果 web-1 已经处于 Running 和 Ready 状态，而 web-2 尚未部署，在此期间发生了
 web-0 运行失败，那么 web-2 将不会被部署，要等到 web-0 部署完成并进入 Running 和
@@ -372,12 +403,12 @@ until web-0 is Running and Ready.
 <!--
 ### Pod Management Policies
 
-In Kubernetes 1.7 and later, StatefulSet allows you to relax its ordering guarantees while
+StatefulSet allows you to relax its ordering guarantees while
 preserving its uniqueness and identity guarantees via its `.spec.podManagementPolicy` field.
 -->
 ### Pod 管理策略 {#pod-management-policies}
 
-在 Kubernetes 1.7 及以后的版本中，StatefulSet 允许你放宽其排序保证，
+StatefulSet 允许你放宽其排序保证，
 同时通过它的 `.spec.podManagementPolicy` 域保持其唯一性和身份保证。
 
 <!--
@@ -386,7 +417,7 @@ preserving its uniqueness and identity guarantees via its `.spec.podManagementPo
 `OrderedReady` pod management is the default for StatefulSets. It implements the behavior
 described [above](#deployment-and-scaling-guarantees).
 -->
-#### OrderedReady Pod 管理
+#### OrderedReady Pod 管理   {#orderedready-pod-management}
 
 `OrderedReady` Pod 管理是 StatefulSet 的默认设置。它实现了
 [上面](#deployment-and-scaling-guarantees)描述的功能。
@@ -436,7 +467,7 @@ StatefulSet 的 `.spec.updateStrategy` 字段让
 
 `RollingUpdate`
 : `RollingUpdate` 更新策略对 StatefulSet 中的 Pod 执行自动的滚动更新。这是默认的更新策略。
- 
+
 <!--
 ## Rolling Updates
 
@@ -446,7 +477,9 @@ in the same order as Pod termination (from the largest ordinal to the smallest),
 each Pod one at a time.
 
 The Kubernetes control plane waits until an updated Pod is Running and Ready prior
-to updating its predecessor. If you have set `.spec.minReadySeconds` (see [Minimum Ready Seconds](#minimum-ready-seconds)), the control plane additionally waits that amount of time after the Pod turns ready, before moving on.
+to updating its predecessor. If you have set `.spec.minReadySeconds` (see
+[Minimum Ready Seconds](#minimum-ready-seconds)), the control plane additionally waits that
+amount of time after the Pod turns ready, before moving on.
 -->
 ## 滚动更新 {#rolling-updates}
 
@@ -482,6 +515,47 @@ update, roll out a canary, or perform a phased roll out.
 在大多数情况下，你不需要使用分区，但如果你希望进行阶段更新、执行金丝雀或执行
 分阶段上线，则这些分区会非常有用。
 
+<!--
+### Maximum unavailable Pods
+-->
+### 最大不可用 Pod   {#maximum-unavailable-pods}
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+<!--
+You can control the maximum number of Pods that can be unavailable during an update
+by specifying the `.spec.updateStrategy.rollingUpdate.maxUnavailable` field.
+The value can be an absolute number (for example, `5`) or a percentage of desired
+Pods (for example, `10%`). Absolute number is calculated from the percentage value
+by rounding it up. This field cannot be 0. The default setting is 1.
+-->
+你可以通过指定 `.spec.updateStrategy.rollingUpdate.maxUnavailable`
+字段来控制更新期间不可用的 Pod 的最大数量。
+该值可以是绝对值（例如，“5”）或者是期望 Pod 个数的百分比（例如，`10%`）。
+绝对值是根据百分比值四舍五入计算的。
+该字段不能为 0。默认设置为 1。
+
+<!--
+This field applies to all Pods in the range `0` to `replicas - 1`. If there is any
+unavailable Pod in the range `0` to `replicas - 1`, it will be counted towards
+`maxUnavailable`.
+-->
+该字段适用于 `0` 到 `replicas - 1` 范围内的所有 Pod。
+如果在 `0` 到 `replicas - 1` 范围内存在不可用 Pod，这类 Pod 将被计入 `maxUnavailable` 值。
+
+<!--
+{{< note >}}
+The `maxUnavailable` field is in Alpha stage and it is honored only by API servers
+that are running with the `MaxUnavailableStatefulSet`
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+enabled.
+{{< /note >}}
+-->
+{{< note >}}
+`maxUnavailable` 字段处于 Alpha 阶段，仅当 API 服务器启用了 `MaxUnavailableStatefulSet`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)时才起作用。
+{{< /note >}}
+
 <!--
 ### Forced Rollback
 
@@ -496,7 +570,7 @@ StatefulSet will stop the rollout and wait.
 ### 强制回滚 {#forced-rollback}
 
 在默认 [Pod 管理策略](#pod-management-policies)(`OrderedReady`) 下使用
-[滚动更新](#rolling-updates) ，可能进入需要人工干预才能修复的损坏状态。
+[滚动更新](#rolling-updates)，可能进入需要人工干预才能修复的损坏状态。
 
 如果更新后 Pod 模板配置进入无法运行或就绪的状态（例如，由于错误的二进制文件
 或应用程序级配置错误），StatefulSet 将停止回滚并等待。
@@ -519,24 +593,173 @@ StatefulSet will then begin to recreate the Pods using the reverted template.
 恢复模板后，还必须删除 StatefulSet 尝试使用错误的配置来运行的 Pod。这样，
 StatefulSet 才会开始使用被还原的模板来重新创建 Pod。
 
+<!-- ## PersistentVolumeClaim retention -->
+## PersistentVolumeClaim 保留  {#persistentvolumeclaim-retention}
+
+{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+
 <!--
-### Minimum ready seconds
+The optional `.spec.persistentVolumeClaimRetentionPolicy` field controls if
+and how PVCs are deleted during the lifecycle of a StatefulSet. You must enable the
+`StatefulSetAutoDeletePVC` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+to use this field. Once enabled, there are two policies you can configure for each
+StatefulSet:
+-->
+在 StatefulSet 的生命周期中，可选字段
+`.spec.persistentVolumeClaimRetentionPolicy` 控制是否删除以及如何删除 PVC。
+使用该字段，你必须启用 `StatefulSetAutoDeletePVC`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
+启用后，你可以为每个 StatefulSet 配置两个策略：
 
-`.spec.minReadySeconds` is an optional field that specifies the minimum number of seconds for which a newly
-created Pod should be ready without any of its containers crashing, for it to be considered available.
-This defaults to 0 (the Pod will be considered available as soon as it is ready). To learn more about when
-a Pod is considered ready, see [Container Probes](/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+<!--
+`whenDeleted`
+: configures the volume retention behavior that applies when the StatefulSet is deleted
 
-Please note that this field only works if you enable the `StatefulSetMinReadySeconds` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/).
+`whenScaled`
+: configures the volume retention behavior that applies when the replica count of
+  the StatefulSet   is reduced; for example, when scaling down the set.
+  
+For each policy that you can configure, you can set the value to either `Delete` or `Retain`.
 -->
-### 最短就绪秒数   {#minimum-ready-seconds}
+`whenDeleted`
+: 配置删除 StatefulSet 时应用的卷保留行为
 
-{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+`whenScaled`
+: 配置当 StatefulSet 的副本数减少时应用的卷保留行为；例如，缩小集合时。
 
-`.spec.minReadySeconds` 是一个可选字段，用于指定新创建的 Pod 就绪（没有任何容器崩溃）后被认为可用的最小秒数。
-默认值是 0（Pod 就绪时就被认为可用）。要了解 Pod 何时被认为已就绪，请参阅[容器探针](/zh/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)。 
+对于你可以配置的每个策略，你可以将值设置为 `Delete` 或 `Retain`。
 
-请注意只有当你启用 `StatefulSetMinReadySeconds` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)时，该字段才会生效。
+<!--
+`Delete`
+: The PVCs created from the StatefulSet `volumeClaimTemplate` are deleted for each Pod
+  affected by the policy. With the `whenDeleted` policy all PVCs from the
+  `volumeClaimTemplate` are deleted after their Pods have been deleted. With the
+  `whenScaled` policy, only PVCs corresponding to Pod replicas being scaled down are
+  deleted, after their Pods have been deleted.
+-->
+`Delete`
+: 对于受策略影响的每个 Pod，基于 StatefulSet 的 `volumeClaimTemplate` 字段创建的 PVC 都会被删除。
+  使用 `whenDeleted` 策略，所有来自 `volumeClaimTemplate` 的 PVC 在其 Pod 被删除后都会被删除。
+  使用 `whenScaled` 策略，只有与被缩减的 Pod 副本对应的 PVC 在其 Pod 被删除后才会被删除。
+
+<!--
+`Retain` (default)
+: PVCs from the `volumeClaimTemplate` are not affected when their Pod is
+  deleted. This is the behavior before this new feature.
+-->
+`Retain`（默认）
+: 来自 `volumeClaimTemplate` 的 PVC 在 Pod 被删除时不受影响。这是此新功能之前的行为。
+
+<!--
+Bear in mind that these policies **only** apply when Pods are being removed due to the
+StatefulSet being deleted or scaled down. For example, if a Pod associated with a StatefulSet
+fails due to node failure, and the control plane creates a replacement Pod, the StatefulSet
+retains the existing PVC.  The existing volume is unaffected, and the cluster will attach it to
+the node where the new Pod is about to launch.
+
+The default for policies is `Retain`, matching the StatefulSet behavior before this new feature.
+
+Here is an example policy.
+-->
+请记住，这些策略**仅**适用于由于 StatefulSet 被删除或被缩小而被删除的 Pod。
+例如，如果与 StatefulSet 关联的 Pod 由于节点故障而失败，
+并且控制平面创建了替换 Pod，则 StatefulSet 保留现有的 PVC。
+现有卷不受影响，集群会将其附加到新 Pod 即将启动的节点上。
+
+策略的默认值为 `Retain`，与此新功能之前的 StatefulSet 行为相匹配。
+
+这是一个示例策略。
+
+```yaml
+apiVersion: apps/v1
+kind: StatefulSet
+...
+spec:
+  persistentVolumeClaimRetentionPolicy:
+    whenDeleted: Retain
+    whenScaled: Delete
+...
+```
+
+<!--
+The StatefulSet {{<glossary_tooltip text="controller" term_id="controller">}} adds [owner
+references](/docs/concepts/overview/working-with-objects/owners-dependents/#owner-references-in-object-specifications)
+to its PVCs, which are then deleted by the {{<glossary_tooltip text="garbage collector"
+term_id="garbage-collection">}} after the Pod is terminated. This enables the Pod to
+cleanly unmount all volumes before the PVCs are deleted (and before the backing PV and
+volume are deleted, depending on the retain policy).  When you set the `whenDeleted`
+policy to `Delete`, an owner reference to the StatefulSet instance is placed on all PVCs
+associated with that StatefulSet. 
+-->
+StatefulSet {{<glossary_tooltip text="控制器" term_id="controller">}}为其 PVC 添加了
+[属主引用](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/#owner-references-in-object-specifications)，
+这些 PVC 在 Pod 终止后被{{<glossary_tooltip text="垃圾回收器" term_id="garbage-collection">}}删除。
+这使 Pod 能够在删除 PVC 之前（以及在删除后备 PV 和卷之前，取决于保留策略）干净地卸载所有卷。
+当你设置 `whenDeleted` 删除策略，对 StatefulSet 实例的属主引用放置在与该 StatefulSet 关联的所有 PVC 上。
+
+<!--
+The `whenScaled` policy must delete PVCs only when a Pod is scaled down, and not when a
+Pod is deleted for another reason. When reconciling, the StatefulSet controller compares
+its desired replica count to the actual Pods present on the cluster. Any StatefulSet Pod
+whose id greater than the replica count is condemned and marked for deletion. If the
+`whenScaled` policy is `Delete`, the condemned Pods are first set as owners to the
+associated StatefulSet template PVCs, before the Pod is deleted. This causes the PVCs
+to be garbage collected after only the condemned Pods have terminated.
+-->
+`whenScaled` 策略必须仅在 Pod 缩减时删除 PVC，而不是在 Pod 因其他原因被删除时删除。
+执行协调操作时，StatefulSet 控制器将其所需的副本数与集群上实际存在的 Pod 进行比较。
+对于 StatefulSet 中的所有 Pod 而言，如果其 ID 大于副本数，则将被废弃并标记为需要删除。
+如果 `whenScaled` 策略是 `Delete`，则在删除 Pod 之前，
+首先将已销毁的 Pod 设置为与 StatefulSet 模板 对应的 PVC 的属主。
+这会导致 PVC 仅在已废弃的 Pod 终止后被垃圾收集。
+
+<!--
+This means that if the controller crashes and restarts, no Pod will be deleted before its
+owner reference has been updated appropriate to the policy. If a condemned Pod is
+force-deleted while the controller is down, the owner reference may or may not have been
+set up, depending on when the controller crashed. It may take several reconcile loops to
+update the owner references, so some condemned Pods may have set up owner references and
+other may not. For this reason we recommend waiting for the controller to come back up,
+which will verify owner references before terminating Pods. If that is not possible, the
+operator should verify the owner references on PVCs to ensure the expected objects are
+deleted when Pods are force-deleted.
+-->
+这意味着如果控制器崩溃并重新启动，在其属主引用更新到适合策略的 Pod 之前，不会删除任何 Pod。
+如果在控制器关闭时强制删除了已废弃的 Pod，则属主引用可能已被设置，也可能未被设置，具体取决于控制器何时崩溃。
+更新属主引用可能需要几个协调循环，因此一些已废弃的 Pod 可能已经被设置了属主引用，而其他可能没有。
+出于这个原因，我们建议等待控制器恢复，控制器将在终止 Pod 之前验证属主引用。
+如果这不可行，则操作员应验证 PVC 上的属主引用，以确保在强制删除 Pod 时删除预期的对象。
+
+<!--
+### Replicas
+
+`.spec.replicas` is an optional field that specifies the number of desired Pods. It defaults to 1.
+
+Should you manually scale a deployment, example via `kubectl scale
+statefulset statefulset --replicas=X`, and then you update that StatefulSet
+based on a manifest (for example: by running `kubectl apply -f
+statefulset.yaml`), then applying that manifest overwrites the manual scaling
+that you previously did.
+-->
+### 副本数 {#replicas}
+
+`.spec.replicas` 是一个可选字段，用于指定所需 Pod 的数量。它的默认值为 1。
+
+如果你手动扩缩已部署的负载，例如通过 `kubectl scale statefulset statefulset --replicas=X`，
+然后根据清单更新 StatefulSet（例如：通过运行 `kubectl apply -f statefulset.yaml`），
+那么应用该清单的操作会覆盖你之前所做的手动缩放。
+
+<!--
+If a [HorizontalPodAutoscaler](/docs/tasks/run-application/horizontal-pod-autoscale/)
+(or any similar API for horizontal scaling) is managing scaling for a
+Statefulset, don't set `.spec.replicas`. Instead, allow the Kubernetes
+{{<glossary_tooltip text="control plane" term_id="control-plane" >}} to manage
+the `.spec.replicas` field automatically.
+-->
+如果 [HorizontalPodAutoscaler](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/)
+（或任何类似的水平缩放 API）正在管理 Statefulset 的缩放，
+请不要设置 `.spec.replicas`。
+相反，允许 Kubernetes 控制平面自动管理 `.spec.replicas` 字段。
 
 ## {{% heading "whatsnext" %}}
 
@@ -556,15 +779,15 @@ Please note that this field only works if you enable the `StatefulSetMinReadySec
 * Read about [PodDisruptionBudget](/docs/concepts/workloads/pods/disruptions/) and how
   you can use it to manage application availability during disruptions.
 -->
-* 了解 [Pods](/zh/docs/concepts/workloads/pods)。
+* 了解 [Pod](/zh-cn/docs/concepts/workloads/pods)。
 * 了解如何使用 StatefulSet
-  * 跟随示例[部署有状态应用](/zh/docs/tutorials/stateful-application/basic-stateful-set/)。
-  * 跟随示例[使用 StatefulSet 部署 Cassandra](/zh/docs/tutorials/stateful-application/cassandra/)。
-  * 跟随示例[运行多副本的有状态应用程序](/zh/docs/tasks/run-application/run-replicated-stateful-application/)。
-  * 了解如何[扩缩 StatefulSet](/zh/docs/tasks/run-application/scale-stateful-set/)。
-  * 了解[删除 StatefulSet](/zh/docs/tasks/run-application/delete-stateful-set/)涉及到的操作。
-  * 了解如何[配置 Pod 以使用卷进行存储](/zh/docs/tasks/configure-pod-container/configure-volume-storage/)。
-  * 了解如何[配置 Pod 以使用 PersistentVolume 作为存储](/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage/)。
+  * 跟随示例[部署有状态应用](/zh-cn/docs/tutorials/stateful-application/basic-stateful-set/)。
+  * 跟随示例[使用 StatefulSet 部署 Cassandra](/zh-cn/docs/tutorials/stateful-application/cassandra/)。
+  * 跟随示例[运行多副本的有状态应用程序](/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/)。
+  * 了解如何[扩缩 StatefulSet](/zh-cn/docs/tasks/run-application/scale-stateful-set/)。
+  * 了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)涉及到的操作。
+  * 了解如何[配置 Pod 以使用卷进行存储](/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage/)。
+  * 了解如何[配置 Pod 以使用 PersistentVolume 作为存储](/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/)。
 * `StatefulSet` 是 Kubernetes REST API 中的顶级资源。阅读 {{< api-reference page="workload-resources/stateful-set-v1" >}}
    对象定义理解关于该资源的 API。
-* 阅读[Pod 干扰预算（Disruption Budget）](/zh/docs/concepts/workloads/pods/disruptions/)，了解如何在干扰下运行高度可用的应用。
+* 阅读 [Pod 干扰预算（Disruption Budget）](/zh-cn/docs/concepts/workloads/pods/disruptions/)，了解如何在干扰下运行高度可用的应用。
diff --git a/content/zh/docs/concepts/workloads/controllers/ttlafterfinished.md b/content/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished.md
similarity index 91%
rename from content/zh/docs/concepts/workloads/controllers/ttlafterfinished.md
rename to content/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished.md
index 0d02b7a04be73..7887151b9aa82 100644
--- a/content/zh/docs/concepts/workloads/controllers/ttlafterfinished.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished.md
@@ -37,7 +37,7 @@ up finished Jobs (either `Complete` or `Failed`) automatically by specifying the
 
 TTL-after-finished 控制器只支持 Job。集群操作员可以通过指定 Job 的 `.spec.ttlSecondsAfterFinished`
 字段来自动清理已结束的作业（`Complete` 或 `Failed`），如
-[示例](/zh/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically)
+[示例](/zh-cn/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically)
 所示。
 
 <!--
@@ -72,9 +72,9 @@ The TTL seconds can be set at any time. Here are some examples for setting the
 -->
 * 在作业清单（manifest）中指定此字段，以便 Job 在完成后的某个时间被自动清除。
 * 将此字段设置为现有的、已完成的作业，以采用此新功能。
-* 在创建作业时使用 [mutating admission webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
+* 在创建作业时使用 [mutating admission webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
   动态设置该字段。集群管理员可以使用它对完成的作业强制执行 TTL 策略。
-* 使用 [mutating admission webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
+* 使用 [mutating admission webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
   在作业完成后动态设置该字段，并根据作业状态、标签等选择不同的 TTL 值。
 
 <!--
@@ -94,7 +94,7 @@ returns a successful API response.
 
 请注意，在创建 Job 或已经执行结束后，仍可以修改其 TTL 周期，例如 Job 的
 `.spec.ttlSecondsAfterFinished` 字段。
-但是一旦 Job 变为可被删除状态（当其 TTL 已过期时），即使您通过 API 增加其 TTL
+但是一旦 Job 变为可被删除状态（当其 TTL 已过期时），即使你通过 API 增加其 TTL
 时长得到了成功的响应，系统也不保证 Job 将被保留。
 
 <!--
@@ -123,6 +123,6 @@ very small. Please be aware of this risk when setting a non-zero TTL.
 * [Clean up Jobs automatically](/docs/concepts/workloads/controllers/jobs-run-to-completion/#clean-up-finished-jobs-automatically)
 * [Design doc](https://github.com/kubernetes/enhancements/blob/master/keps/sig-apps/592-ttl-after-finish/README.md)
 -->
-* [自动清理 Job](/zh/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically)
+* [自动清理 Job](/zh-cn/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically)
 * [设计文档](https://github.com/kubernetes/enhancements/blob/master/keps/sig-apps/592-ttl-after-finish/README.md)
 
diff --git a/content/zh/docs/concepts/workloads/pods/_index.md b/content/zh-cn/docs/concepts/workloads/pods/_index.md
similarity index 95%
rename from content/zh/docs/concepts/workloads/pods/_index.md
rename to content/zh-cn/docs/concepts/workloads/pods/_index.md
index 5eec324a1a0e3..12063e1e843c1 100644
--- a/content/zh/docs/concepts/workloads/pods/_index.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/_index.md
@@ -52,8 +52,8 @@ during Pod startup. You can also inject
 for debugging if your cluster offers this.
 -->
 除了应用容器，Pod 还可以包含在 Pod 启动期间运行的
-[Init 容器](/zh/docs/concepts/workloads/pods/init-containers/)。
-你也可以在集群中支持[临时性容器](/zh/docs/concepts/workloads/pods/ephemeral-containers/)
+[Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)。
+你也可以在集群中支持[临时性容器](/zh-cn/docs/concepts/workloads/pods/ephemeral-containers/)
 的情况下，为调试的目的注入临时性容器。
 
 <!-- body -->
@@ -271,7 +271,7 @@ When you create the manifest for a Pod object, make sure the name specified is a
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 当你为 Pod 对象创建清单时，要确保所指定的 Pod 名称是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 
 <!--
 ### Pods and controllers
@@ -314,9 +314,9 @@ PodTemplates are specifications for creating Pods, and are included in workload
 _Pod 模板（Pod Template）_ 来替你创建 Pod 并管理它们。
 
 Pod 模板是包含在工作负载对象中的规范，用来创建 Pod。这类负载资源包括
-[Deployment](/zh/docs/concepts/workloads/controllers/deployment/)、
-[Job](/zh/docs/concepts/workloads/controllers/job/) 和
-[DaemonSets](/zh/docs/concepts/workloads/controllers/daemonset/) 等。
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)、
+[Job](/zh-cn/docs/concepts/workloads/controllers/job/) 和
+[DaemonSets](/zh-cn/docs/concepts/workloads/controllers/daemonset/) 等。
 
 <!--
 Each controller for a workload resource uses the `PodTemplate` inside the workload
@@ -462,7 +462,7 @@ Kubernetes implements shared storage and makes it available to Pods.
 Pod 中的所有容器都可以访问该共享卷，从而允许这些容器共享数据。
 卷还允许 Pod 中的持久数据保留下来，即使其中的容器需要重新启动。
 有关 Kubernetes 如何在 Pod 中实现共享存储并将其提供给 Pod 的更多信息，
-请参考[卷](/zh/docs/concepts/storage/)。
+请参考[卷](/zh-cn/docs/concepts/storage/)。
 
 <!--
 ### Pod networking
@@ -503,7 +503,7 @@ Containers within the Pod see the system hostname as being the same as the confi
 section.
 -->
 Pod 中的容器所看到的系统主机名与为 Pod 配置的 `name` 属性值相同。
-[网络](/zh/docs/concepts/cluster-administration/networking/)部分提供了更多有关此内容的信息。
+[网络](/zh-cn/docs/concepts/cluster-administration/networking/)部分提供了更多有关此内容的信息。
 
 <!--
 ## Privileged mode for containers
@@ -515,14 +515,14 @@ If your cluster has the `WindowsHostProcessContainers` feature enabled, you can
 ## 容器的特权模式     {#privileged-mode-for-containers}
 
 在 Linux 中，Pod 中的任何容器都可以使用容器规约中的
-[安全性上下文](/zh/docs/tasks/configure-pod-container/security-context/)中的
+[安全性上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/)中的
 `privileged`（Linux）参数启用特权模式。
 这对于想要使用操作系统管理权能（Capabilities，如操纵网络堆栈和访问设备）
 的容器很有用。
 
 如果你的集群启用了 `WindowsHostProcessContainers` 特性，你可以使用 Pod 规约中安全上下文的
 `windowsOptions.hostProcess` 参数来创建
-[Windows HostProcess Pod](/zh/docs/tasks/configure-pod-container/create-hostprocess-pod/)。
+[Windows HostProcess Pod](/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod/)。
 这些 Pod 中的所有容器都必须以 Windows HostProcess 容器方式运行。
 HostProcess Pod 可以直接运行在主机上，它也能像 Linux 特权容器一样，用于执行管理任务。
 
@@ -564,7 +564,7 @@ but cannot be controlled from there.
 静态 Pod 通常绑定到某个节点上的 {{< glossary_tooltip text="kubelet" term_id="kubelet" >}}。
 其主要用途是运行自托管的控制面。
 在自托管场景中，使用 `kubelet` 来管理各个独立的
-[控制面组件](/zh/docs/concepts/overview/components/#control-plane-components)。
+[控制面组件](/zh-cn/docs/concepts/overview/components/#control-plane-components)。
 
 `kubelet` 自动尝试为每个静态 Pod 在 Kubernetes API 服务器上创建一个
 {{< glossary_tooltip text="镜像 Pod" term_id="mirror-pod" >}}。
@@ -601,7 +601,7 @@ _Probe_ 是由 kubelet 对容器执行的定期诊断。要执行诊断，kubele
 - `TCPSocketAction`（由 kubelet 直接检测）
 - `HTTPGetAction`（由 kubelet 直接检测）
 
-你可以参阅 Pod 的生命周期文档中的[探针](/zh/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)部分。
+你可以参阅 Pod 的生命周期文档中的[探针](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)部分。
 
 ## {{% heading "whatsnext" %}}
 
@@ -616,11 +616,11 @@ _Probe_ 是由 kubelet 对容器执行的定期诊断。要执行诊断，kubele
   object definition describes the object in detail.
 * [The Distributed System Toolkit: Patterns for Composite Containers](/blog/2015/06/the-distributed-system-toolkit-patterns/) explains common layouts for Pods with more than one container.
 -->
-* 了解 [Pod 生命周期](/zh/docs/concepts/workloads/pods/pod-lifecycle/)
-* 了解 [RuntimeClass](/zh/docs/concepts/containers/runtime-class/)，以及如何使用它
+* 了解 [Pod 生命周期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/)
+* 了解 [RuntimeClass](/zh-cn/docs/concepts/containers/runtime-class/)，以及如何使用它
   来配置不同的 Pod 使用不同的容器运行时配置
-* 了解 [Pod 拓扑分布约束](/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
-* 了解 [PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/)，以及你
+* 了解 [Pod 拓扑分布约束](/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
+* 了解 [PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/)，以及你
   如何可以利用它在出现干扰因素时管理应用的可用性。
 * Pod 在 Kubernetes REST API 中是一个顶层资源。
   {{< api-reference page="workload-resources/pod-v1" >}}
diff --git a/content/zh/docs/concepts/workloads/pods/disruptions.md b/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
similarity index 94%
rename from content/zh/docs/concepts/workloads/pods/disruptions.md
rename to content/zh-cn/docs/concepts/workloads/pods/disruptions.md
index 6ebb4928cac4a..24e7ac25dc418 100644
--- a/content/zh/docs/concepts/workloads/pods/disruptions.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
@@ -60,7 +60,7 @@ an application.  Examples are:
 - 云提供商或虚拟机管理程序中的故障导致的虚拟机消失
 - 内核错误
 - 节点由于集群网络隔离从集群中消失
-- 由于节点[资源不足](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/)导致 pod 被驱逐。
+- 由于节点[资源不足](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)导致 pod 被驱逐。
 
 <!--
 Except for the out-of-resources condition, all these conditions
@@ -98,7 +98,7 @@ Cluster Administrator actions include:
 -->
 集群管理员操作包括：
 
-- [排空（drain）节点](/zh/docs/tasks/administer-cluster/safely-drain-node/)进行修复或升级。
+- [排空（drain）节点](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)进行修复或升级。
 - 从集群中排空节点以缩小集群（了解[集群自动扩缩](https://github.com/kubernetes/autoscaler/#readme)）。
 - 从节点中移除一个 Pod，以允许其他 Pod 使用该节点。
 
@@ -145,13 +145,13 @@ and [stateful](/docs/tasks/run-application/run-replicated-stateful-application/)
   or across zones (if using a
   [multi-zone cluster](/docs/setup/multiple-zones).)
 -->
-- 确保 Pod 在请求中给出[所需资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)。
+- 确保 Pod 在请求中给出[所需资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)。
 - 如果需要更高的可用性，请复制应用程序。
-  （了解有关运行多副本的[无状态](/zh/docs/tasks/run-application/run-stateless-application-deployment/)
-  和[有状态](/zh/docs/tasks/run-application/run-replicated-stateful-application/)应用程序的信息。）
+  （了解有关运行多副本的[无状态](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)
+  和[有状态](/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/)应用程序的信息。）
 - 为了在运行复制应用程序时获得更高的可用性，请跨机架（使用
-  [反亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
-  或跨区域（如果使用[多区域集群](/zh/docs/setup/best-practices/multiple-zones/)）扩展应用程序。
+  [反亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  或跨区域（如果使用[多区域集群](/zh-cn/docs/setup/best-practices/multiple-zones/)）扩展应用程序。
 
 <!--
 The frequency of voluntary disruptions varies.  On a basic Kubernetes cluster, there are
@@ -170,7 +170,7 @@ in your pod spec can also cause voluntary (and involuntary) disruptions.
 实现可能导致碎片整理和紧缩节点的自愿干扰。集群
 管理员或托管提供商应该已经记录了各级别的自愿干扰（如果有的话）。
 有些配置选项，例如在 pod spec 中
-[使用 PriorityClasses](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+[使用 PriorityClasses](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 也会产生自愿（和非自愿）的干扰。
 
 <!--
@@ -213,7 +213,7 @@ instead of directly deleting pods or deployments.  Examples are the `kubectl dra
 and the Kubernetes-on-GCE cluster upgrade script (`cluster/gce/upgrade.sh`).
 -->
 集群管理员和托管提供商应该使用遵循 PodDisruptionBudgets 的接口
-（通过调用[Eviction API](/zh/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api)），
+（通过调用[Eviction API](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api)），
 而不是直接删除 Pod 或 Deployment。
 
 <!--
@@ -277,7 +277,7 @@ hornoring the
 `terminationGracePeriodSeconds` setting in its [PodSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core).
 -->
 当使用驱逐 API 驱逐 Pod 时，Pod 会被体面地
-[终止](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)，期间会
+[终止](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)，期间会
 参考 [PodSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
 中的 `terminationGracePeriodSeconds` 配置值。
 
@@ -315,7 +315,7 @@ Both pods go into the `terminating` state at the same time.
 This puts the cluster in this state:
 -->
 
-例如，假设集群管理员想要重启系统，升级内核版本来修复内核中的权限。
+例如，假设集群管理员想要重启系统，升级内核版本来修复内核中的缺陷。
 集群管理员首先使用 `kubectl drain` 命令尝试排空 `node-1` 节点。
 命令尝试驱逐 `pod-a` 和 `pod-x`。操作立即就成功了。
 两个 Pod 同时进入 `terminating` 状态。这时的集群处于下面的状态：
@@ -506,7 +506,7 @@ the nodes in your cluster, such as a node or system software upgrade, here are s
 * Learn about [updating a deployment](/docs/concepts/workloads/controllers/deployment/#updating-a-deployment)
   including steps to maintain its availability during the rollout.
 -->
-* 参考[配置 Pod 干扰预算](/zh/docs/tasks/run-application/configure-pdb/)中的方法来保护你的应用。
-* 进一步了解[排空节点](/zh/docs/tasks/administer-cluster/safely-drain-node/)的信息。
-* 了解[更新 Deployment](/zh/docs/concepts/workloads/controllers/deployment/#updating-a-deployment)
+* 参考[配置 Pod 干扰预算](/zh-cn/docs/tasks/run-application/configure-pdb/)中的方法来保护你的应用。
+* 进一步了解[排空节点](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)的信息。
+* 了解[更新 Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/#updating-a-deployment)
   的过程，包括如何在其进程中维持应用的可用性
diff --git a/content/zh/docs/concepts/workloads/pods/ephemeral-containers.md b/content/zh-cn/docs/concepts/workloads/pods/ephemeral-containers.md
similarity index 96%
rename from content/zh/docs/concepts/workloads/pods/ephemeral-containers.md
rename to content/zh-cn/docs/concepts/workloads/pods/ephemeral-containers.md
index 0535b4afe3366..a4649913043ad 100644
--- a/content/zh/docs/concepts/workloads/pods/ephemeral-containers.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/ephemeral-containers.md
@@ -124,11 +124,11 @@ sharing](/docs/tasks/configure-pod-container/share-process-namespace/) so
 you can view processes in other containers.
 -->
 使用临时容器时，启用
-[进程名字空间共享](/zh/docs/tasks/configure-pod-container/share-process-namespace/)
+[进程名字空间共享](/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/)
 很有帮助，可以查看其他容器中的进程。
 
 {{% heading "whatsnext" %}}
 <!--
 * Learn how to [debug pods using ephemeral containers](/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container).
 -->
-* 了解如何[使用临时调试容器来进行调试](/zh/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container)
+* 了解如何[使用临时调试容器来进行调试](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container)
diff --git a/content/zh/docs/concepts/workloads/pods/init-containers.md b/content/zh-cn/docs/concepts/workloads/pods/init-containers.md
similarity index 95%
rename from content/zh/docs/concepts/workloads/pods/init-containers.md
rename to content/zh-cn/docs/concepts/workloads/pods/init-containers.md
index 198111fe044db..18782f28cef39 100644
--- a/content/zh/docs/concepts/workloads/pods/init-containers.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/init-containers.md
@@ -145,8 +145,8 @@ have some advantages for start-up related code:
 * Init 容器能以不同于 Pod 内应用容器的文件系统视图运行。因此，Init 容器可以访问
   应用容器不能访问的 {{< glossary_tooltip text="Secret" term_id="secret" >}} 的权限。
 
-* 由于 Init 容器必须在应用容器启动之前运行完成，因此 Init 容器
-  提供了一种机制来阻塞或延迟应用容器的启动，直到满足了一组先决条件。
+* 由于 Init 容器必须在应用容器启动之前运行完成，因此 Init
+  容器提供了一种机制来阻塞或延迟应用容器的启动，直到满足了一组先决条件。
   一旦前置条件满足，Pod 内的所有的应用容器会并行启动。
 
 <!--
@@ -156,49 +156,42 @@ Here are some ideas for how to use init containers:
 
 * Wait for a {{< glossary_tooltip text="Service" term_id="service">}} to
   be created, using a shell one-line command like:
-  ```shell
-  for i in {1..100}; do sleep 1; if dig myservice; then exit 0; fi; done; exit 1
-  ```
-
- * Register this Pod with a remote server from the downward API with a command like:
-  ```shell
-  curl -X POST http://$MANAGEMENT_SERVICE_HOST:$MANAGEMENT_SERVICE_PORT/register -d 'instance=$(<POD_NAME>)&ip=$(<POD_IP>)'
-  ```
-* Wait for some time before starting the app container with a command like
-  ```shell
-  sleep 60
-  ```
-
-* Clone a Git repository into a {{< glossary_tooltip text="Volume" term_id="volume" >}}
-
-* Place values into a configuration file and run a template tool to dynamically
-  generate a configuration file for the main app container. For example,
-  place the `POD_IP` value in a configuration and generate the main app
-  configuration file using Jinja.
 -->
 ### 示例  {#examples}
 
 下面是一些如何使用 Init 容器的想法：
 
-* 等待一个 Service 完成创建，通过类似如下 shell 命令：
+* 等待一个 Service 完成创建，通过类似如下 Shell 命令：
 
   ```shell
   for i in {1..100}; do sleep 1; if dig myservice; then exit 0; fi; done; exit 1
   ```
 
+<!--
+* Register this Pod with a remote server from the downward API with a command like:
+-->
 * 注册这个 Pod 到远程服务器，通过在命令中调用 API，类似如下：
 
   ```shell
-  curl -X POST http://$MANAGEMENT_SERVICE_HOST:$MANAGEMENT_SERVICE_PORT/register \
-    -d 'instance=$(<POD_NAME>)&ip=$(<POD_IP>)'
+  curl -X POST http://$MANAGEMENT_SERVICE_HOST:$MANAGEMENT_SERVICE_PORT/register -d 'instance=$(<POD_NAME>)&ip=$(<POD_IP>)'
   ```
 
+<!--
+* Wait for some time before starting the app container with a command like
+-->
 * 在启动应用容器之前等一段时间，使用类似命令：
 
   ```shell
   sleep 60
   ```
+<!--
+* Clone a Git repository into a {{< glossary_tooltip text="Volume" term_id="volume" >}}
 
+* Place values into a configuration file and run a template tool to dynamically
+  generate a configuration file for the main app container. For example,
+  place the `POD_IP` value in a configuration and generate the main app
+  configuration file using Jinja.
+-->
 * 克隆 Git 仓库到{{< glossary_tooltip text="卷" term_id="volume" >}}中。
 
 * 将配置值放到配置文件中，运行模板工具为主应用容器动态地生成配置文件。
@@ -249,6 +242,7 @@ kubectl apply -f myapp.yaml
 The output is similar to this:
 -->
 输出类似于：
+
 ```
 pod/myapp-pod created
 ```
@@ -261,10 +255,12 @@ And check on its status with:
 ```shell
 kubectl get -f myapp.yaml
 ```
+
 <!--
 The output is similar to this:
 -->
 输出类似于：
+
 ```
 NAME        READY     STATUS     RESTARTS   AGE
 myapp-pod   0/1       Init:0/2   0          6m
@@ -278,10 +274,12 @@ or for more details:
 ```shell
 kubectl describe -f myapp.yaml
 ```
+
 <!--
 The output is similar to this:
 -->
 输出类似于：
+
 ```
 Name:          myapp-pod
 Namespace:     default
@@ -408,13 +406,26 @@ init containers. [What's next](#what-s-next) contains a link to a more detailed
 During Pod startup, the kubelet delays running init containers until the networking
 and storage are ready. Then the kubelet runs the Pod's init containers in the order
 they appear in the Pod's spec.
+-->
+## 具体行为 {#detailed-behavior}
+
+在 Pod 启动过程中，每个 Init 容器会在网络和数据卷初始化之后按顺序启动。
+kubelet 运行依据 Init 容器在 Pod 规约中的出现顺序依次运行之。
 
+<!--
 Each init container must exit successfully before
 the next container starts. If a container fails to start due to the runtime or
 exits with failure, it is retried according to the Pod `restartPolicy`. However,
 if the Pod `restartPolicy` is set to Always, the init containers use
 `restartPolicy` OnFailure.
+-->
+每个 Init 容器成功退出后才会启动下一个 Init 容器。
+如果某容器因为容器运行时的原因无法启动，或以错误状态退出，kubelet 会根据
+Pod 的 `restartPolicy` 策略进行重试。
+然而，如果 Pod 的 `restartPolicy` 设置为 "Always"，Init 容器失败时会使用
+`restartPolicy` 的 "OnFailure" 策略。
 
+<!--
 A Pod cannot be `Ready` until all init containers have succeeded. The ports on an
 init container are not aggregated under a Service. A Pod that is initializing
 is in the `Pending` state but should have a condition `Initialized` set to false.
@@ -422,17 +433,6 @@ is in the `Pending` state but should have a condition `Initialized` set to false
 If the Pod [restarts](#pod-restart-reasons), or is restarted, all init containers
 must execute again.
 -->
-## 具体行为 {#detailed-behavior}
-
-在 Pod 启动过程中，每个 Init 容器会在网络和数据卷初始化之后按顺序启动。
-kubelet 运行依据 Init 容器在 Pod 规约中的出现顺序依次运行之。
-
-每个 Init 容器成功退出后才会启动下一个 Init 容器。
-如果某容器因为容器运行时的原因无法启动，或以错误状态退出，kubelet 会根据
-Pod 的 `restartPolicy` 策略进行重试。
-然而，如果 Pod 的 `restartPolicy` 设置为 "Always"，Init 容器失败时会使用
-`restartPolicy` 的 "OnFailure" 策略。
-
 在所有的 Init 容器没有成功之前，Pod 将不会变成 `Ready` 状态。
 Init 容器的端口将不会在 Service 中进行聚集。正在初始化中的 Pod 处于 `Pending` 状态，
 但会将状况 `Initializing` 设置为 false。
@@ -446,11 +446,6 @@ Altering an init container image field is equivalent to restarting the Pod.
 Because init containers can be restarted, retried, or re-executed, init container
 code should be idempotent. In particular, code that writes to files on `EmptyDirs`
 should be prepared for the possibility that an output file already exists.
-
-Init containers have all of the fields of an app container. However, Kubernetes
-prohibits `readinessProbe` from being used because init containers cannot
-define readiness distinct from completion. This is enforced during validation.
-
 -->
 对 Init 容器规约的修改仅限于容器的 `image` 字段。
 更改 Init 容器的 `image` 字段，等同于重启该 Pod。
@@ -458,6 +453,11 @@ define readiness distinct from completion. This is enforced during validation.
 因为 Init 容器可能会被重启、重试或者重新执行，所以 Init 容器的代码应该是幂等的。
 特别地，基于 `emptyDirs` 写文件的代码，应该对输出文件可能已经存在做好准备。
 
+<!--
+Init containers have all of the fields of an app container. However, Kubernetes
+prohibits `readinessProbe` from being used because init containers cannot
+define readiness distinct from completion. This is enforced during validation.
+-->
 Init 容器具有应用容器的所有字段。然而 Kubernetes 禁止使用 `readinessProbe`，
 因为 Init 容器不能定义不同于完成态（Completion）的就绪态（Readiness）。
 Kubernetes 会在校验时强制执行此检查。
@@ -487,31 +487,36 @@ Init 容器一直重复失败。
 
 Given the ordering and execution for init containers, the following rules
 for resource usage apply:
+-->
+### 资源 {#resources}
+
+在给定的 Init 容器执行顺序下，资源使用适用于如下规则：
 
+<!--
 * The highest of any particular resource request or limit defined on all init
   containers is the *effective init request/limit*. If any resource has no
   resource limit specified this is considered as the highest limit.
 * The Pod's *effective request/limit* for a resource is the higher of:
   * the sum of all app containers request/limit for a resource
   * the effective init request/limit for a resource
+-->
+* 所有 Init 容器上定义的任何特定资源的 limit 或 request 的最大值，作为
+  Pod **有效初始 request/limit**。
+  如果任何资源没有指定资源限制，这被视为最高限制。
+* Pod 对资源的 **有效 limit/request** 是如下两者中的较大者：
+  * 所有应用容器对某个资源的 limit/request 之和
+  * 对某个资源的有效初始 limit/request
+
+<!--
 * Scheduling is done based on effective requests/limits, which means
   init containers can reserve resources for initialization that are not used
   during the life of the Pod.
 * The QoS (quality of service) tier of the Pod's *effective QoS tier* is the
   QoS tier for init containers and app containers alike.
 -->
-### 资源 {#resources}
-
-在给定的 Init 容器执行顺序下，资源使用适用于如下规则：
-
-* 所有 Init 容器上定义的任何特定资源的 limit 或 request 的最大值，作为 Pod *有效初始 request/limit*。
-  如果任何资源没有指定资源限制，这被视为最高限制。
-* Pod 对资源的 *有效 limit/request* 是如下两者的较大者：
-  * 所有应用容器对某个资源的 limit/request 之和
-  * 对某个资源的有效初始 limit/request
 * 基于有效 limit/request 完成调度，这意味着 Init 容器能够为初始化过程预留资源，
   这些资源在 Pod 生命周期过程中并没有被使用。
-* Pod 的 *有效 QoS 层* ，与 Init 容器和应用容器的一样。
+* Pod 的 **有效 QoS 层** ，与 Init 容器和应用容器的一样。
 
 <!--
 Quota and limits are applied based on the effective Pod request and limit.
@@ -525,17 +530,18 @@ Pod 级别的 cgroups 是基于有效 Pod 的请求和限制值，和调度器
 
 A Pod can restart, causing re-execution of init containers, for the following
 reasons:
+-->
+### Pod 重启的原因  {#pod-restart-reasons}
+
+Pod 重启会导致 Init 容器重新执行，主要有如下几个原因：
 
+<!--
 * The Pod infrastructure container is restarted. This is uncommon and would
   have to be done by someone with root access to nodes.
 * All containers in a Pod are terminated while `restartPolicy` is set to Always,
   forcing a restart, and the init container completion record has been lost due
   to garbage collection.
 -->
-### Pod 重启的原因  {#pod-restart-reasons}
-
-Pod 重启会导致 Init 容器重新执行，主要有如下几个原因：
-
 * Pod 的基础设施容器 (译者注：如 `pause` 容器) 被重启。这种情况不多见，
   必须由具备 root 权限访问节点的人员来完成。
 
@@ -549,8 +555,8 @@ applies for Kubernetes v1.20 and later. If you are using an earlier version of
 Kubernetes, consult the documentation for the version you are using.
 -->
 当 Init 容器的镜像发生改变或者 Init 容器的完成记录因为垃圾收集等原因被丢失时，
-Pod 不会被重启。这一行为适用于 Kubernetes v1.20 及更新版本。如果你在使用较早
-版本的 Kubernetes，可查阅你所使用的版本对应的文档。
+Pod 不会被重启。这一行为适用于 Kubernetes v1.20 及更新版本。
+如果你在使用较早版本的 Kubernetes，可查阅你所使用的版本对应的文档。
 
 ## {{% heading "whatsnext" %}}
 
@@ -558,5 +564,6 @@ Pod 不会被重启。这一行为适用于 Kubernetes v1.20 及更新版本。
 * Read about [creating a Pod that has an init container](/docs/tasks/configure-pod-container/configure-pod-initialization/#create-a-pod-that-has-an-init-container)
 * Learn how to [debug init containers](/docs/tasks/debug/debug-application/debug-init-containers/)
 -->
-* 阅读[创建包含 Init 容器的 Pod](/zh/docs/tasks/configure-pod-container/configure-pod-initialization/#create-a-pod-that-has-an-init-container)
-* 学习如何[调试 Init 容器](/zh/docs/tasks/debug/debug-application/debug-init-containers/)
+* 阅读[创建包含 Init 容器的 Pod](/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization/#create-a-pod-that-has-an-init-container)
+* 学习如何[调试 Init 容器](/zh-cn/docs/tasks/debug/debug-application/debug-init-containers/)
+
diff --git a/content/zh/docs/concepts/workloads/pods/pod-lifecycle.md b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
similarity index 96%
rename from content/zh/docs/concepts/workloads/pods/pod-lifecycle.md
rename to content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
index 345879957334b..4c120be05a3f8 100644
--- a/content/zh/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -45,7 +45,7 @@ or is [terminated](#pod-termination).
 Pod 对象的状态包含了一组 [Pod 状况（Conditions）](#pod-conditions)。
 如果应用需要的话，你也可以向其中注入[自定义的就绪性信息](#pod-readiness-gate)。
 
-Pod 在其生命周期中只会被[调度](/zh/docs/concepts/scheduling-eviction/)一次。
+Pod 在其生命周期中只会被[调度](/zh-cn/docs/concepts/scheduling-eviction/)一次。
 一旦 Pod 被调度（分派）到某个节点，Pod 会一直在该节点运行，直到 Pod 停止或者
 被[终止](#pod-termination)。
 
@@ -66,7 +66,7 @@ are [scheduled for deletion](#pod-garbage-collection) after a timeout period.
 
 和一个个独立的应用容器一样，Pod 也被认为是相对临时性（而不是长期存在）的实体。
 Pod 会被创建、赋予一个唯一的
-ID（[UID](/zh/docs/concepts/overview/working-with-objects/names/#uids)），
+ID（[UID](/zh-cn/docs/concepts/overview/working-with-objects/names/#uids)），
 并被调度到节点，并在终止（根据重启策略）或删除之前一直运行在该节点。
 
 如果一个{{< glossary_tooltip text="节点" term_id="node" >}}死掉了，调度到该节点
@@ -182,7 +182,7 @@ There are three possible container states: `Waiting`, `Running`, and `Terminated
 ## 容器状态  {#container-states}
 
 Kubernetes 会跟踪 Pod 中每个容器的状态，就像它跟踪 Pod 总体上的[阶段](#pod-phase)一样。
-你可以使用[容器生命周期回调](/zh/docs/concepts/containers/container-lifecycle-hooks/) 
+你可以使用[容器生命周期回调](/zh-cn/docs/concepts/containers/container-lifecycle-hooks/)
 来在容器生命周期中的特定时间点触发事件。
 
 一旦{{< glossary_tooltip text="调度器" term_id="kube-scheduler" >}}将 Pod
@@ -306,7 +306,7 @@ Pod 有一个 PodStatus 对象，其中包含一个
 -->
 * `PodScheduled`：Pod 已经被调度到某节点；
 * `ContainersReady`：Pod 中所有容器都已就绪；
-* `Initialized`：所有的 [Init 容器](/zh/docs/concepts/workloads/pods/init-containers/)
+* `Initialized`：所有的 [Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)
   都已成功完成；
 * `Ready`：Pod 可以为请求提供服务，并且应该被添加到对应服务的负载均衡池中。
 
@@ -382,8 +382,8 @@ status:
 <!--
 The Pod conditions you add must have names that meet the Kubernetes [label key format](/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set).
 -->
-你所添加的 Pod 状况名称必须满足 Kubernetes 
-[标签键名格式](/zh/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set)。
+你所添加的 Pod 状况名称必须满足 Kubernetes
+[标签键名格式](/zh-cn/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set)。
 
 <!--
 ### Status for Pod readiness {#pod-readiness-status}
@@ -401,7 +401,7 @@ write code that sets custom Pod conditions for Pod readiness.
 如果需要设置 Pod 的 `status.conditions`，应用或者
 {{< glossary_tooltip term_id="operator-pattern" text="Operators">}}
 需要使用 `PATCH` 操作。
-你可以使用 [Kubernetes 客户端库](/zh/docs/reference/using-api/client-libraries/)
+你可以使用 [Kubernetes 客户端库](/zh-cn/docs/reference/using-api/client-libraries/)
 之一来编写代码，针对 Pod 就绪态设置定制的 Pod 状况。
 
 <!--
@@ -434,7 +434,7 @@ a network request.
 -->
 ## 容器探针    {#container-probes}
 
-probe 是由 [kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/) 对容器执行的定期诊断。
+probe 是由 [kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) 对容器执行的定期诊断。
 要执行诊断，kubelet 既可以在容器内执行代码，也可以发出一个网络请求。
 
 <!--
@@ -484,7 +484,7 @@ Each probe must define exactly one of these four mechanisms:
   [gRPC健康检查](https://grpc.io/grpc/core/md_doc_health-checking.html)。
   如果响应的状态是 "SERVING"，则认为诊断成功。
   gRPC 探针是一个 alpha 特性，只有在你启用了
-  "GRPCContainerProbe" [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gate/)时才能使用。
+  "GRPCContainerProbe" [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)时才能使用。
 
 `httpGet`
 : 对容器的 IP 地址上指定端口和路径执行 HTTP `GET` 请求。如果响应的状态码大于等于 200
@@ -573,7 +573,7 @@ For more information about how to set up a liveness, readiness, or startup probe
 see [Configure Liveness, Readiness and Startup Probes](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).
 -->
 如欲了解如何设置存活态、就绪态和启动探针的进一步细节，可以参阅
-[配置存活态、就绪态和启动探针](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)。
+[配置存活态、就绪态和启动探针](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)。
 
 <!--
 #### When should you use a liveness probe?
@@ -591,11 +591,11 @@ with the Pod's `restartPolicy`.
 If you'd like your container to be killed and restarted if a probe fails, then
 specify a liveness probe, and specify a `restartPolicy` of Always or OnFailure.
 -->
-如果容器中的进程能够在遇到问题或不健康的情况下自行崩溃，则不一定需要存活态探针; 
-`kubelet` 将根据 Pod 的`restartPolicy` 自动执行修复操作。
+如果容器中的进程能够在遇到问题或不健康的情况下自行崩溃，则不一定需要存活态探针;
+`kubelet` 将根据 Pod 的 `restartPolicy` 自动执行修复操作。
 
 如果你希望容器在探测失败时被杀死并重新启动，那么请指定一个存活态探针，
-并指定`restartPolicy` 为 "`Always`" 或 "`OnFailure`"。
+并指定 `restartPolicy` 为 "`Always`" 或 "`OnFailure`"。
 
 <!--
 #### When should you use a readiness probe?
@@ -754,7 +754,7 @@ An example flow:
    如果你使用 `kubectl describe` 来查验你正在删除的 Pod，该 Pod 会显示为
    "Terminating" （正在终止）。
    在 Pod 运行所在的节点上：`kubelet` 一旦看到 Pod
-   被标记为正在终止（已经设置了体面终止限期），`kubelet` 即开始本地的 Pod 关闭过程。 
+   被标记为正在终止（已经设置了体面终止限期），`kubelet` 即开始本地的 Pod 关闭过程。
 
    <!--
    1. If one of the Pod's containers has defined a `preStop`
@@ -770,7 +770,7 @@ An example flow:
       order. If the order of shutdowns matters, consider using a `preStop` hook to synchronize.
    -->
    1. 如果 Pod 中的容器之一定义了 `preStop`
-      [回调](/zh/docs/concepts/containers/container-lifecycle-hooks)，
+      [回调](/zh-cn/docs/concepts/containers/container-lifecycle-hooks)，
       `kubelet` 开始在容器内运行该回调逻辑。如果超出体面终止限期时，`preStop` 回调逻辑
       仍在运行，`kubelet` 会请求给予该 Pod 的宽限期一次性增加 2 秒钟。
 
@@ -874,7 +874,7 @@ API 服务器直接删除 Pod 对象，这样新的与之同名的 Pod 即可以
 在节点侧，被设置为立即终止的 Pod 仍然会在被强行杀死之前获得一点点的宽限时间。
 
 如果你需要强制删除 StatefulSet 的 Pod，请参阅
-[从 StatefulSet 中删除 Pod](/zh/docs/tasks/run-application/force-delete-stateful-set-pod/)
+[从 StatefulSet 中删除 Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)
 的任务文档。
 
 <!--
@@ -915,9 +915,9 @@ This avoids a resource leak as Pods are created and terminated over time.
   the API reference documentation covering
   [`.status`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodStatus) for Pod.
 -->
-* 动手实践[为容器生命周期时间关联处理程序](/zh/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/)。
-* 动手实践[配置存活态、就绪态和启动探针](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)。
-* 进一步了解[容器生命周期回调](/zh/docs/concepts/containers/container-lifecycle-hooks/)。
+* 动手实践[为容器生命周期时间关联处理程序](/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/)。
+* 动手实践[配置存活态、就绪态和启动探针](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)。
+* 进一步了解[容器生命周期回调](/zh-cn/docs/concepts/containers/container-lifecycle-hooks/)。
 * 关于 API 中定义的有关 Pod 和容器状态的详细规范信息，
   可参阅 API 参考文档中 Pod 的 [`.status`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodStatus) 字段。
 
diff --git a/content/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints.md b/content/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
similarity index 82%
rename from content/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
rename to content/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
index ab91304c04e71..40ef623ad6b2a 100644
--- a/content/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints.md
@@ -10,19 +10,14 @@ content_type: concept
 weight: 40
 -->
 
-{{< feature-state for_k8s_version="v1.19" state="stable" >}}
-<!--
-leave this shortcode in place until the note about EvenPodsSpread is obsolete
--->
-
 <!-- overview -->
 
 <!--
 You can use _topology spread constraints_ to control how {{< glossary_tooltip text="Pods" term_id="Pod" >}} are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. This can help to achieve high availability as well as efficient resource utilization.
 -->
 你可以使用 _拓扑分布约束（Topology Spread Constraints）_ 来控制
-{{< glossary_tooltip text="Pods" term_id="Pod" >}} 在集群内故障域
-之间的分布，例如区域（Region）、可用区（Zone）、节点和其他用户自定义拓扑域。
+{{< glossary_tooltip text="Pod" term_id="Pod" >}} 在集群内故障域之间的分布，
+例如区域（Region）、可用区（Zone）、节点和其他用户自定义拓扑域。
 这样做有助于实现高可用并提升资源利用率。
 
 <!-- body -->
@@ -81,7 +76,7 @@ graph TB
 <!--
 Instead of manually applying labels, you can also reuse the [well-known labels](/docs/reference/labels-annotations-taints/) that are created and populated automatically on most clusters.
 -->
-你可以复用在大多数集群上自动创建和填充的[常用标签](/zh/docs/reference/labels-annotations-taints/)，
+你可以复用在大多数集群上自动创建和填充的[常用标签](/zh-cn/docs/reference/labels-annotations-taints/)，
 而不是手动添加标签。
 
 <!--
@@ -123,32 +118,76 @@ You can define one or multiple `topologySpreadConstraint` to instruct the kube-s
   - when `whenUnsatisfiable` equals to "DoNotSchedule", `maxSkew` is the maximum
     permitted difference between the number of matching pods in the target
     topology and the global minimum.
+    (the minimum number of pods that match the label selector in a topology domain.
+    For example, if you have 3 zones with 0, 2 and 3 matching pods respectively,
+    The global minimum is 0).
   - when `whenUnsatisfiable` equals to "ScheduleAnyway", scheduler gives higher
     precedence to topologies that would help reduce the skew.
+-->
+
+- **maxSkew** 描述 Pod 分布不均的程度。这是给定拓扑类型中任意两个拓扑域中匹配的
+  Pod 之间的最大允许差值。它必须大于零。取决于 `whenUnsatisfiable` 的取值，
+  其语义会有不同。
+  - 当 `whenUnsatisfiable` 等于 "DoNotSchedule" 时，`maxSkew` 是目标拓扑域中匹配的
+    Pod 数与全局最小值（一个拓扑域中与标签选择器匹配的 Pod 的最小数量。例如，如果你有
+    3 个区域，分别具有 0 个、2 个 和 3 个匹配的 Pod，则全局最小值为 0。）之间可存在的差异。
+  - 当 `whenUnsatisfiable` 等于 "ScheduleAnyway" 时，调度器会更为偏向能够降低偏差值的拓扑域。
+
+<!--
+- **minDomains** indicates a minimum number of eligible domains.
+  A domain is a particular instance of a topology. An eligible domain is a domain whose
+  nodes match the node selector.
+
+  - The value of `minDomains` must be greater than 0, when specified.
+  - When the number of eligible domains with match topology keys is less than `minDomains`,
+    Pod topology spread treats "global minimum" as 0, and then the calculation of `skew` is performed.
+    The "global minimum" is the minimum number of matching Pods in an eligible domain,
+    or zero if the number of eligible domains is less than `minDomains`.
+  - When the number of eligible domains with matching topology keys equals or is greater than 
+    `minDomains`, this value has no effect on scheduling.
+  - When `minDomains` is nil, the constraint behaves as if `minDomains` is 1.
+  - When `minDomains` is not nil, the value of `whenUnsatisfiable` must be "`DoNotSchedule`".
+-->
+- **minDomains** 表示符合条件的域的最小数量。域是拓扑的一个特定实例。
+  符合条件的域是其节点与节点选择器匹配的域。
+
+  - 指定的 `minDomains` 的值必须大于 0。
+  - 当符合条件的、拓扑键匹配的域的数量小于 `minDomains` 时，Pod 拓扑分布将“全局最小值”
+    （global minimum）设为 0，然后进行 `skew` 计算。“全局最小值”是一个符合条件的域中匹配
+    Pod 的最小数量，如果符合条件的域的数量小于 `minDomains`，则全局最小值为零。
+  - 当符合条件的拓扑键匹配域的个数等于或大于 `minDomains` 时，该值对调度没有影响。
+  - 当 `minDomains` 为 nil 时，约束的行为等于 `minDomains` 为 1。
+  - 当 `minDomains` 不为 nil 时，`whenUnsatisfiable` 的值必须为 "`DoNotSchedule`" 。
+
+  {{< note >}}
+  <!--
+  The `minDomains` field is an alpha field added in 1.24. You have to enable the
+  `MinDomainsInPodToplogySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+  in order to use it.
+  -->
+  `minDomains` 字段是在 1.24 版本中新增的 alpha 字段。你必须启用
+  `MinDomainsInPodToplogySpread` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)才能使用它。
+  {{< /note >}}
+
+<!--
 - **topologyKey** is the key of node labels. If two Nodes are labelled with this key and have identical values for that label, the scheduler treats both Nodes as being in the same topology. The scheduler tries to place a balanced number of Pods into each topology domain.
+
 - **whenUnsatisfiable** indicates how to deal with a Pod if it doesn't satisfy the spread constraint:
     - `DoNotSchedule` (default) tells the scheduler not to schedule it.
     - `ScheduleAnyway` tells the scheduler to still schedule it while prioritizing nodes that minimize the skew.
+
 - **labelSelector** is used to find matching Pods. Pods that match this label selector are counted to determine the number of Pods in their corresponding topology domain. See [Label Selectors](/docs/concepts/overview/working-with-objects/labels/#label-selectors) for more details.
 -->
-
-- **maxSkew** 描述 Pod 分布不均的程度。这是给定拓扑类型中任意两个拓扑域中
-  匹配的 pod 之间的最大允许差值。它必须大于零。取决于 `whenUnsatisfiable` 的
-  取值，其语义会有不同。
-  - 当 `whenUnsatisfiable` 等于 "DoNotSchedule" 时，`maxSkew` 是目标拓扑域
-    中匹配的 Pod 数与全局最小值之间可存在的差异。
-  - 当 `whenUnsatisfiable` 等于 "ScheduleAnyway" 时，调度器会更为偏向能够降低
-    偏差值的拓扑域。
 - **topologyKey** 是节点标签的键。如果两个节点使用此键标记并且具有相同的标签值，
-  则调度器会将这两个节点视为处于同一拓扑域中。调度器试图在每个拓扑域中放置数量
-  均衡的 Pod。
+  则调度器会将这两个节点视为处于同一拓扑域中。调度器试图在每个拓扑域中放置数量均衡的 Pod。
+
 - **whenUnsatisfiable** 指示如果 Pod 不满足分布约束时如何处理：
   - `DoNotSchedule`（默认）告诉调度器不要调度。
-  - `ScheduleAnyway` 告诉调度器仍然继续调度，只是根据如何能将偏差最小化来对
-    节点进行排序。
-- **labelSelector** 用于查找匹配的 pod。匹配此标签的 Pod 将被统计，以确定相应
-  拓扑域中 Pod 的数量。
-  有关详细信息，请参考[标签选择算符](/zh/docs/concepts/overview/working-with-objects/labels/#label-selectors)。
+  - `ScheduleAnyway` 告诉调度器仍然继续调度，只是根据如何能将偏差最小化来对节点进行排序。
+
+- **labelSelector** 用于查找匹配的 Pod。匹配此标签的 Pod 将被统计，
+  以确定相应拓扑域中 Pod 的数量。
+  有关详细信息，请参考[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)。
 
 <!--
 When a Pod defines more than one `topologySpreadConstraint`, those constraints are ANDed: The kube-scheduler looks for a node for the incoming Pod that satisfies all the constraints.
@@ -159,8 +198,8 @@ kube-scheduler 会为新的 Pod 寻找一个能够满足所有约束的节点。
 <!--
 You can read more about this field by running `kubectl explain Pod.spec.topologySpreadConstraints`.
 -->
-你可以执行 `kubectl explain Pod.spec.topologySpreadConstraints` 命令以
-了解关于 topologySpreadConstraints 的更多信息。
+你可以执行 `kubectl explain Pod.spec.topologySpreadConstraints`
+命令以了解关于 topologySpreadConstraints 的更多信息。
 
 <!--
 ### Example: One TopologySpreadConstraint
@@ -201,16 +240,15 @@ If we want an incoming Pod to be evenly spread with existing Pods across zones,
 `topologyKey: zone` implies the even distribution will only be applied to the nodes which have label pair "zone:&lt;any value&gt;" present. `whenUnsatisfiable: DoNotSchedule` tells the scheduler to let it stay pending if the incoming Pod can’t satisfy the constraint.
 -->
 `topologyKey: zone` 意味着均匀分布将只应用于存在标签键值对为
-"zone:&lt;any value&gt;" 的节点。
+"zone:&lt;任何值&gt;" 的节点。
 `whenUnsatisfiable: DoNotSchedule` 告诉调度器如果新的 Pod 不满足约束，
 则让它保持悬决状态。
 
 <!--
-If the scheduler placed this incoming Pod into "zoneA", the Pods distribution would become [3, 1],
-hence the actual skew is 2 (3 - 1) - which violates `maxSkew: 1`. In this example, the incoming Pod can only be placed onto "zoneB":
+If the scheduler placed this incoming Pod into "zoneA", the Pods distribution would become [3, 1], hence the actual skew is 2 (3 - 1) - which violates `maxSkew: 1`. In this example, the incoming Pod can only be placed onto "zoneB":
 -->
-如果调度器将新的 Pod 放入 "zoneA"，Pods 分布将变为 [3, 1]，因此实际的偏差
-为 2（3 - 1）。这违反了 `maxSkew: 1` 的约定。此示例中，新 Pod 只能放置在
+如果调度器将新的 Pod 放入 "zoneA"，Pods 分布将变为 [3, 1]，因此实际的偏差为
+2（3 - 1）。这违反了 `maxSkew: 1` 的约定。此示例中，新 Pod 只能放置在
 "zoneB" 上：
 
 {{<mermaid>}}
@@ -313,8 +351,8 @@ You can use 2 TopologySpreadConstraints to control the Pods spreading on both zo
 In this case, to match the first constraint, the incoming Pod can only be placed onto "zoneB"; while in terms of the second constraint, the incoming Pod can only be placed onto "node4". Then the results of 2 constraints are ANDed, so the only viable option is to place on "node4".
 -->
 在这种情况下，为了匹配第一个约束，新的 Pod 只能放置在 "zoneB" 中；而在第二个约束中，
-新的 Pod 只能放置在 "node4" 上。最后两个约束的结果加在一起，唯一可行的选择是放置
-在 "node4" 上。
+新的 Pod 只能放置在 "node4" 上。最后两个约束的结果加在一起，唯一可行的选择是放置在
+"node4" 上。
 
 <!--
 Multiple constraints can lead to conflicts. Suppose you have a 3-node cluster across 2 zones:
@@ -341,7 +379,7 @@ graph BT
 {{< /mermaid >}}
 
 <!--
-If you apply "two-constraints.yaml" to this cluster, you will notice "mypod" stays in `Pending` state. This is because: to satisfy the first constraint, "mypod" can only be put to "zoneB"; while in terms of the second constraint, "mypod" can only put to "node2". Then a joint result of "zoneB" and "node2" returns nothing.
+If you apply "two-constraints.yaml" to this cluster, you will notice "mypod" stays in `Pending` state. This is because: to satisfy the first constraint, "mypod" can only be put to "zoneB"; while in terms of the second constraint, "mypod" can only put onto "node2". Then a joint result of "zoneB" and "node2" returns nothing.
 -->
 如果对集群应用 "two-constraints.yaml"，会发现 "mypod" 处于 `Pending` 状态。
 这是因为：为了满足第一个约束，"mypod" 只能放在 "zoneB" 中，而第二个约束要求
@@ -406,7 +444,7 @@ class zoneC cluster;
 
 
 <!--
-and you know that "zoneC" must be excluded. In this case, you can compose the yaml as below, so that "mypod" will be placed onto "zoneB" instead of "zoneC". Similarly `spec.nodeSelector` is also respected.
+and you know that "zoneC" must be excluded. In this case, you can compose the yaml as below, so that "mypod" will be placed into "zoneB" instead of "zoneC". Similarly `spec.nodeSelector` is also respected.
 -->
 而且你知道 "zoneC" 必须被排除在外。在这种情况下，可以按如下方式编写 YAML，
 以便将 "mypod" 放置在 "zoneB" 上，而不是 "zoneC" 上。同样，`spec.nodeSelector`
@@ -437,7 +475,7 @@ There are some implicit conventions worth noting here:
 - The scheduler will bypass the nodes without `topologySpreadConstraints[*].topologyKey` present. This implies that:
 
   1. the Pods located on those nodes do not impact `maxSkew` calculation - in the above example, suppose "node1" does not have label "zone", then the 2 Pods will be disregarded, hence the incoming Pod will be scheduled into "zoneA".
-  2. the incoming Pod has no chances to be scheduled onto this kind of nodes - in the above example, suppose a "node5" carrying label `{zone-typo: zoneC}` joins the cluster, it will be bypassed due to the absence of label key "zone".
+  2. the incoming Pod has no chances to be scheduled onto such nodes - in the above example, suppose a "node5" carrying label `{zone-typo: zoneC}` joins the cluster, it will be bypassed due to the absence of label key "zone".
 -->
 - 只有与新的 Pod 具有相同命名空间的 Pod 才能作为匹配候选者。
 - 调度器会忽略没有 `topologySpreadConstraints[*].topologyKey` 的节点。这意味着：
@@ -452,8 +490,8 @@ There are some implicit conventions worth noting here:
 <!--
 - Be aware of what will happen if the incomingPod’s `topologySpreadConstraints[*].labelSelector` doesn’t match its own labels. In the above example, if we remove the incoming Pod’s labels, it can still be placed onto "zoneB" since the constraints are still satisfied. However, after the placement, the degree of imbalance of the cluster remains unchanged - it’s still zoneA having 2 Pods which hold label {foo:bar}, and zoneB having 1 Pod which holds label {foo:bar}. So if this is not what you expect, we recommend the workload’s `topologySpreadConstraints[*].labelSelector` to match its own labels.
 -->
-- 注意，如果新 Pod 的 `topologySpreadConstraints[*].labelSelector` 与自身的
-  标签不匹配，将会发生什么。
+- 注意，如果新 Pod 的 `topologySpreadConstraints[*].labelSelector`
+  与自身的标签不匹配，将会发生什么。
   在上面的例子中，如果移除新 Pod 上的标签，Pod 仍然可以调度到 "zoneB"，因为约束仍然满足。
   然而，在调度之后，集群的不平衡程度保持不变。zoneA 仍然有 2 个带有 {foo:bar} 标签的 Pod，
   zoneB 有 1 个带有 {foo:bar} 标签的 Pod。
@@ -471,8 +509,8 @@ topology spread constraints are applied to a Pod if, and only if:
 -->
 ### 集群级别的默认约束   {#cluster-level-default-constraints}
 
-为集群设置默认的拓扑分布约束也是可能的。默认拓扑分布约束在且仅在以下条件满足
-时才会应用到 Pod 上：
+为集群设置默认的拓扑分布约束也是可能的。
+默认拓扑分布约束在且仅在以下条件满足时才会被应用到 Pod 上：
 
 - Pod 没有在其 `.spec.topologySpreadConstraints` 设置任何约束；
 - Pod 隶属于某个服务、副本控制器、ReplicaSet 或 StatefulSet。
@@ -486,7 +524,7 @@ replication controllers, replica sets or stateful sets that the Pod belongs to.
 
 An example configuration might look like follows:
 -->
-你可以在 [调度方案（Scheduling Profile）](/zh/docs/reference/scheduling/config/#profiles)
+你可以在 [调度方案（Scheduling Profile）](/zh-cn/docs/reference/scheduling/config/#profiles)
 中将默认约束作为 `PodTopologySpread` 插件参数的一部分来设置。
 约束的设置采用[如前所述的 API](#api)，只是 `labelSelector` 必须为空。
 选择算符是根据 Pod 所属的服务、副本控制器、ReplicaSet 或 StatefulSet 来设置的。
@@ -511,16 +549,12 @@ profiles:
 
 {{< note >}}
 <!--
-The score produced by default scheduling constraints might conflict with the
-score produced by the
-[`SelectorSpread` plugin](/docs/reference/scheduling/config/#scheduling-plugins).
-It is recommended that you disable this plugin in the scheduling profile when
-using default constraints for `PodTopologySpread`.
+[`SelectorSpread` plugin](/docs/reference/scheduling/config/#scheduling-plugins)
+is disabled by default. It's recommended to use `PodTopologySpread` to achieve similar
+behavior.
 -->
-默认调度约束所生成的评分可能与
-[`SelectorSpread` 插件](/zh/docs/reference/scheduling/config/#scheduling-plugins)
-所生成的评分有冲突。
-建议你在为 `PodTopologySpread` 设置默认约束是禁用调度方案中的该插件。
+[`SelectorSpread` 插件](/zh-cn/docs/reference/scheduling/config/#scheduling-plugins)默认是被禁用的。
+建议使用 `PodTopologySpread` 来实现类似的行为。
 {{< /note >}}
 
 <!--
@@ -528,18 +562,14 @@ using default constraints for `PodTopologySpread`.
 -->
 #### 内部默认约束    {#internal-default-constraints}
 
-{{< feature-state for_k8s_version="v1.20" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!--
-With the `DefaultPodTopologySpread` feature gate, enabled by default, the
-legacy `SelectorSpread` plugin is disabled.
-kube-scheduler uses the following default topology constraints for the
-`PodTopologySpread` plugin configuration:
+If you don't configure any cluster-level default constraints for pod topology spreading,
+then kube-scheduler acts as if you specified the following default topology constraints:
 -->
-当你使用了默认启用的 `DefaultPodTopologySpread` 特性门控时，原来的
-`SelectorSpread` 插件会被禁用。
-kube-scheduler 会使用下面的默认拓扑约束作为 `PodTopologySpread` 插件的
-配置：
+如果你没有为 Pod 拓扑分布配置任何集群级别的默认约束，
+kube-scheduler 的行为就像你指定了以下默认拓扑约束一样：
 
 ```yaml
 defaultConstraints:
@@ -553,9 +583,9 @@ defaultConstraints:
 
 <!--
 Also, the legacy `SelectorSpread` plugin, which provides an equivalent behavior,
-is disabled.
+is disabled by default.
 -->
-此外，原来用于提供等同行为的 `SelectorSpread` 插件也会被禁用。
+此外，原来用于提供等同行为的 `SelectorSpread` 插件默认被禁用。
 
 {{< note >}}
 <!--
diff --git a/content/zh-cn/docs/contribute/_index.md b/content/zh-cn/docs/contribute/_index.md
new file mode 100644
index 0000000000000..b21312ff8b806
--- /dev/null
+++ b/content/zh-cn/docs/contribute/_index.md
@@ -0,0 +1,315 @@
+---
+content_type: concept
+title: 为 Kubernetes 文档出一份力
+linktitle: 贡献
+main_menu: true
+no_list: true
+weight: 80
+card:
+  name: contribute
+  weight: 10
+  title: 开始为 Kubernetes 做贡献
+---
+<!--
+---
+content_type: concept
+title: Contribute to Kubernetes docs
+linktitle: Contribute
+main_menu: true
+no_list: true
+weight: 80
+card:
+  name: contribute
+  weight: 10
+  title: Start contributing to K8s
+---
+-->
+
+<!-- overview -->
+
+<!--
+*Kubernetes welcomes improvements from all contributors, new and experienced!*
+-->
+*Kubernetes 欢迎来自所有贡献者的改进，无论你是新人和有经验的贡献者！*
+
+<!--
+{{< note >}}
+To learn more about contributing to Kubernetes in general, see the
+[contributor documentation](https://www.kubernetes.dev/docs/).
+
+You can also read the
+{{< glossary_tooltip text="CNCF" term_id="cncf" >}}
+[page](https://contribute.cncf.io/contributors/projects/#kubernetes)
+about contributing to Kubernetes.
+{{< /note >}}
+-->
+{{< note >}}
+要了解有关为 Kubernetes 做出贡献的更多信息，请参阅
+[贡献者文档](https://www.kubernetes.dev/docs/)。
+
+你还可以阅读
+{{< glossary_tooltip text="CNCF" term_id="cncf" >}}
+关于为 Kubernetes 做贡献的[页面](https://contribute.cncf.io/contributors/projects/#kubernetes)。
+
+<!--
+This website is maintained by [Kubernetes SIG Docs](/docs/contribute/#get-involved-with-sig-docs).
+
+Kubernetes documentation contributors:
+
+- Improve existing content
+- Create new content
+- Translate the documentation
+- Manage and publish the documentation parts of the Kubernetes release cycle
+-->
+本网站由 [Kubernetes SIG Docs](/zh-cn/docs/contribute/#get-involved-with-SIG-Docs)（文档特别兴趣小组）维护。
+
+Kubernetes 文档项目的贡献者：
+
+- 改进现有内容
+- 创建新内容
+- 翻译文档
+- 管理并发布 Kubernetes 周期性发行版的文档
+
+<!-- body -->
+
+<!-- 
+## Getting started
+
+Anyone can open an issue about documentation, or contribute a change with a
+pull request (PR) to the
+[`kubernetes/website` GitHub repository](https://github.com/kubernetes/website).
+You need to be comfortable with
+[git](https://git-scm.com/) and
+[GitHub](https://lab.github.com/)
+to work effectively in the Kubernetes community.
+-->
+## 入门 {#getting-started}
+
+任何人都可以提出文档方面的问题（issue），或贡献一个变更，用拉取请求（PR）的方式提交到
+[GitHub 上的 `kubernetes/website` 仓库](https://github.com/kubernetes/website)。
+当然你需要熟练使用 [git](https://git-scm.com/) 和 [GitHub](https://lab.github.com/) 才能在 Kubernetes 社区中有效工作。
+
+<!-- 
+To get involved with documentation:
+
+1. Sign the CNCF [Contributor License Agreement](https://github.com/kubernetes/community/blob/master/CLA.md).
+2. Familiarize yourself with the [documentation repository](https://github.com/kubernetes/website)
+   and the website's [static site generator](https://gohugo.io).
+3. Make sure you understand the basic processes for
+   [opening a pull request](/docs/contribute/new-content/open-a-pr/) and
+   [reviewing changes](/docs/contribute/review/reviewing-prs/).
+-->
+如何参与文档编制：
+
+1. 签署 CNCF 的[贡献者许可协议](https://github.com/kubernetes/community/blob/master/CLA.md)。
+2. 熟悉[文档仓库](https://github.com/kubernetes/website)和网站的[静态站点生成器](https://gohugo.io)。
+3. 确保理解[发起 PR](/zh-cn/docs/contribute/new-content/open-a-pr/) 和[审查变更](/zh-cn/docs/contribute/review/reviewing-prs/)的基本流程。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart TB
+subgraph third[发起 PR]
+direction TB
+U[ ] -.-
+Q[改进现有内容] --- N[创建新内容]
+N --- O[翻译文档]
+O --- P[管理并发布 K8s<br>周期性发行版的文档]
+
+end
+
+subgraph second[评审]
+direction TB
+   T[ ] -.-
+   D[仔细查看<br>K8s/website<br>仓库] --- E[下载安装 Hugo<br>静态站点<br>生成器]
+   E --- F[了解基本的<br>GitHub 命令]
+   F --- G[评审待处理的 PR<br>并遵从变更审查<br>流程]
+end
+
+subgraph first[注册]
+    direction TB
+    S[ ] -.-
+    B[签署 CNCF<br>贡献者<br>许可协议] --- C[加入 sig-docs<br>Slack 频道] 
+    C --- V[加入 kubernetes-sig-docs<br>邮件列表]
+    V --- M[参加每周的<br>sig-docs 电话会议<br>或 slack 会议]
+end
+
+A([fa:fa-user 新的<br>贡献者]) --> first
+A --> second
+A --> third
+A --> H[提出问题!!!]
+
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+classDef spacewhite fill:#ffffff,stroke:#fff,stroke-width:0px,color:#000
+class A,B,C,D,E,F,G,H,M,Q,N,O,P,V grey
+class S,T,U spacewhite
+class first,second,third white
+{{</ mermaid >}}
+
+<!-- 
+Figure 1. Getting started for a new contributor.
+
+Figure 1 outlines a roadmap for new contributors. You can follow some or all of the steps for `Sign up` and `Review`. Now you are ready to open PRs that achieve your contribution objectives with some listed under `Open PR`. Again, questions are always welcome!
+-->
+图 1. 新手入门指示。
+
+图 1 概述了新贡献者的路线图。
+你可以遵从“注册”和“评审”所述的某些或全部步骤。
+至此，你完成了发起 PR 的准备工作，
+可以通过“发起 PR” 列出的事项实现你的贡献目标。
+再次重申，欢迎随时提出问题！
+
+<!-- 
+Some tasks require more trust and more access in the Kubernetes organization.
+See [Participating in SIG Docs](/docs/contribute/participate/) for more details about
+roles and permissions.
+-->
+有些任务要求 Kubernetes 组织内更高的信任级别和访问权限。
+阅读[参与 SIG Docs 工作](/zh-cn/docs/contribute/participate/)，获取角色和权限的更多细节。
+
+<!-- 
+## Your first contribution
+
+You can prepare for your first contribution by reviewing several steps beforehand. Figure 2 outlines the steps and the details follow. 
+-->
+## 第一次贡献 {#your-first-contribution}
+
+你可以提前查阅几个步骤，来准备你的第一次贡献。
+图 2 概述了后续的步骤和细节。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart LR
+    subgraph second[第一次贡献]
+    direction TB
+    S[ ] -.-
+    G[查阅其他 K8s<br>成员发起的 PR] -->
+    A[检索 K8s/website<br>问题列表是否有<br>good first 一类的 PR] --> B[发起一个 PR!!]
+    end
+    subgraph first[建议的准备工作]
+    direction TB
+       T[ ] -.-
+       D[阅读贡献概述] -->E[阅读 K8s 内容<br>和风格指南]
+       E --> F[了解 Hugo 页面<br>内容类型<br>和短代码]
+    end
+    
+
+    first ----> second
+     
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+classDef spacewhite fill:#ffffff,stroke:#fff,stroke-width:0px,color:#000
+class A,B,D,E,F,G grey
+class S,T spacewhite
+class first,second white
+{{</ mermaid >}}
+
+<!-- 
+Figure 2. Preparation for your first contribution.
+-->
+图 2. 第一次贡献的准备工作。
+
+<!--
+- Read the [Contribution overview](/docs/contribute/new-content/overview/) to
+  learn about the different ways you can contribute.
+- Check [`kubernetes/website` issues list](https://github.com/kubernetes/website/issues/)
+  for issues that make good entry points.
+- [Open a pull request using GitHub](/docs/contribute/new-content/open-a-pr/#changes-using-github)
+  to existing documentation and learn more about filing issues in GitHub.
+- [Review pull requests](/docs/contribute/review/reviewing-prs/) from other
+  Kubernetes community members for accuracy and language.
+- Read the Kubernetes [content](/docs/contribute/style/content-guide/) and
+  [style guides](/docs/contribute/style/style-guide/) so you can leave informed comments.
+- Learn about [page content types](/docs/contribute/style/page-content-types/)
+  and [Hugo shortcodes](/docs/contribute/style/hugo-shortcodes/).
+-->
+- 通读[贡献概述](/zh-cn/docs/contribute/new-content/)，了解参与贡献的不同方式。
+- 查看 [`kubernetes/website` 问题列表](https://github.com/kubernetes/website/issues/)，
+  检索最适合作为切入点的问题。
+- 在现有文档上，[使用 GitHub 提交 PR](/zh-cn/docs/contribute/new-content/open-a-pr/#changes-using-github)，
+  掌握在 GitHub 上登记 Issue 的方法。
+- Kubernetes 社区其他成员会[评审 PR ](/zh-cn/docs/contribute/review/reviewing-prs/)，
+  以确保文档精准和语言流畅。
+- 阅读 kubernetes 的[内容指南](/zh-cn/docs/contribute/style/content-guide/)和
+  [风格指南](/zh-cn/docs/contribute/style/style-guide/)，以发表有见地的评论。
+- 了解[页面内容类型](/zh-cn/docs/contribute/style/page-content-types/)和 
+  [Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/)。
+
+<!--
+## Next steps
+
+- Learn to [work from a local clone](/docs/contribute/new-content/open-a-pr/#fork-the-repo)
+  of the repository.
+- Document [features in a release](/docs/contribute/new-content/new-features/).
+- Participate in [SIG Docs](/docs/contribute/participate/), and become a
+  [member or reviewer](/docs/contribute/participate/roles-and-responsibilities/).
+  
+- Start or help with a [localization](/docs/contribute/localization/).
+-->
+## 下一步 {#next-teps}
+
+- 学习在仓库的[本地克隆中工作](/zh-cn/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
+- 为[发行版的特性](/zh-cn/docs/contribute/new-content/new-features/)编写文档。
+- 加入 [SIG Docs](/zh-cn/docs/contribute/participate/)，并成为[成员或评审者](/zh-cn/docs/contribute/participate/roles-and-responsibilities/)。
+  
+- 开始或帮助[本地化](/zh-cn/docs/contribute/localization/) 工作。
+
+<!-- 
+## Get involved with SIG Docs
+
+[SIG Docs](/docs/contribute/participate/) is the group of contributors who
+publish and maintain Kubernetes documentation and the website. Getting
+involved with SIG Docs is a great way for Kubernetes contributors (feature
+development or otherwise) to have a large impact on the Kubernetes project.
+
+SIG Docs communicates with different methods:
+-->
+## 参与 SIG Docs 工作 {#get-involved-with-SIG-Docs}
+
+[SIG Docs](/zh-cn/docs/contribute/participate/) 是负责发布、维护 Kubernetes 文档的贡献者团体。
+参与 SIG Docs 是 Kubernetes 贡献者（开发者和其他人员）对 Kubernetes 项目产生重大影响力的好方式。
+
+SIG Docs 的几种沟通方式：
+<!--
+- [Join `#sig-docs` on the Kubernetes Slack instance](https://slack.k8s.io/). Make sure to
+  introduce yourself!
+- [Join the `kubernetes-sig-docs` mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-docs),
+  where broader discussions take place and official decisions are recorded.
+- Join the [SIG Docs video meeting](https://github.com/kubernetes/community/tree/master/sig-docs) held every two weeks. Meetings are always announced on `#sig-docs` and added to the [Kubernetes community meetings calendar](https://calendar.google.com/calendar/embed?src=cgnt364vd8s86hr2phapfjc6uk%40group.calendar.google.com&ctz=America/Los_Angeles). You'll need to download the [Zoom client](https://zoom.us/download) or dial in using a phone.
+- Join the SIG Docs async Slack standup meeting on those weeks when the in-person Zoom video meeting does not take place. Meetings are always announced on `#sig-docs`. You can contribute to any one of the threads up to 24 hours after meeting announcement. 
+-->
+- [加入 Kubernetes 在 Slack 上的`#sig-docs` 频道](https://slack.k8s.io/)。
+  一定记得自我介绍!
+- [加入 `kubernetes-sig-docs` 邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-docs),
+  这里有更广泛的讨论，和官方决策的记录。
+- 参加每两周召开一次的 [SIG Docs 视频会议](https://github.com/kubernetes/community/tree/master/sig-docs)。
+  会议总是在 `#sig-docs` 上发出公告，同时添加到
+  [Kubernetes 社区会议日历](https://calendar.google.com/calendar/embed?src=cgnt364vd8s86hr2phapfjc6uk%40group.calendar.google.com&ctz=America/Los_Angeles)。
+  你需要下载 [Zoom 客户端软件](https://zoom.us/download)，或电话拨号接入。
+- 如果有几周未召开实况 Zoom 视频会议，请参加 SIG Docs 异步 Slack 站会。
+  会议总是在 `#sig-docs` 上发出公告。
+  你可以在会议公告后 24 小时内为其中任一议题做贡献。
+
+<!--
+## Other ways to contribute
+
+- Visit the [Kubernetes community site](/community/). Participate on Twitter or Stack Overflow, learn about local Kubernetes meetups and events, and more.
+- Read the [contributor cheatsheet](https://www.kubernetes.dev/docs/contributor-cheatsheet/) to get involved with Kubernetes feature development.
+- Visit the contributor site to learn more about [Kubernetes Contributors](https://www.kubernetes.dev/) and [additional contributor resources](https://www.kubernetes.dev/resources/).
+- Submit a [blog post or case study](/docs/contribute/new-content/blogs-case-studies/).
+-->
+## 其他贡献方式 {#other-ways-to-contribute}
+
+- 访问 [Kubernetes 社区网站](/zh-cn/community/)。
+  参与 Twitter 或 Stack Overflow，了解当地的 Kubernetes 会议和活动等等。
+- 阅读[贡献者备忘单](https://github.com/kubernetes/community/tree/master/contributors/guide/contributor-cheatsheet)，
+  参与 Kubernetes 功能开发。
+- 访问贡献者网站，进一步了解有关 [Kubernetes 贡献者](https://www.kubernetes.dev/)
+  和[更多贡献者资源](https://www.kubernetes.dev/resources/)的信息。
+- 提交一篇[博客文章或案例研究](/zh-cn/docs/contribute/new-content/blogs-case-studies/)。
diff --git a/content/zh/docs/contribute/advanced.md b/content/zh-cn/docs/contribute/advanced.md
similarity index 78%
rename from content/zh/docs/contribute/advanced.md
rename to content/zh-cn/docs/contribute/advanced.md
index ccbbd6b3a0ade..7f49ce5bf8f63 100644
--- a/content/zh/docs/contribute/advanced.md
+++ b/content/zh-cn/docs/contribute/advanced.md
@@ -21,20 +21,21 @@ to learn about more ways to contribute. You need to use the Git command line
 client and other tools for some of these tasks.
 -->
 
-如果你已经了解如何[贡献新内容](/zh/docs/contribute/new-content/overview/)和
-[评阅他人工作](/zh/docs/contribute/review/reviewing-prs/)，并准备了解更多贡献的途径，
-请阅读此文。您需要使用 Git 命令行工具和其他工具做这些工作。
+如果你已经了解如何[贡献新内容](/zh-cn/docs/contribute/new-content/)和
+[评阅他人工作](/zh-cn/docs/contribute/review/reviewing-prs/)，并准备了解更多贡献的途径，
+请阅读此文。你需要使用 Git 命令行工具和其他工具做这些工作。
 
 <!-- body -->
 
 <!--
 ## Propose improvements
 
-SIG Docs [members](/docs/contribute/participate/roles-and-responsibilities/#members) can propose improvements.
+SIG Docs [members](/docs/contribute/participate/roles-and-responsibilities/#members)
+can propose improvements.
 -->
-## 提出改进建议
+## 提出改进建议   {#propose-improvements}
 
-SIG Docs 的 [成员](/zh/docs/contribute/participate/roles-and-responsibilities/#members) 可以提出改进建议。
+SIG Docs 的[成员](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#members) 可以提出改进建议。
 
 <!--
 After you've been contributing to the Kubernetes documentation for a while, you
@@ -50,8 +51,8 @@ changes. The quickest way to get answers to questions about how the documentatio
 currently works is to ask in the `#sig-docs` Slack channel on
 [kubernetes.slack.com](https://kubernetes.slack.com)
 -->
-在对 Kubernetes 文档贡献了一段时间后，你可能会对[样式指南](/zh/docs/contribute/style/style-guide/)、
-[内容指南](/zh/docs/contribute/style/content-guide/)、用于构建文档的工具链、网站样式、
+在对 Kubernetes 文档贡献了一段时间后，你可能会对[样式指南](/zh-cn/docs/contribute/style/style-guide/)、
+[内容指南](/zh-cn/docs/contribute/style/content-guide/)、用于构建文档的工具链、网站样式、
 评审和合并 PR 的流程或者文档的其他方面产生改进的想法。
 为了尽可能透明化，这些提议都需要在 SIG Docs 会议或
 [kubernetes-sig-docs 邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-docs)上讨论。
@@ -66,18 +67,19 @@ appropriate. For instance, an update to the style guide or the website's
 functionality might involve opening a pull request, while a change related to
 documentation testing might involve working with sig-testing.
 -->
-在进行了讨论并且 SIG 就期望的结果达成一致之后，你就能以最合理的方式处理改进建议了。例如，样式指南或网站功能的更新可能涉及 PR 的新增，而与文档测试相关的更改可能涉及 sig-testing。
+在进行了讨论并且 SIG 就期望的结果达成一致之后，你就能以最合理的方式处理改进建议了。
+例如，样式指南或网站功能的更新可能涉及 PR 的新增，而与文档测试相关的更改可能涉及 sig-testing。
 
 <!--
 ## Coordinate docs for a Kubernetes release
 
-SIG Docs [approvers](/docs/contribute/participating/#approvers) can coordinate
-docs for a Kubernetes release.
+SIG Docs [approvers](/docs/contribute/participate/roles-and-responsibilities/#approvers)
+can coordinate docs for a Kubernetes release.
 -->
-## 为 Kubernetes 版本发布协调文档工作
+## 为 Kubernetes 版本发布协调文档工作   {#coordinate-docs-for-a-kubernetes-release}
 
-SIG Docs 的[批准者（approvers）](/zh/docs/contribute/participating/#approvers) 可以为
-Kubernetes 版本发布协调文档工作。
+SIG Docs 的[批准者（approvers）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#approvers)
+可以为 Kubernetes 版本发布协调文档工作。
 
 <!--
 Each Kubernetes release is coordinated by a team of people participating in the
@@ -129,37 +131,37 @@ rotated among SIG Docs approvers.
 <!--
 ## Serve as a New Contributor Ambassador
 
-SIG Docs [approvers](/docs/contribute/participating/#approvers) can serve as
-New Contributor Ambassadors. 
+SIG Docs [approvers](/docs/contribute/participate/roles-and-responsibilities/#approvers)
+can serve as New Contributor Ambassadors.
 
-New Contributor Ambassadors work together to welcome new contributors to SIG-Docs, 
+New Contributor Ambassadors welcome new contributors to SIG-Docs,
 suggest PRs to new contributors, and mentor new contributors through their first
 few PR submissions.
 
 Responsibilities for New Contributor Ambassadors include:
 -->
 
-## 担任新的贡献者大使
+## 担任新的贡献者大使   {#serve-as-a-new-contributor-ambassador}
 
-SIG Docs [批准人（Approvers）](/zh/docs/contribute/participating/#approvers) 
+SIG Docs [批准人（Approvers）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#approvers)
 可以担任新的贡献者大使。
 
-新的贡献者大使共同努力欢迎 SIG-Docs 的新贡献者，对新贡献者的 PR 提出建议，
+新的贡献者大使欢迎 SIG-Docs 的新贡献者，对新贡献者的 PR 提出建议，
 以及在前几份 PR 提交中指导新贡献者。
 
 新的贡献者大使的职责包括：
 
 <!--
 - Being available on the [Kubernetes #sig-docs channel](https://kubernetes.slack.com) to answer questions from new contributors.
-- Working with PR wranglers to identify [good first issues](https://kubernetes.dev/docs/guide/help-wanted/#good-first-issue) for new contributors. 
-- Mentoring new contributors through their first few PRs to the docs repo. 
+- Working with PR wranglers to identify [good first issues](https://kubernetes.dev/docs/guide/help-wanted/#good-first-issue) for new contributors.
+- Mentoring new contributors through their first few PRs to the docs repo.
 - Helping new contributors create the more complex PRs they need to become Kubernetes members.
--[Sponsoring contributors](/docs/contribute/advanced/#sponsor-a-new-contributor) on their path to becoming Kubernetes members.
+- [Sponsoring contributors](/docs/contribute/advanced/#sponsor-a-new-contributor) on their path to becoming Kubernetes members.
 - Hosting a monthly meeting to help and mentor new contributors.
 -->
 - 监听 [Kubernetes #sig-docs 频道](https://kubernetes.slack.com) 上新贡献者的 Issue。
-- 与 PR 管理者合作为新参与者寻找[合适的第一个 issues](https://kubernetes.dev/docs/guide/help-wanted/#good-first-issue) 。 
-- 通过前几个 PR 指导新贡献者为文档存储库作贡献。 
+- 与 PR 管理者合作为新参与者寻找[合适的第一个 issues](https://kubernetes.dev/docs/guide/help-wanted/#good-first-issue)。
+- 通过前几个 PR 指导新贡献者为文档存储库作贡献。
 - 帮助新的贡献者创建成为 Kubernetes 成员所需的更复杂的 PR。
 - [为贡献者提供保荐](#sponsor-a-new-contributor)，使其成为 Kubernetes 成员。
 - 每月召开一次会议，帮助和指导新的贡献者。
@@ -172,22 +174,23 @@ Current New Contributor Ambassadors are announced at each SIG-Docs meeting and i
 <!--
 ## Sponsor a new contributor
 
-SIG Docs [reviewers](/docs/contribute/participating/#reviewers) can sponsor
-new contributors.
+SIG Docs [reviewers](/docs/contribute/participate/roles-and-responsibilities/#reviewers)
+can sponsor new contributors.
 -->
 ## 为新的贡献者提供保荐 {#sponsor-a-new-contributor}
 
-SIG Docs 的[评审人（Reviewers）](/zh/docs/contribute/participating/#reviewers) 可以为新的贡献者提供保荐。
+SIG Docs 的[评审人（Reviewers）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#reviewers)
+可以为新的贡献者提供保荐。
 
 <!--
 After a new contributor has successfully submitted 5 substantive pull requests
 to one or more Kubernetes repositories, they are eligible to apply for
-[membership](/docs/contribute/participating#members) in the Kubernetes
-organization. The contributor's membership needs to be backed by two sponsors
-who are already reviewers.
+[membership](/docs/contribute/participate/roles-and-responsibilities/#members)
+in the Kubernetes organization. The contributor's membership needs to be
+backed by two sponsors who are already reviewers.
 -->
 新的贡献者针对一个或多个 Kubernetes 项目仓库成功提交了 5 个实质性 PR 之后，
-就有资格申请 Kubernetes 组织的[成员身份](/zh/docs/contribute/participate/roles-and-responsibilities/#members)。
+就有资格申请 Kubernetes 组织的[成员身份](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#members)。
 贡献者的成员资格需要同时得到两位评审人的保荐。
 
 <!--
@@ -212,18 +215,23 @@ can serve a term as a co-chair of SIG Docs.
 
 ### Prerequisites
 -->
-## 担任 SIG 联合主席
+## 担任 SIG 联合主席   {#sponsor-a-new-contributor}
 
-SIG Docs [成员（Members）](/zh/docs/contribute/participate/roles-and-responsibilities/#members)
+SIG Docs [成员（Members）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#members)
 可以担任 SIG Docs 的联合主席。
 
-### 前提条件
+### 前提条件   {#prerequisites}
 
 <!--
 A Kubernetes member must meet the following requirements to be a co-chair:
 
 - Understand SIG Docs workflows and tooling: git, Hugo, localization, blog subproject
-- Understand how other Kubernetes SIGs and repositories affect the SIG Docs workflow, including: [teams in k/org](https://github.com/kubernetes/org/blob/master/config/kubernetes/sig-docs/teams.yaml), the [process in k/community](https://github.com/kubernetes/community/tree/master/sig-docs), plugins in [k/test-infra](https://github.com/kubernetes/test-infra/), and the role of [SIG Architecture](https://github.com/kubernetes/community/tree/master/sig-architecture).
+- Understand how other Kubernetes SIGs and repositories affect the SIG Docs
+  workflow, including:
+  [teams in k/org](https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-docs/teams.yaml), the
+  [process in k/community](https://github.com/kubernetes/community/tree/main/sig-docs),
+  plugins in [k/test-infra](https://github.com/kubernetes/test-infra/), and the role of
+  [SIG Architecture](https://github.com/kubernetes/community/tree/main/sig-architecture).
   In addition, understand how the [Kubernetes docs release process](/docs/contribute/advanced/#coordinate-docs-for-a-kubernetes-release) works.
 - Approved by the SIG Docs community either directly or via lazy consensus.
 - Commit at least 5 hours per week (and often more) to the role for a minimum of 6 months
@@ -232,11 +240,11 @@ Kubernetes 成员必须满足以下要求才能成为联合主席：
 
 - 理解 SIG Docs 工作流程和工具：git、Hugo、本地化、博客子项目
 - 理解其他 Kubernetes SIG 和仓库会如何影响 SIG Docs 工作流程，包括：
-  [k/org 中的团队](https://github.com/kubernetes/org/blob/master/config/kubernetes/sig-docs/teams.yaml)、
-  [k/community 中的流程](https://github.com/kubernetes/community/tree/master/sig-docs)、
+  [k/org 中的团队](https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-docs/teams.yaml)、
+  [k/community 中的流程](https://github.com/kubernetes/community/tree/main/sig-docs)、
   [k/test-infra](https://github.com/kubernetes/test-infra/) 中的插件、
-  [SIG Architecture](https://github.com/kubernetes/community/tree/master/sig-architecture) 中的角色。 
-  此外，了解 [Kubernetes 文档发布流程](/docs/contribute/advanced/#coordinate-docs-for-a-kubernetes-release) 的工作原理。
+  [SIG Architecture](https://github.com/kubernetes/community/tree/main/sig-architecture) 中的角色。
+  此外，了解 [Kubernetes 文档发布流程](/zh-cn/docs/contribute/advanced/#coordinate-docs-for-a-kubernetes-release)的工作原理。
 - 由 SIG Docs 社区直接或通过惰性共识批准。
 - 在至少 6 个月的时段内，确保每周至少投入 5 个小时（通常更多）
 
@@ -247,7 +255,7 @@ The role of co-chair is primarily one of service: co-chairs handle process and p
 
 Responsibilities include:
 -->
-### 职责范围
+### 职责范围   {#responsibilities}
 
 联合主席主要提供以下服务：
 联合主席负责处理流程和政策、时间安排和召开会议、安排 PR 管理员、以及一些其他人不想做的事情，目的是增长贡献者团队。
@@ -256,7 +264,7 @@ Responsibilities include:
 
 <!--
 - Keep SIG Docs focused on maximizing developer happiness through excellent documentation
-- Exemplify the [community code of conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and hold SIG members accountable to it
+- Exemplify the [community code of conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md) and hold SIG members accountable to it
 - Learn and set best practices for the SIG by updating contribution guidelines
 - Schedule and run SIG meetings: weekly status updates, quarterly retro/planning sessions, and others as needed
 - Schedule and run doc sprints at KubeCon events and other conferences
@@ -264,7 +272,7 @@ Responsibilities include:
 - Keep the SIG running smoothly
 -->
 - 保持 SIG Docs 专注于通过出色的文档最大限度地提高开发人员的满意度
-- 以身作则，践行[社区行为准则](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)，
+- 以身作则，践行[社区行为准则](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)，
   并要求 SIG 成员对自身行为负责
 - 通过更新贡献指南，为 SIG 学习并设置最佳实践
 - 安排和举行 SIG 会议：每周状态更新，每季度回顾/计划会议以及其他需要的会议
@@ -278,15 +286,15 @@ Responsibilities include:
 
 To schedule and run effective meetings, these guidelines show what to do, how to do it, and why.
 
-**Uphold the [community code of conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)**:
+**Uphold the [community code of conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)**:
 
 - Hold respectful, inclusive discussions with respectful, inclusive language.
 -->
-### 召开高效的会议
+### 召开高效的会议   {#running-effective-meetings}
 
 为了安排和召开高效的会议，这些指南说明了如何做、怎样做以及原因。
 
-**坚持[社区行为准则](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)**：
+**坚持[社区行为准则](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)**：
 
 - 相互尊重地、包容地进行讨论。
 
@@ -332,7 +340,7 @@ For weekly meetings, copypaste the previous week's notes into the "Past meetings
 
 **Honor folks' time**:
 
-- Begin and end meetings punctually
+Begin and end meetings on time.
 -->
 **根据需要来进行协调**：
 
@@ -341,19 +349,19 @@ For weekly meetings, copypaste the previous week's notes into the "Past meetings
 
 **尊重大家的时间**:
 
-- 准时开始和结束会议
+按时开始和结束会议
 
 <!--
 **Use Zoom effectively**:
 
-- Familiarize yourself with [Zoom guidelines for Kubernetes](https://github.com/kubernetes/community/blob/master/communication/zoom-guidelines.md)
+- Familiarize yourself with [Zoom guidelines for Kubernetes](https://github.com/kubernetes/community/blob/main/communication/zoom-guidelines.md)
 - Claim the host role when you log in by entering the host key
 
 <img src="/images/docs/contribute/claim-host.png" width="75%" alt="Claiming the host role in Zoom" />
 -->
 **有效利用 Zoom**：
 
-- 熟悉 [ Kubernetes Zoom 指南](https://github.com/kubernetes/community/blob/master/communication/zoom-guidelines.md)
+- 熟悉 [ Kubernetes Zoom 指南](https://github.com/kubernetes/community/blob/main/communication/zoom-guidelines.md)
 - 输入主持人密钥登录时声明主持人角色
 
 <img src="/images/docs/contribute/claim-host.png" width="75%" alt="声明 Zoom 角色" />
@@ -362,12 +370,12 @@ For weekly meetings, copypaste the previous week's notes into the "Past meetings
 ### Recording meetings on Zoom
 
 When you're ready to start the recording, click Record to Cloud.
-    
+
 When you're ready to stop recording, click Stop.
 
 The video uploads automatically to YouTube.
 -->
-### 录制 Zoom 会议
+### 录制 Zoom 会议   {#recording-meetings-on-zoom}
 
 准备开始录制时，请单击“录制到云”。
 
diff --git a/content/zh/docs/contribute/analytics.md b/content/zh-cn/docs/contribute/analytics.md
similarity index 100%
rename from content/zh/docs/contribute/analytics.md
rename to content/zh-cn/docs/contribute/analytics.md
diff --git a/content/zh/docs/contribute/generate-ref-docs/_index.md b/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
similarity index 85%
rename from content/zh/docs/contribute/generate-ref-docs/_index.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/_index.md
index fc73d84b29c84..87f08c5f6d75a 100644
--- a/content/zh/docs/contribute/generate-ref-docs/_index.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
@@ -22,5 +22,5 @@ To build the reference documentation, see the following guide:
 本节的主题是描述如何生成 Kubernetes 参考指南。
 要生成参考文档，请参考下面的指南：
 
-* [生成参考文档快速入门](/zh/docs/contribute/generate-ref-docs/quickstart/)
+* [生成参考文档快速入门](/zh-cn/docs/contribute/generate-ref-docs/quickstart/)
 
diff --git a/content/zh/docs/contribute/generate-ref-docs/contribute-upstream.md b/content/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream.md
similarity index 90%
rename from content/zh/docs/contribute/generate-ref-docs/contribute-upstream.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream.md
index 4bf2591aba900..cbbc13cb9b27b 100644
--- a/content/zh/docs/contribute/generate-ref-docs/contribute-upstream.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream.md
@@ -27,10 +27,10 @@ API or the `kube-*` components from the upstream code, see the following instruc
 - [Generating Reference Documentation for the Kubernetes API](/docs/contribute/generate-ref-docs/kubernetes-api/)
 - [Generating Reference Documentation for the Kubernetes Components and Tools](/docs/contribute/generate-ref-docs/kubernetes-components/)
 -->
-如果您仅想从上游代码重新生成 Kubernetes API 或 `kube-*` 组件的参考文档。请参考以下说明：
+如果你仅想从上游代码重新生成 Kubernetes API 或 `kube-*` 组件的参考文档。请参考以下说明：
 
-- [生成 Kubernetes API 的参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-api/)
-- [生成 Kubernetes 组件和工具的参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-components/)
+- [生成 Kubernetes API 的参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/)
+- [生成 Kubernetes 组件和工具的参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/)
 
 ## {{% heading "prerequisites" %}}
 
@@ -65,7 +65,7 @@ You need to have these tools installed:
   [Creating a Pull Request](https://help.github.com/articles/creating-a-pull-request/) and
   [GitHub Standard Fork & Pull Request Workflow](https://gist.github.com/Chaser324/ce0505fbed06b947d962).
 -->
-- 您需要知道如何创建对 GitHub 代码仓库的拉取请求（Pull Request）。
+- 你需要知道如何创建对 GitHub 代码仓库的拉取请求（Pull Request）。
   通常，这涉及创建代码仓库的派生副本。
   要获取更多的信息请参考[创建 PR](https://help.github.com/articles/creating-a-pull-request/) 和
   [GitHub 标准派生和 PR 工作流程](https://gist.github.com/Chaser324/ce0505fbed06b947d962)。
@@ -87,7 +87,7 @@ creating a patch to fix it in the upstream project.
 Kubernetes API 和 `kube-*` 组件（例如 `kube-apiserver`、`kube-controller-manager`）的参考文档
 是根据[上游 Kubernetes](https://github.com/kubernetes/kubernetes/) 中的源代码自动生成的。
 
-当您在生成的文档中看到错误时，您可能需要考虑创建一个 PR 用来在上游项目中对其进行修复。
+当你在生成的文档中看到错误时，你可能需要考虑创建一个 PR 用来在上游项目中对其进行修复。
 
 <!--
 ## Cloning the Kubernetes repository
@@ -96,7 +96,7 @@ If you don't already have the kubernetes/kubernetes repository, get it now:
 -->
 ## 克隆 Kubernetes 代码仓库
 
-如果您还没有 kubernetes/kubernetes 代码仓库，请参照下列命令获取：
+如果你还没有 kubernetes/kubernetes 代码仓库，请参照下列命令获取：
 
 ```shell
 mkdir $GOPATH/src
@@ -111,7 +111,7 @@ For example, if you followed the preceding step to get the repository, your
 base directory is `$GOPATH/src/github.com/kubernetes/kubernetes.`
 The remaining steps refer to your base directory as `<k8s-base>`.
 -->
-确定您的 [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes) 代码仓库克隆的根目录。
+确定你的 [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes) 代码仓库克隆的根目录。
 例如，如果按照前面的步骤获取代码仓库，则你的根目录为 `$GOPATH/src/github.com/kubernetes/kubernetes`。
 接下来其余步骤将你的根目录称为 `<k8s-base>`。
 
@@ -122,7 +122,7 @@ For example, if you followed the preceding step to get the repository, your
 base directory is `$GOPATH/src/github.com/kubernetes-sigs/reference-docs.`
 The remaining steps refer to your base directory as `<rdocs-base>`.
 -->
-确定您的 [kubernetes-sigs/reference-docs](https://github.com/kubernetes-sigs/reference-docs)
+确定你的 [kubernetes-sigs/reference-docs](https://github.com/kubernetes-sigs/reference-docs)
 代码仓库克隆的根目录。
 例如，如果按照前面的步骤获取代码仓库，则你的根目录为
 `$GOPATH/src/github.com/kubernetes-sigs/reference-docs`。
@@ -146,7 +146,7 @@ The documentation for the `kube-*` components is also generated from the upstrea
 source code. You must change the code related to the component
 you want to fix in order to fix the generated documentation.
 -->
-`kube-*` 组件的文档也是从上游源代码生成的。您必须更改与要修复的组件相关的代码，才能修复生成的文档。
+`kube-*` 组件的文档也是从上游源代码生成的。你必须更改与要修复的组件相关的代码，才能修复生成的文档。
 
 <!--
 ### Making changes to the upstream source code
@@ -168,7 +168,7 @@ and make sure it is up to date:
 -->
 以下在 Kubernetes 源代码中编辑注释的示例。
 
-在您本地的 kubernetes/kubernetes 代码仓库中，检出默认分支，并确保它是最新的：
+在你本地的 kubernetes/kubernetes 代码仓库中，检出默认分支，并确保它是最新的：
 
 ```shell
 cd <k8s-base>
@@ -200,7 +200,7 @@ git status
 The output shows that you are on the master branch, and that the `types.go`
 source file has been modified:
 -->
-输出显示您在 master 分支上，`types.go` 源文件已被修改：
+输出显示你在 master 分支上，`types.go` 源文件已被修改：
 
 ```shell
 On branch master
@@ -217,7 +217,7 @@ you will do a second commit. It is important to keep your changes separated into
 ### 提交已编辑的文件
 
 运行 `git add` 和 `git commit` 命令提交到目前为止所做的更改。
-在下一步中，您将进行第二次提交，将更改分成两个提交很重要。
+在下一步中，你将进行第二次提交，将更改分成两个提交很重要。
 
 <!--
 ### Generating the OpenAPI spec and related files
@@ -254,7 +254,7 @@ This is important, because `swagger.json` is the input to the second stage of
 the doc generation process.
 -->
 查看 `api/openapi-spec/swagger.json` 的内容，以确保拼写错误已经被修正。
-例如，您可以运行 `git diff -a api/openapi-spec/swagger.json` 命令。
+例如，你可以运行 `git diff -a api/openapi-spec/swagger.json` 命令。
 这很重要，因为 `swagger.json` 是文档生成过程中第二阶段的输入。
 
 <!--
@@ -262,9 +262,9 @@ Run `git add` and `git commit` to commit your changes. Now you have two commits:
 one that contains the edited `types.go` file, and one that contains the generated OpenAPI spec
 and related files. Keep these two commits separate. That is, do not squash your commits.
 -->
-运行 `git add` 和 `git commit` 命令来提交您的更改。现在您有两个提交（commits）：
+运行 `git add` 和 `git commit` 命令来提交你的更改。现在你有两个提交（commits）：
 一种包含编辑的 `types.go` 文件，另一种包含生成的 OpenAPI 规范和相关文件。
-将这两个提交分开独立。也就是说，不要 squash 您的提交。
+将这两个提交分开独立。也就是说，不要 squash 你的提交。
 
 <!--
 Submit your changes as a
@@ -274,9 +274,9 @@ master branch of the
 Monitor your pull request, and respond to reviewer comments as needed. Continue
 to monitor your pull request until it is merged.
 -->
-将您的更改作为 [PR](https://help.github.com/articles/creating-a-pull-request/) 
+将你的更改作为 [PR](https://help.github.com/articles/creating-a-pull-request/) 
 提交到 [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes) 代码仓库的 master 分支。
-关注您的 PR，并根据需要回复 reviewer 的评论。继续关注您的 PR，直到 PR 被合并为止。
+关注你的 PR，并根据需要回复 reviewer 的评论。继续关注你的 PR，直到 PR 被合并为止。
 
 <!--
 [PR 57758](https://github.com/kubernetes/kubernetes/pull/57758)
@@ -297,7 +297,7 @@ repository and in related repositories, such as
 -->
 {{< note >}}
 确定要更改的正确源文件可能很棘手。在前面的示例中，官方的源文件位于 `kubernetes/kubernetes`
-代码仓库的 `staging` 目录中。但是根据您的情况，`staging` 目录可能不是找到官方源文件的地方。
+代码仓库的 `staging` 目录中。但是根据你的情况，`staging` 目录可能不是找到官方源文件的地方。
 如果需要帮助，请阅读
 [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes/tree/master/staging)
 代码仓库和相关代码仓库
@@ -330,7 +330,7 @@ commit into the release-{{< skew prevMinorVersion >}} branch. The idea is to che
 that edited `types.go`, but not the commit that has the results of running the scripts. For instructions, see
 [Propose a Cherry Pick](https://git.k8s.io/community/contributors/devel/sig-release/cherry-picks.md).
 -->
-回想一下，您的 PR 有两个提交：一个用于编辑 `types.go`，一个用于由脚本生成的文件。
+回想一下，你的 PR 有两个提交：一个用于编辑 `types.go`，一个用于由脚本生成的文件。
 下一步是将你的第一次提交 cherrypick 到 release-{{< skew prevMinorVersion >}} 分支。
 这样做的原因是仅 cherrypick 编辑了 types.go 的提交，
 而不是具有脚本运行结果的提交。
@@ -366,7 +366,7 @@ Now add a commit to your cherry-pick pull request that has the recently generate
 and related files. Monitor your pull request until it gets merged into the
 release-{{< skew prevMinorVersion >}} branch.
 -->
-现在将提交添加到您的 Cherry-Pick PR 中，该 PR 中包含最新生成的 OpenAPI 规范和相关文件。
+现在将提交添加到你的 Cherry-Pick PR 中，该 PR 中包含最新生成的 OpenAPI 规范和相关文件。
 关注你的 PR，直到其合并到 release-{{< skew prevMinorVersion >}} 分支中为止。
 
 <!--
@@ -405,8 +405,8 @@ the API reference documentation.
 You are now ready to follow the [Generating Reference Documentation for the Kubernetes API](/docs/contribute/generate-ref-docs/kubernetes-api/) guide to generate the
 [published Kubernetes API reference documentation](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/).
 -->
-现在，您可以按照
-[生成 Kubernetes API 的参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-api/)
+现在，你可以按照
+[生成 Kubernetes API 的参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/)
 指南来生成
 [已发布的 Kubernetes API 参考文档](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)。
 
@@ -417,7 +417,7 @@ You are now ready to follow the [Generating Reference Documentation for the Kube
 * [Generating Reference Docs for Kubernetes Components and Tools](/docs/home/contribute/generated-reference/kubernetes-components/)
 * [Generating Reference Documentation for kubectl Commands](/docs/home/contribute/generated-reference/kubectl/)
 -->
-* [生成 Kubernetes API 的参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-api/)
-* [为 Kubernetes 组件和工具生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-components/)
-* [生成 kubectl 命令的参考文档](/zh/docs/contribute/generate-ref-docs/kubectl/)
+* [生成 Kubernetes API 的参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/)
+* [为 Kubernetes 组件和工具生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/)
+* [生成 kubectl 命令的参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubectl/)
 
diff --git a/content/zh/docs/contribute/generate-ref-docs/kubectl.md b/content/zh-cn/docs/contribute/generate-ref-docs/kubectl.md
similarity index 96%
rename from content/zh/docs/contribute/generate-ref-docs/kubectl.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/kubectl.md
index cf376a312f7ed..957ca8b347ebd 100644
--- a/content/zh/docs/contribute/generate-ref-docs/kubectl.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/kubectl.md
@@ -36,7 +36,7 @@ reference page, see
 生成参考文档，如 [kubectl apply](/docs/reference/generated/kubectl/kubectl-commands#apply) 和
 [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint)。
 本主题没有讨论如何生成 [kubectl](/docs/reference/generated/kubectl/kubectl-commands/) 组件选项的参考页面。
-相关说明请参见[为 Kubernetes 组件和工具生成参考页面](/zh/docs/contribute/generate-ref-docs/kubernetes-components/)。
+相关说明请参见[为 Kubernetes 组件和工具生成参考页面](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/)。
 {{< /note >}}
 
 ## {{% heading "prerequisites" %}}
@@ -72,7 +72,7 @@ go get -u kubernetes-incubator/reference-docs
 <!-- 
 If you don't already have the kubernetes/website repository, get it now: 
 -->
-如果您还没有获取过 `kubernetes/website` 仓库，现在获取之：
+如果你还没有获取过 `kubernetes/website` 仓库，现在获取之：
 
 ```shell
 git clone https://github.com/<your-username>/website $GOPATH/src/github.com/<your-username>/website
@@ -242,7 +242,7 @@ For example, update the following variables:
 * 设置 `K8S_ROOT` 为 `<k8s-base>`。
 * 设置 `K8S_WEBROOT` 为 `<web-base>`。
 * 设置 `K8S_RELEASE` 为要构建文档的版本。
-  例如，如果您想为 Kubernetes {{< skew prevMinorVersion >}} 构建文档，
+  例如，如果你想为 Kubernetes {{< skew prevMinorVersion >}} 构建文档，
   请将 `K8S_RELEASE` 设置为 {{< skew prevMinorVersion >}}。
 
 例如：
@@ -416,7 +416,7 @@ topics will be visible in the
 对 `kubernetes/website` 仓库创建 PR。跟踪你的 PR，并根据需要回应评审人的评论。
 继续跟踪你的 PR，直到它被合入。
 
-在 PR 合入的几分钟后，你更新的参考主题将出现在[已发布文档](/zh/docs/home/)中。
+在 PR 合入的几分钟后，你更新的参考主题将出现在[已发布文档](/zh-cn/docs/home/)中。
 
 ## {{% heading "whatsnext" %}}
 
@@ -425,7 +425,7 @@ topics will be visible in the
 * [Generating Reference Documentation for Kubernetes Components and Tools](/docs/contribute/generate-ref-docs/kubernetes-components/)
 * [Generating Reference Documentation for the Kubernetes API](/docs/contribute/generate-ref-docs/kubernetes-api/)
 -->
-* [生成参考文档快速入门](/zh/docs/contribute/generate-ref-docs/quickstart/)
-* [为 Kubernetes 组件和工具生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-components/)
-* [为 Kubernetes API 生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-api/)
+* [生成参考文档快速入门](/zh-cn/docs/contribute/generate-ref-docs/quickstart/)
+* [为 Kubernetes 组件和工具生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/)
+* [为 Kubernetes API 生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/)
 
diff --git a/content/zh/docs/contribute/generate-ref-docs/kubernetes-api.md b/content/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api.md
similarity index 93%
rename from content/zh/docs/contribute/generate-ref-docs/kubernetes-api.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api.md
index 5563e174a0e2f..74fc1fe897a51 100644
--- a/content/zh/docs/contribute/generate-ref-docs/kubernetes-api.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api.md
@@ -31,9 +31,9 @@ Kubernetes API 参考文档是从
 构建的，
 且使用[kubernetes-sigs/reference-docs](https://github.com/kubernetes-sigs/reference-docs) 生成代码。
 
-如果您在生成的文档中发现错误，则需要[在上游修复](/zh/docs/contribute/generate-ref-docs/contribute-upstream/)。
+如果你在生成的文档中发现错误，则需要[在上游修复](/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream/)。
 
-如果您只需要从 [OpenAPI](https://github.com/OAI/OpenAPI-Specification) 规范中重新生成参考文档，请继续阅读此页。
+如果你只需要从 [OpenAPI](https://github.com/OAI/OpenAPI-Specification) 规范中重新生成参考文档，请继续阅读此页。
 
 ## {{% heading "prerequisites" %}}
 
@@ -135,7 +135,7 @@ Go to `<rdocs-base>`, and open the `Makefile` for editing:
 * 设置 `K8S_ROOT` 为 `<k8s-base>`.
 * 设置 `K8S_WEBROOT` 为 `<web-base>`.
 * 设置 `K8S_RELEASE` 为要构建的文档的版本。
-  例如，如果您想为 Kubernetes 1.17.0 构建文档，请将 `K8S_RELEASE` 设置为 1.17.0。
+  例如，如果你想为 Kubernetes 1.17.0 构建文档，请将 `K8S_RELEASE` 设置为 1.17.0。
 
 <!-- 
 For example: 
@@ -305,9 +305,9 @@ Submit your changes as a
 Monitor your pull request, and respond to reviewer comments as needed. Continue
 to monitor your pull request until it has been merged.
 -->
-基于你所生成的更改[创建 PR](/zh/docs/contribute/new-content/open-a-pr/)，
+基于你所生成的更改[创建 PR](/zh-cn/docs/contribute/new-content/open-a-pr/)，
 提交到 [kubernetes/website](https://github.com/kubernetes/website) 仓库。
-监视您提交的 PR，并根据需要回复 reviewer 的评论。继续监视您的 PR，直到合并为止。
+监视你提交的 PR，并根据需要回复 reviewer 的评论。继续监视你的 PR，直到合并为止。
 
 ## {{% heading "whatsnext" %}}
 
@@ -316,7 +316,7 @@ to monitor your pull request until it has been merged.
 * [Generating Reference Docs for Kubernetes Components and Tools](/docs/contribute/generate-ref-docs/kubernetes-components/)
 * [Generating Reference Documentation for kubectl Commands](/docs/contribute/generate-ref-docs/kubectl/)
 -->
-* [生成参考文档快速入门](/zh/docs/contribute/generate-ref-docs/quickstart/)
-* [为 Kubernetes 组件和工具生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-components/)
-* [为 kubectl 命令集生成参考文档](/zh/docs/contribute/generate-ref-docs/kubectl/)
+* [生成参考文档快速入门](/zh-cn/docs/contribute/generate-ref-docs/quickstart/)
+* [为 Kubernetes 组件和工具生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/)
+* [为 kubectl 命令集生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubectl/)
 
diff --git a/content/zh/docs/contribute/generate-ref-docs/kubernetes-components.md b/content/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components.md
similarity index 67%
rename from content/zh/docs/contribute/generate-ref-docs/kubernetes-components.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components.md
index 0ca9d48df6fce..a89e8d655eee8 100644
--- a/content/zh/docs/contribute/generate-ref-docs/kubernetes-components.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components.md
@@ -23,7 +23,7 @@ This page shows how to build the Kubernetes component and tool reference pages.
 Start with the [Prerequisites section](/docs/contribute/generate-ref-docs/quickstart/#before-you-begin)
 in the Reference Documentation Quickstart guide.
 -->
-阅读参考文档快速入门指南中的[准备工作](/zh/docs/contribute/generate-ref-docs/quickstart/#before-you-begin)节。
+阅读参考文档快速入门指南中的[准备工作](/zh-cn/docs/contribute/generate-ref-docs/quickstart/#before-you-begin)节。
 
 <!-- steps -->
 
@@ -31,7 +31,7 @@ in the Reference Documentation Quickstart guide.
 Follow the [Reference Documentation Quickstart](/docs/contribute/generate-ref-docs/quickstart/)
 to generate the Kubernetes component and tool reference pages.
 -->
-按照[参考文档快速入门](/zh/docs/contribute/generate-ref-docs/quickstart/)
+按照[参考文档快速入门](/zh-cn/docs/contribute/generate-ref-docs/quickstart/)
 指引，生成 Kubernetes 组件和工具的参考文档。
 
 ## {{% heading "whatsnext" %}}
@@ -43,8 +43,8 @@ to generate the Kubernetes component and tool reference pages.
 * [Contributing to the Upstream Kubernetes Project for Documentation](/docs/contribute/generate-ref-docs/contribute-upstream/)
 -->
 
-* [生成参考文档快速入门](/zh/docs/contribute/generate-ref-docs/quickstart/) 
-* [为 kubectll 命令生成参考文档](/zh/docs/contribute/generate-ref-docs/kubectl/)
-* [为 Kubernetes API 生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-api/)
-* [为上游 Kubernetes 项目做贡献以改进文档](/zh/docs/contribute/generate-ref-docs/contribute-upstream/)
+* [生成参考文档快速入门](/zh-cn/docs/contribute/generate-ref-docs/quickstart/) 
+* [为 kubectll 命令生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubectl/)
+* [为 Kubernetes API 生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/)
+* [为上游 Kubernetes 项目做贡献以改进文档](/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream/)
 
diff --git a/content/zh/docs/contribute/generate-ref-docs/prerequisites-ref-docs.md b/content/zh-cn/docs/contribute/generate-ref-docs/prerequisites-ref-docs.md
similarity index 96%
rename from content/zh/docs/contribute/generate-ref-docs/prerequisites-ref-docs.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/prerequisites-ref-docs.md
index 5d5cde99f8155..7954f939c003e 100644
--- a/content/zh/docs/contribute/generate-ref-docs/prerequisites-ref-docs.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/prerequisites-ref-docs.md
@@ -41,5 +41,5 @@
 
 - 你需要知道如何为一个 GitHub 仓库创建拉取请求（PR）。
   这牵涉到创建仓库的派生（fork）副本。
-  有关信息可进一步查看[基于本地副本开展工作](/zh/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
+  有关信息可进一步查看[基于本地副本开展工作](/zh-cn/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
 
diff --git a/content/zh/docs/contribute/generate-ref-docs/quickstart.md b/content/zh-cn/docs/contribute/generate-ref-docs/quickstart.md
similarity index 96%
rename from content/zh/docs/contribute/generate-ref-docs/quickstart.md
rename to content/zh-cn/docs/contribute/generate-ref-docs/quickstart.md
index 521b834153e17..7c4336aae50d3 100644
--- a/content/zh/docs/contribute/generate-ref-docs/quickstart.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/quickstart.md
@@ -57,7 +57,7 @@ see the [contributing upstream guide](/docs/contribute/generate-ref-docs/contrib
 
 {{< note>}}
 如果你希望更改构建工具和 API 参考资料，可以阅读
-[上游贡献指南](/zh/docs/contribute/generate-ref-docs/contribute-upstream).
+[上游贡献指南](/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream).
 {{< /note >}}
 
 <!--
@@ -185,7 +185,7 @@ Single page Markdown documents, imported by the tool, must adhere to
 the [Documentation Style Guide](/docs/contribute/style/style-guide/).
 -->
 通过工具导入的单页面的 Markdown 文档必须遵从
-[文档样式指南](/zh/docs/contribute/style/style-guide/)。
+[文档样式指南](/zh-cn/docs/contribute/style/style-guide/)。
 
 <!--
 ## Customizing reference.yml
@@ -385,7 +385,7 @@ topics will be visible in the
 继续监视该 PR 直到其被合并为止。
 
 当你的 PR 被合并几分钟之后，你所做的对参考文档的变更就会出现
-[发布的文档](/zh/docs/home/)上。
+[发布的文档](/zh-cn/docs/home/)上。
 
 ## {{% heading "whatsnext" %}}
 
@@ -399,7 +399,7 @@ running the build targets, see the following guides:
 -->
 要手动设置所需的构造仓库，执行构建目标，以生成各个参考文档，可参考下面的指南：
 
-* [为 Kubernetes 组件和工具生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-components/)
-* [为 kubectl 命令生成参考文档](/zh/docs/contribute/generate-ref-docs/kubectl/)
-* [为 Kubernetes API 生成参考文档](/zh/docs/contribute/generate-ref-docs/kubernetes-api/)
+* [为 Kubernetes 组件和工具生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/)
+* [为 kubectl 命令生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubectl/)
+* [为 Kubernetes API 生成参考文档](/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/)
 
diff --git a/content/zh/docs/contribute/localization.md b/content/zh-cn/docs/contribute/localization.md
similarity index 88%
rename from content/zh/docs/contribute/localization.md
rename to content/zh-cn/docs/contribute/localization.md
index 5c70568251946..9c21b55e2aa42 100644
--- a/content/zh/docs/contribute/localization.md
+++ b/content/zh-cn/docs/contribute/localization.md
@@ -7,7 +7,7 @@ card:
   weight: 50
   title: 翻译文档
 ---
-<!-- 
+<!--
 title: Localizing Kubernetes Documentation
 content_type: concept
 approvers:
@@ -23,20 +23,20 @@ card:
 
 <!-- overview -->
 
-<!-- 
-This page shows you how to [localize](https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/) the docs for a different language. 
+<!--
+This page shows you how to [localize](https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/) the docs for a different language.
 -->
 此页面描述如何为其他语言的文档提供
 [本地化](https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/)版本。
 
 <!-- body -->
 
-<!-- 
+<!--
 ## Contribute to an existing localization
 
-You can help add or improve content to an existing localization. In [Kubernetes Slack](https://slack.k8s.io/) you'll find a channel for each localization. There is also a general [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations) where you can say hello. 
+You can help add or improve content to an existing localization. In [Kubernetes Slack](https://slack.k8s.io/) you'll find a channel for each localization. There is also a general [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations) where you can say hello.
 -->
-## 为现有的本地化做出贡献
+## 为现有的本地化做出贡献 {#contribute-to-an-existing-localization}
 
 你可以帮助添加或改进现有本地化的内容。在 [Kubernetes Slack](https://slack.k8s.io/) 中，
 你能找到每个本地化的频道。还有一个通用的
@@ -44,7 +44,7 @@ You can help add or improve content to an existing localization. In [Kubernetes
 你可以在这里打个招呼。
 
 {{< note >}}
-<!-- 
+<!--
 If you want to work on a localization that already exists, check
 this page in that localization (if it exists), rather than the
 English original. You might see extra details there.
@@ -53,18 +53,18 @@ English original. You might see extra details there.
 你可能会在那里看到额外的详细信息。
 {{< /note >}}
 
-<!-- 
+<!--
 ### Find your two-letter language code
 
 First, consult the [ISO 639-1 standard](https://www.loc.gov/standards/iso639-2/php/code_list.php) to find your localization's two-letter language code. For example, the two-letter code for Korean is `ko`.
 
 ### Fork and clone the repo
 
-First, [create your own fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the [kubernetes/website](https://github.com/kubernetes/website) repository. 
+First, [create your own fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the [kubernetes/website](https://github.com/kubernetes/website) repository.
 
 The website content directory includes sub-directories for each language. The localization you want to help out with is inside `content/<two-letter-code>`.
 -->
-### 找到两个字母的语言代码
+### 找到两个字母的语言代码 {#find-your-two-letter-language-code}
 
 首先，有关本地化的两个字母的语言代码，请参考
 [ISO 639-1 标准](https://www.loc.gov/standards/iso639-2/php/code_list.php)。
@@ -73,7 +73,7 @@ The website content directory includes sub-directories for each language. The lo
 ### 派生（fork）并且克隆仓库 {#fork-and-clone-the-repo}
 
 首先，为 [kubernetes/website](https://github.com/kubernetes/website) 仓库
-[创建你自己的副本](/zh/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
+[创建你自己的副本](/zh-cn/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
 
 <!--
 Then, clone your fork and `cd` into it:
@@ -85,9 +85,12 @@ git clone https://github.com/<username>/website
 cd website
 ```
 
+<!--
+The website content directory includes sub-directories for each language. The localization you want to help out with is inside `content/<two-letter-code>`.
+-->
 网站内容目录包括每种语言的子目录。你想要助力的本地化位于 `content/<two-letter-code>` 中。
 
-<!-- 
+<!--
 ### Suggest changes
 
 Create or update your chosen localized page based on the English original. See
@@ -113,10 +116,10 @@ that localization. The process is very similar to proposing changes to the upstr
 
 请将拉取请求限制为单个本地化，因为在多个本地化中更改内容的拉取请求可能难以审查。
 
-按照[内容改进建议](/zh/docs/contribute/suggest-improvements/)提出对该本地化的更改。
+按照[内容改进建议](/zh-cn/docs/contribute/suggest-improvements/)提出对该本地化的更改。
 该过程与提议更改上游（英文）内容非常相似。
 
-<!--  
+<!--
 ## Start a new localization
 
 If you want the Kubernetes documentation localized into a new language, here's what
@@ -128,7 +131,7 @@ to begin a localization.
 All localization teams must be self-sustaining. The Kubernetes website is happy to host your work, but
 it's up to you to translate it and keep existing localized content current.
 -->
-## 开始新的本地化
+## 开始新的本地化 {#start-a-new-localization}
 
 如果你希望将 Kubernetes 文档本地化为一种新语言，你需要执行以下操作。
 
@@ -137,7 +140,7 @@ it's up to you to translate it and keep existing localized content current.
 所有本地化团队都必须能够自我维持。
 Kubernetes 网站很乐意托管你的作品，但要由你来翻译它并使现有的本地化内容保持最新。
 
-<!-- 
+<!--
 You'll need to know the two-letter language code for your language. Consult the
 [ISO 639-1 standard](https://www.loc.gov/standards/iso639-2/php/code_list.php) to find your
 localization's two-letter language code. For example, the two-letter code for Korean is
@@ -160,19 +163,19 @@ Kubernetes 项目才能将你的更改发布到当前网站。
 
 SIG Docs 可以帮助你在单独的分支上工作，以便你可以逐步实现该目标。
 
-<!-- 
+<!--
 ### Find community
 
 Let Kubernetes SIG Docs know you're interested in creating a localization! Join the [SIG Docs Slack channel](https://kubernetes.slack.com/messages/sig-docs) and the [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations). Other localization teams are happy to help you get started and answer any questions you have.
 -->
-### 找到社区
+### 找到社区 {#find-community}
 
 让 Kubernetes SIG Docs 知道你有兴趣创建本地化！
 加入 [SIG Docs Slack 频道](https://kubernetes.slack.com/messages/sig-docs)
 和 [SIG Docs Localizations Slack 频道](https://kubernetes.slack.com/messages/sig-docs-localizations)。
 其他本地化团队很乐意帮助你入门并回答你的任何问题。
 
-<!-- 
+<!--
 Please also consider participating in the [SIG Docs Localization Subgroup meeting](https://github.com/kubernetes/community/tree/master/sig-docs).  The mission of the SIG Docs localization subgroup is to work across the SIG Docs localization teams to collaborate on defining and documenting the processes for creating localized contribution guides. In addition, the SIG Docs localization subgroup will look for opportunities for the creation and sharing of common tools across localization teams and also serve to identify new requirements to the SIG Docs Leadership team.  If you have questions about this meeting, please inquire on the [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations).
 
 You can also create a Slack channel for your localization in the `kubernetes/community` repository. For an example of adding a Slack channel, see the PR for [adding a channel for Persian](https://github.com/kubernetes/community/pull/4980).
@@ -189,25 +192,26 @@ SIG Docs 本地化小组的任务是与 SIG Docs 本地化团队合作，
 你还可以在 `kubernetes/community` 仓库中为你的本地化创建一个 Slack 频道。
 有关添加 Slack 频道的示例，请参阅
 [为波斯语添加频道](https://github.com/kubernetes/community/pull/4980)的 PR。
-    
-<!-- 
+
+<!--
 ### Join the Kubernetes GitHub organization
-Once you've opened a localization PR, you can become members of the Kubernetes GitHub organization. Each person on the team needs to create their own [Organization Membership Request](https://github.com/kubernetes/org/issues/new/choose) in the `kubernetes/org` repository. 
+
+Once you've opened a localization PR, you can become members of the Kubernetes GitHub organization. Each person on the team needs to create their own [Organization Membership Request](https://github.com/kubernetes/org/issues/new/choose) in the `kubernetes/org` repository.
 -->
-### 加入到 Kubernetes GitHub 组织
+### 加入到 Kubernetes GitHub 组织 {#join-the-kubernetes-github-organization}
 
 提交本地化 PR 后，你可以成为 Kubernetes GitHub 组织的成员。
 团队中的每个人都需要在 `kubernetes/org` 仓库中创建自己的
 [组织成员申请](https://github.com/kubernetes/org/issues/new/choose)。
 
-<!-- 
+<!--
 ### Add your localization team in GitHub
 
-Next, add your Kubernetes localization team to [`sig-docs/teams.yaml`](https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-docs/teams.yaml). For an example of adding a localization team, see the PR to add the [Spanish localization team](https://github.com/kubernetes/org/pull/685). 
+Next, add your Kubernetes localization team to [`sig-docs/teams.yaml`](https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-docs/teams.yaml). For an example of adding a localization team, see the PR to add the [Spanish localization team](https://github.com/kubernetes/org/pull/685).
 
-Members of `@kubernetes/sig-docs-**-owners` can approve PRs that change content within (and only within) your localization directory: `/content/**/`. 
+Members of `@kubernetes/sig-docs-**-owners` can approve PRs that change content within (and only within) your localization directory: `/content/**/`.
 
-The `@kubernetes/sig-docs-**-reviews` team automates review assignment for new PRs. 
+For each localization, The `@kubernetes/sig-docs-**-reviews` team automates review assignment for new PRs.
 -->
 ### 在 GitHub 中添加你的本地化团队 {#add-your-localization-team-in-github}
 
@@ -217,24 +221,24 @@ The `@kubernetes/sig-docs-**-reviews` team automates review assignment for new P
 
 `@kubernetes/sig-docs-**-owners` 成员可以批准更改对应本地化目录 `/content/**/` 中内容的 PR，并仅限这类 PR。
 
-`@kubernetes/sig-docs-**-reviews` 团队被自动分派新 PR 的审阅任务。
+对于每个本地化，`@kubernetes/sig-docs-**-reviews` 团队被自动分派新 PR 的审阅任务。
 
-<!-- 
+<!--
 Members of `@kubernetes/website-maintainers` can create new localization branches to coordinate translation efforts.
 
-Members of `website-milestone-maintainers` can use the `/milestone` [Prow command](https://prow.k8s.io/command-help) to assign a milestone to issues or PRs. 
+Members of `@kubernetes/website-milestone-maintainers` can use the `/milestone` [Prow command](https://prow.k8s.io/command-help) to assign a milestone to issues or PRs.
 -->
 `@kubernetes/website-maintainers` 成员可以创建新的本地化分支来协调翻译工作。
 
 `@kubernetes/website-milestone-maintainers` 成员可以使用 `/milestone`
 [Prow 命令](https://prow.k8s.io/command-help)为 issues 或 PR 设定里程碑。
-    
-<!-- 
+
+<!--
 ### Configure the workflow
 
 Next, add a GitHub label for your localization in the `kubernetes/test-infra` repository. A label lets you filter issues and pull requests for your specific language.
 
-For an example of adding a label, see the PR for adding the [Italian language label](https://github.com/kubernetes/test-infra/pull/11316). 
+For an example of adding a label, see the PR for adding the [Italian language label](https://github.com/kubernetes/test-infra/pull/11316).
 -->
 ### 配置工作流程 {#configure-the-workflow}
 
@@ -246,16 +250,14 @@ For an example of adding a label, see the PR for adding the [Italian language la
 你还可以在 `kubernetes/community` 仓库中为你的本地化创建一个 Slack 频道。
 有关添加 Slack 频道的示例，请参见[为印尼语和葡萄牙语添加频道](https://github.com/kubernetes/community/pull/3605)的 PR。
 
-<!-- 
+<!--
 ### Modify the site configuration
 
 The Kubernetes website uses Hugo as its web framework. The website's Hugo configuration resides in the  [`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml) file. To support a new localization, you'll need to modify `config.toml`.
 
-Add a configuration block for the new language to `config.toml`, under the existing `[languages]` block. The German block, for example, looks like: 
+Add a configuration block for the new language to `config.toml`, under the existing `[languages]` block. The German block, for example, looks like:
 -->
-## 最低要求内容 {#minimum-required-content}
-
-### 修改站点配置
+### 修改站点配置 {#configure-the-workflow}
 
 Kubernetes 网站使用 Hugo 作为其 Web 框架。网站的 Hugo 配置位于
 [`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml)文件中。
@@ -275,7 +277,7 @@ weight = 8
 ```
 
 <!--
-The value for `languageName` will be listed in language selection bar. Assign "language name in native script (language name in latin script)" to `languageName`, for example, `languageName = "한국어 (Korean)"`. `languageNameLatinScript` can be used to access the language name in latin script and use it in the theme. Assign "language name in latin script" to `languageNameLatinScript`, for example, `languageNameLatinScript ="Korean"`.
+The value for `languageName` will be listed in language selection bar. Assign "language name in native script (language name in latin script)" to `languageName`, for example, `languageName = "한국어 (Korean)"`. `languageNameLatinScript` can be used to access the language name in latin script and use it in the theme. Assign "language name in latin script" to `languageNameLatinScript`, for example, `languageNameLatinScript ="Korean"`. 
 -->
 `languageName` 的值将列在语言选择栏中。
 将 `languageName` 赋值为“本地脚本中的语言名称（拉丁脚本中的语言名称）”。
@@ -284,21 +286,21 @@ The value for `languageName` will be listed in language selection bar. Assign "l
 将 `languageNameLatinScript` 赋值为“拉丁脚本中的语言名称”。
 例如，`languageNameLatinScript ="Korean"`。
 
-<!-- 
+<!--
 When assigning a `weight` parameter for your block, find the language block with the highest weight and add 1 to that value.
 
-For more information about Hugo's multilingual support, see "[Multilingual Mode](https://gohugo.io/content-management/multilingual/)". 
+For more information about Hugo's multilingual support, see "[Multilingual Mode](https://gohugo.io/content-management/multilingual/)".
 -->
 为你的语言块分配一个 `weight` 参数时，找到权重最高的语言块并将其加 1。
 
 有关 Hugo 多语言支持的更多信息，请参阅"[多语言模式](https://gohugo.io/content-management/multilingual/)"。
 
-<!-- 
+<!--
 ### Add a new localization directory
 
-Add a language-specific subdirectory to the [`content`](https://github.com/kubernetes/website/tree/master/content) folder in the repository. For example, the two-letter code for German is `de`: 
+Add a language-specific subdirectory to the [`content`](https://github.com/kubernetes/website/tree/main/content) folder in the repository. For example, the two-letter code for German is `de`:
 -->
-### 添加一个新的本地化目录
+### 添加一个新的本地化目录 {#add-a-new-localization-directory}
 
 将特定语言的子目录添加到仓库中的
 [`content`](https://github.com/kubernetes/website/tree/main/content) 文件夹下。
@@ -308,7 +310,7 @@ Add a language-specific subdirectory to the [`content`](https://github.com/kuber
 mkdir content/de
 ```
 
-<!-- 
+<!--
 You also need to create a directory inside `data/i18n` for
 [localized strings](#site-strings-in-i18n); look at existing localizations
 for an example. To use these new strings, you must also create a symbolic link
@@ -328,28 +330,28 @@ For example, for German the strings live in `data/i18n/de/de.toml`, and
 例如，对于德语，字符串位于 `data/i18n/de/de.toml` 中，
 而 `i18n/de.toml` 是指向 `data/i18n/de/de.toml` 的符号链接。
 
-<!-- 
-### Localize the community code of conduct 
+<!--
+### Localize the community code of conduct
 
 Open a PR against the [`cncf/foundation`](https://github.com/cncf/foundation/tree/master/code-of-conduct-languages) repository to add the code of conduct in your language.
 
 -->
-### 本地化社区行为准则
+### 本地化社区行为准则 {#localize-the-community-code-of-conduct}
 
 在 [`cncf/foundation`](https://github.com/cncf/foundation/tree/master/code-of-conduct-languages)
 仓库提交 PR，添加你所用语言版本的行为准则。
 
 -->
-<!-- 
+<!--
 ### Setting up the OWNERS files
 
 To set the roles of each user contributing to the localization, create an `OWNERS` file inside the language-specific subdirectory with:
 
 - **reviewers**: A list of kubernetes teams with reviewer roles, in this case, the `sig-docs-**-reviews` team created in [Add your localization team in GitHub](#add-your-localization-team-in-github).
 - **approvers**: A list of kubernetes teams with approvers roles, in this case, the `sig-docs-**-owners` team created in [Add your localization team in GitHub](#add-your-localization-team-in-github).
-- **labels**: A list of GitHub labels to automatically apply to a PR, in this case, the language label created in [Configure the workflow](#configure-the-workflow). 
+- **labels**: A list of GitHub labels to automatically apply to a PR, in this case, the language label created in [Configure the workflow](#configure-the-workflow).
 -->
-### 设置 OWNERS 文件
+### 设置 OWNERS 文件 {#setting-up-the-owners-files}
 
 要设置每个对本地化做出贡献用户的角色，请在特定于语言的子目录内创建一个 `OWNERS` 文件，其中：
 
@@ -362,10 +364,10 @@ To set the roles of each user contributing to the localization, create an `OWNER
 - **labels**: 可以自动应用于 PR 的 GitHub 标签列表，在本例中为
   [配置工作流程](#configure-the-workflow)中创建的语言标签。
 
-<!-- 
+<!--
 More information about the `OWNERS` file can be found at [go.k8s.io/owners](https://go.k8s.io/owners).
 
-The [Spanish OWNERS file](https://git.k8s.io/website/content/es/OWNERS), with language code `es`, looks like: 
+The [Spanish OWNERS file](https://git.k8s.io/website/content/es/OWNERS), with language code `es`, looks like:
 -->
 有关 `OWNERS` 文件的更多信息，请访问[go.k8s.io/owners](https://go.k8s.io/owners)。
 
@@ -386,12 +388,12 @@ approvers:
 
 labels:
 - language/es
-``` 
+```
 
-<!-- 
+<!--
 After adding the language-specific `OWNERS` file, update the [root `OWNERS_ALIASES`](https://git.k8s.io/website/OWNERS_ALIASES) file with the new Kubernetes teams for the localization, `sig-docs-**-owners` and `sig-docs-**-reviews`.
 
-For each team, add the list of GitHub users requested in [Add your localization team in GitHub](#add-your-localization-team-in-github), in alphabetical order. 
+For each team, add the list of GitHub users requested in [Add your localization team in GitHub](#add-your-localization-team-in-github), in alphabetical order.
 -->
 添加了特定语言的 OWNERS 文件之后，使用新的 Kubernetes 本地化团队、
 `sig-docs-**-owners` 和 `sig-docs-**-reviews` 列表更新
@@ -421,7 +423,7 @@ For each team, add the list of GitHub users requested in [Add your localization
      - remyleone
 ```
 
-<!-- 
+<!--
 ### Open a pull request
 
 Next, [open a pull request](/docs/contribute/new-content/open-a-pr/#open-a-pr) (PR) to add a localization to the `kubernetes/website` repository.
@@ -432,7 +434,7 @@ For an example of adding a new localization, see the PR to enable [docs in Frenc
 -->
 ### 打开拉取请求  {#open-a-pull-request}
 
-接下来，[打开拉取请求](/zh/docs/contribute/new-content/open-a-pr/#open-a-pr)（PR）
+接下来，[打开拉取请求](/zh-cn/docs/contribute/new-content/open-a-pr/#open-a-pr)（PR）
 将本地化添加到 `kubernetes/website` 存储库。
 
 PR 必须包含所有[最低要求内容](#minimum-required-content)才能获得批准。
@@ -440,7 +442,7 @@ PR 必须包含所有[最低要求内容](#minimum-required-content)才能获得
 有关添加新本地化的示例，
 请参阅 PR 以启用[法语文档](https://github.com/kubernetes/website/pull/12548)。
 
-<!-- 
+<!--
 ### Add a localized README file
 
 To guide other localization contributors, add a new [`README-**.md`](https://help.github.com/articles/about-readmes/) to the top level of [k/website](https://github.com/kubernetes/website/), where `**` is the two-letter language code. For example, a German README file would be `README-de.md`.
@@ -448,9 +450,9 @@ To guide other localization contributors, add a new [`README-**.md`](https://hel
 Provide guidance to localization contributors in the localized `README-**.md` file. Include the same information contained in `README.md` as well as:
 
 - A point of contact for the localization project
-- Any information specific to the localization 
+- Any information specific to the localization
 -->
-### 添加本地化的 README 文件
+### 添加本地化的 README 文件 {#add-a-localized-readme-file}
 
 为了指导其他本地化贡献者，请在 [k/website](https://github.com/kubernetes/website/)
 的根目录添加一个新的 [`README-**.md`](https://help.github.com/articles/about-readmes/)，
@@ -461,14 +463,14 @@ Provide guidance to localization contributors in the localized `README-**.md` fi
 - 本地化项目的联系人
 - 任何特定于本地化的信息
 
-<!-- 
-After you create the localized README, add a link to the file from the main English `README.md`, and include contact information in English. You can provide a GitHub ID, email address, [Slack channel](https://slack.com/), or other method of contact. You must also provide a link to your localized Community Code of Conduct. 
+<!--
+After you create the localized README, add a link to the file from the main English `README.md`, and include contact information in English. You can provide a GitHub ID, email address, [Slack channel](https://slack.com/), or other method of contact. You must also provide a link to your localized Community Code of Conduct.
 -->
 创建本地化的 README 文件后，请在英语版文件 `README.md` 中添加指向该文件的链接，
 并给出英文形式的联系信息。你可以提供 GitHub ID、电子邮件地址、
 [Slack 频道](https://slack.com/)或其他联系方式。你还必须提供指向本地化的社区行为准则的链接。
 
-<!-- 
+<!--
 ### Launching your new localization
 
 Once a localization meets requirements for workflow and minimum output, SIG Docs will:
@@ -476,7 +478,7 @@ Once a localization meets requirements for workflow and minimum output, SIG Docs
 - Enable language selection on the website
 - Publicize the localization's availability through [Cloud Native Computing Foundation](https://www.cncf.io/about/) (CNCF) channels, including the [Kubernetes blog](https://kubernetes.io/blog/).
 -->
-### 启动你的新本地化
+### 启动你的新本地化 {#add-a-localized-readme-file}
 
 一旦本地化满足工作流程和最小输出的要求，SIG Docs 将：
 
@@ -484,20 +486,25 @@ Once a localization meets requirements for workflow and minimum output, SIG Docs
 - 通过[云原生计算基金会](https://www.cncf.io/about/)（CNCF）渠道，
   包括 [Kubernetes 博客](https://kubernetes.io/blog/)，来宣传本地化的可用性。
 
-<!-- 
+<!--
 ## Translating content
 
 Localizing *all* of the Kubernetes documentation is an enormous task. It's okay to start small and expand over time.
-
-At a minimum, all localizations must include: 
 -->
 ## 翻译文档 {#translating-content}
 
 本地化*所有* Kubernetes 文档是一项艰巨的任务。从小做起，循序渐进。
 
+<!--
+### Minimum required content
+
+At a minimum, all localizations must include:
+-->
+### 最低要求内容 {#minimum-required-content}
+
 所有本地化至少必须包括：
 
-<!-- 
+<!--
 Description | URLs
 -----|-----
 Home | [All heading and subheading URLs](/docs/home/)
@@ -508,16 +515,17 @@ Releases | [All heading and subheading URLs](/releases)
 -->
 描述 | 网址
 -----|-----
-主页 | [所有标题和副标题网址](/zh/docs/home/)
-安装 | [所有标题和副标题网址](/zh/docs/setup/)
-教程 | [Kubernetes 基础](/zh/docs/tutorials/kubernetes-basics/), [Hello Minikube](/zh/docs/tutorials/hello-minikube/)
+主页 | [所有标题和副标题网址](/zh-cn/docs/home/)
+安装 | [所有标题和副标题网址](/zh-cn/docs/setup/)
+教程 | [Kubernetes 基础](/zh-cn/docs/tutorials/kubernetes-basics/), [Hello Minikube](/zh-cn/docs/tutorials/hello-minikube/)
 网站字符串 | [所有网站字符串](#Site-strings-in-i18n)
 发行版本 | [所有标题和副标题 URL](/releases)
-<!-- 
-Translated documents must reside in their own `content/**/` subdirectory, but otherwise follow the same URL path as the English source. For example, to prepare the [Kubernetes Basics](/docs/tutorials/kubernetes-basics/) tutorial for translation into German, create a subfolder under the `content/de/` folder and copy the English source: 
+
+<!--
+Translated documents must reside in their own `content/**/` subdirectory, but otherwise follow the same URL path as the English source. For example, to prepare the [Kubernetes Basics](/docs/tutorials/kubernetes-basics/) tutorial for translation into German, create a subfolder under the `content/de/` folder and copy the English source:
 -->
 翻译后的文档必须保存在自己的 `content/**/` 子目录中，否则将遵循与英文源相同的 URL 路径。
-例如，要准备将 [Kubernetes 基础](/zh/docs/tutorials/kubernetes-basics/) 教程翻译为德语，
+例如，要准备将 [Kubernetes 基础](/zh-cn/docs/tutorials/kubernetes-basics/) 教程翻译为德语，
 请在 `content/de/` 文件夹下创建一个子文件夹并复制英文源：
 
 ```shell
@@ -525,24 +533,24 @@ mkdir -p content/de/docs/tutorials
 cp content/en/docs/tutorials/kubernetes-basics.md content/de/docs/tutorials/kubernetes-basics.md
 ```
 
-<!-- 
-Translation tools can speed up the translation process. For example, some editors offers plugins to quickly translate text.  
+<!--
+Translation tools can speed up the translation process. For example, some editors offers plugins to quickly translate text.
 -->
 翻译工具可以加快翻译过程。例如，某些编辑器提供了用于快速翻译文本的插件。
 
-<!-- 
-Machine-generated translation alone does not meet the minimum standard of quality and requires extensive human review to meet that standard.  
+<!--
+Machine-generated translation is insufficient on its own. Localization requires extensive human review to meet minimum standards of quality.
 -->
 {{< caution >}}
-机器生成的翻译不能达到最低质量标准，需要进行大量人工审查才能达到该标准。
+机器生成的翻译本身是不够的，本地化需要广泛的人工审核才能满足最低质量标准。
 {{< /caution >}}
 
-<!-- 
-To ensure accuracy in grammar and meaning, members of your localization team should carefully review all machine-generated translations before publishing. 
+<!--
+To ensure accuracy in grammar and meaning, members of your localization team should carefully review all machine-generated translations before publishing.
 -->
 为了确保语法和含义的准确性，本地化团队的成员应在发布之前仔细检查所有由机器生成的翻译。
 
-<!-- 
+<!--
 ### Source files
 
 Localizations must be based on the English files from a specific release targeted by the localization team.
@@ -558,9 +566,9 @@ To find source files for your target version:
     Previous version | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
     Next version | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
 
-The `master` branch holds content for the current release `{{< latest-version >}}`. The release team will create `{{< release-branch >}}` branch before the next release: v{{< skew nextMinorVersion >}}.
+The `main` branch holds content for the current release `{{< latest-version >}}`. The release team will create a `{{< release-branch >}}` branch before the next release: v{{< skew nextMinorVersion >}}.
 -->
-### 源文件
+### 源文件 {#source-files}
 
 本地化必须基于本地化团队所针对的特定发行版本中的英文文件。
 每个本地化团队可以决定要针对哪个发行版本，在下文中称作目标版本（target version）。）
@@ -580,27 +588,27 @@ The `master` branch holds content for the current release `{{< latest-version >}
 发行团队会在下一个发行版本 v{{< skew nextMinorVersion >}} 出现之前创建
 `{{< release-branch >}}` 分支。
 
-<!-- 
-### Site strings in i18n/ 
+<!--
+### Site strings in i18n
 
-Localizations must include the contents of [`data/i18n/en/en.toml`](https://github.com/kubernetes/website/blob/master/i18n/en.toml) in a new language-specific file. Using German as an example: `data/i18n/de/de.toml`. 
+Localizations must include the contents of [`data/i18n/en/en.toml`](https://github.com/kubernetes/website/blob/main/data/i18n/en/en.toml) in a new language-specific file. Using German as an example: `data/i18n/de/de.toml`.
 
-Add a new localization file to `i18n/`. For example, with German (`de`): 
+Add a new localization directory and file to `data/i18n/`. For example, with German (`de`):
 -->
 ### i18n/ 中的网站字符串 {#site-strings-in-i18n}
 
 本地化必须在新的语言特定文件中包含
-[`data/i18n/en/en.toml`](https://github.com/kubernetes/website/blob/master/i18n/en.toml)
+[`data/i18n/en/en.toml`](https://github.com/kubernetes/website/blob/main/data/i18n/en/en.toml)
 的内容。以德语为例：`data/i18n/de/de.toml`。
 
-将新的本地化文件添加到 `i18n/`。例如德语 (`de`)：
+将新的本地化文件和目录添加到 `data/i18n/`。例如德语 (`de`)：
 
 ```bash
 mkdir -p data/i18n/de
 cp data/i18n/en/en.toml data/i18n/de/de.toml
 ```
 
-<!-- 
+<!--
 Revise the comments at the top of the file to suit your localization,
 then translate the value of each string. For example, this is the German-language
 placeholder text for the search form:
@@ -613,20 +621,20 @@ placeholder text for the search form:
 other = "Suchen"
 ```
 
-<!-- 
-Localizing site strings lets you customize site-wide text and features: for example, the legal copyright text in the footer on each page. 
+<!--
+Localizing site strings lets you customize site-wide text and features: for example, the legal copyright text in the footer on each page.
 -->
 本地化网站字符串允许你自定义网站范围的文本和特性：例如，每个页面页脚中的合法版权文本。
 
-<!-- 
+<!--
 ### Language specific style guide and glossary
 
-Some language teams have their own language-specific style guide and glossary. For example, see the [Korean Localization Guide](/ko/docs/contribute/localization_ko/). 
+Some language teams have their own language-specific style guide and glossary. For example, see the [Korean Localization Guide](/ko/docs/contribute/localization_ko/).
 -->
-### 特定语言的样式指南和词汇表
+### 特定语言的样式指南和词汇表 {#language-specific-style-guide-and-glossary}
 
 一些语言团队有自己的特定语言样式指南和词汇表。
-例如，请参见[中文本地化指南](/zh/docs/contribute/localization_zh/)。
+例如，请参见[中文本地化指南](/zh-cn/docs/contribute/localization_zh/)。
 
 <!--
 ### Language specific Zoom meetings
@@ -637,23 +645,23 @@ Per CNCF policy, the localization teams must upload their meetings to the SIG Do
 
 -->
 
-### 特定语言的 Zoom 会议
+### 特定语言的 Zoom 会议 {#language-specific-zoom-meetings}
 
-如果本地化项目需要单独的会议时间， 
-请联系 SIG Docs 联合主席或技术主管以创建新的重复 Zoom 会议和日历邀请。 
+如果本地化项目需要单独的会议时间，
+请联系 SIG Docs 联合主席或技术主管以创建新的重复 Zoom 会议和日历邀请。
 仅当团队维持在足够大的规模并需要单独的会议时才需要这样做。
 
 根据 CNCF 政策，本地化团队必须将他们的会议上传到 SIG Docs YouTube 播放列表。
 SIG Docs 联合主席或技术主管可以帮助完成该过程，直到 SIG Docs 实现自动化。
 
-<!-- 
-## Branching strategy 
+<!--
+## Branching strategy
 
 Because localization projects are highly collaborative efforts, we
 encourage teams to work in shared localization branches - especially
 when starting out and the localization is not yet live.
 
-To collaborate on a localization branch: 
+To collaborate on a localization branch:
 -->
 ### 分支策略 {#branching-strategy}
 
@@ -662,10 +670,10 @@ To collaborate on a localization branch:
 
 在本地化分支上协作需要：
 
-<!-- 
+<!--
 1. A team member of [@kubernetes/website-maintainers](https://github.com/orgs/kubernetes/teams/website-maintainers) opens a localization branch from a source branch on https://github.com/kubernetes/website.
 
-    Your team approvers joined the `@kubernetes/website-maintainers` team when you [added your localization team](#add-your-localization-team-in-github) to the [`kubernetes/org`](https://github.com/kubernetes/org) repository. 
+    Your team approvers joined the `@kubernetes/website-maintainers` team when you [added your localization team](#add-your-localization-team-in-github) to the [`kubernetes/org`](https://github.com/kubernetes/org) repository.
 
     We recommend the following branch naming scheme:
 
@@ -685,14 +693,14 @@ To collaborate on a localization branch:
    例如，一个德语本地化团队的批准人基于 Kubernetes v1.12 版本的源分支，
    直接新建了 k/website 仓库的本地化分支 `dev-1.12-de.1`。
 
-<!-- 
+<!--
 2. Individual contributors open feature branches based on the localization branch.
 
     For example, a German contributor opens a pull request with changes to `kubernetes:dev-1.12-de.1` from `username:local-branch-name`.
 
 3. Approvers review and merge feature branches into the localization branch.
 
-4. Periodically, an approver merges the localization branch to its source branch by opening and approving a new pull request. Be sure to squash the commits before approving the pull request. 
+4. Periodically, an approver merges the localization branch to its source branch by opening and approving a new pull request. Be sure to squash the commits before approving the pull request.
 -->
 2. 个人贡献者基于本地化分支创建新的特性分支
 
@@ -703,13 +711,13 @@ To collaborate on a localization branch:
 4. 批准人会定期发起并批准新的 PR，将本地化分支合并到其源分支。
    在批准 PR 之前，请确保先 squash commits。
 
-<!-- 
-Repeat steps 1-4 as needed until the localization is complete. For example, subsequent German localization branches would be: `dev-1.12-de.2`, `dev-1.12-de.3`, etc. 
+<!--
+Repeat steps 1-4 as needed until the localization is complete. For example, subsequent German localization branches would be: `dev-1.12-de.2`, `dev-1.12-de.3`, etc.
 -->
 根据需要重复步骤 1-4，直到完成本地化工作。例如，随后的德语本地化分支将是：
 `dev-1.12-de.2`、`dev-1.12-de.3`，等等。
 
-<!-- 
+<!--
 Teams must merge localized content into the same branch from which the content was sourced.
 
 For example:
@@ -735,11 +743,11 @@ If your localization branch was created from `main` branch but it is not merged
 要将本地化分支合并到新的发行分支 `{{< release-branch >}}` 中，你需要
 将你本地化分支的上游分支切换到 `{{< release-branch >}}`。
 
-<!-- 
+<!--
 At the beginning of every team milestone, it's helpful to open an issue comparing upstream changes between the previous localization branch and the current localization branch. There are two scripts for comparing upstream changes. [`upstream_changes.py`](https://github.com/kubernetes/website/tree/main/scripts#upstream_changespy) is useful for checking the changes made to a specific file. And [`diff_l10n_branches.py`](https://github.com/kubernetes/website/tree/main/scripts#diff_l10n_branchespy) is useful for creating a list of outdated files for a specific localization branch.
 
 While only approvers can open a new localization branch and merge pull requests, anyone can open a pull request for a new localization branch. No special permissions are required.
- -->
+-->
 在团队每个里程碑的开始时段，创建一个 issue 来比较先前的本地化分支
 和当前的本地化分支之间的上游变化很有帮助。
 现在有两个脚本用来比较上游的变化。
@@ -751,13 +759,13 @@ While only approvers can open a new localization branch and merge pull requests,
 虽然只有批准人才能创建新的本地化分支并合并 PR，任何人都可以
 为新的本地化分支提交一个拉取请求（PR）。不需要特殊权限。
 
-<!-- 
-For more information about working from forks or directly from the repository, see ["fork and clone the repo"](#fork-and-clone-the-repo). 
+<!--
+For more information about working from forks or directly from the repository, see ["fork and clone the repo"](#fork-and-clone-the-repo).
 -->
 有关基于派生或直接从仓库开展工作的更多信息，请参见 ["派生和克隆"](#fork-and-clone-the-repo)。
 
-<!-- 
-## Upstream contributions 
+<!--
+## Upstream contributions
 
 SIG Docs welcomes upstream contributions and corrections to the English source.
 -->
diff --git a/content/zh/docs/contribute/localization_zh.md b/content/zh-cn/docs/contribute/localization_zh.md
similarity index 88%
rename from content/zh/docs/contribute/localization_zh.md
rename to content/zh-cn/docs/contribute/localization_zh.md
index c55d03941fcda..56c2432416342 100644
--- a/content/zh/docs/contribute/localization_zh.md
+++ b/content/zh-cn/docs/contribute/localization_zh.md
@@ -6,7 +6,7 @@ content_type: concept
 <!-- overview -->
 
 本节详述文档中文本地化过程中须注意的事项。
-这里列举的内容包含了*中文本地化小组*早期给出的指导性建议和后续实践过程中积累的经验。
+这里列举的内容包含了**中文本地化小组**早期给出的指导性建议和后续实践过程中积累的经验。
 在阅读、贡献、评阅中文本地化文档的过程中，如果对本文的指南有任何改进建议，
 都请直接提出 PR。我们欢迎任何形式的补充和更正！
 
@@ -158,28 +158,19 @@ weight: 30
 通过 HTML 注释的短代码仍会被运行，因此需要额外小心。建议处理方式：
 
 ```
-<!--
-English text
--->
 {{</* note */>}}
-中文译文
-{{</* /note */>}}
-```
-
-评阅人应该不难理解中英文段落的对应关系。但是如果采用下面的方式，
-则会出现两个 `note`，因此需要避免。这是因为被注释起来的短代码仍会起作用！
-
-```
 <!--
-{{</* note */>}}
 English text
-{{</* /note */>}}
 -->
-{{</* note */>}}
 中文译文
 {{</* /note */>}}
 ```
 
+{{< note >}}
+现行风格与之前风格有些不同，这是因为较新的 Hugo 版本已经能够正确处理短代码中的注释段落。
+保持注释掉的英文与译文都在短代码内更便于维护。
+{{< /note >}}
+
 ### 译与不译
 
 #### 资源名称或字段不译
@@ -198,13 +189,13 @@ deployment 来表示名为 "Deployment" 的 API 资源类型和对象实例。
 
 #### 代码中的注释
 
-一般而言，代码中的注释需要翻译，包括存放在 `content/zh/examples/`
+一般而言，代码中的注释需要翻译，包括存放在 `content/zh-cn/examples/`
 目录下的清单文件中的注释。
 
 
 #### 出站链接
 
-如果超级链接的目标是 Kubernetes 网站之外的纯英文网页，链接中的内容*可以*不翻译。
+如果超级链接的目标是 Kubernetes 网站之外的纯英文网页，链接中的内容**可以**不翻译。
 例如：
 
 ```
@@ -214,16 +205,18 @@ Please check [installation caveats](https://acme.com/docs/v1/caveats) ...
 请参阅 [installation caveats](https://acme.com/docs/v1/caveats) ...
 ```
 
+{{< note >}}
 注意，这里的 `installation` 与 `参阅` 之间留白，因为解析后属于中英文混排的情况。
+{{< /note >}}
 
 ### 标点符号
 
-译文中标点符号要使用全角字符，除非以下两种情况：
+1. 译文中标点符号要使用全角字符，除非以下两种情况：
 
-- 标点符号是英文命令的一部分；
-- 标点符号是 Markdown 语法的一部分。
+   - 标点符号是英文命令的一部分；
+   - 标点符号是 Markdown 语法的一部分。
 
-英文排比句式中采用的逗号，在译文中要使用顿号代替，以便符合中文书写习惯。
+1. 英文排比句式中采用的逗号，在译文中要使用顿号代替，以便符合中文书写习惯。
 
 ## 更新译文
 
@@ -233,7 +226,7 @@ Please check [installation caveats](https://acme.com/docs/v1/caveats) ...
 
 为确保准确跟踪中文化版本与英文版本之间的差异，中文内容的 PR 所包含的每个页面都必须是“最新的”。
 这里的“最新”指的是对应的英文页面中的更改已全部同步到中文页面。
-如果某中文 PR 中包含对 `content/zh/docs/foo/bar.md` 的更改，且文件 `bar.md`
+如果某中文 PR 中包含对 `content/zh-cn/docs/foo/bar.md` 的更改，且文件 `bar.md`
 的上次更改日期是 `2020-10-01 01:02:03 UTC`，对应 GIT 标签 `abcd1234`，
 则 `bar.md` 应包含自 `abcd1234` 以来 `content/en/docs/foo/bar.md` 的所有变更，
 否则视此 PR 为不完整 PR，会破坏我们对上游变更的跟踪。
@@ -242,7 +235,7 @@ Please check [installation caveats](https://acme.com/docs/v1/caveats) ...
 `bar.md` 上次提交以来发生的所有变更，可使用：
 
 ```
-./scripts/lsync.sh content/zh/docs/foo/bar.md
+./scripts/lsync.sh content/zh-cn/docs/foo/bar.md
 ```
 
 ## 关于链接
@@ -273,18 +266,18 @@ Please check [installation caveats](https://acme.com/docs/v1/caveats) ...
 For more information, please check [volumes](/docs/concepts/storage/)
 ...
 -->
-更多的信息可参考[卷](/zh/docs/concepts/storage/)页面。
+更多的信息可参考[卷](/zh-cn/docs/concepts/storage/)页面。
 ```
 
 如果对应目标页面尚未本地化，建议登记一个 Issue。
 
 {{< note >}}
 Website 的仓库中 `scripts/linkchecker.py` 是一个工具，可用来检查页面中的链接。
-例如，下面的命令检查中文本地化目录 `/content/zh/docs/concepts/containers/`
+例如，下面的命令检查中文本地化目录 `/content/zh-cn/docs/concepts/containers/`
 中所有 Markdown 文件中的链接合法性：
 
-```
-./scripts/linkchecker.py -l zh -f /docs/concepts/containers/**/*.md
+```shell
+./scripts/linkchecker.py -l zh-cn -f /docs/concepts/containers/**/*.md
 ```
 {{< /note >}}
 
@@ -293,15 +286,22 @@ Website 的仓库中 `scripts/linkchecker.py` 是一个工具，可用来检查
 以下为译文 Markdown 排版格式要求：
 
 - 中英文之间留一个空格
+
   * 这里的“英文”包括以英文呈现的超级链接
-  * 这里的中文、英文都不包括标点符号
+  * 这里的中文、英文都**不包括**标点符号
+
 - 译文 Markdown 中不要使用长行，应适当断行。
+
   * 可根据需要在 80-120 列断行
   * 最好结合句子的边界断行，即一句话在一行，不必留几个字转到下一行
   * 不要在两个中文字符中间断行，因为这样会造成中文字符中间显示一个多余空格，
     如果句子太长，可以从中文与非中文符号之间断行
   * 超级链接文字一般较长，可独立成行
 
+- 英文原文中可能通过 `_text_` 或者 `*text*` 的形式用斜体突出部分字句。
+  考虑到中文斜体字非常不美观，在译文中应改为 `**译文**` 形式，
+  即用双引号语法生成加粗字句，实现突出显示效果。
+
 {{< warning >}}
 我们注意到有些贡献者可能使用了某种自动化工具，在 Markdown 英文原文中自动添加空格。
 虽然这些工具可一定程度提高效率，仍然需要提请作者注意，某些工具所作的转换可能是不对的，
@@ -309,11 +309,10 @@ Website 的仓库中 `scripts/linkchecker.py` 是一个工具，可用来检查
 甚至将超级链接中的半角井号（`#`）转换为全角，导致链接失效。
 {{< /warning >}}
 
-英文中 "you" 翻译成 "你" 不必是 “您"。
-文章内的链接用英文，例如 (#deploying)，在对应的标题上后面加上 {#deploying}
 
+## 特殊词汇
 
-## 术语
+英文中 "you" 翻译成 "你"，不必翻译为 "您" 以表现尊敬或谦卑。
 
 ### 术语拼写
 
@@ -324,14 +323,14 @@ Website 的仓库中 `scripts/linkchecker.py` 是一个工具，可用来检查
 列举所有 Pod，查看其创建时间 ...        [Yes]
 ```
 
-*第一次*使用首字母缩写时，应标注其全称和中文译文。例如：
+**第一次**使用首字母缩写时，应标注其全称和中文译文。例如：
 
 ```
 你可以创建一个 Pod 干扰预算（Pod Disruption Budget，PDB）来解决这一问题。
 所谓 PDB 实际上是 ...
 ```
 
-对于某些特定于 Kubernetes 语境的术语，也应在*第一次*出现在页面中时给出其英文原文，
+对于某些特定于 Kubernetes 语境的术语，也应在**第一次**出现在页面中时给出其英文原文，
 以便读者对照阅读。例如：
 
 ```
diff --git a/content/zh-cn/docs/contribute/new-content/_index.md b/content/zh-cn/docs/contribute/new-content/_index.md
new file mode 100644
index 0000000000000..e37acc6428c4a
--- /dev/null
+++ b/content/zh-cn/docs/contribute/new-content/_index.md
@@ -0,0 +1,200 @@
+---
+title: 贡献新内容
+content_type: 概念
+main_menu: true
+weight: 20
+---
+<!-- 
+title: Contributing new content
+content_type: concept
+main_menu: true
+weight: 20
+-->
+
+<!-- overview -->
+
+<!-- 
+This section contains information you should know before contributing new
+content. 
+-->
+
+本节包含你在贡献新内容之前需要知晓的信息。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart LR 
+    subgraph second[开始之前]
+    direction TB
+    S[ ] -.-
+    A[签署 CNCF CLA] --> B[选择 Git 分支]
+    B --> C[每个 PR 一种语言]
+    C --> F[检查贡献者工具]
+    end
+    subgraph first[基本知识]
+    direction TB
+       T[ ] -.-
+       D[用 markdown 编写文档<br>并用 Hugo 构建网站] --- E[GitHub 源代码]
+       E --- G['/content/../docs' 文件夹包含<br>多语言文档]
+       G --- H[评审 Hugo 页面内容<br>类型和短代码]
+    end
+    
+
+    first ----> second
+
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+classDef spacewhite fill:#ffffff,stroke:#fff,stroke-width:0px,color:#000
+class A,B,C,D,E,F,G,H grey
+class S,T spacewhite
+class first,second white
+{{</ mermaid >}}
+
+<!--
+***Figure - Contributing new content preparation***
+
+The figure above depicts the information you should know
+prior to submitting new content. The information details follow.
+-->
+
+***插图 - 贡献新内容准备工作***
+
+上图描述了你在提交新内容之前需要知晓的信息。
+详细信息见下文。
+
+<!-- body -->
+<!-- 
+## Contributing basics
+
+- Write Kubernetes documentation in Markdown and build the Kubernetes site
+  using [Hugo](https://gohugo.io/).
+- Kubernetes documentation uses [CommonMark](https://commonmark.org/) as its flavor of  Markdown. 
+- The source is in [GitHub](https://github.com/kubernetes/website). You can find
+  Kubernetes documentation at `/content/en/docs/`. Some of the reference
+  documentation is automatically generated from scripts in
+  the `update-imported-docs/` directory.
+- [Page content types](/docs/contribute/style/page-content-types/) describe the
+  presentation of documentation content in Hugo.
+  -->
+
+## 基本知识
+
+- 使用 Markdown 编写 Kubernetes 文档并使用 [Hugo](https://gohugo.io/) 构建网站。
+- Kubernetes 文档使用 [CommonMark](https://commonmark.org/) 作为 Markdown 的风格。
+- 源代码位于 [GitHub](https://github.com/kubernetes/website) 仓库中。
+  你可以在 `/content/zh-cn/docs/` 目录下找到 Kubernetes 文档。
+  某些参考文档是使用位于 `update-imported-docs/` 目录下的脚本自动生成的。
+- [页面内容类型](/zh-cn/docs/contribute/style/page-content-types/)使用 Hugo 描述文档内容的呈现。
+
+<!-- 
+- You can use [Docsy shortcodes](https://www.docsy.dev/docs/adding-content/shortcodes/) or [custom Hugo shortcodes](/docs/contribute/style/hugo-shortcodes/) to contribute to Kubernetes documentation.
+- In addition to the standard Hugo shortcodes, we use a number of
+  [custom Hugo shortcodes](/docs/contribute/style/hugo-shortcodes/) in our
+  documentation to control the presentation of content.
+- Documentation source is available in multiple languages in `/content/`. Each
+  language has its own folder with a two-letter code determined by the
+  [ISO 639-1 standard](https://www.loc.gov/standards/iso639-2/php/code_list.php)
+  . For example, English documentation source is stored in `/content/en/docs/`.
+- For more information about contributing to documentation in multiple languages
+  or starting a new translation,
+  see [localization](/docs/contribute/localization).
+-->
+
+- 你可以使用 [Docsy 短代码](https://www.docsy.dev/docs/adding-content/shortcodes/)
+  或[定制的 Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/)贡献 Kubernetes 文档。
+- 除了标准的 Hugo 短代码外，
+  我们还在文档中使用一些[定制的 Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/)来控制内容的呈现。
+- 文档的源代码有多种语言形式，位于 `/content/` 目录下。
+  每种语言都有一个自己的目录，用两个字母表示，这两个字母是基于
+  [ISO 639-1 标准](https://www.loc.gov/standards/iso639-2/php/code_list.php)来确定的。
+  例如，英语文档的源代码位于 `/content/en/docs/` 目录下。
+- 关于为多语言文档做贡献以及如何开始新翻译的详细信息，
+  可参考[本地化文档](/zh-cn/docs/contribute/localization)。
+
+<!-- 
+## Before you begin {#before-you-begin}
+### Sign the CNCF CLA {#sign-the-cla}
+All Kubernetes contributors **must** read
+the [Contributor guide](https://github.com/kubernetes/community/blob/master/contributors/guide/README.md)
+and [sign the Contributor License Agreement (CLA)](https://github.com/kubernetes/community/blob/master/CLA.md).
+Pull requests from contributors who haven't signed the CLA fail the automated
+tests. The name and email you provide must match those found in
+your `git config`, and your git name and email must match those used for the
+CNCF CLA.
+-->
+
+## 开始之前 {#before-you-begin}
+
+### 签署 CNCF CLA {#sign-the-cla}
+
+所有 Kubernetes 贡献者**必须**阅读[贡献者指南](https://github.com/kubernetes/community/blob/master/contributors/guide/README.md)
+并[签署贡献者授权同意书 (Contributor License Agreement, CLA)](https://github.com/kubernetes/community/blob/master/CLA.md)。  
+
+若贡献者尚未签署 CLA，其发起的 PR 将无法通过自动化测试。
+你所提供的姓名和邮件地址必须与 `git config` 中配置的完全相同，
+而且你的 git 用户名和邮件地址必须与用来签署 CNCF CLA 的信息一致。
+
+<!-- 
+### Choose which Git branch to use
+
+When opening a pull request, you need to know in advance which branch to base
+your work on.
+
+Scenario | Branch
+:---------|:------------
+Existing or new English language content for the current release | `main`
+Content for a feature change release | The branch which corresponds to the major and minor version the feature change is in, using the pattern `dev-<version>`. For example, if a feature changes in the `v{{< skew nextMinorVersion >}}` release, then add documentation changes to the ``dev-{{< skew nextMinorVersion >}}`` branch.
+Content in other languages (localizations) | Use the localization's convention. See the [Localization branching strategy](/docs/contribute/localization/#branching-strategy) for more information.
+
+If you're still not sure which branch to choose, ask in `#sig-docs` on Slack.
+-->
+
+### 选择要使用的 Git 分支
+
+在发起 PR 时，你需要预先知道基于哪个分支来开展工作。
+
+场景 | 分支
+:---------|:------------
+针对当前发行版本的，对现有英文内容的修改或新的英文内容 | `main`
+ 针对功能特性变更的内容 | 分支对应于功能特性变更的主要和次要版本，分支名称采用 `dev-<version>` 的模式。例如，如果某功能特性在 `v{{< skew nextMinorVersion >}}` 版本发生变化，则对应的文档变化要添加到 `dev-{{< skew nextMinorVersion >}}` 分支。
+ 其他语言的内容（本地化） | 基于本地化团队的约定。参见[本地化分支策略](/zh-cn/docs/contribute/localization/#branching-strategy)了解更多信息。 
+
+如果你仍不能确定要选择哪个分支，请在 Slack 的 `#sig-docs` 频道上提出问题。  
+
+<!-- 
+{{< note >}} If you already submitted your pull request and you know that the
+base branch was wrong, you (and only you, the submitter) can change it. {{<
+/note >}}
+-->
+
+{{< note >}}
+如果你已经提交了 PR，并且发现所针对的分支选错了，你（且只有作为提交人的你）可以更改分支。
+{{< /note >}}
+
+<!-- 
+### Languages per PR
+
+Limit pull requests to one language per PR. If you need to make an identical
+change to the same code sample in multiple languages, open a separate PR for
+each language.
+-->
+
+### 每个 PR 牵涉的语言
+
+请确保每个 PR 仅涉及一种语言。
+如果你需要对多种语言下的同一代码示例进行相同的修改，也请为每种语言发起一个独立的 PR。
+
+<!-- 
+## Tools for contributors
+
+The [doc contributors tools](https://github.com/kubernetes/website/tree/main/content/en/docs/doc-contributor-tools)
+directory in the `kubernetes/website` repository contains tools to help your
+contribution journey go more smoothly.
+-->
+
+## 为贡献者提供的工具
+
+`kubernetes/website` 仓库的[文档贡献者工具](https://github.com/kubernetes/website/tree/main/content/zh-cn/docs/doc-contributor-tools)目录中包含了一些工具，
+有助于使你的贡献过程更为顺畅。
diff --git a/content/zh/docs/contribute/new-content/blogs-case-studies.md b/content/zh-cn/docs/contribute/new-content/blogs-case-studies.md
similarity index 71%
rename from content/zh/docs/contribute/new-content/blogs-case-studies.md
rename to content/zh-cn/docs/contribute/new-content/blogs-case-studies.md
index 71ebf83930768..aa425e2bbb753 100644
--- a/content/zh/docs/contribute/new-content/blogs-case-studies.md
+++ b/content/zh-cn/docs/contribute/new-content/blogs-case-studies.md
@@ -34,14 +34,78 @@ Anyone can write a blog post and submit it for review.
 -->
 ## Kubernetes 博客
 
-Kubernetes 博客用于项目发布新功能特性、社区报告以及其他一些可能对整个社区
-很重要的新闻。
+Kubernetes 博客用于项目发布新功能特性、
+社区报告以及其他一些可能对整个社区很重要的新闻。
 其读者包括最终用户和开发人员。
-大多数博客的内容是关于核心项目中正在发生的事情，不过我们也鼓励你提交一些
-关于生态系统中其他地方发生的事情的博客。
+大多数博客的内容是关于核心项目中正在发生的事情，
+不过我们也鼓励你提交一些有关生态系统中其他时事的博客。
 
 任何人都可以撰写博客并提交评阅。
 
+<!-- 
+### Submit a Post
+
+Blog posts should not be commercial in nature and should consist of original content that applies broadly to the Kubernetes community.
+Appropriate blog content includes:
+
+- New Kubernetes capabilities
+- Kubernetes projects updates
+- Updates from Special Interest Groups
+- Tutorials and walkthroughs
+- Thought leadership around Kubernetes
+- Kubernetes Partner OSS integration
+- **Original content only**
+-->
+### 提交博文
+
+博文不应该是商业性质的，应该包含广泛适用于 Kubernetes 社区的原创内容。
+合适的博客内容包括：
+
+- Kubernetes 新能力
+- Kubernetes 项目更新信息
+- 来自特别兴趣小组（Special Interest Groups, SIG）的更新信息
+- 教程和演练
+- 有关 Kubernetes 的纲领性理念
+- Kubernetes 合作伙伴 OSS 集成信息
+- **仅限原创内容**
+
+<!-- 
+Unsuitable content includes:
+
+- Vendor product pitches
+- Partner updates without an integration and customer story
+- Syndicated posts (language translations ok)
+-->
+
+不合适的博客内容包括：
+
+- 供应商产品推介
+- 不含集成信息和客户故事的合作伙伴更新信息
+- 已发表的博文（可刊登博文译稿）
+
+<!-- 
+To submit a blog post, follow these steps:
+
+1. [Sign the CLA](https://kubernetes.io/docs/contribute/start/#sign-the-cla) if you have not yet done so.
+1. Have a look at the Markdown format for existing blog posts in the [website repository](https://github.com/kubernetes/website/tree/master/content/en/blog/_posts).
+1. Write out your blog post in a text editor of your choice.
+1. On the same link from step 2, click the Create new file button. Paste your content into the editor. Name the file to match the proposed title of the blog post, but don’t put the date in the file name. The blog reviewers will work with you on the final file name and the date the blog will be published.
+1. When you save the file, GitHub will walk you through the pull request process.
+1. A blog post reviewer will review your submission and work with you on feedback and final details. When the blog post is approved, the blog will be scheduled for publication.
+-->
+要提交博文，你可以遵从以下步骤：
+
+1. 如果你还未签署 CLA，请先[签署 CLA](https://kubernetes.io/docs/contribute/start/#sign-the-cla)。
+2. 查阅[网站仓库](https://github.com/kubernetes/website/tree/master/content/en/blog/_posts)中现有博文的 Markdown 格式。
+3. 在你所选的文本编辑器中撰写你的博文。
+4. 在第 2 步的同一链接上，点击 **Create new file** 按钮。
+   将你的内容粘贴到编辑器中。为文件命名，使其与提议的博文标题一致，
+   但不要在文件名中写日期。
+   博客评阅者将与你一起确定最终的文件名和发表博客的日期。
+5. 保存文件时，GitHub 将引导你完成 PR 流程。
+6. 博客评阅者将评阅你提交的内容，并与你一起处理反馈和最终细节。
+   当博文被批准后，博客将排期发表。
+
 <!--
 ### Guidelines and expectations
 
@@ -55,7 +119,7 @@ Kubernetes 博客用于项目发布新功能特性、社区报告以及其他一
 - 博客内容不可以是销售用语。
   - 文章内容必须是对整个 Kubernetes 社区中很多人都有参考意义。
     例如，所提交的文章应该关注上游的 Kubernetes 项目本身，而不是某个厂商特定的配置。
-    请参阅[文档风格指南](/zh/docs/contribute/style/content-guide/#what-s-allowed)
+    请参阅[文档风格指南](/zh-cn/docs/contribute/style/content-guide/#what-s-allowed)
     以了解哪些内容是 Kubernetes 所允许的。
   - 链接应该主要指向官方的 Kubernetes 文档。
     当引用外部信息时，链接应该是多样的。
@@ -74,7 +138,7 @@ Kubernetes 博客用于项目发布新功能特性、社区报告以及其他一
 - 博客内容并非在某特定日期发表。
     - 文章会交由社区自愿者评阅。我们会尽力满足特定的时限要求，只是无法就此作出承诺。
   - Kubernetes 项目的很多核心组件会在发布窗口期内提交博客文章，导致发表时间被推迟。
-    因此，请考虑在发布周期内较为平静的时间段提交博文。
+    因此，请考虑在发布周期内较为平静的时间段提交博客文章。
   - 如果你希望就博文发表日期上进行较大范围的协调，请联系
     [CNCF 推广团队](https://www.cncf.io/about/contact/)。
     这也许是比提交博客文章更合适的一种选择。
@@ -87,6 +151,7 @@ Kubernetes 博客用于项目发布新功能特性、社区报告以及其他一
   - The components of Kubernetes are purposely modular, so tools that use existing integration points like CNI and CSI are on topic. 
   - Posts about other CNCF projects may or may not be on topic. We recommend asking the blog team before submitting a draft.
     - Many CNCF projects have their own blog. These are often a better choice for posts. There are times of major feature or milestone for a CNCF project that users would be interested in reading on the Kubernetes blog.
+  - Blog posts about contributing to the Kubernetes project should be in the [Kubernetes Contributors site](https://kubernetes.dev)
 -->
 - 博客内容应该对 Kubernetes 用户有用。
   - 与参与 Kubernetes SIGs 活动相关，或者与这类活动的结果相关的主题通常是切题的。
@@ -98,6 +163,7 @@ Kubernetes 博客用于项目发布新功能特性、社区报告以及其他一
     - 很多 CNCF 项目有自己的博客。这些博客通常是更好的选择。
       有些时候，某个 CNCF 项目的主要功能特性或者里程碑的变化可能是用户有兴趣在
       Kubernetes 博客上阅读的内容。
+  - 关于为 Kubernetes 项目做贡献的博客内容应该放在 [Kubernetes 贡献者站点](https://kubernetes.dev)上。
 <!--
 - Blog posts should be original content
   - The official blog is not for repurposing existing content from a third party as new content.
@@ -126,7 +192,7 @@ We recognize that this requirement makes the process more difficult for less-fam
 -->
 ### 提交博客的技术考虑
 
-所提交的内容应该是 Markdown 格式的，以便能够被[Hugo](https://gohugo.io/) 生成器来处理。
+所提交的内容应该是 Markdown 格式的，以便能够被 [Hugo](https://gohugo.io/) 生成器来处理。
 关于如何使用相关技术，有[很多可用的资源](https://gohugo.io/documentation/)。
 
 我们知道这一需求可能给那些对此过程不熟悉的朋友们带来不便，
@@ -141,7 +207,6 @@ To submit a blog post follow these directions:
 SIG Docs [博客子项目](https://github.com/kubernetes/community/tree/master/sig-docs/blog-subproject) 负责管理博客的评阅过程。
 更多信息可参考[提交博文](https://github.com/kubernetes/community/tree/master/sig-docs/blog-subproject#submit-a-post)。
 
-
 要提交博文，你可以遵从以下指南：
 <!--
 - [Open a pull request](/docs/contribute/new-content/open-a-pr/#fork-the-repo) with a new blog post. New blog posts go under the [`content/en/blog/_posts`](https://github.com/kubernetes/website/tree/main/content/en/blog/_posts) directory.
@@ -152,7 +217,7 @@ SIG Docs [博客子项目](https://github.com/kubernetes/community/tree/master/s
   - Do **not** include dots in the filename. A name like `2020-01-01-whats-new-in-1.19.md` causes failures during a build.
   - The front matter must include the following:
 -->
-- [发起一个包含博文的 PR](/zh/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
+- [发起一个包含新博文的 PR](/zh-cn/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
   新博文要创建于 [`content/en/blog/_posts`](https://github.com/kubernetes/website/tree/main/content/en/blog/_posts) 目录下。
 
 - 确保你的博文遵从合适的命名规范，并带有下面的引言（元数据）信息：
@@ -198,6 +263,30 @@ SIG Docs [博客子项目](https://github.com/kubernetes/community/tree/master/s
   - 博客团队会对 PR 内容进行评阅，为你提供一些评语以便修订。
     之后，机器人会将你的博文合并并发表。
 
+<!-- 
+  - If the content of the blog post contains only content that is not expected to require updates to stay accurate for the reader, it can be marked as evergreen and exempted from the automatic warning about outdated content added to blog posts older than one year.
+    - To mark a blog post as evergreen, add this to the front matter:
+      
+      ```yaml
+      evergreen: true
+      ```
+    - Examples of content that should not be marked evergreen:
+      - **Tutorials** that only apply to specific releases or versions and not all future versions
+      - References to pre-GA APIs or features
+-->
+
+  - 如果博文的内容仅包含预期无需更新就能对读者保持精准的内容，
+    则可以将这篇博文标记为长期有效（evergreen），
+    且免除添加博文发表一年后内容过期的自动警告。
+    - 要将一篇博文标记为长期有效，请在引言部分添加以下标记：
+      
+      ```yaml
+      evergreen: true
+      ```
+    - 不应标记为长期有效的内容示例：
+      - 仅适用于特定发行版或版本而不是所有未来版本的**教程**
+      - 对非正式发行（Pre-GA）API 或功能特性的引用
+
 <!--
 ## Submit a case study
 
@@ -212,13 +301,11 @@ Refer to the [case study guidelines](https://github.com/cncf/foundation/blob/mas
 ## 提交案例分析
 
 案例分析用来概述组织如何使用 Kubernetes 解决现实世界的问题。
-Kubernetes 市场化团队和 {{< glossary_tooltip text="CNCF" term_id="cncf" >}} 成员
-会与你一起工作，撰写所有的案例分析。
+Kubernetes 市场化团队和 {{< glossary_tooltip text="CNCF" term_id="cncf" >}} 成员会与你一起工作，
+撰写所有的案例分析。
 
-请查看
-[现有案例分析](https://github.com/kubernetes/website/tree/main/content/en/case-studies)
-的源码。
+请查看[现有案例分析](https://github.com/kubernetes/website/tree/main/content/en/case-studies)的源码。
 
-参考[案例分析指南](https://github.com/cncf/foundation/blob/master/case-study-guidelines.md)
+参考[案例分析指南](https://github.com/cncf/foundation/blob/master/case-study-guidelines.md)，
 根据指南中的注意事项提交你的 PR 请求。
 
diff --git a/content/zh/docs/contribute/new-content/new-features.md b/content/zh-cn/docs/contribute/new-content/new-features.md
similarity index 97%
rename from content/zh/docs/contribute/new-content/new-features.md
rename to content/zh-cn/docs/contribute/new-content/new-features.md
index 031ce848fd25f..bf75186ac3ac8 100644
--- a/content/zh/docs/contribute/new-content/new-features.md
+++ b/content/zh-cn/docs/contribute/new-content/new-features.md
@@ -64,7 +64,7 @@ the techniques described in
 在你选定了某个功能特性，为其撰写文档（主笔或辅助），请在 `#sig-docs` Slack 频道、SIG Docs 的每周例会上，
 或者在功能特性对应的 PR 上提出咨询。
 如果继续工作是没有问题的，你可以使用
-[向他人的 PR 中提交](/zh/docs/contribute/review/for-approvers/#commit-into-another-persons-pr)
+[向他人的 PR 中提交](/zh-cn/docs/contribute/review/for-approvers/#commit-into-another-persons-pr)
 中描述的技术之一，参与 PR 的编辑工作。
 
 <!--
@@ -257,11 +257,11 @@ table with Alpha and Beta history intact.
 -->
 如果你在处理的功能特性处于 Alpha 或 Beta 阶段并由某特性门控控制，
 请确保在你的 PR 中，该特性门控被添加到 
-[Alpha/Beta 特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)
+[Alpha/Beta 特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)
 表格中。对于新的特性门控选项，需要为该特性门控提供一段描述。
 如果所处理的功能特性已经进入正式发布（GA）状态或者被废弃，
 请确保将其从上述表格中迁移到
-[已毕业或废弃的特性](/zh/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features)
+[已毕业或废弃的特性](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features)
 表格中，并确保迁移后保留其 Alpha、Beta 版本变迁历史。
 
 <!--
diff --git a/content/zh/docs/contribute/new-content/open-a-pr.md b/content/zh-cn/docs/contribute/new-content/open-a-pr.md
similarity index 77%
rename from content/zh/docs/contribute/new-content/open-a-pr.md
rename to content/zh-cn/docs/contribute/new-content/open-a-pr.md
index 7d2919b713769..a0dd88e8e1b67 100644
--- a/content/zh/docs/contribute/new-content/open-a-pr.md
+++ b/content/zh-cn/docs/contribute/new-content/open-a-pr.md
@@ -26,13 +26,12 @@ upcoming Kubernetes release, see
 To contribute new content pages or improve existing content pages, open a pull request (PR). Make sure you follow all the requirements in the [Before you begin](/docs/contribute/new-content/overview/#before-you-begin) section.
 -->
 {{< note >}}
-**代码开发者们**：如果你在为下一个 Kubernetes 发行版本中的某功能特性
-撰写文档，请参考[为新功能撰写文档](/zh/docs/contribute/new-content/new-features/)。
+**代码开发者们**：如果你在为下一个 Kubernetes 发行版本中的某功能特性撰写文档，
+请参考[为发行版本撰写功能特性文档](/zh-cn/docs/contribute/new-content/new-features/)。
 {{< /note >}}
 
 要贡献新的内容页面或者改进已有内容页面，请发起拉取请求（PR）。
-请确保你满足了[开始之前](/zh/docs/contribute/new-content/overview/#before-you-begin)
-节中所列举的所有要求。
+请确保你满足了[开始之前](/zh-cn/docs/contribute/new-content/#before-you-begin)一节中所列举的所有要求。
 
 <!--
 If your change is small, or you're unfamiliar with git, read [Changes using
@@ -45,16 +44,55 @@ learn how to make changes locally on your computer.
 [使用 GitHub 提交变更](#changes-using-github)以了解如何编辑页面。
 
 如果所提交的变更较大，请阅读[基于本地克隆副本开展工作](#fork-the-repo)以学习
-如何在你本地计算机上构造变更。
+如何在你本地计算机上进行修改。
 
 <!-- body -->
 
-<!--
+<!-- 
 ## Changes using GitHub
 
 If you're less experienced with git workflows, here's an easier method of
-opening a pull request.
+opening a pull request. The figure below outlines the steps and the details follow.
+-->
+## 使用 GitHub 提交变更 {#changes-using-github}
 
+如果你在 git 工作流方面欠缺经验，这里有一种发起拉取请求的更为简单的方法。
+下图勾勒了后续的步骤和细节。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart LR
+A([fa:fa-user 新的<br>贡献者]) --- id1[(K8s/Website<br>GitHub)]
+subgraph tasks[使用 GitHub 提交变更]
+direction TB
+    0[ ] -.-
+    1[1. 编辑此页] --> 2[2. 使用 GitHub markdown<br>编辑器进行修改]
+    2 --> 3[3. 填写 Propose file change]
+
+end
+subgraph tasks2[ ]
+direction TB
+4[4. 选择 Propose file change] --> 5[5. 选择 Create pull request] --> 6[6. 填写 Open a pull request]
+6 --> 7[7. 选择 Create pull request] 
+end
+
+id1 --> tasks --> tasks2
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+classDef k8s fill:#326ce5,stroke:#fff,stroke-width:1px,color:#fff;
+classDef spacewhite fill:#ffffff,stroke:#fff,stroke-width:0px,color:#000
+class A,1,2,3,4,5,6,7 grey
+class 0 spacewhite
+class tasks,tasks2 white
+class id1 k8s
+{{</ mermaid >}}
+
+***插图 - 使用 GitHub 发起一个 PR 的步骤***
+
+<!--
 1.  On the page where you see the issue, select the pencil icon at the top right.
     You can also scroll to the bottom of the page and select **Edit this page**.
 2.  Make your changes in the GitHub markdown editor.
@@ -62,19 +100,21 @@ opening a pull request.
     form. In the first field, give your commit message a title. In
     the second field, provide a description.
 -->
-## 使用 GitHub 提交变更 {#changes-using-github}
-
-如果你在 git 工作流方面欠缺经验，这里有一种发起拉取请求的更为简单的方法。
 
-1. 在你发现问题的网页，选择右上角的铅笔图标。你也可以滚动到页面底端，选择
-   **编辑此页面**。
+1. 在你发现问题的网页，选择右上角的铅笔图标。
+   你也可以滚动到页面底端，选择**编辑此页**。
 2. 在 GitHub 的 Markdown 编辑器中修改内容。
-3. 在编辑器的下方，填写 **建议文件变更** 表单。
+3. 在编辑器的下方，填写 **Propose file change** 表单。
    在第一个字段中，为你的提交消息取一个标题。
    在第二个字段中，为你的提交写一些描述文字。
-
+<!-- 
+    {{< note >}}
+    Do not use any [GitHub Keywords](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword) in your commit message. You can add those to the pull request
+    description later.
+    {{< /note >}}
+-->
    {{< note >}}
-   不要在提交消息中使用 [GitHub 关键词](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)
+   不要在提交消息中使用 [GitHub 关键词](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)。
    你可以在后续的 PR 描述中使用这些关键词。
    {{< /note >}}
 <!--
@@ -91,13 +131,14 @@ opening a pull request.
     details the template text asks for, then delete the extra template text.
     - Leave the **Allow edits from maintainers** checkbox selected.
 -->
-4. 选择 **Propose File Change**.
-5. 选择 **Create pull request**.
-6. 在 **Open a pull request** 屏幕上填写表单：
+4. 选择 **Propose File Change**。
+5. 选择 **Create pull request**。
+6. 出现 **Open a pull request** 界面。填写表单：
 
     - **Subject** 字段默认为提交的概要信息。你可以根据需要修改它。
-    - **Body** 字段包含更为详细的提交消息，如果你之前有填写过的话，以及一些模板文字。
-      填写模板所要求的详细信息，之后删除多余的模板文字。
+    - **Body** 字段包含更为详细的提交消息，如果你之前有填写过的话，
+      以及一些模板文字。填写模板所要求的详细信息，
+      之后删除多余的模板文字。
     - 确保 **Allow edits from maintainers** 复选框被勾选。
 
    <!--
@@ -106,11 +147,11 @@ opening a pull request.
    -->
    {{< note >}}
    PR 描述信息是帮助 PR 评阅人了解你所提议的变更的重要途径。
-   更多信息请参考[发起一个 PR](#open-a-pr).
+   更多信息请参考[发起一个 PR](#open-a-pr)。
    {{< /note >}}
 
 <!-- 7.  Select **Create pull request**.  -->
-7. 选择 **Create pull request**.
+7. 选择 **Create pull request**。
 
 <!--
 ### Addressing feedback in GitHub
@@ -159,6 +200,8 @@ If you're more experienced with git, or if your changes are larger than a few li
 work from a local fork.
 
 Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) installed on your computer. You can also use a git UI application.
+
+The figure below shows the steps to follow when you work from a local fork. The details for each step follow.
 -->
 ## 基于本地克隆副本开展工作 {#work-from-a-local-fork}
 
@@ -168,6 +211,42 @@ Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installi
 首先要确保你在本地计算机上安装了 [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)。
 你也可以使用 git 的带用户界面的应用。
 
+下图显示了基于本地克隆副本开展工作的步骤。
+每个步骤的细节如下。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart LR
+1[派生 K8s/website<br>仓库] --> 2[创建本地克隆副本<br>并指定 upstream 仓库]
+subgraph changes[你的变更]
+direction TB
+S[ ] -.-
+3[创建一个分支<br>例如: my_new_branch] --> 3a[使用文本编辑器<br>进行修改] --> 4["使用 Hugo 在本地<br>预览你的变更<br>(localhost:1313)<br>或构建容器镜像"]
+end
+subgraph changes2[提交 / 推送]
+direction TB
+T[ ] -.-
+5[提交你的变更] --> 6[将提交推送到<br>origin/my_new_branch]
+end
+
+2 --> changes --> changes2
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+classDef k8s fill:#326ce5,stroke:#fff,stroke-width:1px,color:#fff;
+classDef spacewhite fill:#ffffff,stroke:#fff,stroke-width:0px,color:#000
+class 1,2,3,3a,4,5,6 grey
+class S,T spacewhite
+class changes,changes2 white
+{{</ mermaid >}}
+
+<!-- 
+***Figure - Working from a local fork to make your changes***
+-->
+***插图 - 使用本地克隆副本进行修改***
+
 <!--
 ### Fork the kubernetes/website repository
 
@@ -182,14 +261,16 @@ Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installi
 <!--
 ### Create a local clone and set the upstream
 
-3. In a terminal window, clone your fork:
+3. In a terminal window, clone your fork and update the [Docsy Hugo theme](https://github.com/google/docsy#readme):
 -->
 ### 创建一个本地克隆副本并指定 upstream 仓库
 
-3. 打开终端窗口，克隆你所派生的副本：
+3. 打开终端窗口，克隆你所派生的副本，并更新 [Docsy Hugo 主题](https://github.com/google/docsy#readme)：
 
     ```bash
     git clone git@github.com/<github_username>/website
+    cd website
+    git submodule update --init --recursive --depth 1
     ```
 
 <!--
@@ -236,7 +317,9 @@ Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installi
    这样可以确保你本地的仓库在开始工作前是最新的。
 
    <!--
+    {{< note >}}
     This workflow is different than the [Kubernetes Community GitHub Workflow](https://github.com/kubernetes/community/blob/master/contributors/guide/github-workflow.md). You do not need to merge your local copy of `main` with `upstream/main` before pushing updates to your fork.
+    {{< /note >}}
    -->
     {{< note >}}
     此工作流程与 [Kubernetes 社区 GitHub 工作流](https://github.com/kubernetes/community/blob/master/contributors/guide/github-workflow.md)有所不同。
@@ -262,12 +345,12 @@ Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installi
 
 1. 决定你要基于哪个分支来开展工作：
 
-   - 针对已有内容的改进，请使用 `upstream/main`；
-   - 针对已有功能特性的新文档内容，请使用 `upstream/main`；
+   - 针对已有内容的改进，请使用 `upstream/main`。
+   - 针对已有功能特性的新文档内容，请使用 `upstream/main`。
    - 对于本地化内容，请基于本地化的约定。
-     可参考[对 Kubernetes 文档进行本地化](/zh/docs/contribute/localization/)了解详细信息。
+     可参考[本地化 Kubernetes 文档](/zh-cn/docs/contribute/localization/)了解详细信息。
    - 对于在下一个 Kubernetes 版本中新功能特性的文档，使用独立的功能特性分支。
-     参考[为发行版本功能特性撰写文档](/zh/docs/contribute/new-content/new-features/)了解更多信息。
+     参考[为发行版本撰写功能特性文档](/zh-cn/docs/contribute/new-content/new-features/)了解更多信息。
    - 对于很多 SIG Docs 共同参与的，需较长时间才完成的任务，例如内容的重构，
      请使用为该任务创建的特性分支。
 
@@ -276,7 +359,7 @@ Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installi
 <!--
 2. Create a new branch based on the branch identified in step 1. This example assumes the base branch is `upstream/main`:
 -->
-2. 基于第一步中选定的分支，创建新分支。
+2. 基于第 1 步中选定的分支，创建新分支。
    下面的例子假定基础分支是 `upstream/main`：
 
     ```bash
@@ -285,11 +368,13 @@ Make sure you have [git](https://git-scm.com/book/en/v2/Getting-Started-Installi
 <!--
 3.  Make your changes using a text editor.
 -->
-3. 使用文本编辑器开始构造变更。
+
+3. 使用文本编辑器进行修改。
 
 <!--
 At any time, use the `git status` command to see what files you've changed.
 -->
+
 在任何时候，都可以使用 `git status` 命令查看你所改变了的文件列表。
 
 <!--
@@ -379,8 +464,8 @@ When you are ready to submit a pull request, commit your changes.
     ```
 
     {{< note >}}
-    不要在提交消息中使用任何 [GitHub 关键字](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)。
-    你可以在后面创建 PR 时使用这些关键字。
+    不要在提交消息中使用任何 [GitHub 关键词](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)。
+    你可以在后续的 PR 描述中使用这些关键词。
     {{< /note >}}
 <!--
 4. Push your local branch and its new commit to your remote fork:
@@ -404,29 +489,30 @@ You can either build the website's container image or run Hugo locally. Building
 -->
 ### 在本地预览你的变更 {#preview-locally}
 
-在推送变更或者发起 PR 之前在本地查看一下预览是个不错的注意。
+在推送变更或者发起 PR 之前在本地查看一下预览是个不错的主意。
 通过预览你可以发现构建错误或者 Markdown 格式问题。
 
-你可以构造网站的容器镜像或者在本地运行 Hugo。
-构造容器镜像的方式比较慢，不过能够显示 [Hugo 短代码（shortcodes）](/zh/docs/contribute/style/hugo-shortcodes/)，
+你可以构建网站的容器镜像或者在本地运行 Hugo。
+构建容器镜像的方式比较慢，不过能够显示 [Hugo 短代码（shortcodes）](/zh-cn/docs/contribute/style/hugo-shortcodes/)，
 因此对于调试是很有用的。
 
 {{< tabs name="tab_with_hugo" >}}
 {{% tab name="在容器内执行 Hugo" %}}
 
 <!--
-The following commmand uses Docker as the default container engine.
-You can set up the `CONTAINER_ENGINE` to override this behavior.
+{{< note >}}
+The commands below use Docker as default container engine. Set the `CONTAINER_ENGINE` environment variable to override this behaviour.
+{{< /note >}}
 -->
 {{< note >}}
 下面的命令中使用 Docker 作为默认的容器引擎。
-如果需要重载这一行为，可以设置 `CONTAINER_ENGINE`。
+如果需要重载这一行为，可以设置 `CONTAINER_ENGINE` 环境变量。
 {{< /note >}}
 
 <!--
 1.  Build the image locally:
 -->
-1. 在本地构造镜像；
+1. 在本地构建镜像：
 
       ```bash
       # 使用 docker (默认)
@@ -441,7 +527,7 @@ You can set up the `CONTAINER_ENGINE` to override this behavior.
 <!--
 2. After building the `kubernetes-hugo` image locally, build and serve the site:
 -->
-2. 在本地构造了 `kubernetes-hugo` 镜像之后，可以构造并启动网站：
+2. 在本地构建了 `kubernetes-hugo` 镜像之后，可以构建并启动网站：
 
       ```bash
       # 使用 docker (默认)
@@ -473,24 +559,37 @@ Alternately, install and use the `hugo` command on your computer:
 
 <!--
 1.  Install the [Hugo](https://gohugo.io/getting-started/installing/) version specified in [`website/netlify.toml`](https://raw.githubusercontent.com/kubernetes/website/main/netlify.toml).
-2.  In a terminal, go to your Kubernetes website repository and start the Hugo server:
+2.  If you have not updated your website repository, the `website/themes/docsy` directory is empty.
+    The site cannot build without a local copy of the theme. To update the website theme, run:
+3.  In a terminal, go to your Kubernetes website repository and start the Hugo server:
 -->
 1. 安装 [`website/netlify.toml`](https://raw.githubusercontent.com/kubernetes/website/main/netlify.toml)
    文件中指定的 [Hugo](https://gohugo.io/getting-started/installing/) 版本。
 
-2. 启动一个终端窗口，进入 Kubernetes 网站仓库目录，启动 Hugo 服务器：
+2.  如果你尚未更新你的网站仓库，则 `website/themes/docsy` 目录是空的。
+    如果本地缺少主题的副本，则该站点无法构建。
+    要更新网站主题，运行以下命令：
+
+    ```bash
+    git submodule update --init --recursive --depth 1
+    ```
+
+3. 启动一个终端窗口，进入 Kubernetes 网站仓库目录，启动 Hugo 服务器：
 
       ```bash
       cd <path_to_your_repo>/website
       hugo server
       ```
 <!--
-3.  In your browser’s address bar, enter `https://localhost:1313`.
-4.  To stop the local Hugo instance, go back to the terminal and type `Ctrl+C`,
+4.  In a web browser, navigate to `https://localhost:1313`. Hugo watches the
+    changes and rebuilds the site as needed.
+5.  To stop the local Hugo instance, go back to the terminal and type `Ctrl+C`,
     or close the terminal window.
 -->
-3. 在浏览器的地址栏输入： `https://localhost:1313`。
-4. 要停止本地 Hugo 实例，返回到终端窗口并输入 `Ctrl+C` 或者关闭终端窗口。
+4. 在浏览器的地址栏输入： `https://localhost:1313`。
+   Hugo 会监测文件的变更并根据需要重新构建网站。
+5. 要停止本地 Hugo 实例，返回到终端窗口并输入 `Ctrl+C` 或者关闭终端窗口。
+
 {{% /tab %}}
 {{< /tabs >}}
 
@@ -499,6 +598,42 @@ Alternately, install and use the `hugo` command on your computer:
 -->
 ### 从你的克隆副本向 kubernetes/website 发起拉取请求（PR） {#open-a-pr}
 
+<!-- 
+The figure below shows the steps to open a PR from your fork to the K8s/website. The details follow.
+-->
+下图显示了从你的克隆副本向 K8s/website 发起 PR 的步骤。
+详细信息如下。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart LR
+subgraph first[ ]
+direction TB
+1[1. 前往 K8s/website 仓库] --> 2[2. 选择 New Pull Request]
+2 --> 3[3. 选择 compare across forks]
+3 --> 4[4. 从 head repository 下拉菜单<br>选择你的克隆副本]
+end
+subgraph second [ ]
+direction TB
+5[5. 从 compare 下拉菜单<br>选择你的分支] --> 6[6. 选择 Create Pull Request]
+6 --> 7[7. 为你的 PR<br>添加一个描述]
+7 --> 8[8. 选择 Create pull request]
+end
+
+first --> second
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+class 1,2,3,4,5,6,7,8 grey
+class first,second white
+{{</ mermaid >}}
+<!-- 
+***Figure - Steps to open a PR from your fork to the K8s/website***
+-->
+***插图 - 从你的克隆副本向 K8s/website 发起一个 PR 的步骤***
+
 <!--
 1. In a web browser, go to the [`kubernetes/website`](https://github.com/kubernetes/website/) repository.
 2. Select **New Pull Request**.
@@ -527,10 +662,10 @@ Alternately, install and use the `hugo` command on your computer:
       - 如果存在一个相关联的 GitHub Issue，可以在描述中包含 `Fixes #12345` 或
         `Closes #12345`。GitHub 的自动化设施能够在当前 PR 被合并时自动关闭所提及
         的 Issue。如果有其他相关联的 PR，也可以添加对它们的链接。
-      - 如果你尤其希望获得某方面的建议，可以在描述中包含你希望评阅人思考的问题。
+      - 如果你特别希望获得某方面的建议，可以在描述中包含你希望评阅人思考的问题。
 8. 点击 **Create pull request** 按钮。
 
-   祝贺你! 你的拉取请求现在出现在 [Pull Requests](https://github.com/kubernetes/website/pulls) 列表中了！
+   祝贺你！你的拉取请求现在出现在 [Pull Requests](https://github.com/kubernetes/website/pulls) 列表中了！
 
 <!--
 After opening a PR, GitHub runs automated tests and tries to deploy a preview using [Netlify](https://www.netlify.com/).
@@ -550,7 +685,7 @@ GitHub also automatically assigns labels to a PR, to help reviewers. You can add
 GitHub 也会自动为 PR 分派一些标签，以帮助评阅人。
 如果有需要，你也可以向 PR 添加标签。
 欲了解相关详细信息，可以参考
-[添加和删除 Issue 标签](/zh/docs/contribute/review/for-approvers/#adding-and-removing-issue-labels)。
+[添加和删除 Issue 标签](/zh-cn/docs/contribute/review/for-approvers/#adding-and-removing-issue-labels)。
 
 <!--
 ### Addressing feedback locally
@@ -577,11 +712,12 @@ GitHub 也会自动为 PR 分派一些标签，以帮助评阅人。
 3. Use `git push origin <my_new_branch>` to push your changes and re-run the Netlify tests.
 -->
 2. 如果有必要，更新你的提交消息；
-3. 使用 `git push origin <my_new_branch>` 来推送你的变更，重新出发 Netlify 测试。
+3. 使用 `git push origin <my_new_branch>` 来推送你的变更，重新触发 Netlify 测试。
 
    <!--
-   If you use `git commit -m` instead of amending, you must
-   [squash your commits](#squashing-commits) before merging.
+    {{< note >}}
+      If you use `git commit -m` instead of amending, you must [squash your commits](#squashing-commits) before merging.
+    {{< /note >}}
    -->
    {{< note >}}
    如果你使用 `git commit -m` 而不是增补参数，在 PR 最终合并之前你必须
@@ -626,7 +762,7 @@ For more information, see [Git Branching - Basic Branching and Merging](https://
 {{< note >}}
 要了解更多信息，可参考
 [Git 分支管理 - 基本分支和合并](https://git-scm.com/book/en/v2/Git-Branching-Basic-Branching-and-Merging#_basic_merge_conflicts)、
-[高级合并](https://git-scm.com/book/en/v2/Git-Tools-Advanced-Merging)、
+[高级合并](https://git-scm.com/book/en/v2/Git-Tools-Advanced-Merging)，
 或者在 `#sig-docs` Slack 频道寻求帮助。
 {{< /note >}}
 
@@ -730,7 +866,9 @@ If another contributor commits changes to the same file in another PR, it can cr
 ### 压缩（Squashing）提交 {#squashing-commits}
 
 <!--
+{{< note >}}
 For more information, see [Git Tools - Rewriting History](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History), or ask in the `#sig-docs` Slack channel for help.
+{{< /note >}}
 -->
 {{< note >}}
 要了解更多信息，可参看
@@ -793,7 +931,9 @@ If your PR has multiple commits, you must squash them into a single commit befor
     就重设基线操作本身，我们关注 `squash` 和 `pick` 选项。
 
     <!--
+    {{< note >}}
     For more information, see [Interactive Mode](https://git-scm.com/docs/git-rebase#_interactive_mode).
+    {{< /note >}}
     -->
     {{< note >}}
     进一步的详细信息可参考 [Interactive Mode](https://git-scm.com/docs/git-rebase#_interactive_mode)。
@@ -866,17 +1006,19 @@ Most repositories use issue and PR templates. Have a look through some open
 issues and PRs to get a feel for that team's processes. Make sure to fill out
 the templates with as much detail as possible when you file issues or PRs.
 -->
-每个仓库有其自己的流程和过程。在登记 Issue 或者发起 PR 之前，记得阅读仓库的
-`README.md`、`CONTRIBUTING.md` 和 `code-of-conduct.md` 文件，如果有的话。
+每个仓库有其自己的流程和过程。在登记 Issue 或者发起 PR 之前，
+记得阅读仓库可能存在的 `README.md`、`CONTRIBUTING.md` 和
+`code-of-conduct.md` 文件。
 
-大多数仓库都有自己的 Issue 和 PR 模版。通过查看一些待解决的 Issues 和
-PR，也可以添加对它们的链接。你可以多少了解该团队的流程。
-在登记 Issue 或提出 PR 时，务必尽量填充所给的模版，多提供详细信息。
+大多数仓库都有自己的 Issue 和 PR 模板。
+通过查看一些待解决的 Issue 和 PR，
+你可以大致了解协作的流程。
+在登记 Issue 或提出 PR 时，务必尽量填充所给的模板，多提供详细信息。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
 - Read [Reviewing](/docs/contribute/reviewing/revewing-prs) to learn more about the review process.
 -->
-- 阅读[评阅](/zh/docs/contribute/review/reviewing-prs)节，学习评阅过程。
+- 阅读[评阅](/zh-cn/docs/contribute/review/reviewing-prs)节，学习评阅过程。
 
diff --git a/content/zh/docs/contribute/participate/_index.md b/content/zh-cn/docs/contribute/participate/_index.md
similarity index 88%
rename from content/zh/docs/contribute/participate/_index.md
rename to content/zh-cn/docs/contribute/participate/_index.md
index ba6ab0c738a97..42b4df0ef61c3 100644
--- a/content/zh/docs/contribute/participate/_index.md
+++ b/content/zh-cn/docs/contribute/participate/_index.md
@@ -40,8 +40,8 @@ SIG Docs 欢迎所有贡献者提供内容和审阅。任何人可以提交拉
 欢迎所有人对文档内容创建 Issue 和对正在处理中的 PR 进行评论。
 
 <!--
-You can also become a [member](/docs/contribute/participating/roles-and-responsibilities/#members),
-[reviewer](/docs/contribute/participating/roles-and-responsibilities/#reviewers), or [approver](/docs/contribute/participating/roles-and-responsibilities/#approvers). These roles require greater
+You can also become a [member](/docs/contribute/participate/roles-and-responsibilities/#members),
+[reviewer](/docs/contribute/participate/roles-and-responsibilities/#reviewers), or [approver](/docs/contribute/participate/roles-and-responsibilities/#approvers). These roles require greater
 access and entail certain responsibilities for approving and committing changes.
 See [community-membership](https://github.com/kubernetes/community/blob/master/community-membership.md)
 for more information on how membership works within the Kubernetes community.
@@ -50,9 +50,9 @@ The rest of this document outlines some unique ways these roles function within
 SIG Docs, which is responsible for maintaining one of the most public-facing
 aspects of Kubernetes - the Kubernetes website and documentation.
 -->
-你也可以成为[成员（member）](/docs/contribute/participating/roles-and-responsibilities/#members)、
-[评阅人（reviewer）](/docs/contribute/participating/roles-and-responsibilities/#reviewers) 或者
-[批准人（approver）](/docs/contribute/participating/roles-and-responsibilities/#approvers)。
+你也可以成为[成员（member）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#members)、
+[评阅人（reviewer）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#reviewers) 或者
+[批准人（approver）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#approvers)。
 这些角色拥有更高的权限，且需要承担批准和提交变更的责任。
 有关 Kubernetes 社区中的成员如何工作的更多信息，请参见
 [社区成员身份](https://github.com/kubernetes/community/blob/master/community-membership.md)。
@@ -72,7 +72,7 @@ of the Kubernetes project as a whole and how SIG Docs works within it. See
 [Leadership](https://github.com/kubernetes/community/tree/master/sig-docs#leadership)
 for the current list of chairpersons.
 -->
-## SIG Docs 主席
+## SIG Docs 主席   {#sig-docs-chairperson}
 
 每个 SIG，包括 SIG Docs，都会选出一位或多位成员作为主席。
 主席会成为 SIG Docs 和其他 Kubernetes 组织的联络接口人。
@@ -125,7 +125,7 @@ related to GitHub issues and pull requests. The
 [Kubernetes website repository](https://github.com/kubernetes/website) uses
 two [prow plugins](https://github.com/kubernetes/test-infra/blob/master/prow/plugins):
 -->
-### OWNERS 文件和扉页
+### OWNERS 文件和扉页   {#owners-files-and-front-matter}
 
 Kubernetes 项目使用名为 prow 的自动化工具来自动处理 GitHub issue 和 PR。
 [Kubernetes website 仓库](https://github.com/kubernetes/website) 使用了两个
@@ -144,7 +144,7 @@ how prow works within the repository.
 这两个插件使用位于 `kubernetes/website` 仓库顶层的
 [OWNERS](https://github.com/kubernetes/website/blob/main/OWNERS) 文件和
 [OWNERS_ALIASES](https://github.com/kubernetes/website/blob/main/OWNERS_ALIASES)
-文件来控制 prow 在仓库范围的工作方式。 
+文件来控制 prow 在仓库范围的工作方式。
 
 <!--
 An OWNERS file contains a list of people who are SIG Docs reviewers and
@@ -153,9 +153,9 @@ can act as a reviewer or approver of files in that subdirectory and its
 descendents. For more information about OWNERS files in general, see
 [OWNERS](https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md).
 -->
-OWNERS 文件包含 SIG Docs 评阅人和批准人的列表。 
+OWNERS 文件包含 SIG Docs 评阅人和批准人的列表。
 OWNERS 文件也可以存在于子目录中，可以在子目录层级重新设置哪些人可以作为评阅人和
-批准人，并将这一设定传递到下层子目录。 
+批准人，并将这一设定传递到下层子目录。
 关于 OWNERS 的更多信息，请参考
 [OWNERS](https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md)
 文档。
@@ -206,7 +206,7 @@ SIG Docs 批准人。下面是合并的工作机制：
 - 所有 Kubernetes 成员可以通过 `/lgtm` 评论添加 `lgtm` 标签。
 - 只有 SIG Docs 批准人可以通过评论 `/approve` 合并 PR。
   某些批准人还会执行一些其他角色，例如
-  [PR 管理者](/zh/docs/contribute/participate/pr-wranglers/) 或
+  [PR 管理者](/zh-cn/docs/contribute/participate/pr-wranglers/) 或
   [SIG Docs 主席](#sig-docs-chairperson)等。
 
 ## {{% heading "whatsnext" %}}
@@ -220,6 +220,6 @@ For more information about contributing to the Kubernetes documentation, see:
 -->
 关于贡献 Kubernetes 文档的更多信息，请参考：
 
-- [贡献新内容](/zh/docs/contribute/new-content/overview/)
-- [评阅内容](/zh/docs/contribute/review/reviewing-prs)
-- [文档样式指南](/zh/docs/contribute/style/)
+- [贡献新内容](/zh-cn/docs/contribute/new-content/)
+- [评阅内容](/zh-cn/docs/contribute/review/reviewing-prs)
+- [文档样式指南](/zh-cn/docs/contribute/style/)
diff --git a/content/zh/docs/contribute/participate/pr-wranglers.md b/content/zh-cn/docs/contribute/participate/pr-wranglers.md
similarity index 67%
rename from content/zh/docs/contribute/participate/pr-wranglers.md
rename to content/zh-cn/docs/contribute/participate/pr-wranglers.md
index bf08aa770ae0a..9ec889d8cdaab 100644
--- a/content/zh/docs/contribute/participate/pr-wranglers.md
+++ b/content/zh-cn/docs/contribute/participate/pr-wranglers.md
@@ -11,15 +11,15 @@ weight: 20
 
 <!-- overview -->
 <!--
-SIG Docs [approvers](/docs/contribute/participate/roles-and-responsibilites/#approvers) take week-long shifts [managing pull requests](https://github.com/kubernetes/website/wiki/PR-Wranglers) for the repository.
+SIG Docs [approvers](/docs/contribute/participate/roles-and-responsibilities/#approvers) take week-long shifts [managing pull requests](https://github.com/kubernetes/website/wiki/PR-Wranglers) for the repository.
 
 This section covers the duties of a PR wrangler. For more information on giving good reviews, see [Reviewing changes](/docs/contribute/review/).
 -->
-SIG Docs 的[批准人（Approvers）](/zh/docs/contribute/participate/roles-and-responsibilites/#approvers)们每周轮流负责
-[管理仓库的 PRs](https://github.com/kubernetes/website/wiki/PR-Wranglers)。
+SIG Docs 的[批准人（Approvers）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#approvers)们每周轮流负责
+[管理仓库的 PR](https://github.com/kubernetes/website/wiki/PR-Wranglers)。
 
-本节介绍 PR 管理者的职责。关于如何提供较好的评审意见，可参阅
-[评审变更](/zh/docs/contribute/review/).
+本节介绍 PR 管理者的职责。关于如何提供较好的评审意见，
+可参阅[评审变更](/zh-cn/docs/contribute/review/)。
 
 
 <!-- body -->
@@ -31,42 +31,57 @@ Each day in a week-long shift as PR Wrangler:
 - Triage and tag incoming issues daily. See [Triage and categorize issues](/docs/contribute/review/for-approvers/#triage-and-categorize-issues) for guidelines on how SIG Docs uses metadata.
 - Review [open pull requests](https://github.com/kubernetes/website/pulls) for quality and adherence to the [Style](/docs/contribute/style/style-guide/) and [Content](/docs/contribute/style/content-guide/) guides.
     - Start with the smallest PRs (`size/XS`) first, and end with the largest (`size/XXL`). Review as many PRs as you can.
-- Make sure PR contributors sign the [CLA](https://github.com/kubernetes/community/blob/master/CLA.md).
-    - Use [this](https://github.com/zparnold/k8s-docs-pr-botherer) script to remind contributors that haven’t signed the CLA to do so.
-- Provide feedback on changes and ask for technical reviews from members of other SIGs.
-    - Provide inline suggestions on the PR for the proposed content changes.
-    - If you need to verify content, comment on the PR and request more details.
-    - Assign relevant `sig/` label(s).
-    - If needed, assign reviewers from the `reviewers:` block in the file's front matter.
-- Use the `/approve` comment to approve a PR for merging. Merge the PR when ready.
-    - PRs should have a `/lgtm` comment from another member before merging.
-    - Consider accepting technically accurate content that doesn't meet the [style guidelines](/docs/contribute/style/style-guide/). Open a new issue with the label `good first issue` to address style concerns.
 -->
 ## 职责 {#duties}
 在为期一周的轮值期内，PR 管理者要：
 
 - 每天对新增的 Issues 判定和打标签。参见
-  [对 Issues 进行判定和分类](/zh/docs/contribute/review/for-approvers/#triage-and-categorize-issues)
+  [对 Issues 进行判定和分类](/zh-cn/docs/contribute/review/for-approvers/#triage-and-categorize-issues)
   以了解 SIG Docs 如何使用元数据的详细信息。
 - 检查[悬决的 PR](https://github.com/kubernetes/website/pulls) 的质量并确保它们符合
-  [样式指南](/zh/docs/contribute/style/style-guide/)和
-  [内容指南](/zh/docs/contribute/style/content-guide/)要求。
+  [样式指南](/zh-cn/docs/contribute/style/style-guide/)和
+  [内容指南](/zh-cn/docs/contribute/style/content-guide/)要求。
 
   - 首先查看最小的 PR（`size/XS`），然后逐渐扩展到最大的
     PR（`size/XXL`），尽可能多地评审 PR。
+<!-- 
+- Make sure PR contributors sign the [CLA](https://github.com/kubernetes/community/blob/master/CLA.md).
+    - Use [this](https://github.com/zparnold/k8s-docs-pr-botherer) script to remind contributors that haven't signed the CLA to do so.
+- Provide feedback on changes and ask for technical reviews from members of other SIGs.
+    - Provide inline suggestions on the PR for the proposed content changes.
+    - If you need to verify content, comment on the PR and request more details.
+    - Assign relevant `sig/` label(s).
+    - If needed, assign reviewers from the `reviewers:` block in the file's front matter.
+    - You can also tag a [SIG](https://github.com/kubernetes/community/blob/master/sig-list.md) for a review by commenting `@kubernetes/<sig>-pr-reviews` on the PR.
+-->
 - 确保贡献者完成 [CLA](https://github.com/kubernetes/community/blob/master/CLA.md) 签署。
   - 使用[此脚本](https://github.com/zparnold/k8s-docs-pr-botherer)自动提醒尚未签署
     CLA 的贡献者签署 CLA。
 - 针对提供提供反馈，请求其他 SIG 的成员进行技术审核。
   - 为 PR 所建议的内容更改提供就地反馈。
-  - 如果您需要验证内容，请在 PR 上发表评论并要求贡献者提供更多细节。
+  - 如果你需要验证内容，请在 PR 上发表评论并要求贡献者提供更多细节。
   - 设置相关的 `sig/` 标签。
-  - 如果需要，从文件开头的 `reviewers:` 块中指派评阅人。
+  - 如果需要，根据文件开头的 `reviewers:` 块来指派评审人。
+  - 你也可以通过在 PR 上作出 `@kubernetes/<sig>-pr-reviews` 的评论以标记需要某个
+    [SIG](https://github.com/kubernetes/community/blob/master/sig-list.md) 来评审。
+<!-- 
+- Use the `/approve` comment to approve a PR for merging. Merge the PR when ready.
+    - PRs should have a `/lgtm` comment from another member before merging.
+    - Consider accepting technically accurate content that doesn't meet the
+      [style guidelines](/docs/contribute/style/style-guide/). As you approve the change,
+      open a new issue to address the style concern. You can usually write these style fix
+      issues as [good first issues](https://kubernetes.dev/docs/guide/help-wanted/#good-first-issue).
+    - Using style fixups as good first issues is a good way to ensure a supply of easier tasks
+      to help onboard new contributors.
+-->
 - 使用 `/approve` 评论来批准可以合并的 PR，在 PR 就绪时将其合并。
   - PR 在被合并之前，应该有来自其他成员的 `/lgtm` 评论。
   - 可以考虑接受那些技术上准确，但文风上不满足
-    [风格指南](/zh/docs/contribute/style/style-guide/)要求的 PR。
-    可以登记一个新的 Issue 来解决文档风格问题，并将其标记为 `good first issue`。
+    [风格指南](/zh-cn/docs/contribute/style/style-guide/)要求的 PR。
+    批准变更时，可以登记一个新的 Issue 来解决文档风格问题。
+    你通常可以将这些风格修复问题标记为 `good first issue`。
+  - 将风格修复事项标记为 `good first issue` 可以很好地确保向新加入的贡献者分派一些比较简单的任务，
+    这有助于接纳新的贡献者。
 
 <!--
 ### Helpful GitHub queries for wranglers
@@ -75,7 +90,7 @@ The following queries are helpful when wrangling.
 After working through these queries, the remaining list of PRs to review is usually small.
 These queries exclude localization PRs. All queries are against the main branch except the last one.
 -->
-### 对于管理人有用的 GitHub 查询
+### 对管理者有用的 GitHub 查询
 
 执行管理操作时，以下查询很有用。完成以下这些查询后，剩余的要审阅的 PR 列表通常很小。
 这些查询都不包含本地化的 PR，并仅包含主分支上的 PR（除了最后一个查询）。
@@ -164,11 +179,46 @@ To close a pull request, leave a `/close` comment on the PR.
 要关闭 PR，请在 PR 上输入 `/close` 评论。
 
 <!--
-The [`fejta-bot`](https://github.com/fejta-bot) bot marks issues as stale after 90 days of inactivity. After 30 more days it marks issues as rotten and closes them.  PR wranglers should close issues after 14-30 days of inactivity.
+The [`k8s-ci-robot`](https://github.com/k8s-ci-robot) bot marks issues as stale after 90 days of inactivity. After 30 more days it marks issues as rotten and closes them.  PR wranglers should close issues after 14-30 days of inactivity.
 -->
 {{< note >}}
-一个名为 [`fejta-bot`](https://github.com/fejta-bot) 的自动服务会在 Issue 停滞 90
+一个名为 [`k8s-ci-robot`](https://github.com/k8s-ci-robot) 的自动服务会在 Issue 停滞 90
 天后自动将其标记为过期；然后再等 30 天，如果仍然无人过问，则将其关闭。
 PR 管理者应该在 issues 处于无人过问状态 14-30 天后关闭它们。
 {{< /note >}}
 
+<!--
+## PR Wrangler shadow program
+
+In late 2021, SIG Docs introduced the PR Wrangler Shadow Program. The program was introduced to help new contributors understand the PR wrangling process.
+-->
+## PR 管理者影子计划
+
+2021 下半年，SIG Docs 推出了 PR 管理者影子计划（PR Wrangler Shadow Program）。
+该计划旨在帮助新的贡献者们了解 PR 管理流程。
+
+<!-- 
+### Become a shadow
+
+- If you are interested in shadowing as a PR wrangler, please visit the [PR Wranglers Wiki page](https://github.com/kubernetes/website/wiki/PR-Wranglers) to see the PR wrangling schedule for this year and sign up.
+
+- Kubernetes org members can edit the [PR Wranglers Wiki page](https://github.com/kubernetes/website/wiki/PR-Wranglers) and sign up to shadow an existing PR Wrangler for a week.
+
+- Others can reach out on the [#sig-docs Slack channel](https://kubernetes.slack.com/messages/sig-docs) for requesting to shadow an assigned PR Wrangler for a specific week. Feel free to reach out to Brad Topol (`@bradtopol`) or one of the [SIG Docs co-chairs/leads](https://github.com/kubernetes/community/tree/master/sig-docs#leadership).
+
+- Once you've signed up to shadow a PR Wrangler, introduce yourself to the PR Wrangler on the [Kubernetes Slack](https://slack.k8s.io).
+-->
+### 成为一名影子
+
+- 如果你有兴趣成为一名 PR 管理者的影子，请访问 [PR 管理者维基页面](https://github.com/kubernetes/website/wiki/PR-Wranglers)查看今年的 
+  PR 管理轮值表，然后注册报名。
+
+- Kubernetes 组织成员可以编辑 [PR 管理者维基页面](https://github.com/kubernetes/website/wiki/PR-Wranglers)，
+  注册成为一名现有 PR 管理者一周内的影子。
+
+- 其他人可以通过 [#sig-docs Slack 频道](https://kubernetes.slack.com/messages/sig-docs)申请成为指定 
+  PR 管理者某一周的影子。可以随时咨询 (`@bradtopol`) 或某一位
+  [SIG Docs 联席主席/主管](https://github.com/kubernetes/community/tree/master/sig-docs#leadership)。
+
+- 注册成为一名 PR 管理者的影子时，
+  请你在 [Kubernetes Slack](https://slack.k8s.io) 向这名 PR 管理者做一次自我介绍。
diff --git a/content/zh/docs/contribute/participate/roles-and-responsibilities.md b/content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md
similarity index 91%
rename from content/zh/docs/contribute/participate/roles-and-responsibilities.md
rename to content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md
index 7739af7584436..fc410d58456d5 100644
--- a/content/zh/docs/contribute/participate/roles-and-responsibilities.md
+++ b/content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md
@@ -62,12 +62,12 @@ For more information, see [contributing new content](/docs/contribute/new-conten
   [SIG Docs 邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-docs)
   上提出改进建议。
 
-在[签署了 CLA](/zh/docs/contribute/new-content/overview/#sign-the-cla) 之后，任何人还可以：
+在[签署了 CLA](/zh-cn/docs/contribute/new-content/#sign-the-cla) 之后，任何人还可以：
 
 - 发起拉取请求（PR），改进现有内容、添加新内容、撰写博客或者案例分析
 - 创建示意图、图形资产或者嵌入式的截屏和视频内容
 
-进一步的详细信息，可参见[贡献新内容](/zh/docs/contribute/new-content/)。
+进一步的详细信息，可参见[贡献新内容](/zh-cn/docs/contribute/new-content/)。
 
 <!--
 ## Members
@@ -99,7 +99,7 @@ Members can:
 - 使用 `/lgtm` 评论添加 LGTM (looks good to me（我觉得可以）) 标签到某个 PR
 
   {{< note >}}
-  使用 `/lgtm` 会触发自动化机制。如果你希望提供不拘约束力的批准意见，
+  使用 `/lgtm` 会触发自动化机制。如果你希望提供非约束性的批准意见，
   直接回复 "LGTM" 也是可以的。
   {{< /note >}}
 
@@ -134,7 +134,7 @@ After submitting at least 5 substantial pull requests and meeting the other [req
 2.  Open a GitHub issue in the [`kubernetes/org`](https://github.com/kubernetes/org/) repository. Use the **Organization Membership Request** issue template.
 -->
 1. 找到两个[评审人](#reviewers)或[批准人](#approvers)为你的成员身份提供
-   [担保](/zh/docs/contribute/advanced#sponsor-a-new-contributor)。
+   [担保](/zh-cn/docs/contribute/advanced#sponsor-a-new-contributor)。
 
    通过 [Kubernetes Slack 上的 #sig-docs 频道](https://kubernetes.slack.com) 或者
    [SIG Docs 邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-docs)
@@ -146,7 +146,7 @@ After submitting at least 5 substantial pull requests and meeting the other [req
    {{< /note >}}
 
 2. 在 [`kubernetes/org`](https://github.com/kubernetes/org/) 仓库
-   使用 **Organization Membership Request** Issue 模版登记一个 Issue。
+   使用 **Organization Membership Request** Issue 模板登记一个 Issue。
 
 <!--
 3.  Let your sponsors know about the GitHub issue. You can either:
@@ -174,7 +174,7 @@ After submitting at least 5 substantial pull requests and meeting the other [req
    如果你的成员请求未被接受，你会收到一些反馈。
    当处理完反馈意见之后，可以再次发起申请。
 
-4. 在你的邮件账户中接受来自 Kubernetes GitHub 组织发出的成员邀请。
+4. 登录你的邮件账户，接受来自 Kubernetes GitHub 组织发出的成员邀请。
 
     {{< note >}}
     GitHub 会将邀请发送到你的账户中所设置的默认邮件地址。
@@ -207,7 +207,7 @@ You can be a SIG Docs reviewer, or a reviewer for docs in a specific subject are
 
 评审人可以：
 
-- 执行[任何人](#anyone)和[成员](#members)节所列举的操作
+- 执行[任何人](#anyone)和[成员](#members)节区所列举的操作
 - 评审 PR 并提供具约束性的反馈信息
 
     {{< note >}}
@@ -242,14 +242,14 @@ A `/lgtm` comment from reviewer is binding and triggers automation that adds the
 如果所指派的评审人未能及时评审，其他的评审人也可以参与进来。
 你可以根据需要指派技术评审人。
 
-### 使用 `/lgtm`
+### 使用 `/lgtm`   {#using-lgtm}
 
 LGTM 代表的是 “Looks Good To Me （我觉得可以）”，用来标示某个 PR
 在技术上是准确的，可以被合并。
 所有 PR 都需要来自某评审人的 `/lgtm` 评论和来自某批准人的 `/approve`
 评论。
 
-来自评审人的 `/lgtm` 评论是具有约束性的，会触发自动化设施添加 `lgtm` 标签。
+来自评审人的 `/lgtm` 评论是具有约束性的，会触发自动化引擎添加 `lgtm` 标签。
 
 <!--
 ### Becoming a reviewer
@@ -265,7 +265,7 @@ To apply:
 你可以成为一个 SIG Docs 评审人。
 来自其他 SIG 的评审人必须为 SIG Docs 单独申请评审人资格。
 
-申请过程如下：
+申请流程如下：
 
 <!--
 1. Open a pull request that adds your GitHub user name to a section of the
@@ -283,7 +283,7 @@ If approved, a SIG Docs lead adds you to the appropriate GitHub team. Once added
 -->
 1. 发起 PR，将你的 GitHub 用户名添加到 `kubernetes/website` 仓库中
    [OWNERS_ALIASES](https://github.com/kubernetes/website/blob/main/OWNERS_ALIASES)
-   文件的特定节。
+   文件的对应节区。
 
    {{< note >}}
    如果你不确定要添加到哪个位置，可以将自己添加到 `sig-docs-en-reviews`。
@@ -292,8 +292,8 @@ If approved, a SIG Docs lead adds you to the appropriate GitHub team. Once added
 2. 将 PR 指派给一个或多个 SIG Docs 批准人（`sig-docs-{language}-owners`
    下列举的用户名）。
 
-请求被批准之后，SIG Docs Leads 之一会将你添加到合适的 GitHub 团队。
-一旦添加完成， [@k8s-ci-robot](https://github.com/kubernetes/test-infra/tree/master/prow#bots-home)
+申请被批准之后，SIG Docs Leads 之一会将你添加到合适的 GitHub 团队。
+一旦添加完成，[@k8s-ci-robot](https://github.com/kubernetes/test-infra/tree/master/prow#bots-home)
 会在处理未来的 PR 时，将 PR 指派给你或者建议你来评审某 PR。
 
 <!--
@@ -322,12 +322,12 @@ If the PR already has a `/lgtm`, or if the approver also comments with `/lgtm`,
 批准人可以执行以下操作：
 
 - 执行列举在[任何人](#anyone)、[成员](#members)和[评审人](#reviewers)节区的操作
-- 通过使用 `/approve` 评论来批准、合并 PRs，发布贡献者所贡献的内容。
+- 通过使用 `/approve` 评论来批准、合并 PR，发布贡献者所贡献的内容。
 - 就样式指南给出改进建议
 - 对文档测试给出改进建议
 - 对 Kubernetes 网站或其他工具给出改进建议
 
-如果某个 PR 已有 `/lgtm` 标签，或者批准人再回复一个 `/lgtm` ，则这个 PR 会自动合并。
+如果某个 PR 已有 `/lgtm` 标签，或者批准人再回复一个 `/lgtm`，则这个 PR 会自动合并。
 SIG Docs 批准人应该只在不需要额外的技术评审的情况下才可以标记 `/lgtm`。
 
 <!--
@@ -356,7 +356,7 @@ Approvers and SIG Docs leads are the only ones who can merge pull requests into
     不小心的合并可能会破坏整个站点。在执行合并操作时，务必小心。
     {{< /warning >}}
 
-- 确保所提议的变更满足[贡献指南](/zh/docs/contribute/style/content-guide/#contributing-content)要求
+- 确保所提议的变更满足[贡献指南](/zh-cn/docs/contribute/style/content-guide/#contributing-content)要求。
 
     如果有问题或者疑惑，可以根据需要请他人帮助评审。
 
@@ -368,7 +368,7 @@ Approvers and SIG Docs leads are the only ones who can merge pull requests into
 
 - 参与 [PR 管理者轮值排班](https://github.com/kubernetes/website/wiki/PR-Wranglers)
   执行时长为一周的 PR 管理。SIG Docs 期望所有批准人都参与到此轮值工作中。
-  更多细节可参见[做一周的 PR 管理者](/zh/docs/contribute/participate/pr-wranglers/)。
+  更多细节可参见 [PR 管理者](/zh-cn/docs/contribute/participate/pr-wranglers/)。
 
 <!--
 ### Becoming an approver
@@ -378,7 +378,7 @@ When you meet the [requirements](https://github.com/kubernetes/community/blob/ma
 ### 成为批准人  {#becoming-an-approver}
 
 当你满足[一定条件](https://github.com/kubernetes/community/blob/master/community-membership.md#approver)时，可以成为一个 SIG Docs 批准人。
-来自其他 SIGs 的批准人也必须在 SIG Docs 独立申请批准人资格。
+来自其他 SIG 的批准人也必须在 SIG Docs 独立申请批准人资格。
 
 <!--
 To apply:
@@ -406,13 +406,13 @@ If approved, a SIG Docs lead adds you to the appropriate GitHub team. Once added
 2. 将 PR 指派给一个或多个 SIG Docs 批准人。
 
 请求被批准之后，SIG Docs Leads 之一会将你添加到对应的 GitHub 团队。
-一旦添加完成， [K8s-ci-robot](https://github.com/kubernetes/test-infra/tree/master/prow#bots-home)
+一旦添加完成，[K8s-ci-robot](https://github.com/kubernetes/test-infra/tree/master/prow#bots-home)
 会在处理未来的 PR 时，将 PR 指派给你或者建议你来评审某 PR。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-- Read about [PR wrangling](/docs/contribute/participating/pr-wranglers), a role all approvers take on rotation.
+- Read about [PR wrangling](/docs/contribute/participate/pr-wranglers), a role all approvers take on rotation.
 -->
-- 阅读[管理 PR](/zh/docs/contribute/participate/pr-wranglers/)，了解所有批准人轮值的一个角色。
+- 阅读 [PR 管理者](/zh-cn/docs/contribute/participate/pr-wranglers/)，了解所有批准人轮值的角色。
 
diff --git a/content/zh/docs/contribute/review/_index.md b/content/zh-cn/docs/contribute/review/_index.md
similarity index 100%
rename from content/zh/docs/contribute/review/_index.md
rename to content/zh-cn/docs/contribute/review/_index.md
diff --git a/content/zh/docs/contribute/review/for-approvers.md b/content/zh-cn/docs/contribute/review/for-approvers.md
similarity index 97%
rename from content/zh/docs/contribute/review/for-approvers.md
rename to content/zh-cn/docs/contribute/review/for-approvers.md
index c5763a378c6b2..3192603db1538 100644
--- a/content/zh/docs/contribute/review/for-approvers.md
+++ b/content/zh-cn/docs/contribute/review/for-approvers.md
@@ -27,8 +27,8 @@ In addition to the rotation, a bot assigns reviewers and approvers
 for the PR based on the owners for the affected files.
 -->
 SIG Docs
-[评阅人（Reviewers）](/zh/docs/contribute/participate/roles-and-responsibilities/#reviewers)
-和[批准人（Approvers）](/zh/docs/contribute/participate/roles-and-responsibilities/#approvers)
+[评阅人（Reviewers）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#reviewers)
+和[批准人（Approvers）](/zh-cn/docs/contribute/participate/roles-and-responsibilities/#approvers)
 在对变更进行评审时需要做一些额外的事情。
 
 每周都有一个特定的文档批准人自愿负责对 PR 进行分类和评阅。
@@ -51,7 +51,7 @@ Everything described in [Reviewing a pull request](/docs/contribute/review/revie
 
 Kubernetes 文档遵循 [Kubernetes 代码评阅流程](https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md#the-code-review-process)。
 
-[评阅 PR](/zh/docs/contribute/review/reviewing-prs/) 文档中所描述的所有规程都适用，
+[评阅 PR](/zh-cn/docs/contribute/review/reviewing-prs/) 文档中所描述的所有规程都适用，
 不过评阅人和批准人还要做以下工作：
 
 <!--
@@ -74,7 +74,7 @@ when it comes to requesting technical review from code contributors.
   你可以查看 Markdown 文件的文件头，其中的 `reviewers` 字段给出了哪些人可以为文档提供技术审核。
   {{< /note >}}
 
-- 确保 PR 遵从[内容指南](/zh/docs/contribute/style/content-guide/)和[样式指南](/zh/docs/contribute/style/style-guide/)；
+- 确保 PR 遵从[内容指南](/zh-cn/docs/contribute/style/content-guide/)和[样式指南](/zh-cn/docs/contribute/style/style-guide/)；
   如果 PR 没有达到要求，指引作者阅读指南中的相关部分。
 - 适当的时候使用 GitHub **Request Changes** 选项，建议 PR 作者实施所建议的修改。
 - 当你所提供的建议被采纳后，在 GitHub 中使用 `/approve` 或 `/lgtm` Prow 命令，改变评审状态。
diff --git a/content/zh/docs/contribute/review/reviewing-prs.md b/content/zh-cn/docs/contribute/review/reviewing-prs.md
similarity index 58%
rename from content/zh/docs/contribute/review/reviewing-prs.md
rename to content/zh-cn/docs/contribute/review/reviewing-prs.md
index e420fb919a893..4fdbde162bb45 100644
--- a/content/zh/docs/contribute/review/reviewing-prs.md
+++ b/content/zh-cn/docs/contribute/review/reviewing-prs.md
@@ -1,5 +1,5 @@
 ---
-title: 评阅 PRs
+title: 评审 PR
 content_type: concept
 main_menu: true
 weight: 10
@@ -12,6 +12,7 @@ weight: 10
 -->
 
 <!-- overview -->
+
 <!--
 Anyone can review a documentation pull request. Visit the [pull requests](https://github.com/kubernetes/website/pulls) section in the Kubernetes website repository to see open pull requests.
 
@@ -22,23 +23,26 @@ It helps you learn the code base and build trust with other contributors.
 Before reviewing, it's a good idea to:
 
 - Read the  [content guide](/docs/contribute/style/content-guide/) and
-[style guide](/docs/contribute/style/style-guide/) so you can leave informed comments.
-- Understand the different [roles and responsibilities](/docs/contribute/participating/#roles-and-responsibilities) in the Kubernetes documentation community.
+  [style guide](/docs/contribute/style/style-guide/) so you can leave informed comments.
+- Understand the different
+  [roles and responsibilities](/docs/contribute/participate/roles-and-responsibilities/)
+  in the Kubernetes documentation community.
 -->
-任何人均可评阅文档的拉取请求。访问 Kubernetes 网站仓库的
-[pull requests](https://github.com/kubernetes/website/pulls)
-部分可以查看所有待处理的拉取请求（PRs）。
+任何人均可评审文档的拉取请求。
+访问 Kubernetes 网站仓库的 [pull requests](https://github.com/kubernetes/website/pulls) 部分，
+可以查看所有待处理的拉取请求（PR）。
 
-评阅文档 PR 是将你自己介绍给 Kubernetes 社区的一种很好的方式。
+评审文档 PR 是将你自己介绍给 Kubernetes 社区的一种很好的方式。
 它将有助于你学习代码库并与其他贡献者之间建立相互信任关系。
 
-在评阅之前，可以考虑：
+在评审之前，可以考虑：
 
-- 阅读[内容指南](/zh/docs/contribute/style/content-guide/)和 
-  [样式指南](/zh/docs/contribute/style/style-guide/)以便给出有价值的评论。
-- 了解 Kubernetes 文档社区中不同的[角色和职责](/zh/docs/contribute/participate/roles-and-responsibilities/)。
+- 阅读[内容指南](/zh-cn/docs/contribute/style/content-guide/)和 
+  [样式指南](/zh-cn/docs/contribute/style/style-guide/)以便给出有价值的评论。
+- 了解 Kubernetes 文档社区中不同的[角色和职责](/zh-cn/docs/contribute/participate/roles-and-responsibilities/)。
 
 <!-- body -->
+
 <!--
 ## Before you begin
 
@@ -53,21 +57,62 @@ Before you start a review:
 -->
 ## 准备工作 {#before-you-begin}
 
-在你开始评阅之前：
+在你开始评审之前：
 
-- 阅读 [CNCF 行为准则](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)
-  确保你会始终遵从其中约定；
-- 保持有礼貌、体谅他人，怀助人为乐初心；
-- 评论时若给出修改建议，也要兼顾 PR 的积极方面
-- 保持同理心，多考虑他人收到评阅意见时的可能反应
-- 假定大家都是好意的，通过问问题澄清意图
-- 如果你是有经验的贡献者，请考虑和新贡献者一起合作，提高其产出质量
+- 阅读 [CNCF 行为准则](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)。
+  确保你会始终遵从其中约定。
+- 保持有礼貌、体谅他人，怀助人为乐初心。
+- 评论时若给出修改建议，也要兼顾 PR 的积极方面。
+- 保持同理心，多考虑他人收到评审意见时的可能反应。
+- 假定大家都是好意的，通过问问题澄清意图。
+- 如果你是有经验的贡献者，请考虑和新贡献者一起合作，提高其产出质量。
 
-<!--
+<!-- 
 ## Review process
 
-In general, review pull requests for content and style in English.
+In general, review pull requests for content and style in English. Figure 1 outlines the steps for the review process. The details for each step follow.
+-->
+## 评审过程  {#review-process}
+
+一般而言，应该使用英语来评审 PR 的内容和样式。
+图 1 概述了评审流程的各个步骤。
+每个步骤的详细信息如下。
+
+<!-- See https://github.com/kubernetes/website/issues/28808 for live-editor URL to this figure -->
+<!-- You can also cut/paste the mermaid code into the live editor at https://mermaid-js.github.io/mermaid-live-editor to play around with it -->
+
+{{< mermaid >}}
+flowchart LR
+    subgraph fourth[开始评审]
+    direction TB
+    S[ ] -.-
+    M[添加评论] --> N[评审变更]
+    N --> O[新手应该<br>选择 Comment]
+    end
+    subgraph third[选择 PR]
+    direction TB
+    T[ ] -.-
+    J[阅读描述<br>和评论]--> K[通过 Netlify 预览构建<br>来预览变更]
+    end
+ 
+  A[查阅待处理的 PR 清单]--> B[通过标签过滤<br>待处理的 PR]
+  B --> third --> fourth
+     
+
+classDef grey fill:#dddddd,stroke:#ffffff,stroke-width:px,color:#000000, font-size:15px;
+classDef white fill:#ffffff,stroke:#000,stroke-width:px,color:#000,font-weight:bold
+classDef spacewhite fill:#ffffff,stroke:#fff,stroke-width:0px,color:#000
+class A,B,J,K,M,N,O grey
+class S,T spacewhite
+class third,fourth white
+{{</ mermaid >}}
+
+<!-- 
+Figure 1. Review process steps.
+-->
+图 1. 评审流程步骤。
 
+<!--
 1.  Go to
     [https://github.com/kubernetes/website/pulls](https://github.com/kubernetes/website/pulls).
     You see a list of every open pull request against the Kubernetes website and
@@ -80,61 +125,74 @@ In general, review pull requests for content and style in English.
 
     Additionally, ensure the PR isn't marked as a work in progress. PRs using the `work in progress` label are not ready for review yet.
 -->
-## 评阅过程  {#review-process}
-
-一般而言，应该使用英语来评阅 PR 的内容和样式。
-
 1. 前往 [https://github.com/kubernetes/website/pulls](https://github.com/kubernetes/website/pulls)，
-   你会看到所有针对 Kubernetes 网站和文档的待处理 PRs。
+   你会看到所有针对 Kubernetes 网站和文档的待处理 PR。
 
-2. 使用以下标签（组合）对待处理 PRs 进行过滤：
+2. 使用以下标签（组合）对待处理 PR 进行过滤：
 
-    - `cncf-cla: yes` （建议）：由尚未签署 CLA 的贡献者所发起的 PRs 不可以合并。
-      参考[签署 CLA](/zh/docs/contribute/new-content/overview/#sign-the-cla) 以了解更多信息。
-    - `language/en` （建议）：仅查看英语语言的 PRs。
-    - `size/<尺寸>`：过滤特定尺寸（规模）的 PRs。如果你刚入门，可以从较小的 PR 开始。
+    - `cncf-cla: yes` （建议）：由尚未签署 CLA 的贡献者所发起的 PR 不可以合并。
+      参考[签署 CLA](/zh-cn/docs/contribute/new-content/#sign-the-cla) 以了解更多信息。
+    - `language/en` （建议）：仅查看英语语言的 PR。
+    - `size/<尺寸>`：过滤特定尺寸（规模）的 PR。
+      如果你刚入门，可以从较小的 PR 开始。
 
     此外，确保 PR 没有标记为尚未完成（Work in Progress）。
-    包含 `work in progress` 的 PRs 通常还没准备好被评阅。
+    包含 `work in progress` 的 PR 通常还没准备好被评审。
 
-<!--
+<!-- 
 3.  Once you've selected a PR to review, understand the change by:
     - Reading the PR description to understand the changes made, and read any linked issues
     - Reading any comments by other reviewers
     - Clicking the **Files changed** tab to see the files and lines changed
-    - Previewing the changes in the Netlify preview build by scrolling to the PR's build check section at the bottom of the **Conversation** tab and clicking the **deploy/netlify** line's **Details** link.
+    - Previewing the changes in the Netlify preview build by scrolling to the PR's build check section at the bottom of the **Conversation** tab.
+      Here's a screenshot (this shows GitHub's desktop site; if you're reviewing
+      on a tablet or smartphone device, the GitHub web UI is slightly different):
+      {{< figure src="/images/docs/github_netlify_deploy_preview.png" alt="GitHub pull request details including link to Netlify preview" >}}
+      To open the preview, click on the  **Details** link of the **deploy/netlify** line in the list of checks.
+-->
+3. 选定 PR 评审之后，可以通过以下方式理解所作的变更：
+
+   - 阅读 PR 描述以理解所作变更，并且阅读所有关联的 Issues。
+   - 阅读其他评审人给出的评论。
+   - 点击 **Files changed** Tab 页面，查看被改变的文件和代码行。
+   - 滚动到 **Conversation** Tab 页面下端的 PR 构建检查节区，
+     预览 Netlify 预览构建中的变更。
+     以下是一个屏幕截图（这显示了 GitHub 的桌面版外观；
+     如果你在平板电脑或智能手机设备上进行评审，
+     GitHub 的 Web UI 会略有不同）：
+     {{< figure src="/images/docs/github_netlify_deploy_preview.png" alt="GitHub PR 详细信息，包括 Netlify 预览链接" >}}
+     要打开预览，请点击 **deploy/netlify** 行的 **Details** 链接。
 
+<!--
 4.  Go to the **Files changed** tab to start your review.
     1. Click on the `+` symbol  beside the line you want to comment on.
     2. Fill in any comments you have about the line and click either **Add single comment** (if you have only one comment to make) or  **Start a review** (if you have multiple comments to make).
     3. When finished, click **Review changes** at the top of the page. Here, you can add
-       add a summary of your review (and leave some positive comments for the contributor!),
+      a summary of your review (and leave some positive comments for the contributor!),
       approve the PR, comment or request changes as needed. New contributors should always
       choose **Comment**.
 -->
-3. 选定 PR 评阅之后，可以通过以下方式理解所作的变更：
-
-   - 阅读 PR 描述以理解所作变更，并且阅读所有关联的 Issues
-   - 阅读其他评阅人给出的评论
-   - 点击 **Files changed** Tab 页面，查看被改变的文件和代码行
-   - 滚动到 **Conversation** Tab 页面下端的 PR 构建检查节区，点击
-     **deploy/netlify** 行的 **Details** 链接，预览 Netlify
-     预览构建所生成的结果
-
-4. 前往 **Files changed** Tab 页面，开始你的评阅工作
-
-   1. 点击你希望评论的行旁边的 `+` 号
-   2. 填写你对该行的评论，之后或者选择**Add single comment** （如果你只有一条评论）
-      或者 **Start a review** （如果你还有其他评论要添加）
-   3. 评论结束时，点击页面顶部的 **Review changes**。这里你可以添加你的评论结语
-      （记得留下一些正能量的评论！）、根据需要批准 PR、请求作者进一步修改等等。
+4. 前往 **Files changed** Tab 页面，开始你的评审工作。
+
+   1. 点击你希望评论的行旁边的 `+` 号。
+   2. 填写你对该行的评论，
+      之后选择 **Add single comment**（如果你只有一条评论）
+      或者 **Start a review**（如果你还有其他评论要添加）。
+   3. 评论结束时，点击页面顶部的 **Review changes**。
+      这里你可以添加你的评论结语（记得留下一些正能量的评论！）、
+      根据需要批准 PR、请求作者进一步修改等等。
       新手应该选择 **Comment**。
 
-<!--
+<!-- 
 ## Reviewing checklist
 
 When reviewing, use the following as a starting point.
+-->
+## 评审清单  {#reviewing-checklist}
+
+评审 PR 时可以从下面的条目入手。
 
+<!--
 ### Language and grammar
 
 - Are there any obvious errors in language or grammar? Is there a better way to phrase something?
@@ -144,16 +202,12 @@ When reviewing, use the following as a starting point.
 - Are there long sentences which could be shorter or less complex?
 - Are there any long paragraphs which might work better as a list or table?
 -->
-## 评阅清单  {#reviewing-checklist}
-
-评阅 PR 时可以从下面的条目入手。
-
 ### 语言和语法 {#language-and-grammar}
 
 - 是否存在明显的语言或语法错误？对某事的描述有更好的方式？
 - 是否存在一些过于复杂晦涩的用词，本可以用简单词汇来代替？
 - 是否有些用词、术语或短语可以用不带歧视性的表达方式代替？
-- 用词和大小写方面是否遵从了[样式指南](/zh/docs/contribute/style/style-guide/)？
+- 用词和大小写方面是否遵从了[样式指南](/zh-cn/docs/contribute/style/style-guide/)？
 - 是否有些句子太长，可以改得更短、更简单？
 - 是否某些段落过长，可以考虑使用列表或者表格来表达？
 
@@ -177,10 +231,6 @@ When reviewing, use the following as a starting point.
   - Does the page appear correctly in the section's side navigation (or at all)?
   - Should the page appear on the [Docs Home](/docs/home/) listing?
 - Do the changes show up in the Netlify preview? Be particularly vigilant about lists, code blocks, tables, notes and images.
-
-### Other
-
-For small issues with a PR, like typos or whitespace, prefix your comments with `nit:`.  This lets the author know the issue is non-critical.
 -->
 ### 网站 {#Website}
 
@@ -188,15 +238,20 @@ For small issues with a PR, like typos or whitespace, prefix your comments with
   如果是这样，PR 是否会导致出现新的失效链接？
   是否有其他的办法，比如改变页面标题但不改变其 slug？
 - PR 是否引入新的页面？如果是：
-  - 该页面是否使用了正确的[页面内容类型](/zh/docs/contribute/style/page-content-types/)
+  - 该页面是否使用了正确的[页面内容类型](/zh-cn/docs/contribute/style/page-content-types/)
     及相关联的 Hugo 短代码（shortcodes）？
   - 该页面能否在对应章节的侧面导航中显示？显示得正确么？
-  - 该页面是否应出现在[网站主页面](/zh/docs/home/)的列表中？
+  - 该页面是否应出现在[网站主页面](/zh-cn/docs/home/)的列表中？
 - 变更是否正确出现在 Netlify 预览中了？
-  要对列表、代码段、表格、注释和图像等元素格外留心
+  要对列表、代码段、表格、注释和图像等元素格外留心。
 
+<!--
+### Other
+
+For small issues with a PR, like typos or whitespace, prefix your comments with `nit:`.  This lets the author know the issue is non-critical.
+-->
 ### 其他 {#other}
 
-对于 PR 中的小问题，例如拼写错误或者空格问题，可以在你的评论前面加上 `nit:`。
+对于 PR 中的小问题，例如拼写错误或者空格问题，
+可以在你的评论前面加上 `nit:`。
 这样做可以让作者知道该问题不是一个不得了的大问题。
-
diff --git a/content/zh/docs/contribute/style/_index.md b/content/zh-cn/docs/contribute/style/_index.md
similarity index 100%
rename from content/zh/docs/contribute/style/_index.md
rename to content/zh-cn/docs/contribute/style/_index.md
diff --git a/content/zh/docs/contribute/style/content-guide.md b/content/zh-cn/docs/contribute/style/content-guide.md
similarity index 79%
rename from content/zh/docs/contribute/style/content-guide.md
rename to content/zh-cn/docs/contribute/style/content-guide.md
index 1f787a1b93ec0..d506a90975064 100644
--- a/content/zh/docs/contribute/style/content-guide.md
+++ b/content/zh-cn/docs/contribute/style/content-guide.md
@@ -15,22 +15,22 @@ weight: 10
 <!--
 This page contains guidelines for Kubernetes documentation.
 
-If you have questions about what's allowed, join the #sig-docs channel in 
-[Kubernetes Slack](http://slack.k8s.io/) and ask! 
+If you have questions about what's allowed, join the #sig-docs channel in
+[Kubernetes Slack](https://slack.k8s.io/) and ask!
 
-You can register for Kubernetes Slack at http://slack.k8s.io/. 
+You can register for Kubernetes Slack at https://slack.k8s.io/.
 
 For information on creating new content for the Kubernetes
 docs, follow the [style guide](/docs/contribute/style/style-guide).
 -->
 本页包含 Kubernetes 文档的一些指南。
 
-如果你不清楚哪些事情是可以做的，请加入到 
-[Kubernetes Slack](http://slack.k8s.io/) 的 `#sig-docs` 频道提问！
-你可以在 http://slack.k8s.io 注册到 Kubernetes Slack。
+如果你不清楚哪些事情是可以做的，请加入到
+[Kubernetes Slack](https://slack.k8s.io/) 的 `#sig-docs` 频道提问！
+你可以在 https://slack.k8s.io 注册到 Kubernetes Slack。
 
 关于为 Kubernetes 文档创建新内容的更多信息，可参考
-[样式指南](/zh/docs/contribute/style/style-guide)。
+[样式指南](/zh-cn/docs/contribute/style/style-guide)。
 
 <!-- body -->
 
@@ -42,7 +42,7 @@ Source for the Kubernetes website, including the docs, resides in the
 
 Located in the `kubernetes/website/content/<language_code>/docs` folder, the
 majority of Kubernetes documentation is specific to the [Kubernetes
-project](https://github.com/kubernetes/kubernetes). 
+project](https://github.com/kubernetes/kubernetes).
 
 ## What's allowed
 
@@ -72,12 +72,12 @@ Kubernetes 网站（包括其文档）源代码位于
 ### Third party content
 
 Kubernetes documentation includes applied examples of projects in the Kubernetes project&mdash;projects that live in the [kubernetes](https://github.com/kubernetes) and
-[kubernetes-sigs](https://github.com/kubernetes-sigs) GitHub organizations. 
+[kubernetes-sigs](https://github.com/kubernetes-sigs) GitHub organizations.
 
-Links to active content in the Kubernetes project are always allowed. 
+Links to active content in the Kubernetes project are always allowed.
 
-Kubernetes requires some third party content to function. Examples include container runtimes (containerd, CRI-O, Docker), 
-[networking policy](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) (CNI plugins), [Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/), and [logging](https://kubernetes.io/docs/concepts/cluster-administration/logging/).
+Kubernetes requires some third party content to function. Examples include container runtimes (containerd, CRI-O, Docker),
+[networking policy](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) (CNI plugins), [Ingress controllers](/docs/concepts/services-networking/ingress-controllers/), and [logging](/docs/concepts/cluster-administration/logging/).
 
 Docs can link to third-party open source software (OSS) outside the Kubernetes project only if it's necessary for Kubernetes to function.
 -->
@@ -92,9 +92,9 @@ Kubernetes 文档包含 Kubernetes 项目下的多个项目的应用示例。
 
 Kubernetes 需要某些第三方内容才能正常工作。例如
 容器运行时（containerd、CRI-O、Docker），
-[联网策略](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
-（CNI 插件），[Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers/)
-以及[日志](https://kubernetes.io/zh/docs/concepts/cluster-administration/logging/)等。
+[联网策略](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
+（CNI 插件），[Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers/)
+以及[日志](/zh-cn/docs/concepts/cluster-administration/logging/)等。
 
 只有对应的第三方开源软件（OSS）是运行 Kubernetes 所必需的，才可以在文档中包含
 指向这些 Kubernetes 项目之外的软件的链接。
@@ -109,7 +109,8 @@ Dual-sourced content requires double the effort (or more!) to maintain
 and grows stale more quickly.
 
 {{< note >}}
-If you're a maintainer for a Kubernetes project and need help hosting your own docs, 
+
+If you're a maintainer for a Kubernetes project and need help hosting your own docs,
 ask for help in [#sig-docs on Kubernetes Slack](https://kubernetes.slack.com/messages/C1J0BPD2M/).
 {{< /note >}}
 -->
@@ -128,15 +129,13 @@ ask for help in [#sig-docs on Kubernetes Slack](https://kubernetes.slack.com/mes
 <!--
 ### More information
 
-If you have questions about allowed content, join the [Kubernetes Slack](http://slack.k8s.io/) #sig-docs channel and ask!
+If you have questions about allowed content, join the [Kubernetes Slack](https://slack.k8s.io/) #sig-docs channel and ask!
 -->
 ### 更多信息  {#more-information}
 
-如果你对允许出现的内容有疑问，请加入到 [Kubernetes Slack](http://slack.k8s.io/)
+如果你对允许出现的内容有疑问，请加入到 [Kubernetes Slack](https://slack.k8s.io/)
 的 `#sig-docs` 频道提问！
 
 ## {{% heading "whatsnext" %}}
 
-* 阅读[样式指南](/zh/docs/contribute/style/style-guide)。
-
-
+* 阅读[样式指南](/zh-cn/docs/contribute/style/style-guide)。
diff --git a/content/zh/docs/contribute/style/content-organization.md b/content/zh-cn/docs/contribute/style/content-organization.md
similarity index 96%
rename from content/zh/docs/contribute/style/content-organization.md
rename to content/zh-cn/docs/contribute/style/content-organization.md
index eb35c80b5fb2c..247d016057a95 100644
--- a/content/zh/docs/contribute/style/content-organization.md
+++ b/content/zh-cn/docs/contribute/style/content-organization.md
@@ -159,7 +159,7 @@ One example is [Custom Hugo Shortcodes](/docs/contribute/style/hugo-shortcodes/)
 除了独立的内容页面（Markdown 文件），Hugo 还支持
 [页面包](https://gohugo.io/content-management/page-bundles/)。
 
-一个例子是[定制的 Hugo 短代码（shortcodes）](/zh/docs/contribute/style/hugo-shortcodes/)。
+一个例子是[定制的 Hugo 短代码（shortcodes）](/zh-cn/docs/contribute/style/hugo-shortcodes/)。
 它被认为是 `leaf bundle`（叶子包）。
 目录下的所有内容，包括 `index.md`，都是包的一部分。此外还包括页面间相对链接、可被处理的图像等：
 
@@ -222,7 +222,7 @@ The `SASS` source of the stylesheets for this site is stored below `src/sass` an
 * Learn about the [Content guide](/docs/contribute/style/content-guide)
 -->
 
-* 了解[定制 Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/)
-* 了解[样式指南](/zh/docs/contribute/style/style-guide)
-* 了解[内容指南](/zh/docs/contribute/style/content-guide)
+* 了解[定制 Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/)
+* 了解[样式指南](/zh-cn/docs/contribute/style/style-guide)
+* 了解[内容指南](/zh-cn/docs/contribute/style/content-guide)
 
diff --git a/content/zh/docs/contribute/style/diagram-guide.md b/content/zh-cn/docs/contribute/style/diagram-guide.md
similarity index 96%
rename from content/zh/docs/contribute/style/diagram-guide.md
rename to content/zh-cn/docs/contribute/style/diagram-guide.md
index 7a88803e45b43..010901f6dd3e6 100644
--- a/content/zh/docs/contribute/style/diagram-guide.md
+++ b/content/zh-cn/docs/contribute/style/diagram-guide.md
@@ -85,10 +85,10 @@ All you need to begin working with Mermaid is the following:
 
 * 对 Markdown 有一个基本的了解
 * 使用 Mermaid 在线编辑器
-* 使用 [Hugo 短代码（shortcode）](/zh/docs/contribute/style/hugo-shortcodes/)
+* 使用 [Hugo 短代码（shortcode）](/zh-cn/docs/contribute/style/hugo-shortcodes/)
 * 使用 [Hugo {{</* figure */>}} 短代码](https://gohugo.io/content-management/shortcodes/#figure)
-* 执行 [Hugo 本地预览](/zh/docs/contribute/new-content/open-a-pr/#preview-locally)
-* 熟悉[贡献新内容](/zh/docs/contribute/new-content/)的流程
+* 执行 [Hugo 本地预览](/zh-cn/docs/contribute/new-content/open-a-pr/#preview-locally)
+* 熟悉[贡献新内容](/zh-cn/docs/contribute/new-content/)的流程
 
 {{< note >}}
 <!--
@@ -416,7 +416,7 @@ The following lists advantages of the Inline method:
 You should use the [local](/docs/contribute/new-content/open-a-pr/#preview-locally)
 and Netlify previews to verify the diagram is properly rendered. 
 -->
-你应该使用[本地](/zh/docs/contribute/new-content/open-a-pr/#preview-locally)和 Netlify
+你应该使用[本地](/zh-cn/docs/contribute/new-content/open-a-pr/#preview-locally)和 Netlify
 预览来验证图表是可以正常渲染的。
 
 {{< caution >}}
@@ -564,7 +564,7 @@ Be sure to check that your diagram renders properly using the
 [local](/docs/contribute/new-content/open-a-pr/#preview-locally)
 and Netlify previews.
 -->
-要使用[本地](/zh/docs/contribute/new-content/open-a-pr/#preview-locally)和
+要使用[本地](/zh-cn/docs/contribute/new-content/open-a-pr/#preview-locally)和
 Netlify 预览来检查你的图表可以正常渲染。
 
 <!--
@@ -670,7 +670,7 @@ If your external drawing tool permits:
 
 * 你可以将多个 `.svg` 或 `.png` 商标、图标或图片整合到你的图表中。
   不过，你需要确保你查看了版权并遵守了 Kubernetes 文档关于使用第三方内容的
-  [指南](/zh/docs/contribute/style/content-guide/)。
+  [指南](/zh-cn/docs/contribute/style/content-guide/)。
 * 你应该将图表的源位置保存起来，以便其他贡献者访问。
   例如，你的工具可能提供指向图表文件的链接，或者你应该将源代码文件
   （例如一个 `.xml` 文件）放到某处以便其他贡献者访问。
@@ -695,7 +695,7 @@ Don't forget to check that your diagram renders correctly using the
 * 贡献者对外部工具更为熟悉
 * 图表可能需要 Mermaid 所无法提供的细节
 
-不要忘记使用[本地](/zh/docs/contribute/new-content/open-a-pr/#preview-locally)
+不要忘记使用[本地](/zh-cn/docs/contribute/new-content/open-a-pr/#preview-locally)
 和 Netlify 预览来检查你的图表可以正常渲染。
 
 <!--
@@ -728,7 +728,7 @@ page.
 -->
 ### 示例 1 - Pod 拓扑分布约束
 
-图 6 展示的是 [Pod 拓扑分布约束](/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints/#node-labels)
+图 6 展示的是 [Pod 拓扑分布约束](/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints/#node-labels)
 页面所出现的图表。
 
 {{< mermaid >}}
@@ -792,7 +792,7 @@ Figure 7 shows the diagram appearing in the [What is Ingress](/docs/concepts/ser
 -->
 ### 示例 2 - Ingress
 
-图 7 显示的是 [Ingress 是什么](/zh/docs/concepts/services-networking/ingress/#what-is-ingress)
+图 7 显示的是 [Ingress 是什么](/zh-cn/docs/concepts/services-networking/ingress/#what-is-ingress)
 页面所出现的图表。
 
 {{< mermaid >}}
@@ -860,7 +860,7 @@ K8s components to start a container.
 
 图 8 给出的是一个 Mermaid 时序图，展示启动容器时 K8s 组件间的控制流。
 
-{{< figure src="/zh/docs/images/diagram-guide-example-3.svg" alt="K8s system flow diagram" class="diagram-large" caption="Figure 8. K8s system flow diagram" link="https://mermaid-js.github.io/mermaid-live-editor/edit/#eyJjb2RlIjoiJSV7aW5pdDp7XCJ0aGVtZVwiOlwibmV1dHJhbFwifX0lJVxuc2VxdWVuY2VEaWFncmFtXG4gICAgYWN0b3IgbWVcbiAgICBwYXJ0aWNpcGFudCBhcGlTcnYgYXMgY29udHJvbCBwbGFuZTxicj48YnI-YXBpLXNlcnZlclxuICAgIHBhcnRpY2lwYW50IGV0Y2QgYXMgY29udHJvbCBwbGFuZTxicj48YnI-ZXRjZCBkYXRhc3RvcmVcbiAgICBwYXJ0aWNpcGFudCBjbnRybE1nciBhcyBjb250cm9sIHBsYW5lPGJyPjxicj5jb250cm9sbGVyPGJyPm1hbmFnZXJcbiAgICBwYXJ0aWNpcGFudCBzY2hlZCBhcyBjb250cm9sIHBsYW5lPGJyPjxicj5zY2hlZHVsZXJcbiAgICBwYXJ0aWNpcGFudCBrdWJlbGV0IGFzIG5vZGU8YnI-PGJyPmt1YmVsZXRcbiAgICBwYXJ0aWNpcGFudCBjb250YWluZXIgYXMgbm9kZTxicj48YnI-Y29udGFpbmVyPGJyPnJ1bnRpbWVcbiAgICBtZS0-PmFwaVNydjogMS4ga3ViZWN0bCBjcmVhdGUgLWYgcG9kLnlhbWxcbiAgICBhcGlTcnYtLT4-ZXRjZDogMi4gc2F2ZSBuZXcgc3RhdGVcbiAgICBjbnRybE1nci0-PmFwaVNydjogMy4gY2hlY2sgZm9yIGNoYW5nZXNcbiAgICBzY2hlZC0-PmFwaVNydjogNC4gd2F0Y2ggZm9yIHVuYXNzaWduZWQgcG9kcyhzKVxuICAgIGFwaVNydi0-PnNjaGVkOiA1LiBub3RpZnkgYWJvdXQgcG9kIHcgbm9kZW5hbWU9XCIgXCJcbiAgICBzY2hlZC0-PmFwaVNydjogNi4gYXNzaWduIHBvZCB0byBub2RlXG4gICAgYXBpU3J2LS0-PmV0Y2Q6IDcuIHNhdmUgbmV3IHN0YXRlXG4gICAga3ViZWxldC0-PmFwaVNydjogOC4gbG9vayBmb3IgbmV3bHkgYXNzaWduZWQgcG9kKHMpXG4gICAgYXBpU3J2LT4-a3ViZWxldDogOS4gYmluZCBwb2QgdG8gbm9kZVxuICAgIGt1YmVsZXQtPj5jb250YWluZXI6IDEwLiBzdGFydCBjb250YWluZXJcbiAgICBrdWJlbGV0LT4-YXBpU3J2OiAxMS4gdXBkYXRlIHBvZCBzdGF0dXNcbiAgICBhcGlTcnYtLT4-ZXRjZDogMTIuIHNhdmUgbmV3IHN0YXRlIiwibWVybWFpZCI6IntcbiAgXCJ0aGVtZVwiOiBcImRlZmF1bHRcIlxufSIsInVwZGF0ZUVkaXRvciI6ZmFsc2UsImF1dG9TeW5jIjp0cnVlLCJ1cGRhdGVEaWFncmFtIjp0cnVlfQ" >}}
+{{< figure src="/zh-cn/docs/images/diagram-guide-example-3.svg" alt="K8s system flow diagram" class="diagram-large" caption="Figure 8. K8s system flow diagram" link="https://mermaid-js.github.io/mermaid-live-editor/edit/#eyJjb2RlIjoiJSV7aW5pdDp7XCJ0aGVtZVwiOlwibmV1dHJhbFwifX0lJVxuc2VxdWVuY2VEaWFncmFtXG4gICAgYWN0b3IgbWVcbiAgICBwYXJ0aWNpcGFudCBhcGlTcnYgYXMgY29udHJvbCBwbGFuZTxicj48YnI-YXBpLXNlcnZlclxuICAgIHBhcnRpY2lwYW50IGV0Y2QgYXMgY29udHJvbCBwbGFuZTxicj48YnI-ZXRjZCBkYXRhc3RvcmVcbiAgICBwYXJ0aWNpcGFudCBjbnRybE1nciBhcyBjb250cm9sIHBsYW5lPGJyPjxicj5jb250cm9sbGVyPGJyPm1hbmFnZXJcbiAgICBwYXJ0aWNpcGFudCBzY2hlZCBhcyBjb250cm9sIHBsYW5lPGJyPjxicj5zY2hlZHVsZXJcbiAgICBwYXJ0aWNpcGFudCBrdWJlbGV0IGFzIG5vZGU8YnI-PGJyPmt1YmVsZXRcbiAgICBwYXJ0aWNpcGFudCBjb250YWluZXIgYXMgbm9kZTxicj48YnI-Y29udGFpbmVyPGJyPnJ1bnRpbWVcbiAgICBtZS0-PmFwaVNydjogMS4ga3ViZWN0bCBjcmVhdGUgLWYgcG9kLnlhbWxcbiAgICBhcGlTcnYtLT4-ZXRjZDogMi4gc2F2ZSBuZXcgc3RhdGVcbiAgICBjbnRybE1nci0-PmFwaVNydjogMy4gY2hlY2sgZm9yIGNoYW5nZXNcbiAgICBzY2hlZC0-PmFwaVNydjogNC4gd2F0Y2ggZm9yIHVuYXNzaWduZWQgcG9kcyhzKVxuICAgIGFwaVNydi0-PnNjaGVkOiA1LiBub3RpZnkgYWJvdXQgcG9kIHcgbm9kZW5hbWU9XCIgXCJcbiAgICBzY2hlZC0-PmFwaVNydjogNi4gYXNzaWduIHBvZCB0byBub2RlXG4gICAgYXBpU3J2LS0-PmV0Y2Q6IDcuIHNhdmUgbmV3IHN0YXRlXG4gICAga3ViZWxldC0-PmFwaVNydjogOC4gbG9vayBmb3IgbmV3bHkgYXNzaWduZWQgcG9kKHMpXG4gICAgYXBpU3J2LT4-a3ViZWxldDogOS4gYmluZCBwb2QgdG8gbm9kZVxuICAgIGt1YmVsZXQtPj5jb250YWluZXI6IDEwLiBzdGFydCBjb250YWluZXJcbiAgICBrdWJlbGV0LT4-YXBpU3J2OiAxMS4gdXBkYXRlIHBvZCBzdGF0dXNcbiAgICBhcGlTcnYtLT4-ZXRjZDogMTIuIHNhdmUgbmV3IHN0YXRlIiwibWVybWFpZCI6IntcbiAgXCJ0aGVtZVwiOiBcImRlZmF1bHRcIlxufSIsInVwZGF0ZUVkaXRvciI6ZmFsc2UsImF1dG9TeW5jIjp0cnVlLCJ1cGRhdGVEaWFncmFtIjp0cnVlfQ" >}}
 
 
 <!--
diff --git a/content/zh/docs/contribute/style/hugo-shortcodes/example1.md b/content/zh-cn/docs/contribute/style/hugo-shortcodes/example1.md
similarity index 100%
rename from content/zh/docs/contribute/style/hugo-shortcodes/example1.md
rename to content/zh-cn/docs/contribute/style/hugo-shortcodes/example1.md
diff --git a/content/zh/docs/contribute/style/hugo-shortcodes/example2.md b/content/zh-cn/docs/contribute/style/hugo-shortcodes/example2.md
similarity index 100%
rename from content/zh/docs/contribute/style/hugo-shortcodes/example2.md
rename to content/zh-cn/docs/contribute/style/hugo-shortcodes/example2.md
diff --git a/content/zh/docs/contribute/style/hugo-shortcodes/index.md b/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
similarity index 97%
rename from content/zh/docs/contribute/style/hugo-shortcodes/index.md
rename to content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
index ef853710f0168..b351b6f5961de 100644
--- a/content/zh/docs/contribute/style/hugo-shortcodes/index.md
+++ b/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
@@ -101,7 +101,7 @@ page content.
 有两种词汇表提示：`glossary_tooltip` 和 `glossary_definition`。
 
 你可以通过加入术语词汇的短代码，来自动更新和替换相应链接中的内容
-（[我们的词汇库](/zh/docs/reference/glossary/)）
+（[我们的词汇库](/zh-cn/docs/reference/glossary/)）
 在浏览在线文档时，术语会显示为超链接的样式，当鼠标移到术语上时，其解释就会显示在提示框中。
 
 除了包含工具提示外，你还可以重用页面内容中词汇表中的定义。
@@ -457,7 +457,7 @@ usually need to add a
 to your cluster so that name resolution works.
 -->
 运行 Kubernetes 需要第三方软件。例如：你通常需要将
-[DNS 服务器](/zh/docs/tasks/administer-cluster/dns-custom-nameservers/#introduction)
+[DNS 服务器](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/#introduction)
 添加到集群中，以便名称解析工作。
 
 <!--
@@ -465,7 +465,7 @@ When we link to third-party software, or otherwise mention it,
 we follow the [content guide](/docs/contribute/style/content-guide/)
 and we also mark those third party items.
 -->
-当我们链接到第三方软件或以其他方式提及它时，我们会遵循[内容指南](/zh/docs/contribute/style/content-guide/)
+当我们链接到第三方软件或以其他方式提及它时，我们会遵循[内容指南](/zh-cn/docs/contribute/style/content-guide/)
 并标记这些第三方项目。
 
 <!--
@@ -645,7 +645,7 @@ Renders to:
 -->
 
 * 了解 [Hugo](https://gohugo.io/)。
-* 了解[撰写新的话题](/zh/docs/contribute/style/write-new-topic/)。
-* 了解[使用页面内容类型](/zh/docs/contribute/style/page-content-types/)。
-* 了解[发起 PR](/zh/docs/contribute/new-content/open-a-pr/)。
-* 了解[进阶贡献](/zh/docs/contribute/advanced/)。
+* 了解[撰写新的话题](/zh-cn/docs/contribute/style/write-new-topic/)。
+* 了解[使用页面内容类型](/zh-cn/docs/contribute/style/page-content-types/)。
+* 了解[发起 PR](/zh-cn/docs/contribute/new-content/open-a-pr/)。
+* 了解[进阶贡献](/zh-cn/docs/contribute/advanced/)。
diff --git a/content/zh/docs/contribute/style/hugo-shortcodes/podtemplate.json b/content/zh-cn/docs/contribute/style/hugo-shortcodes/podtemplate.json
similarity index 100%
rename from content/zh/docs/contribute/style/hugo-shortcodes/podtemplate.json
rename to content/zh-cn/docs/contribute/style/hugo-shortcodes/podtemplate.json
diff --git a/content/zh/docs/contribute/style/page-content-types.md b/content/zh-cn/docs/contribute/style/page-content-types.md
similarity index 95%
rename from content/zh/docs/contribute/style/page-content-types.md
rename to content/zh-cn/docs/contribute/style/page-content-types.md
index de72b6b4c4421..2c4f11b51d8e1 100644
--- a/content/zh/docs/contribute/style/page-content-types.md
+++ b/content/zh-cn/docs/contribute/style/page-content-types.md
@@ -198,7 +198,7 @@ published example of a concept page.
 - 在 `body` 节中，详细解释对应概念；
 - 对于 `whatsnext` 节，提供一个项目符号列表（最多 5 个），帮助读者进一步学习掌握概念
 
-[注解](/zh/docs/concepts/overview/working-with-objects/annotations/)页面是一个已经
+[注解](/zh-cn/docs/concepts/overview/working-with-objects/annotations/)页面是一个已经
 上线的概念页面的例子。
 
 <!--
@@ -271,7 +271,7 @@ An example of a published task topic is [Using an HTTP proxy to access the Kuber
 - 在 `whatsnext` 节中，使用项目符号列表（不超过 5 项），列举读者可能接下来有兴趣
   阅读的主题。
 
-已上线的任务主题示例之一是[使用 HTTP 代理来访问 Kubernetes API](/zh/docs/tasks/extend-kubernetes/http-proxy-access-api/)。
+已上线的任务主题示例之一是[使用 HTTP 代理来访问 Kubernetes API](/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api/)。
 
 <!--
 ### Tutorial
@@ -354,7 +354,7 @@ An example of a published tutorial topic is
   阅读的主题。
 
 已发布的教程主题的一个例子是
-[使用 Deployment 运行无状态应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/).
+[使用 Deployment 运行无状态应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/).
 
 <!--
 ### Reference
@@ -395,9 +395,9 @@ Examples of published tool reference pages are:
 
 已发布的工具参考页面示例包括：
 
-- [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
-- [kube-apiserver](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)
-- [kubectl](/zh/docs/reference/kubectl/kubectl/)
+- [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+- [kube-apiserver](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)
+- [kubectl](/zh-cn/docs/reference/kubectl/kubectl/)
 
 ## {{% heading "whatsnext" %}}
 
@@ -406,7 +406,7 @@ Examples of published tool reference pages are:
 - Learn about the [Content guide](/docs/contribute/style/content-guide/)
 - Learn about [content organization](/docs/contribute/style/content-organization/)
 -->
-- 了解[样式指南](/zh/docs/contribute/style/style-guide/)
-- 了解[内容指南](/zh/docs/contribute/style/content-guide/)
-- 了解[内容组织](/zh/docs/contribute/style/content-organization/)
+- 了解[样式指南](/zh-cn/docs/contribute/style/style-guide/)
+- 了解[内容指南](/zh-cn/docs/contribute/style/content-guide/)
+- 了解[内容组织](/zh-cn/docs/contribute/style/content-organization/)
 
diff --git a/content/zh/docs/contribute/style/style-guide.md b/content/zh-cn/docs/contribute/style/style-guide.md
similarity index 96%
rename from content/zh/docs/contribute/style/style-guide.md
rename to content/zh-cn/docs/contribute/style/style-guide.md
index 7b51525d09dfe..83c9056f22bd3 100644
--- a/content/zh/docs/contribute/style/style-guide.md
+++ b/content/zh-cn/docs/contribute/style/style-guide.md
@@ -30,7 +30,7 @@ discussion.
 你可以自行决定，且欢迎使用 PR 来为此文档提供修改意见。
 
 关于为 Kubernetes 文档贡献新内容的更多信息，可以参考
-[文档内容指南](/zh/docs/contribute/style/content-guide/)。
+[文档内容指南](/zh-cn/docs/contribute/style/content-guide/)。
 
 样式指南的变更是 SIG Docs 团队集体决定。
 如要提议更改或新增条目，请先将其添加到下一次 SIG Docs 例会的
@@ -46,7 +46,7 @@ and representing feature state.
 -->
 {{< note >}}
 Kubernetes 文档使用带调整的 [Goldmark Markdown 解释器](https://github.com/yuin/goldmark/)
-和一些 [Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/) 来支持词汇表项、Tab
+和一些 [Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/) 来支持词汇表项、Tab
 页以及特性门控标注。
 {{< /note >}}
 
@@ -68,7 +68,7 @@ Kubernetes 文档已经被翻译为多个语种
 （参见 [本地化 READMEs](https://github.com/kubernetes/website/blob/main/README.md#localization-readmemds)）。
 
 为文档提供一种新的语言翻译的途径可以在
-[本地化 Kubernetes 文档](/zh/docs/contribute/localization/)中找到。
+[本地化 Kubernetes 文档](/zh-cn/docs/contribute/localization/)中找到。
 
 英语文档使用美国英语的拼写和语法。
 
@@ -93,8 +93,8 @@ The following examples focus on capitalization. For more information about forma
 
 ### 对 API 对象使用大写驼峰式命名法  {#use-upper-camel-case-for-api-objects}
 
-当你与指定的 API 对象进行交互时，使用 [大写驼峰式命名法](https://en.wikipedia.org/wiki/Camel_case)，也被称为帕斯卡拼写法（PascalCase）.
-你可能在 [API 参考](/docs/reference/kubernetes-api/) 中看到不同的大小写形式，
+当你与指定的 API 对象进行交互时，使用[大写驼峰式命名法](https://en.wikipedia.org/wiki/Camel_case)，也被称为帕斯卡拼写法（PascalCase）。
+你可能在 [API 参考](/zh-cn/docs/reference/kubernetes-api/)中看到不同的大小写形式，
 例如 "configMap"。在一般性的文档中，最好使用大写驼峰形式，将之称作 "ConfigMap"。
 
 在一般性地讨论 API 对象时，使用
@@ -103,8 +103,8 @@ The following examples focus on capitalization. For more information about forma
 你可以使用“资源”、“API”或者“对象”这类词汇来进一步在句子中明确所指的是
 一个 Kubernetes 资源类型。
 
-不要将 API 对象的名称切分成多个单词。例如，使用 PodTemplateList，不要
-使用 Pod Template List。
+不要将 API 对象的名称切分成多个单词。例如，使用 PodTemplateList，
+不要使用 Pod Template List。
 
 下面的例子关注的是大小写问题。关于如何格式化 API 对象的名称，
 有关详细细节可参考相关的[代码风格](#code-style-inline-code)指南。
@@ -459,8 +459,8 @@ To specify the Kubernetes version for a task or tutorial page, include `min-kube
 代码示例或者配置示例如果包含版本信息，应该与对应的文字描述一致。
 
 如果所给的信息是特定于具体版本的，需要在
-[任务模版](/zh/docs/contribute/style/page-content-types/#task)
-或[教程模版](/zh/docs/contribute/style/page-content-types/#tutorial)
+[任务模版](/zh-cn/docs/contribute/style/page-content-types/#task)
+或[教程模版](/zh-cn/docs/contribute/style/page-content-types/#tutorial)
 的 `prerequisites` 小节定义 Kubernetes 版本。
 页面保存之后，`prerequisites` 小节会显示为 **开始之前**。
 
@@ -952,7 +952,7 @@ Write Markdown-style links: `[link text](URL)`. For example: `[Hugo shortcodes](
 可以 | 不可以
 :--| :-----
 插入超级链接时给出它们所链接到的目标内容的上下文。例如：你的机器上某些端口处于开放状态。参见<a href="#check-required-ports">检查所需端口</a>了解更详细信息。| 使用有二义性的术语，如“点击这里”。例如：你的机器上某些端口处于打开状态。参见<a href="#check-required-ports">这里</a>了解详细信息。
-编写 Markdown 风格的链接：`[链接文本](URL)`。例如：`[Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/#table-captions)`，输出是[Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/#table-captions). | 编写 HTML 风格的超级链接：`<a href="/media/examples/link-element-example.css" target="_blank">访问我们的教程！</a>`，或者创建会打开新 Tab 页或新窗口的链接。例如：`[网站示例](https://example.com){target="_blank"}`。
+编写 Markdown 风格的链接：`[链接文本](URL)`。例如：`[Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/#table-captions)`，输出是[Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/#table-captions). | 编写 HTML 风格的超级链接：`<a href="/media/examples/link-element-example.css" target="_blank">访问我们的教程！</a>`，或者创建会打开新 Tab 页或新窗口的链接。例如：`[网站示例](https://example.com){target="_blank"}`。
 {{< /table >}}
 
 <!--
@@ -1015,7 +1015,7 @@ The semantic purpose of a data table is to present tabular data. Sighted users c
 表格标题可以用来给数据表提供一个描述性的标题。
 辅助技术使用 HTML 表格标题元素来在页面结构中辨识表格内容。
 
-- 请 [Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/#table-captions)
+- 请 [Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/#table-captions)
   为表格添加标题。
 
 <!--
@@ -1267,7 +1267,7 @@ These steps ... | These simple steps ...
 
 ## {{% heading "whatsnext" %}}
 
-* 了解[编写新主题](/zh/docs/contribute/style/write-new-topic/).
-* 了解[页面内容类型](/zh/docs/contribute/style/page-content-types/).
-* 了解[发起 PR](/zh/docs/contribute/new-content/open-a-pr/).
+* 了解[编写新主题](/zh-cn/docs/contribute/style/write-new-topic/)。
+* 了解[页面内容类型](/zh-cn/docs/contribute/style/page-content-types/)。
+* 了解[发起 PR](/zh-cn/docs/contribute/new-content/open-a-pr/)。
 
diff --git a/content/zh/docs/contribute/style/write-new-topic.md b/content/zh-cn/docs/contribute/style/write-new-topic.md
similarity index 92%
rename from content/zh/docs/contribute/style/write-new-topic.md
rename to content/zh-cn/docs/contribute/style/write-new-topic.md
index bd5a2fce7235f..b9602e42d740e 100644
--- a/content/zh/docs/contribute/style/write-new-topic.md
+++ b/content/zh-cn/docs/contribute/style/write-new-topic.md
@@ -21,7 +21,7 @@ This page shows how to create a new topic for the Kubernetes docs.
 Create a fork of the Kubernetes documentation repository as described in
 [Start contributing](/docs/contribute/start/).
 -->
-如[发起 PR](/zh/docs/contribute/new-content/open-a-pr/)中所述，创建 Kubernetes 文档库的派生副本。
+如[发起 PR](/zh-cn/docs/contribute/new-content/open-a-pr/)中所述，创建 Kubernetes 文档库的派生副本。
 
 <!-- steps -->
 
@@ -46,8 +46,8 @@ Tutorial | A tutorial page shows how to accomplish a goal that ties together sev
 {{< table caption = "选择页面类型的说明" >}}
 类型 | 描述
 :--- | :----------
-概念（Concept） | 概念页面负责解释 Kubernetes 的某方面。例如，概念页面可以描述 Kubernetes Deployment 对象，并解释当部署、扩展和更新时，它作为应用程序所扮演的角色。一般来说，概念页面不包括步骤序列，而是提供任务或教程的链接。概念主题的示例可参见 <a href="/zh/docs/concepts/architecture/nodes/">节点</a>。
-任务（Task） | 任务页面展示如何完成特定任务。其目的是给读者提供一系列的步骤，让他们在阅读时可以实际执行。任务页面可长可短，前提是它始终围绕着某个主题展开。在任务页面中，可以将简短的解释与要执行的步骤混合在一起。如果需要提供较长的解释，则应在概念主题中进行。相关联的任务和概念主题应该相互链接。一个简短的任务页面的实例可参见 <a href="/zh/docs/tasks/configure-pod-container/configure-volume-storage/">配置 Pod 使用卷存储</a>。一个较长的任务页面的实例可参见 <a href="/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/">配置活跃性和就绪性探针</a>。
+概念（Concept） | 概念页面负责解释 Kubernetes 的某方面。例如，概念页面可以描述 Kubernetes Deployment 对象，并解释当部署、扩展和更新时，它作为应用程序所扮演的角色。一般来说，概念页面不包括步骤序列，而是提供任务或教程的链接。概念主题的示例可参见 <a href="/zh-cn/docs/concepts/architecture/nodes/">节点</a>。
+任务（Task） | 任务页面展示如何完成特定任务。其目的是给读者提供一系列的步骤，让他们在阅读时可以实际执行。任务页面可长可短，前提是它始终围绕着某个主题展开。在任务页面中，可以将简短的解释与要执行的步骤混合在一起。如果需要提供较长的解释，则应在概念主题中进行。相关联的任务和概念主题应该相互链接。一个简短的任务页面的实例可参见 <a href="/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage/">配置 Pod 使用卷存储</a>。一个较长的任务页面的实例可参见 <a href="/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/">配置活跃性和就绪性探针</a>。
 教程（Tutorial） | 教程页面展示如何实现某个目标，该目标将若干 Kubernetes 功能特性联系在一起。教程可能提供一些步骤序列，读者可以在阅读页面时实际执行这些步骤。或者它可以提供相关代码片段的解释。例如，教程可以提供代码示例的讲解。教程可以包括对 Kubernetes 几个关联特性的简要解释，但有关更深入的特性解释应该链接到相关概念主题。 
 {{< /table >}}
 
@@ -56,7 +56,7 @@ Use a [content type](/docs/contribute/style/page-content-types/) for each new pa
 that you write. Using page type helps ensure
 consistency among topics of a given type.
 -->
-为每个新页面选择其[内容类型](/zh/docs/contribute/style/page-content-types/)。
+为每个新页面选择其[内容类型](/zh-cn/docs/contribute/style/page-content-types/)。
 使用页面类型有助于确保给定类型的各主题之间保持一致。
 
 <!--
@@ -74,7 +74,7 @@ URL for the topic, for example:
 
 选择一个标题，确保其中包含希望搜索引擎发现的关键字。
 确定文件名时请使用标题中的单词，由连字符分隔。
-例如，标题为[Using an HTTP Proxy to Access Kubernetes API](/zh/docs/tasks/extend-kubernetes/http-proxy-access-api/)
+例如，标题为[Using an HTTP Proxy to Access Kubernetes API](/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api/)
 的主题的文件名为 `http-proxy-access-api.md`。
 你不需要在文件名中加上 "kubernetes"，因为 "kubernetes" 已经在主题的 URL 中了，
 例如：
@@ -189,10 +189,10 @@ following cases (not an exhaustive list):
 
 - 代码显示来自命令的输出，例如 `kubectl get deploy mydeployment -o json | jq '.status'`。
 - 代码不够通用，用户无法验证。例如，你可以嵌入 YAML 文件来创建一个依赖于特定
-  [FlexVolume](/zh/docs/concepts/storage/volumes#flexvolume) 实现的 Pod。
+  [FlexVolume](/zh-cn/docs/concepts/storage/volumes#flexvolume) 实现的 Pod。
 - 该代码是一个不完整的示例，因为其目的是突出展现某个大文件中的部分内容。
   例如，在描述出于某些原因定制
-  [PodSecurityPolicy](/zh/docs/tasks/administer-cluster/sysctl-cluster/#podsecuritypolicy)
+  [PodSecurityPolicy](/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/#podsecuritypolicy)
   的方法时，你可以在主题文件中直接提供一个短的代码段。
 - 由于某些其他原因，该代码不适合用户验证。
   例如，当使用 `kubectl edit` 命令描述如何将新属性添加到资源时，
@@ -285,7 +285,7 @@ For an example of a topic that uses this technique, see
 [Running a Single-Instance Stateful Application](/docs/tutorials/stateful-application/run-stateful-application/).
 -->
 有关使用此技术的主题的示例，请参见
-[运行单实例有状态的应用](/zh/docs/tasks/run-application/run-single-instance-stateful-application/)。
+[运行单实例有状态的应用](/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application/)。
 
 <!--
 ## Adding images to a topic
@@ -302,6 +302,6 @@ Put image files in the `/images` directory. The preferred image format is SVG.
 * Learn about [using page content types](/docs/contribute/style/page-content-types/).
 * Learn about [creating a pull request](/docs/contribute/new-content/open-a-pr/).
 -->
-* 了解[使用页面内容类型](/zh/docs/contribute/style/page-content-types/).
-* 了解[创建 PR](/zh/docs/contribute/new-content/open-a-pr/).
+* 了解[使用页面内容类型](/zh-cn/docs/contribute/style/page-content-types/).
+* 了解[创建 PR](/zh-cn/docs/contribute/new-content/open-a-pr/).
 
diff --git a/content/zh/docs/contribute/suggesting-improvements.md b/content/zh-cn/docs/contribute/suggesting-improvements.md
similarity index 100%
rename from content/zh/docs/contribute/suggesting-improvements.md
rename to content/zh-cn/docs/contribute/suggesting-improvements.md
diff --git a/content/zh/docs/doc-contributor-tools/linkchecker/README.md b/content/zh-cn/docs/doc-contributor-tools/linkchecker/README.md
similarity index 87%
rename from content/zh/docs/doc-contributor-tools/linkchecker/README.md
rename to content/zh-cn/docs/doc-contributor-tools/linkchecker/README.md
index 86d1c81683750..6f31aed3ab7ad 100644
--- a/content/zh/docs/doc-contributor-tools/linkchecker/README.md
+++ b/content/zh-cn/docs/doc-contributor-tools/linkchecker/README.md
@@ -1,24 +1,26 @@
-<!-- 
+<!--
 # Internal link checking tool
  -->
 # 内置链接检查工具
 
-<!-- 
+<!--
 You can use [htmltest](https://github.com/wjdp/htmltest) to check for broken links in [`/content/en/`](https://git.k8s.io/website/content/en/). This is useful when refactoring sections of content, moving pages around, or renaming files or page headers.
  -->
-你可以使用 [htmltest](https://github.com/wjdp/htmltest) 来检查 [`/content/en/`](https://git.k8s.io/website/content/en/) 下面的失效链接。这在重构章节内容、移动页面或者重命名文件或页眉时非常有用。
+你可以使用 [htmltest](https://github.com/wjdp/htmltest) 来检查
+[`/content/en/`](https://git.k8s.io/website/content/en/) 下面的失效链接。
+这在重构章节内容、移动页面或者重命名文件或页眉时非常有用。
 
-<!-- 
+<!--
 ## How the tool works
  -->
 ## 工作原理
 
-<!-- 
+<!--
 `htmltest` scans links in the generated HTML files of the kubernetes website repository. It runs using a `make` command which does the following:
  -->
 `htmltest` 会扫描 kubernetes website 仓库构建生成的 HTML 文件。通过执行 `make` 命令进行了下列操作：
 
-<!-- 
+<!--
 - Builds the site and generates output HTML in the `/public` directory of your local `kubernetes/website` repository
 - Pulls the `wdjp/htmltest` Docker image
 - Mounts your local `kubernetes/website` repository to the Docker image
@@ -29,21 +31,22 @@ You can use [htmltest](https://github.com/wjdp/htmltest) to check for broken lin
 - 挂载本地 `kubernetes/website` 仓库到 Docker 容器中
 - 扫描 `/public` 目录下生成的文件并将遇到的失效链接通过命令行打印出来
 
-<!-- 
+<!--
 ## What it does and doesn't check
  -->
 ## 哪些链接不会检查
 
-<!-- 
+<!--
 The link checker scans generated HTML files, not raw Markdown. The htmltest tool depends on a configuration file, [`.htmltest.yml`](https://git.k8s.io/website/.htmltest.yml), to determine which content to examine.
 
 The link checker scans the following:
  -->
-该链接检查器扫描生成的 HTML 文件，而非原始的 Markdown. 该 htmltest 工具依赖于一个配置文件，[`.htmltest.yml`](https://git.k8s.io/website/.htmltest.yml)，来决定检查哪些内容。
+该链接检查器扫描生成的 HTML 文件，而非原始的 Markdown. 该 htmltest 工具依赖于配置文件
+[`.htmltest.yml`](https://git.k8s.io/website/.htmltest.yml)，来决定检查哪些内容。
 
 该链接检查器扫描以下内容：
 
-<!-- 
+<!--
 - All content generated from Markdown in [`/content/en/docs`](https://git.k8s.io/website/content/en/docs/) directory, excluding:
   - Generated API references, for example https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/
 - All internal links, excluding:
@@ -56,12 +59,12 @@ The link checker scans the following:
   - 空白锚点 (`<a href="#">` 或 `[title](#)`) 以及空白目标地址  (`<a href="">` 或 `[title]()`)
   - 指向图片或其他媒体文件的内部链接
 
-<!-- 
+<!--
 The link checker does not scan the following:
  -->
 该链接检查器不会扫描以下内容：
 
-<!-- 
+<!--
 - Links included in the top and side nav bars, footer links, or links in a page's `<head>` section, such as links to CSS stylesheets, scripts, and meta information
 - Top level pages and their children, for example: `/training`, `/community`, `/case-studies/adidas`
 - Blog posts
@@ -69,34 +72,34 @@ The link checker does not scan the following:
 - Localizations
  -->
 - 包含在顶部和侧边导航栏的链接，以及页脚链接或者页面的 `<head>` 部分中的链接，例如 CSS 样式表、脚本以及元信息的链接。
-- 顶级页面及其子页面，例如： `/training`, `/community`, `/case-studies/adidas`
+- 顶级页面及其子页面，例如：`/training`、`/community`、`/case-studies/adidas`
 - 博客文章
-- API 参考文档，例如：https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/
+- API 参考文档，例如： https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/
 - 本地化内容
 
-<!-- 
+<!--
 ## Prerequisites and installation
  -->
 ## 先决条件以及安装说明
 
-<!-- 
+<!--
 You must install
  -->
 必须安装：
 * [Docker](https://docs.docker.com/get-docker/)
 * [make](https://www.gnu.org/software/make/)
- 
-<!-- 
+
+<!--
 ## Running the link checker
  -->
 ## 运行链接检查器
 
-<!-- 
+<!--
 To run the link checker:
  -->
 运行链接检查器需要：
 
-<!-- 
+<!--
 1. Navigate to the root directory of your local `kubernetes/website` repository.
 
 2. Run the following command:
@@ -109,12 +112,12 @@ To run the link checker:
   make container-internal-linkcheck
   ```
 
-<!-- 
+<!--
 ## Understanding the output
  -->
 ## 理解输出的内容
 
-<!-- 
+<!--
 If the link checker finds broken links, the output is similar to the following:
  -->
 如果链接检查器发现了失效链接，则输出内容类似如下：
@@ -125,7 +128,7 @@ tasks/access-kubernetes-api/custom-resources/index.html
   hash does not exist --- tasks/access-kubernetes-api/custom-resources/index.html --> #preserving-unknown-fields
 ```
 
-<!-- 
+<!--
 This is one set of broken links. The log adds an output for each page with broken links.
 
 In this output, the file with broken links is `tasks/access-kubernetes-api/custom-resources.md`.
@@ -138,15 +141,15 @@ One way to fix this is to:
  -->
 这是一系列失效链接。该日志附带了每个页面下的失效链接。
 
-在这部分输出中，包含失效链接的文件是 `tasks/access-kubernetes-api/custom-resources.md`.
+在这部分输出中，包含失效链接的文件是 `tasks/access-kubernetes-api/custom-resources.md`。
 
-该工具给出了一个理由：`hash does not exist`. 在大部分情况下，你可以忽略这个。
+该工具给出了一个理由：`hash does not exist`，在大部分情况下，你可以忽略这个。
 
-目标链接是 `#preserving-unknown-fields`.
+目标链接是 `#preserving-unknown-fields`。
 
 修复这个问题的一种方式是：
 
-<!-- 
+<!--
 1. Navigate to the Markdown file with a broken link.
 2. Using a text editor, do a full-text search (usually Ctrl+F or Command+F) for the broken link's URL, `#preserving-unknown-fields`.
 3. Fix the link. For a broken page hash (or _anchor_) link, check whether the topic was renamed or removed.
@@ -155,7 +158,7 @@ One way to fix this is to:
 2. 使用文本编辑器全文搜索失效链接的 URL（通常使用 Ctrl+F 或 Command+F）`#preserving-unknown-fields`.
 3. 修复该链接。对于一个失效的锚点（或者 _anchor_ ）链接，检查该主题是否已更名或者移除。
 
-<!-- 
+<!--
 Run htmltest to verify that broken links are fixed.
  -->
 运行 htmltest 来验证失效链接是否已修复。
\ No newline at end of file
diff --git a/content/zh/docs/home/_index.md b/content/zh-cn/docs/home/_index.md
similarity index 93%
rename from content/zh/docs/home/_index.md
rename to content/zh-cn/docs/home/_index.md
index ee0aaf68d7c53..738ee19bb4e3f 100644
--- a/content/zh/docs/home/_index.md
+++ b/content/zh-cn/docs/home/_index.md
@@ -62,7 +62,7 @@ overview:
 #   title: K8s Release Notes
 #   description: If you are installing Kubernetes or upgrading to the newest version, refer to the current release notes.
 #   button: "Download Kubernetes"
-#   button_path: "/zh/docs/setup/release/notes"
+#   button_path: "/zh-cn/docs/setup/release/notes"
 # - name: about
 #   title: About the documentation
 #   description: This website contains documentation for the current and previous 4 versions of Kubernetes.
@@ -71,37 +71,37 @@ cards:
   title: "了解 Kubernetes"
   description: "了解 Kubernetes 和其基础概念。"
   button: "查看概念"
-  button_path: "/zh/docs/concepts"
+  button_path: "/zh-cn/docs/concepts"
 - name: tutorials
   title: "尝试 Kubernetes"
   description: "按照教程学习如何在 Kubernetes 上部署应用。"
   button: "查看教程"
-  button_path: "/zh/docs/tutorials"
+  button_path: "/zh-cn/docs/tutorials"
 - name: setup
   title: "设置 K8s 集群"
   description: "按照你的资源情况和需求运行 Kubernetes。"
   button: "设置 Kubernetes"
-  button_path: "/zh/docs/setup"
+  button_path: "/zh-cn/docs/setup"
 - name: tasks
   title: "了解如何使用 Kubernetes"
   description: "查看常见任务以及如何使用简单步骤执行它们。"
   button: "查看任务"
-  button_path: "/zh/docs/tasks"
+  button_path: "/zh-cn/docs/tasks"
 - name: training
   title: "培训"
   description: "通过 Kubernetes 认证，助你的云原生项目成功！"
   button: "查看培训"
-  button_path: "/zh/training"
+  button_path: "/zh-cn/training"
 - name: reference
   title: 查阅参考信息 
   description: 浏览术语、命令行语法、API 资源类型和安装工具文档。
   button: 查看参考
-  button_path: /zh/docs/reference
+  button_path: /zh-cn/docs/reference
 - name: contribute
   title: 为文档作贡献
   description: 任何人，无论对该项目熟悉与否，都能贡献自己的力量。
   button: 为文档作贡献
-  button_path: /zh/docs/contribute
+  button_path: /zh-cn/docs/contribute
 - name: release-notes
   title: K8s 发布说明
   description: 如果你正在安装或升级 Kubernetes，最好参考最新的发布说明。
diff --git a/content/zh-cn/docs/home/supported-doc-versions.md b/content/zh-cn/docs/home/supported-doc-versions.md
new file mode 100644
index 0000000000000..6fc4dcf33987c
--- /dev/null
+++ b/content/zh-cn/docs/home/supported-doc-versions.md
@@ -0,0 +1,34 @@
+---
+title: Kubernetes 文档支持的版本
+content_type: custom
+layout: supported-versions
+card:
+  name: about
+  weight: 10
+  title: Kubernetes 文档支持的版本
+---
+<!--
+title: Available Documentation Versions
+content_type: custom
+layout: supported-versions
+card:
+  name: about
+  weight: 10
+  title: Available Documentation Versions
+-->
+<!-- overview -->
+
+<!-- 
+This website contains documentation for the current version of Kubernetes
+and the four previous versions of Kubernetes.
+
+The availability of documentation for a Kubernetes version is separate from whether
+that release is currently supported.
+Read [Support period](/releases/patch-releases/#support-period) to learn about
+which versions of Kubernetes are officially supported, and for how long.
+-->
+
+本网站包含当前版本和之前四个版本的 Kubernetes 文档。
+
+Kubernetes 版本的文档可用性与当前是否支持该版本是分开的。
+阅读[支持期限](/zh-cn/releases/patch-releases/#support-period)，了解官方支持 Kubernetes 的哪些版本，以及支持多长时间。
diff --git a/content/zh/docs/images/diagram-guide-example-3.svg b/content/zh-cn/docs/images/diagram-guide-example-3.svg
similarity index 100%
rename from content/zh/docs/images/diagram-guide-example-3.svg
rename to content/zh-cn/docs/images/diagram-guide-example-3.svg
diff --git a/content/zh/docs/images/ha-control-plane.svg b/content/zh-cn/docs/images/ha-control-plane.svg
similarity index 100%
rename from content/zh/docs/images/ha-control-plane.svg
rename to content/zh-cn/docs/images/ha-control-plane.svg
diff --git a/content/zh-cn/docs/images/ingress.svg b/content/zh-cn/docs/images/ingress.svg
new file mode 100644
index 0000000000000..450a0aae9b4fa
--- /dev/null
+++ b/content/zh-cn/docs/images/ingress.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 683.28125 224" style="max-width: 683.28125px;" height="224" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .cluster&gt;*{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}#graph-div .cluster span{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}</style><g><g class="output"><g class="clusters"><g style="opacity: 1;" transform="translate(464.8125,112)" id="flowchart-cluster-82" class="cluster"><rect y="-104" x="-210.46875" height="208" width="420.9375"></rect><g id="graph-divText" transform="translate(0, -90)" class="label"><g transform="translate(-24.578125,-12)"><foreignObject height="24" width="49.15625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">cluster</div></foreignObject></g></g></g></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-ingress" class="edgePath LS-client LE-ingress"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead118)" d="M80.015625,112L94.54296875,112C109.0703125,112,138.125,112,167.1796875,112C196.234375,112,225.2890625,112,243.98307291666666,112C262.6770833333333,112,271.0104166666667,112,275.1770833333333,112L279.34375,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead118"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service" class="edgePath LS-ingress LE-service"><path style="fill:none" marker-end="url(#arrowhead119)" d="M348.46875,112L359.6731770833333,112C370.8776041666667,112,393.2864583333333,112,415.6953125,112C438.1041666666667,112,460.5130208333333,112,471.7174479166667,112L482.921875,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead119"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service-pod1" class="edgePath LS-service LE-pod1"><path style="fill:none" marker-end="url(#arrowhead120)" d="M547.2456781914893,90L552.6396276595744,85.83333333333333C558.0335771276596,81.66666666666667,568.8214760638298,73.33333333333333,578.3820921985815,69.16666666666667C587.9427083333334,65,596.2760416666666,65,600.4427083333334,65L604.609375,65" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead120"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service-pod2" class="edgePath LS-service LE-pod2"><path style="fill:none" marker-end="url(#arrowhead121)" d="M547.2456781914893,134L552.6396276595744,138.16666666666666C558.0335771276596,142.33333333333334,568.8214760638298,150.66666666666666,578.3820921985815,154.83333333333334C587.9427083333334,159,596.2760416666666,159,600.4427083333334,159L604.609375,159" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead121"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="translate(167.1796875,112)" class="edgeLabel"><g class="label" transform="translate(-62.1640625,-24)"><rect height="48" width="124.328125" ry="0" rx="0"></rect><foreignObject height="48" width="124.328125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-ingress" id="L-L-client-ingress">Ingress-managed <br/> load balancer</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(415.6953125,112)" class="edgeLabel"><g class="label" transform="translate(-42.2265625,-12)"><rect height="24" width="84.453125" ry="0" rx="0"></rect><foreignObject height="24" width="84.453125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service" id="L-L-ingress-service">routing rule</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service' L-LE-pod1" id="L-L-service-pod1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service' L-LE-pod2" id="L-L-service-pod2"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(313.90625,112)" id="flowchart-ingress-74" class="node k8s"><rect class="label-container" height="44" width="69.125" y="-22" x="-34.5625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.5625,-12)"><foreignObject height="24" width="49.125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Ingress</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(627.4453125,65)" id="flowchart-pod1-79" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(518.765625,112)" id="flowchart-service-76" class="node k8s"><rect class="label-container" height="44" width="71.6875" y="-22" x="-35.84375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-25.84375,-12)"><foreignObject height="24" width="51.6875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(627.4453125,159)" id="flowchart-pod2-81" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(44.0078125,112)" id="flowchart-client-73" class="node plain"><rect class="label-container" height="44" width="72.015625" y="-22" x="-36.0078125" ry="22" rx="22"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/zh-cn/docs/images/ingressFanOut.svg b/content/zh-cn/docs/images/ingressFanOut.svg
new file mode 100644
index 0000000000000..a6bf202635164
--- /dev/null
+++ b/content/zh-cn/docs/images/ingressFanOut.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 854.515625 412" style="max-width: 854.515625px;" height="412" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .cluster&gt;*{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}#graph-div .cluster span{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}</style><g><g class="output"><g class="clusters"><g style="opacity: 1;" transform="translate(550.4296875,206)" id="flowchart-cluster-158" class="cluster"><rect y="-198" x="-296.0859375" height="396" width="592.171875"></rect><g id="graph-divText" transform="translate(0, -184)" class="label"><g transform="translate(-24.578125,-12)"><foreignObject height="24" width="49.15625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">cluster</div></foreignObject></g></g></g></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-ingress" class="edgePath LS-client LE-ingress"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead193)" d="M80.015625,206L94.54296875,206C109.0703125,206,138.125,206,167.1796875,206C196.234375,206,225.2890625,206,243.98307291666666,206C262.6770833333333,206,271.0104166666667,206,275.1770833333333,206L279.34375,206" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead193"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service1" class="edgePath LS-ingress LE-service1"><path style="fill:none" marker-end="url(#arrowhead194)" d="M406.0119680851064,184L423.35372340425533,172C440.6954787234043,160,475.37898936170217,136,499.54886968085106,124C523.71875,112,537.375,112,544.203125,112L551.03125,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead194"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service2" class="edgePath LS-ingress LE-service2"><path style="fill:none" marker-end="url(#arrowhead195)" d="M406.0119680851064,228L423.35372340425533,240C440.6954787234043,252,475.37898936170217,276,499.54886968085106,288C523.71875,300,537.375,300,544.203125,300L551.03125,300" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead195"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod1" class="edgePath LS-service1 LE-pod1"><path style="fill:none" marker-end="url(#arrowhead196)" d="M691.0531914893617,90L701.0182845744681,85.83333333333333C710.9833776595746,81.66666666666667,730.9135638297872,73.33333333333333,745.0453235815603,69.16666666666667C759.1770833333334,65,767.5104166666666,65,771.6770833333334,65L775.84375,65" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead196"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod2" class="edgePath LS-service1 LE-pod2"><path style="fill:none" marker-end="url(#arrowhead197)" d="M691.0531914893617,134L701.0182845744681,138.16666666666666C710.9833776595746,142.33333333333334,730.9135638297872,150.66666666666666,745.0453235815603,154.83333333333334C759.1770833333334,159,767.5104166666666,159,771.6770833333334,159L775.84375,159" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead197"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod3" class="edgePath LS-service2 LE-pod3"><path style="fill:none" marker-end="url(#arrowhead198)" d="M691.0531914893617,278L701.0182845744681,273.8333333333333C710.9833776595746,269.6666666666667,730.9135638297872,261.3333333333333,745.0453235815603,257.1666666666667C759.1770833333334,253,767.5104166666666,253,771.6770833333334,253L775.84375,253" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead198"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod4" class="edgePath LS-service2 LE-pod4"><path style="fill:none" marker-end="url(#arrowhead199)" d="M691.0531914893617,322L701.0182845744681,326.1666666666667C710.9833776595746,330.3333333333333,730.9135638297872,338.6666666666667,745.0453235815603,342.8333333333333C759.1770833333334,347,767.5104166666666,347,771.6770833333334,347L775.84375,347" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead199"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="translate(167.1796875,206)" class="edgeLabel"><g class="label" transform="translate(-62.1640625,-24)"><rect height="48" width="124.328125" ry="0" rx="0"></rect><foreignObject height="48" width="124.328125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-ingress" id="L-L-client-ingress">Ingress-managed <br/> load balancer</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(510.0625,112)" class="edgeLabel"><g class="label" transform="translate(-15.7421875,-12)"><rect height="24" width="31.484375" ry="0" rx="0"></rect><foreignObject height="24" width="31.484375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service1" id="L-L-ingress-service1">/foo</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(510.0625,300)" class="edgeLabel"><g class="label" transform="translate(-15.96875,-12)"><rect height="24" width="31.9375" ry="0" rx="0"></rect><foreignObject height="24" width="31.9375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service2" id="L-L-ingress-service2">/bar</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod1" id="L-L-service1-pod1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod2" id="L-L-service1-pod2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod3" id="L-L-service2-pod3"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod4" id="L-L-service2-pod4"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(374.21875,206)" id="flowchart-ingress-144" class="node k8s"><rect class="label-container" height="44" width="189.75" y="-22" x="-94.875" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-84.875,-12)"><foreignObject height="24" width="169.75"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Ingress, 178.91.123.132</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,65)" id="flowchart-pod1-151" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(638.4375,112)" id="flowchart-service1-146" class="node k8s"><rect class="label-container" height="44" width="174.8125" y="-22" x="-87.40625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-77.40625,-12)"><foreignObject height="24" width="154.8125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service1:4200</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,159)" id="flowchart-pod2-153" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,253)" id="flowchart-pod3-155" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(638.4375,300)" id="flowchart-service2-148" class="node k8s"><rect class="label-container" height="44" width="174.8125" y="-22" x="-87.40625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-77.40625,-12)"><foreignObject height="24" width="154.8125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service2:8080</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(798.6796875,347)" id="flowchart-pod4-157" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(44.0078125,206)" id="flowchart-client-143" class="node plain"><rect class="label-container" height="44" width="72.015625" y="-22" x="-36.0078125" ry="22" rx="22"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/zh-cn/docs/images/ingressNameBased.svg b/content/zh-cn/docs/images/ingressNameBased.svg
new file mode 100644
index 0000000000000..7e1d7be98c60f
--- /dev/null
+++ b/content/zh-cn/docs/images/ingressNameBased.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 934.40625 412" style="max-width: 934.40625px;" height="412" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .cluster&gt;*{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}#graph-div .cluster span{fill:#fff!important;stroke:#bbb!important;stroke-width:2px!important;color:#326ce5!important;}</style><g><g class="output"><g class="clusters"><g style="opacity: 1;" transform="translate(590.375,206)" id="flowchart-cluster-234" class="cluster"><rect y="-198" x="-336.03125" height="396" width="672.0625"></rect><g id="graph-divText" transform="translate(0, -184)" class="label"><g transform="translate(-24.578125,-12)"><foreignObject height="24" width="49.15625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">cluster</div></foreignObject></g></g></g></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-ingress" class="edgePath LS-client LE-ingress"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead271)" d="M80.015625,206L94.54296875,206C109.0703125,206,138.125,206,167.1796875,206C196.234375,206,225.2890625,206,243.98307291666666,206C262.6770833333333,206,271.0104166666667,206,275.1770833333333,206L279.34375,206" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead271"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service1" class="edgePath LS-ingress LE-service1"><path style="fill:none" marker-end="url(#arrowhead272)" d="M417.32463430851067,184L440.83693484042556,172C464.34923537234044,160,511.3738364361702,136,549.7702515514185,124C588.1666666666666,112,617.9348958333334,112,632.8190104166666,112L647.703125,112" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead272"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-ingress-service2" class="edgePath LS-ingress LE-service2"><path style="fill:none" marker-end="url(#arrowhead273)" d="M417.32463430851067,228L440.83693484042556,240C464.34923537234044,252,511.3738364361702,276,549.7702515514185,288C588.1666666666666,300,617.9348958333334,300,632.8190104166666,300L647.703125,300" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead273"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod1" class="edgePath LS-service1 LE-pod1"><path style="fill:none" marker-end="url(#arrowhead274)" d="M775.406914893617,90L784.6281582446809,85.83333333333333C793.8494015957446,81.66666666666667,812.2918882978723,73.33333333333333,825.6797983156029,69.16666666666667C839.0677083333334,65,847.4010416666666,65,851.5677083333334,65L855.734375,65" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead274"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service1-pod2" class="edgePath LS-service1 LE-pod2"><path style="fill:none" marker-end="url(#arrowhead275)" d="M775.406914893617,134L784.6281582446809,138.16666666666666C793.8494015957446,142.33333333333334,812.2918882978723,150.66666666666666,825.6797983156029,154.83333333333334C839.0677083333334,159,847.4010416666666,159,851.5677083333334,159L855.734375,159" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead275"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod3" class="edgePath LS-service2 LE-pod3"><path style="fill:none" marker-end="url(#arrowhead276)" d="M775.406914893617,278L784.6281582446809,273.8333333333333C793.8494015957446,269.6666666666667,812.2918882978723,261.3333333333333,825.6797983156029,257.1666666666667C839.0677083333334,253,847.4010416666666,253,851.5677083333334,253L855.734375,253" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead276"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-service2-pod4" class="edgePath LS-service2 LE-pod4"><path style="fill:none" marker-end="url(#arrowhead277)" d="M775.406914893617,322L784.6281582446809,326.1666666666667C793.8494015957446,330.3333333333333,812.2918882978723,338.6666666666667,825.6797983156029,342.8333333333333C839.0677083333334,347,847.4010416666666,347,851.5677083333334,347L855.734375,347" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead277"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="translate(167.1796875,206)" class="edgeLabel"><g class="label" transform="translate(-62.1640625,-24)"><rect height="48" width="124.328125" ry="0" rx="0"></rect><foreignObject height="48" width="124.328125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-ingress" id="L-L-client-ingress">Ingress-managed <br/> load balancer</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(558.3984375,112)" class="edgeLabel"><g class="label" transform="translate(-64.3046875,-12)"><rect height="24" width="128.609375" ry="0" rx="0"></rect><foreignObject height="24" width="128.609375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service1" id="L-L-ingress-service1">Host: foo.bar.com</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(558.3984375,300)" class="edgeLabel"><g class="label" transform="translate(-64.3046875,-12)"><rect height="24" width="128.609375" ry="0" rx="0"></rect><foreignObject height="24" width="128.609375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-ingress' L-LE-service2" id="L-L-ingress-service2">Host: bar.foo.com</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod1" id="L-L-service1-pod1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service1' L-LE-pod2" id="L-L-service1-pod2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod3" id="L-L-service2-pod3"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-service2' L-LE-pod4" id="L-L-service2-pod4"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(374.21875,206)" id="flowchart-ingress-220" class="node k8s"><rect class="label-container" height="44" width="189.75" y="-22" x="-94.875" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-84.875,-12)"><foreignObject height="24" width="169.75"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Ingress, 178.91.123.132</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,65)" id="flowchart-pod1-227" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(726.71875,112)" id="flowchart-service1-222" class="node k8s"><rect class="label-container" height="44" width="158.03125" y="-22" x="-79.015625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-69.015625,-12)"><foreignObject height="24" width="138.03125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service1:80</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,159)" id="flowchart-pod2-229" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,253)" id="flowchart-pod3-231" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(726.71875,300)" id="flowchart-service2-224" class="node k8s"><rect class="label-container" height="44" width="158.03125" y="-22" x="-79.015625" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-69.015625,-12)"><foreignObject height="24" width="138.03125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Service service2:80</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(878.5703125,347)" id="flowchart-pod4-233" class="node k8s"><rect class="label-container" height="44" width="45.671875" y="-22" x="-22.8359375" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-12.8359375,-12)"><foreignObject height="24" width="25.671875"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Pod</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(44.0078125,206)" id="flowchart-client-219" class="node plain"><rect class="label-container" height="44" width="72.015625" y="-22" x="-36.0078125" ry="22" rx="22"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/zh-cn/docs/images/tutor-service-nodePort-fig01.svg b/content/zh-cn/docs/images/tutor-service-nodePort-fig01.svg
new file mode 100644
index 0000000000000..bb4d866f853f3
--- /dev/null
+++ b/content/zh-cn/docs/images/tutor-service-nodePort-fig01.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 484.78125 84" style="max-width: 484.78125px;" height="84" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}</style><g><g class="output"><g class="clusters"></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-node2" class="edgePath LS-client LE-node2"><path style="fill:none" marker-end="url(#arrowhead23)" d="M69.015625,36.50387051372273L73.18229166666667,35.753225428102276C77.34895833333333,35.00258034248182,85.68229166666667,33.50129017124091,94.015625,33.44708453891548C102.34895833333333,33.392878906590056,110.68229166666667,34.78575781318012,114.84895833333333,35.48219726647515L119.015625,36.178636719770175" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead23"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node2-client" class="edgePath LS-node2 LE-client"><path style="fill:none" marker-end="url(#arrowhead24)" d="M119.015625,47.821363280229825L114.84895833333333,48.51780273352485C110.68229166666667,49.21424218681989,102.34895833333333,50.607121093409944,94.015625,50.55291546108452C85.68229166666667,50.49870982875908,77.34895833333333,48.99741965751818,73.18229166666667,48.246774571897724L69.015625,47.49612948627727" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead24"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node2-node1" class="edgePath LS-node2 LE-node1"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead25)" d="M188.671875,32.096334444107846L195.76171875,30.080278703423204C202.8515625,28.064222962738565,217.03125,24.03211148136928,231.2109375,24.03211148136928C245.390625,24.03211148136928,259.5703125,28.064222962738565,266.66015625,30.080278703423204L273.75,32.096334444107846" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead25"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node1-node2" class="edgePath LS-node1 LE-node2"><path style="fill:none;stroke-width:2px;stroke-dasharray:3;" marker-end="url(#arrowhead26)" d="M273.75,51.903665555892154L266.66015625,53.919721296576796C259.5703125,55.93577703726144,245.390625,59.96788851863072,231.2109375,59.96788851863071C217.03125,59.96788851863072,202.8515625,55.93577703726144,195.76171875,53.919721296576796L188.671875,51.903665555892154" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead26"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node1-endpoint" class="edgePath LS-node1 LE-endpoint"><path style="fill:none" marker-end="url(#arrowhead27)" d="M343.40625,42L347.5729166666667,42C351.7395833333333,42,360.0729166666667,42,368.40625,42C376.7395833333333,42,385.0729166666667,42,389.2395833333333,42L393.40625,42" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead27"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-node2" id="L-L-client-node2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node2' L-LE-client" id="L-L-node2-client"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(231.2109375,20)" class="edgeLabel"><g class="label" transform="translate(-17.5390625,-12)"><rect height="24" width="35.078125" ry="0" rx="0"></rect><foreignObject height="24" width="35.078125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node2' L-LE-node1" id="L-L-node2-node1">SNAT</span></div></foreignObject></g></g><g style="opacity: 1;" transform="translate(231.2109375,64)" class="edgeLabel"><g class="label" transform="translate(-17.5390625,-12)"><rect height="24" width="35.078125" ry="0" rx="0"></rect><foreignObject height="24" width="35.078125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node1' L-LE-node2" id="L-L-node1-node2">SNAT</span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node1' L-LE-endpoint" id="L-L-node1-endpoint"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(38.5078125,42)" id="flowchart-client-10" class="node plain"><rect class="label-container" height="44" width="61.015625" y="-22" x="-30.5078125" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(153.84375,42)" id="flowchart-node2-11" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 2</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(308.578125,42)" id="flowchart-node1-15" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 1</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(435.09375,42)" id="flowchart-endpoint-19" class="node k8s"><rect class="label-container" height="44" width="83.375" y="-22" x="-41.6875" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-31.6875,-12)"><foreignObject height="24" width="63.375"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Endpoint</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/zh-cn/docs/images/tutor-service-nodePort-fig02.svg b/content/zh-cn/docs/images/tutor-service-nodePort-fig02.svg
new file mode 100644
index 0000000000000..1a891575e5f58
--- /dev/null
+++ b/content/zh-cn/docs/images/tutor-service-nodePort-fig02.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 212.25 248" style="max-width: 212.25px;" height="248" aria-labelledby="chart-title-graph-div chart-desc-graph-div" role="img" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" width="100%" id="graph-div"><title id="chart-title-graph-div"></title><desc id="chart-desc-graph-div"></desc><style>#graph-div {font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}#graph-div .error-icon{fill:#552222;}#graph-div .error-text{fill:#552222;stroke:#552222;}#graph-div .edge-thickness-normal{stroke-width:2px;}#graph-div .edge-thickness-thick{stroke-width:3.5px;}#graph-div .edge-pattern-solid{stroke-dasharray:0;}#graph-div .edge-pattern-dashed{stroke-dasharray:3;}#graph-div .edge-pattern-dotted{stroke-dasharray:2;}#graph-div .marker{fill:#333333;stroke:#333333;}#graph-div .marker.cross{stroke:#333333;}#graph-div svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#graph-div .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#graph-div .cluster-label text{fill:#333;}#graph-div .cluster-label span{color:#333;}#graph-div .label text,#graph-div span{fill:#333;color:#333;}#graph-div .node rect,#graph-div .node circle,#graph-div .node ellipse,#graph-div .node polygon,#graph-div .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#graph-div .node .label{text-align:center;}#graph-div .node.clickable{cursor:pointer;}#graph-div .arrowheadPath{fill:#333333;}#graph-div .edgePath .path{stroke:#333333;stroke-width:2.0px;}#graph-div .flowchart-link{stroke:#333333;fill:none;}#graph-div .edgeLabel{background-color:#e8e8e8;text-align:center;}#graph-div .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#graph-div .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#graph-div .cluster text{fill:#333;}#graph-div .cluster span{color:#333;}#graph-div div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#graph-div :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;}#graph-div .plain&gt;*{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .plain span{fill:#ddd!important;stroke:#fff!important;stroke-width:4px!important;color:#000!important;}#graph-div .k8s&gt;*{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}#graph-div .k8s span{fill:#326ce5!important;stroke:#fff!important;stroke-width:4px!important;color:#fff!important;}</style><g><g class="output"><g class="clusters"></g><g class="edgePaths"><g style="opacity: 1;" id="L-client-node1" class="edgePath LS-client LE-node1"><path style="fill:none" marker-end="url(#arrowhead69)" d="M81.58909574468085,52L76.2851839539007,56.166666666666664C70.98127216312056,60.333333333333336,60.373448581560275,68.66666666666667,55.06953679078014,77C49.765625,85.33333333333333,49.765625,93.66666666666667,49.765625,97.83333333333333L49.765625,102" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead69"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-client-node2" class="edgePath LS-client LE-node2"><path style="fill:none" marker-end="url(#arrowhead70)" d="M137.59840425531914,52L142.9023160460993,56.166666666666664C148.20622783687944,60.333333333333336,158.8140514184397,68.66666666666667,164.11796320921985,77C169.421875,85.33333333333333,169.421875,93.66666666666667,169.421875,97.83333333333333L169.421875,102" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead70"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-node1-endpoint" class="edgePath LS-node1 LE-endpoint"><path style="fill:none" marker-end="url(#arrowhead71)" d="M45.084773936170215,146L44.198249113475185,150.16666666666666C43.31172429078015,154.33333333333334,41.538674645390074,162.66666666666666,41.538674645390074,171C41.538674645390074,179.33333333333334,43.31172429078015,187.66666666666666,44.19824911347518,191.83333333333334L45.084773936170215,196" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead71"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g><g style="opacity: 1;" id="L-endpoint-node1" class="edgePath LS-endpoint LE-node1"><path style="fill:none" marker-end="url(#arrowhead72)" d="M54.446476063829785,196L55.33300088652482,191.83333333333334C56.21952570921985,187.66666666666666,57.992575354609926,179.33333333333334,57.992575354609926,171C57.992575354609926,162.66666666666666,56.21952570921985,154.33333333333334,55.333000886524815,150.16666666666666L54.446476063829785,146" class="path"></path><defs><marker orient="auto" markerHeight="6" markerWidth="8" markerUnits="strokeWidth" refY="5" refX="9" viewBox="0 0 10 10" id="arrowhead72"><path style="stroke-width: 1; stroke-dasharray: 1, 0;" class="arrowheadPath" d="M 0 0 L 10 5 L 0 10 z"></path></marker></defs></g></g><g class="edgeLabels"><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-node1" id="L-L-client-node1"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-client' L-LE-node2" id="L-L-client-node2"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-node1' L-LE-endpoint" id="L-L-node1-endpoint"></span></div></foreignObject></g></g><g style="opacity: 1;" transform="" class="edgeLabel"><g class="label" transform="translate(0,0)"><rect height="0" width="0" ry="0" rx="0"></rect><foreignObject height="0" width="0"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml"><span style="" class="edgeLabel L-LS-endpoint' L-LE-node1" id="L-L-endpoint-node1"></span></div></foreignObject></g></g></g><g class="nodes"><g style="opacity: 1;" transform="translate(109.59375,30)" id="flowchart-client-66" class="node plain"><rect class="label-container" height="44" width="61.015625" y="-22" x="-30.5078125" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-20.5078125,-12)"><foreignObject height="24" width="41.015625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">client</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(49.765625,124)" id="flowchart-node1-67" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 1</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(169.421875,124)" id="flowchart-node2-69" class="node k8s"><rect class="label-container" height="44" width="69.65625" y="-22" x="-34.828125" ry="0" rx="0"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-24.828125,-12)"><foreignObject height="24" width="49.65625"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">Node 2</div></foreignObject></g></g></g><g style="opacity: 1;" transform="translate(49.765625,218)" id="flowchart-endpoint-71" class="node k8s"><rect class="label-container" height="44" width="83.53125" y="-22" x="-41.765625" ry="5" rx="5"></rect><g transform="translate(0,0)" class="label"><g transform="translate(-31.765625,-12)"><foreignObject height="24" width="63.53125"><div style="display: inline-block; white-space: nowrap;" xmlns="http://www.w3.org/1999/xhtml">endpoint</div></foreignObject></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/content/zh/docs/reference/_index.md b/content/zh-cn/docs/reference/_index.md
similarity index 93%
rename from content/zh/docs/reference/_index.md
rename to content/zh-cn/docs/reference/_index.md
index 108277d9eaa37..af2a04118b625 100644
--- a/content/zh/docs/reference/_index.md
+++ b/content/zh-cn/docs/reference/_index.md
@@ -64,7 +64,7 @@ client libraries:
 -->
 ## 官方支持的客户端库
 
-如果您需要通过编程语言调用 Kubernetes API，您可以使用
+如果你需要通过编程语言调用 Kubernetes API，你可以使用
 [客户端库](/zh/docs/reference/using-api/client-libraries/)。以下是官方支持的客户端库：
 
 - [Kubernetes Go 语言客户端库](https://github.com/kubernetes/client-go/)
@@ -137,9 +137,11 @@ operator to use or manage a cluster.
 * [kube-apiserver configuration (v1alpha1)](/docs/reference/config-api/apiserver-config.v1alpha1/)
 * [kube-apiserver configuration (v1)](/docs/reference/config-api/apiserver-config.v1/)
 * [kube-apiserver encryption (v1)](/docs/reference/config-api/apiserver-encryption.v1/)
+* [kube-apiserver event rate limit (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1/)
 * [kubelet configuration (v1alpha1)](/docs/reference/config-api/kubelet-config.v1alpha1/) and
   [kubelet configuration (v1beta1)](/docs/reference/config-api/kubelet-config.v1beta1/)
 * [kubelet credential providers (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/)
+* [kubelet credential providers (v1beta1)](/docs/reference/config-api/kubelet-credentialprovider.v1beta1/)
 * [kube-scheduler configuration (v1beta2)](/docs/reference/config-api/kube-scheduler-config.v1beta2/) and
   [kube-scheduler configuration (v1beta3)](/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 * [kube-proxy configuration (v1alpha1)](/docs/reference/config-api/kube-proxy-config.v1alpha1/)
@@ -147,6 +149,7 @@ operator to use or manage a cluster.
 * [Client authentication API (v1beta1)](/docs/reference/config-api/client-authentication.v1beta1/) and
   [Client authentication API (v1)](/docs/reference/config-api/client-authentication.v1/)
 * [WebhookAdmission configuration (v1)](/docs/reference/config-api/apiserver-webhookadmission.v1/)
+* [ImagePolicy API (v1alpha1)](/docs/reference/config-api/imagepolicy.v1alpha1/)
 -->
 ## 配置 API
 
@@ -157,9 +160,11 @@ operator to use or manage a cluster.
 * [kube-apiserver 配置 (v1alpha1)](/zh/docs/reference/config-api/apiserver-config.v1alpha1/)
 * [kube-apiserver 配置 (v1)](/zh/docs/reference/config-api/apiserver-config.v1/)
 * [kube-apiserver 加密 (v1)](/zh/docs/reference/config-api/apiserver-encryption.v1/)
+* [kube-apiserver 事件速率限制 (v1alpha1)](/zh/docs/reference/config-api/apiserver-eventratelimit.v1/)
 * [kubelet 配置 (v1alpha1)](/zh/docs/reference/config-api/kubelet-config.v1alpha1/) 和
   [kubelet 配置 (v1beta1)](/zh/docs/reference/config-api/kubelet-config.v1beta1/)
 * [kubelet 凭据驱动 (v1alpha1)](/zh/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/)
+* [kubelet 凭据驱动 (v1beta1)](/zh/docs/reference/config-api/kubelet-credentialprovider.v1beta1/)
 * [kube-scheduler 配置 (v1beta2)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta2/) 和
   [kube-scheduler 配置 (v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 * [kube-proxy 配置 (v1alpha1)](/zh/docs/reference/config-api/kube-proxy-config.v1alpha1/)
@@ -167,6 +172,7 @@ operator to use or manage a cluster.
 * [客户端认证 API (v1beta1)](/zh/docs/reference/config-api/client-authentication.v1beta1/) 和
   [客户端认证 API (v1)](/zh/docs/reference/config-api/client-authentication.v1/)
 * [WebhookAdmission 配置 (v1)](/zh/docs/reference/config-api/apiserver-webhookadmission.v1/)
+* [ImagePolicy API (v1alpha1)](/zh/docs/reference/config-api/imagepolicy.v1alpha1/)
 
 <!--
 ## Config API for kubeadm
diff --git a/content/zh/docs/reference/access-authn-authz/_index.md b/content/zh-cn/docs/reference/access-authn-authz/_index.md
similarity index 88%
rename from content/zh/docs/reference/access-authn-authz/_index.md
rename to content/zh-cn/docs/reference/access-authn-authz/_index.md
index bd6a833b917e7..c26b1e38b21dd 100644
--- a/content/zh/docs/reference/access-authn-authz/_index.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/_index.md
@@ -37,6 +37,8 @@ Reference documentation:
 - Service accounts
   - [Developer guide](/docs/tasks/configure-pod-container/configure-service-account/)
   - [Administration](/docs/reference/access-authn-authz/service-accounts-admin/)
+- [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
+  - including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 -->
 - [身份认证](/zh/docs/reference/access-authn-authz/authentication/)
    - [使用启动引导令牌来执行身份认证](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
@@ -53,4 +55,5 @@ Reference documentation:
 - 服务账号
   - [开发者指南](/zh/docs/tasks/configure-pod-container/configure-service-account/)
   - [管理文档](/zh/docs/reference/access-authn-authz/service-accounts-admin/)
-
+- [Kubelet 认证和鉴权](/zh/docs/reference/access-authn-authz/kubelet-authn-authz/)
+  - 包括 kubelet [TLS 启动引导](/zh/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
diff --git a/content/zh/docs/reference/access-authn-authz/abac.md b/content/zh-cn/docs/reference/access-authn-authz/abac.md
similarity index 90%
rename from content/zh/docs/reference/access-authn-authz/abac.md
rename to content/zh-cn/docs/reference/access-authn-authz/abac.md
index 1c8a308556a07..6d1c6b6a172b8 100644
--- a/content/zh/docs/reference/access-authn-authz/abac.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/abac.md
@@ -1,15 +1,9 @@
 ---
-approvers:
-- erictune
-- lavalamp
-- deads2k
-- liggitt
 title: 使用 ABAC 鉴权
 content_type: concept
+weight: 80
 ---
-
 <!--
----
 reviewers:
 - erictune
 - lavalamp
@@ -18,7 +12,6 @@ reviewers:
 title: Using ABAC Authorization
 content_type: concept
 weight: 80
----
 -->
 
 <!-- overview -->
@@ -26,7 +19,8 @@ weight: 80
 <!--
 Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.
 -->
-基于属性的访问控制（Attribute-based access control - ABAC）定义了访问控制范例，其中通过使用将属性组合在一起的策略来向用户授予访问权限。
+基于属性的访问控制（Attribute-based access control - ABAC）定义了访问控制范例，
+其中通过使用将属性组合在一起的策略来向用户授予访问权限。
 
 
 
@@ -68,8 +62,7 @@ properties:
           - `/foo/*` matches all subpaths of `/foo/`.
     - `readonly`, type boolean, when true, means that the Resource-matching policy only applies to get, list, and watch operations, Non-resource-matching policy only applies to get operation.
 -->
-
-## 策略文件格式
+## 策略文件格式   {#policy-file-format}
 
 基于 `ABAC` 模式，可以这样指定策略文件 `--authorization-policy-file=SOME_FILENAME`。
 
@@ -78,15 +71,16 @@ properties:
 每一行都是一个策略对象，策略对象是具有以下属性的映射：
 
   - 版本控制属性：
-    - `apiVersion`，字符串类型：有效值为`abac.authorization.kubernetes.io/v1beta1`，允许对策略格式进行版本控制和转换。
+    - `apiVersion`，字符串类型：有效值为 `abac.authorization.kubernetes.io/v1beta1`，允许对策略格式进行版本控制和转换。
     - `kind`，字符串类型：有效值为 `Policy`，允许对策略格式进行版本控制和转换。
   - `spec` 配置为具有以下映射的属性：
     - 主体匹配属性：
       - `user`，字符串类型；来自 `--token-auth-file` 的用户字符串，如果你指定 `user`，它必须与验证用户的用户名匹配。
-      - `group`，字符串类型；如果指定 `group`，它必须与经过身份验证的用户的一个组匹配，`system:authenticated`匹配所有经过身份验证的请求。`system:unauthenticated`匹配所有未经过身份验证的请求。
+      - `group`，字符串类型；如果指定 `group`，它必须与经过身份验证的用户的一个组匹配，`system:authenticated` 匹配所有经过身份验证的请求。
+        `system:unauthenticated` 匹配所有未经过身份验证的请求。
   - 资源匹配属性：
     - `apiGroup`，字符串类型；一个 API 组。
-      - 例： `apps`, `networking.k8s.io`
+      - 例：`apps`, `networking.k8s.io`
       - 通配符：`*`匹配所有 API 组。
     - `namespace`，字符串类型；一个命名空间。
       - 例如：`kube-system`
@@ -96,7 +90,7 @@ properties:
       - 通配符：`*`匹配所有资源请求。
   - 非资源匹配属性：
     - `nonResourcePath`，字符串类型；非资源请求路径。
-      - 例如：`/version`或 `/apis`
+      - 例如：`/version` 或 `/apis`
       - 通配符：
         - `*` 匹配所有非资源请求。
         - `/foo/*` 匹配 `/foo/` 的所有子路径。
@@ -142,7 +136,7 @@ To permit a user to do anything, write a policy with the apiGroup, namespace,
 resource, and nonResourcePath properties set to `"*"`.
 -->
 
-## 鉴权算法
+## 鉴权算法   {#authorization-algorithm}
 
 请求具有与策略对象的属性对应的属性。
 
@@ -154,10 +148,7 @@ resource, and nonResourcePath properties set to `"*"`.
 
 要允许任何经过身份验证的用户执行某些操作，请将策略组属性设置为 `"system:authenticated"`。
 
-要允许任何未经身份验证的用户执行某些操作，请将策略组属性设置为 `"system:authentication"`。
-
-要允许用户执行任何操作，请使用 apiGroup，命名空间，
-资源和 nonResourcePath 属性设置为 `"*"` 的策略。
+要允许任何未经身份验证的用户执行某些操作，请将策略组属性设置为 `"system:unauthenticated"`。
 
 要允许用户执行任何操作，请使用设置为 `"*"` 的 apiGroup，namespace，resource 和 nonResourcePath 属性编写策略。
 
@@ -181,17 +172,18 @@ up the verbosity:
     kubectl --v=8 version
 -->
 
-## Kubectl
+## kubectl
 
-Kubectl 使用 api-server 的 `/api` 和 `/apis` 端点来发现服务资源类型，并使用位于 `/openapi/v2` 的模式信息来验证通过创建/更新操作发送到 API 的对象。
+kubectl 使用 api-server 的 `/api` 和 `/apis` 端点来发现服务资源类型，
+并使用位于 `/openapi/v2` 的模式信息来验证通过创建/更新操作发送到 API 的对象。
 
 当使用 ABAC 鉴权时，这些特殊资源必须显式地通过策略中的 `nonResourcePath` 属性暴露出来（参见下面的 [示例](#examples)）：
 
-* `/api`，`/api/*`，`/apis`和 `/apis/*` 用于 API 版本协商。
+* `/api`，`/api/*`，`/apis` 和 `/apis/*` 用于 API 版本协商。
 * `/version` 通过 `kubectl version` 检索服务器版本。
 * `/swaggerapi/*` 用于创建 / 更新操作。
 
-要检查涉及到特定 kubectl 操作的 HTTP 调用，您可以调整详细程度：
+要检查涉及到特定 kubectl 操作的 HTTP 调用，你可以调整详细程度：
     kubectl --v=8 version
 
 <!--
@@ -213,7 +205,6 @@ Kubectl 使用 api-server 的 `/api` 和 `/apis` 端点来发现服务资源类
     {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "events"}}
     ```
  -->
-
 ## 例子 {#examples}
 
 1. Alice 可以对所有资源做任何事情：
@@ -221,12 +212,12 @@ Kubectl 使用 api-server 的 `/api` 和 `/apis` 端点来发现服务资源类
     ```json
     {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
     ```
-2. Kubelet 可以读取任何 pod：
+2. kubelet 可以读取任何 pod：
 
     ```json
     {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "pods", "readonly": true}}
     ```
-3. Kubelet 可以读写事件：
+3. kubelet 可以读写事件：
 
     ```json
     {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "events"}}
@@ -245,8 +236,8 @@ Kubectl 使用 api-server 的 `/api` 和 `/apis` 端点来发现服务资源类
     {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:unauthenticated", "readonly": true, "nonResourcePath": "*"}}
     ```
 -->
-
 4. Bob 可以在命名空间 `projectCaribou` 中读取 pod：
+
     ```json
     {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "projectCaribou", "resource": "pods", "readonly": true}}
     ```
@@ -269,10 +260,9 @@ system:serviceaccount:<namespace>:<serviceaccountname>
 ```
 
 -->
-
 [完整文件示例](https://releases.k8s.io/{{< param "fullversion" >}}/pkg/auth/authorizer/abac/example_policy_file.jsonl)
 
-## 服务帐户的快速说明
+## 服务帐户的快速说明   {#a-quick-note-on-service-accounts}
 
 服务帐户自动生成用户。用户名是根据命名约定生成的：
 
diff --git a/content/zh/docs/reference/access-authn-authz/admission-controllers.md b/content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md
similarity index 58%
rename from content/zh/docs/reference/access-authn-authz/admission-controllers.md
rename to content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md
index b5f0976fcdb12..a64cd6d2524e2 100644
--- a/content/zh/docs/reference/access-authn-authz/admission-controllers.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md
@@ -21,14 +21,14 @@ weight: 30
 <!--
 This page provides an overview of Admission Controllers.
 -->
-此页面概述了准入控制器。
+此页面提供准入控制器（Admission Controllers）的概述。
 
 <!-- body -->
 
 <!--
 ## What are they?
 -->
-## 什么是准入控制插件？
+## 什么是准入控制插件？  {#what-are-they}
 
 <!--
 An admission controller is a piece of code that intercepts requests to the
@@ -38,13 +38,13 @@ is authenticated and authorized.  The controllers consist of the
 `kube-apiserver` binary, and may only be configured by the cluster
 administrator. In that list, there are two special controllers:
 MutatingAdmissionWebhook and ValidatingAdmissionWebhook.  These execute the
-mutating and validating (respectively) [admission control
-webhooks](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
+mutating and validating (respectively)
+[admission control webhooks](/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
 which are configured in the API.
 -->
 准入控制器是一段代码，它会在请求通过认证和授权之后、对象被持久化之前拦截到达 API
 服务器的请求。控制器由下面的[列表](#what-does-each-admission-controller-do)组成，
-并编译进 `kube-apiserver` 二进制文件，并且只能由集群管理员配置。
+并编译进 `kube-apiserver` 可执行文件，并且只能由集群管理员配置。
 在该列表中，有两个特殊的控制器：MutatingAdmissionWebhook 和 ValidatingAdmissionWebhook。
 它们根据 API 中的配置，分别执行变更和验证
 [准入控制 webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)。
@@ -64,14 +64,14 @@ If any of the controllers in either phase reject the request, the entire
 request is rejected immediately and an error is returned to the end-user.
 -->
 准入控制器可以执行 “验证（Validating）” 和/或 “变更（Mutating）” 操作。
-变更（mutating）控制器可以根据被其接受的请求修改相关对象；验证（validating）控制器则不行。
+变更（mutating）控制器可以根据被其接受的请求更改相关对象；验证（validating）控制器则不行。
 
 准入控制器限制创建、删除、修改对象或连接到代理的请求，不限制读取对象的请求。
 
 准入控制过程分为两个阶段。第一阶段，运行变更准入控制器。第二阶段，运行验证准入控制器。
 再次提醒，某些控制器既是变更准入控制器又是验证准入控制器。
 
-如果任何一个阶段的任何控制器拒绝了该请求，则整个请求将立即被拒绝，并向终端用户返回一个错误。
+如果两个阶段之一的任何一个控制器拒绝了某请求，则整个请求将立即被拒绝，并向最终用户返回错误。
 
 <!--
 Finally, in addition to sometimes mutating the object in question, admission
@@ -82,14 +82,14 @@ corresponding reclamation or reconciliation process, as a given admission
 controller does not know for sure that a given request will pass all of the
 other admission controllers.
 -->
-最后，除了对对象进行变更外，准入控制器还可以有其它作用：将相关资源作为请求处理的一部分进行变更。
-增加使用配额就是一个典型的示例，说明了这样做的必要性。
+最后，除了对对象进行变更外，准入控制器还可能有其它副作用：将相关资源作为请求处理的一部分进行变更。
+增加配额用量就是一个典型的示例，说明了这样做的必要性。
 此类用法都需要相应的回收或回调过程，因为任一准入控制器都无法确定某个请求能否通过所有其它准入控制器。
 
 <!--
 ## Why do I need them?
 -->
-## 为什么需要准入控制器？
+## 为什么需要准入控制器？    {#why-do-i-need-them}
 
 <!--
 Many advanced features in Kubernetes require an admission controller to be enabled in order
@@ -98,23 +98,23 @@ configured with the right set of admission controllers is an incomplete server a
 support all the features you expect.
 -->
 Kubernetes 的许多高级功能都要求启用一个准入控制器，以便正确地支持该特性。
-因此，没有正确配置准入控制器的 Kubernetes API 服务器是不完整的，它无法支持你期望的所有特性。
+因此，没有正确配置准入控制器的 Kubernetes API 服务器是不完整的，它无法支持你所期望的所有特性。
 
 <!--
 ## How do I turn on an admission controller?
 -->
 
-## 如何启用一个准入控制器？
+## 如何启用一个准入控制器？  {#how-do-i-turn-on-an-admission-controller}
 
 <!--
 The Kubernetes API server flag `enable-admission-plugins` takes a comma-delimited list of admission control plugins to invoke prior to modifying objects in the cluster.
 For example, the following command line enables the `NamespaceLifecycle` and the `LimitRanger`
 admission control plugins:
 -->
-Kubernetes API 服务器的 `enable-admission-plugins` 标志接受一个用于在集群修改对象之前
-调用的（以逗号分隔的）准入控制插件顺序列表。
+Kubernetes API 服务器的 `enable-admission-plugins` 标志接受一个（以逗号分隔的）准入控制插件列表，
+这些插件会在集群修改对象之前被调用。
 
-例如，下面的命令就启用了 `NamespaceLifecycle` 和 `LimitRanger` 准入控制插件：
+例如，下面的命令启用 `NamespaceLifecycle` 和 `LimitRanger` 准入控制插件：
 
 ```shell
 kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger ...
@@ -128,7 +128,7 @@ have to modify the systemd unit file if the API server is deployed as a systemd
 service, you may modify the manifest file for the API server if Kubernetes is deployed
 in a self-hosted way.
 -->
-根据你 Kubernetes 集群的部署方式以及 API 服务器的启动方式的不同，你可能需要以不同的方式应用设置。
+根据你 Kubernetes 集群的部署方式以及 API 服务器的启动方式，你可能需要以不同的方式应用设置。
 例如，如果将 API 服务器部署为 systemd 服务，你可能需要修改 systemd 单元文件；
 如果以自托管方式部署 Kubernetes，你可能需要修改 API 服务器的清单文件。
 {{< /note >}}
@@ -138,7 +138,7 @@ in a self-hosted way.
 
 The Kubernetes API server flag `disable-admission-plugins` takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.
 -->
-## 怎么关闭准入控制器？
+## 怎么关闭准入控制器？   {#how-do-i-turn-off-an-admission-controller}
 
 Kubernetes API 服务器的 `disable-admission-plugins` 标志，会将传入的（以逗号分隔的）
 准入控制插件列表禁用，即使是默认启用的插件也会被禁用。
@@ -152,9 +152,9 @@ kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny ...
 
 To see which admission plugins are enabled:
 -->
-## 哪些插件是默认启用的？
+## 哪些插件是默认启用的？  {#which-plugins-are-enabled-by-default}
 
-下面的命令可以查看哪些插件是默认启用的：
+要查看哪些插件是被启用的：
 
 ```shell
 kube-apiserver -h | grep enable-admission-plugins
@@ -164,26 +164,25 @@ kube-apiserver -h | grep enable-admission-plugins
 In the current version, the default ones are:
 -->
 
-在目前版本中，它们是：
+在目前版本中，默认启用的插件有：
 
-```shell
-CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
+```
+CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, PodSecurity, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
 ```
 
 <!--
 ## What does each admission controller do?
-
-### AlwaysAdmit {#alwaysadmit} {{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
-
-This admission controller allows all pods into the cluster. It is deprecated because its behavior is the same as if there were no admission controller at all.
 -->
-## 每个准入控制器的作用是什么？
+## 每个准入控制器的作用是什么？  {#what-does-each-admission-controller-do}
 
-### AlwaysAdmit {#alwaysadmit} 
+### AlwaysAdmit {#alwaysadmit}
 
 {{< feature-state for_k8s_version="v1.13" state="deprecated" >}}
 
-该准入控制器会允许所有的 pod 接入集群。已废弃，因为它的行为根本就和没有准入控制器一样。
+<!--
+This admission controller allows all pods into the cluster. It is deprecated because its behavior is the same as if there were no admission controller at all.
+-->
+该准入控制器允许所有的 Pod 进入集群。此插件已被弃用，因其行为与没有准入控制器一样。
 
 ### AlwaysDeny {#alwaysdeny}
 
@@ -192,7 +191,7 @@ This admission controller allows all pods into the cluster. It is deprecated bec
 <!--
 Rejects all requests. AlwaysDeny is DEPRECATED as it has no real meaning.
 -->
-拒绝所有的请求。由于它没有实际意义，已废弃。
+拒绝所有的请求。由于它没有实际意义，已被弃用。
 
 ### AlwaysPullImages {#alwayspullimages}
 
@@ -205,58 +204,58 @@ scheduled onto the right node), without any authorization check against the imag
 is enabled, images are always pulled prior to starting containers, which means valid credentials are
 required.
 -->
-该准入控制器会修改每一个新创建的 Pod 的镜像拉取策略为 Always 。
+该准入控制器会修改每个新创建的 Pod，将其镜像拉取策略设置为 Always。
 这在多租户集群中是有用的，这样用户就可以放心，他们的私有镜像只能被那些有凭证的人使用。
-如果没有这个准入控制器，一旦镜像被拉取到节点上，任何用户的 Pod 都可以通过已了解到的镜像
-的名称（假设 Pod 被调度到正确的节点上）来使用它，而不需要对镜像进行任何授权检查。
-当启用这个准入控制器时，总是在启动容器之前拉取镜像，这意味着需要有效的凭证。
+如果没有这个准入控制器，一旦镜像被拉取到节点上，任何用户的 Pod 都可以通过已了解到的镜像的名称
+（假设 Pod 被调度到正确的节点上）来使用它，而不需要对镜像进行任何鉴权检查。
+启用这个准入控制器之后，启动容器之前必须拉取镜像，这意味着需要有效的凭证。
 
-### CertificateApproval
+### CertificateApproval {#certificateapproval}
 
 <!--
-This admission controller observes requests to 'approve' CertificateSigningRequest resources
-and performs additional authorization checks to ensure the approving user has permission 
-to approve certificate requests with the spec.signerName requested on the CertificateSigningRequest resource.
+This admission controller observes requests to 'approve' CertificateSigningRequest resources and performs additional
+authorization checks to ensure the approving user has permission to `approve` certificate requests with the
+`spec.signerName` requested on the CertificateSigningRequest resource.
 -->
-
-此准入控制器获取“审批” CertificateSigningRequest 资源的请求并执行额外的授权检查，
-以确保审批请求的用户有权限审批 `spec.signerName` 请求 CertificateSigningRequest 资源的证书请求。
+此准入控制器获取“审批” CertificateSigningRequest 资源的请求并执行额外的鉴权检查，
+以确保针对设置了 `spec.signerName` 的 CertificateSigningRequest 资源而言，
+审批请求的用户有权限对证书请求执行 `approve` 操作。
 
 <!--
-See Certificate Signing Requests for more information on the permissions required 
-to perform different actions on CertificateSigningRequest resources.
+See [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/) for more
+information on the permissions required to perform different actions on CertificateSigningRequest resources.
 -->
+有关对 CertificateSigningRequest 资源执行不同操作所需权限的详细信息，
+请参阅[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)。
 
-有关对证书签名请求资源执行不同操作所需权限的详细信息，
-请参阅[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)
-
-### CertificateSigning
+### CertificateSigning  {#certificatesigning}
 
 <!--
-This admission controller observes updates to the status.certificate field of CertificateSigningRequest resources 
-and performs an additional authorization checks to ensure the signing user has permission 
-to sign certificate requests with the spec.signerName requested on the CertificateSigningRequest resource.
+This admission controller observes updates to the `status.certificate` field of CertificateSigningRequest resources
+and performs an additional authorization checks to ensure the signing user has permission to `sign` certificate
+requests with the `spec.signerName` requested on the CertificateSigningRequest resource.
 -->
-此准入控制器获取 CertificateSigningRequest 资源的 `status.certificate` 字段更新请求并执行额外的授权检查，
-以确保签发证书的用户有权限为 `spec.signerName` 请求 CertificateSigningRequest 资源的证书请求`签发`证书。
+此准入控制器监视对 CertificateSigningRequest 资源的 `status.certificate` 字段的更新请求，
+并执行额外的鉴权检查，以确保针对设置了 `spec.signerName` 的 CertificateSigningRequest 资源而言，
+签发证书的用户有权限对证书请求执行 `sign` 操作。
 
 <!--
-See Certificate Signing Requests for more information on the permissions required 
-to perform different actions on CertificateSigningRequest resources.
+See [Certificate Signing Requests](/docs/reference/access-authn-authz/certificate-signing-requests/) for more
+information on the permissions required to perform different actions on CertificateSigningRequest resources.
 -->
-有关对证书签名请求资源执行不同操作所需权限的详细信息，
-请参阅[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)
+有关对 CertificateSigningRequest 资源执行不同操作所需权限的详细信息，
+请参阅[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)。
 
-### CertificateSubjectRestrictions 
+### CertificateSubjectRestriction {#certificatesubjectrestriction}
 
 <!--
-This admission controller observes creation of CertificateSigningRequest resources 
-that have a spec.signerName of kubernetes.io/kube-apiserver-client. It rejects any request 
-that specifies a 'group' (or 'organization attribute') of system:masters.
+This admission controller observes creation of CertificateSigningRequest resources that have a `spec.signerName`
+of `kubernetes.io/kube-apiserver-client`. It rejects any request that specifies a 'group' (or 'organization attribute')
+of `system:masters`.
 -->
-此准入控制器获取具有 `kubernetes.io/kube-apiserver-client` 的 `spec.signerName` 的
-CertificateSigningRequest 资源创建请求，
-它拒绝任何包含了 `system:masters` 一个“组”（或者“组织”）的请求。
+此准入控制器监视 `spec.signerName` 被设置为 `kubernetes.io/kube-apiserver-client` 的
+CertificateSigningRequest 资源创建请求，并拒绝所有将 “group”（或 “organization attribute”）
+设置为 `system:masters` 的请求。
 
 ### DefaultIngressClass {#defaultingressclass}
 
@@ -266,8 +265,8 @@ ingress class and automatically adds a default ingress class to them.  This way,
 request any special ingress class do not need to care about them at all and they will get the
 default one.
 -->
-该准入控制器监测没有请求任何特定 Ingress 类的 `Ingress` 对象的创建，并自动向其添加默认 Ingress 类。
-这样，没有任何特殊 Ingress 类需求的用户根本不需要关心它们，它们将获得默认 Ingress 类。
+该准入控制器监测没有请求任何特定 Ingress 类的 `Ingress` 对象创建请求，并自动向其添加默认 Ingress 类。
+这样，没有任何特殊 Ingress 类需求的用户根本不需要关心它们，他们将被设置为默认 Ingress 类。
 
 <!--
 This admission controller does not do anything when no default ingress class is configured. When more than one ingress
@@ -276,18 +275,18 @@ must revisit their `IngressClass` objects and mark only one as default (with the
 "ingressclass.kubernetes.io/is-default-class").  This admission controller ignores any `Ingress`
 updates; it acts only on creation.
 -->
-当未配置默认 Ingress 类时，此准入控制器不执行任何操作。如果将多个 Ingress 类标记为默认 Ingress 类，
-它将拒绝任何创建 `Ingress` 的操作，并显示错误。
-要修复此错误，管理员必须重新检查其 `IngressClass` 对象，并仅将其中一个标记为默认（通过注解
-"ingressclass.kubernetes.io/is-default-class"）。
-此准入控制器会忽略所有 `Ingress` 更新操作，仅响应创建操作。
+当未配置默认 Ingress 类时，此准入控制器不执行任何操作。如果有多个 Ingress 类被标记为默认 Ingress 类，
+此控制器将拒绝所有创建 `Ingress` 的操作，并返回错误信息。
+要修复此错误，管理员必须重新检查其 `IngressClass` 对象，并仅将其中一个标记为默认
+（通过注解 "ingressclass.kubernetes.io/is-default-class"）。
+此准入控制器会忽略所有 `Ingress` 更新操作，仅处理创建操作。
 
 <!--
 See the [ingress](/docs/concepts/services-networking/ingress/) documentation for more about ingress
 classes and how to mark one as default.
 -->
 关于 Ingress 类以及如何将 Ingress 类标记为默认的更多信息，请参见
-[ingress](/zh/docs/concepts/services-networking/ingress/)。
+[Ingress](/zh/docs/concepts/services-networking/ingress/) 页面。
 
 ### DefaultStorageClass {#defaultstorageclass}
 
@@ -297,9 +296,9 @@ and automatically adds a default storage class to them.
 This way, users that do not request any special storage class do not need to care about them at all and they
 will get the default one.
 -->
-该准入控制器监测没有请求任何特定存储类的 `PersistentVolumeClaim` 对象的创建，
+此准入控制器监测没有请求任何特定存储类的 `PersistentVolumeClaim` 对象的创建请求，
 并自动向其添加默认存储类。
-这样，没有任何特殊存储类需求的用户根本不需要关心它们，它们将获得默认存储类。
+这样，没有任何特殊存储类需求的用户根本不需要关心它们，它们将被设置为使用默认存储类。
 
 <!--
 This admission controller does not do anything when no default storage class is configured. When more than one storage
@@ -308,33 +307,33 @@ must revisit their `StorageClass` objects and mark only one as default.
 This admission controller ignores any `PersistentVolumeClaim` updates; it acts only on creation.
 -->
 当未配置默认存储类时，此准入控制器不执行任何操作。如果将多个存储类标记为默认存储类，
-它将拒绝任何创建 `PersistentVolumeClaim` 的操作，并显示错误。
-要修复此错误，管理员必须重新访问其 `StorageClass` 对象，并仅将其中一个标记为默认。
-此准入控制器会忽略所有 `PersistentVolumeClaim` 更新操作，仅响应创建操作。
+此控制器将拒绝所有创建 `PersistentVolumeClaim` 的请求，并返回错误信息。
+要修复此错误，管理员必须重新检查其 `StorageClass` 对象，并仅将其中一个标记为默认。
+此准入控制器会忽略所有 `PersistentVolumeClaim` 更新操作，仅处理创建操作。
 
 <!--
 See [persistent volume](/docs/concepts/storage/persistent-volumes/) documentation about persistent volume claims and
 storage classes and how to mark a storage class as default.
 -->
-关于持久化卷和存储类，以及如何将存储类标记为默认，请参见
-[持久化卷](/zh/docs/concepts/storage/persistent-volumes/)。
+关于持久卷申领和存储类，以及如何将存储类标记为默认，请参见[持久卷](/zh/docs/concepts/storage/persistent-volumes/)页面。
 
 ### DefaultTolerationSeconds {#defaulttolerationseconds}
 
 <!--
 This admission controller sets the default forgiveness toleration for pods to tolerate
 the taints `notready:NoExecute` and `unreachable:NoExecute` based on the k8s-apiserver input parameters
-`default-not-ready-toleration-seconds` and `default-unreachable-toleration-seconds` if the pods don't already
+`default-not-ready-toleration-seconds` and `default-unreachable-toleration-seconds` if the pods don't already 
 have toleration for taints `node.kubernetes.io/not-ready:NoExecute` or
 `node.kubernetes.io/unreachable:NoExecute`.
 The default value for `default-not-ready-toleration-seconds` and `default-unreachable-toleration-seconds` is 5 minutes.
 -->
-该准入控制器基于 k8s-apiserver 输入参数 `default-not-ready-toleration-seconds` 和
+此准入控制器基于 k8s-apiserver 的输入参数 `default-not-ready-toleration-seconds` 和
 `default-unreachable-toleration-seconds` 为 Pod 设置默认的容忍度，以容忍 `notready:NoExecute` 和
-`unreachable:NoExecute` 污点。
+`unreachable:NoExecute` 污点
 （如果 Pod 尚未容忍 `node.kubernetes.io/not-ready：NoExecute` 和
-`node.kubernetes.io/unreachable：NoExecute` 污点的话）
-`default-not-ready-toleration-seconds` 和 `default-unreachable-toleration-seconds` 的默认值是 5 分钟。
+`node.kubernetes.io/unreachable：NoExecute` 污点的话）。
+`default-not-ready-toleration-seconds` 和 `default-unreachable-toleration-seconds`
+的默认值是 5 分钟。
 
 ### DenyEscalatingExec {#denyescalatingexec}
 
@@ -345,9 +344,9 @@ This admission controller will deny exec and attach commands to pods that run wi
 allow host access.  This includes pods that run as privileged, have access to the host IPC namespace, and
 have access to the host PID namespace.
 -->
-该准入控制器将拒绝在由于拥有升级特权，而具备访问宿主机能力的 Pod 中执行 exec 和
-attach 命令。这包括在特权模式运行的 Pod，可以访问主机 IPC 名字空间的 Pod，
-和访问主机 PID 名字空间的 Pod 。
+此准入控制器将拒绝在由于拥有提级特权而具备访问宿主机能力的 Pod 中执行 exec 和
+attach 命令。这类 Pod 包括在特权模式运行的 Pod、可以访问主机 IPC 名字空间的 Pod、
+和访问主机 PID 名字空间的 Pod。
 
 <!--
 The DenyEscalatingExec admission plugin is deprecated.
@@ -356,10 +355,10 @@ Use of a policy-based admission plugin (like [PodSecurityPolicy](#podsecuritypol
 which can be targeted at specific users or Namespaces and also protects against creation of overly privileged Pods
 is recommended instead.
 -->
-DenyExecOnPrivileged 准入插件已被废弃。
+DenyEscalatingExec 准入插件已被弃用。
 
 建议使用基于策略的准入插件（例如 [PodSecurityPolicy](#podsecuritypolicy) 和自定义准入插件），
-该插件可以针对特定用户或名字空间，还可以防止创建权限过高的 Pod。
+这类插件可以针对特定用户或名字空间，还可以防止创建权限过高的 Pod。
 
 ### DenyExecOnPrivileged {#denyexeconprivileged} 
 
@@ -368,14 +367,14 @@ DenyExecOnPrivileged 准入插件已被废弃。
 <!--
 This admission controller will intercept all requests to exec a command in a pod if that pod has a privileged container.
 -->
-如果一个 pod 拥有一个特权容器，该准入控制器将拦截所有在该 pod 中执行 exec 命令的请求。
+如果一个 Pod 中存在特权容器，该准入控制器将拦截所有在该 Pod 中执行 exec 命令的请求。
 
 <!--
 This functionality has been merged into [DenyEscalatingExec](#denyescalatingexec).
 The DenyExecOnPrivileged admission plugin is deprecated.
 -->
 此功能已合并至 [DenyEscalatingExec](#denyescalatingexec)。
-而 DenyExecOnPrivileged 准入插件已被废弃。
+而 DenyExecOnPrivileged 准入插件已被弃用。
 
 <!--
 Use of a policy-based admission plugin (like [PodSecurityPolicy](#podsecuritypolicy) or a custom admission plugin)
@@ -383,9 +382,9 @@ which can be targeted at specific users or Namespaces and also protects against
 is recommended instead.
 -->
 建议使用基于策略的准入插件（例如 [PodSecurityPolicy](#podsecuritypolicy) 和自定义准入插件），
-该插件可以针对特定用户或名字空间，还可以防止创建权限过高的 Pod。
+这类插件可以针对特定用户或名字空间，还可以防止创建权限过高的 Pod。
 
-### DenyServiceExternalIPs
+### DenyServiceExternalIPs   {#denyserviceexternalips}
 
 <!--
 This admission controller rejects all net-new usage of the `Service` field `externalIPs`.  This
@@ -395,18 +394,20 @@ Services which use `externalIPs` and may not add new values to `externalIPs` on
 existing `Service` objects.  Existing uses of `externalIPs` are not affected,
 and users may remove values from `externalIPs` on existing `Service` objects.
 -->
-该准入控制器拒绝 `Service` 字段 `externalIPs` 的所有新规使用。 此功能非常强大（允许网络流量拦截），
-并且无法很好地受策略控制。 启用后，群集用户将无法创建使用 `externalIPs` 的新服务，也无法在现有
-`Service` 对象上向 `externalIPs` 添加新值。 `externalIPs` 的现有使用不受影响，用户可以从现有
-`Service` 对象上的 `externalIPs` 中删除值。
+此准入控制器拒绝新的 `Service` 中使用字段 `externalIPs`。
+此功能非常强大（允许网络流量拦截），并且无法很好地受策略控制。
+启用后，集群用户将无法创建使用 `externalIPs` 的新 `Service`，也无法在现有
+`Service` 对象上为 `externalIPs` 添加新值。
+`externalIPs` 的现有使用不受影响，用户可以在现有 `Service` 对象上从
+`externalIPs` 中删除值。
 
 <!--
 Most users do not need this feature at all, and cluster admins should consider disabling it.
 Clusters that do need to use this feature should consider using some custom policy to manage usage
 of it.
 -->
-大多数用户根本不需要此功能，集群管理员应考虑将其禁用。
-确实需要使用此功能的集群应考虑使用一些自定义策略来管理其的使用。
+大多数用户根本不需要此特性，集群管理员应考虑将其禁用。
+确实需要使用此特性的集群应考虑使用一些自定义策略来管理 `externalIPs` 的使用。
 
 ### EventRateLimit {#eventratelimit} 
 
@@ -416,45 +417,30 @@ of it.
 This admission controller mitigates the problem where the API server gets flooded by
 event requests. The cluster admin can specify event rate limits by:
 -->
-该准入控制器缓解了事件请求淹没 API 服务器的问题。集群管理员可以通过以下方式指定事件速率限制：
+此准入控制器缓解了事件请求淹没 API 服务器的问题。集群管理员可以通过以下方式指定事件速率限制：
 
 <!--
- * Enabling the `EventRateLimit` admission controller;
- * Referencing an `EventRateLimit` configuration file from the file provided to the API
-   server's command line flag `--admission-control-config-file`:
+* Enabling the `EventRateLimit` admission controller;
+* Referencing an `EventRateLimit` configuration file from the file provided to the API
+  server's command line flag `--admission-control-config-file`:
 -->
 * 启用 `EventRateLimit` 准入控制器；
-* 从文件中引用 `EventRateLimit` 配置文件，并提供给 API 服务器命令的
-  `--admission-control-config-file` 标志：
+* 在通过 API 服务器的命令行标志 `--admission-control-config-file` 设置的文件中，
+  引用 `EventRateLimit` 配置文件：
 
-{{< tabs name="eventratelimit_example" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
-```yaml
-apiVersion: apiserver.config.k8s.io/v1
-kind: AdmissionConfiguration
-plugins:
-- name: EventRateLimit
-  path: eventconfig.yaml
-...
-```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# Deprecated in v1.17 in favor of apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: EventRateLimit
-  path: eventconfig.yaml
-...
-```
-{{% /tab %}}
-{{< /tabs >}}
+  ```yaml
+  apiVersion: apiserver.config.k8s.io/v1
+  kind: AdmissionConfiguration
+  plugins:
+    - name: EventRateLimit
+      path: eventconfig.yaml
+  ...
+  ```
 
 <!--
 There are four types of limits that can be specified in the configuration:
 -->
-可以在配置中指定四种类型的限制：
+可以在配置中指定的限制有四种类型：
 
 <!--
  * `Server`: All event requests received by the API server share a single bucket.
@@ -464,34 +450,34 @@ There are four types of limits that can be specified in the configuration:
    involved object of the event.
 -->
 * `Server`: API 服务器收到的所有事件请求共享一个桶。
-* `Namespace`: 每个名字空间都有一个专用的桶。
-* `User`: 给每个用户都分配一个桶。
-* `SourceAndObject`: 根据事件的源和涉及对象的每种组合分配桶。
+* `Namespace`: 每个名字空间都对应一个专用的桶。
+* `User`: 为每个用户分配一个桶。
+* `SourceAndObject`: 根据事件的来源和涉及对象的各种组合分配桶。
 
 <!--
 Below is a sample `eventconfig.yaml` for such a configuration:
 -->
-下面是一个配置示例 `eventconfig.yaml`：
+下面是一个针对此配置的 `eventconfig.yaml` 示例：
 
 ```yaml
 apiVersion: eventratelimit.admission.k8s.io/v1alpha1
 kind: Configuration
 limits:
-- type: Namespace
-  qps: 50
-  burst: 100
-  cacheSize: 2000
-- type: User
-  qps: 10
-  burst: 50
+  - type: Namespace
+    qps: 50
+    burst: 100
+    cacheSize: 2000
+  - type: User
+    qps: 10
+    burst: 50
 ```
 
 <!--
-See the [EventRateLimit proposal](https://git.k8s.io/community/contributors/design-proposals/api-machinery/admission_control_event_rate_limit.md)
+See the [EventRateLimit Config API (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1alpha1/)
 for more details.
 -->
 详情请参见
-[事件速率限制提案](https://git.k8s.io/community/contributors/design-proposals/api-machinery/admission_control_event_rate_limit.md)。
+[EventRateLimit 配置 API 文档（v1alpha1）](/zh/docs/reference/config-api/apiserver-eventratelimit.v1alpha1/)。
 
 ### ExtendedResourceToleration {#extendedresourcetoleration}
 
@@ -503,30 +489,29 @@ name as the key. This admission controller, if enabled, automatically
 adds tolerations for such taints to pods requesting extended resources, so users don't have to manually
 add these tolerations.
 -->
-该插件有助于创建可扩展资源的专用节点。
-如果运营商想创建可扩展资源的专用节点（如 GPU、FPGA 等），
-那他们应该以扩展资源名称作为键名，
+此插件有助于创建带有扩展资源的专用节点。
+如果运维人员想要创建带有扩展资源（如 GPU、FPGA 等）的专用节点，他们应该以扩展资源名称作为键名，
 [为节点设置污点](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)。
-如果启用了该准入控制器，会将此类污点的容忍自动添加到请求扩展资源的 Pod 中，
-用户不必再手动添加这些容忍。
+如果启用了此准入控制器，会将此类污点的容忍度自动添加到请求扩展资源的 Pod 中，
+用户不必再手动添加这些容忍度。
 
 ### ImagePolicyWebhook {#imagepolicywebhook}
 
 <!--
 The ImagePolicyWebhook admission controller allows a backend webhook to make admission decisions.
 -->
-ImagePolicyWebhook 准入控制器允许使用一个后端的 webhook 做出准入决策。
+ImagePolicyWebhook 准入控制器允许使用后端 Webhook 做出准入决策。
 
 <!--
 #### Configuration File Format
 -->
-#### 配置文件格式
+#### 配置文件格式  {#configuration-file-format}
 
 <!--
 ImagePolicyWebhook uses a configuration file to set options for the behavior of the backend.
 This file may be json or yaml and has the following format:
 -->
-ImagePolicyWebhook 使用配置文件来为后端行为设置配置选项。该文件可以是 JSON 或 YAML，
+ImagePolicyWebhook 使用配置文件来为后端行为设置选项。该文件可以是 JSON 或 YAML，
 并具有以下格式:
 
 ```yaml
@@ -545,11 +530,9 @@ imagePolicy:
 <!--
 Reference the ImagePolicyWebhook configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
 -->
-从文件中引用 ImagePolicyWebhook 的配置文件，并将其提供给 API 服务器命令标志
-`--admission-control-config-file`：
+在通过命令行标志 `--admission-control-config-file` 为 API 服务器提供的文件中，
+引用 ImagePolicyWebhook 配置文件：
 
-{{< tabs name="imagepolicywebhook_example1" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -558,27 +541,12 @@ plugins:
   path: imagepolicyconfig.yaml
 ...
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# v1.17 中已废弃以鼓励使用 apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: ImagePolicyWebhook
-  path: imagepolicyconfig.yaml
-...
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 <!--
 Alternatively, you can embed the configuration directly in the file:
 -->
-或者，你也可以直接将配置嵌入到文件中：
+或者，你也可以直接将配置嵌入到该文件中：
 
-{{< tabs name="imagepolicywebhook_example2" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
@@ -592,24 +560,6 @@ plugins:
       retryBackoff: 500
       defaultAllow: true
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# v1.17 中已废弃以鼓励使用 apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: ImagePolicyWebhook
-  configuration:
-    imagePolicy:
-      kubeConfigFile: <kubeconfig 文件路径>
-      allowTTL: 50
-      denyTTL: 50
-      retryBackoff: 500
-      defaultAllow: true
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 <!--
 The ImagePolicyWebhook config file must reference a
@@ -619,13 +569,13 @@ It is required that the backend communicate over TLS.
 -->
 ImagePolicyWebhook 的配置文件必须引用
 [kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
-格式的文件；该文件设置了到后端的连接参数。
-要求后端使用 TLS 进行通信。
+格式的文件；该文件用来设置与后端的连接。要求后端使用 TLS 进行通信。
 
 <!--
-The kubeconfig file's cluster field must point to the remote service, and the user field must contain the returned authorizer.
+The kubeconfig file's `cluster` field must point to the remote service, and the `user` field
+must contain the returned authorizer.
 -->
-kubeconfig 文件的 cluster 字段需要指向远端服务，user 字段需要包含已返回的授权者。
+kubeconfig 文件的 `clusters` 字段需要指向远端服务，`users` 字段需要包含已返回的授权者。
 
 <!--
 ```yaml
@@ -651,13 +601,13 @@ clusters:
 - name: name-of-remote-imagepolicy-service
   cluster:
     certificate-authority: /path/to/ca.pem    # CA 用于验证远程服务
-    server: https://images.example.com/policy # 要查询的远程服务的 URL。必须是 'https' 。
+    server: https://images.example.com/policy # 要查询的远程服务的 URL，必须是 'https'。
 
 # users 指的是 API 服务器的 Webhook 配置。
 users:
 - name: name-of-api-server
   user:
-    client-certificate: /path/to/cert.pem # webhook 准入控制器使用的证书
+    client-certificate: /path/to/cert.pem # Webhook 准入控制器使用的证书
     client-key: /path/to/key.pem          # 证书匹配的密钥
 ```
 
@@ -670,26 +620,35 @@ For additional HTTP configuration, refer to the
 文档。
 
 <!--
-#### Request Payloads
+#### Request payloads
 -->
 #### 请求载荷
 
 <!--
-When faced with an admission decision, the API Server POSTs a JSON serialized `imagepolicy.k8s.io/v1alpha1` `ImageReview` object describing the action. This object contains fields describing the containers being admitted, as well as any pod annotations that match `*.image-policy.k8s.io/*`.
+When faced with an admission decision, the API Server POSTs a JSON serialized
+`imagepolicy.k8s.io/v1alpha1` `ImageReview` object describing the action.
+This object contains fields describing the containers being admitted, as well as
+any pod annotations that match `*.image-policy.k8s.io/*`.
 -->
 当面对一个准入决策时，API 服务器发送一个描述操作的 JSON 序列化的
 `imagepolicy.k8s.io/v1alpha1` `ImageReview` 对象。
-该对象包含描述被审核容器的字段，以及所有匹配 `*.image-policy.k8s.io/*` 的
-Pod 注解。
+该对象包含描述被准入容器的字段，以及与 `*.image-policy.k8s.io/*` 匹配的所有 Pod 注解。
 
+{{ note }}
 <!--
-Note that webhook API objects are subject to the same versioning compatibility rules as other Kubernetes API objects. Implementers should be aware of looser compatibility promises for alpha objects and check the "apiVersion" field of the request to ensure correct deserialization. Additionally, the API Server must enable the imagepolicy.k8s.io/v1alpha1 API extensions group (`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`).
+The webhook API objects are subject to the same versioning compatibility rules
+as other Kubernetes API objects. Implementers should be aware of looser compatibility
+promises for alpha objects and check the `apiVersion` field of the request to
+ensure correct deserialization.
+Additionally, the API Server must enable the `imagepolicy.k8s.io/v1alpha1` API extensions
+group (`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`).
 -->
 注意，Webhook API 对象与其他 Kubernetes API 对象一样受制于相同的版本控制兼容性规则。
-实现者应该知道对 alpha 对象的更宽松的兼容性，并检查请求的 "apiVersion" 字段，
+实现者应该知道对 alpha 对象兼容性是相对宽松的，并检查请求的 "apiVersion" 字段，
 以确保正确的反序列化。
 此外，API 服务器必须启用 `imagepolicy.k8s.io/v1alpha1` API 扩展组
 （`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`）。
+{{ /note }}
 
 <!--
 An example request body:
@@ -718,10 +677,12 @@ An example request body:
 ```
 
 <!--
-The remote service is expected to fill the `ImageReviewStatus` field of the request and respond to either allow or disallow access. The response body's "spec" field is ignored and may be omitted. A permissive response would return:
+The remote service is expected to fill the `ImageReviewStatus` field of the request and
+respond to either allow or disallow access. The response body's `spec` field is ignored and
+may be omitted. A permissive response would return:
 -->
 远程服务将填充请求的 `ImageReviewStatus` 字段，并返回允许或不允许访问的响应。
-响应体的 "spec" 字段会被忽略，并且可以省略。一个允许访问应答会返回：
+响应体的 `spec` 字段会被忽略，并且可以被省略。一个允许访问应答会返回：
 
 ```json
 {
@@ -750,22 +711,25 @@ To disallow access, the service would return:
 ```
 
 <!--
-For further documentation refer to the `imagepolicy.v1alpha1` API objects and `plugin/pkg/admission/imagepolicy/admission.go`.
+For further documentation refer to the
+[`imagepolicy.v1alpha1` API](/docs/reference/config-api/imagepolicy.v1alpha1/).
 -->
-更多的文档，请参阅 `imagepolicy.v1alpha1` API 对象和
-`plugin/pkg/admission/imagepolicy/admission.go`。
+更多的文档，请参阅 [`imagepolicy.v1alpha1` API](/zh/docs/reference/config-api/imagepolicy.v1alpha1/)。
 
 <!--
 #### Extending with Annotations
 -->
-#### 使用注解进行扩展
+#### 使用注解进行扩展  {#extending-with-annotations}
 
 <!--
-All annotations on a Pod that match `*.image-policy.k8s.io/*` are sent to the webhook. Sending annotations allows users who are aware of the image policy backend to send extra information to it, and for different backends implementations to accept different information.
+All annotations on a Pod that match `*.image-policy.k8s.io/*` are sent to the webhook.
+Sending annotations allows users who are aware of the image policy backend to
+send extra information to it, and for different backends implementations to
+accept different information.
 -->
 一个 Pod 中匹配 `*.image-policy.k8s.io/*` 的注解都会被发送给 Webhook。
-这样做使得了解后端镜像策略的用户可以向它发送额外的信息，并为不同的后端实现
-接收不同的信息。
+这样做使得了解后端镜像策略的用户可以向它发送额外的信息，
+并让不同的后端实现接收不同的信息。
 
 <!--
 Examples of information you might put here are:
@@ -773,57 +737,53 @@ Examples of information you might put here are:
 你可以在这里输入的信息有：
 
 <!--
- * request to "break glass" to override a policy, in case of emergency.
- * a ticket number from a ticket system that documents the break-glass request
- * provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup
+* request to "break glass" to override a policy, in case of emergency.
+* a ticket number from a ticket system that documents the break-glass request
+* provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup
 -->
-* 在紧急情况下，请求 "break glass" 覆盖一个策略。
-* 从一个记录了 break-glass 的请求的 ticket 系统得到的一个 ticket 号码。
-* 向策略服务器提供一个提示，用于提供镜像的 imageID，以方便它进行查找。
+* 在紧急情况下，请求破例覆盖某个策略。
+* 从一个记录了破例的请求的工单（Ticket）系统得到的一个工单号码。
+* 向策略服务器提供提示信息，用于提供镜像的 imageID，以方便它进行查找。
 
 <!--
-In any case, the annotations are provided by the user and are not validated by Kubernetes in any way. In the future, if an annotation is determined to be widely useful, it may be promoted to a named field of `ImageReviewSpec`.
+In any case, the annotations are provided by the user and are not validated by Kubernetes in any way.
 -->
 在任何情况下，注解都是由用户提供的，并不会被 Kubernetes 以任何方式进行验证。
-在将来，如果一个注解确定将被广泛使用，它可能会被提升为 ImageReviewSpec 的一个命名字段。
 
-### LimitPodHardAntiAffinityTopology {#limitpodhardantiaffinitytopology}
+### LimitPodHardAntiAffinityTopology   {#limitpodhardantiaffinitytopology}
 
 <!--
 This admission controller denies any pod that defines `AntiAffinity` topology key other than
 `kubernetes.io/hostname` in `requiredDuringSchedulingRequiredDuringExecution`.
 -->
-该准入控制器拒绝（定义了 `AntiAffinity` 拓扑键的）任何 Pod
-（`requiredDuringSchedulingRequiredDuringExecution` 中的
-`kubernetes.io/hostname` 除外）。
+此准入控制器拒绝定义了 `AntiAffinity` 拓扑键的任何 Pod
+（`requiredDuringSchedulingRequiredDuringExecution` 中的 `kubernetes.io/hostname` 除外）。
 
 ### LimitRanger {#limitranger}
 
 <!--
-This admission controller will observe the incoming request and ensure that it does not violate any of the constraints
-enumerated in the `LimitRange` object in a `Namespace`.  If you are using `LimitRange` objects in
-your Kubernetes deployment, you MUST use this admission controller to enforce those constraints. LimitRanger can also
-be used to apply default resource requests to Pods that don't specify any; currently, the default LimitRanger
-applies a 0.1 CPU requirement to all Pods in the `default` namespace.
+This admission controller will observe the incoming request and ensure that it does not violate
+any of the constraints enumerated in the `LimitRange` object in a `Namespace`.  If you are using
+`LimitRange` objects in your Kubernetes deployment, you MUST use this admission controller to
+enforce those constraints. LimitRanger can also be used to apply default resource requests to Pods
+that don't specify any; currently, the default LimitRanger applies a 0.1 CPU requirement to all
+Pods in the `default` namespace.
 -->
-该准入控制器会观察传入的请求，并确保它不会违反 `Namespace` 中 `LimitRange`
-对象枚举的任何约束。
-如果你在 Kubernetes 部署中使用了 `LimitRange` 对象，则必须使用此准入控制器来
-执行这些约束。
-LimitRanger 还可以用于将默认资源请求应用到没有指定任何内容的 Pod；
-当前，默认的 LimitRanger 对 `default` 名字空间中的所有 Pod 都应用了
-0.1 CPU 的需求。
+此准入控制器会监测传入的请求，并确保请求不会违反 `Namespace` 中 `LimitRange` 对象所设置的任何约束。
+如果你在 Kubernetes 部署中使用了 `LimitRange` 对象，则必须使用此准入控制器来执行这些约束。
+LimitRanger 还可以用于将默认资源请求应用到没有设定资源约束的 Pod；
+当前，默认的 LimitRanger 对 `default` 名字空间中的所有 Pod 都设置 0.1 CPU 的需求。
 
 <!--
-See the [limitRange design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md)
-and the [example of Limit Range](/docs/tasks/configure-pod-container/limit-range/) for more details.
+See the [LimitRange API reference](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
+and the [example of LimitRange](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+for more details.
 -->
 请查看
-[limitRange 设计文档](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_limit_range.md)
-和 [LimitRange 例子](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-以了解更多细节。
+[limitRange API 文档](/zh/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)和
+[LimitRange 例子](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)以了解更多细节。
 
-### MutatingAdmissionWebhook {#mutatingadmissionwebhook} 
+### MutatingAdmissionWebhook {#mutatingadmissionwebhook}
 
 <!--
 This admission controller calls any mutating webhooks which match the request. Matching
@@ -831,8 +791,8 @@ webhooks are called in serial; each one may modify the object if it desires.
 
 This admission controller (as implied by the name) only runs in the mutating phase.
 -->
-该准入控制器调用任何与请求匹配的变更 Webhook。匹配的 Webhook 将被串行调用。
-每一个 Webhook 都可以根据需要修改对象。
+此准入控制器调用任何与请求匹配的变更（Mutating） Webhook。匹配的 Webhook 将被顺序调用。
+每一个 Webhook 都可以自由修改对象。
 
 `MutatingAdmissionWebhook`，顾名思义，仅在变更阶段运行。
 
@@ -841,42 +801,41 @@ If a webhook called by this has side effects (for example, decrementing quota) i
 *must* have a reconciliation system, as it is not guaranteed that subsequent
 webhooks or validating admission controllers will permit the request to finish.
 -->
-如果由此准入控制器调用的 Webhook 有副作用（如降低配额），
-则它 *必须* 具有协调系统，因为不能保证后续的 Webhook 和验证准入控制器都会允许完成请求。
+如果由此准入控制器调用的 Webhook 有副作用（如：减少配额），
+则它 **必须** 具有协调系统，因为不能保证后续的 Webhook 和验证准入控制器都会允许完成请求。
 
 <!--
 If you disable the MutatingAdmissionWebhook, you must also disable the
 `MutatingWebhookConfiguration` object in the `admissionregistration.k8s.io/v1`
-group/version via the `--runtime-config` flag (both are on by default in
-versions >= 1.9).
+group/version via the `--runtime-config` flag, both are on by default.
 -->
 如果你禁用了 MutatingAdmissionWebhook，那么还必须使用 `--runtime-config` 标志禁止
-`admissionregistration.k8s.io/v1` 组/版本中的 `MutatingWebhookConfiguration`
-对象（版本 >=1.9 时，这两个对象都是默认启用的）。
+`admissionregistration.k8s.io/v1` 组/版本中的 `MutatingWebhookConfiguration`，
+二者都是默认启用的。
 
 <!--
 #### Use caution when authoring and installing mutating webhooks
 -->
-#### 谨慎编写和安装变更 webhook
+#### 谨慎编写和安装变更 webhook  {#use-caution-when-authoring-and-installing-mutating-webhooks}
 
 <!--
- * Users may be confused when the objects they try to create are different from
-   what they get back.
- * Built in control loops may break when the objects they try to create are
-   different when read back.
-   * Setting originally unset fields is less likely to cause problems than
-     overwriting fields set in the original request. Avoid doing the latter.
- * Future changes to control loops for built-in resources or third-party resources
-   may break webhooks that work well today. Even when the webhook installation API
-   is finalized, not all possible webhook behaviors will be guaranteed to be supported
-   indefinitely.
+* Users may be confused when the objects they try to create are different from
+  what they get back.
+* Built in control loops may break when the objects they try to create are
+  different when read back.
+  * Setting originally unset fields is less likely to cause problems than
+    overwriting fields set in the original request. Avoid doing the latter.
+* Future changes to control loops for built-in resources or third-party resources
+  may break webhooks that work well today. Even when the webhook installation API
+  is finalized, not all possible webhook behaviors will be guaranteed to be supported
+  indefinitely.
 -->
 * 当用户尝试创建的对象与返回的对象不同时，用户可能会感到困惑。
-* 当它们回读的对象与尝试创建的对象不同，内建的控制环可能会出问题。
+* 当他们读回的对象与尝试创建的对象不同，内建的控制回路可能会出问题。
   * 与覆盖原始请求中设置的字段相比，使用原始请求未设置的字段会引起问题的可能性较小。
-    应尽量避免前面那种方式。
-* 内建资源和第三方资源的控制回路未来可能会受到破坏性的更改，使现在运行良好的 Webhook
-  无法再正常运行。即使完成了 Webhook API 安装，也不代表会为该 webhook 提供无限期的支持。
+    应尽量避免覆盖原始请求中的字段设置。
+* 内建资源和第三方资源的控制回路未来可能会出现破坏性的变更，使现在运行良好的 Webhook
+  无法再正常运行。即使完成了 Webhook API 安装，也不代表该 Webhook 会被提供无限期的支持。
 
 ### NamespaceAutoProvision {#namespaceautoprovision}
 
@@ -887,9 +846,9 @@ It creates a namespace if it cannot be found.
 This admission controller is useful in deployments that do not want to restrict creation of
 a namespace prior to its usage.
 -->
-该准入控制器会检查名字空间资源上的所有传入请求，并检查所引用的名字空间是否确实存在。
-如果找不到，它将创建一个名字空间。
-此准入控制器对于不想要求名字空间必须先创建后使用的集群部署中很有用。
+此准入控制器会检查针对名字空间域资源的所有传入请求，并检查所引用的名字空间是否确实存在。
+如果找不到所引用的名字空间，控制器将创建一个名字空间。
+此准入控制器对于不想要求名字空间必须先创建后使用的集群部署很有用。
 
 ### NamespaceExists {#namespaceexists}
 
@@ -897,26 +856,28 @@ a namespace prior to its usage.
 This admission controller checks all requests on namespaced resources other than `Namespace` itself.
 If the namespace referenced from a request doesn't exist, the request is rejected.
 -->
-该准入控制器检查除 `Namespace` 以外的名字空间作用域资源上的所有请求。
+此准入控制器检查针对名字空间作用域的资源（除 `Namespace` 自身）的所有请求。
 如果请求引用的名字空间不存在，则拒绝该请求。
 
 ### NamespaceLifecycle {#namespacelifecycle}
 
 <!--
-This admission controller enforces that a `Namespace` that is undergoing termination cannot have new objects created in it,
-and ensures that requests in a non-existent `Namespace` are rejected. This admission controller also prevents deletion of
-three system reserved namespaces `default`, `kube-system`, `kube-public`.
+This admission controller enforces that a `Namespace` that is undergoing termination cannot have
+new objects created in it, and ensures that requests in a non-existent `Namespace` are rejected.
+This admission controller also prevents deletion of three system reserved namespaces `default`,
+`kube-system`, `kube-public`.
 -->
-该准入控制器禁止在一个正在被终止的 `Namespace` 中创建新对象，并确保
-使用不存在的 `Namespace` 的请求被拒绝。
+该准入控制器禁止在一个正在被终止的 `Namespace` 中创建新对象，并确保针对不存在的
+`Namespace` 的请求被拒绝。
 该准入控制器还会禁止删除三个系统保留的名字空间，即 `default`、
 `kube-system` 和 `kube-public`。
 
 <!--
-A `Namespace` deletion kicks off a sequence of operations that remove all objects (pods, services, etc.) in that
-namespace.  In order to enforce integrity of that process, we strongly recommend running this admission controller.
+A `Namespace` deletion kicks off a sequence of operations that remove all objects (pods, services,
+etc.) in that namespace.  In order to enforce integrity of that process, we strongly recommend
+running this admission controller.
 -->
-删除 `Namespace` 会触发删除该名字空间中所有对象（Pod、Service 等）的一系列操作。
+`Namespace` 的删除操作会触发一系列删除该名字空间中所有对象（Pod、Service 等）的操作。
 为了确保这个过程的完整性，我们强烈建议启用这个准入控制器。
 
 ### NodeRestriction {#noderestriction}
@@ -926,51 +887,52 @@ This admission controller limits the `Node` and `Pod` objects a kubelet can modi
 kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`.
 Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
 -->
-该准入控制器限制了 kubelet 可以修改的 `Node` 和 `Pod` 对象。
+该准入控制器限制了某 kubelet 可以修改的 `Node` 和 `Pod` 对象。
 为了受到这个准入控制器的限制，kubelet 必须使用在 `system:nodes` 组中的凭证，
 并使用 `system:node:<nodeName>` 形式的用户名。
-这样，kubelet 只可修改自己的 `Node` API 对象，只能修改绑定到节点本身的 Pod 对象。
+这样，kubelet 只可修改自己的 `Node` API 对象，只能修改绑定到自身节点的 Pod 对象。
 
 <!--
-In Kubernetes 1.11+, kubelets are not allowed to update or remove taints from their `Node` API object.
+kubelets are not allowed to update or remove taints from their `Node` API object.
 
-In Kubernetes 1.13+, the `NodeRestriction` admission plugin prevents kubelets from deleting their `Node` API object,
+The `NodeRestriction` admission plugin prevents kubelets from deleting their `Node` API object,
 and enforces kubelet modification of labels under the `kubernetes.io/` or `k8s.io/` prefixes as follows:
 -->
-在 Kubernetes 1.11+ 的版本中，不允许 kubelet 从 `Node` API 对象中更新或删除污点。
+不允许 kubelet 更新或删除 `Node` API 对象的污点。
 
-在 Kubernetes 1.13+ 的版本中，`NodeRestriction` 准入插件可防止 kubelet 删除
-`Node` API 对象，并对 `kubernetes.io/` 或 `k8s.io/` 前缀标签的 kubelet
-强制进行如下修改：
+`NodeRestriction` 准入插件可防止 kubelet 删除其 `Node` API 对象，
+并对前缀为 `kubernetes.io/` 或 `k8s.io/` 的标签的修改对 kubelet 作如下限制：
 
 <!--
 * **Prevents** kubelets from adding/removing/updating labels with a `node-restriction.kubernetes.io/` prefix.
-This label prefix is reserved for administrators to label their `Node` objects for workload isolation purposes,
-and kubelets will not be allowed to modify labels with that prefix.
+  This label prefix is reserved for administrators to label their `Node` objects for workload isolation purposes,
+  and kubelets will not be allowed to modify labels with that prefix.
 * **Allows** kubelets to add/remove/update these labels and label prefixes:
 -->
-* **防止** kubelet 添加/删除/更新带有 `node-restriction.kubernetes.io/` 前缀的标签。
-  保留此前缀的标签，供管理员用来标记 Node 对象以隔离工作负载，并且不允许 kubelet
+* **禁止** kubelet 添加、删除或更新前缀为 `node-restriction.kubernetes.io/` 的标签。
+  这类前缀的标签时保留给管理员的，用以为 `Node` 对象设置标签以隔离工作负载，而不允许 kubelet
   修改带有该前缀的标签。
-* **允许** kubelet 添加/删除/更新这些和这些前缀的标签：
+* **允许** kubelet 添加、删除、更新以下标签：
   * `kubernetes.io/hostname`
   * `kubernetes.io/arch`
   * `kubernetes.io/os`
   * `beta.kubernetes.io/instance-type`
   * `node.kubernetes.io/instance-type`
   * `failure-domain.beta.kubernetes.io/region` （已弃用）
-  * `failure-domain.beta.kubernetes.io/zone`  (已弃用）
+  * `failure-domain.beta.kubernetes.io/zone` （已弃用）
   * `topology.kubernetes.io/region`
   * `topology.kubernetes.io/zone`
-  * `kubelet.kubernetes.io/`-prefixed labels
-  * `node.kubernetes.io/`-prefixed labels
+  * `kubelet.kubernetes.io/` 为前缀的标签
+  * `node.kubernetes.io/` 为前缀的标签
 
 <!--
-Use of any other labels under the `kubernetes.io` or `k8s.io` prefixes by kubelets is reserved, and may be disallowed or allowed by the `NodeRestriction` admission plugin in the future.
+Use of any other labels under the `kubernetes.io` or `k8s.io` prefixes by kubelets is reserved,
+and may be disallowed or allowed by the `NodeRestriction` admission plugin in the future.
 
-Future versions may add additional restrictions to ensure kubelets have the minimal set of permissions required to operate correctly.
+Future versions may add additional restrictions to ensure kubelets have the minimal set of
+permissions required to operate correctly.
 -->
-kubelet 保留 `kubernetes.io` 或 `k8s.io` 前缀的所有标签，并且将来可能会被
+以 `kubernetes.io` 或 `k8s.io` 为前缀的所有其他标签都限制 kubelet 使用，并且将来可能会被
 `NodeRestriction` 准入插件允许或禁止。
 
 将来的版本可能会增加其他限制，以确保 kubelet 具有正常运行所需的最小权限集。
@@ -984,39 +946,32 @@ This admission controller also protects the access to `metadata.ownerReferences[
 of an object, so that only users with "update" permission to the `finalizers`
 subresource of the referenced *owner* can change it.
 -->
-该准入控制器保护对 `metadata.ownerReferences` 对象的访问，以便只有对该对象具有
-“删除” 权限的用户才能对其进行更改。
+此准入控制器保护对对象的 `metadata.ownerReferences` 的访问，以便只有对该对象具有
+“delete” 权限的用户才能对其进行更改。
 该准入控制器还保护对 `metadata.ownerReferences[x].blockOwnerDeletion` 对象的访问，
-以便只有对所引用的 **属主（owner）** 的 `finalizers` 子资源具有 “更新” 
+以便只有对所引用的 **属主（owner）** 的 `finalizers` 子资源具有 “update” 
 权限的用户才能对其进行更改。
 
 ### PersistentVolumeClaimResize {#persistentvolumeclaimresize}
 
-<!--
-This admission controller implements additional validations for checking incoming `PersistentVolumeClaim` resize requests.
--->
-该准入控制器检查传入的 `PersistentVolumeClaim` 调整大小请求，对其执行额外的验证操作。
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
-{{< note >}}
 <!--
-Support for volume resizing is available as a beta feature. As a cluster administrator,
-you must ensure that the feature gate `ExpandPersistentVolumes` is set
-to `true` to enable resizing.
+This admission controller implements additional validations for checking incoming
+`PersistentVolumeClaim` resize requests.
 -->
-对调整卷大小的支持是一种 Beta 特性。作为集群管理员，你必须确保特性门控 `ExpandPersistentVolumes`
-设置为 `true` 才能启用调整大小。
-{{< /note >}}
+此准入控制器检查传入的 `PersistentVolumeClaim` 调整大小请求，对其执行额外的验证检查操作。
 
 <!--
-After enabling the `ExpandPersistentVolumes` feature gate, enabling the `PersistentVolumeClaimResize` admission
-controller is recommended, too. This admission controller prevents resizing of all claims by default unless a claim's `StorageClass`
+Enabling the `PersistentVolumeClaimResize` admission controller is recommended.
+This admission controller prevents resizing of all claims by default unless a claim's `StorageClass`
  explicitly enables resizing by setting `allowVolumeExpansion` to `true`.
 
 For example: all `PersistentVolumeClaim`s created from the following `StorageClass` support volume expansion:
 -->
-启用 `ExpandPersistentVolumes` 特性门控之后，建议将 `PersistentVolumeClaimResize`
-准入控制器也启用。除非 PVC 的 `StorageClass` 明确地将 `allowVolumeExpansion` 设置为
-`true` 来显式启用调整大小。否则，默认情况下该准入控制器会阻止所有对 PVC 大小的调整。
+建议启用 `PersistentVolumeClaimResize` 准入控制器。除非 PVC 的 `StorageClass` 明确地将
+`allowVolumeExpansion` 设置为 `true` 来显式启用调整大小。
+否则，默认情况下该准入控制器会阻止所有对 PVC 大小的调整。
 
 例如：由以下 `StorageClass` 创建的所有 `PersistentVolumeClaim` 都支持卷容量扩充：
 
@@ -1038,7 +993,7 @@ allowVolumeExpansion: true
 For more information about persistent volume claims, see [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims).
 -->
 关于持久化卷申领的更多信息，请参见
-[PersistentVolumeClaims](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)。
+[PersistentVolumeClaim](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)。
 
 ### PersistentVolumeLabel {#persistentvolumelabel} 
 
@@ -1052,15 +1007,15 @@ region and/or zone.
 If the admission controller doesn't support automatic labelling your PersistentVolumes, you
 may need to add the labels manually to prevent pods from mounting volumes from
 a different zone. PersistentVolumeLabel is DEPRECATED and labeling persistent volumes has been taken over by
-[cloud controller manager](/docs/tasks/administer-cluster/running-cloud-controller/).
+the {{< glossary_tooltip text="cloud-controller-manager" term_id="cloud-controller-manager" >}}.
 Starting from 1.11, this admission controller is disabled by default.
 -->
-该准入控制器会自动将区（region）或区域（zone）标签附加到由云提供商（如 GCE、AWS）
-定义的 PersistentVolume。这有助于确保 Pod 和 PersistentVolume 位于相同的区或区域。
+此准入控制器会自动将由云提供商（如 GCE、AWS）定义的区（region）或区域（zone）
+标签附加到 PersistentVolume 上。这有助于确保 Pod 和 PersistentVolume 位于相同的区或区域。
 如果准入控制器不支持为 PersistentVolumes 自动添加标签，那你可能需要手动添加标签，
 以防止 Pod 挂载其他区域的卷。
-PersistentVolumeLabel 已被废弃，标记持久卷已由
-[云管理控制器](/zh/docs/tasks/administer-cluster/running-cloud-controller/)接管。
+PersistentVolumeLabel 已被弃用，为持久卷添加标签的操作已由
+{{< glossary_tooltip text="云管理控制器" term_id="cloud-controller-manager" >}}接管。
 从 1.11 开始，默认情况下禁用此准入控制器。
 
 ### PodNodeSelector {#podnodeselector}
@@ -1068,70 +1023,56 @@ PersistentVolumeLabel 已被废弃，标记持久卷已由
 {{< feature-state for_k8s_version="v1.5" state="alpha" >}}
 
 <!--
-This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration.
+This admission controller defaults and limits what node selectors may be used within a namespace
+by reading a namespace annotation and a global configuration.
 -->
-该准入控制器通过读取名字空间注解和全局配置，来为名字空间中可以使用的节点选择器
-设置默认值并实施限制。
+此准入控制器通过读取名字空间注解和全局配置，来为名字空间中可以使用的节点选择器设置默认值并实施限制。
 
 <!--
-#### Configuration File Format
+#### Configuration file format
 
 `PodNodeSelector` uses a configuration file to set options for the behavior of the backend.
 Note that the configuration file format will move to a versioned file in a future release.
 This file may be json or yaml and has the following format:
 -->
-#### 配置文件格式
+#### 配置文件格式    {#configuration-file-format-podnodeselector}
 
-`PodNodeSelector` 使用配置文件来设置后端行为的选项。
-请注意，配置文件格式将在将来某个版本中改为版本化文件。
+`PodNodeSelector` 使用配置文件来设置后端行为的选项。请注意，配置文件格式将在将来某个版本中改为版本化文件。
 该文件可以是 JSON 或 YAML，格式如下：
 
 ```yaml
 podNodeSelectorPluginConfig:
- clusterDefaultNodeSelector: name-of-node-selector
- namespace1: name-of-node-selector
- namespace2: name-of-node-selector
+  clusterDefaultNodeSelector: name-of-node-selector
+  namespace1: name-of-node-selector
+  namespace2: name-of-node-selector
 ```
 
 <!--
-Reference the `PodNodeSelector` configuration file from the file provided to the API server's command line flag `--admission-control-config-file`:
+Reference the `PodNodeSelector` configuration file from the file provided to the API server's
+command line flag `--admission-control-config-file`:
 -->
-基于提供给 API 服务器命令行标志 `--admission-control-config-file` 的文件名，
-从文件中引用 `PodNodeSelector` 配置文件：
+通过 API 服务器命令行标志 `--admission-control-config-file` 为 API 服务器提供的文件中，
+需要引用 `PodNodeSelector` 配置文件：
 
-{{< tabs name="podnodeselector_example1" >}}
-{{% tab name="apiserver.config.k8s.io/v1" %}}
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
 plugins:
-- name: PodNodeSelector
-  path: podnodeselector.yaml
+  - name: PodNodeSelector
+    path: podnodeselector.yaml
 ...
 ```
-{{% /tab %}}
-{{% tab name="apiserver.k8s.io/v1alpha1" %}}
-```yaml
-# 在 v1.17 中废弃，以鼓励使用 apiserver.config.k8s.io/v1
-apiVersion: apiserver.k8s.io/v1alpha1
-kind: AdmissionConfiguration
-plugins:
-- name: PodNodeSelector
-  path: podnodeselector.yaml
-...
-```
-{{% /tab %}}
-{{< /tabs >}}
 
 <!--
 #### Configuration Annotation Format
 
-`PodNodeSelector` uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces.
+`PodNodeSelector` uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign
+node selectors to namespaces.
 -->
-#### 配置注解格式
+#### 配置注解格式   {#configuration-annotation-format}
 
-`PodNodeSelector` 使用键为 `scheduler.alpha.kubernetes.io/node-selector` 的注解
-为名字空间设置节点选择算符。
+`PodNodeSelector` 使用键为 `scheduler.alpha.kubernetes.io/node-selector`
+的注解为名字空间设置节点选择算符。
 
 ```yaml
 apiVersion: v1
@@ -1144,28 +1085,30 @@ metadata:
 
 <!--
 #### Internal Behavior
+
 This admission controller has the following behavior:
 -->
-#### 内部行为
+#### 内部行为   {#internal-behavior}
 
-该准入控制器行为如下：
+此准入控制器行为如下：
 
 <!--
-1. If the `Namespace` has an annotation with a key `scheduler.alpha.kubernetes.io/node-selector`, use its value as the
-node selector.
-2. If the namespace lacks such an annotation, use the `clusterDefaultNodeSelector` defined in the `PodNodeSelector`
-plugin configuration file as the node selector.
-3. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts result in rejection.
-4. Evaluate the pod's node selector against the namespace-specific allowed selector defined the plugin configuration file.
-Conflicts result in rejection.
+1. If the `Namespace` has an annotation with a key `scheduler.alpha.kubernetes.io/node-selector`,
+   use its value as the node selector.
+2. If the namespace lacks such an annotation, use the `clusterDefaultNodeSelector` defined in the
+   `PodNodeSelector` plugin configuration file as the node selector.
+3. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts
+   result in rejection.
+4. Evaluate the pod's node selector against the namespace-specific allowed selector defined the
+   plugin configuration file. Conflicts result in rejection.
 -->
 1. 如果 `Namespace` 的注解带有键 `scheduler.alpha.kubernetes.io/node-selector`，
    则将其值用作节点选择算符。
 2. 如果名字空间缺少此类注解，则使用 `PodNodeSelector` 插件配置文件中定义的
    `clusterDefaultNodeSelector` 作为节点选择算符。
-3. 评估 Pod 节点选择算符和名字空间节点选择算符是否存在冲突。存在冲突将导致拒绝。
+3. 评估 Pod 节点选择算符和名字空间节点选择算符是否存在冲突。存在冲突将拒绝 Pod。
 4. 评估 Pod 节点选择算符和特定于名字空间的被允许的选择算符所定义的插件配置文件是否存在冲突。
-   存在冲突将导致拒绝。
+   存在冲突将导致拒绝 Pod。
 
 {{< note >}}
 <!--
@@ -1189,8 +1132,8 @@ determines if it should be admitted based on the requested security context and
 See the [Pod Security Admission documentation](/docs/concepts/security/pod-security-admission/)
 for more information.
 -->
-这是下节已被废弃的 [PodSecurityPolicy](#podsecuritypolicy) 准入控制器的替代品。
-此准入控制器负责在创建和修改 Pod 时根据请求的安全上下文和
+这是下节所讨论的已被废弃的 [PodSecurityPolicy](#podsecuritypolicy) 准入控制器的替代品。
+此准入控制器负责在创建和修改 Pod 时，根据请求的安全上下文和
 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)
 来确定是否可以执行请求。
 
@@ -1212,31 +1155,33 @@ See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) d
 for more information.
 -->
 查看 [Pod 安全策略文档](/zh/docs/concepts/security/pod-security-policy/)
-了解更多细节。
+进一步了解其间细节。
 
 ### PodTolerationRestriction {#podtolerationrestriction}
 
 {{< feature-state for_k8s_version="v1.7" state="alpha" >}}
 
 <!--
-The PodTolerationRestriction admission controller verifies any conflict between tolerations of a pod and the tolerations of its namespace.
+The PodTolerationRestriction admission controller verifies any conflict between tolerations of a
+pod and the tolerations of its namespace.
 It rejects the pod request if there is a conflict.
 It then merges the tolerations annotated on the namespace into the tolerations of the pod.
 The resulting tolerations are checked against a list of allowed tolerations annotated to the namespace.
 If the check succeeds, the pod request is admitted otherwise it is rejected.
 -->
-准入控制器 PodTolerationRestriction 检查 Pod 的容忍度与其名字空间的容忍度之间
-是否存在冲突。如果存在冲突，则拒绝 Pod 请求。
-然后，它将名字空间的容忍度合并到 Pod 的容忍度中，之后根据名字空间的容忍度
-白名单检查所得到的容忍度结果。如果检查成功，则将接受 Pod 请求，否则拒绝该请求。
+准入控制器 PodTolerationRestriction 检查 Pod 的容忍度与其名字空间的容忍度之间是否存在冲突。
+如果存在冲突，则拒绝 Pod 请求。
+控制器接下来会将名字空间的容忍度合并到 Pod 的容忍度中，
+根据名字空间的容忍度白名单检查所得到的容忍度结果。
+如果检查成功，则将接受 Pod 请求，否则拒绝该请求。
 
 <!--
 If the namespace of the pod does not have any associated default tolerations or allowed
 tolerations annotated, the cluster-level default tolerations or cluster-level list of allowed tolerations are used
 instead if they are specified.
 -->
-如果 Pod 的名字空间没有任何关联的默认容忍度或容忍度白名单，则使用集群级别的
-默认容忍度或容忍度白名单（如果有的话）。
+如果 Pod 的名字空间没有任何关联的默认容忍度或容忍度白名单，
+则使用集群级别的默认容忍度或容忍度白名单（如果有的话）。
 
 <!--
 Tolerations to a namespace are assigned via the `scheduler.alpha.kubernetes.io/defaultTolerations` annotation key.
@@ -1244,7 +1189,7 @@ The list of allowed tolerations can be added via the `scheduler.alpha.kubernetes
 
 Example for namespace annotations:
 -->
-名字空间的容忍度通过注解健 `scheduler.alpha.kubernetes.io/defaultTolerations`
+名字空间的容忍度通过注解键 `scheduler.alpha.kubernetes.io/defaultTolerations`
 来设置。可接受的容忍度可以通过 `scheduler.alpha.kubernetes.io/tolerationsWhitelist`
 注解键来添加。
 
@@ -1263,7 +1208,9 @@ metadata:
 <!--
 ### Priority {#priority}
 
-The priority admission controller uses the `priorityClassName` field and populates the integer value of the priority. If the priority class is not found, the Pod is rejected.
+The priority admission controller uses the `priorityClassName` field and populates the integer
+value of the priority.
+If the priority class is not found, the Pod is rejected.
 -->
 ### 优先级 {#priority}
 
@@ -1273,21 +1220,22 @@ The priority admission controller uses the `priorityClassName` field and populat
 ### ResourceQuota {#resourcequota}
 
 <!--
-This admission controller will observe the incoming request and ensure that it does not violate any of the constraints
-enumerated in the `ResourceQuota` object in a `Namespace`.  If you are using `ResourceQuota`
-objects in your Kubernetes deployment, you MUST use this admission controller to enforce quota constraints.
+This admission controller will observe the incoming request and ensure that it does not violate
+any of the constraints enumerated in the `ResourceQuota` object in a `Namespace`.  If you are
+using `ResourceQuota` objects in your Kubernetes deployment, you MUST use this admission
+controller to enforce quota constraints.
 -->
-该准入控制器会监测传入的请求，并确保它不违反任何一个 `Namespace` 中的 `ResourceQuota`
-对象中枚举出来的约束。
-如果你在 Kubernetes 部署中使用了 `ResourceQuota`，你必须使用这个准入控制器来强制
-执行配额限制。
+此准入控制器会监测传入的请求，并确保它不违反任何一个 `Namespace` 中的 `ResourceQuota`
+对象中列举的约束。如果你在 Kubernetes 部署中使用了 `ResourceQuota`，
+则必须使用这个准入控制器来强制执行配额限制。
 
 <!--
-See the [resourceQuota design doc](https://git.k8s.io/community/contributors/design-proposals/resource-management/admission_control_resource_quota.md) and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for more details.
+See the [ResourceQuota API reference](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
+and the [example of Resource Quota](/docs/concepts/policy/resource-quotas/) for more details.
 -->
-请查看
-[resourceQuota 设计文档](https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md)和 [Resource Quota 例子](/zh/docs/concepts/policy/resource-quotas/)
-了解更多细节。
+请参阅
+[resourceQuota API 参考](/zh/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
+和 [Resource Quota 例子](/zh/docs/concepts/policy/resource-quotas/)了解更多细节。
 
 
 <!--
@@ -1295,34 +1243,26 @@ See the [resourceQuota design doc](https://git.k8s.io/community/contributors/des
 
 {{< feature-state for_k8s_version="v1.20" state="stable" >}}
 
-If you enable the `PodOverhead` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/), and define a RuntimeClass with [Pod overhead](/docs/concepts/scheduling-eviction/pod-overhead/) configured, this admission controller checks incoming
-Pods. When enabled, this admission controller rejects any Pod create requests that have the overhead already set.
-For Pods that have a  RuntimeClass is configured and selected in their `.spec`, this admission controller sets `.spec.overhead` in the Pod based on the value defined in the corresponding RuntimeClass.
-
-{{< note >}}
-The `.spec.overhead` field for Pod and the `.overhead` field for RuntimeClass are both in beta. If you do not enable the `PodOverhead` feature gate, all Pods are treated as if `.spec.overhead` is unset.
-{{< /note >}}
+If you define a RuntimeClass with [Pod overhead](/docs/concepts/scheduling-eviction/pod-overhead/)
+configured, this admission controller checks incoming Pods.
+When enabled, this admission controller rejects any Pod create requests
+that have the overhead already set.
+For Pods that have a RuntimeClass configured and selected in their `.spec`,
+this admission controller sets `.spec.overhead` in the Pod based on the value
+defined in the corresponding RuntimeClass.
 
 See also [Pod Overhead](/docs/concepts/scheduling-eviction/pod-overhead/)
 for more information.
 -->
 ### RuntimeClass {#runtimeclass}
 
-+{{< feature-state for_k8s_version="v1.20" state="stable" >}}
+{{< feature-state for_k8s_version="v1.20" state="stable" >}}
 
-如果你开启 `PodOverhead`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/),
-并且通过 [Pod 开销](/zh/docs/concepts/scheduling-eviction/pod-overhead/)
-配置来定义一个 RuntimeClass，这个准入控制器会检查新的 Pod。
-当启用的时候，这个准入控制器会拒绝任何 overhead 字段已经设置的 Pod。
+如果你所定义的 RuntimeClass 包含 [Pod 开销](/zh/docs/concepts/scheduling-eviction/pod-overhead/)，
+这个准入控制器会检查新的 Pod。被启用后，此准入控制器会拒绝所有已经设置了 overhead 字段的 Pod 创建请求。
 对于配置了 RuntimeClass 并在其 `.spec` 中选定 RuntimeClass 的 Pod，
 此准入控制器会根据相应 RuntimeClass 中定义的值为 Pod 设置 `.spec.overhead`。
 
-{{< note >}}
-Pod 的 `.spec.overhead` 字段和 RuntimeClass 的 `.overhead` 字段均为处于 beta 版本。
-如果你未启用 `PodOverhead` 特性门控，则所有 Pod 均被视为未设置 `.spec.overhead`。
-{{< /note >}}
-
 详情请参见 [Pod 开销](/zh/docs/concepts/scheduling-eviction/pod-overhead/)。
 
 ### SecurityContextDeny {#securitycontextdeny}
@@ -1340,14 +1280,13 @@ then you could use this admission controller to restrict the set of values a sec
 See [Pod Security Standards](/docs/concepts/security/pod-security-standards/) for more context on restricting
 pod privileges.
 -->
-该准入控制器将拒绝任何试图设置特定提升
+此准入控制器将拒绝任何试图设置特定提升
 [SecurityContext](/zh/docs/tasks/configure-pod-container/security-context/)
-字段的 Pod，正如任务
-[为 Pod 或 Container 配置安全上下文](/zh/docs/tasks/configure-pod-container/security-context/)
-中所展示的那样。
-如果集群没有使用 [Pod 安全性准入](/zh/docs/concepts/security/pod-security-admission/)、
-[PodSecurityPolicies](/zh/docs/concepts/security/pod-security-policy/)，
-也没有任何外部执行机制，那么你可以使用此准入控制器来限制安全上下文所能获取的值集。
+中某些字段的 Pod，正如任务[为 Pod 或 Container 配置安全上下文](/zh/docs/tasks/configure-pod-container/security-context/)
+中所展示的那样。如果集群没有使用
+[Pod 安全性准入](/zh/docs/concepts/security/pod-security-admission/)、
+[PodSecurityPolicy](/zh/docs/concepts/security/pod-security-policy/)，
+也没有任何外部强制机制，那么你可以使用此准入控制器来限制安全上下文所能获取的值集。
 
 有关限制 Pod 权限的更多内容，请参阅 
 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)。
@@ -1357,14 +1296,15 @@ pod privileges.
 <!--
 This admission controller implements automation for
 [serviceAccounts](/docs/tasks/configure-pod-container/configure-service-account/).
-We strongly recommend using this admission controller if you intend to make use of Kubernetes `ServiceAccount` objects.
+We strongly recommend using this admission controller if you intend to make use of Kubernetes
+`ServiceAccount` objects.
 -->
 此准入控制器实现了
 [ServiceAccount](/zh/docs/tasks/configure-pod-container/configure-service-account/)
 的自动化。
 如果你打算使用 Kubernetes 的 ServiceAccount 对象，我们强烈建议你使用这个准入控制器。
 
-### StorageObjectInUseProtection
+### StorageObjectInUseProtection   {#storageobjectinuseprotection}
 
 <!--
 The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection`
@@ -1376,24 +1316,24 @@ Refer to the
 for more detailed information.
 -->
 `StorageObjectInUseProtection` 插件将 `kubernetes.io/pvc-protection` 或
-`kubernetes.io/pv-protection` finalizers 添加到新创建的持久化卷声明（PVC）
-或持久化卷（PV）中。
-如果用户尝试删除 PVC/PV，除非 PVC/PV 的保护控制器移除 finalizers，否则
-PVC/PV 不会被删除。
-有关更多详细信息，请参考
+`kubernetes.io/pv-protection` finalizers 添加到新创建的持久卷申领（PVC）
+或持久卷（PV）中。如果用户尝试删除 PVC/PV，除非 PVC/PV 的保护控制器移除 finalizers，
+否则 PVC/PV 不会被删除。有关更多详细信息，请参考
 [保护使用中的存储对象](/zh/docs/concepts/storage/persistent-volumes/#storage-object-in-use-protection)。
 
-### TaintNodesByCondition {#taintnodesbycondition} 
+### TaintNodesByCondition {#taintnodesbycondition}
 
 {{< feature-state for_k8s_version="v1.17" state="stable" >}}
 
 <!--
-This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods to be scheduled on new Nodes before their taints were updated to accurately reflect their reported conditions.
+This admission controller {{< glossary_tooltip text="taints" term_id="taint" >}} newly created
+Nodes as `NotReady` and `NoSchedule`. That tainting avoids a race condition that could cause Pods
+to be scheduled on new Nodes before their taints were updated to accurately reflect their reported
+conditions.
 -->
-该准入控制器为新创建的节点添加 `NotReady` 和 `NoSchedule` 
-{{< glossary_tooltip text="污点" term_id="taint" >}}。
-这些污点能够避免一些竞态条件的发生，这类静态条件可能导致 Pod 在更新节点污点以准确
-反映其所报告状况之前，就被调度到新节点上。
+该准入控制器为新创建的节点添加 `NotReady` 和 `NoSchedule` {{< glossary_tooltip text="污点" term_id="taint" >}}。
+这些污点能够避免一些竞态条件的发生，而这类竞态条件可能导致 Pod
+在更新节点污点以准确反映其所报告状况之前，就被调度到新节点上。
 
 ### ValidatingAdmissionWebhook {#validatingadmissionwebhook} 
 
@@ -1403,18 +1343,18 @@ webhooks are called in parallel; if any of them rejects the request, the request
 fails. This admission controller only runs in the validation phase; the webhooks it calls may not
 mutate the object, as opposed to the webhooks called by the `MutatingAdmissionWebhook` admission controller.
 -->
-该准入控制器调用与请求匹配的所有验证 Webhook。
+此准入控制器调用与请求匹配的所有验证性 Webhook。
 匹配的 Webhook 将被并行调用。如果其中任何一个拒绝请求，则整个请求将失败。
-该准入控制器仅在验证（Validating）阶段运行；与 `MutatingAdmissionWebhook` 准入控制器
-所调用的 Webhook 相反，它调用的 Webhook 应该不会使对象出现变更。
+该准入控制器仅在验证（Validating）阶段运行；与 `MutatingAdmissionWebhook`
+准入控制器所调用的 Webhook 相反，它调用的 Webhook 不可以变更对象。
 
 <!--
 If a webhook called by this has side effects (for example, decrementing quota) it
 *must* have a reconciliation system, as it is not guaranteed that subsequent
 webhooks or other validating admission controllers will permit the request to finish.
 -->
-如果以此方式调用的 Webhook 有其它作用（如，降低配额），则它必须具有协调机制。
-这是因为无法保证后续的 Webhook 或其他有效的准入控制器都允许请求完成。
+如果以此方式调用的 Webhook 有其它副作用（如：减少配额），则它必须具有协调机制。
+这是因为无法保证后续的 Webhook 或其他验证性准入控制器都允许请求完成。
 
 <!--
 If you disable the ValidatingAdmissionWebhook, you must also disable the
@@ -1423,14 +1363,17 @@ group/version via the `--runtime-config` flag (both are on by default in
 versions 1.9 and later).
 -->
 如果你禁用了 ValidatingAdmissionWebhook，还必须通过 `--runtime-config` 标志来禁用
-`admissionregistration.k8s.io/v1` 组/版本中的  `ValidatingWebhookConfiguration`
-对象（默认情况下在 1.9 版和更高版本中均处于启用状态）。
-
+`admissionregistration.k8s.io/v1` 组/版本中的 `ValidatingWebhookConfiguration`
+对象（默认情况下在 v1.9 和更高版本中均处于启用状态）。
 
 <!--
 ## Is there a recommended set of admission controllers to use?
 
-Yes. The recommended admission controllers are enabled by default (shown [here](/docs/reference/command-line-tools-reference/kube-apiserver/#options)), so you do not need to explicitly specify them. You can enable additional admission controllers beyond the default set using the `--enable-admission-plugins` flag (**order doesn't matter**).
+Yes. The recommended admission controllers are enabled by default
+(shown [here](/docs/reference/command-line-tools-reference/kube-apiserver/#options)),
+so you do not need to explicitly specify them.
+You can enable additional admission controllers beyond the default set using the
+`--enable-admission-plugins` flag (**order doesn't matter**).
 -->
 ## 有推荐的准入控制器吗？
 
@@ -1439,10 +1382,3 @@ Yes. The recommended admission controllers are enabled by default (shown [here](
 因此，你无需显式指定它们。
 你可以使用 `--enable-admission-plugins` 标志（ **顺序不重要** ）来启用默认设置以外的其他准入控制器。
 
-{{< note >}}
-<!--
-`--admission-control` was deprecated in 1.10 and replaced with `--enable-admission-plugins`.
--->
-`--admission-control` 在 1.10 中已废弃，由 `--enable-admission-plugins` 取代。
-{{< /note >}}
-
diff --git a/content/zh/docs/reference/access-authn-authz/authentication.md b/content/zh-cn/docs/reference/access-authn-authz/authentication.md
similarity index 89%
rename from content/zh/docs/reference/access-authn-authz/authentication.md
rename to content/zh-cn/docs/reference/access-authn-authz/authentication.md
index 5bde8a2a4098b..c9b05082b0906 100644
--- a/content/zh/docs/reference/access-authn-authz/authentication.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/authentication.md
@@ -47,7 +47,7 @@ Kubernetes 假定普通用户是由一个与集群无关的服务通过以下方
 - 类似 Keystone 或者 Google Accounts 这类用户数据库
 - 包含用户名和密码列表的文件
 
-有鉴于此，_Kubernetes 并不包含用来代表普通用户账号的对象_。
+有鉴于此，**Kubernetes 并不包含用来代表普通用户账号的对象**。
 普通用户的信息无法通过 API 调用添加到集群中。
 
 <!--
@@ -61,12 +61,13 @@ resource. For more details, refer to the normal users topic in
 [certificate request](/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user)
 for more details about this.
 -->
-尽管无法通过 API 调用来添加普通用户，Kubernetes 仍然认为能够提供由集群的证书
-机构签名的合法证书的用户是通过身份认证的用户。基于这样的配置，Kubernetes
-使用证书中的 'subject' 的通用名称（Common Name）字段（例如，"/CN=bob"）来
-确定用户名。接下来，基于角色访问控制（RBAC）子系统会确定用户是否有权针对
-某资源执行特定的操作。进一步的细节可参阅
-[证书请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user)
+尽管无法通过 API 调用来添加普通用户，
+Kubernetes 仍然认为能够提供由集群的证书机构签名的合法证书的用户是通过身份认证的用户。
+基于这样的配置，Kubernetes 使用证书中的 'subject' 的通用名称（Common Name）字段
+（例如，"/CN=bob"）来确定用户名。
+接下来，基于角色访问控制（RBAC）子系统会确定用户是否有权针对某资源执行特定的操作。
+进一步的细节可参阅
+[证书请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user)
 下普通用户主题。
 
 <!--
@@ -83,15 +84,13 @@ of the control plane, must authenticate when making requests to the API server,
 or be treated as an anonymous user.
 -->
 与此不同，服务账号是 Kubernetes API 所管理的用户。它们被绑定到特定的名字空间，
-或者由 API 服务器自动创建，或者通过 API 调用创建。服务账号与一组以 Secret 保存
-的凭据相关，这些凭据会被挂载到 Pod 中，从而允许集群内的进程访问 Kubernetes
-API。
+或者由 API 服务器自动创建，或者通过 API 调用创建。服务账号与一组以 Secret
+保存的凭据相关，这些凭据会被挂载到 Pod 中，从而允许集群内的进程访问 Kubernetes API。
 
-API 请求则或者与某普通用户相关联，或者与某服务账号相关联，亦或者被视作
-[匿名请求](#anonymous-requests)。这意味着集群内外的每个进程在向 API 服务器发起
-请求时都必须通过身份认证，否则会被视作匿名用户。这里的进程可以是在某工作站上
-输入 `kubectl` 命令的操作人员，也可以是节点上的 `kubelet` 组件，还可以是控制面
-的成员。
+API 请求则或者与某普通用户相关联，或者与某服务账号相关联，
+亦或者被视作[匿名请求](#anonymous-requests)。这意味着集群内外的每个进程在向 API
+服务器发起请求时都必须通过身份认证，否则会被视作匿名用户。这里的进程可以是在某工作站上输入
+`kubectl` 命令的操作人员，也可以是节点上的 `kubelet` 组件，还可以是控制面的成员。
 
 <!--
 ## Authentication strategies
@@ -116,8 +115,8 @@ Kubernetes 通过身份认证插件利用客户端证书、持有者令牌（Bea
 * 用户 ID：用来辩识最终用户的字符串，旨在比用户名有更好的一致性和唯一性。
 * 用户组：取值为一组字符串，其中各个字符串用来标明用户是某个命名的用户逻辑集合的成员。
   常见的值可能是 `system:masters` 或者 `devops-team` 等。
-* 附加字段：一组额外的键-值映射，键是字符串，值是一组字符串；用来保存一些鉴权组件可能
-  觉得有用的额外信息。
+* 附加字段：一组额外的键-值映射，键是字符串，值是一组字符串；
+  用来保存一些鉴权组件可能觉得有用的额外信息。
 
 <!--
 All values are opaque to the authentication system and only hold significance
@@ -128,9 +127,8 @@ You can enable multiple authentication methods at once. You should usually use a
 - service account tokens for service accounts
 - at least one other method for user authentication.
 -->
-所有（属性）值对于身份认证系统而言都是不透明的，只有被
-[鉴权组件](/zh/docs/reference/access-authn-authz/authorization/)
-解释过之后才有意义。
+所有（属性）值对于身份认证系统而言都是不透明的，
+只有被[鉴权组件](/zh-cn/docs/reference/access-authn-authz/authorization/)解释过之后才有意义。
 
 你可以同时启用多种身份认证方法，并且你通常会至少使用两种方法：
 
@@ -148,14 +146,14 @@ Integrations with other authentication protocols (LDAP, SAML, Kerberos, alternat
 can be accomplished using an [authenticating proxy](#authenticating-proxy) or the
 [authentication webhook](#webhook-token-authentication).
 -->
-当集群中启用了多个身份认证模块时，第一个成功地对请求完成身份认证的模块会
-直接做出评估决定。API 服务器并不保证身份认证模块的运行顺序。
+当集群中启用了多个身份认证模块时，第一个成功地对请求完成身份认证的模块会直接做出评估决定。
+API 服务器并不保证身份认证模块的运行顺序。
 
 对于所有通过身份认证的用户，`system:authenticated` 组都会被添加到其组列表中。
 
-与其它身份认证协议（LDAP、SAML、Kerberos、X509 的替代模式等等）都可以通过
-使用一个[身份认证代理](#authenticating-proxy)或
-[身份认证 Webhoook](#webhook-token-authentication)来实现。
+与其它身份认证协议（LDAP、SAML、Kerberos、X509 的替代模式等等）
+都可以通过使用一个[身份认证代理](#authenticating-proxy)或[身份认证 Webhoook](#webhook-token-authentication)
+来实现。
 
 <!--
 ### X509 Client Certs
@@ -174,8 +172,8 @@ For example, using the `openssl` command line tool to generate a certificate sig
 
 通过给 API 服务器传递 `--client-ca-file=SOMEFILE` 选项，就可以启动客户端证书身份认证。
 所引用的文件必须包含一个或者多个证书机构，用来验证向 API 服务器提供的客户端证书。
-如果提供了客户端证书并且证书被验证通过，则 subject 中的公共名称（Common Name）就被
-作为请求的用户名。
+如果提供了客户端证书并且证书被验证通过，则 subject 中的公共名称（Common Name）
+就被作为请求的用户名。
 自 Kubernetes 1.4 开始，客户端证书还可以通过证书的 organization 字段标明用户的组成员信息。
 要包含用户的多个组成员信息，可以在证书种包含多个 organization 字段。
 
@@ -193,7 +191,7 @@ See [Managing Certificates](/docs/tasks/administer-cluster/certificates/) for ho
 此命令将使用用户名 `jbeda` 生成一个证书签名请求（CSR），且该用户属于 "app" 和
 "app2" 两个用户组。
 
-参阅[管理证书](/zh/docs/tasks/administer-cluster/certificates/)了解如何生成客户端证书。
+参阅[管理证书](/zh-cn/docs/tasks/administer-cluster/certificates/)了解如何生成客户端证书。
 
 <!--
 ### Static Token File
@@ -206,21 +204,16 @@ followed by optional group names.
 -->
 ### 静态令牌文件  {#static-token-file}
 
-当 API 服务器的命令行设置了 `--token-auth-file=SOMEFILE` 选项时，会从文件中
-读取持有者令牌。目前，令牌会长期有效，并且在不重启 API 服务器的情况下
-无法更改令牌列表。
+当 API 服务器的命令行设置了 `--token-auth-file=SOMEFILE` 选项时，会从文件中读取持有者令牌。
+目前，令牌会长期有效，并且在不重启 API 服务器的情况下无法更改令牌列表。
 
 令牌文件是一个 CSV 文件，包含至少 3 个列：令牌、用户名和用户的 UID。
 其余列被视为可选的组名。
 
+{{< note >}}
 <!--
 If you have more than one group the column must be double quoted e.g.
-
-```conf
-token,user,uid,"group1,group2,group3"
-```
 -->
-{{< note >}}
 如果要设置的组名不止一个，则对应的列必须用双引号括起来，例如
 
 ```conf
@@ -241,12 +234,10 @@ header as shown below.
 -->
 #### 在请求中放入持有者令牌   {#putting-a-bearer-token-in-a-request}
 
-当使用持有者令牌来对某 HTTP 客户端执行身份认证时，API 服务器希望看到
-一个名为 `Authorization` 的 HTTP 头，其值格式为 `Bearer <token>`。
-持有者令牌必须是一个可以放入 HTTP 头部值字段的字符序列，至多可使用
-HTTP 的编码和引用机制。
-例如：如果持有者令牌为 `31ada4fd-adec-460c-809a-9e56ceb75269`，则其
-出现在 HTTP 头部时如下所示：
+当使用持有者令牌来对某 HTTP 客户端执行身份认证时，API 服务器希望看到一个名为
+`Authorization` 的 HTTP 头，其值格式为 `Bearer <token>`。
+持有者令牌必须是一个可以放入 HTTP 头部值字段的字符序列，至多可使用 HTTP 的编码和引用机制。
+例如：如果持有者令牌为 `31ada4fd-adec-460c-809a-9e56ceb75269`，则其出现在 HTTP 头部时如下所示：
 
 ```http
 Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
@@ -267,7 +258,7 @@ dynamically managed and created. Controller Manager contains a TokenCleaner
 controller that deletes bootstrap tokens as they expire.
 -->
 为了支持平滑地启动引导新的集群，Kubernetes 包含了一种动态管理的持有者令牌类型，
-称作 *启动引导令牌（Bootstrap Token）*。
+称作 **启动引导令牌（Bootstrap Token）**。
 这些令牌以 Secret 的形式保存在 `kube-system` 名字空间中，可以被动态管理和创建。
 控制器管理器包含的 `TokenCleaner` 控制器能够在启动引导令牌过期时将其删除。
 
@@ -276,8 +267,8 @@ The tokens are of the form `[a-z0-9]{6}.[a-z0-9]{16}`.  The first component is a
 Token ID and the second component is the Token Secret.  You specify the token
 in an HTTP header as follows:
 -->
-这些令牌的格式为 `[a-z0-9]{6}.[a-z0-9]{16}`。第一个部分是令牌的 ID；第二个部分
-是令牌的 Secret。你可以用如下所示的方式来在 HTTP 头部设置令牌：
+这些令牌的格式为 `[a-z0-9]{6}.[a-z0-9]{16}`。第一个部分是令牌的 ID；
+第二个部分是令牌的 Secret。你可以用如下所示的方式来在 HTTP 头部设置令牌：
 
 ```http
 Authorization: Bearer 781292.db7bc3a58fc5f07e
@@ -290,8 +281,7 @@ the TokenCleaner controller via the `-controllers` flag on the Controller
 Manager.  This is done with something like `-controllers=*,tokencleaner`.
 `kubeadm` will do this for you if you are using it to bootstrap a cluster.
 -->
-你必须在 API 服务器上设置 `--enable-bootstrap-token-auth` 标志来启用基于启动
-引导令牌的身份认证组件。
+你必须在 API 服务器上设置 `--enable-bootstrap-token-auth` 标志来启用基于启动引导令牌的身份认证组件。
 你必须通过控制器管理器的 `--controllers` 标志来启用 TokenCleaner 控制器；
 这可以通过类似 `--controllers=*,tokencleaner` 这种设置来做到。
 如果你使用 `kubeadm` 来启动引导新的集群，该工具会帮你完成这些设置。
@@ -306,17 +296,16 @@ cluster.
 -->
 身份认证组件的认证结果为 `system:bootstrap:<令牌 ID>`，该用户属于
 `system:bootstrappers` 用户组。
-这里的用户名和组设置都是有意设计成这样，其目的是阻止用户在启动引导集群之后
-继续使用这些令牌。
-这里的用户名和组名可以用来（并且已经被 `kubeadm` 用来）构造合适的鉴权
-策略，以完成启动引导新集群的工作。
+这里的用户名和组设置都是有意设计成这样，其目的是阻止用户在启动引导集群之后继续使用这些令牌。
+这里的用户名和组名可以用来（并且已经被 `kubeadm` 用来）构造合适的鉴权策略，
+以完成启动引导新集群的工作。
 
 <!--
 Please see [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) for in depth
 documentation on the Bootstrap Token authenticator and controllers along with
 how to manage these tokens with `kubeadm`.
 -->
-请参阅[启动引导令牌](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
+请参阅[启动引导令牌](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
 以了解关于启动引导令牌身份认证组件与控制器的更深入的信息，以及如何使用
 `kubeadm` 来管理这些令牌。
 
@@ -332,8 +321,8 @@ If unspecified, the API server's TLS private key will be used.
 -->
 ### 服务账号令牌   {#service-account-tokens}
 
-服务账号（Service Account）是一种自动被启用的用户认证机制，使用经过签名的
-持有者令牌来验证请求。该插件可接受两个可选参数：
+服务账号（Service Account）是一种自动被启用的用户认证机制，使用经过签名的持有者令牌来验证请求。
+该插件可接受两个可选参数：
 
 * `--service-account-key-file` 一个包含用来为持有者令牌签名的 PEM 编码密钥。
   若未指定，则使用 API 服务器的 TLS 私钥。
@@ -348,15 +337,15 @@ talk to the API server. Accounts may be explicitly associated with pods using th
 `serviceAccountName` field of a `PodSpec`.
 -->
 服务账号通常由 API 服务器自动创建并通过 `ServiceAccount`
-[准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
+[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
 关联到集群中运行的 Pod 上。
 持有者令牌会挂载到 Pod 中可预知的位置，允许集群内进程与 API 服务器通信。
 服务账号也可以使用 Pod 规约的 `serviceAccountName` 字段显式地关联到 Pod 上。
 
+{{< note >}}
 <!--
 `serviceAccountName` is usually omitted because this is done automatically.
 -->
-{{< note >}}
 `serviceAccountName` 通常会被忽略，因为关联关系是自动建立的。
 {{< /note >}}
 
@@ -385,10 +374,10 @@ Kubernetes API. To manually create a service account, use the `kubectl create
 serviceaccount (NAME)` command. This creates a service account in the current
 namespace and an associated secret.
 -->
-在集群外部使用服务账号持有者令牌也是完全合法的，且可用来为长时间运行的、需要与
-Kubernetes  API 服务器通信的任务创建标识。要手动创建服务账号，可以使用
-`kubectl create serviceaccount <名称>` 命令。此命令会在当前的名字空间中生成一个
-服务账号和一个与之关联的 Secret。
+在集群外部使用服务账号持有者令牌也是完全合法的，且可用来为长时间运行的、需要与 Kubernetes
+API 服务器通信的任务创建标识。要手动创建服务账号，可以使用
+`kubectl create serviceaccount <名称>` 命令。
+此命令会在当前的名字空间中生成一个服务账号和一个与之关联的 Secret。
 
 ```bash
 kubectl create serviceaccount jenkins
@@ -420,8 +409,7 @@ secrets:
 The created secret holds the public CA of the API server and a signed JSON Web
 Token (JWT).
 -->
-所创建的 Secret 中会保存 API 服务器的公开的 CA 证书和一个已签名的 JSON Web
-令牌（JWT）。
+所创建的 Secret 中会保存 API 服务器的公开的 CA 证书和一个已签名的 JSON Web 令牌（JWT）。
 
 ```bash
 kubectl get secret jenkins-token-1yvwg -o yaml
@@ -452,10 +440,10 @@ metadata:
 type: kubernetes.io/service-account-token
 ```
 
+{{< note >}}
 <!--
 Values are base64 encoded because secrets are always base64 encoded.
 -->
-{{< note >}}
 字段值是按 Base64 编码的，这是因为 Secret 数据总是采用 Base64 编码来存储。
 {{< /note >}}
 
@@ -481,8 +469,8 @@ when granting permissions to service accounts and read capabilities for secrets.
 服务账号被身份认证后，所确定的用户名为 `system:serviceaccount:<名字空间>:<服务账号>`，
 并被分配到用户组 `system:serviceaccounts` 和 `system:serviceaccounts:<名字空间>`。
 
-警告：由于服务账号令牌保存在 Secret 对象中，任何能够读取这些 Secret 的用户
-都可以被认证为对应的服务账号。在为用户授予访问服务账号的权限时，以及对 Secret
+警告：由于服务账号令牌保存在 Secret 对象中，任何能够读取这些 Secret
+的用户都可以被认证为对应的服务账号。在为用户授予访问服务账号的权限时，以及对 Secret
 的读权限时，要格外小心。
 
 <!--
@@ -511,8 +499,8 @@ as a bearer token.  See [above](#putting-a-bearer-token-in-a-request) for how th
 is included in a request.
 -->
 要识别用户，身份认证组件使用 OAuth2
-[令牌响应](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)
-中的 `id_token`（而非 `access_token`）作为持有者令牌。
+[令牌响应](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)中的
+`id_token`（而非 `access_token`）作为持有者令牌。
 关于如何在请求中设置令牌，可参见[前文](#putting-a-bearer-token-in-a-request)。
 
 {{< mermaid >}}
@@ -626,9 +614,8 @@ wish to utilize multiple OAuth clients should explore providers which support th
 `azp` (authorized party) claim, a mechanism for allowing one client to issue
 tokens on behalf of another.
 -->
-很重要的一点是，API 服务器并非一个 OAuth2 客户端，相反，它只能被配置为
-信任某一个令牌发放者。这使得使用公共服务（如 Google）的用户可以不信任发放给
-第三方的凭据。
+很重要的一点是，API 服务器并非一个 OAuth2 客户端，相反，它只能被配置为信任某一个令牌发放者。
+这使得使用公共服务（如 Google）的用户可以不信任发放给第三方的凭据。
 如果管理员希望使用多个 OAuth 客户端，他们应该研究一下那些支持 `azp`
 （Authorized Party，被授权方）申领的服务。
 `azp` 是一种允许某客户端代替另一客户端发放令牌的机制。
@@ -643,8 +630,8 @@ CloudFoundry [UAA](https://github.com/cloudfoundry/uaa), or
 Tremolo Security's [OpenUnison](https://openunison.github.io/).
 -->
 Kubernetes 并未提供 OpenID Connect 的身份服务。
-你可以使用现有的公共的 OpenID Connect 身份服务（例如 Google 或者
-[其他服务](https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/openid-connect-providers)）。
+你可以使用现有的公共的 OpenID Connect 身份服务
+（例如 Google 或者[其他服务](https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/openid-connect-providers)）。
 或者，你也可以选择自己运行一个身份服务，例如
 CoreOS [dex](https://github.com/coreos/dex)、
 [Keycloak](https://github.com/keycloak/keycloak)、
@@ -672,12 +659,10 @@ Or you can use [this similar script](https://raw.githubusercontent.com/TremoloSe
 关于上述第三条需求，即要求具备 CA 签名的证书，有一些额外的注意事项。
 如果你部署了自己的身份服务，而不是使用云厂商（如 Google 或 Microsoft）所提供的服务，
 你必须对身份服务的 Web 服务器证书进行签名，签名所用证书的 `CA` 标志要设置为
-`TRUE`，即使用的是自签名证书。这是因为 GoLang 的 TLS 客户端实现对证书验证
-标准方面有非常严格的要求。如果你手头没有现成的 CA 证书，可以使用 CoreOS
+`TRUE`，即使用的是自签名证书。这是因为 GoLang 的 TLS 客户端实现对证书验证标准方面有非常严格的要求。如果你手头没有现成的 CA 证书，可以使用 CoreOS
 团队所开发的[这个脚本](https://github.com/dexidp/dex/blob/master/examples/k8s/gencert.sh)
 来创建一个简单的 CA 和被签了名的证书与密钥对。
-或者你也可以使用
-[这个类似的脚本](https://raw.githubusercontent.com/TremoloSecurity/openunison-qs-kubernetes/master/src/main/bash/makessl.sh)，
+或者你也可以使用[这个类似的脚本](https://raw.githubusercontent.com/TremoloSecurity/openunison-qs-kubernetes/master/src/main/bash/makessl.sh)，
 生成一个合法期更长、密钥尺寸更大的 SHA256 证书。
 
 <!--
@@ -700,10 +685,10 @@ Providers that don't return an `id_token` as part of their refresh token respons
 -->
 #### 使用 kubectl   {#using-kubectl}
 
-##### 选项一 - OIDC 身份认证组件
+##### 选项一：OIDC 身份认证组件
 
-第一种方案是使用 kubectl 的 `oidc` 身份认证组件，该组件将 `id_token` 设置
-为所有请求的持有者令牌，并且在令牌过期时自动刷新。在你登录到你的身份服务之后，
+第一种方案是使用 kubectl 的 `oidc` 身份认证组件，该组件将 `id_token` 设置为所有请求的持有者令牌，
+并且在令牌过期时自动刷新。在你登录到你的身份服务之后，
 可以使用 kubectl 来添加你的 `id_token`、`refresh_token`、`client_id` 和
 `client_secret`，以配置该插件。
 
@@ -769,7 +754,7 @@ Once your `id_token` expires, `kubectl` will attempt to refresh your `id_token`
 
 The `kubectl` command lets you pass in a token using the `--token` option. Copy and paste the `id_token` into this option:
 -->
-##### 选项二 - 使用 `--token` 选项
+##### 选项二：使用 `--token` 选项
 
 `kubectl` 命令允许你使用 `--token` 选项传递一个令牌。
 你可以将 `id_token` 的内容复制粘贴过来，作为此标志的取值：
@@ -790,8 +775,8 @@ Webhook authentication is a hook for verifying bearer tokens.
 
 Webhook 身份认证是一种用来验证持有者令牌的回调机制。
 
-* `--authentication-token-webhook-config-file` 指向一个配置文件，其中描述
-  如何访问远程的 Webhook 服务。
+* `--authentication-token-webhook-config-file` 指向一个配置文件，
+  其中描述如何访问远程的 Webhook 服务。
 * `--authentication-token-webhook-cache-ttl` 用来设定身份认证决定的缓存时间。
   默认时长为 2 分钟。
 
@@ -800,7 +785,7 @@ The configuration file uses the [kubeconfig](/docs/concepts/configuration/organi
 file format. Within the file, `clusters` refers to the remote service and
 `users` refers to the API server webhook. An example would be:
 -->
-配置文件使用 [kubeconfig](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+配置文件使用 [kubeconfig](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 文件的格式。文件中，`clusters` 指代远程服务，`users` 指代远程 API 服务
 Webhook。下面是一个例子：
 
@@ -865,11 +850,10 @@ contexts:
 When a client attempts to authenticate with the API server using a bearer token as discussed [above](#putting-a-bearer-token-in-a-request),
 the authentication webhook POSTs a JSON-serialized `TokenReview` object containing the token to the remote service.
 -->
-当客户端尝试在 API 服务器上使用持有者令牌完成身份认证（
-如[前](#putting-a-bearer-token-in-a-request)所述）时，
+当客户端尝试在 API 服务器上使用持有者令牌完成身份认证
+（如[前](#putting-a-bearer-token-in-a-request)所述）时，
 身份认证 Webhook 会用 POST 请求发送一个 JSON 序列化的对象到远程服务。
-该对象是 `TokenReview` 对象，
-其中包含持有者令牌。
+该对象是 `TokenReview` 对象，其中包含持有者令牌。
 Kubernetes 不会强制请求提供此 HTTP 头部。
 
 <!--
@@ -877,10 +861,10 @@ Note that webhook API objects are subject to the same [versioning compatibility
 Implementers should check the `apiVersion` field of the request to ensure correct deserialization,
 and **must** respond with a `TokenReview` object of the same version as the request.
 -->
-要注意的是，Webhook API 对象和其他 Kubernetes API 对象一样，也要受到同一
-[版本兼容规则](/zh/docs/concepts/overview/kubernetes-api/)约束。
+要注意的是，Webhook API 对象和其他 Kubernetes API 对象一样，
+也要受到同一[版本兼容规则](/zh-cn/docs/concepts/overview/kubernetes-api/)约束。
 实现者应检查请求的 `apiVersion` 字段以确保正确的反序列化，
-并且**必须**以与请求相同版本的 `TokenReview` 对象进行响应。
+并且 **必须** 以与请求相同版本的 `TokenReview` 对象进行响应。
 
 
 {{< tabs name="TokenReview_request" >}}
@@ -891,7 +875,8 @@ The Kubernetes API server defaults to sending `authentication.k8s.io/v1beta1` to
 To opt into receiving `authentication.k8s.io/v1` token reviews, the API server must be started with `--authentication-token-webhook-version=v1`.
 -->
 Kubernetes API 服务器默认发送 `authentication.k8s.io/v1beta1` 令牌以实现向后兼容性。
-要选择接收 `authentication.k8s.io/v1` 令牌认证，API 服务器必须以 `--authentication-token-webhook-version=v1` 启动。
+要选择接收 `authentication.k8s.io/v1` 令牌认证，API 服务器必须带着参数
+`--authentication-token-webhook-version=v1` 启动。
 {{< /note >}}
 
 ```yaml
@@ -944,7 +929,7 @@ A successful validation of the bearer token would return:
 远程服务预计会填写请求的 `status` 字段以指示登录成功。
 响应正文的 `spec` 字段被忽略并且可以省略。
 远程服务必须使用它收到的相同 `TokenReview` API 版本返回响应。
-承载令牌的成功验证将返回：
+持有者令牌的成功验证将返回：
 
 {{< tabs name="TokenReview_response_success" >}}
 {{% tab name="authentication.k8s.io/v1" %}}
@@ -1066,22 +1051,24 @@ API 服务器可以配置成从请求的头部字段值（如 `X-Remote-User`）
 * `--requestheader-group-headers` 1.6+. Optional, case-insensitive. "X-Remote-Group" is suggested. Header names to check, in order, for the user's groups. All values in all specified headers are used as group names.
 * `--requestheader-extra-headers-prefix` 1.6+. Optional, case-insensitive. "X-Remote-Extra-" is suggested. Header prefixes to look for to determine extra information about the user (typically used by the configured authorization plugin). Any headers beginning with any of the specified prefixes have the prefix removed. The remainder of the header name is lowercased and [percent-decoded](https://tools.ietf.org/html/rfc3986#section-2.1) and becomes the extra key, and the header value is the extra value.
 -->
-* `--requestheader-username-headers` 必需字段，大小写不敏感。用来设置要获得用户身份所要检查的头部字段名称列表（有序）。第一个包含数值的字段会被用来提取用户名。
+* `--requestheader-username-headers` 必需字段，大小写不敏感。
+  用来设置要获得用户身份所要检查的头部字段名称列表（有序）。
+  第一个包含数值的字段会被用来提取用户名。
 * `--requestheader-group-headers` 可选字段，在 Kubernetes 1.6 版本以后支持，大小写不敏感。
   建议设置为 "X-Remote-Group"。用来指定一组头部字段名称列表，以供检查用户所属的组名称。
   所找到的全部头部字段的取值都会被用作用户组名。
 * `--requestheader-extra-headers-prefix` 可选字段，在 Kubernetes 1.6 版本以后支持，大小写不敏感。
-  建议设置为 "X-Remote-Extra-"。用来设置一个头部字段的前缀字符串，API 服务器会基于所给
-  前缀来查找与用户有关的一些额外信息。这些额外信息通常用于所配置的鉴权插件。
-  API 服务器会将与所给前缀匹配的头部字段过滤出来，去掉其前缀部分，将剩余部分
-  转换为小写字符串并在必要时执行[百分号解码](https://tools.ietf.org/html/rfc3986#section-2.1)
-  后，构造新的附加信息字段键名。原来的头部字段值直接作为附加信息字段的值。
+  建议设置为 "X-Remote-Extra-"。用来设置一个头部字段的前缀字符串，
+  API 服务器会基于所给前缀来查找与用户有关的一些额外信息。这些额外信息通常用于所配置的鉴权插件。
+  API 服务器会将与所给前缀匹配的头部字段过滤出来，去掉其前缀部分，将剩余部分转换为小写字符串，
+  并在必要时执行[百分号解码](https://tools.ietf.org/html/rfc3986#section-2.1)后，
+  构造新的附加信息字段键名。原来的头部字段值直接作为附加信息字段的值。
 
+{{< note >}}
 <!--
 Prior to 1.11.3 (and 1.10.7, 1.9.11), the extra key could only contain characters which were [legal in HTTP header labels](https://tools.ietf.org/html/rfc7230#section-3.2.6).
 For example, with this configuration:
 -->
-{{< note >}}
 在 1.13.3 版本之前（包括 1.10.7、1.9.11），附加字段的键名只能包含
 [HTTP 头部标签的合法字符](https://tools.ietf.org/html/rfc7230#section-3.2.6)。
 {{< /note >}}
@@ -1137,17 +1124,16 @@ the risks and the mechanisms to protect the CA's usage.
 * `--requestheader-allowed-names` Optional. List of Common Name values (CNs). If set, a valid client certificate with a CN in the specified list must be presented before the request headers are checked for user names. If empty, any CN is allowed.
 -->
 为了防范头部信息侦听，在请求中的头部字段被检视之前，
-身份认证代理需要向 API 服务器提供一份合法的客户端证书，
-供后者使用所给的 CA 来执行验证。
-警告：*不要* 在不同的上下文中复用 CA 证书，除非你清楚这样做的风险是什么以及
-应如何保护 CA 用法的机制。
+身份认证代理需要向 API 服务器提供一份合法的客户端证书，供后者使用所给的 CA 来执行验证。
+警告：**不要** 在不同的上下文中复用 CA 证书，除非你清楚这样做的风险是什么以及应如何保护
+CA 用法的机制。
 
 * `--requestheader-client-ca-file` 必需字段，给出 PEM 编码的证书包。
   在检查请求的头部字段以提取用户名信息之前，必须提供一个合法的客户端证书，
   且该证书要能够被所给文件中的机构所验证。
 * `--requestheader-allowed-names` 可选字段，用来给出一组公共名称（CN）。
-  如果此标志被设置，则在检视请求中的头部以提取用户信息之前，必须提供
-  包含此列表中所给的 CN 名的、合法的客户端证书。
+  如果此标志被设置，则在检视请求中的头部以提取用户信息之前，
+  必须提供包含此列表中所给的 CN 名的、合法的客户端证书。
 
 <!--
 ## Anonymous requests
@@ -1158,9 +1144,9 @@ treated as anonymous requests, and given a username of `system:anonymous` and a
 -->
 ## 匿名请求   {#anonymous-requests}
 
-启用匿名请求支持之后，如果请求没有被已配置的其他身份认证方法拒绝，则被视作
-匿名请求（Anonymous Requests）。这类请求获得用户名 `system:anonymous` 和
-对应的用户组 `system:unauthenticated`。
+启用匿名请求支持之后，如果请求没有被已配置的其他身份认证方法拒绝，
+则被视作匿名请求（Anonymous Requests）。这类请求获得用户名 `system:anonymous`
+和对应的用户组 `system:unauthenticated`。
 
 <!--
 For example, on a server with token authentication configured, and anonymous access enabled,
@@ -1170,9 +1156,8 @@ A request providing no bearer token would be treated as an anonymous request.
 In 1.5.1-1.5.x, anonymous access is disabled by default, and can be enabled by
 passing the `--anonymous-auth=true` option to the API server.
 -->
-例如，在一个配置了令牌身份认证且启用了匿名访问的服务器上，如果请求提供了非法的
-持有者令牌，则会返回 `401 Unauthorized` 错误。
-如果请求没有提供持有者令牌，则被视为匿名请求。
+例如，在一个配置了令牌身份认证且启用了匿名访问的服务器上，如果请求提供了非法的持有者令牌，
+则会返回 `401 Unauthorized` 错误。如果请求没有提供持有者令牌，则被视为匿名请求。
 
 在 1.5.1-1.5.x 版本中，匿名访问默认情况下是被禁用的，可以通过为 API 服务器设定
 `--anonymous-auth=true` 来启用。
@@ -1186,8 +1171,8 @@ that grant access to the `*` user or `*` group do not include anonymous users.
 -->
 在 1.6 及之后版本中，如果所使用的鉴权模式不是 `AlwaysAllow`，则匿名访问默认是被启用的。
 从 1.6 版本开始，ABAC 和 RBAC 鉴权模块要求对 `system:anonymous` 用户或者
-`system:unauthenticated` 用户组执行显式的权限判定，所以之前的为 `*` 用户或
-`*` 用户组赋予访问权限的策略规则都不再包含匿名用户。
+`system:unauthenticated` 用户组执行显式的权限判定，所以之前的为用户 `*` 或用户组
+`*` 赋予访问权限的策略规则都不再包含匿名用户。
 
 <!--
 ## User impersonation
@@ -1214,10 +1199,10 @@ to the impersonated user info.
 * Request user info is replaced with impersonation values.
 * Request is evaluated, authorization acts on impersonated user info.
 -->
-带伪装的请求首先会被身份认证识别为发出请求的用户，之后会切换到使用被伪装的用户
-的用户信息。
+带伪装的请求首先会被身份认证识别为发出请求的用户，
+之后会切换到使用被伪装的用户的用户信息。
 
-* 用户发起 API 调用时 _同时_ 提供自身的凭据和伪装头部字段信息
+* 用户发起 API 调用时 **同时** 提供自身的凭据和伪装头部字段信息
 * API 服务器对用户执行身份认证
 * API 服务器确认通过认证的用户具有伪装特权
 * 请求用户的信息被替换成伪装字段的值
@@ -1238,19 +1223,17 @@ The following HTTP headers can be used to performing an impersonation request:
   可选字段；要求 "Impersonate-User" 必须被设置。
 * `Impersonate-Extra-<附加名称>`：一个动态的头部字段，用来设置与用户相关的附加字段。
   此字段可选；要求 "Impersonate-User" 被设置。为了能够以一致的形式保留，
-  `<附加名称>`部分必须是小写字符，如果有任何字符不是
-  [合法的 HTTP 头部标签字符](https://tools.ietf.org/html/rfc7230#section-3.2.6)，
+  `<附加名称>`部分必须是小写字符，
+  如果有任何字符不是[合法的 HTTP 头部标签字符](https://tools.ietf.org/html/rfc7230#section-3.2.6)，
   则必须是 utf8 字符，且转换为[百分号编码](https://tools.ietf.org/html/rfc3986#section-2.1)。
 * `Impersonate-Uid`：一个唯一标识符，用来表示所伪装的用户。此头部可选。
-  如果设置，则要求 "Impersonate-User" 也存在。
-  Kubernetes 对此字符串没有格式要求。
+  如果设置，则要求 "Impersonate-User" 也存在。Kubernetes 对此字符串没有格式要求。
 
+{{< note >}}
 <!--
 Prior to 1.11.3 (and 1.10.7, 1.9.11), `( extra name )` could only contain characters which were [legal in HTTP header labels](https://tools.ietf.org/html/rfc7230#section-3.2.6).
 -->
-{{< note >}}
-在 1.11.3 版本之前（以及 1.10.7、1.9.11），`<附加名称>` 只能包含
-合法的 HTTP 标签字符。
+在 1.11.3 版本之前（以及 1.10.7、1.9.11），`<附加名称>` 只能包含合法的 HTTP 标签字符。
 {{< /note >}}
 
 {{< note >}}
@@ -1379,31 +1362,45 @@ kind: ClusterRole
 metadata:
   name: limited-impersonator
 rules:
-# 可以伪装成用户 "jane.doe@example.com"
-- apiGroups: [""]
-  resources: ["users"]
-  verbs: ["impersonate"]
-  resourceNames: ["jane.doe@example.com"]
-
-# 可以伪装成用户组 "developers" 和 "admins"
-- apiGroups: [""]
-  resources: ["groups"]
-  verbs: ["impersonate"]
-  resourceNames: ["developers","admins"]
-
-# 可以将附加字段 "scopes" 伪装成 "view" 和 "development"
-- apiGroups: ["authentication.k8s.io"]
-  resources: ["userextras/scopes"]
-  verbs: ["impersonate"]
-  resourceNames: ["view", "development"]
-
-# 可以伪装 UID "06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b"
-- apiGroups: ["authentication.k8s.io"]
-  resources: ["uids"]
-  verbs: ["impersonate"]
-  resourceNames: ["06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b"]
+  # 可以伪装成用户 "jane.doe@example.com"
+  - apiGroups: [""]
+    resources: ["users"]
+    verbs: ["impersonate"]
+    resourceNames: ["jane.doe@example.com"]
+  
+  # 可以伪装成用户组 "developers" 和 "admins"
+  - apiGroups: [""]
+    resources: ["groups"]
+    verbs: ["impersonate"]
+    resourceNames: ["developers","admins"]
+  
+  # 可以将附加字段 "scopes" 伪装成 "view" 和 "development"
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["userextras/scopes"]
+    verbs: ["impersonate"]
+    resourceNames: ["view", "development"]
+  
+  # 可以伪装 UID "06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b"
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["uids"]
+    verbs: ["impersonate"]
+    resourceNames: ["06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b"]
 ```
 
+{{< note >}}
+<!--
+Impersonating a user or group allows you to perform any action as if you were that user or group;
+for that reason, impersonation is not namespace scoped.
+If you want to allow impersonation using Kubernetes RBAC, 
+this requires using a `ClusterRole` and a `ClusterRoleBinding`,
+not a `Role` and `RoleBinding`.
+-->
+基于伪装成一个用户或用户组的能力，你可以执行任何操作，好像你就是那个用户或用户组一样。
+出于这一原因，伪装操作是不受名字空间约束的。
+如果你希望允许使用 Kubernetes RBAC 来执行身份伪装，就需要使用 `ClusterRole`
+和 `ClusterRoleBinding`，而不是 `Role` 或 `RoleBinding`。
+{{< /note >}}
+
 <!--
 ## client-go credential plugins
 -->
@@ -1421,11 +1418,11 @@ protocol specific logic, then returns opaque credentials to use. Almost all cred
 use cases require a server side component with support for the [webhook token authenticator](#webhook-token-authentication)
 to interpret the credential format produced by the client plugin.
 -->
-`k8s.io/client-go` 及使用它的工具（如 `kubectl` 和 `kubelet`）可以执行某个外部
-命令来获得用户的凭据信息。
+`k8s.io/client-go` 及使用它的工具（如 `kubectl` 和 `kubelet`）
+可以执行某个外部命令来获得用户的凭据信息。
 
-这一特性的目的是便于客户端与 `k8s.io/client-go` 并不支持的身份认证协议（LDAP、
-Kerberos、OAuth2、SAML 等）继承。
+这一特性的目的是便于客户端与 `k8s.io/client-go` 并不支持的身份认证协议
+（LDAP、Kerberos、OAuth2、SAML 等）继承。
 插件实现特定于协议的逻辑，之后返回不透明的凭据以供使用。
 几乎所有的凭据插件使用场景中都需要在服务器端存在一个支持
 [Webhook 令牌身份认证组件](#webhook-token-authentication)的模块，
@@ -1441,10 +1438,10 @@ to install a credential plugin on their workstation.
 -->
 ### 示例应用场景   {#example-use-case}
 
-在一个假想的应用场景中，某组织运行这一个外部的服务，能够将特定用户的已签名的
-令牌转换成 LDAP 凭据。此服务还能够对
-[Webhook 令牌身份认证组件](#webhook-token-authentication)的请求做出响应以
-验证所提供的令牌。用户需要在自己的工作站上安装一个凭据插件。
+在一个假想的应用场景中，某组织运行这一个外部的服务，能够将特定用户的已签名的令牌转换成
+LDAP 凭据。此服务还能够对
+[Webhook 令牌身份认证组件](#webhook-token-authentication)的请求做出响应以验证所提供的令牌。
+用户需要在自己的工作站上安装一个凭据插件。
 
 <!--
 To authenticate against the API:
@@ -1460,8 +1457,8 @@ To authenticate against the API:
 * 用户发出 `kubectl` 命令。
 * 凭据插件提示用户输入 LDAP 凭据，并与外部服务交互，获得令牌。
 * 凭据插件将令牌返回该 client-go，后者将其用作持有者令牌提交给 API 服务器。
-* API 服务器使用[Webhook 令牌身份认证组件](#webhook-token-authentication)向
-  外部服务发出 `TokenReview` 请求。
+* API 服务器使用 [Webhook 令牌身份认证组件](#webhook-token-authentication)向外部服务发出
+  `TokenReview` 请求。
 * 外部服务检查令牌上的签名，返回用户的用户名和用户组信息。
 
 <!--
@@ -1472,7 +1469,7 @@ as part of the user fields.
 -->
 ### 配置  {#configuration}
 
-凭据插件通过 [kubectl 配置文件](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
+凭据插件通过 [kubectl 配置文件](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 来作为 user 字段的一部分设置。
 
 {{< tabs name="exec_plugin_kubeconfig_example_1" >}}
@@ -1562,7 +1559,6 @@ users:
       command: "example-client-go-exec-plugin"
 
       # 解析 ExecCredentials 资源时使用的 API 版本。必需。
-      #
       # 插件返回的 API 版本必需与这里列出的版本匹配。
       #
       # 要与支持多个版本的工具（如 client.authentication.k8s.io/v1beta1）集成，
@@ -1706,7 +1702,6 @@ users:
       command: "example-client-go-exec-plugin"
 
       # 解析 ExecCredentials 资源时使用的 API 版本。必需。
-      #
       # 插件返回的 API 版本必需与这里列出的版本匹配。
       #
       # 要与支持多个版本的工具（如 client.authentication.k8s.io/v1）集成，
@@ -1823,7 +1818,7 @@ and required in `client.authentication.k8s.io/v1`.
 输入对象中的 `spec.interactive` 字段来确定是否提供了 `stdin`。
 插件的 `stdin` 需求（即，为了能够让插件成功运行，是否 `stdin` 是可选的、
 必须提供的或者从不会被使用的）是通过 
-[kubeconfig](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 中的 `user.exec.interactiveMode` 来声明的（参见下面的表格了解合法值）。
 字段 `user.exec.interactiveMode` 在 `client.authentication.k8s.io/v1beta1`
 中是可选的，在 `client.authentication.k8s.io/v1` 中是必需的。
@@ -1848,7 +1843,7 @@ and required in `client.authentication.k8s.io/v1`.
 To use bearer token credentials, the plugin returns a token in the status of the
 [`ExecCredential`](/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential)
 -->
-与使用持有者令牌凭据，插件在 [`ExecCredential`](/zh/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential)
+与使用持有者令牌凭据，插件在 [`ExecCredential`](/zh-cn/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredential)
 的状态中返回一个令牌：
 
 {{< tabs name="exec_plugin_ExecCredential_example_1" >}}
@@ -1933,8 +1928,7 @@ Presence or absence of an expiry has the following impact:
 - If an expiry is omitted, the bearer token and TLS credentials are cached until
   the server responds with a 401 HTTP status code or until the process exits.
 -->
-作为一种可选方案，响应中还可以包含以
-[RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339)
+作为一种可选方案，响应中还可以包含以 [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339)
 时间戳格式给出的证书到期时间。
 证书到期时间的有无会有如下影响：
 
@@ -1979,7 +1973,7 @@ credential acquisition logic.
 The following `ExecCredential` manifest describes a cluster information sample.
 -->
 为了让 exec 插件能够获得特定与集群的信息，可以在
-[kubeconfig](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 中的 `user.exec` 设置 `provideClusterInfo`。
 这一特定于集群的信息就会通过 `KUBERNETES_EXEC_INFO` 环境变量传递给插件。
 此环境变量中的信息可以用来执行特定于集群的凭据获取逻辑。
@@ -2034,6 +2028,6 @@ The following `ExecCredential` manifest describes a cluster information sample.
 * Read the [client authentication reference (v1beta1)](/docs/reference/config-api/client-authentication.v1beta1/)
 * Read the [client authentication reference (v1)](/docs/reference/config-api/client-authentication.v1/)
 -->
-* 阅读[客户端认证参考文档 (v1beta1)](/zh/docs/reference/config-api/client-authentication.v1beta1/)
-* 阅读[客户端认证参考文档 (v1)](/zh/docs/reference/config-api/client-authentication.v1/)
+* 阅读[客户端认证参考文档 (v1beta1)](/zh-cn/docs/reference/config-api/client-authentication.v1beta1/)
+* 阅读[客户端认证参考文档 (v1)](/zh-cn/docs/reference/config-api/client-authentication.v1/)
 
diff --git a/content/zh/docs/reference/access-authn-authz/authorization.md b/content/zh-cn/docs/reference/access-authn-authz/authorization.md
similarity index 100%
rename from content/zh/docs/reference/access-authn-authz/authorization.md
rename to content/zh-cn/docs/reference/access-authn-authz/authorization.md
diff --git a/content/zh/docs/reference/access-authn-authz/bootstrap-tokens.md b/content/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens.md
similarity index 92%
rename from content/zh/docs/reference/access-authn-authz/bootstrap-tokens.md
rename to content/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens.md
index 0960a967165ab..961517d5ad815 100644
--- a/content/zh/docs/reference/access-authn-authz/bootstrap-tokens.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens.md
@@ -21,14 +21,14 @@ creating new clusters or joining new nodes to an existing cluster.  It was built
 to support [kubeadm](/docs/reference/setup-tools/kubeadm/), but can be used in other contexts
 for users that wish to start clusters without `kubeadm`. It is also built to
 work, via RBAC policy, with the
-[Kubelet TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) system.
+[Kubelet TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) system.
 -->
 启动引导令牌是一种简单的持有者令牌（Bearer Token），这种令牌是在新建集群
 或者在现有集群中添加新节点时使用的。
-它被设计成能够支持 [`kubeadm`](/zh/docs/reference/setup-tools/kubeadm/)，
+它被设计成能够支持 [`kubeadm`](/zh-cn/docs/reference/setup-tools/kubeadm/)，
 但是也可以被用在其他的案例中以便用户在不使用 `kubeadm` 的情况下启动集群。
 它也被设计成可以通过 RBAC 策略，结合
-[Kubelet TLS 启动引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+[Kubelet TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 系统进行工作。
 
 <!-- body -->
@@ -108,12 +108,16 @@ controller on the controller manager.
 
 过期的令牌可以通过启用控制器管理器中的 `tokencleaner` 控制器来删除。
 
+```
+--controllers=*,tokencleaner
+```
+
 <!--
 ## Bootstrap Token Secret Format
 
 Each valid token is backed by a secret in the `kube-system` namespace.  You can
 find the full design doc
-[here](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md).
+[here](https://github.com/kubernetes/design-proposals-archive/blob/main/cluster-lifecycle/bootstrap-discovery.md).
 
 Here is what the secret looks like.
 -->
@@ -121,7 +125,7 @@ Here is what the secret looks like.
 
 每个合法的令牌背后对应着 `kube-system` 名字空间中的某个 Secret 对象。
 你可以从
-[这里](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md)
+[这里](https://github.com/kubernetes/design-proposals-archive/blob/main/cluster-lifecycle/bootstrap-discovery.md)
 找到完整设计文档。
 
 这是 Secret 看起来的样子。
@@ -142,10 +146,11 @@ stringData:
 
   # 令牌 ID 和秘密信息，必需。
   token-id: 07401b
-  token-secret: base64(f395accd246ae52d)
+  token-secret: f395accd246ae52d
 
   # 可选的过期时间字段
-  expiration: "2017-03-10T03:22:11Z"
+  expiration: 2017-03-10T03:22:11Z
+
   # 允许的用法
   usage-bootstrap-authentication: "true"
   usage-bootstrap-signing: "true"
@@ -197,7 +202,7 @@ You can use the `kubeadm` tool to manage tokens on a running cluster. See the
 ## 使用 `kubeadm` 管理令牌   {#token-management-with-kubeadm}
 
 你可以使用 `kubeadm` 工具管理运行中集群上的令牌。
-参见 [kubeadm token 文档](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/)
+参见 [kubeadm token 文档](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/)
 以了解详细信息。
 
 <!--
@@ -259,7 +264,7 @@ data:
 ```
 
 <!--
-The `kubeconfig` member of the ConfigMap is a config file with just the cluster
+The `kubeconfig` member of the ConfigMap is a config file with only the cluster
 information filled out.  The key thing being communicated here is the
 `certificate-authority-data`.  This may be expanded in the future.
 -->
@@ -280,7 +285,7 @@ is used.
 `kubeconfig` 的载荷进行编码。完成编码的载荷会被插入到两个句点中间，形成完整的
 JWS。你可以使用完整的令牌（比如 `07401b.f395accd246ae52d`）作为共享密钥，
 通过 `HS256` 方式 (HMAC-SHA256) 对 JWS 进行校验。
-用户 _必须_ 确保使用了 HS256。
+用户**必须**确保使用了 HS256。
 
 {{< warning >}}
 <!--
@@ -298,6 +303,6 @@ client relying on the signature to bootstrap TLS trust.
 Consult the [kubeadm implementation details](/docs/reference/setup-tools/kubeadm/implementation-details/)
 section for more information.
 -->
-参考 [kubeadm 实现细节](/zh/docs/reference/setup-tools/kubeadm/implementation-details/)
+参考 [kubeadm 实现细节](/zh-cn/docs/reference/setup-tools/kubeadm/implementation-details/)
 了解更多信息。
 
diff --git a/content/zh/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests.md
similarity index 100%
rename from content/zh/docs/reference/access-authn-authz/certificate-signing-requests.md
rename to content/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests.md
diff --git a/content/zh/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
similarity index 100%
rename from content/zh/docs/reference/access-authn-authz/extensible-admission-controllers.md
rename to content/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers.md
diff --git a/content/zh/docs/reference/command-line-tools-reference/kubelet-authentication-authorization.md b/content/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz.md
similarity index 100%
rename from content/zh/docs/reference/command-line-tools-reference/kubelet-authentication-authorization.md
rename to content/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz.md
diff --git a/content/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md b/content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
similarity index 94%
rename from content/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md
rename to content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
index 62aff4d4c20db..05a3a8d81ba21 100644
--- a/content/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
@@ -132,7 +132,7 @@ In the bootstrap initialization process, the following occurs:
 9. Certificate is created for the kubelet
 -->
 1. kubelet 启动
-2. kubelet 看到自己 *没有* 对应的 `kubeconfig` 文件
+2. kubelet 看到自己**没有**对应的 `kubeconfig` 文件
 3. kubelet 搜索并发现 `bootstrap-kubeconfig` 文件
 4. kubelet 读取该启动引导文件，从中获得 API 服务器的 URL 和用途有限的
    一个“令牌（Token）”
@@ -302,10 +302,10 @@ requests related to certificate provisioning. With RBAC in place, scoping the
 tokens to a group allows for great flexibility. For example, you could disable a
 particular bootstrap group's access when you are done provisioning the nodes.
 -->
-随着这个功能特性的逐渐成熟，你需要确保令牌绑定到某基于角色的的访问控制（RBAC）
+随着这个功能特性的逐渐成熟，你需要确保令牌绑定到某基于角色的访问控制（RBAC）
 策略上，从而严格限制请求（使用[启动引导令牌](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)）
-仅限于客户端申请提供证书。当 RBAC 被配置启用时，可以将令牌限制到某个组，从而
-提高灵活性。例如，你可以在准备节点期间禁止某特定启动引导组的访问。
+仅限于客户端申请提供证书。当 RBAC 被配置启用时，可以将令牌限制到某个组，
+从而提高灵活性。例如，你可以在准备节点期间禁止某特定启动引导组的访问。
 
 <!--
 #### Bootstrap tokens
@@ -338,7 +338,7 @@ for TLS bootstrapping.
 -->
 从 kubelet 的角度，所有令牌看起来都很像，没有特别的含义。
 从 kube-apiserver 服务器的角度，启动引导令牌是很特殊的。
-根据其 `type`、`namespace` 和 `name`，kube-apiserver 能够将认作特殊的令牌，
+根据其 `type`、`namespace` 和 `name`，kube-apiserver 能够将其认作特殊的令牌，
 并授予携带该令牌的任何人特殊的启动引导权限，换言之，将其视为
 `system:bootstrappers` 组的成员。这就满足了 TLS 启动引导的基本需求。
 
@@ -366,8 +366,8 @@ systems). There are multiple ways you can generate a token. For example:
 #### 令牌认证文件    {#token-authentication-file}
 
 kube-apiserver 能够将令牌视作身份认证依据。
-这些令牌可以是任意数据，但必须表示为基于某安全的随机数生成器而得到的
-至少 128 位混沌数据。这里的随机数生成器可以是现代 Linux 系统上的
+这些令牌可以是任意数据，但必须表示为基于某安全的随机数生成器而得到的至少
+128 位混沌数据。这里的随机数生成器可以是现代 Linux 系统上的
 `/dev/urandom`。生成令牌的方式有很多种。例如：
 
 ```shell
@@ -380,10 +380,10 @@ will generate tokens that look like `02b50b05283e98dd0fd71db496ef01e8`.
 The token file should look like the following example, where the first three
 values can be anything and the quoted group name should be as depicted:
 -->
-上面的命令会生成类似于 `02b50b05283e98dd0fd71db496ef01e8` 这样的令牌。 
+上面的命令会生成类似于 `02b50b05283e98dd0fd71db496ef01e8` 这样的令牌。
 
-令牌文件看起来是下面的例子这样，其中前面三个值可以是任何值，用引号括起来
-的组名称则只能用例子中给的值。
+令牌文件看起来是下面的例子这样，其中前面三个值可以是任何值，
+用引号括起来的组名称则只能用例子中给的值。
 
 ```console
 02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:bootstrappers"
@@ -413,7 +413,7 @@ To do this, you only need to create a `ClusterRoleBinding` that binds the `syste
 -->
 ### 授权 kubelet 创建 CSR    {#authorize-kubelet-to-create-csr}
 
-现在启动引导节点被身份认证为 `system:bootstrapping` 组的成员，它需要被 _授权_
+现在启动引导节点被身份认证为 `system:bootstrapping` 组的成员，它需要被**授权**
 创建证书签名请求（CSR）并在证书被签名之后将其取回。
 幸运的是，Kubernetes 提供了一个 `ClusterRole`，其中精确地封装了这些许可，
 `system:node-bootstrapper`。
@@ -491,7 +491,7 @@ To provide the Kubernetes CA key and certificate to kube-controller-manager, use
 由于这些被签名的证书反过来会被 kubelet 用来在 kube-apiserver 执行普通的
 kubelet 身份认证，很重要的一点是为控制器管理器所提供的 CA 也被 kube-apiserver
 信任用来执行身份认证。CA 密钥和证书是通过 kube-apiserver 的标志
-`--client-ca-file=FILENAME`（例如，`--client-ca-file=/var/lib/kubernetes/ca.pem`)，
+`--client-ca-file=FILENAME`（例如，`--client-ca-file=/var/lib/kubernetes/ca.pem`），
 来设定的，正如 kube-apiserver 配置节所述。
 
 要将 Kubernetes CA 密钥和证书提供给 kube-controller-manager，可使用以下标志：
@@ -593,18 +593,18 @@ roleRef:
 <!--
 The `csrapproving` controller that ships as part of
 [kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled
-by default. The controller uses the [`SubjectAccessReview`
-API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
+by default. The controller uses the
+[`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
 determine if a given user is authorized to request a CSR, then approves based on
 the authorization outcome. To prevent conflicts with other approvers, the
 builtin approver doesn't explicitly deny CSRs. It only ignores unauthorized
 requests. The controller also prunes expired certificates as part of garbage
 collection.
 -->
-作为 [kube-controller-manager](/zh/docs/reference/generated/kube-controller-manager/)
+作为 [kube-controller-manager](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
 的一部分的 `csrapproving` 控制器是自动被启用的。
 该控制器使用 [`SubjectAccessReview` API](/zh/docs/reference/access-authn-authz/authorization/#checking-api-access)
-来确定是否某给定用户被授权请求 CSR，之后基于鉴权结果执行批复操作。
+来确定给定用户是否被授权请求 CSR，之后基于鉴权结果执行批复操作。
 为了避免与其它批复组件发生冲突，内置的批复组件不会显式地拒绝任何 CSRs。
 该组件仅是忽略未被授权的请求。
 控制器也会作为垃圾收集的一部分清除已过期的证书。
@@ -612,7 +612,7 @@ collection.
 <!--
 ## kubelet configuration
 
-Finally, with the control plane properly set up and all of the necessary authentication and authorization in place, we can configure the kubelet.
+Finally, with the control plane nodes properly set up and all of the necessary authentication and authorization in place, we can configure the kubelet.
 -->
 ## kubelet 配置   {#kubelet-configuration}
 
@@ -678,7 +678,7 @@ The important elements to note are:
 
 * `certificate-authority`：指向 CA 文件的路径，用来对 kube-apiserver 所出示
   的服务器证书进行验证
-* `server`： 用来访问 kube-apiserver 的 URL
+* `server`：用来访问 kube-apiserver 的 URL
 * `token`：要使用的令牌
 
 <!--
@@ -733,7 +733,7 @@ uses to authenticate to kube-apiserver.
 -->
 ### 客户和服务证书   {#client-and-serving-certificates}
 
-前文所述的内容都与 kubelet _客户端_ 证书相关，尤其是 kubelet 用来向
+前文所述的内容都与 kubelet **客户端**证书相关，尤其是 kubelet 用来向
 kube-apiserver 认证自身身份的证书。
 
 <!--
@@ -744,7 +744,7 @@ To secure these, the kubelet can do one of:
 * create self-signed key and certificate, if a key and certificate are not provided
 * request serving certificates from the cluster server, via the CSR API
 -->
-kubelet 也可以使用 _服务（Serving）_ 证书。kubelet 自身向外提供一个
+kubelet 也可以使用**服务（Serving）**证书。kubelet 自身向外提供一个
 HTTPS 末端，包含若干功能特性。要保证这些末端的安全性，kubelet 可以执行以下操作
 之一：
 
@@ -814,9 +814,9 @@ controller, or manually approve the serving certificate requests.
 -->
 Kubernetes 核心中所实现的 CSR 批复控制器出于
 [安全原因](https://github.com/kubernetes/community/pull/1982)
-并不会自动批复节点的 _服务_ 证书。
-要使用 `RotateKubeletServerCertificate` 功能特性，集群运维人员需要运行一个
-定制的控制器或者手动批复服务证书的请求。
+并不会自动批复节点的**服务**证书。
+要使用 `RotateKubeletServerCertificate` 功能特性，
+集群运维人员需要运行一个定制的控制器或者手动批复服务证书的请求。
 
 <!--
 A deployment-specific approval process for kubelet serving certificates should typically only approve CSRs which:
@@ -833,11 +833,11 @@ A deployment-specific approval process for kubelet serving certificates should t
 
 1. 由节点发出的请求（确保 `spec.username` 字段形式为 `system:node:<nodeName>`
    且 `spec.groups` 包含 `system:nodes`）
-2. 请求中包含服务证书用法（确保 `spec.usages` 中包含 `server auth`，可选地也可 
-   包含 `digital signature` 和 `key encipherment`，且不包含其它用法）
+2. 请求中包含服务证书用法（确保 `spec.usages` 中包含 `server auth`，可选地也可包含
+   `digital signature` 和 `key encipherment`，且不包含其它用法）
 3. 仅包含隶属于请求节点的 IP 和 DNS 的 `subjectAltNames`，没有 URI 和 Email
-   形式的 `subjectAltNames`（解析 `spec.request` 中的 x509 证书签名请求可以
-   检查 `subjectAltNames`）
+   形式的 `subjectAltNames`（解析 `spec.request` 中的 x509 证书签名请求可以检查
+   `subjectAltNames`）
 {{< /note >}}
 
 <!--
@@ -849,10 +849,9 @@ is part of the Kubernetes control plane and runs on every node, but may also inc
 -->
 ## 其它身份认证组件   {#other-authenticating-components}
 
-本文所描述的所有 TLS 启动引导内容都与 kubelet 相关。不过，其它组件也可能需要
-直接与 kube-apiserver 直接通信。容易想到的是 kube-proxy，同样隶属于
-Kubernetes 的控制面并且运行在所有节点之上，不过也可能包含一些其它负责
-监控或者联网的组件。
+本文所描述的所有 TLS 启动引导内容都与 kubelet 相关。不过，其它组件也可能需要直接与
+kube-apiserver 直接通信。容易想到的是 kube-proxy，同样隶属于
+Kubernetes 的控制面并且运行在所有节点之上，不过也可能包含一些其它负责监控或者联网的组件。
 
 <!--
 Like the kubelet, these other components also require a method of authenticating to kube-apiserver.
@@ -865,13 +864,12 @@ You have several options for generating these credentials:
 * The old way: Create and distribute certificates the same way you did for kubelet before TLS bootstrapping
 * DaemonSet: Since the kubelet itself is loaded on each node, and is sufficient to start base services, you can run kube-proxy and other node-specific services not as a standalone process, but rather as a daemonset in the `kube-system` namespace. Since it will be in-cluster, you can give it a proper service account with appropriate permissions to perform its activities. This may be the simplest way to configure such services.
 -->
-* 较老的方式：和 kubelet 在 TLS 启动引导之前所做的一样，用类似的方式
-  创建和分发证书
+* 较老的方式：和 kubelet 在 TLS 启动引导之前所做的一样，用类似的方式创建和分发证书。
 * DaemonSet：由于 kubelet 自身被加载到所有节点之上，并且有足够能力来启动基本服务，
   你可以运行将 kube-proxy 和其它特定节点的服务作为 `kube-system` 名字空间中的
-  DaemonSet 来执行，而不是独立的进程。由于 DaemonSet 位于集群内部，你可以为其
-  指派一个合适的服务账户，使之具有适当的访问权限来完成其使命。这也许是配置此类
-  服务的最简单的方法。
+  DaemonSet 来执行，而不是独立的进程。由于 DaemonSet 位于集群内部，
+  你可以为其指派一个合适的服务账户，使之具有适当的访问权限来完成其使命。
+  这也许是配置此类服务的最简单的方法。
 
 <!--
 ## kubectl approval
@@ -894,13 +892,12 @@ list CSRs with `kubectl get csr` and describe one in detail with `kubectl
 describe csr <name>`. An administrator can approve or deny a CSR with `kubectl
 certificate approve <name>` and `kubectl certificate deny <name>`.
 -->
-签名控制器并不会立即对所有证书请求执行签名操作。相反，它会等待这些请求被某
-具有适当特权的用户标记为 “Approved（已批准）”状态。
-这一流程有意允许由外部批复控制器来自动执行的批复，或者由控制器管理器内置的
-批复控制器来自动批复。
+签名控制器并不会立即对所有证书请求执行签名操作。相反，
+它会等待这些请求被某具有适当特权的用户标记为 “Approved（已批准）”状态。
+这一流程有意允许由外部批复控制器来自动执行的批复，
+或者由控制器管理器内置的批复控制器来自动批复。
 不过，集群管理员也可以使用 `kubectl` 来手动批准证书请求。
 管理员可以通过 `kubectl get csr` 来列举所有的 CSR，使用
 `kubectl descsribe csr <name>` 来描述某个 CSR 的细节。
 管理员可以使用 `kubectl certificate approve <name` 来批准某 CSR，或者
 `kubectl certificate deny <name>` 来拒绝某 CSR。
-
diff --git a/content/zh/docs/reference/access-authn-authz/node.md b/content/zh-cn/docs/reference/access-authn-authz/node.md
similarity index 97%
rename from content/zh/docs/reference/access-authn-authz/node.md
rename to content/zh-cn/docs/reference/access-authn-authz/node.md
index 72f8545fe62c4..2a9753860dc46 100644
--- a/content/zh/docs/reference/access-authn-authz/node.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/node.md
@@ -90,12 +90,12 @@ have the minimal set of permissions required to operate correctly.
 -->
 
 为了获得节点鉴权器的授权，kubelet 必须使用一个凭证以表示它在 `system:nodes` 组中，用户名为 `system:node:<nodeName>`。
-上述的组名和用户名格式要与 [kubelet TLS 启动引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)过程中为每个 kubelet 创建的标识相匹配。
+上述的组名和用户名格式要与 [kubelet TLS 启动引导](/zh/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)过程中为每个 kubelet 创建的标识相匹配。
 <!--
 In order to be authorized by the Node authorizer, kubelets must use a credential that identifies them as
 being in the `system:nodes` group, with a username of `system:node:<nodeName>`.
 This group and user name format match the identity created for each kubelet as part of
-[kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/).
+[kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/).
 -->
 
 要启用节点授权器，请使用 `--authorization-mode = Node` 启动 apiserver。
diff --git a/content/zh/docs/reference/access-authn-authz/psp-to-pod-security-standards.md b/content/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
similarity index 99%
rename from content/zh/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
rename to content/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
index 97f66636298b3..67c7ccd03e883 100644
--- a/content/zh/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards.md
@@ -20,7 +20,7 @@ The tables below enumerate the configuration parameters on
 and/or validates pods, and how the configuration values map to the
 [Pod Security Standards](/docs/concepts/security/pod-security-standards/).
 -->
-下面的表格列举了[PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/)
+下面的表格列举了 [PodSecurityPolicy](/zh/docs/concepts/security/pod-security-policy/)
 对象上的配置参数，这些字段是否会变更或检查 Pod 配置，以及这些配置值如何映射到
 [Pod 安全性标准（Pod Security Standards）](/zh/docs/concepts/security/pod-security-standards/)
 之上。
@@ -30,7 +30,7 @@ For each applicable parameter, the allowed values for the
 [Baseline](/docs/concepts/security/pod-security-standards/#baseline) and
 [Restricted](/docs/concepts/security/pod-security-standards/#restricted) profiles are listed.
 Anything outside the allowed values for those profiles would fall under the
-[Privileged](/docs/concepts/security/pod-security-standards/#priveleged) profile. "No opinion"
+[Privileged](/docs/concepts/security/pod-security-standards/#privileged) profile. "No opinion"
 means all values are allowed under all Pod Security Standards.
 -->
 对于每个可应用的参数，表格中给出了
@@ -38,7 +38,7 @@ means all values are allowed under all Pod Security Standards.
 [Restricted](/zh/docs/concepts/security/pod-security-standards/#restricted)
 配置下可接受的取值。
 对这两种配置而言不可接受的取值均归入
-[Privileged](/zh/docs/concepts/security/pod-security-standards/#priveleged)
+[Privileged](/zh/docs/concepts/security/pod-security-standards/#privileged)
 配置下。“无意见”意味着对所有 Pod 安全性标准而言所有取值都可接受。
 
 <!--
diff --git a/content/zh/docs/reference/access-authn-authz/rbac.md b/content/zh-cn/docs/reference/access-authn-authz/rbac.md
similarity index 80%
rename from content/zh/docs/reference/access-authn-authz/rbac.md
rename to content/zh-cn/docs/reference/access-authn-authz/rbac.md
index 454d81f86ad18..96991885cd6dc 100644
--- a/content/zh/docs/reference/access-authn-authz/rbac.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/rbac.md
@@ -1,6 +1,7 @@
 ---
 title: 使用 RBAC 鉴权
 content_type: concept
+aliases: [/zh/rbac/]
 weight: 70
 ---
 
@@ -11,6 +12,7 @@ reviewers:
 - liggitt
 title: Using RBAC Authorization
 content_type: concept
+aliases: [/rbac/]
 weight: 70
 -->
 
@@ -25,7 +27,7 @@ network resources based on the roles of individual users within your organizatio
 <!-- body -->
 <!--
 RBAC authorization uses the `rbac.authorization.k8s.io`
-{{< glossary_tooltip text="API Group" term_id="api-group" >}} to drive authorization
+{{< glossary_tooltip text="API group" term_id="api-group" >}} to drive authorization
 decisions, allowing you to dynamically configure policies through the Kubernetes API.
 -->
 RBAC 鉴权机制使用 `rbac.authorization.k8s.io`
@@ -34,12 +36,17 @@ RBAC 鉴权机制使用 `rbac.authorization.k8s.io`
 
 <!--
 To enable RBAC, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
-with the `-authorization-mode` flag set to a comma-separated list that includes `RBAC`;
+with the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
 for example:
 -->
 要启用 RBAC，在启动 {{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}
 时将 `--authorization-mode` 参数设置为一个逗号分隔的列表并确保其中包含 `RBAC`。
 
+<!--
+```shell
+kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
+```
+-->
 ```shell
 kube-apiserver --authorization-mode=Example,RBAC --<其他选项> --<其他选项>
 ```
@@ -123,11 +130,24 @@ ClusterRole 有若干用法。你可以用它来：
 Here's an example Role in the "default" namespace that can be used to grant read access to
 {{< glossary_tooltip text="pods" term_id="pod" >}}:
 -->
-#### Role 示例
+#### Role 示例 {#role-example}
 
 下面是一个位于 "default" 名字空间的 Role 的示例，可用来授予对
 {{< glossary_tooltip text="pods" term_id="pod" >}} 的读访问权限：
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: pod-reader
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -144,16 +164,16 @@ rules:
 #### ClusterRole example
 
 A ClusterRole can be used to grant the same permissions as a Role.
-Because they are cluster-scoped, you can also use them to grant access to:
+Because ClusterRoles are cluster-scoped, you can also use them to grant access to:
 
 * cluster-scoped resources (like {{< glossary_tooltip text="nodes" term_id="node" >}})
 * non-resource endpoints (like `/healthz`)
 * namespaced resources (like Pods), across all namespaces
 
   For example: you can use a ClusterRole to allow a particular user to run
-  `kubectl get pods -all-namespaces`
+  `kubectl get pods --all-namespaces`
 -->
-###  ClusterRole 示例
+###  ClusterRole 示例 {#clusterrole-example}
 
 ClusterRole 可以和 Role 相同完成授权。
 因为 ClusterRole 属于集群范围，所以它也可以为以下资源授予访问权限：
@@ -173,6 +193,22 @@ or across all namespaces (depending on how it is [bound](#rolebinding-and-cluste
 {{< glossary_tooltip text="Secret" term_id="secret" >}} 授予读访问权限，
 或者跨名字空间的访问权限（取决于该角色是如何[绑定](#rolebinding-and-clusterrolebinding)的）：
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # "namespace" omitted since ClusterRoles are not namespaced
+  name: secret-reader
+rules:
+- apiGroups: [""]
+  #
+  # at the HTTP level, the name of the resource for accessing Secret
+  # objects is "secrets"
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -181,7 +217,7 @@ metadata:
   name: secret-reader
 rules:
 - apiGroups: [""]
-  # 在 HTTP 层面，用来访问 Secret 对象的资源的名称为 "secrets"
+  # 在 HTTP 层面，用来访问 Secret 资源的名称为 "secrets"
   resources: ["secrets"]
   verbs: ["get", "watch", "list"]
 ```
@@ -236,9 +272,31 @@ This allows "jane" to read pods in the "default" namespace.
 下面的例子中的 RoleBinding 将 "pod-reader" Role 授予在 "default" 名字空间中的用户 "jane"。
 这样，用户 "jane" 就具有了读取 "default" 名字空间中 pods 的权限。
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+# This role binding allows "jane" to read pods in the "default" namespace.
+# You need to already have a Role named "pod-reader" in that namespace.
+kind: RoleBinding
+metadata:
+  name: read-pods
+  namespace: default
+subjects:
+# You can specify more than one "subject"
+- kind: User
+  name: jane # "name" is case sensitive
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  # "roleRef" specifies the binding to a Role / ClusterRole
+  kind: Role #this must be Role or ClusterRole
+  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
+  apiGroup: rbac.authorization.k8s.io
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 # 此角色绑定允许 "jane" 读取 "default" 名字空间中的 Pods
+# 你需要在该命名空间中有一个名为 “pod-reader” 的 Role
 kind: RoleBinding
 metadata:
   name: read-pods
@@ -251,7 +309,7 @@ subjects:
 roleRef:
   # "roleRef" 指定与某 Role 或 ClusterRole 的绑定关系
   kind: Role # 此字段必须是 Role 或 ClusterRole
-  name: pod-reader     # 此字段必须与你要绑定的 Role 或 ClusterRole 的名称匹配
+  name: pod-reader # 此字段必须与你要绑定的 Role 或 ClusterRole 的名称匹配
   apiGroup: rbac.authorization.k8s.io
 ```
 
@@ -273,6 +331,28 @@ RoleBinding 所在名字空间的资源。这种引用使得你可以跨整个
 区分大小写）只能访问 "development" 名字空间中的 Secrets 对象，因为 RoleBinding
 所在的名字空间（由其 metadata 决定）是 "development"。
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+# This role binding allows "dave" to read secrets in the "development" namespace.
+# You need to already have a ClusterRole named "secret-reader".
+kind: RoleBinding
+metadata:
+  name: read-secrets
+  #
+  # The namespace of the RoleBinding determines where the permissions are granted.
+  # This only grants permissions within the "development" namespace.
+  namespace: development
+subjects:
+- kind: User
+  name: dave # Name is case sensitive
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: secret-reader
+  apiGroup: rbac.authorization.k8s.io
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 # 此角色绑定使得用户 "dave" 能够读取 "development" 名字空间中的 Secrets
@@ -306,6 +386,23 @@ secrets in any namespace.
 下面的 ClusterRoleBinding 允许 "manager" 组内的所有用户访问任何名字空间中的
 Secrets。
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: ClusterRoleBinding
+metadata:
+  name: read-secrets-global
+subjects:
+- kind: Group
+  name: manager # Name is case sensitive
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: secret-reader
+  apiGroup: rbac.authorization.k8s.io
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 # 此集群角色绑定允许 “manager” 组中的任何人访问任何名字空间中的 secrets
@@ -337,20 +434,24 @@ There are two reasons for this restriction:
 这种限制有两个主要原因：
 
 <!--
+1. Making `roleRef` immutable allows granting someone `update` permission on an existing binding
+object, so that they can manage the list of subjects, without being able to change
+the role that is granted to those subjects.
+-->
+1. 将 `roleRef` 设置为不可以改变，这使得可以为用户授予对现有绑定对象的 `update` 权限，
+   这样可以让他们管理主体列表，同时不能更改被授予这些主体的角色。
+<!--
+
 1. A binding to a different role is a fundamentally different binding.
 Requiring a binding to be deleted/recreated in order to change the `roleRef`
 ensures the full list of subjects in the binding is intended to be granted
 the new role (as opposed to enabling or accidentally modifying only the roleRef
-without verifying all of the existing subjects should be given the new role's permissions).
-2. Making `roleRef` immutable allows giving `update` permission on an existing binding object
-to a user, which lets them manage the list of subjects, without being able to change the
-role that is granted to those subjects.
+without verifying all of the existing subjects should be given the new role's
+permissions).
 -->
 1. 针对不同角色的绑定是完全不一样的绑定。要求通过删除/重建绑定来更改 `roleRef`,
    这样可以确保要赋予绑定的所有主体会被授予新的角色（而不是在允许或者不小心修改
    了 `roleRef` 的情况下导致所有现有主体未经验证即被授予新角色对应的权限）。
-1. 将 `roleRef` 设置为不可以改变，这使得可以为用户授予对现有绑定对象的 `update` 权限，
-   这样可以让他们管理主体列表，同时不能更改被授予这些主体的角色。
 
 <!--
 The `kubectl auth reconcile` command-line utility creates or updates a manifest file containing RBAC objects,
@@ -362,16 +463,17 @@ See [command usage and examples](#kubectl-auth-reconcile) for more information.
 更多相关信息请参照[命令用法和示例](#kubectl-auth-reconcile)
 
 <!--
-### Referring to Resources
+### Referring to resources
+-->
+### 对资源的引用    {#referring-to-resources}
 
+<!--
 In the Kubernetes API, most resources are represented and accessed using a string representation of
 their object name, such as `pods` for a Pod. RBAC refers to resources using exactly the same
 name that appears in the URL for the relevant API endpoint.
 Some Kubernetes APIs involve a
 _subresource_, such as the logs for a Pod. A request for a Pod's logs looks like:
 -->
-### 对资源的引用    {#referring-to-resources}
-
 在 Kubernetes API 中，大多数资源都是使用对象名称的字符串表示来呈现与访问的。
 例如，对于 Pod 应使用 "pods"。
 RBAC 使用对应 API 端点的 URL 中呈现的名字来引用资源。
@@ -415,6 +517,7 @@ Here is an example that restricts its subject to only `get` or `update` a
 下面的例子中限制可以 "get" 和 "update" 一个名为 `my-configmap` 的
 {{< glossary_tooltip term_id="ConfigMap" >}}：
 
+<!--
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -423,7 +526,23 @@ metadata:
   name: configmap-updater
 rules:
 - apiGroups: [""]
-  # 在 HTTP 层面，用来访问 ConfigMap 的资源的名称为 "configmaps"
+  #
+  # at the HTTP level, the name of the resource for accessing ConfigMap
+  # objects is "configmaps"
+  resources: ["configmaps"]
+  resourceNames: ["my-configmap"]
+  verbs: ["update", "get"]
+```
+-->
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: configmap-updater
+rules:
+- apiGroups: [""]
+  # 在 HTTP 层面，用来访问 ConfigMap 资源的名称为 "configmaps"
   resources: ["configmaps"]
   resourceNames: ["my-configmap"]
   verbs: ["update", "get"]
@@ -465,6 +584,19 @@ Here is an example aggregated ClusterRole:
 
 下面是一个聚合 ClusterRole 的示例：
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: monitoring
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.example.com/aggregate-to-monitoring: "true"
+rules: [] # The control plane automatically fills in the rules
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -488,6 +620,22 @@ ClusterRole labeled `rbac.example.com/aggregate-to-monitoring: true`.
 下面的例子中，通过创建一个标签同样为 `rbac.example.com/aggregate-to-monitoring: true`
 的 ClusterRole，新的规则可被添加到 "monitoring" ClusterRole 中。
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: monitoring-endpoints
+  labels:
+    rbac.example.com/aggregate-to-monitoring: "true"
+# When you create the "monitoring-endpoints" ClusterRole,
+# the rules below will be added to the "monitoring" ClusterRole.
+rules:
+- apiGroups: [""]
+  resources: ["services", "endpoints", "pods"]
+  verbs: ["get", "list", "watch"]
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -513,7 +661,7 @@ For example: the following ClusterRoles let the "admin" and "edit" default roles
 named CronTab, whereas the "view" role can perform only read actions on CronTab resources.
 You can assume that CronTab objects are named `"crontabs"` in URLs as seen by the API server.
 -->
-默认的[面向用户的角色](#default-roles-and-role-bindings) 使用 ClusterRole 聚合。
+默认的[面向用户的角色](#default-roles-and-role-bindings)使用 ClusterRole 聚合。
 这使得作为集群管理员的你可以为扩展默认规则，包括为定制资源设置规则，
 比如通过 CustomResourceDefinitions 或聚合 API 服务器提供的定制资源。
 
@@ -521,6 +669,34 @@ You can assume that CronTab objects are named `"crontabs"` in URLs as seen by th
  "view" 角色对 CronTab 资源拥有读操作权限。
 你可以假定 CronTab 对象在 API 服务器所看到的 URL 中被命名为 `"crontabs"`。
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: aggregate-cron-tabs-edit
+  labels:
+    # Add these permissions to the "admin" and "edit" default roles.
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["stable.example.com"]
+  resources: ["crontabs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: aggregate-cron-tabs-view
+  labels:
+    # Add these permissions to the "view" default role.
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["stable.example.com"]
+  resources: ["crontabs"]
+  verbs: ["get", "list", "watch"]
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -549,7 +725,7 @@ rules:
 ```
 
 <!--
-#### Role Examples
+#### Role examples
 
 The following examples are excerpts from Role or ClusterRole objects, showing only
 the `rules` section.
@@ -564,10 +740,21 @@ Allow reading `"pods"` resources in the core
 允许读取在核心 {{< glossary_tooltip text="API 组" term_id="api-group" >}}下的
 `"Pods"`：
 
+<!--
 ```yaml
 rules:
 - apiGroups: [""]
-  # 在 HTTP 层面，用来访问 Pod 的资源的名称为 "pods"
+  #
+  # at the HTTP level, the name of the resource for accessing Pod
+  # objects is "pods"
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+```
+-->
+```yaml
+rules:
+- apiGroups: [""]
+  # 在 HTTP 层面，用来访问 Pod 资源的名称为 "pods"
   resources: ["pods"]
   verbs: ["get", "list", "watch"]
 ```
@@ -576,12 +763,25 @@ rules:
 Allow reading/writing Deployments (at the HTTP level: objects with `"deployments"`
 in the resource part of their URL) in the `"apps"` API groups:
 -->
-允许读/写在 `"apps"` API 组中的 Deployment（在 HTTP 层面，对应
-URL 中资源部分为 "deployments"）：
+允许在 `"apps"` API 组中读/写 Deployment（在 HTTP 层面，对应 URL
+中资源部分为 `"deployments"`）：
 
+<!--
+```yaml
+rules:
+- apiGroups: ["apps"]
+  #
+  # at the HTTP level, the name of the resource for accessing Deployment
+  # objects is "deployments"
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+```
+-->
 ```yaml
 rules:
 - apiGroups: ["apps"]
+  #
+  # 在 HTTP 层面，用来访问 Deployment 资源的名称为 "deployments"
   resources: ["deployments"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ```
@@ -590,15 +790,33 @@ rules:
 Allow reading Pods in the core API group, as well as reading or writing Job
 resources in the `"batch"` API group:
 -->
-允许读取核心 API 组中的 "pods" 和读/写 `"batch"` API 组中的
-"jobs"：
+允许读取核心 API 组中的 Pod 和读/写 `"batch"` API 组中的 Job 资源：
 
+<!--
+```yaml
+rules:
+- apiGroups: [""]
+  #
+  # at the HTTP level, the name of the resource for accessing Pod
+  # objects is "pods"
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+  #
+  # at the HTTP level, the name of the resource for accessing Job
+  # objects is "jobs"
+  resources: ["jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+```
+-->
 ```yaml
 rules:
 - apiGroups: [""]
+  # 在 HTTP 层面，用来访问 Pod 资源的名称为 "pods"
   resources: ["pods"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["batch"]
+  # 在 HTTP 层面，用来访问 Job 资源的名称为 "jobs"
   resources: ["jobs"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ```
@@ -610,9 +828,22 @@ RoleBinding to limit to a single ConfigMap in a single namespace):
 允许读取名称为 "my-config" 的 ConfigMap（需要通过 RoleBinding 绑定以
 限制为某名字空间中特定的 ConfigMap）：
 
+<!--
+```yaml
+rules:
+- apiGroups: [""]
+  #
+  # at the HTTP level, the name of the resource for accessing ConfigMap
+  # objects is "configmaps"
+  resources: ["configmaps"]
+  resourceNames: ["my-config"]
+  verbs: ["get"]
+```
+-->
 ```yaml
 rules:
 - apiGroups: [""]
+  # 在 HTTP 层面，用来访问 ConfigMap 资源的名称为 "configmaps"
   resources: ["configmaps"]
   resourceNames: ["my-config"]
   verbs: ["get"]
@@ -623,12 +854,24 @@ Allow reading the resource `"nodes"` in the core group (because a
 Node is cluster-scoped, this must be in a ClusterRole bound with a
 ClusterRoleBinding to be effective):
 -->
-允许读取在核心组中的 "nodes" 资源（因为 `Node` 是集群作用域的，所以需要
+允许读取在核心组中的 `"nodes"` 资源（因为 `Node` 是集群作用域的，所以需要
 ClusterRole 绑定到 ClusterRoleBinding 才生效）：
 
+<!--
+```yaml
+rules:
+- apiGroups: [""]
+  #
+  # at the HTTP level, the name of the resource for accessing Node
+  # objects is "nodes"
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch"]
+```
+-->
 ```yaml
 rules:
 - apiGroups: [""]
+  # 在 HTTP 层面，用来访问 Node 资源的名称为 "nodes"
   resources: ["nodes"]
   verbs: ["get", "list", "watch"]
 ```
@@ -641,14 +884,21 @@ to be effective):
 允许针对非资源端点 `/healthz` 和其子路径上发起 GET 和 POST 请求
 （必须在 ClusterRole 绑定 ClusterRoleBinding 才生效）：
 
+<!--
+```yaml
+rules:
+- nonResourceURLs: ["/healthz", "/healthz/*"] # '*' in a nonResourceURL is a suffix glob match
+  verbs: ["get", "post"]
+```
+-->
 ```yaml
 rules:
-  - nonResourceURLs: ["/healthz", "/healthz/*"] # nonResourceURL 中的 '*' 是一个全局通配符
-    verbs: ["get", "post"]
+- nonResourceURLs: ["/healthz", "/healthz/*"] # nonResourceURL 中的 '*' 是一个全局通配符
+  verbs: ["get", "post"]
 ```
 
 <!--
-### Referring to Subjects
+### Referring to subjects
 
 A RoleBinding or ClusterRoleBinding binds a role to subjects.
 Subjects can be groups, users or
@@ -662,7 +912,7 @@ so that authentication produces usernames in the format you want.
 -->
 ### 对主体的引用   {#referring-to-subjects}
 
-RoleBinding 或者 ClusterRoleBinding 可绑定角色到某 *主体（Subject）*上。
+RoleBinding 或者 ClusterRoleBinding 可绑定角色到某 **主体（Subject）** 上。
 主体可以是组，用户或者
 {{< glossary_tooltip text="服务账户" term_id="service-account" >}}。
 
@@ -692,8 +942,8 @@ In Kubernetes, Authenticator modules provide group information.
 Groups, like users, are represented as strings, and that string has no format requirements,
 other than that the prefix `system:` is reserved.
 
-[Service Accounts](/docs/tasks/configure-pod-container/configure-service-account/) have usernames with the `system:serviceaccount:` prefix and belong
-to groups with the `system:serviceaccounts:` prefix.
+[ServiceAccounts](/docs/tasks/configure-pod-container/configure-service-account/) have names prefixed
+with `system:serviceaccount:`, and belong to groups that have names prefixed with `system:serviceaccounts:`.
 -->
 在 Kubernetes 中，鉴权模块提供用户组信息。
 与用户名一样，用户组名也用字符串来表示，而且对该字符串没有格式要求，
@@ -713,7 +963,7 @@ to groups with the `system:serviceaccounts:` prefix.
 {{< /note >}}
 
 <!--
-#### Role Binding Examples
+#### RoleBinding examples {#role-binding-examples}
 
 The following examples are `RoleBinding` excerpts that only
 show the `subjects` section.
@@ -828,7 +1078,7 @@ Many of these are `system:` prefixed, which indicates that the resource is direc
 managed by the cluster control plane.
 All of the default ClusterRoles and ClusterRoleBindings are labeled with `kubernetes.io/bootstrapping=rbac-defaults`.
 -->
-## 默认 Roles 和 Role Bindings
+## 默认 Roles 和 Role Bindings {#default-roles-and-role-bindings}
 
 API 服务器创建一组默认的 ClusterRole 和 ClusterRoleBinding 对象。
 这其中许多是以 `system:` 为前缀的，用以标识对应资源是直接由集群控制面管理的。
@@ -844,7 +1094,7 @@ Modifications to these resources can result in non-functional clusters.
 -->
 在修改名称包含 `system:` 前缀的 ClusterRole 和 ClusterRoleBinding
 时要格外小心。
-对这些资源的更改可能导致集群无法继续工作。
+对这些资源的更改可能导致集群无法正常运作。
 {{< /caution >}}
 
 <!--
@@ -853,7 +1103,7 @@ Modifications to these resources can result in non-functional clusters.
 At each start-up, the API server updates default cluster roles with any missing permissions,
 and updates default cluster role bindings with any missing subjects.
 This allows the cluster to repair accidental modifications, and helps to keep roles and role bindings
-up-to-date as permissions and subjects change in new releases.
+up-to-date as permissions and subjects change in new Kubernetes releases.
 
 To opt out of this reconciliation, set the `rbac.authorization.kubernetes.io/autoupdate`
 annotation on a default cluster role or rolebinding to `false`.
@@ -877,14 +1127,14 @@ Auto-reconciliation is enabled by default if the RBAC authorizer is active.
 <!--
 ### API discovery roles {#discovery-roles}
 
-Default role bindings authorize unauthenticated and authenticated users to read API information that is deemed safe to be publicly accessible (including CustomResourceDefinitions). To disable anonymous unauthenticated access add `--anonymous-auth=false` to the API server configuration.
+Default role bindings authorize unauthenticated and authenticated users to read API information that is deemed safe to be publicly accessible (including CustomResourceDefinitions). To disable anonymous unauthenticated access, add `--anonymous-auth=false` to the API server configuration.
 
 To view the configuration of these roles via `kubectl` run:
 -->
 ### API 发现角色  {#discovery-roles}
 
 无论是经过身份验证的还是未经过身份验证的用户，默认的角色绑定都授权他们读取被认为
-是可安全地公开访问的 API（ 包括 CustomResourceDefinitions）。
+是可安全地公开访问的 API（包括 CustomResourceDefinitions）。
 如果要禁用匿名的未经过身份验证的用户访问，请在 API 服务器配置中中添加
 `--anonymous-auth=false` 的配置选项。
 
@@ -900,19 +1150,17 @@ If you edit that ClusterRole, your changes will be overwritten on API server res
 via [auto-reconciliation](#auto-reconciliation). To avoid that overwriting,
 either do not manually edit the role, or disable auto-reconciliation.
 -->
-如果你编辑该 ClusterRole，你所作的变更会被 API 服务器在重启时自动覆盖，这是通过
-[自动协商](#auto-reconciliation)机制完成的。要避免这类覆盖操作，
+如果你编辑该 ClusterRole，你所作的变更会被 API 服务器在重启时自动覆盖，
+这是通过[自动协商](#auto-reconciliation)机制完成的。要避免这类覆盖操作，
 要么不要手动编辑这些角色，要么禁止自动协商机制。
 {{< /note >}}
 
 <table>
-<caption>
 <!--
-Kubernetes RBAC API discovery roles
+<caption>Kubernetes RBAC API discovery roles</caption>
 -->
-Kubernetes RBAC API 发现角色
-</caption>
-<colgroup><col width="25%"><col width="25%"><col></colgroup>
+<caption>Kubernetes RBAC API 发现角色</caption>
+<colgroup><col style="width: 25%;" /><col style="width: 25%;" /><col /></colgroup>
 <thead>
 <tr>
 <!--
@@ -928,44 +1176,44 @@ Kubernetes RBAC API 发现角色
 <tbody>
 <tr>
 <td><b>system:basic-user</b></td>
-<!-- 
+<!--
 <td><b>system:authenticated</b> group</td>
 -->
 <td><b>system:authenticated</b> 组</td>
 <td>
-<!-- 
-Allows a user read-only access to basic information about themselves. 
-Prior to 1.14, this role was also bound to <tt>system:unauthenticated</tt> by default.
+<!--
+Allows a user read-only access to basic information about themselves.
+Prior to v1.14, this role was also bound to <tt>system:unauthenticated</tt> by default.
 -->
-允许用户以只读的方式去访问他们自己的基本信息。在 1.14 版本之前，这个角色在默认情况下也绑定在 <tt>system:unauthenticated</tt> 上。
+允许用户以只读的方式去访问他们自己的基本信息。在 v1.14 版本之前，这个角色在默认情况下也绑定在 <tt>system:unauthenticated</tt> 上。
 </td>
 </tr>
 <tr>
 <td><b>system:discovery</b></td>
-<!-- 
+<!--
 <td><b>system:authenticated</b> group</td>
 -->
 <td><b>system:authenticated</b> 组</td>
 <td>
-<!-- 
-Allows read-only access to API discovery endpoints needed to discover and negotiate an API level. 
-Prior to 1.14, this role was also bound to <tt>system:unauthenticated</tt> by default.
+<!--
+Allows read-only access to API discovery endpoints needed to discover and negotiate an API level.
+Prior to v1.14, this role was also bound to <tt>system:unauthenticated</tt> by default.
 -->
 允许以只读方式访问 API 发现端点，这些端点用来发现和协商 API 级别。
-在 1.14 版本之前，这个角色在默认情况下绑定在 <tt>system:unauthenticated</tt> 上。
+在 v1.14 版本之前，这个角色在默认情况下绑定在 <tt>system:unauthenticated</tt> 上。
 </td>
 </tr>
 <tr>
 <td><b>system:public-info-viewer</b></td>
-<!-- 
+<!--
 <td><b>system:authenticated</b> and <b>system:unauthenticated</b> groups</td>
 -->
 <td><b>system:authenticated</b> 和 <b>system:unauthenticated</b> 组</td>
 <td>
-<!-- 
+<!--
 Allows read-only access to non-sensitive information about the cluster. Introduced in Kubernetes v1.14.
 -->
-允许对集群的非敏感信息进行只读访问，它是在 1.14 版本中引入的。
+允许对集群的非敏感信息进行只读访问，它是在 v1.14 版本中引入的。
 </td>
 </tr>
 </tbody>
@@ -1003,7 +1251,7 @@ metadata:
 ```
 
 <table>
-<colgroup><col width="25%"><col width="25%"><col></colgroup>
+<colgroup><col style="width: 25%;" /><col style="width: 25%;" /><col /></colgroup>
 <thead>
 <tr>
 <!--
@@ -1024,27 +1272,27 @@ metadata:
 -->
 <td><b>system:masters</b> 组</td>
 <td>
-<!-- 
+<!--
 Allows super-user access to perform any action on any resource.
 When used in a <b>ClusterRoleBinding</b>, it gives full control over every resource in the cluster and in all namespaces.
-When used in a <b>RoleBinding</b>, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.
+When used in a <b>RoleBinding</b>, it gives full control over every resource in the role binding's namespace, including the namespace itself.
 -->
 允许超级用户在平台上的任何资源上执行所有操作。
 当在 <b>ClusterRoleBinding</b> 中使用时，可以授权对集群中以及所有名字空间中的全部资源进行完全控制。
-当在 <b>RoleBinding</b> 中使用时，可以授权控制 RoleBinding 所在名字空间中的所有资源，包括名字空间本身。
+当在 <b>RoleBinding</b> 中使用时，可以授权控制角色绑定所在名字空间中的所有资源，包括名字空间本身。
 </td>
 </tr>
 <tr>
 <td><b>admin</b></td>
-<!-- 
+<!--
 <td>None</td>
 --->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows admin access, intended to be granted within a namespace using a <b>RoleBinding</b>.
 If used in a <b>RoleBinding</b>, allows read/write access to most resources in a namespace,
-including the ability to create roles and rolebindings within the namespace.
+including the ability to create roles and role bindings within the namespace.
 This role does not allow write access to resource quota or to the namespace itself.
 This role also does not allow write access to Endpoints in clusters created
 using Kubernetes v1.22+. More information is available in the
@@ -1056,17 +1304,17 @@ using Kubernetes v1.22+. More information is available in the
 包括创建角色和角色绑定的能力。
 此角色不允许对资源配额或者名字空间本身进行写操作。
 此角色也不允许对 Kubernetes v1.22+ 创建的 Endpoints 进行写操作。
-更多信息参阅[“Endpoints 写权限”小节](#write-access-for-endpoints)。
+更多信息参阅 [“Endpoints 写权限”小节](#write-access-for-endpoints)。
 </td>
 </tr>
 <tr>
 <td><b>edit</b></td>
-<!-- 
+<!--
 <td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows read/write access to most objects in a namespace.
 This role does not allow viewing or modifying roles or role bindings.
 However, this role allows accessing Secrets and running Pods as any ServiceAccount in
@@ -1081,17 +1329,17 @@ clusters created using Kubernetes v1.22+. More information is available in the
 不过，此角色可以访问 Secret，以名字空间中任何 ServiceAccount 的身份运行 Pods，
 所以可以用来了解名字空间内所有服务账户的 API 访问级别。
 此角色也不允许对 Kubernetes v1.22+ 创建的 Endpoints 进行写操作。
-更多信息参阅[“Endpoints 写操作”小节](#write-access-for-endpoints)。
+更多信息参阅 [“Endpoints 写操作”小节](#write-access-for-endpoints)。
 </td>
 </tr>
 <tr>
 <td><b>view</b></td>
-<!-- 
+<!--
 <td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows read-only access to see most objects in a namespace.
 It does not allow viewing roles or rolebindings.
 -->
@@ -1102,7 +1350,7 @@ It does not allow viewing roles or rolebindings.
 This role does not allow viewing Secrets, since reading
 the contents of Secrets enables access to ServiceAccount credentials
 in the namespace, which would allow API access as any ServiceAccount
-in the namespace (a form of privilege escalation). 
+in the namespace (a form of privilege escalation).
 -->
 此角色不允许查看 Secrets，因为读取 Secret 的内容意味着可以访问名字空间中
 ServiceAccount 的凭据信息，进而允许利用名字空间中任何 ServiceAccount 的
@@ -1118,7 +1366,7 @@ ServiceAccount 的凭据信息，进而允许利用名字空间中任何 Service
 ### 核心组件角色   {#core-component-roles}
 
 <table>
-<colgroup><col width="25%"><col width="25%"><col></colgroup>
+<colgroup><col style="width: 25%;" /><col style="width: 25%;" /><col /></colgroup>
 <thead>
 <tr>
 <!--
@@ -1134,12 +1382,12 @@ ServiceAccount 的凭据信息，进而允许利用名字空间中任何 Service
 <tbody>
 <tr>
 <td><b>system:kube-scheduler</b></td>
-<!-- 
-<td><b>system:kube-scheduler</b> user</td> 
+<!--
+<td><b>system:kube-scheduler</b> user</td>
 -->
 <td><b>system:kube-scheduler</b> 用户</td>
 <td>
-<!-- 
+<!--
 Allows access to the resources required by the {{< glossary_tooltip term_id="kube-scheduler" text="scheduler" >}} component.
 -->
 允许访问 {{< glossary_tooltip term_id="kube-scheduler" text="scheduler" >}}
@@ -1148,8 +1396,8 @@ Allows access to the resources required by the {{< glossary_tooltip term_id="kub
 </tr>
 <tr>
 <td><b>system:volume-scheduler</b></td>
-<!-- 
-<td><b>system:kube-scheduler</b> user</td> 
+<!--
+<td><b>system:kube-scheduler</b> user</td>
 -->
 <td><b>system:kube-scheduler</b> 用户</td>
 <td>
@@ -1161,23 +1409,23 @@ Allows access to the volume resources required by the kube-scheduler component.
 </tr>
 <tr>
 <td><b>system:kube-controller-manager</b></td>
-<!-- 
-<td><b>system:kube-controller-manager</b> user</td> 
+<!--
+<td><b>system:kube-controller-manager</b> user</td>
 -->
 <td><b>system:kube-controller-manager</b> 用户</td>
 <td>
-<!-- 
+<!--
 Allows access to the resources required by the {{< glossary_tooltip term_id="kube-controller-manager" text="controller manager" >}} component.
 The permissions required by individual controllers are detailed in the <a href="#controller-roles">controller roles</a>.
 -->
 允许访问{{< glossary_tooltip term_id="kube-controller-manager" text="控制器管理器" >}}
 组件所需要的资源。
-各个控制回路所需要的权限在<a href="#controller-roles">控制器角色</a> 详述。
+各个控制回路所需要的权限在<a href="#controller-roles">控制器角色</a>详述。
 </td>
 </tr>
 <tr>
 <td><b>system:node</b></td>
-<!-- 
+<!--
 <td>None</td>
 -->
 <td>无</td>
@@ -1187,17 +1435,17 @@ Allows access to resources required by the kubelet, <b>including read access to
 -->
 允许访问 kubelet 所需要的资源，<b>包括对所有 Secret 的读操作和对所有 Pod 状态对象的写操作。</b>
 
-<!--  
-You should use the <a href="/docs/reference/access-authn-authz/node/">Node authorizer</a> and 
-<a href="/docs/reference/access-authn-authz/admission-controllers/#noderestriction">NodeRestriction admission plugin</a> 
+<!--
+You should use the <a href="/docs/reference/access-authn-authz/node/">Node authorizer</a> and
+<a href="/docs/reference/access-authn-authz/admission-controllers/#noderestriction">NodeRestriction admission plugin</a>
 instead of the <tt>system:node</tt> role, and allow granting API access to kubelets based on the Pods scheduled to run on them.
 -->
-你应该使用 <a href="/zh/docs/reference/access-authn-authz/node/">Node 鉴权组件</a> 和
-<a href="/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction">NodeRestriction 准入插件</a>
-而不是 <tt>system:node</tt> 角色。同时基于 kubelet 上调度执行的 Pod 来授权
+你应该使用 <a href="/zh/docs/reference/access-authn-authz/node/">Node 鉴权组件</a>和
+<a href="/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction">NodeRestriction 准入插件</a>而不是
+<tt>system:node</tt> 角色。同时基于 kubelet 上调度执行的 Pod 来授权
 kubelet 对 API 的访问。
 
-<!--  
+<!--
 The <tt>system:node</tt> role only exists for compatibility with Kubernetes clusters upgraded from versions prior to v1.8.
 -->
 <tt>system:node</tt> 角色的意义仅是为了与从 v1.8 之前版本升级而来的集群兼容。
@@ -1220,13 +1468,13 @@ The <tt>system:node</tt> role only exists for compatibility with Kubernetes clus
 ### 其他组件角色    {#other-component-roles}
 
 <table>
-<colgroup><col width="25%"><col width="25%"><col></colgroup>
+<colgroup><col style="width: 25%;" /><col style="width: 25%;" /><col /></colgroup>
 <thead>
 <tr>
-<!-- 
+<!--
 <th>Default ClusterRole</th>
 <th>Default ClusterRoleBinding</th>
-<th>Description</th> 
+<th>Description</th>
 -->
 <th>默认 ClusterRole</th>
 <th>默认 ClusterRoleBinding</th>
@@ -1236,12 +1484,12 @@ The <tt>system:node</tt> role only exists for compatibility with Kubernetes clus
 <tbody>
 <tr>
 <td><b>system:auth-delegator</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows delegated authentication and authorization checks.
 This is commonly used by add-on API servers for unified authentication and authorization.
 -->
@@ -1251,8 +1499,8 @@ This is commonly used by add-on API servers for unified authentication and autho
 </tr>
 <tr>
 <td><b>system:heapster</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <td>
@@ -1264,8 +1512,8 @@ Role for the <a href="https://github.com/kubernetes/heapster">Heapster</a> compo
 </tr>
 <tr>
 <td><b>system:kube-aggregator</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <!-- td>Role for the <a href="https://github.com/kubernetes/kube-aggregator">kube-aggregator</a> component.</td -->
@@ -1273,52 +1521,50 @@ Role for the <a href="https://github.com/kubernetes/heapster">Heapster</a> compo
 </tr>
 <tr>
 <td><b>system:kube-dns</b></td>
-<td>
 <!--
-<b>kube-dns</b> service account in the <b>kube-system</b> namespace</td 
+<td><b>kube-dns</b> service account in the <b>kube-system</b> namespace</td>
 -->
-在 <b>kube-system</b> 名字空间中的 <b>kube-dns</b> 服务账户</td>
+<td>在 <b>kube-system</b> 名字空间中的 <b>kube-dns</b> 服务账户</td>
 <!-- td>Role for the <a href="/docs/concepts/services-networking/dns-pod-service/">kube-dns</a> component.</td -->
-<td>为 <a href="/docs/concepts/services-networking/dns-pod-service/">kube-dns</a> 组件定义的角色。
-</td>
+<td>为 <a href="/docs/concepts/services-networking/dns-pod-service/">kube-dns</a> 组件定义的角色。</td>
 </tr>
 <tr>
 <td><b>system:kubelet-api-admin</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows full access to the kubelet API.
 -->
 允许 kubelet API 的完全访问权限。
 </td>
-</tr>  
+</tr>
 <tr>
 <td><b>system:node-bootstrapper</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows access to the resources required to perform
-<a href="/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/">Kubelet TLS bootstrapping</a>.
+<a href="/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/">Kubelet TLS bootstrapping</a>.
 -->
 允许访问执行
-<a href="/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/">kubelet TLS 启动引导</a>
+<a href="/zh/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/">kubelet TLS 启动引导</a>
 所需要的资源。
 </td>
 </tr>
 <tr>
 <td><b>system:node-problem-detector</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Role for the <a href="https://github.com/kubernetes/node-problem-detector">node-problem-detector</a> component.
 -->
 为 <a href="https://github.com/kubernetes/node-problem-detector">node-problem-detector</a> 组件定义的角色。
@@ -1326,30 +1572,30 @@ Role for the <a href="https://github.com/kubernetes/node-problem-detector">node-
 </tr>
 <tr>
 <td><b>system:persistent-volume-provisioner</b></td>
-<!-- 
-<td>None</td> 
+<!--
+<td>None</td>
 -->
 <td>无</td>
 <td>
-<!-- 
+<!--
 Allows access to the resources required by most <a href="/docs/concepts/storage/persistent-volumes/#dynamic">dynamic volume provisioners</a>.
 -->
 允许访问大部分
-<a href="/zh/docs/concepts/storage/persistent-volumes/#dynamic">动态卷驱动
-</a>
-所需要的资源。</td>
+<a href="/zh/docs/concepts/storage/persistent-volumes/#dynamic">动态卷驱动</a>
+所需要的资源。
+</td>
 </tr>
 <tr>
 <td><b>system:monitoring</b></td>
-<!-- 
+<!--
 <td><b>system:monitoring</b> group</td>
 -->
 <td><b>system:monitoring</b> 组</td>
 <td>
 <!--
-Allows read access to control-plane monitoring endpoints 
-(i.e. {{< glossary_tooltip term_id="kube-apiserver" text="kube-apiserver" >}} liveness and readiness endpoints 
-(<tt>/healthz</tt>, <tt>/livez</tt>, <tt>/readyz</tt>), the individual health-check endpoints 
+Allows read access to control-plane monitoring endpoints
+(i.e. {{< glossary_tooltip term_id="kube-apiserver" text="kube-apiserver" >}} liveness and readiness endpoints
+(<tt>/healthz</tt>, <tt>/livez</tt>, <tt>/readyz</tt>), the individual health-check endpoints
 (<tt>/healthz/*</tt>, <tt>/livez/*</tt>, <tt>/readyz/*</tt>),  and <tt>/metrics</tt>).
  Note that individual health check endpoints and the metric endpoint may expose sensitive information.
 -->
@@ -1368,10 +1614,10 @@ Allows read access to control-plane monitoring endpoints
 The Kubernetes {{< glossary_tooltip term_id="kube-controller-manager" text="controller manager" >}} runs
 {{< glossary_tooltip term_id="controller" text="controllers" >}} that are built in to the Kubernetes
 control plane.
-When invoked with `-use-service-account-credentials`, kube-controller-manager starts each controller
+When invoked with `--use-service-account-credentials`, kube-controller-manager starts each controller
 using a separate service account.
 Corresponding roles exist for each built-in controller, prefixed with `system:controller:`.
-If the controller manager is not started with `-use-service-account-credentials`, it runs all control loops
+If the controller manager is not started with `--use-service-account-credentials`, it runs all control loops
 using its own credential, which must be granted all the relevant roles.
 These roles include:
 -->
@@ -1379,12 +1625,12 @@ These roles include:
 
 Kubernetes {{< glossary_tooltip term_id="kube-controller-manager" text="控制器管理器" >}}
 运行内建于 Kubernetes 控制面的{{< glossary_tooltip term_id="controller" text="控制器" >}}。
-当使用 `--use-service-account-credentials` 参数启动时, kube-controller-manager
+当使用 `--use-service-account-credentials` 参数启动时，kube-controller-manager
 使用单独的服务账户来启动每个控制器。
 每个内置控制器都有相应的、前缀为 `system:controller:` 的角色。
 如果控制管理器启动时未设置 `--use-service-account-credentials`，
 它使用自己的身份凭据来运行所有的控制器，该身份必须被授予所有相关的角色。
-这些角色包括:
+这些角色包括：
 
 * `system:controller:attachdetach-controller`
 * `system:controller:certificate-controller`
@@ -1415,12 +1661,12 @@ Kubernetes {{< glossary_tooltip term_id="kube-controller-manager" text="控制
 * `system:controller:ttl-controller`
 
 <!--
-## Privilege Escalation Prevention and Bootstrapping
+## Privilege escalation prevention and bootstrapping
 
 The RBAC API prevents users from escalating privileges by editing roles or role bindings.
 Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use.
 -->
-## 初始化与预防权限提升
+## 初始化与预防权限提升 {#privilege-escalation-prevention-and-bootstrapping}
 
 RBAC API 会阻止用户通过编辑角色或者角色绑定来提升权限。
 由于这一点是在 API 级别实现的，所以在 RBAC 鉴权组件未启用的状态下依然可以正常工作。
@@ -1434,7 +1680,7 @@ You can only create/update a role if at least one of the following things is tru
 (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role).
 2. You are granted explicit permission to perform the `escalate` verb on the `roles` or `clusterroles` resource in the `rbac.authorization.k8s.io` API group.
 -->
-### 对角色创建或更新的限制
+### 对角色创建或更新的限制 {#restrictions-on-role-creation-or-update}
 
 只有在符合下列条件之一的情况下，你才能创建/更新角色:
 
@@ -1470,7 +1716,7 @@ You can only create/update a role binding if you already have all the permission
 For example, if `user-1` does not have the ability to list Secrets cluster-wide, they cannot create a ClusterRoleBinding
 to a role that grants that permission. To allow a user to create/update role bindings:
 -->
-### 对角色绑定创建或更新的限制
+### 对角色绑定创建或更新的限制 {#restrictions-on-role-binding-creation-or-update}
 
 只有你已经具有了所引用的角色中包含的全部权限时，或者你被授权在所引用的角色上执行 `bind`
 动词时，你才可以创建或更新角色绑定。这里的权限与角色绑定的作用域相同。
@@ -1495,6 +1741,37 @@ For example, this ClusterRole and RoleBinding would allow `user-1` to grant othe
 例如，下面的 ClusterRole 和 RoleBinding 将允许用户 `user-1` 把名字空间 `user-1-namespace`
 中的 `admin`、`edit` 和 `view` 角色赋予其他用户：
 
+<!--
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: role-grantor
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["rolebindings"]
+  verbs: ["create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles"]
+  verbs: ["bind"]
+  # omit resourceNames to allow binding any ClusterRole
+  resourceNames: ["admin","edit","view"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: role-grantor-binding
+  namespace: user-1-namespace
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: role-grantor
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: user-1
+```
+-->
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -1529,33 +1806,32 @@ subjects:
 When bootstrapping the first roles and role bindings, it is necessary for the initial user to grant permissions they do not yet have.
 To bootstrap initial roles and role bindings:
 
-* Use a credential with the `system:masters` group, which is bound to the `cluster-admin` super-user role by the default bindings.
-* If your API server runs with the insecure port enabled (`-insecure-port`), you can also make API calls via that port, which does not enforce authentication or authorization.
+* Use a credential with the "system:masters" group, which is bound to the "cluster-admin" super-user role by the default bindings.
+* If your API server runs with the insecure port enabled (`--insecure-port`), you can also make API calls via that port, which does not enforce authentication or authorization.
 -->
 当启动引导第一个角色和角色绑定时，需要为初始用户授予他们尚未拥有的权限。
 对初始角色和角色绑定进行初始化时需要：
 
 * 使用用户组为 `system:masters` 的凭据，该用户组由默认绑定关联到 `cluster-admin`
   这个超级用户角色。
-* 如果你的 API 服务器启动时启用了不安全端口（使用 `--insecure-port`）, 你也可以通过
-  该端口调用 API ，这样的操作会绕过身份验证或鉴权。
+* 如果你的 API 服务器启动时启用了不安全端口（使用 `--insecure-port`），你也可以通过
+  该端口调用 API，这样的操作会绕过身份验证或鉴权。
 
 <!--
-## Command-line Utilities
+## Command-line utilities
+-->
+## 一些命令行工具 {#command-line-utilities}
 
 ### `kubectl create role`
 
-Creates a `Role` object defining permissions within a single namespace. Examples:
+<!--
+Creates a Role object defining permissions within a single namespace. Examples:
 
 * Create a Role named "pod-reader" that allows users to perform `get`, `watch` and `list` on pods:
 -->
-## 一些命令行工具
-
-### `kubectl create role`
-
 创建 Role 对象，定义在某一名字空间中的权限。例如:
 
-* 创建名称为 "pod-reader" 的 Role 对象，允许用户对 Pods 执行 `get`、`watch` 和 `list` 操作：
+* 创建名称为 “pod-reader” 的 Role 对象，允许用户对 Pods 执行 `get`、`watch` 和 `list` 操作：
 
   ```shell
   kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
@@ -1564,16 +1840,16 @@ Creates a `Role` object defining permissions within a single namespace. Examples
 <!--
 * Create a Role named "pod-reader" with resourceNames specified:
 -->
-* 创建名称为 "pod-reader" 的 Role 对象并指定 `resourceNames`：
+* 创建名称为 “pod-reader” 的 Role 对象并指定 `resourceNames`：
 
   ```shell
   kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
   ```
 
 <!--
-* Create a `Role` named "foo" with apiGroups specified:
+* Create a Role named "foo" with apiGroups specified:
 -->
-* 创建名为 "foo" 的 Role 对象并指定 `apiGroups`：
+* 创建名为 “foo” 的 Role 对象并指定 `apiGroups`：
 
   ```shell
   kubectl create role foo --verb=get,list,watch --resource=replicasets.apps
@@ -1582,7 +1858,7 @@ Creates a `Role` object defining permissions within a single namespace. Examples
 <!--
 * Create a Role named "foo" with subresource permissions:
 -->
-* 创建名为 "foo" 的 Role 对象并指定子资源权限:
+* 创建名为 “foo” 的 Role 对象并指定子资源权限:
 
   ```shell
   kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
@@ -1591,7 +1867,7 @@ Creates a `Role` object defining permissions within a single namespace. Examples
 <!--
 * Create a Role named "my-component-lease-holder" with permissions to get/update a resource with a specific name:
 -->
-* 创建名为 "my-component-lease-holder" 的 Role 对象，使其具有对特定名称的
+* 创建名为 “my-component-lease-holder” 的 Role 对象，使其具有对特定名称的
   资源执行 get/update 的权限：
 
   ```shell
@@ -1607,7 +1883,7 @@ Creates a ClusterRole. Examples:
 -->
 创建 ClusterRole 对象。例如：
 
-* 创建名称为 "pod-reader" 的 ClusterRole`对象，允许用户对 Pods 对象执行 `get`、
+* 创建名称为 “pod-reader” 的 ClusterRole 对象，允许用户对 Pods 对象执行 `get`、
   `watch` 和 `list` 操作：
 
   ```shell
@@ -1617,7 +1893,7 @@ Creates a ClusterRole. Examples:
 <!--
 * Create a ClusterRole named "pod-reader" with resourceNames specified:
 -->
-* 创建名为 "pod-reader" 的 ClusterRole 对象并指定 `resourceNames`：
+* 创建名为 “pod-reader” 的 ClusterRole 对象并指定 `resourceNames`：
 
   ```shell
   kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
@@ -1626,7 +1902,7 @@ Creates a ClusterRole. Examples:
 <!--
 * Create a ClusterRole named "foo" with apiGroups specified:
 -->
-* 创建名为 "foo" 的 ClusterRole 对象并指定 `apiGroups`：
+* 创建名为 “foo” 的 ClusterRole 对象并指定 `apiGroups`：
 
   ```shell
   kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.apps
@@ -1635,7 +1911,7 @@ Creates a ClusterRole. Examples:
 <!--
 * Create a ClusterRole named "foo" with subresource permissions:
 -->
-* 创建名为 "foo" 的 ClusterRole 对象并指定子资源:
+* 创建名为 “foo” 的 ClusterRole 对象并指定子资源:
 
   ```shell
   kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
@@ -1644,7 +1920,7 @@ Creates a ClusterRole. Examples:
 <!--
 * Create a ClusterRole named "foo" with nonResourceURL specified:
 -->
-* 创建名为 "foo" 的 ClusterRole 对象并指定 `nonResourceURL`：
+* 创建名为 “foo” 的 ClusterRole 对象并指定 `nonResourceURL`：
 
   ```shell
   kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
@@ -1653,7 +1929,7 @@ Creates a ClusterRole. Examples:
 <!--
 * Create a ClusterRole named "monitoring" with an aggregationRule specified:
 -->
-* 创建名为 "monitoring" 的 ClusterRole 对象并指定 `aggregationRule`：
+* 创建名为 “monitoring” 的 ClusterRole 对象并指定 `aggregationRule`：
 
   ```shell
   kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
@@ -1668,7 +1944,7 @@ Grants a Role or ClusterRole within a specific namespace. Examples:
 -->
 在特定的名字空间中对 `Role` 或 `ClusterRole` 授权。例如：
 
-* 在名字空间 "acme" 中，将名为 `admin` 的 ClusterRole 中的权限授予名称 "bob" 的用户:
+* 在名字空间 “acme” 中，将名为 `admin` 的 ClusterRole 中的权限授予名称 “bob” 的用户:
 
   ```shell
   kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme
@@ -1677,7 +1953,7 @@ Grants a Role or ClusterRole within a specific namespace. Examples:
 <!--
 * Within the namespace "acme", grant the permissions in the "view" ClusterRole to the service account in the namespace "acme" named "myapp":
 -->
-* 在名字空间 "acme" 中，将名为 `view` 的 ClusterRole 中的权限授予名字空间 "acme"
+* 在名字空间 “acme” 中，将名为 `view` 的 ClusterRole 中的权限授予名字空间 “acme”
   中名为 `myapp` 的服务账户：
 
   ```shell
@@ -1687,8 +1963,8 @@ Grants a Role or ClusterRole within a specific namespace. Examples:
 <!--
 * Within the namespace "acme", grant the permissions in the "view" ClusterRole to a service account in the namespace "myappnamespace" named "myapp":
 -->
-* 在名字空间 "acme" 中，将名为 `view` 的 ClusterRole 对象中的权限授予名字空间
-  "myappnamespace" 中名称为 `myapp` 的服务账户：
+* 在名字空间 “acme” 中，将名为 `view` 的 ClusterRole 对象中的权限授予名字空间
+  “myappnamespace” 中名称为 `myapp` 的服务账户：
 
   ```shell
   kubectl create rolebinding myappnamespace-myapp-view-binding --clusterrole=view --serviceaccount=myappnamespace:myapp --namespace=acme
@@ -1704,7 +1980,7 @@ Grants a ClusterRole across the entire cluster (all namespaces). Examples:
 在整个集群（所有名字空间）中用 ClusterRole 授权。例如：
 
 * 在整个集群范围，将名为 `cluster-admin` 的 ClusterRole 中定义的权限授予名为
-  "root" 用户：
+  “root” 用户：
 
   ```shell
   kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
@@ -1714,7 +1990,7 @@ Grants a ClusterRole across the entire cluster (all namespaces). Examples:
 * Across the entire cluster, grant the permissions in the "system:node-proxier" ClusterRole to a user named "system:kube-proxy":
 -->
 * 在整个集群范围内，将名为 `system:node-proxier` 的 ClusterRole 的权限授予名为
-  "system:kube-proxy" 的用户：
+  “system:kube-proxy” 的用户：
 
   ```shell
   kubectl create clusterrolebinding kube-proxy-binding --clusterrole=system:node-proxier --user=system:kube-proxy
@@ -1723,8 +1999,8 @@ Grants a ClusterRole across the entire cluster (all namespaces). Examples:
 <!--
 * Across the entire cluster, grant the permissions in the "view" ClusterRole to a service account named "myapp" in the namespace "acme":
 -->
-* 在整个集群范围内，将名为 `view` 的 ClusterRole 中定义的权限授予 "acme" 名字空间中
-  名为 "myapp" 的服务账户：
+* 在整个集群范围内，将名为 `view` 的 ClusterRole 中定义的权限授予 “acme” 名字空间中
+  名为 “myapp” 的服务账户：
 
   ```shell
   kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp
@@ -1762,7 +2038,7 @@ Examples:
 * 测试应用 RBAC 对象的清单文件，显示将要进行的更改：
 
   ```shell
-  kubectl auth reconcile -f my-rbac-rules.yaml --dry-run
+  kubectl auth reconcile -f my-rbac-rules.yaml --dry-run=client
   ```
 
 <!--
@@ -1777,27 +2053,23 @@ Examples:
 <!--
 * Apply a manifest file of RBAC objects, removing any extra permissions (in roles) and any extra subjects (in bindings):
 -->
-* 应用 RBAC 对象的清单文件, 删除角色中的额外权限和绑定中的其他主体：
+* 应用 RBAC 对象的清单文件，删除角色中的额外权限和绑定中的其他主体：
 
   ```shell
   kubectl auth reconcile -f my-rbac-rules.yaml --remove-extra-subjects --remove-extra-permissions
   ```
 
 <!--
-See the CLI help for detailed usage.
--->
-查看 CLI 帮助获取详细的用法。
-
-<!--
-## ServiceAccount Permissions
+## ServiceAccount permissions {#service-account-permissions}
 
 Default RBAC policies grant scoped permissions to control-plane components, nodes,
 and controllers, but grant *no permissions* to service accounts outside the `kube-system` namespace
 (beyond discovery permissions given to all authenticated users).
 
-This allows you to grant particular roles to particular service accounts as needed.
+This allows you to grant particular roles to particular ServiceAccounts as needed.
 Fine-grained role bindings provide greater security, but require more effort to administrate.
-Broader grants can give unnecessary (and potentially escalating) API access to service accounts, but are easier to administrate.
+Broader grants can give unnecessary (and potentially escalating) API access to
+ServiceAccounts, but are easier to administrate.
 -->
 ## 服务账户权限   {#service-account-permissions}
 
@@ -1805,9 +2077,9 @@ Broader grants can give unnecessary (and potentially escalating) API access to s
 但是不会对 `kube-system` 名字空间之外的服务账户授予权限。
 （除了授予所有已认证用户的发现权限）
 
-这使得你可以根据需要向特定服务账户授予特定权限。
+这使得你可以根据需要向特定 ServiceAccount 授予特定权限。
 细粒度的角色绑定可带来更好的安全性，但需要更多精力管理。
-粗粒度的授权可能导致服务账户被授予不必要的 API 访问权限（甚至导致潜在的权限提升），
+粗粒度的授权可能导致 ServiceAccount 被授予不必要的 API 访问权限（甚至导致潜在的权限提升），
 但更易于管理。
 
 <!--
@@ -1826,9 +2098,9 @@ In order from most secure to least secure, the approaches are:
    For example, grant read-only permission within "my-namespace" to the "my-sa" service account:
    -->
    这要求应用在其 Pod 规约中指定 `serviceAccountName`，
-   并额外创建服务账户（包括通过 API、应用程序清单、`kubectl create serviceaccount` 等）。  
+   并额外创建服务账户（包括通过 API、应用程序清单、`kubectl create serviceaccount` 等）。
 
-   例如，在名字空间 "my-namespace" 中授予服务账户 "my-sa" 只读权限：
+   例如，在名字空间 “my-namespace” 中授予服务账户 “my-sa” 只读权限：
 
    ```shell
    kubectl create rolebinding my-sa-view \
@@ -1840,7 +2112,7 @@ In order from most secure to least secure, the approaches are:
 <!--
 2. Grant a role to the "default" service account in a namespace
 -->
-2. 将角色授予某名字空间中的 "default" 服务账户
+2. 将角色授予某名字空间中的 “default” 服务账户
 
    <!--
    If an application does not specify a `serviceAccountName`, it uses the "default" service account.
@@ -1852,7 +2124,7 @@ In order from most secure to least secure, the approaches are:
 
    For example, grant read-only permission within "my-namespace" to the "default" service account:
    -->
-   如果某应用没有指定 `serviceAccountName`，那么它将使用 "default" 服务账户。
+   如果某应用没有指定 `serviceAccountName`，那么它将使用 “default” 服务账户。
 
    {{< note >}}
    "default" 服务账户所具有的权限会被授予给名字空间中所有未指定
@@ -1874,20 +2146,20 @@ In order from most secure to least secure, the approaches are:
    To allow those add-ons to run with super-user access, grant cluster-admin
    permissions to the "default" service account in the `kube-system` namespace.
 
-   {{< note >}}
+   {{< caution >}}
    Enabling this means the `kube-system` namespace contains Secrets
-   that grant super-user access to the API.
-   {{< /note >}}
+   that grant super-user access to your cluster's API.
+   {{< /caution >}}
    -->
-   许多[插件组件](/zh/docs/concepts/cluster-administration/addons/) 在 `kube-system`
-   名字空间以 "default" 服务账户运行。
+   许多[插件组件](/zh/docs/concepts/cluster-administration/addons/)在 `kube-system`
+   名字空间以 “default” 服务账户运行。
    要允许这些插件组件以超级用户权限运行，需要将集群的 `cluster-admin` 权限授予
-   `kube-system` 名字空间中的 "default" 服务账户。
+   `kube-system` 名字空间中的 “default” 服务账户。
 
-   {{< note >}}
-   启用这一配置意味着在 `kube-system` 名字空间中包含以超级用户账号来访问 API
+   {{< caution >}}
+   启用这一配置意味着在 `kube-system` 名字空间中包含以超级用户账号来访问集群 API
    的 Secrets。
-   {{< /note >}}
+   {{< /caution >}}
 
    ```shell
    kubectl create clusterrolebinding add-on-cluster-admin \
@@ -1907,7 +2179,7 @@ In order from most secure to least secure, the approaches are:
    如果你想要名字空间中所有应用都具有某角色，无论它们使用的什么服务账户，
    可以将角色授予该名字空间的服务账户组。
 
-   例如，在名字空间 "my-namespace" 中的只读权限授予该名字空间中的所有服务账户：
+   例如，在名字空间 “my-namespace” 中的只读权限授予该名字空间中的所有服务账户：
 
    ```shell
    kubectl create rolebinding serviceaccounts-view \
@@ -1949,7 +2221,7 @@ In order from most secure to least secure, the approaches are:
 -->
 5. 授予超级用户访问权限给集群范围内的所有服务帐户（强烈不鼓励）
 
-   如果你不关心如何区分权限，你可以将超级用户访问权限授予所有服务账户。
+   如果你不在乎如何区分权限，你可以将超级用户访问权限授予所有服务账户。
 
    {{< warning >}}
    这样做会允许所有应用都对你的集群拥有完全的访问权限，并将允许所有能够读取
@@ -1978,19 +2250,16 @@ guidance for restricting this access in existing clusters.
 
 If you want new clusters to retain this level of access in the aggregated roles,
 you can create the following ClusterRole:
-
-{{< codenew file="access/endpoints-aggregated.yaml" >}}
 -->
 ## Endpoints 写权限 {#write-access-for-endpoints}
 
 在 Kubernetes v1.22 之前版本创建的集群里，
-"edit" 和 "admin" 聚合角色包含对 Endpoints 的写权限。
+“edit” 和 “admin” 聚合角色包含对 Endpoints 的写权限。
 作为 [CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675) 的缓解措施，
 此访问权限不包含在 Kubernetes 1.22 以及更高版本集群的聚合角色里。
 
 升级到 Kubernetes v1.22 版本的现有集群不会包括此变化。
-[CVE 公告](https://github.com/kubernetes/kubernetes/issues/103675)
-包含了在现有集群里限制此访问权限的指引。
+[CVE 公告](https://github.com/kubernetes/kubernetes/issues/103675)包含了在现有集群里限制此访问权限的指引。
 
 如果你希望在新集群的聚合角色里保留此访问权限，你可以创建下面的 ClusterRole：
 
@@ -2010,7 +2279,7 @@ and controllers, but grant *no permissions* to service accounts outside the `kub
 While far more secure, this can be disruptive to existing workloads expecting to automatically receive API permissions.
 Here are two approaches for managing this transition:
 -->
-## 从 ABAC 升级
+## 从 ABAC 升级 {#upgrading-from-abac}
 
 原来运行较老版本 Kubernetes 的集群通常会使用限制宽松的 ABAC 策略，
 包括授予所有服务帐户全权访问 API 的能力。
@@ -2023,19 +2292,19 @@ Here are two approaches for managing this transition:
 这里有两种方法来完成这种转换:
 
 <!--
-### Parallel Authorizers
+### Parallel authorizers
 
 Run both the RBAC and ABAC authorizers, and specify a policy file that contains
-[the legacy ABAC policy](/docs/reference/access-authn-authz/abac/#policy-file-format):
+the [legacy ABAC policy](/docs/reference/access-authn-authz/abac/#policy-file-format):
 -->
 ### 并行鉴权    {#parallel-authorizers}
 
-同时运行 RBAC 和 ABAC 鉴权模式, 并指定包含
+同时运行 RBAC 和 ABAC 鉴权模式，并指定包含
 [现有的 ABAC 策略](/zh/docs/reference/access-authn-authz/abac/#policy-file-format)
 的策略文件：
 
 ```shell
---authorization-mode=RBAC,ABAC --authorization-policy-file=mypolicy.json
+--authorization-mode=...,RBAC,ABAC --authorization-policy-file=mypolicy.json
 ```
 
 <!--
@@ -2049,30 +2318,30 @@ RBAC 鉴权组件尝试对该 API 请求鉴权。如果 RBAC 也拒绝了该 API
 鉴权组件。这意味着被 RBAC 或 ABAC 策略所允许的任何请求都是被允许的请求。
 
 <!--
-When the apiserver is run with a log level of 5 or higher for the RBAC component
-(`--vmodule=rbac*=5` or `--v=5`), you can see RBAC details in the apiserver log
-(prefixed with `RBAC:`).
+When the kube-apiserver is run with a log level of 5 or higher for the RBAC component
+(`--vmodule=rbac*=5` or `--v=5`), you can see RBAC denials in the API server log
+(prefixed with `RBAC`).
 You can use that information to determine which roles need to be granted to which users, groups, or service accounts.
 -->
-如果 API 服务器启动时，RBAC 组件的日志级别为 5 或更高（`--vmodule=rbac*=5` 或 `--v=5`），
-你可以在 API 服务器的日志中看到 RBAC 的细节 （前缀 `RBAC:`）
+如果 kube-apiserver 启动时，RBAC 组件的日志级别为 5 或更高（`--vmodule=rbac*=5` 或 `--v=5`），
+你可以在 API 服务器的日志中看到 RBAC  拒绝的细节（前缀 `RBAC`）
 你可以使用这些信息来确定需要将哪些角色授予哪些用户、组或服务帐户。
 
 <!--
 Once you have [granted roles to service accounts](#service-account-permissions) and workloads
 are running with no RBAC denial messages in the server logs, you can remove the ABAC authorizer.
 -->
-一旦你[将角色授予服务账户](#service-account-permissions) ，工作负载运行时
-在服务器日志中没有出现 RBAC 拒绝消息，就可以删除 ABAC 鉴权器。
+一旦你[将角色授予服务账户](#service-account-permissions)且工作负载运行时，
+服务器日志中没有出现 RBAC 拒绝消息，就可以删除 ABAC 鉴权器。
 
 <!--
-### Permissive RBAC Permissions
+### Permissive RBAC permissions
 
-You can replicate a permissive policy using RBAC role bindings.
+You can replicate a permissive ABAC policy using RBAC role bindings.
 -->
 ### 宽松的 RBAC 权限   {#permissive-rbac-permissions}
 
-你可以使用 RBAC 角色绑定在多个场合使用宽松的策略。
+你可以使用 RBAC 角色绑定复制宽松的 ABAC 策略。
 
 {{< warning >}}
 <!--
@@ -2084,7 +2353,6 @@ This is not a recommended policy.
 下面的策略允许 **所有** 服务帐户充当集群管理员。
 容器中运行的所有应用程序都会自动收到服务帐户的凭据，可以对 API 执行任何操作，
 包括查看 Secrets 和修改权限。这一策略是不被推荐的。
-{{< /warning >}}
 
 ```shell
 kubectl create clusterrolebinding permissive-binding \
@@ -2093,10 +2361,10 @@ kubectl create clusterrolebinding permissive-binding \
   --user=kubelet \
   --group=system:serviceaccounts
 ```
+{{< /warning >}}
 
 <!--
 After you have transitioned to use RBAC, you should adjust the access controls
 for your cluster to ensure that these meet your information security needs.
 -->
 在你完成到 RBAC 的迁移后，应该调整集群的访问控制，确保相关的策略满足你的信息安全需求。
-
diff --git a/content/zh/docs/reference/access-authn-authz/service-accounts-admin.md b/content/zh-cn/docs/reference/access-authn-authz/service-accounts-admin.md
similarity index 100%
rename from content/zh/docs/reference/access-authn-authz/service-accounts-admin.md
rename to content/zh-cn/docs/reference/access-authn-authz/service-accounts-admin.md
diff --git a/content/zh/docs/reference/access-authn-authz/webhook.md b/content/zh-cn/docs/reference/access-authn-authz/webhook.md
similarity index 83%
rename from content/zh/docs/reference/access-authn-authz/webhook.md
rename to content/zh-cn/docs/reference/access-authn-authz/webhook.md
index 0ef1e6a18d19c..29032a7353b72 100644
--- a/content/zh/docs/reference/access-authn-authz/webhook.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/webhook.md
@@ -1,15 +1,9 @@
 ---
-reviewers:
-- erictune
-- lavalamp
-- deads2k
-- liggitt
 title: Webhook 模式
 content_type: concept
 weight: 95
 ---
 <!--
----
 reviewers:
 - erictune
 - lavalamp
@@ -18,7 +12,6 @@ reviewers:
 title: Webhook Mode
 content_type: concept
 weight: 95
----
 -->
 
 <!-- overview -->
@@ -38,7 +31,7 @@ service when determining user privileges.
 <!--
 ## Configuration File Format
 -->
-## 配置文件格式
+## 配置文件格式 {#configuration-file-format}
 
 <!--
 Mode `Webhook` requires a file for HTTP configuration, specify by the
@@ -51,7 +44,8 @@ The configuration file uses the [kubeconfig](/docs/tasks/access-application-clus
 file format. Within the file "users" refers to the API Server webhook and
 "clusters" refers to the remote service.
 -->
-配置文件的格式使用 [kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)。在文件中，"users" 代表着 API 服务器的 webhook，而 "cluster" 代表着远程服务。
+配置文件的格式使用 [kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)。
+在该文件中，“users” 代表着 API 服务器的 webhook，而 “cluster” 代表着远程服务。
 
 <!--
 A configuration example which uses HTTPS client auth:
@@ -122,7 +116,7 @@ contexts:
 <!--
 ## Request Payloads
 -->
-## 请求载荷
+## 请求载荷 {#request-payloads}
 
 <!--
 When faced with an authorization decision, the API Server POSTs a JSON-
@@ -131,7 +125,8 @@ action. This object contains fields describing the user attempting to make the
 request, and either details about the resource being accessed or requests
 attributes.
 -->
-在做认证决策时，API 服务器会 POST 一个 JSON 序列化的 `authorization.k8s.io/v1beta1` `SubjectAccessReview` 对象来描述这个动作。这个对象包含了描述用户请求的字段，同时也包含了需要被访问资源或请求特征的具体信息。
+在做认证决策时，API 服务器会 POST 一个 JSON 序列化的 `authorization.k8s.io/v1beta1` `SubjectAccessReview`
+对象来描述这个动作。这个对象包含了描述用户请求的字段，同时也包含了需要被访问资源或请求特征的具体信息。
 
 <!--
 Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/concepts/overview/kubernetes-api/)
@@ -140,7 +135,9 @@ compatibility promises for beta objects and check the "apiVersion" field of the
 request to ensure correct deserialization. Additionally, the API Server must
 enable the `authorization.k8s.io/v1beta1` API extensions group (`--runtime-config=authorization.k8s.io/v1beta1=true`).
 -->
-需要注意的是 webhook API 对象与其他 Kubernetes API 对象一样都同样都服从[版本兼容规则](/zh/docs/concepts/overview/kubernetes-api/)。实施人员应该了解 beta 对象的更宽松的兼容性承诺，同时确认请求的 "apiVersion" 字段能被正确地反序列化。此外，API 服务器还必须启用 `authorization.k8s.io/v1beta1` API 扩展组 (`--runtime-config=authorization.k8s.io/v1beta1=true`)。
+需要注意的是 webhook API 对象与其他 Kubernetes API 对象一样都同样都遵从[版本兼容规则](/zh/docs/concepts/overview/kubernetes-api/)。
+实施人员应该了解 beta 对象的更宽松的兼容性承诺，同时确认请求的 "apiVersion" 字段能被正确地反序列化。
+此外，API 服务器还必须启用 `authorization.k8s.io/v1beta1` API 扩展组 (`--runtime-config=authorization.k8s.io/v1beta1=true`)。
 
 <!--
 An example request body:
@@ -173,6 +170,7 @@ the request and respond to either allow or disallow access. The response body's
 `spec` field is ignored and may be omitted. A permissive response would return:
 -->
 期待远程服务填充请求的 `status` 字段并响应允许或禁止访问。响应主体的 `spec` 字段被忽略，可以省略。允许的响应将返回:
+
 ```json
 {
   "apiVersion": "authorization.k8s.io/v1beta1",
@@ -195,7 +193,8 @@ authorizers are configured, they are given a chance to allow the request.
 If there are no other authorizers, or none of them allow the request, the
 request is forbidden. The webhook would return:
 -->
-在大多数情况下，第一种方法是首选方法，它指示授权 webhook 不允许或对请求"无意见"，但是，如果配置了其他授权者，则可以给他们机会允许请求。如果没有其他授权者，或者没有一个授权者，则该请求被禁止。webhook 将返回:
+在大多数情况下，第一种方法是首选方法，它指示授权 webhook 不允许或对请求 “无意见”。
+但是，如果配置了其他授权者，则可以给他们机会允许请求。如果没有其他授权者，或者没有一个授权者，则该请求被禁止。webhook 将返回：
 
 ```json
 {
@@ -214,7 +213,7 @@ configured authorizers. This should only be used by webhooks that have
 detailed knowledge of the full authorizer configuration of the cluster.
 The webhook would return:
 -->
-第二种方法立即拒绝其他配置的授权者进行短路评估。仅应由对集群的完整授权者配置有详细了解的 webhook 使用。webhook 将返回:
+第二种方法立即拒绝其他配置的授权者进行短路评估。仅应由对集群的完整授权者配置有详细了解的 webhook 使用。webhook 将返回：
 
 ```json
 {
@@ -252,16 +251,16 @@ Access to non-resource paths are sent as:
 ```
 
 <!--
-Non-resource paths include: `/api`, `/apis`, `/metrics`, `/resetMetrics`,
-`/logs`, `/debug`, `/healthz`, `/swagger-ui/`, `/swaggerapi/`, `/ui`, and
+Non-resource paths include: `/api`, `/apis`, `/metrics`,
+`/logs`, `/debug`, `/healthz`, `/livez`, `/openapi/v2`, `/readyz`, and
 `/version.` Clients require access to `/api`, `/api/*`, `/apis`, `/apis/*`,
 and `/version` to discover what resources and versions are present on the server.
 Access to other non-resource paths can be disallowed without restricting access
 to the REST api.
 -->
-非资源类的路径包括：`/api`, `/apis`, `/metrics`, `/resetMetrics`,
-`/logs`, `/debug`, `/healthz`, `/swagger-ui/`, `/swaggerapi/`, `/ui`, 和
-`/version`。客户端需要访问 `/api`, `/api/*`, `/apis`, `/apis/*`, 和 `/version` 以便
+非资源类的路径包括：`/api`、`/apis`、`/metrics`、`/logs`、`/debug`、
+`/healthz`、`/livez`、`/openapi/v2`、`/readyz`、和 `/version`。
+客户端需要访问 `/api`、`/api/*`、`/apis`、`/apis/*` 和 `/version` 以便
 能发现服务器上有什么资源和版本。对于其他非资源类的路径访问在没有 REST API 访问限制的情况下拒绝。
 
 <!--
diff --git a/content/zh/docs/reference/command-line-tools-reference/_index.md b/content/zh-cn/docs/reference/command-line-tools-reference/_index.md
similarity index 100%
rename from content/zh/docs/reference/command-line-tools-reference/_index.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/_index.md
diff --git a/content/zh/docs/reference/command-line-tools-reference/feature-gates.md b/content/zh-cn/docs/reference/command-line-tools-reference/feature-gates.md
similarity index 91%
rename from content/zh/docs/reference/command-line-tools-reference/feature-gates.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/feature-gates.md
index 10e288d7fad37..4b7197fc603fc 100644
--- a/content/zh/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/feature-gates.md
@@ -109,10 +109,9 @@ different Kubernetes components.
 | `APIServerIdentity` | `false` | Alpha | 1.20 | |
 | `APIServerTracing` | `false` | Alpha | 1.22 | |
 | `AllowInsecureBackendProxy` | `true` | Beta | 1.17 | |
-| `AnyVolumeDataSource` | `false` | Alpha | 1.18 | |
+| `AnyVolumeDataSource` | `false` | Alpha | 1.18 | 1.23 |
+| `AnyVolumeDataSource` | `true` | Beta | 1.24 | |
 | `AppArmor` | `true` | Beta | 1.4 | |
-| `ControllerManagerLeaderMigration` | `false` | Alpha | 1.21 | 1.21 |
-| `ControllerManagerLeaderMigration` | `true` | Beta | 1.22 | |
 | `CPUManager` | `false` | Alpha | 1.8 | 1.9 |
 | `CPUManager` | `true` | Beta | 1.10 | |
 | `CPUManagerPolicyAlphaOptions` | `false` | Alpha | 1.23 | |
@@ -126,31 +125,21 @@ different Kubernetes components.
 | `CSIMigrationAWS` | `false` | Alpha | 1.14 | 1.16 |
 | `CSIMigrationAWS` | `false` | Beta | 1.17 | 1.22 |
 | `CSIMigrationAWS` | `true` | Beta | 1.23 | |
-| `CSIMigrationAzureDisk` | `false` | Alpha | 1.15 | 1.18 |
-| `CSIMigrationAzureDisk` | `false` | Beta | 1.19 | 1.22 |
-| `CSIMigrationAzureDisk` | `true` | Beta | 1.23 | |
 | `CSIMigrationAzureFile` | `false` | Alpha | 1.15 | 1.19 |
-| `CSIMigrationAzureFile` | `false` | Beta | 1.21 | |
+| `CSIMigrationAzureFile` | `false` | Beta | 1.21 | 1.23 |
+| `CSIMigrationAzureFile` | `true` | Beta | 1.24 | |
 | `CSIMigrationGCE` | `false` | Alpha | 1.14 | 1.16 |
 | `CSIMigrationGCE` | `false` | Beta | 1.17 | 1.22 |
 | `CSIMigrationGCE` | `true` | Beta | 1.23 | |
-| `CSIMigrationOpenStack` | `false` | Alpha | 1.14 | 1.17 |
-| `CSIMigrationOpenStack` | `true` | Beta | 1.18 | |
 | `CSIMigrationvSphere` | `false` | Beta | 1.19 | |
 | `CSIMigrationPortworx` | `false` | Alpha | 1.23 | |
 | `csiMigrationRBD` | `false` | Alpha | 1.23 | |
-| `CSIStorageCapacity` | `false` | Alpha | 1.19 | 1.20 |
-| `CSIStorageCapacity` | `true` | Beta | 1.21 | |
 | `CSIVolumeHealth` | `false` | Alpha | 1.21 | |
-| `CSRDuration` | `true` | Beta | 1.22 | |
-| `ControllerManagerLeaderMigration` | `false` | Alpha | 1.21 | 1.21 |
-| `ControllerManagerLeaderMigration` | `true` | Beta | 1.22 | |
+| `ContextualLogging` | `false` | Alpha | 1.24 | |
 | `CustomCPUCFSQuotaPeriod` | `false` | Alpha | 1.12 | |
 | `CustomResourceValidationExpressions` | `false` | Alpha | 1.23 | |
 | `DaemonSetUpdateSurge` | `false` | Alpha | 1.21 | 1.21 |
 | `DaemonSetUpdateSurge` | `true` | Beta | 1.22 | |
-| `DefaultPodTopologySpread` | `false` | Alpha | 1.19 | 1.19 |
-| `DefaultPodTopologySpread` | `true` | Beta | 1.20 | |
 | `DelegateFSGroupToCSIDriver` | `false` | Alpha | 1.22 | 1.22 |
 | `DelegateFSGroupToCSIDriver` | `true` | Beta | 1.23 | |
 | `DevicePlugins` | `false` | Alpha | 1.8 | 1.9 |
@@ -160,31 +149,25 @@ different Kubernetes components.
 | `DisableCloudProviders` | `false` | Alpha | 1.22 | |
 | `DisableKubeletCloudCredentialProviders` | `false` | Alpha | 1.23 | |
 | `DownwardAPIHugePages` | `false` | Alpha | 1.20 | 1.20 |
-| `DownwardAPIHugePages` | `false` | Beta | 1.21 | |
-| `EfficientWatchResumption` | `false` | Alpha | 1.20 | 1.20 |
-| `EfficientWatchResumption` | `true` | Beta | 1.21 | |
+| `DownwardAPIHugePages` | `false` | Beta | 1.21 | 1.21 |
+| `DownwardAPIHugePages` | `true` | Beta | 1.22 | |
 | `EndpointSliceTerminatingCondition` | `false` | Alpha | 1.20 | 1.21 |
 | `EndpointSliceTerminatingCondition` | `true` | Beta | 1.22 | |
 | `EphemeralContainers` | `false` | Alpha | 1.16 | 1.22 |
 | `EphemeralContainers` | `true` | Beta | 1.23 | |
-| `ExpandCSIVolumes` | `false` | Alpha | 1.14 | 1.15 |
-| `ExpandCSIVolumes` | `true` | Beta | 1.16 | |
 | `ExpandedDNSConfig` | `false` | Alpha | 1.22 | |
-| `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.14 |
-| `ExpandInUsePersistentVolumes` | `true` | Beta | 1.15 | |
-| `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 |
-| `ExpandPersistentVolumes` | `true` | Beta | 1.11 | |
 | `ExperimentalHostUserNamespaceDefaulting` | `false` | Beta | 1.5 | |
 | `GracefulNodeShutdown` | `false` | Alpha | 1.20 | 1.20 |
 | `GracefulNodeShutdown` | `true` | Beta | 1.21 | |
-| `GracefulNodeShutdownBasedOnPodPriority` | `false` | Alpha | 1.23 | |
-| `GRPCContainerProbe` | `false` | Alpha | 1.23 | |
-| `HonorPVReclaimPolicy` | `false` | Alpha | 1.23 | |
+| `GracefulNodeShutdownBasedOnPodPriority` | `false` | Alpha | 1.23 | 1.23 |
+| `GracefulNodeShutdownBasedOnPodPriority` | `true` | Beta | 1.24 | |
+| `GRPCContainerProbe` | `false` | Alpha | 1.23 | 1.23 |
+| `GRPCContainerProbe` | `true` | Beta | 1.24 | |
+| `HonorPVReclaimPolicy` | `false` | Alpha | 1.23 |  |
 | `HPAContainerMetrics` | `false` | Alpha | 1.20 | |
 | `HPAScaleToZero` | `false` | Alpha | 1.16 | |
-| `IdentifyPodOS` | `false` | Alpha | 1.23 | |
-| `IndexedJob` | `false` | Alpha | 1.21 | 1.21 |
-| `IndexedJob` | `true` | Beta | 1.22 | |
+| `IdentifyPodOS` | `false` | Alpha | 1.23 | 1.23 |
+| `IdentifyPodOS` | `true` | Beta | 1.24 | |
 | `InTreePluginAWSUnregister` | `false` | Alpha | 1.21 | |
 | `InTreePluginAzureDiskUnregister` | `false` | Alpha | 1.21 | |
 | `InTreePluginAzureFileUnregister` | `false` | Alpha | 1.21 | |
@@ -194,42 +177,44 @@ different Kubernetes components.
 | `InTreePluginRBDUnregister` | `false` | Alpha | 1.23 | |
 | `InTreePluginvSphereUnregister` | `false` | Alpha | 1.21 | |
 | `JobMutableNodeSchedulingDirectives` | `true` | Beta | 1.23 | |
-| `JobReadyPods` | `false` | Alpha | 1.23 | |
+| `JobReadyPods` | `false` | Alpha | 1.23 | 1.23 |
+| `JobReadyPods` | `true` | Beta | 1.24 | |
 | `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 |
-| `JobTrackingWithFinalizers` | `true` | Beta | 1.23 | |
-| `KubeletCredentialProviders` | `false` | Alpha | 1.20 | |
+| `JobTrackingWithFinalizers` | `true` | Beta | 1.23 | 1.23 |
+| `JobTrackingWithFinalizers` | `false` | Beta | 1.24 | |
+| `KubeletCredentialProviders` | `false` | Alpha | 1.20 | 1.23 |
+| `KubeletCredentialProviders` | `true` | Beta | 1.24 | |
 | `KubeletInUserNamespace` | `false` | Alpha | 1.22 | |
 | `KubeletPodResources` | `false` | Alpha | 1.13 | 1.14 |
 | `KubeletPodResources` | `true` | Beta | 1.15 | |
 | `KubeletPodResourcesGetAllocatable` | `false` | Alpha | 1.21 | 1.22 |
-| `KubeletPodResourcesGetAllocatable` | `false` | Beta | 1.23 | |
+| `KubeletPodResourcesGetAllocatable` | `true` | Beta | 1.23 | |
 | `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 |
 | `LocalStorageCapacityIsolation` | `true` | Beta | 1.10 | |
 | `LocalStorageCapacityIsolationFSQuotaMonitoring` | `false` | Alpha | 1.15 | |
 | `LogarithmicScaleDown` | `false` | Alpha | 1.21 | 1.21 |
 | `LogarithmicScaleDown` | `true` | Beta | 1.22 | |
+| `MaxUnavailableStatefulSet` | `false` | Alpha | 1.24 | |
 | `MemoryManager` | `false` | Alpha | 1.21 | 1.21 |
 | `MemoryManager` | `true` | Beta | 1.22 | |
 | `MemoryQoS` | `false` | Alpha | 1.22 | |
-| `MixedProtocolLBService` | `false` | Alpha | 1.20 | |
+| `MinDomainsInPodTopologySpread` | `false` | Alpha | 1.24 | |
+| `MixedProtocolLBService` | `false` | Alpha | 1.20 | 1.23 |
+| `MixedProtocolLBService` | `true` | Beta | 1.24 | |
 | `NetworkPolicyEndPort` | `false` | Alpha | 1.21 | 1.21 |
 | `NetworkPolicyEndPort` | `true` | Beta | 1.22 |  |
+| `NetworkPolicyStatus` | `false` | Alpha | 1.24 |  |
 | `NodeSwap` | `false` | Alpha | 1.22 | |
-| `NonPreemptingPriority` | `false` | Alpha | 1.15 | 1.18 |
-| `NonPreemptingPriority` | `true` | Beta | 1.19 | |
-| `OpenAPIEnums` | `false` | Alpha | 1.23 | |
-| `OpenAPIV3` | `false` | Alpha | 1.23 | |
+| `NodeOutOfServiceVolumeDetach` | `false` | Alpha | 1.24 | |
+| `OpenAPIEnums` | `false` | Alpha | 1.23 | 1.23 |
+| `OpenAPIEnums` | `true` | Beta | 1.24 | |
+| `OpenAPIV3` | `false` | Alpha | 1.23 | 1.23 |
+| `OpenAPIV3` | `true` | Beta | 1.24 | |
 | `PodAndContainerStatsFromCRI` | `false` | Alpha | 1.23 | |
-| `PodAffinityNamespaceSelector` | `false` | Alpha | 1.21 | 1.21 |
-| `PodAffinityNamespaceSelector` | `true` | Beta | 1.22 | |
 | `PodDeletionCost` | `false` | Alpha | 1.21 | 1.21 |
 | `PodDeletionCost` | `true` | Beta | 1.22 | |
-| `PodOverhead` | `false` | Alpha | 1.16 | 1.17 |
-| `PodOverhead` | `true` | Beta | 1.18 | |
 | `PodSecurity` | `false` | Alpha | 1.22 | 1.22 |
 | `PodSecurity` | `true` | Beta | 1.23 | |
-| `PreferNominatedNode` | `false` | Alpha | 1.21 | 1.21 |
-| `PreferNominatedNode` | `true` | Beta | 1.22 | |
 | `ProbeTerminationGracePeriod` | `false` | Alpha | 1.21 | 1.21 |
 | `ProbeTerminationGracePeriod` | `false` | Beta | 1.22 | |
 | `ProcMountType` | `false` | Alpha | 1.12 | |
@@ -239,17 +224,13 @@ different Kubernetes components.
 | `RecoverVolumeExpansionFailure` | `false` | Alpha | 1.23 | |
 | `RemainingItemCount` | `false` | Alpha | 1.15 | 1.15 |
 | `RemainingItemCount` | `true` | Beta | 1.16 | |
-| `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 |
-| `RemoveSelfLink` | `true` | Beta | 1.20 | |
 | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 |
 | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
 | `SeccompDefault` | `false` | Alpha | 1.22 | |
+| `ServerSideFieldValidation` | `false` | Alpha | 1.23 | - |
 | `ServiceInternalTrafficPolicy` | `false` | Alpha | 1.21 | 1.21 |
 | `ServiceInternalTrafficPolicy` | `true` | Beta | 1.22 | |
-| `ServiceLBNodePortControl` | `false` | Alpha | 1.20 | 1.21 |
-| `ServiceLBNodePortControl` | `true` | Beta | 1.22 | |
-| `ServiceLoadBalancerClass` | `false` | Alpha | 1.21 | 1.21 |
-| `ServiceLoadBalancerClass` | `true` | Beta | 1.22 | |
+| `ServiceIPStaticSubrange` | `false` | Alpha | 1.24 | |
 | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 |
 | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | |
 | `StatefulSetAutoDeletePVC` | `false` | Alpha | 1.22 | |
@@ -258,10 +239,9 @@ different Kubernetes components.
 | `StorageVersionAPI` | `false` | Alpha | 1.20 | |
 | `StorageVersionHash` | `false` | Alpha | 1.14 | 1.14 |
 | `StorageVersionHash` | `true` | Beta | 1.15 | |
-| `SuspendJob` | `false` | Alpha | 1.21 | 1.21 |
-| `SuspendJob` | `true` | Beta | 1.22 | |
 | `TopologyAwareHints` | `false` | Alpha | 1.21 | 1.22 |
-| `TopologyAwareHints` | `false` | Beta | 1.23 | |
+| `TopologyAwareHints` | `false` | Beta | 1.23 | 1.23 |
+| `TopologyAwareHints` | `true` | Beta | 1.24 | |
 | `TopologyManager` | `false` | Alpha | 1.16 | 1.17 |
 | `TopologyManager` | `true` | Beta | 1.18 | |
 | `VolumeCapacityPriority` | `false` | Alpha | 1.21 | - |
@@ -269,7 +249,7 @@ different Kubernetes components.
 | `WinOverlay` | `false` | Alpha | 1.14 | 1.19 |
 | `WinOverlay` | `true` | Beta | 1.20 | |
 | `WindowsHostProcessContainers` | `false` | Alpha | 1.22 | 1.22 |
-| `WindowsHostProcessContainers` | `false` | Beta | 1.23 | |
+| `WindowsHostProcessContainers` | `true` | Beta | 1.23 | |
 {{< /table >}}
 
 <!--
@@ -309,7 +289,10 @@ different Kubernetes components.
 | `BoundServiceAccountTokenVolume` | `true` | GA | 1.22 | - |
 | `ConfigurableFSGroupPolicy` | `false` | Alpha | 1.18 | 1.19 |
 | `ConfigurableFSGroupPolicy` | `true` | Beta | 1.20 | 1.22 |
-| `ConfigurableFSGroupPolicy` | `true` | GA | 1.23 | |
+| `ConfigurableFSGroupPolicy` | `true` | GA | 1.23 | - |
+| `ControllerManagerLeaderMigration` | `false` | Alpha | 1.21 | 1.21 |
+| `ControllerManagerLeaderMigration` | `true` | Beta | 1.22 | 1.23 |
+| `ControllerManagerLeaderMigration` | `true` | GA | 1.24 | - |
 | `CRIContainerLogRotation` | `false` | Alpha | 1.10 | 1.10 |
 | `CRIContainerLogRotation` | `true` | Beta | 1.11 | 1.20 |
 | `CRIContainerLogRotation` | `true` | GA | 1.21 | - |
@@ -318,34 +301,47 @@ different Kubernetes components.
 | `CSIBlockVolume` | `true` | GA | 1.18 | - |
 | `CSIDriverRegistry` | `false` | Alpha | 1.12 | 1.13 |
 | `CSIDriverRegistry` | `true` | Beta | 1.14 | 1.17 |
-| `CSIDriverRegistry` | `true` | GA | 1.18 | |
+| `CSIDriverRegistry` | `true` | GA | 1.18 | - |
 | `CSIMigrationAWSComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationAWSComplete` | - | Deprecated | 1.21 | - |
+| `CSIMigrationAzureDisk` | `false` | Alpha | 1.15 | 1.18 |
+| `CSIMigrationAzureDisk` | `false` | Beta | 1.19 | 1.22 |
+| `CSIMigrationAzureDisk` | `true` | Beta | 1.23 | 1.23 |
+| `CSIMigrationAzureDisk` | `true` | GA | 1.24 | |
 | `CSIMigrationAzureDiskComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationAzureDiskComplete` | - | Deprecated | 1.21 | - |
 | `CSIMigrationAzureFileComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationAzureFileComplete` | - | Deprecated |  1.21 | - |
 | `CSIMigrationGCEComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationGCEComplete` | - | Deprecated | 1.21 | - |
+| `CSIMigrationOpenStack` | `false` | Alpha | 1.14 | 1.17 |
+| `CSIMigrationOpenStack` | `true` | Beta | 1.18 | 1.23 |
+| `CSIMigrationOpenStack` | `true` | GA | 1.24 | |
 | `CSIMigrationOpenStackComplete` | `false` | Alpha | 1.17 | 1.20 |
 | `CSIMigrationOpenStackComplete` | - | Deprecated | 1.21 | - |
 | `CSIMigrationvSphereComplete` | `false` | Beta | 1.19 | 1.21 |
 | `CSIMigrationvSphereComplete` | - | Deprecated | 1.22 | - |
 | `CSINodeInfo` | `false` | Alpha | 1.12 | 1.13 |
 | `CSINodeInfo` | `true` | Beta | 1.14 | 1.16 |
-| `CSINodeInfo` | `true` | GA | 1.17 | |
+| `CSINodeInfo` | `true` | GA | 1.17 | - |
 | `CSIPersistentVolume` | `false` | Alpha | 1.9 | 1.9 |
 | `CSIPersistentVolume` | `true` | Beta | 1.10 | 1.12 |
 | `CSIPersistentVolume` | `true` | GA | 1.13 | - |
 | `CSIServiceAccountToken` | `false` | Alpha | 1.20 | 1.20 |
 | `CSIServiceAccountToken` | `true` | Beta | 1.21 | 1.21 |
-| `CSIServiceAccountToken` | `true` | GA | 1.22 | |
+| `CSIServiceAccountToken` | `true` | GA | 1.22 | - |
+| `CSIStorageCapacity` | `false` | Alpha | 1.19 | 1.20 |
+| `CSIStorageCapacity` | `true` | Beta | 1.21 | 1.23 |
+| `CSIStorageCapacity` | `true` | GA | 1.24 | - |
 | `CSIVolumeFSGroupPolicy` | `false` | Alpha | 1.19 | 1.19 |
 | `CSIVolumeFSGroupPolicy` | `true` | Beta | 1.20 | 1.22 |
 | `CSIVolumeFSGroupPolicy` | `true` | GA | 1.23 | |
+| `CSRDuration` | `true` | Beta | 1.22 | 1.23 |
+| `CSRDuration` | `true` | GA | 1.24 | - |
 | `CronJobControllerV2` | `false` | Alpha | 1.20 | 1.20 |
 | `CronJobControllerV2` | `true` | Beta | 1.21 | 1.21 |
 | `CronJobControllerV2` | `true` | GA | 1.22 | - |
+| `CronJobTimeZone` | `false` | Alpha | 1.24 | |
 | `CustomPodDNS` | `false` | Alpha | 1.9 | 1.9 |
 | `CustomPodDNS` | `true` | Beta| 1.10 | 1.13 |
 | `CustomPodDNS` | `true` | GA | 1.14 | - |
@@ -364,6 +360,9 @@ different Kubernetes components.
 | `CustomResourceWebhookConversion` | `false` | Alpha | 1.13 | 1.14 |
 | `CustomResourceWebhookConversion` | `true` | Beta | 1.15 | 1.15 |
 | `CustomResourceWebhookConversion` | `true` | GA | 1.16 | - |
+| `DefaultPodTopologySpread` | `false` | Alpha | 1.19 | 1.19 |
+| `DefaultPodTopologySpread` | `true` | Beta | 1.20 | 1.23 |
+| `DefaultPodTopologySpread` | `true` | GA | 1.24 | - |
 | `DryRun` | `false` | Alpha | 1.12 | 1.12 |
 | `DryRun` | `true` | Beta | 1.13 | 1.18 |
 | `DryRun` | `true` | GA | 1.19 | - |
@@ -376,13 +375,16 @@ different Kubernetes components.
 | `DynamicProvisioningScheduling` | - | Deprecated| 1.12 | - |
 | `DynamicVolumeProvisioning` | `true` | Alpha | 1.3 | 1.7 |
 | `DynamicVolumeProvisioning` | `true` | GA | 1.8 | - |
+| `EfficientWatchResumption` | `false` | Alpha | 1.20 | 1.20 |
+| `EfficientWatchResumption` | `true` | Beta | 1.21 | 1.23 |
+| `EfficientWatchResumption` | `true` | GA | 1.24 | - |
 | `EnableAggregatedDiscoveryTimeout` | `true` | Deprecated | 1.16 | - |
 | `EnableEquivalenceClassCache` | `false` | Alpha | 1.8 | 1.14 |
 | `EnableEquivalenceClassCache` | - | Deprecated | 1.15 | - |
 | `EndpointSlice` | `false` | Alpha | 1.16 | 1.16 |
 | `EndpointSlice` | `false` | Beta | 1.17 | 1.17 |
 | `EndpointSlice` | `true` | Beta | 1.18 | 1.20 |
-| `EndpointSlice` | `true` | GA | 1.21 | -  |
+| `EndpointSlice` | `true` | GA | 1.21 | - |
 | `EndpointSliceNodeName` | `false` | Alpha | 1.20 | 1.20 |
 | `EndpointSliceNodeName` | `true` | GA | 1.21 | - |
 | `EndpointSliceProxying` | `false` | Alpha | 1.18 | 1.18 |
@@ -392,6 +394,15 @@ different Kubernetes components.
 | `EvenPodsSpread` | `true` | Beta | 1.18 | 1.18 |
 | `EvenPodsSpread` | `true` | GA | 1.19 | - |
 | `ExecProbeTimeout` | `true` | GA | 1.20 | - |
+| `ExpandCSIVolumes` | `false` | Alpha | 1.14 | 1.15 |
+| `ExpandCSIVolumes` | `true` | Beta | 1.16 | 1.23 |
+| `ExpandCSIVolumes` | `true` | GA | 1.24 | - |
+| `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.14 |
+| `ExpandInUsePersistentVolumes` | `true` | Beta | 1.15 | 1.23 |
+| `ExpandInUsePersistentVolumes` | `true` | GA | 1.24 | - |
+| `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 |
+| `ExpandPersistentVolumes` | `true` | Beta | 1.11 | 1.23 |
+| `ExpandPersistentVolumes` | `true` | GA | 1.24 |- |
 | `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | 1.12 |
 | `ExperimentalCriticalPodAnnotation` | `false` | Deprecated | 1.13 | - |
 | `ExternalPolicyForExternalIP` | `true` | GA | 1.18 | - |
@@ -408,17 +419,20 @@ different Kubernetes components.
 | `HugePages` | `true` | GA | 1.14 | - |
 | `HyperVContainer` | `false` | Alpha | 1.10 | 1.19 |
 | `HyperVContainer` | `false` | Deprecated | 1.20 | - |
+| `IPv6DualStack` | `false` | Alpha | 1.15 | 1.20 |
+| `IPv6DualStack` | `true` | Beta | 1.21 | 1.22 |
+| `IPv6DualStack` | `true` | GA | 1.23 | - |
 | `ImmutableEphemeralVolumes` | `false` | Alpha | 1.18 | 1.18 |
 | `ImmutableEphemeralVolumes` | `true` | Beta | 1.19 | 1.20 |
 | `ImmutableEphemeralVolumes` | `true` | GA | 1.21 | |
+| `IndexedJob` | `false` | Alpha | 1.21 | 1.21 |
+| `IndexedJob` | `true` | Beta | 1.22 | 1.23 |
+| `IndexedJob` | `true` | GA | 1.24 | - |
 | `IngressClassNamespacedParams` | `false` | Alpha | 1.21 | 1.21 |
 | `IngressClassNamespacedParams` | `true` | Beta | 1.22 | 1.22 |
 | `IngressClassNamespacedParams` | `true` | GA | 1.23 | - |
 | `Initializers` | `false` | Alpha | 1.7 | 1.13 |
 | `Initializers` | - | Deprecated | 1.14 | - |
-| `IPv6DualStack` | `false` | Alpha | 1.15 | 1.20 |
-| `IPv6DualStack` | `true` | Beta | 1.21 | 1.22 |
-| `IPv6DualStack` | `true` | GA | 1.23 | - |
 | `KubeletConfigFile` | `false` | Alpha | 1.8 | 1.9 |
 | `KubeletConfigFile` | - | Deprecated | 1.10 | - |
 | `KubeletPluginsWatcher` | `false` | Alpha | 1.11 | 1.11 |
@@ -427,27 +441,37 @@ different Kubernetes components.
 | `LegacyNodeRoleBehavior` | `false` | Alpha | 1.16 | 1.18 |
 | `LegacyNodeRoleBehavior` | `true` | Beta | 1.19 | 1.20 |
 | `LegacyNodeRoleBehavior` | `false` | GA | 1.21 | - |
+| `LegacyServiceAccountTokenNoAutoGeneration` | `true` | Beta | 1.24 | |
 | `MountContainers` | `false` | Alpha | 1.9 | 1.16 |
 | `MountContainers` | `false` | Deprecated | 1.17 | - |
 | `MountPropagation` | `false` | Alpha | 1.8 | 1.9 |
 | `MountPropagation` | `true` | Beta | 1.10 | 1.11 |
 | `MountPropagation` | `true` | GA | 1.12 | - |
+| `NamespaceDefaultLabelName` | `true` | Beta | 1.21 | 1.21 |
+| `NamespaceDefaultLabelName` | `true` | GA | 1.22 | - |
 | `NodeDisruptionExclusion` | `false` | Alpha | 1.16 | 1.18 |
 | `NodeDisruptionExclusion` | `true` | Beta | 1.19 | 1.20 |
 | `NodeDisruptionExclusion` | `true` | GA | 1.21 | - |
 | `NodeLease` | `false` | Alpha | 1.12 | 1.13 |
 | `NodeLease` | `true` | Beta | 1.14 | 1.16 |
 | `NodeLease` | `true` | GA | 1.17 | - |
-| `NamespaceDefaultLabelName` | `true` | Beta | 1.21 | 1.21 |
-| `NamespaceDefaultLabelName` | `true` | GA | 1.22 | - |
+| `NonPreemptingPriority` | `false` | Alpha | 1.15 | 1.18 |
+| `NonPreemptingPriority` | `true` | Beta | 1.19 | 1.23 |
+| `NonPreemptingPriority` | `true` | GA | 1.24 | - |
 | `PVCProtection` | `false` | Alpha | 1.9 | 1.9 |
 | `PVCProtection` | - | Deprecated | 1.10 | - |
 | `PersistentLocalVolumes` | `false` | Alpha | 1.7 | 1.9 |
 | `PersistentLocalVolumes` | `true` | Beta | 1.10 | 1.13 |
 | `PersistentLocalVolumes` | `true` | GA | 1.14 | - |
+| `PodAffinityNamespaceSelector` | `false` | Alpha | 1.21 | 1.21 |
+| `PodAffinityNamespaceSelector` | `true` | Beta | 1.22 | 1.23 |
+| `PodAffinityNamespaceSelector` | `true` | GA | 1.24 | - |
 | `PodDisruptionBudget` | `false` | Alpha | 1.3 | 1.4 |
 | `PodDisruptionBudget` | `true` | Beta | 1.5 | 1.20 |
 | `PodDisruptionBudget` | `true` | GA | 1.21 | - |
+| `PodOverhead` | `false` | Alpha | 1.16 | 1.17 |
+| `PodOverhead` | `true` | Beta | 1.18 | 1.23 |
+| `PodOverhead` | `true` | GA | 1.24 | - |
 | `PodPriority` | `false` | Alpha | 1.8 | 1.10 |
 | `PodPriority` | `true` | Beta | 1.11 | 1.13 |
 | `PodPriority` | `true` | GA | 1.14 | - |
@@ -457,6 +481,12 @@ different Kubernetes components.
 | `PodShareProcessNamespace` | `false` | Alpha | 1.10 | 1.11 |
 | `PodShareProcessNamespace` | `true` | Beta | 1.12 | 1.16 |
 | `PodShareProcessNamespace` | `true` | GA | 1.17 | - |
+| `PreferNominatedNode` | `false` | Alpha | 1.21 | 1.21 |
+| `PreferNominatedNode` | `true` | Beta | 1.22 | 1.23 |
+| `PreferNominatedNode` | `true` | GA | 1.24 | - |
+| `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 |
+| `RemoveSelfLink` | `true` | Beta | 1.20 | 1.23 |
+| `RemoveSelfLink` | `true` | GA | 1.24 | - |
 | `RequestManagement` | `false` | Alpha | 1.15 | 1.16 |
 | `RequestManagement` | - | Deprecated | 1.17 | - |
 | `ResourceLimitsPriorityFunction` | `false` | Alpha | 1.9 | 1.18 |
@@ -486,13 +516,18 @@ different Kubernetes components.
 | `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 |
 | `ServerSideApply` | `true` | Beta | 1.16 | 1.21 |
 | `ServerSideApply` | `true` | GA | 1.22 | - |
-| `ServerSideFieldValidation` | `false` | Alpha | 1.23 | - |
 | `ServiceAccountIssuerDiscovery` | `false` | Alpha | 1.18 | 1.19 |
 | `ServiceAccountIssuerDiscovery` | `true` | Beta | 1.20 | 1.20 |
 | `ServiceAccountIssuerDiscovery` | `true` | GA | 1.21 | - |
 | `ServiceAppProtocol` | `false` | Alpha | 1.18 | 1.18 |
 | `ServiceAppProtocol` | `true` | Beta | 1.19 | 1.19 |
 | `ServiceAppProtocol` | `true` | GA | 1.20 | - |
+| `ServiceLBNodePortControl` | `false` | Alpha | 1.20 | 1.21 |
+| `ServiceLBNodePortControl` | `true` | Beta | 1.22 | 1.23 |
+| `ServiceLBNodePortControl` | `true` | GA | 1.24 | - |
+| `ServiceLoadBalancerClass` | `false` | Alpha | 1.21 | 1.21 |
+| `ServiceLoadBalancerClass` | `true` | Beta | 1.22 | 1.23 |
+| `ServiceLoadBalancerClass` | `true` | GA | 1.24 | - |
 | `ServiceLoadBalancerFinalizer` | `false` | Alpha | 1.15 | 1.15 |
 | `ServiceLoadBalancerFinalizer` | `true` | Beta | 1.16 | 1.16 |
 | `ServiceLoadBalancerFinalizer` | `true` | GA | 1.17 | - |
@@ -523,8 +558,11 @@ different Kubernetes components.
 | `SupportPodPidsLimit` | `false` | Alpha | 1.10 | 1.13 |
 | `SupportPodPidsLimit` | `true` | Beta | 1.14 | 1.19 |
 | `SupportPodPidsLimit` | `true` | GA | 1.20 | - |
+| `SuspendJob` | `false` | Alpha | 1.21 | 1.21 |
+| `SuspendJob` | `true` | Beta | 1.22 | 1.23 |
+| `SuspendJob` | `true` | GA | 1.24 | - |
 | `Sysctls` | `true` | Beta | 1.11 | 1.20 |
-| `Sysctls` | `true` | GA | 1.21 | |
+| `Sysctls` | `true` | GA | 1.21 | - |
 | `TTLAfterFinished` | `false` | Alpha | 1.12 | 1.20 |
 | `TTLAfterFinished` | `true` | Beta | 1.21 | 1.22 |
 | `TTLAfterFinished` | `true` | GA | 1.23 | - |
@@ -990,11 +1028,14 @@ Each feature gate is designed for enabling/disabling a specific feature:
   for fsGroups when mounting a volume in a Pod. See
   [Configure volume permission and ownership change policy for Pods](/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods)
   for more details.
+- `ContextualLogging`: When you enable this feature gate, Kubernetes components that support
+  contextual logging add extra detail to log output.
 - `ControllerManagerLeaderMigration`: Enables leader migration for
   `kube-controller-manager` and `cloud-controller-manager`.
 - `CronJobControllerV2`: Use an alternative implementation of the
   {{< glossary_tooltip text="CronJob" term_id="cronjob" >}} controller. Otherwise,
   version 1 of the same controller is selected.
+- `CronJobTimeZone`: Allow the use of the `timeZone` optional field in [CronJobs](/docs/concepts/workloads/controllers/cron-jobs/)
 -->
 - `CSIVolumeFSGroupPolicy`：允许 CSIDrivers 使用 `fsGroupPolicy` 字段. 
   该字段能控制由 CSIDriver 创建的卷在挂载这些卷时是否支持卷所有权和权限修改。
@@ -1003,10 +1044,13 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `ConfigurableFSGroupPolicy`：在 Pod 中挂载卷时，允许用户为 fsGroup
   配置卷访问权限和属主变更策略。请参见
   [为 Pod 配置卷访问权限和属主变更策略](/zh/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods)。
+- `ContextualLogging`：当你启用这个特性门控，支持日志上下文记录的 Kubernetes
+  组件会为日志输出添加额外的详细内容。
 - `ControllerManagerLeaderMigration`：为 `kube-controller-manager` 和 `cloud-controller-manager`
   开启领导者迁移功能。
 - `CronJobControllerV2`：使用 {{< glossary_tooltip text="CronJob" term_id="cronjob" >}}
   控制器的一种替代实现。否则，系统会选择同一控制器的 v1 版本。
+- `CronJobTimeZone`：允许在 [CronJobs](/zh/docs/concepts/workloads/controllers/cron-jobs/) 中使用 `timeZone` 可选字段。
 <!--
 - `CustomCPUCFSQuotaPeriod`: Enable nodes to change `cpuCFSQuotaPeriod` in
   [kubelet config](/docs/tasks/administer-cluster/kubelet-config-file/).
@@ -1094,8 +1138,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
   以便测试验证、合并和修改，同时避免提交更改。
 - `DynamicAuditing`：在 v1.19 版本前用于启用动态审计。
 <!--
-- `DynamicKubeletConfig`: Enable the dynamic configuration of kubelet. See
-  [Reconfigure kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/).
+- `DynamicKubeletConfig`: Enable the dynamic configuration of kubelet. The
+  feature is no longer supported outside of supported skew policy. The feature
+  gate was removed from kubelet in 1.24. See [Reconfigure kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/).
 - `DynamicProvisioningScheduling`: Extend the default scheduler to be aware of
   volume topology and handle PV provisioning.
   This feature is superseded by the `VolumeScheduling` feature completely in v1.12.
@@ -1107,8 +1152,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `EnableAggregatedDiscoveryTimeout`: Enable the five second
   timeout on aggregated discovery calls.
 -->
-- `DynamicKubeletConfig`：启用 kubelet 的动态配置。请参阅
-  [重新配置 kubelet](/zh/docs/tasks/administer-cluster/reconfigure-kubelet/)。
+- `DynamicKubeletConfig`：启用 kubelet 的动态配置。
+  除偏差策略场景外，不再支持该功能。该特性门控在 kubelet 1.24 版本中已被移除。
+  请参阅[重新配置 kubelet](/zh/docs/tasks/administer-cluster/reconfigure-kubelet/)。
 - `DynamicProvisioningScheduling`：扩展默认调度器以了解卷拓扑并处理 PV 配置。
   此特性已在 v1.12 中完全被 `VolumeScheduling` 特性取代。
 - `DynamicVolumeProvisioning`：启用持久化卷到 Pod
@@ -1221,6 +1267,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
   when shutting down a node gracefully.
 - `GRPCContainerProbe`: Enables the gRPC probe method for {Liveness,Readiness,Startup}Probe. See [Configure Liveness, Readiness and Startup Probes](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe).
 - `HonorPVReclaimPolicy`: Honor persistent volume reclaim policy when it is `Delete` irrespective of PV-PVC deletion ordering.
+For more details, check the
+  [PersistentVolume deletion protection finalizer](/docs/concepts/storage/persistent-volumes/#persistentvolume-deletion-protection-finalizer)
+  documentation.
 -->
 - `GracefulNodeShutdownBasedOnPodPriority`：允许 kubelet 在体面终止节点时检查
   Pod 的优先级。
@@ -1228,6 +1277,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
   参阅[配置活跃态、就绪态和启动探针](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)。
 - `HonorPVReclaimPolicy`：无论 PV 和 PVC 的删除顺序如何，当持久卷申领的策略为 `Delete`
   时，确保这种策略得到处理。
+  更多详细信息，请参阅 [PersistentVolume 删除保护 finalizer](/zh/docs/concepts/storage/persistent-volumes/#persistentvolume-deletion-protection-finalizer)文档。
 <!--
 - `HPAContainerMetrics`: Enable the `HorizontalPodAutoscaler` to scale based on
   metrics from individual containers in target pods.
@@ -1360,6 +1410,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `LegacyNodeRoleBehavior`: When disabled, legacy behavior in service load balancers and
   node disruption will ignore the `node-role.kubernetes.io/master` label in favor of the
   feature-specific labels provided by `NodeDisruptionExclusion` and `ServiceNodeExclusion`.
+- `LegacyServiceAccountTokenNoAutoGeneration`: Stop auto-generation of Secret-based
+  [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens).
 -->
 - `KubeletPodResources`：启用 kubelet 上 Pod 资源 GRPC 端点。更多详细信息，
   请参见[支持设备监控](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/compute-device-assignment.md)。
@@ -1370,6 +1422,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `LegacyNodeRoleBehavior`：禁用此门控时，服务负载均衡器中和节点干扰中的原先行为会忽略
   `node-role.kubernetes.io/master` 标签，使用 `NodeDisruptionExclusion` 和
   `ServiceNodeExclusion` 对应特性所提供的标签。
+- `LegacyServiceAccountTokenNoAutoGeneration`：停止基于 Secret 的自动生成
+  [服务账号令牌](/zh/docs/reference/access-authn-authz/authentication/#service-account-tokens).
 <!--
 - `LocalStorageCapacityIsolation`: Enable the consumption of
   [local ephemeral storage](/docs/concepts/configuration/manage-resources-containers/)
@@ -1396,9 +1450,15 @@ Each feature gate is designed for enabling/disabling a specific feature:
 <!--
 - `LogarithmicScaleDown`: Enable semi-random selection of pods to evict on controller scaledown
   based on logarithmic bucketing of pod timestamps.
+- `MaxUnavailableStatefulSet`: Enables setting the `maxUnavailable` field for the
+  [rolling update strategy](/docs/concepts/workloads/controllers/statefulset/#rolling-updates)
+  of a StatefulSet. The field specifies the maximum number of Pods
+  that can be unavailable during the update.
 - `MemoryManager`: Allows setting memory affinity for a container based on
   NUMA topology.
 - `MemoryQoS`: Enable memory protection and usage throttle on pod / container using cgroup v2 memory controller.
+- `MinDomainsInPodTopologySpread`: Enable `minDomains` in Pod
+  [topology spread constraints](/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
 - `MixedProtocolLBService`: Enable using different protocols in the same `LoadBalancer` type
   Service instance.
 - `MountContainers`: Enable using utility containers on host as
@@ -1406,8 +1466,13 @@ Each feature gate is designed for enabling/disabling a specific feature:
 -->
 - `LogarithmicScaleDown`：启用 Pod 的半随机（semi-random）选择，控制器将根据 Pod
   时间戳的对数桶按比例缩小去驱逐 Pod。
-- `MemoryManager`: 允许基于 NUMA 拓扑为容器设置内存亲和性。
-- `MemoryQoS`: 使用 cgroup v2 内存控制器在 pod / 容器上启用内存保护和使用限制。
+- `MaxUnavailableStatefulSet`：启用为 StatefulSet
+  的[滚动更新策略](/zh/docs/concepts/workloads/controllers/statefulset/#rolling-updates)设置
+  `maxUnavailable` 字段。该字段指定更新过程中不可用 Pod 个数的上限。
+- `MemoryManager`：允许基于 NUMA 拓扑为容器设置内存亲和性。
+- `MemoryQoS`：使用 cgroup v2 内存控制器在 pod / 容器上启用内存保护和使用限制。
+- `MinDomainsInPodTopologySpread`：启用 Pod 的 `minDomains`
+  [拓扑分布约束](/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
 - `MixedProtocolLBService`：允许在同一 `LoadBalancer` 类型的 Service 实例中使用不同的协议。
 - `MountContainers`：允许使用主机上的工具容器作为卷挂载程序。
 <!--
@@ -1415,7 +1480,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
   For more details, please see [mount propagation](/docs/concepts/storage/volumes/#mount-propagation).
 - `NamespaceDefaultLabelName`: Configure the API Server to set an immutable {{< glossary_tooltip text="label" term_id="label" >}}
   `kubernetes.io/metadata.name` on all namespaces, containing the namespace name.
-- `NetworkPolicyEndPort`: Enable use of the field `endPort` in NetworkPolicy objects, allowing the selection of a port range instead of a single port.
+- `NetworkPolicyEndPort`: Enable use of the field `endPort` in NetworkPolicy objects,
+  allowing the selection of a port range instead of a single port.
+- `NetworkPolicyStatus`: Enable the `status` subresource for NetworkPolicy objects.
 - `NodeDisruptionExclusion`: Enable use of the node label `node.kubernetes.io/exclude-disruption`
   which prevents nodes from being evacuated during zone failures.
 - `NodeLease`: Enable the new Lease API to report node heartbeats, which could be used as a node health signal.
@@ -1425,10 +1492,16 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `NamespaceDefaultLabelName`：配置 API 服务器以在所有名字空间上设置一个不可变的
   {{< glossary_tooltip text="标签" term_id="label" >}} `kubernetes.io/metadata.name`，
   也包括名字空间。
+- `NetworkPolicyEndPort`：在 NetworkPolicy 对象中启用 `endPort` 以允许选择端口范围而不是单个端口。
+- `NetworkPolicyStatus`：为 NetworkPolicy 对象启用 `status` 子资源。
 - `NodeDisruptionExclusion`：启用节点标签 `node.kubernetes.io/exclude-disruption`，
   以防止在可用区发生故障期间驱逐节点。
 - `NodeLease`：启用新的 Lease（租期）API 以报告节点心跳，可用作节点运行状况信号。
 <!--
+- `NodeOutOfServiceVolumeDetach`: When a Node is marked out-of-service using the
+  `node.kubernetes.io/out-of-service` taint, Pods on the node will be forcefully deleted
+   if they can not tolerate this taint, and the volume detach operations for Pods terminating
+   on the node will happen immediately. The deleted Pods can recover quickly on different nodes.
 - `NodeSwap`: Enable the kubelet to allocate swap memory for Kubernetes workloads on a node.
   Must be used with `KubeletConfiguration.failSwapOn` set to false.
   For more details, please see [swap memory](/docs/concepts/architecture/nodes/#swap-memory)
@@ -1439,6 +1512,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `PVCProtection`: Enable the prevention of a PersistentVolumeClaim (PVC) from
   being deleted when it is still used by any Pod.
 -->
+- `NodeOutOfServiceVolumeDetach`：当使用 `node.kubernetes.io/out-of-service`
+  污点将节点标记为停止服务时，节点上不能容忍这个污点的 Pod 将被强制删除，
+  并且该在节点上被终止的 Pod 将立即进行卷分离操作。
 - `NodeSwap`: 启用 kubelet 为节点上的 Kubernetes 工作负载分配交换内存的能力。
   必须将 `KubeletConfiguration.failSwapOn` 设置为 false 的情况下才能使用。
   更多详细信息，请参见[交换内存](/zh/docs/concepts/architecture/nodes/#swap-memory)。
@@ -1524,8 +1600,10 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `RemainingItemCount`: Allow the API servers to show a count of remaining
   items in the response to a
   [chunking list request](/docs/reference/using-api/api-concepts/#retrieving-large-results-sets-in-chunks).
-- `RemoveSelfLink`: Deprecates and removes `selfLink` from ObjectMeta and
-  ListMeta.
+- `RemoveSelfLink`: Sets the `.metadata.selfLink` field to blank (empty string) for all
+  objects and collections. This field has been deprecated since the Kubernetes v1.16
+  release. When this feature is enabled, the `.metadata.selfLink` field remains part of
+  the Kubernetes API, but is always unset.
 - `RequestManagement`: Enables managing request concurrency with prioritization and fairness
   at each API server. Deprecated by `APIPriorityAndFairness` since 1.17.
 -->
@@ -1535,7 +1613,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `RemainingItemCount`：允许 API 服务器在
   [分块列表请求](/zh/docs/reference/using-api/api-concepts/#retrieving-large-results-sets-in-chunks)
   的响应中显示剩余条目的个数。
-- `RemoveSelfLink`：将 ObjectMeta 和 ListMeta 中的 `selfLink` 字段废弃并删除。
+- `RemoveSelfLink`：将所有对象和集合的 `.metadata.selfLink` 字段设置为空（空字符串）。
+  该字段自 Kubernetes v1.16 版本以来已被弃用。
+  启用此功能后，`.metadata.selfLink` 字段仍然是 Kubernetes API 的一部分，但始终未设置。
 - `RequestManagement`：允许在每个 API 服务器上通过优先级和公平性管理请求并发性。
   自 1.17 以来已被 `APIPriorityAndFairness` 替代。
 <!--
@@ -1562,19 +1642,19 @@ Each feature gate is designed for enabling/disabling a specific feature:
   以了解更多细节。
 <!--
 - `RotateKubeletClientCertificate`: Enable the rotation of the client TLS certificate on the kubelet.
-  See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration) for more details.
+  See [kubelet configuration](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration) for more details.
 - `RotateKubeletServerCertificate`: Enable the rotation of the server TLS certificate on the kubelet.
-  See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)
+  See [kubelet configuration](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)
   for more details.
 - `RunAsGroup`: Enable control over the primary group ID set on the init
   processes of containers.
 -->
 - `RotateKubeletClientCertificate`：在 kubelet 上启用客户端 TLS 证书的轮换。
   更多详细信息，请参见
-  [kubelet 配置](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)。
+  [kubelet 配置](/zh/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)。
 - `RotateKubeletServerCertificate`：在 kubelet 上启用服务器 TLS 证书的轮换。
   更多详细信息，请参见
-  [kubelet 配置](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)。
+  [kubelet 配置](/zh/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)。
 - `RunAsGroup`：启用对容器初始化过程中设置的主要组 ID 的控制。
 <!--
 - `RuntimeClass`: Enable the [RuntimeClass](/docs/concepts/containers/runtime-class/) feature
@@ -1627,6 +1707,12 @@ Each feature gate is designed for enabling/disabling a specific feature:
   topology of the cluster. See
   [ServiceTopology](/docs/concepts/services-networking/service-topology/)
   for more details.
+- `ServiceIPStaticSubrange`: Enables a strategy for Services ClusterIP allocations, whereby the
+  ClusterIP range is subdivided. Dynamic allocated ClusterIP addresses will be allocated preferently
+  from the upper range allowing users to assign static ClusterIPs from the lower range with a low
+  risk of collision. See
+  [Avoiding collisions](/docs/concepts/services-networking/service/#avoiding-collisions)
+  for more details.
 -->
 - `ServiceLoadBalancerClass`: 为服务启用 `loadBalancerClass` 字段。 
   有关更多信息，请参见[指定负载均衡器实现类](/zh/docs/concepts/services-networking/service/#load-balancer-class)。
@@ -1636,6 +1722,9 @@ Each feature gate is designed for enabling/disabling a specific feature:
   标签，则可以排除该节点。
 - `ServiceTopology`：启用服务拓扑可以让一个服务基于集群的节点拓扑进行流量路由。
   有关更多详细信息，请参见[服务拓扑](/zh/docs/concepts/services-networking/service-topology/)。
+- `ServiceIPStaticSubrange`：启用服务 ClusterIP 分配策略，从而细分 ClusterIP 范围。
+  动态分配的 ClusterIP 地址将优先从较高范围分配，以低冲突风险允许用户从较低范围分配静态 ClusterIP。
+  更多详细信息请参阅[避免冲突](/zh/docs/concepts/services-networking/service/#avoiding-collisions)
 <!--
 - `SetHostnameAsFQDN`: Enable the ability of setting Fully Qualified Domain
   Name(FQDN) as the hostname of a pod. See
@@ -1801,7 +1890,16 @@ Each feature gate is designed for enabling/disabling a specific feature:
 <!--
 * The [deprecation policy](/docs/reference/using-api/deprecation-policy/) for Kubernetes explains
   the project's approach to removing features and components.
+* Since Kubernetes 1.24, new beta APIs are not enabled by default.  When enabling a beta
+  feature, you will also need to enable any associated API resources.
+  For example, to enable a particular resource like
+  `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`.
+  See [API Versioning](/docs/reference/using-api/#api-versioning) for more details on the command line flags.
 -->
 * Kubernetes 的[弃用策略](/zh/docs/reference/using-api/deprecation-policy/)
   介绍了项目针对已移除特性和组件的处理方法。
-
+* 从 Kubernetes 1.24 开始，默认不启用新的 beta API。
+  启用 beta 功能时，还需要启用所有关联的 API 资源。
+  例如：要启用一个特定资源，如 `storage.k8s.io/v1beta1/csistoragecapacities`，
+  请设置 `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`。
+  有关命令行标志的更多详细信息，请参阅 [API 版本控制](/zh/docs/reference/using-api/#api-versioning)。
diff --git a/content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
similarity index 86%
rename from content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
index 74e3868e4b3e6..26bef87ba7cd3 100644
--- a/content/zh/docs/reference/command-line-tools-reference/kube-apiserver.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
@@ -10,7 +10,7 @@ The file is auto-generated from the Go source code of the component using a gene
 [generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
 to generate the reference documentation, please read
 [Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
-To update the reference conent, please follow the 
+To update the reference conent, please follow the
 [Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
 guide. You can file document formatting bugs against the
 [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
@@ -18,15 +18,15 @@ guide. You can file document formatting bugs against the
 
 ## {{% heading "synopsis" %}}
 
-
-<!-- 
+<!--
 The Kubernetes API server validates and configures data
 for the api objects which include pods, services, replicationcontrollers, and
 others. The API Server services REST operations and provides the frontend to the
 cluster's shared state through which all other components interact.
 -->
+
 Kubernetes API 服务器验证并配置 API 对象的数据，
-这些对象包括 pods、services、replicationcontrollers 等。 
+这些对象包括 pods、services、replicationcontrollers 等。
 API 服务器为 REST 操作提供服务，并为集群的共享状态提供前端，
 所有其他组件都通过该前端进行交互。
 
@@ -43,18 +43,6 @@ kube-apiserver [flags]
 </colgroup>
 <tbody>
 
-<tr>
-<td colspan="2">--add-dir-header</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, adds the file directory to the header of the log messages
--->
-<p>如果为 true，则将文件目录添加到日志消息的标题中</p>
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--admission-control-config-file string</td>
 </tr>
@@ -96,12 +84,11 @@ the host's default interface will be used.
 The map from metric-label to value allow-list of this label. The key's format is &lt;MetricName&gt;,&lt;LabelName&gt;. The value's format is &lt;allowed_value&gt;,&lt;allowed_value&gt;...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'.
 -->
 允许使用的指标标签到指标值的映射列表。键的格式为 &lt;MetricName&gt;,&lt;LabelName&gt;.
-值的格式为 &lt;allowed_value&gt;,&lt;allowed_value&gt;...。 
+值的格式为 &lt;allowed_value&gt;,&lt;allowed_value&gt;...。
 例如：<code>metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'</code>。
 </p></td>
 </tr>
 
-
 <tr>
 <td colspan="2">--allow-privileged</td>
 </tr>
@@ -110,19 +97,7 @@ The map from metric-label to value allow-list of this label. The key's format is
 <!--
 If true, allow privileged containers. [default=false]
 -->
-如果为 true, 将允许特权容器。[默认值=false]
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--alsologtostderr</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-log to standard error as well as files
--->
-在向文件输出日志的同时，也将日志写到标准输出。
+如果为 true，将允许特权容器。[默认值=false]
 </td>
 </tr>
 
@@ -156,27 +131,13 @@ of these audiences. If the --service-account-issuer flag is configured
 and this flag is not, this field defaults to a single element list 
 containing the issuer URL.
 -->
-API 的标识符。 
-服务帐户令牌验证者将验证针对 API 使用的令牌是否已绑定到这些受众中的至少一个。 
+API 的标识符。
+服务帐户令牌验证者将验证针对 API 使用的令牌是否已绑定到这些受众中的至少一个。
 如果配置了 <code>--service-account-issuer</code> 标志，但未配置此标志，
 则此字段默认为包含发布者 URL 的单个元素列表。
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--apiserver-count int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The number of apiservers running in the cluster, must be a positive number. 
-(In use when --endpoint-reconciler-type=master-count is enabled.)
--->
-集群中运行的 API 服务器数量，必须为正数。
-（在启用 --endpoint-reconciler-type=master-count 时使用。）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--audit-log-batch-buffer-size int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：10000</td>
 </tr>
@@ -299,9 +260,10 @@ The maximum number of days to retain old audit log files based on the timestamp
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The maximum number of old audit log files to retain.
+The maximum number of old audit log files to retain. Setting a value of 0 will mean there's no restriction on the number of files.
 -->
 要保留的旧的审计日志文件个数上限。
+将值设置为 0 表示对文件个数没有限制。
 </td>
 </tr>
 
@@ -630,7 +592,7 @@ The API version of the authentication.k8s.io TokenReview to send to and expect f
 </tr>
 
 <tr>
-<td colspan="2">--authorization-mode stringSlice&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："AlwaysAllow"</td>
+<td colspan="2">--authorization-mode strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："AlwaysAllow"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -837,7 +799,7 @@ CORS 允许的来源清单，以逗号分隔。
 <!--
 Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.
 -->
-对污点 NotReady:NoExecute 的容忍时长（以秒计）。 
+对污点 NotReady:NoExecute 的容忍时长（以秒计）。
 默认情况下这一容忍度会被添加到尚未具有此容忍度的每个 pod 中。
 </td>
 </tr>
@@ -871,7 +833,7 @@ that do not have a default watch size set.
 </tr>
 
 <tr>
-<td colspan="2">--delete-collection-workers int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值： 1</td>
+<td colspan="2">--delete-collection-workers int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -912,7 +874,6 @@ This flag provides an escape hatch for misbehaving metrics. You must provide the
 </td>
 </tr>
 
-
 <tr>
 <td colspan="2">--egress-selector-config-file string</td>
 </tr>
@@ -926,7 +887,7 @@ File with apiserver egress selector configuration.
 </tr>
 
 <tr>
-<td colspan="2">--enable-admission-plugins stringSlice</td>
+<td colspan="2">--enable-admission-plugins strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -1015,9 +976,10 @@ The file containing configuration for encryption providers to be used for storin
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use an endpoint reconciler (master-count, lease, none)
+Use an endpoint reconciler (master-count, lease, none) master-count is deprecated, and will be removed in a future version.
 -->
 使用端点协调器（<code>master-count</code>、<code>lease</code> 或 <code>none</code>）。
+<code>master-count</code> 已弃用，并将在未来版本中删除。
 </td>
 </tr>
 
@@ -1159,18 +1121,6 @@ Amount of time to retain events.
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--experimental-logging-sanitization</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).<br/>Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.
--->
-[试验性功能] 启用此标志时，被标记为敏感的字段（密码、密钥、令牌）都不会被日志输出。<br/>
-运行时的日志清理可能会引入相当程度的计算开销，因此不应该在产品环境中启用。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--external-hostname string</td>
 </tr>
@@ -1198,96 +1148,99 @@ APIServerIdentity=true|false (ALPHA - default=false)<br/>
 APIServerTracing=true|false (ALPHA - default=false)<br/>
 AllAlpha=true|false (ALPHA - default=false)<br/>
 AllBeta=true|false (BETA - default=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - default=false)<br/>
+AnyVolumeDataSource=true|false (BETA - default=true)<br/>
 AppArmor=true|false (BETA - default=true)<br/>
 CPUManager=true|false (BETA - default=true)<br/>
-CPUManagerPolicyOptions=true|false (ALPHA - default=false)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br>
+CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>
 CSIInlineVolume=true|false (BETA - default=true)<br/>
 CSIMigration=true|false (BETA - default=true)<br/>
-CSIMigrationAWS=true|false (BETA - default=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - default=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - default=false)<br/>
-CSIMigrationGCE=true|false (BETA - default=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - default=true)<br/>
+CSIMigrationAWS=true|false (BETA - default=true)<br/>
+CSIMigrationAzureFile=true|false (BETA - default=true)<br/>
+CSIMigrationGCE=true|false (BETA - default=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - default=false)<br/>
 CSIMigrationvSphere=true|false (BETA - default=false)<br/>
-CSIStorageCapacity=true|false (BETA - default=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - default=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - default=false)<br/>
-CSRDuration=true|false (BETA - default=true)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - default=true)<br/>
-ControllerManagerLeaderMigration=true|false (BETA - default=true)<br/>
+ContextualLogging=true|false (ALPHA - default=false)<br/>
+CronJobTimeZone=true|false (ALPHA - default=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>
 DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>
-DefaultPodTopologySpread=true|false (BETA - default=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (ALPHA - default=false)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>
 DevicePlugins=true|false (BETA - default=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>
 DisableCloudProviders=true|false (ALPHA - default=false)<br/>
-DownwardAPIHugePages=true|false (BETA - default=false)<br/>
-EfficientWatchResumption=true|false (BETA - default=true)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>
+DownwardAPIHugePages=true|false (BETA - default=true)<br/>
 EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>
-EphemeralContainers=true|false (ALPHA - default=false)<br/>
-ExpandCSIVolumes=true|false (BETA - default=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - default=true)<br/>
+EphemeralContainers=true|false (BETA - default=true)<br/>
 ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>
-GenericEphemeralVolume=true|false (BETA - default=true)<br/>
+GRPCContainerProbe=true|false (BETA - default=true)<br/>
 GracefulNodeShutdown=true|false (BETA - default=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - default=false)<br/>
 HPAScaleToZero=true|false (ALPHA - default=false)<br/>
-IPv6DualStack=true|false (BETA - default=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>
+IdentifyPodOS=true|false (BETA - default=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>
-InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>
-InTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>I
+nTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>
-IndexedJob=true|false (BETA - default=true)<br/>
-IngressClassNamespacedParams=true|false (BETA - default=true)<br/>
-JobTrackingWithFinalizers=true|false (ALPHA - default=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - default=false)<br/>
+JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>
+JobReadyPods=true|false (BETA - default=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>
+KubeletCredentialProviders=true|false (BETA - default=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>
 KubeletPodResources=true|false (BETA - default=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>
 LogarithmicScaleDown=true|false (BETA - default=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>
 MemoryManager=true|false (BETA - default=true)<br/>
 MemoryQoS=true|false (ALPHA - default=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - default=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>
+MixedProtocolLBService=true|false (BETA - default=true)<br/>
 NetworkPolicyEndPort=true|false (BETA - default=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>
 NodeSwap=true|false (ALPHA - default=false)<br/>
-NonPreemptingPriority=true|false (BETA - default=true)<br/>
-PodAffinityNamespaceSelector=true|false (BETA - default=true)<br/>
+OpenAPIEnums=true|false (BETA - default=true)<br/>
+OpenAPIV3=true|false (BETA - default=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>
 PodDeletionCost=true|false (BETA - default=true)<br/>
-PodOverhead=true|false (BETA - default=true)<br/>
-PodSecurity=true|false (ALPHA - default=false)<br/>
-PreferNominatedNode=true|false (BETA - default=true)<br/>
+PodSecurity=true|false (BETA - default=true)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>
 ProcMountType=true|false (ALPHA - default=false)<br/>
 ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>
 QOSReserved=true|false (ALPHA - default=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - default=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>
 RemainingItemCount=true|false (BETA - default=true)<br/>
-RemoveSelfLink=true|false (BETA - default=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>
 SeccompDefault=true|false (ALPHA - default=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>
 ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>
-ServiceLBNodePortControl=true|false (BETA - default=true)<br/>
-ServiceLoadBalancerClass=true|false (BETA - default=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>
-StatefulSetMinReadySeconds=true|false (ALPHA - default=false)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>
 StorageVersionAPI=true|false (ALPHA - default=false)<br/>
 StorageVersionHash=true|false (BETA - default=true)<br/>
-SuspendJob=true|false (BETA - default=true)<br/>
-TTLAfterFinished=true|false (BETA - default=true)<br/>
-TopologyAwareHints=true|false (ALPHA - default=false)<br/>
+TopologyAwareHints=true|false (BETA - default=true)<br/>
 TopologyManager=true|false (BETA - default=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>
 WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
-WindowsHostProcessContainers=true|false (ALPHA - default=false)
+WindowsHostProcessContainers=true|false (BETA - default=true)
 -->
 <p>一组 key=value 对，用来描述测试性/试验性功能的特性门控。可选项有：
 APIListChunking=true|false (BETA - 默认值=true)<br/>
@@ -1297,96 +1250,99 @@ APIServerIdentity=true|false (ALPHA - 默认值=false)<br/>
 APIServerTracing=true|false (ALPHA - 默认值=false)<br/>
 AllAlpha=true|false (ALPHA - 默认值=false)<br/>
 AllBeta=true|false (BETA - 默认值=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - 默认值=false)<br/>
+AnyVolumeDataSource=true|false (BETA - 默认值=true)<br/>
 AppArmor=true|false (BETA - 默认值=true)<br/>
 CPUManager=true|false (BETA - 默认值=true)<br/>
-CPUManagerPolicyOptions=true|false (ALPHA - 默认值=false)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - 默认值=false)<br>
+CPUManagerPolicyBetaOptions=true|false (BETA - 默认值=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - 默认值=true)<br/>
 CSIInlineVolume=true|false (BETA - 默认值=true)<br/>
 CSIMigration=true|false (BETA - 默认值=true)<br/>
-CSIMigrationAWS=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - 默认值=false)<br/>
-CSIMigrationGCE=true|false (BETA - 默认值=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - 默认值=true)<br/>
+CSIMigrationAWS=true|false (BETA - 默认值=true)<br/>
+CSIMigrationAzureFile=true|false (BETA - 默认值=true)<br/>
+CSIMigrationGCE=true|false (BETA - 默认值=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - 默认值=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - 默认值=false)<br/>
 CSIMigrationvSphere=true|false (BETA - 默认值=false)<br/>
-CSIStorageCapacity=true|false (BETA - 默认值=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - 默认值=false)<br/>
-CSRDuration=true|false (BETA - 默认值=true)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
-ControllerManagerLeaderMigration=true|false (BETA - 默认值=true)<br/>
+ContextualLogging=true|false (ALPHA - 默认值=false)<br/>
+CronJobTimeZone=true|false (ALPHA - 默认值=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - 默认值=false)<br/>
 DaemonSetUpdateSurge=true|false (BETA - 默认值=true)<br/>
-默认值PodTopologySpread=true|false (BETA - 默认值=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (ALPHA - 默认值=false)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - 默认值=true)<br/>
 DevicePlugins=true|false (BETA - 默认值=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - 默认值=true)<br/>
 DisableCloudProviders=true|false (ALPHA - 默认值=false)<br/>
-DownwardAPIHugePages=true|false (BETA - 默认值=false)<br/>
-EfficientWatchResumption=true|false (BETA - 默认值=true)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
+DownwardAPIHugePages=true|false (BETA - 默认值=true)<br/>
 EndpointSliceTerminatingCondition=true|false (BETA - 默认值=true)<br/>
-EphemeralContainers=true|false (ALPHA - 默认值=false)<br/>
-ExpandCSIVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - 默认值=true)<br/>
+EphemeralContainers=true|false (BETA - 默认值=true)<br/>
 ExpandedDNSConfig=true|false (ALPHA - 默认值=false)<br/>
-ExperimentalHostUserNamespace默认值ing=true|false (BETA - 默认值=false)<br/>
-GenericEphemeralVolume=true|false (BETA - 默认值=true)<br/>
+ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)<br/>
+GRPCContainerProbe=true|false (BETA - 默认值=true)<br/>
 GracefulNodeShutdown=true|false (BETA - 默认值=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - 默认值=false)<br/>
 HPAScaleToZero=true|false (ALPHA - 默认值=false)<br/>
-IPv6DualStack=true|false (BETA - 默认值=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - 默认值=false)<br/>
+IdentifyPodOS=true|false (BETA - 默认值=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginGCEUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值=false)<br/>I
+nTreePluginGCEUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - 默认值=false)<br/>
-IndexedJob=true|false (BETA - 默认值=true)<br/>
-IngressClassNamespacedParams=true|false (BETA - 默认值=true)<br/>
-JobTrackingWithFinalizers=true|false (ALPHA - 默认值=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
+JobMutableNodeSchedulingDirectives=true|false (BETA - 默认值=true)<br/>
+JobReadyPods=true|false (BETA - 默认值=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - 默认值=false)<br/>
+KubeletCredentialProviders=true|false (BETA - 默认值=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - 默认值=false)<br/>
 KubeletPodResources=true|false (BETA - 默认值=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - 默认值=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - 默认值=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)<br/>
 LogarithmicScaleDown=true|false (BETA - 默认值=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - 默认值=false)<br/>
 MemoryManager=true|false (BETA - 默认值=true)<br/>
 MemoryQoS=true|false (ALPHA - 默认值=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - 默认值=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - 默认值=false)<br/>
+MixedProtocolLBService=true|false (BETA - 默认值=true)<br/>
 NetworkPolicyEndPort=true|false (BETA - 默认值=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - 默认值=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - 默认值=false)<br/>
 NodeSwap=true|false (ALPHA - 默认值=false)<br/>
-NonPreemptingPriority=true|false (BETA - 默认值=true)<br/>
-PodAffinityNamespaceSelector=true|false (BETA - 默认值=true)<br/>
+OpenAPIEnums=true|false (BETA - 默认值=true)<br/>
+OpenAPIV3=true|false (BETA - 默认值=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值=false)<br/>
 PodDeletionCost=true|false (BETA - 默认值=true)<br/>
-PodOverhead=true|false (BETA - 默认值=true)<br/>
-PodSecurity=true|false (ALPHA - 默认值=false)<br/>
-PreferNominatedNode=true|false (BETA - 默认值=true)<br/>
+PodSecurity=true|false (BETA - 默认值=true)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - 默认值=false)<br/>
 ProcMountType=true|false (ALPHA - 默认值=false)<br/>
 ProxyTerminatingEndpoints=true|false (ALPHA - 默认值=false)<br/>
 QOSReserved=true|false (ALPHA - 默认值=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - 默认值=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值=false)<br/>
 RemainingItemCount=true|false (BETA - 默认值=true)<br/>
-RemoveSelfLink=true|false (BETA - 默认值=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - 默认值=true)<br/>
 Seccomp默认值=true|false (ALPHA - 默认值=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - 默认值=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - 默认值=false)<br/>
 ServiceInternalTrafficPolicy=true|false (BETA - 默认值=true)<br/>
-ServiceLBNodePortControl=true|false (BETA - 默认值=true)<br/>
-ServiceLoadBalancerClass=true|false (BETA - 默认值=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - 默认值=true)<br/>
-StatefulSetMinReadySeconds=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - 默认值=true)<br/>
 StorageVersionAPI=true|false (ALPHA - 默认值=false)<br/>
 StorageVersionHash=true|false (BETA - 默认值=true)<br/>
-SuspendJob=true|false (BETA - 默认值=true)<br/>
-TTLAfterFinished=true|false (BETA - 默认值=true)<br/>
-TopologyAwareHints=true|false (ALPHA - 默认值=false)<br/>
+TopologyAwareHints=true|false (BETA - 默认值=true)<br/>
 TopologyManager=true|false (BETA - 默认值=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - 默认值=false)<br/>
 WinDSR=true|false (ALPHA - 默认值=false)<br/>
 WinOverlay=true|false (BETA - 默认值=true)<br/>
-WindowsHostProcessContainers=true|false (ALPHA - 默认值=false)</p>
+WindowsHostProcessContainers=true|false (BETA - 默认值=true)</p>
 </td>
 </tr>
 
@@ -1407,10 +1363,10 @@ Max is .02 (1/50 requests); .001 (1/1000) is a recommended starting point.
 -->
 为防止 HTTP/2 客户端卡在单个 API 服务器上，可启用随机关闭连接（GOAWAY）。
 客户端的其他运行中请求将不会受到影响，并且客户端将重新连接，
-可能会在再次通过负载平衡器后登陆到其他 API 服务器上。 
-此参数设置将发送 GOAWAY 的请求的比例。 
-具有单个 API 服务器或不使用负载平衡器的群集不应启用此功能。 
-最小值为0（关闭），最大值为 .02（1/50 请求）； 建议使用 .001（1/1000）。
+可能会在再次通过负载平衡器后登陆到其他 API 服务器上。
+此参数设置将发送 GOAWAY 的请求的比例。
+具有单个 API 服务器或不使用负载平衡器的集群不应启用此功能。
+最小值为0（关闭），最大值为 .02（1/50 请求）；建议使用 .001（1/1000）。
 </td>
 </tr>
 
@@ -1573,56 +1529,6 @@ post-start hooks will complete successfully and therefore return true.
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--log-backtrace-at traceLocation&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：<tt>:0</tt></td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-when logging hits line file:N, emit a stack trace
--->
-当日志机制执行到'文件 :N'时，生成堆栈跟踪。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, write log files in this directory
--->
-如果为非空，则在此目录中写入日志文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, use this log file
--->
-如果为非空，使用此值作为日志文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1800</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Defines the maximum size a log file can grow to. Unit is megabytes. 
-If the value is 0, the maximum file size is unlimited.
--->
-定义日志文件可以增长到的最大大小。单位为兆字节。
-如果值为 0，则最大文件大小为无限制。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--log-flush-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：5s</td>
 </tr>
@@ -1641,26 +1547,14 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Sets the log format. Permitted formats: "text".<br/>Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.<br/>Non-default choices are currently alpha and subject to change without warning.
+Sets the log format. Permitted formats: &quot;text&quot;.<br/>Non-default formats don't honor these flags: --add-dir-header, --alsologtostderr, --log-backtrace-at, --log-dir, --log-file, --log-file-max-size, --logtostderr, --one-output, --skip-headers, --skip-log-headers, --stderrthreshold, --vmodule.<br/>Non-default choices are currently alpha and subject to change without warning.
 -->
-设置日志格式。允许的格式："text"。<br/>
-非默认格式不支持以下标志：<code>--add-dir-header</code>、<code>--alsologtostderr</code>、<code>--log-backtrace-at</code>、<code>--log-dir</code>、<code>--log-file</code>、<code>--log-file-max-size</code>、<code>--logtostderr</code>、<code>--one-output</code>、<code>-skip-headers</code>、<code>-skip-log-headers</code>、<code>--stderrthreshold</code>、<code>-vmodule</code> 和 <code>--log-flush-frequency</code>。<br/>
+设置日志格式。允许的格式：&quot;text&quot;。<br/>
+非默认格式不支持以下标志：<code>--add-dir-header</code>、<code>--alsologtostderr</code>、<code>--log-backtrace-at</code>、<code>--log-dir</code>、<code>--log-file</code>、<code>--log-file-max-size</code>、<code>--logtostderr</code>、<code>--one-output</code>、<code>-skip-headers</code>、<code>-skip-log-headers</code>、<code>--stderrthreshold</code>、<code>-vmodule</code>。<br/>
 当前非默认选择为 alpha，会随时更改而不会发出警告。
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-log to standard error instead of files
--->
-在标准错误而不是文件中输出日志记录。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--master-service-namespace string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："default"</td>
 </tr>
@@ -1823,11 +1717,11 @@ Repeat this flag to specify multiple claims.
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 Comma-separated list of allowed JOSE asymmetric signing algorithms. 
-JWTs with a 'alg' header value not in this list will be rejected. 
+JWTs with a supported 'alg' header values are: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512.
 Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.
 -->
 允许的 JOSE 非对称签名算法的逗号分隔列表。
-若 JWT 所带的 "alg" 标头值不在列表中，则该 JWT 将被拒绝。
+具有收支持 "alg" 标头值的 JWTs 有：RS256、RS384、RS512、ES256、ES384、ES512、PS256、PS384、PS512。
 取值依据 RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1 定义。
 </td>
 </tr>
@@ -1865,20 +1759,7 @@ If not provided, username claims other than 'email' are prefixed
 </tr>
 
 <tr>
-<td colspan="2">--one-output</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, only write logs to their native severity level (vs also writing to each lower severity level
--->
-此标志为真时，日志只会被写入到其原生的严重性级别中（而不是同时写到所有较低
-严重性级别中）。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--permit-address-sharing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：false</td>
+<td colspan="2">--permit-address-sharing</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
@@ -1891,7 +1772,7 @@ If true, only write logs to their native severity level (vs also writing to each
 </tr>
 
 <tr>
-<td colspan="2">--permit-port-sharing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：false</td>
+<td colspan="2">--permit-port-sharing</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -1966,7 +1847,7 @@ open before timing it out. This is the default request timeout for
 requests but may be overridden by flags such as --min-request-timeout 
 for specific types of requests.
 -->
-可选字段，指示处理程序在超时之前必须保持打开请求的持续时间。 
+可选字段，指示处理程序在超时之前必须保持打开请求的持续时间。
 这是请求的默认请求超时，但对于特定类型的请求，可能会被
 <code>--min-request-timeout</code>等标志覆盖。
 </td>
@@ -2123,9 +2004,9 @@ and all are used to determine which issuers are accepted.
 颁发者将在已办法令牌的 "iss" 声明中检查此标识符。
 此值为字符串或 URI。
 如果根据 OpenID Discovery 1.0 规范检查此选项不是有效的 URI，则即使特性门控设置为 true，
-ServiceAccountIssuerDiscovery 功能也将保持禁用状态。 
-强烈建议该值符合 OpenID 规范：https://openid.net/specs/openid-connect-discovery-1_0.html。 
-实践中，这意味着 service-account-issuer 取值必须是 HTTPS URL。 
+ServiceAccountIssuerDiscovery 功能也将保持禁用状态。
+强烈建议该值符合 OpenID 规范： https://openid.net/specs/openid-connect-discovery-1_0.html 。
+实践中，这意味着 service-account-issuer 取值必须是 HTTPS URL。
 还强烈建议此 URL 能够在 {service-account-issuer}/.well-known/openid-configuration
 处提供 OpenID 发现文档。
 当此值被多次指定时，第一次的值用于生成令牌，所有的值用于确定接受哪些发行人。
@@ -2141,13 +2022,11 @@ ServiceAccountIssuerDiscovery 功能也将保持禁用状态。
 Overrides the URI for the JSON Web Key Set in the discovery doc served at 
 /.well-known/openid-configuration. This flag is useful if the discovery 
 docand key set are served to relying parties from a URL other than the 
-API server's external (as auto-detected or overridden with external-hostname). 
-Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled.
+API server's external (as auto-detected or overridden with external-hostname).
 -->
 覆盖 <code>/.well-known/openid-configuration</code> 提供的发现文档中 JSON Web 密钥集的 URI。
 如果发现文档和密钥集是通过 API 服务器外部
 （而非自动检测到或被外部主机名覆盖）之外的 URL 提供给依赖方的，则此标志很有用。
-仅在启用 ServiceAccountIssuerDiscovery 特性门控的情况下有效。
 </td>
 </tr>
 
@@ -2161,12 +2040,12 @@ File containing PEM-encoded x509 RSA or ECDSA private or public keys,
 used to verify ServiceAccount tokens. The specified file can contain 
 multiple keys, and the flag can be specified multiple times with 
 different files. If unspecified, --tls-private-key-file is used. 
-Must be specified when --service-account-signing-key is provided
+Must be specified when --service-account-signing-key-file is provided
 -->
 包含 PEM 编码的 x509 RSA 或 ECDSA 私钥或公钥的文件，用于验证 ServiceAccount 令牌。
 指定的文件可以包含多个键，并且可以使用不同的文件多次指定标志。
 如果未指定，则使用 <code>--tls-private-key-file</code>。
-提供 <code>--service-account-signing-key</code> 时必须指定。
+提供 <code>--service-account-signing-key-file</code> 时必须指定。
 </td>
 </tr>
 
@@ -2279,38 +2158,18 @@ This can be used to allow load balancer to stop sending traffic to this server.
 </tr>
 
 <tr>
-<td colspan="2">--skip-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, avoid header prefixes in the log messages
--->
-如果为 true，日志消息中避免标题前缀。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--skip-log-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, avoid headers when opening log files
--->
-如果为 true，则在打开日志文件时避免标题。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--stderrthreshold int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：2</td>
+<td colspan="2">--shutdown-send-retry-after</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-logs at or above this threshold go to stderr
+If true the HTTP Server will continue listening until all non long running request(s) in flight have been drained, 
+during this window all incoming requests will be rejected with a status code 429 and a 'Retry-After' response header, 
+in addition 'Connection: close' response header is set in order to tear down the TCP connection when idle.
 -->
-将达到或超过此阈值的日志写到标准错误输出
+值为 true 表示 HTTP 服务器将继续监听直到耗尽所有非长时间运行的请求，
+在此期间，所有传入请求将被拒绝，状态码为 429，响应头为 &quot;Retry-After&quot;，
+此外，设置 &quot;Connection: close&quot; 响应头是为了在空闲时断开 TCP 链接。
 </td>
 </tr>
 
@@ -2350,11 +2209,10 @@ List of directives for HSTS, comma separated. If this list is empty, then HSTS d
 -->
 为 HSTS 所设置的指令列表，用逗号分隔。
 如果此列表为空，则不会添加 HSTS 指令。
-例如： 'max-age=31536000,includeSubDomains,preload'
+例如：'max-age=31536000,includeSubDomains,preload'
 </p></td>
 </tr>
 
-
 <tr>
 <td colspan="2">--tls-cert-file string</td>
 </tr>
@@ -2383,15 +2241,17 @@ the public address and saved to the directory specified by --cert-dir.
 Comma-separated list of cipher suites for the server. 
 If omitted, the default Go cipher suites will be used. 
 <br/>Preferred values:
-TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.<br/>
+TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.<br/>
 Insecure values: 
-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
 -->
 服务器的密码套件的列表，以逗号分隔。如果省略，将使用默认的 Go 密码套件。
 <br/>首选值：
-TLS_AES_128_GCM_SHA256、TLS_AES_256_GCM_SHA384、TLS_CHACHA20_POLY1305_SHA256、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256、TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256、TLS_RSA_WITH_3DES_EDE_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_128_GCM_SHA256、 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
+TLS_AES_128_GCM_SHA256、TLS_AES_256_GCM_SHA384、TLS_CHACHA20_POLY1305_SHA256、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA、
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256、TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256、TLS_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_128_GCM_SHA256、TLS_RSA_WITH_AES_256_CBC_SHA、TLS_RSA_WITH_AES_256_GCM_SHA384。
 不安全的值有：
-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_RC4_128_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_RSA_WITH_RC4_128_SHA、TLS_RSA_WITH_AES_128_CBC_SHA256、TLS_RSA_WITH_RC4_128_SHA。
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_RC4_128_SHA、TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_RSA_WITH_RC4_128_SHA、TLS_RSA_WITH_3DES_EDE_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA256、TLS_RSA_WITH_RC4_128_SHA。
 </td>
 </tr>
 
@@ -2420,7 +2280,7 @@ File containing the default x509 private key matching --tls-cert-file.
 </tr>
 
 <tr>
-<td colspan="2">--tls-sni-cert-key string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值： []</td>
+<td colspan="2">--tls-sni-cert-key string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：[]</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -2494,14 +2354,15 @@ Print version information and quit
 </tr>
 
 <tr>
-<td colspan="2">--vmodule &lt;用逗号分隔的多个 'pattern=N' 配置字符串&gt;</td>
+<td colspan="2">--vmodule pattern=N,...</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 comma-separated list of pattern=N settings for file-filtered logging
+(only works for text log format)
 -->
-以逗号分隔的 <code>pattern=N</code> 设置列表，用于文件过滤的日志记录。
+以逗号分隔的 <code>pattern=N</code> 设置列表，用于文件过滤的日志记录（仅适用于 text 日志格式）。
 </td>
 </tr>
 
@@ -2547,4 +2408,3 @@ heuristics, others default to default-watch-cache-size
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/command-line-tools-reference/kube-controller-manager.md b/content/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager.md
similarity index 85%
rename from content/zh/docs/reference/command-line-tools-reference/kube-controller-manager.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager.md
index 19037bd19b89c..69d31090b9530 100644
--- a/content/zh/docs/reference/command-line-tools-reference/kube-controller-manager.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager.md
@@ -48,18 +48,6 @@ kube-controller-manager [flags]
 </colgroup>
 <tbody>
 
-<tr>
-<td colspan="2">--add-dir-header</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, adds the file directory to the header of the log messages
--->
-若为 true，将文件目录添加到日志消息的头部。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--allocate-node-cidrs</td>
 </tr>
@@ -73,7 +61,7 @@ Should CIDRs for Pods be allocated and set on the cloud provider.
 </tr>
 
 <tr>
-<td colspan="2">--allow-metric-labels stringToString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：""</td>
+<td colspan="2">--allow-metric-labels stringToString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：[]</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
@@ -89,18 +77,6 @@ metric2,label='v1,v2,v3'</code>。
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--alsologtostderr</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-log to standard error as well as files
--->
-在向文件输出日志的同时，也将日志写到标准输出。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--attach-detach-reconcile-sync-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1m0s</td>
 </tr>
@@ -232,7 +208,7 @@ Path to the file containing Azure container registry configuration information.
 </tr>
 
 <tr>
-<td colspan="2">--bind-address ip&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.0.0.0</td>
+<td colspan="2">--bind-address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.0.0.0</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -511,6 +487,19 @@ The number of endpoint syncing operations that will be done concurrently. Larger
 </td>
 </tr>
 
+<tr>
+<td colspan="2">--concurrent-ephemeralvolume-syncs int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：5</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+The number of ephemeral volume syncing operations that will be done concurrently. Larger number = faster ephemeral volume updating, but more CPU (and network) load
+-->
+可以并发执行的 EphemeralVolume 同步操作个数。数值越大意味着更快的 EphemeralVolume 更新操作，
+同时也意味着更大的 CPU （和网络）压力。
+</td>
+</tr>
+
 <tr>
 <td colspan="2">--concurrent-gc-syncs int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：20</td>
 </tr>
@@ -676,7 +665,7 @@ Interval between starting controller managers.
 </tr>
 
 <tr>
-<td colspan="2">--controllers strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：<code>[*]</code></td>
+<td colspan="2">--controllers strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：<code>*</code></td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -690,18 +679,6 @@ A list of controllers to enable. '*' enables all on-by-default controllers, 'foo
 默认禁用的控制器有：bootstrapsigner 和 tokencleaner。</td>
 </tr>
 
-<tr>
-<td colspan="2">--deployment-controller-sync-period duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：30s</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Period for syncing the deployments.
--->
-Deployment 资源的同步周期。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--disable-attach-detach-reconcile-sync</td>
 </tr>
@@ -822,19 +799,6 @@ The length of endpoint slice updates batching period. Processing of pod changes
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--experimental-logging-sanitization</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).<br/>Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.
--->
-[试验性功能] 当启用此标志时，被标记为敏感的字段（密码、密钥、令牌）不会被日志输出。<br/>
-运行时的日志清理操作可能会引入相当程度的计算开销，因此不应在生产环境中启用。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--external-cloud-volume-plugin string</td>
 </tr>
@@ -864,96 +828,99 @@ APIServerIdentity=true|false (ALPHA - default=false)<br/>
 APIServerTracing=true|false (ALPHA - default=false)<br/>
 AllAlpha=true|false (ALPHA - default=false)<br/>
 AllBeta=true|false (BETA - default=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - default=false)<br/>
+AnyVolumeDataSource=true|false (BETA - default=true)<br/>
 AppArmor=true|false (BETA - default=true)<br/>
 CPUManager=true|false (BETA - default=true)<br/>
-CPUManagerPolicyOptions=true|false (ALPHA - default=false)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
+CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>
 CSIInlineVolume=true|false (BETA - default=true)<br/>
 CSIMigration=true|false (BETA - default=true)<br/>
-CSIMigrationAWS=true|false (BETA - default=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - default=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - default=false)<br/>
-CSIMigrationGCE=true|false (BETA - default=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - default=true)<br/>
+CSIMigrationAWS=true|false (BETA - default=true)<br/>
+CSIMigrationAzureFile=true|false (BETA - default=true)<br/>
+CSIMigrationGCE=true|false (BETA - default=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - default=false)<br/>
 CSIMigrationvSphere=true|false (BETA - default=false)<br/>
-CSIStorageCapacity=true|false (BETA - default=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - default=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - default=false)<br/>
-CSRDuration=true|false (BETA - default=true)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - default=true)<br/>
-ControllerManagerLeaderMigration=true|false (BETA - default=true)<br/>
+ContextualLogging=true|false (ALPHA - default=false)<br/>
+CronJobTimeZone=true|false (ALPHA - default=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>
 DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>
-DefaultPodTopologySpread=true|false (BETA - default=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (ALPHA - default=false)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>
 DevicePlugins=true|false (BETA - default=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>
 DisableCloudProviders=true|false (ALPHA - default=false)<br/>
-DownwardAPIHugePages=true|false (BETA - default=false)<br/>
-EfficientWatchResumption=true|false (BETA - default=true)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>
+DownwardAPIHugePages=true|false (BETA - default=true)<br/>
 EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>
-EphemeralContainers=true|false (ALPHA - default=false)<br/>
-ExpandCSIVolumes=true|false (BETA - default=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - default=true)<br/>
+EphemeralContainers=true|false (BETA - default=true)<br/>
 ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>
-GenericEphemeralVolume=true|false (BETA - default=true)<br/>
+GRPCContainerProbe=true|false (BETA - default=true)<br/>
 GracefulNodeShutdown=true|false (BETA - default=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - default=false)<br/>
 HPAScaleToZero=true|false (ALPHA - default=false)<br/>
-IPv6DualStack=true|false (BETA - default=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>
+IdentifyPodOS=true|false (BETA - default=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>
-IndexedJob=true|false (BETA - default=true)<br/>
-IngressClassNamespacedParams=true|false (BETA - default=true)<br/>
-JobTrackingWithFinalizers=true|false (ALPHA - default=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - default=false)<br/>
+JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>
+JobReadyPods=true|false (BETA - default=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>
+KubeletCredentialProviders=true|false (BETA - default=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>
 KubeletPodResources=true|false (BETA - default=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>
 LogarithmicScaleDown=true|false (BETA - default=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>
 MemoryManager=true|false (BETA - default=true)<br/>
 MemoryQoS=true|false (ALPHA - default=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - default=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>
+MixedProtocolLBService=true|false (BETA - default=true)<br/>
 NetworkPolicyEndPort=true|false (BETA - default=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>
 NodeSwap=true|false (ALPHA - default=false)<br/>
-NonPreemptingPriority=true|false (BETA - default=true)<br/>
-PodAffinityNamespaceSelector=true|false (BETA - default=true)<br/>
+OpenAPIEnums=true|false (BETA - default=true)<br/>
+OpenAPIV3=true|false (BETA - default=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>
 PodDeletionCost=true|false (BETA - default=true)<br/>
-PodOverhead=true|false (BETA - default=true)<br/>
-PodSecurity=true|false (ALPHA - default=false)<br/>
-PreferNominatedNode=true|false (BETA - default=true)<br/>
+PodSecurity=true|false (BETA - default=true)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>
 ProcMountType=true|false (ALPHA - default=false)<br/>
 ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>
 QOSReserved=true|false (ALPHA - default=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - default=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>
 RemainingItemCount=true|false (BETA - default=true)<br/>
-RemoveSelfLink=true|false (BETA - default=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>
 SeccompDefault=true|false (ALPHA - default=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>
 ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>
-ServiceLBNodePortControl=true|false (BETA - default=true)<br/>
-ServiceLoadBalancerClass=true|false (BETA - default=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>
-StatefulSetMinReadySeconds=true|false (ALPHA - default=false)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>
 StorageVersionAPI=true|false (ALPHA - default=false)<br/>
 StorageVersionHash=true|false (BETA - default=true)<br/>
-SuspendJob=true|false (BETA - default=true)<br/>
-TTLAfterFinished=true|false (BETA - default=true)<br/>
-TopologyAwareHints=true|false (ALPHA - default=false)<br/>
+TopologyAwareHints=true|false (BETA - default=true)<br/>
 TopologyManager=true|false (BETA - default=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>
 WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
-WindowsHostProcessContainers=true|false (ALPHA - default=false)
+WindowsHostProcessContainers=true|false (BETA - default=true)
 -->
 一组 key=value 对，用来描述测试性/试验性功能的特性门控（Feature Gate）。可选项有：
 APIListChunking=true|false (BETA - 默认值=true)<br/>
@@ -963,96 +930,99 @@ APIServerIdentity=true|false (ALPHA - 默认值=false)<br/>
 APIServerTracing=true|false (ALPHA - 默认值=false)<br/>
 AllAlpha=true|false (ALPHA - 默认值=false)<br/>
 AllBeta=true|false (BETA - 默认值=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - 默认值=false)<br/>
+AnyVolumeDataSource=true|false (BETA - 默认值=true)<br/>
 AppArmor=true|false (BETA - 默认值=true)<br/>
 CPUManager=true|false (BETA - 默认值=true)<br/>
-CPUManagerPolicyOptions=true|false (ALPHA - 默认值=false)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - 默认值=false)<br/>
+CPUManagerPolicyBetaOptions=true|false (BETA - 默认值=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - 默认值=true)<br/>
 CSIInlineVolume=true|false (BETA - 默认值=true)<br/>
 CSIMigration=true|false (BETA - 默认值=true)<br/>
-CSIMigrationAWS=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - 默认值=false)<br/>
-CSIMigrationGCE=true|false (BETA - 默认值=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - 默认值=true)<br/>
+CSIMigrationAWS=true|false (BETA - 默认值=true)<br/>
+CSIMigrationAzureFile=true|false (BETA - 默认值=true)<br/>
+CSIMigrationGCE=true|false (BETA - 默认值=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - 默认值=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - 默认值=false)<br/>
 CSIMigrationvSphere=true|false (BETA - 默认值=false)<br/>
-CSIStorageCapacity=true|false (BETA - 默认值=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - 默认值=false)<br/>
-CSRDuration=true|false (BETA - 默认值=true)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
-ControllerManagerLeaderMigration=true|false (BETA - 默认值=true)<br/>
+ContextualLogging=true|false (ALPHA - 默认值=false)<br/>
+CronJobTimeZone=true|false (ALPHA - 默认值=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - 默认值=false)<br/>
 DaemonSetUpdateSurge=true|false (BETA - 默认值=true)<br/>
-默认值PodTopologySpread=true|false (BETA - 默认值=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (ALPHA - 默认值=false)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - 默认值=true)<br/>
 DevicePlugins=true|false (BETA - 默认值=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - 默认值=true)<br/>
 DisableCloudProviders=true|false (ALPHA - 默认值=false)<br/>
-DownwardAPIHugePages=true|false (BETA - 默认值=false)<br/>
-EfficientWatchResumption=true|false (BETA - 默认值=true)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
+DownwardAPIHugePages=true|false (BETA - 默认值=true)<br/>
 EndpointSliceTerminatingCondition=true|false (BETA - 默认值=true)<br/>
-EphemeralContainers=true|false (ALPHA - 默认值=false)<br/>
-ExpandCSIVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - 默认值=true)<br/>
+EphemeralContainers=true|false (BETA - 默认值=true)<br/>
 ExpandedDNSConfig=true|false (ALPHA - 默认值=false)<br/>
-ExperimentalHostUserNamespace默认值ing=true|false (BETA - 默认值=false)<br/>
-GenericEphemeralVolume=true|false (BETA - 默认值=true)<br/>
+ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)<br/>
+GRPCContainerProbe=true|false (BETA - 默认值=true)<br/>
 GracefulNodeShutdown=true|false (BETA - 默认值=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - 默认值=false)<br/>
 HPAScaleToZero=true|false (ALPHA - 默认值=false)<br/>
-IPv6DualStack=true|false (BETA - 默认值=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - 默认值=false)<br/>
+IdentifyPodOS=true|false (BETA - 默认值=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginGCEUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - 默认值=false)<br/>
-IndexedJob=true|false (BETA - 默认值=true)<br/>
-IngressClassNamespacedParams=true|false (BETA - 默认值=true)<br/>
-JobTrackingWithFinalizers=true|false (ALPHA - 默认值=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
+JobMutableNodeSchedulingDirectives=true|false (BETA - 默认值=true)<br/>
+JobReadyPods=true|false (BETA - 默认值=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - 默认值=false)<br/>
+KubeletCredentialProviders=true|false (BETA - 默认值=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - 默认值=false)<br/>
 KubeletPodResources=true|false (BETA - 默认值=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - 默认值=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - 默认值=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)<br/>
 LogarithmicScaleDown=true|false (BETA - 默认值=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - 默认值=false)<br/>
 MemoryManager=true|false (BETA - 默认值=true)<br/>
 MemoryQoS=true|false (ALPHA - 默认值=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - 默认值=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - 默认值=false)<br/>
+MixedProtocolLBService=true|false (BETA - 默认值=true)<br/>
 NetworkPolicyEndPort=true|false (BETA - 默认值=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - 默认值=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - 默认值=false)<br/>
 NodeSwap=true|false (ALPHA - 默认值=false)<br/>
-NonPreemptingPriority=true|false (BETA - 默认值=true)<br/>
-PodAffinityNamespaceSelector=true|false (BETA - 默认值=true)<br/>
+OpenAPIEnums=true|false (BETA - 默认值=true)<br/>
+OpenAPIV3=true|false (BETA - 默认值=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值=false)<br/>
 PodDeletionCost=true|false (BETA - 默认值=true)<br/>
-PodOverhead=true|false (BETA - 默认值=true)<br/>
-PodSecurity=true|false (ALPHA - 默认值=false)<br/>
-PreferNominatedNode=true|false (BETA - 默认值=true)<br/>
+PodSecurity=true|false (BETA - 默认值=true)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - 默认值=false)<br/>
 ProcMountType=true|false (ALPHA - 默认值=false)<br/>
 ProxyTerminatingEndpoints=true|false (ALPHA - 默认值=false)<br/>
 QOSReserved=true|false (ALPHA - 默认值=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - 默认值=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值=false)<br/>
 RemainingItemCount=true|false (BETA - 默认值=true)<br/>
-RemoveSelfLink=true|false (BETA - 默认值=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - 默认值=true)<br/>
-Seccomp默认值=true|false (ALPHA - 默认值=false)<br/>
+SeccompDefault=true|false (ALPHA - 默认值=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - 默认值=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - 默认值=false)<br/>
 ServiceInternalTrafficPolicy=true|false (BETA - 默认值=true)<br/>
-ServiceLBNodePortControl=true|false (BETA - 默认值=true)<br/>
-ServiceLoadBalancerClass=true|false (BETA - 默认值=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - 默认值=true)<br/>
-StatefulSetMinReadySeconds=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - 默认值=true)<br/>
 StorageVersionAPI=true|false (ALPHA - 默认值=false)<br/>
 StorageVersionHash=true|false (BETA - 默认值=true)<br/>
-SuspendJob=true|false (BETA - 默认值=true)<br/>
-TTLAfterFinished=true|false (BETA - 默认值=true)<br/>
-TopologyAwareHints=true|false (ALPHA - 默认值=false)<br/>
+TopologyAwareHints=true|false (BETA - 默认值=true)<br/>
 TopologyManager=true|false (BETA - 默认值=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - 默认值=false)<br/>
 WinDSR=true|false (ALPHA - 默认值=false)<br/>
 WinOverlay=true|false (BETA - 默认值=true)<br/>
-WindowsHostProcessContainers=true|false (ALPHA - 默认值=false)
+WindowsHostProcessContainers=true|false (BETA - 默认值=true)
 </p>
 </td>
 </tr>
@@ -1181,7 +1151,7 @@ Content type of requests sent to apiserver.
 </tr>
 
 <tr>
-<td colspan="2">--kube-api-qps float32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：20</td>
+<td colspan="2">--kube-api-qps float&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：20</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -1267,10 +1237,10 @@ The interval between attempts by the acting master to renew a leadership slot be
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'.
+The type of resource object that is used for locking during leader election. Supported options are 'leases', 'endpointsleases' and 'configmapsleases'.
 -->
-在领导者选举期间用于锁定的资源对象的类型。 支持的选项为 "endpoints"、
-"configmaps"、"leases"、"endpointsleases" 和 "configmapsleases"。
+在领导者选举期间用于锁定的资源对象的类型。 支持的选项为
+"leases"、"endpointsleases" 和 "configmapsleases"。
 </td>
 </tr>
 
@@ -1326,56 +1296,6 @@ Path to the config file for controller leader migration, or empty to use the val
 </p></td>
 </tr>
 
-
-<tr>
-<td colspan="2">--log-backtrace-at traceLocation&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：<code>:0</code></td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-when logging hits line file:N, emit a stack trace
--->
-当执行到 <code>file:N</code> 所给的文件和代码行时，日志机制会生成一个调用栈快照。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, write log files in this directory.
--->
-此标志为非空字符串时，日志文件会写入到所给的目录中。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, use this log file
--->
-此标志为非空字符串时，意味着日志会写入到所给的文件中。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1800</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.
--->
-定义日志文件大小的上限。单位是兆字节（MB）。
-若此值为 0，则不对日志文件尺寸进行约束。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--log-flush-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：5s</td>
 </tr>
@@ -1394,31 +1314,19 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Sets the log format. Permitted formats: "text".<br/>Non-default formats don't honor these flags: --add_dir_header, --alsologtostderr, --log_backtrace_at, --log_dir, --log_file, --log_file_max_size, --logtostderr, --one_output, --skip_headers, --skip_log_headers, --stderrthreshold, --vmodule, --log-flush-frequency.<br/>Non-default choices are currently alpha and subject to change without warning.
+Sets the log format. Permitted formats: &quot;text&quot;.<br/>Non-default formats don't honor these flags: --add-dir-header, --alsologtostderr, --log-backtrace-at, --log-dir, --log-file, --log-file-max-size, --logtostderr, --one-output, --skip-headers, --skip-log-headers, --stderrthreshold, --vmodule.<br/>Non-default choices are currently alpha and subject to change without warning.
 -->
-设置日志格式。允许的格式："text"。
+设置日志格式。允许的格式：&quot;text&quot;。
 <br/>非默认格式不支持以下标志：<code>--add-dir-header</code>、
-<code>--alsologtostderr</code>》、<code>--log-backtrace-at</code>、
+<code>--alsologtostderr</code>、<code>--log-backtrace-at</code>、
 <code>--log-dir</code>、<code>--log-file</code>、<code>--log-file-max-size</code>、
 <code>--logtostderr</code>、<code>--one-output</code>、<code>--skip-headers</code>、
 <code>--skip-log-headers</code>、<code>--stderrthreshold</code>、
-<code>--vmodule</code>、<code>--log-flush-frequency</code>。
+<code>--vmodule</code>。
 <br/>当前非默认选项为 Alpha 阶段，如有更改，恕不另行通知。
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-log to standard error instead of files
--->
-将日志写出到标准错误输出（stderr）而不是写入到日志文件。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--master string</td>
 </tr>
@@ -1492,10 +1400,10 @@ EndpointSlice 更改的处理将延迟此持续时间，
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in less endpoint slices, but larger resources.
+The maximum number of endpoints that will be added to an EndpointSlice by the EndpointSliceMirroring controller. More endpoints per slice will result in less endpoint slices, but larger resources. Defaults to 100.
 -->
 EndpointSliceMirroring 控制器将添加到 EndpointSlice 的最大端点数。
-每个分片的端点越多，端点分片越少，但资源越大。
+每个分片的端点越多，端点分片越少，但资源越大。默认为 100。
 </td>
 </tr>
 
@@ -1548,15 +1456,15 @@ Mask size for IPv6 node cidr in dual-stack cluster. Default is 64.
 </tr>
 
 <tr>
-<td colspan="2">--node-eviction-rate float32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.1</td>
+<td colspan="2">--node-eviction-rate float&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.1</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 Number of nodes per second on which pods are deleted in case of node failure when a zone is healthy (see --unhealthy-zone-threshold for definition of healthy/unhealthy). Zone refers to entire cluster in non-multizone clusters.
 -->
-当某区域变得不健康，节点失效时，每秒钟可以从此标志所设定的节点
-个数上删除 Pods。请参阅 <code>--unhealthy-zone-threshold</code> 
+当某区域健康时，在节点故障的情况下每秒删除 Pods 的节点数。
+请参阅 <code>--unhealthy-zone-threshold</code>
 以了解“健康”的判定标准。这里的区域（zone）在集群并不跨多个区域时
 指的是整个集群。
 </td>
@@ -1601,29 +1509,17 @@ Amount of time which we allow starting Node to be unresponsive before marking it
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--one-output</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, only write logs to their native severity level (vs also writing to each lower severity level
--->
-如果此标志为 true，则仅将日志写入其自身的严重性级别（而不是同时写入更低的严重性级别中）。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--permit-address-sharing</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state.
+If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]
 -->
 如果此标志为 true，则在绑定端口时使用 <code>SO_REUSEADDR</code>。
 这就意味着可以同时绑定到 <code>0.0.0.0</code> 和特定的 IP 地址，
-并且避免等待内核释放处于 <code>TIME_WAITE</code> 状态的套接字。
+并且避免等待内核释放处于 <code>TIME_WAITE</code> 状态的套接字。[默认值=false]。
 </p></td>
 </tr>
 
@@ -1637,7 +1533,7 @@ If true, SO_REUSEADDR will be used when binding the port. This allows binding to
 If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]
 -->
 如果为 true，则在绑定端口时将使用 <code>SO_REUSEPORT</code>，
-这允许多个实例在同一地址和端口上进行绑定。
+这允许多个实例在同一地址和端口上进行绑定。[默认值=false]。
 </td>
 </tr>
 
@@ -1722,7 +1618,7 @@ The file path to a pod definition used as a template for HostPath persistent vol
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The file path to a pod definition used as a template for HostPath persistent volume recycling. This is for development and testing only and will not work in a multi-node cluster.
+The file path to a pod definition used as a template for NFS persistent volume recycling
 -->
 对 NFS 卷执行回收利用时，用作模版的 Pod 定义文件所在路径。
 </td>
@@ -1759,7 +1655,8 @@ The period for syncing persistent volumes and persistent volume claims
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.-->
+List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
+-->
 标志值是客户端证书中的 Common Names 列表。其中所列的名称可以通过
 <code>--requestheader-username-headers</code> 所设置的 HTTP 头部来提供用户名。
 如果此标志值为空表，则被 <code>--requestheader-client-ca-file</code>
@@ -1921,42 +1818,6 @@ The previous version for which you want to show hidden metrics. Only the previou
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--skip-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, avoid header prefixes in the log messages
--->
-若此标志为 true，则在日志消息中避免写入头部前缀信息。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--skip-log-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, avoid headers when opening log files
--->
-若此标志为 true，则在写入日志文件时避免写入头部信息。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--stderrthreshold severity&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：2</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-logs at or above this threshold go to stderr
--->
-等于或大于此阈值的日志信息会被写入到标准错误输出（stderr）。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--terminated-pod-gc-threshold int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：12500</td>
 </tr>
@@ -1992,11 +1853,11 @@ File containing the default x509 Certificate for HTTPS. (CA cert, if any, concat
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.<br/>Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.<br/>Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
+Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.<br/>Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.<br/>Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
 -->
 供服务器使用的加密包的逗号分隔列表。若忽略此标志，则使用 Go 语言默认的加密包。<br/>
-可选值包括：TLS_AES_128_GCM_SHA256、TLS_AES_256_GCM_SHA384、TLS_CHACHA20_POLY1305_SHA256、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256、TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256、TLS_RSA_WITH_3DES_EDE_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_128_GCM_SHA256、TLS_RSA_WITH_AES_256_CBC_SHA、TLS_RSA_WITH_AES_256_GCM_SHA384. 
-<br/>不安全的值: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_RC4_128_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_RSA_WITH_RC4_128_SHA、TLS_RSA_WITH_AES_128_CBC_SHA256、TLS_RSA_WITH_RC4_128_SHA
+可选值包括：TLS_AES_128_GCM_SHA256、TLS_AES_256_GCM_SHA384、TLS_CHACHA20_POLY1305_SHA256、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305、TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256、TLS_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_128_GCM_SHA256、TLS_RSA_WITH_AES_256_CBC_SHA、TLS_RSA_WITH_AES_256_GCM_SHA384。
+<br/>不安全的值: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_RC4_128_SHA、TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_RSA_WITH_RC4_128_SHA、TLS_RSA_WITH_3DES_EDE_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA256、TLS_RSA_WITH_RC4_128_SHA。
 </td>
 </tr>
 
@@ -2026,12 +1887,12 @@ File containing the default x509 private key matching --tls-cert-file.
 </tr>
 
 <tr>
-<td colspan="2">--tls-sni-cert-key namedCertKey&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：[]</td>
+<td colspan="2">--tls-sni-cert-key string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com".
+A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: &quot;example.crt,example.key&quot; or &quot;foo.crt,foo.key:*.foo.com,foo.com&quot;.
 -->
 X509 证书和私钥文件路径的耦对。作为可选项，可以添加域名模式的列表，
 其中每个域名模式都是可以带通配片段前缀的全限定域名（FQDN）。
@@ -2092,14 +1953,14 @@ Print version information and quit
 </tr>
 
 <tr>
-<td colspan="2">--vmodule &lt;<!--comma-separated 'pattern=N' settings-->逗号分隔的 'pattern=N' 配置值&gt;</td>
+<td colspan="2">--vmodule pattern=N,...</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Comma-separated list of pattern=N settings for file-filtered logging
+comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
 -->
-由逗号分隔的列表，每一项都是 pattern=N 格式，用来执行根据文件过滤的日志行为。
+由逗号分隔的列表，每一项都是 pattern=N 格式，用来执行根据文件过滤的日志行为（仅适用于 text 日志格式）。
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/command-line-tools-reference/kube-proxy.md b/content/zh-cn/docs/reference/command-line-tools-reference/kube-proxy.md
similarity index 68%
rename from content/zh/docs/reference/command-line-tools-reference/kube-proxy.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/kube-proxy.md
index 0eff062d25f5d..3484f8c4da843 100644
--- a/content/zh/docs/reference/command-line-tools-reference/kube-proxy.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kube-proxy.md
@@ -54,15 +54,16 @@ kube-proxy [flags]
 <tbody>
 
 <tr>
-<td colspan="2">--add-dir-header</td>
+<td colspan="2">--add_dir_header</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
 If true, adds the file directory to the header of the log messages
 -->
-若此标志为 true，则将文件目录添加到日志消息的头部。
-</p></td>
+如果为 true，将文件目录添加到日志消息的头部
+</p>
+</td>
 </tr>
 
 <tr>
@@ -73,35 +74,22 @@ If true, adds the file directory to the header of the log messages
 <!--
 log to standard error as well as files
 -->
-将日志输出到文件时也输出到标准错误输出（stderr）。
-</p></td>
-</tr>
-
-<tr>
-<td colspan="2">--azure-container-registry-config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-Path to the file containing Azure container registry configuration information.
--->
-包含 Azure 容器仓库配置信息的文件的路径。
+设置为 true 表示将日志输出到文件的同时输出到 stderr
 </p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--bind-address 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.0.0.0</td>
+<td colspan="2">--bind-address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.0.0.0</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces)
+The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 interfaces and '::' for all IPv6 interfaces). This parameter is ignored if a config file is specified by --config.
 -->
-代理服务器要使用的 IP 地址（设置为 '0.0.0.0' 表示要使用所有 IPv4 接口；
-设置为 '::' 表示使用所有 IPv6 接口）。
-</p>
-</td>
+代理服务器的 IP 地址（所有 IPv4 接口设置为 “0.0.0.0”，所有 IPv6 接口设置为 “::”）。
+如果配置文件由 <code>--config</code> 指定，则忽略此参数。
+</p></td>
 </tr>
 
 <tr>
@@ -112,20 +100,17 @@ The IP address for the proxy server to serve on (set to '0.0.0.0' for all IPv4 i
 <!--
 If true kube-proxy will treat failure to bind to a port as fatal and exit
 -->
-若此标志为 true，kube-proxy 会将无法绑定端口的失败操作视为致命错误并退出。
+如果为 true，kube-proxy 会将无法绑定端口的失败操作视为致命错误并退出。
 </p></td>
 </tr>
 
 <tr>
-<td colspan="2">--boot-id-file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："/proc/sys/kernel/random/boot_id"</td>
+<td colspan="2">--boot_id_file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："/proc/sys/kernel/random/boot_id"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-Comma-separated list of files to check for boot-id. Use the first one that exists.
--->
-用来检查 Boot-ID 的文件名，用逗号隔开。
-第一个存在的文件会被使用。
+<!-- Comma-separated list of files to check for boot-id. Use the first one that exists. -->
+逗号分隔的文件列表，用于检查 boot-id。使用第一个存在的文件。
 </p></td>
 </tr>
 
@@ -148,11 +133,14 @@ If true cleanup iptables and ipvs rules and exit.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-The CIDR range of pods in the cluster. When configured, traffic sent to a Service cluster IP from outside this range will be masqueraded and traffic sent from pods to an external LoadBalancer IP will be directed to the respective cluster IP instead
+The CIDR range of pods in the cluster. When configured, traffic sent to a Service cluster IP from outside this range will be masqueraded and traffic sent from pods to an external LoadBalancer IP will be directed to the respective cluster IP instead. For dual-stack clusters, a comma-separated list is accepted with at least one CIDR per IP family (IPv4 and IPv6). This parameter is ignored if a config file is specified by --config.
 -->
 集群中 Pod 的 CIDR 范围。配置后，将从该范围之外发送到服务集群 IP
-的流量被伪装，从 Pod 发送到外部 LoadBalancer IP 的流量将被重定向
-到相应的集群 IP。
+的流量被伪装，从 Pod 发送到外部 LoadBalancer IP
+的流量将被重定向到相应的集群 IP。
+对于双协议栈集群，接受一个逗号分隔的列表，
+每个 IP 协议族（IPv4 和 IPv6）至少包含一个 CIDR。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
@@ -243,20 +231,23 @@ Idle timeout for established TCP connections (0 to leave as-is)
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!-- Mode to use to detect local traffic -->
+<!--
+Mode to use to detect local traffic. This parameter is ignored if a config file is specified by --config.
+-->
 用于检测本地流量的模式。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--feature-gates &lt;<!--comma-separated 'key=True|False' pairs-->逗号分隔的 'key=True|False' 对’&gt;</td>
+<td colspan="2">--feature-gates &lt;<!--comma-separated 'key=True|False' pairs-->逗号分隔的 'key=True|False' 对&gt;</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-<br/>
+A set of key=value pairs that describe feature gates for alpha/experimental features. Options are
+:<br/>
 APIListChunking=true|false (BETA - default=true)<br/>
 APIPriorityAndFairness=true|false (BETA - default=true)<br/>
 APIResponseCompression=true|false (BETA - default=true)<br/>
@@ -264,98 +255,101 @@ APIServerIdentity=true|false (ALPHA - default=false)<br/>
 APIServerTracing=true|false (ALPHA - default=false)<br/>
 AllAlpha=true|false (ALPHA - default=false)<br/>
 AllBeta=true|false (BETA - default=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - default=false)<br/>
+AnyVolumeDataSource=true|false (BETA - default=true)<br/>
 AppArmor=true|false (BETA - default=true)<br/>
 CPUManager=true|false (BETA - default=true)<br/>
-CPUManagerPolicyOptions=true|false (ALPHA - default=false)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
+CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>
 CSIInlineVolume=true|false (BETA - default=true)<br/>
 CSIMigration=true|false (BETA - default=true)<br/>
-CSIMigrationAWS=true|false (BETA - default=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - default=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - default=false)<br/>
-CSIMigrationGCE=true|false (BETA - default=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - default=true)<br/>
+CSIMigrationAWS=true|false (BETA - default=true)<br/>
+CSIMigrationAzureFile=true|false (BETA - default=true)<br/>
+CSIMigrationGCE=true|false (BETA - default=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - default=false)<br/>
 CSIMigrationvSphere=true|false (BETA - default=false)<br/>
-CSIStorageCapacity=true|false (BETA - default=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - default=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - default=false)<br/>
-CSRDuration=true|false (BETA - default=true)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - default=true)<br/>
-ControllerManagerLeaderMigration=true|false (BETA - default=true)<br/>
+CronJobTimeZone=true|false (ALPHA - default=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>
 DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>
-DefaultPodTopologySpread=true|false (BETA - default=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (ALPHA - default=false)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>
 DevicePlugins=true|false (BETA - default=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>
 DisableCloudProviders=true|false (ALPHA - default=false)<br/>
-DownwardAPIHugePages=true|false (BETA - default=false)<br/>
-EfficientWatchResumption=true|false (BETA - default=true)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>
+DownwardAPIHugePages=true|false (BETA - default=true)<br/>
 EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>
-EphemeralContainers=true|false (ALPHA - default=false)<br/>
-ExpandCSIVolumes=true|false (BETA - default=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - default=true)<br/>
+EphemeralContainers=true|false (BETA - default=true)<br/>
 ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>
-GenericEphemeralVolume=true|false (BETA - default=true)<br/>
+GRPCContainerProbe=true|false (BETA - default=true)<br/>
 GracefulNodeShutdown=true|false (BETA - default=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - default=false)<br/>
 HPAScaleToZero=true|false (ALPHA - default=false)<br/>
-IPv6DualStack=true|false (BETA - default=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>
+IdentifyPodOS=true|false (BETA - default=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>
-IndexedJob=true|false (BETA - default=true)<br/>
-IngressClassNamespacedParams=true|false (BETA - default=true)<br/>
-JobTrackingWithFinalizers=true|false (ALPHA - default=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - default=false)<br/>
+JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>
+JobReadyPods=true|false (BETA - default=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>
+KubeletCredentialProviders=true|false (BETA - default=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>
 KubeletPodResources=true|false (BETA - default=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>
 LogarithmicScaleDown=true|false (BETA - default=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>
 MemoryManager=true|false (BETA - default=true)<br/>
 MemoryQoS=true|false (ALPHA - default=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - default=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>
+MixedProtocolLBService=true|false (BETA - default=true)<br/>
 NetworkPolicyEndPort=true|false (BETA - default=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>
 NodeSwap=true|false (ALPHA - default=false)<br/>
-NonPreemptingPriority=true|false (BETA - default=true)<br/>
-PodAffinityNamespaceSelector=true|false (BETA - default=true)<br/>
+OpenAPIEnums=true|false (BETA - default=true)<br/>
+OpenAPIV3=true|false (BETA - default=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>
 PodDeletionCost=true|false (BETA - default=true)<br/>
-PodOverhead=true|false (BETA - default=true)<br/>
-PodSecurity=true|false (ALPHA - default=false)<br/>
-PreferNominatedNode=true|false (BETA - default=true)<br/>
+PodSecurity=true|false (BETA - default=true)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>
 ProcMountType=true|false (ALPHA - default=false)<br/>
 ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>
 QOSReserved=true|false (ALPHA - default=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - default=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>
 RemainingItemCount=true|false (BETA - default=true)<br/>
-RemoveSelfLink=true|false (BETA - default=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>
 SeccompDefault=true|false (ALPHA - default=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>
 ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>
-ServiceLBNodePortControl=true|false (BETA - default=true)<br/>
-ServiceLoadBalancerClass=true|false (BETA - default=true)<br/>1
 SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>
-StatefulSetMinReadySeconds=true|false (ALPHA - default=false)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>
 StorageVersionAPI=true|false (ALPHA - default=false)<br/>
 StorageVersionHash=true|false (BETA - default=true)<br/>
-SuspendJob=true|false (BETA - default=true)<br/>
-TTLAfterFinished=true|false (BETA - default=true)<br/>
-TopologyAwareHints=true|false (ALPHA - default=false)<br/>
+TopologyAwareHints=true|false (BETA - default=true)<br/>
 TopologyManager=true|false (BETA - default=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>
 WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
-WindowsHostProcessContainers=true|false (ALPHA - default=false)
+WindowsHostProcessContainers=true|false (BETA - default=true)
+This parameter is ignored if a config file is specified by --config.
 -->
-一组键=值（key=value）对，描述了 alpha/experimental 的特征。可选项有：
+一组键=值（key=value）对，描述了 alpha/experimental 的特征。可选项有：<br/>
 APIListChunking=true|false (BETA - 默认值=true)<br/>
 APIPriorityAndFairness=true|false (BETA - 默认值=true)<br/>
 APIResponseCompression=true|false (BETA - 默认值=true)<br/>
@@ -363,96 +357,99 @@ APIServerIdentity=true|false (ALPHA - 默认值=false)<br/>
 APIServerTracing=true|false (ALPHA - 默认值=false)<br/>
 AllAlpha=true|false (ALPHA - 默认值=false)<br/>
 AllBeta=true|false (BETA - 默认值=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - 默认值=false)<br/>
+AnyVolumeDataSource=true|false (BETA - 默认值=true)<br/>
 AppArmor=true|false (BETA - 默认值=true)<br/>
 CPUManager=true|false (BETA - 默认值=true)<br/>
-CPUManagerPolicyOptions=true|false (ALPHA - 默认值=false)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - 默认值=false)<br/>
+CPUManagerPolicyBetaOptions=true|false (BETA - 默认值=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - 默认值=true)<br/>
 CSIInlineVolume=true|false (BETA - 默认值=true)<br/>
 CSIMigration=true|false (BETA - 默认值=true)<br/>
-CSIMigrationAWS=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - 默认值=false)<br/>
-CSIMigrationGCE=true|false (BETA - 默认值=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - 默认值=true)<br/>
+CSIMigrationAWS=true|false (BETA - 默认值=true)<br/>
+CSIMigrationAzureFile=true|false (BETA - 默认值=true)<br/>
+CSIMigrationGCE=true|false (BETA - 默认值=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - 默认值=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - 默认值=false)<br/>
 CSIMigrationvSphere=true|false (BETA - 默认值=false)<br/>
-CSIStorageCapacity=true|false (BETA - 默认值=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - 默认值=false)<br/>
-CSRDuration=true|false (BETA - 默认值=true)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
-ControllerManagerLeaderMigration=true|false (BETA - 默认值=true)<br/>
+CronJobTimeZone=true|false (ALPHA - 默认值=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - 默认值=false)<br/>
 DaemonSetUpdateSurge=true|false (BETA - 默认值=true)<br/>
-DefaultPodTopologySpread=true|false (BETA - 默认值=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (ALPHA - 默认值=false)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - 默认值=true)<br/>
 DevicePlugins=true|false (BETA - 默认值=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - 默认值=true)<br/>
 DisableCloudProviders=true|false (ALPHA - 默认值=false)<br/>
-DownwardAPIHugePages=true|false (BETA - 默认值=false)<br/>
-EfficientWatchResumption=true|false (BETA - 默认值=true)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
+DownwardAPIHugePages=true|false (BETA - 默认值=true)<br/>
 EndpointSliceTerminatingCondition=true|false (BETA - 默认值=true)<br/>
-EphemeralContainers=true|false (ALPHA - 默认值=false)<br/>
-ExpandCSIVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - 默认值=true)<br/>
+EphemeralContainers=true|false (BETA - 默认值=true)<br/>
 ExpandedDNSConfig=true|false (ALPHA - 默认值=false)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)<br/>
-GenericEphemeralVolume=true|false (BETA - 默认值=true)<br/>
+GRPCContainerProbe=true|false (BETA - 默认值=true)<br/>
 GracefulNodeShutdown=true|false (BETA - 默认值=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - 默认值=false)<br/>
 HPAScaleToZero=true|false (ALPHA - 默认值=false)<br/>
-IPv6DualStack=true|false (BETA - 默认值=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - 默认值=false)<br/>
+IdentifyPodOS=true|false (BETA - 默认值=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginGCEUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - 默认值=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - 默认值=false)<br/>
-IndexedJob=true|false (BETA - 默认值=true)<br/>
-IngressClassNamespacedParams=true|false (BETA - 默认值=true)<br/>
-JobTrackingWithFinalizers=true|false (ALPHA - 默认值=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
+JobMutableNodeSchedulingDirectives=true|false (BETA - 默认值=true)<br/>
+JobReadyPods=true|false (BETA - 默认值=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - 默认值=false)<br/>
+KubeletCredentialProviders=true|false (BETA - 默认值=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - 默认值=false)<br/>
 KubeletPodResources=true|false (BETA - 默认值=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - 默认值=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - 默认值=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)<br/>
 LogarithmicScaleDown=true|false (BETA - 默认值=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - 默认值=false)<br/>
 MemoryManager=true|false (BETA - 默认值=true)<br/>
 MemoryQoS=true|false (ALPHA - 默认值=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - 默认值=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - 默认值=false)<br/>
+MixedProtocolLBService=true|false (BETA - 默认值=true)<br/>
 NetworkPolicyEndPort=true|false (BETA - 默认值=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - 默认值=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - 默认值=false)<br/>
 NodeSwap=true|false (ALPHA - 默认值=false)<br/>
-NonPreemptingPriority=true|false (BETA - 默认值=true)<br/>
-PodAffinityNamespaceSelector=true|false (BETA - 默认值=true)<br/>
+OpenAPIEnums=true|false (BETA - 默认值=true)<br/>
+OpenAPIV3=true|false (BETA - 默认值=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值=false)<br/>
 PodDeletionCost=true|false (BETA - 默认值=true)<br/>
-PodOverhead=true|false (BETA - 默认值=true)<br/>
-PodSecurity=true|false (ALPHA - 默认值=false)<br/>
-PreferNominatedNode=true|false (BETA - 默认值=true)<br/>
+PodSecurity=true|false (BETA - 默认值=true)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - 默认值=false)<br/>
 ProcMountType=true|false (ALPHA - 默认值=false)<br/>
 ProxyTerminatingEndpoints=true|false (ALPHA - 默认值=false)<br/>
 QOSReserved=true|false (ALPHA - 默认值=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - 默认值=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值=false)<br/>
 RemainingItemCount=true|false (BETA - 默认值=true)<br/>
-RemoveSelfLink=true|false (BETA - 默认值=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - 默认值=true)<br/>
 SeccompDefault=true|false (ALPHA - 默认值=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - 默认值=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - 默认值=false)<br/>
 ServiceInternalTrafficPolicy=true|false (BETA - 默认值=true)<br/>
-ServiceLBNodePortControl=true|false (BETA - 默认值=true)<br/>
-ServiceLoadBalancerClass=true|false (BETA - 默认值=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - 默认值=true)<br/>
-StatefulSetMinReadySeconds=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - 默认值=true)<br/>
 StorageVersionAPI=true|false (ALPHA - 默认值=false)<br/>
 StorageVersionHash=true|false (BETA - 默认值=true)<br/>
-SuspendJob=true|false (BETA - 默认值=true)<br/>
-TTLAfterFinished=true|false (BETA - 默认值=true)<br/>
-TopologyAwareHints=true|false (ALPHA - 默认值=false)<br/>
+TopologyAwareHints=true|false (BETA - 默认值=true)<br/>
 TopologyManager=true|false (BETA - 默认值=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - 默认值=false)<br/>
 WinDSR=true|false (ALPHA - 默认值=false)<br/>
 WinOverlay=true|false (BETA - 默认值=true)<br/>
-WindowsHostProcessContainers=true|false (ALPHA - 默认值=false)
+WindowsHostProcessContainers=true|false (BETA - 默认值=true)
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
@@ -463,13 +460,12 @@ WindowsHostProcessContainers=true|false (ALPHA - 默认值=false)
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--  
-The IP address with port for the health check server to serve on 
-(set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). 
-Set empty to disable.
+The IP address with port for the health check server to serve on (set to '0.0.0.0:10256' for all IPv4 interfaces and '[::]:10256' for all IPv6 interfaces). Set empty to disable. This parameter is ignored if a config file is specified by --config.
 -->
 服务健康状态检查的 IP 地址和端口（设置为 '0.0.0.0:10256' 表示使用所有
 IPv4 接口，设置为 '[::]:10256' 表示使用所有 IPv6 接口）；
 设置为空则禁用。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
@@ -699,72 +695,62 @@ Path to kubeconfig file with authorization information (the master location is s
 </tr>
 
 <tr>
-<td colspan="2">--log-backtrace-at &lt;<!--a string in the form 'file:N'-->形式为 'file:N' 的字符串&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: :0</td>
+<td colspan="2">--log_backtrace_at &lt;<!--a string in the form 'file:N'-->“file:N” 格式的字符串&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
 when logging hits line file:N, emit a stack trace
 -->
-当日志逻辑执行到文件 file 的第 N 行时，输出调用堆栈跟踪。
+当日志命中 file:N，触发一次堆栈追踪
 </p></td>
-
 </tr>
 
 <tr>
-<td colspan="2">--log-dir string</td>
+<td colspan="2">--log_dir string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-If non-empty, write log files in this directory
--->
-若此标志费控，则将日志文件写入到此标志所给的目录下。
-</p>
-</td>
+<!-- If non-empty, write log files in this directory -->
+如果非空，则在此目录中写入日志文件
+</p></td>
 </tr>
 
 <tr>
-<td colspan="2">--log-file string</td>
+<td colspan="2">--log_file string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-If non-empty, use this log file
--->
-若此标志非空，则该字符串作为日志文件名。
+<!-- If non-empty, use this log file -->
+如果非空，使用此日志文件
 </p></td>
 </tr>
 
 <tr>
-<td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1800</td>
+<td colspan="2">--log_file_max_size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1800</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.
--->
-定义日志文件可增长到的最大尺寸。单位是兆字节（MB）。
-如果此值为 0，则最大文件大小无限制。
+<!-- Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum ile size is unlimited. -->
+定义日志文件可以增长到的最大大小。单位是兆字节。
+如果值为 0，则最大文件大小不受限制。
 </p></td>
 </tr>
 
-
 <tr>
-<td colspan="2">--log-flush-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：5s
-</td>
+<td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Maximum number of seconds between log flushes
--->
-两次日志刷新之间的最大秒数。
+<p>
+<!-- log to standard error instead of files -->
+日志输出到 stderr 而不是文件。
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--machine-id-file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："/etc/machine-id,/var/lib/dbus/machine-id"</td>
+<td colspan="2">--machine_id_file string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："/etc/machine-id,/var/lib/dbus/machine-id"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
@@ -809,13 +795,12 @@ Kubernetes API 服务器的地址（覆盖 kubeconfig 中的相关值）。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-The IP address with port for the metrics server to serve on 
-(set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces). 
-Set empty to disable.
+The IP address with port for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to disable. This parameter is ignored if a config file is specified by --config.
 -->
 metrics 服务器要使用的 IP 地址和端口
 （设置为 '0.0.0.0:10249' 则使用所有 IPv4 接口，设置为 '[::]:10249' 则使用所有 IPv6 接口）
 设置为空则禁用。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
@@ -826,25 +811,23 @@ metrics 服务器要使用的 IP 地址和端口
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.This parameter is ignored if a config file is specified by --config.
 -->
 一个字符串值，指定用于 NodePort 服务的地址。
 值可以是有效的 IP 块（例如 1.2.3.0/24, 1.2.3.4/32）。
 默认的空字符串切片（[]）表示使用所有本地地址。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--one-output</td>
+<td colspan="2">--one_output</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-If true, only write logs to their native severity level (vs also writing to each lower severity level)
--->
-若此标志为 true，则仅将日志写入到其原本的严重性级别之下
-（而不是将其写入到所有更低严重性级别中）。
+<!-- If true, only write logs to their native severity level (vs also writing to each lower severity level) -->
+如果为 true，则仅将日志写入本地的严重性级别（而不是写入每个较低的严重性级别）
 </p></td>
 </tr>
 
@@ -854,38 +837,68 @@ If true, only write logs to their native severity level (vs also writing to each
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]
+The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]. This parameter is ignored if a config file is specified by --config.
 -->
 kube-proxy 进程中的 oom-score-adj 值，必须在 [-1000,1000] 范围内。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
 
+<tr>
+<td colspan="2">--pod-bridge-interface string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+A bridge interface name in the cluster. Kube-proxy considers traffic as local if originating from an interface which matches the value. This argument should be set if DetectLocalMode is set to BridgeInterface.
+-->
+集群中的一个桥接接口名称。
+Kube-proxy 将来自与该值匹配的桥接接口的流量视为本地流量。
+如果 DetectLocalMode 设置为 BridgeInterface，则应设置该参数。
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--pod-interface-name-prefix string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+An interface prefix in the cluster. Kube-proxy considers traffic as local if originating from interfaces that match the given prefix. This argument should be set if DetectLocalMode is set to InterfaceNamePrefix.
+-->
+集群中的一个接口前缀。
+Kube-proxy 将来自与给定前缀匹配的接口的流量视为本地流量。
+如果 DetectLocalMode 设置为 InterfaceNamePrefix，则应设置该参数。
+</td>
+</tr>
+
 <tr>
 <td colspan="2">--profiling</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-If true enables profiling via web interface on /debug/pprof handler.
+If true enables profiling via web interface on /debug/pprof handler. This parameter is ignored if a config file is specified by --config.
 -->
 如果为 true，则通过 Web 接口 <code>/debug/pprof</code> 启用性能分析。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--proxy-mode string</td>
+<td colspan="2">--proxy-mode ProxyMode</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--
-Which proxy mode to use: 'userspace' (older) or 'iptables' (faster) or 'ipvs'. If blank, use the best-available proxy (currently iptables).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
+Which proxy mode to use: 'iptables' (Linux-only), 'ipvs' (Linux-only), 'kernelspace' (Windows-only), or 'userspace' (Linux/Windows, deprecated). The default value is 'iptables' on Linux and 'userspace' on Windows.This parameter is ignored if a config file is specified by --config.
 -->
-使用哪种代理模式：'userspace'（较旧）或 'iptables'（较快）或 'ipvs'。
-如果为空，使用最佳可用代理（当前为 iptables）。
-如果选择了 iptables 代理（无论是否为显式设置），但系统的内核或
-iptables 版本较低，总是会回退到 userspace 代理。
+使用哪种代理模式：'iptables'（仅 Linux）、'ipvs'（仅 Linux）、'kernelspace'（仅 Linux）
+或者 'userspace'（Linux/Windows, 已弃用）。
+Linux 系统上的默认值是 'iptables'，Windows 系统上的默认值是 'userspace'。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
@@ -911,38 +924,35 @@ Range of host ports (beginPort-endPort, single port or beginPort+offset, inclusi
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
 <!--  
-The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is &lt;major&gt;.&lt;minor&gt;, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that.
+The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is &lt;major&gt;.&lt;minor&gt;, e.g.: '1.16'. The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that.This parameter is ignored if a config file is specified by --config.
 -->
 要显示隐藏指标的先前版本。 
 仅先前的次要版本有意义，不允许其他值。
 格式为 &lt;major&gt;.&lt;minor&gt; ，例如：'1.16'。 
 这种格式的目的是确保你有机会注意到下一个发行版是否隐藏了其他指标，
 而不是在之后将其永久删除时感到惊讶。
+如果配置文件由 --config 指定，则忽略此参数。
 </p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--skip-headers</td>
+<td colspan="2">--skip_headers</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-If true, avoid header prefixes in the log messages
--->
-若此标志为 true，则避免在日志消息中包含头部前缀。
+<!-- If true, avoid header prefixes in the log messages -->
+如果为 true，则避免在日志消息中使用头部前缀
 </p></td>
 </tr>
 
 <tr>
-<td colspan="2">--skip-log-headers</td>
+<td colspan="2">--skip_log_headers</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-If true, avoid headers when opening log files
--->
-如果此标志为 true，则避免在打开日志文件时使用头部。
+<!-- If true, avoid headers when opening log files -->
+如果为 true，则在打开日志文件时避免使用头部
 </p></td>
 </tr>
 
@@ -951,10 +961,8 @@ If true, avoid headers when opening log files
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-logs at or above this threshold go to stderr
--->
-如果日志消息处于或者高于此阈值所设置的级别，则将其输出到标准错误输出（stderr）。
+<!-- logs at or above this threshold go to stderr -->
+设置严重程度达到或超过此阈值的日志输出到标准错误输出。
 </p></td>
 </tr>
 
@@ -977,10 +985,8 @@ How long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-number for the log level verbosity
--->
-用来设置日志详细程度的数值。
+<!-- number for the log level verbosity -->
+设置日志级别详细程度的数值。
 </p></td>
 </tr>
 
@@ -998,15 +1004,12 @@ Print version information and quit
 </tr>
 
 <tr>
-<td colspan="2">--vmodule &lt;<!--comma-separated 'pattern=N' settings-->逗号分隔的 'pattern=N' 设置’&gt;</td>
+<td colspan="2">--vmodule &lt;<!--comma-separated 'pattern=N' settings-->逗号分割的 “pattern=N” 设置&gt;</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
-<!--
-comma-separated list of pattern=N settings for file-filtered logging
--->
-用逗号分隔的列表，其中每一项为 'pattern=N' 格式。
-用来支持基于文件过滤的日志机制。
+<!-- comma-separated list of pattern=N settings for file-filtered logging -->
+以逗号分割的 pattern=N 设置的列表，用于文件过滤日志
 </p></td>
 </tr>
 
diff --git a/content/zh/docs/reference/command-line-tools-reference/kube-scheduler.md b/content/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler.md
similarity index 60%
rename from content/zh/docs/reference/command-line-tools-reference/kube-scheduler.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler.md
index dbb9eb3cfa211..28fb4f2a61bc0 100644
--- a/content/zh/docs/reference/command-line-tools-reference/kube-scheduler.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler.md
@@ -2,7 +2,6 @@
 title: kube-scheduler
 content_type: tool-reference
 weight: 30
-auto_generated: true
 ---
 <!-- 
 title: kube-scheduler
@@ -20,15 +19,15 @@ each Pod in the scheduling queue according to constraints and available
 resources. The scheduler then ranks each valid Node and binds the Pod to a
 suitable Node. Multiple different schedulers may be used within a cluster;
 kube-scheduler is the reference implementation.
-See [scheduling](/docs/concepts/scheduling-eviction/)
+See [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/)
 for more information about scheduling and the kube-scheduler component.
 -->
 Kubernetes 调度器是一个控制面进程，负责将 Pods 指派到节点上。
 调度器基于约束和可用资源为调度队列中每个 Pod 确定其可合法放置的节点。
 调度器之后对所有合法的节点进行排序，将 Pod 绑定到一个合适的节点。
 在同一个集群中可以使用多个不同的调度器；kube-scheduler 是其参考实现。
-参阅[调度](/zh/docs/concepts/scheduling-eviction/)
-以获得关于调度和 kube-scheduler 组件的更多信息。
+参阅[调度](/zh/docs/concepts/scheduling-eviction/)以获得关于调度和
+kube-scheduler 组件的更多信息。
 
 ```
 kube-scheduler [flags]
@@ -44,71 +43,23 @@ kube-scheduler [flags]
 </colgroup>
 <tbody>
 
-<tr>
-<td colspan="2">--add-dir-header</td>
-</tr>
-<tr><td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- 
-If true, adds the file directory to the header of the log messages
--->
-如果为 true，则将文件目录添加到日志消息的头部
-</td>
-</tr>
-
-<tr><td colspan="2">--address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："0.0.0.0"</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- 
-DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 or :: for listening in all interfaces and IP families). See --bind-address instead. This parameter is ignored if a config file is specified in --config.
--->
-已弃用： 要监听 --port 端口的 IP 地址（将其设置为 0.0.0.0 或者 :: 用于监听所有接口和 IP族）。 
-请参阅 --bind-address。
-如果在 --config 中指定了一个配置文件，这个参数将被忽略。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--algorithm-provider string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-DEPRECATED: the scheduling algorithm provider to use, this sets the default plugins for component config profiles. Choose one of: ClusterAutoscalerProvider | DefaultProvider
--->
-已弃用： 要使用的调度算法驱动，此标志设置组件配置框架的默认插件。
-可选值：ClusterAutoscalerProvider | DefaultProvider
-</td>
-</tr>
 
 <tr>
 <td colspan="2">--allow-metric-labels stringToString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-<!--Default-->默认值： []</td>
+<!--Default-->默认值：[]</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 The map from metric-label to value allow-list of this label. The key's format is &lt;MetricName&gt;,&lt;LabelName&gt;. The value's format is &lt;allowed_value&gt;,&lt;allowed_value&gt;...e.g. metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'.
 -->
-这个键值映射表设置 度量标签 所允许设置的值。
+这个键值映射表设置度量标签所允许设置的值。
 其中键的格式是 &lt;MetricName&gt;,&lt;LabelName&gt;。
 值的格式是 &lt;allowed_value&gt;,&lt;allowed_value&gt;。
 例如：metric1,label1='v1,v2,v3', metric1,label2='v1,v2,v3' metric2,label1='v1,v2,v3'。
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--alsologtostderr</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-log to standard error as well as files
--->
-日志记录到标准错误以及文件
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--authentication-kubeconfig string</td>
 </tr>
@@ -168,7 +119,7 @@ If true, failures to look up missing authentication configuration from the clust
 <!--
 A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.
 -->
-在授权过程中跳过的 HTTP 路径列表，即在不联系 'core'  kubernetes 服务器的情况下被授权的 HTTP 路径。
+在授权过程中跳过的 HTTP 路径列表，即在不联系 “core” kubernetes 服务器的情况下被授权的 HTTP 路径。
 </td>
 </tr>
 
@@ -194,7 +145,7 @@ Kubernetes 核心服务器的 kubeconfig 文件。这是可选的。
 <!--
 The duration to cache 'authorized' responses from the webhook authorizer.
 -->
-缓存来自 Webhook 授权者的 'authorized' 响应的持续时间。
+缓存来自 Webhook 授权者的 “authorized” 响应的持续时间。
 </td>
 </tr>
 
@@ -206,7 +157,7 @@ The duration to cache 'authorized' responses from the webhook authorizer.
 <!--
 The duration to cache 'unauthorized' responses from the webhook authorizer.
 -->
-缓存来自 Webhook 授权者的 'unauthorized' 响应的持续时间。
+缓存来自 Webhook 授权者的 “unauthorized” 响应的持续时间。
 </td>
 </tr>
 
@@ -232,7 +183,7 @@ The IP address on which to listen for the --secure-port port. The associated int
 -->
 监听 --secure-port 端口的 IP 地址。
 集群的其余部分以及 CLI/ Web 客户端必须可以访问关联的接口。
-如果为空，将使用所有接口（0.0.0.0 表示使用所有 IPv4 接口，"::" 表示使用所有 IPv6 接口）。
+如果为空，将使用所有接口（0.0.0.0 表示使用所有 IPv4 接口，“::” 表示使用所有 IPv6 接口）。
 如果为空或未指定地址 (0.0.0.0 或 ::)，所有接口将被使用。
 </td>
 </tr>
@@ -269,22 +220,14 @@ If set, any request presenting a client certificate signed by one of the authori
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path to the configuration file. The following flags can overwrite fields in this file:<br/>
---algorithm-provider<br/>
---policy-config-file<br/>
---policy-configmap<br/>
---policy-configmap-namespace
+The path to the configuration file. 
 -->
-配置文件的路径。以下标志会覆盖此文件中的值：<br/>
---algorithm-provider<br/>
---policy-config-file<br/>
---policy-configmap<br/>
---policy-configmap-namespace
+配置文件的路径。
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--contention-profiling&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default-->默认值: true</td>
+<td colspan="2">--contention-profiling&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default-->默认值：true</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -309,19 +252,6 @@ This flag provides an escape hatch for misbehaving metrics. You must provide the
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--experimental-logging-sanitization</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).<br/>Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.
--->
-[试验性功能] 当启用此标志时，标记为敏感的字段（密码、密钥、令牌）等不会被日志
-输出。<br/>
-运行时的日志清理操作可能引入相当程度的计算开销，因此不应在生产环境中启用。
-</td>
-</tr>
 
 <tr>
 <td colspan="2">--feature-gates &lt;<!--comma-separated 'key=True|False' pairs-->逗号分隔的 'key=True|False' 对&gt;</td>
@@ -334,213 +264,204 @@ APIListChunking=true|false (BETA - default=true)<br/>
 APIPriorityAndFairness=true|false (BETA - default=true)<br/>
 APIResponseCompression=true|false (BETA - default=true)<br/>
 APIServerIdentity=true|false (ALPHA - default=false)<br/>
+APIServerTracing=true|false (ALPHA - default=false)<br/>
 AllAlpha=true|false (ALPHA - default=false)<br/>
 AllBeta=true|false (BETA - default=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - default=false)<br/>
+AnyVolumeDataSource=true|false (BETA - default=true)<br/>
 AppArmor=true|false (BETA - default=true)<br/>
-BalanceAttachedNodeVolumes=true|false (ALPHA - default=false)<br/>
-BoundServiceAccountTokenVolume=true|false (BETA - default=true)<br/>
 CPUManager=true|false (BETA - default=true)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
+CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>
 CSIInlineVolume=true|false (BETA - default=true)<br/>
 CSIMigration=true|false (BETA - default=true)<br/>
 CSIMigrationAWS=true|false (BETA - default=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - default=false)<br/>
 CSIMigrationAzureFile=true|false (BETA - default=false)<br/>
-CSIMigrationGCE=true|false (BETA - default=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - default=true)<br/>
+CSIMigrationGCE=true|false (BETA - default=true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>
+CSIMigrationRBD=true|false (ALPHA - default=false)<br/>
 CSIMigrationvSphere=true|false (BETA - default=false)<br/>
-CSIMigrationvSphereComplete=true|false (BETA - default=false)<br/>
-CSIServiceAccountToken=true|false (BETA - default=true)<br/>
-CSIStorageCapacity=true|false (BETA - default=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - default=true)<br/>
 CSIVolumeHealth=true|false (ALPHA - default=false)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - default=true)<br/>
-ControllerManagerLeaderMigration=true|false (ALPHA - default=false)<br/>
-CronJobControllerV2=true|false (BETA - default=true)<br/>
+ContextualLogging=true|false (ALPHA - default=false)<br/>
+CronJobTimeZone=true|false (ALPHA - default=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>
-DaemonSetUpdateSurge=true|false (ALPHA - default=false)<br/>
-DefaultPodTopologySpread=true|false (BETA - default=true)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>
+DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>
 DevicePlugins=true|false (BETA - default=true)<br/>
 DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>
-DownwardAPIHugePages=true|false (BETA - default=false)<br/>
-DynamicKubeletConfig=true|false (BETA - default=true)<br/>
-EfficientWatchResumption=true|false (BETA - default=true)<br/>
-EndpointSliceProxying=true|false (BETA - default=true)<br/>
-EndpointSliceTerminatingCondition=true|false (ALPHA - default=false)<br/>
-EphemeralContainers=true|false (ALPHA - default=false)<br/>
-ExpandCSIVolumes=true|false (BETA - default=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - default=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - default=true)<br/>
+DisableCloudProviders=true|false (ALPHA - default=false)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>
+DownwardAPIHugePages=true|false (BETA - default=true)<br/>
+EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>
+EphemeralContainers=true|false (BETA - default=true)<br/>
+ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>
-GenericEphemeralVolume=true|false (BETA - default=true)<br/>
+GRPCContainerProbe=true|false (BETA - default=true)<br/>
 GracefulNodeShutdown=true|false (BETA - default=true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - default=false)<br/>
 HPAScaleToZero=true|false (ALPHA - default=false)<br/>
-HugePageStorageMediumSize=true|false (BETA - default=true)<br/>
-IPv6DualStack=true|false (BETA - default=true)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>
+IdentifyPodOS=true|false (BETA - default=true)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginGCEUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginOpenStackUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>
-IndexedJob=true|false (ALPHA - default=false)<br/>
-IngressClassNamespacedParams=true|false (ALPHA - default=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - default=false)<br/>
+obMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>
+JobReadyPods=true|false (BETA - default=true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>
+KubeletCredentialProviders=true|false (BETA - default=true)<br/>
+KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>
 KubeletPodResources=true|false (BETA - default=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - default=false)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>
-LogarithmicScaleDown=true|false (ALPHA - default=false)<br/>
-MemoryManager=true|false (ALPHA - default=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - default=false)<br/>
-NamespaceDefaultLabelName=true|false (BETA - default=true)<br/>
-NetworkPolicyEndPort=true|false (ALPHA - default=false)<br/>
-NonPreemptingPriority=true|false (BETA - default=true)<br/>
-PodAffinityNamespaceSelector=true|false (ALPHA - default=false)<br/>
-PodDeletionCost=true|false (ALPHA - default=false)<br/>
-PodOverhead=true|false (BETA - default=true)<br/>
-PreferNominatedNode=true|false (ALPHA - default=false)<br/>
-ProbeTerminationGracePeriod=true|false (ALPHA - default=false)<br/>
+LogarithmicScaleDown=true|false (BETA - default=true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>
+MemoryManager=true|false (BETA - default=true)<br/>
+MemoryQoS=true|false (ALPHA - default=false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>
+MixedProtocolLBService=true|false (BETA - default=true)<br/>
+NetworkPolicyEndPort=true|false (BETA - default=true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>
+NodeSwap=true|false (ALPHA - default=false)<br/>
+OpenAPIEnums=true|false (BETA - default=true)<br/>
+OpenAPIV3=true|false (BETA - default=true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>
+PodDeletionCost=true|false (BETA - default=true)<br/>
+PodSecurity=true|false (BETA - default=true)<br/>
+ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>
 ProcMountType=true|false (ALPHA - default=false)<br/>
+ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>
 QOSReserved=true|false (ALPHA - default=false)<br/>
+ReadWriteOncePod=true|false (ALPHA - default=false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>
 RemainingItemCount=true|false (BETA - default=true)<br/>
-RemoveSelfLink=true|false (BETA - default=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>
-ServerSideApply=true|false (BETA - default=true)<br/>
-ServiceInternalTrafficPolicy=true|false (ALPHA - default=false)<br/>
-ServiceLBNodePortControl=true|false (ALPHA - default=false)<br/>
-ServiceLoadBalancerClass=true|false (ALPHA - default=false)<br/>
-ServiceTopology=true|false (ALPHA - default=false)<br/>
-SetHostnameAsFQDN=true|false (BETA - default=true)<br/>
-SizeMemoryBackedVolumes=true|false (ALPHA - default=false)<br/>
+SeccompDefault=true|false (ALPHA - default=false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>
+ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>
+SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>
 StorageVersionAPI=true|false (ALPHA - default=false)<br/>
 StorageVersionHash=true|false (BETA - default=true)<br/>
-SuspendJob=true|false (ALPHA - default=false)<br/>
-TTLAfterFinished=true|false (BETA - default=true)<br/>
-TopologyAwareHints=true|false (ALPHA - default=false)<br/>
+TopologyAwareHints=true|false (BETA - default=true)<br/>
 TopologyManager=true|false (BETA - default=true)<br/>
-ValidateProxyRedirects=true|false (BETA - default=true)<br/>
 VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>
-WarningHeaders=true|false (BETA - default=true)<br/>
 WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
-WindowsEndpointSliceProxying=true|false (BETA - default=true)
+WindowsHostProcessContainers=true|false (BETA - default=true)
 -->
 一组 key=value 对，描述了 alpha/experimental 特征开关。选项包括：<br/>
-A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br/>
-APIListChunking=true|false (BETA - 默认值=true)<br/>
-APIPriorityAndFairness=true|false (BETA - 默认值=true)<br/>
-APIResponseCompression=true|false (BETA - 默认值=true)<br/>
-APIServerIdentity=true|false (ALPHA - 默认值=false)<br/>
-AllAlpha=true|false (ALPHA - 默认值=false)<br/>
-AllBeta=true|false (BETA - 默认值=false)<br/>
-AnyVolumeDataSource=true|false (ALPHA - 默认值=false)<br/>
-AppArmor=true|false (BETA - 默认值=true)<br/>
-BalanceAttachedNodeVolumes=true|false (ALPHA - 默认值=false)<br/>
-BoundServiceAccountTokenVolume=true|false (BETA - 默认值=true)<br/>
-CPUManager=true|false (BETA - 默认值=true)<br/>
-CSIInlineVolume=true|false (BETA - 默认值=true)<br/>
-CSIMigration=true|false (BETA - 默认值=true)<br/>
-CSIMigrationAWS=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureDisk=true|false (BETA - 默认值=false)<br/>
-CSIMigrationAzureFile=true|false (BETA - 默认值=false)<br/>
-CSIMigrationGCE=true|false (BETA - 默认值=false)<br/>
-CSIMigrationOpenStack=true|false (BETA - 默认值=true)<br/>
-CSIMigrationvSphere=true|false (BETA - 默认值=false)<br/>
-CSIMigrationvSphereComplete=true|false (BETA - 默认值=false)<br/>
-CSIServiceAccountToken=true|false (BETA - 默认值=true)<br/>
-CSIStorageCapacity=true|false (BETA - 默认值=true)<br/>
-CSIVolumeFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
-CSIVolumeHealth=true|false (ALPHA - 默认值=false)<br/>
-ConfigurableFSGroupPolicy=true|false (BETA - 默认值=true)<br/>
-ControllerManagerLeaderMigration=true|false (ALPHA - 默认值=false)<br/>
-CronJobControllerV2=true|false (BETA - 默认值=true)<br/>
-CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)<br/>
-DaemonSetUpdateSurge=true|false (ALPHA - 默认值=false)<br/>
-DefaultPodTopologySpread=true|false (BETA - 默认值=true)<br/>
-DevicePlugins=true|false (BETA - 默认值=true)<br/>
-DisableAcceleratorUsageMetrics=true|false (BETA - 默认值=true)<br/>
-DownwardAPIHugePages=true|false (BETA - 默认值=false)<br/>
-DynamicKubeletConfig=true|false (BETA - 默认值=true)<br/>
-EfficientWatchResumption=true|false (BETA - 默认值=true)<br/>
-EndpointSliceProxying=true|false (BETA - 默认值=true)<br/>
-EndpointSliceTerminatingCondition=true|false (ALPHA - 默认值=false)<br/>
-EphemeralContainers=true|false (ALPHA - 默认值=false)<br/>
-ExpandCSIVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandInUsePersistentVolumes=true|false (BETA - 默认值=true)<br/>
-ExpandPersistentVolumes=true|false (BETA - 默认值=true)<br/>
-ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)<br/>
-GenericEphemeralVolume=true|false (BETA - 默认值=true)<br/>
-GracefulNodeShutdown=true|false (BETA - 默认值=true)<br/>
-HPAContainerMetrics=true|false (ALPHA - 默认值=false)<br/>
-HPAScaleToZero=true|false (ALPHA - 默认值=false)<br/>
-HugePageStorageMediumSize=true|false (BETA - 默认值=true)<br/>
-IPv6DualStack=true|false (BETA - 默认值=true)<br/>
-InTreePluginAWSUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginGCEUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginOpenStackUnregister=true|false (ALPHA - 默认值=false)<br/>
-InTreePluginvSphereUnregister=true|false (ALPHA - 默认值=false)<br/>
-IndexedJob=true|false (ALPHA - 默认值=false)<br/>
-IngressClassNamespacedParams=true|false (ALPHA - 默认值=false)<br/>
-KubeletCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
-KubeletPodResources=true|false (BETA - 默认值=true)<br/>
-KubeletPodResourcesGetAllocatable=true|false (ALPHA - 默认值=false)<br/>
-LocalStorageCapacityIsolation=true|false (BETA - 默认值=true)<br/>
-LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)<br/>
-LogarithmicScaleDown=true|false (ALPHA - 默认值=false)<br/>
-MemoryManager=true|false (ALPHA - 默认值=false)<br/>
-MixedProtocolLBService=true|false (ALPHA - 默认值=false)<br/>
-NamespaceDefaultLabelName=true|false (BETA - 默认值=true)<br/>
-NetworkPolicyEndPort=true|false (ALPHA - 默认值=false)<br/>
-NonPreemptingPriority=true|false (BETA - 默认值=true)<br/>
-PodAffinityNamespaceSelector=true|false (ALPHA - 默认值=false)<br/>
-PodDeletionCost=true|false (ALPHA - 默认值=false)<br/>
-PodOverhead=true|false (BETA - 默认值=true)<br/>
-PreferNominatedNode=true|false (ALPHA - 默认值=false)<br/>
-ProbeTerminationGracePeriod=true|false (ALPHA - 默认值=false)<br/>
-ProcMountType=true|false (ALPHA - 默认值=false)<br/>
-QOSReserved=true|false (ALPHA - 默认值=false)<br/>
-RemainingItemCount=true|false (BETA - 默认值=true)<br/>
-RemoveSelfLink=true|false (BETA - 默认值=true)<br/>
-RotateKubeletServerCertificate=true|false (BETA - 默认值=true)<br/>
-ServerSideApply=true|false (BETA - 默认值=true)<br/>
-ServiceInternalTrafficPolicy=true|false (ALPHA - 默认值=false)<br/>
-ServiceLBNodePortControl=true|false (ALPHA - 默认值=false)<br/>
-ServiceLoadBalancerClass=true|false (ALPHA - 默认值=false)<br/>
-ServiceTopology=true|false (ALPHA - 默认值=false)<br/>
-SetHostnameAsFQDN=true|false (BETA - 默认值=true)<br/>
-SizeMemoryBackedVolumes=true|false (ALPHA - 默认值=false)<br/>
-StorageVersionAPI=true|false (ALPHA - 默认值=false)<br/>
-StorageVersionHash=true|false (BETA - 默认值=true)<br/>
-SuspendJob=true|false (ALPHA - 默认值=false)<br/>
-TTLAfterFinished=true|false (BETA - 默认值=true)<br/>
-TopologyAwareHints=true|false (ALPHA - 默认值=false)<br/>
-TopologyManager=true|false (BETA - 默认值=true)<br/>
-ValidateProxyRedirects=true|false (BETA - 默认值=true)<br/>
-VolumeCapacityPriority=true|false (ALPHA - 默认值=false)<br/>
-WarningHeaders=true|false (BETA - 默认值=true)<br/>
-WinDSR=true|false (ALPHA - 默认值=false)<br/>
-WinOverlay=true|false (BETA - 默认值=true)<br/>
-WindowsEndpointSliceProxying=true|false (BETA - 默认值=true)
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--hard-pod-affinity-symmetric-weight int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-DEPRECATED: RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. --hard-pod-affinity-symmetric-weight represents the weight of implicit PreferredDuringScheduling affinity rule. Must be in the range 0-100.This parameter is ignored if a config file is specified in --config.
--->
-已弃用: RequiredDuringScheduling 亲和性是不对称的，但是存在与每个
-RequiredDuringScheduling 关联性规则相对应的隐式 PreferredDuringScheduling 关联性规则。
-<code>--hard-pod-affinity-symmetric-weight</code> 代表隐式 PreferredDuringScheduling
-关联性规则的权重。权重必须在 0-100 范围内。
-如果 --config 指定了一个配置文件，那么这个参数将被忽略。
+APIListChunking=true|false (BETA - 默认值为 true)<br/>
+APIPriorityAndFairness=true|false (BETA - 默认值为 true)<br/>
+APIResponseCompression=true|false (BETA - 默认值为 true)<br/>
+APIServerIdentity=true|false (ALPHA - 默认值为 false)<br/>
+APIServerTracing=true|false (ALPHA - 默认值为 false)<br/>
+AllAlpha=true|false (ALPHA - 默认值为 false)<br/>
+AllBeta=true|false (BETA - 默认值为 false)<br/>
+AnyVolumeDataSource=true|false (BETA - 默认值为 true)<br/>
+AppArmor=true|false (BETA - 默认值为 true)<br/>
+CPUManager=true|false (BETA - 默认值为 true)<br/>
+CPUManagerPolicyAlphaOptions=true|false (ALPHA - 默认值为 false)<br/>
+CPUManagerPolicyBetaOptions=true|false (BETA - 默认值为 true)<br/>
+CPUManagerPolicyOptions=true|false (BETA - 默认值为 true)<br/>
+CSIInlineVolume=true|false (BETA - 默认值为 true)<br/>
+CSIMigration=true|false (BETA - 默认值为 true)<br/>
+CSIMigrationAWS=true|false (BETA - 默认值为 false)<br/>
+CSIMigrationAzureFile=true|false (BETA - 默认值为 false)<br/>
+CSIMigrationGCE=true|false (BETA - 默认值为 true)<br/>
+CSIMigrationPortworx=true|false (ALPHA - 默认值为 false)<br/>
+CSIMigrationRBD=true|false (ALPHA - 默认值为 false)<br/>
+CSIMigrationvSphere=true|false (BETA - 默认值为 false)<br/>
+CSIVolumeHealth=true|false (ALPHA - 默认值为 false)<br/>
+ContextualLogging=true|false (ALPHA - 默认值为 false)<br/>
+CronJobTimeZone=true|false (ALPHA - 默认值为 false)<br/>
+CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值为 false)<br/>
+CustomResourceValidationExpressions=true|false (ALPHA - 默认值为 false)<br/>
+DaemonSetUpdateSurge=true|false (BETA - 默认值为 true)<br/>
+DelegateFSGroupToCSIDriver=true|false (BETA - 默认值为 true)<br/>
+DevicePlugins=true|false (BETA - 默认值为 true)<br/>
+DisableAcceleratorUsageMetrics=true|false (BETA - 默认值为 true)<br/>
+DisableCloudProviders=true|false (ALPHA - 默认值为 false)<br/>
+DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值为 false)<br/>
+DownwardAPIHugePages=true|false (BETA - 默认值为 true)<br/>
+EndpointSliceTerminatingCondition=true|false (BETA - 默认值为 true)<br/>
+EphemeralContainers=true|false (BETA - 默认值为 true)<br/>
+ExpandedDNSConfig=true|false (ALPHA - 默认值为 false)<br/>
+ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值为 false)<br/>
+GRPCContainerProbe=true|false (BETA - 默认值为 true)<br/>
+GracefulNodeShutdown=true|false (BETA - 默认值为 true)<br/>
+GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值为 true)<br/>
+HPAContainerMetrics=true|false (ALPHA - 默认值为 false)<br/>
+HPAScaleToZero=true|false (ALPHA - 默认值为 false)<br/>
+HonorPVReclaimPolicy=true|false (ALPHA - 默认值为 false)<br/>
+IdentifyPodOS=true|false (BETA - 默认值为 true)<br/>
+InTreePluginAWSUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginGCEUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginOpenStackUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginPortworxUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginRBDUnregister=true|false (ALPHA - 默认值为 false)<br/>
+InTreePluginvSphereUnregister=true|false (ALPHA - 默认值为 false)<br/>
+obMutableNodeSchedulingDirectives=true|false (BETA - 默认值为 true)<br/>
+JobReadyPods=true|false (BETA - 默认值为 true)<br/>
+JobTrackingWithFinalizers=true|false (BETA - 默认值为 false)<br/>
+KubeletCredentialProviders=true|false (BETA - 默认值为 true)<br/>
+KubeletInUserNamespace=true|false (ALPHA - 默认值为 false)<br/>
+KubeletPodResources=true|false (BETA - 默认值为 true)<br/>
+KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值为 true)<br/>
+LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - 默认值为 true)<br/>
+LocalStorageCapacityIsolation=true|false (BETA - 默认值为 true)<br/>
+LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值为 false)<br/>
+LogarithmicScaleDown=true|false (BETA - 默认值为 true)<br/>
+MaxUnavailableStatefulSet=true|false (ALPHA - 默认值为 false)<br/>
+MemoryManager=true|false (BETA - 默认值为 true)<br/>
+MemoryQoS=true|false (ALPHA - 默认值为 false)<br/>
+MinDomainsInPodTopologySpread=true|false (ALPHA - 默认值为 false)<br/>
+MixedProtocolLBService=true|false (BETA - 默认值为 true)<br/>
+NetworkPolicyEndPort=true|false (BETA - 默认值为 true)<br/>
+NetworkPolicyStatus=true|false (ALPHA - 默认值为 false)<br/>
+NodeOutOfServiceVolumeDetach=true|false (ALPHA - 默认值为 false)<br/>
+NodeSwap=true|false (ALPHA - 默认值为 false)<br/>
+OpenAPIEnums=true|false (BETA - 默认值为 true)<br/>
+OpenAPIV3=true|false (BETA - 默认值为 true)<br/>
+PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值为 false)<br/>
+PodDeletionCost=true|false (BETA - 默认值为 true)<br/>
+PodSecurity=true|false (BETA - 默认值为 true)<br/>
+ProbeTerminationGracePeriod=true|false (BETA - 默认值为 false)<br/>
+ProcMountType=true|false (ALPHA - 默认值为 false)<br/>
+ProxyTerminatingEndpoints=true|false (ALPHA - 默认值为 false)<br/>
+QOSReserved=true|false (ALPHA - 默认值为 false)<br/>
+ReadWriteOncePod=true|false (ALPHA - 默认值为 false)<br/>
+RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值为 false)<br/>
+RemainingItemCount=true|false (BETA - 默认值为 true)<br/>
+RotateKubeletServerCertificate=true|false (BETA - 默认值为 true)<br/>
+SeccompDefault=true|false (ALPHA - 默认值为 false)<br/>
+ServerSideFieldValidation=true|false (ALPHA - 默认值为 false)<br/>
+ServiceIPStaticSubrange=true|false (ALPHA - 默认值为 false)<br/>
+ServiceInternalTrafficPolicy=true|false (BETA - 默认值为 true)<br/>
+SizeMemoryBackedVolumes=true|false (BETA - 默认值为 true)<br/>
+StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值为 false)<br/>
+StatefulSetMinReadySeconds=true|false (BETA - 默认值为 true)<br/>
+StorageVersionAPI=true|false (ALPHA - 默认值为 false)<br/>
+StorageVersionHash=true|false (BETA - 默认值为 true)<br/>
+TopologyAwareHints=true|false (BETA - 默认值为 true)<br/>
+TopologyManager=true|false (BETA - 默认值为 true)<br/>
+VolumeCapacityPriority=true|false (ALPHA - 默认值为 false)<br/>
+WinDSR=true|false (ALPHA - 默认值为 false)<br/>
+WinOverlay=true|false (BETA - 默认值为 true)<br/>
+WindowsHostProcessContainers=true|false (BETA - 默认值为 true)
 </td>
 </tr>
 
@@ -595,7 +516,7 @@ DEPRECATED: content type of requests sent to apiserver. This parameter is ignore
 </tr>
 
 <tr>
-<td colspan="2">--kube-api-qps float32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：50</td>
+<td colspan="2">--kube-api-qps float&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：50</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -666,10 +587,9 @@ The interval between attempts by the acting master to renew a leadership slot be
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The type of resource object that is used for locking during leader election. Supported options are 'endpoints', 'configmaps', 'leases', 'endpointsleases' and 'configmapsleases'.
+The type of resource object that is used for locking during leader election. Supported options are 'leases', 'endpointsleases' and 'configmapsleases'.
 -->
-在领导者选举期间用于锁定的资源对象的类型。支持的选项是 `endpoints`、
-`configmaps`、`leases`、`endpointleases` 和 `configmapsleases`。
+在领导者选举期间用于锁定的资源对象的类型。支持的选项有 `leases`、`endpointleases` 和 `configmapsleases`。
 </td>
 </tr>
 
@@ -736,55 +656,6 @@ DEPRECATED: define the namespace of the lock object. Will be removed in favor of
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--log-backtrace-at &lt;a string in the form 'file:N'&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-<!--Default:-->默认值: 0</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-when logging hits line file:N, emit a stack trace
--->
-当记录命中行文件 <code>file</code> 的第 <code>N</code> 行时输出堆栈跟踪。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, write log files in this directory
--->
-如果为非空，则在此目录中写入日志文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, use this log file
--->
-如果为非空，则使用此文件作为日志文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：1800</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.
--->
-定义日志文件可以增长到的最大值。单位为兆字节。
-如果值为 0，则最大文件大小为无限制。
-</td>
-</tr>
 
 <tr>
 <td colspan="2">--log-flush-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：5s</td>
@@ -804,19 +675,19 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Sets the log format. Permitted formats: &quot;json&quot;, &quot;text&quot;.<br/>
+Sets the log format. Permitted formats: &quot;text&quot;.<br/>
 Non-default formats don't honor these flags: --add-dir-header, --alsologtostderr, --log-backtrace-at, 
 --log-dir, --log-file, --log-file-max-size, 
 --logtostderr, --one-output, --skip-headers, --skip-log-headers, 
---stderrthreshold, --vmodule, --log-flush-frequency.<br/>
+--stderrthreshold, --vmodule.<br/>
 Non-default choices are currently alpha and subject to change without warning.
 -->
-设置日志格式。可选格式：“json”，“text”。<br/>
+设置日志格式。可选格式：“text”。<br/>
 采用非默认格式时，以下标识不会生效：
 --add-dir-header, --alsologtostderr, --log-backtrace-at, 
 --log-dir, --log-file, --log-file-max-size, 
 --logtostderr, --one-output, --skip-headers, --skip-log-headers, 
---stderrthreshold, --vmodule, --log-flush-frequency.<br/>
+--stderrthreshold, --vmodule.<br/>
 非默认选项目前处于 Alpha 阶段，有可能会出现变更且无事先警告。
 </td>
 </tr>
@@ -845,18 +716,6 @@ Kubernetes API 服务器的地址（覆盖 kubeconfig 中的任何值）。
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--one-output</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, only write logs to their native severity level (vs also writing to each lower severity level)
--->
-若此标志为 true，则日志仅写入其自身的严重性级别，而不会写入所有较低严重性级别。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--permit-address-sharing</td>
 </tr>
@@ -868,7 +727,7 @@ If true, SO_REUSEADDR will be used when binding the port. This allows binding to
 如果为 true，在绑定端口时将使用 SO_REUSEADDR。
 这将允许同时绑定诸如 0.0.0.0 这类通配符 IP和特定 IP，
 并且它避免等待内核释放处于 TIME_WAIT 状态的套接字。
-默认值： false
+默认值：false
 </td>
 </tr>
 
@@ -881,69 +740,30 @@ If true, SO_REUSEADDR will be used when binding the port. This allows binding to
 If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]
 -->
 如果此标志为 true，在绑定端口时会使用 SO_REUSEPORT，从而允许不止一个
-实例绑定到同一地址和端口。 
+实例绑定到同一地址和端口。
 默认值：false
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--policy-config-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-DEPRECATED: file with scheduler policy configuration. This file is used if policy ConfigMap is not provided or --use-legacy-policy-config=true. Note: The scheduler will fail if this is combined with Plugin configs
--->
-已弃用：包含调度器策略配置的文件。
-当策略 ConfigMap 为提供时，或者 <code>--use-legacy-policy-config=true</code> 时使用此文件。
-注意：当此标志与插件配置一起使用时，调度器会失败。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--policy-configmap string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-DEPRECATED: name of the ConfigMap object that contains scheduler's policy configuration. It must exist in the system namespace before scheduler initialization if --use-legacy-policy-config=false. The config must be provided as the value of an element in 'Data' map with the key='policy.cfg'. Note: The scheduler will fail if this is combined with Plugin configs
--->
-已弃用: 包含调度器策略配置的 ConfigMap 对象的名称。
-如果 --use-legacy-policy-config=false，则它必须在调度器初始化之前存在于
-系统命名空间中。配置数据必须对应 'data' 映射中键名为 'policy.cfg' 的元素的值。
-注意：如果与插件配置一起使用，调度器会失败。
-</td>
-</tr>
 
-<tr>
-<td colspan="2">--policy-configmap-namespace string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："kube-system"</td>
+<td colspan="2">--pod-max-in-unschedulable-pods-duration duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：5m0s</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-DEPRECATED: the namespace where policy ConfigMap is located. The kube-system namespace will be used if this is not provided or is empty. Note: The scheduler will fail if this is combined with Plugin configs
+DEPRECATED: the maximum time a pod can stay in unschedulablePods. If a pod stays in unschedulablePods for longer than this value, the pod will be moved from unschedulablePods to backoffQ or activeQ. This flag is deprecated and will be removed in 1.2.
 -->
-已弃用: 策略 ConfigMap 所在的名字空间。如果未提供或为空，则将使用 kube-system 名字空间。
-注意：如果与插件配置一起使用，调度器会失败。
-</td>
-</tr>
+已弃用：Pod 可以在 unschedulablePods 中停留的最长时间。
+如果 Pod 在 unschedulablePods 中停留的时间超过此值，则该 pod 将被从
+unschedulablePods 移动到 backoffQ 或 activeQ。
+此标志已弃用，将在 1.2 中删除。
 
-<tr>
-<td colspan="2">--port int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：10251</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve plain HTTP at all. See --secure-port instead. This parameter is ignored if a config file is specified in --config.
--->
-已弃用： 在没有身份验证和鉴权的情况下不安全地为 HTTP 服务的端口。
-如果为 0，则根本不提供 HTTP。请参见 --secure-port。
-如果 --config 指定了一个配置文件，这个参数将被忽略。
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--profiling&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值： true</td>
+<td colspan="2">--profiling&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -986,7 +806,7 @@ Root certificate bundle to use to verify client certificates on incoming request
 
 <tr>
 <td colspan="2">--requestheader-extra-headers-prefix strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-<!--Default:-->默认值: "x-remote-extra-"</td>
+<!--Default:-->默认值："x-remote-extra-"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -999,7 +819,7 @@ List of request header prefixes to inspect. X-Remote-Extra- is suggested.
 
 <tr>
 <td colspan="2">--requestheader-group-headers strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-<!--Default:-->默认值: "x-remote-group"</td>
+<!--Default:-->默认值："x-remote-group"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -1012,7 +832,7 @@ List of request headers to inspect for groups. X-Remote-Group is suggested.
 
 <tr>
 <td colspan="2">--requestheader-username-headers strings&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-<!--Default:-->默认值: "x-remote-user"</td>
+<!--Default:-->默认值："x-remote-user"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -1023,21 +843,6 @@ List of request headers to inspect for usernames. X-Remote-User is common.
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--scheduler-name string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->
-默认值："default-scheduler"</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- 
-DEPRECATED: name of the scheduler, used to select which pods will be processed by this scheduler, based on pod's &quot;spec.schedulerName&quot;. This parameter is ignored if a config file is specified in --config.
--->
-已弃用: 调度器名称，用于根据 Pod 的 “spec.schedulerName” 选择此
-调度器将处理的 Pod。
-如果 --config 指定了一个配置文件，那么这个参数将被忽略
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--secure-port int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：10259</td>
 </tr>
@@ -1065,41 +870,6 @@ The previous version for which you want to show hidden metrics. Only the previou
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--skip-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, avoid header prefixes in the log messages
--->
-如果为 true，日志消息中不再写入头部前缀。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--skip-log-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, avoid headers when opening log files
--->
-如果为 true，则在打开日志文件时忽略其头部。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--stderrthreshold int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：2</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-logs at or above this threshold go to stderr
--->
-达到或超过此阈值的日志会被写入到标准错误输出。
-</td>
-</tr>
 
 <tr>
 <td colspan="2">--tls-cert-file string</td>
@@ -1109,7 +879,7 @@ logs at or above this threshold go to stderr
 <!--
 File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
 -->
-包含默认的 HTTPS x509 证书的文件。（CA证书（如果有）在服务器证书之后并置）。
+包含默认的 HTTPS x509 证书的文件。（如果有 CA 证书，在服务器证书之后并置）。
 如果启用了 HTTPS 服务，并且未提供 <code>--tls-cert-file</code> 和
 <code>--tls-private-key-file</code>，则会为公共地址生成一个自签名证书和密钥，
 并将其保存到 <code>--cert-dir</code> 指定的目录中。
@@ -1174,20 +944,7 @@ A pair of x509 certificate and private key file paths, optionally suffixed with
 如果未提供域名匹配模式，则提取证书名称。
 非通配符匹配优先于通配符匹配，显式域名匹配优先于提取而来的名称。
 若有多个密钥/证书对，可多次使用 <code>--tls-sni-cert-key</code>。
-例子: "example.crt,example.key" 或者 "foo.crt,foo.key:*.foo.com,foo.com"。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--use-legacy-policy-config</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-DEPRECATED: when set to true, scheduler will ignore policy ConfigMap and uses policy config file. Note: The scheduler will fail if this is combined with Plugin configs
--->
-已弃用：设置为 true 时，调度程序将忽略策略 ConfigMap 并使用策略配置文件。
-注意：当此标志与插件配置一起使用时，调度器会失败。
+例如: "example.crt,example.key" 或者 "foo.crt,foo.key:*.foo.com,foo.com"。
 </td>
 </tr>
 
@@ -1216,14 +973,14 @@ Print version information and quit
 </tr>
 
 <tr>
-<td colspan="2">--vmodule &lt;<!--comma-separated 'pattern=N' settings-->逗号分隔的 ‘模式=N’ 配置列表&gt;</td>
+<td colspan="2">--vmodule pattern=N,...</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-comma-separated list of pattern=N settings for file-filtered logging
+comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
 -->
-以逗号分隔的 ‘模式=N’ 设置列表，用于文件过滤的日志记录。
+以逗号分隔的 “pattern=N” 设置列表，用于文件过滤的日志记录（仅适用于文本日志格式）。
 </td>
 </tr>
 
@@ -1235,7 +992,7 @@ comma-separated list of pattern=N settings for file-filtered logging
 <!--
 If set, write the configuration values to this file and exit.
 -->
-如果已设置，将配置值写入此文件并退出。
+如果设置此参数，将配置值写入此文件并退出。
 </td>
 </tr>
 
@@ -1244,5 +1001,3 @@ If set, write the configuration values to this file and exit.
 
 
 
-
-
diff --git a/content/zh/docs/reference/command-line-tools-reference/kubelet.md b/content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md
similarity index 66%
rename from content/zh/docs/reference/command-line-tools-reference/kubelet.md
rename to content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md
index 7d127e479f7ba..fc7f1f31ef796 100644
--- a/content/zh/docs/reference/command-line-tools-reference/kubelet.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md
@@ -8,15 +8,19 @@ weight: 28
 
 
 <!--
-The kubelet is the primary "node agent" that runs on each
-node. It can register the node with the apiserver using one of: the hostname; a flag to override the hostname; or specific logic for a cloud provider.
+The kubelet is the primary "node agent" that runs on each node. It can
+register the node with the apiserver using one of: the hostname; a flag to
+override the hostname; or specific logic for a cloud provider.
 -->
 kubelet 是在每个 Node 节点上运行的主要 “节点代理”。它可以使用以下之一向 apiserver 注册：
 主机名（hostname）；覆盖主机名的参数；某云驱动的特定逻辑。
 
 <!--
 The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object
-that describes a pod. The kubelet takes a set of PodSpecs that are provided through various mechanisms (primarily through the apiserver) and ensures that the containers described in those PodSpecs are running and healthy. The kubelet doesn't manage containers which were not created by Kubernetes.
+that describes a pod. The kubelet takes a set of PodSpecs that are provided
+through various mechanisms (primarily through the apiserver) and ensures that
+the containers described in those PodSpecs are running and healthy. The
+kubelet doesn't manage containers which were not created by Kubernetes.
 -->
 kubelet 是基于 PodSpec 来工作的。每个 PodSpec 是一个描述 Pod 的 YAML 或 JSON 对象。
 kubelet 接受通过各种机制（主要是通过 apiserver）提供的一组 PodSpec，并确保这些
@@ -24,27 +28,32 @@ PodSpec 中描述的容器处于运行状态且运行状况良好。
 kubelet 不管理不是由 Kubernetes 创建的容器。
 
 <!--
-Other than from an PodSpec from the apiserver, there are three ways that a container manifest can be provided to the Kubelet.
+Other than from a PodSpec from the apiserver, there are three ways that a
+container manifest can be provided to the Kubelet.
 -->
 除了来自 apiserver 的 PodSpec 之外，还可以通过以下三种方式将容器清单（manifest）提供给 kubelet。
 
 <!--
-File: Path passed as a flag on the command line. Files under this path will be monitored periodically for updates. The monitoring period is 20s by default and is configurable via a flag.
+- File: Path passed as a flag on the command line. Files under this path will be
+  monitored periodically for updates. The monitoring period is 20s by default
+  and is configurable via a flag.
 -->
-文件（File）：利用命令行参数传递路径。kubelet 周期性地监视此路径下的文件是否有更新。
-监视周期默认为 20s，且可通过参数进行配置。
+- 文件（File）：利用命令行参数传递路径。kubelet 周期性地监视此路径下的文件是否有更新。
+  监视周期默认为 20s，且可通过参数进行配置。
 
 <!--
-HTTP endpoint: HTTP endpoint passed as a parameter on the command line. This endpoint is checked every 20 seconds (also configurable with a flag).
+- HTTP endpoint: HTTP endpoint passed as a parameter on the command line. This
+  endpoint is checked every 20 seconds (also configurable with a flag).
 -->
-HTTP 端点（HTTP endpoint）：利用命令行参数指定 HTTP 端点。
-此端点的监视周期默认为 20 秒，也可以使用参数进行配置。
+- HTTP 端点（HTTP endpoint）：利用命令行参数指定 HTTP 端点。
+  此端点的监视周期默认为 20 秒，也可以使用参数进行配置。
 
 <!--
-HTTP server: The kubelet can also listen for HTTP and respond to a simple API (underspec'd currently) to submit a new manifest.
+- HTTP server: The kubelet can also listen for HTTP and respond to a simple API
+  (underspec'd currently) to submit a new manifest.
 -->
-HTTP 服务器（HTTP server）：kubelet 还可以侦听 HTTP 并响应简单的 API
-（目前没有完整规范）来提交新的清单。
+- HTTP 服务器（HTTP server）：kubelet 还可以侦听 HTTP 并响应简单的 API
+  （目前没有完整规范）来提交新的清单。
 
 ```
 kubelet [flags]
@@ -65,9 +74,10 @@ kubelet [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If true, adds the file directory to the header
+If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 设置为 true 表示将文件目录添加到日志消息的头部
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -77,11 +87,12 @@ If true, adds the file directory to the header
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address for the Kubelet to serve on (set to <code>0.0.0.0</code> for all IPv4 interfaces and <code>::</code> for all IPv6 interfaces)  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The IP address for the Kubelet to serve on (set to <code>0.0.0.0</code> for all IPv4 interfaces and <code>::</code> for all IPv6 interfaces)  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 用来提供服务的 IP 地址（设置为<code>0.0.0.0</code> 表示使用所有 IPv4 接口，
-设置为 <code>::</code> 表示使用所有 IPv6 接口）。已弃用：应在 <code>--config</code> 所给的
-配置文件中进行设置。（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+设置为 <code>::</code> 表示使用所有 IPv6 接口）。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -91,11 +102,11 @@ kubelet 用来提供服务的 IP 地址（设置为<code>0.0.0.0</code> 表示
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in <code>*</code>). Use these at your own risk. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in <code>*</code>). Use these at your own risk. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-用逗号分隔的字符串序列设置允许使用的非安全的 sysctls 或 sysctl 模式（以 <code>*</code> 结尾) 。
-使用此参数时风险自担。已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+用逗号分隔的字符串序列设置允许使用的非安全的 sysctls 或 sysctl 模式（以 <code>*</code> 结尾）。
+使用此参数时风险自担。（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -105,9 +116,10 @@ Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-log to standard error as well as files
+Log to standard error as well as files (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 设置为 true 表示将日志输出到文件的同时输出到 stderr
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -117,12 +129,12 @@ log to standard error as well as files
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enables anonymous requests to the Kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of <code>system:anonymous</code>, and a group name of <code>system:unauthenticated</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Enables anonymous requests to the Kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of <code>system:anonymous</code>, and a group name of <code>system:unauthenticated</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置为 true 表示 kubelet 服务器可以接受匿名请求。未被任何认证组件拒绝的请求将被视为匿名请求。
 匿名请求的用户名为 <code>system:anonymous</code>，用户组为 <code>system:unauthenticated</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -132,11 +144,11 @@ Enables anonymous requests to the Kubelet server. Requests that are not rejected
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use the TokenReview API to determine authentication for bearer tokens. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Use the TokenReview API to determine authentication for bearer tokens. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 使用 <code>TokenReview</code> API 对持有者令牌进行身份认证。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -146,11 +158,11 @@ Use the TokenReview API to determine authentication for bearer tokens. (DEPRECAT
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The duration to cache responses from the webhook token authenticator. (default 2m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The duration to cache responses from the webhook token authenticator. (default 2m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 对 Webhook 令牌认证组件所返回的响应的缓存时间。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -160,13 +172,13 @@ The duration to cache responses from the webhook token authenticator. (default 2
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Authorization mode for Kubelet server. Valid options are <code>AlwaysAllow</code> or <code>Webhook</code>. <code>Webhook</code> mode uses the <code>SubjectAccessReview</code> API to determine authorization. (default "AlwaysAllow" when <code>--config</code> flag is not provided; "Webhook" when <code>--config</code> flag presents.) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Authorization mode for Kubelet server. Valid options are <code>AlwaysAllow</code> or <code>Webhook</code>. <code>Webhook</code> mode uses the <code>SubjectAccessReview</code> API to determine authorization. (default "AlwaysAllow" when <code>--config</code> flag is not provided; "Webhook" when <code>--config</code> flag presents.) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 服务器的鉴权模式。可选值包括：<code>AlwaysAllow</code>、<code>Webhook</code>。<code>Webhook</code> 模式使用 <code>SubjectAccessReview</code> API 鉴权。
 当 <code>--config</code> 参数未被设置时，默认值为 <code>AlwaysAllow</code>，当使用了
 <code>--config</code> 时，默认值为 <code>Webhook</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -176,11 +188,11 @@ kubelet 服务器的鉴权模式。可选值包括：<code>AlwaysAllow</code>、
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The duration to cache 'authorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The duration to cache 'authorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 对 Webhook 认证组件所返回的 “Authorized（已授权）” 应答的缓存时间。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -190,12 +202,12 @@ The duration to cache 'authorized' responses from the webhook authorizer. (DEPRE
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The duration to cache 'unauthorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The duration to cache 'unauthorized' responses from the webhook authorizer. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 对 Webhook 认证组件所返回的 “Unauthorized（未授权）” 应答的缓存时间。
 <code>--config</code> 时，默认值为 <code>Webhook</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -246,12 +258,12 @@ TLS 证书所在的目录。如果设置了 <code>--tls-cert-file</code> 和 <co
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Driver that the kubelet uses to manipulate cgroups on the host.  Possible values: <code>cgroupfs</code>, <code>systemd</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Driver that the kubelet uses to manipulate cgroups on the host.  Possible values: <code>cgroupfs</code>, <code>systemd</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 用来操作本机 cgroup 时使用的驱动程序。支持的选项包括 <code>cgroupfs</code>
 和 <code>systemd</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -261,12 +273,12 @@ kubelet 用来操作本机 cgroup 时使用的驱动程序。支持的选项包
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 可选的选项，为 Pod 设置根 cgroup。容器运行时会尽可能使用此配置。
 默认值 <code>""</code> 意味着将使用容器运行时的默认设置。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -276,24 +288,11 @@ Optional root cgroup to use for pods. This is handled by the container runtime o
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 启用创建 QoS cgroup 层次结构。此值为 true 时 kubelet 为 QoS 和 Pod 创建顶级的 cgroup。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--chaos-chance float</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If &gt; 0.0, introduce random client errors and latency. Intended for testing. (DEPRECATED: will be removed in a future version.)
--->
-如果此值大于 0.0，则引入随机客户端错误和延迟。用于测试。
-已启用：将在未来版本中移除。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -303,12 +302,12 @@ If &gt; 0.0, introduce random client errors and latency. Intended for testing. (
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 如果设置了此参数，则使用对应文件中机构之一检查请求中所携带的客户端证书。
 若客户端证书通过身份认证，则其对应身份为其证书中所设置的 CommonName。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -345,15 +344,15 @@ The provider for cloud services. Set to empty string for running with no cloud p
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Comma-separated list of DNS server IP address. This value is used for containers DNS server in case of Pods with "dnsPolicy=ClusterFirst". Note: all DNS servers appearing in the list MUST serve the same set of records otherwise name resolution within the cluster may not work correctly. There is no guarantee as to which DNS server may be contacted for name resolution. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Comma-separated list of DNS server IP address. This value is used for containers DNS server in case of Pods with "dnsPolicy=ClusterFirst". Note: all DNS servers appearing in the list MUST serve the same set of records otherwise name resolution within the cluster may not work correctly. There is no guarantee as to which DNS server may be contacted for name resolution. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 DNS 服务器的 IP 地址，以逗号分隔。此标志值用于 Pod 中设置了 “<code>dnsPolicy=ClusterFirst</code>”
 时为容器提供 DNS 服务。注意：列表中出现的所有 DNS 服务器必须包含相同的记录组，
 否则集群中的名称解析可能无法正常工作。至于名称解析过程中会牵涉到哪些 DNS 服务器，
 这一点无法保证。
 <code>--config</code> 时，默认值为 <code>Webhook</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -363,13 +362,13 @@ DNS 服务器的 IP 地址，以逗号分隔。此标志值用于 Pod 中设置
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 集群的域名。如果设置了此值，kubelet 除了将主机的搜索域配置到所有容器之外，还会为其
 配置所搜这里指定的域名。
 <code>--config</code> 时，默认值为 <code>Webhook</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -379,11 +378,12 @@ Domain for this cluster. If set, kubelet will configure all containers to search
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Alpha feature&gt; A comma-separated list of full paths of directories in which to search for CNI plugin binaries. This docker-specific flag only works when container-runtime is set to <code>docker</code>.
+A comma-separated list of full paths of directories in which to search for CNI plugin binaries. This docker-specific flag only works when container-runtime is set to <code>docker</code>. (DEPRECATED: will be removed along with dockershim.)
 -->
-&lt;警告：alpha 特性&gt; 此值为以逗号分隔的完整路径列表。
+此值为以逗号分隔的完整路径列表。
 kubelet 将在所指定路径中搜索 CNI 插件的可执行文件。
 仅当容器运行环境设置为 <code>docker</code> 时，此特定于 docker 的参数才有效。
+（已弃用：将会随着 dockershim 一起删除。）
 </td>
 </tr>
 
@@ -393,10 +393,11 @@ kubelet 将在所指定路径中搜索 CNI 插件的可执行文件。
 <tr>                                            
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Alpha feature&gt; The full path of the directory in which CNI should store cache files. This docker-specific flag only works when container-runtime is set to <code>docker</code>.
+The full path of the directory in which CNI should store cache files. This docker-specific flag only works when container-runtime is set to <code>docker</code>. (DEPRECATED: will be removed along with dockershim.)
 -->
-&lt;警告：alpha 特性&gt; 此值为一个目录的全路径名。CNI 将在其中缓存文件。
+此值为一个目录的全路径名。CNI 将在其中缓存文件。
 仅当容器运行环境设置为 <code>docker</code> 时，此特定于 docker 的参数才有效。
+（已弃用：将会随着 dockershim 一起删除。）
 </td>
 </tr>
 
@@ -406,10 +407,11 @@ kubelet 将在所指定路径中搜索 CNI 插件的可执行文件。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Alpha feature&gt; The full path of the directory in which to search for CNI config files. This docker-specific flag only works when container-runtime is set to <code>docker</code>.
+&lt;Warning: Alpha feature&gt; The full path of the directory in which to search for CNI config files. This docker-specific flag only works when container-runtime is set to <code>docker</code>. (DEPRECATED: will be removed along with dockershim.)
 -->
 &lt;警告：alpha 特性&gt; 此值为某目录的全路径名。kubelet 将在其中搜索 CNI 配置文件。
 仅当容器运行环境设置为 <code>docker</code> 时，此特定于 docker 的参数才有效。
+（已弃用：将会随着 dockershim 一起删除。）
 </td>
 </tr>
 
@@ -433,12 +435,12 @@ kubelet 将从此标志所指的文件中加载其初始配置。此路径可以
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Set the maximum number of container log files that can be present for a container. The number must be &ge; 2. This flag can only be used with <code>--container-runtime=remote</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Set the maximum number of container log files that can be present for a container. The number must be &ge; 2. This flag can only be used with <code>--container-runtime=remote</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置容器的日志文件个数上限。此值必须不小于 2。
 此标志只能与 <code>--container-runtime=remote</code> 标志一起使用。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>    
 
@@ -448,12 +450,12 @@ Set the maximum number of container log files that can be present for a containe
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Set the maximum size (e.g. 10Mi) of container log file before it is rotated. This flag can only be used with <code>--container-runtime=remote</code>.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Set the maximum size (e.g. 10Mi) of container log file before it is rotated. This flag can only be used with <code>--container-runtime=remote</code>.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置容器日志文件在轮换生成新文件时之前的最大值（例如，<code>10Mi</code>）。
 此标志只能与 <code>--container-runtime=remote</code> 标志一起使用。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -490,11 +492,11 @@ Windows 系统上的 npipe 和 TCP 端点。例如：
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enable lock contention profiling, if profiling is enabled (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Enable lock contention profiling, if profiling is enabled (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 当启用了性能分析时，启用锁竞争分析。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -504,11 +506,11 @@ Enable lock contention profiling, if profiling is enabled (DEPRECATED: This para
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enable CPU CFS quota enforcement for containers that specify CPU limits (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Enable CPU CFS quota enforcement for containers that specify CPU limits (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 为设置了 CPU 限制的容器启用 CPU CFS 配额保障。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -518,11 +520,11 @@ Enable CPU CFS quota enforcement for containers that specify CPU limits (DEPRECA
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Sets CPU CFS quota period value, <code>cpu.cfs_period_us</code>, defaults to Linux Kernel default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Sets CPU CFS quota period value, <code>cpu.cfs_period_us</code>, defaults to Linux Kernel default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-设置 CPU CFS 配额周期 <code>cpu.cfs_period_us</code>。默认使用 Linux 内核所设置的默认值 。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+设置 CPU CFS 配额周期 <code>cpu.cfs_period_us</code>。默认使用 Linux 内核所设置的默认值。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -532,11 +534,11 @@ Sets CPU CFS quota period value, <code>cpu.cfs_period_us</code>, defaults to Lin
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (default "none") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (default "none") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 要使用的 CPU 管理器策略。可选值包括：<code>none</code> 和 <code>static</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -546,12 +548,12 @@ CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (d
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Alpha feature&gt; CPU Manager reconciliation period. Examples: <code>10s</code>, or <code>1m</code>. If not supplied, defaults to node status update frequency. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+&lt;Warning: Alpha feature&gt; CPU Manager reconciliation period. Examples: <code>10s</code>, or <code>1m</code>. If not supplied, defaults to node status update frequency. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 &lt;警告：alpha 特性&gt; 设置 CPU 管理器的调和时间。例如：<code>10s</code> 或者 <code>1m</code>。
 如果未设置，默认使用节点状态更新频率。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -561,10 +563,11 @@ CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (d
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use this for the <code>docker</code> endpoint to communicate with. This docker-specific flag only works when container-runtime is set to <code>docker</code>.
+Use this for the <code>docker</code> endpoint to communicate with. This docker-specific flag only works when container-runtime is set to <code>docker</code>. (DEPRECATED: will be removed along with dockershim.)
 -->
 使用这里的端点与 docker 端点通信。
 仅当容器运行环境设置为 <code>docker</code> 时，此特定于 docker 的参数才有效。
+（已弃用：将会随着 dockershim 一起删除。）
 </td>
 </tr>
 
@@ -594,9 +597,11 @@ kubelet 使用此目录来保存所下载的配置，跟踪配置运行状况。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations.
+Enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 启用 Attach/Detach 控制器来挂接和摘除调度到该节点的卷，同时禁用 kubelet 执行挂接和摘除操作。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -606,11 +611,11 @@ Enables the Attach/Detach controller to manage attachment/detachment of volumes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enables server endpoints for log collection and local running of containers and commands (default true) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Enables server endpoints for log collection and local running of containers and commands. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 启用服务器上用于日志收集和在本地运行容器和命令的端点。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -620,11 +625,11 @@ Enables server endpoints for log collection and local running of containers and
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enable the Kubelet's server. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Enable the Kubelet's server. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 启用 kubelet 服务器。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -634,16 +639,16 @@ Enable the Kubelet's server. (DEPRECATED: This parameter should be set via the c
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are <code>none</code>, <code>pods</code>, <code>system-reserved</code>, and <code>kube-reserved</code>. If the latter two options are specified, <code>--system-reserved-cgroup</code> and <code>--kube-reserved-cgroup</code> must also be set, respectively. If <code>none</code> is specified, no additional options should be set. See https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are <code>none</code>, <code>pods</code>, <code>system-reserved</code>, and <code>kube-reserved</code>. If the latter two options are specified, <code>--system-reserved-cgroup</code> and <code>--kube-reserved-cgroup</code> must also be set, respectively. If <code>none</code> is specified, no additional options should be set. See https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用逗号分隔的列表，包含由 kubelet 强制执行的节点可分配资源级别。
 可选配置为：<code>none</code>、<code>pods</code>、<code>system-reserved</code> 和 <code>kube-reserved</code>。
 在设置 <code>system-reserved</code> 和 <code>kube-reserved</code> 这两个值时，同时要求设置
 <code>--system-reserved-cgroup</code> 和 <code>--kube-reserved-cgroup</code> 这两个参数。
 如果设置为 <code>none</code>，则不需要设置其他参数。
-<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/reserve-compute-resources/">参考相关文档</a>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+<a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/">参考相关文档</a>。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -653,12 +658,12 @@ A comma separated list of levels of node allocatable enforcement to be enforced
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Maximum size of a bursty event records, temporarily allows event records to burst to this number, while still not exceeding <code>--event-qps</code>. Only used if <code>--event-qps</code> &gt; 0. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Maximum size of a bursty event records, temporarily allows event records to burst to this number, while still not exceeding <code>--event-qps</code>. Only used if <code>--event-qps</code> &gt; 0. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 事件记录的个数的突发峰值上限，在遵从 <code>--event-qps</code> 阈值约束的前提下
 临时允许事件记录达到此数目。仅在 <code>--event-qps</code> 大于 0 时使用。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -668,11 +673,11 @@ Maximum size of a bursty event records, temporarily allows event records to burs
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If &gt; <code>0</code>, limit event creations per second to this value. If <code>0</code>, unlimited. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If &gt; <code>0</code>, limit event creations per second to this value. If <code>0</code>, unlimited. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置大于 0 的值表示限制每秒可生成的事件数量。设置为 0 表示不限制。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -682,13 +687,13 @@ If &gt; <code>0</code>, limit event creations per second to this value. If <code
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of eviction thresholds (e.g. <code>memory.available<1Gi</code>) that if met would trigger a pod eviction. On a Linux node, the default value also includes <code>nodefs.inodesFree<5%</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A set of eviction thresholds (e.g. <code>memory.available<1Gi</code>) that if met would trigger a pod eviction. On a Linux node, the default value also includes <code>nodefs.inodesFree<5%</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 触发 Pod 驱逐操作的一组硬性门限（例如：<code>memory.available&lt;1Gi</code>
-（内存可用值小于 1 G））设置。在 Linux 节点上，默认值还包括
+（内存可用值小于 1G）设置。在 Linux 节点上，默认值还包括
 <code>nodefs.inodesFree<5%</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -698,12 +703,12 @@ A set of eviction thresholds (e.g. <code>memory.available<1Gi</code>) that if me
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. If negative, defer to pod specified value. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. If negative, defer to pod specified value. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 响应满足软性驱逐阈值（Soft Eviction Threshold）而终止 Pod 时使用的最长宽限期（以秒为单位）。
 如果设置为负数，则遵循 Pod 的指定值。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -713,12 +718,12 @@ Maximum allowed grace period (in seconds) to use when terminating pods in respon
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of minimum reclaims (e.g. <code>imagefs.available=2Gi</code>) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A set of minimum reclaims (e.g. <code>imagefs.available=2Gi</code>) that describes the minimum amount of resource the kubelet will reclaim when performing a pod eviction if that resource is under pressure. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 当某资源压力过大时，kubelet 将执行 Pod 驱逐操作。
 此参数设置软性驱逐操作需要回收的资源的最小数量（例如：<code>imagefs.available=2Gi</code>）。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -728,11 +733,11 @@ A set of minimum reclaims (e.g. <code>imagefs.available=2Gi</code>) that describ
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 在驱逐压力状况解除之前的最长等待时间。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -742,12 +747,12 @@ kubelet 在驱逐压力状况解除之前的最长等待时间。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of eviction thresholds (e.g. <code>memory.available>1.5Gi</code>) that if met over a corresponding grace period would trigger a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A set of eviction thresholds (e.g. <code>memory.available>1.5Gi</code>) that if met over a corresponding grace period would trigger a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置一组驱逐阈值（例如：<code>memory.available&lt;1.5Gi</code>）。
 如果在相应的宽限期内达到该阈值，则会触发 Pod 驱逐操作。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -757,12 +762,12 @@ A set of eviction thresholds (e.g. <code>memory.available>1.5Gi</code>) that if
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of eviction grace periods (e.g. <code>memory.available=1m30s</code>) that correspond to how long a soft eviction threshold must hold before triggering a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A set of eviction grace periods (e.g. <code>memory.available=1m30s</code>) that correspond to how long a soft eviction threshold must hold before triggering a pod eviction. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置一组驱逐宽限期（例如，<code>memory.available=1m30s</code>），对应于触发软性 Pod
 驱逐操作之前软性驱逐阈值所需持续的时间长短。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -793,18 +798,6 @@ When set to <code>true</code>, Hard eviction thresholds will be ignored while ca
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--experimental-bootstrap-kubeconfig string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-(DEPRECATED: Use --bootstrap-kubeconfig)
--->
-已弃用：应使用 <code>--bootstrap-kubeconfig</code> 标志
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--experimental-check-node-capabilities-before-mount</td>
 </tr>
@@ -825,13 +818,13 @@ When set to <code>true</code>, Hard eviction thresholds will be ignored while ca
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. This flag will be removed in 1.24 or later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. This flag will be removed in 1.24 or later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置为 true 表示 kubelet 将会集成内核的 memcg 通知机制而不是使用轮询机制来
 判断是否达到了内存驱逐阈值。
 此标志将在 1.24 或更高版本移除。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -841,13 +834,13 @@ If enabled, the kubelet will integrate with the kernel memcg notification to det
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 [试验性功能] 启用此标志之后，kubelet 会避免将标记为敏感的字段（密码、密钥、令牌等）
 写入日志中。运行时的日志清理可能会带来相当的计算开销，因此不应该在
 产品环境中启用。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </tr>
 
 <tr>
@@ -869,11 +862,11 @@ If enabled, the kubelet will integrate with the kernel memcg notification to det
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Makes the Kubelet fail to start if swap is enabled on the node. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Makes the Kubelet fail to start if swap is enabled on the node. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置为 true 表示如果主机启用了交换分区，kubelet 将直接失败。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -970,7 +963,7 @@ WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
 WindowsHostProcessContainers=true|false (BETA - default=true)<br/>
 csiMigrationRBD=true|false (ALPHA - default=false)<br/>
-(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)</td>
+(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 -->
 用于 alpha 实验性特性的特性开关组，每个开关以 key=value 形式表示。当前可用开关包括：</br>
 APIListChunking=true|false (BETA - 默认值为 true)<br/>
@@ -1072,11 +1065,11 @@ csiMigrationRBD=true|false (ALPHA - 默认值为 false)<br/>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Duration between checking config files for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Duration between checking config files for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 检查配置文件中新数据的时间间隔。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1086,13 +1079,13 @@ Duration between checking config files for new data. (DEPRECATED: This parameter
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-How should the kubelet setup hairpin NAT. This allows endpoints of a Service to load balance back to themselves if they should try to access their own Service. Valid values are <code>promiscuous-bridge</code>, <code>hairpin-veth</code> and <code>none</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+How should the kubelet setup hairpin NAT. This allows endpoints of a Service to load balance back to themselves if they should try to access their own Service. Valid values are <code>promiscuous-bridge</code>, <code>hairpin-veth</code> and <code>none</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置 kubelet 执行发夹模式（hairpin）网络地址转译的方式。
 该模式允许后端端点对其自身服务的访问能够再次经由负载均衡转发回自身。
 可选项包括 <code>promiscuous-bridge</code>、<code>hairpin-veth</code> 和 <code>none</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1102,12 +1095,12 @@ How should the kubelet setup hairpin NAT. This allows endpoints of a Service to
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address for the healthz server to serve on (set to <code>0.0.0.0</code> for all IPv4 interfaces and <code>::</code> for all IPv6 interfaces). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The IP address for the healthz server to serve on (set to <code>0.0.0.0</code> for all IPv4 interfaces and <code>::</code> for all IPv6 interfaces). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用于运行 healthz 服务器的 IP 地址（设置为 <code>0.0.0.0</code> 表示使用所有 IPv4 接口，
 设置为 <code>::</code> 表示使用所有 IPv6 接口。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1117,11 +1110,11 @@ The IP address for the healthz server to serve on (set to <code>0.0.0.0</code> f
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The port of the localhost healthz endpoint (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The port of the localhost healthz endpoint (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 本地 healthz 端点使用的端口（设置为 0 表示禁用）。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1151,29 +1144,17 @@ If non-empty, will use this string as identification instead of the actual hostn
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--housekeeping-interval duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>10s</code>-->默认值：<code>10s</code></td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Interval between container housekeepings (default 10s)
--->
-清理容器操作的时间间隔。
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--http-check-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>20s</code>-->默认值：<code>20s</code></td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Duration between checking HTTP for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Duration between checking HTTP for new data. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 HTTP 服务以获取新数据的时间间隔。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1206,12 +1187,12 @@ The path to the credential provider plugin config file.</td>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The percent of disk usage after which image garbage collection is always run. Values must be within the range [0, 100], To disable image garbage collection, set to 100.   (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The percent of disk usage after which image garbage collection is always run. Values must be within the range [0, 100], To disable image garbage collection, set to 100.   (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 镜像垃圾回收上限。磁盘使用空间达到该百分比时，镜像垃圾回收将持续工作。
 值必须在 [0，100] 范围内。要禁用镜像垃圾回收，请设置为 100。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1221,12 +1202,12 @@ The percent of disk usage after which image garbage collection is always run. Va
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. Values must be within the range [0, 100] and should not be larger than that of <code>--image-gc-high-threshold</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. Values must be within the range [0, 100] and should not be larger than that of <code>--image-gc-high-threshold</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 镜像垃圾回收下限。磁盘使用空间在达到该百分比之前，镜像垃圾回收操作不会运行。
 值必须在 [0，100] 范围内，并且不得大于 <code>--image-gc-high-threshold</code>的值。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1236,10 +1217,11 @@ The percent of disk usage before which image garbage collection is never run. Lo
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If no pulling progress is made before this deadline, the image pulling will be cancelled. This docker-specific flag only works when container-runtime is set to <code>docker</code>.
+If no pulling progress is made before this deadline, the image pulling will be cancelled. This docker-specific flag only works when container-runtime is set to <code>docker</code>. (DEPRECATED: will be removed along with dockershim.)
 -->
 如果在该参数值所设置的期限之前没有拉取镜像的进展，镜像拉取操作将被取消。
 仅当容器运行环境设置为 <code>docker</code> 时，此特定于 docker 的参数才有效。
+（已弃用：将会随着 dockershim 一起删除。）
 </td>
 </tr>
 
@@ -1263,11 +1245,11 @@ If no pulling progress is made before this deadline, the image pulling will be c
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The bit of the <code>fwmark</code> space to mark packets for dropping. Must be within the range [0, 31]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The bit of the <code>fwmark</code> space to mark packets for dropping. Must be within the range [0, 31]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 标记数据包将被丢弃的 fwmark 位设置。必须在 [0，31] 范围内。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1277,12 +1259,12 @@ The bit of the <code>fwmark</code> space to mark packets for dropping. Must be w
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The bit of the <code>fwmark</code> space to mark packets for SNAT. Must be within the range [0, 31]. Please match this parameter with corresponding parameter in <code>kube-proxy</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The bit of the <code>fwmark</code> space to mark packets for SNAT. Must be within the range [0, 31]. Please match this parameter with corresponding parameter in <code>kube-proxy</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 标记数据包将进行 SNAT 的 fwmark 空间位设置。必须在 [0，31] 范围内。
 请将此参数与 <code>kube-proxy</code> 中的相应参数匹配。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1305,12 +1287,12 @@ Keep terminated pod volumes mounted to the node after the pod terminates. Can be
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 若启用，则 kubelet 将与内核中的 memcg 通知机制集成，不再使用轮询的方式来判定
 是否 Pod 达到内存驱逐阈值。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1320,11 +1302,11 @@ If enabled, the kubelet will integrate with the kernel memcg notification to det
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Burst to use while talking with kubernetes apiserver. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Burst to use while talking with kubernetes apiserver. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 每秒发送到 apiserver 的突发请求数量上限。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1334,11 +1316,11 @@ Burst to use while talking with kubernetes apiserver. (DEPRECATED: This paramete
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 发送到 apiserver 的请求的内容类型。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1348,13 +1330,13 @@ Content type of requests sent to apiserver. (default "application/vnd.kubernetes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-QPS to use while talking with kubernetes API server. The number must be &gt;= 0. If 0 will use default QPS (5). Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+QPS to use while talking with kubernetes API server. The number must be &gt;= 0. If 0 will use default QPS (5). Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 与 apiserver 通信的每秒查询个数（QPS）。
-此值必须 &gt;= 0。如果为 0， 则使用默认 QPS（5）。
+此值必须 &gt;= 0。如果为 0，则使用默认 QPS（5）。
 不包含事件和节点心跳 api，它们的速率限制是由一组不同的标志所控制。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1364,14 +1346,14 @@ QPS to use while talking with kubernetes API server. The number must be &gt;= 0.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of <code><resource name>=<resource quantity></code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for kubernetes system components. Currently <code>cpu</code>, <code>memory</code> and local <code>ephemeral-storage</code> for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A set of <code>&lt;resource name&gt;=&lt;resource quantity&gt;</code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for kubernetes system components. Currently <code>cpu</code>, <code>memory</code> and local <code>ephemeral-storage</code> for root file system are supported. See <a href="http://kubernetes.io/docs/user-guide/compute-resources">here</a> for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-kubernetes 系统预留的资源配置，以一组 <code>资源名称=资源数量</code> 格式表示。
+kubernetes 系统预留的资源配置，以一组 <code>&lt;资源名称&gt;=&lt;资源数量&gt;</code> 格式表示。
 （例如：<code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>）。
 当前支持 <code>cpu</code>、<code>memory</code> 和用于根文件系统的 <code>ephemeral-storage</code>。
-请参阅<a href="http://kubernetes.io/zh/docs/concepts/configuration/manage-resources-containers/">相关文档</a>获取更多信息。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+请参阅<a href="https://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/">这里</a>获取更多信息。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1381,12 +1363,12 @@ kubernetes 系统预留的资源配置，以一组 <code>资源名称=资源数
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Absolute name of the top level cgroup that is used to manage kubernetes components for which compute resources were reserved via <code>--kube-reserved</code> flag. Ex. <code>/kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Absolute name of the top level cgroup that is used to manage kubernetes components for which compute resources were reserved via <code>--kube-reserved</code> flag. Ex. <code>/kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 给出某个顶层 cgroup 绝对名称，该 cgroup 用于管理通过标志 <code>--kube-reserved</code>
 为 kubernetes 组件所预留的计算资源。例如：<code>"/kube-reserved"</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1409,11 +1391,11 @@ kubeconfig 配置文件的路径，指定如何连接到 API 服务器。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Optional absolute name of cgroups to create and run the Kubelet in. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Optional absolute name of cgroups to create and run the Kubelet in. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用于创建和运行 kubelet 的 cgroup 的绝对名称。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1435,11 +1417,11 @@ Optional absolute name of cgroups to create and run the Kubelet in. (DEPRECATED:
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-When logging hits line <code><file>:<N></code>, emit a stack trace. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+When logging hits line <code><file>:<N></code>, emit a stack trace. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 形式为 <code>&lt;file&gt;:&lt;N&gt;</code>。
 当日志逻辑执行到命中 &lt;file&gt; 的第 &lt;N&gt; 行时，转储调用堆栈。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -1449,10 +1431,10 @@ When logging hits line <code><file>:<N></code>, emit a stack trace. (DEPRECATED:
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If non-empty, write log files in this directory. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+If non-empty, write log files in this directory. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 如果此值为非空，则在所指定的目录中写入日志文件。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -1462,9 +1444,10 @@ If non-empty, write log files in this directory. (DEPRECATED: will be removed in
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If non-empty, use this log file
+If non-empty, use this log file. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 如果此值非空，使用所给字符串作为日志文件名。
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -1474,10 +1457,10 @@ If non-empty, use this log file
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 设置日志文件的最大值。单位为兆字节（M）。如果值为 0，则表示文件大小无限制。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -1499,12 +1482,12 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[Experimental] In JSON format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+[Experimental] In JSON format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 [实验性特性]在具有拆分输出流的 JSON 格式中，可以将信息消息缓冲一段时间以提高性能。
 零字节的默认值禁用缓冲。大小可以指定为字节数（512）、1000 的倍数（1K）、1024 的倍数（2Ki） 或这些（3M、4G、5Mi、6Gi）的幂。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1514,12 +1497,12 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[Experimental] In JSON format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+[Experimental] In JSON format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-[实验性特性]以 JSON 格式，将错误消息写入 stderr，将 info 消息写入 stdout。 
+[实验性特性]以 JSON 格式，将错误消息写入 stderr，将 info 消息写入 stdout。
 默认是将单个流写入标准输出。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1529,16 +1512,16 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br/>Non-default formats don't honor these flags: <code>--add-dir-header</code>, <code>--alsologtostderr</code>, <code>--log-backtrace-at</code>, <code>--log-dir</code>, <code>--log-file</code>, <code>--log-file-max-size</code>, <code>--logtostderr</code>, <code>--skip_headers</code>, <code>--skip_log_headers</code>, <code>--stderrthreshold</code>, <code>--log-flush-frequency</code>.<br/>Non-default choices are currently alpha and subject to change without warning. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br/>Non-default formats don't honor these flags: <code>--add-dir-header</code>, <code>--alsologtostderr</code>, <code>--log-backtrace-at</code>, <code>--log-dir</code>, <code>--log-file</code>, <code>--log-file-max-size</code>, <code>--logtostderr</code>, <code>--skip_headers</code>, <code>--skip_log_headers</code>, <code>--stderrthreshold</code>, <code>--log-flush-frequency</code>.<br/>Non-default choices are currently alpha and subject to change without warning. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置日志文件格式。可以设置的格式有：<code>"text"</code>、<code>"json"</code>。
-非默认的格式不会使用以下标志的配置：<code>--add-dir-header</code>, <code>--alsologtostderr</code>,
-<code>--log-backtrace-at</code>, <code>--log-dir</code>, <code>--log-file</code>,
-<code>--log-file-max-size</code>, <code>--logtostderr</code>, <code>--skip-headers</code>,
-<code>--skip-log-headers</code>, <code>--stderrthreshold</code>, <code>--log-flush-frequency</code>。
+非默认的格式不会使用以下标志的配置：<code>--add-dir-header</code>、<code>--alsologtostderr</code>、
+<code>--log-backtrace-at</code>、<code>--log-dir</code>、<code>--log-file</code>,
+<code>--log-file-max-size</code>、<code>--logtostderr</code>、<code>--skip-headers</code>、
+<code>--skip-log-headers</code>、<code>--stderrthreshold</code>、<code>--log-flush-frequency</code>。
 非默认选项的其它值都应视为 Alpha 特性，将来出现更改时不会额外警告。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1548,11 +1531,11 @@ Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-log to standard error instead of files. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+log to standard error instead of files. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 日志输出到 stderr 而不是文件。
 （已弃用：将会在未来的版本删除，
-<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -1562,11 +1545,11 @@ log to standard error instead of files. (DEPRECATED: will be removed in a future
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If true, kubelet will ensure <code>iptables</code> utility rules are present on host. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If true, kubelet will ensure <code>iptables</code> utility rules are present on host. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置为 true 表示 kubelet 将确保 <code>iptables</code> 规则在主机上存在。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1576,11 +1559,11 @@ If true, kubelet will ensure <code>iptables</code> utility rules are present on
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-URL for accessing additional Pod specifications to run (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+URL for accessing additional Pod specifications to run (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用于访问要运行的其他 Pod 规范的 URL。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1590,15 +1573,16 @@ URL for accessing additional Pod specifications to run (DEPRECATED: This paramet
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Comma-separated list of HTTP headers to use when accessing the URL provided to <code>--manifest-url</code>. Multiple headers with the same name will be added in the same order provided. This flag can be repeatedly invoked. For example: <code>--manifest-url-header 'a:hello,b:again,c:world' --manifest-url-header 'b:beautiful'</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Comma-separated list of HTTP headers to use when accessing the URL provided to <code>--manifest-url</code>. Multiple headers with the same name will be added in the same order provided. This flag can be repeatedly invoked. For example: <code>--manifest-url-header 'a:hello,b:again,c:world' --manifest-url-header 'b:beautiful'</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 取值为由 HTTP 头部组成的逗号分隔列表，在访问 <code>--manifest-url</code> 所给出的 URL 时使用。
 名称相同的多个头部将按所列的顺序添加。该参数可以多次使用。例如：
 <code>--manifest-url-header 'a:hello,b:again,c:world' --manifest-url-header 'b:beautiful'</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
+
 <tr>
 <td colspan="2">--master-service-namespace string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>default</code>-->默认值：<code>default</code></td>
 </tr>
@@ -1618,11 +1602,11 @@ kubelet 向 Pod 注入 Kubernetes 主控服务信息时使用的命名空间。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Number of files that can be opened by Kubelet process. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Number of files that can be opened by Kubelet process. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 进程可以打开的最大文件数量。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1632,11 +1616,11 @@ kubelet 进程可以打开的最大文件数量。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Number of Pods that can run on this Kubelet. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Number of Pods that can run on this Kubelet. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 此 kubelet 能运行的 Pod 最大数量。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1650,8 +1634,8 @@ Maximum number of old instances of containers to retain globally. Each container
 -->
 设置全局可保留的已停止容器实例个数上限。
 每个实例会占用一些磁盘空间。要禁用，请设置为负数。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+已弃用：改用 <code>--eviction-hard</code> 或 <code>--eviction-soft</code>。
+此标志将在未来的版本中删除。
 </td>
 </tr>
 
@@ -1661,11 +1645,11 @@ Maximum number of old instances of containers to retain globally. Each container
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Maximum number of old instances to retain per container. Each container takes up some disk space. (DEPRECATED: Use --eviction-hard or --eviction-soft instead. Will be removed in a future version.)
+Maximum number of old instances to retain per container.  Each container takes up some disk space. (DEPRECATED: Use <code>--eviction-hard</code> or <code>--eviction-soft</code> instead. Will be removed in a future version.)
 -->
 每个已停止容器可以保留的的最大实例数量。每个容器占用一些磁盘空间。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+已弃用：改用 <code>--eviction-hard</code> 或 <code>--eviction-soft</code>。
+此标志将在未来的版本中删除。
 </td>
 </tr>
 
@@ -1675,11 +1659,11 @@ Maximum number of old instances to retain per container. Each container takes up
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Memory Manager policy to use. Possible values: <code>'None'</code>, <code>'Static'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Memory Manager policy to use. Possible values: <code>'None'</code>, <code>'Static'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-内存管理器策略使用。可选值：<code>'None'</code>, <code>'Static'</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+内存管理器策略使用。可选值：<code>'None'</code>、<code>'Static'</code>。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1689,10 +1673,10 @@ Memory Manager policy to use. Possible values: <code>'None'</code>, <code>'Stati
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Minimum age for a finished container before it is garbage collected.  Examples: '300ms', '10s' or '2h45m' (DEPRECATED: Use --eviction-hard or --eviction-soft instead. Will be removed in a future version.)
+Minimum age for a finished container before it is garbage collected. Examples: <code>'300ms'</code>, <code>'10s'</code> or <code>'2h45m'</code> (DEPRECATED: Use <code>--eviction-hard</code> or <code>--eviction-soft</code> instead. Will be removed in a future version.)
 -->
 已结束的容器在被垃圾回收清理之前的最少存活时间。
-例如：<code>300ms</code>、<code>10s</code> 或者 <code>2h45m</code>。
+例如：<code>'300ms'</code>、<code>'10s'</code> 或者 <code>'2h45m'</code>。
 已弃用：请改用 <code>--eviction-hard</code> 或者 <code>--eviction-soft</code>。
 此标志将在未来的版本中删除。
 </td>
@@ -1704,12 +1688,12 @@ Minimum age for a finished container before it is garbage collected.  Examples:
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Minimum age for an unused image before it is garbage collected.  Examples: <code>300ms</code>, <code>10s</code> or <code>2h45m</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Minimum age for an unused image before it is garbage collected. Examples: <code>'300ms'</code>, <code>'10s'</code> or <code>'2h45m'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-不再使用的镜像在被垃圾回收清理之前的最少存活时间。
-例如：<code>300ms</code>、<code>10s</code> 或者 <code>2h45m</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+已结束的容器在被垃圾回收清理之前的最少存活时间。
+例如：<code>'300ms'</code>、<code>'10s'</code> 或者 <code>'2h45m'</code>。
+已弃用：这个参数应该通过 Kubelet 的 <code>--config</code> 标志指定的配置文件来设置。
+（<a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
 </td>
 </tr>
 
@@ -1719,10 +1703,11 @@ Minimum age for an unused image before it is garbage collected.  Examples: <code
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-<Warning: Alpha feature> The name of the network plugin to be invoked for various events in kubelet/pod lifecycle. This docker-specific flag only works when container-runtime is set to docker.
+The name of the network plugin to be invoked for various events in kubelet/pod lifecycle. This docker-specific flag only works when container-runtime is set to <code>docker</code>. (DEPRECATED: will be removed along with dockershim.)<
 -->
-&lt;警告：alpha 特性&gt; 设置 kubelet/Pod 生命周期中各种事件调用的网络插件的名称。
+设置 kubelet/Pod 生命周期中各种事件调用的网络插件的名称。
 仅当容器运行环境设置为 <code>docker</code> 时，此特定于 docker 的参数才有效。
+（已弃用：将会随着 dockershim 一起删除。）
 </td>
 </tr>
 
@@ -1782,11 +1767,11 @@ IP address (or comma-separated dual-stack IP addresses) of the node. If unset, k
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The maximum number of images to report in <code>node.status.images</code>. If <code>-1</code> is specified, no cap will be applied. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The maximum number of images to report in <code>node.status.images</code>. If <code>-1</code> is specified, no cap will be applied. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 在 <code>node.status.images</code> 中可以报告的最大镜像数量。如果指定为 -1，则不设上限。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1796,12 +1781,12 @@ The maximum number of images to report in <code>node.status.images</code>. If <c
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in Node controller. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with <code>nodeMonitorGracePeriod</code> in Node controller. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 指定 kubelet 向主控节点汇报节点状态的时间间隔。注意：更改此常量时请务必谨慎，
 它必须与节点控制器中的 <code>nodeMonitorGracePeriod</code> 一起使用。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1815,8 +1800,7 @@ Traffic to IPs outside this range will use IP masquerade. Set to '0.0.0.0/0' to
 -->
 kubelet 向该 IP 段之外的 IP 地址发送的流量将使用 IP 伪装技术。
 设置为 <code>0.0.0.0/0</code> 则不使用伪装。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：将在未来的版本中删除。）
 </td>
 </tr>
 
@@ -1826,12 +1810,12 @@ kubelet 向该 IP 段之外的 IP 地址发送的流量将使用 IP 伪装技术
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If true, only write logs to their native severity level (vs also writing to each lower severity level. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+If true, only write logs to their native severity level (vs also writing to each lower severity level). (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 如果设置此标志为 <code>true</code>，则仅将日志写入其原来的严重性级别中，
 而不是同时将其写入更低严重性级别中。
-已弃用：将在未来的版本中删除，
-（<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+已弃用：将在未来的版本中删除。
+（<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -1841,11 +1825,11 @@ If true, only write logs to their native severity level (vs also writing to each
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000] (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The <code>oom-score-adj</code> value for kubelet process. Values must be within the range [-1000, 1000]. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 进程的 oom-score-adj 参数值。有效范围为 <code>[-1000，1000]</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1855,12 +1839,12 @@ kubelet 进程的 oom-score-adj 参数值。有效范围为 <code>[-1000，1000]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master. For IPv6, the maximum number of IP's allocated is 65536 (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master. For IPv6, the maximum number of IP's allocated is 65536 (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用于给 Pod 分配 IP 地址的 CIDR 地址池，仅在独立运行模式下使用。
 在集群模式下，CIDR 设置是从主服务器获取的。对于 IPv6，分配的 IP 的最大数量为 65536。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1885,12 +1869,12 @@ The CIDR to use for pod IP addresses, only used in standalone mode. In cluster m
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to the directory containing static pod files to run, or the path to a single static pod file. Files starting with dots will be ignored. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Path to the directory containing static pod files to run, or the path to a single static pod file. Files starting with dots will be ignored. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置包含要运行的静态 Pod 的文件的路径，或单个静态 Pod 文件的路径。以点（<code>.</code>）
 开头的文件将被忽略。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1900,11 +1884,11 @@ Path to the directory containing static pod files to run, or the path to a singl
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Set the maximum number of processes per pod.  If <code>-1</code>, the kubelet defaults to the node allocatable PID capacity. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Set the maximum number of processes per pod. If <code>-1</code>, the kubelet defaults to the node allocatable PID capacity. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置每个 Pod 中的最大进程数目。如果为 -1，则 kubelet 使用节点可分配的 PID 容量作为默认值。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1914,13 +1898,13 @@ Set the maximum number of processes per pod.  If <code>-1</code>, the kubelet de
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Number of Pods per core that can run on this Kubelet. The total number of Pods on this Kubelet cannot exceed <code>--max-pods</code>, so <code>--max-pods</code> will be used if this calculation results in a larger number of Pods allowed on the Kubelet. A value of <code>0</code> disables this limit. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Number of Pods per core that can run on this kubelet. The total number of pods on this kubelet cannot exceed <code>--max-pods</code>, so <code>--max-pods</code> will be used if this calculation results in a larger number of pods allowed on the kubelet. A value of <code>0</code> disables this limit. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 在每个处理器核上可运行的 Pod 数量。此 kubelet 上的 Pod 总数不能超过
 <code>--max-pods</code> 标志值。因此，如果此计算结果导致在 kubelet 
 上允许更多数量的 Pod，则使用 <code>--max-pods</code> 值。值为 0 表示不作限制。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1930,11 +1914,11 @@ kubelet 在每个处理器核上可运行的 Pod 数量。此 kubelet 上的 Pod
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The port for the Kubelet to serve on. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The port for the kubelet to serve on. (DEPRECATED: This parameter should be set via the config file specified by the kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 服务监听的本机端口号。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1944,12 +1928,12 @@ kubelet 服务监听的本机端口号。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Default kubelet behaviour for kernel tuning. If set, kubelet errors if any of kernel tunables is different than kubelet defaults. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置 kubelet 的默认内核调整行为。如果已设置该参数，当任何内核可调参数与
 kubelet 默认值不同时，kubelet 都会出错。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1959,11 +1943,11 @@ kubelet 默认值不同时，kubelet 都会出错。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Unique identifier for identifying the node in a machine database, i.e cloud provider. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Unique identifier for identifying the node in a machine database, i.e cloud provider. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置主机数据库（即，云驱动）中用来标识节点的唯一标识。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1973,13 +1957,13 @@ Unique identifier for identifying the node in a machine database, i.e cloud prov
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Alpha feature&gt; A set of <code><resource name>=<percentage></code> (e.g. <code>memory=50%</code>) pairs that describe how pod resource requests are reserved at the QoS level. Currently only memory is supported. Requires the <code>QOSReserved</code> feature gate to be enabled. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+&lt;Warning: Alpha feature&gt; A set of <code>&lt;resource name&gt;=&lt;percentage&gt;</code> (e.g. <code>memory=50%</code>) pairs that describe how pod resource requests are reserved at the QoS level. Currently only <code>memory</code> is supported. Requires the <code>QOSReserved</code> feature gate to be enabled. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 &lt;警告：alpha 特性&gt; 设置在指定的 QoS 级别预留的 Pod 资源请求，以一组
 <code>"资源名称=百分比"</code> 的形式进行设置，例如 <code>memory=50%</code>。
 当前仅支持内存（memory）。要求启用 <code>QOSReserved</code> 特性门控。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1989,11 +1973,11 @@ Unique identifier for identifying the node in a machine database, i.e cloud prov
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The read-only port for the Kubelet to serve on with no authentication/authorization (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The read-only port for the kubelet to serve on with no authentication/authorization (set to <code>0</code> to disable). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 可以在没有身份验证/鉴权的情况下提供只读服务的端口（设置为 0 表示禁用）。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2016,12 +2000,12 @@ If true, when panics occur crash. Intended for testing. (DEPRECATED: will be rem
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Register the node with the API server. If <code>--kubeconfig</code> is not provided, this flag is irrelevant, as the Kubelet won't have an API server to register with. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Register the node with the API server. If <code>--kubeconfig</code> is not provided, this flag is irrelevant, as the Kubelet won't have an API server to register with. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 向 API 服务器注册节点，如果未提供 <code>--kubeconfig</code>，此标志无关紧要，
 因为 Kubelet 没有 API 服务器可注册。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2044,11 +2028,12 @@ Register the node as schedulable. Won't have any effect if <code>--register-node
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Register the node with the given list of taints (comma separated <code><key>=<value>:<effect></code>). No-op if <code>--register-node</code> is <code>false</code>. (DEPRECATED: will be removed in a future version)
+Register the node with the given list of taints (comma separated <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>). No-op if <code>--register-node</code> is <code>false</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置本节点的污点标记，格式为 <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>，
 以逗号分隔。当 <code>--register-node</code> 为 false 时此标志无效。
-已弃用：将在未来版本中移除。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2058,12 +2043,12 @@ Register the node with the given list of taints (comma separated <code><key>=<va
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding <code>--registry-qps</code>. Only used if <code>--registry-qps > 0</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding <code>--registry-qps</code>. Only used if <code>--registry-qps</code> is greater than 0. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置突发性镜像拉取的个数上限，在不超过 <code>--registration-qps</code> 设置值的前提下
 暂时允许此参数所给的镜像拉取个数。仅在 <code>--registry-qps</code> 大于 0 时使用。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2073,11 +2058,11 @@ Maximum size of a bursty pulls, temporarily allows pulls to burst to this number
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If &gt; 0, limit registry pull QPS to this value.  If <code>0</code>, unlimited. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If &gt; 0, limit registry pull QPS to this value.  If <code>0</code>, unlimited. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 如此值大于 0，可用来限制镜像仓库的 QPS 上限。设置为 0，表示不受限制。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2087,13 +2072,13 @@ If &gt; 0, limit registry pull QPS to this value.  If <code>0</code>, unlimited.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A comma-separated list of CPUs or CPU ranges that are reserved for system and kubernetes usage. This specific list will supersede cpu counts in <code>--system-reserved</code> and <code>--kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A comma-separated list of CPUs or CPU ranges that are reserved for system and kubernetes usage. This specific list will supersede cpu counts in <code>--system-reserved</code> and <code>--kube-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用逗号分隔的一组 CPU 或 CPU 范围列表，给出为系统和 Kubernetes 保留使用的 CPU。
 此列表所给出的设置优先于通过 <code>--system-reserved</code> 和
 <code>--kube-reskube-reserved</code> 所保留的 CPU 个数配置。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2103,13 +2088,13 @@ A comma-separated list of CPUs or CPU ranges that are reserved for system and ku
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A comma-separated list of memory reservations for NUMA nodes. (e.g. <code>--reserved-memory 0:memory=1Gi,hugepages-1M=2Gi --reserved-memory 1:memory=2Gi</code>). The total sum for each memory type should be equal to the sum of <code>--kube-reserved</code>, <code>--system-reserved</code> and <code>--eviction-threshold</code>. See https://kubernetes.io/docs/tasks/administer-cluster/memory-manager/#reserved-memory-flag for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A comma-separated list of memory reservations for NUMA nodes. (e.g. <code>--reserved-memory 0:memory=1Gi,hugepages-1M=2Gi --reserved-memory 1:memory=2Gi</code>). The total sum for each memory type should be equal to the sum of <code>--kube-reserved</code>, <code>--system-reserved</code> and <code>--eviction-threshold</code>. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/memory-manager/#reserved-memory-flag">here</a> for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-以逗号分隔的 NUMA 节点内存预留列表。（例如 <code>--reserved-memory 0:memory=1Gi,hugepages-1M=2Gi --reserved-memory 1:memory=2Gi</code>）。 
+以逗号分隔的 NUMA 节点内存预留列表。（例如 <code>--reserved-memory 0:memory=1Gi,hugepages-1M=2Gi --reserved-memory 1:memory=2Gi</code>）。
 每种内存类型的总和应该等于<code>--kube-reserved</code>、<code>--system-reserved</code>和<code>--eviction-threshold</之和 代码>。
 <a href="https://kubernetes.io/docs/tasks/administer-cluster/memory-manager/#reserved-memory-flag">了解更多详细信息。</a>
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2119,11 +2104,11 @@ A comma-separated list of memory reservations for NUMA nodes. (e.g. <code>--rese
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Resolver configuration file used as the basis for the container DNS resolution configuration. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Resolver configuration file used as the basis for the container DNS resolution configuration. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 名字解析服务的配置文件名，用作容器 DNS 解析配置的基础。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2145,12 +2130,12 @@ Directory path for managing kubelet files (volume mounts, etc).
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Beta feature&gt; Auto rotate the kubelet client certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+&lt;Warning: Beta feature&gt; Auto rotate the kubelet client certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 &lt;警告：Beta 特性&gt; 设置当客户端证书即将过期时 kubelet 自动从
 <code>kube-apiserver</code> 请求新的证书进行轮换。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2160,13 +2145,13 @@ Directory path for managing kubelet files (volume mounts, etc).
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Auto-request and rotate the kubelet serving certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. Requires the <code>RotateKubeletServerCertificate</code> feature gate to be enabled, and approval of the submitted <code>CertificateSigningRequest</code> objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Auto-request and rotate the kubelet serving certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. Requires the <code>RotateKubeletServerCertificate</code> feature gate to be enabled, and approval of the submitted <code>CertificateSigningRequest</code> objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 当 kubelet 的服务证书即将过期时自动从 kube-apiserver 请求新的证书进行轮换。
 要求启用 <code>RotateKubeletServerCertificate</code> 特性门控，以及对提交的
 <code>CertificateSigningRequest</code> 对象进行批复（Approve）操作。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2176,12 +2161,12 @@ Auto-request and rotate the kubelet serving certificates by requesting new certi
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If <code>true</code>, exit after spawning pods from local manifests or remote urls. Exclusive with <code>--enable-server</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+If <code>true</code>, exit after spawning pods from local manifests or remote urls. Exclusive with <code>--enable-server</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)<
 -->
-设置为 true 表示从本地清单或远程 URL 创建完 Pod 后立即退出 kubelet 进程。
+设置为 <code>true</code> 表示从本地清单或远程 URL 创建完 Pod 后立即退出 kubelet 进程。
 与 <code>--enable-server</code> 标志互斥。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2203,26 +2188,25 @@ Optional absolute name of cgroups to create and run the runtime in.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Timeout of all runtime requests except long running request - <code>pull</code>, <code>logs</code>, <code>exec</code> and <code>attach</code>. When timeout exceeded, kubelet will cancel the request, throw out an error and retry later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Timeout of all runtime requests except long running request - <code>pull</code>, <code>logs</code>, <code>exec</code> and <code>attach</code>. When timeout exceeded, kubelet will cancel the request, throw out an error and retry later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置除了长时间运行的请求（包括 <code>pull</code>、<code>logs</code>、<code>exec</code>
 和 <code>attach</code> 等操作）之外的其他运行时请求的超时时间。
 到达超时时间时，请求会被取消，抛出一个错误并会等待重试。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--seccomp-profile-root string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>/var/lib/kubelet/seccomp</code>-->默认值：<code>/var/lib/kubelet/seccomp</code></td>
+<td colspan="2">--seccomp-default RuntimeDefault</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-&lt;Warning: Alpha feature&gt; Directory path for seccomp profiles. (DEPRECATED: will be removed in 1.24 or later, in favor of using the <code><root-dir>/seccomp</code> directory)
+<!-- 
+&lt;Warning: Alpha feature&gt; Enable the use of <code>RuntimeDefault</code> as the default seccomp profile for all workloads. The <code>SeccompDefault</code> feature gate must be enabled to allow this flag, which is disabled by default.
 -->
-&lt;警告：alpha 特性&gt; seccomp 配置文件目录。
-已弃用：将在 1.23 或更高版本中移除，以使用 <code>&lt;root-dir&gt;/seccomp</code> 目录。
+&lt;警告：alpha 特性&gt; 启用 <code>RuntimeDefault</code> 作为所有工作负载的默认 seccomp 配置文件。<code>SeccompDefault</code> 特性门控必须启用以允许此标志，默认情况下禁用。
 </td>
 </tr>
 
@@ -2232,12 +2216,12 @@ Timeout of all runtime requests except long running request - <code>pull</code>,
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version &lt; 1.9 or an <code>aufs</code> storage backend. Issue #10959 has more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version &lt; 1.9 or an <code>aufs</code> storage backend. Issue #10959 has more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 逐一拉取镜像。建议 *不要* 在 docker 守护进程版本低于 1.9 或启用了 Aufs 存储后端的节点上
 更改默认值。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2247,10 +2231,10 @@ Pull images one at a time. We recommend *not* changing the default value on node
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If true, avoid header prefixes in the log messages. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+If <code>true</code>, avoid header prefixes in the log messages. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
-设置为 true 时在日志消息中去掉标头前缀。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+设置为 <code>true</code> 时在日志消息中去掉标头前缀。
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -2260,10 +2244,10 @@ If true, avoid header prefixes in the log messages. (DEPRECATED: will be removed
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If true, avoid headers when opening log files. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+If <code>true</code>, avoid headers when opening log files. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
-设置为 true，打开日志文件时去掉标头。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+设置为 <code>true</code>，打开日志文件时去掉标头。
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -2273,10 +2257,10 @@ If true, avoid headers when opening log files. (DEPRECATED: will be removed in a
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-logs at or above this threshold go to stderr. (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+logs at or above this threshold go to stderr. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
 -->
 设置严重程度达到或超过此阈值的日志输出到标准错误输出。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>）
+（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
 </td>
 </tr>
 
@@ -2286,13 +2270,13 @@ logs at or above this threshold go to stderr. (DEPRECATED: will be removed in a
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Maximum time a streaming connection can be idle before the connection is automatically closed. <code>0</code> indicates no timeout. Example: <code>5m</code>. Note: All connections to the kubelet server have a maximum duration of 4 hours.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Maximum time a streaming connection can be idle before the connection is automatically closed. <code>0</code> indicates no timeout. Example: <code>5m</code>. Note: All connections to the kubelet server have a maximum duration of 4 hours.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置流连接在自动关闭之前可以空闲的最长时间。0 表示没有超时限制。
 例如：<code>5m</code>。
 注意：与 kubelet 服务器的所有连接最长持续时间为 4 小时。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2302,11 +2286,11 @@ Maximum time a streaming connection can be idle before the connection is automat
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Max period between synchronizing running containers and config. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Max period between synchronizing running containers and config. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 在运行中的容器与其配置之间执行同步操作的最长时间间隔。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2316,12 +2300,12 @@ Max period between synchronizing running containers and config. (DEPRECATED: Thi
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Optional absolute name of cgroups in which to place all non-kernel processes that are not already inside a cgroup under <code>/</code>. Empty for no container. Rolling back the flag requires a reboot. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Optional absolute name of cgroups in which to place all non-kernel processes that are not already inside a cgroup under <code>'/'</code>. Empty for no container. Rolling back the flag requires a reboot. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 此标志值为一个 cgroup 的绝对名称，用于所有尚未放置在根目录下某 cgroup 内的非内核进程。
 空值表示不指定 cgroup。回滚该参数需要重启机器。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2331,15 +2315,15 @@ Optional absolute name of cgroups in which to place all non-kernel processes tha
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of <code><resource name>=<resource quantity></code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for non-kubernetes components. Currently only <code>cpu</code> and <code>memory</code> are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+A set of <code>&lt;resource name&gt;=&lt;resource quantity&gt;</code> (e.g. <code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>) pairs that describe resources reserved for non-kubernetes components. Currently only <code>cpu</code> and <code>memory</code> are supported. See <a href="http://kubernetes.io/docs/user-guide/compute-resources">here</a> for more detail. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 系统预留的资源配置，以一组 <code>资源名称=资源数量</code> 的格式表示，
 （例如：<code>cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid='100'</code>）。
 目前仅支持 <code>cpu</code> 和 <code>memory</code> 的设置。
 更多细节可参考
-<a href="http://kubernetes.io/zh/docs/concepts/configuration/manage-resources-containers/">相关文档</a>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+<a href="http://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/">相关文档</a>。
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2349,13 +2333,13 @@ A set of <code><resource name>=<resource quantity></code> (e.g. <code>cpu=200m,m
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Absolute name of the top level cgroup that is used to manage non-kubernetes components for which compute resources were reserved via <code>--system-reserved</code> flag. Ex. <code>/system-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Absolute name of the top level cgroup that is used to manage non-kubernetes components for which compute resources were reserved via <code>--system-reserved</code> flag. Ex. <code>/system-reserved</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 此标志给出一个顶层 cgroup 绝对名称，该 cgroup 用于管理非 kubernetes 组件，
 这些组件的计算资源通过 <code>--system-reserved</code> 标志进行预留。
 例如 <code>"/system-reserved"</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2365,15 +2349,15 @@ Absolute name of the top level cgroup that is used to manage non-kubernetes comp
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If <code>--tls-cert-file</code> and <code>--tls-private-key-file</code> are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to <code>--cert-dir</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If <code>--tls-cert-file</code> and <code>--tls-private-key-file</code> are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to <code>--cert-dir</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 包含 x509 证书的文件路径，用于 HTTPS 认证。
 如果有中间证书，则中间证书要串接在在服务器证书之后。
 如果未提供 <code>--tls-cert-file</code> 和 <code>--tls-private-key-file</code>，
 kubelet 会为公开地址生成自签名证书和密钥，并将其保存到通过
 <code>--cert-dir</code> 指定的目录中。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2388,15 +2372,15 @@ Preferred values:
 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384<br/>
 Insecure values:
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
-(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 服务器端加密算法列表，以逗号分隔。如果不设置，则使用 Go 语言加密包的默认算法列表。<br/>
 首选算法：
 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384 <br/>
 不安全算法：
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2406,12 +2390,12 @@ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_E
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Minimum TLS version supported. Possible values: <code>VersionTLS10</code>, <code>VersionTLS11</code>, <code>VersionTLS12</code>, <code>VersionTLS13</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Minimum TLS version supported. Possible values: <code>VersionTLS10</code>, <code>VersionTLS11</code>, <code>VersionTLS12</code>, <code>VersionTLS13</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置支持的最小 TLS 版本号，可选的版本号包括：<code>VersionTLS10</code>、
 <code>VersionTLS11</code>、<code>VersionTLS12</code> 和 <code>VersionTLS13</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2421,11 +2405,11 @@ Minimum TLS version supported. Possible values: <code>VersionTLS10</code>, <code
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-File containing x509 private key matching <code>--tls-cert-file</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+File containing x509 private key matching <code>--tls-cert-file</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 包含与 <code>--tls-cert-file</code> 对应的 x509 私钥文件路径。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2435,12 +2419,12 @@ File containing x509 private key matching <code>--tls-cert-file</code>. (DEPRECA
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Topology Manager policy to use. Possible values: <code>none</code>, <code>best-effort</code>, <code>restricted</code>, <code>single-numa-node</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Topology Manager policy to use. Possible values: <code>'none'</code>, <code>'best-effort'</code>, <code>'restricted'</code>, <code>'single-numa-node'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置拓扑管理策略（Topology Manager policy）。可选值包括：<code>none</code>、
 <code>best-effort</code>、<code>restricted</code> 和 <code>single-numa-node</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2450,13 +2434,13 @@ Topology Manager policy to use. Possible values: <code>none</code>, <code>best-e
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: 'container' (default), 'pod'. (default "container") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: <code>'container'</code>, <code>'pod'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 拓扑提示信息使用范围。拓扑管理器从提示提供者（Hints Providers）处收集提示信息，
 并将其应用到所定义的范围以确保 Pod 准入。
 可选值包括：<code>container</code>（默认）、<code>pod</code>。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2502,11 +2486,11 @@ Comma-separated list of <code>pattern=N</code> settings for file-filtered loggin
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The full path of the directory in which to search for additional third party volume plugins. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+The full path of the directory in which to search for additional third party volume plugins. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用来搜索第三方存储卷插件的目录。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -2516,12 +2500,12 @@ The full path of the directory in which to search for additional third party vol
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes. To disable volume calculations, set to <code>0</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
+Specifies interval for kubelet to calculate and cache the volume disk usage for all pods and volumes. To disable volume calculations, set to <code>0</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 指定 kubelet 计算和缓存所有 Pod 和卷的磁盘用量总值的时间间隔。要禁用磁盘用量计算，
 请设置为 0。
-已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-（<a href="https://kubernetes.io/zh/docs/tasks/administer-cluster/kubelet-config-file/">进一步了解</a>）
+（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 </tbody>
diff --git a/content/zh/docs/reference/config-api/_index.md b/content/zh-cn/docs/reference/config-api/_index.md
similarity index 100%
rename from content/zh/docs/reference/config-api/_index.md
rename to content/zh-cn/docs/reference/config-api/_index.md
diff --git a/content/zh/docs/reference/config-api/apiserver-audit.v1.md b/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
similarity index 83%
rename from content/zh/docs/reference/config-api/apiserver-audit.v1.md
rename to content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
index 245096e999ba1..e7bc19c4f68d0 100644
--- a/content/zh/docs/reference/config-api/apiserver-audit.v1.md
+++ b/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
@@ -34,7 +34,9 @@ auto_generated: true
 <!--
 Event captures all the information that can be included in an API audit log.
 -->
+<p>
 Event 结构包含可出现在 API 审计日志中的所有信息。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -48,16 +50,20 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 </td>
 <td>
    <!--AuditLevel at which event was generated-->
+   <p>
    生成事件所对应的审计级别。
+   </p>
 </td>
 </tr>
     
 <tr><td><code>auditID</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/types#UID"><code>k8s.io/apimachinery/pkg/types.UID</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/types#UID"><code>k8s.io/apimachinery/pkg/types.UID</code></a>
 </td>
 <td>
    <!--Unique audit ID, generated for each request.-->
+   <p>
    为每个请求所生成的唯一审计 ID。
+   </p>
 </td>
 </tr>
     
@@ -66,7 +72,9 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 </td>
 <td>
    <!--Stage of the request handling when this event instance was generated.-->
+   <p>
    生成此事件时请求的处理阶段。
+   </p>
 </td>
 </tr>
     
@@ -75,7 +83,9 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 </td>
 <td>
    <!--RequestURI is the request URI as sent by the client to a server.-->
+   <p>
    requestURI 是客户端发送到服务器端的请求 URI。
+   </p>
 </td>
 </tr>
     
@@ -86,7 +96,9 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <td>
    <!--Verb is the kubernetes verb associated with the request.
    For non-resource requests, this is the lower-cased HTTP method.-->
+   <p>
    verb 是与请求对应的 Kubernetes 动词。对于非资源请求，此字段为 HTTP 方法的小写形式。
+   </p>
 </td>
 </tr>
     
@@ -95,7 +107,9 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 </td>
 <td>
    <!--Authenticated user information.-->
+   <p>
    关于认证用户的信息。
+   </p>
 </td>
 </tr>
 
@@ -104,7 +118,9 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 </td>
 <td>
    <!--Impersonated user information.-->
+   <p>
    关于所伪装（impersonated）的用户的信息。
+   </p>
 </td>
 </tr>
 
@@ -112,8 +128,37 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <code>[]string</code>
 </td>
 <td>
-   <!--Source IPs, from where the request originated and intermediate proxies.-->
+   <!--
+   Source IPs, from where the request originated and intermediate proxies.
+   The source IPs are listed from (in order):
+   -->
+   <p>
    发起请求和中间代理的源 IP 地址。
+   源 IP 从以下（按顺序）列出：
+   </p>
+<ol>
+<li>
+<!--
+X-Forwarded-For request header IPs
+-->
+X-Forwarded-For 请求标头 IP
+</li>
+<li>
+<!--
+X-Real-Ip header, if not present in the X-Forwarded-For list
+-->
+X-Real-Ip 标头，如果 X-Forwarded-For 列表中不存在
+</li>
+<li>
+<!--
+The remote address for the connection, if it doesn't match the last
+IP in the list up to here (X-Forwarded-For or X-Real-Ip).
+Note: All but the last IP can be arbitrarily set by the client.
+-->
+连接的远程地址，如果它无法与此处列表中的最后一个 IP（X-Forwarded-For 或 X-Real-Ip）匹配。
+注意：除最后一个 IP 外的所有 IP 均可由客户端任意设置。
+</li>
+</ol>
 </td>
 </tr>
 
@@ -124,8 +169,10 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <td>
    <!--UserAgent records the user agent string reported by the client.
    Note that the UserAgent is provided by the client, and must not be trusted.-->
+   <p>
    userAgent 中记录客户端所报告的用户代理（User Agent）字符串。
    注意 userAgent 信息是由客户端提供的，一定不要信任。
+   </p>
 </td>
 </tr>
 
@@ -135,7 +182,9 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <td>
    <!-- Object reference this request is targeted at.
    Does not apply for List-type requests, or non-resource requests.-->
+   <p>
    此请求所指向的对象引用。对于 List 类型的请求或者非资源请求，此字段可忽略。
+   </p>
 </td>
 </tr>
 
@@ -146,40 +195,46 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
    <!--The response status, populated even when the ResponseObject is not a Status type.
    For successful responses, this will only include the Code and StatusSuccess.
    For non-status type error responses, this will be auto-populated with the error Message.-->
+   <p>
    响应的状态，当 responseObject 不是 Status 类型时被赋值。
    对于成功的请求，此字段仅包含 code 和 statusSuccess。
    对于非 Status 类型的错误响应，此字段会被自动赋值为出错信息。
+   </p>
 </td>
 </tr>
 
 <tr><td><code>requestObject</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/runtime#Unknown"><code>k8s.io/apimachinery/pkg/runtime.Unknown</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime#Unknown"><code>k8s.io/apimachinery/pkg/runtime.Unknown</code></a>
 </td>
 <td>
    <!--API object from the request, in JSON format. The RequestObject is recorded as-is in the request
 (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
 merging. It is an external versioned object type, and may not be a valid object on its own.
 Omitted for non-resource requests.  Only logged at Request Level and higher.-->
+   <p>
    来自请求的 API 对象，以 JSON 格式呈现。requestObject 在请求中按原样记录
    （可能会采用 JSON 重新编码），之后会进入版本转换、默认值填充、准入控制以及
    配置信息合并等阶段。此对象为外部版本化的对象类型，甚至其自身可能并不是一个
    合法的对象。对于非资源请求，此字段被忽略。
-   只有当审计级别为 Request 或更高的时候才会记录。   
+   只有当审计级别为 Request 或更高的时候才会记录。 
+   </p>  
 </td>
 </tr>
     
   
 <tr><td><code>responseObject</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/runtime#Unknown"><code>k8s.io/apimachinery/pkg/runtime.Unknown</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime#Unknown"><code>k8s.io/apimachinery/pkg/runtime.Unknown</code></a>
 </td>
 <td>
    <!--API object returned in the response, in JSON. The ResponseObject is recorded after conversion
 to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
 at Response Level.-->
+   <p>
    响应中包含的 API 对象，以 JSON 格式呈现。requestObject 是在被转换为外部类型
    并序列化为 JSON 格式之后才被记录的。
    对于非资源请求，此字段会被忽略。
    只有审计级别为 Response 时才会记录。
+   </p>
 </td>
 </tr>
 
@@ -188,7 +243,9 @@ at Response Level.-->
 </td>
 <td>
    <!--Time the request reached the apiserver.-->
+   <p>
    请求到达 API 服务器时的时间。
+   </p>
 </td>
 </tr>
 
@@ -197,7 +254,9 @@ at Response Level.-->
 </td>
 <td>
    <!--Time the request reached current audit stage.-->
+   <p>
    请求到达当前审计阶段时的时间。
+   </p>
 </td>
 </tr>
 
@@ -211,6 +270,7 @@ at Response Level.-->
    to the metadata.annotations of the submitted object. Keys should uniquely identify the informing
    component to avoid name collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values
    should be short. Annotations are included in the Metadata level.-->
+   <p>
    annotations 是一个无结构的键-值映射，其中保存的是一个审计事件。
    该事件可以由请求处理链路上的插件来设置，包括身份认证插件、鉴权插件以及
    准入控制插件等。
@@ -220,6 +280,7 @@ at Response Level.-->
    （例如 podsecuritypolicy.admission.k8s.io/policy）。
    映射中的键值应该比较简洁。
    当审计级别为 Metadata 时会包含 annotations 字段。
+   </p>
 </td>
 </tr>
 </tbody>
@@ -230,7 +291,9 @@ at Response Level.-->
 <!--    
 EventList is a list of audit Events.
 -->
+<p>
 EventList 是审计事件（Event）的列表。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -270,7 +333,9 @@ EventList 是审计事件（Event）的列表。
 Policy defines the configuration of audit logging, and the rules for how different request
 categories are logged.
 -->
+<p>
 Policy 定义的是审计日志的配置以及不同类型请求的日志记录规则。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -284,7 +349,9 @@ Policy 定义的是审计日志的配置以及不同类型请求的日志记录
 </td>
 <td>
    <!--ObjectMeta is included for interoperability with API infrastructure.Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field.-->
+   <p>
    包含 <code>metadata</code> 字段是为了便于与 API 基础设施之间实现互操作。
+   </p>
    参考 Kubernetes API 文档了解 <code>metadata</code> 字段的详细信息。
 </td>
 </tr>
@@ -297,11 +364,13 @@ Policy 定义的是审计日志的配置以及不同类型请求的日志记录
 A request may match multiple rules, in which case the FIRST matching rule is used.
 The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
 PolicyRules are strictly ordered.-->
+   <p>
    字段 rules 设置请求要被记录的审计级别（level）。
    每个请求可能会与多条规则相匹配；发生这种状况时遵从第一条匹配规则。
    默认的审计级别是 None，不过可以在列表的末尾使用一条全抓（catch-all）规则
    重载其设置。
    列表中的规则（PolicyRule）是严格有序的。
+   </p>
 </td>
 </tr>
 
@@ -311,9 +380,34 @@ PolicyRules are strictly ordered.-->
 <td>
    <!--OmitStages is a list of stages for which no events are created. Note that this can also
    be specified per rule in which case the union of both are omitted.-->
+   <p>
    字段 omitStages 是一个阶段（Stage）列表，其中包含无须生成事件的阶段。
    注意这一选项也可以通过每条规则来设置。
    审计组件最终会忽略出现在 omitStages 中阶段，也会忽略规则中的阶段。
+   </p>
+</td>
+</tr>
+
+
+<tr>
+<td>
+<code>omitManagedFields</code><br/>
+<code>bool</code>
+</td>
+<td>
+<!--
+OmitManagedFields indicates whether to omit the managed fields of the request
+and response bodies from being written to the API audit log.
+This is used as a global default - a value of 'true' will omit the managed fileds,
+otherwise the managed fields will be included in the API audit log.
+Note that this can also be specified per rule in which case the value specified
+in a rule will override the global default.
+-->
+<p>
+omitManagedFields 标明将请求和响应主体写入 API 审计日志时，是否省略其托管字段。
+此字段值用作全局默认值 - 'true' 值将省略托管字段，否则托管字段将包含在 API 审计日志中。
+请注意，也可以按规则指定此值，在这种情况下，规则中指定的值将覆盖全局默认值。
+</p>
 </td>
 </tr>
 </tbody>
@@ -324,7 +418,9 @@ PolicyRules are strictly ordered.-->
 <!--
 PolicyList is a list of audit Policies.
 -->
+<p>
 PolicyList 是由审计策略（Policy）组成的列表。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -363,7 +459,9 @@ PolicyList 是由审计策略（Policy）组成的列表。
 <!--
 GroupResources represents resource kinds in an API group.
 -->
+<p>
 GroupResources 代表的是某 API 组中的资源类别。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -384,28 +482,39 @@ GroupResources 代表的是某 API 组中的资源类别。
 <code>[]string</code>
 </td>
 <td>
-   <!--Resources is a list of resources this rule applies to.
-
+<!--
+Resources is a list of resources this rule applies to.
 For example:
 'pods' matches pods.
 'pods/log' matches the log subresource of pods.
 '&lowast;' matches all resources and their subresources.
 'pods/&lowast;' matches all subresources of pods.
-'&lowast;/scale' matches all scale subresources.-->
-   字段 resources 是此规则所适用的资源的列表。<br/>
+'&lowast;/scale' matches all scale subresources.
+-->
+   <p>
+   字段 resources 是此规则所适用的资源的列表。
+   </p>
+   <br/>
+   <p>
    例如：<br/>
    'pods' 匹配 Pods；<br/>
    'pods/log' 匹配 Pods 的 log 子资源；<br/>
    '&lowast;' 匹配所有资源及其子资源；<br/>
    'pods/&lowast;' 匹配 Pods 的所有子资源；<br/>
    '&lowast;/scale' 匹配所有的 scale 子资源。<br/><br/>
+   </p>
 
    <!--If wildcard is present, the validation rule will ensure resources do not
    overlap with each other.
 
    An empty list implies all resources and subresources in this API groups apply.-->
-   如果存在通配符，则合法性检查逻辑会确保 resources 中的条目不会彼此重叠。<br/>
+   <p>
+   如果存在通配符，则合法性检查逻辑会确保 resources 中的条目不会彼此重叠。
+   </p>
+   <br/>
+   <p>
    空的列表意味着规则适用于该 API 组中的所有资源及其子资源。
+   </p>
 </td>
 </tr>
 
@@ -416,9 +525,11 @@ For example:
    <!--ResourceNames is a list of resource instance names that the policy matches.
    Using this field requires Resources to be specified.
    An empty list implies that every instance of the resource is matched.-->
+   <p>
    字段 resourceNames 是策略将匹配的资源实例名称列表。
    使用此字段时，<code>resources</code> 必须指定。
    空的 resourceNames 列表意味着资源的所有实例都会匹配到此策略。
+   </p>
 </td>
 </tr>
 </tbody>
@@ -442,7 +553,9 @@ For example:
 <!--
 Level defines the amount of information logged during auditing
 -->
+<p>
 Level 定义的是审计过程中在日志内记录的信息量。
+</p>
 
 ## `ObjectReference`     {#audit-k8s-io-v1-ObjectReference}
 
@@ -456,7 +569,9 @@ Level 定义的是审计过程中在日志内记录的信息量。
 <!--
 ObjectReference contains enough information to let you inspect or modify the referred object.
 -->
+<p>
 ObjectReference 包含的是用来检查或修改所引用对象时将需要的全部信息。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -487,7 +602,7 @@ ObjectReference 包含的是用来检查或修改所引用对象时将需要的
 </tr>
 
 <tr><td><code>uid</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/types#UID"><code>k8s.io/apimachinery/pkg/types.UID</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/types#UID"><code>k8s.io/apimachinery/pkg/types.UID</code></a>
 </td>
 <td>
    <span class="text-muted"><!--No description provided.-->资源对象的唯一标识（UID）。</span>
@@ -500,8 +615,10 @@ ObjectReference 包含的是用来检查或修改所引用对象时将需要的
 <td>
    <!--APIGroup is the name of the API group that contains the referred object.
    The empty string represents the core API group.-->
+   <p>
    字段 apiGroup 给出包含所引用对象的 API 组的名称。
    空字符串代表 <code>core</code> API 组。
+   </p>
 </td>
 </tr>
 
@@ -510,7 +627,9 @@ ObjectReference 包含的是用来检查或修改所引用对象时将需要的
 </td>
 <td>
    <!--APIVersion is the version of the API group that contains the referred object.-->
+   <p>
    字段 apiVersion 是包含所引用对象的 API 组的版本。
+   </p>
 </td>
 </tr>
 
@@ -545,8 +664,10 @@ ObjectReference 包含的是用来检查或修改所引用对象时将需要的
 PolicyRule maps requests based off metadata to an audit Level.
 Requests must match the rules of every field (an intersection of rules).
 -->
+<p>
 PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别。
 请求必须与每个字段所定义的规则都匹配（即 rules 的交集）才被视为匹配。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -557,7 +678,9 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 </td>
 <td>
    <!--The Level that requests matching this rule are recorded at.-->
+   <p>
    与此规则匹配的请求所对应的日志记录级别（Level）。
+   </p>
 </td>
 </tr>
 
@@ -567,8 +690,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <td>
    <!--The users (by authenticated user name) this rule applies to.
    An empty list implies every user.-->
+   <p>
    根据身份认证所确定的用户名的列表，给出此规则所适用的用户。
    空列表意味着适用于所有用户。
+   </p>
 </td>
 </tr>
 
@@ -579,8 +704,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
    <!--The user groups this rule applies to. A user is considered matching
    if it is a member of any of the UserGroups.
    An empty list implies every user group.-->
+   <p>
    此规则所适用的用户组的列表。如果用户是所列用户组中任一用户组的成员，则视为匹配。
    空列表意味着适用于所有用户组。
+   </p>
 </td>
 </tr>
 
@@ -590,8 +717,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <td>
    <!--The verbs that match this rule.
    An empty list implies every verb.-->
+   <p>
    此规则所适用的动词（verb）列表。
    空列表意味着适用于所有动词。
+   </p>
 </td>
 </tr>
 
@@ -600,8 +729,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 </td>
 <td>
    <!--Resources that this rule matches. An empty list implies all kinds in all API groups.-->
+   <p>
    此规则所适用的资源类别列表。
    空列表意味着适用于 API 组中的所有资源类别。
+   </p>
 </td>
 </tr>
 
@@ -610,12 +741,14 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 </td>
 <td>
    <!--Namespaces that this rule matches.
-   The empty string "" matches non-namespaced resources.
+   The empty string &quot;&quot; matches non-namespaced resources.
    An empty list implies every namespace.-->
    </td>
+   <p>
    此规则所适用的名字空间列表。
-   空字符串（""）意味着适用于非名字空间作用域的资源。
+   空字符串（&quot;&quot;）意味着适用于非名字空间作用域的资源。
    空列表意味着适用于所有名字空间。
+   </p>
 </tr>
 
 <tr><td><code>nonResourceURLs</code><br/>
@@ -627,11 +760,13 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
    Examples:
    "/metrics" - Log requests for apiserver metrics
    "/healthz&lowast;" - Log all health checks-->
+   <p>
    字段 nonResourceURLs 给出一组需要被审计的 URL 路径。
    允许使用 &lowast;，但只能作为路径中最后一个完整分段。<br/>
    例如：<br/>
    "/metrics" - 记录对 API 服务器度量值（metrics）的所有请求；<br/>
    "/healthz&lowast;" - 记录所有健康检查请求。
+   </p>
 </td>
 </tr>
 
@@ -642,12 +777,44 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
    <!--OmitStages is a list of stages for which no events are created. Note that this can also
    be specified policy wide in which case the union of both are omitted.
    An empty list means no restrictions will apply.-->
+   <p>
    字段 omitStages 是一个阶段（Stage）列表，针对所列的阶段服务器不会生成审计事件。
    注意这一选项也可以在策略（Policy）级别指定。服务器审计组件会忽略
    omitStages 中给出的阶段，也会忽略策略中给出的阶段。
    空列表意味着不对阶段作任何限制。
-</td>
-</tr>
+   </p>
+</td>
+</tr>
+
+
+ <tr>
+ <td><code>omitManagedFields</code><br/>
+ <code>bool</code>
+ </td>
+ <td>
+ <!--
+ OmitManagedFields indicates whether to omit the managed fields of the request
+ and response bodies from being written to the API audit log.
+ a value of 'true' will drop the managed fields from the API audit log
+ a value of 'false' indicates that the managed fileds should be included in the API audit log
+ Note that the value, if specified, in this rule will override the global default
+ If a value is not specified then the global default specified in
+ Policy.OmitManagedFields will stand.
+ -->
+ <p>
+ omitManagedFields 决定将请求和响应主体写入 API 审计日志时，是否省略其托管字段。
+ </p>
+ <ul>
+ <li>值为 'true' 将从 API 审计日志中删除托管字段</li>
+ <li>
+ 值为 'false' 表示托管字段应包含在 API 审计日志中
+ 请注意，如果指定此规则中的值将覆盖全局默认值。
+ 如果未指定，则使用 policy.omitManagedFields 中指定的全局默认值。
+ </li>
+ </ul>
+ </td>
+ </tr>
+
 </tbody>
 </table>
 
@@ -670,5 +837,7 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <!--
 Stage defines the stages in request handling that audit events may be generated.
 -->
+<p>
 Stage 定义在请求处理过程中可以生成审计事件的阶段。
+</p>
 
diff --git a/content/zh/docs/reference/config-api/apiserver-config.v1.md b/content/zh-cn/docs/reference/config-api/apiserver-config.v1.md
similarity index 100%
rename from content/zh/docs/reference/config-api/apiserver-config.v1.md
rename to content/zh-cn/docs/reference/config-api/apiserver-config.v1.md
diff --git a/content/zh/docs/reference/config-api/apiserver-config.v1alpha1.md b/content/zh-cn/docs/reference/config-api/apiserver-config.v1alpha1.md
similarity index 100%
rename from content/zh/docs/reference/config-api/apiserver-config.v1alpha1.md
rename to content/zh-cn/docs/reference/config-api/apiserver-config.v1alpha1.md
diff --git a/content/zh/docs/reference/config-api/apiserver-encryption.v1.md b/content/zh-cn/docs/reference/config-api/apiserver-encryption.v1.md
similarity index 100%
rename from content/zh/docs/reference/config-api/apiserver-encryption.v1.md
rename to content/zh-cn/docs/reference/config-api/apiserver-encryption.v1.md
diff --git a/content/zh-cn/docs/reference/config-api/apiserver-eventratelimit.v1alpha1.md b/content/zh-cn/docs/reference/config-api/apiserver-eventratelimit.v1alpha1.md
new file mode 100644
index 0000000000000..32503d37fb6e1
--- /dev/null
+++ b/content/zh-cn/docs/reference/config-api/apiserver-eventratelimit.v1alpha1.md
@@ -0,0 +1,152 @@
+---
+title: Event Rate Limit Configuration (v1alpha1)
+content_type: tool-reference
+package: eventratelimit.admission.k8s.io/v1alpha1
+---
+
+<!--
+## Resource Types
+-->
+## 资源类型  {#resource-types}
+
+- [Configuration](#eventratelimit-admission-k8s-io-v1alpha1-Configuration)
+
+## `Configuration`     {#eventratelimit-admission-k8s-io-v1alpha1-Configuration}
+
+<!--
+<p>Configuration provides configuration for the EventRateLimit admission
+controller.</p>
+-->
+<p>Configuration 为 EventRateLimit 准入控制器提供配置数据。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>apiVersion</code><br/>string</td><td><code>eventratelimit.admission.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>Configuration</code></td></tr>
+
+<tr><td><code>limits</code> <B>[Required]</B><br/>
+<a href="#eventratelimit-admission-k8s-io-v1alpha1-Limit"><code>[]Limit</code></a>
+</td>
+<td>
+  <!--
+   <p>limits are the limits to place on event queries received.
+Limits can be placed on events received server-wide, per namespace,
+per user, and per source+object.
+At least one limit is required.</p>
+  -->
+  <p>limits 是为所接收到的事件查询设置的限制。可以针对服务器端接收到的事件设置限制，
+按逐个名字空间、逐个用户、或逐个来源+对象组合的方式均可以。
+至少需要设置一种限制。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `Limit`     {#eventratelimit-admission-k8s-io-v1alpha1-Limit}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [Configuration](#eventratelimit-admission-k8s-io-v1alpha1-Configuration)
+
+<!--
+<p>Limit is the configuration for a particular limit type</p>
+-->
+<p>Limit 是为特定限制类型提供的配置数据。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>type</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#eventratelimit-admission-k8s-io-v1alpha1-LimitType"><code>LimitType</code></a>
+</td>
+<td>
+  <!--
+   <p>type is the type of limit to which this configuration applies</p>
+  -->
+  <p>type 是此配置所适用的限制的类型。</p>
+</td>
+</tr>
+<tr><td><code>qps</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
+</td>
+<td>
+  <!--
+   <p>qps is the number of event queries per second that are allowed for this
+type of limit. The qps and burst fields are used together to determine if
+a particular event query is accepted. The qps determines how many queries
+are accepted once the burst amount of queries has been exhausted.</p>
+  -->
+   <p>qps 是针对此类型的限制每秒钟所允许的事件查询次数。qps 和 burst
+字段一起用来确定是否特定的事件查询会被接受。qps 确定的是当超出查询数量的
+burst 值时可以接受的查询个数。</p>
+</td>
+</tr>
+<tr><td><code>burst</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
+</td>
+<td>
+  <!--
+   <p>burst is the burst number of event queries that are allowed for this type
+of limit. The qps and burst fields are used together to determine if a
+particular event query is accepted. The burst determines the maximum size
+of the allowance granted for a particular bucket. For example, if the burst
+is 10 and the qps is 3, then the admission control will accept 10 queries
+before blocking any queries. Every second, 3 more queries will be allowed.
+If some of that allowance is not used, then it will roll over to the next
+second, until the maximum allowance of 10 is reached.</p>
+  -->
+   <p>burst 是针对此类型限制的突发事件查询数量。qps 和 burst 字段一起使用可用来确定特定的事件查询是否被接受。
+burst 字段确定针对特定的事件桶（bucket）可以接受的规模上限。
+例如，如果 burst 是 10，qps 是 3，那么准入控制器会在接收 10 个查询之后阻塞所有查询。
+每秒钟可以额外允许 3 个查询。如果这一限额未被用尽，则剩余的限额会被顺延到下一秒钟，
+直到再次达到 10 个限额的上限。</p>
+</td>
+</tr>
+<tr><td><code>cacheSize</code><br/>
+<code>int32</code>
+</td>
+<td>
+  <!--
+   <p>cacheSize is the size of the LRU cache for this type of limit. If a bucket
+is evicted from the cache, then the allowance for that bucket is reset. If
+more queries are later received for an evicted bucket, then that bucket
+will re-enter the cache with a clean slate, giving that bucket a full
+allowance of burst queries.</p>
+<p>The default cache size is 4096.</p>
+<p>If limitType is 'server', then cacheSize is ignored.</p>
+  -->
+   <p>cacheSize 是此类型限制的 LRU 缓存的规模。如果某个事件桶（bucket）被从缓存中剔除，
+该事件桶所对应的限额也会被重置。如果后来再次收到针对某个已被剔除的事件桶的查询，
+则该事件桶会重新以干净的状态进入缓存，因而获得全量的突发查询配额。</p>
+  <p>默认的缓存大小是 4096。</p>
+  <p>如果 limitType 是 “server”，则 cacheSize 设置会被忽略。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LimitType`     {#eventratelimit-admission-k8s-io-v1alpha1-LimitType}
+
+<!--
+(Alias of `string`)
+
+**Appears in:**
+-->
+（`string` 类型的别名）
+
+**出现在：**
+
+- [Limit](#eventratelimit-admission-k8s-io-v1alpha1-Limit)
+
+<!--
+<p>LimitType is the type of the limit (e.g., per-namespace)</p>
+-->
+<p>LimitType 是限制类型（例如：per-namespace）。</p>
+
+
diff --git a/content/zh/docs/reference/config-api/apiserver-webhookadmission.v1.md b/content/zh-cn/docs/reference/config-api/apiserver-webhookadmission.v1.md
similarity index 100%
rename from content/zh/docs/reference/config-api/apiserver-webhookadmission.v1.md
rename to content/zh-cn/docs/reference/config-api/apiserver-webhookadmission.v1.md
diff --git a/content/zh/docs/reference/config-api/client-authentication.v1.md b/content/zh-cn/docs/reference/config-api/client-authentication.v1.md
similarity index 100%
rename from content/zh/docs/reference/config-api/client-authentication.v1.md
rename to content/zh-cn/docs/reference/config-api/client-authentication.v1.md
diff --git a/content/zh/docs/reference/config-api/client-authentication.v1beta1.md b/content/zh-cn/docs/reference/config-api/client-authentication.v1beta1.md
similarity index 100%
rename from content/zh/docs/reference/config-api/client-authentication.v1beta1.md
rename to content/zh-cn/docs/reference/config-api/client-authentication.v1beta1.md
diff --git a/content/zh-cn/docs/reference/config-api/imagepolicy.v1alpha1.md b/content/zh-cn/docs/reference/config-api/imagepolicy.v1alpha1.md
new file mode 100644
index 0000000000000..9c02384d349f8
--- /dev/null
+++ b/content/zh-cn/docs/reference/config-api/imagepolicy.v1alpha1.md
@@ -0,0 +1,210 @@
+---
+title: Image Policy API (v1alpha1)
+content_type: tool-reference
+package: imagepolicy.k8s.io/v1alpha1
+---
+
+<!--
+## Resource Types
+-->
+## 资源类型   {#resource-types}
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+## `ImageReview`     {#imagepolicy-k8s-io-v1alpha1-ImageReview}
+
+<!--
+<p>ImageReview checks if the set of images in a pod are allowed.</p>
+-->
+<p>ImageReview 检查某个 Pod 中是否可以使用某些镜像。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>apiVersion</code><br/>string</td><td><code>imagepolicy.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>ImageReview</code></td></tr>
+
+<tr><td><code>metadata</code><br/>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a>
+</td>
+<td>
+  <!--
+   <p>Standard object's metadata.
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p>
+Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field.</td>
+  -->
+  <p>标准的对象元数据。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p>
+  参阅 Kubernetes API 文档了解 <code>metadata</code> 字段的内容。
+</td>
+
+</tr>
+<tr><td><code>spec</code> <B>[必需]</B><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec"><code>ImageReviewSpec</code></a>
+</td>
+<td>
+  <!--
+   <p>Spec holds information about the pod being evaluated</p>
+  -->
+  <p>spec 中包含与被评估的 Pod 相关的信息。</p>
+</td>
+</tr>
+<tr><td><code>status</code><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewStatus"><code>ImageReviewStatus</code></a>
+</td>
+<td>
+  <!--
+   <p>Status is filled in by the backend and indicates whether the pod should be allowed.</p>
+  -->
+  <p>status 由后台负责填充，用来标明 Pod 是否会被准入。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewContainerSpec`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewContainerSpec}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [ImageReviewSpec](#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec)
+
+<!--
+<p>ImageReviewContainerSpec is a description of a container within the pod creation request.</p>
+-->
+<p>ImageReviewContainerSpec 是对 Pod 创建请求中的某容器的描述。</p>
+
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>image</code><br/>
+<code>string</code>
+</td>
+<td>
+  <!--
+   <p>This can be in the form image:tag or image@SHA:012345679abcdef.</p>
+  -->
+  <p>此字段的格式可以是 image:tag 或 image@SHA:012345679abcdef。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewSpec`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+<!--
+<p>ImageReviewSpec is a description of the pod creation request.</p>
+-->
+<p>ImageReviewSpec 是对 Pod 创建请求的描述。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>containers</code><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewContainerSpec"><code>[]ImageReviewContainerSpec</code></a>
+</td>
+<td>
+  <!--
+   <p>Containers is a list of a subset of the information in each container of the Pod being created.</p>
+  -->
+  <p>containers 是一个列表，其中包含正被创建的 Pod 中各容器的信息子集。</p>
+</td>
+</tr>
+<tr><td><code>annotations</code><br/>
+<code>map[string]string</code>
+</td>
+<td>
+  <!--
+   <p>Annotations is a list of key-value pairs extracted from the Pod's annotations.
+It only includes keys which match the pattern <code>*.image-policy.k8s.io/*</code>.
+It is up to each webhook backend to determine how to interpret these annotations, if at all.</p>
+  -->
+  <p>annotations 是一个键值对列表，内容抽取自 Pod 的注解（annotations）。
+其中仅包含与模式 <code>*.image-policy.k8s.io/*</code> 匹配的键。
+每个 Webhook 后端要负责决定如何解释这些注解（如果有的话）。</p>
+
+</td>
+</tr>
+<tr><td><code>namespace</code><br/>
+<code>string</code>
+</td>
+<td>
+  <!--
+   <p>Namespace is the namespace the pod is being created in.</p>
+  -->
+  <p>namespace 是 Pod 创建所针对的名字空间。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewStatus`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewStatus}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+<!--
+<p>ImageReviewStatus is the result of the review for the pod creation request.</p>
+-->
+<p>ImageReviewStatus 是针对 Pod 创建请求所作的评估结果。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>allowed</code> <B>[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+  <!--
+   <p>Allowed indicates that all images were allowed to be run.</p>
+  -->
+  <p>allowed 表明所有镜像都可以被运行。</p>
+</td>
+</tr>
+<tr><td><code>reason</code><br/>
+<code>string</code>
+</td>
+<td>
+  <!--
+   <p>Reason should be empty unless Allowed is false in which case it
+may contain a short description of what is wrong.  Kubernetes
+may truncate excessively long errors when displaying to the user.</p>
+  -->
+  <p>若 <code>allowed</code> 不是 false，<code>reason</code> 应该为空。
+否则其中应包含出错信息的简短描述。Kubernetes 在向用户展示此信息时可能会截断过长的错误文字。</p>
+</td>
+</tr>
+<tr><td><code>auditAnnotations</code><br/>
+<code>map[string]string</code>
+</td>
+<td>
+  <!--
+   <p>AuditAnnotations will be added to the attributes object of the
+admission controller request using 'AddAnnotation'.  The keys should
+be prefix-less (i.e., the admission controller will add an
+appropriate prefix).</p>
+  -->
+  <p>auditAnnotations 会被通过 <code>AddAnnotation</code> 添加到准入控制器的 attributes 对象上。
+注解键应该不含前缀，换言之，准入控制器会添加合适的前缀。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/config-api/kube-proxy-config.v1alpha1.md b/content/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1.md
similarity index 52%
rename from content/zh/docs/reference/config-api/kube-proxy-config.v1alpha1.md
rename to content/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1.md
index 1c89395b51001..d0c388f054b77 100644
--- a/content/zh/docs/reference/config-api/kube-proxy-config.v1alpha1.md
+++ b/content/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1.md
@@ -41,7 +41,8 @@ KubeProxyConfiguration 包含用来配置 Kubernetes 代理服务器的所有配
    <!--
    featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
    -->
-   featureGates 是一个功能特性名称到布尔值的映射表，用来启用或者禁用测试性质的功能特性。
+   <p><code>featureGates</code> 字段是一个功能特性名称到布尔值的映射表，
+   用来启用或者禁用测试性质的功能特性。</p>
 </td>
 </tr>
 <tr><td><code>bindAddress</code> <B><!--[Required]-->[必需]</B><br/>
@@ -52,8 +53,8 @@ KubeProxyConfiguration 包含用来配置 Kubernetes 代理服务器的所有配
    bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
 for all interfaces)
    -->
-   bindAddress 是代理服务器提供服务时所用 IP 地址（设置为 0.0.0.0
-时意味着在所有网络接口上提供服务）。
+   <p><code>bindAddress</code> 字段是代理服务器提供服务时所用 IP 地址（设置为 0.0.0.0
+时意味着在所有网络接口上提供服务）。</p>
 </td>
 </tr>
 <tr><td><code>healthzBindAddress</code> <B><!--[Required]-->[必需]</B><br/>
@@ -64,8 +65,8 @@ for all interfaces)
    healthzBindAddress is the IP address and port for the health check server to serve on,
 defaulting to 0.0.0.0:10256
    -->
-   healthzBindAddress 是健康状态检查服务器提供服务时所使用的的 IP 地址和端口，
-   默认设置为 '0.0.0.0:10256'。
+   <p><code>healthzBindAddress</code> 字段是健康状态检查服务器提供服务时所使用的的 IP 地址和端口，
+   默认设置为 '0.0.0.0:10256'。</p>
 </td>
 </tr>
 <tr><td><code>metricsBindAddress</code> <B><!--[Required]-->[必需]</B><br/>
@@ -76,8 +77,8 @@ defaulting to 0.0.0.0:10256
    metricsBindAddress is the IP address and port for the metrics server to serve on,
 defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
    -->
-   metricsBindAddress 是度量值服务器提供服务时所使用的的 IP 地址和端口，
-   默认设置为 '127.0.0.1:10249'（设置为 0.0.0.0 意味着在所有接口上提供服务）。
+   <p><code>metricsBindAddress</code> 字段是度量值服务器提供服务时所使用的的 IP 地址和端口，
+   默认设置为 '127.0.0.1:10249'（设置为 0.0.0.0 意味着在所有接口上提供服务）。</p>
 </td>
 </tr>
 <tr><td><code>bindAddressHardFail</code> <B><!--[Required]-->[必需]</B><br/>
@@ -87,7 +88,8 @@ defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
    <!--
    bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit
    -->
-   bindAddressHardFail 设置为 true 时，kube-proxy 将无法绑定到某端口这类问题视为致命错误并直接退出。
+   <p><code>bindAddressHardFail</code> 字段设置为 true 时，
+   kube-proxy 将无法绑定到某端口这类问题视为致命错误并直接退出。</p>
 </td>
 </tr>
 <tr><td><code>enableProfiling</code> <B><!--[Required]-->[必需]</B><br/>
@@ -98,8 +100,8 @@ defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
    enableProfiling enables profiling via web interface on /debug/pprof handler.
 Profiling handlers will be handled by metrics server.
    -->
-   enableProfiling 通过 '/debug/pprof' 处理程序在 Web 界面上启用性能分析。
-   性能分析处理程序将由度量值服务器执行。
+   <p><code>enableProfiling</code> 字段通过 '/debug/pprof' 处理程序在 Web 界面上启用性能分析。
+   性能分析处理程序将由度量值服务器执行。</p>
 </td>
 </tr>
 <tr><td><code>clusterCIDR</code> <B><!--[Required]-->[必需]</B><br/>
@@ -111,8 +113,9 @@ Profiling handlers will be handled by metrics server.
 bridge traffic coming from outside of the cluster. If not provided,
 no off-cluster bridging will be performed.
    -->
-   clusterCIDR 是集群中 Pods 所使用的 CIDR 范围。这一地址范围用于对来自集群外的请求
-   流量进行桥接。如果未设置，则 kube-proxy 不会对非集群内部的流量做桥接。
+   <p><code>clusterCIDR</code> 字段是集群中 Pods 所使用的 CIDR 范围。
+   这一地址范围用于对来自集群外的请求流量进行桥接。
+   如果未设置，则 kube-proxy 不会对非集群内部的流量做桥接。</p>
 </td>
 </tr>
 <tr><td><code>hostnameOverride</code> <B><!--[Required]-->[必需]</B><br/>
@@ -122,7 +125,8 @@ no off-cluster bridging will be performed.
    <!--
    hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
    -->
-   hostnameOverride 非空时，所给的字符串（而不是实际的主机名）将被用作 kube-proxy 的标识。
+   <p><code>hostnameOverride</code> 字段非空时，
+   所给的字符串（而不是实际的主机名）将被用作 kube-proxy 的标识。</p>
 </td>
 </tr>
 <tr><td><code>clientConnection</code> <B><!--[Required]-->[必需]</B><br/>
@@ -133,7 +137,8 @@ no off-cluster bridging will be performed.
    clientConnection specifies the kubeconfig file and client connection settings for the proxy
 server to use when communicating with the apiserver.
    -->
-   clientConnection 给出代理服务器与 API 服务器通信时要使用的 kubeconfig 文件和客户端链接设置。
+   <p><code>clientConnection</code> 字段给出代理服务器与 API
+   服务器通信时要使用的 kubeconfig 文件和客户端链接设置。</p>
 </td>
 </tr>
 <tr><td><code>iptables</code> <B><!--[Required]-->[必需]</B><br/>
@@ -143,7 +148,7 @@ server to use when communicating with the apiserver.
    <!--
    iptables contains iptables-related configuration options.
    -->
-   iptables 字段包含与 iptables 相关的配置选项。
+   <p><code>iptables</code> 字段字段包含与 iptables 相关的配置选项。</p>
 </td>
 </tr>
 <tr><td><code>ipvs</code> <B><!--[Required]-->[必需]</B><br/>
@@ -153,7 +158,7 @@ server to use when communicating with the apiserver.
    <!--
    ipvs contains ipvs-related configuration options.
    -->
-   ipvs 中包含与 ipvs 相关的配置选项。
+   <p><code>ipvs</code> 字段中包含与 ipvs 相关的配置选项。</p>
 </td>
 </tr>
 <tr><td><code>oomScoreAdj</code> <B><!--[Required]-->[必需]</B><br/>
@@ -164,8 +169,8 @@ server to use when communicating with the apiserver.
    oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
 the range [-1000, 1000]
    -->
-   oomScoreAdj 是为 kube-proxy 进程所设置的 oom-score-adj 值。
-   此设置值必须介于 [-1000, 1000] 范围内。
+   <p><code>oomScoreAdj</code> 字段是为 kube-proxy 进程所设置的 oom-score-adj 值。
+   此设置值必须介于 [-1000, 1000] 范围内。</p>
 </td>
 </tr>
 <tr><td><code>mode</code> <B><!--[Required]-->[必需]</B><br/>
@@ -175,7 +180,7 @@ the range [-1000, 1000]
    <!--
    mode specifies which proxy mode to use.
    -->
-   mode 用来设置将使用的代理模式。
+   <p><code>mode</code> 字段用来设置将使用的代理模式。</p>
 </td>
 </tr>
 <tr><td><code>portRange</code> <B><!--[Required]-->[必需]</B><br/>
@@ -186,20 +191,20 @@ the range [-1000, 1000]
    portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
 in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
    -->
-   portRange 是主机端口的范围，形式为 ‘beginPort-endPort’（包含边界），
-   用来设置代理服务所使用的端口。如果未指定（即‘0-0’），则代理服务会随机选择端口号。
+   <p><code>portRange</code> 字段是主机端口的范围，形式为 ‘beginPort-endPort’（包含边界），
+   用来设置代理服务所使用的端口。如果未指定（即‘0-0’），则代理服务会随机选择端口号。</p>
 </td>
 </tr>
 <tr><td><code>udpIdleTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
 Must be greater than 0. Only applicable for proxyMode=userspace.
    -->
-   udpIdleTimeout 用来设置 UDP 链接保持活跃的时长（例如，'250ms'、'2s'）。
-   此值必须大于 0。此字段仅适用于 mode 值为 'userspace' 的场合。
+   <p><code>udpIdleTimeout</code> 字段用来设置 UDP 链接保持活跃的时长（例如，'250ms'、'2s'）。
+   此值必须大于 0。此字段仅适用于 mode 值为 'userspace' 的场合。</p>
 </td>
 </tr>
 <tr><td><code>conntrack</code> <B><!--[Required]-->[必需]</B><br/>
@@ -209,18 +214,18 @@ Must be greater than 0. Only applicable for proxyMode=userspace.
    <!--
    conntrack contains conntrack-related configuration options.
    -->
-   conntrack 包含与 conntrack 相关的配置选项。
+   <p><code>conntrack</code> 字段包含与 conntrack 相关的配置选项。</p>
 </td>
 </tr>
 <tr><td><code>configSyncPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
 than 0.
    -->
-   configSyncPeriod 是从 API 服务器刷新配置的频率。此值必须大于 0。
+   <p><code>configSyncPeriod</code> 字段是从 API 服务器刷新配置的频率。此值必须大于 0。</p>
 </td>
 </tr>
 <tr><td><code>nodePortAddresses</code> <B><!--[Required]-->[必需]</B><br/>
@@ -236,13 +241,15 @@ If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface f
 If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
 An empty string slice is meant to select all network interfaces.
    -->
-   nodePortAddresses 是 kube-proxy 进程的 <code>--nodeport-addresses</code> 命令行参数设置。
+   <p><code>nodePortAddresses</code> 字段是 kube-proxy 进程的
+   <code>--nodeport-addresses</code> 命令行参数设置。
    此值必须是合法的 IP 段。所给的 IP 段会作为参数来选择 NodePort 类型服务所使用的接口。
    如果有人希望将本地主机（Localhost）上的服务暴露给本地访问，同时暴露在某些其他网络接口上
    以实现某种目标，可以使用 IP 段的列表。
-   如果此值被设置为 "127.0.0.0/8"，则 kube-proxy 将仅为 NodePort 服务选择本地回路（loopback）接口。
+   如果此值被设置为 &quot;127.0.0.0/8&quot;，则 kube-proxy 将仅为 NodePort
+   服务选择本地回路（loopback）接口。
    如果此值被设置为非零的 IP 段，则 kube-proxy 会对 IP 作过滤，仅使用适用于当前节点的 IP 地址。
-   空的字符串列表意味着选择所有网络接口。
+   空的字符串列表意味着选择所有网络接口。</p>
 </td>
 </tr>
 <tr><td><code>winkernel</code> <B><!--[Required]-->[必需]</B><br/>
@@ -252,7 +259,7 @@ An empty string slice is meant to select all network interfaces.
    <!--
    winkernel contains winkernel-related configuration options.
    -->
-   winkernel 包含与 winkernel 相关的配置选项。
+   <p><code>winkernel</code> 字段包含与 winkernel 相关的配置选项。</p>
 </td>
 </tr>
 <tr><td><code>showHiddenMetricsForVersion</code> <B><!--[Required]-->[必需]</B><br/>
@@ -262,8 +269,8 @@ An empty string slice is meant to select all network interfaces.
    <!--
    ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.
    -->
-   showHiddenMetricsForVersion 给出的是一个 Kubernetes 版本号字符串，用来设置你希望
-   显示隐藏度量值的版本。
+   <p><code>showHiddenMetricsForVersion</code> 字段给出的是一个 Kubernetes 版本号字符串，
+   用来设置你希望显示隐藏度量值的版本。</p>
 </td>
 </tr>
 <tr><td><code>detectLocalMode</code> <B><!--[Required]-->[必需]</B><br/>
@@ -273,7 +280,66 @@ An empty string slice is meant to select all network interfaces.
    <!--
    DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
    -->
-   detectLocalMode 用来确定检测本地流量的方式，默认为 LocalModeClusterCIDR。
+   <p><code>detectLocalMode</code> 字段用来确定检测本地流量的方式，默认为 LocalModeClusterCIDR。</p>
+</td>
+</tr>
+<tr><td><code>detectLocal</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubeproxy-config-k8s-io-v1alpha1-DetectLocalConfiguration"><code>DetectLocalConfiguration</code></a>
+</td>
+<td>
+<!--
+DetectLocal contains optional configuration settings related to DetectLocalMode.
+-->
+   <p><code>detectLocal</code> 字段包含与 DetectLocalMode 相关的可选配置设置。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `DetectLocalConfiguration`     {#kubeproxy-config-k8s-io-v1alpha1-DetectLocalConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
+
+<!--
+DetectLocalConfiguration contains optional settings related to DetectLocalMode option
+-->
+DetectLocalConfiguration 包含与 DetectLocalMode 选项相关的可选设置。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>bridgeInterface</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+BridgeInterface is a string argument which represents a single bridge interface name.
+Kube-proxy considers traffic as local if originating from this given bridge.
+This argument should be set if DetectLocalMode is set to LocalModeBridgeInterface.
+-->
+   <p><code>bridgeInterface</code> 字段是一个表示单个桥接接口名称的字符串参数。
+   Kube-proxy 将来自这个给定桥接接口的流量视为本地流量。
+   如果 DetectLocalMode 设置为 LocalModeBridgeInterface，则应设置该参数。</p>
+</td>
+</tr>
+<tr><td><code>interfaceNamePrefix</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+InterfaceNamePrefix is a string argument which represents a single interface prefix name.
+Kube-proxy considers traffic as local if originating from one or more interfaces which match
+the given prefix. This argument should be set if DetectLocalMode is set to LocalModeInterfaceNamePrefix.
+-->
+   <p><code>interfaceNamePrefix</code> 字段是一个表示单个接口前缀名称的字符串参数。
+   Kube-proxy 将来自一个或多个与给定前缀匹配的接口流量视为本地流量。
+   如果 DetectLocalMode 设置为 LocalModeInterfaceNamePrefix，则应设置该参数。</p>
 </td>
 </tr>
 </tbody>
@@ -306,8 +372,8 @@ KubeProxyConntrackConfiguration 包含为 Kubernetes 代理服务器提供的 co
    maxPerCore is the maximum number of NAT connections to track
 per CPU core (0 to leave the limit as-is and ignore min).
    -->
-   maxPerCore 是每个 CPU 核所跟踪的 NAT 链接个数上限
-   （0 意味着保留当前上限限制并忽略 min 字段设置值）。
+   <p><code>maxPerCore</code> 字段是每个 CPU 核所跟踪的 NAT 链接个数上限
+   （0 意味着保留当前上限限制并忽略 min 字段设置值）。</p>
 </td>
 </tr>
 <tr><td><code>min</code> <B><!--[Required]-->[必需]</B><br/>
@@ -318,24 +384,24 @@ per CPU core (0 to leave the limit as-is and ignore min).
    min is the minimum value of connect-tracking records to allocate,
 regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).
    -->
-   min 给出要分配的链接跟踪记录个数下限。
-   设置此值时会忽略 maxPerCore 的值（将 maxPerCore 设置为 0 时不会调整上限值）。
+   <p><code>min</code> 字段给出要分配的链接跟踪记录个数下限。
+   设置此值时会忽略 maxPerCore 的值（将 maxPerCore 设置为 0 时不会调整上限值）。</p>
 </td>
 </tr>
 <tr><td><code>tcpEstablishedTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    tcpEstablishedTimeout is how long an idle TCP connection will be kept open
 (e.g. '2s').  Must be greater than 0 to set.
    -->
-   tcpEstablishedTimeout 给出空闲 TCP 连接的保留时间（例如，'2s'）。
-   此值必须大于 0。
+   <p><code>tcpEstablishedTimeout</code> 字段给出空闲 TCP 连接的保留时间（例如，'2s'）。
+   此值必须大于 0。</p>
 </td>
 </tr>
 <tr><td><code>tcpCloseWaitTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
@@ -343,9 +409,9 @@ regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).
 in CLOSE_WAIT state will remain in the conntrack
 table. (e.g. '60s'). Must be greater than 0 to set.
    -->
-   tcpCloseWaitTimeout 用来设置空闲的、处于 CLOSE_WAIT 状态的 conntrack 条目
+   <p><code>tcpCloseWaitTimeout</code> 字段用来设置空闲的、处于 CLOSE_WAIT 状态的 conntrack 条目
    保留在 conntrack 表中的时间长度（例如，'60s'）。
-   此设置值必须大于 0。
+   此设置值必须大于 0。</p>
 </td>
 </tr>
 </tbody>
@@ -378,8 +444,8 @@ KubeProxyIPTablesConfiguration 包含用于 Kubernetes 代理服务器的、与
    masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
 the pure iptables proxy mode. Values must be within the range [0, 31].
    -->
-   masqueradeBit 是 iptables fwmark 空间中的具体一位，用来在纯 iptables 代理模式下
-   设置 SNAT。此值必须介于 [0, 31]（含边界值）。
+   <p><code>masqueradeBit</code> 字段是 iptables fwmark 空间中的具体一位，
+   用来在纯 iptables 代理模式下设置 SNAT。此值必须介于 [0, 31]（含边界值）。</p>
 </td>
 </tr>
 <tr><td><code>masqueradeAll</code> <B><!--[Required]-->[必需]</B><br/>
@@ -389,30 +455,31 @@ the pure iptables proxy mode. Values must be within the range [0, 31].
    <!--
    masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
    -->
-   masqueradeAll 用来通知 kube-proxy 在使用纯 iptables 代理模式时对所有流量执行
-   SNAT 操作。
+   <p><code>masqueradeAll</code> 字段用来通知 kube-proxy
+   在使用纯 iptables 代理模式时对所有流量执行 SNAT 操作。</p>
 </td>
 </tr>
 <tr><td><code>syncPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
 '2h22m').  Must be greater than 0.
    -->
-   syncPeriod 给出 iptables 规则的刷新周期（例如，'5s'、'1m'、'2h22m'）。
-   此值必须大于 0。
+   <p><code>syncPeriod</code> 字段给出 iptables
+   规则的刷新周期（例如，'5s'、'1m'、'2h22m'）。此值必须大于 0。</p>
 </td>
 </tr>
 <tr><td><code>minSyncPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').
    -->
-   minSyncPeriod 给出 iptables 规则被刷新的最小周期（例如，'5s'、'1m'、'2h22m'）。
+   <p><code>minSyncPeriod</code> 字段给出 iptables
+   规则被刷新的最小周期（例如，'5s'、'1m'、'2h22m'）。</p>
 </td>
 </tr>
 </tbody>
@@ -438,25 +505,25 @@ KubeProxyIPVSConfiguration 包含用于 Kubernetes 代理服务器的、与 ipvs
 <tbody>
  
 <tr><td><code>syncPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m',
 '2h22m').  Must be greater than 0.
    -->
-   syncPeriod 给出 ipvs 规则的刷新周期（例如，'5s'、'1m'、'2h22m'）。
-   此值必须大于 0。
+   <p><code>syncPeriod</code> 字段给出 ipvs 规则的刷新周期（例如，'5s'、'1m'、'2h22m'）。
+   此值必须大于 0。</p>
 </td>
 </tr>
 <tr><td><code>minSyncPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m').
    -->
-   minSyncPeriod 给出 ipvs 规则被刷新的最小周期（例如，'5s'、'1m'、'2h22m'）。
+   <p><code>minSyncPeriod</code> 字段给出 ipvs 规则被刷新的最小周期（例如，'5s'、'1m'、'2h22m'）。</p>
 </td>
 </tr>
 <tr><td><code>scheduler</code> <B><!--[Required]-->[必需]</B><br/>
@@ -466,7 +533,7 @@ KubeProxyIPVSConfiguration 包含用于 Kubernetes 代理服务器的、与 ipvs
    <!--
    ipvs scheduler
    -->
-   IPVS 调度器。
+   <p>IPVS 调度器。</p>
 </td>
 </tr>
 <tr><td><code>excludeCIDRs</code> <B><!--[Required]-->[必需]</B><br/>
@@ -477,7 +544,7 @@ KubeProxyIPVSConfiguration 包含用于 Kubernetes 代理服务器的、与 ipvs
    excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch
 when cleaning up ipvs services.
    -->
-   excludeCIDRs 取值为一个 CIDR 列表，ipvs 代理程序在清理 IPVS 服务时不应触碰这些 IP 地址。
+   <p><code>excludeCIDRs</code> 字段取值为一个 CIDR 列表，ipvs 代理程序在清理 IPVS 服务时不应触碰这些 IP 地址。</p>
 </td>
 </tr>
 <tr><td><code>strictARP</code> <B><!--[Required]-->[必需]</B><br/>
@@ -488,44 +555,44 @@ when cleaning up ipvs services.
    strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries
 from kube-ipvs0 interface
    -->
-   strictARP 用来配置 arp_ignore 和 arp_announce，以避免（错误地）响应来自 kube-ipvs0 接口的
-   ARP 查询请求。
+   <p><code>strictARP</code> 字段用来配置 arp_ignore 和 arp_announce，以避免（错误地）响应来自 kube-ipvs0 接口的
+   ARP 查询请求。</p>
 </td>
 </tr>
 <tr><td><code>tcpTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    tcpTimeout is the timeout value used for idle IPVS TCP sessions.
 The default value is 0, which preserves the current timeout value on the system.
    -->
-   tcpTimeout 是用于设置空闲 IPVS TCP 会话的超时值。
-   默认值为 0，意味着使用系统上当前的超时值设置。
+   <p><code>tcpTimeout</code> 字段是用于设置空闲 IPVS TCP 会话的超时值。
+   默认值为 0，意味着使用系统上当前的超时值设置。</p>
 </td>
 </tr>
 <tr><td><code>tcpFinTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN.
 The default value is 0, which preserves the current timeout value on the system.
    -->
-   tcpFinTimeout 用来设置 IPVS TCP 会话在收到 FIN 之后的超时值。
-   默认值为 0，意味着使用系统上当前的超时值设置。
+   <p><code>tcpFinTimeout</code> 字段用来设置 IPVS TCP 会话在收到 FIN 之后的超时值。
+   默认值为 0，意味着使用系统上当前的超时值设置。</p>
 </td>
 </tr>
 <tr><td><code>udpTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    udpTimeout is the timeout value used for IPVS UDP packets.
 The default value is 0, which preserves the current timeout value on the system.
    -->
-   udpTimeout 用来设置 IPVS UDP 包的超时值。
-   默认值为 0，意味着使用系统上当前的超时值设置。
+   <p><code>udpTimeout</code> 字段用来设置 IPVS UDP 包的超时值。
+   默认值为 0，意味着使用系统上当前的超时值设置。</p>
 </td>
 </tr>
 </tbody>
@@ -558,7 +625,7 @@ KubeProxyWinkernelConfiguration 包含 Kubernetes 代理服务器的 Windows/HNS
    networkName is the name of the network kube-proxy will use
 to create endpoints and policies
    -->
-   networkName 是 kube-proxy 用来创建端点和策略的网络名称。
+   <p><code>networkName</code> 字段是 kube-proxy 用来创建端点和策略的网络名称。</p>
 </td>
 </tr>
 <tr><td><code>sourceVip</code> <B><!--[Required]-->[必需]</B><br/>
@@ -569,7 +636,7 @@ to create endpoints and policies
    sourceVip is the IP address of the source VIP endoint used for
 NAT when loadbalancing
    -->
-   sourceVip 是执行负载均衡时进行 NAT 转换所使用的源端 VIP 端点 IP 地址。
+   <p><code>sourceVip</code> 字段是执行负载均衡时进行 NAT 转换所使用的源端 VIP 端点 IP 地址。</p>
 </td>
 </tr>
 <tr><td><code>enableDSR</code> <B><!--[Required]-->[必需]</B><br/>
@@ -580,7 +647,31 @@ NAT when loadbalancing
    enableDSR tells kube-proxy whether HNS policies should be created
 with DSR
    -->
-   enableDSR 通知 kube-proxy 是否使用 DSR 来创建 HNS 策略。
+   <p><code>enableDSR</code> 字段通知 kube-proxy 是否使用 DSR 来创建 HNS 策略。</p>
+</td>
+</tr>
+<tr><td><code>rootHnsEndpointName</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+RootHnsEndpointName is the name of hnsendpoint that is attached to
+l2bridge for root network namespace
+-->
+   <p><code>rootHnsEndpointName</code>
+   字段是附加到用于根网络命名空间二层桥接的 hnsendpoint 的名称。</p>
+</td>
+</tr>
+<tr><td><code>forwardHealthCheckVip</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+<!--
+ForwardHealthCheckVip forwards service VIP for health check port on
+Windows
+-->
+   <p><code>forwardHealthCheckVip</code>
+   字段为 Windows 上的健康检查端口转发服务 VIP。</p>
 </td>
 </tr>
 </tbody>
@@ -665,6 +756,12 @@ this always falls back to the userspace proxy.
 
 - [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
 
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+
+- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
+
 <!--
 ClientConnectionConfiguration contains details for constructing a client.
 -->
@@ -681,7 +778,7 @@ ClientConnectionConfiguration 包含构造客户端所需要的细节信息。
    <!--
    kubeconfig is the path to a KubeConfig file.
    -->
-   kubeconfig 是指向一个 KubeConfig 文件的路径。
+   <p><code>kubeconfig</code> 字段是指向一个 KubeConfig 文件的路径。</p>
 </td>
 </tr>
 <tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/>
@@ -692,9 +789,9 @@ ClientConnectionConfiguration 包含构造客户端所需要的细节信息。
    acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
 default value of 'application/json'. This field will control all connections to the server used by a particular client.
    -->
-   acceptContentTypes 定义客户端在连接到服务器时所发送的 Accept 头部字段。
+   <p><code>acceptContentTypes</code> 字段定义客户端在连接到服务器时所发送的 Accept 头部字段。
    此设置值会覆盖默认配置 'application/json'。
-   此字段会控制某特定客户端与指定服务器的所有链接。
+   此字段会控制某特定客户端与指定服务器的所有链接。</p>
 </td>
 </tr>
 <tr><td><code>contentType</code> <B><!--[Required]-->[必需]</B><br/>
@@ -704,7 +801,7 @@ default value of 'application/json'. This field will control all connections to
    <!--
    contentType is the content type used when sending data to the server from this client.
    -->
-   contentType 是从此客户端向服务器发送数据时使用的内容类型（Content Type）。
+   <p><code>contentType</code> 字段是从此客户端向服务器发送数据时使用的内容类型（Content Type）。</p>
 </td>
 </tr>
 <tr><td><code>qps</code> <B><!--[Required]-->[必需]</B><br/>
@@ -714,7 +811,7 @@ default value of 'application/json'. This field will control all connections to
    <!--
    qps controls the number of queries per second allowed for this connection.
    -->
-   qps 控制此连接上每秒钟可以发送的查询请求个数。
+   <p><code>qps</code> 字段控制此连接上每秒钟可以发送的查询请求个数。</p>
 </td>
 </tr>
 <tr><td><code>burst</code> <B><!--[Required]-->[必需]</B><br/>
@@ -724,7 +821,55 @@ default value of 'application/json'. This field will control all connections to
    <!--
    burst allows extra queries to accumulate when a client is exceeding its rate.
    -->
-   允许客户端超出其速率限制时可以临时累积的额外查询个数。
+   <p><code>burst</code> 字段允许客户端超出其速率限制时可以临时累积的额外查询个数。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `DebuggingConfiguration`     {#DebuggingConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+
+- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
+
+<!--
+DebuggingConfiguration holds configuration for Debugging related features.
+-->
+DebuggingConfiguration 包含调试相关功能的配置。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>enableProfiling</code> <B>[Required]</B><br/>
+<code>bool</code>
+</td>
+<td>
+<!--
+enableProfiling enables profiling via web interface host:port/debug/pprof/
+-->
+   <p><code>enableProfiling</code> 字段通过位于 <code>host:port/debug/pprof/</code>
+   的 Web 接口启用性能分析。</p>
+</td>
+</tr>
+<tr><td><code>enableContentionProfiling</code> <B>[Required]</B><br/>
+<code>bool</code>
+</td>
+<td>
+<!--
+enableContentionProfiling enables lock contention profiling, if
+enableProfiling is true.
+-->
+   <p><code>enableContentionProfiling</code> 字段在 <code>enableProfiling</code>
+   为 true 时允许执行锁竞争分析。</p>
 </td>
 </tr>
 </tbody>
@@ -754,7 +899,7 @@ FormatOptions 包含不同日志记录格式的配置选项。
    <!--
    [Experimental] JSON contains options for logging format "json".
    -->
-   [实验特性] json 字段包含 “JSON” 日志格式的配置选项。
+   <p>[实验特性] <code>json</code> 字段包含 &quot;JSON&quot; 日志格式的配置选项。</p>
 </td>
 </tr>
 </tbody>
@@ -772,7 +917,7 @@ FormatOptions 包含不同日志记录格式的配置选项。
 <!--
 JSONOptions contains options for logging format "json".
 -->
-JSONOptions 包含“json”日志格式的配置选项。
+JSONOptions 包含 &quot;json&quot; 日志格式的配置选项。
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -788,8 +933,8 @@ JSONOptions 包含“json”日志格式的配置选项。
 info messages go to stdout, with buffering. The default is to write
 both to stdout, without buffering.
    -->
-   [实验特性] splitStream 将信息类型的信息输出到标准输出，错误信息重定向到标准
-   错误输出，并提供缓存。默认行为是将二者都输出到标准输出且不提供缓存。
+   <p>[实验特性] <code>splitStream</code> 字段将信息类型的信息输出到标准输出，错误信息重定向到标准
+   错误输出，并提供缓存。默认行为是将二者都输出到标准输出且不提供缓存。</p>
 </td>
 </tr>
 <tr><td><code>infoBufferSize</code> <B><!--[Required]-->[必需]</B><br/>
@@ -800,8 +945,220 @@ both to stdout, without buffering.
    [Experimental] InfoBufferSize sets the size of the info stream when
 using split streams. The default is zero, which disables buffering.
    -->
-   [实验特性] infoBufferSize 设置在使用分离数据流时 info 数据流的缓冲区大小。
-   默认值为 0，意味着不提供缓存。
+   <p>[实验特性] <code>infoBufferSize</code> 字段设置在使用分离数据流时 info 数据流的缓冲区大小。
+   默认值为 0，意味着不提供缓存。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LeaderElectionConfiguration`     {#LeaderElectionConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+
+- [GenericControllerManagerConfiguration](#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration)
+
+<!--
+LeaderElectionConfiguration defines the configuration of leader election
+clients for components that can run with leader election enabled.
+-->
+LeaderElectionConfiguration 为能够支持领导者选举的组件定义其领导者选举客户端的配置。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>leaderElect</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+<!--
+leaderElect enables a leader election client to gain leadership
+before executing the main loop. Enable this when running replicated
+components for high availability.
+-->
+   <p>
+   <code>leaderElect</code> 字段允许领导者选举客户端在进入主循环执行之前先获得领导者角色。
+   运行多副本组件时启用此功能有助于提高可用性。
+   </p>
+</td>
+</tr>
+<tr><td><code>leaseDuration</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+<!--
+leaseDuration is the duration that non-leader candidates will wait
+after observing a leadership renewal until attempting to acquire
+leadership of a led but unrenewed leader slot. This is effectively the
+maximum duration that a leader can be stopped before it is replaced
+by another candidate. This is only applicable if leader election is
+enabled.
+-->
+   <p>
+   <code>leaseDuration</code> 字段是非领导角色候选者在观察到需要领导席位更新时要等待的时间；
+   只有经过所设置时长才可以尝试去获得一个仍处于领导状态但需要被刷新的席位。
+   这里的设置值本质上意味着某个领导者在被另一个候选者替换掉之前可以停止运行的最长时长。
+   只有当启用了领导者选举时此字段有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>renewDeadline</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+<!--
+renewDeadline is the interval between attempts by the acting master to
+renew a leadership slot before it stops leading. This must be less
+than or equal to the lease duration. This is only applicable if leader
+election is enabled.
+-->
+   <p>
+   <code>renewDeadline</code> 字段设置的是当前领导者在停止扮演领导角色之前需要刷新领导状态的时间间隔。
+   此值必须小于或等于租约期限的长度。只有到启用了领导者选举时此字段才有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>retryPeriod</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+<!--
+retryPeriod is the duration the clients should wait between attempting
+acquisition and renewal of a leadership. This is only applicable if
+leader election is enabled.
+-->
+   <p>
+   <code>retryPeriod</code> 字段是客户端在连续两次尝试获得或者刷新领导状态之间需要等待的时长。
+   只有当启用了领导者选举时此字段才有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>resourceLock</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+resourceLock indicates the resource object type that will be used to lock
+during leader election cycles.
+-->
+   <p><code>resourceLock</code> 字段给出在领导者选举期间要作为锁来使用的资源对象类型。</p>
+</td>
+</tr>
+<tr><td><code>resourceName</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+resourceName indicates the name of resource object that will be used to lock
+during leader election cycles.
+-->
+   <p><code>resourceName</code> 字段给出在领导者选举期间要作为锁来使用的资源对象名称。</p>
+</td>
+</tr>
+<tr><td><code>resourceNamespace</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+resourceNamespace indicates the namespace of resource object that will be used to lock
+during leader election cycles.
+-->
+   <p><code>resourceNamespace</code> 字段给出在领导者选举期间要作为锁来使用的资源对象所在名字空间。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LoggingConfiguration`     {#LoggingConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+
+<!--
+LoggingConfiguration contains logging options
+Refer <a href="https://github.com/kubernetes/component-base/blob/master/logs/options.go">Logs Options</a> for more information.
+-->
+LoggingConfiguration 包含日志选项。
+参考 [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) 以了解更多信息。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>format</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+Format Flag specifies the structure of log messages.
+default value of format is <code>text</code>
+-->
+   <p><code>format</code> 字段设置日志消息的结构。默认的格式取值为 <code>text</code>。</p>
+</td>
+</tr>
+<tr><td><code>flushFrequency</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/time#Duration"><code>time.Duration</code></a>
+</td>
+<td>
+<!--
+Maximum number of nanoseconds (i.e. 1s = 1000000000) between log
+flushes.  Ignored if the selected logging backend writes log
+messages without buffering.
+-->
+   <p>对日志进行清洗的最大间隔纳秒数（例如，1s = 1000000000）。
+   如果所选的日志后端在写入日志消息时不提供缓存，则此配置会被忽略。</p>
+</td>
+</tr>
+<tr><td><code>verbosity</code> <B><!--[Required]-->[必需]</B><br/>
+<code>uint32</code>
+</td>
+<td>
+<!--
+Verbosity is the threshold that determines which log messages are
+logged. Default is zero which logs only the most important
+messages. Higher values enable additional messages. Error messages
+are always logged.
+-->
+   <p><code>verbosity</code> 字段用来确定日志消息记录的详细程度阈值。
+   默认值为 0，意味着仅记录最重要的消息。
+   数值越大，额外的消息越多。错误消息总是被记录下来。</p>
+</td>
+</tr>
+<tr><td><code>vmodule</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#VModuleConfiguration"><code>VModuleConfiguration</code></a>
+</td>
+<td>
+<!--
+VModule overrides the verbosity threshold for individual files.
+Only supported for &quot;text&quot; log format.
+-->
+   <p><code>vmodule</code> 字段会在单个文件层面重载 verbosity 阈值的设置。
+   这一选项仅支持 &quot;text&quot; 日志格式。</p>
+</td>
+</tr>
+<tr><td><code>options</code> <B>[Required]</B><br/>
+<a href="#FormatOptions"><code>FormatOptions</code></a>
+</td>
+<td>
+<!--
+[Experimental] Options holds additional parameters that are specific
+to the different logging formats. Only the options for the selected
+format get used, but all of them get validated.
+-->
+   <p>[实验特性] <code>options</code> 字段中包含特定于不同日志格式的配置参数。
+   只有针对所选格式的选项会被使用，但是合法性检查时会查看所有选项配置。</p>
 </td>
 </tr>
 </tbody>
@@ -816,9 +1173,12 @@ using split streams. The default is zero, which disables buffering.
 -->
 （`[]k8s.io/component-base/config/v1alpha1.VModuleItem` 的别名）
 
+**出现在：**
+
+- [LoggingConfiguration](#LoggingConfiguration)
+
 <!--
 VModuleConfiguration is a collection of individual file names or patterns
 and the corresponding verbosity threshold.
 -->
 VModuleConfiguration 是一组文件名或文件名模式，及其对应的日志详尽程度阈值配置。
-
diff --git a/content/zh/docs/reference/config-api/kube-scheduler-config.v1beta2.md b/content/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta2.md
similarity index 68%
rename from content/zh/docs/reference/config-api/kube-scheduler-config.v1beta2.md
rename to content/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta2.md
index 6a2ab78655af2..91a427ae40225 100644
--- a/content/zh/docs/reference/config-api/kube-scheduler-config.v1beta2.md
+++ b/content/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta2.md
@@ -26,13 +26,440 @@ auto_generated: true
 - [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta2-PodTopologySpreadArgs)
 - [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta2-VolumeBindingArgs)
 
+
+## `ClientConnectionConfiguration`     {#ClientConnectionConfiguration}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+<!--
+ClientConnectionConfiguration contains details for constructing a client.
+-->
+<p>ClientConnectionConfiguration 中包含用来构造客户端所需的细节。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+  
+<tr><td><code>kubeconfig</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   kubeconfig is the path to a KubeConfig file.
+   -->
+   <p>此字段为指向某 KubeConfig 文件的路径。</p>
+</td>
+</tr>
+<tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
+default value of 'application/json'. This field will control all connections to the server used by a particular client.
+   -->
+   <p><code>acceptContentTypes</code> 定义的是客户端与服务器建立连接时要发送的Accept 头部，
+   这里的设置值会覆盖默认值 "application/json"。
+   此字段会影响某特定客户端与服务器的所有连接。</p>
+</td>
+</tr>
+<tr><td><code>contentType</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   contentType is the content type used when sending data to the server from this client.
+   -->
+   <p>
+   <code>contentType</code> 包含的是此客户端向服务器发送数据时使用的内容类型（Content Type）。
+   </p>
+</td>
+</tr>
+<tr><td><code>qps</code> <B><!--[Required]-->[必需]</B><br/>
+<code>float32</code>
+</td>
+<td>
+   <!--
+   qps controls the number of queries per second allowed for this connection.
+   -->
+   <p><code>qps</code> 控制此连接允许的每秒查询次数。</p>
+</td>
+</tr>
+<tr><td><code>burst</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
+</td>
+<td>
+   <!--
+   burst allows extra queries to accumulate when a client is exceeding its rate.
+   -->
+   <p><code>burst</code> 允许在客户端超出其速率限制时可以累积的额外查询个数。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `DebuggingConfiguration`     {#DebuggingConfiguration}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+<!--
+DebuggingConfiguration holds configuration for Debugging related features.
+-->
+<p>DebuggingConfiguration 保存与调试功能相关的配置。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+  
+<tr><td><code>enableProfiling</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   enableProfiling enables profiling via web interface host:port/debug/pprof/
+   -->
+   <p>此字段允许通过 Web 接口 host:port/debug/pprof/ 执行性能分析。</p>
+</td>
+</tr>
+<tr><td><code>enableContentionProfiling</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   enableContentionProfiling enables lock contention profiling, if
+enableProfiling is true.
+   -->
+   <p>此字段在 <code>enableProfiling</code> 为 true 时允许执行锁竞争分析。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `FormatOptions`     {#FormatOptions}
+    
+<!--
+**Appears in:**
+-->
+
+<!--
+FormatOptions contains options for the different logging formats.
+-->
+<p>FormatOptions 中包含不同日志格式的配置选项。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>json</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#JSONOptions"><code>JSONOptions</code></a>
+</td>
+<td>
+   <!--
+   [Experimental] JSON contains options for logging format "json".
+   -->
+   <p>[实验特性] <code>json</code> 字段包含为 &quot;json&quot; 日志格式提供的配置选项。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `JSONOptions`     {#JSONOptions}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [FormatOptions](#FormatOptions)
+
+<!--
+JSONOptions contains options for logging format "json".
+-->
+<p>JSONOptions 包含为 &quot;json&quot; 日志格式所设置的配置选项。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>splitStream</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   [Experimental] SplitStream redirects error messages to stderr while
+info messages go to stdout, with buffering. The default is to write
+both to stdout, without buffering.
+   -->
+   <p>[实验特性] 此字段将错误信息重定向到标准错误输出（stderr），
+   将提示消息重定向到标准输出（stdout），并且支持缓存。
+   默认配置为将二者都输出到标准输出（stdout），且不提供缓存。</p>
+</td>
+</tr>
+<tr><td><code>infoBufferSize</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#QuantityValue"><code>k8s.io/apimachinery/pkg/api/resource.QuantityValue</code></a>
+</td>
+<td>
+   <!--
+   [Experimental] InfoBufferSize sets the size of the info stream when
+using split streams. The default is zero, which disables buffering.
+   -->
+   <p>
+   [实验特性] <code>infoBufferSize</code> 用来在分离数据流场景是设置提示信息数据流的大小。
+   默认值为 0，意味着禁止缓存。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LeaderElectionConfiguration`     {#LeaderElectionConfiguration}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+<!--
+LeaderElectionConfiguration defines the configuration of leader election
+clients for components that can run with leader election enabled.
+-->
+<p>
+LeaderElectionConfiguration 为能够支持领导者选举的组件定义其领导者选举客户端的配置。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+  
+<tr><td><code>leaderElect</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   leaderElect enables a leader election client to gain leadership
+before executing the main loop. Enable this when running replicated
+components for high availability.
+   -->
+   <p><code>leaderElect</code> 允许领导者选举客户端在进入主循环执行之前先获得领导者角色。
+   运行多副本组件时启用此功能有助于提高可用性。
+   </p>
+</td>
+</tr>
+<tr><td><code>leaseDuration</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+   <!--
+   leaseDuration is the duration that non-leader candidates will wait
+after observing a leadership renewal until attempting to acquire
+leadership of a led but unrenewed leader slot. This is effectively the
+maximum duration that a leader can be stopped before it is replaced
+by another candidate. This is only applicable if leader election is
+enabled.
+   -->
+   <p>
+   <code>leaseDuration</code> 是非领导角色候选者在观察到需要领导席位更新时要等待的时间；
+   只有经过所设置时长才可以尝试去获得一个仍处于领导状态但需要被刷新的席位。
+   这里的设置值本质上意味着某个领导者在被另一个候选者替换掉之前可以停止运行的最长时长。
+   只有当启用了领导者选举时此字段有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>renewDeadline</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+   <!--
+   renewDeadline is the interval between attempts by the acting master to
+renew a leadership slot before it stops leading. This must be less
+than or equal to the lease duration. This is only applicable if leader
+election is enabled.
+   -->
+   <p>
+   <code>renewDeadline</code> 设置的是当前领导者在停止扮演领导角色之前需要刷新领导状态的时间间隔。
+   此值必须小于或等于租约期限的长度。只有到启用了领导者选举时此字段才有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>retryPeriod</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+   <!--
+   retryPeriod is the duration the clients should wait between attempting
+acquisition and renewal of a leadership. This is only applicable if
+leader election is enabled.
+   -->
+   <p>
+   <code>retryPeriod</code> 是客户端在连续两次尝试获得或者刷新领导状态之间需要等待的时长。
+   只有当启用了领导者选举时此字段才有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>resourceLock</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   resourceLock indicates the resource object type that will be used to lock
+during leader election cycles.
+   -->
+   <p>此字段给出在领导者选举期间要作为锁来使用的资源对象类型。</p>
+</td>
+</tr>
+<tr><td><code>resourceName</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   resourceName indicates the name of resource object that will be used to lock
+during leader election cycles.
+   -->
+   <p>此字段给出在领导者选举期间要作为锁来使用的资源对象名称。</p>
+</td>
+</tr>
+<tr><td><code>resourceNamespace</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   resourceName indicates the namespace of resource object that will be used to lock
+during leader election cycles.
+   -->
+   <p>此字段给出在领导者选举期间要作为锁来使用的资源对象所在名字空间。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+
+## `LoggingConfiguration`     {#LoggingConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+
+<!--
+LoggingConfiguration contains logging options
+Refer <a href="https://github.com/kubernetes/component-base/blob/master/logs/options.go">Logs Options</a> for more information.
+-->
+<p>
+LoggingConfiguration 包含日志选项。
+参考 [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) 以了解更多信息。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>format</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+Format Flag specifies the structure of log messages.
+default value of format is <code>text</code>
+-->
+   <p><code>format</code> 设置日志消息的结构。默认的格式取值为 <code>text</code>。</p>
+</td>
+</tr>
+<tr><td><code>flushFrequency</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/time#Duration"><code>time.Duration</code></a>
+</td>
+<td>
+<!--
+Maximum number of nanoseconds (i.e. 1s = 1000000000) between log
+flushes.  Ignored if the selected logging backend writes log
+messages without buffering.
+-->
+   <p>对日志进行清洗的最大间隔纳秒数（例如，1s = 1000000000）。
+   如果所选的日志后端在写入日志消息时不提供缓存，则此配置会被忽略。</p>
+</td>
+</tr>
+<tr><td><code>verbosity</code> <B><!--[Required]-->[必需]</B><br/>
+<code>uint32</code>
+</td>
+<td>
+<!--
+Verbosity is the threshold that determines which log messages are
+logged. Default is zero which logs only the most important
+messages. Higher values enable additional messages. Error messages
+are always logged.
+-->
+   <p><code>verbosity</code> 用来确定日志消息记录的详细程度阈值。默认值为 0，
+   意味着仅记录最重要的消息。数值越大，额外的消息越多。错误消息总是被记录下来。</p>
+</td>
+</tr>
+<tr><td><code>vmodule</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#VModuleConfiguration"><code>VModuleConfiguration</code></a>
+</td>
+<td>
+<!--
+VModule overrides the verbosity threshold for individual files.
+Only supported for &quot;text&quot; log format.
+-->
+   <p><code>vmodule</code> 会在单个文件层面重载 verbosity 阈值的设置。
+   这一选项仅支持 &quot;text&quot; 日志格式。</p>
+</td>
+</tr>
+<tr><td><code>options</code> <B>[Required]</B><br/>
+<a href="#FormatOptions"><code>FormatOptions</code></a>
+</td>
+<td>
+<!--
+[Experimental] Options holds additional parameters that are specific
+to the different logging formats. Only the options for the selected
+format get used, but all of them get validated.
+-->
+   <p>[实验特性] <code>options</code> 中包含特定于不同日志格式的配置参数。
+   只有针对所选格式的选项会被使用，但是合法性检查时会查看所有选项配置。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `VModuleConfiguration`     {#VModuleConfiguration}
+
+ <!--
+(Alias of `[]k8s.io/component-base/config/v1alpha1.VModuleItem`)
+
+**Appears in:**
+-->
+（`[]k8s.io/component-base/config/v1alpha1.VModuleItem` 的别名)
+
+**出现在：**
+
+- [LoggingConfiguration](#LoggingConfiguration)
+
+<!--
+VModuleConfiguration is a collection of individual file names or patterns
+and the corresponding verbosity threshold.
+-->
+<p>VModuleConfiguration 是一组文件名（通配符）及其对应的日志详尽程度阈值。</p>
+
+
+
 ## `DefaultPreemptionArgs`     {#kubescheduler-config-k8s-io-v1beta2-DefaultPreemptionArgs}
     
 <!--
 DefaultPreemptionArgs holds arguments used to configure the
 DefaultPreemption plugin.
 -->
-DefaultPreemptionArgs 包含用来配置 DefaultPreemption 插件的参数。
+<p>DefaultPreemptionArgs 包含用来配置 DefaultPreemption 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -52,8 +479,8 @@ shortlist when dry running preemption as a percentage of number of nodes.
 Must be in the range [0, 100]. Defaults to 10% of the cluster size if
 unspecified.
    -->
-   此字段为试运行抢占时 shortlist 中候选节点数的下限，数值为节点数的百分比。
-字段值必须介于 [0, 100] 之间。未指定时默认值为整个集群规模的 10%。
+   <p>此字段为试运行抢占时 shortlist 中候选节点数的下限，数值为节点数的百分比。
+   字段值必须介于 [0, 100] 之间。未指定时默认值为整个集群规模的 10%。</p>
 </td>
 </tr>
 <tr><td><code>minCandidateNodesAbsolute</code> <B><!--[Required]-->[必需]</B><br/>
@@ -69,11 +496,10 @@ We say "likely" because there are other factors such as PDB violations
 that play a role in the number of candidates shortlisted. Must be at least
 0 nodes. Defaults to 100 nodes if unspecified.
    -->
-   <p>此字段设置 shortlist 中候选节点的绝对下限。用于试运行抢占而列举的
-候选节点个数近似于通过下面的公式计算的：</p>
-<p>候选节点数 = max(节点数 * minCandidateNodesPercentage, minCandidateNodesAbsolute)</p>
-<p>之所以说是“近似于”是因为存在一些类似于 PDB 违例这种因素，会影响到进入 shortlist
-中候选节点的个数。取值至少为 0 节点。若未设置默认为 100 节点。</p>
+   <p>此字段设置 shortlist 中候选节点的绝对下限。用于试运行抢占而列举的候选节点个数近似于通过下面的公式计算的：</p>
+   <p>候选节点数 = max(节点数 * minCandidateNodesPercentage, minCandidateNodesAbsolute)</p>
+   <p>之所以说是&quot;近似于&quot;是因为存在一些类似于 PDB 违例这种因素，会影响到进入 shortlist中候选节点的个数。
+   取值至少为 0 节点。若未设置默认为 100 节点。</p>
 </td>
 </tr>
 </tbody>
@@ -84,7 +510,7 @@ that play a role in the number of candidates shortlisted. Must be at least
 <!--
 InterPodAffinityArgs holds arguments used to configure the InterPodAffinity plugin.
 -->
-InterPodAffinityArgs 包含用来配置 InterPodAffinity 插件的参数。
+<p>InterPodAffinityArgs 包含用来配置 InterPodAffinity 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -101,8 +527,8 @@ InterPodAffinityArgs 包含用来配置 InterPodAffinity 插件的参数。
    HardPodAffinityWeight is the scoring weight for existing pods with a
 matching hard affinity to the incoming pod.
    -->
-   此字段是一个计分权重值。针对新增的 Pod，要对现存的、带有与新 Pod 匹配的
-硬性亲和性设置的 Pod 计算亲和性得分。
+   <p>此字段是一个计分权重值。针对新增的 Pod，
+   要对现存的、带有与新 Pod 匹配的硬性亲和性设置的 Pod 计算亲和性得分。</p>
 </td>
 </tr>
 </tbody>
@@ -113,7 +539,7 @@ matching hard affinity to the incoming pod.
 <!--
 KubeSchedulerConfiguration configures a scheduler
 -->
-KubeSchedulerConfiguration 用来配置调度器。
+<p>KubeSchedulerConfiguration 用来配置调度器。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -129,8 +555,8 @@ KubeSchedulerConfiguration 用来配置调度器。
    <!--
    Parallelism defines the amount of parallelism in algorithms for scheduling a Pods. Must be greater than 0. Defaults to 16
    -->
-   此字段设置为调度 Pod 而执行算法时的并发度。此值必须大于 0。
-默认值为 16。
+   <p>此字段设置为调度 Pod 而执行算法时的并发度。此值必须大于 0。
+   默认值为 16。</p>
 </td>
 </tr>
 <tr><td><code>leaderElection</code> <B><!--[Required]-->[必需]</B><br/>
@@ -140,7 +566,7 @@ KubeSchedulerConfiguration 用来配置调度器。
    <!--
    LeaderElection defines the configuration of leader election client.
    -->
-   此字段用来定义领导者选举客户端的配置。
+   <p>此字段用来定义领导者选举客户端的配置。</p>
 </td>
 </tr>
 <tr><td><code>clientConnection</code> <B><!--[Required]-->[必需]</B><br/>
@@ -151,8 +577,7 @@ KubeSchedulerConfiguration 用来配置调度器。
    ClientConnection specifies the kubeconfig file and client connection
 settings for the proxy server to use when communicating with the apiserver.
    -->
-   此字段为与 API 服务器通信时使用的代理服务器设置 kubeconfig 文件和客户端
-连接配置。
+   <p>此字段为与 API 服务器通信时使用的代理服务器设置 kubeconfig 文件和客户端连接配置。</p>
 </td>
 </tr>
 <tr><td><code>healthzBindAddress</code> <B><!--[Required]-->[必需]</B><br/>
@@ -164,10 +589,9 @@ settings for the proxy server to use when communicating with the apiserver.
 Only empty address or port 0 is allowed. Anything else will fail validation.
 HealthzBindAddress is the IP address and port for the health check server to serve on.
    -->
-   <code>healthzBindAddress</code> 是健康检查服务器提供服务所用的 IP 地址和端口。
-   注意：<code>healthzBindAddress</code> 和 <code>metricsBindAddress</code>
-这两个字段都已被弃用。
-只可以设置空地址或者端口 0。其他设置值都无法通过合法性检查。
+   <p><code>healthzBindAddress</code> 是健康检查服务器提供服务所用的 IP 地址和端口。
+   注意：<code>healthzBindAddress</code> 和 <code>metricsBindAddress</code>这两个字段都已被弃用。
+   只可以设置空地址或者端口 0。其他设置值都无法通过合法性检查。</p>
 </td>
 </tr>
 <tr><td><code>metricsBindAddress</code> <B><!--[Required]-->[必需]</B><br/>
@@ -177,17 +601,22 @@ HealthzBindAddress is the IP address and port for the health check server to ser
    <!--
    MetricsBindAddress is the IP address and port for the metrics server to serve on.
    -->
-   <code>metricsBindAddress</code> 是度量值服务器提供服务所用的 IP 地址和端口。
+   <p><code>metricsBindAddress</code> 是度量值服务器提供服务所用的 IP 地址和端口。</p>
 </td>
 </tr>
 <tr><td><code>DebuggingConfiguration</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#DebuggingConfiguration"><code>DebuggingConfiguration</code></a>
 </td>
+<!--
+(Members of <code>DebuggingConfiguration</code> are embedded into this type.)
+-->
 <td>（<code>DebuggingConfiguration</code> 的成员被内嵌到此类型中）
    <!--
    DebuggingConfiguration holds configuration for Debugging related features
+   TODO: We might wanna make this a substruct like Debugging componentbaseconfigv1alpha1.DebuggingConfiguration
    -->
-   此字段设置与调试相关功能特性的配置。
+   <p>此字段设置与调试相关功能特性的配置。
+   TODO：我们可能想把它做成一个子结构，像调试 component-base/config/v1alpha1.DebuggingConfiguration 一样。</p>
 </td>
 </tr>
 <tr><td><code>percentageOfNodesToScore</code> <B><!--[Required]-->[必需]</B><br/>
@@ -204,12 +633,13 @@ then scheduler stops finding further feasible nodes once it finds 150 feasible o
 When the value is 0, default percentage (5%--50% based on the size of the cluster) of the
 nodes will be scored.
    -->
-   此字段为所有节点的百分比，一旦调度器找到所设置比例的、能够运行 Pod 的节点，
-则停止在集群中继续寻找更合适的节点。这一配置有助于提高调度器的性能。调度器
-总会尝试寻找至少 "minFeasibleNodesToFind" 个可行节点，无论此字段的取值如何。
-例如：当集群规模为 500 个节点，而此字段的取值为 30，则调度器在找到 150 个合适
-的节点后会停止继续寻找合适的节点。当此值为 0 时，调度器会使用默认节点数百分比（基于集群规模
-确定的值，在 5% 到 50% 之间）来执行打分操作。
+   <p>此字段为所有节点的百分比，一旦调度器找到所设置比例的、能够运行 Pod 的节点，
+   则停止在集群中继续寻找更合适的节点。这一配置有助于提高调度器的性能。
+   调度器总会尝试寻找至少 &quot;minFeasibleNodesToFind&quot; 个可行节点，无论此字段的取值如何。
+   例如：当集群规模为 500 个节点，而此字段的取值为 30，
+   则调度器在找到 150 个合适的节点后会停止继续寻找合适的节点。
+   当此值为 0 时，调度器会使用默认节点数百分比（基于集群规模确定的值，在 5% 到 50% 之间）来执行打分操作。
+   </p>
 </td>
 </tr>
 <tr><td><code>podInitialBackoffSeconds</code> <B><!--[Required]-->[必需]</B><br/>
@@ -221,8 +651,8 @@ nodes will be scored.
 If specified, it must be greater than 0. If this value is null, the default value (1s)
 will be used.
    -->
-   此字段设置不可调度 Pod 的初始回退秒数。如果设置了此字段，其取值必须大于零。
-若此值为 null，则使用默认值（1s）。
+   <p>此字段设置不可调度 Pod 的初始回退秒数。如果设置了此字段，其取值必须大于零。
+   若此值为 null，则使用默认值（1s）。</p>
 </td>
 </tr>
 <tr><td><code>podMaxBackoffSeconds</code> <B><!--[Required]-->[必需]</B><br/>
@@ -234,8 +664,9 @@ will be used.
 If specified, it must be greater than podInitialBackoffSeconds. If this value is null,
 the default value (10s) will be used.
    -->
-   此字段设置不可调度的 Pod 的最大回退秒数。如果设置了此字段，则其值必须大于
-podInitialBackoffSeconds 字段值。如果此值设置为 null，则使用默认值（10s）。
+   <p>此字段设置不可调度的 Pod 的最大回退秒数。如果设置了此字段，
+   则其值必须大于 podInitialBackoffSeconds 字段值。如果此值设置为 null，则使用默认值（10s）。
+   </p>
 </td>
 </tr>
 <tr><td><code>profiles</code> <B><!--[Required]-->[必需]</B><br/>
@@ -248,9 +679,10 @@ choose to be scheduled under a particular profile by setting its associated
 scheduler name. Pods that don't specify any scheduler name are scheduled
 with the "default-scheduler" profile, if present here.
    -->
-   此字段为 kube-scheduler 所支持的方案（profiles）。Pod 可以通过设置其对应
-的调度器名称来选择使用特定的方案。未指定调度器名称的 Pod 会使用
-“default-scheduler”方案来调度，如果存在的话。
+   <p>此字段为 kube-scheduler 所支持的方案（profiles）。
+   Pod 可以通过设置其对应的调度器名称来选择使用特定的方案。
+   未指定调度器名称的 Pod 会使用 &quot;default-scheduler&quot; 方案来调度，如果存在的话。
+   </p>
 </td>
 </tr>
 <tr><td><code>extenders</code> <B><!--[Required]-->[必需]</B><br/>
@@ -261,8 +693,9 @@ with the "default-scheduler" profile, if present here.
    Extenders are the list of scheduler extenders, each holding the values of how to communicate
 with the extender. These extenders are shared by all scheduler profiles.
    -->
-   此字段为调度器扩展模块（Extender）的列表，每个元素包含如何与某扩展模块
-通信的配置信息。所有调度器模仿会共享此扩展模块列表。
+   <p>此字段为调度器扩展模块（Extender）的列表，
+   每个元素包含如何与某扩展模块通信的配置信息。
+   所有调度器模仿会共享此扩展模块列表。</p>
 </td>
 </tr>
 </tbody>
@@ -273,7 +706,7 @@ with the extender. These extenders are shared by all scheduler profiles.
 <!--
 NodeAffinityArgs holds arguments to configure the NodeAffinity plugin.
 -->
-NodeAffinityArgs 中包含配置 NodeAffinity 插件的参数。
+<p>NodeAffinityArgs 中包含配置 NodeAffinity 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -294,11 +727,12 @@ match).
 When AddedAffinity is used, some Pods with affinity requirements that match
 a specific Node (such as Daemonset Pods) might remain unschedulable.
    -->
-   <code>addedAffinity</code> 会作为附加的亲和性属性添加到所有 Pod 的
-规约中指定的 NodeAffinity 中。换言之，节点需要同时满足 addedAffinity
-和 .spec.nodeAffinity。默认情况下，addedAffinity 为空（与所有节点匹配）。
-使用了 addedAffinity 时，某些带有已经能够与某特定节点匹配的亲和性需求
-的 Pod （例如 DaemonSet Pod）可能会继续呈现不可调度状态。
+   <p>
+   <code>addedAffinity</code> 会作为附加的亲和性属性添加到所有 Pod 的规约中指定的 NodeAffinity 中。
+   换言之，节点需要同时满足 addedAffinity 和 .spec.nodeAffinity。默认情况下，addedAffinity 为空（与所有节点匹配）。
+   使用了 addedAffinity 时，某些带有已经能够与某特定节点匹配的亲和性需求的
+   Pod （例如 DaemonSet Pod）可能会继续呈现不可调度状态。
+   </p>
 </td>
 </tr>
 </tbody>
@@ -309,7 +743,7 @@ a specific Node (such as Daemonset Pods) might remain unschedulable.
 <!--
 NodeResourcesBalancedAllocationArgs holds arguments used to configure NodeResourcesBalancedAllocation plugin.
 -->
-NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllocation 插件的参数。
+<p>NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllocation 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -325,7 +759,7 @@ NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllo
    <!--
    Resources to be managed, the default is "cpu" and "memory" if not specified.
    -->
-   要管理的资源；如果未设置，则默认值为 "cpu" 和 "memory"。
+   <p>要管理的资源；如果未设置，则默认值为 &quot;cpu&quot; 和 &quot;memory&quot;。</p>
 </td>
 </tr>
 </tbody>
@@ -336,7 +770,7 @@ NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllo
 <!--
 NodeResourcesFitArgs holds arguments used to configure the NodeResourcesFit plugin.
 -->
-NodeResourcesFitArgs 包含用来配置 NodeResourcesFit 插件的参数。
+<p>NodeResourcesFitArgs 包含用来配置 NodeResourcesFit 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -353,7 +787,7 @@ NodeResourcesFitArgs 包含用来配置 NodeResourcesFit 插件的参数。
    IgnoredResources is the list of resources that NodeResources fit filter
 should ignore. This doesn't apply to scoring.
    -->
-   此字段为 NodeResources 匹配过滤器要忽略的资源列表。此列表不影响节点打分。
+   <p>此字段为 NodeResources 匹配过滤器要忽略的资源列表。此列表不影响节点打分。</p>
 </td>
 </tr>
 <tr><td><code>ignoredResourceGroups</code> <B><!--[Required]-->[必需]</B><br/>
@@ -366,10 +800,10 @@ e.g. if group is ["example.com"], it will ignore all resource names that begin
 with "example.com", such as "example.com/aaa" and "example.com/bbb".
 A resource group name can't contain '/'. This doesn't apply to scoring.
    -->
-   此字段定义 NodeResources 匹配过滤器要忽略的资源组列表。
-例如，如果配置值为 ["example.com"]，则以 "example.com" 开头的资源名（如
-"example.com/aaa" 和 "example.com/bbb"）都会被忽略。
-资源组名称中不可以包含 '/'。此设置不影响节点的打分。
+   <p>此字段定义 NodeResources 匹配过滤器要忽略的资源组列表。
+   例如，如果配置值为 [&quot;example.com&quot;]，则以 &quot;example.com&quot;
+   开头的资源名（如&quot;example.com/aaa&quot; 和 &quot;example.com/bbb&quot;）都会被忽略。
+   资源组名称中不可以包含 '/'。此设置不影响节点的打分。</p>
 </td>
 </tr>
 <tr><td><code>scoringStrategy</code> <B><!--[Required]-->[必需]</B><br/>
@@ -380,8 +814,8 @@ A resource group name can't contain '/'. This doesn't apply to scoring.
    ScoringStrategy selects the node resource scoring strategy.
 The default strategy is LeastAllocated with an equal "cpu" and "memory" weight.
    -->
-   此字段用来选择节点资源打分策略。默认的策略为 LeastAllocated，且 "cpu" 和
-"memory" 的权重相同。
+   <p>此字段用来选择节点资源打分策略。默认的策略为 LeastAllocated，
+   且 &quot;cpu&quot; 和&quot;memory&quot; 的权重相同。</p>
 </td>
 </tr>
 </tbody>
@@ -392,7 +826,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "memory" weight.
 <!--
 PodTopologySpreadArgs holds arguments used to configure the PodTopologySpread plugin.
 -->
-PodTopologySpreadArgs 包含用来配置 PodTopologySpread 插件的参数。
+<p>PodTopologySpreadArgs 包含用来配置 PodTopologySpread 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -413,11 +847,11 @@ deduced from the Pod's membership to Services, ReplicationControllers,
 ReplicaSets or StatefulSets.
 When not empty, .defaultingType must be "List".
    -->
-   此字段针对未定义 <code>.spec.topologySpreadConstraints</code> 的 Pod，
-为其提供拓扑分布约束。<code>.defaultConstraints[&lowast;].labelSelectors</code>
-必须为空，因为这一信息要从 Pod 所属的 Service、ReplicationController、
-ReplicaSet 或 StatefulSet 来推导。
-此字段不为空时，<code>.defaultingType</code> 必须为 "List"。
+   <p>此字段针对未定义 <code>.spec.topologySpreadConstraints</code> 的 Pod，
+   为其提供拓扑分布约束。<code>.defaultConstraints[&lowast;].labelSelectors</code>必须为空，
+   因为这一信息要从 Pod 所属的 Service、ReplicationController、
+   ReplicaSet 或 StatefulSet 来推导。
+   此字段不为空时，<code>.defaultingType</code> 必须为 &quot;List&quot;。</p>
 </td>
 </tr>
 <tr><td><code>defaultingType</code><br/>
@@ -434,13 +868,13 @@ ReplicaSet 或 StatefulSet 来推导。
    and to "System" if enabled.-->
    <p>
    <code>defaultingType</code> 决定如何推导 <code>.defaultConstraints</code>。
-可选值为 "System" 或 "List"。
+   可选值为 &quot;System&quot; 或 &quot;List&quot;。
    </p>
    <ul>
-     <li>"System"：使用 Kubernetes 定义的约束，将 Pod 分布到不同节点和可用区；</li>
-     <li>"List"：使用 <code>.defaultConstraints</code> 中定义的约束。</li>
+     <li>&quot;System&quot;：使用 Kubernetes 定义的约束，将 Pod 分布到不同节点和可用区；</li>
+     <li>&quot;List&quot;：使用 <code>.defaultConstraints</code> 中定义的约束。</li>
    </ul>
-   <p>当特性门控 DefaultPodTopologySpread 被禁用时，默认值为 "list"；反之，默认值为 "System"。</p>
+   <p>当特性门控 DefaultPodTopologySpread 被禁用时，默认值为 &quot;list&quot;；反之，默认值为 &quot;System&quot;。</p>
 </td>
 </tr>
 </tbody>
@@ -451,7 +885,7 @@ ReplicaSet 或 StatefulSet 来推导。
 <!--
 VolumeBindingArgs holds arguments used to configure the VolumeBinding plugin.
 -->
-VolumeBindingArgs 包含用来配置 VolumeBinding 插件的参数。
+<p>VolumeBindingArgs 包含用来配置 VolumeBinding 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -469,8 +903,8 @@ VolumeBindingArgs 包含用来配置 VolumeBinding 插件的参数。
 Value must be non-negative integer. The value zero indicates no waiting.
 If this value is nil, the default value (600) will be used.
    -->
-   此字段设置卷绑定操作的超时秒数。字段值必须是非负数。
-取值为 0 意味着不等待。如果此值为 null，则使用默认值（600）。
+   <p>此字段设置卷绑定操作的超时秒数。字段值必须是非负数。
+   取值为 0 意味着不等待。如果此值为 null，则使用默认值（600）。</p>
 </td>
 </tr>
 <tr><td><code>shape</code><br/>
@@ -490,17 +924,16 @@ The default shape points are:
 2) 10 for 100 utilization
 All points must be sorted in increasing order by utilization.
    -->
-   <p><code>shape</code> 用来设置打分函数曲线所使用的计分点，这些计分点
-用来基于静态制备的 PV 卷的利用率为节点打分。
-卷的利用率是计算得来的，将 Pod 所请求的总的存储空间大小除以每个节点
-上可用的总的卷容量。每个计分点包含利用率（范围从 0 到 100）和其对应
-的得分（范围从 0 到 10）。你可以通过为不同的使用率值设置不同的得分来
-反转优先级：</p>
+   <p><code>shape</code> 用来设置打分函数曲线所使用的计分点，
+   这些计分点用来基于静态制备的 PV 卷的利用率为节点打分。
+   卷的利用率是计算得来的，将 Pod 所请求的总的存储空间大小除以每个节点上可用的总的卷容量。
+   每个计分点包含利用率（范围从 0 到 100）和其对应的得分（范围从 0 到 10）。
+   你可以通过为不同的使用率值设置不同的得分来反转优先级：</p>
    <p>默认的曲线计分点为：</p>
-   <ul>
+   <ol>
      <li>利用率为 0 时得分为 0；</li>
      <li>利用率为 100 时得分为 10。</li>
-   </ul>
+   </ol>
    <p>所有计分点必须按利用率值的升序来排序。</p>
 </td>
 </tr>
@@ -520,751 +953,407 @@ All points must be sorted in increasing order by utilization.
 Extender holds the parameters used to communicate with the extender. If a verb is unspecified/empty,
 it is assumed that the extender chose not to provide that extension.
 -->
-Extender 包含与扩展模块（Extender）通信所用的参数。
-如果未指定 verb 或者 verb 为空，则假定对应的扩展模块选择不提供该扩展功能。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-  
-<tr><td><code>urlPrefix</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   URLPrefix at which the extender is available
-   -->
-   用来访问扩展模块的 URL 前缀。
-</td>
-</tr>
-<tr><td><code>filterVerb</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
-   -->
-   filter 调用所使用的动词，如果不支持过滤操作则为空。
-此动词会在向扩展模块发送 filter 调用时追加到 urlPrefix 后面。
-</td>
-</tr>
-<tr><td><code>preemptVerb</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
-   -->
-   preempt 调用所使用的动词，如果不支持抢占操作则为空。
-此动词会在向扩展模块发送 preempt 调用时追加到 urlPrefix 后面。
-</td>
-</tr>
-<tr><td><code>prioritizeVerb</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
-   -->
-   prioritize 调用所使用的动词，如果不支持 prioritize 操作则为空。
-此动词会在向扩展模块发送 prioritize 调用时追加到 urlPrefix 后面。
-</td>
-</tr>
-<tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int64</code>
-</td>
-<td>
-   <!--
-   The numeric multiplier for the node scores that the prioritize call generates.
-The weight should be a positive integer
-   -->
-   针对 prioritize 调用所生成的节点分数要使用的数值系数。
-weight 值必须是正整数。
-</td>
-</tr>
-<tr><td><code>bindVerb</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender.
-If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender
-can implement this function.
-   -->
-   bind 调用所使用的动词，如果不支持 bind 操作则为空。
-此动词会在向扩展模块发送 bind 调用时追加到 urlPrefix 后面。
-如果扩展模块实现了此方法，扩展模块要负责将 Pod 绑定到 API 服务器。
-只有一个扩展模块可以实现此函数。
-</td>
-</tr>
-<tr><td><code>enableHTTPS</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   EnableHTTPS specifies whether https should be used to communicate with the extender
-   -->
-   此字段设置是否需要使用 HTTPS 来与扩展模块通信。
-</td>
-</tr>
-<tr><td><code>tlsConfig</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-ExtenderTLSConfig"><code>ExtenderTLSConfig</code></a>
-</td>
-<td>
-   <!--
-   TLSConfig specifies the transport layer security config
-   -->
-   此字段设置传输层安全性（TLS）配置。
-</td>
-</tr>
-<tr><td><code>httpTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
-</td>
-<td>
-   <!--
-   HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize
-timeout is ignored, k8s/other extenders priorities are used to select the node.
-   -->
-   此字段给出扩展模块功能调用的超时值。filter 操作超时会导致 Pod 无法被调度。
-prioritize 操作超时会被忽略，Kubernetes 或者其他扩展模块所给出的优先级值
-会被用来选择节点。
-</td>
-</tr>
-<tr><td><code>nodeCacheCapable</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   NodeCacheCapable specifies that the extender is capable of caching node information,
-so the scheduler should only send minimal information about the eligible nodes
-assuming that the extender already cached full details of all nodes in the cluster
-   -->
-   此字段指示扩展模块可以缓存节点信息，从而调度器应该发送关于可选节点的最少信息，
-假定扩展模块已经缓存了集群中所有节点的全部详细信息。
-</td>
-</tr>
-<tr><td><code>managedResources</code><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-ExtenderManagedResource"><code>[]ExtenderManagedResource</code></a>
-</td>
-<td>
-   <!--
-   ManagedResources is a list of extended resources that are managed by
-this extender.
-- A pod will be sent to the extender on the Filter, Prioritize and Bind
-  (if the extender is the binder) phases iff the pod requests at least
-  one of the extended resources in this list. If empty or unspecified,
-  all pods will be sent to this extender.
-- If IgnoredByScheduler is set to true for a resource, kube-scheduler
-  will skip checking the resource in predicates.
-   -->
-   <p><code>managedResources</code> 是一个由此扩展模块所管理的扩展资源的列表。</p>
-   <ul>
-     <li>如果某 Pod 请求了此列表中的至少一个扩展资源，则 Pod 会在 filter、
-prioritize 和 bind （如果扩展模块可以执行绑定操作）阶段被发送到该扩展模块。
-若此字段为空或未设置，则所有 Pod 都会发送到此扩展模块。</li>
-     <li>如果某资源上设置了 <code>ignoredByScheduler</code> 为 true，则 kube-scheduler
-会在断言阶段略过对该资源的检查。</li>
-   </ul>
-</td>
-</tr>
-<tr><td><code>ignorable</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   Ignorable specifies if the extender is ignorable, i.e. scheduling should not
-fail when the extender returns an error or is not reachable.
-   -->
-   此字段用来设置扩展模块是否是可忽略的。换言之，当扩展模块返回错误或者
-完全不可达时，调度操作不应失败。
-</td>
-</tr>
-</tbody>
-</table>
-
-## `ExtenderManagedResource`     {#kubescheduler-config-k8s-io-v1beta2-ExtenderManagedResource}
-    
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [Extender](#kubescheduler-config-k8s-io-v1beta2-Extender)
-
-<!--
-ExtenderManagedResource describes the arguments of extended resources
-managed by an extender.
--->
-ExtenderManagedResource 描述某扩展模块所管理的扩展资源的参数。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-    
-<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   Name is the extended resource name.
-   -->
-   扩展资源的名称。
-</td>
-</tr>
-<tr><td><code>ignoredByScheduler</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   IgnoredByScheduler indicates whether kube-scheduler should ignore this
-resource when applying predicates.
-   -->
-   此字段标明 kube-scheduler 是否应在应用断言时忽略此资源。
-</td>
-</tr>
-</tbody>
-</table>
-
-## `ExtenderTLSConfig`     {#kubescheduler-config-k8s-io-v1beta2-ExtenderTLSConfig}
-    
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [Extender](#kubescheduler-config-k8s-io-v1beta2-Extender)
-
-<!--
-ExtenderTLSConfig contains settings to enable TLS with extender
--->
-ExtenderTLSConfig 包含启用与扩展模块间 TLS 传输所需的配置参数。
+<p>Extender 包含与扩展模块（Extender）通信所用的参数。
+如果未指定 verb 或者 verb 为空，则假定对应的扩展模块选择不提供该扩展功能。</p>
 
 <table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-  
-<tr><td><code>insecure</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   Server should be accessed without verifying the TLS certificate. For testing only.
-   -->
-   访问服务器时不需要检查 TLS 证书。此配置仅针对测试用途。
-</td>
-</tr>
-<tr><td><code>serverName</code> <B><!--[Required]-->[必需]</B><br/>
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+  
+<tr><td><code>urlPrefix</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
    <!--
-   ServerName is passed to the server for SNI and is used in the client to check server
-certificates against. If ServerName is empty, the hostname used to contact the
-server is used.
+   URLPrefix at which the extender is available
    -->
-   <code>serverName</code> 会被发送到服务器端，作为 SNI 标志；客户端会使用
-此设置来检查服务器证书。如果 <code>serverName</code> 为空，则会使用联系
-服务器时所用的主机名。
+   <p>用来访问扩展模块的 URL 前缀。</p>
 </td>
 </tr>
-<tr><td><code>certFile</code> <B><!--[Required]-->[必需]</B><br/>
+<tr><td><code>filterVerb</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
    <!--
-   Server requires TLS client certificate authentication
+   Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
    -->
-   服务器端所要求的 TLS 客户端证书认证。
+   <p>filter 调用所使用的动词，如果不支持过滤操作则为空。
+   此动词会在向扩展模块发送 filter 调用时追加到 urlPrefix 后面。</p>
 </td>
 </tr>
-<tr><td><code>keyFile</code> <B><!--[Required]-->[必需]</B><br/>
+<tr><td><code>preemptVerb</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
    <!--
-   Server requires TLS client certificate authentication
+   Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
    -->
-   服务器端所要求的 TLS 客户端秘钥认证。
+   <p>preempt 调用所使用的动词，如果不支持抢占操作则为空。
+   此动词会在向扩展模块发送 preempt 调用时追加到 urlPrefix 后面。</p>
 </td>
 </tr>
-<tr><td><code>caFile</code> <B><!--[Required]-->[必需]</B><br/>
+<tr><td><code>prioritizeVerb</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
    <!--
-   Trusted root certificates for server
+   Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
    -->
-   服务器端可信任的根证书。
+   <p>prioritize 调用所使用的动词，如果不支持 prioritize 操作则为空。
+   此动词会在向扩展模块发送 prioritize 调用时追加到 urlPrefix 后面。</p>
 </td>
 </tr>
-<tr><td><code>certData</code> <B><!--[Required]-->[必需]</B><br/>
-<code>[]byte</code>
+<tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int64</code>
 </td>
 <td>
    <!--
-   CertData holds PEM-encoded bytes (typically read from a client certificate file).
-CertData takes precedence over CertFile
+   The numeric multiplier for the node scores that the prioritize call generates.
+The weight should be a positive integer
    -->
-   <code>certData</code> 包含 PEM 编码的字节流（通常从某客户端证书文件读入）。
-此字段优先级高于 certFile 字段。
+   <p>针对 prioritize 调用所生成的节点分数要使用的数值系数。
+   weight 值必须是正整数。</p>
 </td>
 </tr>
-<tr><td><code>keyData</code> <B><!--[Required]-->[必需]</B><br/>
-<code>[]byte</code>
+<tr><td><code>bindVerb</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
-KeyData takes precedence over KeyFile
+   Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender.
+If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender
+can implement this function.
    -->
-   <code>keyData</code> 包含 PEM 编码的字节流（通常从某客户端证书秘钥文件读入）。
-此字段优先级高于 keyFile 字段。
+   <p>bind 调用所使用的动词，如果不支持 bind 操作则为空。
+   此动词会在向扩展模块发送 bind 调用时追加到 urlPrefix 后面。
+   如果扩展模块实现了此方法，扩展模块要负责将 Pod 绑定到 API 服务器。
+   只有一个扩展模块可以实现此函数。</p>
 </td>
 </tr>
-<tr><td><code>caData</code> <B><!--[Required]-->[必需]</B><br/>
-<code>[]byte</code>
+<tr><td><code>enableHTTPS</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
 </td>
 <td>
    <!--
-   CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
-CAData takes precedence over CAFile
+   EnableHTTPS specifies whether https should be used to communicate with the extender
    -->
-   <code>caData</code> 包含 PEM 编码的字节流（通常从某根证书包文件读入）。
-此字段优先级高于 caFile 字段。
+   <p>此字段设置是否需要使用 HTTPS 来与扩展模块通信。</p>
 </td>
 </tr>
-</tbody>
-</table>
-
-## `KubeSchedulerProfile`     {#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerProfile}
-    
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
-
-<!--
-KubeSchedulerProfile is a scheduling profile.
--->
-KubeSchedulerProfile 是一个调度方案。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-  
-<tr><td><code>schedulerName</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>tlsConfig</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-ExtenderTLSConfig"><code>ExtenderTLSConfig</code></a>
 </td>
 <td>
    <!--
-   schedulername is the name of the scheduler associated to this profile.
-if schedulername matches with the pod's "spec.schedulername", then the pod
-is scheduled with this profile.
+   TLSConfig specifies the transport layer security config
    -->
-   <code>schedulerName</code> 是与此调度方案相关联的调度器的名称。
-如果 <code>schedulerName</code> 与 Pod 的 <code>spec.schedulerName</code>
-匹配，则该 Pod 会使用此方案来调度。
+   <p>此字段设置传输层安全性（TLS）配置。</p>
 </td>
 </tr>
-<tr><td><code>plugins</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-Plugins"><code>Plugins</code></a>
+<tr><td><code>httpTimeout</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
-   Plugins specify the set of plugins that should be enabled or disabled.
-Enabled plugins are the ones that should be enabled in addition to the
-default plugins. Disabled plugins are any of the default plugins that
-should be disabled.
-When no enabled or disabled plugin is specified for an extension point,
-default plugins for that extension point will be used if there is any.
-If a QueueSort plugin is specified, the same QueueSort Plugin and
-PluginConfig must be specified for all profiles.
+   HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize
+timeout is ignored, k8s/other extenders priorities are used to select the node.
    -->
-   <p><code>plugins</code> 设置一组应该被启用或禁止的插件。
-被启用的插件是指除了默认插件之外需要被启用的插件。被禁止的插件
-是指需要被禁用的默认插件。</p>
-   <p>如果针对某个扩展点没有设置被启用或被禁止的插件，则使用该扩展点
-的默认插件（如果有的话）。如果设置了 QueueSort 插件，则同一个 QueueSort
-插件和 <code>pluginConfig</code> 要被设置到所有调度方案之上。</p>
+   <p>此字段给出扩展模块功能调用的超时值。filter 操作超时会导致 Pod 无法被调度。
+   prioritize 操作超时会被忽略，Kubernetes 或者其他扩展模块所给出的优先级值会被用来选择节点。
+   </p>
 </td>
 </tr>
-<tr><td><code>pluginConfig</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginConfig"><code>[]PluginConfig</code></a>
+<tr><td><code>nodeCacheCapable</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
 </td>
 <td>
    <!--
-   PluginConfig is an optional set of custom plugin arguments for each plugin.
-Omitting config args for a plugin is equivalent to using the default config
-for that plugin.
+   NodeCacheCapable specifies that the extender is capable of caching node information,
+so the scheduler should only send minimal information about the eligible nodes
+assuming that the extender already cached full details of all nodes in the cluster
    -->
-   <code>pluginConfig</code> 是为每个插件提供的一组可选的定制插件参数。
-如果忽略了插件的配置参数，则意味着使用该插件的默认配置。
-</td>
+   <p>此字段指示扩展模块可以缓存节点信息，从而调度器应该发送关于可选节点的最少信息，
+   假定扩展模块已经缓存了集群中所有节点的全部详细信息。</p>
 </td>
 </tr>
-</tbody>
-</table>
-
-## `Plugin`     {#kubescheduler-config-k8s-io-v1beta2-Plugin}
-    
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [PluginSet](#kubescheduler-config-k8s-io-v1beta2-PluginSet)
-
-<!--
-Plugin specifies a plugin name and its weight when applicable. Weight is used only for Score plugins.
--->
-Plugin 指定插件的名称及其权重（如果适用的话）。权重仅用于评分（Score）插件。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-  
-<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>managedResources</code><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-ExtenderManagedResource"><code>[]ExtenderManagedResource</code></a>
 </td>
 <td>
    <!--
-   Name defines the name of plugin
+   ManagedResources is a list of extended resources that are managed by
+this extender.
+- A pod will be sent to the extender on the Filter, Prioritize and Bind
+  (if the extender is the binder) phases iff the pod requests at least
+  one of the extended resources in this list. If empty or unspecified,
+  all pods will be sent to this extender.
+- If IgnoredByScheduler is set to true for a resource, kube-scheduler
+  will skip checking the resource in predicates.
    -->
-   插件的名称。
+   <p><code>managedResources</code> 是一个由此扩展模块所管理的扩展资源的列表。</p>
+   <ul>
+     <li>如果某 Pod 请求了此列表中的至少一个扩展资源，则 Pod 会在 filter、
+     prioritize 和 bind （如果扩展模块可以执行绑定操作）阶段被发送到该扩展模块。
+     若此字段为空或未设置，则所有 Pod 都会发送到此扩展模块。</li>
+     <li>如果某资源上设置了 <code>ignoredByScheduler</code> 为 true，则 kube-scheduler
+     会在断言阶段略过对该资源的检查。</li>
+   </ul>
 </td>
 </tr>
-<tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
+<tr><td><code>ignorable</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
 </td>
 <td>
    <!--
-   Weight defines the weight of plugin, only used for Score plugins.
+   Ignorable specifies if the extender is ignorable, i.e. scheduling should not
+fail when the extender returns an error or is not reachable.
    -->
-   插件的权重；仅适用于评分（Score）插件。
+   <p>此字段用来设置扩展模块是否是可忽略的。
+   换言之，当扩展模块返回错误或者完全不可达时，调度操作不应失败。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `PluginConfig`     {#kubescheduler-config-k8s-io-v1beta2-PluginConfig}
+## `ExtenderManagedResource`     {#kubescheduler-config-k8s-io-v1beta2-ExtenderManagedResource}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerProfile](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerProfile)
+- [Extender](#kubescheduler-config-k8s-io-v1beta2-Extender)
 
 <!--
-PluginConfig specifies arguments that should be passed to a plugin at the time of initialization.
-A plugin that is invoked at multiple extension points is initialized once. Args can have arbitrary structure.
-It is up to the plugin to process these Args.
+ExtenderManagedResource describes the arguments of extended resources
+managed by an extender.
 -->
-PluginConfig 给出初始化阶段要传递给插件的参数。
-在多个扩展点被调用的插件仅会被初始化一次。
-参数可以是任意结构。插件负责处理这里所传的参数。
+<p>ExtenderManagedResource 描述某扩展模块所管理的扩展资源的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
-  
+    
 <tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
    <!--
-   Name defines the name of plugin being configured
-   -->
-   <code>name</code> 是所配置的插件的名称。
-</td>
-</tr>
-<tr><td><code>args</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/runtime/#RawExtension"><code>k8s.io/apimachinery/pkg/runtime.RawExtension</code></a>
-</td>
-<td>
-   <!--
-   Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure.
-   -->
-   <code>args</code> 定义在初始化阶段要传递给插件的参数。参数可以为任意结构。
-</td>
-</tr>
-</tbody>
-</table>
-
-## `PluginSet`     {#kubescheduler-config-k8s-io-v1beta2-PluginSet}
-    
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [Plugins](#kubescheduler-config-k8s-io-v1beta2-Plugins)
-
-<!--
-PluginSet specifies enabled and disabled plugins for an extension point.
-If an array is empty, missing, or nil, default plugins at that extension point will be used.
--->
-PluginSet 为某扩展点设置要启用或禁用的插件。
-如果数组为空，或者取值为 null，则使用该扩展点的默认插件集合。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-  
-<tr><td><code>enabled</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-Plugin"><code>[]Plugin</code></a>
-</td>
-<td>
-   <!--
-   Enabled specifies plugins that should be enabled in addition to default plugins.
-If the default plugin is also configured in the scheduler config file, the weight of plugin will
-be overridden accordingly.
-These are called after default plugins and in the same order specified here.
+   Name is the extended resource name.
    -->
-   <code>enabled</code> 设置在默认插件之外要启用的插件。如果在调度器的配置
-文件中也配置了默认插件，则对应插件的权重会被覆盖。
-此处所设置的插件会在默认插件之后被调用，调用顺序与数组中元素顺序相同。
+   <p>扩展资源的名称。</p>
 </td>
 </tr>
-<tr><td><code>disabled</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-Plugin"><code>[]Plugin</code></a>
+<tr><td><code>ignoredByScheduler</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
 </td>
 <td>
    <!--
-   Disabled specifies default plugins that should be disabled.
-When all default plugins need to be disabled, an array containing only one "&lowast;" should be provided.
+   IgnoredByScheduler indicates whether kube-scheduler should ignore this
+resource when applying predicates.
    -->
-   <code>disabled</code> 设置要被禁用的默认插件。
-如果需要禁用所有的默认插件，应该提供仅包含一个元素 "&lowast;" 的数组。
+   <p>此字段标明 kube-scheduler 是否应在应用断言时忽略此资源。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `Plugins`     {#kubescheduler-config-k8s-io-v1beta2-Plugins}
+## `ExtenderTLSConfig`     {#kubescheduler-config-k8s-io-v1beta2-ExtenderTLSConfig}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerProfile](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerProfile)
+- [Extender](#kubescheduler-config-k8s-io-v1beta2-Extender)
 
 <!--
-Plugins include multiple extension points. When specified, the list of plugins for
-a particular extension point are the only ones enabled. If an extension point is
-omitted from the config, then the default set of plugins is used for that extension point.
-Enabled plugins are called in the order specified here, after default plugins. If they need to
-be invoked before default plugins, default plugins must be disabled and re-enabled here in desired order.
+ExtenderTLSConfig contains settings to enable TLS with extender
 -->
-Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定扩展点所启用
-的所有插件都在这一列表中。
-如果配置中不包含某个扩展点，则使用该扩展点的默认插件集合。
-被启用的插件的调用顺序与这里指定的顺序相同，都在默认插件之后调用。
-如果它们需要在默认插件之前调用，则需要先行禁止默认插件，之后在这里
-按期望的顺序重新启用。
+<p>ExtenderTLSConfig 包含启用与扩展模块间 TLS 传输所需的配置参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
   
-<tr><td><code>queueSort</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
-</td>
-<td>
-   <!--
-   QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue.
-   -->
-   <code>queueSort</code> 是一个在对调度队列中 Pod 排序时要调用的插件列表。
-</td>
-</tr>
-<tr><td><code>preFilter</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
-</td>
-<td>
-   <!--
-   PreFilter is a list of plugins that should be invoked at "PreFilter" extension point of the scheduling framework.
-   -->
-   <code>preFilter</code> 是一个在调度框架中“PreFilter（预过滤）”扩展点上要
-调用的插件列表。
-</td>
-</tr>
-<tr><td><code>filter</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
-</td>
-<td>
-   <!--
-   Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod.
-   -->
-   <code>filter</code> 是一个在需要过滤掉无法运行 Pod 的节点时被调用的插件列表。
-</td>
-</tr>
-<tr><td><code>postFilter</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
-</td>
-<td>
-   <!--
-   PostFilter is a list of plugins that are invoked after filtering phase, but only when no feasible nodes were found for the pod.
-   -->
-   <code>postFilter</code> 是一个在过滤阶段结束后会被调用的插件列表；
-这里的插件只有在找不到合适的节点来运行 Pod 时才会被调用。
-</td>
-</tr>
-<tr><td><code>preScore</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>insecure</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
 </td>
 <td>
    <!--
-   PreScore is a list of plugins that are invoked before scoring.
+   Server should be accessed without verifying the TLS certificate. For testing only.
    -->
-   <code>preScore</code> 是一个在打分之前要调用的插件列表。
+   <p>访问服务器时不需要检查 TLS 证书。此配置仅针对测试用途。</p>
 </td>
 </tr>
-<tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>serverName</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase.
+   ServerName is passed to the server for SNI and is used in the client to check server
+certificates against. If ServerName is empty, the hostname used to contact the
+server is used.
    -->
-   <code>score</code> 是一个在对已经通过过滤阶段的节点进行排序时调用的插件的列表。
+   <p><code>serverName</code> 会被发送到服务器端，作为 SNI 标志；
+   客户端会使用此设置来检查服务器证书。
+   如果 <code>serverName</code> 为空，则会使用联系服务器时所用的主机名。
+   </p>
 </td>
 </tr>
-<tr><td><code>reserve</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>certFile</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   Reserve is a list of plugins invoked when reserving/unreserving resources
-after a node is assigned to run the pod.
+   Server requires TLS client certificate authentication
    -->
-   <code>reserve</code> 是一组在运行 Pod 的节点已被选定后，需要预留或者释放资源时调用的插件的列表。
+   <p>服务器端所要求的 TLS 客户端证书认证。</p>
 </td>
 </tr>
-<tr><td><code>permit</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>keyFile</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod.
+   Server requires TLS client certificate authentication
    -->
-   <code>permit</code> 是一个用来控制 Pod 绑定关系的插件列表。这些插件可以
-禁止或者延迟 Pod 的绑定。
+   <p>服务器端所要求的 TLS 客户端秘钥认证。</p>
 </td>
 </tr>
-<tr><td><code>preBind</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>caFile</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   PreBind is a list of plugins that should be invoked before a pod is bound.
+   Trusted root certificates for server
    -->
-   <code>preBind</code> 是一个在 Pod 被绑定到某节点之前要被调用的插件的列表。
+   <p>服务器端可信任的根证书。</p>
 </td>
 </tr>
-<tr><td><code>bind</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>certData</code> <B><!--[Required]-->[必需]</B><br/>
+<code>[]byte</code>
 </td>
 <td>
    <!--
-   Bind is a list of plugins that should be invoked at "Bind" extension point of the scheduling framework.
-The scheduler call these plugins in order. Scheduler skips the rest of these plugins as soon as one returns success.
+   CertData holds PEM-encoded bytes (typically read from a client certificate file).
+CertData takes precedence over CertFile
    -->
-   <code>bind</code> 是一个在调度框架中“Bind（绑定）”扩展点上要调用的
-插件的列表。调度器按顺序调用这些插件。只要其中某个插件返回成功，则调度器
-就略过余下的插件。
+   <p><code>certData</code> 包含 PEM 编码的字节流（通常从某客户端证书文件读入）。
+   此字段优先级高于 certFile 字段。</p>
 </td>
 </tr>
-<tr><td><code>postBind</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>keyData</code> <B><!--[Required]-->[必需]</B><br/>
+<code>[]byte</code>
 </td>
 <td>
    <!--
-   PostBind is a list of plugins that should be invoked after a pod is successfully bound.
+   KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
+KeyData takes precedence over KeyFile
    -->
-   <code>postBind</code> 是一个在 Pod 已经被成功绑定之后要调用的插件的列表。
+   <p><code>keyData</code> 包含 PEM 编码的字节流（通常从某客户端证书秘钥文件读入）。
+   此字段优先级高于 keyFile 字段。</p>
 </td>
 </tr>
-<tr><td><code>multiPoint</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+<tr><td><code>caData</code> <B><!--[Required]-->[必需]</B><br/>
+<code>[]byte</code>
 </td>
 <td>
    <!--
-   MultiPoint is a simplified config section to enable plugins for all valid extension points.
+   CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
+CAData takes precedence over CAFile
    -->
-   <p><code>multiPoint</code> 是一个简化的配置段落，用来为所有合法的扩展点启用插件。
+   <p><code>caData</code> 包含 PEM 编码的字节流（通常从某根证书包文件读入）。
+   此字段优先级高于 caFile 字段。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `PodTopologySpreadConstraintsDefaulting`     {#kubescheduler-config-k8s-io-v1beta2-PodTopologySpreadConstraintsDefaulting}
-
- <!--
-(Alias of `string`)
-
-**Appears in:**
--->
-（`string` 类型的别名）
-
-**出现在：**
-   
-- [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta2-PodTopologySpreadArgs)
-
-<!--
-PodTopologySpreadConstraintsDefaulting defines how to set default constraints
-for the PodTopologySpread plugin.
--->
-PodTopologySpreadConstraintsDefaulting 定义如何为 PodTopologySpread 插件
-设置默认的约束。
-
-## `RequestedToCapacityRatioParam`     {#kubescheduler-config-k8s-io-v1beta2-RequestedToCapacityRatioParam}
+## `KubeSchedulerProfile`     {#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerProfile}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy)
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
 
 <!--
-RequestedToCapacityRatioParam define RequestedToCapacityRatio parameters
+KubeSchedulerProfile is a scheduling profile.
 -->
-RequestedToCapacityRatioParam 结构定义 RequestedToCapacityRatio 的参数。
+<p>KubeSchedulerProfile 是一个调度方案。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
   
-<tr><td><code>shape</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-UtilizationShapePoint"><code>[]UtilizationShapePoint</code></a>
+<tr><td><code>schedulerName</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   Shape is a list of points defining the scoring function shape.
+   schedulername is the name of the scheduler associated to this profile.
+if schedulername matches with the pod's "spec.schedulername", then the pod
+is scheduled with this profile.
+   -->
+   <p><code>schedulerName</code> 是与此调度方案相关联的调度器的名称。
+   如果 <code>schedulerName</code> 与 Pod 的 <code>spec.schedulerName</code>
+   匹配，则该 Pod 会使用此方案来调度。</p>
+</td>
+</tr>
+<tr><td><code>plugins</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-Plugins"><code>Plugins</code></a>
+</td>
+<td>
+   <!--
+   Plugins specify the set of plugins that should be enabled or disabled.
+Enabled plugins are the ones that should be enabled in addition to the
+default plugins. Disabled plugins are any of the default plugins that
+should be disabled.
+When no enabled or disabled plugin is specified for an extension point,
+default plugins for that extension point will be used if there is any.
+If a QueueSort plugin is specified, the same QueueSort Plugin and
+PluginConfig must be specified for all profiles.
+   -->
+   <p><code>plugins</code> 设置一组应该被启用或禁止的插件。
+   被启用的插件是指除了默认插件之外需要被启用的插件。
+   被禁止的插件是指需要被禁用的默认插件。</p>
+   <p>如果针对某个扩展点没有设置被启用或被禁止的插件，
+   则使用该扩展点的默认插件（如果有的话）。如果设置了 QueueSort 插件，则同一个 QueueSort
+   插件和 <code>pluginConfig</code> 要被设置到所有调度方案之上。</p>
+</td>
+</tr>
+<tr><td><code>pluginConfig</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginConfig"><code>[]PluginConfig</code></a>
+</td>
+<td>
+   <!--
+   PluginConfig is an optional set of custom plugin arguments for each plugin.
+Omitting config args for a plugin is equivalent to using the default config
+for that plugin.
    -->
-   <code>shape</code> 是一个定义评分函数曲线的计分点的列表。
+   <p><code>pluginConfig</code> 是为每个插件提供的一组可选的定制插件参数。
+   如果忽略了插件的配置参数，则意味着使用该插件的默认配置。</p>
+</td>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `ResourceSpec`     {#kubescheduler-config-k8s-io-v1beta2-ResourceSpec}
+## `Plugin`     {#kubescheduler-config-k8s-io-v1beta2-Plugin}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [NodeResourcesBalancedAllocationArgs](#kubescheduler-config-k8s-io-v1beta2-NodeResourcesBalancedAllocationArgs)
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy)
+- [PluginSet](#kubescheduler-config-k8s-io-v1beta2-PluginSet)
 
 <!--
-ResourceSpec represents a single resource.
+Plugin specifies a plugin name and its weight when applicable. Weight is used only for Score plugins.
 -->
-ResourceSpec 用来代表某个资源。
+<p>Plugin 指定插件的名称及其权重（如果适用的话）。权重仅用于评分（Score）插件。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -1275,460 +1364,478 @@ ResourceSpec 用来代表某个资源。
 </td>
 <td>
    <!--
-   Name of the resource.
+   Name defines the name of plugin
    -->
-   资源名称。
+   <p>插件的名称。</p>
 </td>
 </tr>
 <tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int64</code>
+<code>int32</code>
 </td>
 <td>
    <!--
-   Weight of the resource.
+   Weight defines the weight of plugin, only used for Score plugins.
    -->
-   资源权重。
+   <p>插件的权重；仅适用于评分（Score）插件。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `ScoringStrategy`     {#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy}
+## `PluginConfig`     {#kubescheduler-config-k8s-io-v1beta2-PluginConfig}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [NodeResourcesFitArgs](#kubescheduler-config-k8s-io-v1beta2-NodeResourcesFitArgs)
+- [KubeSchedulerProfile](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerProfile)
 
 <!--
-ScoringStrategy define ScoringStrategyType for node resource plugin
+PluginConfig specifies arguments that should be passed to a plugin at the time of initialization.
+A plugin that is invoked at multiple extension points is initialized once. Args can have arbitrary structure.
+It is up to the plugin to process these Args.
 -->
-ScoringStrategy 为节点资源插件定义 ScoringStrategyType。
+<p>PluginConfig 给出初始化阶段要传递给插件的参数。
+在多个扩展点被调用的插件仅会被初始化一次。
+参数可以是任意结构。插件负责处理这里所传的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
   
-<tr><td><code>type</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-ScoringStrategyType"><code>ScoringStrategyType</code></a>
-</td>
-<td>
-   <!--
-   Type selects which strategy to run.
-   -->
-   <code>type</code> 用来选择要运行的策略。
-</td>
-</tr>
-<tr><td><code>resources</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-ResourceSpec"><code>[]ResourceSpec</code></a>
+<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   Resources to consider when scoring.
-The default resource set includes "cpu" and "memory" with an equal weight.
-Allowed weights go from 1 to 100.
-Weight defaults to 1 if not specified or explicitly set to 0.
+   Name defines the name of plugin being configured
    -->
-   <p><code>resources</code> 设置在评分时要考虑的资源。</p>
-   <p>默认的资源集合包含 "cpu" 和 "memory"，且二者权重相同。</p>
-   <p>权重的取值范围为 1 到 100。</p>
-   <p>当权重未设置或者显式设置为 0 时，意味着使用默认值 1。</p>
+   <p><code>name</code> 是所配置的插件的名称。</p>
 </td>
 </tr>
-<tr><td><code>requestedToCapacityRatio</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta2-RequestedToCapacityRatioParam"><code>RequestedToCapacityRatioParam</code></a>
+<tr><td><code>args</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime/#RawExtension"><code>k8s.io/apimachinery/pkg/runtime.RawExtension</code></a>
 </td>
 <td>
    <!--
-   Arguments specific to RequestedToCapacityRatio strategy.
+   Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure.
    -->
-   特定于 RequestedToCapacityRatio 策略的参数。
+   <p><code>args</code> 定义在初始化阶段要传递给插件的参数。参数可以为任意结构。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `ScoringStrategyType`     {#kubescheduler-config-k8s-io-v1beta2-ScoringStrategyType}
-
- <!--
-(Alias of `string`)
-
-**Appears in:**
--->
-（`string` 数据类型的别名）
-
-**出现在：**
-   
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy)
-
-<!--
-ScoringStrategyType the type of scoring strategy used in NodeResourcesFit plugin.
--->
-ScoringStrategyType 是 NodeResourcesFit 插件所使用的的评分策略类型。
-
-## `UtilizationShapePoint`     {#kubescheduler-config-k8s-io-v1beta2-UtilizationShapePoint}
+## `PluginSet`     {#kubescheduler-config-k8s-io-v1beta2-PluginSet}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta2-VolumeBindingArgs)
-- [RequestedToCapacityRatioParam](#kubescheduler-config-k8s-io-v1beta2-RequestedToCapacityRatioParam)
+- [Plugins](#kubescheduler-config-k8s-io-v1beta2-Plugins)
 
 <!--
-UtilizationShapePoint represents single point of priority function shape.
+PluginSet specifies enabled and disabled plugins for an extension point.
+If an array is empty, missing, or nil, default plugins at that extension point will be used.
 -->
-UtilizationShapePoint 代表的是优先级函数曲线中的一个评分点。
+<p>PluginSet 为某扩展点设置要启用或禁用的插件。
+如果数组为空，或者取值为 null，则使用该扩展点的默认插件集合。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
   
-<tr><td><code>utilization</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
+<tr><td><code>enabled</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-Plugin"><code>[]Plugin</code></a>
 </td>
 <td>
    <!--
-   Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
+   Enabled specifies plugins that should be enabled in addition to default plugins.
+If the default plugin is also configured in the scheduler config file, the weight of plugin will
+be overridden accordingly.
+These are called after default plugins and in the same order specified here.
    -->
-   利用率（x 轴）。合法值为 0 到 100。完全被利用的节点映射到 100。
+   <p><code>enabled</code> 设置在默认插件之外要启用的插件。
+   如果在调度器的配置文件中也配置了默认插件，则对应插件的权重会被覆盖。
+   此处所设置的插件会在默认插件之后被调用，调用顺序与数组中元素顺序相同。</p>
 </td>
 </tr>
-<tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
+<tr><td><code>disabled</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-Plugin"><code>[]Plugin</code></a>
 </td>
 <td>
    <!--
-   Score assigned to given utilization (y axis). Valid values are 0 to 10.
+   Disabled specifies default plugins that should be disabled.
+When all default plugins need to be disabled, an array containing only one "&lowast;" should be provided.
    -->
-   分配给指定利用率的分值（y 轴）。合法值为 0 到 10。
+   <p><code>disabled</code> 设置要被禁用的默认插件。
+   如果需要禁用所有的默认插件，应该提供仅包含一个元素 &quot;&lowast;&quot; 的数组。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `ClientConnectionConfiguration`     {#ClientConnectionConfiguration}
+## `Plugins`     {#kubescheduler-config-k8s-io-v1beta2-Plugins}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+- [KubeSchedulerProfile](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerProfile)
 
 <!--
-ClientConnectionConfiguration contains details for constructing a client.
+Plugins include multiple extension points. When specified, the list of plugins for
+a particular extension point are the only ones enabled. If an extension point is
+omitted from the config, then the default set of plugins is used for that extension point.
+Enabled plugins are called in the order specified here, after default plugins. If they need to
+be invoked before default plugins, default plugins must be disabled and re-enabled here in desired order.
 -->
-ClientConnectionConfiguration 中包含用来构造一个客户端所需的细节。
+<p>Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定扩展点所启用的所有插件都在这一列表中。
+如果配置中不包含某个扩展点，则使用该扩展点的默认插件集合。
+被启用的插件的调用顺序与这里指定的顺序相同，都在默认插件之后调用。
+如果它们需要在默认插件之前调用，则需要先行禁止默认插件，之后在这里按期望的顺序重新启用。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
   
-<tr><td><code>kubeconfig</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>queueSort</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+</td>
+<td>
+   <!--
+   QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue.
+   -->
+   <p><code>queueSort</code> 是一个在对调度队列中 Pod 排序时要调用的插件列表。</p>
+</td>
+</tr>
+<tr><td><code>preFilter</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+</td>
+<td>
+   <!--
+   PreFilter is a list of plugins that should be invoked at "PreFilter" extension point of the scheduling framework.
+   -->
+   <p><code>preFilter</code> 是一个在调度框架中“PreFilter（预过滤）”扩展点上要调用的插件列表。</p>
+</td>
+</tr>
+<tr><td><code>filter</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+</td>
+<td>
+   <!--
+   Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod.
+   -->
+   <p><code>filter</code> 是一个在需要过滤掉无法运行 Pod 的节点时被调用的插件列表。</p>
+</td>
+</tr>
+<tr><td><code>postFilter</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+</td>
+<td>
+   <!--
+   PostFilter is a list of plugins that are invoked after filtering phase, but only when no feasible nodes were found for the pod.
+   -->
+   <p><code>postFilter</code> 是一个在过滤阶段结束后会被调用的插件列表；
+   这里的插件只有在找不到合适的节点来运行 Pod 时才会被调用。</p>
+</td>
+</tr>
+<tr><td><code>preScore</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   kubeconfig is the path to a KubeConfig file.
+   PreScore is a list of plugins that are invoked before scoring.
    -->
-   此字段为指向某 KubeConfig 文件的路径。
+   <p><code>preScore</code> 是一个在打分之前要调用的插件列表。</p>
 </td>
 </tr>
-<tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
-default value of 'application/json'. This field will control all connections to the server used by a particular client.
+   Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase.
    -->
-   <code>acceptContentTypes</code> 定义的是客户端与服务器建立连接时要发送的
-Accept 头部；这里的设置值会覆盖默认值 "application/json"。
-此字段会影响某特定客户端与服务器的所有连接。
+   <p><code>score</code> 是一个在对已经通过过滤阶段的节点进行排序时调用的插件的列表。</p>
 </td>
 </tr>
-<tr><td><code>contentType</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>reserve</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   contentType is the content type used when sending data to the server from this client.
+   Reserve is a list of plugins invoked when reserving/unreserving resources
+after a node is assigned to run the pod.
    -->
-   <code>contentType</code> 包含的是此客户端向服务器发送数据时使用的
-内容类型（Content Type）。
+   <p><code>reserve</code> 是一组在运行 Pod 的节点已被选定后，需要预留或者释放资源时调用的插件的列表。</p>
 </td>
 </tr>
-<tr><td><code>qps</code> <B><!--[Required]-->[必需]</B><br/>
-<code>float32</code>
+<tr><td><code>permit</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   qps controls the number of queries per second allowed for this connection.
+   Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod.
    -->
-   <code>qps</code> 控制的是此连接上每秒可以发送的查询个数。
+   <p><code>permit</code> 是一个用来控制 Pod 绑定关系的插件列表。
+   这些插件可以禁止或者延迟 Pod 的绑定。</p>
 </td>
 </tr>
-<tr><td><code>burst</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
+<tr><td><code>preBind</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   burst allows extra queries to accumulate when a client is exceeding its rate.
+   PreBind is a list of plugins that should be invoked before a pod is bound.
    -->
-   <code>burst</code> 允许在客户端超出其速率限制时可以累积的额外查询个数。
+   <p><code>preBind</code> 是一个在 Pod 被绑定到某节点之前要被调用的插件的列表。</p>
 </td>
 </tr>
-</tbody>
-</table>
-
-## `DebuggingConfiguration`     {#DebuggingConfiguration}
-    
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
-
-<!--
-DebuggingConfiguration holds configuration for Debugging related features.
--->
-DebuggingConfiguration 保存与调试功能相关的配置。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-  
-<tr><td><code>enableProfiling</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
+<tr><td><code>bind</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   enableProfiling enables profiling via web interface host:port/debug/pprof/
+   Bind is a list of plugins that should be invoked at "Bind" extension point of the scheduling framework.
+The scheduler call these plugins in order. Scheduler skips the rest of these plugins as soon as one returns success.
    -->
-   此字段允许通过 Web 接口 host:port/debug/pprof/ 执行性能分析。
+   <p><code>bind</code> 是一个在调度框架中&quot;Bind（绑定）&quot;扩展点上要调用的插件的列表。
+   调度器按顺序调用这些插件。只要其中某个插件返回成功，则调度器就略过余下的插件。</p>
 </td>
 </tr>
-<tr><td><code>enableContentionProfiling</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
+<tr><td><code>postBind</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
 </td>
 <td>
    <!--
-   enableContentionProfiling enables lock contention profiling, if
-enableProfiling is true.
+   PostBind is a list of plugins that should be invoked after a pod is successfully bound.
+   -->
+   <p><code>postBind</code> 是一个在 Pod 已经被成功绑定之后要调用的插件的列表。</p>
+</td>
+</tr>
+<tr><td><code>multiPoint</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-PluginSet"><code>PluginSet</code></a>
+</td>
+<td>
+   <!--
+   MultiPoint is a simplified config section to enable plugins for all valid extension points.
    -->
-   此字段在 <code>enableProfiling</code> 为 true 时允许执行锁竞争分析。
+   <p><code>multiPoint</code> 是一个简化的配置段落，用来为所有合法的扩展点启用插件。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `FormatOptions`     {#FormatOptions}
+## `PodTopologySpreadConstraintsDefaulting`     {#kubescheduler-config-k8s-io-v1beta2-PodTopologySpreadConstraintsDefaulting}
+
+ <!--
+(Alias of `string`)
+
+**Appears in:**
+-->
+（`string` 类型的别名）
+
+**出现在：**
+   
+- [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta2-PodTopologySpreadArgs)
+
+<!--
+PodTopologySpreadConstraintsDefaulting defines how to set default constraints
+for the PodTopologySpread plugin.
+-->
+<p>PodTopologySpreadConstraintsDefaulting 定义如何为
+PodTopologySpread 插件设置默认的约束。</p>
+
+## `RequestedToCapacityRatioParam`     {#kubescheduler-config-k8s-io-v1beta2-RequestedToCapacityRatioParam}
     
 <!--
 **Appears in:**
 -->
+**出现在：**
+
+- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy)
 
 <!--
-FormatOptions contains options for the different logging formats.
+RequestedToCapacityRatioParam define RequestedToCapacityRatio parameters
 -->
-FormatOptions 中包含不同日志格式的配置选项。
+<p>RequestedToCapacityRatioParam 结构定义 RequestedToCapacityRatio 的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
-    
-<tr><td><code>json</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#JSONOptions"><code>JSONOptions</code></a>
+  
+<tr><td><code>shape</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-UtilizationShapePoint"><code>[]UtilizationShapePoint</code></a>
 </td>
 <td>
    <!--
-   [Experimental] JSON contains options for logging format "json".
+   Shape is a list of points defining the scoring function shape.
    -->
-   [实验特性] <code>json</code> 字段包含为 "json" 日志格式提供的配置选项。
+   <p><code>shape</code> 是一个定义评分函数曲线的计分点的列表。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `JSONOptions`     {#JSONOptions}
-
+## `ResourceSpec`     {#kubescheduler-config-k8s-io-v1beta2-ResourceSpec}
+    
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [FormatOptions](#FormatOptions)
+- [NodeResourcesBalancedAllocationArgs](#kubescheduler-config-k8s-io-v1beta2-NodeResourcesBalancedAllocationArgs)
+- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy)
 
 <!--
-JSONOptions contains options for logging format "json".
+ResourceSpec represents a single resource.
 -->
-JSONOptions 包含为 "json" 日志格式所设置的配置选项。
+<p>ResourceSpec 用来代表某个资源。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
-    
-<tr><td><code>splitStream</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
+  
+<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
 </td>
 <td>
    <!--
-   [Experimental] SplitStream redirects error messages to stderr while
-info messages go to stdout, with buffering. The default is to write
-both to stdout, without buffering.
+   Name of the resource.
    -->
-   [实验特性] 此字段将错误信息重定向到标准错误输出（stderr），将提示消息
-重定向到标准输出（stdout），并且支持缓存。默认配置为将二者都输出到
-标准输出（stdout），且不提供缓存。
+   <p>资源名称。</p>
 </td>
 </tr>
-<tr><td><code>infoBufferSize</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#QuantityValue"><code>k8s.io/apimachinery/pkg/api/resource.QuantityValue</code></a>
+<tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int64</code>
 </td>
 <td>
    <!--
-   [Experimental] InfoBufferSize sets the size of the info stream when
-using split streams. The default is zero, which disables buffering.
+   Weight of the resource.
    -->
-   [实验特性] <code>infoBufferSize</code> 用来在分离数据流场景是设置提示
-信息数据流的大小。默认值为 0，意味着禁止缓存。
+   <p>资源权重。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `LeaderElectionConfiguration`     {#LeaderElectionConfiguration}
+## `ScoringStrategy`     {#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy}
     
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+- [NodeResourcesFitArgs](#kubescheduler-config-k8s-io-v1beta2-NodeResourcesFitArgs)
 
 <!--
-LeaderElectionConfiguration defines the configuration of leader election
-clients for components that can run with leader election enabled.
+ScoringStrategy define ScoringStrategyType for node resource plugin
 -->
-LeaderElectionConfiguration 为能够支持领导者选举的组件定义其领导者选举
-客户端的配置。
+<p>ScoringStrategy 为节点资源插件定义 ScoringStrategyType。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
   
-<tr><td><code>leaderElect</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   leaderElect enables a leader election client to gain leadership
-before executing the main loop. Enable this when running replicated
-components for high availability.
-   -->
-   <code>leaderElect</code> 启用领导者选举客户端，从而在进入主循环执行之前
-先要获得领导者角色。当运行多副本组件时启用此功能有助于提高可用性。
-</td>
-</tr>
-<tr><td><code>leaseDuration</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
-</td>
-<td>
-   <!--
-   leaseDuration is the duration that non-leader candidates will wait
-after observing a leadership renewal until attempting to acquire
-leadership of a led but unrenewed leader slot. This is effectively the
-maximum duration that a leader can be stopped before it is replaced
-by another candidate. This is only applicable if leader election is
-enabled.
-   -->
-   <code>leaseDuration</code> 是非领导角色候选者在观察到需要领导席位更新时
-要等待的时间；只有经过所设置时长才可以尝试去获得一个仍处于领导状态但需要
-被刷新的席位。这里的设置值本质上意味着某个领导者在被另一个候选者替换掉
-之前可以停止运行的最长时长。只有当启用了领导者选举时此字段有意义。
-</td>
-</tr>
-<tr><td><code>renewDeadline</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<tr><td><code>type</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-ScoringStrategyType"><code>ScoringStrategyType</code></a>
 </td>
 <td>
    <!--
-   renewDeadline is the interval between attempts by the acting master to
-renew a leadership slot before it stops leading. This must be less
-than or equal to the lease duration. This is only applicable if leader
-election is enabled.
+   Type selects which strategy to run.
    -->
-   <code>renewDeadline</code> 设置的是当前领导者在停止扮演领导角色之前
-需要刷新领导状态的时间间隔。此值必须小于或等于租约期限的长度。
-只有到启用了领导者选举时此字段才有意义。
+   <p><code>type</code> 用来选择要运行的策略。</p>
 </td>
 </tr>
-<tr><td><code>retryPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<tr><td><code>resources</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-ResourceSpec"><code>[]ResourceSpec</code></a>
 </td>
 <td>
    <!--
-   retryPeriod is the duration the clients should wait between attempting
-acquisition and renewal of a leadership. This is only applicable if
-leader election is enabled.
+   Resources to consider when scoring.
+The default resource set includes "cpu" and "memory" with an equal weight.
+Allowed weights go from 1 to 100.
+Weight defaults to 1 if not specified or explicitly set to 0.
    -->
-   <code>retryPeriod</code> 是客户端在连续两次尝试获得或者刷新领导状态
-之间需要等待的时长。只有当启用了领导者选举时此字段才有意义。
+   <p><code>resources</code> 设置在评分时要考虑的资源。</p>
+   <p>默认的资源集合包含 &quot;cpu&quot; 和 &quot;memory&quot;，且二者权重相同。</p>
+   <p>权重的取值范围为 1 到 100。</p>
+   <p>当权重未设置或者显式设置为 0 时，意味着使用默认值 1。</p>
 </td>
 </tr>
-<tr><td><code>resourceLock</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>requestedToCapacityRatio</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta2-RequestedToCapacityRatioParam"><code>RequestedToCapacityRatioParam</code></a>
 </td>
 <td>
    <!--
-   resourceLock indicates the resource object type that will be used to lock
-during leader election cycles.
+   Arguments specific to RequestedToCapacityRatio strategy.
    -->
-   此字段给出在领导者选举期间要作为锁来使用的资源对象类型。
+   <p>特定于 RequestedToCapacityRatio 策略的参数。</p>
 </td>
 </tr>
-<tr><td><code>resourceName</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+</tbody>
+</table>
+
+## `ScoringStrategyType`     {#kubescheduler-config-k8s-io-v1beta2-ScoringStrategyType}
+
+ <!--
+(Alias of `string`)
+
+**Appears in:**
+-->
+（`string` 数据类型的别名）
+
+**出现在：**
+   
+- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta2-ScoringStrategy)
+
+<!--
+ScoringStrategyType the type of scoring strategy used in NodeResourcesFit plugin.
+-->
+<p>ScoringStrategyType 是 NodeResourcesFit 插件所使用的的评分策略类型。</p>
+
+## `UtilizationShapePoint`     {#kubescheduler-config-k8s-io-v1beta2-UtilizationShapePoint}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta2-VolumeBindingArgs)
+- [RequestedToCapacityRatioParam](#kubescheduler-config-k8s-io-v1beta2-RequestedToCapacityRatioParam)
+
+<!--
+UtilizationShapePoint represents single point of priority function shape.
+-->
+<p>UtilizationShapePoint 代表的是优先级函数曲线中的一个评分点。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+  
+<tr><td><code>utilization</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
 </td>
 <td>
    <!--
-   resourceName indicates the name of resource object that will be used to lock
-during leader election cycles.
+   Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
    -->
-   此字段给出在领导者选举期间要作为锁来使用的资源对象名称。
+   <p>利用率（x 轴）。合法值为 0 到 100。完全被利用的节点映射到 100。</p>
 </td>
 </tr>
-<tr><td><code>resourceNamespace</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
 </td>
 <td>
    <!--
-   resourceName indicates the namespace of resource object that will be used to lock
-during leader election cycles.
+   Score assigned to given utilization (y axis). Valid values are 0 to 10.
    -->
-   此字段给出在领导者选举期间要作为锁来使用的资源对象所在名字空间。
+   <p>分配给指定利用率的分值（y 轴）。合法值为 0 到 10。</p>
 </td>
 </tr>
 </tbody>
 </table>
-
-## `VModuleConfiguration`     {#VModuleConfiguration}
-
- <!--
-(Alias of `[]k8s.io/component-base/config/v1alpha1.VModuleItem`)
-
-**Appears in:**
--->
-（`[]k8s.io/component-base/config/v1alpha1.VModuleItem` 的别名)
-
-<!--
-VModuleConfiguration is a collection of individual file names or patterns
-and the corresponding verbosity threshold.
--->
-VModuleConfiguration 是一组文件名（通配符）及其对应的日志详尽程度阈值。
-
diff --git a/content/zh/docs/reference/config-api/kube-scheduler-config.v1beta3.md b/content/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3.md
similarity index 68%
rename from content/zh/docs/reference/config-api/kube-scheduler-config.v1beta3.md
rename to content/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3.md
index d20017253ff4a..a886979a82fe0 100644
--- a/content/zh/docs/reference/config-api/kube-scheduler-config.v1beta3.md
+++ b/content/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3.md
@@ -25,13 +25,444 @@ auto_generated: true
 - [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadArgs)
 - [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta3-VolumeBindingArgs)
 
+## `ClientConnectionConfiguration`     {#ClientConnectionConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+
+<!--
+ClientConnectionConfiguration contains details for constructing a client.
+-->
+<p>ClientConnectionConfiguration 中包含用来构造客户端所需的细节。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>kubeconfig</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   kubeconfig is the path to a KubeConfig file.
+   -->
+   <p>此字段为指向 KubeConfig 文件的路径。</p>
+</td>
+</tr>
+<tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
+default value of 'application/json'. This field will control all connections to the server used by a particular client.
+   -->
+   <p>
+   <code>acceptContentTypes</code> 定义的是客户端与服务器建立连接时要发送的 Accept 头部，
+   这里的设置值会覆盖默认值 "application/json"。此字段会影响某特定客户端与服务器的所有连接。
+   </p>
+</td>
+</tr>
+<tr><td><code>contentType</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   contentType is the content type used when sending data to the server from this client.
+   -->
+   <p>
+   <code>contentType</code> 包含的是此客户端向服务器发送数据时使用的内容类型（Content Type）。
+   </p>
+</td>
+</tr>
+<tr><td><code>qps</code> <B><!--[Required]-->[必需]</B><br/>
+<code>float32</code>
+</td>
+<td>
+   <!--
+   qps controls the number of queries per second allowed for this connection.
+   -->
+   <p><code>qps</code> 控制此连接允许的每秒查询次数。</p>
+</td>
+</tr>
+<tr><td><code>burst</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
+</td>
+<td>
+   <!--
+   burst allows extra queries to accumulate when a client is exceeding its rate.
+   -->
+   <p><code>burst</code> 允许在客户端超出其速率限制时可以累积的额外查询个数。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `DebuggingConfiguration`     {#DebuggingConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+
+<!--
+DebuggingConfiguration holds configuration for Debugging related features.
+-->
+<p>DebuggingConfiguration 保存与调试功能相关的配置。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>enableProfiling</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   enableProfiling enables profiling via web interface host:port/debug/pprof/
+   -->
+   <p>此字段允许通过 Web 接口 host:port/debug/pprof/ 执行性能分析。</p>
+</td>
+</tr>
+<tr><td><code>enableContentionProfiling</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   enableContentionProfiling enables lock contention profiling, if
+enableProfiling is true.
+   -->
+   <p>此字段在 <code>enableProfiling</code> 为 true 时允许执行锁竞争分析。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `FormatOptions`     {#FormatOptions}
+
+<!--
+**Appears in:**
+-->
+
+<!--
+FormatOptions contains options for the different logging formats.
+-->
+<p>FormatOptions 中包含不同日志格式的配置选项。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>json</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#JSONOptions"><code>JSONOptions</code></a>
+</td>
+<td>
+   <!--
+   [Experimental] JSON contains options for logging format &quot;json&quot;.
+   -->
+   <p>[实验特性] <code>json</code> 字段包含为 &quot;json&quot; 日志格式提供的配置选项。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `JSONOptions`     {#JSONOptions}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [FormatOptions](#FormatOptions)
+
+<!--
+JSONOptions contains options for logging format &quot;json&quot;.
+-->
+<p>JSONOptions 包含为 &quot;json&quot; 日志格式所设置的配置选项。</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>splitStream</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   [Experimental] SplitStream redirects error messages to stderr while
+info messages go to stdout, with buffering. The default is to write
+both to stdout, without buffering.
+   -->
+   <p>[实验特性] 此字段将错误信息重定向到标准错误输出（stderr），
+   将提示消息重定向到标准输出（stdout），并且支持缓存。
+   默认配置为将二者都输出到标准输出（stdout），且不提供缓存。</p>
+</td>
+</tr>
+<tr><td><code>infoBufferSize</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#QuantityValue"><code>k8s.io/apimachinery/pkg/api/resource.QuantityValue</code></a>
+</td>
+<td>
+   <!--
+   [Experimental] InfoBufferSize sets the size of the info stream when
+using split streams. The default is zero, which disables buffering.
+   -->
+   <p>
+   [实验特性] <code>infoBufferSize</code> 用来在分离数据流场景是设置提示信息数据流的大小。
+   默认值为 0，意味着禁止缓存。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LeaderElectionConfiguration`     {#LeaderElectionConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+
+<!--
+LeaderElectionConfiguration defines the configuration of leader election
+clients for components that can run with leader election enabled.
+-->
+<p>
+LeaderElectionConfiguration 为能够支持领导者选举的组件定义其领导者选举客户端的配置。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>leaderElect</code> <B><!--[Required]-->[必需]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <!--
+   leaderElect enables a leader election client to gain leadership
+before executing the main loop. Enable this when running replicated
+components for high availability.
+   -->
+   <p>
+   <code>leaderElect</code> 允许领导者选举客户端在进入主循环执行之前先获得领导者角色。
+   运行多副本组件时启用此功能有助于提高可用性。
+   </p>
+</td>
+</tr>
+<tr><td><code>leaseDuration</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+   <!--
+   leaseDuration is the duration that non-leader candidates will wait
+after observing a leadership renewal until attempting to acquire
+leadership of a led but unrenewed leader slot. This is effectively the
+maximum duration that a leader can be stopped before it is replaced
+by another candidate. This is only applicable if leader election is
+enabled.
+   -->
+   <p>
+   <code>leaseDuration</code> 是非领导角色候选者在观察到需要领导席位更新时要等待的时间；
+   只有经过所设置时长才可以尝试去获得一个仍处于领导状态但需要被刷新的席位。
+   这里的设置值本质上意味着某个领导者在被另一个候选者替换掉之前可以停止运行的最长时长。
+   只有当启用了领导者选举时此字段有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>renewDeadline</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+   <!--
+   renewDeadline is the interval between attempts by the acting master to
+renew a leadership slot before it stops leading. This must be less
+than or equal to the lease duration. This is only applicable if leader
+election is enabled.
+   -->
+   <p>
+   <code>renewDeadline</code> 设置的是当前领导者在停止扮演领导角色之前需要刷新领导状态的时间间隔。
+   此值必须小于或等于租约期限的长度。只有到启用了领导者选举时此字段才有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>retryPeriod</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+   <!--
+   retryPeriod is the duration the clients should wait between attempting
+acquisition and renewal of a leadership. This is only applicable if
+leader election is enabled.
+   -->
+   <p>
+   <code>retryPeriod</code> 是客户端在连续两次尝试获得或者刷新领导状态之间需要等待的时长。
+   只有当启用了领导者选举时此字段才有意义。
+   </p>
+</td>
+</tr>
+<tr><td><code>resourceLock</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   resourceLock indicates the resource object type that will be used to lock
+during leader election cycles.
+   -->
+   <p>此字段给出在领导者选举期间要作为锁来使用的资源对象类型。</p>
+</td>
+</tr>
+<tr><td><code>resourceName</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   resourceName indicates the name of resource object that will be used to lock
+during leader election cycles.
+   -->
+   <p>此字段给出在领导者选举期间要作为锁来使用的资源对象名称。</p>
+</td>
+</tr>
+<tr><td><code>resourceNamespace</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <!--
+   resourceName indicates the namespace of resource object that will be used to lock
+during leader election cycles.
+   -->
+   <p>此字段给出在领导者选举期间要作为锁来使用的资源对象所在名字空间。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `LoggingConfiguration`     {#LoggingConfiguration}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+
+<!--
+LoggingConfiguration contains logging options
+Refer <a href="https://github.com/kubernetes/component-base/blob/master/logs/options.go">Logs Options</a> for more information.
+-->
+<p>
+LoggingConfiguration 包含日志选项。
+参考 [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) 以了解更多信息。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>format</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+Format Flag specifies the structure of log messages.
+default value of format is <code>text</code>
+-->
+   <p><code>format</code> 设置日志消息的结构。默认的格式取值为 <code>text</code>。</p>
+</td>
+</tr>
+<tr><td><code>flushFrequency</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/time#Duration"><code>time.Duration</code></a>
+</td>
+<td>
+<!--
+Maximum number of nanoseconds (i.e. 1s = 1000000000) between log
+flushes.  Ignored if the selected logging backend writes log
+messages without buffering.
+-->
+   <p>对日志进行清洗的最大间隔纳秒数（例如，1s = 1000000000）。
+   如果所选的日志后端在写入日志消息时不提供缓存，则此配置会被忽略。</p>
+</td>
+</tr>
+<tr><td><code>verbosity</code> <B><!--[Required]-->[必需]</B><br/>
+<code>uint32</code>
+</td>
+<td>
+<!--
+Verbosity is the threshold that determines which log messages are
+logged. Default is zero which logs only the most important
+messages. Higher values enable additional messages. Error messages
+are always logged.
+-->
+   <p><code>verbosity</code> 用来确定日志消息记录的详细程度阈值。
+   默认值为 0，意味着仅记录最重要的消息。
+   数值越大，额外的消息越多。错误消息总是被记录下来。</p>
+</td>
+</tr>
+<tr><td><code>vmodule</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#VModuleConfiguration"><code>VModuleConfiguration</code></a>
+</td>
+<td>
+<!--
+VModule overrides the verbosity threshold for individual files.
+Only supported for &quot;text&quot; log format.
+-->
+   <p><code>vmodule</code> 会在单个文件层面重载 verbosity 阈值的设置。
+   这一选项仅支持 &quot;text&quot; 日志格式。</p>
+</td>
+</tr>
+<tr><td><code>options</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#FormatOptions"><code>FormatOptions</code></a>
+</td>
+<td>
+<!--
+[Experimental] Options holds additional parameters that are specific
+to the different logging formats. Only the options for the selected
+format get used, but all of them get validated.
+-->
+   <p>[实验特性] <code>options</code> 中包含特定于不同日志格式的配置参数。
+   只有针对所选格式的选项会被使用，但是合法性检查时会查看所有选项配置。</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `VModuleConfiguration`     {#VModuleConfiguration}
+
+<!--
+(Alias of `[]k8s.io/component-base/config/v1alpha1.VModuleItem`)
+
+**Appears in:**
+-->
+
+（`[]k8s.io/component-base/config/v1alpha1.VModuleItem` 的别名)
+
+**出现在：**
+
+- [LoggingConfiguration](#LoggingConfiguration)
+
+<!--
+VModuleConfiguration is a collection of individual file names or patterns
+and the corresponding verbosity threshold.
+-->
+<p>VModuleConfiguration 是一组文件名（通配符）及其对应的日志详尽程度阈值。</p>
+
 ## `DefaultPreemptionArgs`     {#kubescheduler-config-k8s-io-v1beta3-DefaultPreemptionArgs}
 
 <!--
 DefaultPreemptionArgs holds arguments used to configure the
 DefaultPreemption plugin.
 -->
-DefaultPreemptionArgs 包含用来配置 DefaultPreemption 插件的参数。
+<p>DefaultPreemptionArgs 包含用来配置 DefaultPreemption 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -50,8 +481,8 @@ shortlist when dry running preemption as a percentage of number of nodes.
 Must be in the range [0, 100]. Defaults to 10% of the cluster size if
 unspecified.
    -->
-   此字段为试运行抢占时 shortlist 中候选节点数的下限，数值为节点数的百分比。
-字段值必须介于 [0, 100] 之间。未指定时默认值为整个集群规模的 10%。
+   <p>此字段为试运行抢占时 shortlist 中候选节点数的下限，数值为节点数的百分比。
+   字段值必须介于 [0, 100] 之间。未指定时默认值为整个集群规模的 10%。</p>
 </td>
 </tr>
 <tr><td><code>minCandidateNodesAbsolute</code> <B><!--[Required]-->[必需]</B><br/>
@@ -67,11 +498,12 @@ We say "likely" because there are other factors such as PDB violations
 that play a role in the number of candidates shortlisted. Must be at least
 0 nodes. Defaults to 100 nodes if unspecified.
    -->
-   此字段设置 shortlist 中候选节点的绝对下限。用于试运行抢占而列举的
-候选节点个数近似于通过下面的公式计算的：<br/>
-候选节点数 = max(节点数 * minCandidateNodesPercentage, minCandidateNodesAbsolute)
-之所以说是“近似于”是因为存在一些类似于 PDB 违例这种因素，会影响到进入 shortlist
-中候选节点的个数。取值至少为 0 节点。若未设置默认为 100 节点。
+   <p>此字段设置 shortlist 中候选节点的绝对下限。
+   用于试运行抢占而列举的候选节点个数近似于通过下面的公式计算的：<br/>
+   候选节点数 = max(节点数 * minCandidateNodesPercentage, minCandidateNodesAbsolute)
+   之所以说是&quot;近似于&quot;是因为存在一些类似于 PDB 违例这种因素，
+   会影响到进入 shortlist中候选节点的个数。
+   取值至少为 0 节点。若未设置默认为 100 节点。</p>
 </td>
 </tr>
 </tbody>
@@ -82,7 +514,7 @@ that play a role in the number of candidates shortlisted. Must be at least
 <!--
 InterPodAffinityArgs holds arguments used to configure the InterPodAffinity plugin.
 -->
-InterPodAffinityArgs 包含用来配置 InterPodAffinity 插件的参数。
+<p>InterPodAffinityArgs 包含用来配置 InterPodAffinity 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -99,8 +531,9 @@ InterPodAffinityArgs 包含用来配置 InterPodAffinity 插件的参数。
    HardPodAffinityWeight is the scoring weight for existing pods with a
 matching hard affinity to the incoming pod.
    -->
-   此字段是一个计分权重值。针对新增的 Pod，要对现存的、带有与新 Pod 匹配的
-硬性亲和性设置的 Pods 计算亲和性得分。
+   <p>此字段是一个计分权重值。针对新增的 Pod，要对现存的、
+   带有与新 Pod 匹配的硬性亲和性设置的 Pods 计算亲和性得分。
+   </p>
 </td>
 </tr>
 </tbody>
@@ -111,7 +544,7 @@ matching hard affinity to the incoming pod.
 <!--
 KubeSchedulerConfiguration configures a scheduler
 -->
-KubeSchedulerConfiguration 用来配置调度器。
+<p>KubeSchedulerConfiguration 用来配置调度器。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -127,8 +560,9 @@ KubeSchedulerConfiguration 用来配置调度器。
    <!--
    Parallelism defines the amount of parallelism in algorithms for scheduling a Pods. Must be greater than 0. Defaults to 16
    -->
-   此字段设置为调度 Pod 而执行算法时的并发度。此值必须大于 0。
-默认值为 16。
+   <p>
+   此字段设置为调度 Pod 而执行算法时的并发度。此值必须大于 0。默认值为 16。
+   </p>
 </td>
 </tr>
 <tr><td><code>leaderElection</code> <B><!--[Required]-->[必需]</B><br/>
@@ -138,7 +572,7 @@ KubeSchedulerConfiguration 用来配置调度器。
    <!--
    LeaderElection defines the configuration of leader election client.
    -->
-   此字段用来定义领导者选举客户端的配置。
+   <p>此字段用来定义领导者选举客户端的配置。</p>
 </td>
 </tr>
 <tr><td><code>clientConnection</code> <B><!--[Required]-->[必需]</B><br/>
@@ -149,18 +583,22 @@ KubeSchedulerConfiguration 用来配置调度器。
    ClientConnection specifies the kubeconfig file and client connection
 settings for the proxy server to use when communicating with the apiserver.
    -->
-   此字段为与 API 服务器通信时使用的代理服务器设置 kubeconfig 文件和客户端
-连接配置。
+   <p>此字段为与 API 服务器通信时使用的代理服务器设置 kubeconfig 文件和客户端连接配置。</p>
 </td>
 </tr>
 <tr><td><code>DebuggingConfiguration</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#DebuggingConfiguration"><code>DebuggingConfiguration</code></a>
 </td>
+<!--
+(Members of <code>DebuggingConfiguration</code> are embedded into this type.)
+-->
 <td>（<code>DebuggingConfiguration</code> 的成员被内嵌到此类型中）
    <!--
    DebuggingConfiguration holds configuration for Debugging related features
+   TODO: We might wanna make this a substruct like Debugging componentbaseconfigv1alpha1.DebuggingConfiguration
    -->
-   此字段设置与调试相关功能特性的配置。
+   <p>此字段设置与调试相关功能特性的配置。
+   TODO：我们可能想把它做成一个子结构，像调试 component-base/config/v1alpha1.DebuggingConfiguration 一样。</p>
 </td>
 </tr>
 <tr><td><code>percentageOfNodesToScore</code> <B><!--[Required]-->[必需]</B><br/>
@@ -177,12 +615,14 @@ then scheduler stops finding further feasible nodes once it finds 150 feasible o
 When the value is 0, default percentage (5%--50% based on the size of the cluster) of the
 nodes will be scored.
    -->
+   <p>
    此字段为所有节点的百分比，一旦调度器找到所设置比例的、能够运行 Pod 的节点，
-则停止在集群中继续寻找更合适的节点。这一配置有助于提高调度器的性能。调度器
-总会尝试寻找至少 "minFeasibleNodesToFind" 个可行节点，无论此字段的取值如何。
-例如：当集群规模为 500 个节点，而此字段的取值为 30，则调度器在找到 150 个合适
-的节点后会停止继续寻找合适的节点。当此值为 0 时，调度器会使用默认节点数百分比（基于集群规模
-确定的值，在 5% 到 50% 之间）来执行打分操作。
+   则停止在集群中继续寻找更合适的节点。这一配置有助于提高调度器的性能。
+   调度器总会尝试寻找至少 &quot;minFeasibleNodesToFind&quot; 个可行节点，无论此字段的取值如何。
+   例如：当集群规模为 500 个节点，而此字段的取值为 30，
+   则调度器在找到 150 个合适的节点后会停止继续寻找合适的节点。当此值为 0 时，
+   调度器会使用默认节点数百分比（基于集群规模确定的值，在 5% 到 50% 之间）来执行打分操作。
+   </p>
 </td>
 </tr>
 <tr><td><code>podInitialBackoffSeconds</code> <B><!--[Required]-->[必需]</B><br/>
@@ -194,8 +634,8 @@ nodes will be scored.
 If specified, it must be greater than 0. If this value is null, the default value (1s)
 will be used.
    -->
-   此字段设置不可调度 Pod 的初始回退秒数。如果设置了此字段，其取值必须大于零。
-若此值为 null，则使用默认值（1s）。
+   <p>此字段设置不可调度 Pod 的初始回退秒数。如果设置了此字段，其取值必须大于零。
+   若此值为 null，则使用默认值（1s）。</p>
 </td>
 </tr>
 <tr><td><code>podMaxBackoffSeconds</code> <B><!--[Required]-->[必需]</B><br/>
@@ -207,8 +647,9 @@ will be used.
 If specified, it must be greater than podInitialBackoffSeconds. If this value is null,
 the default value (10s) will be used.
    -->
-   此字段设置不可调度的 Pod 的最大回退秒数。如果设置了此字段，则其值必须大于
-podInitialBackoffSeconds 字段值。如果此值设置为 null，则使用默认值（10s）。
+   <p>此字段设置不可调度的 Pod 的最大回退秒数。
+   如果设置了此字段，则其值必须大于 podInitialBackoffSeconds 字段值。
+   如果此值设置为 null，则使用默认值（10s）。</p>
 </td>
 </tr>
 <tr><td><code>profiles</code> <B><!--[Required]-->[必需]</B><br/>
@@ -221,9 +662,10 @@ choose to be scheduled under a particular profile by setting its associated
 scheduler name. Pods that don't specify any scheduler name are scheduled
 with the "default-scheduler" profile, if present here.
    -->
-   此字段为 kube-scheduler 所支持的方案（profiles）。Pod 可以通过设置其对应
-的调度器名称来选择使用特定的方案。未指定调度器名称的 Pod 会使用
-“default-scheduler”方案来调度，如果存在的话。
+   <p>此字段为 kube-scheduler 所支持的方案（profiles）。
+   Pod 可以通过设置其对应的调度器名称来选择使用特定的方案。
+   未指定调度器名称的 Pod 会使用&quot;default-scheduler&quot;方案来调度，如果存在的话。
+   </p>
 </td>
 </tr>
 <tr><td><code>extenders</code> <B><!--[Required]-->[必需]</B><br/>
@@ -234,8 +676,9 @@ with the "default-scheduler" profile, if present here.
    Extenders are the list of scheduler extenders, each holding the values of how to communicate
 with the extender. These extenders are shared by all scheduler profiles.
    -->
-   此字段为调度器扩展模块（Extender）的列表，每个元素包含如何与某扩展模块
-通信的配置信息。所有调度器模仿会共享此扩展模块列表。
+   <p>此字段为调度器扩展模块（Extender）的列表，
+   每个元素包含如何与某扩展模块通信的配置信息。
+   所有调度器模仿会共享此扩展模块列表。</p>
 </td>
 </tr>
 </tbody>
@@ -246,7 +689,7 @@ with the extender. These extenders are shared by all scheduler profiles.
 <!--
 NodeAffinityArgs holds arguments to configure the NodeAffinity plugin.
 -->
-NodeAffinityArgs 中包含配置 NodeAffinity 插件的参数。
+<p>NodeAffinityArgs 中包含配置 NodeAffinity 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -267,11 +710,12 @@ match).
 When AddedAffinity is used, some Pods with affinity requirements that match
 a specific Node (such as Daemonset Pods) might remain unschedulable.
    -->
-   <code>addedAffinity</code> 会作为附加的亲和性属性添加到所有 Pod 的
-规约中指定的 NodeAffinity 中。换言之，节点需要同时满足 addedAffinity
-和 .spec.nodeAffinity。默认情况下，addedAffinity 为空（与所有节点匹配）。
-使用了 addedAffinity 时，某些带有已经能够与某特定节点匹配的亲和性需求
-的 Pod （例如 DaemonSet Pod）可能会继续呈现不可调度状态。
+   <p>
+   <code>addedAffinity</code> 会作为附加的亲和性属性添加到所有 Pod 的规约中指定的 NodeAffinity 中。
+   换言之，节点需要同时满足 addedAffinity 和 .spec.nodeAffinity。
+   默认情况下，addedAffinity 为空（与所有节点匹配）。使用了 addedAffinity 时，
+   某些带有已经能够与某特定节点匹配的亲和性需求的 Pod （例如 DaemonSet Pod）可能会继续呈现不可调度状态。
+   </p>
 </td>
 </tr>
 </tbody>
@@ -282,7 +726,7 @@ a specific Node (such as Daemonset Pods) might remain unschedulable.
 <!--
 NodeResourcesBalancedAllocationArgs holds arguments used to configure NodeResourcesBalancedAllocation plugin.
 -->
-NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllocation 插件的参数。
+<p>NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllocation 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -298,7 +742,7 @@ NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllo
    <!--
    Resources to be managed, the default is "cpu" and "memory" if not specified.
    -->
-   要管理的资源；如果未设置，则默认值为 "cpu" 和 "memory"。
+   <p>要管理的资源；如果未设置，则默认值为 &quot;cpu&quot; 和 &quot;memory&quot;。</p>
 </td>
 </tr>
 </tbody>
@@ -309,7 +753,7 @@ NodeResourcesBalancedAllocationArgs 包含用来配置 NodeResourcesBalancedAllo
 <!--
 NodeResourcesFitArgs holds arguments used to configure the NodeResourcesFit plugin.
 -->
-NodeResourcesFitArgs 包含用来配置 NodeResourcesFit 插件的参数。
+<p>NodeResourcesFitArgs 包含用来配置 NodeResourcesFit 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -326,7 +770,7 @@ NodeResourcesFitArgs 包含用来配置 NodeResourcesFit 插件的参数。
    IgnoredResources is the list of resources that NodeResources fit filter
 should ignore. This doesn't apply to scoring.
    -->
-   此字段为 NodeResources 匹配过滤器要忽略的资源列表。此列表不影响节点打分。
+   <p>此字段为 NodeResources 匹配过滤器要忽略的资源列表。此列表不影响节点打分。</p>
 </td>
 </tr>
 <tr><td><code>ignoredResourceGroups</code> <B><!--[Required]-->[必需]</B><br/>
@@ -339,10 +783,11 @@ e.g. if group is ["example.com"], it will ignore all resource names that begin
 with "example.com", such as "example.com/aaa" and "example.com/bbb".
 A resource group name can't contain '/'. This doesn't apply to scoring.
    -->
-   此字段定义 NodeResources 匹配过滤器要忽略的资源组列表。
-例如，如果配置值为 ["example.com"]，则以 "example.com" 开头的资源名（如
-"example.com/aaa" 和 "example.com/bbb"）都会被忽略。
-资源组名称中不可以包含 '/'。此设置不影响节点的打分。
+   <p>此字段定义 NodeResources 匹配过滤器要忽略的资源组列表。
+   例如，如果配置值为 [&quot;example.com&quot;]，
+   则以 &quot;example.com&quot; 开头的资源名
+   （如&quot;example.com/aaa&quot; 和 &quot;example.com/bbb&quot;）都会被忽略。
+   资源组名称中不可以包含 '/'。此设置不影响节点的打分。</p>
 </td>
 </tr>
 <tr><td><code>scoringStrategy</code> <B><!--[Required]-->[必需]</B><br/>
@@ -353,8 +798,8 @@ A resource group name can't contain '/'. This doesn't apply to scoring.
    ScoringStrategy selects the node resource scoring strategy.
 The default strategy is LeastAllocated with an equal "cpu" and "memory" weight.
    -->
-   此字段用来选择节点资源打分策略。默认的策略为 LeastAllocated，且 "cpu" 和
-"memory" 的权重相同。
+   <p>此字段用来选择节点资源打分策略。默认的策略为 LeastAllocated，
+   且 &quot;cpu&quot; 和 &quot;memory&quot; 的权重相同。</p>
 </td>
 </tr>
 </tbody>
@@ -365,7 +810,7 @@ The default strategy is LeastAllocated with an equal "cpu" and "memory" weight.
 <!--
 PodTopologySpreadArgs holds arguments used to configure the PodTopologySpread plugin.
 -->
-PodTopologySpreadArgs 包含用来配置 PodTopologySpread 插件的参数。
+<p>PodTopologySpreadArgs 包含用来配置 PodTopologySpread 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -386,11 +831,10 @@ deduced from the Pod's membership to Services, ReplicationControllers,
 ReplicaSets or StatefulSets.
 When not empty, .defaultingType must be "List".
    -->
-   此字段针对未定义 <code>.spec.topologySpreadConstraints</code> 的 Pod，
-为其提供拓扑分布约束。<code>.defaultConstraints[&lowast;].labelSelectors</code>
-必须为空，因为这一信息要从 Pod 所属的 Service、ReplicationController、
-ReplicaSet 或 StatefulSet 来推导。
-此字段不为空时，<code>.defaultingType</code> 必须为 "List"。
+   <p>此字段针对未定义 <code>.spec.topologySpreadConstraints</code> 的 Pod，
+   为其提供拓扑分布约束。<code>.defaultConstraints[&lowast;].labelSelectors</code>必须为空，
+   因为这一信息要从 Pod 所属的 Service、ReplicationController、ReplicaSet 或 StatefulSet 来推导。
+   此字段不为空时，<code>.defaultingType</code> 必须为 &quot;List&quot;。</p>
 </td>
 </tr>
 <tr><td><code>defaultingType</code><br/>
@@ -403,16 +847,15 @@ of "System" or "List".
 - "System": Use kubernetes defined constraints that spread Pods among
   Nodes and Zones.
 - "List": Use constraints defined in .defaultConstraints.
-Defaults to "List" if feature gate DefaultPodTopologySpread is disabled
-and to "System" if enabled.
+Defaults to &quot;System&quot;.
    -->
    <p><code>defaultingType</code> 决定如何推导 <code>.defaultConstraints</code>。
-可选值为 "System" 或 "List"。</p>
+   可选值为 &quot;System&quot; 或 &quot;List&quot;。</p>
    <ul>
-     <li>"System"：使用 Kubernetes 定义的约束，将 Pod 分布到不同节点和可用区；</li>
-     <li>"List"：使用 <code>.defaultConstraints</code> 中定义的约束。</li>
+     <li>&quot;System&quot;：使用 Kubernetes 定义的约束，将 Pod 分布到不同节点和可用区；</li>
+     <li>&quot;List&quot;：使用 <code>.defaultConstraints</code> 中定义的约束。</li>
    </ul>
-   <p>当特性门控 DefaultPodTopologySpread 被禁用时，默认值为 "list"；反之，默认值为 "System"。</p>
+   <p>默认值为 "System"。</p>
 </td>
 </tr>
 </tbody>
@@ -423,7 +866,7 @@ and to "System" if enabled.
 <!--
 VolumeBindingArgs holds arguments used to configure the VolumeBinding plugin.
 -->
-VolumeBindingArgs 包含用来配置 VolumeBinding 插件的参数。
+<p>VolumeBindingArgs 包含用来配置 VolumeBinding 插件的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -441,8 +884,8 @@ VolumeBindingArgs 包含用来配置 VolumeBinding 插件的参数。
 Value must be non-negative integer. The value zero indicates no waiting.
 If this value is nil, the default value (600) will be used.
    -->
-   此字段设置卷绑定操作的超时秒数。字段值必须是非负数。
-取值为 0 意味着不等待。如果此值为 null，则使用默认值（600）。
+   <p>此字段设置卷绑定操作的超时秒数。字段值必须是非负数。
+   取值为 0 意味着不等待。如果此值为 null，则使用默认值（600）。</p>
 </td>
 </tr>
 <tr><td><code>shape</code><br/>
@@ -462,17 +905,17 @@ The default shape points are:
 2) 10 for 100 utilization
 All points must be sorted in increasing order by utilization.
    -->
-   <p><code>shape</code> 用来设置打分函数曲线所使用的计分点，这些计分点
-用来基于静态制备的 PV 卷的利用率为节点打分。
-卷的利用率是计算得来的，将 Pod 所请求的总的存储空间大小除以每个节点
-上可用的总的卷容量。每个计分点包含利用率（范围从 0 到 100）和其对应
-的得分（范围从 0 到 10）。你可以通过为不同的使用率值设置不同的得分来
-反转优先级：</p>
+   <p><code>shape</code> 用来设置打分函数曲线所使用的计分点，
+   这些计分点用来基于静态制备的 PV 卷的利用率为节点打分。
+   卷的利用率是计算得来的，
+   将 Pod 所请求的总的存储空间大小除以每个节点上可用的总的卷容量。
+   每个计分点包含利用率（范围从 0 到 100）和其对应的得分（范围从 0 到 10）。
+   你可以通过为不同的使用率值设置不同的得分来反转优先级：</p>
    <p>默认的曲线计分点为：</p>
-   <ul>
+   <ol>
      <li>利用率为 0 时得分为 0；</li>
      <li>利用率为 100 时得分为 10。</li>
-   </ul>
+   </ol>
    <p>所有计分点必须按利用率值的升序来排序。</p>
 </td>
 </tr>
@@ -492,8 +935,8 @@ All points must be sorted in increasing order by utilization.
 Extender holds the parameters used to communicate with the extender. If a verb is unspecified/empty,
 it is assumed that the extender chose not to provide that extension.
 -->
-Extender 包含与扩展模块（Extender）通信所用的参数。
-如果未指定 verb 或者 verb 为空，则假定对应的扩展模块选择不提供该扩展功能。
+<p>Extender 包含与扩展模块（Extender）通信所用的参数。
+如果未指定 verb 或者 verb 为空，则假定对应的扩展模块选择不提供该扩展功能。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -506,7 +949,7 @@ Extender 包含与扩展模块（Extender）通信所用的参数。
    <!--
    URLPrefix at which the extender is available
    -->
-   用来访问扩展模块的 URL 前缀。
+   <p>用来访问扩展模块的 URL 前缀。</p>
 </td>
 </tr>
 <tr><td><code>filterVerb</code> <B><!--[Required]-->[必需]</B><br/>
@@ -516,8 +959,8 @@ Extender 包含与扩展模块（Extender）通信所用的参数。
    <!--
    Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
    -->
-   filter 调用所使用的动词，如果不支持过滤操作则为空。
-此动词会在向扩展模块发送 filter 调用时追加到 urlPrefix 后面。
+   <p>filter 调用所使用的动词，如果不支持过滤操作则为空。
+   此动词会在向扩展模块发送 filter 调用时追加到 urlPrefix 后面。</p>
 </td>
 </tr>
 <tr><td><code>preemptVerb</code> <B><!--[Required]-->[必需]</B><br/>
@@ -527,8 +970,8 @@ Extender 包含与扩展模块（Extender）通信所用的参数。
    <!--
    Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
    -->
-   preempt 调用所使用的动词，如果不支持过滤操作则为空。
-此动词会在向扩展模块发送 preempt 调用时追加到 urlPrefix 后面。
+   <p>preempt 调用所使用的动词，如果不支持过滤操作则为空。
+   此动词会在向扩展模块发送 preempt 调用时追加到 urlPrefix 后面。</p>
 </td>
 </tr>
 <tr><td><code>prioritizeVerb</code> <B><!--[Required]-->[必需]</B><br/>
@@ -538,8 +981,8 @@ Extender 包含与扩展模块（Extender）通信所用的参数。
    <!--
    Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
    -->
-   prioritize 调用所使用的动词，如果不支持过滤操作则为空。
-此动词会在向扩展模块发送 prioritize 调用时追加到 urlPrefix 后面。
+   <p>prioritize 调用所使用的动词，如果不支持过滤操作则为空。
+   此动词会在向扩展模块发送 prioritize 调用时追加到 urlPrefix 后面。</p>
 </td>
 </tr>
 <tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
@@ -550,8 +993,8 @@ Extender 包含与扩展模块（Extender）通信所用的参数。
    The numeric multiplier for the node scores that the prioritize call generates.
 The weight should be a positive integer
    -->
-   针对 prioritize 调用所生成的节点分数要使用的数值系数。
-weight 值必须是正整数。
+   <p>针对 prioritize 调用所生成的节点分数要使用的数值系数。
+   weight 值必须是正整数。</p>
 </td>
 </tr>
 <tr><td><code>bindVerb</code> <B><!--[Required]-->[必需]</B><br/>
@@ -563,10 +1006,10 @@ weight 值必须是正整数。
 If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender
 can implement this function.
    -->
-   bind 调用所使用的动词，如果不支持过滤操作则为空。
-此动词会在向扩展模块发送 bind 调用时追加到 urlPrefix 后面。
-如果扩展模块实现了此方法，扩展模块要负责将 Pod 绑定到 API 服务器。
-只有一个扩展模块可以实现此函数。
+   <p>bind 调用所使用的动词，如果不支持过滤操作则为空。
+   此动词会在向扩展模块发送 bind 调用时追加到 urlPrefix 后面。
+   如果扩展模块实现了此方法，扩展模块要负责将 Pod 绑定到 API 服务器。
+   只有一个扩展模块可以实现此函数。</p>
 </td>
 </tr>
 <tr><td><code>enableHTTPS</code> <B><!--[Required]-->[必需]</B><br/>
@@ -576,7 +1019,7 @@ can implement this function.
    <!--
    EnableHTTPS specifies whether https should be used to communicate with the extender
    -->
-   此字段设置是否需要使用 HTTPS 来与扩展模块通信。
+   <p>此字段设置是否需要使用 HTTPS 来与扩展模块通信。</p>
 </td>
 </tr>
 <tr><td><code>tlsConfig</code> <B><!--[Required]-->[必需]</B><br/>
@@ -586,20 +1029,20 @@ can implement this function.
    <!--
    TLSConfig specifies the transport layer security config
    -->
-   此字段设置传输层安全性（TLS）配置。
+   <p>此字段设置传输层安全性（TLS）配置。</p>
 </td>
 </tr>
 <tr><td><code>httpTimeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
    HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize
 timeout is ignored, k8s/other extenders priorities are used to select the node.
    -->
-   此字段给出扩展模块功能调用的超时值。filter 操作超时会导致 Pod 无法被调度。
-prioritize 操作超时会被忽略，Kubernetes 或者其他扩展模块所给出的优先级值
-会被用来选择节点。
+   <p>此字段给出扩展模块功能调用的超时值。filter 操作超时会导致 Pod 无法被调度。
+   prioritize 操作超时会被忽略，
+   Kubernetes 或者其他扩展模块所给出的优先级值会被用来选择节点。</p>
 </td>
 </tr>
 <tr><td><code>nodeCacheCapable</code> <B><!--[Required]-->[必需]</B><br/>
@@ -611,8 +1054,8 @@ prioritize 操作超时会被忽略，Kubernetes 或者其他扩展模块所给
 so the scheduler should only send minimal information about the eligible nodes
 assuming that the extender already cached full details of all nodes in the cluster
    -->
-   此字段指示扩展模块可以缓存节点信息，从而调度器应该发送关于可选节点的最少信息，
-假定扩展模块已经缓存了集群中所有节点的全部详细信息。
+   <p>此字段指示扩展模块可以缓存节点信息，从而调度器应该发送关于可选节点的最少信息，
+   假定扩展模块已经缓存了集群中所有节点的全部详细信息。</p>
 </td>
 </tr>
 <tr><td><code>managedResources</code><br/>
@@ -632,9 +1075,9 @@ this extender.
    <p><code>managedResources</code> 是一个由此扩展模块所管理的扩展资源的列表。</p>
    <ul>
      <li>如果某 Pod 请求了此列表中的至少一个扩展资源，则 Pod 会在 filter、
-prioritize 和 bind （如果扩展模块可以执行绑定操作）阶段被发送到该扩展模块。</li>
+      prioritize 和 bind （如果扩展模块可以执行绑定操作）阶段被发送到该扩展模块。</li>
      <li>如果某资源上设置了 <code>ignoredByScheduler</code> 为 true，则 kube-scheduler
-会在断言阶段略过对该资源的检查。</li>
+      会在断言阶段略过对该资源的检查。</li>
    </ul>
 </td>
 </tr>
@@ -646,8 +1089,8 @@ prioritize 和 bind （如果扩展模块可以执行绑定操作）阶段被发
    Ignorable specifies if the extender is ignorable, i.e. scheduling should not
 fail when the extender returns an error or is not reachable.
    -->
-   此字段用来设置扩展模块是否是可忽略的。换言之，当扩展模块返回错误或者
-完全不可达时，调度操作不应失败。
+   <p>此字段用来设置扩展模块是否是可忽略的。
+   换言之，当扩展模块返回错误或者完全不可达时，调度操作不应失败。</p>
 </td>
 </tr>
 </tbody>
@@ -666,7 +1109,7 @@ fail when the extender returns an error or is not reachable.
 ExtenderManagedResource describes the arguments of extended resources
 managed by an extender.
 -->
-ExtenderManagedResource 描述某扩展模块所管理的扩展资源的参数。
+<p>ExtenderManagedResource 描述某扩展模块所管理的扩展资源的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -679,7 +1122,7 @@ ExtenderManagedResource 描述某扩展模块所管理的扩展资源的参数
    <!--
    Name is the extended resource name.
    -->
-   扩展资源的名称。
+   <p>扩展资源的名称。</p>
 </td>
 </tr>
 <tr><td><code>ignoredByScheduler</code> <B><!--[Required]-->[必需]</B><br/>
@@ -690,7 +1133,7 @@ ExtenderManagedResource 描述某扩展模块所管理的扩展资源的参数
    IgnoredByScheduler indicates whether kube-scheduler should ignore this
 resource when applying predicates.
    -->
-   此字段标明 kube-scheduler 是否应在应用断言时忽略此资源。
+   <p>此字段标明 kube-scheduler 是否应在应用断言时忽略此资源。</p>
 </td>
 </tr>
 </tbody>
@@ -708,7 +1151,7 @@ resource when applying predicates.
 <!--
 ExtenderTLSConfig contains settings to enable TLS with extender
 -->
-ExtenderTLSConfig 包含启用与扩展模块间 TLS 传输所需的配置参数。
+<p>ExtenderTLSConfig 包含启用与扩展模块间 TLS 传输所需的配置参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -721,7 +1164,7 @@ ExtenderTLSConfig 包含启用与扩展模块间 TLS 传输所需的配置参数
    <!--
    Server should be accessed without verifying the TLS certificate. For testing only.
    -->
-   访问服务器时不需要检查 TLS 证书。此配置仅针对测试用途。
+   <p>访问服务器时不需要检查 TLS 证书。此配置仅针对测试用途。</p>
 </td>
 </tr>
 <tr><td><code>serverName</code> <B><!--[Required]-->[必需]</B><br/>
@@ -733,9 +1176,10 @@ ExtenderTLSConfig 包含启用与扩展模块间 TLS 传输所需的配置参数
 certificates against. If ServerName is empty, the hostname used to contact the
 server is used.
    -->
-   <code>serverName</code> 会被发送到服务器端，作为 SNI 标志；客户端会使用
-此设置来检查服务器证书。如果 <code>serverName</code> 为空，则会使用联系
-服务器时所用的主机名。
+   <p><code>serverName</code> 会被发送到服务器端，作为 SNI 标志；
+   客户端会使用此设置来检查服务器证书。
+   如果 <code>serverName</code> 为空，则会使用联系服务器时所用的主机名。
+   </p>
 </td>
 </tr>
 <tr><td><code>certFile</code> <B><!--[Required]-->[必需]</B><br/>
@@ -745,7 +1189,7 @@ server is used.
    <!--
    Server requires TLS client certificate authentication
    -->
-   服务器端所要求的 TLS 客户端证书认证。
+   <p>服务器端所要求的 TLS 客户端证书认证。</p>
 </td>
 </tr>
 <tr><td><code>keyFile</code> <B><!--[Required]-->[必需]</B><br/>
@@ -755,7 +1199,7 @@ server is used.
    <!--
    Server requires TLS client certificate authentication
    -->
-   服务器端所要求的 TLS 客户端秘钥认证。
+   <p>服务器端所要求的 TLS 客户端秘钥认证。</p>
 </td>
 </tr>
 <tr><td><code>caFile</code> <B><!--[Required]-->[必需]</B><br/>
@@ -765,7 +1209,7 @@ server is used.
    <!--
    Trusted root certificates for server
    -->
-   服务器端被信任的根证书。
+   <p>服务器端被信任的根证书。</p>
 </td>
 </tr>
 <tr><td><code>certData</code> <B><!--[Required]-->[必需]</B><br/>
@@ -776,8 +1220,8 @@ server is used.
    CertData holds PEM-encoded bytes (typically read from a client certificate file).
 CertData takes precedence over CertFile
    -->
-   <code>certData</code> 包含 PEM 编码的字节流（通常从某客户端证书文件读入）。
-此字段优先级高于 certFile 字段。
+   <p><code>certData</code> 包含 PEM 编码的字节流（通常从某客户端证书文件读入）。
+   此字段优先级高于 certFile 字段。</p>
 </td>
 </tr>
 <tr><td><code>keyData</code> <B><!--[Required]-->[必需]</B><br/>
@@ -788,8 +1232,8 @@ CertData takes precedence over CertFile
    KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
 KeyData takes precedence over KeyFile
    -->
-   <code>keyData</code> 包含 PEM 编码的字节流（通常从某客户端证书秘钥文件读入）。
-此字段优先级高于 keyFile 字段。
+   <p><code>keyData</code> 包含 PEM 编码的字节流（通常从某客户端证书秘钥文件读入）。
+   此字段优先级高于 keyFile 字段。</p>
 </td>
 </tr>
 <tr><td><code>caData</code> <B><!--[Required]-->[必需]</B><br/>
@@ -800,8 +1244,8 @@ KeyData takes precedence over KeyFile
    CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
 CAData takes precedence over CAFile
    -->
-   <code>caData</code> 包含 PEM 编码的字节流（通常从某根证书包文件读入）。
-此字段优先级高于 caFile 字段。
+   <p><code>caData</code> 包含 PEM 编码的字节流（通常从某根证书包文件读入）。
+   此字段优先级高于 caFile 字段。</p>
 </td>
 </tr>
 </tbody>
@@ -819,7 +1263,7 @@ CAData takes precedence over CAFile
 <!--
 KubeSchedulerProfile is a scheduling profile.
 -->
-KubeSchedulerProfile 是一个调度方案。
+<p>KubeSchedulerProfile 是一个调度方案。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -834,9 +1278,9 @@ KubeSchedulerProfile 是一个调度方案。
 if schedulername matches with the pod's "spec.schedulername", then the pod
 is scheduled with this profile.
    -->
-   <code>schedulerName</code> 是与此调度方案相关联的调度器的名称。
-如果 <code>schedulerName</code> 与 Pod 的 <code>spec.schedulerName</code>
-匹配，则该 Pod 会使用此方案来调度。
+   <p><code>schedulerName</code> 是与此调度方案相关联的调度器的名称。
+   如果 <code>schedulerName</code> 与 Pod 的 <code>spec.schedulerName</code>匹配，
+   则该 Pod 会使用此方案来调度。</p>
 </td>
 </tr>
 <tr><td><code>plugins</code> <B><!--[Required]-->[必需]</B><br/>
@@ -854,11 +1298,12 @@ If a QueueSort plugin is specified, the same QueueSort Plugin and
 PluginConfig must be specified for all profiles.
    -->
    <p><code>plugins</code> 设置一组应该被启用或禁止的插件。
-被启用的插件是指除了默认插件之外需要被启用的插件。被禁止的插件
-是指需要被禁用的默认插件。</p>
-   <p>如果针对某个扩展点没有设置被启用或被禁止的插件，则使用该扩展点
-的默认插件（如果有的话）。如果设置了 QueueSort 插件，则同一个 QueueSort
-插件和 <code>pluginConfig</code> 要被设置到所有调度方案之上。</p>
+   被启用的插件是指除了默认插件之外需要被启用的插件。
+   被禁止的插件是指需要被禁用的默认插件。</p>
+   <p>如果针对某个扩展点没有设置被启用或被禁止的插件，
+   则使用该扩展点的默认插件（如果有的话）。如果设置了 QueueSort 插件，
+   则同一个 QueueSort 插件和 <code>pluginConfig</code> 要被设置到所有调度方案之上。
+   </p>
 </td>
 </tr>
 <tr><td><code>pluginConfig</code> <B><!--[Required]-->[必需]</B><br/>
@@ -870,8 +1315,8 @@ PluginConfig must be specified for all profiles.
 Omitting config args for a plugin is equivalent to using the default config
 for that plugin.
    -->
-   <code>pluginConfig</code> 是为每个插件提供的一组可选的定制插件参数。
-如果忽略了插件的配置参数，则意味着使用该插件的默认配置。
+   <p><code>pluginConfig</code> 是为每个插件提供的一组可选的定制插件参数。
+   如果忽略了插件的配置参数，则意味着使用该插件的默认配置。</p>
 </td>
 </tr>
 </tbody>
@@ -889,7 +1334,7 @@ for that plugin.
 <!--
 Plugin specifies a plugin name and its weight when applicable. Weight is used only for Score plugins.
 -->
-Plugin 指定插件的名称及其权重（如果适用的话）。权重仅用于评分（Score）插件。
+<p>Plugin 指定插件的名称及其权重（如果适用的话）。权重仅用于评分（Score）插件。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -902,7 +1347,7 @@ Plugin 指定插件的名称及其权重（如果适用的话）。权重仅用
    <!--
    Name defines the name of plugin
    -->
-   插件的名称。
+   <p>插件的名称。</p>
 </td>
 </tr>
 <tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
@@ -912,7 +1357,7 @@ Plugin 指定插件的名称及其权重（如果适用的话）。权重仅用
    <!--
    Weight defines the weight of plugin, only used for Score plugins.
    -->
-   插件的权重；仅适用于评分（Score）插件。
+   <p>插件的权重；仅适用于评分（Score）插件。</p>
 </td>
 </tr>
 </tbody>
@@ -932,9 +1377,9 @@ PluginConfig specifies arguments that should be passed to a plugin at the time o
 A plugin that is invoked at multiple extension points is initialized once. Args can have arbitrary structure.
 It is up to the plugin to process these Args.
 -->
-PluginConfig 给出初始化阶段要传递给插件的参数。
+<p>PluginConfig 给出初始化阶段要传递给插件的参数。
 在多个扩展点被调用的插件仅会被初始化一次。
-参数可以是任意结构。插件负责处理这里所传的参数。
+参数可以是任意结构。插件负责处理这里所传的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -947,17 +1392,17 @@ PluginConfig 给出初始化阶段要传递给插件的参数。
    <!--
    Name defines the name of plugin being configured
    -->
-   <code>name</code> 是所配置的插件的名称。
+   <p><code>name</code> 是所配置的插件的名称。</p>
 </td>
 </tr>
 <tr><td><code>args</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/runtime/#RawExtension"><code>k8s.io/apimachinery/pkg/runtime.RawExtension</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime/#RawExtension"><code>k8s.io/apimachinery/pkg/runtime.RawExtension</code></a>
 </td>
 <td>
    <!--
    Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure.
    -->
-   <code>args</code> 定义在初始化阶段要传递给插件的参数。参数可以为任意结构。
+   <p><code>args</code> 定义在初始化阶段要传递给插件的参数。参数可以为任意结构。</p>
 </td>
 </tr>
 </tbody>
@@ -976,8 +1421,8 @@ PluginConfig 给出初始化阶段要传递给插件的参数。
 PluginSet specifies enabled and disabled plugins for an extension point.
 If an array is empty, missing, or nil, default plugins at that extension point will be used.
 -->
-PluginSet 为某扩展点设置要启用或禁用的插件。
-如果数组为空，或者取值为 null，则使用该扩展点的默认插件集合。
+<p>PluginSet 为某扩展点设置要启用或禁用的插件。
+如果数组为空，或者取值为 null，则使用该扩展点的默认插件集合。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -993,9 +1438,9 @@ If the default plugin is also configured in the scheduler config file, the weigh
 be overridden accordingly.
 These are called after default plugins and in the same order specified here.
    -->
-   <code>enabled</code> 设置在默认插件之外要启用的插件。如果在调度器的配置
-文件中也配置了默认插件，则对应插件的权重会被覆盖。
-此处所设置的插件会在默认插件之后被调用，调用顺序与数组中元素顺序相同。
+   <p><code>enabled</code> 设置在默认插件之外要启用的插件。
+   如果在调度器的配置文件中也配置了默认插件，则对应插件的权重会被覆盖。
+   此处所设置的插件会在默认插件之后被调用，调用顺序与数组中元素顺序相同。</p>
 </td>
 </tr>
 <tr><td><code>disabled</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1006,8 +1451,8 @@ These are called after default plugins and in the same order specified here.
    Disabled specifies default plugins that should be disabled.
 When all default plugins need to be disabled, an array containing only one "&lowast;" should be provided.
    -->
-   <code>disabled</code> 设置要被禁用的默认插件。
-如果需要禁用所有的默认插件，应该提供仅包含一个元素 "&lowast;" 的数组。
+   <p><code>disabled</code> 设置要被禁用的默认插件。
+   如果需要禁用所有的默认插件，应该提供仅包含一个元素 "&lowast;" 的数组。</p>
 </td>
 </tr>
 </tbody>
@@ -1029,12 +1474,12 @@ omitted from the config, then the default set of plugins is used for that extens
 Enabled plugins are called in the order specified here, after default plugins. If they need to
 be invoked before default plugins, default plugins must be disabled and re-enabled here in desired order.
 -->
-Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定扩展点所启用
-的所有插件都在这一列表中。
+<p>Plugins 结构中包含多个扩展点。当此结构被设置时，
+针对特定扩展点所启用的所有插件都在这一列表中。
 如果配置中不包含某个扩展点，则使用该扩展点的默认插件集合。
 被启用的插件的调用顺序与这里指定的顺序相同，都在默认插件之后调用。
-如果它们需要在默认插件之前调用，则需要先行禁止默认插件，之后在这里
-按期望的顺序重新启用。
+如果它们需要在默认插件之前调用，则需要先行禁止默认插件，
+之后在这里按期望的顺序重新启用。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -1047,7 +1492,7 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    <!--
    QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue.
    -->
-   <code>queueSort</code> 是一个在对调度队列中 Pod 排序时要调用的插件列表。
+   <p><code>queueSort</code> 是一个在对调度队列中 Pod 排序时要调用的插件列表。</p>
 </td>
 </tr>
 <tr><td><code>preFilter</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1057,8 +1502,8 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    <!--
    PreFilter is a list of plugins that should be invoked at "PreFilter" extension point of the scheduling framework.
    -->
-   <code>preFilter</code> 是一个在调度框架中“PreFilter（预过滤）”扩展点上要
-调用的插件列表。
+   <p><code>preFilter</code> 是一个在调度框架中&quot;PreFilter（预过滤）&quot;扩展点上要
+   调用的插件列表。</p>
 </td>
 </tr>
 <tr><td><code>filter</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1068,7 +1513,7 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    <!--
    Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod.
    -->
-   <code>filter</code> 是一个在需要过滤掉无法运行 Pod 的节点时被调用的插件列表。
+   <p><code>filter</code> 是一个在需要过滤掉无法运行 Pod 的节点时被调用的插件列表。</p>
 </td>
 </tr>
 <tr><td><code>postFilter</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1078,8 +1523,8 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    <!--
    PostFilter is a list of plugins that are invoked after filtering phase, but only when no feasible nodes were found for the pod.
    -->
-   <code>postFilter</code> 是一个在过滤阶段结束后会被调用的插件列表；
-这里的插件只有在找不到合适的节点来运行 Pod 时才会被调用。
+   <p><code>postFilter</code> 是一个在过滤阶段结束后会被调用的插件列表；
+   这里的插件只有在找不到合适的节点来运行 Pod 时才会被调用。</p>
 </td>
 </tr>
 <tr><td><code>preScore</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1089,7 +1534,7 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    <!--
    PreScore is a list of plugins that are invoked before scoring.
    -->
-   <code>preScore</code> 是一个在打分之前要调用的插件列表。
+   <p><code>preScore</code> 是一个在打分之前要调用的插件列表。</p>
 </td>
 </tr>
 <tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1099,7 +1544,7 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    <!--
    Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase.
    -->
-   <code>score</code> 是一个在对已经通过过滤阶段的节点进行排序时调用的插件的列表。
+   <p><code>score</code> 是一个在对已经通过过滤阶段的节点进行排序时调用的插件的列表。</p>
 </td>
 </tr>
 <tr><td><code>reserve</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1110,7 +1555,7 @@ Plugins 结构中包含多个扩展点。当此结构被设置时，针对特定
    Reserve is a list of plugins invoked when reserving/unreserving resources
 after a node is assigned to run the pod.
    -->
-   <code>reserve</code> 是一组在运行 Pod 的节点已被选定后，需要预留或者释放资源时调用的插件的列表。
+   <p><code>reserve</code> 是一组在运行 Pod 的节点已被选定后，需要预留或者释放资源时调用的插件的列表。</p>
 </td>
 </tr>
 <tr><td><code>permit</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1120,8 +1565,8 @@ after a node is assigned to run the pod.
    <!--
    Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod.
    -->
-   <code>permit</code> 是一个用来控制 Pod 绑定关系的插件列表。这些插件可以
-禁止或者延迟 Pod 的绑定。
+   <p><code>permit</code> 是一个用来控制 Pod 绑定关系的插件列表。
+   这些插件可以禁止或者延迟 Pod 的绑定。</p>
 </td>
 </tr>
 <tr><td><code>preBind</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1131,7 +1576,7 @@ after a node is assigned to run the pod.
    <!--
    PreBind is a list of plugins that should be invoked before a pod is bound.
    -->
-   <code>preBind</code> 是一个在 Pod 被绑定到某节点之前要被调用的插件的列表。
+   <p><code>preBind</code> 是一个在 Pod 被绑定到某节点之前要被调用的插件的列表。</p>
 </td>
 </tr>
 <tr><td><code>bind</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1142,9 +1587,10 @@ after a node is assigned to run the pod.
    Bind is a list of plugins that should be invoked at "Bind" extension point of the scheduling framework.
 The scheduler call these plugins in order. Scheduler skips the rest of these plugins as soon as one returns success.
    -->
-   <code>bind</code> 是一个在调度框架中“Bind（绑定）”扩展点上要调用的
-插件的列表。调度器按顺序调用这些插件。只要其中某个插件返回成功，则调度器
-就略过余下的插件。
+   <p>
+   <code>bind</code> 是一个在调度框架中&quot;Bind（绑定）&quot;扩展点上要调用的插件的列表。
+   调度器按顺序调用这些插件。只要其中某个插件返回成功，则调度器就略过余下的插件。
+   </p>
 </td>
 </tr>
 <tr><td><code>postBind</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1154,7 +1600,7 @@ The scheduler call these plugins in order. Scheduler skips the rest of these plu
    <!--
    PostBind is a list of plugins that should be invoked after a pod is successfully bound.
    -->
-   <code>postBind</code> 是一个在 Pod 已经被成功绑定之后要调用的插件的列表。
+   <p><code>postBind</code> 是一个在 Pod 已经被成功绑定之后要调用的插件的列表。</p>
 </td>
 </tr>
 <tr><td><code>multiPoint</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1169,11 +1615,11 @@ The same is true for disabling "&lowast;" through MultiPoint (no default plugins
 Plugins can still be disabled through their individual extension points.
    -->
    <p><code>multiPoint</code> 是一个简化的配置段落，用来为所有合法的扩展点启用插件。
-通过 <code>multiPoint</code> 启用的插件会自动注册到插件所实现的每个独立的扩展点上。
-通过 <code>multiPoint</code> 禁用的插件会禁用对应的操作行为。
-通过 <code>multiPoint</code> 所禁止的 "&lowast;" 也是如此，意味着所有默认
-插件都不会被自动注册。
-插件也可以通过各个独立的扩展点来禁用。</p>
+   通过 <code>multiPoint</code> 启用的插件会自动注册到插件所实现的每个独立的扩展点上。
+   通过 <code>multiPoint</code> 禁用的插件会禁用对应的操作行为。
+   通过 <code>multiPoint</code> 所禁止的 &quot;&lowast;&quot; 
+   也是如此，意味着所有默认插件都不会被自动注册。
+   插件也可以通过各个独立的扩展点来禁用。</p>
    <!--
 In terms of precedence, plugin config follows this basic hierarchy
   1. Specific extension points
@@ -1195,548 +1641,221 @@ plugin through MultiPoint. This follows the same behavior as all other extension
    <p>这意味着优先序较高的插件会先被运行，并且覆盖 <code>multiPoint</code> 中的任何配置。</p>
    <p>用户显式配置的插件也会比默认插件优先序高。</p>
    <p>在这样的层次结构设计之下，<code>enabled</code> 的优先序高于 <code>disabled</code>。
-例如，某插件同时出现在 <code>multiPoint.enabled</code> 和 <code>multiPoint.disalbed</code> 时，
-该插件会被启用。类似的，同时设置 <code>multiPoint.disabled = '&lowast;'</code>
-和 <code>multiPoint.enabled = pluginA</code> 时，插件 pluginA 仍然会被注册。
-这一设计与所有其他扩展点的配置行为是相符的。
-</td>
-</tr>
-</tbody>
-</table>
-
-## `PodTopologySpreadConstraintsDefaulting`     {#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadConstraintsDefaulting}
-
-<!--
-(Alias of `string`)
-
-**Appears in:**
--->
-（`string` 类型的别名）
-
-**出现在：**
-
-- [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadArgs)
-
-<!--
-PodTopologySpreadConstraintsDefaulting defines how to set default constraints
-for the PodTopologySpread plugin.
--->
-PodTopologySpreadConstraintsDefaulting 定义如何为 PodTopologySpread 插件
-设置默认的约束。
-
-## `RequestedToCapacityRatioParam`     {#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam}
-
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
-
-<!--
-RequestedToCapacityRatioParam define RequestedToCapacityRatio parameters
--->
-RequestedToCapacityRatioParam 结构定义 RequestedToCapacityRatio 的参数。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-
-<tr><td><code>shape</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta3-UtilizationShapePoint"><code>[]UtilizationShapePoint</code></a>
-</td>
-<td>
-   <!--
-   Shape is a list of points defining the scoring function shape.
-   -->
-   <code>shape</code> 是一个定义评分函数曲线的计分点的列表。
-</td>
-</tr>
-</tbody>
-</table>
-
-## `ResourceSpec`     {#kubescheduler-config-k8s-io-v1beta3-ResourceSpec}
-
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [NodeResourcesBalancedAllocationArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesBalancedAllocationArgs)
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
-
-<!--
-ResourceSpec represents a single resource.
--->
-ResourceSpec 用来代表某个资源。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-
-<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   Name of the resource.
-   -->
-   资源名称。
-</td>
-</tr>
-<tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int64</code>
-</td>
-<td>
-   <!--
-   Weight of the resource.
-   -->
-   资源权重。
-</td>
-</tr>
-</tbody>
-</table>
-
-## `ScoringStrategy`     {#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy}
-
-<!--
-**Appears in:**
--->
-**出现在：**
-
-- [NodeResourcesFitArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs)
-
-<!--
-ScoringStrategy define ScoringStrategyType for node resource plugin
--->
-ScoringStrategy 为节点资源插件定义 ScoringStrategyType。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-
-<tr><td><code>type</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta3-ScoringStrategyType"><code>ScoringStrategyType</code></a>
-</td>
-<td>
-   <!--
-   Type selects which strategy to run.
-   -->
-   <code>type</code> 用来选择要运行的策略。
-</td>
-</tr>
-<tr><td><code>resources</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta3-ResourceSpec"><code>[]ResourceSpec</code></a>
-</td>
-<td>
-   <!--
-   Resources to consider when scoring.
-The default resource set includes "cpu" and "memory" with an equal weight.
-Allowed weights go from 1 to 100.
-Weight defaults to 1 if not specified or explicitly set to 0.
-   -->
-   <p><code>resources</code> 设置在评分时要考虑的资源。</p>
-   <p>默认的资源集合包含 "cpu" 和 "memory"，且二者权重相同。</p>
-   <p>权重的取值范围为 1 到 100。</p>
-   <p>当权重未设置或者显式设置为 0 时，意味着使用默认值 1。</p>
-</td>
-</tr>
-<tr><td><code>requestedToCapacityRatio</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam"><code>RequestedToCapacityRatioParam</code></a>
-</td>
-<td>
-   <!--
-   Arguments specific to RequestedToCapacityRatio strategy.
-   -->
-   特定于 RequestedToCapacityRatio 策略的参数。
+   例如，某插件同时出现在 <code>multiPoint.enabled</code> 和 <code>multiPoint.disalbed</code> 时，
+   该插件会被启用。类似的，
+   同时设置 <code>multiPoint.disabled = '&lowast;'</code>和 <code>multiPoint.enabled = pluginA</code> 时，
+   插件 pluginA 仍然会被注册。这一设计与所有其他扩展点的配置行为是相符的。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `ScoringStrategyType`     {#kubescheduler-config-k8s-io-v1beta3-ScoringStrategyType}
+## `PodTopologySpreadConstraintsDefaulting`     {#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadConstraintsDefaulting}
 
 <!--
 (Alias of `string`)
 
 **Appears in:**
 -->
-（`string` 数据类型的别名）
+（`string` 类型的别名）
 
 **出现在：**
 
-- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
+- [PodTopologySpreadArgs](#kubescheduler-config-k8s-io-v1beta3-PodTopologySpreadArgs)
 
 <!--
-ScoringStrategyType the type of scoring strategy used in NodeResourcesFit plugin.
+PodTopologySpreadConstraintsDefaulting defines how to set default constraints
+for the PodTopologySpread plugin.
 -->
-ScoringStrategyType 是 NodeResourcesFit 插件所使用的的评分策略类型。
+<p>PodTopologySpreadConstraintsDefaulting
+定义如何为 PodTopologySpread 插件设置默认的约束。</p>
 
-## `UtilizationShapePoint`     {#kubescheduler-config-k8s-io-v1beta3-UtilizationShapePoint}
+## `RequestedToCapacityRatioParam`     {#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam}
 
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta3-VolumeBindingArgs)
-- [RequestedToCapacityRatioParam](#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam)
+- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
 
 <!--
-UtilizationShapePoint represents single point of priority function shape.
+RequestedToCapacityRatioParam define RequestedToCapacityRatio parameters
 -->
-UtilizationShapePoint 代表的是优先级函数曲线中的一个评分点。
+<p>RequestedToCapacityRatioParam 结构定义 RequestedToCapacityRatio 的参数。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
 
-<tr><td><code>utilization</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
-</td>
-<td>
-   <!--
-   Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
-   -->
-   利用率（x 轴）。合法值为 0 到 100。完全被利用的节点映射到 100。
-</td>
-</tr>
-<tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
+<tr><td><code>shape</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta3-UtilizationShapePoint"><code>[]UtilizationShapePoint</code></a>
 </td>
 <td>
    <!--
-   Score assigned to given utilization (y axis). Valid values are 0 to 10.
+   Shape is a list of points defining the scoring function shape.
    -->
-   分配给指定利用率的分值（y 轴）。合法值为 0 到 10。
+   <p><code>shape</code> 是一个定义评分函数曲线的计分点的列表。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `ClientConnectionConfiguration`     {#ClientConnectionConfiguration}
+## `ResourceSpec`     {#kubescheduler-config-k8s-io-v1beta3-ResourceSpec}
 
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+- [NodeResourcesBalancedAllocationArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesBalancedAllocationArgs)
+- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
 
 <!--
-ClientConnectionConfiguration contains details for constructing a client.
+ResourceSpec represents a single resource.
 -->
-ClientConnectionConfiguration 中包含用来构造一个客户端所需的细节。
+<p>ResourceSpec 用来代表某个资源。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
 
-<tr><td><code>kubeconfig</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   kubeconfig is the path to a KubeConfig file.
-   -->
-   此字段为指向某 KubeConfig 文件的路径。
-</td>
-</tr>
-<tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
-default value of 'application/json'. This field will control all connections to the server used by a particular client.
-   -->
-   <code>acceptContentTypes</code> 定义的是客户端与服务器建立连接时要发送的
-Accept 头部；这里的设置值会覆盖默认值 "application/json"。
-此字段会影响某特定客户端与服务器的所有连接。
-</td>
-</tr>
-<tr><td><code>contentType</code> <B><!--[Required]-->[必需]</B><br/>
+<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
    <!--
-   contentType is the content type used when sending data to the server from this client.
-   -->
-   <code>contentType</code> 包含的是此客户端向服务器发送数据时使用的
-内容类型（Content Type）。
-</td>
-</tr>
-<tr><td><code>qps</code> <B><!--[Required]-->[必需]</B><br/>
-<code>float32</code>
-</td>
-<td>
-   <!--
-   qps controls the number of queries per second allowed for this connection.
+   Name of the resource.
    -->
-   <code>qps</code> 控制的是此连接上每秒可以发送的查询个数。
+   <p>资源名称。</p>
 </td>
 </tr>
-<tr><td><code>burst</code> <B><!--[Required]-->[必需]</B><br/>
-<code>int32</code>
+<tr><td><code>weight</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int64</code>
 </td>
 <td>
    <!--
-   burst allows extra queries to accumulate when a client is exceeding its rate.
+   Weight of the resource.
    -->
-   <code>burst</code> 允许在客户端超出其速率限制时可以累积的额外查询个数。
+   <p>资源权重。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `DebuggingConfiguration`     {#DebuggingConfiguration}
+## `ScoringStrategy`     {#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy}
 
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
+- [NodeResourcesFitArgs](#kubescheduler-config-k8s-io-v1beta3-NodeResourcesFitArgs)
 
 <!--
-DebuggingConfiguration holds configuration for Debugging related features.
+ScoringStrategy define ScoringStrategyType for node resource plugin
 -->
-DebuggingConfiguration 保存与调试功能相关的配置。
+<p>ScoringStrategy 为节点资源插件定义 ScoringStrategyType。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
 
-<tr><td><code>enableProfiling</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
+<tr><td><code>type</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta3-ScoringStrategyType"><code>ScoringStrategyType</code></a>
 </td>
 <td>
    <!--
-   enableProfiling enables profiling via web interface host:port/debug/pprof/
+   Type selects which strategy to run.
    -->
-   此字段允许通过 Web 接口 host:port/debug/pprof/ 执行性能分析。
+   <p><code>type</code> 用来选择要运行的策略。</p>
 </td>
 </tr>
-<tr><td><code>enableContentionProfiling</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
+<tr><td><code>resources</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta3-ResourceSpec"><code>[]ResourceSpec</code></a>
 </td>
 <td>
    <!--
-   enableContentionProfiling enables lock contention profiling, if
-enableProfiling is true.
+   Resources to consider when scoring.
+The default resource set includes "cpu" and "memory" with an equal weight.
+Allowed weights go from 1 to 100.
+Weight defaults to 1 if not specified or explicitly set to 0.
    -->
-   此字段在 <code>enableProfiling</code> 为 true 时允许执行锁竞争分析。
+   <p><code>resources</code> 设置在评分时要考虑的资源。</p>
+   <p>默认的资源集合包含 &quot;cpu&quot; 和 &quot;memory&quot;，且二者权重相同。</p>
+   <p>权重的取值范围为 1 到 100。</p>
+   <p>当权重未设置或者显式设置为 0 时，意味着使用默认值 1。</p>
 </td>
 </tr>
-</tbody>
-</table>
-
-## `FormatOptions`     {#FormatOptions}
-
-<!--
-**Appears in:**
--->
-
-<!--
-FormatOptions contains options for the different logging formats.
--->
-FormatOptions 中包含不同日志格式的配置选项。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-
-<tr><td><code>json</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#JSONOptions"><code>JSONOptions</code></a>
+<tr><td><code>requestedToCapacityRatio</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam"><code>RequestedToCapacityRatioParam</code></a>
 </td>
 <td>
    <!--
-   [Experimental] JSON contains options for logging format "json".
+   Arguments specific to RequestedToCapacityRatio strategy.
    -->
-   [实验特性] <code>json</code> 字段包含为 "json" 日志格式提供的配置选项。
+   <p>特定于 RequestedToCapacityRatio 策略的参数。</p>
 </td>
 </tr>
 </tbody>
 </table>
 
-## `JSONOptions`     {#JSONOptions}
+## `ScoringStrategyType`     {#kubescheduler-config-k8s-io-v1beta3-ScoringStrategyType}
 
 <!--
+(Alias of `string`)
+
 **Appears in:**
 -->
+（`string` 数据类型的别名）
+
 **出现在：**
 
-- [FormatOptions](#FormatOptions)
+- [ScoringStrategy](#kubescheduler-config-k8s-io-v1beta3-ScoringStrategy)
 
 <!--
-JSONOptions contains options for logging format "json".
+ScoringStrategyType the type of scoring strategy used in NodeResourcesFit plugin.
 -->
-JSONOptions 包含为 "json" 日志格式所设置的配置选项。
-
-<table class="table">
-<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
-<tbody>
-
-<tr><td><code>splitStream</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   [Experimental] SplitStream redirects error messages to stderr while
-info messages go to stdout, with buffering. The default is to write
-both to stdout, without buffering.
-   -->
-   [实验特性] 此字段将错误信息重定向到标准错误输出（stderr），将提示消息
-重定向到标准输出（stdout），并且支持缓存。默认配置为将二者都输出到
-标准输出（stdout），且不提供缓存。
-</td>
-</tr>
-<tr><td><code>infoBufferSize</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#QuantityValue"><code>k8s.io/apimachinery/pkg/api/resource.QuantityValue</code></a>
-</td>
-<td>
-   <!--
-   [Experimental] InfoBufferSize sets the size of the info stream when
-using split streams. The default is zero, which disables buffering.
-   -->
-   [实验特性] <code>infoBufferSize</code> 用来在分离数据流场景是设置提示
-信息数据流的大小。默认值为 0，意味着禁止缓存。
-</td>
-</tr>
-</tbody>
-</table>
+<p>ScoringStrategyType 是 NodeResourcesFit 插件所使用的的评分策略类型。</p>
 
-## `LeaderElectionConfiguration`     {#LeaderElectionConfiguration}
+## `UtilizationShapePoint`     {#kubescheduler-config-k8s-io-v1beta3-UtilizationShapePoint}
 
 <!--
 **Appears in:**
 -->
 **出现在：**
 
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta2-KubeSchedulerConfiguration)
-- [KubeSchedulerConfiguration](#kubescheduler-config-k8s-io-v1beta3-KubeSchedulerConfiguration)
+- [VolumeBindingArgs](#kubescheduler-config-k8s-io-v1beta3-VolumeBindingArgs)
+- [RequestedToCapacityRatioParam](#kubescheduler-config-k8s-io-v1beta3-RequestedToCapacityRatioParam)
 
 <!--
-LeaderElectionConfiguration defines the configuration of leader election
-clients for components that can run with leader election enabled.
+UtilizationShapePoint represents single point of priority function shape.
 -->
-LeaderElectionConfiguration 为能够支持领导者选举的组件定义其领导者选举
-客户端的配置。
+<p>UtilizationShapePoint 代表的是优先级函数曲线中的一个评分点。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
 
-<tr><td><code>leaderElect</code> <B><!--[Required]-->[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-   <!--
-   leaderElect enables a leader election client to gain leadership
-before executing the main loop. Enable this when running replicated
-components for high availability.
-   -->
-   <code>leaderElect</code> 启用领导者选举客户端，从而在进入主循环执行之前
-先要获得领导者角色。当运行多副本组件时启用此功能有助于提高可用性。
-</td>
-</tr>
-<tr><td><code>leaseDuration</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
-</td>
-<td>
-   <!--
-   leaseDuration is the duration that non-leader candidates will wait
-after observing a leadership renewal until attempting to acquire
-leadership of a led but unrenewed leader slot. This is effectively the
-maximum duration that a leader can be stopped before it is replaced
-by another candidate. This is only applicable if leader election is
-enabled.
-   -->
-   <code>leaseDuration</code> 是非领导角色候选者在观察到需要领导席位更新时
-要等待的时间；只有经过所设置时长才可以尝试去获得一个仍处于领导状态但需要
-被刷新的席位。这里的设置值本质上意味着某个领导者在被另一个候选者替换掉
-之前可以停止运行的最长时长。只有当启用了领导者选举时此字段有意义。
-</td>
-</tr>
-<tr><td><code>renewDeadline</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
-</td>
-<td>
-   <!--
-   renewDeadline is the interval between attempts by the acting master to
-renew a leadership slot before it stops leading. This must be less
-than or equal to the lease duration. This is only applicable if leader
-election is enabled.
-   -->
-   <code>renewDeadline</code> 设置的是当前领导者在停止扮演领导角色之前
-需要刷新领导状态的时间间隔。此值必须小于或等于租约期限的长度。
-只有到启用了领导者选举时此字段才有意义。
-</td>
-</tr>
-<tr><td><code>retryPeriod</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
-</td>
-<td>
-   <!--
-   retryPeriod is the duration the clients should wait between attempting
-acquisition and renewal of a leadership. This is only applicable if
-leader election is enabled.
-   -->
-   <code>retryPeriod</code> 是客户端在连续两次尝试获得或者刷新领导状态
-之间需要等待的时长。只有当启用了领导者选举时此字段才有意义。
-</td>
-</tr>
-<tr><td><code>resourceLock</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
-</td>
-<td>
-   <!--
-   resourceLock indicates the resource object type that will be used to lock
-during leader election cycles.
-   -->
-   此字段给出在领导者选举期间要作为锁来使用的资源对象类型。
-</td>
-</tr>
-<tr><td><code>resourceName</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>utilization</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
 </td>
 <td>
    <!--
-   resourceName indicates the name of resource object that will be used to lock
-during leader election cycles.
+   Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
    -->
-   此字段给出在领导者选举期间要作为锁来使用的资源对象名称。
+   <p>利用率（x 轴）。合法值为 0 到 100。完全被利用的节点映射到 100。</p>
 </td>
 </tr>
-<tr><td><code>resourceNamespace</code> <B><!--[Required]-->[必需]</B><br/>
-<code>string</code>
+<tr><td><code>score</code> <B><!--[Required]-->[必需]</B><br/>
+<code>int32</code>
 </td>
 <td>
    <!--
-   resourceName indicates the namespace of resource object that will be used to lock
-during leader election cycles.
+   Score assigned to given utilization (y axis). Valid values are 0 to 10.
    -->
-   此字段给出在领导者选举期间要作为锁来使用的资源对象所在名字空间。
+   <p>分配给指定利用率的分值（y 轴）。合法值为 0 到 10。</p>
 </td>
 </tr>
 </tbody>
 </table>
-
-## `VModuleConfiguration`     {#VModuleConfiguration}
-
-<!--
-(Alias of `[]k8s.io/component-base/config/v1alpha1.VModuleItem`)
-
-**Appears in:**
--->
-
-（`[]k8s.io/component-base/config/v1alpha1.VModuleItem` 的别名)
-
-<!--
-VModuleConfiguration is a collection of individual file names or patterns
-and the corresponding verbosity threshold.
--->
-VModuleConfiguration 是一组文件名（通配符）及其对应的日志详尽程度阈值。
-
diff --git a/content/zh/docs/reference/config-api/kubeadm-config.v1beta2.md b/content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta2.md
similarity index 94%
rename from content/zh/docs/reference/config-api/kubeadm-config.v1beta2.md
rename to content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta2.md
index a1a8bee01c16f..bc37e362a7e16 100644
--- a/content/zh/docs/reference/config-api/kubeadm-config.v1beta2.md
+++ b/content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta2.md
@@ -292,7 +292,7 @@ https://godoc.org/k8s.io/kubelet/config/v1beta1#KubeletConfiguration。</p>
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">criSocket</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;/var/run/dockershim.sock&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">taints</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">    </span>- <span style="color:#000;font-weight:bold">key</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;kubeadmNode&#34;</span><span style="color:#bbb">
-</span><span style="color:#bbb">      </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;master&#34;</span><span style="color:#bbb">
+</span><span style="color:#bbb">      </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;someValue&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">      </span><span style="color:#000;font-weight:bold">effect</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;NoSchedule&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">kubeletExtraArgs</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">v</span>:<span style="color:#bbb"> </span><span style="color:#099">4</span><span style="color:#bbb">
@@ -445,7 +445,7 @@ node only (e.g. the node IP).</p>
 </td>
 <td>
    <!--
-   <p><code>etcd</code> holds the configuration for etcd.</p>
+   <p><code>etcd</code> holds configuration for etcd.</p>
    -->
    <p><code>etcd</code> 中包含 etcd 服务的配置。</p>
 </td>
@@ -633,7 +633,7 @@ ConfigMap 中，之后在新的控制面实例添加到集群或者现有控制
 <tr><td><code>kind</code><br/>string</td><td><code>ClusterStatus</code></td></tr>
   
 <tr><td><code>apiEndpoints</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="#kubeadm-k8s-io-v1beta2-APIEndpoint"><code>map[string]APIEndpoint</code></a>
+<a href="#kubeadm-k8s-io-v1beta2-APIEndpoint"><code>map[string]github.com/tengqm/kubeconfig/config/kubeadm/v1beta2.APIEndpoint</code></a>
 </td>
 <td>
    <!--
@@ -693,7 +693,7 @@ This information IS NOT uploaded to the kubeadm cluster ConfigMap, partly becaus
 <td>
    <!--
    <p><code>localAPIEndpoint</code> represents the endpoint of the API server instance that's deployed on this control plane node.
-In HA setups, this differs from <code>ClusterConfiguration.controlPlaneEndpoint</code> in the sense that <code>controlPlaneEndpoint</code>
+In HA setups, this differs from <code>ClusterConfiguration.controlPlaneEndpoint</code> in the sense that ControlPlaneEndpoint
 is the global endpoint for the cluster, which then load-balances the requests to each individual API server. This
 configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible
 on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process
@@ -831,7 +831,7 @@ APIEndpoint 结构包含某节点上部署的 API 服务器的配置元素。
    <p><code>bindPort</code> sets the secure port for the API Server to bind to.
 Defaults to 6443.</p>
    -->
-   <code>bindPort</code> 设置 API 服务器要绑定到的安全端口。默认值为 6443。
+   <p><code>bindPort</code> 设置 API 服务器要绑定到的安全端口。默认值为 6443。</p>
 </td>
 </tr>
 </tbody>
@@ -848,7 +848,7 @@ Defaults to 6443.</p>
 
 <p>
 <!--
-APIServer holds settings necessary for API server deployments in the cluster
+APIServer holds settings necessary for API server deployments in the cluster.
 -->
 APIServer 包含集群中 API 服务器部署所必需的设置。
 </p>
@@ -860,8 +860,17 @@ APIServer 包含集群中 API 服务器部署所必需的设置。
 <tr><td><code>ControlPlaneComponent</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#kubeadm-k8s-io-v1beta2-ControlPlaneComponent"><code>ControlPlaneComponent</code></a>
 </td>
-<td>（<code>ControlPlaneComponent</code> 结构的字段被嵌入到此类型中）
-   <span class="text-muted">无描述</span>
+<td>
+<!--
+(Members of <code>ControlPlaneComponent</code> are embedded into this type.)
+-->
+（<code>ControlPlaneComponent</code> 结构的字段被嵌入到此类型中）
+   <span class="text-muted">
+   <!--
+   No description provided.
+   -->
+   无描述
+   </span>
 </tr>
 <tr><td><code>certSANs</code> <B><!--[Required]-->[必需]</B><br/>
 <code>[]string</code>
@@ -875,7 +884,7 @@ signing certificate.</p>
 </td>
 </tr>
 <tr><td><code>timeoutForControlPlane</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--
@@ -926,12 +935,12 @@ for, so other administrators can know its purpose.</p-->
 </td>
 </tr>
 <tr><td><code>ttl</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
-   <!--p><code>ttl</code> defines the time to live for this token. Defaults to <code>24h</code>.
+   <!--p><code>ttl</code> defines the time to live for this token. Defaults to '24h'.
 <code>expires</code> and <code>ttl</code> are mutually exclusive.</p-->
-   <p><code>ttl</code> 定义此令牌的声明周期。默认为 <code>24h</code>。
+   <p><code>ttl</code> 定义此令牌的声明周期。默认为 '24h'。
 <code>expires</code> 和 <code>ttl</code> 是互斥的。</p>
 </td>
 </tr>
@@ -1006,10 +1015,10 @@ BootstrapTokenDiscovery 用来设置基于引导令牌的服务发现选项。
 <td>
 <p>
    <!--
-   <code>apiServerEndpoint</p> is an IP or domain name to the API server from which
+   <code>apiServerEndpoint</code> is an IP or domain name to the API server from which
 information will be fetched.
    -->
-   <code>apiServerEndpoint</p> 为 API 服务器的 IP 地址或者域名，从该端点可以获得集群信息。
+   <code>apiServerEndpoint</code> 为 API 服务器的 IP 地址或者域名，从该端点可以获得集群信息。
 </p>
 </td>
 </tr>
@@ -1022,14 +1031,13 @@ information will be fetched.
    <code>caCertHashes</code> specifies a set of public key pins to verify when token-based discovery
 is used. The root CA found during discovery must match one of these values.
 Specifying an empty set disables root CA pinning, which can be unsafe.
-Each hash is specified as &quot;&lt;type&gt;:&lt;value&gt;&quot;, where the only currently supported type is
-&quot;sha256&quot;. This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI)
+Each hash is specified as &quot;<\!-- raw HTML omitted -->:<!-- raw HTML omitted --\>&quot;, where the only currently supported type is &quot;sha256&quot;. This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI)
 object in DER-encoded ASN.1. These hashes can be calculated using, for example, OpenSSL.
    -->
    <code>caCertHashes</code> 设置一组在基于令牌来发现服务时要验证的公钥指纹。
 发现过程中获得的根 CA 必须与这里的数值之一匹配。
 设置为空集合意味着禁用根 CA 指纹，因而可能是不安全的。
-每个哈希值的形式为 "&lt;type&gt;:&lt;value&gt;"，当前唯一支持的 type 为
+每个哈希值的形式为 &quot;:&quot;，当前唯一支持的 type 为
 &quot;sha256&quot;。
 哈希值为主体公钥信息（Subject Public Key Info，SPKI）对象的 SHA-256
 哈希值（十六进制编码），形式为 DER 编码的 ASN.1。
@@ -1046,9 +1054,9 @@ object in DER-encoded ASN.1. These hashes can be calculated using, for example,
 <code>caCertHashes</code>. This can weaken the security of kubeadm since other nodes can
 impersonate the control-plane.</p>
    -->
-   <code>unsafeSkipCAVerification</code> 允许在使用基于令牌的服务发现时不使用
+   <p><code>unsafeSkipCAVerification</code> 允许在使用基于令牌的服务发现时不使用
 <code>caCertHashes</code> 来执行 CA 验证。这会弱化 kubeadm 的安全性，
-因为其他节点可以伪装成控制面。
+因为其他节点可以伪装成控制面。</p>
 </td>
 </tr>
 </tbody>
@@ -1063,11 +1071,11 @@ impersonate the control-plane.</p>
 
 - [BootstrapToken](#kubeadm-k8s-io-v1beta2-BootstrapToken)
 
-<!--p>BootstrapTokenString is a token of the format <code>abcdef.abcdef0123456789</code> that is used
+<!--p>BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used
 for both validation of the practically of the API server from a joining node's point
 of view and as an authentication method for the node in the bootstrap phase of
 &quot;kubeadm join&quot;. This token is and should be short-lived.</p-->
-<p>BootstrapTokenString 形式为 <code>abcdef.abcdef0123456789</code> 的一个令牌，
+<p>BootstrapTokenString 形式为 'abcdef.abcdef0123456789' 的一个令牌，
 用来从加入集群的节点角度验证 API 服务器的身份，或者 &quot;kubeadm join&quot;
 在节点启动引导是作为一种身份认证方法。
 此令牌的生命期是短暂的，并且应该如此。</p>
@@ -1120,7 +1128,7 @@ ControlPlaneComponent 中包含对集群中所有控制面组件都适用的设
 <td>
 <p>
    <!--
-   <code>extraArgs</code> is an extra set of flags to pass to the control plane component.
+   <code>extraArgs</code> is an extra set of flags to pass to a control plane component.
 A key in this map is the flag name as it appears on the command line except
 without leading dash(es).
    -->
@@ -1135,9 +1143,10 @@ without leading dash(es).
 <td>
 <p>
    <!--
-   <code>extraVolumes</code> is an extra set of host volumes, mounted to the control plane component.
+   <code>extraVolumes</code> is an extra set of host volumes mounted to the control plane
+   component.
    -->
-   <code>extraVolumes</code> 是一组额外的主机卷，需要挂载到控制面组件中。
+   <code>extraVolumes</code> 是一组额外被挂载到控制面组件中的主机卷。
 </p>
 </td>
 </tr>
@@ -1178,7 +1187,9 @@ DNS 结构定义要在集群中使用的 DNS 插件。
 <tr><td><code>ImageMeta</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#kubeadm-k8s-io-v1beta2-ImageMeta"><code>ImageMeta</code></a>
 </td>
-<td>（<code>ImageMeta</code> 的成员被内嵌到此类型中）。
+<td>
+<!--(Members of <code>ImageMeta</code> are embedded into this type.)-->
+（<code>ImageMeta</code> 的成员被内嵌到此类型中）。
 <p>
    <!--
    <code>imageMeta</code> allows to customize the image used for the DNS component.
@@ -1263,9 +1274,10 @@ cluster information.
 <p>
    <!--
    <code>tlsBootstrapToken</code> is a token used for TLS bootstrapping.
-If <code>bootstrapToken</code> is set, this field is defaulted to <code>.bootstrapToken.token</code>, but
-can be overridden. If <code>file<code> is set, this field &lowast;&lowast;must be set&lowast;&lowast; in case the KubeConfigFile
-does not contain any other authentication information
+If <code>bootstrapToken</code> is set, this field is defaulted to <code>.bootstrapToken.token</code>,
+but can be overridden.
+If <code>file</code> is set, this field <strong>must be set</strong> in case the KubeConfigFile does not
+contain any other authentication information.
    -->
    <code>tlsBootstrapToken</code> 是 TLS 启动引导过程中使用的令牌。
 如果设置了 <code>bootstrapToken</code>，则此字段默认值为 <code>.bootstrapToken.token</code>，
@@ -1276,7 +1288,7 @@ does not contain any other authentication information
 </td>
 </tr>
 <tr><td><code>timeout</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
 <p>
@@ -1368,7 +1380,7 @@ kubeadm 不清楚证书文件的存放位置，因此必须单独提供证书信
 </td>
 <td>
    <!--
-   <p><code>endpoints</code> contains the list of etcd members.</p>
+   <p><code>endpoints</code> of etcd members.</p>
    -->
    <p><code>endpoints</code> 包含一组 etcd 成员的列表。</p>
 </td>
@@ -1469,8 +1481,8 @@ file from which to load cluster information.</p>
 <code>string</code>
 </td>
 <td>
-   <!--p><code>name</code> is the name of the volume inside the Pod template.</p-->
-   <p><code>name</code> 为卷在 Pod 模板中的名称。</p>
+   <!--p><code>name</code> of the volume inside the Pod template.</p-->
+   <p><code>name</code> 字段为卷在 Pod 模板中的名称。</p>
 </td>
 </tr>
 <tr><td><code>hostPath</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1485,8 +1497,8 @@ file from which to load cluster information.</p>
 <code>string</code>
 </td>
 <td>
-   <!--p><code>mountPath</code> is the path inside the Pod where <code>hostPath</code> will be mounted.</p-->
-   <p><code>mountPath</code> 是 <code>hostPath</code> 在 Pod 内挂载的路径。</p>
+   <!--p><code>mountPath</code>is the path inside the Pod where hostPath volume will be mounted.</p-->
+   <p><code>mountPath</code> 是 hostPath 在 Pod 内挂载的路径。</p>
 </td>
 </tr>
 <tr><td><code>readOnly</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1501,8 +1513,8 @@ file from which to load cluster information.</p>
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a>
 </td>
 <td>
-   <!--p><code>pathType</code> is the type of the <code>hostPath</code>.</p-->
-   <p><code>pathType</code> 是 <code>hostPath</code> 的类型。</p>
+   <!--p><code>pathType</code> is the type of the HostPath.</p-->
+   <p><code>pathType</code> 是 hostPath 的类型。</p>
 </td>
 </tr>
 </tbody>
@@ -1533,7 +1545,7 @@ originated from the Kubernetes/Kubernetes release process</p-->
 </td>
 <td>
    <!--p><code>imageRepository</code> sets the container registry to pull images from.
-If not set, the <code>imageRepository</code> defined in ClusterConfiguration will be used instead.</p-->
+If not set, the <code>imageRepository</code> defined in ClusterConfiguration will be used.</p-->
    <p><code>imageRepository</code> 设置镜像拉取所用的容器仓库。
 若未设置，则使用 ClusterConfiguration 中的 <code>imageRepository</code>。</p>
 </td>
@@ -1542,9 +1554,9 @@ If not set, the <code>imageRepository</code> defined in ClusterConfiguration wil
 <code>string</code>
 </td>
 <td>
-   <!--p><code>imageTag</code> allows to specify a tag for the image.
-In case this value is set, kubeadm does not change automatically the version of
-the above components during upgrades.</p-->
+   <!--p><code>imageTag</code> allows for specifying a tag for the image.
+In case this value is set, kubeadm does not change automatically the
+version of the above components during upgrades.</p-->
    <p><code>imageTag</code> 允许用户设置镜像的标签。
 如果设置了此字段，则 kubeadm 不再在集群升级时自动更改组件的版本。</p>
 </td>
@@ -1617,7 +1629,11 @@ Secret 中的证书的秘钥。对应的加密秘钥在 InitConfiguration 结构
 <tr><td><code>ImageMeta</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#kubeadm-k8s-io-v1beta2-ImageMeta"><code>ImageMeta</code></a>
 </td>
-<td>（<code>ImageMeta</code> 结构的字段被嵌入到此类型中。）
+<td>
+<!--
+(Members of <code>ImageMeta</code> are embedded into this type.)
+-->
+（<code>ImageMeta</code> 结构的字段被嵌入到此类型中。）
    <!--
    <p>ImageMeta allows to customize the container used for etcd.</p>
    -->
@@ -1642,11 +1658,11 @@ Defaults to &quot;/var/lib/etcd&quot;.</p>
 <td>
    <!--
    <p><code>extraArgs</code> are extra arguments provided to the etcd binary when run
-inside a static Pod. A key in this map is the flag name as it appears on the
+inside a static pod. A key in this map is the flag name as it appears on the
 command line except without leading dash(es).</p>
    -->
    <p><code>extraArgs</code> 是为 etcd 可执行文件提供的额外参数，用于在静态
-Pod 中运行 etcd。映射中的每一个键对应命令行上的一个标志参数，只是去掉了前置的连字符。</p>
+pod 中运行 etcd。映射中的每一个键对应命令行上的一个标志参数，只是去掉了前置的连字符。</p>
 </td>
 </tr>
 <tr><td><code>serverCertSANs</code> <B><!--[Required]-->[必需]</B><br/>
@@ -1654,7 +1670,7 @@ Pod 中运行 etcd。映射中的每一个键对应命令行上的一个标志
 </td>
 <td>
    <!--
-   <p><code>serverCertSANs</code> sets extra Subject Alternative Names (SANs) for the etcd
+   <p>code>serverCertSANs</code> sets extra Subject Alternative Names (SANs) for the etcd
 server signing certificate.</p>
    -->
    <p><code>serverCertSANs</code> 为 etcd 服务器的签名证书设置额外的主体替代名
@@ -1699,9 +1715,9 @@ signing certificate.</p>
 </td>
 <td>
    <!--
-   <p><code>serviceSubnet</code> is the subnet used by Kubernetes Services. Defaults to &quot;10.96.0.0/12&quot;.</p>
+   <p><code>serviceSubnet</code> is the subnet used by kubernetes Services. Defaults to &quot;10.96.0.0/12&quot;.</p>
    -->
-   <p><code>serviceSubnet</code> 是 Kubernetes 服务所使用的的子网。
+   <p><code>serviceSubnet</code> 是 kubernetes 服务所使用的的子网。
 默认值为 &quot;10.96.0.0/12&quot;。</p>
 </td>
 </tr>
@@ -1717,8 +1733,8 @@ signing certificate.</p>
 <code>string</code>
 </td>
 <td>
-   <!--p><code>dnsDomain</code> is the DNS domain used by Kubernetes Services. Defaults to &quot;cluster.local&quot;.</p-->
-   <p><code>dnsDomain</code> 是 Kubernetes 服务所使用的的 DNS 域名。
+   <!--p><code>dnsDomain</code> is the DNS domain used by kubernetes Services. Defaults to &quot;cluster.local&quot;.</p-->
+   <p><code>dnsDomain</code> 是 kubernetes 服务所使用的的 DNS 域名。
 默认值为 &quot;cluster.local&quot;。</p>
 </td>
 </tr>
@@ -1751,13 +1767,13 @@ node to the cluster, either via &quot;kubeadm init&quot; or &quot;kubeadm join&q
 </td>
 <td>
    <!--
-   <p><code>name</code> is the <code>.metadata.name</code> field of the Node API object that will be created in this
+   <p><code>name</code> is the <code>.Metadata.Name</code> field of the Node API object that will be created in this
 <code>kubeadm init</code> or <code>kubeadm join</code> operation.
 This field is also used in the <code>CommonName</code> field of the kubelet's client certificate to
 the API server.
 Defaults to the hostname of the node if not provided.</p>
    -->
-   <p><code>name</code> 是 Node API 对象的 <code>.metadata.name</code> 字段值；
+   <p><code>name</code> 是 Node API 对象的 <code>.Metadata.Name</code> 字段值；
 该 API 对象会在此 <code>kubeadm init</code> 或 <code>kubeadm join</code> 操作期间创建。
 在提交给 API 服务器的 kubelet 客户端证书中，此字段也用作其 <code>CommonName</code>。
 如果未指定则默认为节点的主机名。</p>
@@ -1768,29 +1784,28 @@ Defaults to the hostname of the node if not provided.</p>
 </td>
 <td>
    <!--
-   <p><code>criSocket</code> is used to retrieve container runtime info.
-This information will be annotated to the Node API object, for later re-use</p>
+   <p><code>criSocket</code> is used to retrieve container runtime information. This information will
+be annotated to the Node API object, for later re-use.</p>
    -->
    <p><code>criSocket</code> 用来读取容器运行时的信息。
-此信息会被以注解的方式添加到 Node API 对象至上，用于后续用途。</p>
+此信息会被以注解的方式添加到 Node API 对象之上，用于后续用途。</p>
 </td>
 </tr>
 <tr><td><code>taints</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#taint-v1-core"><code>[]core/v1.Taint</code></a>
 </td>
 <td>
-   <!--
-   <p><code>tains</code> specifies the taints the Node API object should be registered with.
-If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted to
-<code>taints: [&quot;node-role.kubernetes.io/master:&quot;&quot;]</code>.
-If you don't want to taint your control-plane node, set this field to an empty slice,
-i.e. <code>taints: []</code> in the YAML file. This field is solely used for Node registration.</p>
-   -->
+<!--
+   <p><code>taints</code> specifies the taints the Node API object should be registered with.
+If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted with
+a control-plane taint for control-plane nodes. If you don't want to taint your control-plane
+node, set this field to an empty list, i.e. <code>taints: []</code>, in the YAML file. This field is
+solely used for Node registration.</p>
+-->
    <p><code>tains</code> 设定 Node API 对象被注册时要附带的污点。
-若未设置此字段（即字段值为 null）, 在 <code>kubeadm init</code> 期间，节点与控制面之间的通信。
-默认值为污点默认设置为 <code>taints: [&quot;node-role.kubernetes.io/master:&quot;&quot;]</code>。
-如果你不希望为控制面节点设置污点，可以在 YAML 中将此字段设置为空的列表，即
-<code>taints: []</code>。 此字段仅用在 Node 注册期间。</p>
+若未设置此字段（即字段值为 null），在 <code>kubeadm init</code> 期间，默认为控制平面节点添加控制平面污点。
+如果你不想污染你的控制平面节点，可以将此字段设置为空列表（即 YAML 文件中的 <code>taints: []</code>），
+这个字段只用于节点注册。</p>
 </td>
 </tr>
 <tr><td><code>kubeletExtraArgs</code> <B><!--[Required]-->[必需]</B><br/>
diff --git a/content/zh/docs/reference/config-api/kubeadm-config.v1beta3.md b/content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3.md
similarity index 95%
rename from content/zh/docs/reference/config-api/kubeadm-config.v1beta3.md
rename to content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3.md
index c51bf4a3ef03b..ef491a424eeea 100644
--- a/content/zh/docs/reference/config-api/kubeadm-config.v1beta3.md
+++ b/content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3.md
@@ -78,7 +78,7 @@ BootstrapToken&lowast; 结构。</li>
 <ul>
 <li>kubeadm v1.15.x 及更新的版本可以用来从 v1beta1 迁移到 v1beta2 版本；</li>
 <li>kubeadm v1.22.x 及更新的版本不再支持 v1beta1 和更老的 API，但可以用来
-从 v1beta2 迁移到 v1beta3。</li
+从 v1beta2 迁移到 v1beta3。</li>
 </ul>
 
 <!--
@@ -202,47 +202,52 @@ use it e.g. to customize the API server advertise address.</p>
 使用这个类型可以完成定制 API 服务器公告地址这类操作。</li>
 </ul>
 
-<pre><code>apiVersion: kubeadm.k8s.io/v1beta3
-kind: ClusterConfiguration
-networking:
-  ...
-etcd:
-  ...
-apiServer:
-  extraArgs:
-    ...
-  extraVolumes:
-    ...
-...
-</code></pre>
+<pre style="background-color:#fff"><span style="color:#000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>kubeadm.k8s.io/v1beta3<span style="color:#bbb">
+</span><span style="color:#bbb"></span><span style="color:#000;font-weight:bold">kind</span>:<span style="color:#bbb"> </span>ClusterConfiguration<span style="color:#bbb">
+</span><span style="color:#bbb"></span><span style="color:#000;font-weight:bold">networking</span>:<span style="color:#bbb">
+</span><span style="color:#bbb">  </span>...<span style="color:#bbb">
+</span><span style="color:#bbb"></span><span style="color:#000;font-weight:bold">etcd</span>:<span style="color:#bbb">
+</span><span style="color:#bbb">  </span>...<span style="color:#bbb">
+</span><span style="color:#bbb"></span><span style="color:#000;font-weight:bold">apiServer</span>:<span style="color:#bbb">
+</span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">extraArgs</span>:<span style="color:#bbb">
+</span><span style="color:#bbb">    </span>...<span style="color:#bbb">
+</span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">extraVolumes</span>:<span style="color:#bbb">
+</span><span style="color:#bbb">    </span>...<span style="color:#bbb">
+</span><span style="color:#bbb"></span>...<span style="color:#bbb">
+</span></pre>
 
 <!--
 <p>The ClusterConfiguration type should be used to configure cluster-wide settings,
 including settings for:</p>
 <ul>
 <li>
-<p>Networking, that holds configuration for the networking topology of the cluster; use it e.g. to customize
+<p><code>networking</code> that holds configuration for the networking topology of the cluster; use it e.g. to customize
 Pod subnet or services subnet.</p>
 </li>
 -->
 <p>类型 `ClusterConfiguration` 用来定制集群范围的设置，具体包括以下设置：</p>
 
 <ul>
-<li><code>networking</code>：其中包含集群的网络拓扑配置。使用这一部分可以定制 Pod 的
-子网或者 Service 的子网。</li>
+<li><p><code>networking</code>：其中包含集群的网络拓扑配置。使用这一部分可以定制 Pod 的
+子网或者 Service 的子网。</p>
+</li>
 <!--
 <li>
-<p>Etcd configurations; use it e.g. to customize the local etcd or to configure the API server
+<p><code>etcd</code>: use it e.g. to customize the local etcd or to configure the API server
 for using an external etcd cluster.</p>
 </li>
 <li>
 <p>kube-apiserver, kube-scheduler, kube-controller-manager configurations; use it to customize control-plane
 components by adding customized setting or overriding kubeadm default settings.</p>
 -->
-<li><code>etcd</code>：etcd 数据库的配置。例如使用这个部分可以定制本地 etcd 或者配置 API 服务器
-使用一个外部的 etcd 集群。</li>
-<li><code>kube-apiserver</code>、<code>kube-scheduler</code>、<code>kube-controller-manager</code>
-配置：这些部分可以通过添加定制的设置或者重载 kubeadm 的默认设置来定制控制面组件。</li>
+<li>
+<p><code>etcd</code>：etcd 数据库的配置。例如使用这个部分可以定制本地 etcd 或者配置 API 服务器
+使用一个外部的 etcd 集群。</p>
+</li>
+<li>
+<p><code>kube-apiserver</code>、<code>kube-scheduler</code>、<code>kube-controller-manager</code>
+配置：这些部分可以通过添加定制的设置或者重载 kubeadm 的默认设置来定制控制面组件。</p>
+</li>
 </ul>
 
 <pre style="background-color:#fff"><span style="color:#000;font-weight:bold">apiVersion</span>:<span style="color:#bbb"> </span>kubeproxy.config.k8s.io/v1alpha1<span style="color:#bbb">
@@ -308,7 +313,7 @@ https://godoc.org/k8s.io/kubelet/config/v1beta1#KubeletConfiguration。</p>
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">criSocket</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;/var/run/dockershim.sock&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">taints</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">  </span>- <span style="color:#000;font-weight:bold">key</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;kubeadmNode&#34;</span><span style="color:#bbb">
-</span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;master&#34;</span><span style="color:#bbb">
+</span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">value</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;someValue&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">effect</span>:<span style="color:#bbb"> </span><span style="color:#d14">&#34;NoSchedule&#34;</span><span style="color:#bbb">
 </span><span style="color:#bbb">  </span><span style="color:#000;font-weight:bold">kubeletExtraArgs</span>:<span style="color:#bbb">
 </span><span style="color:#bbb">    </span><span style="color:#000;font-weight:bold">v</span>:<span style="color:#bbb"> </span><span style="color:#099">4</span><span style="color:#bbb">
@@ -471,9 +476,9 @@ node only (e.g. the node ip).</p>
 </td>
 <td>
    <!--
-   `networking` holds configuration for the networking topology of the cluster.
+   <p><code>networking</code> holds configuration for the networking topology of the cluster.</p>
    -->
-   <code>networking</code> 字段包含集群的网络拓扑配置。
+   <p><code>networking</code> 字段包含集群的网络拓扑配置。</p>
 </td>
 </tr>
 <tr><td><code>kubernetesVersion</code><br/>
@@ -495,8 +500,8 @@ node only (e.g. the node ip).</p>
 It can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
 In case the <code>controlPlaneEndpoint</code> is not specified, the <code>advertiseAddress</code> + <code>bindPort</code>
 are used; in case the <code>controlPlaneEndpoint</code> is specified but without a TCP port,
-the `bindPort` is used.
-Possible usages are:<p>
+the <code>bindPort</code> is used.
+Possible usages are:</p>
    -->
    <p><code>controlPlaneEndpoint</code> 为控制面设置一个稳定的 IP 地址或 DNS 名称。
 取值可以是一个合法的 IP 地址或者 RFC-1123 形式的 DNS 子域名，二者均可以带一个
@@ -768,7 +773,7 @@ Defaults to &quot;/etc/kubernetes/pki/ca.crt&quot;.
 </p>
 </td>
 </tr>
-<tr><td><code>discovery</code> <B><!--<!--[Required]-->[必需]-->[必需]</B><br/>
+<tr><td><code>discovery</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#kubeadm-k8s-io-v1beta3-Discovery"><code>Discovery</code></a>
 </td>
 <td>
@@ -1032,7 +1037,7 @@ impersonate the control-plane.
 <!--
 ControlPlaneComponent holds settings common to control plane component of the cluster
 -->
-ControlPlaneComponent 中包含对集群中所有控制面组件都适用的设置。
+<p>ControlPlaneComponent 中包含对集群中所有控制面组件都适用的设置。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -1080,16 +1085,20 @@ without leading dash(es).
 <!--
 DNS defines the DNS addon that should be used in the cluster
 -->
-DNS 结构定义要在集群中使用的 DNS 插件。
+<p>DNS 结构定义要在集群中使用的 DNS 插件。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
 
-<tr><td><code>ImageMeta</code> <B><!--<!--[Required]-->[必需]-->[必需]</B><br/>
+<tr><td><code>ImageMeta</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#kubeadm-k8s-io-v1beta3-ImageMeta"><code>ImageMeta</code></a>
 </td>
-<td>（<code>ImageMeta</code> 的成员被内嵌到此类型中）。
+<td>
+<!--
+(Members of <code>ImageMeta</code> are embedded into this type.)
+-->
+（<code>ImageMeta</code> 的成员被内嵌到此类型中）。
 <p>
    <!--
    <code>imageMeta</code> allows to customize the image used for the DNS component.
@@ -1113,7 +1122,7 @@ DNS 结构定义要在集群中使用的 DNS 插件。
 <!--
 Discovery specifies the options for the kubelet to use during the TLS Bootstrap process.
 -->
-Discovery 设置 TLS 启动引导过程中 kubelet 要使用的配置选项。
+<p>Discovery 设置 TLS 启动引导过程中 kubelet 要使用的配置选项。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -1194,7 +1203,7 @@ does not contain any other authentication information
 <!--
 Etcd contains elements describing Etcd configuration.
 -->
-Etcd 包含用来描述 etcd 配置的元素。
+<p>Etcd 包含用来描述 etcd 配置的元素。</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -1244,14 +1253,15 @@ Etcd 包含用来描述 etcd 配置的元素。
 ExternalEtcd describes an external etcd cluster.
 Kubeadm has no knowledge of where certificate files live and they must be supplied.
 -->
-ExternalEtcd 描述外部 etcd 集群。
+<p>ExternalEtcd 描述外部 etcd 集群。
 kubeadm 不清楚证书文件的存放位置，因此必须单独提供证书信息。
+</p>
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
 <tbody>
 
-<tr><td><code>endpoints</code> <B><!--<!--[Required]-->[必需]-->[必需]</B><br/>
+<tr><td><code>endpoints</code> <B><!--[Required]-->[必需]</B><br/>
 <code>[]string</code>
 </td>
 <td>
@@ -1261,7 +1271,7 @@ kubeadm 不清楚证书文件的存放位置，因此必须单独提供证书信
    <p><code>endpoints</code> 包含一组 etcd 成员的列表。</p>
 </td>
 </tr>
-<tr><td><code>caFile</code> <B><!--<!--[Required]-->[必需]-->[必需]</B><br/>
+<tr><td><code>caFile</code> <B><!--[Required]-->[必需]</B><br/>
 <code>string</code>
 </td>
 <td>
@@ -1498,7 +1508,11 @@ Secret 中的证书的秘钥。对应的加密秘钥在 InitConfiguration 结构
 <tr><td><code>ImageMeta</code> <B><!--[Required]-->[必需]</B><br/>
 <a href="#kubeadm-k8s-io-v1beta3-ImageMeta"><code>ImageMeta</code></a>
 </td>
-<td>（<code>ImageMeta</code> 结构的字段被嵌入到此类型中。）
+<td>
+<!--
+(Members of <code>ImageMeta</code> are embedded into this type.)
+-->
+（<code>ImageMeta</code> 结构的字段被嵌入到此类型中。）
    <!--p>ImageMeta allows to customize the container used for etcd.</p-->
    <p>ImageMeta 允许用户为 etcd 定制要使用的容器。</p>
 </td>
@@ -1641,15 +1655,17 @@ This information will be annotated to the Node API object, for later re-use</p--
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#taint-v1-core"><code>[]core/v1.Taint</code></a>
 </td>
 <td>
-   <!--p><code>tains</code> specifies the taints the Node API object should be registered with.
-If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted to
-<code>taints: [&quot;node-role.kubernetes.io/master:&quot;&quot;]</code>.
-If you don't want to taint your control-plane node, set this field to an empty slice,
-i.e. <code>taints: []</code> in the YAML file. This field is solely used for Node registration.</p-->
+<!--
+   <p><code>tains</code> specifies the taints the Node API object should be registered with.
+If this field is unset, i.e. nil, in the <code>kubeadm init</code> process it will be defaulted
+with a control-plane taint for control-plane nodes.
+If you don't want to taint your control-plane node, set this field to an empty list,
+i.e. <code>taints: []</code> in the YAML file. This field is solely used for Node registration.</p>
+-->
    <p><code>tains</code> 设定 Node API 对象被注册时要附带的污点。
-若未设置此字段（即字段值为 null）, 在 <code>kubeadm init</code> 期间，节点与控制面之间的通信。默认值为污点默认设置为 <code>taints: [&quot;node-role.kubernetes.io/master:&quot;&quot;]</code>。
-如果你不希望为控制面节点设置污点，可以在 YAML 中将此字段设置为空的列表，即
-<code>taints: []</code>。 此字段仅用在 Node 注册期间。</p>
+若未设置此字段（即字段值为 null），在 <code>kubeadm init</code> 期间，默认为控制平面节点添加控制平面污点。
+如果你不想污染你的控制平面节点，可以将此字段设置为空列表（即 YAML 文件中的 <code>taints: []</code>），
+这个字段只用于节点注册。</p>
 </td>
 </tr>
 <tr><td><code>kubeletExtraArgs</code><br/>
@@ -1782,7 +1798,7 @@ for, so other administrators can know its purpose.</p-->
 </td>
 </tr>
 <tr><td><code>ttl</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--p><code>ttl</code> defines the time to live for this token. Defaults to <code>24h</code>.
@@ -1796,7 +1812,7 @@ for, so other administrators can know its purpose.</p-->
 </td>
 <td>
    <!--p><code>expires</code> specifies the timestamp when this token expires. Defaults to being set
-dynamically at runtime based on the <code>ttl</code>. <code>expires</code> and <code>ttl</code> are mutually exclusive.</p-->
+dynamically at runtime based on the <code>ttl</code>. <code>expires</code> and <code>ttl</code> are mutually exclusive.</p>-->
    <p><code>expires</code> 设置此令牌过期的时间戳。默认为在运行时基于
 <code>ttl</code> 来决定。
 <code>expires</code> 和 <code>ttl</code> 是互斥的。</p>
diff --git a/content/zh/docs/reference/config-api/kubelet-config.v1alpha1.md b/content/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1.md
similarity index 87%
rename from content/zh/docs/reference/config-api/kubelet-config.v1alpha1.md
rename to content/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1.md
index ad7e4908f40e0..9a62ac5ec62a7 100644
--- a/content/zh/docs/reference/config-api/kubelet-config.v1alpha1.md
+++ b/content/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1.md
@@ -26,8 +26,6 @@ auto_generated: true
 -->
 **出现在：**
 
-- [LoggingConfiguration](#LoggingConfiguration)
-
 <!--
 FormatOptions contains options for the different logging formats.
 -->
@@ -41,8 +39,8 @@ FormatOptions 包含为不同类型日志格式提供的选项。
 <a href="#JSONOptions"><code>JSONOptions</code></a>
 </td>
 <td>
-   <!--[Experimental] JSON contains options for logging format "json".-->
-   [试验特性] <code>json</code> 中包含 "json" 日志格式的选项。
+   <!--[Experimental] JSON contains options for logging format &quot;json&quot;.-->
+   [试验特性] <code>json</code> 中包含 &quot;json&quot; 日志格式的选项。
 </td>
 </tr>
 </tbody>
@@ -58,9 +56,9 @@ FormatOptions 包含为不同类型日志格式提供的选项。
 - [FormatOptions](#FormatOptions)
 
 <!--
-JSONOptions contains options for logging format "json".
+JSONOptions contains options for logging format &quot;json&quot;.
 -->
-JSONOptions 包含用于 "json" 日志格式的选项。
+JSONOptions 包含用于 &quot;json&quot; 日志格式的选项。
 
 <table class="table">
 <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@@ -104,8 +102,6 @@ using split streams. The default is zero, which disables buffering.-->
 -->
 **出现在：**
 
-- [LoggingConfiguration](#LoggingConfiguration)
-
 <!--
 VModuleConfiguration is a collection of individual file names or patterns
 and the corresponding verbosity threshold.
@@ -194,13 +190,15 @@ to provide credentials. Images are expected to contain the registry domain
 and URL path.
 Each entry in matchImages is a pattern which can optionally contain a port and a path.
 Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like '&lowast;.k8s.io' or 'k8s.&lowast;.io', and top-level-domains such as 'k8s.&lowast;'.
-Matching partial subdomains like 'app&lowast;.k8s.io' is also supported. Each glob can only match
-a single subdomain segment, so &lowast;.io does not match &lowast;.k8s.io.
+as subdomains like <code>*.k8s.io</code> or <code>k8s.*.io</code>, and top-level-domains such as <code>k8s.*</code>.
+Matching partial subdomains like <code>app*.k8s.io</code> is also supported. Each glob can only match
+a single subdomain segment, so <code>*.io</code> does not match <code>*.k8s.io</code>.
 A match exists between an image and a matchImage when all of the below are true:
-- Both contain the same number of domain parts and each part matches.
-- The URL path of an imageMatch must be a prefix of the target image URL path.
-- If the imageMatch contains a port, then the port must match in the image as well.
+<ul>
+<li>Both contain the same number of domain parts and each part matches.</li>
+<li>The URL path of an imageMatch must be a prefix of the target image URL path.</li>
+<li>If the imageMatch contains a port, then the port must match in the image as well.</li>
+</ul>
 Example values of matchImages:
   - 123456789.dkr.ecr.us-east-1.amazonaws.com
   - &lowast;.azurecr.io
@@ -213,9 +211,9 @@ Example values of matchImages:
 镜像应该包含镜像库域名和 URL 路径。</p>
 <p><code>matchImages</code> 中的每个条目都是一个模式字符串，其中可以包含端口号和路径。
 域名部分可以包含统配符，但端口或路径部分不可以。通配符可以用作子域名，例如
-'&lowast;.k8s.io' 或 'k8s.&lowast;.io'，以及顶级域名，如 'k8s.&lowast;'。</p>
-<p>对类似 'app&lowast;.k8s.io' 这类部分子域名的匹配也是支持的。
-每个通配符只能用来匹配一个子域名段，所以 '&lowast;.io' 不会匹配 '&lowast;.k8s.io'。</p>
+<code>*.k8s.io</code> 或 <code>k8s.*.io</code>，以及顶级域名，如 <code>k8s.*</code>。</p>
+<p>对类似 <code>app*.k8s.io</code> 这类部分子域名的匹配也是支持的。
+每个通配符只能用来匹配一个子域名段，所以 <code>*.io</code> 不会匹配 <code>*.k8s.io</code>。</p>
 <p>镜像与 <code>matchImages</code> 之间存在匹配时，以下条件都要满足：</p>
 <ul>
   <li>二者均包含相同个数的域名部分，并且每个域名部分都对应匹配；</li>
@@ -224,17 +222,17 @@ Example values of matchImages:
 </ul>
 <p><code>matchImages</code> 的一些示例如下：</p>
 <ul>
-  <li>123456789.dkr.ecr.us-east-1.amazonaws.com</li>
-  <li>&lowast;.azurecr.io</li>
-  <li>gcr.io</li>
-  <li>&lowast;.&lowast;.registry.io</li>
-  <li>registry.io:8080/path</li>
+<li><code>123456789.dkr.ecr.us-east-1.amazonaws.com</code></li>
+<li><code>*.azurecr.io</code></li>
+<li><code>gcr.io</code></li>
+<li><code>*.*.registry.io</code></li>
+<li><code>registry.io:8080/path</code></li>
 </ul>
 </td>
 </tr>
 
 <tr><td><code>defaultCacheDuration</code> <B>[必需]</B><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--defaultCacheDuration is the default duration the plugin will cache credentials in-memory
diff --git a/content/zh/docs/reference/config-api/kubelet-config.v1beta1.md b/content/zh-cn/docs/reference/config-api/kubelet-config.v1beta1.md
similarity index 65%
rename from content/zh/docs/reference/config-api/kubelet-config.v1beta1.md
rename to content/zh-cn/docs/reference/config-api/kubelet-config.v1beta1.md
index 0c1bfab0b2f52..15864fe93d192 100644
--- a/content/zh/docs/reference/config-api/kubelet-config.v1beta1.md
+++ b/content/zh-cn/docs/reference/config-api/kubelet-config.v1beta1.md
@@ -2,7 +2,6 @@
 title: Kubelet 配置 (v1beta1)
 content_type: tool-reference
 package: kubelet.config.k8s.io/v1beta1
-auto_generated: true
 ---
 
 <!--
@@ -17,9 +16,50 @@ auto_generated: true
 -->
 ## 资源类型
 
+- [CredentialProviderConfig](#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig)
 - [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
 - [SerializedNodeConfigSource](#kubelet-config-k8s-io-v1beta1-SerializedNodeConfigSource)
 
+## `CredentialProviderConfig`     {#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig}
+
+<!--
+CredentialProviderConfig is the configuration containing information about
+each exec credential provider. Kubelet reads this configuration from disk and enables
+each provider as specified by the CredentialProvider type.
+-->
+CredentialProviderConfig 包含有关每个 exec 凭据提供者的配置信息。
+Kubelet 从磁盘上读取这些配置信息，并根据 CredentialProvider 类型启用各个提供者。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>kubelet.config.k8s.io/v1beta1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderConfig</code></td></tr>
+    
+  
+<tr><td><code>providers</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubelet-config-k8s-io-v1beta1-CredentialProvider"><code>[]CredentialProvider</code></a>
+</td>
+<td>
+<!--
+providers is a list of credential provider plugins that will be enabled by the kubelet.
+Multiple providers may match against a single image, in which case credentials
+from all providers will be returned to the kubelet. If multiple providers are called
+for a single image, the results are combined. If providers return overlapping
+auth keys, the value from the provider earlier in this list is used.
+-->
+   <p>
+   <code>providers</code> 是一组凭据提供者插件，这些插件会被 kubelet 启用。
+   多个提供者可以匹配到同一镜像上，这时，来自所有提供者的凭据信息都会返回给 kubelet。
+   如果针对同一镜像调用了多个提供者，则结果会被组合起来。如果提供者返回的认证主键有重复，
+   列表中先出现的提供者所返回的值将被使用。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
 ## `KubeletConfiguration`     {#kubelet-config-k8s-io-v1beta1-KubeletConfiguration}
 
 <!--
@@ -39,14 +79,9 @@ KubeletConfiguration 中包含 Kubelet 的配置。
 <td>
    <!--enableServer enables Kubelet's secured server.
 Note: Kubelet's insecure port is controlled by the readOnlyPort option.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: true-->
   <p><code>enableServer</code> 会启用 kubelet 的安全服务器。</p>
   <p>注意：kubelet 的不安全端口由 <code>readOnlyPort</code> 选项控制。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能会影响到与 kubelet 服务器交互的组件。</p>
   <p>默认值：<code>true</code></p>
 </td>
 </tr>
@@ -57,77 +92,47 @@ Default: true-->
 <td>
    <!--staticPodPath is the path to the directory containing local (static) pods to
 run, or the path to a single static pod file.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-the set of static pods specified at the new path may be different than the
-ones the Kubelet initially started with, and this may disrupt your node.
-Default: ""-->
+Default: &quot;&quot;-->
   <p><code>staticPodPath</code> 是指向要运行的本地（静态）Pod 的目录，
 或者指向某个静态 Pod 文件的路径。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑新路径下所给的静态 Pod 集合可能与 kubelet
-启动时所看到的集合不同，而这一差别可能会扰乱节点状态。</p>
-  <p>默认值：""</p>
+  <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
 
 <tr><td><code>syncFrequency</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--syncFrequency is the max period between synchronizing running
 containers and config.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-shortening this duration may have a negative performance impact, especially
-as the number of Pods on the node increases. Alternatively, increasing this
-duration will result in longer refresh times for ConfigMaps and Secrets.
-Default: "1m"-->
+Default: &quot;1m&quot;-->
   <p><code>syncFrequency</code> 是对运行中的容器和配置进行同步的最长周期。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短这一同步周期可能会带来负面的性能影响，
-尤其当节点上 Pod 个数增加时。相反，增加此周期长度时可能会导致 ConfigMap、
-Secret 这类资源未被及时更新。</p>
-  <p>默认值："1m"</p>
+  <p>默认值：&quot;1m&quot;</p>
 </td>
 </tr>
 
 <tr><td><code>fileCheckFrequency</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--fileCheckFrequency is the duration between checking config files for
 new data.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-shortening the duration will cause the Kubelet to reload local Static Pod
-configurations more frequently, which may have a negative performance impact.
-Default: "20s"-->
+Default: &quot;20s&quot;-->
   <p><code>fileCheckFrequency</code> 是对配置文件中新数据进行检查的时间间隔值。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短此时长会导致 kubelet 更为频繁地重新加载其静态 Pod 配置，
-而这会带来负面的性能影响。</p>
-  <p>默认值："20s"</p>
+  <p>默认值：&quot;20s&quot;</p>
 </td>
 </tr>
 
 <tr><td><code>httpCheckFrequency</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
   <!--
    httpCheckFrequency is the duration between checking http for new data.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-shortening the duration will cause the Kubelet to poll staticPodURL more
-frequently, which may have a negative performance impact.
-Default: "20s"
+Default: &quot;20s&quot;
   -->
   <p><code>httpCheckFrequency</code> 是对 HTTP 服务器上新数据进行检查的时间间隔值。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短此时长会导致 kubelet 更为频繁地轮询
-<code>staticPodURL</code>，而这会带来负面的性能影响。</p>
-  <p>默认值："20s"</p>
+  <p>默认值：&quot;20s&quot;</p>
 </td>
 </tr>
 
@@ -136,17 +141,10 @@ Default: "20s"
 </td>
 <td>
   <!--staticPodURL is the URL for accessing static pods to run.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-the set of static pods specified at the new URL may be different than the
-ones the Kubelet initially started with, and this may disrupt your node.
-Default: ""
+Default: &quot;&quot;
   -->
   <p><code>staticPodURL</code> 是访问要运行的静态 Pod 的 URL 地址。
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，新的 URL 上包含的静态 Pod 集合可能与 kubelet
-初始启动时看到的不同，而这种差异可能会扰乱节点状态。</p>
-  <p>默认值：""</p>
+  <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
 
@@ -156,16 +154,10 @@ Default: ""
 <td>
    <!--
    staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt the ability to read the latest set of static pods from StaticPodURL.
 Default: nil
    -->
    <p><code>staticPodURLHeader</code>是一个由字符串组成的映射表，其中包含的 HTTP
 头部信息用于访问<code>podURL</code>。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，要考虑可能导致无法从<code>staticPodURL</code>
-读取最新的静态 Pod 集合。</p>
   <p>默认值：nil</p>
 </td>
 </tr>
@@ -177,15 +169,10 @@ Default: nil
    <!--
    address is the IP address for the Kubelet to serve on (set to 0.0.0.0
 for all interfaces).
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: &quot;0.0.0.0&quot;
    -->
    <p><code>address</code> 是 kubelet 提供服务所用的 IP 地址（设置为 0.0.0.0
 使用所有网络接口提供服务）。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
   <p>默认值：&quot;0.0.0.0&quot;</p>
 </td>
 </tr>
@@ -197,15 +184,10 @@ Default: &quot;0.0.0.0&quot;
    <!--
    port is the port for the Kubelet to serve on.
 The port number must be between 1 and 65535, inclusive.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: 10250
    -->
    <p><code>port</code> 是 kubelet 用来提供服务所使用的端口号。
 这一端口号必须介于 1 到 65535 之间，包含 1 和 65535。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
   <p>默认值：10250</p>
 </td>
 </tr>
@@ -218,16 +200,11 @@ Default: 10250
 no authentication/authorization.
 The port number must be between 1 and 65535, inclusive.
 Setting this field to 0 disables the read-only service.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: 0 (disabled)
    -->
    <p><code>readOnlyPort</code> 是 kubelet 用来提供服务所使用的只读端口号。
 此端口上的服务不支持身份认证或鉴权。这一端口号必须介于 1 到 65535 之间，
 包含 1 和 65535。将此字段设置为 0 会禁用只读服务。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
    <p>默认值：0（禁用）</p>
 </td>
 </tr>
@@ -241,17 +218,12 @@ if any, concatenated after server cert). If tlsCertFile and
 tlsPrivateKeyFile are not provided, a self-signed certificate
 and key are generated for the public address and saved to the directory
 passed to the Kubelet's --cert-dir flag.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default:&quot;quot;
   -->
   <p><code>tlsCertFile</code>是包含 HTTPS 所需要的 x509 证书的文件
 （如果有 CA 证书，会串接到服务器证书之后）。如果<code>tlsCertFile</code>
 和<code>tlsPrivateKeyFile</code>都没有设置，则系统会为节点的公开地址生成自签名的证书和私钥，
 并将其保存到 kubelet <code>--cert-dir</code>参数所指定的目录下。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
   <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -261,15 +233,10 @@ Default:&quot;quot;
 </td>
 <td>
    <!--tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: &quot;&quot;
    -->
    <p><code>tlsPrivateKeyFile</code>是一个包含与<code>tlsCertFile</code>
 证书匹配的 X509 私钥的文件。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
   <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -280,15 +247,10 @@ Default: &quot;&quot;
 <td>
    <!--tlsCipherSuites is the list of allowed cipher suites for the server.
 Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: nil
    -->
    <p><code>tlsCipherSuites</code>是一个字符串列表，其中包含服务器所接受的加密包名称。
 列表中的每个值来自于<code>tls</code>包中定义的常数（https://golang.org/pkg/crypto/tls/#pkg-constants）。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰到与 kubelet 服务器交互的组件。</p>
   <p>默认值：nil</p>
 </td>
 </tr>
@@ -299,15 +261,10 @@ Default: nil
 <td>
    <!--tlsMinVersion is the minimum TLS version supported.
 Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: &quot;&quot;
    -->
    <p><code>tlsMinVersion</code>给出所支持的最小 TLS 版本。
 字段取值来自于<code>tls</code>包中的常数定义（https://golang.org/pkg/crypto/tls/#pkg-constants）。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰到与 kubelet 服务器交互的组件。</p>
   <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -319,17 +276,10 @@ Default: &quot;&quot;
    <!--rotateCertificates enables client certificate rotation. The Kubelet will request a
 new certificate from the certificates.k8s.io API. This requires an approver to approve the
 certificate signing requests.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-disabling it may disrupt the Kubelet's ability to authenticate with the API server
-after the current certificate expires.
 Default: false
    -->
    <p><code>rotateCertificates</code>用来启用客户端证书轮换。kubelet 会调用
 <code>certificates.k8s.io</code> API 来请求新的证书。需要有一个批复人批准证书签名请求。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑禁用此行为时可能导致 kubelet 无法在当前证书过期时向
-API 服务器执行身份认证。</p>
   <p>默认值：false</code>
 </td>
 </tr>
@@ -343,20 +293,12 @@ signing a serving certificate, the Kubelet will request a certificate from
 the 'certificates.k8s.io' API. This requires an approver to approve the
 certificate signing requests (CSR). The RotateKubeletServerCertificate feature
 must be enabled when setting this field.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-disabling it will stop the renewal of Kubelet server certificates, which can
-disrupt components that interact with the Kubelet server in the long term,
-due to certificate expiration.
 Default: false
    -->
    <p><code>serverTLSBootstrap</code>用来启用服务器证书引导。系统不再使用自签名的服务证书，
 kubelet 会调用<code>certificates.k8s.io</code> API 来请求证书。
 需要有一个批复人来批准证书签名请求（CSR）。
 设置此字段时，<code>RotateKubeletServerCertificate</code>特性必须被启用。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑禁用此特性会导致 kubelet 的服务器证书无法被续约，
-长期上这会干扰到与 kubelet 服务器交互的组件，因为证书会过期。</p>
   <p>默认值：false</p>
 </td>
 </tr>
@@ -366,26 +308,21 @@ kubelet 会调用<code>certificates.k8s.io</code> API 来请求证书。
 </td>
 <td>
    <!--authentication specifies how requests to the Kubelet's server are authenticated.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Defaults:
   anonymous:
     enabled: false
   webhook:
     enabled: true
-    cacheTTL: "2m"
+    cacheTTL: &quot;2m&quot;
    -->
    <p><code>authorization</code>设置发送给 kubelet 服务器的请求是如何进行身份认证的。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
   <p>默认值：</p>
   <pre><code>
   anonymous:
     enabled: false
   webhook:
     enabled: true
-    cacheTTL: "2m"
+    cacheTTL: &quot;2m&quot;
   </code></pre>
 </td>
 </tr>
@@ -395,24 +332,19 @@ Defaults:
 </td>
 <td>
    <!--authorization specifies how requests to the Kubelet's server are authorized.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Defaults:
   mode: Webhook
   webhook:
-    cacheAuthorizedTTL: "5m"
-    cacheUnauthorizedTTL: "30s"</td>
+    cacheAuthorizedTTL: &quot;5m&quot;
+    cacheUnauthorizedTTL: &quot;30s&quot;</td>
    -->
    <p><code>authorization</code>设置发送给 kubelet 服务器的请求是如何进行鉴权的。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能会干扰到与 kubelet 服务器交互的组件。</p>
   <p>默认值：</p>
   <pre><code>
   mode: Webhook
   webhook:
-    cacheAuthorizedTTL: "5m"
-    cacheUnauthorizedTTL: "30s"
+    cacheAuthorizedTTL: &quot;5m&quot;
+    cacheUnauthorizedTTL: &quot;30s&quot;
   </code></pre>
 </td>
 </tr>
@@ -424,16 +356,10 @@ Defaults:
    <!--registryPullQPS is the limit of registry pulls per second.
 The value must not be a negative number.
 Setting it to 0 means no limit.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact scalability by changing the amount of traffic produced
-by image pulls.
 Default: 5
    -->
    <p><code>registryPullQPS</code>是每秒钟可以执行的镜像仓库拉取操作限值。
 此值必须不能为负数。将其设置为 0 表示没有限值。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这类更新可能会因为镜像拉取所产生的流量变化而导致集群可扩缩能力问题。</p>
   <p>默认值：5</code>
 </td>
 </tr>
@@ -446,17 +372,11 @@ Default: 5
 pulls to burst to this number, while still not exceeding registryPullQPS.
 The value must not be a negative number.
 Only used if registryPullQPS is greater than 0.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact scalability by changing the amount of traffic produced
-by image pulls.
 Default: 10
    -->
    <p><code>registryBurst</code>是突发性镜像拉取的上限值，允许镜像拉取临时上升到所指定数量，
 不过仍然不超过<code>registryPullQPS</code>所设置的约束。此值必须是非负值。
 只有<code>registryPullQPS</code>参数值大于 0 时才会使用此设置。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能因为镜像拉取所造成的流量变化，导致集群可扩缩能力受影响。</p>
   <p>默认值：10</p>
 </td>
 </tr>
@@ -467,16 +387,10 @@ Default: 10
 <td>
    <!--eventRecordQPS is the maximum event creations per second. If 0, there
 is no limit enforced. The value cannot be a negative number.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact scalability by changing the amount of traffic produced by
-event creations.
 Default: 5
    -->
    <p><code>eventRecordQPS</code>设置每秒钟可创建的事件个数上限。如果此值为 0，
 则表示没有限制。此值不能设置为负数。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能因为生成事件所造成的流量变化，导致集群可扩缩能力受影响。</p>
   <p>默认值：5</p>
 </td>
 </tr>
@@ -485,21 +399,16 @@ Default: 5
 <code>int32</code>
 </td>
 <td>
-   <!--eventBurst is the maximum size of a burst of event creations, temporarily
+   <!--
+eventBurst is the maximum size of a burst of event creations, temporarily
 allows event creations to burst to this number, while still not exceeding
 eventRecordQPS. This field canot be a negative number and it is only used
-when eventRecordQPS > 0.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact scalability by changing the amount of traffic produced by
-event creations.
+when eventRecordQPS &gt; 0.
 Default: 10
    -->
    <p><code>eventBurst</code>是突发性事件创建的上限值，允许事件创建临时上升到所指定数量，
 不过仍然不超过<code>eventRecordQPS</code>所设置的约束。此值必须是非负值，
-且只有<code>eventRecordQPS</code>大于 0 时才会使用此设置。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能因为事件创建所造成的流量变化，导致集群可扩缩能力受影响。</p>
+且只有<code>eventRecordQPS</code> &gt; 0 时才会使用此设置。</p>
   <p>默认值：10</p>
 </td>
 </tr>
@@ -511,16 +420,11 @@ Default: 10
    <!--enableDebuggingHandlers enables server endpoints for log access
 and local running of containers and commands, including the exec,
 attach, logs, and portforward features.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-disabling it may disrupt components that interact with the Kubelet server.
 Default: true
    -->
    <p><code>enableDebuggingHandlers</code>启用服务器上用来访问日志、
 在本地运行容器和命令的端点，包括<code>exec</code>、<code>attach</code>、
 <code>logs</code>和<code>portforward</code>等功能。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑禁用此能力可能干扰到与 kubelet 服务器交互的组件。</p>
   <p>默认值：true</p>
 </td>
 </tr>
@@ -529,16 +433,12 @@ Default: true
 <code>bool</code>
 </td>
 <td>
-   <!--enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-enabling it may carry a performance impact.
+   <!--
+enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true.
 Default: false
    -->
    <p><code>enableContentionProfiling</code>用于启用锁竞争性能分析，
 仅用于<code>enableDebuggingHandlers</code>为<code>true</code>的场合。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑启用此分析可能隐含着一定的性能影响。</p>
   <p>默认值：false</code>
 </td>
 </tr>
@@ -547,17 +447,13 @@ Default: false
 <code>int32</code>
 </td>
 <td>
-   <!--healthzPort is the port of the localhost healthz endpoint (set to 0 to disable).
+   <!--
+healthzPort is the port of the localhost healthz endpoint (set to 0 to disable).
 A valid number is between 1 and 65535.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that monitor Kubelet health.
 Default: 10248
    -->
    <p><code>healthzPort</code>是本地主机上提供<code>healthz</code>端点的端口
 （设置值为 0 时表示禁止）。合法值介于 1 和 65535 之间。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰到监控 kubelet 健康状况的组件。</p>
   <p>默认值：10248</p>
 </td>
 </tr>
@@ -566,15 +462,11 @@ Default: 10248
 <code>string</code>
 </td>
 <td>
-   <!--healthzBindAddress is the IP address for the healthz server to serve on.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that monitor Kubelet health.
+   <!--
+healthzBindAddress is the IP address for the healthz server to serve on.
 Default: &quot;127.0.0.1&quot;
    -->
    <p><code>healthzBindAddress<code>是<code>healthz</code>服务器用来提供服务的 IP 地址。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能影响到监测 kubelet 健康状况的组件。</p>
   <p>默认值：&quot;127.0.0.1&quot;</p>
 </td>
 </tr>
@@ -585,15 +477,10 @@ Default: &quot;127.0.0.1&quot;
 <td>
    <!--oomScoreAdj is The oom-score-adj value for kubelet process. Values
 must be within the range [-1000, 1000].
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact the stability of nodes under memory pressure.
 Default: -999
    -->
    <p><code>oomScoreAdj</code> 是为 kubelet 进程设置的<code>oom-score-adj</code>值。
 所设置的取值要在 [-1000, 1000] 范围之内。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能影响到内存压力较大时节点的稳定性。</p>
    <p>默认值：-999</p>
 </td>
 </tr>
@@ -605,14 +492,10 @@ Default: -999
    <!--clusterDomain is the DNS domain for this cluster. If set, kubelet will
 configure all containers to search this domain in addition to the
 host's search domains.
-Dynamic Kubelet Config (deprecated, default disabled): Dynamically updating this field is not recommended,
-as it should be kept in sync with the rest of the cluster.
 Default: &quot;&quot;
    -->
    <p><code>clusterDomain</code>是集群的 DNS 域名。如果设置了此字段，kubelet
 会配置所有容器，使之在搜索主机的搜索域的同时也搜索这里指定的 DNS 域。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用，默认为关闭）：
-不建议动态更新此字段，因为这一设置值要与整个集群中的其他组件保持一致。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -624,43 +507,30 @@ Default: &quot;&quot;
    <!--clusterDNS is a list of IP addresses for the cluster DNS server. If set,
 kubelet will configure all containers to use this for DNS resolution
 instead of the host's DNS servers.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-changes will only take effect on Pods created after the update. Draining
-the node is recommended before changing this field.
 Default: nil
   -->
   <p><code>clusterDNS</code>是集群 DNS 服务器的 IP 地址的列表。
 如果设置了，kubelet 将会配置所有容器使用这里的 IP 地址而不是宿主系统上的 DNS
 服务器来完成 DNS 解析。
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑变更仅会对更新后创建的 Pod 起作用。建议在更改此字段之前腾空节点。</p>
   <p>默认值：nil</p>
 </td>
 </tr>
 
 <tr><td><code>streamingConnectionIdleTimeout</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--streamingConnectionIdleTimeout is the maximum time a streaming connection
 can be idle before the connection is automatically closed.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact components that rely on infrequent updates over streaming
-connections to the Kubelet server.
 Default: &quot;4h&quot;
    -->
    <p><code>streamingConnectionIdleTimeout</code>设置流式连接在被自动关闭之前可以空闲的最长时间。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能影响到依赖于通过与 kubelet
-服务器间流式连接来接受非频繁更新事件的组件。</p>
    <p>默认值：&quot;4h&quot;</p>
 </td>
 </tr>
 
 <tr><td><code>nodeStatusUpdateFrequency</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--nodeStatusUpdateFrequency is the frequency that kubelet computes node
@@ -668,28 +538,18 @@ status. If node lease feature is not enabled, it is also the frequency that
 kubelet posts node status to master.
 Note: When node lease feature is not enabled, be cautious when changing the
 constant, it must work with nodeMonitorGracePeriod in nodecontroller.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact node scalability, and also that the node controller's
-nodeMonitorGracePeriod must be set to N*NodeStatusUpdateFrequency,
-where N is the number of retries before the node controller marks
-the node unhealthy.
 Default: &quot;10s&quot;
    -->
    <p><code>nodeStatusUpdateFrequency</code>是 kubelet 计算节点状态的频率。
 如果未启用节点租约特性，这一字段设置的也是 kubelet 向控制面投递节点状态的频率。</p>
    <p>注意：如果节点租约特性未被启用，更改此参数设置时要非常小心，
 所设置的参数值必须与节点控制器的<code>nodeMonitorGracePeriod</code>协同。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑变更可能影响节点的可扩缩性。还要注意节点控制器的
-<code>nodeMonitorGracePeriod</code>必须设置为<code>N&lowast;nodeStatusUpdateFrequency</code>，
-其中<code>N</code>是节点控制器标记节点不健康之前执行重试的次数。</p>
    <p>默认值：&quot;10s&quot;</p>
 </td>
 </tr>
 
 <tr><td><code>nodeStatusReportFrequency</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--nodeStatusReportFrequency is the frequency that kubelet posts node
@@ -723,10 +583,6 @@ If the lease expires, the node can be considered unhealthy.
 The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal
 interval may be set based on the lease duration.
 The field value must be greater than 0.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-decreasing the duration may reduce tolerance for issues that temporarily prevent
-the Kubelet from renewing the lease (e.g. a short-lived network issue).
 Default: 40
    -->
    <p><code>nodeLeaseDurationSeconds</code>是 kubelet 会在其对应的 Lease 对象上设置的时长值。
@@ -735,27 +591,19 @@ Default: 40
    <p>如果租约过期，则节点可被视作不健康。根据 KEP-0009 约定，目前的租约每 10 秒钟续约一次。
 在将来，租约的续约时间间隔可能会根据租约的时长来设置。</p>
    <p>此字段的取值必须大于零。</p>
-  <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短租约期限可能降低节点对那些暂时导致 kubelet
-无法续约的问题的容忍度（例如，时延很短的网络问题）。</p>
   <p>默认值：40</p>
 </td>
 </tr>
 
 <tr><td><code>imageMinimumGCAge</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--imageMinimumGCAge is the minimum age for an unused image before it is
-garbage collected. If DynamicKubeletConfig (deprecated; default off)
-is on, when dynamically updating this field, consider that  it may trigger or
-delay garbage collection, and may change the image overhead on the node.
+garbage collected. 
 Default: &quot;2m&quot;
    -->
    <p><code>imageMinimumGCAge</code>是对未使用镜像进行垃圾搜集之前允许其存在的时长。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这种变更可能触发垃圾收集或者延迟垃圾收集，
-并且可能影响节点上镜像的额外开销。</p>
    <p>默认值：&quot;2m&quot;</p>
 </td>
 </tr>
@@ -769,19 +617,12 @@ image garbage collection is always run. The percent is calculated by
 dividing this field value by 100, so this field must be between 0 and
 100, inclusive. When specified, the value must be greater than
 imageGCLowThresholdPercent.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may trigger or delay garbage collection, and may change the image overhead
-on the node.
 Default: 85
    -->
    <p><code>imageGCHighThresholdPercent</code>所给的是镜像的磁盘用量百分数，
 一旦镜像用量超过此阈值，则镜像垃圾收集会一直运行。百分比是用这里的值除以 100
 得到的，所以此字段取值必须介于 0 和 100 之间，包括 0 和 100。如果设置了此字段，
 则取值必须大于<code>imageGCLowThresholdPercent</code>取值。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这种变更可能触发垃圾收集或者延迟垃圾收集，
-并且可能影响节点上镜像的额外开销。</p>
    <p>默认值：85</p>
 </td>
 </tr>
@@ -795,37 +636,25 @@ image garbage collection is never run. Lowest disk usage to garbage
 collect to. The percent is calculated by dividing this field value by 100,
 so the field value must be between 0 and 100, inclusive. When specified, the
 value must be less than imageGCHighThresholdPercent.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may trigger or delay garbage collection, and may change the image overhead
-on the node.
 Default: 80
    -->
    <p><code>imageGCLowThresholdPercent</code>所给的是镜像的磁盘用量百分数，
 镜像用量低于此阈值时不会执行镜像垃圾收集操作。垃圾收集操作也将此作为最低磁盘用量边界。
 百分比是用这里的值除以 100 得到的，所以此字段取值必须介于 0 和 100 之间，包括 0 和 100。
 如果设置了此字段，则取值必须小于<code>imageGCHighThresholdPercent</code>取值。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这种变更可能触发垃圾收集或者延迟垃圾收集，
-并且可能影响节点上镜像的额外开销。</p>
    <p>默认值：80</p>
 </td>
 </tr>
 
 <tr><td><code>volumeStatsAggPeriod</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--volumeStatsAggPeriod is the frequency for calculating and caching volume
 disk usage for all pods.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-shortening the period may carry a performance impact.
 Default: &quot;1m&quot;
    -->
    <p><code>volumeStatsAggPeriod</code>是计算和缓存所有 Pod 磁盘用量的频率。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短此周期长度可能产生性能影响。</p>
    <p>默认值：&quot;1m&quot;</p>
 </td>
 </tr>
@@ -835,13 +664,9 @@ Default: &quot;1m&quot;
 </td>
 <td>
    <!--kubeletCgroups is the absolute name of cgroups to isolate the kubelet in
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
-Default: ""
+Default: &quot;&quot;
    -->
    <p><code>kubeletCgroups</code>是用来隔离 kubelet 的控制组（CGroup）的绝对名称。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -854,15 +679,11 @@ Default: ""
 all non-kernel processes that are not already in a container. Empty
 for no container. Rolling back the flag requires a reboot.
 The cgroupRoot must be specified if this field is not empty.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: &quot;&qout;
    -->
    <p><code>systemCgroups</code>是用来放置那些未被容器化的、非内核的进程的控制组
-(CGroup）的绝对名称。设置为空字符串表示没有这类容器。回滚此字段设置需要重启节点。
+（CGroup）的绝对名称。设置为空字符串表示没有这类容器。回滚此字段设置需要重启节点。
 当此字段非空时，必须设置<code>cgroupRoot</code>字段。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -873,15 +694,9 @@ Default: &quot;&qout;
 <td>
    <!--cgroupRoot is the root cgroup to use for pods. This is handled by the
 container runtime on a best effort basis.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
-Default: ""
    -->
-   <p><code>cgroupRoot</code>是用来运行 Pod 的控制组 (CGroup）。
+   <p><code>cgroupRoot</code>是用来运行 Pod 的控制组（CGroup）。
 容器运行时会尽可能处理此字段的设置值。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
-   <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
 
@@ -892,15 +707,11 @@ Default: ""
    <!--cgroupsPerQOS enable QoS based CGroup hierarchy: top level CGroups for QoS classes
 and all Burstable and BestEffort Pods are brought up under their specific top level
 QoS CGroup.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: true
    -->
    <p><code>cgroupsPerQOS</code>用来启用基于 QoS 的控制组（CGroup）层次结构：
 顶层的控制组用于不同 QoS 类，所有<code>Burstable</code>和<code>BestEffort</code> Pod
 都会被放置到对应的顶级 QoS 控制组下。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：true</p>
 </td>
 </tr>
@@ -911,14 +722,10 @@ Default: true
 <td>
    <!--cgroupDriver is the driver kubelet uses to manipulate CGroups on the host (cgroupfs
 or systemd).
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: &quot;cgroupfs&quot;
    -->
-   <p><code>cgroupDriver</code>是 kubelet 用来操控宿主系统上控制组 (CGroup）
+   <p><code>cgroupDriver</code>是 kubelet 用来操控宿主系统上控制组（CGroup）
 的驱动程序（cgroupfs 或 systemd）。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：&quot;cgroupfs&quot;</p>
 </td>
 </tr>
@@ -929,14 +736,10 @@ Default: &quot;cgroupfs&quot;
 <td>
    <!--cpuManagerPolicy is the name of the policy to use.
 Requires the CPUManager feature gate to be enabled.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: &quot;None&quot;
    -->
    <p><code>cpuManagerPolicy</code>是要使用的策略名称。需要启用<code>CPUManager</code>
 特性门控。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：&quot;None&quot;</p>
 </td>
 </tr>
@@ -947,36 +750,26 @@ Default: &quot;None&quot;
 <td>
    <!--cpuManagerPolicyOptions is a set of key=value which 	allows to set extra options
 to fine tune the behaviour of the cpu manager policies.
-Requires  both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled.
-Dynamic Kubelet Config (beta): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
+Requires  both the &quot;CPUManager&quot; and &quot;CPUManagerPolicyOptions&quot; feature gates to be enabled.
 Default: nil
    -->
    <p><code>cpuManagerPolicyOptions</code>是一组<code>key=value</code>键值映射，
 容许通过额外的选项来精细调整 CPU 管理器策略的行为。需要<code>CPUManager</code>和
 <code>CPUManagerPolicyOptions</code>两个特性门控都被启用。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：nil</p>
 </td>
 </tr>
 
 <tr><td><code>cpuManagerReconcilePeriod</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager.
 Requires the CPUManager feature gate to be enabled.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-shortening the period may carry a performance impact.
-Default: "10s"
+Default: &quot;10s&quot;
    -->
    <p><code>cpuManagerReconcilePeriod</code>是 CPU 管理器的协调周期时长。
 需要启用<code>CPUManager</code>特性门控。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短周期时长可能带来的性能影响。</p>
    <p>默认值：&quot;10s&quot;</p>
 </td>
 </tr>
@@ -987,14 +780,10 @@ Default: "10s"
 <td>
    <!--memoryManagerPolicy is the name of the policy to use by memory manager.
 Requires the MemoryManager feature gate to be enabled.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: &quot;none&quot;
    -->
    <p><code>memoryManagerPolicy</code>是内存管理器要使用的策略的名称。
 要求启用<code>MemoryManager</code>特性门控。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：&quot;none&quot;</p>
 </td>
 </tr>
@@ -1016,8 +805,6 @@ resources;</li>
 of CPU and device resources.</li>
 </ul>
 <p>Policies other than &quot;none&quot; require the TopologyManager feature gate to be enabled.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: &quot;none&quot;</p>
   -->
    <p><code>topologyManagerPolicy</code>是要使用的拓扑管理器策略名称。合法值包括：</p> 
@@ -1028,8 +815,6 @@ Default: &quot;none&quot;</p>
     <li><code>single-numa-node</code>：kubelet 仅允许在 CPU 和设备资源上对齐到同一 NUMA 节点的 Pod。</li>
    </ul>
    <p>如果策略不是 &quot;none&quot;，则要求启用<code>TopologyManager</code>特性门控。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：&quot;none&quot;</p>
 </td>
 </tr>
@@ -1068,34 +853,25 @@ the minimum percentage of a resource reserved for exclusive use by the
 guaranteed QoS tier.
 Currently supported resources: &quot;memory&quot;
 Requires the QOSReserved feature gate to be enabled.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: nil
    -->
    <p><code>qosReserved</code>是一组从资源名称到百分比值的映射，用来为<code>Guaranteed</code>
 QoS 类型的负载预留供其独占使用的资源百分比。目前支持的资源为：&quot;memory&quot;。
 需要启用<code>QOSReserved</code>特性门控。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-更新此字段时需要对整个节点执行重启。最安全的做法是确保此值与本地配置相同。</p>
    <p>默认值：nil</p>
 </td>
 </tr>
 
 <tr><td><code>runtimeRequestTimeout</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--runtimeRequestTimeout is the timeout for all runtime requests except long running
 requests - pull, logs, exec and attach.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may disrupt components that interact with the Kubelet server.
 Default: &quot;2m&quot;
    -->
    <p><code>runtimeRequestTimeout</code>用来设置除长期运行的请求（<code>pull</code>、
 <code>logs</code>、<code>exec</code>和<code>attach</code>）之外所有运行时请求的超时时长。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能干扰与 kubelet 服务器交互的组件。</p>
    <p>默认值：&quot;2m&quot;</p>
 </td>
 </tr>
@@ -1123,15 +899,10 @@ themselves if they should try to access their own Service. Values:</p-->
    </ul>
    <!--Generally, one must set <code>--hairpin-mode=hairpin-veth to</code> achieve hairpin NAT,
 because promiscuous-bridge assumes the existence of a container bridge named cbr0.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may require a node reboot, depending on the network plugin.
 Default: &quot;promiscuous-bridge&quot;
     -->
    <p>一般而言，用户必须设置<code>--hairpin-mode=hairpin-veth</code>才能实现发夹模式的网络地址转译
 （NAT），因为混杂模式的网桥要求存在一个名为<code>cbr0</code>的容器网桥。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑取决于网络插件，可能需要重启节点。</p>
    <p>默认值：&quot;promiscuous-bridge&quot;</p>
 </td>
 </tr>
@@ -1142,20 +913,9 @@ Default: &quot;promiscuous-bridge&quot;
 <td>
    <!--maxPods is the maximum number of Pods that can run on this Kubelet.
 The value must be a non-negative integer.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-changes may cause Pods to fail admission on Kubelet restart, and may change
-the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting
-future scheduling decisions. Increasing this value may also decrease performance,
-as more Pods can be packed into a single node.
 Default: 110
    -->
    <p><code>maxPods</code>是此 kubelet 上课运行的 Pod 个数上限。此值必须为非负整数。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑变更可能导致 kubelet 重启时 Pod 无法被准入，
-而且可能改变<code>Node.status.capacity[v1.ResourcePods]</code>中报告的数值，
-从而影响将来的调度决策。增大此个数值也可能会降低性能，因为会有更多的 Pod
-塞到同一节点运行。</p>
    <p>默认值：110</p>
 </td>
 </tr>
@@ -1166,15 +926,10 @@ Default: 110
 <td>
    <!--podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode.
 In cluster mode, this is obtained from the control plane.
-Dynamic Kubelet Config (deprecated): This field should always be set to the empty default.
-It should only set for standalone Kubelets, which cannot use Dynamic Kubelet Config.
 Default: &quot;&quot;
    -->
    <p><code>podCIDR</code>是用来设置 Pod IP 地址的 CIDR 值，仅用于独立部署模式。
 运行于集群模式时，这一数值会从控制面获得。</p>
-   <p><code>DynamicKubeletConfig</code> （已弃用）：
-此字段应该总是设置为默认的空字符串值。并且仅用来设置独立运行的 kubelet，
-因为这种 kubelet 模式下无法利用动态 kubelet 配置能力。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -1184,14 +939,9 @@ Default: &quot;&quot;
 </td>
 <td>
    <!--podPidsLimit is the maximum number of PIDs in any pod.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-lowering it may prevent container processes from forking after the change.
 Default: -1
    -->
    <p><code>podPidsLimit</code>是每个 Pod 中可使用的 PID 个数上限。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑减小此值可能会导致变更后无法创建容器进程。</p>
    <p>默认值：-1</p>
 </td>
 </tr>
@@ -1202,17 +952,11 @@ Default: -1
 <td>
    <!--resolvConf is the resolver configuration file used as the basis
 for the container DNS resolution configuration.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-changes will only take effect on Pods created after the update. Draining
-the node is recommended before changing this field.
 If set to the empty string, will override the default and effectively disable DNS lookups.
 Default: "/etc/resolv.conf"
    -->
    <p><code>resolvConf</code>是一个域名解析配置文件，用作容器 DNS 解析配置的基础。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑变更仅会对更新完成后所创建的 Pod 起作用。
-建议在变更此字段之前先腾空节点。如果此值设置为空字符串，则会覆盖 DNS 解析的默认配置，
+   <p>如果此值设置为空字符串，则会覆盖 DNS 解析的默认配置，
 本质上相当于禁用了 DNS 查询。</p>
    <p>默认值：&quot;/etc/resolv.conf&quot;</p>
 </td>
@@ -1238,37 +982,25 @@ Default: false
 <td>
    <!--cpuCFSQuota enables CPU CFS quota enforcement for containers that
 specify CPU limits.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-disabling it may reduce node stability.
 Default: true
    -->
    <p><code>cpuCFSQuota</code>允许为设置了 CPU 限制的容器实施 CPU CFS 配额约束。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑禁止此功能可能会降低节点稳定性。</p>
    <p>默认值：true</p>
 </td>
 </tr>
 
 <tr><td><code>cpuCFSQuotaPeriod</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--cpuCFSQuotaPeriod is the CPU CFS quota period value, `cpu.cfs_period_us`.
 The value must be between 1 us and 1 second, inclusive.
 Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-limits set for containers will result in different cpu.cfs_quota settings. This
-will trigger container restarts on the node being reconfigured.
 Default: &quot;100ms&quot;
    -->
    <p><code>cpuCFSQuotaPeriod</code>设置 CPU CFS 配额周期值，<code>cpu.cfs_period_us</code>。
 此值需要介于 1 微秒和 1 秒之间，包含 1 微秒和 1 秒。
 此功能要求启用<code>CustomCPUCFSQuotaPeriod</code>特性门控被启用。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑为容器所设置的限制值可能导致<code>cpu.cfs_period_us</code>
-设置发生变化。这一变化会在节点被重新配置时触发容器重启。</p>
    <p>默认值：&quot;100ms&quot;</p>
 </td>
 </tr>
@@ -1280,16 +1012,11 @@ Default: &quot;100ms&quot;
    <!--nodeStatusMaxImages caps the number of images reported in Node.status.images.
 The value must be greater than -2.
 Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-different values can be reported on node status.
 Default: 50
    -->
    <p><code>nodeStatusMaxImages</code>限制<code>Node.status.images</code>中报告的镜像数量。
 此值必须大于 -2。</p>
    <p>注意：如果设置为 -1，则不会对镜像数量做限制；如果设置为 0，则不会返回任何镜像。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑节点状态中可能报告不同的数值。</p>
    <p>默认值：50</p>
 </td>
 </tr>
@@ -1300,14 +1027,9 @@ Default: 50
 <td>
    <!--maxOpenFiles is Number of files that can be opened by Kubelet process.
 The value must be a non-negative number.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact the ability of the Kubelet to interact with the node's filesystem.
 Default: 1000000
    -->
    <p><code>maxOpenFiles</code>是 kubelet 进程可以打开的文件个数。此值必须不能为负数。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能影响到 kubelet 与节点文件系统间交互的能力。</p>
    <p>默认值：1000000</p>
 </td>
 </tr>
@@ -1317,18 +1039,9 @@ Default: 1000000
 </td>
 <td>
    <!--contentType is contentType of requests sent to apiserver.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact the ability for the Kubelet to communicate with the API server.
-If the Kubelet loses contact with the API server due to a change to this field,
-the change cannot be reverted via dynamic Kubelet config.
-Default: "application/vnd.kubernetes.protobuf"
+Default: &quot;application/vnd.kubernetes.protobuf&quot;
    -->
    <p><code>contentType</code>是向 API 服务器发送请求时使用的内容类型。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这样做可能影响 kubelet 与 API 服务器通信的能力。
-如果 kubelet 因为此字段的变更而失去与 API 服务器间的连接，
-则之前所作的变更无法通过动态 kubelet 配置来实现回退。</p>
    <p>默认值：&quot;application/vnd.kubernetes.protobuf&quot;</p>
 </td>
 </tr>
@@ -1338,15 +1051,9 @@ Default: "application/vnd.kubernetes.protobuf"
 </td>
 <td>
    <!--kubeAPIQPS is the QPS to use while talking with kubernetes apiserver.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact scalability by changing the amount of traffic the Kubelet
-sends to the API server.
 Default: 5
    -->
    <p><code>kubeAPIQPS</code>设置与 Kubernetes API 服务器通信时要使用的 QPS（每秒查询数）。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能因为 kubelet 与 API 服务器之间流量的变化而影响集群扩缩能力。</p>
    <p>默认值：5</p>
 </td>
 </tr>
@@ -1357,16 +1064,10 @@ Default: 5
 <td>
    <!--kubeAPIBurst is the burst to allow while talking with kubernetes API server.
 This field cannot be a negative number.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact scalability by changing the amount of traffic the Kubelet
-sends to the API server.
 Default: 10
    -->
    <p><code>kubeAPIBurst</code>设置与 Kubernetes API 服务器通信时突发的流量级别。
 此字段取值不可以是负数。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能因为 kubelet 与 API 服务器之间流量的变化而影响集群扩缩能力。</p>
    <p>默认值：10</p>
 </td>
 </tr>
@@ -1379,16 +1080,11 @@ Default: 10
 at a time. We recommend &lowast;not&lowast; changing the default value on nodes that
 run docker daemon with version  < 1.9 or an Aufs storage backend.
 Issue #10959 has more details.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact the performance of image pulls.
 Default: true
    -->
    <p><code>serializeImagePulls</code>被启用时会通知 kubelet 每次仅拉取一个镜像。
 我们建议<em>不要</em>在所运行的 docker 守护进程版本低于 1.9、使用 aufs
 存储后端的节点上更改默认值。详细信息可参见 Issue #10959。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能会影响镜像拉取的性能。</p>
    <p>默认值：true</p>
 </td>
 </tr>
@@ -1400,26 +1096,21 @@ Default: true
    <!--evictionHard is a map of signal names to quantities that defines hard eviction thresholds. 
 For example: <code>{&quot;memory.available&quot;: &quot;300Mi&quot;}</code>.
 To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may trigger or delay Pod evictions.
 Default:
-  memory.available:  "100Mi"
-  nodefs.available:  "10%"
-  nodefs.inodesFree: "5%"
-  imagefs.available: "15%"
+   memory.available:  &quot;100Mi&quot;
+   nodefs.available:  &quot;10%&quot;
+   nodefs.inodesFree: &quot;5%&quot;
+   imagefs.available: &quot;15%&quot;
    -->
    <p><code>evictionHard</code>是一个映射，是从信号名称到定义硬性驱逐阈值的映射。
 例如：<code>{&quot;memory.available&quot;: &quot;300Mi&quot;}</code>。
 如果希望显式地禁用，可以在任意资源上将其阈值设置为 0% 或 100%。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能会触发或延迟 Pod 驱逐操作。</p>
    <p>默认值：</p>
    <code><pre>
-  memory.available:  "100Mi"
-  nodefs.available:  "10%"
-  nodefs.inodesFree: "5%"
-  imagefs.available: "15%"
+   memory.available:  &quot;100Mi&quot;
+   nodefs.available:  &quot;10%&quot;
+   nodefs.inodesFree: &quot;5%&quot;
+   imagefs.available: &quot;15%&quot;
   </pre></code>
 </td>
 </tr>
@@ -1430,17 +1121,10 @@ Default:
 <td>
    <!--evictionSoft is a map of signal names to quantities that defines soft eviction thresholds.
 For example: <code>{&quot;memory.available&quot;: &quot;300Mi&quot;}</code>.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may trigger or delay Pod evictions, and may change the allocatable reported
-by the node.
 Default: nil
    -->
    <p><code>evictionSoft</code>是一个映射，是从信号名称到定义软性驱逐阈值的映射。
 例如：<code>{&quot;memory.available&quot;: &quot;300Mi&quot;}</code>。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能会触发或延迟 Pod 驱逐操作，
-并且可能造成节点所报告的可分配资源数量发生变化。</p>
    <p>默认值：nil</p>
 </td>
 </tr>
@@ -1451,34 +1135,24 @@ Default: nil
 <td>
    <!--evictionSoftGracePeriod is a map of signal names to quantities that defines grace
 periods for each soft eviction signal. For example: <code>{&quot;memory.available&quot;: &quot;30s&quot;}</code>.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may trigger or delay Pod evictions.
 Default: nil
    -->
    <p><code>evictionSoftGracePeriod</code>是一个映射，是从信号名称到每个软性驱逐信号的宽限期限。
 例如：<code>{&quot;memory.available&quot;: &quot;30s&quot;}</code>。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能会触发或延迟 Pod 驱逐操作。</p>
    <p>默认值：nil</p>
 </td>
 </tr>
 
 <tr><td><code>evictionPressureTransitionPeriod</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--evictionPressureTransitionPeriod is the duration for which the kubelet has to wait
 before transitioning out of an eviction pressure condition.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-lowering it may decrease the stability of the node when the node is overcommitted.
 Default: &quot;5m&quot;
    -->
    <p><code>evictionPressureTransitionPeriod</code>设置 kubelet
 离开驱逐压力状况之前必须要等待的时长。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑减少此字段值可能会在节点过量分配时降低节点稳定性。</p>
    <p>默认值：&quot;5m&quot;</p>
 </td>
 </tr>
@@ -1493,10 +1167,6 @@ effectively caps the Pod's terminationGracePeriodSeconds value during soft evict
 Note: Due to issue #64530, the behavior has a bug where this value currently just
 overrides the grace period during soft eviction, which can increase the grace
 period from what is set on the Pod. This bug will be fixed in a future release.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-lowering it decreases the amount of time Pods will have to gracefully clean
-up before being killed during a soft eviction.
 Default: 0
    -->
    <p><code>evictionMaxPodGracePeriod</code>是指达到软性逐出阈值而引起 Pod 终止时，
@@ -1505,9 +1175,6 @@ Pod 可以获得的<code>terminationGracePeriodSeconds</code>。</p>
    <p>注意：由于 Issue #64530 的原因，系统中存在一个缺陷，即此处所设置的值会在软性逐出时覆盖
 Pod 的宽限期设置，从而有可能增加 Pod 上原本设置的宽限期限时长。
 这个缺陷会在未来版本中修复。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短此宽限期限值会导致软性逐出期间 Pod
-在被杀死之前用来体面地完成清理工作可用的时间。</p>
    <p>默认值：0</p>
 </td>
 </tr>
@@ -1520,16 +1187,11 @@ Pod 的宽限期设置，从而有可能增加 Pod 上原本设置的宽限期
 which describe the minimum amount of a given resource the kubelet will reclaim when
 performing a pod eviction while that resource is under pressure.
 For example: <code>{&quot;imagefs.available&quot;: &quot;2Gi&quot;}</code>.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may change how well eviction can manage resource pressure.
 Default: nil
    -->
    <p><code>evictionMinimumReclaim</code>是一个映射，定义信号名称与最小回收量数值之间的关系。
 最小回收量指的是资源压力较大而执行 Pod 驱逐操作时，kubelet 对给定资源的最小回收量。
 例如：<code>{&quot;imagefs.available&quot;: &quot;2Gi&quot;}</code>。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这可能会改变驱逐操作应对资源压力的效果。</p>
    <p>默认值：nil</p>
 </td>
 </tr>
@@ -1541,20 +1203,10 @@ Default: nil
    <!--podsPerCore is the maximum number of pods per core. Cannot exceed maxPods.
 The value must be a non-negative integer.
 If 0, there is no limit on the number of Pods.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-changes may cause Pods to fail admission on Kubelet restart, and may change
-the value reported in `Node.status.capacity.pods`, thus affecting
-future scheduling decisions. Increasing this value may also decrease performance,
-as more Pods can be packed into a single node.
 Default: 0
    -->
    <p><code>podsPerCore</code>设置的是每个核上 Pod 个数上限。此值不能超过<code>maxPods</code>。
 所设值必须是非负整数。如果设置为 0，则意味着对 Pod 个数没有限制。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑变更可能导致 kubelet 重启时 Pod 无法被准入，
-还可能导致<code>Node.status.capacity.pods</code>所报告的数值发生变化，
-进而影响到将来的调度决策。增大此值也会降低性能，因为在同一个处理器核上需要运行更多的 Pod。</p>
    <p>默认值：0</p>
 </td>
 </tr>
@@ -1566,24 +1218,15 @@ Default: 0
    <!--enableControllerAttachDetach enables the Attach/Detach controller to
 manage attachment/detachment of volumes scheduled to this node, and
 disables kubelet from executing any attach/detach operations.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-changing which component is responsible for volume management on a live node
-may result in volumes refusing to detach if the node is not drained prior to
-the update, and if Pods are scheduled to the node before the
-volumes.kubernetes.io/controller-managed-attach-detach annotation is updated by the
-Kubelet. In general, it is safest to leave this value set the same as local config.
+Note: attaching/detaching CSI volumes is not supported by the kubelet,
+so this option needs to be true for that use case.
 Default: true
    -->
    <p><code>enableControllerAttachDetach</code>用来允许 Attach/Detach
 控制器管理调度到本节点的卷的挂接（attachment）和解除挂接（detachement），
 并且禁止 kubelet 执行任何 attach/detach 操作。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑在运行中的节点上更改由哪个组件来负责卷管理时，
-这一变更可能导致节点在被更新前尚未腾空时卷无法被解除挂接。
-如果 kubelet 尚未更新<code>volumes.kubernetes.io/controller-managed-attach-detach</code>
-注解时 Pod 已经被调度到了该节点，节点上的卷也会无法解除挂接。
-一般而言，最安全的做法是将此字段设置为与本地配置相同的值。</p>
+   <p>注意：kubelet 不支持挂接 CSI 卷和解除挂接，
+因此对于该用例，此选项必须为 true。</p>
    <p>默认值：true</p>
 </td>
 </tr>
@@ -1595,18 +1238,11 @@ Default: true
    <!--protectKernelDefaults, if true, causes the Kubelet to error if kernel
 flags are not as it expects. Otherwise the Kubelet will attempt to modify
 kernel flags to match its expectation.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as
-Kubelet expects.
 Default: false
    -->
    <p><code>protectKernelDefaults</code>设置为<code>true</code>时，会令 kubelet
 在发现内核参数与预期不符时出错退出。若此字段设置为<code>false</code>，则 kubelet
 会尝试更改内核参数以满足其预期。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑启用此设置会在内核参数与 kubelet 预期不匹配时导致
-kubelet 进入崩溃循环（Crash-Loop）状态。</p>
    <p>默认值：false</p>
 </td>
 </tr>
@@ -1619,18 +1255,12 @@ kubelet 进入崩溃循环（Crash-Loop）状态。</p>
 are present on host.
 These rules will serve as utility rules for various components, e.g. kube-proxy.
 The rules will be created based on iptablesMasqueradeBit and iptablesDropBit.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-disabling it will prevent the Kubelet from healing locally misconfigured iptables rules.
 Default: true
    -->
    <p><code>makeIPTablesUtilChains</code>设置为<code>true</code>时，相当于允许 kubelet
 确保一组 iptables 规则存在于宿主机上。这些规则会为不同的组件（例如 kube-proxy）
 提供工具性质的规则。它们是基于<code>iptablesMasqueradeBit</code>和<code>iptablesDropBit</code>
 来创建的。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑禁用此行为会导致 kubelet 无法在本地 iptables
-规则出错时实现自愈。</p>
    <p>默认值：true</p>
 </td>
 </tr>
@@ -1643,18 +1273,11 @@ Default: true
 Values must be within the range [0, 31]. Must be different from other mark bits.
 Warning: Please match the value of the corresponding parameter in kube-proxy.
 TODO: clean up IPTablesMasqueradeBit in kube-proxy.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it needs to be coordinated with other components, like kube-proxy, and the update
-will only be effective if MakeIPTablesUtilChains is enabled.
 Default: 14
    -->
    <p><code>iptablesMasqueradeBit</code>是 iptables fwmark 空间中用来为 SNAT
 作标记的位。此值必须介于<code>[0, 31]</code>区间，必须与其他标记位不同。</p>
    <p>警告：请确保此值设置与 kube-proxy 中对应的参数设置取值相同。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑此处的变更要与其他组件（如 kube-proxy）相应的变更协调一致。
-只有当<code>makeIPTablesUtilChains</code>能力被启用时，这里的更新才会起作用。</p>
    <p>默认值：14</p>
 </td>
 </tr>
@@ -1665,17 +1288,10 @@ Default: 14
 <td>
    <!--iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets.
 Values must be within the range [0, 31]. Must be different from other mark bits.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it needs to be coordinated with other components, like kube-proxy, and the update
-will only be effective if MakeIPTablesUtilChains is enabled.
 Default: 15
    -->
    <p><code>iptablesDropBit</code>是 iptables fwmark 空间中用来标记丢弃包的数据位。
 此值必须介于<code>[0, 31]</code>区间，必须与其他标记位不同。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑此处的变更要与其他组件（如 kube-proxy）相应的变更协调一致。
-只有当<code>makeIPTablesUtilChains</code>能力被启用时，这里的更新才会起作用。</p>
    <p>默认值：15</p>
 </td>
 </tr>
@@ -1686,22 +1302,12 @@ Default: 15
 <td>
    <!--featureGates is a map of feature names to bools that enable or disable experimental
 features. This field modifies piecemeal the built-in default values from
-"k8s.io/kubernetes/pkg/features/kube_features.go".
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider the
-documentation for the features you are enabling or disabling. While we
-encourage feature developers to make it possible to dynamically enable
-and disable features, some changes may require node reboots, and some
-features may require careful coordination to retroactively disable.
+&quot;k8s.io/kubernetes/pkg/features/kube_features.go&quot;.
 Default: nil
    -->
    <p><code>featureGates</code>是一个从功能特性名称到布尔值的映射，用来启用或禁用实验性的功能。
 此字段可逐条更改文件 &quot;k8s.io/kubernetes/pkg/features/kube_features.go&quot;
 中所给的内置默认值。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑你所启用或禁止的功能特性的文档。
-尽管我们鼓励功能特性的开发人员使动态启用或禁用功能特性成为可能，
-某些变更可能要求重新启动节点，某些特性可能要求在从启用到禁用切换时作出精细的协调。</p>
    <p>默认值：nil</p>
 </td>
 </tr>
@@ -1711,14 +1317,9 @@ Default: nil
 </td>
 <td>
    <!--failSwapOn tells the Kubelet to fail to start if swap is enabled on the node.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-setting it to true will cause the Kubelet to crash-loop if swap is enabled.
 Default: true
    -->
    <p><code>failSwapOn</code>通知 kubelet 在节点上启用交换分区时拒绝启动。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑缩短此周期长度可能产生性能影响。</p>
    <p>默认值：true</p>
 </td>
 </tr>
@@ -1739,15 +1340,10 @@ Default: true
 <td>
    <!--containerLogMaxSize is a quantity defining the maximum size of the container log
 file before it is rotated. For example: &quot;5Mi&quot; or &quot;256Ki&quot;.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may trigger log rotation.
 Default: &quot;10Mi&quot;
    -->
    <p><code>containerLogMaxSize</code>是定义容器日志文件被轮转之前可以到达的最大尺寸。
 例如：&quot;5Mi&quot; 或 &quot;256Ki&quot;。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能会触发日志轮转。</p>
    <p>默认值：&quot;10Mi&quot;</p>
 </td>
 </tr>
@@ -1758,14 +1354,9 @@ Default: &quot;10Mi&quot;
 <td>
    <!--containerLogMaxFiles specifies the maximum number of container log files that can
 be present for a container.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-lowering it may cause log files to be deleted.
 Default: 5
    -->
    <p><code>containerLogMaxFiles</code>设置每个容器可以存在的日志文件个数上限。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑降低此值可能导致日志文件被删除。</p>
    <p>默认值：&quot;5&quot;</p>
 </td>
 </tr>
@@ -1803,20 +1394,12 @@ managers are running. Valid values include:</p>
 pairs that describe resources reserved for non-kubernetes components.
 Currently only cpu and memory are supported.
 See http://kubernetes.io/docs/user-guide/compute-resources for more detail.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may not be possible to increase the reserved resources, because this
-requires resizing cgroups. Always look for a NodeAllocatableEnforced event
-after updating this field to ensure that the update was successful.
 Default: nil
    -->
    <p><code>systemReserved</code>是一组<code>资源名称=资源数量</code>对，
 用来描述为非 Kubernetes 组件预留的资源（例如：'cpu=200m,memory=150G'）。</p>
-   <p>目前仅支持 CPU 和内存。更多细节可参见 http://kubernetes.io/zh/docs/user-guide/compute-resources。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑增加预留资源也许是不可能的，因为需要改变控制组大小。
-在更改了此字段之后，应该总是关注<code>NodeAllocatableEnforced</code>事件，
-以确保更新是成功的。</p>
+   <p>目前仅支持 CPU 和内存。更多细节可参见
+   https://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/ 。</p>
    <p>默认值：Nil</p>
 </td>
 </tr>
@@ -1830,21 +1413,12 @@ that describe resources reserved for kubernetes system components.
 Currently cpu, memory and local storage for root file system are supported.
 See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 for more details.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may not be possible to increase the reserved resources, because this
-requires resizing cgroups. Always look for a NodeAllocatableEnforced event
-after updating this field to ensure that the update was successful.
 Default: nil
    -->
    <p><code>kubeReserved</code>是一组<code>资源名称=资源数量</code>对，
 用来描述为 Kubernetes 系统组件预留的资源（例如：'cpu=200m,memory=150G'）。
 目前支持 CPU、内存和根文件系统的本地存储。
 更多细节可参见 https://kubernetes.io/zh/docs/concepts/configuration/manage-resources-containers/。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑增加预留资源也许是不可能的，因为需要改变控制组大小。
-在更改了此字段之后，应该总是关注<code>NodeAllocatableEnforced</code>事件，
-以确保更新是成功的。</p>
    <p>默认值：Nil</p>
 </td>
 </tr>
@@ -1893,18 +1467,14 @@ Default: &quot;&quot;
 <td>
    <!--systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used
 to enforce <code>systemReserved</code> compute resource reservation for OS system daemons.
-Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md)
+Refer to <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
 doc for more information.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: &quot;&quot;
    -->
    <p><code>systemReservedCgroup</code>帮助 kubelet 识别用来为 OS 系统级守护进程实施
 <code>systemReserved</code>计算资源预留时使用的顶级控制组（CGroup）。
-参考[Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md)
+参考 <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
 以了解详细信息。</p>
-   <p><code>DynamicKubeletConfig</code>（已弃用）：
-此字段更新时需要整个节点重启。最安全的做法是保持此值与本地配置相同。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -1916,18 +1486,14 @@ Default: &quot;&quot;
 <td>
    <!--kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used
 to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons.
-Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md)
+Refer to <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
 doc for more information.
-Dynamic Kubelet Config (deprecated): This field should not be updated without a full node
-reboot. It is safest to keep this value the same as the local config.
 Default: ""
    -->
    <p><code>kubeReservedCgroup</code> 帮助 kubelet 识别用来为 Kubernetes 节点系统级守护进程实施
 <code>kubeReserved</code>计算资源预留时使用的顶级控制组（CGroup）。
-参阅<a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
+参阅 <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
 了解进一步的信息。</p>
-   <p><code>DynamicKubeletConfig</code>（已弃用）：
-此字段更新时需要整个节点重启。最安全的做法是保持此值与本地配置相同。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -1945,13 +1511,6 @@ When <code>kube-reserved</code> is in the list, kubeReservedCgroup must be speci
 This field is supported only when <code>cgroupsPerQOS</code> is set to true.
 Refer to <a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
 for more information.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-removing enforcements may reduce the stability of the node. Alternatively, adding
-enforcements may reduce the stability of components which were using more than
-the reserved amount of resources; for example, enforcing kube-reserved may cause
-Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved
-may cause system daemons to OOM if they use more than the reserved resources.
 Default: [&quot;pods&quot;]
    -->
    <p>此标志设置 kubelet 需要执行的各类节点可分配资源策略。此字段接受一组选项列表。
@@ -1963,11 +1522,6 @@ Default: [&quot;pods&quot;]
    <p>这个字段只有在<code>cgroupsPerQOS</code>被设置为<code>true</code>才被支持。</p>
    <p>参阅<a href="https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md">Node Allocatable</a>
 了解进一步的信息。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑去掉此机制可能会降低节点稳定性。
-反之，添加此机制可能会降低原来使用资源超出预留量的组件的稳定性。
-例如，实施 kube-reserved 在 kubelet 使用资源超出预留量时可能导致 kubelet 发生 OOM，
-而实施 system-reserved 机制可能导致使用资源超出预留量的系统守护进程发生 OOM。</p>
    <p>默认值：[&quot;pods&quot;]</p>
 </td>
 </tr>
@@ -1996,14 +1550,9 @@ Default: []
 <td>
    <!--volumePluginDir is the full path of the directory in which to search
 for additional third party volume plugins.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that changing
-the volumePluginDir may disrupt workloads relying on third party volume plugins.
 Default: &quot;/usr/libexec/kubernetes/kubelet-plugins/volume/exec/&quot;
    -->
    <p><code>volumePluginDir</code>是用来搜索其他第三方卷插件的目录的路径。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑更改<code>volumePluginDir</code>可能干扰使用第三方卷插件的负载。</p>
    <p>默认值：&quot;/usr/libexec/kubernetes/kubelet-plugins/volume/exec/&quot;</p>
 </td>
 </tr>
@@ -2014,15 +1563,10 @@ Default: &quot;/usr/libexec/kubernetes/kubelet-plugins/volume/exec/&quot;
 <td>
    <!--providerID, if set, sets the unique ID of the instance that an external
 provider (i.e. cloudprovider) can use to identify a specific node.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact the ability of the Kubelet to interact with cloud providers.
 Default: &quot;quot;
    -->
    <p><code>providerID</code>字段被设置时，指定的是一个外部提供者（即云驱动）实例的唯一 ID，
 该提供者可用来唯一性地标识特定节点。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑可能影响到 kubelet 与云驱动之间进行交互的能力。</p>
    <p>默认值：&quot;&quot;</p>
 </td>
 </tr>
@@ -2034,15 +1578,10 @@ Default: &quot;quot;
    <!--kernelMemcgNotification, if set, instructs the the kubelet to integrate with the
 kernel memcg notification for determining if memory eviction thresholds are
 exceeded rather than polling.
-If DynamicKubeletConfig (deprecated; default off) is on, when
-dynamically updating this field, consider that
-it may impact the way Kubelet interacts with the kernel.
 Default: false
    -->
    <p><code>kernelMemcgNotification</code>字段如果被设置了，会告知 kubelet 集成内核的
 memcg 通知机制来确定是否超出内存逐出阈值，而不是使用轮询机制来判定。</p>
-   <p>当 <code>DynamicKubeletConfig</code> （已弃用，默认为关闭）被启用时，
-如果动态更新了此字段，请考虑这样做可能影响到 kubelet 与内核的交互方式。</p>
    <p>默认值：false</p>
 </td>
 </tr>
@@ -2078,7 +1617,7 @@ Default: true
 </tr>
 
 <tr><td><code>shutdownGracePeriod</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--shutdownGracePeriod specifies the total duration that the node should delay the
@@ -2092,7 +1631,7 @@ Pod 提供的宽限期限的总时长。</p>
 </tr>
 
 <tr><td><code>shutdownGracePeriodCriticalPods</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--shutdownGracePeriodCriticalPods specifies the duration used to terminate critical
@@ -2115,14 +1654,18 @@ Pod 的时长。此时长要短于<code>shutdownGracePeriod</code>。
 <a href="#kubelet-config-k8s-io-v1beta1-ShutdownGracePeriodByPodPriority"><code>[]ShutdownGracePeriodByPodPriority</code></a>
 </td>
 <td>
-   <!--shutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based
+   <!--
+   shutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based
 on their associated priority class value.
 When a shutdown request is received, the Kubelet will initiate shutdown on all pods
 running on the node with a grace period that depends on the priority of the pod,
 and then wait for all pods to exit.
 Each entry in the array represents the graceful shutdown time a pod with a priority
 class value that lies in the range of that value and the next higher entry in the
-list when the node is shutting down.-->
+list when the node is shutting down.
+For example, to allow critical pods 10s to shutdown, priority&gt;=10000 pods 20s to
+shutdown, and all remaining pods 30s to shutdown.
+-->
    <p><code>shutdownGracePeriodByPodPriority</code>设置基于 Pod
 相关的优先级类值而确定的体面关闭时间。当 kubelet 收到关闭请求的时候，kubelet
 会针对节点上运行的所有 Pod 发起关闭操作，这些关闭操作会根据 Pod 的优先级确定其宽限期限，
@@ -2140,6 +1683,15 @@ list when the node is shutting down.-->
    <li>priority: 0
    shutdownGracePeriodSeconds: 30</li>
    </ul>
+<!--
+The time the Kubelet will wait before exiting will at most be the maximum of all
+shutdownGracePeriodSeconds for each priority class range represented on the node.
+When all pods have exited or reached their grace periods, the Kubelet will release
+the shutdown inhibit lock.
+Requires the GracefulNodeShutdown feature gate to be enabled.
+This configuration must be empty if either ShutdownGracePeriod or ShutdownGracePeriodCriticalPods is set.
+Default: nil
+-->
    <p>在退出之前，kubelet 要等待的时间上限为节点上所有优先级类的
 <code>shutdownGracePeriodSeconds</code>的最大值。
 当所有 Pod 都退出或者到达其宽限期限时，kubelet 会释放关闭防护锁。
@@ -2314,6 +1866,202 @@ SerializedNodeConfigSource 允许对 `v1.NodeConfigSource` 执行序列化操作
 </tbody>
 </table>
 
+## `CredentialProvider`     {#kubelet-config-k8s-io-v1beta1-CredentialProvider}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [CredentialProviderConfig](#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig)
+
+<!--
+CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only
+invoked when an image being pulled matches the images handled by the plugin (see matchImages).
+-->
+CredentialProvider 代表的是要被 kubelet 调用的一个 exec 插件。
+这一插件只会在所拉取的镜像与该插件所处理的镜像匹配时才会被调用（参见 <code>matchImages</code>）。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+name is the required name of the credential provider. It must match the name of the
+provider executable as seen by the kubelet. The executable must be in the kubelet's
+bin directory (set by the --image-credential-provider-bin-dir flag).
+-->
+   <p>
+   <code>name</code> 是凭据提供者的名称（必需）。此名称必须与 kubelet
+   所看到的提供者可执行文件的名称匹配。可执行文件必须位于 kubelet 的 
+   <code>bin</code> 目录（通过 <code>--image-credential-provider-bin-dir</code> 设置）下。
+   </p>
+</td>
+</tr>
+<tr><td><code>matchImages</code> <B><!--[Required]-->[必需]</B><br/>
+<code>[]string</code>
+</td>
+<td>
+<!--
+matchImages is a required list of strings used to match against images in order to
+determine if this provider should be invoked. If one of the strings matches the
+requested image from the kubelet, the plugin will be invoked and given a chance
+to provide credentials. Images are expected to contain the registry domain
+and URL path.
+-->
+<p><code>matchImages</code> 是一个必须设置的字符串列表，用来匹配镜像以便确定是否要调用此提供者。
+如果字符串之一与 kubelet 所请求的镜像匹配，则此插件会被调用并给予提供凭证的机会。
+镜像应该包含镜像库域名和 URL 路径。</p>
+<!--
+Each entry in matchImages is a pattern which can optionally contain a port and a path.
+Globs can be used in the domain, but not in the port or the path. Globs are supported
+as subdomains like '<em>.k8s.io' or 'k8s.</em>.io', and top-level-domains such as 'k8s.<em>'.
+Matching partial subdomains like 'app</em>.k8s.io' is also supported. Each glob can only match
+a single subdomain segment, so *.io does not match *.k8s.io.
+-->
+<p><code>matchImages</code> 中的每个条目都是一个模式字符串，其中可以包含端口号和路径。
+域名部分可以包含统配符，但端口或路径部分不可以。通配符可以用作子域名，例如
+'*.k8s.io' 或 'k8s.*.io'，以及顶级域名，如 'k8s.*'。</p>
+<p>对类似 'app*.k8s.io' 这类部分子域名的匹配也是支持的。
+每个通配符只能用来匹配一个子域名段，所以 '*.io' 不会匹配 '*.k8s.io'。</p>
+<!--
+A match exists between an image and a matchImage when all of the below are true:
+-->
+<p>镜像与 <code>matchImages</code> 之间存在匹配时，以下条件都要满足：</p>
+<ul>
+<!--
+<li>Both contain the same number of domain parts and each part matches.</li>
+<li>The URL path of an imageMatch must be a prefix of the target image URL path.</li>
+<li>If the imageMatch contains a port, then the port must match in the image as well.</li>
+-->
+  <li>二者均包含相同个数的域名部分，并且每个域名部分都对应匹配；</li>
+  <li><code>matchImages</code> 条目中的 URL 路径部分必须是目标镜像的 URL 路径的前缀；</li>
+  <li>如果 <code>matchImages</code> 条目中包含端口号，则端口号也必须与镜像端口号匹配。</li>
+</ul>
+<!--
+Example values of matchImages:
+-->
+<p><code>matchImages</code> 的一些示例如下：</p>
+<ul>
+<li>123456789.dkr.ecr.us-east-1.amazonaws.com</li>
+<li>*.azurecr.io</li>
+<li>gcr.io</li>
+<li><em>.</em>.registry.io</li>
+<li>registry.io:8080/path</li>
+</ul>
+</td>
+</tr>
+<tr><td><code>defaultCacheDuration</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+<!--
+defaultCacheDuration is the default duration the plugin will cache credentials in-memory
+if a cache duration is not provided in the plugin response. This field is required.
+-->
+   <p>
+   <code>defaultCacheDuration</code> 是插件在内存中缓存凭据的默认时长，
+   在插件响应中没有给出缓存时长时，使用这里设置的值。此字段是必需的。
+   </p>
+</td>
+</tr>
+<tr><td><code>apiVersion</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse
+MUST use the same encoding version as the input. Current supported values are:
+-->
+   <p>
+   要求 exec 插件 CredentialProviderRequest 请求的输入版本。
+   所返回的 CredentialProviderResponse 必须使用与输入相同的编码版本。当前支持的值有：
+   </p>
+<ul>
+<li>credentialprovider.kubelet.k8s.io/v1beta1</li>
+</ul>
+</td>
+</tr>
+<tr><td><code>args</code><br/>
+<code>[]string</code>
+</td>
+<td>
+<!--
+Arguments to pass to the command when executing it.
+-->
+   <p>在执行插件可执行文件时要传递给命令的参数。</p>
+</td>
+</tr>
+<tr><td><code>env</code><br/>
+<a href="#kubelet-config-k8s-io-v1beta1-ExecEnvVar"><code>[]ExecEnvVar</code></a>
+</td>
+<td>
+<!--
+Env defines additional environment variables to expose to the process. These
+are unioned with the host's environment, as well as variables client-go uses
+to pass argument to the plugin.
+-->
+   <p>
+   <code>env</code> 定义要提供给插件进程的额外的环境变量。
+   这些环境变量会与主机上的其他环境变量以及 client-go 所使用的环境变量组合起来，
+   一起传递给插件。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ExecEnvVar`     {#kubelet-config-k8s-io-v1beta1-ExecEnvVar}
+
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [CredentialProvider](#kubelet-config-k8s-io-v1beta1-CredentialProvider)
+
+<!--
+ExecEnvVar is used for setting environment variables when executing an exec-based
+credential plugin.
+-->
+ExecEnvVar 用来在执行基于 exec 的凭据插件时设置环境变量。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <span class="text-muted">
+   <!--
+   No description provided.
+   -->
+   无描述
+   </span>
+</td>
+</tr>
+<tr><td><code>value</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <span class="text-muted">
+   <!--
+   No description provided.
+   -->
+   无描述
+   </span>
+</td>
+</tr>
+</tbody>
+</table>
+
+
 ## `KubeletAnonymousAuthentication`     {#kubelet-config-k8s-io-v1beta1-KubeletAnonymousAuthentication}
 
 <!--
@@ -2467,7 +2215,7 @@ API 来提供持有者令牌身份认证。</p>
 </tr>
 
 <tr><td><code>cacheTTL</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--cacheTTL enables caching of authentication results-->
@@ -2491,7 +2239,7 @@ API 来提供持有者令牌身份认证。</p>
 <tbody>
 
 <tr><td><code>cacheAuthorizedTTL</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--cacheAuthorizedTTL is the duration to cache 'authorized' responses from the
@@ -2501,7 +2249,7 @@ webhook authorizer.-->
 </td>
 </tr>
 <tr><td><code>cacheUnauthorizedTTL</code><br/>
-<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
 </td>
 <td>
    <!--cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from
@@ -2787,14 +2535,17 @@ default value of format is `text`-->
 </tr>
 
 <tr><td><code>flushFrequency</code> <B>[必需]</B><br/>
-<a href="https://godoc.org/time#Duration"><code>time.Duration</code></a>
+<a href="https://pkg.go.dev/time#Duration"><code>time.Duration</code></a>
 </td>
 <td>
   <p>
-  <!--Maximum number of seconds between log flushes. Ignored if the
-selected logging backend writes log messages without buffering.-->
-  对日志进行清洗的最大间隔秒数。如果所选的日志后端在写入日志消息时不提供缓存，
-则此配置会被忽略。
+  <!--
+   Maximum number of nanoseconds (i.e. 1s = 1000000000) between log
+   flushes.  Ignored if the selected logging backend writes log
+   messages without buffering.
+  -->
+   对日志进行清洗的最大间隔纳秒数（例如，1s = 1000000000）。
+   如果所选的日志后端在写入日志消息时不提供缓存，则此配置会被忽略。
   </p>
 </td>
 </tr>
@@ -2827,19 +2578,6 @@ Only supported for &quot;text&quot; log format.-->
 </td>
 </tr>
 
-<tr><td><code>sanitization</code> <B>[必需]</B><br/>
-<code>bool</code>
-</td>
-<td>
-  <p>
-  <!--[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens).
-Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.)-->
-  [试验功能] 当启用此选项时，被标记为敏感的字段（密码、秘钥、令牌）不会被日志记录。
-运行时日志过滤功能可能会引入非常大的计算开销，因此在生产环境中不应启用。
-  </p>
-</td>
-</tr>
-
 <tr><td><code>options</code> <B>[必需]</B><br/>
 <a href="#FormatOptions"><code>FormatOptions</code></a>
 </td>
diff --git a/content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md b/content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md
new file mode 100644
index 0000000000000..cf3287b09abb3
--- /dev/null
+++ b/content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1alpha1.md
@@ -0,0 +1,253 @@
+---
+title: Kubelet CredentialProvider (v1alpha1)
+content_type: tool-reference
+package: credentialprovider.kubelet.k8s.io/v1alpha1
+---
+<!--
+title: Kubelet CredentialProvider (v1alpha1)
+content_type: tool-reference
+package: credentialprovider.kubelet.k8s.io/v1alpha1
+auto_generated: true
+-->
+
+<!--
+## Resource Types
+-->
+## 资源类型   {#resource-types}
+
+- [CredentialProviderRequest](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderRequest)
+- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse)
+
+## `CredentialProviderRequest`     {#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderRequest}
+
+<!--
+CredentialProviderRequest includes the image that the kubelet requires authentication for.
+Kubelet will pass this request object to the plugin via stdin. In general, plugins should
+prefer responding with the same apiVersion they were sent.
+-->
+<p>
+CredentialProviderRequest 包含 kubelet 需要进行身份验证的镜像。
+Kubelet 会通过标准输入将此请求对象传递给插件。一般来说，插件倾向于用它们所收到的相同的 apiVersion 来响应。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>credentialprovider.kubelet.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderRequest</code></td></tr>
+    
+  
+<tr><td><code>image</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+   image is the container image that is being pulled as part of the
+credential provider plugin request. Plugins may optionally parse the image
+to extract any information required to fetch credentials.
+-->
+   <p>
+   <code>image</code> 是容器镜像，作为凭据提供程序插件请求的一部分。
+   插件可以有选择地解析镜像以提取获取凭据所需的任何信息。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `CredentialProviderResponse`     {#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse}
+
+<!--    
+CredentialProviderResponse holds credentials that the kubelet should use for the specified
+image provided in the original request. Kubelet will read the response from the plugin via stdout.
+This response should be set to the same apiVersion as CredentialProviderRequest.
+-->
+<p>
+CredentialProviderResponse 持有 kubelet 应用于原始请求中提供的指定镜像的凭据。
+kubelet 将通过标准输出读取插件的响应。此响应的 apiVersion 值应设置为与 CredentialProviderRequest 中 apiVersion 值相同。
+</p>
+
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>credentialprovider.kubelet.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderResponse</code></td></tr>
+    
+  
+<tr><td><code>cacheKeyType</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#credentialprovider-kubelet-k8s-io-v1alpha1-PluginCacheKeyType"><code>PluginCacheKeyType</code></a>
+</td>
+<td>
+<!--
+cacheKeyType indiciates the type of caching key to use based on the image provided
+in the request. There are three valid values for the cache key type: Image, Registry, and
+Global. If an invalid value is specified, the response will NOT be used by the kubelet.
+-->
+   <p>
+   <code>cacheKeyType</code> 表明基于请求中所给镜像而要使用的缓存键类型。缓存键类型有三个有效值：
+   Image、Registry 和 Global。如果指定了无效值，则 kubelet 不会使用该响应。
+   </p>
+</td>
+</tr>
+<tr><td><code>cacheDuration</code><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+<!--
+cacheDuration indicates the duration the provided credentials should be cached for.
+The kubelet will use this field to set the in-memory cache duration for credentials
+in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in
+CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.
+-->
+   <p>
+   <code>cacheDuration</code> 表示所提供的凭据应该被缓存的时间。kubelet 使用这个字段为
+   <code>auth</code> 中的凭据设置内存中数据的缓存时间。如果为空，kubelet 将使用 CredentialProviderConfig
+   中提供的 defaultCacheDuration。如果设置为 0，kubelet 将不会缓存所提供的 <code>auth</code> 数据。
+   </p>
+</td>
+</tr>
+<tr><td><code>auth</code><br/>
+<a href="#credentialprovider-kubelet-k8s-io-v1alpha1-AuthConfig"><code>map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1.AuthConfig</code></a>
+</td>
+<td>
+<!--
+   auth is a map containing authentication information passed into the kubelet.
+Each key is a match image string (more on this below). The corresponding authConfig value
+should be valid for all images that match against this key. A plugin should set
+this field to null if no valid credentials can be returned for the requested image.
+-->
+   <p>
+   <code>auth</code> 是一个映射，其中包含传递到 kubelet 的身份验证信息。
+   每个键都是一个匹配镜像字符串（下面将对此进行详细介绍）。相应的 authConfig 值应该对所有与此键匹配的镜像有效。
+   如果不能为请求的镜像返回有效的凭据，插件应将此字段设置为 null。
+   </p>
+<!--
+Each key in the map is a pattern which can optionally contain a port and a path.
+Globs can be used in the domain, but not in the port or the path. Globs are supported
+as subdomains like '<em>.k8s.io' or 'k8s.</em>.io', and top-level-domains such as 'k8s.<em>'.
+Matching partial subdomains like 'app</em>.k8s.io' is also supported. Each glob can only match
+a single subdomain segment, so *.io does not match *.k8s.io.
+-->
+   <p>
+   映射中每个键值都是一个正则表达式，可以选择包含端口和路径。
+   域名部分可以包含通配符，但在端口或路径中不能使用通配符。
+   支持通配符作为子域，如 <code>*.k8s.io</code> 或 <code>k8s.*.io</code>，以及顶级域，如 <code>k8s.*</code>。
+   还支持匹配部分子域，如 <code>app*.k8s.io</code>。每个通配符只能匹配一个子域段，
+   因此 <code>*.io</code> 不匹配 <code>*.k8s.io</code>。
+   </p>
+<!--
+<p>The kubelet will match images against the key when all of the below are true:</p>
+<ul>
+<li>Both contain the same number of domain parts and each part matches.</li>
+<li>The URL path of an imageMatch must be a prefix of the target image URL path.</li>
+<li>If the imageMatch contains a port, then the port must match in the image as well.</li>
+</ul>
+-->
+   <p>
+   当满足以下所有条件时，kubelet 会将镜像与键值匹配：
+   </p>
+   <ul>
+    <li>两者都包含相同数量的域部分，并且每个部分都匹配。</li>
+    <li><code>imageMatch</code> 的 URL 路径必须是目标镜像的 URL 路径的前缀。</li>
+    <li>如果 <code>imageMatch</code> 包含端口，则该端口也必须在镜像中匹配。</li>
+   </ul>
+<!--
+<p>When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:</p>
+<ul>
+<li>longer keys come before shorter keys with the same prefix</li>
+<li>non-wildcard keys come before wildcard keys with the same prefix.</li>
+</ul>
+-->
+   <p>
+   当返回多个键（key）时，kubelet 会倒序遍历所有键，这样：
+   </p>
+   <ul>
+    <li>具有相同前缀的较长键位于较短键之前</li>
+    <li>具有相同前缀的非通配符键位于通配符键之前。</li>
+   </ul>
+<!--
+<p>For any given match, the kubelet will attempt an image pull with the provided credentials,
+stopping after the first successfully authenticated pull.</p>
+<p>Example keys:</p>
+-->
+   <p>
+   对于任何给定的匹配，kubelet 将尝试使用提供的凭据进行镜像拉取，并在第一次成功验证后停止拉取。
+   </p>
+   <p>键值示例：</p>
+<ul>
+<li>123456789.dkr.ecr.us-east-1.amazonaws.com</li>
+<li>*.azurecr.io</li>
+<li>gcr.io</li>
+<li><em>.</em>.registry.io</li>
+<li>registry.io:8080/path</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `AuthConfig`     {#credentialprovider-kubelet-k8s-io-v1alpha1-AuthConfig}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse)
+
+<!--
+<p>AuthConfig contains authentication information for a container registry.
+Only username/password based authentication is supported today, but more authentication
+mechanisms may be added in the future.</p>
+-->
+AuthConfig 包含容器仓库的身份验证信息。目前仅支持基于用户名/密码的身份验证，但未来可能会添加更多身份验证机制。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>username</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+   <p>username is the username used for authenticating to the container registry
+An empty username is valid.</p>
+-->
+   <p>
+   <code>username</code> 是用于向容器仓库进行身份验证的用户名。空的用户名是合法的。
+   </p>
+</td>
+</tr>
+<tr><td><code>password</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+   <p>password is the password used for authenticating to the container registry
+An empty password is valid.</p>
+-->
+   <p>
+   <code>password</code> 是用于向容器仓库进行身份验证的密码。空密码是合法的。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `PluginCacheKeyType`     {#credentialprovider-kubelet-k8s-io-v1alpha1-PluginCacheKeyType}
+
+<!--    
+(Alias of `string`)
+
+**Appears in:**
+-->
+（<code>string</code> 数据类型的别名）
+
+**出现在：**
+
+- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1alpha1-CredentialProviderResponse)
\ No newline at end of file
diff --git a/content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md b/content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md
new file mode 100644
index 0000000000000..3bf2430a76bac
--- /dev/null
+++ b/content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1beta1.md
@@ -0,0 +1,253 @@
+---
+title: Kubelet CredentialProvider (v1beta1)
+content_type: tool-reference
+package: credentialprovider.kubelet.k8s.io/v1beta1
+---
+<!--
+title: Kubelet CredentialProvider (v1beta1)
+content_type: tool-reference
+package: credentialprovider.kubelet.k8s.io/v1beta1
+auto_generated: true
+-->
+
+<!--
+## Resource Types
+-->
+## 资源类型   {#resource-types}
+
+- [CredentialProviderRequest](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderRequest)
+- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse)
+
+## `CredentialProviderRequest`     {#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderRequest}
+
+<!--
+CredentialProviderRequest includes the image that the kubelet requires authentication for.
+Kubelet will pass this request object to the plugin via stdin. In general, plugins should
+prefer responding with the same apiVersion they were sent.
+-->
+<p>
+CredentialProviderRequest 包含 kubelet 需要进行身份验证的镜像。
+Kubelet 会通过标准输入将此请求对象传递给插件。一般来说，插件倾向于用它们所收到的相同的 apiVersion 来响应。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>credentialprovider.kubelet.k8s.io/v1beta1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderRequest</code></td></tr>
+    
+  
+<tr><td><code>image</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+   image is the container image that is being pulled as part of the
+credential provider plugin request. Plugins may optionally parse the image
+to extract any information required to fetch credentials.
+-->
+   <p>
+   <code>image</code> 是容器镜像，作为凭据提供程序插件请求的一部分。
+   插件可以有选择地解析镜像以提取获取凭据所需的任何信息。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `CredentialProviderResponse`     {#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse}
+
+<!--    
+CredentialProviderResponse holds credentials that the kubelet should use for the specified
+image provided in the original request. Kubelet will read the response from the plugin via stdout.
+This response should be set to the same apiVersion as CredentialProviderRequest.
+-->
+<p>
+CredentialProviderResponse 持有 kubelet 应用于原始请求中提供的指定镜像的凭据。
+kubelet 将通过标准输出读取插件的响应。此响应的 apiVersion 值应设置为与 CredentialProviderRequest 中 apiVersion 值相同。
+</p>
+
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>credentialprovider.kubelet.k8s.io/v1beta1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderResponse</code></td></tr>
+    
+  
+<tr><td><code>cacheKeyType</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#credentialprovider-kubelet-k8s-io-v1beta1-PluginCacheKeyType"><code>PluginCacheKeyType</code></a>
+</td>
+<td>
+<!--
+cacheKeyType indiciates the type of caching key to use based on the image provided
+in the request. There are three valid values for the cache key type: Image, Registry, and
+Global. If an invalid value is specified, the response will NOT be used by the kubelet.
+-->
+   <p>
+   <code>cacheKeyType</code> 表明基于请求中所给镜像而要使用的缓存键类型。缓存键类型有三个有效值：
+   Image、Registry 和 Global。如果指定了无效值，则 kubelet 不会使用该响应。
+   </p>
+</td>
+</tr>
+<tr><td><code>cacheDuration</code><br/>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
+</td>
+<td>
+<!--
+cacheDuration indicates the duration the provided credentials should be cached for.
+The kubelet will use this field to set the in-memory cache duration for credentials
+in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in
+CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.
+-->
+   <p>
+   <code>cacheDuration</code> 表示所提供的凭据应该被缓存的时间。kubelet 使用这个字段为
+   <code>auth</code> 中的凭据设置内存中数据的缓存时间。如果为空，kubelet 将使用 CredentialProviderConfig
+   中提供的 defaultCacheDuration。如果设置为 0，kubelet 将不会缓存所提供的 <code>auth</code> 数据。
+   </p>
+</td>
+</tr>
+<tr><td><code>auth</code><br/>
+<a href="#credentialprovider-kubelet-k8s-io-v1beta1-AuthConfig"><code>map[string]k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1.AuthConfig</code></a>
+</td>
+<td>
+<!--
+   auth is a map containing authentication information passed into the kubelet.
+Each key is a match image string (more on this below). The corresponding authConfig value
+should be valid for all images that match against this key. A plugin should set
+this field to null if no valid credentials can be returned for the requested image.
+-->
+   <p>
+   <code>auth</code> 是一个映射，其中包含传递到 kubelet 的身份验证信息。
+   每个键都是一个匹配镜像字符串（下面将对此进行详细介绍）。相应的 authConfig 值应该对所有与此键匹配的镜像有效。
+   如果不能为请求的镜像返回有效的凭据，插件应将此字段设置为 null。
+   </p>
+<!--
+Each key in the map is a pattern which can optionally contain a port and a path.
+Globs can be used in the domain, but not in the port or the path. Globs are supported
+as subdomains like '<em>.k8s.io' or 'k8s.</em>.io', and top-level-domains such as 'k8s.<em>'.
+Matching partial subdomains like 'app</em>.k8s.io' is also supported. Each glob can only match
+a single subdomain segment, so *.io does not match *.k8s.io.
+-->
+   <p>
+   映射中每个键值都是一个正则表达式，可以选择包含端口和路径。
+   域名部分可以包含通配符，但在端口或路径中不能使用通配符。
+   支持通配符作为子域，如 <code>*.k8s.io</code> 或 <code>k8s.*.io</code>，以及顶级域，如 <code>k8s.*</code>。
+   还支持匹配部分子域，如 <code>app*.k8s.io</code>。每个通配符只能匹配一个子域段，
+   因此 <code>*.io</code> 不匹配 <code>*.k8s.io</code>。
+   </p>
+<!--
+<p>The kubelet will match images against the key when all of the below are true:</p>
+<ul>
+<li>Both contain the same number of domain parts and each part matches.</li>
+<li>The URL path of an imageMatch must be a prefix of the target image URL path.</li>
+<li>If the imageMatch contains a port, then the port must match in the image as well.</li>
+</ul>
+-->
+   <p>
+   当满足以下所有条件时，kubelet 会将镜像与键值匹配：
+   </p>
+   <ul>
+    <li>两者都包含相同数量的域部分，并且每个部分都匹配。</li>
+    <li><code>imageMatch</code> 的 URL 路径必须是目标镜像的 URL 路径的前缀。</li>
+    <li>如果 <code>imageMatch</code> 包含端口，则该端口也必须在镜像中匹配。</li>
+   </ul>
+<!--
+<p>When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:</p>
+<ul>
+<li>longer keys come before shorter keys with the same prefix</li>
+<li>non-wildcard keys come before wildcard keys with the same prefix.</li>
+</ul>
+-->
+   <p>
+   当返回多个键（key）时，kubelet 会倒序遍历所有键，这样：
+   </p>
+   <ul>
+    <li>具有相同前缀的较长键位于较短键之前</li>
+    <li>具有相同前缀的非通配符键位于通配符键之前。</li>
+   </ul>
+<!--
+<p>For any given match, the kubelet will attempt an image pull with the provided credentials,
+stopping after the first successfully authenticated pull.</p>
+<p>Example keys:</p>
+-->
+   <p>
+   对于任何给定的匹配，kubelet 将尝试使用提供的凭据进行镜像拉取，并在第一次成功验证后停止拉取。
+   </p>
+   <p>键值示例：</p>
+<ul>
+<li>123456789.dkr.ecr.us-east-1.amazonaws.com</li>
+<li>*.azurecr.io</li>
+<li>gcr.io</li>
+<li><em>.</em>.registry.io</li>
+<li>registry.io:8080/path</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `AuthConfig`     {#credentialprovider-kubelet-k8s-io-v1beta1-AuthConfig}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse)
+
+<!--
+<p>AuthConfig contains authentication information for a container registry.
+Only username/password based authentication is supported today, but more authentication
+mechanisms may be added in the future.</p>
+-->
+AuthConfig 包含容器仓库的身份验证信息。目前仅支持基于用户名/密码的身份验证，但未来可能会添加更多身份验证机制。
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>username</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+   <p>username is the username used for authenticating to the container registry
+An empty username is valid.</p>
+-->
+   <p>
+   <code>username</code> 是用于向容器仓库进行身份验证的用户名。空的用户名是合法的。
+   </p>
+</td>
+</tr>
+<tr><td><code>password</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<!--
+   <p>password is the password used for authenticating to the container registry
+An empty password is valid.</p>
+-->
+   <p>
+   <code>password</code> 是用于向容器仓库进行身份验证的密码。空密码是合法的。
+   </p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `PluginCacheKeyType`     {#credentialprovider-kubelet-k8s-io-v1beta1-PluginCacheKeyType}
+
+<!--    
+(Alias of `string`)
+
+**Appears in:**
+-->
+（<code>string</code> 数据类型的别名）
+
+**出现在：**
+
+- [CredentialProviderResponse](#credentialprovider-kubelet-k8s-io-v1beta1-CredentialProviderResponse)
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/addons.md b/content/zh-cn/docs/reference/glossary/addons.md
similarity index 72%
rename from content/zh/docs/reference/glossary/addons.md
rename to content/zh-cn/docs/reference/glossary/addons.md
index 31fc1f0098243..3fd0546714e34 100644
--- a/content/zh/docs/reference/glossary/addons.md
+++ b/content/zh-cn/docs/reference/glossary/addons.md
@@ -2,7 +2,7 @@
 title: 附加组件（Add-ons）
 id: addons
 date: 2019-12-15
-full_link: /zh/docs/concepts/cluster-administration/addons/
+full_link: /zh-cn/docs/concepts/cluster-administration/addons/
 short_description: >
   扩展 Kubernetes 功能的资源。
 
@@ -37,4 +37,4 @@ tags:
 <!-- 
 [Installing addons](/docs/concepts/cluster-administration/addons/) explains more about using add-ons with your cluster, and lists some popular add-ons.
 -->
-[安装附加组件](/zh/docs/concepts/cluster-administration/addons/) 阐释了更多关于如何在集群内使用附加组件，并列出了一些流行的附加组件。
+[安装附加组件](/zh-cn/docs/concepts/cluster-administration/addons/) 阐释了更多关于如何在集群内使用附加组件，并列出了一些流行的附加组件。
diff --git a/content/zh/docs/reference/glossary/admission-controller.md b/content/zh-cn/docs/reference/glossary/admission-controller.md
similarity index 88%
rename from content/zh/docs/reference/glossary/admission-controller.md
rename to content/zh-cn/docs/reference/glossary/admission-controller.md
index 22567c4861c49..90e63e52b152f 100644
--- a/content/zh/docs/reference/glossary/admission-controller.md
+++ b/content/zh-cn/docs/reference/glossary/admission-controller.md
@@ -2,7 +2,7 @@
 title: 准入控制器（Admission Controller）
 id: admission-controller
 date: 2019-06-28
-full_link: /zh/docs/reference/access-authn-authz/admission-controllers/
+full_link: /zh-cn/docs/reference/access-authn-authz/admission-controllers/
 short_description: >
  在对象持久化之前拦截 Kubernetes Api 服务器请求的一段代码
 aka:
@@ -47,4 +47,4 @@ validating controllers may not.
 准入控制器可针对 Kubernetes Api 服务器进行配置，可以执行验证，变更或两者都执行。任何准入控制器都可以拒绝访问请求。
 变更（mutating）控制器可以修改其允许的对象，验证（validating）控制器则不可以。
 
-* [Kubernetes 文档中的准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
\ No newline at end of file
+* [Kubernetes 文档中的准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/affinity.md b/content/zh-cn/docs/reference/glossary/affinity.md
similarity index 89%
rename from content/zh/docs/reference/glossary/affinity.md
rename to content/zh-cn/docs/reference/glossary/affinity.md
index b3450ed02fc50..44aa0ab6cac43 100644
--- a/content/zh/docs/reference/glossary/affinity.md
+++ b/content/zh-cn/docs/reference/glossary/affinity.md
@@ -36,8 +36,8 @@ There are two kinds of affinity:
 * [node affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
 * [pod-to-pod affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)
 -->
-* [节点亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
-* [Pod 间亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)
+* [节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
+* [Pod 间亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)
 
 <!--
 The rules are defined using the Kubernetes {{< glossary_tooltip term_id="label" text="labels">}},
diff --git a/content/zh/docs/reference/glossary/aggregation-layer.md b/content/zh-cn/docs/reference/glossary/aggregation-layer.md
similarity index 64%
rename from content/zh/docs/reference/glossary/aggregation-layer.md
rename to content/zh-cn/docs/reference/glossary/aggregation-layer.md
index 9ad14962cfbe8..ad2f62e8bad28 100644
--- a/content/zh/docs/reference/glossary/aggregation-layer.md
+++ b/content/zh-cn/docs/reference/glossary/aggregation-layer.md
@@ -2,9 +2,9 @@
 title: 聚合层（Aggregation Layer）
 id: aggregation-layer
 date: 2018-10-08
-full_link: /zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/
+full_link: /zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/
 short_description: >
-  聚合层允许您在自己的集群上安装额外的 Kubernetes 风格的 API。
+  聚合层允许你在自己的集群上安装额外的 Kubernetes 风格的 API。
 
 aka: 
 tags:
@@ -36,7 +36,7 @@ tags:
  The aggregation layer lets you install additional Kubernetes-style APIs in your cluster.
 -->
 
-聚合层允许您在自己的集群上安装额外的 Kubernetes 风格的 API。
+聚合层允许你在自己的集群上安装额外的 Kubernetes 风格的 API。
 
 <!--more-->
  
@@ -45,4 +45,5 @@ tags:
 When you've configured the {{< glossary_tooltip text="Kubernetes API Server" term_id="kube-apiserver" >}} to [support additional APIs](/docs/tasks/extend-kubernetes/configure-aggregation-layer/), you can add `APIService` objects to "claim" a URL path in the Kubernetes API.
 -->
 
-当您配置了 {{< glossary_tooltip text="Kubernetes API Server" term_id="kube-apiserver" >}} 来 [支持额外的 API](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/)，您就可以在 Kubernetes API 中增加 `APIService` 对象来  "申领（Claim）" 一个 URL 路径。 
+当你配置了 {{< glossary_tooltip text="Kubernetes API Server" term_id="kube-apiserver" >}} 来 [支持额外的 API](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/)，
+你就可以在 Kubernetes API 中增加 `APIService` 对象来  "申领（Claim）" 一个 URL 路径。 
diff --git a/content/zh/docs/reference/glossary/annotation.md b/content/zh-cn/docs/reference/glossary/annotation.md
similarity index 94%
rename from content/zh/docs/reference/glossary/annotation.md
rename to content/zh-cn/docs/reference/glossary/annotation.md
index a305352e32a48..5554aafbbca0b 100644
--- a/content/zh/docs/reference/glossary/annotation.md
+++ b/content/zh-cn/docs/reference/glossary/annotation.md
@@ -2,7 +2,7 @@
 title: 注解（Annotation）
 id: annotation
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/working-with-objects/annotations/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/annotations/
 short_description: >
   注解是以键值对的形式给资源对象附加随机的无法标识的元数据。
 
diff --git a/content/zh/docs/reference/glossary/api-eviction.md b/content/zh-cn/docs/reference/glossary/api-eviction.md
similarity index 82%
rename from content/zh/docs/reference/glossary/api-eviction.md
rename to content/zh-cn/docs/reference/glossary/api-eviction.md
index 0f1aabd435cf4..4ed41b8648f00 100644
--- a/content/zh/docs/reference/glossary/api-eviction.md
+++ b/content/zh-cn/docs/reference/glossary/api-eviction.md
@@ -2,7 +2,7 @@
 title: API 发起的驱逐
 id: api-eviction
 date: 2021-04-27
-full_link: /zh/docs/concepts/scheduling-eviction/pod-eviction/#api-eviction
+full_link: /zh-cn/docs/concepts/scheduling-eviction/pod-eviction/#api-eviction
 short_description: >
   API 发起的驱逐是一个先调用 Eviction API 创建驱逐对象，再由该对象体面地中止 Pod 的过程。
 aka:
@@ -46,13 +46,13 @@ API-initiated eviction is not the same as [node-pressure eviction](/docs/concept
 你可以通过 kube-apiserver 的客户端，比如 `kubectl drain` 这样的命令，直接调用 Eviction API 发起驱逐。
 当 `Eviction` 对象创建出来之后，该对象将驱动 API 服务器终止选定的Pod。
 
-API 发起的驱逐取决于你配置的 [`PodDisruptionBudgets`](/zh/docs/tasks/run-application/configure-pdb/)
-和 [`terminationGracePeriodSeconds`](/zh/docs/concepts/workloads/pods/pod-lifecycle#pod-termination)。
+API 发起的驱逐取决于你配置的 [`PodDisruptionBudgets`](/zh-cn/docs/tasks/run-application/configure-pdb/)
+和 [`terminationGracePeriodSeconds`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle#pod-termination)。
 
 API 发起的驱逐不同于
-[节点压力引发的驱逐](/zh/docs/concepts/scheduling-eviction/eviction/#kubelet-eviction)。
+[节点压力引发的驱逐](/zh-cn/docs/concepts/scheduling-eviction/eviction/#kubelet-eviction)。
 
 <!--
 * See [API-initiated eviction](/docs/concepts/scheduling-eviction/api-eviction/) for more information.
 -->
-* 有关详细信息，请参阅 [API 发起的驱逐](/zh/docs/concepts/scheduling-eviction/api-eviction/)。
\ No newline at end of file
+* 有关详细信息，请参阅 [API 发起的驱逐](/zh-cn/docs/concepts/scheduling-eviction/api-eviction/)。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/api-group.md b/content/zh-cn/docs/reference/glossary/api-group.md
similarity index 86%
rename from content/zh/docs/reference/glossary/api-group.md
rename to content/zh-cn/docs/reference/glossary/api-group.md
index a219943be7fd2..42006b5e90c3e 100644
--- a/content/zh/docs/reference/glossary/api-group.md
+++ b/content/zh-cn/docs/reference/glossary/api-group.md
@@ -2,7 +2,7 @@
 title: API Group
 id: api-group
 date: 2019-09-02
-full_link: /zh/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning
+full_link: /zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning
 short_description: >
   Kubernetes API 中的一组相关路径
 
@@ -47,4 +47,4 @@ API group 在 REST 路径和序列化对象的 `apiVersion` 字段中指定。
 <!-- 
 * Read [API Group](/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning) for more information. 
 -->
-* 阅读 [API Group](/zh/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning) 了解更多信息。
+* 阅读 [API Group](/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning) 了解更多信息。
diff --git a/content/zh/docs/reference/glossary/app-container.md b/content/zh-cn/docs/reference/glossary/app-container.md
similarity index 96%
rename from content/zh/docs/reference/glossary/app-container.md
rename to content/zh-cn/docs/reference/glossary/app-container.md
index 3773e1c1b83cc..3980937a9d810 100644
--- a/content/zh/docs/reference/glossary/app-container.md
+++ b/content/zh-cn/docs/reference/glossary/app-container.md
@@ -42,6 +42,6 @@ once the application container has started.
 If a pod doesn't have any init containers configured, all the containers in that pod are app containers.
 -->
 
-初始化容器使您可以分离对于{{< glossary_tooltip text="工作负载" term_id="workload" >}}
+初始化容器使你可以分离对于{{< glossary_tooltip text="工作负载" term_id="workload" >}}
 整体而言很重要的初始化细节，并且一旦应用容器启动，它不需要继续运行。
 如果 pod 没有配置任何初始化容器，则该 pod 中的所有容器都是应用程序容器。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/application-architect.md b/content/zh-cn/docs/reference/glossary/application-architect.md
similarity index 100%
rename from content/zh/docs/reference/glossary/application-architect.md
rename to content/zh-cn/docs/reference/glossary/application-architect.md
diff --git a/content/zh/docs/reference/glossary/application-developer.md b/content/zh-cn/docs/reference/glossary/application-developer.md
similarity index 100%
rename from content/zh/docs/reference/glossary/application-developer.md
rename to content/zh-cn/docs/reference/glossary/application-developer.md
diff --git a/content/zh/docs/reference/glossary/applications.md b/content/zh-cn/docs/reference/glossary/applications.md
similarity index 100%
rename from content/zh/docs/reference/glossary/applications.md
rename to content/zh-cn/docs/reference/glossary/applications.md
diff --git a/content/zh/docs/reference/glossary/approver.md b/content/zh-cn/docs/reference/glossary/approver.md
similarity index 100%
rename from content/zh/docs/reference/glossary/approver.md
rename to content/zh-cn/docs/reference/glossary/approver.md
diff --git a/content/zh/docs/reference/glossary/cadvisor.md b/content/zh-cn/docs/reference/glossary/cadvisor.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cadvisor.md
rename to content/zh-cn/docs/reference/glossary/cadvisor.md
diff --git a/content/zh/docs/reference/glossary/certificate.md b/content/zh-cn/docs/reference/glossary/certificate.md
similarity index 94%
rename from content/zh/docs/reference/glossary/certificate.md
rename to content/zh-cn/docs/reference/glossary/certificate.md
index 05b50e37dc615..7de6715c1662c 100644
--- a/content/zh/docs/reference/glossary/certificate.md
+++ b/content/zh-cn/docs/reference/glossary/certificate.md
@@ -2,7 +2,7 @@
 title: 证书（Certificate）
 id: certificate
 date: 2018-04-12
-full_link: /zh/docs/tasks/tls/managing-tls-in-a-cluster/
+full_link: /zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/
 short_description: >
   证书是个安全加密文件，用来确认对 Kubernetes 集群访问的合法性。
 
diff --git a/content/zh/docs/reference/glossary/cgroup.md b/content/zh-cn/docs/reference/glossary/cgroup.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cgroup.md
rename to content/zh-cn/docs/reference/glossary/cgroup.md
diff --git a/content/zh/docs/reference/glossary/cidr.md b/content/zh-cn/docs/reference/glossary/cidr.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cidr.md
rename to content/zh-cn/docs/reference/glossary/cidr.md
diff --git a/content/zh/docs/reference/glossary/cla.md b/content/zh-cn/docs/reference/glossary/cla.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cla.md
rename to content/zh-cn/docs/reference/glossary/cla.md
diff --git a/content/zh/docs/reference/glossary/cloud-controller-manager.md b/content/zh-cn/docs/reference/glossary/cloud-controller-manager.md
similarity index 83%
rename from content/zh/docs/reference/glossary/cloud-controller-manager.md
rename to content/zh-cn/docs/reference/glossary/cloud-controller-manager.md
index 3d33b8c7fe97b..72c581453c496 100644
--- a/content/zh/docs/reference/glossary/cloud-controller-manager.md
+++ b/content/zh-cn/docs/reference/glossary/cloud-controller-manager.md
@@ -2,7 +2,7 @@
 title: 云控制器管理器（Cloud Controller Manager）
 id: cloud-controller-manager
 date: 2018-04-12
-full_link: /zh/docs/concepts/architecture/cloud-controller/
+full_link: /zh-cn/docs/concepts/architecture/cloud-controller/
 short_description: >
   将 Kubernetes 与第三方云提供商进行集成的控制面组件。
 
@@ -33,18 +33,17 @@ that embeds cloud-specific control logic. The cloud controller manager lets you
 cluster into your cloud provider's API, and separates out the components that interact
 with that cloud platform from components that only interact with your cluster.
 -->
-云控制器管理器是指嵌入特定云的控制逻辑的
+`cloud-controller-manager` 是指嵌入特定云的控制逻辑之
 {{< glossary_tooltip text="控制平面" term_id="control-plane" >}}组件。
-云控制器管理器使得你可以将你的集群连接到云提供商的 API 之上，
+`cloud-controller-manager` 允许你将你的集群连接到云提供商的 API 之上，
 并将与该云平台交互的组件同与你的集群交互的组件分离开来。
 
 <!--more--> 
-
 <!--
 By decoupling the interoperability logic between Kubernetes and the underlying cloud
 infrastructure, the cloud-controller-manager component enables cloud providers to release
 features at a different pace compared to the main Kubernetes project.
 -->
 通过分离 Kubernetes 和底层云基础设置之间的互操作性逻辑，
-云控制器管理器组件使云提供商能够以不同于 Kubernetes 主项目的
+`cloud-controller-manager` 组件使云提供商能够以不同于 Kubernetes 主项目的
 步调发布新特征。
diff --git a/content/zh/docs/reference/glossary/cloud-provider.md b/content/zh-cn/docs/reference/glossary/cloud-provider.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cloud-provider.md
rename to content/zh-cn/docs/reference/glossary/cloud-provider.md
diff --git a/content/zh/docs/reference/glossary/cluster-architect.md b/content/zh-cn/docs/reference/glossary/cluster-architect.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cluster-architect.md
rename to content/zh-cn/docs/reference/glossary/cluster-architect.md
diff --git a/content/zh/docs/reference/glossary/cluster-infrastructure.md b/content/zh-cn/docs/reference/glossary/cluster-infrastructure.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cluster-infrastructure.md
rename to content/zh-cn/docs/reference/glossary/cluster-infrastructure.md
diff --git a/content/zh/docs/reference/glossary/cluster-operations.md b/content/zh-cn/docs/reference/glossary/cluster-operations.md
similarity index 94%
rename from content/zh/docs/reference/glossary/cluster-operations.md
rename to content/zh-cn/docs/reference/glossary/cluster-operations.md
index 43a9bba4b0310..4067984ac57d5 100644
--- a/content/zh/docs/reference/glossary/cluster-operations.md
+++ b/content/zh-cn/docs/reference/glossary/cluster-operations.md
@@ -38,5 +38,5 @@ scale the cluster; performing software upgrades; implementing security
 controls; adding or removing storage; configuring cluster networking;
 managing cluster-wide observability; and responding to events.
 -->															  
-群集操作工作的示例包括：部署新节点来扩容集群；执行软件升级；实施安全控制；
+集群操作工作的示例包括：部署新节点来扩容集群；执行软件升级；实施安全控制；
 添加或删除存储；配置集群网络；管理集群范围的可观测性；响应集群事件。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/cluster-operator.md b/content/zh-cn/docs/reference/glossary/cluster-operator.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cluster-operator.md
rename to content/zh-cn/docs/reference/glossary/cluster-operator.md
diff --git a/content/zh/docs/reference/glossary/cluster.md b/content/zh-cn/docs/reference/glossary/cluster.md
similarity index 69%
rename from content/zh/docs/reference/glossary/cluster.md
rename to content/zh-cn/docs/reference/glossary/cluster.md
index 74d48ff2c2641..07b79c5f96072 100644
--- a/content/zh/docs/reference/glossary/cluster.md
+++ b/content/zh-cn/docs/reference/glossary/cluster.md
@@ -4,7 +4,7 @@ id: cluster
 date: 2019-06-15
 full_link: 
 short_description: >
-   集群由一组被称作节点的机器组成。这些节点上运行 Kubernetes 所管理的容器化应用。集群具有至少一个工作节点。 
+   集群由一组被称作节点的机器组成。这些节点上运行 Kubernetes 所管理的容器化应用。集群具有至少一个工作节点。
 
 aka: 
 tags:
@@ -32,8 +32,9 @@ tags:
 A set of worker machines, called {{< glossary_tooltip text="nodes" term_id="node" >}},
 that run containerized applications. Every cluster has at least one worker node.
 -->
-集群由一组被称作节点的机器组成。这些节点上运行 Kubernetes 所管理的容器化应用。集群具有至少一个工作节点。
-
+集群是由一组被称作{{< glossary_tooltip text="节点（node）" term_id="node" >}}的机器组成，
+这些节点上会运行由 Kubernetes 所管理的容器化应用。
+且每个集群至少有一个工作节点。
 <!--more-->
 <!-- 
 The worker node(s) host the {{< glossary_tooltip text="Pods" term_id="pod" >}} that are
@@ -43,5 +44,7 @@ nodes and the Pods in the cluster. In production environments, the control plane
 runs across multiple computers and a cluster usually runs multiple nodes, providing
 fault-tolerance and high availability.
 -->
-工作节点托管作为应用负载的组件的 Pod 。控制平面管理集群中的工作节点和 Pod 。
-为集群提供故障转移和高可用性，这些控制平面一般跨多主机运行，集群跨多个节点运行。
+工作节点会托管所谓的 Pods，而 Pod 就是作为应用负载的组件。
+控制平面管理集群中的工作节点和 Pods。
+为集群提供故障转移和高可用性，
+这些控制平面一般跨多主机运行，而集群也会跨多个节点运行。
diff --git a/content/zh/docs/reference/glossary/cncf.md b/content/zh-cn/docs/reference/glossary/cncf.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cncf.md
rename to content/zh-cn/docs/reference/glossary/cncf.md
diff --git a/content/zh/docs/reference/glossary/cni.md b/content/zh-cn/docs/reference/glossary/cni.md
similarity index 81%
rename from content/zh/docs/reference/glossary/cni.md
rename to content/zh-cn/docs/reference/glossary/cni.md
index 64febe02151e4..5f87815cb5df2 100644
--- a/content/zh/docs/reference/glossary/cni.md
+++ b/content/zh-cn/docs/reference/glossary/cni.md
@@ -2,7 +2,7 @@
 title: 容器网络接口（CNI）
 id: cni
 date: 2018-05-25
-full_link: /zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni
+full_link: /zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni
 short_description: >
     容器网络接口 (CNI) 插件是遵循 appc/CNI 协议的一类网络插件。
 
@@ -41,4 +41,4 @@ tags:
 * For information on Kubernetes and CNI, see ["Network plugins"](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni).
 -->
 
-* 想了解 Kubernetes 和 CNI 请参考 ["网络插件"](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni)。
+* 想了解 Kubernetes 和 CNI 请参考 ["网络插件"](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni)。
diff --git a/content/zh/docs/reference/glossary/code-contributor.md b/content/zh-cn/docs/reference/glossary/code-contributor.md
similarity index 100%
rename from content/zh/docs/reference/glossary/code-contributor.md
rename to content/zh-cn/docs/reference/glossary/code-contributor.md
diff --git a/content/zh/docs/reference/glossary/configmap.md b/content/zh-cn/docs/reference/glossary/configmap.md
similarity index 91%
rename from content/zh/docs/reference/glossary/configmap.md
rename to content/zh-cn/docs/reference/glossary/configmap.md
index be80c84f614cc..b90382e5182ea 100644
--- a/content/zh/docs/reference/glossary/configmap.md
+++ b/content/zh-cn/docs/reference/glossary/configmap.md
@@ -2,7 +2,7 @@
 title: ConfigMap
 id: configmap
 date: 2018-04-12
-full_link: /zh/docs/tasks/configure-pod-container/configure-pod-configmap/
+full_link: /zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/
 short_description: >
   ConfigMap 是一种 API 对象，用来将非机密性的数据保存到键值对中。使用时可以用作环境变量、命令行参数或者存储卷中的配置文件。
    
@@ -41,4 +41,4 @@ environment variables, command-line arguments, or as configuration files in a
 A ConfigMap allows you to decouple environment-specific configuration from your {{< glossary_tooltip text="container images" term_id="image" >}}, so that your applications are easily portable.
 -->
 
-ConfigMap 将您的环境配置信息和 {{< glossary_tooltip text="容器镜像" term_id="image" >}} 解耦，便于应用配置的修改。
+ConfigMap 将你的环境配置信息和 {{< glossary_tooltip text="容器镜像" term_id="image" >}} 解耦，便于应用配置的修改。
diff --git a/content/zh/docs/reference/glossary/container-env-variables.md b/content/zh-cn/docs/reference/glossary/container-env-variables.md
similarity index 96%
rename from content/zh/docs/reference/glossary/container-env-variables.md
rename to content/zh-cn/docs/reference/glossary/container-env-variables.md
index e8796a12bdd5f..134b0c0c7e95b 100644
--- a/content/zh/docs/reference/glossary/container-env-variables.md
+++ b/content/zh-cn/docs/reference/glossary/container-env-variables.md
@@ -2,7 +2,7 @@
 title: 容器环境变量（Container Environment Variables）
 id: container-env-variables
 date: 2018-04-12
-full_link: /zh/docs/concepts/containers/container-environment/
+full_link: /zh-cn/docs/concepts/containers/container-environment/
 short_description: >
   容器环境变量提供了 name=value 形式的、运行容器化应用所必须的一些重要信息。
 
diff --git a/content/zh/docs/reference/glossary/container-lifecycle-hooks.md b/content/zh-cn/docs/reference/glossary/container-lifecycle-hooks.md
similarity index 94%
rename from content/zh/docs/reference/glossary/container-lifecycle-hooks.md
rename to content/zh-cn/docs/reference/glossary/container-lifecycle-hooks.md
index 6a43d283c96d6..1823b66b4c93c 100644
--- a/content/zh/docs/reference/glossary/container-lifecycle-hooks.md
+++ b/content/zh-cn/docs/reference/glossary/container-lifecycle-hooks.md
@@ -2,7 +2,7 @@
 title: 容器生命周期钩子（Container Lifecycle Hooks）
 id: container-lifecycle-hooks
 date: 2018-10-08
-full_link: /zh/docs/concepts/containers/container-lifecycle-hooks/
+full_link: /zh-cn/docs/concepts/containers/container-lifecycle-hooks/
 short_description: >
   生命周期钩子暴露容器管理生命周期中的事件，允许用户在事件发生时运行代码。
 
diff --git a/content/zh/docs/reference/glossary/container-runtime-interface.md b/content/zh-cn/docs/reference/glossary/container-runtime-interface.md
similarity index 90%
rename from content/zh/docs/reference/glossary/container-runtime-interface.md
rename to content/zh-cn/docs/reference/glossary/container-runtime-interface.md
index 39bc8d0017f1b..b902dc5da00cd 100644
--- a/content/zh/docs/reference/glossary/container-runtime-interface.md
+++ b/content/zh-cn/docs/reference/glossary/container-runtime-interface.md
@@ -2,7 +2,7 @@
 title: 容器运行时接口
 id: container-runtime-interface
 date: 2021-11-24
-full_link: /zh/docs/concepts/architecture/cri
+full_link: /zh-cn/docs/concepts/architecture/cri
 short_description: >
   kubelet 和容器运行时之间通信的主要协议。
 
@@ -37,6 +37,6 @@ The Kubernetes Container Runtime Interface (CRI) defines the main
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
 -->
 Kubernetes 容器运行时接口（CRI）定义了主要 [gRPC](https://grpc.io) 协议，
-用于[集群组件](/zh/docs/concepts/overview/components/#node-components)
+用于[集群组件](/zh-cn/docs/concepts/overview/components/#node-components)
 {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} 和
 {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/container-runtime.md b/content/zh-cn/docs/reference/glossary/container-runtime.md
similarity index 85%
rename from content/zh/docs/reference/glossary/container-runtime.md
rename to content/zh-cn/docs/reference/glossary/container-runtime.md
index 36a0caf4164aa..4eaf10627ef38 100644
--- a/content/zh/docs/reference/glossary/container-runtime.md
+++ b/content/zh-cn/docs/reference/glossary/container-runtime.md
@@ -2,7 +2,7 @@
 title: 容器运行时（Container Runtime）
 id: container-runtime
 date: 2019-06-05
-full_link: /zh/docs/setup/production-environment/container-runtimes
+full_link: /zh-cn/docs/setup/production-environment/container-runtimes
 short_description: >
  容器运行时是负责运行容器的软件。
 
@@ -41,8 +41,9 @@ Kubernetes supports container runtimes such sa
 and any other implementation of the [Kubernetes CRI (Container Runtime
 Interface)](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/container-runtime-interface.md).
 -->
-Kubernetes 支持容器运行时，例如
+Kubernetes 支持许多容器运行环境，例如
 {{< glossary_tooltip term_id="docker">}}、
-{{< glossary_tooltip term_id="containerd" >}}、{{< glossary_tooltip term_id="cri-o" >}}
+{{< glossary_tooltip term_id="containerd" >}}、
+{{< glossary_tooltip term_id="cri-o" >}}
 以及 [Kubernetes CRI (容器运行环境接口)](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/container-runtime-interface.md)
 的其他任何实现。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/container.md b/content/zh-cn/docs/reference/glossary/container.md
similarity index 93%
rename from content/zh/docs/reference/glossary/container.md
rename to content/zh-cn/docs/reference/glossary/container.md
index 450a8af998f1c..1ca18e3ca49dc 100644
--- a/content/zh/docs/reference/glossary/container.md
+++ b/content/zh-cn/docs/reference/glossary/container.md
@@ -2,7 +2,7 @@
 title: 容器（Container）
 id: container
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/what-is-kubernetes/#why-containers
+full_link: /zh-cn/docs/concepts/overview/what-is-kubernetes/#why-containers
 short_description: >
   容器是可移植、可执行的轻量级的镜像，镜像中包含软件及其相关依赖。
 
diff --git a/content/zh/docs/reference/glossary/containerd.md b/content/zh-cn/docs/reference/glossary/containerd.md
similarity index 100%
rename from content/zh/docs/reference/glossary/containerd.md
rename to content/zh-cn/docs/reference/glossary/containerd.md
diff --git a/content/zh/docs/reference/glossary/contributor.md b/content/zh-cn/docs/reference/glossary/contributor.md
similarity index 100%
rename from content/zh/docs/reference/glossary/contributor.md
rename to content/zh-cn/docs/reference/glossary/contributor.md
diff --git a/content/zh/docs/reference/glossary/control-plane.md b/content/zh-cn/docs/reference/glossary/control-plane.md
similarity index 100%
rename from content/zh/docs/reference/glossary/control-plane.md
rename to content/zh-cn/docs/reference/glossary/control-plane.md
diff --git a/content/zh/docs/reference/glossary/controller.md b/content/zh-cn/docs/reference/glossary/controller.md
similarity index 97%
rename from content/zh/docs/reference/glossary/controller.md
rename to content/zh-cn/docs/reference/glossary/controller.md
index e60b710603b75..a0c0c02bcef78 100644
--- a/content/zh/docs/reference/glossary/controller.md
+++ b/content/zh-cn/docs/reference/glossary/controller.md
@@ -2,7 +2,7 @@
 title: 控制器（Controller）
 id: controller
 date: 2018-04-12
-full_link: /zh/docs/concepts/architecture/controller/
+full_link: /zh-cn/docs/concepts/architecture/controller/
 short_description: >
   控制器通过 apiserver 监控集群的公共状态，并致力于将当前状态转变为期望的状态。
 
diff --git a/content/zh/docs/reference/glossary/cri-o.md b/content/zh-cn/docs/reference/glossary/cri-o.md
similarity index 100%
rename from content/zh/docs/reference/glossary/cri-o.md
rename to content/zh-cn/docs/reference/glossary/cri-o.md
diff --git a/content/zh/docs/reference/glossary/cri.md b/content/zh-cn/docs/reference/glossary/cri.md
similarity index 93%
rename from content/zh/docs/reference/glossary/cri.md
rename to content/zh-cn/docs/reference/glossary/cri.md
index 8c8da979e989c..24450960d07e9 100644
--- a/content/zh/docs/reference/glossary/cri.md
+++ b/content/zh-cn/docs/reference/glossary/cri.md
@@ -2,7 +2,7 @@
 title: 容器运行时接口（CRI）
 id: cri
 date: 2019-03-07
-full_link: /zh/docs/concepts/overview/components/#container-runtime
+full_link: /zh-cn/docs/concepts/overview/components/#container-runtime
 short_description: >
   一组与 kubelet 集成的容器运行时 API 
 
diff --git a/content/zh/docs/reference/glossary/cronjob.md b/content/zh-cn/docs/reference/glossary/cronjob.md
similarity index 84%
rename from content/zh/docs/reference/glossary/cronjob.md
rename to content/zh-cn/docs/reference/glossary/cronjob.md
index fe16d58762b45..487731fe31f3b 100644
--- a/content/zh/docs/reference/glossary/cronjob.md
+++ b/content/zh-cn/docs/reference/glossary/cronjob.md
@@ -2,7 +2,7 @@
 title: 周期调度任务（CronJob）
 id: cronjob
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/cron-jobs/
+full_link: /zh-cn/docs/concepts/workloads/controllers/cron-jobs/
 short_description: >
   周期调度的任务（作业）。
 
@@ -32,7 +32,7 @@ tags:
  Manages a [Job](/docs/concepts/workloads/controllers/job/) that runs on a periodic schedule.
 -->
 
- 管理定期运行的 [任务](/zh/docs/concepts/workloads/controllers/job/)。
+ 管理定期运行的 [任务](/zh-cn/docs/concepts/workloads/controllers/job/)。
 
 <!--more--> 
 
diff --git a/content/zh/docs/reference/glossary/csi.md b/content/zh-cn/docs/reference/glossary/csi.md
similarity index 92%
rename from content/zh/docs/reference/glossary/csi.md
rename to content/zh-cn/docs/reference/glossary/csi.md
index 89bb66cafdd29..d430ef3ecacc9 100644
--- a/content/zh/docs/reference/glossary/csi.md
+++ b/content/zh-cn/docs/reference/glossary/csi.md
@@ -2,7 +2,7 @@
 title: 容器存储接口（Container Storage Interface，CSI）
 id: csi
 date: 2018-06-25
-full_link: /zh/docs/concepts/storage/volumes/#csi
+full_link: /zh-cn/docs/concepts/storage/volumes/#csi
 short_description: >
     容器存储接口 （CSI）定义了存储系统暴露给容器的标准接口。
 
@@ -48,5 +48,5 @@ CSI 允许存储驱动提供商为 Kubernetes 创建定制化的存储插件，
 [将它部署到你的集群上](https://kubernetes-csi.github.io/docs/deploying.html)。
 然后你才能创建使用该 CSI 驱动的 {{< glossary_tooltip text="Storage Class" term_id="storage-class" >}} 。
 
-* [Kubernetes 文档中关于 CSI 的描述](/zh/docs/concepts/storage/volumes/#csi)
+* [Kubernetes 文档中关于 CSI 的描述](/zh-cn/docs/concepts/storage/volumes/#csi)
 * [可用的 CSI 驱动列表](https://kubernetes-csi.github.io/docs/drivers.html)
diff --git a/content/zh/docs/reference/glossary/customresourcedefinition.md b/content/zh-cn/docs/reference/glossary/customresourcedefinition.md
similarity index 70%
rename from content/zh/docs/reference/glossary/customresourcedefinition.md
rename to content/zh-cn/docs/reference/glossary/customresourcedefinition.md
index ee0548e78d4a0..2d63482c3e692 100644
--- a/content/zh/docs/reference/glossary/customresourcedefinition.md
+++ b/content/zh-cn/docs/reference/glossary/customresourcedefinition.md
@@ -2,9 +2,9 @@
 title: CustomResourceDefinition
 id: CustomResourceDefinition
 date: 2018-04-12
-full_link: /zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
+full_link: /zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
 short_description: >
-  通过定制化的代码给您的 Kubernetes API 服务器增加资源对象，而无需编译完整的定制 API 服务器。
+  通过定制化的代码给你的 Kubernetes API 服务器增加资源对象，而无需编译完整的定制 API 服务器。
 
 aka: 
 tags:
@@ -33,7 +33,7 @@ tags:
  Custom code that defines a resource to add to your Kubernetes API server without building a complete custom server.
 -->
 
- 通过定制化的代码给您的 Kubernetes API 服务器增加资源对象，而无需编译完整的定制 API 服务器。
+ 通过定制化的代码给你的 Kubernetes API 服务器增加资源对象，而无需编译完整的定制 API 服务器。
 
 <!--more--> 
 
@@ -41,5 +41,6 @@ tags:
 Custom Resource Definitions let you extend the Kubernetes API for your environment if the publicly supported API resources can't meet your needs. 
 -->
 
-当 Kubernetes 公开支持的 API 资源不能满足您的需要时，定制资源对象（Custom Resource Definitions）让您可以在您的环境上扩展 Kubernetes API。
+当 Kubernetes 公开支持的 API 资源不能满足你的需要时，
+定制资源对象（Custom Resource Definitions）让你可以在你的环境上扩展 Kubernetes API。
 
diff --git a/content/zh/docs/reference/glossary/daemonset.md b/content/zh-cn/docs/reference/glossary/daemonset.md
similarity index 94%
rename from content/zh/docs/reference/glossary/daemonset.md
rename to content/zh-cn/docs/reference/glossary/daemonset.md
index 5f35ae5012458..70960117433c6 100644
--- a/content/zh/docs/reference/glossary/daemonset.md
+++ b/content/zh-cn/docs/reference/glossary/daemonset.md
@@ -2,7 +2,7 @@
 title: DaemonSet
 id: daemonset
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/daemonset/
+full_link: /zh-cn/docs/concepts/workloads/controllers/daemonset/
 short_description: >
   确保 Pod 的副本在集群中的一组节点上运行。
 
diff --git a/content/zh/docs/reference/glossary/data-plane.md b/content/zh-cn/docs/reference/glossary/data-plane.md
similarity index 100%
rename from content/zh/docs/reference/glossary/data-plane.md
rename to content/zh-cn/docs/reference/glossary/data-plane.md
diff --git a/content/zh/docs/reference/glossary/deployment.md b/content/zh-cn/docs/reference/glossary/deployment.md
similarity index 94%
rename from content/zh/docs/reference/glossary/deployment.md
rename to content/zh-cn/docs/reference/glossary/deployment.md
index ca52523e46348..e09f6805813f6 100644
--- a/content/zh/docs/reference/glossary/deployment.md
+++ b/content/zh-cn/docs/reference/glossary/deployment.md
@@ -2,7 +2,7 @@
 title: Deployment
 id: deployment
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/deployment/
+full_link: /zh-cn/docs/concepts/workloads/controllers/deployment/
 short_description: >
   Deployment 是管理应用副本的 API 对象。
 
diff --git a/content/zh/docs/reference/glossary/developer.md b/content/zh-cn/docs/reference/glossary/developer.md
similarity index 100%
rename from content/zh/docs/reference/glossary/developer.md
rename to content/zh-cn/docs/reference/glossary/developer.md
diff --git a/content/zh/docs/reference/glossary/device-plugin.md b/content/zh-cn/docs/reference/glossary/device-plugin.md
similarity index 89%
rename from content/zh/docs/reference/glossary/device-plugin.md
rename to content/zh-cn/docs/reference/glossary/device-plugin.md
index 30664b8c31a6e..9bbecf8d1dd87 100644
--- a/content/zh/docs/reference/glossary/device-plugin.md
+++ b/content/zh-cn/docs/reference/glossary/device-plugin.md
@@ -2,7 +2,7 @@
 title: 设备插件（Device Plugin）
 id: device-plugin
 date: 2019-02-02
-full_link: /zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/
+full_link: /zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/
 short_description: >
   一种软件扩展，可以使 Pod 访问由特定厂商初始化或者安装的设备。
 aka:
@@ -49,4 +49,4 @@ See
 [Device Plugins](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)
 for more information.
 -->
-更多信息请查阅[设备插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/) 
\ No newline at end of file
+更多信息请查阅[设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/) 
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/disruption.md b/content/zh-cn/docs/reference/glossary/disruption.md
similarity index 73%
rename from content/zh/docs/reference/glossary/disruption.md
rename to content/zh-cn/docs/reference/glossary/disruption.md
index 2b59797a3966f..aa4fca945c0e3 100644
--- a/content/zh/docs/reference/glossary/disruption.md
+++ b/content/zh-cn/docs/reference/glossary/disruption.md
@@ -2,7 +2,7 @@
 title: 干扰（Disruption）
 id: disruption
 date: 2019-09-10
-full_link: /zh/docs/concepts/workloads/pods/disruptions/
+full_link: /zh-cn/docs/concepts/workloads/pods/disruptions/
 short_description: >
    导致 Pod 服务停止的事件。
 aka:
@@ -41,7 +41,7 @@ Kubernetes terms that an _involuntary disruption_.
 
 See [Disruptions](/docs/concepts/workloads/pods/disruptions/) for more information.
  -->
-如果您作为一个集群操作人员，销毁了一个从属于某个应用的 Pod, Kubernetes 视之为 _自愿干扰（Voluntary Disruption）_。如果由于节点故障
-或者影响更大区域故障的断电导致 Pod 离线，kubernetes 视之为 _非愿干扰（Involuntary Disruption）_。
+如果你作为一个集群操作人员，销毁了一个从属于某个应用的 Pod, Kubernetes 视之为**自愿干扰（Voluntary Disruption）**。
+如果由于节点故障 或者影响更大区域故障的断电导致 Pod 离线，kubernetes 视之为**非愿干扰（Involuntary Disruption）**。
 
-更多信息请查阅[Disruptions](/zh/docs/concepts/workloads/pods/disruptions/)
\ No newline at end of file
+更多信息请查阅[Disruptions](/zh-cn/docs/concepts/workloads/pods/disruptions/)
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/docker.md b/content/zh-cn/docs/reference/glossary/docker.md
similarity index 95%
rename from content/zh/docs/reference/glossary/docker.md
rename to content/zh-cn/docs/reference/glossary/docker.md
index bec6c834f2f7e..78ac4c9f5051e 100644
--- a/content/zh/docs/reference/glossary/docker.md
+++ b/content/zh-cn/docs/reference/glossary/docker.md
@@ -2,7 +2,7 @@
 title: Docker
 id: docker
 date: 2018-04-12
-full_link: /zh/docs/reference/kubectl/docker-cli-to-kubectl/
+full_link: /zh-cn/docs/reference/kubectl/docker-cli-to-kubectl/
 short_description: >
   Docker 是一种可以提供操作系统级别虚拟化（也称作容器）的软件技术。
 
diff --git a/content/zh-cn/docs/reference/glossary/dockershim.md b/content/zh-cn/docs/reference/glossary/dockershim.md
new file mode 100644
index 0000000000000..b12b08d54a4dd
--- /dev/null
+++ b/content/zh-cn/docs/reference/glossary/dockershim.md
@@ -0,0 +1,40 @@
+---
+title: Dockershim
+id: dockershim
+date: 2022-04-15
+full_link: /zh-cn/dockershim
+short_description: >
+   dockershim 是 Kubernetes v1.23 及之前版本中的一个组件，Kubernetes 系统组件通过它与 Docker Engine 通信。
+
+aka:
+tags:
+- fundamental
+---
+
+<!--
+title: Dockershim
+id: dockershim
+date: 2022-04-15
+full_link: /dockershim
+short_description: >
+   A component of Kubernetes v1.23 and earlier, which allows Kubernetes system components to communicate with Docker Engine.
+
+aka:
+tags:
+- fundamental
+-->
+
+<!--
+The dockershim is a component of Kubernetes version 1.23 and earlier. It allows the kubelet
+to communicate with {{< glossary_tooltip text="Docker Engine" term_id="docker" >}}.
+-->
+
+dockershim 是 Kubernetes v1.23 及之前版本中的一个组件。
+Kubernetes 系统组件通过它与 {{< glossary_tooltip text="Docker Engine" term_id="docker" >}} 通信。
+
+<!--more-->
+<!--
+Starting with version 1.24, dockershim has been removed from Kubernetes. For more information, see [Dockershim FAQ](/dockershim).
+-->
+从 Kubernetes v1.24 开始，dockershim 已从 Kubernetes 中移除.
+想了解更多信息，可参考[移除 Dockershim 的常见问题](/zh-cn/dockershim)。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/downstream.md b/content/zh-cn/docs/reference/glossary/downstream.md
similarity index 86%
rename from content/zh/docs/reference/glossary/downstream.md
rename to content/zh-cn/docs/reference/glossary/downstream.md
index cba0229cb95b0..154e1f04790f3 100644
--- a/content/zh/docs/reference/glossary/downstream.md
+++ b/content/zh-cn/docs/reference/glossary/downstream.md
@@ -27,7 +27,7 @@ tags:
 -->
 
 <!--
-May refer to: code in the Kubernetes ecosystem that depends upon the core Kubernetes codebase or a forked repo.
+ May refer to: code in the Kubernetes ecosystem that depends upon the core Kubernetes codebase or a forked repo.
 -->
 
 可以指：Kubernetes 生态系统中依赖于核心 Kubernetes 代码库或分支代码库的代码。
@@ -39,6 +39,6 @@ May refer to: code in the Kubernetes ecosystem that depends upon the core Kubern
 * In **GitHub** or **git**: The convention is to refer to a forked repo as *downstream*, whereas the source repo is considered *upstream*.
 -->
 
-* 在 **Kubernetes 社区**中：*下游(downstream)* 在人们交流中常用来表示那些依赖核心 Kubernetes 代码库的生态系统、代码或者第三方工具。例如，Kubernete 的一个新特性可以被*下游(downstream)* 应用采用，以提升它们的功能性。
+* 在 **Kubernetes 社区**中：*下游(downstream)* 在人们交流中常用来表示那些依赖核心 Kubernetes 代码库的生态系统、代码或者第三方工具。例如，Kubernetes 的一个新特性可以被*下游(downstream)* 应用采用，以提升它们的功能性。
 * 在 **GitHub** 或 **git** 中：约定用*下游(downstream)* 表示分支代码库，源代码库被认为是*上游(upstream)*。
 
diff --git a/content/zh/docs/reference/glossary/dynamic-volume-provisioning.md b/content/zh-cn/docs/reference/glossary/dynamic-volume-provisioning.md
similarity index 96%
rename from content/zh/docs/reference/glossary/dynamic-volume-provisioning.md
rename to content/zh-cn/docs/reference/glossary/dynamic-volume-provisioning.md
index 5606af15a4c4b..a4f8212ba87bf 100644
--- a/content/zh/docs/reference/glossary/dynamic-volume-provisioning.md
+++ b/content/zh-cn/docs/reference/glossary/dynamic-volume-provisioning.md
@@ -2,7 +2,7 @@
 title: 动态卷供应（Dynamic Volume Provisioning）
 id: dynamicvolumeprovisioning
 date: 2018-04-12
-full_link: /zh/docs/concepts/storage/dynamic-provisioning/
+full_link: /zh-cn/docs/concepts/storage/dynamic-provisioning/
 short_description: >
   允许用户请求自动创建存储卷。
 
diff --git a/content/zh/docs/reference/glossary/endpoint-slice.md b/content/zh-cn/docs/reference/glossary/endpoint-slice.md
similarity index 94%
rename from content/zh/docs/reference/glossary/endpoint-slice.md
rename to content/zh-cn/docs/reference/glossary/endpoint-slice.md
index dcfc35e308fca..f08f9adf4bdef 100644
--- a/content/zh/docs/reference/glossary/endpoint-slice.md
+++ b/content/zh-cn/docs/reference/glossary/endpoint-slice.md
@@ -2,7 +2,7 @@
 title: EndpointSlice
 id: endpoint-slice
 date: 2018-04-12
-full_link: /zh/docs/concepts/services-networking/endpoint-slices/
+full_link: /zh-cn/docs/concepts/services-networking/endpoint-slices/
 short_description: >
   一种将网络端点与 Kubernetes 资源组合在一起的方法。
 
diff --git a/content/zh/docs/reference/glossary/endpoint.md b/content/zh-cn/docs/reference/glossary/endpoint.md
similarity index 100%
rename from content/zh/docs/reference/glossary/endpoint.md
rename to content/zh-cn/docs/reference/glossary/endpoint.md
diff --git a/content/zh/docs/reference/glossary/ephemeral-container.md b/content/zh-cn/docs/reference/glossary/ephemeral-container.md
similarity index 85%
rename from content/zh/docs/reference/glossary/ephemeral-container.md
rename to content/zh-cn/docs/reference/glossary/ephemeral-container.md
index d937404797ccb..08161758998c4 100644
--- a/content/zh/docs/reference/glossary/ephemeral-container.md
+++ b/content/zh-cn/docs/reference/glossary/ephemeral-container.md
@@ -2,14 +2,14 @@
 title: 临时容器（Ephemeral Container）
 id: ephemeral-container
 date: 2019-08-26
-full_link: /zh/docs/concepts/workloads/pods/ephemeral-containers/
+full_link: /zh-cn/docs/concepts/workloads/pods/ephemeral-containers/
 short_description: >
-  您可以在 Pod 中临时运行的一种容器类型
+  你可以在 Pod 中临时运行的一种容器类型
 aka:
 tags:
 - fundamental
 ---
-  您可以在 {{< glossary_tooltip term_id="pod" >}} 中临时运行的一种 {{< glossary_tooltip term_id="container" >}} 类型。
+  你可以在 {{< glossary_tooltip term_id="pod" >}} 中临时运行的一种 {{< glossary_tooltip term_id="container" >}} 类型。
 
 <!--
 ---
diff --git a/content/zh/docs/reference/glossary/etcd.md b/content/zh-cn/docs/reference/glossary/etcd.md
similarity index 67%
rename from content/zh/docs/reference/glossary/etcd.md
rename to content/zh-cn/docs/reference/glossary/etcd.md
index 9dec928b29fab..8929d62f171f6 100644
--- a/content/zh/docs/reference/glossary/etcd.md
+++ b/content/zh-cn/docs/reference/glossary/etcd.md
@@ -2,7 +2,7 @@
 title: etcd
 id: etcd
 date: 2018-04-12
-full_link: /zh/docs/tasks/administer-cluster/configure-upgrade-etcd/
+full_link: /zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/
 short_description: >
   etcd 是兼具一致性和高可用性的键值数据库，用作保存 Kubernetes 所有集群数据的后台数据库。
 
@@ -32,7 +32,7 @@ tags:
  Consistent and highly-available key value store used as Kubernetes' backing store for all cluster data.
 -->
 
-etcd 是兼具一致性和高可用性的键值数据库，可以作为保存 Kubernetes 所有集群数据的后台数据库。
+`etcd` 是兼顾一致性与高可用性的键值数据库，可以作为保存 Kubernetes 所有集群数据的后台数据库。
 
 <!--more--> 
 <!--
@@ -40,9 +40,9 @@ If your Kubernetes cluster uses etcd as its backing store, make sure you have a
 [back up](/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster) plan
 for those data.
 -->	
-您的 Kubernetes 集群的 etcd 数据库通常需要有个备份计划。
+你的 Kubernetes 集群的 `etcd` 数据库通常需要有个[备份](/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster)计划。
 <!--
 You can find in-depth information about etcd in the official [documentation](https://etcd.io/docs/).
 -->
 
-要了解 etcd 更深层次的信息，请参考 [etcd 文档](https://etcd.io/docs/)。
+如果想要更深入的了解 `etcd`，请参考 [etcd 文档](https://etcd.io/docs/)。
diff --git a/content/zh/docs/reference/glossary/event.md b/content/zh-cn/docs/reference/glossary/event.md
similarity index 96%
rename from content/zh/docs/reference/glossary/event.md
rename to content/zh-cn/docs/reference/glossary/event.md
index 37d143e60b461..6c74215300c41 100644
--- a/content/zh/docs/reference/glossary/event.md
+++ b/content/zh-cn/docs/reference/glossary/event.md
@@ -51,6 +51,6 @@ Events should be treated as informative, best-effort, supplemental data.
 In Kubernetes, [auditing](/docs/tasks/debug/debug-cluster/audit/) generates a different kind of
 Event record (API group `audit.k8s.io`).
 -->
-在 Kubernetes 中，[审计](/zh/docs/tasks/debug/debug-cluster/audit/)
+在 Kubernetes 中，[审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/)
 机制会生成一种不同种类的 Event 记录（API 组为 `audit.k8s.io`）。
 
diff --git a/content/zh/docs/reference/glossary/eviction.md b/content/zh-cn/docs/reference/glossary/eviction.md
similarity index 81%
rename from content/zh/docs/reference/glossary/eviction.md
rename to content/zh-cn/docs/reference/glossary/eviction.md
index 30666ca2b1f5d..142b9fa6028cd 100644
--- a/content/zh/docs/reference/glossary/eviction.md
+++ b/content/zh-cn/docs/reference/glossary/eviction.md
@@ -2,7 +2,7 @@
 title: 驱逐
 id: eviction
 date: 2021-05-08
-full_link: /zh/docs/concepts/scheduling-eviction/
+full_link: /zh-cn/docs/concepts/scheduling-eviction/
 short_description: >
     终止节点上一个或多个 Pod 的过程。
 aka:
@@ -33,6 +33,6 @@ There are two kinds of eviction:
 * [API-initiated eviction](/docs/reference/generated/kubernetes-api/v1.23/)
 -->
 驱逐的两种类型
-* [节点压力驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+* [节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)
 * [API 发起的驱逐](/docs/reference/generated/kubernetes-api/v1.23/)
 
diff --git a/content/zh/docs/reference/glossary/extensions.md b/content/zh-cn/docs/reference/glossary/extensions.md
similarity index 88%
rename from content/zh/docs/reference/glossary/extensions.md
rename to content/zh-cn/docs/reference/glossary/extensions.md
index bec430f31ddb2..ae33b45a2ef00 100644
--- a/content/zh/docs/reference/glossary/extensions.md
+++ b/content/zh-cn/docs/reference/glossary/extensions.md
@@ -2,7 +2,7 @@
 title: 扩展组件（Extensions）
 id: Extensions
 date: 2019-02-01
-full_link: /zh/docs/concepts/extend-kubernetes/extend-cluster/#extensions
+full_link: /zh-cn/docs/concepts/extend-kubernetes/extend-cluster/#extensions
 short_description: >
   扩展组件是扩展并与 Kubernetes 深度集成以支持新型硬件的软件组件。
 aka:
@@ -37,5 +37,5 @@ Many cluster administrators use a hosted or distribution instance of Kubernetes.
 
 许多集群管理员会使用托管的 Kubernetes 或其某种发行包，这些集群预装了扩展。
 因此，大多数 Kubernetes 用户将不需要
-安装[扩展组件](/zh/docs/concepts/extend-kubernetes/extend-cluster/#extensions)，
+安装[扩展组件](/zh-cn/docs/concepts/extend-kubernetes/extend-cluster/#extensions)，
 需要编写新的扩展组件的用户就更少了。
diff --git a/content/zh/docs/reference/glossary/finalizer.md b/content/zh-cn/docs/reference/glossary/finalizer.md
similarity index 94%
rename from content/zh/docs/reference/glossary/finalizer.md
rename to content/zh-cn/docs/reference/glossary/finalizer.md
index 82b462784cc9b..2de7c100737f6 100644
--- a/content/zh/docs/reference/glossary/finalizer.md
+++ b/content/zh-cn/docs/reference/glossary/finalizer.md
@@ -2,7 +2,7 @@
 title: Finalizer
 id: finalizer
 date: 2021-07-07
-full_link: /zh/docs/concepts/overview/working-with-objects/finalizers/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/finalizers/
 short_description: >
   一个带有命名空间的键，告诉 Kubernetes 等到特定的条件被满足后，
   再完全删除被标记为删除的资源。
@@ -17,7 +17,7 @@ tags:
 title: Finalizer
 id: finalizer
 date: 2021-07-07
-full_link: /zh/docs/concepts/overview/working-with-objects/finalizers/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/finalizers/
 short_description: >
   A namespaced key that tells Kubernetes to wait until specific conditions are met
   before it fully deletes an object marked for deletion.
diff --git a/content/zh/docs/reference/glossary/flexvolume.md b/content/zh-cn/docs/reference/glossary/flexvolume.md
similarity index 94%
rename from content/zh/docs/reference/glossary/flexvolume.md
rename to content/zh-cn/docs/reference/glossary/flexvolume.md
index e0f15afb4c77d..c00fd059223d4 100644
--- a/content/zh/docs/reference/glossary/flexvolume.md
+++ b/content/zh-cn/docs/reference/glossary/flexvolume.md
@@ -2,7 +2,7 @@
 title: FlexVolume
 id: flexvolume
 date: 2018-06-25
-full_link: /zh/docs/concepts/storage/volumes/#flexvolume
+full_link: /zh-cn/docs/concepts/storage/volumes/#flexvolume
 short_description: >
   FlexVolume 是一个已弃用的接口，用于创建树外卷插件。
   {{< glossary_tooltip text="容器存储接口（CSI）" term_id="csi" >}}
@@ -47,6 +47,6 @@ FlexVolume 驱动程序的二进制文件和依赖项必须安装在主机上。
 * [More information on FlexVolumes](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md)
 * [Volume Plugin FAQ for Storage Vendors](https://github.com/kubernetes/community/blob/master/sig-storage/volume-plugin-faq.md) 
 -->
-* [Kubernetes 文档中的 Flexvolume](/zh/docs/concepts/storage/volumes/#flexvolume)
+* [Kubernetes 文档中的 Flexvolume](/zh-cn/docs/concepts/storage/volumes/#flexvolume)
 * [更多关于 Flexvolumes 的信息](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-storage/flexvolume.md)
 * [存储供应商的卷插件 FAQ](https://github.com/kubernetes/community/blob/master/sig-storage/volume-plugin-faq.md)
diff --git a/content/zh/docs/reference/glossary/garbage-collection.md b/content/zh-cn/docs/reference/glossary/garbage-collection.md
similarity index 73%
rename from content/zh/docs/reference/glossary/garbage-collection.md
rename to content/zh-cn/docs/reference/glossary/garbage-collection.md
index effc51483ccf6..f6ca64f58d061 100644
--- a/content/zh/docs/reference/glossary/garbage-collection.md
+++ b/content/zh-cn/docs/reference/glossary/garbage-collection.md
@@ -2,7 +2,7 @@
 title: 垃圾收集
 id: garbage-collection
 date: 2021-07-07
-full_link: /zh/docs/concepts/workloads/controllers/garbage-collection/
+full_link: /zh-cn/docs/concepts/workloads/controllers/garbage-collection/
 short_description: >
   Kubernetes 用于清理集群资源的各种机制的统称。
 
@@ -42,8 +42,8 @@ Kubernetes uses garbage collection to clean up resources like [unused containers
 that have expired or failed.
 -->
 Kubernetes 使用垃圾收集机制来清理资源，例如：
-[未使用的容器和镜像](/zh/docs/concepts/workloads/controllers/garbage-collection/#containers-images)、
-[失败的 Pod](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-garbage-collection)、
-[目标资源拥有的对象](/zh/docs/concepts/overview/working-with-objects/owners-dependents/)、
-[已完成的 Job](/zh/docs/concepts/workloads/controllers/ttlafterfinished/)、
+[未使用的容器和镜像](/zh-cn/docs/concepts/workloads/controllers/garbage-collection/#containers-images)、
+[失败的 Pod](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-garbage-collection)、
+[目标资源拥有的对象](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)、
+[已完成的 Job](/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/)、
 过期或出错的资源。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/helm-chart.md b/content/zh-cn/docs/reference/glossary/helm-chart.md
similarity index 100%
rename from content/zh/docs/reference/glossary/helm-chart.md
rename to content/zh-cn/docs/reference/glossary/helm-chart.md
diff --git a/content/zh/docs/reference/glossary/horizontal-pod-autoscaler.md b/content/zh-cn/docs/reference/glossary/horizontal-pod-autoscaler.md
similarity index 95%
rename from content/zh/docs/reference/glossary/horizontal-pod-autoscaler.md
rename to content/zh-cn/docs/reference/glossary/horizontal-pod-autoscaler.md
index 45e5033a5a3fd..49b18de3eecce 100644
--- a/content/zh/docs/reference/glossary/horizontal-pod-autoscaler.md
+++ b/content/zh-cn/docs/reference/glossary/horizontal-pod-autoscaler.md
@@ -2,7 +2,7 @@
 title: Pod 水平自动扩缩器（Horizontal Pod Autoscaler）
 id: horizontal-pod-autoscaler
 date: 2018-04-12
-full_link: /zh/docs/tasks/run-application/horizontal-pod-autoscale/
+full_link: /zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/
 short_description: >
   Pod 水平自动扩缩器（Horizontal Pod Autoscaler）是一种 API 资源，它根据目标 CPU 利用率或自定义度量目标扩缩 Pod 副本的数量。
 
diff --git a/content/zh/docs/reference/glossary/host-aliases.md b/content/zh-cn/docs/reference/glossary/host-aliases.md
similarity index 92%
rename from content/zh/docs/reference/glossary/host-aliases.md
rename to content/zh-cn/docs/reference/glossary/host-aliases.md
index c2be10bee2b41..df01a76b4ae1f 100644
--- a/content/zh/docs/reference/glossary/host-aliases.md
+++ b/content/zh-cn/docs/reference/glossary/host-aliases.md
@@ -2,7 +2,7 @@
 title: HostAliases
 id: HostAliases
 date: 2019-01-31
-full_link: /docs/reference/generated/kubernetes-api/{{< param "version" >}}/#hostalias-v1-core
+full_link: /zh-cn/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#hostalias-v1-core
 short_description: >
   主机别名 (HostAliases) 是一组 IP 地址和主机名的映射，用于注入到 Pod 内的 hosts 文件。
 
@@ -10,10 +10,7 @@ aka:
 tags:
 - operation
 ---
- 主机别名 (HostAliases) 是一组 IP 地址和主机名的映射，用于注入到 {{< glossary_tooltip text="Pod" term_id="pod" >}} 内的 hosts 文件。
-
 <!--
----
 title: HostAliases
 id: HostAliases
 date: 2019-01-31
@@ -24,9 +21,13 @@ short_description: >
 aka:
 tags:
 - operation
----
+-->
+
+<!--
  A HostAliases is a mapping between the IP address and hostname to be injected into a {{< glossary_tooltip text="Pod" term_id="pod" >}}'s hosts file.
 -->
+ 主机别名 (HostAliases) 是一组 IP 地址和主机名的映射，用于注入到 {{< glossary_tooltip text="Pod" term_id="pod" >}} 内的 hosts 文件。
+
 
 <!--more-->
 
diff --git a/content/zh/docs/reference/glossary/image.md b/content/zh-cn/docs/reference/glossary/image.md
similarity index 100%
rename from content/zh/docs/reference/glossary/image.md
rename to content/zh-cn/docs/reference/glossary/image.md
diff --git a/content/zh/docs/reference/glossary/index.md b/content/zh-cn/docs/reference/glossary/index.md
similarity index 100%
rename from content/zh/docs/reference/glossary/index.md
rename to content/zh-cn/docs/reference/glossary/index.md
diff --git a/content/zh/docs/reference/glossary/ingress.md b/content/zh-cn/docs/reference/glossary/ingress.md
similarity index 93%
rename from content/zh/docs/reference/glossary/ingress.md
rename to content/zh-cn/docs/reference/glossary/ingress.md
index 2b0874157412e..e48b9948a1990 100644
--- a/content/zh/docs/reference/glossary/ingress.md
+++ b/content/zh-cn/docs/reference/glossary/ingress.md
@@ -2,7 +2,7 @@
 title: Ingress
 id: ingress
 date: 2018-04-12
-full_link: /zh/docs/concepts/services-networking/ingress/
+full_link: /zh-cn/docs/concepts/services-networking/ingress/
 short_description: >
   Ingress 是对集群中服务的外部访问进行管理的 API 对象，典型的访问方式是 HTTP。
 
diff --git a/content/zh/docs/reference/glossary/init-container.md b/content/zh-cn/docs/reference/glossary/init-container.md
similarity index 100%
rename from content/zh/docs/reference/glossary/init-container.md
rename to content/zh-cn/docs/reference/glossary/init-container.md
diff --git a/content/zh/docs/reference/glossary/istio.md b/content/zh-cn/docs/reference/glossary/istio.md
similarity index 100%
rename from content/zh/docs/reference/glossary/istio.md
rename to content/zh-cn/docs/reference/glossary/istio.md
diff --git a/content/zh/docs/reference/glossary/job.md b/content/zh-cn/docs/reference/glossary/job.md
similarity index 94%
rename from content/zh/docs/reference/glossary/job.md
rename to content/zh-cn/docs/reference/glossary/job.md
index aa557297be310..220f8111449ef 100644
--- a/content/zh/docs/reference/glossary/job.md
+++ b/content/zh-cn/docs/reference/glossary/job.md
@@ -2,7 +2,7 @@
 title: Job
 id: job
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/job/
+full_link: /zh-cn/docs/concepts/workloads/controllers/job/
 short_description: >
   Job 是需要运行完成的确定性的或批量的任务。
 
diff --git a/content/zh/docs/reference/glossary/kops.md b/content/zh-cn/docs/reference/glossary/kops.md
similarity index 91%
rename from content/zh/docs/reference/glossary/kops.md
rename to content/zh-cn/docs/reference/glossary/kops.md
index d3241b763edc0..1719e2a8a67ce 100644
--- a/content/zh/docs/reference/glossary/kops.md
+++ b/content/zh-cn/docs/reference/glossary/kops.md
@@ -56,7 +56,7 @@ Support for using kops with GCE and VMware vSphere are in alpha.
   * The ability to directly provision, or to generate Terraform manifests
 -->
 
-`kops` 为您的集群提供了：
+`kops` 为你的集群提供了：
 
   * 全自动化安装
   * 基于 DNS 的集群标识
@@ -69,4 +69,5 @@ Support for using kops with GCE and VMware vSphere are in alpha.
 You can also build your own cluster using {{< glossary_tooltip term_id="kubeadm" >}} as a building block. `kops` builds on the kubeadm work.
 -->
 
-您也可以将自己的集群作为一个构造块，使用 {{< glossary_tooltip term_id="kubeadm" >}} 构造集群。`kops` 是建立在 kubeadm 之上的。
+你也可以将自己的集群作为一个构造块，使用 {{< glossary_tooltip term_id="kubeadm" >}} 构造集群。
+`kops` 是建立在 kubeadm 之上的。
diff --git a/content/zh-cn/docs/reference/glossary/kube-apiserver.md b/content/zh-cn/docs/reference/glossary/kube-apiserver.md
new file mode 100644
index 0000000000000..7e93998ecd1f3
--- /dev/null
+++ b/content/zh-cn/docs/reference/glossary/kube-apiserver.md
@@ -0,0 +1,48 @@
+---
+title: API 服务器
+id: kube-apiserver
+date: 2018-04-12
+full_link: /zh-cn/docs/concepts/overview/components/#kube-apiserver
+short_description: >
+  提供 Kubernetes API 服务的控制面组件。
+
+aka:
+- kube-apiserver
+tags:
+- architecture
+- fundamental
+---
+<!--
+title: API server
+id: kube-apiserver
+date: 2018-04-12
+full_link: /docs/concepts/overview/components/#kube-apiserver
+short_description: >
+  Control plane component that serves the Kubernetes API.
+
+aka:
+- kube-apiserver
+tags:
+- architecture
+- fundamental
+-->
+
+<!--
+ The API server is a component of the Kubernetes
+{{< glossary_tooltip text="control plane" term_id="control-plane" >}} that exposes the Kubernetes API.
+The API server is the front end for the Kubernetes control plane.
+-->
+API 服务器是 Kubernetes {{< glossary_tooltip text="控制平面" term_id="control-plane" >}}的组件，
+该组件负责公开了 Kubernetes API，负责处理接受请求的工作。
+API 服务器是 Kubernetes 控制平面的前端。
+
+<!--more-->
+
+<!--
+The main implementation of a Kubernetes API server is [kube-apiserver](/docs/reference/generated/kube-apiserver/).
+kube-apiserver is designed to scale horizontally&mdash;that is, it scales by deploying more instances.
+You can run several instances of kube-apiserver and balance traffic between those instances.
+-->
+Kubernetes API 服务器的主要实现是 [kube-apiserver](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)。
+`kube-apiserver` 设计上考虑了水平扩缩，也就是说，它可通过部署多个实例来进行扩缩。
+你可以运行 `kube-apiserver` 的多个实例，并在这些实例之间平衡流量。
diff --git a/content/zh-cn/docs/reference/glossary/kube-controller-manager.md b/content/zh-cn/docs/reference/glossary/kube-controller-manager.md
new file mode 100644
index 0000000000000..132a05936b2cc
--- /dev/null
+++ b/content/zh-cn/docs/reference/glossary/kube-controller-manager.md
@@ -0,0 +1,46 @@
+---
+title: kube-controller-manager
+id: kube-controller-manager
+date: 2018-04-12
+full_link: /zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/
+short_description: >
+  主节点上运行控制器的组件。
+
+aka: 
+tags:
+- architecture
+- fundamental
+---
+<!--
+title: kube-controller-manager
+id: kube-controller-manager
+date: 2018-04-12
+full_link: /docs/reference/command-line-tools-reference/kube-controller-manager/
+short_description: >
+  Component on the master that runs controllers.
+
+aka: 
+tags:
+- architecture
+- fundamental
+-->
+
+<!--
+ Control plane component that runs
+ {{< glossary_tooltip text="controller" term_id="controller" >}} processes.
+-->
+[kube-controller-manager](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
+是{{< glossary_tooltip text="控制平面" term_id="control-plane" >}}的组件，
+负责运行{{< glossary_tooltip text="控制器" term_id="controller" >}}进程。
+
+<!--more-->
+
+<!--
+Logically, each {{< glossary_tooltip text="controller" term_id="controller" >}}
+is a separate process, but to reduce complexity,
+they are all compiled into a single binary and run in a single process.
+--> 
+从逻辑上讲，
+每个{{< glossary_tooltip text="控制器" term_id="controller" >}}都是一个单独的进程，
+但是为了降低复杂性，它们都被编译到同一个可执行文件，并在同一个进程中运行。
+
diff --git a/content/zh-cn/docs/reference/glossary/kube-proxy.md b/content/zh-cn/docs/reference/glossary/kube-proxy.md
new file mode 100644
index 0000000000000..ef7b661715896
--- /dev/null
+++ b/content/zh-cn/docs/reference/glossary/kube-proxy.md
@@ -0,0 +1,53 @@
+---
+title: kube-proxy
+id: kube-proxy
+date: 2018-04-12
+full_link: /zh-cn/docs/reference/command-line-tools-reference/kube-proxy/
+short_description: >
+  `kube-proxy` 是集群中每个节点上运行的网络代理。
+
+aka:
+tags:
+- fundamental
+- networking
+---
+<!-- ---
+title: kube-proxy
+id: kube-proxy
+date: 2018-04-12
+full_link: /zh-cn/docs/reference/command-line-tools-reference/kube-proxy/
+short_description: >
+  `kube-proxy` is a network proxy that runs on each node in the cluster.
+
+aka:
+tags:
+- fundamental
+- networking
+--- -->
+ <!--
+ kube-proxy is a network proxy that runs on each
+ {{< glossary_tooltip text="node" term_id="node" >}} in your cluster,
+ implementing part of the Kubernetes
+ {{< glossary_tooltip term_id="service">}} concept.
+ -->
+[kube-proxy](/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/)
+是集群中每个{{< glossary_tooltip text="节点（node）" term_id="node" >}}所上运行的网络代理，
+实现 Kubernetes {{< glossary_tooltip term_id="service">}} 概念的一部分。
+
+<!--more-->
+
+<!-- 
+[kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/)
+maintains network rules on nodes. These network rules allow network
+communication to your Pods from network sessions inside or outside of
+your cluster.
+-->
+kube-proxy 维护节点上的一些网络规则，
+这些网络规则会允许从集群内部或外部的网络会话与 Pod 进行网络通信。
+
+<!-- 
+kube-proxy uses the operating system packet filtering layer if there is one
+and it's available. Otherwise, kube-proxy forwards the traffic itself. 
+-->
+如果操作系统提供了可用的数据包过滤层，则 kube-proxy 会通过它来实现网络规则。
+否则，kube-proxy 仅做流量转发。
diff --git a/content/zh/docs/reference/glossary/kube-scheduler.md b/content/zh-cn/docs/reference/glossary/kube-scheduler.md
similarity index 64%
rename from content/zh/docs/reference/glossary/kube-scheduler.md
rename to content/zh-cn/docs/reference/glossary/kube-scheduler.md
index 9d6a1842fb60c..f9c6ecdaf816b 100644
--- a/content/zh/docs/reference/glossary/kube-scheduler.md
+++ b/content/zh-cn/docs/reference/glossary/kube-scheduler.md
@@ -2,7 +2,7 @@
 title: kube-scheduler
 id: kube-scheduler
 date: 2018-04-12
-full_link: /zh/docs/reference/command-line-tools-reference/kube-scheduler/
+full_link: /zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/
 short_description: >
   控制平面组件，负责监视新创建的、未指定运行节点的 Pod，选择节点让 Pod 在上面运行。
 
@@ -33,7 +33,9 @@ Control plane component that watches for newly created
 {{< glossary_tooltip term_id="node" text="node">}}, and selects a node for them
 to run on.-->
 
-  控制平面组件，负责监视新创建的、未指定运行{{< glossary_tooltip term_id="node" text="节点（node）">}}的 {{< glossary_tooltip term_id="pod" text="Pods" >}}，选择节点让 Pod 在上面运行。
+  `kube-scheduler` 是{{< glossary_tooltip text="控制平面" term_id="control-plane" >}}的组件，
+  负责监视新创建的、未指定运行{{< glossary_tooltip term_id="node" text="节点（node）">}}的 {{< glossary_tooltip term_id="pod" text="Pods" >}}，
+  并选择节点来让 Pod 在上面运行。
 
 <!--more--> 
 
@@ -41,4 +43,5 @@ to run on.-->
 Factors taken into account for scheduling decisions include individual and collective resource requirements,  hardware/software/policy constraints, affinity and anti-affinity specifications, data locality, inter-workload interference and deadlines.
 -->
 
-调度决策考虑的因素包括单个 Pod 和 Pod 集合的资源需求、硬件/软件/策略约束、亲和性和反亲和性规范、数据位置、工作负载间的干扰和最后时限。
+调度决策考虑的因素包括单个 Pod 及 Pods 集合的资源需求、软硬件及策略约束、
+亲和性及反亲和性规范、数据位置、工作负载间的干扰及最后时限。
diff --git a/content/zh/docs/reference/glossary/kubeadm.md b/content/zh-cn/docs/reference/glossary/kubeadm.md
similarity index 92%
rename from content/zh/docs/reference/glossary/kubeadm.md
rename to content/zh-cn/docs/reference/glossary/kubeadm.md
index f565376100a89..106edda93c66b 100644
--- a/content/zh/docs/reference/glossary/kubeadm.md
+++ b/content/zh-cn/docs/reference/glossary/kubeadm.md
@@ -2,7 +2,7 @@
 title: Kubeadm
 id: kubeadm
 date: 2018-04-12
-full_link: /zh/docs/setup/production-environment/tools/kubeadm/
+full_link: /zh-cn/docs/setup/production-environment/tools/kubeadm/
 short_description: >
   用来快速安装 Kubernetes 并搭建安全稳定的集群的工具。
 
diff --git a/content/zh/docs/reference/glossary/kubectl.md b/content/zh-cn/docs/reference/glossary/kubectl.md
similarity index 100%
rename from content/zh/docs/reference/glossary/kubectl.md
rename to content/zh-cn/docs/reference/glossary/kubectl.md
diff --git a/content/zh/docs/reference/glossary/kubelet.md b/content/zh-cn/docs/reference/glossary/kubelet.md
similarity index 75%
rename from content/zh/docs/reference/glossary/kubelet.md
rename to content/zh-cn/docs/reference/glossary/kubelet.md
index a00971e224619..41b4dea14bbbd 100644
--- a/content/zh/docs/reference/glossary/kubelet.md
+++ b/content/zh-cn/docs/reference/glossary/kubelet.md
@@ -2,14 +2,13 @@
 title: Kubelet
 id: kubelet
 date: 2018-04-12
-full_link: /docs/reference/generated/kubelet
+full_link: /zh-cn/docs/reference/generated/kubelet
 short_description: >
   一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。
 
-aka: 
+aka:
 tags:
 - fundamental
-- core-object
 ---
 <!--
 title: Kubelet
@@ -19,25 +18,24 @@ full_link: /docs/reference/generated/kubelet
 short_description: >
   An agent that runs on each node in the cluster. It makes sure that containers are running in a pod.
 
-aka: 
+aka:
 tags:
 - fundamental
-- core-object
 -->
 
 <!--
  An agent that runs on each {{< glossary_tooltip text="node" term_id="node" >}} in the cluster. It makes sure that {{< glossary_tooltip text="containers" term_id="container" >}} are running in a {{< glossary_tooltip text="Pod" term_id="pod" >}}.
 -->
-一个在集群中每个{{< glossary_tooltip text="节点（node）" term_id="node" >}}上运行的代理。
-它保证{{< glossary_tooltip text="容器（containers）" term_id="container" >}}都
-运行在 {{< glossary_tooltip text="Pod" term_id="pod" >}} 中。
+`kubelet` 会在集群中每个{{< glossary_tooltip text="节点（node）" term_id="node" >}}上运行。
+它保证{{< glossary_tooltip text="容器（containers）" term_id="container" >}}都运行在
+{{< glossary_tooltip text="Pod" term_id="pod" >}} 中。
 
-<!--more--> 
+<!--more-->
 
 <!--
 The kubelet takes a set of PodSpecs that are provided through various mechanisms and ensures that the containers described in those PodSpecs are running and healthy. The kubelet doesn't manage containers which were not created by Kubernetes.
 -->
-kubelet 接收一组通过各类机制提供给它的 PodSpecs，确保这些 PodSpecs
-中描述的容器处于运行状态且健康。
+kubelet 接收一组通过各类机制提供给它的 PodSpecs，
+确保这些 PodSpecs 中描述的容器处于运行状态且健康。
 kubelet 不会管理不是由 Kubernetes 创建的容器。
 
diff --git a/content/zh/docs/reference/glossary/kubernetes-api.md b/content/zh-cn/docs/reference/glossary/kubernetes-api.md
similarity index 96%
rename from content/zh/docs/reference/glossary/kubernetes-api.md
rename to content/zh-cn/docs/reference/glossary/kubernetes-api.md
index 060ddf93cd48e..0a6c096a420dd 100644
--- a/content/zh/docs/reference/glossary/kubernetes-api.md
+++ b/content/zh-cn/docs/reference/glossary/kubernetes-api.md
@@ -2,7 +2,7 @@
 title: Kubernetes API
 id: kubernetes-api
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/kubernetes-api/
+full_link: /zh-cn/docs/concepts/overview/kubernetes-api/
 short_description: >
   Kubernetes API 是通过 RESTful 接口提供 Kubernetes 功能服务并负责集群状态存储的应用程序。
 
diff --git a/content/zh/docs/reference/glossary/label.md b/content/zh-cn/docs/reference/glossary/label.md
similarity index 93%
rename from content/zh/docs/reference/glossary/label.md
rename to content/zh-cn/docs/reference/glossary/label.md
index f2c661cc44bbb..e0654faa26a1f 100644
--- a/content/zh/docs/reference/glossary/label.md
+++ b/content/zh-cn/docs/reference/glossary/label.md
@@ -2,7 +2,7 @@
 title: 标签（Label）
 id: label
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/working-with-objects/labels/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/labels/
 short_description: >
   用来为对象设置可标识的属性标记；这些标记对用户而言是有意义且重要的。
 
diff --git a/content/zh/docs/reference/glossary/limitrange.md b/content/zh-cn/docs/reference/glossary/limitrange.md
similarity index 100%
rename from content/zh/docs/reference/glossary/limitrange.md
rename to content/zh-cn/docs/reference/glossary/limitrange.md
diff --git a/content/zh/docs/reference/glossary/logging.md b/content/zh-cn/docs/reference/glossary/logging.md
similarity index 82%
rename from content/zh/docs/reference/glossary/logging.md
rename to content/zh-cn/docs/reference/glossary/logging.md
index 8a88fe527e288..17e490de2768b 100644
--- a/content/zh/docs/reference/glossary/logging.md
+++ b/content/zh-cn/docs/reference/glossary/logging.md
@@ -2,7 +2,7 @@
 title: 日志（Logging）
 id: logging
 date: 2019-04-04
-full_link: /zh/docs/concepts/cluster-administration/logging/
+full_link: /zh-cn/docs/concepts/cluster-administration/logging/
 short_description: >
   日志是集群或应用程序记录的事件列表。
 
@@ -18,7 +18,7 @@ tags:
 title: Logging
 id: logging
 date: 2019-04-04
-full_link: /zh/docs/concepts/cluster-administration/logging/
+full_link: /zh-cn/docs/concepts/cluster-administration/logging/
 short_description: >
   Logs are the list of events that are logged by cluster or application.
 
@@ -36,4 +36,4 @@ tags:
 Application and systems logs can help you understand what is happening inside your cluster. The logs are particularly useful for debugging problems and monitoring cluster activity. 
 -->
 
-应用程序和系统日志可以帮助您了解集群内部发生的情况。日志对于调试问题和监视集群活动非常有用。
\ No newline at end of file
+应用程序和系统日志可以帮助你了解集群内部发生的情况。日志对于调试问题和监视集群活动非常有用。
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/managed-service.md b/content/zh-cn/docs/reference/glossary/managed-service.md
similarity index 94%
rename from content/zh/docs/reference/glossary/managed-service.md
rename to content/zh-cn/docs/reference/glossary/managed-service.md
index 567736f091da8..d115469431fde 100644
--- a/content/zh/docs/reference/glossary/managed-service.md
+++ b/content/zh-cn/docs/reference/glossary/managed-service.md
@@ -40,7 +40,7 @@ list, provision, and bind with Managed Services offered by
 -->
 托管服务的一些例子有 AWS EC2、Azure SQL 数据库和 GCP Pub/Sub 等，
 不过它们也可以是可以被某应用使用的任何软件交付件。
-[服务目录](/zh/docs/concepts/extend-kubernetes/service-catalog/)
+[服务目录](/zh-cn/docs/concepts/extend-kubernetes/service-catalog/)
 提供了一种方法用来列举、制备和绑定到
 {{< glossary_tooltip text="服务代理商（Service Brokers）" term_id="service-broker" >}}
 所提供的托管服务。
diff --git a/content/zh/docs/reference/glossary/manifest.md b/content/zh-cn/docs/reference/glossary/manifest.md
similarity index 100%
rename from content/zh/docs/reference/glossary/manifest.md
rename to content/zh-cn/docs/reference/glossary/manifest.md
diff --git a/content/zh/docs/reference/glossary/master.md b/content/zh-cn/docs/reference/glossary/master.md
similarity index 100%
rename from content/zh/docs/reference/glossary/master.md
rename to content/zh-cn/docs/reference/glossary/master.md
diff --git a/content/zh/docs/reference/glossary/member.md b/content/zh-cn/docs/reference/glossary/member.md
similarity index 100%
rename from content/zh/docs/reference/glossary/member.md
rename to content/zh-cn/docs/reference/glossary/member.md
diff --git a/content/zh/docs/reference/glossary/minikube.md b/content/zh-cn/docs/reference/glossary/minikube.md
similarity index 91%
rename from content/zh/docs/reference/glossary/minikube.md
rename to content/zh-cn/docs/reference/glossary/minikube.md
index 4d834cd8075e3..b688f968220c9 100644
--- a/content/zh/docs/reference/glossary/minikube.md
+++ b/content/zh-cn/docs/reference/glossary/minikube.md
@@ -44,4 +44,4 @@ You can use Minikube to
 
 Minikube 在用户计算机上的一个虚拟机内运行单节点 Kubernetes 集群。
 你可以使用 Minikube 
-[在学习环境中尝试 Kubernetes](/zh/docs/setup/learning-environment/).
+[在学习环境中尝试 Kubernetes](/zh-cn/docs/setup/learning-environment/).
diff --git a/content/zh/docs/reference/glossary/mirror-pod.md b/content/zh-cn/docs/reference/glossary/mirror-pod.md
similarity index 100%
rename from content/zh/docs/reference/glossary/mirror-pod.md
rename to content/zh-cn/docs/reference/glossary/mirror-pod.md
diff --git a/content/zh/docs/reference/glossary/name.md b/content/zh-cn/docs/reference/glossary/name.md
similarity index 93%
rename from content/zh/docs/reference/glossary/name.md
rename to content/zh-cn/docs/reference/glossary/name.md
index 6c6dd2b15c9bc..984b85f1f73a2 100644
--- a/content/zh/docs/reference/glossary/name.md
+++ b/content/zh-cn/docs/reference/glossary/name.md
@@ -2,7 +2,7 @@
 title: 名称（Name）
 id: name
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/working-with-objects/names/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/names/
 short_description: >
   客户端提供的字符串，用来指代资源 URL 中的对象，如 `/api/v1/pods/some-name`。
 
diff --git a/content/zh/docs/reference/glossary/namespace.md b/content/zh-cn/docs/reference/glossary/namespace.md
similarity index 95%
rename from content/zh/docs/reference/glossary/namespace.md
rename to content/zh-cn/docs/reference/glossary/namespace.md
index 5934d748fe79b..b2033d2a03792 100644
--- a/content/zh/docs/reference/glossary/namespace.md
+++ b/content/zh-cn/docs/reference/glossary/namespace.md
@@ -2,7 +2,7 @@
 title: 名字空间（Namespace）
 id: namespace
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/working-with-objects/namespaces/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/namespaces/
 short_description: >
   名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。
 
diff --git a/content/zh/docs/reference/glossary/network-policy.md b/content/zh-cn/docs/reference/glossary/network-policy.md
similarity index 72%
rename from content/zh/docs/reference/glossary/network-policy.md
rename to content/zh-cn/docs/reference/glossary/network-policy.md
index 10cc5f6b64199..69c8f50319355 100644
--- a/content/zh/docs/reference/glossary/network-policy.md
+++ b/content/zh-cn/docs/reference/glossary/network-policy.md
@@ -2,7 +2,7 @@
 title: 网络策略
 id: network-policy
 date: 2018-04-12
-full_link: /zh/docs/concepts/services-networking/network-policies/
+full_link: /zh-cn/docs/concepts/services-networking/network-policies/
 short_description: >
   网络策略是一种规范，规定了允许 Pod 组之间、Pod 与其他网络端点之间以怎样的方式进行通信。
 
@@ -41,4 +41,7 @@ tags:
 Network Policies help you declaratively configure which Pods are allowed to connect to each other, which namespaces are allowed to communicate, and more specifically which port numbers to enforce each policy on. `NetworkPolicy` resources use labels to select Pods and define rules which specify what traffic is allowed to the selected Pods. Network Policies are implemented by a supported network plugin provided by a network provider. Be aware that creating a network resource without a controller to implement it will have no effect.
 -->
 
-网络策略帮助您声明式地配置允许哪些 Pod 之间接、哪些命名空间之间允许进行通信，并具体配置了哪些端口号来执行各个策略。`NetworkPolicy` 资源使用标签来选择 Pod，并定义了所选 Pod 可以接受什么样的流量。网络策略由网络提供商提供的并被 Kubernetes 支持的网络插件实现。请注意，当没有控制器实现网络资源时，创建网络资源将不会生效。
+网络策略帮助你声明式地配置允许哪些 Pod 之间、哪些命名空间之间允许进行通信，
+并具体配置了哪些端口号来执行各个策略。`NetworkPolicy` 资源使用标签来选择 Pod，
+并定义了所选 Pod 可以接受什么样的流量。网络策略由网络提供商提供的并被 Kubernetes 支持的网络插件实现。
+请注意，当没有控制器实现网络资源时，创建网络资源将不会生效。
diff --git a/content/zh/docs/reference/glossary/node-pressure-eviction.md b/content/zh-cn/docs/reference/glossary/node-pressure-eviction.md
similarity index 95%
rename from content/zh/docs/reference/glossary/node-pressure-eviction.md
rename to content/zh-cn/docs/reference/glossary/node-pressure-eviction.md
index c5faa5f135177..ad2108e9d8df7 100644
--- a/content/zh/docs/reference/glossary/node-pressure-eviction.md
+++ b/content/zh-cn/docs/reference/glossary/node-pressure-eviction.md
@@ -2,7 +2,7 @@
 title: 节点压力驱逐
 id: node-pressure-eviction
 date: 2021-05-13
-full_link: /zh/docs/concepts/scheduling-eviction/node-pressure-eviction/
+full_link: /zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/
 short_description: >
   节点压力驱逐是 kubelet 主动使 Pod 失败以回收节点上的资源的过程。
 aka:
diff --git a/content/zh/docs/reference/glossary/node.md b/content/zh-cn/docs/reference/glossary/node.md
similarity index 93%
rename from content/zh/docs/reference/glossary/node.md
rename to content/zh-cn/docs/reference/glossary/node.md
index d9ac8a9deb4a0..be28602caccd2 100644
--- a/content/zh/docs/reference/glossary/node.md
+++ b/content/zh-cn/docs/reference/glossary/node.md
@@ -2,7 +2,7 @@
 title: 节点（Node）
 id: node
 date: 2018-04-12
-full_link: /zh/docs/concepts/architecture/nodes/
+full_link: /zh-cn/docs/concepts/architecture/nodes/
 short_description: >
   Kubernetes 中的工作机器称作节点。
 
@@ -15,7 +15,7 @@ tags:
 title: Node
 id: node
 date: 2018-04-12
-full_link: /zh/docs/concepts/architecture/nodes/
+full_link: /zh-cn/docs/concepts/architecture/nodes/
 short_description: >
   A node is a worker machine in Kubernetes.
 
diff --git a/content/zh/docs/reference/glossary/object.md b/content/zh-cn/docs/reference/glossary/object.md
similarity index 93%
rename from content/zh/docs/reference/glossary/object.md
rename to content/zh-cn/docs/reference/glossary/object.md
index 99576b5665887..0a5a07d10a4fe 100644
--- a/content/zh/docs/reference/glossary/object.md
+++ b/content/zh-cn/docs/reference/glossary/object.md
@@ -2,7 +2,7 @@
 title: 对象（Object）
 id: object
 date: 2020-10-12
-full_link: /zh/docs/concepts/overview/working-with-objects/kubernetes-objects/#kubernetes-objects
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/#kubernetes-objects
 short_description: >
    Kubernetes 系统中的实体, 代表了集群的部分状态。
 aka: 
diff --git a/content/zh/docs/reference/glossary/operator-pattern.md b/content/zh-cn/docs/reference/glossary/operator-pattern.md
similarity index 90%
rename from content/zh/docs/reference/glossary/operator-pattern.md
rename to content/zh-cn/docs/reference/glossary/operator-pattern.md
index c6da67025704a..21751ab4ab3a9 100644
--- a/content/zh/docs/reference/glossary/operator-pattern.md
+++ b/content/zh-cn/docs/reference/glossary/operator-pattern.md
@@ -2,7 +2,7 @@
 title: Operator 模式
 id: operator-pattern
 date: 2019-05-21
-full_link: /zh/docs/concepts/extend-kubernetes/operator/
+full_link: /zh-cn/docs/concepts/extend-kubernetes/operator/
 short_description: >
   一种用于管理自定义资源的专用控制器
 
@@ -28,7 +28,7 @@ The [operator pattern](/docs/concepts/extend-kubernetes/operator/) is a system
 design that links a {{< glossary_tooltip term_id="controller" >}} to one or more custom
 resources.
 -->
-[operator 模式](/zh/docs/concepts/extend-kubernetes/operator/) 是一种系统设计, 
+[operator 模式](/zh-cn/docs/concepts/extend-kubernetes/operator/) 是一种系统设计, 
 将 {{< glossary_tooltip term_id="controller" >}} 关联到一个或多个自定义资源。
 <!--more-->
 
diff --git a/content/zh/docs/reference/glossary/persistent-volume-claim.md b/content/zh-cn/docs/reference/glossary/persistent-volume-claim.md
similarity index 96%
rename from content/zh/docs/reference/glossary/persistent-volume-claim.md
rename to content/zh-cn/docs/reference/glossary/persistent-volume-claim.md
index f5ab57a3e8eb4..4eb2e49e2bc6c 100644
--- a/content/zh/docs/reference/glossary/persistent-volume-claim.md
+++ b/content/zh-cn/docs/reference/glossary/persistent-volume-claim.md
@@ -2,7 +2,7 @@
 title: 持久卷申领（Persistent Volume Claim）
 id: persistent-volume-claim
 date: 2018-04-12
-full_link: /zh/docs/concepts/storage/persistent-volumes/
+full_link: /zh-cn/docs/concepts/storage/persistent-volumes/
 short_description: >
   声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。
 
diff --git a/content/zh/docs/reference/glossary/persistent-volume.md b/content/zh-cn/docs/reference/glossary/persistent-volume.md
similarity index 96%
rename from content/zh/docs/reference/glossary/persistent-volume.md
rename to content/zh-cn/docs/reference/glossary/persistent-volume.md
index 671e3a8bf3eee..8bcd24d6a82b2 100644
--- a/content/zh/docs/reference/glossary/persistent-volume.md
+++ b/content/zh-cn/docs/reference/glossary/persistent-volume.md
@@ -2,7 +2,7 @@
 title: 持久卷（Persistent Volume）
 id: persistent-volume
 date: 2018-04-12
-full_link: /zh/docs/concepts/storage/persistent-volumes/
+full_link: /zh-cn/docs/concepts/storage/persistent-volumes/
 short_description: >
   持久卷是代表集群中一块存储空间的 API 对象。 它是通用的、可插拔的、并且不受单个 Pod 生命周期约束的持久化资源。
 
diff --git a/content/zh/docs/reference/glossary/platform-developer.md b/content/zh-cn/docs/reference/glossary/platform-developer.md
similarity index 86%
rename from content/zh/docs/reference/glossary/platform-developer.md
rename to content/zh-cn/docs/reference/glossary/platform-developer.md
index 41e8b99995d06..a03cf67d81c91 100644
--- a/content/zh/docs/reference/glossary/platform-developer.md
+++ b/content/zh-cn/docs/reference/glossary/platform-developer.md
@@ -41,8 +41,8 @@ develop extensions which are contributed to the Kubernetes community.
 Others develop closed-source commercial or site-specific extensions.
 -->
 
-平台开发人员可以使用[定制资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
-或[使用汇聚层扩展 Kubernetes API](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+平台开发人员可以使用[定制资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+或[使用汇聚层扩展 Kubernetes API](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
 来为其 Kubernetes 实例增加功能，特别是为其应用程序添加功能。
 一些平台开发人员也是 kubernetes {{< glossary_tooltip text="贡献者" term_id="contributor" >}}，
 他们会开发贡献给 Kubernetes 社区的扩展。
diff --git a/content/zh/docs/reference/glossary/pod-disruption-budget.md b/content/zh-cn/docs/reference/glossary/pod-disruption-budget.md
similarity index 89%
rename from content/zh/docs/reference/glossary/pod-disruption-budget.md
rename to content/zh-cn/docs/reference/glossary/pod-disruption-budget.md
index 444bec87e35c5..32077d48cd72e 100644
--- a/content/zh/docs/reference/glossary/pod-disruption-budget.md
+++ b/content/zh-cn/docs/reference/glossary/pod-disruption-budget.md
@@ -1,7 +1,7 @@
 ---
 id: pod-disruption-budget
 title: Pod Disruption Budget
-full-link: /zh/docs/concepts/workloads/pods/disruptions/
+full-link: /zh-cn/docs/concepts/workloads/pods/disruptions/
 date: 2019-02-12
 short_description: >
  Pod Disruption Budget 是这样一种对象：它保证在主动中断（ voluntary disruptions）时，多实例应用的 {{< glossary_tooltip text="Pod" term_id="pod" >}} 不会少于一定的数量。
@@ -43,7 +43,7 @@ tags:
  Involuntary disruptions cannot be prevented by PDBs; however they 
  do count against the budget.
 -->
- [Pod 干扰预算（Pod Disruption Budget，PDB）](/zh/docs/concepts/workloads/pods/disruptions/)
+ [Pod 干扰预算（Pod Disruption Budget，PDB）](/zh-cn/docs/concepts/workloads/pods/disruptions/)
  使应用所有者能够为多实例应用创建一个对象，来确保一定数量的具有指定标签的 Pod 在任何时候都不会被主动驱逐。
  <!--more--> 
 PDB 无法防止非主动的中断，但是会计入预算（budget）。
diff --git a/content/zh/docs/reference/glossary/pod-disruption.md b/content/zh-cn/docs/reference/glossary/pod-disruption.md
similarity index 90%
rename from content/zh/docs/reference/glossary/pod-disruption.md
rename to content/zh-cn/docs/reference/glossary/pod-disruption.md
index 5ea9d70b10137..39b8ce8d83994 100644
--- a/content/zh/docs/reference/glossary/pod-disruption.md
+++ b/content/zh-cn/docs/reference/glossary/pod-disruption.md
@@ -37,7 +37,7 @@ tags:
 Pods on Nodes are terminated either voluntarily or involuntarily. 
 -->
 
-[pod 干扰](/zh/docs/concepts/workloads/pods/disruptions/) 是指节点上的 pod 被自愿或非自愿终止的过程。
+[pod 干扰](/zh-cn/docs/concepts/workloads/pods/disruptions/) 是指节点上的 pod 被自愿或非自愿终止的过程。
 
 <!--more--> 
 
diff --git a/content/zh/docs/reference/glossary/pod-lifecycle.md b/content/zh-cn/docs/reference/glossary/pod-lifecycle.md
similarity index 89%
rename from content/zh/docs/reference/glossary/pod-lifecycle.md
rename to content/zh-cn/docs/reference/glossary/pod-lifecycle.md
index d83ca39ad0bd2..8eff328c4d730 100644
--- a/content/zh/docs/reference/glossary/pod-lifecycle.md
+++ b/content/zh-cn/docs/reference/glossary/pod-lifecycle.md
@@ -2,7 +2,7 @@
 title: Pod 生命周期
 id: pod-lifecycle
 date: 2019-02-17
-full-link: /zh/docs/concepts/workloads/pods/pod-lifecycle/
+full-link: /zh-cn/docs/concepts/workloads/pods/pod-lifecycle/
 related:
  - pod
  - container
@@ -36,7 +36,7 @@ A high-level summary of what phase the Pod is in within its lifecyle.
 <!--
 The [Pod Lifecycle](/docs/concepts/workloads/pods/pod-lifecycle/) is defined by the states or phases of a Pod. There are five possible Pod phases: Pending, Running, Succeeded, Failed, and Unknown. A high-level description of the Pod state is summarized in the [PodStatus](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podstatus-v1-core) `phase` field.
 -->
-[Pod 生命周期](/zh/docs/concepts/workloads/pods/pod-lifecycle/) 是关于 Pod
+[Pod 生命周期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/) 是关于 Pod
 处于哪个阶段的概述。包含了下面5种可能的的阶段: Running、Pending、Succeeded、
 Failed、Unknown。关于 Pod 的阶段的更高级描述请查阅
 [PodStatus](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podstatus-v1-core) `phase` 字段。
diff --git a/content/zh/docs/reference/glossary/pod-priority.md b/content/zh-cn/docs/reference/glossary/pod-priority.md
similarity index 85%
rename from content/zh/docs/reference/glossary/pod-priority.md
rename to content/zh-cn/docs/reference/glossary/pod-priority.md
index d029d0593cfdc..1ddc48e1a84c4 100644
--- a/content/zh/docs/reference/glossary/pod-priority.md
+++ b/content/zh-cn/docs/reference/glossary/pod-priority.md
@@ -2,7 +2,7 @@
 title: Pod 优先级（Pod Priority）
 id: pod-priority
 date: 2019-01-31
-full_link: /zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority
+full_link: /zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority
 short_description: >
   Pod 优先级表示一个 Pod 相对于其他 Pod 的重要性。
 
@@ -34,7 +34,7 @@ tags:
 <!--
 [Pod Priority](/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) gives the ability to set scheduling priority of a Pod to be higher and lower than other Pods — an important feature for production clusters workload.
 -->
-[Pod 优先级](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)
+[Pod 优先级](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)
 允许用户为 Pod 设置高于或低于其他 Pod 的优先级 -- 这对于生产集群
 工作负载而言是一个重要的特性。
 
diff --git a/content/zh/docs/reference/glossary/pod-security-policy.md b/content/zh-cn/docs/reference/glossary/pod-security-policy.md
similarity index 89%
rename from content/zh/docs/reference/glossary/pod-security-policy.md
rename to content/zh-cn/docs/reference/glossary/pod-security-policy.md
index f80416fb44991..db491739304b4 100644
--- a/content/zh/docs/reference/glossary/pod-security-policy.md
+++ b/content/zh-cn/docs/reference/glossary/pod-security-policy.md
@@ -2,7 +2,7 @@
 title: Pod 安全策略
 id: pod-security-policy
 date: 2018-04-12
-full_link: /zh/docs/concepts/security/pod-security-policy/
+full_link: /zh-cn/docs/concepts/security/pod-security-policy/
 short_description: >
   为 Pod 的创建和更新操作启用细粒度的授权。
 
@@ -47,5 +47,5 @@ Pod 安全策略是集群级别的资源，它控制着 Pod 规约中的安全
 PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25. We recommend migrating to [Pod Security Admission](/docs/concepts/security/pod-security-admission/), or a 3rd party admission plugin.
 -->
 PodSecurityPolicy 自 Kubernetes v1.21 起已弃用，并将在 v1.25 中删除。 
-我们建议迁移到 [Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)或第三方准入插件。
+我们建议迁移到 [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)或第三方准入插件。
 
diff --git a/content/zh/docs/reference/glossary/pod.md b/content/zh-cn/docs/reference/glossary/pod.md
similarity index 95%
rename from content/zh/docs/reference/glossary/pod.md
rename to content/zh-cn/docs/reference/glossary/pod.md
index 873ec90e62723..eee257a43d56a 100644
--- a/content/zh/docs/reference/glossary/pod.md
+++ b/content/zh-cn/docs/reference/glossary/pod.md
@@ -4,7 +4,7 @@ id: pod
 date: 2018-04-12
 full_link: /docs/concepts/workloads/pods/pod-overview/
 short_description: >
-  Pod 表示您的集群上一组正在运行的容器。
+  Pod 表示你的集群上一组正在运行的容器。
 
 aka: 
 tags:
diff --git a/content/zh/docs/reference/glossary/preemption.md b/content/zh-cn/docs/reference/glossary/preemption.md
similarity index 88%
rename from content/zh/docs/reference/glossary/preemption.md
rename to content/zh-cn/docs/reference/glossary/preemption.md
index 328d0abfaca2b..7875e60d0bb6d 100644
--- a/content/zh/docs/reference/glossary/preemption.md
+++ b/content/zh-cn/docs/reference/glossary/preemption.md
@@ -2,7 +2,7 @@
 title: 抢占（Preemption）
 id: preemption
 date: 2019-01-31
-full_link: /zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption
+full_link: /zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption
 short_description: >
   Kubernetes 中的抢占逻辑通过驱逐节点上的低优先级 Pod 来帮助悬决的
   Pod 找到合适的节点。
@@ -37,6 +37,6 @@ Kubernetes 中的抢占逻辑通过驱逐{{< glossary_tooltip term_id="node" >}}
 If a Pod cannot be scheduled, the scheduler tries to [preempt](/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption) lower priority Pods to make scheduling of the pending Pod possible.
 -->
 如果一个 Pod 无法调度，调度器会尝试
-[抢占](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption)
+[抢占](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/#preemption)
 较低优先级的 Pod，以使得悬决的 Pod 有可能被调度。
 
diff --git a/content/zh/docs/reference/glossary/proxy.md b/content/zh-cn/docs/reference/glossary/proxy.md
similarity index 88%
rename from content/zh/docs/reference/glossary/proxy.md
rename to content/zh-cn/docs/reference/glossary/proxy.md
index c9d4ff0bea79a..b186dd606531a 100644
--- a/content/zh/docs/reference/glossary/proxy.md
+++ b/content/zh-cn/docs/reference/glossary/proxy.md
@@ -43,7 +43,7 @@ actual server's reply to the client.
 network proxy that runs on each node in your cluster, implementing part of
 the Kubernetes {{< glossary_tooltip term_id="service">}} concept.
 -->
-[kube-proxy](/zh/docs/reference/command-line-tools-reference/kube-proxy/) 是集群中每个节点上运行的网络代理，实现了部分 Kubernetes {{< glossary_tooltip term_id="service">}} 概念。
+[kube-proxy](/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/) 是集群中每个节点上运行的网络代理，实现了部分 Kubernetes {{< glossary_tooltip term_id="service">}} 概念。
 
 <!--
 You can run kube-proxy as a plain userland proxy service. If your operating
diff --git a/content/zh/docs/reference/glossary/qos-class.md b/content/zh-cn/docs/reference/glossary/qos-class.md
similarity index 100%
rename from content/zh/docs/reference/glossary/qos-class.md
rename to content/zh-cn/docs/reference/glossary/qos-class.md
diff --git a/content/zh/docs/reference/glossary/quantity.md b/content/zh-cn/docs/reference/glossary/quantity.md
similarity index 100%
rename from content/zh/docs/reference/glossary/quantity.md
rename to content/zh-cn/docs/reference/glossary/quantity.md
diff --git a/content/zh/docs/reference/glossary/rbac.md b/content/zh-cn/docs/reference/glossary/rbac.md
similarity index 90%
rename from content/zh/docs/reference/glossary/rbac.md
rename to content/zh-cn/docs/reference/glossary/rbac.md
index d0a8eaf88a794..cb12f7dcef417 100644
--- a/content/zh/docs/reference/glossary/rbac.md
+++ b/content/zh-cn/docs/reference/glossary/rbac.md
@@ -2,7 +2,7 @@
 title: 基于角色的访问控制（RBAC）
 id: rbac
 date: 2018-04-12
-full_link: /zh/docs/reference/access-authn-authz/rbac/
+full_link: /zh-cn/docs/reference/access-authn-authz/rbac/
 short_description: >
   管理授权决策，允许管理员通过 Kubernetes API 动态配置访问策略。
 
@@ -17,7 +17,7 @@ tags:
 title: RBAC (Role-Based Access Control)
 id: rbac
 date: 2018-04-12
-full_link: /zh/docs/reference/access-authn-authz/rbac/
+full_link: /zh-cn/docs/reference/access-authn-authz/rbac/
 short_description: >
   Manages authorization decisions, allowing admins to dynamically configure access policies through the Kubernetes API.
 
diff --git a/content/zh/docs/reference/glossary/replica-set.md b/content/zh-cn/docs/reference/glossary/replica-set.md
similarity index 89%
rename from content/zh/docs/reference/glossary/replica-set.md
rename to content/zh-cn/docs/reference/glossary/replica-set.md
index 40378c25557b2..14534cfdf183a 100644
--- a/content/zh/docs/reference/glossary/replica-set.md
+++ b/content/zh-cn/docs/reference/glossary/replica-set.md
@@ -2,7 +2,7 @@
 title: ReplicaSet
 id: replica-set
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/replicaset/
+full_link: /zh-cn/docs/concepts/workloads/controllers/replicaset/
 short_description: >
   ReplicaSet 是下一代副本控制器。
 
@@ -18,7 +18,7 @@ tags:
 title: ReplicaSet
 id: replica-set
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/replicaset/
+full_link: /zh-cn/docs/concepts/workloads/controllers/replicaset/
 short_description: >
   ReplicaSet is the next-generation Replication Controller.
 
diff --git a/content/zh/docs/reference/glossary/replication-controller.md b/content/zh-cn/docs/reference/glossary/replication-controller.md
similarity index 100%
rename from content/zh/docs/reference/glossary/replication-controller.md
rename to content/zh-cn/docs/reference/glossary/replication-controller.md
diff --git a/content/zh/docs/reference/glossary/resource-quota.md b/content/zh-cn/docs/reference/glossary/resource-quota.md
similarity index 90%
rename from content/zh/docs/reference/glossary/resource-quota.md
rename to content/zh-cn/docs/reference/glossary/resource-quota.md
index 4e35800abeb24..2355db178cdd5 100644
--- a/content/zh/docs/reference/glossary/resource-quota.md
+++ b/content/zh-cn/docs/reference/glossary/resource-quota.md
@@ -2,7 +2,7 @@
 title: 资源配额（Resource Quotas）
 id: resource-quota
 date: 2018-04-12
-full_link: /zh/docs/concepts/policy/resource-quotas/
+full_link: /zh-cn/docs/concepts/policy/resource-quotas/
 short_description: >
   资源配额提供了限制每个命名空间的资源消耗总和的约束。
 
@@ -18,7 +18,7 @@ tags:
 title: Resource Quotas
 id: resource-quota
 date: 2018-04-12
-full_link: /zh/docs/concepts/policy/resource-quotas/
+full_link: /zh-cn/docs/concepts/policy/resource-quotas/
 short_description: >
   Provides constraints that limit aggregate resource consumption per namespace.
 
diff --git a/content/zh/docs/reference/glossary/reviewer.md b/content/zh-cn/docs/reference/glossary/reviewer.md
similarity index 100%
rename from content/zh/docs/reference/glossary/reviewer.md
rename to content/zh-cn/docs/reference/glossary/reviewer.md
diff --git a/content/zh/docs/reference/glossary/secret.md b/content/zh-cn/docs/reference/glossary/secret.md
similarity index 82%
rename from content/zh/docs/reference/glossary/secret.md
rename to content/zh-cn/docs/reference/glossary/secret.md
index 9eb093ac6a65a..07153ab7d9efe 100644
--- a/content/zh/docs/reference/glossary/secret.md
+++ b/content/zh-cn/docs/reference/glossary/secret.md
@@ -2,7 +2,7 @@
 title: Secret
 id: secret
 date: 2018-04-12
-full_link: /zh/docs/concepts/configuration/secret/
+full_link: /zh-cn/docs/concepts/configuration/secret/
 short_description: >
   Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。
 
@@ -42,6 +42,6 @@ Allows for more control over how sensitive information is used and reduces the r
 
 Secret 允许用户对如何使用敏感信息进行更多的控制，并减少信息意外暴露的风险。
 默认情况下，Secret 值被编码为 base64 字符串并以非加密的形式存储，但可以配置为
-[静态加密（Encrypt at rest）](/zh/docs/tasks/administer-cluster/encrypt-data/#ensure-all-secrets-are-encrypted)。
+[静态加密（Encrypt at rest）](/zh-cn/docs/tasks/administer-cluster/encrypt-data/#ensure-all-secrets-are-encrypted)。
 {{< glossary_tooltip text="Pod" term_id="pod" >}} 通过挂载卷中的文件的方式引用 Secret，或者通过 kubelet 为 pod 拉取镜像时引用。
-Secret 非常适合机密数据使用，而 [ConfigMaps](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/) 适用于非机密数据。
+Secret 非常适合机密数据使用，而 [ConfigMaps](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/) 适用于非机密数据。
diff --git a/content/zh/docs/reference/glossary/security-context.md b/content/zh-cn/docs/reference/glossary/security-context.md
similarity index 95%
rename from content/zh/docs/reference/glossary/security-context.md
rename to content/zh-cn/docs/reference/glossary/security-context.md
index 864e6937353fb..586096ffbd6da 100644
--- a/content/zh/docs/reference/glossary/security-context.md
+++ b/content/zh-cn/docs/reference/glossary/security-context.md
@@ -2,7 +2,7 @@
 title: 安全上下文（Security Context）
 id: security-context
 date: 2018-04-12
-full_link: /zh/docs/tasks/configure-pod-container/security-context/
+full_link: /zh-cn/docs/tasks/configure-pod-container/security-context/
 short_description: >
   securityContext 字段定义 Pod 或容器的特权和访问控制设置，包括运行时 UID 和 GID。
 
diff --git a/content/zh/docs/reference/glossary/selector.md b/content/zh-cn/docs/reference/glossary/selector.md
similarity index 92%
rename from content/zh/docs/reference/glossary/selector.md
rename to content/zh-cn/docs/reference/glossary/selector.md
index 7a1343090f8f1..309419fab4a95 100644
--- a/content/zh/docs/reference/glossary/selector.md
+++ b/content/zh-cn/docs/reference/glossary/selector.md
@@ -2,7 +2,7 @@
 title: 选择算符（Selector）
 id: selector
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/working-with-objects/labels/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/labels/
 short_description: >
   选择算符允许用户通过标签对一组资源对象进行筛选过滤。
 
diff --git a/content/zh/docs/reference/glossary/service-account.md b/content/zh-cn/docs/reference/glossary/service-account.md
similarity index 94%
rename from content/zh/docs/reference/glossary/service-account.md
rename to content/zh-cn/docs/reference/glossary/service-account.md
index e54a4ef98b48e..62c88b0c32b35 100644
--- a/content/zh/docs/reference/glossary/service-account.md
+++ b/content/zh-cn/docs/reference/glossary/service-account.md
@@ -2,7 +2,7 @@
 title: ServiceAccount
 id: service-account
 date: 2018-04-12
-full_link: /zh/docs/tasks/configure-pod-container/configure-service-account/
+full_link: /zh-cn/docs/tasks/configure-pod-container/configure-service-account/
 short_description: >
   为在 Pod 中运行的进程提供标识。
 
diff --git a/content/zh/docs/reference/glossary/service-broker.md b/content/zh-cn/docs/reference/glossary/service-broker.md
similarity index 88%
rename from content/zh/docs/reference/glossary/service-broker.md
rename to content/zh-cn/docs/reference/glossary/service-broker.md
index b8afe97d7015a..4e477b4edc434 100644
--- a/content/zh/docs/reference/glossary/service-broker.md
+++ b/content/zh-cn/docs/reference/glossary/service-broker.md
@@ -44,4 +44,4 @@ list, provision, and bind with Managed Services offered by Service Brokers.
 {{< glossary_tooltip text="服务代理（Service Brokers）" term_id="service-broker">}}会实现
 [开放服务代理 API 规范](https://github.com/openservicebrokerapi/servicebroker/blob/v2.13/spec.md)
 并为应用提供使用其托管服务的标准接口。
-[服务目录（Service Catalog）](/zh/docs/concepts/extend-kubernetes/service-catalog/)则提供一种方法，用来列举、供应和绑定服务代理商所提供的托管服务。
+[服务目录（Service Catalog）](/zh-cn/docs/concepts/extend-kubernetes/service-catalog/)则提供一种方法，用来列举、供应和绑定服务代理商所提供的托管服务。
diff --git a/content/zh/docs/reference/glossary/service-catalog.md b/content/zh-cn/docs/reference/glossary/service-catalog.md
similarity index 100%
rename from content/zh/docs/reference/glossary/service-catalog.md
rename to content/zh-cn/docs/reference/glossary/service-catalog.md
diff --git a/content/zh/docs/reference/glossary/service.md b/content/zh-cn/docs/reference/glossary/service.md
similarity index 95%
rename from content/zh/docs/reference/glossary/service.md
rename to content/zh-cn/docs/reference/glossary/service.md
index fb611558b5151..7c4a3c58d638c 100644
--- a/content/zh/docs/reference/glossary/service.md
+++ b/content/zh-cn/docs/reference/glossary/service.md
@@ -2,7 +2,7 @@
 title: 服务（Service）
 id: service
 date: 2018-04-12
-full_link: /zh/docs/concepts/services-networking/service/
+full_link: /zh-cn/docs/concepts/services-networking/service/
 short_description: >
   将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。
 
diff --git a/content/zh/docs/reference/glossary/shuffle-sharding.md b/content/zh-cn/docs/reference/glossary/shuffle-sharding.md
similarity index 100%
rename from content/zh/docs/reference/glossary/shuffle-sharding.md
rename to content/zh-cn/docs/reference/glossary/shuffle-sharding.md
diff --git a/content/zh/docs/reference/glossary/sig.md b/content/zh-cn/docs/reference/glossary/sig.md
similarity index 100%
rename from content/zh/docs/reference/glossary/sig.md
rename to content/zh-cn/docs/reference/glossary/sig.md
diff --git a/content/zh/docs/reference/glossary/statefulset.md b/content/zh-cn/docs/reference/glossary/statefulset.md
similarity index 97%
rename from content/zh/docs/reference/glossary/statefulset.md
rename to content/zh-cn/docs/reference/glossary/statefulset.md
index 6e796d9419b74..e94318e78ae13 100644
--- a/content/zh/docs/reference/glossary/statefulset.md
+++ b/content/zh-cn/docs/reference/glossary/statefulset.md
@@ -2,7 +2,7 @@
 title: StatefulSet
 id: statefulset
 date: 2018-04-12
-full_link: /zh/docs/concepts/workloads/controllers/statefulset/
+full_link: /zh-cn/docs/concepts/workloads/controllers/statefulset/
 short_description: >
   StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。
 aka: 
diff --git a/content/zh/docs/reference/glossary/static-pod.md b/content/zh-cn/docs/reference/glossary/static-pod.md
similarity index 92%
rename from content/zh/docs/reference/glossary/static-pod.md
rename to content/zh-cn/docs/reference/glossary/static-pod.md
index e785a96a8593c..fd9103c322a2a 100644
--- a/content/zh/docs/reference/glossary/static-pod.md
+++ b/content/zh-cn/docs/reference/glossary/static-pod.md
@@ -2,7 +2,7 @@
 title: 静态 Pod（Static Pod）
 id: static-pod
 date: 2019-02-12
-full_link: /zh/docs/tasks/configure-pod-container/static-pod/
+full_link: /zh-cn/docs/tasks/configure-pod-container/static-pod/
 short_description: >
   静态Pod（Static Pod）是指由特定节点上的 kubelet 守护进程直接管理的 Pod。
 
diff --git a/content/zh/docs/reference/glossary/storage-class.md b/content/zh-cn/docs/reference/glossary/storage-class.md
similarity index 96%
rename from content/zh/docs/reference/glossary/storage-class.md
rename to content/zh-cn/docs/reference/glossary/storage-class.md
index 1ad1834b1504e..b0fc008df7ddd 100644
--- a/content/zh/docs/reference/glossary/storage-class.md
+++ b/content/zh-cn/docs/reference/glossary/storage-class.md
@@ -2,7 +2,7 @@
 title: StorageClass
 id: storageclass
 date: 2018-04-12
-full_link: /zh/docs/concepts/storage/storage-classes/
+full_link: /zh-cn/docs/concepts/storage/storage-classes/
 short_description: >
   StorageClass 是管理员用来描述可用的不同存储类型的一种方法。
 
diff --git a/content/zh/docs/reference/glossary/sysctl.md b/content/zh-cn/docs/reference/glossary/sysctl.md
similarity index 95%
rename from content/zh/docs/reference/glossary/sysctl.md
rename to content/zh-cn/docs/reference/glossary/sysctl.md
index b987583df790b..1c35bc662b74d 100644
--- a/content/zh/docs/reference/glossary/sysctl.md
+++ b/content/zh-cn/docs/reference/glossary/sysctl.md
@@ -2,7 +2,7 @@
 title: sysctl
 id: sysctl
 date: 2019-02-12
-full_link: /zh/docs/tasks/administer-cluster/sysctl-cluster/
+full_link: /zh-cn/docs/tasks/administer-cluster/sysctl-cluster/
 short_description: >
   用于获取和设置 Unix 内核参数的接口
 
diff --git a/content/zh/docs/reference/glossary/taint.md b/content/zh-cn/docs/reference/glossary/taint.md
similarity index 95%
rename from content/zh/docs/reference/glossary/taint.md
rename to content/zh-cn/docs/reference/glossary/taint.md
index 8961ce205d029..65040d6bbe77f 100644
--- a/content/zh/docs/reference/glossary/taint.md
+++ b/content/zh-cn/docs/reference/glossary/taint.md
@@ -2,7 +2,7 @@
 title: 污点（Taint）
 id: taint
 date: 2019-01-11
-full_link: /zh/docs/concepts/scheduling-eviction/taint-and-toleration/
+full_link: /zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/
 short_description: >
   污点是一种一个核心对象，包含三个必需的属性：key、value 和 effect。
   污点会阻止在节点或节点组上调度 Pod。
diff --git a/content/zh/docs/reference/glossary/toleration.md b/content/zh-cn/docs/reference/glossary/toleration.md
similarity index 96%
rename from content/zh/docs/reference/glossary/toleration.md
rename to content/zh-cn/docs/reference/glossary/toleration.md
index 963d75b94cf0e..d42ff66958964 100644
--- a/content/zh/docs/reference/glossary/toleration.md
+++ b/content/zh-cn/docs/reference/glossary/toleration.md
@@ -2,7 +2,7 @@
 title: 容忍度（Toleration）
 id: toleration
 date: 2019-01-11
-full_link: /zh/docs/concepts/scheduling-eviction/taint-and-toleration/
+full_link: /zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/
 short_description: >
   一个核心对象，由三个必需的属性组成：key、value 和 effect。
   容忍度允许将 Pod 调度到具有对应污点的节点或节点组上。
diff --git a/content/zh/docs/reference/glossary/uid.md b/content/zh-cn/docs/reference/glossary/uid.md
similarity index 92%
rename from content/zh/docs/reference/glossary/uid.md
rename to content/zh-cn/docs/reference/glossary/uid.md
index 74faf6d1e7660..13d5433ac16ca 100644
--- a/content/zh/docs/reference/glossary/uid.md
+++ b/content/zh-cn/docs/reference/glossary/uid.md
@@ -2,7 +2,7 @@
 title: UID
 id: uid
 date: 2018-04-12
-full_link: /zh/docs/concepts/overview/working-with-objects/names/
+full_link: /zh-cn/docs/concepts/overview/working-with-objects/names/
 short_description: >
   由 Kubernetes 系统生成、用来唯一标识对象的字符串。
 
diff --git a/content/zh/docs/reference/glossary/upstream.md b/content/zh-cn/docs/reference/glossary/upstream.md
similarity index 100%
rename from content/zh/docs/reference/glossary/upstream.md
rename to content/zh-cn/docs/reference/glossary/upstream.md
diff --git a/content/zh/docs/reference/glossary/userns.md b/content/zh-cn/docs/reference/glossary/userns.md
similarity index 100%
rename from content/zh/docs/reference/glossary/userns.md
rename to content/zh-cn/docs/reference/glossary/userns.md
diff --git a/content/zh/docs/reference/glossary/volume-plugin.md b/content/zh-cn/docs/reference/glossary/volume-plugin.md
similarity index 94%
rename from content/zh/docs/reference/glossary/volume-plugin.md
rename to content/zh-cn/docs/reference/glossary/volume-plugin.md
index b04b8d8fbc127..1071b0439011e 100644
--- a/content/zh/docs/reference/glossary/volume-plugin.md
+++ b/content/zh-cn/docs/reference/glossary/volume-plugin.md
@@ -40,7 +40,7 @@ tags:
 A Volume Plugin lets you attach and mount storage volumes for use by a {{< glossary_tooltip text="Pod" term_id="pod" >}}. Volume plugins can be _in tree_ or _out of tree_. _In tree_ plugins are part of the Kubernetes code repository and follow its release cycle. _Out of tree_ plugins are developed independently.
 -->
 
-卷插件让您能给 {{< glossary_tooltip text="Pod" term_id="pod" >}} 附加和挂载存储卷。
+卷插件让你能给 {{< glossary_tooltip text="Pod" term_id="pod" >}} 附加和挂载存储卷。
 卷插件既可以是 _in tree_ 也可以是 _out of tree_ 。_in tree_ 插件是 Kubernetes 代码库的一部分，
 并遵循其发布周期。而 _Out of tree_ 插件则是独立开发的。
 
diff --git a/content/zh/docs/reference/glossary/volume.md b/content/zh-cn/docs/reference/glossary/volume.md
similarity index 92%
rename from content/zh/docs/reference/glossary/volume.md
rename to content/zh-cn/docs/reference/glossary/volume.md
index 7ef39eee2fd33..9159e275caa57 100644
--- a/content/zh/docs/reference/glossary/volume.md
+++ b/content/zh-cn/docs/reference/glossary/volume.md
@@ -2,7 +2,7 @@
 title: 卷（Volume）
 id: volume
 date: 2018-04-12
-full_link: /zh/docs/concepts/storage/volumes/
+full_link: /zh-cn/docs/concepts/storage/volumes/
 short_description: >
   包含可被 Pod 中容器访问的数据的目录。
 
@@ -47,4 +47,4 @@ A Kubernetes volume lives as long as the Pod that encloses it. Consequently, a v
 <!--
 See [storage](/docs/concepts/storage/) for more information.
 -->
-更多信息可参考[storage](/zh/docs/concepts/storage/)
\ No newline at end of file
+更多信息可参考[storage](/zh-cn/docs/concepts/storage/)
\ No newline at end of file
diff --git a/content/zh/docs/reference/glossary/wg.md b/content/zh-cn/docs/reference/glossary/wg.md
similarity index 100%
rename from content/zh/docs/reference/glossary/wg.md
rename to content/zh-cn/docs/reference/glossary/wg.md
diff --git a/content/zh/docs/reference/glossary/workload.md b/content/zh-cn/docs/reference/glossary/workload.md
similarity index 96%
rename from content/zh/docs/reference/glossary/workload.md
rename to content/zh-cn/docs/reference/glossary/workload.md
index 394b42bd1c993..68cd860a831f1 100644
--- a/content/zh/docs/reference/glossary/workload.md
+++ b/content/zh-cn/docs/reference/glossary/workload.md
@@ -2,7 +2,7 @@
 title: 工作负载（Workload）
 id: workloads
 date: 2019-02-13
-full_link: /zh/docs/concepts/workloads/
+full_link: /zh-cn/docs/concepts/workloads/
 short_description: >
    工作负载是在 Kubernetes 上运行的应用程序。
 
diff --git a/content/zh/docs/reference/issues-security/_index.md b/content/zh-cn/docs/reference/issues-security/_index.md
similarity index 100%
rename from content/zh/docs/reference/issues-security/_index.md
rename to content/zh-cn/docs/reference/issues-security/_index.md
diff --git a/content/zh/docs/reference/issues-security/issues.md b/content/zh-cn/docs/reference/issues-security/issues.md
similarity index 86%
rename from content/zh/docs/reference/issues-security/issues.md
rename to content/zh-cn/docs/reference/issues-security/issues.md
index 23a015a519d03..45a248990ca48 100644
--- a/content/zh/docs/reference/issues-security/issues.md
+++ b/content/zh-cn/docs/reference/issues-security/issues.md
@@ -1,6 +1,7 @@
 ---
 title: Kubernetes 问题追踪
 weight: 10
+aliases: [/zh-cn/cve/, /zh-cn/cves/]
 ---
 
 <!--
@@ -13,7 +14,7 @@ aliases: [/cve/,/cves/]
 To report a security issue, please follow the [Kubernetes security disclosure process](/docs/reference/issues-security/security/#report-a-vulnerability).
 -->
 要报告安全问题，请遵循
-[Kubernetes 安全问题公开流程](/zh/docs/reference/issues-security/security/#report-a-vulnerability)。
+[Kubernetes 安全问题公开流程](/zh-cn/docs/reference/issues-security/security/#report-a-vulnerability)。
 
 <!--
 Work on Kubernetes code and public issues are tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/).
@@ -29,6 +30,6 @@ Work on Kubernetes code and public issues are tracked using [GitHub Issues](http
 <!--
 Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list.
 -->
-与安全性相关的公告请发送到
+与安全性相关的公告将发送到
 [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce)
 邮件列表。
diff --git a/content/zh/docs/reference/issues-security/security.md b/content/zh-cn/docs/reference/issues-security/security.md
similarity index 68%
rename from content/zh/docs/reference/issues-security/security.md
rename to content/zh-cn/docs/reference/issues-security/security.md
index 3124098682040..4cdc9d07e77bb 100644
--- a/content/zh/docs/reference/issues-security/security.md
+++ b/content/zh-cn/docs/reference/issues-security/security.md
@@ -1,5 +1,6 @@
 ---
 title: Kubernetes 安全和信息披露
+aliases: [/zh-cn/security/]
 content_type: concept
 weight: 20
 ---
@@ -27,7 +28,7 @@ This page describes Kubernetes security and disclosure information.
 <!--
 ## Security Announcements
 -->
-## 安全公告
+## 安全公告 {#security-announcements}
 
 <!--
 Join the [kubernetes-security-announce](https://groups.google.com/forum/#!forum/kubernetes-security-announce) group for emails about security and major API announcements.
@@ -37,28 +38,28 @@ Join the [kubernetes-security-announce](https://groups.google.com/forum/#!forum/
 <!--
 ## Report a Vulnerability
 -->
-## 报告一个漏洞
+## 报告一个漏洞 {#report-a-vulnerability}
 
 <!--
-We’re extremely grateful for security researchers and users that report vulnerabilities to the Kubernetes Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
+We're extremely grateful for security researchers and users that report vulnerabilities to the Kubernetes Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
 -->
 我们非常感谢向 Kubernetes 开源社区报告漏洞的安全研究人员和用户。
 所有的报告都由社区志愿者进行彻底调查。
 
 <!--
-To make a report, please email the private [security@kubernetes.io](mailto:security@kubernetes.io) list with the security details and the details expected for [all Kubernetes bug reports](https://git.k8s.io/kubernetes/.github/ISSUE_TEMPLATE/bug-report.md).
+To make a report, submit your vulnerability to the [Kubernetes bug bounty program](https://hackerone.com/kubernetes). This allows triage and handling of the vulnerability with standardized response times.
 -->
-如需报告，请连同安全细节以及预期的[所有 Kubernetes bug 报告](https://git.k8s.io/kubernetes/.github/ISSUE_TEMPLATE/bug-report.md)
-详细信息电子邮件到[security@kubernetes.io](mailto:security@kubernetes.io)列表。
+如需报告，请将你的漏洞提交给 [Kubernetes 漏洞赏金计划](https://hackerone.com/kubernetes)。
+这样做可以使得社区能够在标准化的响应时间内对漏洞进行分类和处理。
 
 <!--
 You can also email the private [security@kubernetes.io](mailto:security@kubernetes.io) list with the security details and the details expected for [all Kubernetes bug reports](https://github.com/kubernetes/kubernetes/blob/master/.github/ISSUE_TEMPLATE/bug-report.yaml).
-
 -->
 你还可以通过电子邮件向私有 [security@kubernetes.io](mailto:security@kubernetes.io)
 列表发送电子邮件，邮件中应该包含
 [所有 Kubernetes 错误报告](https://github.com/kubernetes/kubernetes/blob/master/.github/ISSUE_TEMPLATE/bug-report.yaml)
 所需的详细信息。
+
 <!--
 You may encrypt your email to this list using the GPG keys of the [Security Response Committee members](https://git.k8s.io/security/README.md#product-security-committee-psc). Encryption using GPG is NOT required to make a disclosure.
 -->
@@ -68,45 +69,45 @@ GPG 密钥加密你的发往邮件列表的邮件。揭示问题时不需要使
 <!--
 ### When Should I Report a Vulnerability?
 -->
-### 我应该在什么时候报告漏洞？
+### 我应该在什么时候报告漏洞？ {#when-should-i-report-a-vulnerability}
 
 <!--
 - You think you discovered a potential security vulnerability in Kubernetes
 - You are unsure how a vulnerability affects Kubernetes
 - You think you discovered a vulnerability in another project that Kubernetes depends on
-   - For projects with their own vulnerability reporting and disclosure process, please report it directly there
+  - For projects with their own vulnerability reporting and disclosure process, please report it directly there
 -->
 - 你认为在 Kubernetes 中发现了一个潜在的安全漏洞
 - 你不确定漏洞如何影响 Kubernetes
 - 你认为你在 Kubernetes 依赖的另一个项目中发现了一个漏洞
-- 对于具有漏洞报告和披露流程的项目，请直接在该项目处报告
+  - 对于具有漏洞报告和披露流程的项目，请直接在该项目处报告
 
 <!--
 ### When Should I NOT Report a Vulnerability?
 -->
-### 我什么时候不应该报告漏洞？
+### 我什么时候不应该报告漏洞？ {#when-should-i-not-report-a-vulnerability}
 
 <!--
 - You need help tuning Kubernetes components for security
 - You need help applying security related updates
 - Your issue is not security related
 -->
-- 你需要帮助调整 Kubernetes 组件的安全性
-- 你需要帮助应用与安全相关的更新
+- 你需要调整 Kubernetes 组件安全性的帮助
+- 你需要应用与安全相关更新的帮助
 - 你的问题与安全无关
 
 <!--
 ## Security Vulnerability Response
 -->
-## 安全漏洞响应
+## 安全漏洞响应 {#security-vulnerability-response}
 
 <!--
 Each report is acknowledged and analyzed by Security Response Committee members within 3 working days. This will set off the [Security Release Process](https://git.k8s.io/security/security-release-process.md#disclosures).
 -->
-每个报告在 3 个工作日内由安全响应委员会成员确认和分析。这将启动[安全发布过程](https://git.k8s.io/sig-release/security-release-process-documentation/security-release-process.md#disclosures)。
+每个报告在 3 个工作日内由安全响应委员会成员确认和分析，这将启动[安全发布过程](https://git.k8s.io/sig-release/security-release-process-documentation/security-release-process.md#disclosures)。
 
 <!--
-Any vulnerability information shared with Product Security Team stays within Kubernetes project and will not be disseminated to other projects unless it is necessary to get the issue fixed.
+Any vulnerability information shared with Security Response Committee stays within Kubernetes project and will not be disseminated to other projects unless it is necessary to get the issue fixed.
 -->
 与安全响应委员会共享的任何漏洞信息都保留在 Kubernetes 项目中，除非有必要修复该问题，否则不会传播到其他项目。
 
@@ -118,7 +119,7 @@ As the security issue moves from triage, to identified fix, to release planning
 <!--
 ## Public Disclosure Timing
 -->
-## 公开披露时间
+## 公开披露时间 {#public-disclosure-timing}
 
 <!--
 A public disclosure date is negotiated by the Kubernetes Security Response Committee and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available.
@@ -132,7 +133,8 @@ It is reasonable to delay disclosure when the bug or the fix is not yet fully un
 当 bug 或其修复还没有被完全理解，解决方案没有经过良好的测试，或者为了处理供应商协调问题时，延迟披露是合理的。
 
 <!--
-The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. As a basic default, we expect report date to disclosure date to be on the order of 7 days. The Kubernetes product security team holds the final say when setting a disclosure date.
+The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days. The Kubernetes Security Response Committee holds the final say when setting a disclosure date.
 -->
-信息披露的时间范围从即时（尤其是已经公开的）到几周。作为一个基本的约定，我们希望报告日期到披露日期的间隔是 7 天。在设置披露日期时，Kubernetes 产品安全团队拥有最终决定权。
-
+信息披露的时间范围从即时（尤其是已经公开的）到几周不等。
+对于具有直接缓解措施的漏洞，我们希望报告日期到披露日期的间隔是 7 天。
+在设置披露日期方面，Kubernetes 安全响应委员会拥有最终决定权。
diff --git a/content/zh/docs/reference/kubectl/overview.md b/content/zh-cn/docs/reference/kubectl/_index.md
similarity index 70%
rename from content/zh/docs/reference/kubectl/overview.md
rename to content/zh-cn/docs/reference/kubectl/_index.md
index ddc83e853695d..787a20d7377e8 100644
--- a/content/zh/docs/reference/kubectl/overview.md
+++ b/content/zh-cn/docs/reference/kubectl/_index.md
@@ -1,62 +1,73 @@
 ---
-reviewers:
-- hw-qiaolei
-title: kubectl 概述
-content_type: concept
-weight: 20
+title: 命令行工具 (kubectl)
+content_type: reference
+weight: 60
+no_list: true
 card:
   name: reference
   weight: 20
 ---
 <!--
-reviewers:
-- bgrant0607
-- hw-qiaolei
-title: Overview of kubectl
-content_type: concept
-weight: 20
+title: Command line tool (kubectl)
+content_type: reference
+weight: 60
+no_list: true
 card:
   name: reference
   weight: 20
 -->
-
 <!-- overview -->
+<!--
+{{< glossary_definition prepend="Kubernetes provides a" term_id="kubectl" length="short" >}}
+-->
+{{< glossary_definition prepend="Kubernetes 提供" term_id="kubectl" length="short" >}}
+
+<!--
+This tool is named `kubectl`.
+-->
+这个工具叫做 `kubectl`。
 
 <!--
-The kubectl command line tool lets you control Kubernetes clusters.
 For configuration, `kubectl` looks for a file named `config` in the `$HOME/.kube` directory.
 You can specify other [kubeconfig](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
-files by setting the KUBECONFIG environment variable or by setting the
+files by setting the `KUBECONFIG` environment variable or by setting the
 [`--kubeconfig`](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) flag.
 -->
-你可以使用 Kubectl 命令行工具管理 Kubernetes 集群。
-`kubectl` 在 `$HOME/.kube` 目录中查找一个名为 `config` 的配置文件。
-你可以通过设置 KUBECONFIG 环境变量或设置
-[`--kubeconfig`](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
-参数来指定其它 [kubeconfig](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/) 文件。
+`针对配置信息，`kubectl` 在 `$HOME/.kube` 目录中查找一个名为 `config` 的配置文件。
+你可以通过设置 `KUBECONFIG` 环境变量或设置
+[`--kubeconfig`](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+参数来指定其它 [kubeconfig](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/) 文件。
 
 <!--
 This overview covers `kubectl` syntax, describes the command operations, and provides common examples.
 For details about each command, including all the supported flags and subcommands, see the
 [kubectl](/docs/reference/generated/kubectl/kubectl-commands/) reference documentation.
-For installation instructions see [installing kubectl](/docs/tasks/tools/install-kubectl/).
 -->
 本文概述了 `kubectl` 语法和命令操作描述，并提供了常见的示例。
 有关每个命令的详细信息，包括所有受支持的参数和子命令，
 请参阅 [kubectl](/docs/reference/generated/kubectl/kubectl-commands/) 参考文档。
-有关安装说明，请参见[安装 kubectl](/zh/docs/tasks/tools/install-kubectl/) 。
-
-<!-- body -->
 
 <!--
-## Syntax
+For installation instructions, see [Installing kubectl](/docs/tasks/tools/#kubectl);
+for a quick guide, see the [cheat sheet](/docs/reference/kubectl/cheatsheet/).
+If you're used to using the `docker` command-line tool, [`kubectl` for Docker Users](/docs/reference/kubectl/docker-cli-to-kubectl/)
+explains some equivalent commands for Kubernetes.
 -->
-## 语法
+有关安装说明，请参见[安装 kubectl](/zh-cn/docs/tasks/tools/#kubectl)；
+如需快速指南，请参见[备忘单](/zh-cn/docs/reference/kubectl/cheatsheet/)。
+如果你更习惯使用 `docker` 命令行工具，
+[Docker 用户的 `kubectl`](/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl/)
+介绍了一些 Kubernetes 的等价命令。
 
+<!-- body -->
 <!--
+## Syntax
+
 Use the following syntax to run `kubectl` commands from your terminal window:
 -->
-使用以下语法 `kubectl` 从终端窗口运行命令：
+## 语法
+
+使用以下语法从终端窗口运行 `kubectl` 命令：
 
 ```shell
 kubectl [command] [TYPE] [NAME] [flags]
@@ -68,34 +79,36 @@ where `command`, `TYPE`, `NAME`, and `flags` are:
 其中 `command`、`TYPE`、`NAME` 和 `flags` 分别是：
 
 <!--
-* `command`: Specifies the operation that you want to perform on one or more resources, for example `create`, `get`, `describe`, `delete`.
+* `command`: Specifies the operation that you want to perform on one or more resources, 
+for example `create`, `get`, `describe`, `delete`.
 
-* `TYPE`: Specifies the [resource type](#resource-types). Resource types are case-insensitive and you can specify the singular, plural, or abbreviated forms. For example, the following commands produce the same output:
+* `TYPE`: Specifies the [resource type](#resource-types). Resource types are case-insensitive and
+  you can specify the singular, plural, or abbreviated forms.
+  For example, the following commands produce the same output:
 -->
 * `command`：指定要对一个或多个资源执行的操作，例如 `create`、`get`、`describe`、`delete`。
 
-* `TYPE`：指定[资源类型](#资源类型)。资源类型不区分大小写，
-  可以指定单数、复数或缩写形式。例如，以下命令输出相同的结果:
+* `TYPE`：指定[资源类型](#resource-types)。资源类型不区分大小写，
+  可以指定单数、复数或缩写形式。例如，以下命令输出相同的结果：
 
-  ```shell
-  kubectl get pod pod1
-  kubectl get pods pod1
-  kubectl get po pod1
-  ```
+   ```shell
+   kubectl get pod pod1
+   kubectl get pods pod1
+   kubectl get po pod1
+   ```
 
 <!--
 * `NAME`: Specifies the name of the resource. Names are case-sensitive. If the name is omitted, details for all resources are displayed, for example `kubectl get pods`.
 
    When performing an operation on multiple resources, you can specify each resource by type and name or specify one or more files:
 -->
-
 * `NAME`：指定资源的名称。名称区分大小写。
-  如果省略名称，则显示所有资源的详细信息 `kubectl get pods`。
+  如果省略名称，则显示所有资源的详细信息。例如：`kubectl get pods`。
 
   在对多个资源执行操作时，你可以按类型和名称指定每个资源，或指定一个或多个文件：
 
-  <!--
-   * To specify resources by type and name:
+<!--
+  * To specify resources by type and name:
 
       * To group resources if they are all the same type:  `TYPE1 name1 name2 name<#>`.<br/>
       Example: `kubectl get pod example-pod1 example-pod2`
@@ -105,43 +118,111 @@ where `command`, `TYPE`, `NAME`, and `flags` are:
 
    * To specify resources with one or more files:  `-f file1 -f file2 -f file<#>`
 
-      * [Use YAML rather than JSON](/docs/concepts/configuration/overview/#general-configuration-tips)
-        since YAML tends to be more user-friendly, especially for configuration files.<br/>
+      * [Use YAML rather than JSON](/docs/concepts/configuration/overview/#general-configuration-tips) since YAML tends to be more user-friendly, especially for configuration files.<br/>
      Example: `kubectl get -f ./pod.yaml`
-  -->
-  * 要按类型和名称指定资源：
-
-      * 要对所有类型相同的资源进行分组，请执行以下操作：`TYPE1 name1 name2 name<#>`。
-
-        例子：`kubectl get pod example-pod1 example-pod2`
+-->
+ * 要按类型和名称指定资源：
 
-      * 分别指定多个资源类型：`TYPE1/name1 TYPE1/name2 TYPE2/name3 TYPE<#>/name<#>`。
+  * 要对所有类型相同的资源进行分组，请执行以下操作：`TYPE1 name1 name2 name<#>`。<br/>
+    例子：`kubectl get pod example-pod1 example-pod2`
 
-        例子：`kubectl get pod/example-pod1 replicationcontroller/example-rc1`
+  * 分别指定多个资源类型：`TYPE1/name1 TYPE1/name2 TYPE2/name3 TYPE<#>/name<#>`。<br/>
+    例子：`kubectl get pod/example-pod1 replicationcontroller/example-rc1`
 
-  * 用一个或多个文件指定资源：`-f file1 -f file2 -f file<#>`
+ * 用一个或多个文件指定资源：`-f file1 -f file2 -f file<#>`
 
-    * [使用 YAML 而不是 JSON](/zh/docs/concepts/configuration/overview/#general-configuration-tips)
-      因为 YAML 更容易使用，特别是用于配置文件时。
-      例子：`kubectl get -f ./pod.yaml`
+  * [使用 YAML 而不是 JSON](/zh-cn/docs/concepts/configuration/overview/#general-configuration-tips)，
+    因为 YAML 对用户更友好, 特别是对于配置文件。<br/>
+    例子：`kubectl get -f ./pod.yaml`
 
 <!--
-* `flags`: Specifies optional flags. For example, you can use the `-s` or `--server` flags to specify the address and port of the Kubernetes API server.
+* `flags`: Specifies optional flags. For example, you can use the `-s` or `--server` flags to specify the address and port of the Kubernetes API server.<br/>
 -->
-* `flags`: 指定可选的参数。例如，可以使用 `-s` 或 `-server` 参数指定
+* `flags`： 指定可选的参数。例如，可以使用 `-s` 或 `--server` 参数指定
   Kubernetes API 服务器的地址和端口。
 
-{{< caution >}}
 <!--
 Flags that you specify from the command line override default values and any corresponding environment variables.
 -->
+{{< caution >}}
 从命令行指定的参数会覆盖默认值和任何相应的环境变量。
 {{< /caution >}}
 
 <!--
 If you need help, run `kubectl help` from the terminal window.
 -->
-如果你需要帮助，从终端窗口运行 `kubectl help` 。
+如果你需要帮助，在终端窗口中运行 `kubectl help`。
+
+<!--
+## In-cluster authentication and namespace overrides
+-->
+## 集群内身份验证和命名空间覆盖
+
+<!--
+By default `kubectl` will first determine if it is running within a pod, and thus in a cluster. It starts by checking for the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` environment variables and the existence of a service account token file at `/var/run/secrets/kubernetes.io/serviceaccount/token`. If all three are found in-cluster authentication is assumed.
+-->
+默认情况下，`kubectl` 命令首先确定它是否在 Pod 中运行，从而被视为在集群中运行。
+它首先检查 `KUBERNETES_SERVICE_HOST` 和 `KUBERNETES_SERVICE_PORT` 环境变量以及
+`/var/run/secrets/kubernetes.io/serviceaccount/token` 中是否存在服务帐户令牌文件。
+如果三个条件都被满足，则假定在集群内进行身份验证。
+
+<!--
+To maintain backwards compatibility, if the `POD_NAMESPACE` environment variable is set during in-cluster authentication it will override the default namespace from the service account token. Any manifests or tools relying on namespace defaulting will be affected by this.
+-->
+为保持向后兼容性，如果在集群内身份验证期间设置了 `POD_NAMESPACE`
+环境变量，它将覆盖服务帐户令牌中的默认命名空间。
+任何依赖默认命名空间的清单或工具都会受到影响。
+
+<!--
+**`POD_NAMESPACE` environment variable**
+-->
+**`POD_NAMESPACE` 环境变量**
+
+<!--
+If the `POD_NAMESPACE` environment variable is set, cli operations on namespaced resources will default to the variable value. For example, if the variable is set to `seattle`, `kubectl get pods` would return pods in the `seattle` namespace. This is because pods are a namespaced resource, and no namespace was provided in the command. Review the output of `kubectl api-resources` to determine if a resource is namespaced. 
+-->
+如果设置了 `POD_NAMESPACE` 环境变量，对命名空间资源的 CLI 操作对象将使用该变量值作为默认值。
+例如，如果该变量设置为 `seattle`，`kubectl get pods` 将返回 `seattle` 命名空间中的 Pod。
+这是因为 Pod 是一个命名空间资源，且命令中没有提供命名空间。
+
+<!--
+Explicit use of `--namespace <value>` overrides this behavior.
+-->
+直接使用 `--namespace <value>` 会覆盖此行为。
+
+<!--
+**How kubectl handles ServiceAccount tokens**
+-->
+**kubectl 如何处理 ServiceAccount 令牌**
+
+<!--
+If:
+* there is Kubernetes service account token file mounted at
+  `/var/run/secrets/kubernetes.io/serviceaccount/token`, and
+* the `KUBERNETES_SERVICE_HOST` environment variable is set, and
+* the `KUBERNETES_SERVICE_PORT` environment variable is set, and
+* you don't explicitly specify a namespace on the kubectl command line
+-->
+假设：
+* 有 Kubernetes 服务帐户令牌文件挂载在
+  `/var/run/secrets/kubernetes.io/serviceaccount/token` 上，并且
+* 设置了 `KUBERNETES_SERVICE_HOST` 环境变量，并且
+* 设置了 `KUBERNETES_SERVICE_PORT` 环境变量，并且
+* 你没有在 kubectl 命令行上明确指定命名空间。
+
+<!--
+then kubectl assumes it is running in your cluster. The kubectl tool looks up the
+namespace of that ServiceAccount (this is the same as the namespace of the Pod)
+and acts against that namespace. This is different from what happens outside of a
+cluster; when kubectl runs outside a cluster and you don't specify a namespace,
+the kubectl command acts against the `default` namespace.
+-->
+然后 kubectl 假定它正在你的集群中运行。
+kubectl 工具查找该 ServiceAccount 的命名空间
+（该命名空间与 Pod 的命名空间相同）并针对该命名空间进行操作。
+这与集群外运行的情况不同；
+当 kubectl 在集群外运行并且你没有指定命名空间时，
+kubectl 命令会针对 `default` 命名空间进行操作。
 
 <!--
 ## Operations
@@ -160,6 +241,14 @@ Operation       | Syntax    |       Description
 `annotate`    | <code>kubectl annotate (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | Add or update the annotations of one or more resources.
 `api-resources`    | `kubectl api-resources [flags]` | List the API resources that are available.
 `api-versions`    | `kubectl api-versions [flags]` | List the API versions that are available.
+-->
+操作             | 语法      |       描述
+-------------------- | -------------------- | --------------------
+`alpha`    | `kubectl alpha SUBCOMMAND [flags]` | 列出与 alpha 特性对应的可用命令，这些特性在 Kubernetes 集群中默认情况下是不启用的。
+`annotate`    | <code>kubectl annotate (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 添加或更新一个或多个资源的注解。
+`api-resources`    | `kubectl api-resources [flags]` | 列出可用的 API 资源。
+`api-versions`    | `kubectl api-versions [flags]` | 列出可用的 API 版本。
+<!--
 `apply`            | `kubectl apply -f FILENAME [flags]`| Apply a configuration change to a resource from a file or stdin.
 `attach`        | `kubectl attach POD -c CONTAINER [-i] [-t] [flags]` | Attach to a running container either to view the output stream or interact with the container (stdin).
 `auth`    | `kubectl auth [flags] [options]` | Inspect authorization.
@@ -168,13 +257,32 @@ Operation       | Syntax    |       Description
 `cluster-info`    | `kubectl cluster-info [flags]` | Display endpoint information about the master and services in the cluster.
 `completion`    | `kubectl completion SHELL [options]` | Output shell completion code for the specified shell (bash or zsh).
 `config`        | `kubectl config SUBCOMMAND [flags]` | Modifies kubeconfig files. See the individual subcommands for details.
-`convert`    | `kubectl convert -f FILENAME [options]` | Convert config files between different API versions. Both YAML and JSON formats are accepted.
+-->
+`apply`            | `kubectl apply -f FILENAME [flags]`| 从文件或 stdin 对资源应用配置更改。
+`attach`        | `kubectl attach POD -c CONTAINER [-i] [-t] [flags]` | 挂接到正在运行的容器，查看输出流或与容器（stdin）交互。
+`auth`    | `kubectl auth [flags] [options]` | 检查授权。
+`autoscale`    | <code>kubectl autoscale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU] [flags]</code> | 自动扩缩由副本控制器管理的一组 pod。
+`certificate`    | `kubectl certificate SUBCOMMAND [options]` | 修改证书资源。
+`cluster-info`    | `kubectl cluster-info [flags]` | 显示有关集群中主服务器和服务的端口信息。
+`completion`    | `kubectl completion SHELL [options]` | 为指定的 Shell（Bash 或 Zsh）输出 Shell 补齐代码。
+`config`        | `kubectl config SUBCOMMAND [flags]` | 修改 kubeconfig 文件。有关详细信息，请参阅各个子命令。
+<!--
+`convert`    | `kubectl convert -f FILENAME [options]` | Convert config files between different API versions. Both YAML and JSON formats are accepted. Note - requires `kubectl-convert` plugin to be installed.
 `cordon`    | `kubectl cordon NODE [options]` | Mark node as unschedulable.
 `cp`    | `kubectl cp <file-spec-src> <file-spec-dest> [options]` | Copy files and directories to and from containers.
 `create`        | `kubectl create -f FILENAME [flags]` | Create one or more resources from a file or stdin.
 `delete`        | <code>kubectl delete (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label &#124; --all]) [flags]</code> | Delete resources either from a file, stdin, or specifying label selectors, names, resource selectors, or resources.
 `describe`    | <code>kubectl describe (-f FILENAME &#124; TYPE [NAME_PREFIX &#124; /NAME &#124; -l label]) [flags]</code> | Display the detailed state of one or more resources.
 `diff`        | `kubectl diff -f FILENAME [flags]`| Diff file or stdin against live configuration.
+-->
+`convert`    | `kubectl convert -f FILENAME [options]` | 在不同的 API 版本之间转换配置文件。配置文件可以是 YAML 或 JSON 格式。注意 - 需要安装 `kubectl-convert` 插件。
+`cordon`    | `kubectl cordon NODE [options]` | 将节点标记为不可调度。
+`cp`    | `kubectl cp <file-spec-src> <file-spec-dest> [options]` | 从容器复制文件、目录或将文件、目录复制到容器。
+`create`        | `kubectl create -f FILENAME [flags]` | 从文件或 stdin 创建一个或多个资源。
+`delete`        |  <code>kubectl delete (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label &#124; --all]) [flags]</code> |  基于文件、标准输入或通过指定标签选择器、名称、资源选择器或资源本身，删除资源。
+`describe`    | <code>kubectl describe (-f FILENAME &#124; TYPE [NAME_PREFIX &#124; /NAME &#124; -l label]) [flags]</code> | 显示一个或多个资源的详细状态。
+`diff`        | `kubectl diff -f FILENAME [flags]`| 在当前起作用的配置和文件或标准输之间作对比 (**BETA**)
+<!--
 `drain`    | `kubectl drain NODE [options]` | Drain node in preparation for maintenance.
 `edit`        | <code>kubectl edit (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [flags]</code> | Edit and update the definition of one or more resources on the server by using the default editor.
 `exec`        | `kubectl exec POD [-c CONTAINER] [-i] [-t] [flags] [-- COMMAND [args...]]` | Execute a command against a container in a pod.
@@ -182,6 +290,15 @@ Operation       | Syntax    |       Description
 `expose`        | <code>kubectl expose (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--port=port] [--protocol=TCP&#124;UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type] [flags]</code> | Expose a replication controller, service, or pod as a new Kubernetes service.
 `get`        | <code>kubectl get (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label]) [--watch] [--sort-by=FIELD] [[-o &#124; --output]=OUTPUT_FORMAT] [flags]</code> | List one or more resources.
 `kustomize`    | `kubectl kustomize <dir> [flags] [options]` | List a set of API resources generated from instructions in a kustomization.yaml file. The argument must be the path to the directory containing the file, or a git repository URL with a path suffix specifying same with respect to the repository root.
+-->
+`drain`    | `kubectl drain NODE [options]` | 腾空节点以准备维护。
+`edit`        | <code>kubectl edit (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [flags]</code> | 使用默认编辑器编辑和更新服务器上一个或多个资源的定义。
+`exec`        | `kubectl exec POD [-c CONTAINER] [-i] [-t] [flags] [-- COMMAND [args...]]` | 对 Pod 中的容器执行命令。
+`explain`    | `kubectl explain  [--recursive=false] [flags]` | 获取多种资源的文档。例如 Pod、Node、Service 等。
+`expose`        | <code>kubectl expose (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--port=port] [--protocol=TCP&#124;UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type] [flags]</code> | 将副本控制器、服务或 Pod 作为新的 Kubernetes 服务暴露。
+`get`        | <code>kubectl get (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label]) [--watch] [--sort-by=FIELD] [[-o &#124; --output]=OUTPUT_FORMAT] [flags]</code> | 列出一个或多个资源。
+`kustomize`    | <code>kubectl kustomize <dir> [flags] [options]` </code> | 列出从 kustomization.yaml 文件中的指令生成的一组 API 资源。参数必须是包含文件的目录的路径，或者是 git 存储库 URL，其路径后缀相对于存储库根目录指定了相同的路径。
+<!--
 `label`        | <code>kubectl label (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | Add or update the labels of one or more resources.
 `logs`        | `kubectl logs POD [-c CONTAINER] [--follow] [flags]` | Print the logs for a container in a pod.
 `options`    | `kubectl options` | List of global command-line options, which apply to all commands.
@@ -192,6 +309,18 @@ Operation       | Syntax    |       Description
 `replace`        | `kubectl replace -f FILENAME` | Replace a resource from a file or stdin.
 `rollout`    | `kubectl rollout SUBCOMMAND [options]` | Manage the rollout of a resource. Valid resource types include: deployments, daemonsets and statefulsets.
 `run`        | <code>kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server&#124;client&#124;none] [--overrides=inline-json] [flags]</code> | Run a specified image on the cluster.
+-->
+`label`        | <code>kubectl label (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 添加或更新一个或多个资源的标签。
+`logs`        | `kubectl logs POD [-c CONTAINER] [--follow] [flags]` |  打印 Pod 中容器的日志。
+`options`    | `kubectl options` | 全局命令行选项列表，这些选项适用于所有命令。
+`patch`        | <code>kubectl patch (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --patch PATCH [flags]</code> | 使用策略合并流程更新资源的一个或多个字段。
+`plugin`    | `kubectl plugin [flags] [options]` | 提供用于与插件交互的实用程序。
+`port-forward`    | `kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N] [flags]` | 将一个或多个本地端口转发到一个 Pod。
+`proxy`        | `kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [flags]` | 运行访问 Kubernetes API 服务器的代理。
+`replace`        | `kubectl replace -f FILENAME` |  基于文件或标准输入替换资源。
+`rollout`    | `kubectl rollout SUBCOMMAND [options]` | 管理资源的上线。有效的资源类型包括：Deployment、 DaemonSet 和 StatefulSet。
+`run`        | <code>kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server &#124; client &#124; none] [--overrides=inline-json] [flags]</code> | 在集群上运行指定的镜像。
+<!--
 `scale`        | <code>kubectl scale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --replicas=COUNT [--resource-version=version] [--current-replicas=count] [flags]</code> | Update the size of the specified replication controller.
 `set`    | `kubectl set SUBCOMMAND [options]` | Configure application resources.
 `taint`    | `kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N [options]` | Update the taints on one or more nodes.
@@ -200,69 +329,29 @@ Operation       | Syntax    |       Description
 `version`        | `kubectl version [--client] [flags]` | Display the Kubernetes version running on the client and server.
 `wait`    | <code>kubectl wait ([-f FILENAME] &#124; resource.group/resource.name &#124; resource.group [(-l label &#124; --all)]) [--for=delete&#124;--for condition=available] [options]</code> | Experimental: Wait for a specific condition on one or many resources.
 -->
-
-操作             | 语法      |       描述
--------------------- | -------------------- | --------------------
-`alpha`    | `kubectl alpha SUBCOMMAND [flags]` | 列出与 alpha 特性对应的可用命令，这些特性在 Kubernetes 集群中默认情况下是不启用的。
-`annotate`    | <code>kubectl annotate (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 添加或更新一个或多个资源的注解。
-`api-resources`    | `kubectl api-resources [flags]` | 列出可用的 API 资源。
-`api-versions`    | `kubectl api-versions [flags]` | 列出可用的 API 版本。
-`apply`            | `kubectl apply -f FILENAME [flags]`| 从文件或 stdin 对资源应用配置更改。
-`attach`        | `kubectl attach POD -c CONTAINER [-i] [-t] [flags]` | 附加到正在运行的容器，查看输出流或与容器（stdin）交互。
-`auth`    | `kubectl auth [flags] [options]` | 检查授权。
-`autoscale`    | <code>kubectl autoscale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU] [flags]</code> | 自动伸缩由副本控制器管理的一组 pod。
-`certificate`    | `kubectl certificate SUBCOMMAND [options]` | 修改证书资源。
-`cluster-info`    | `kubectl cluster-info [flags]` | 显示有关集群中主服务器和服务的端口信息。
-`completion`    | `kubectl completion SHELL [options]` | 为指定的 shell （bash 或 zsh）输出 shell 补齐代码。
-`config`        | `kubectl config SUBCOMMAND [flags]` | 修改 kubeconfig 文件。有关详细信息，请参阅各个子命令。
-`convert`    | `kubectl convert -f FILENAME [options]` | 在不同的 API 版本之间转换配置文件。配置文件可以是 YAML 或 JSON 格式。
-`cordon`    | `kubectl cordon NODE [options]` | 将节点标记为不可调度。
-`cp`    | `kubectl cp <file-spec-src> <file-spec-dest> [options]` | 在容器之间复制文件和目录。
-`create`        | `kubectl create -f FILENAME [flags]` | 从文件或 stdin 创建一个或多个资源。
-`delete`        | <code>kubectl delete (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label &#124; --all]) [flags]</code> | 从文件、标准输入或指定标签选择器、名称、资源选择器或资源中删除资源。
-`describe`    | <code>kubectl describe (-f FILENAME &#124; TYPE [NAME_PREFIX &#124; /NAME &#124; -l label]) [flags]</code> | 显示一个或多个资源的详细状态。
-`diff`        | `kubectl diff -f FILENAME [flags]`| 将 live 配置和文件或标准输入做对比 (**BETA**)
-`drain`    | `kubectl drain NODE [options]` | 腾空节点以准备维护。
-`edit`        | <code>kubectl edit (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [flags]</code> | 使用默认编辑器编辑和更新服务器上一个或多个资源的定义。
-`exec`        | `kubectl exec POD [-c CONTAINER] [-i] [-t] [flags] [-- COMMAND [args...]]` | 对 pod 中的容器执行命令。
-`explain`    | `kubectl explain  [--recursive=false] [flags]` | 获取多种资源的文档。例如 pod, node, service 等。
-`expose`        | <code>kubectl expose (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--port=port] [--protocol=TCP&#124;UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type] [flags]</code> | 将副本控制器、服务或 pod 作为新的 Kubernetes 服务暴露。
-`get`        | <code>kubectl get (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label]) [--watch] [--sort-by=FIELD] [[-o &#124; --output]=OUTPUT_FORMAT] [flags]</code> | 列出一个或多个资源。
-`kustomize`    | `kubectl kustomize <dir> [flags] [options]` | 列出从 kustomization.yaml 文件中的指令生成的一组 API 资源。参数必须是包含文件的目录的路径，或者是 git 存储库 URL，其路径后缀相对于存储库根目录指定了相同的路径。
-`label`        | <code>kubectl label (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 添加或更新一个或多个资源的标签。
-`logs`        | `kubectl logs POD [-c CONTAINER] [--follow] [flags]` | 在 pod 中打印容器的日志。
-`options`    | `kubectl options` | 全局命令行选项列表，适用于所有命令。
-`patch`        | <code>kubectl patch (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --patch PATCH [flags]</code> | 使用策略合并 patch 程序更新资源的一个或多个字段。
-`plugin`    | `kubectl plugin [flags] [options]` | 提供用于与插件交互的实用程序。
-`port-forward`    | `kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N] [flags]` | 将一个或多个本地端口转发到一个 pod。
-`proxy`        | `kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [flags]` | 运行 Kubernetes API 服务器的代理。
-`replace`        | `kubectl replace -f FILENAME` | 从文件或标准输入中替换资源。
-`rollout`    | `kubectl rollout SUBCOMMAND [options]` | 管理资源的部署。有效的资源类型包括：Deployments, DaemonSets 和 StatefulSets。
-`run`        | <code>kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server &#124; client &#124; none] [--overrides=inline-json] [flags]</code> | 在集群上运行指定的镜像。
 `scale`        | <code>kubectl scale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --replicas=COUNT [--resource-version=version] [--current-replicas=count] [flags]</code> | 更新指定副本控制器的大小。
-`set`    | `kubectl set SUBCOMMAND [options]` | 配置应用程序资源。
+`set`    | `kubectl set SUBCOMMAND [options]` | 配置应用资源。
 `taint`    | `kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N [options]` | 更新一个或多个节点上的污点。
-`top`    | `kubectl top [flags] [options]` | 显示资源（CPU/内存/存储）的使用情况。
+`top`    | `kubectl top [flags] [options]` | 显示资源（CPU、内存、存储）的使用情况。
 `uncordon`    | `kubectl uncordon NODE [options]` | 将节点标记为可调度。
 `version`        | `kubectl version [--client] [flags]` | 显示运行在客户端和服务器上的 Kubernetes 版本。
-`wait`    | <code>kubectl wait ([-f FILENAME] &#124; resource.group/resource.name &#124; resource.group [(-l label &#124; --all)]) [--for=delete&#124;--for condition=available] [options]</code> | 实验性：等待一种或多种资源的特定条件。
-
+`wait`    | <code>kubectl wait ([-f FILENAME] &#124; resource.group/resource.name &#124; resource.group [(-l label &#124; --all)]) [--for=delete&#124;--for condition=available] [options]</code> | 实验特性：等待一种或多种资源的特定状况。
 
 <!--
 To learn more about command operations, see the [kubectl](/docs/reference/kubectl/kubectl/) reference documentation.
 -->
-了解更多有关命令操作的信息，请参阅 [kubectl](/zh/docs/reference/kubectl/kubectl/) 参考文档。
+了解更多有关命令操作的信息，
+请参阅 [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 参考文档。
 
 <!--
 ## Resource types
 -->
-
 ## 资源类型
 
 <!--
-The following table includes a list of all the supported resource types and their abbreviated aliases:
+The following table includes a list of all the supported resource types and their abbreviated aliases.
 -->
-下表列出所有受支持的资源类型及其缩写别名:
+下表列出所有受支持的资源类型及其缩写别名。
 
 <!--
 (This output can be retrieved from `kubectl api-resources`, and was accurate as of Kubernetes 1.19.1.)
@@ -272,62 +361,6 @@ The following table includes a list of all the supported resource types and thei
 <!--
 | NAME | SHORTNAMES | APIGROUP | NAMESPACED | KIND |
 |---|---|---|---|---|
-| `bindings` | | | true | Binding |
-| `componentstatuses` | `cs` | | false | ComponentStatus |
-| `configmaps` | `cm` | | true | ConfigMap |
-| `endpoints` | `ep` | | true | Endpoints |
-| `events` | `ev` | | true | Event |
-| `limitranges` | `limits` | | true | LimitRange |
-| `namespaces` | `ns` | | false | Namespace |
-| `nodes` | `no` | | false | Node |
-| `persistentvolumeclaims` | `pvc` | | true | PersistentVolumeClaim |
-| `persistentvolumes` | `pv` | | false | PersistentVolume |
-| `pods` | `po` | | true | Pod |
-| `podtemplates` | | | true | PodTemplate |
-| `replicationcontrollers` | `rc` | | true | ReplicationController |
-| `resourcequotas` | `quota` | | true | ResourceQuota |
-| `secrets` | | | true | Secret |
-| `serviceaccounts` | `sa` | | true | ServiceAccount |
-| `services` | `svc` | | true | Service |
-| `mutatingwebhookconfigurations` | | admissionregistration.k8s.io | false | MutatingWebhookConfiguration |
-| `validatingwebhookconfigurations` | | admissionregistration.k8s.io | false | ValidatingWebhookConfiguration |
-| `customresourcedefinitions` | `crd,crds` | apiextensions.k8s.io | false | CustomResourceDefinition |
-| `apiservices` | | apiregistration.k8s.io | false | APIService |
-| `controllerrevisions` | | apps | true | ControllerRevision |
-| `daemonsets` | `ds` | apps | true | DaemonSet |
-| `deployments` | `deploy` | apps | true | Deployment |
-| `replicasets` | `rs` | apps | true | ReplicaSet |
-| `statefulsets` | `sts` | apps | true | StatefulSet |
-| `tokenreviews` | | authentication.k8s.io | false | TokenReview |
-| `localsubjectaccessreviews` | | authorization.k8s.io | true | LocalSubjectAccessReview |
-| `selfsubjectaccessreviews` | | authorization.k8s.io | false | SelfSubjectAccessReview |
-| `selfsubjectrulesreviews` | | authorization.k8s.io | false | SelfSubjectRulesReview |
-| `subjectaccessreviews` | | authorization.k8s.io | false | SubjectAccessReview |
-| `horizontalpodautoscalers` | `hpa` | autoscaling | true | HorizontalPodAutoscaler |
-| `cronjobs` | `cj` | batch | true | CronJob |
-| `jobs` | | batch | true | Job |
-| `certificatesigningrequests` | `csr` | certificates.k8s.io | false | CertificateSigningRequest |
-| `leases` | | coordination.k8s.io | true | Lease |
-| `endpointslices` |  | discovery.k8s.io | true | EndpointSlice |
-| `events` | `ev` | events.k8s.io | true | Event |
-| `ingresses` | `ing` | extensions | true | Ingress |
-| `flowschemas` |  | flowcontrol.apiserver.k8s.io | false | FlowSchema |
-| `prioritylevelconfigurations` |  | flowcontrol.apiserver.k8s.io | false | PriorityLevelConfiguration |
-| `ingressclasses` |  | networking.k8s.io | false | IngressClass |
-| `ingresses` | `ing` | networking.k8s.io | true | Ingress |
-| `networkpolicies` | `netpol` | networking.k8s.io | true | NetworkPolicy |
-| `runtimeclasses` |  | node.k8s.io | false | RuntimeClass |
-| `poddisruptionbudgets` | `pdb` | policy | true | PodDisruptionBudget |
-| `podsecuritypolicies` | `psp` | policy | false | PodSecurityPolicy |
-| `clusterrolebindings` | | rbac.authorization.k8s.io | false | ClusterRoleBinding |
-| `clusterroles` | | rbac.authorization.k8s.io | false | ClusterRole |
-| `rolebindings` | | rbac.authorization.k8s.io | true | RoleBinding |
-| `roles` | | rbac.authorization.k8s.io | true | Role |
-| `priorityclasses` | `pc` | scheduling.k8s.io | false | PriorityClass |
-| `csidrivers` | | storage.k8s.io | false | CSIDriver |
-| `csinodes` | | storage.k8s.io | false | CSINode |
-| `storageclasses` | `sc` | storage.k8s.io | false | StorageClass |
-| `volumeattachments` | | storage.k8s.io | false | VolumeAttachment |
 -->
 | 资源名 | 缩写名 | API 分组 | 按命名空间 | 资源类型 |
 |---|---|---|---|---|
@@ -388,7 +421,6 @@ The following table includes a list of all the supported resource types and thei
 | `storageclasses` | `sc` | storage.k8s.io | false | StorageClass |
 | `volumeattachments` | | storage.k8s.io | false | VolumeAttachment |
 
-
 <!--
 ## Output options
 -->
@@ -398,7 +430,8 @@ The following table includes a list of all the supported resource types and thei
 <!--
 Use the following sections for information about how you can format or sort the output of certain commands. For details about which commands support the various output options, see the [kubectl](/docs/reference/kubectl/kubectl/) reference documentation.
 -->
-有关如何格式化或排序某些命令的输出的信息，请使用以下部分。有关哪些命令支持各种输出选项的详细信息，请参阅[kubectl](/zh/docs/reference/kubectl/kubectl/) 参考文档。
+有关如何格式化或排序某些命令的输出的信息，请参阅以下章节。有关哪些命令支持不同输出选项的详细信息，
+请参阅 [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 参考文档。
 
 <!--
 ### Formatting output
@@ -408,7 +441,8 @@ Use the following sections for information about how you can format or sort the
 <!--
 The default output format for all `kubectl` commands is the human readable plain-text format. To output details to your terminal window in a specific format, you can add either the `-o` or `--output` flags to a supported `kubectl` command.
 -->
-所有 `kubectl` 命令的默认输出格式都是人类可读的纯文本格式。要以特定格式向终端窗口输出详细信息，可以将 `-o` 或 `--output` 参数添加到受支持的 `kubectl` 命令中。
+所有 `kubectl` 命令的默认输出格式都是人类可读的纯文本格式。要以特定格式在终端窗口输出详细信息，
+可以将 `-o` 或 `--output` 参数添加到受支持的 `kubectl` 命令中。
 
 <!--
 #### Syntax
@@ -416,13 +450,13 @@ The default output format for all `kubectl` commands is the human readable plain
 #### 语法
 
 ```shell
-kubectl [command] [TYPE] [NAME] -o=<output_format>
+kubectl [command] [TYPE] [NAME] -o <output_format>
 ```
 
 <!--
 Depending on the `kubectl` operation, the following output formats are supported:
 -->
-根据 `kubectl` 操作，支持以下输出格式：
+取决于具体的 `kubectl` 操作，支持的输出格式如下：
 
 <!--
 Output format | Description
@@ -436,18 +470,17 @@ Output format | Description
 `-o wide`     | Output in the plain-text format with any additional information. For pods, the node name is included.
 `-o yaml`     | Output a YAML formatted API object.
 -->
-Output format | Description
+输出格式  |  描述
 --------------| -----------
 `-o custom-columns=<spec>` | 使用逗号分隔的[自定义列](#custom-columns)列表打印表。
 `-o custom-columns-file=<filename>` | 使用 `<filename>` 文件中的[自定义列](#custom-columns)模板打印表。
 `-o json`     | 输出 JSON 格式的 API 对象
-`-o jsonpath=<template>` | 打印 [jsonpath](/zh/docs/reference/kubectl/jsonpath/) 表达式定义的字段
-`-o jsonpath-file=<filename>` | 打印 `<filename>` 文件中 [jsonpath](/zh/docs/reference/kubectl/jsonpath/) 表达式定义的字段。
+`-o jsonpath=<template>` | 打印 [jsonpath](/zh-cn/docs/reference/kubectl/jsonpath/) 表达式定义的字段
+`-o jsonpath-file=<filename>` | 打印 `<filename>` 文件中 [jsonpath](/zh-cn/docs/reference/kubectl/jsonpath/) 表达式定义的字段。
 `-o name`     | 仅打印资源名称而不打印任何其他内容。
-`-o wide`     | 以纯文本格式输出，包含任何附加信息。对于 pod 包含节点名。
+`-o wide`     | 以纯文本格式输出，包含所有附加信息。对于 Pod 包含节点名。
 `-o yaml`     | 输出 YAML 格式的 API 对象。
 
-
 <!--
 ##### Example
 -->
@@ -457,27 +490,29 @@ Output format | Description
 <!--
 In this example, the following command outputs the details for a single pod as a YAML formatted object:
 -->
-在此示例中，以下命令将单个 pod 的详细信息输出为 YAML 格式的对象：
+在此示例中，以下命令将单个 Pod 的详细信息输出为 YAML 格式的对象：
 
 ```shell
 kubectl get pod web-pod-13je7 -o yaml
 ```
-
 <!--
 Remember: See the [kubectl](/docs/reference/kubectl/kubectl/) reference documentation
 for details about which output format is supported by each command.
 -->
-请记住：有关每个命令支持哪种输出格式的详细信息，请参阅 [kubectl](/zh/docs/reference/kubectl/kubectl/) 参考文档。
+请记住：有关每个命令支持哪种输出格式的详细信息，
+请参阅 [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 参考文档。
 
 <!--
 #### Custom columns
 -->
-#### 自定义列
+#### 自定义列   {#custom-columns}
 
 <!--
-To define custom columns and output only the details that you want into a table, you can use the `custom-columns` option. You can choose to define the custom columns inline or use a template file: `-o=custom-columns=<spec>` or `-o=custom-columns-file=<filename>`.
+To define custom columns and output only the details that you want into a table, you can use the `custom-columns` option.
+You can choose to define the custom columns inline or use a template file: `-o custom-columns=<spec>` or `-o custom-columns-file=<filename>`.
 -->
-要定义自定义列并仅将所需的详细信息输出到表中，可以使用该 custom-columns 选项。你可以选择内联定义自定义列或使用模板文件：`-o=custom-columns=<spec>` 或 `-o=custom-columns-file=<filename>`。
+要定义自定义列并仅将所需的详细信息输出到表中，可以使用 `custom-columns` 选项。
+你可以选择内联定义自定义列或使用模板文件：`-o custom-columns=<spec>` 或 `-o custom-columns-file=<filename>`。
 
 <!--
 ##### Examples
@@ -515,7 +550,7 @@ metadata.name metadata.resourceVersion
 <!--
 The result of running either command is similar to:
 -->
-运行任何一个命令的结果类似于:
+运行这两个命令之一的结果类似于：
 
 ```shell
 NAME           RSRC
@@ -550,7 +585,7 @@ This feature is enabled by default. To disable it, add the
 <!--
 To print information about the status of a pod, use a command like the following:
 -->
-要打印有关 pod 状态的信息，请使用如下命令：
+要打印有关 Pod 状态的信息，请使用如下命令：
 
 ```shell
 kubectl get pods <pod-name> --server-print=false
@@ -574,7 +609,9 @@ pod-name   1m
 <!--
 To output objects to a sorted list in your terminal window, you can add the `--sort-by` flag to a supported `kubectl` command. Sort your objects by specifying any numeric or string field with the `--sort-by` flag. To specify a field, use a [jsonpath](/docs/reference/kubectl/jsonpath/) expression.
 -->
-要将对象排序后输出到终端窗口，可以将 `--sort-by` 参数添加到支持的 `kubectl` 命令。通过使用 `--sort-by` 参数指定任何数字或字符串字段来对对象进行排序。要指定字段，请使用 [jsonpath](/zh/docs/reference/kubectl/jsonpath/) 表达式。
+要将对象排序后输出到终端窗口，可以将 `--sort-by` 参数添加到支持的 `kubectl` 命令。
+通过使用 `--sort-by` 参数指定任何数字或字符串字段来对对象进行排序。
+要指定字段，请使用 [jsonpath](/zh-cn/docs/reference/kubectl/jsonpath/) 表达式。
 
 <!--
 #### Syntax
@@ -593,7 +630,7 @@ kubectl [command] [TYPE] [NAME] --sort-by=<jsonpath_exp>
 <!--
 To print a list of pods sorted by name, you run:
 -->
-要打印按名称排序的 pod 列表，请运行：
+要打印按名称排序的 Pod 列表，请运行：
 
 ```shell
 kubectl get pods --sort-by=.metadata.name
@@ -633,7 +670,7 @@ kubectl apply -f example-service.yaml
 # 使用 example-controller.yaml 中的定义创建 replication controller。
 kubectl apply -f example-controller.yaml
 
-# 使用 <directory> 路径下的任意 .yaml, .yml, 或 .json 文件 创建对象。
+# 使用 <directory> 路径下的任意 .yaml、.yml 或 .json 文件 创建对象。
 kubectl apply -f <directory>
 ```
 
@@ -644,18 +681,29 @@ kubectl apply -f <directory>
 
 <!--
 # List all pods in plain-text output format.
+kubectl get pods
+
 # List all pods in plain-text output format and include additional information (such as node name).
+kubectl get pods -o wide
+
 # List the replication controller with the specified name in plain-text output format. Tip: You can shorten and replace the 'replicationcontroller' resource type with the alias 'rc'.
+kubectl get replicationcontroller <rc-name>
+
 # List all replication controllers and services together in plain-text output format.
-# List all daemon sets, including uninitialized ones, in plain-text output format.
+kubectl get rc,services
+
+# List all daemon sets in plain-text output format.
+kubectl get ds
+
 # List all pods running on node server01
+kubectl get pods --field-selector=spec.nodeName=server01
 -->
 
 ```shell
-# 以纯文本输出格式列出所有 pod。
+# 以纯文本输出格式列出所有 Pod。
 kubectl get pods
 
-# 以纯文本输出格式列出所有 pod，并包含附加信息(如节点名)。
+# 以纯文本输出格式列出所有 Pod，并包含附加信息(如节点名)。
 kubectl get pods -o wide
 
 # 以纯文本输出格式列出具有指定名称的副本控制器。提示：你可以使用别名 'rc' 缩短和替换 'replicationcontroller' 资源类型。
@@ -667,7 +715,7 @@ kubectl get rc,services
 # 以纯文本输出格式列出所有守护程序集，包括未初始化的守护程序集。
 kubectl get ds --include-uninitialized
 
-# 列出在节点 server01 上运行的所有 pod
+# 列出在节点 server01 上运行的所有 Pod
 kubectl get pods --field-selector=spec.nodeName=server01
 ```
 
@@ -687,22 +735,22 @@ kubectl describe pods/<pod-name>
 # Remember: Any pods that are created by the replication controller get prefixed with the name of the replication controller.
 kubectl describe pods <rc-name>
 
-# Describe all pods, not including uninitialized ones
+# Describe all pods
 kubectl describe pods
 -->
 
 ```shell
-# 显示名称为 <node-name> 的节点的详细信息。
+# 显示名为 <pod-name> 的 Pod 的详细信息。
 kubectl describe nodes <node-name>
 
-# 显示名为 <pod-name> 的 pod 的详细信息。
+# 显示名为 <pod-name> 的 Pod 的详细信息。
 kubectl describe pods/<pod-name>
 
-# 显示由名为 <rc-name> 的副本控制器管理的所有 pod 的详细信息。
-# 记住：副本控制器创建的任何 pod 都以复制控制器的名称为前缀。
+# 显示由名为 <rc-name> 的副本控制器管理的所有 Pod 的详细信息。
+# 记住：副本控制器创建的任何 Pod 都以副本控制器的名称为前缀。
 kubectl describe pods <rc-name>
 
-# 描述所有的 pod，不包括未初始化的 pod
+# 描述所有的 Pod
 kubectl describe pods
 ```
 
@@ -719,17 +767,18 @@ API server to build a view for the user. For example, the `kubectl describe node
 command retrieves not only the information about the node, but also a summary of
 the pods running on it, the events generated for the node etc.
 -->
-`kubectl get` 命令通常用于检索同一资源类型的一个或多个资源。
-它具有丰富的参数，允许你使用 `-o` 或 `--output` 参数自定义输出格式。你可以指定 `-w` 或 `--watch` 参数以开始观察特定对象的更新。
+`kubectl get` 命令通常用于检索同一资源类别的一个或多个资源。
+它具有丰富的参数，允许你使用 `-o` 或 `--output` 参数自定义输出格式。
+你可以指定 `-w` 或 `--watch` 参数以开始监测特定对象的更新。
 `kubectl describe` 命令更侧重于描述指定资源的许多相关方面。它可以调用对 `API 服务器` 的多个 API 调用来为用户构建视图。
-例如，该 `kubectl describe node` 命令不仅检索有关节点的信息，还检索在其上运行的 pod 的摘要，为节点生成的事件等。
+例如，该 `kubectl describe node` 命令不仅检索有关节点的信息，还检索在其上运行的 Pod 的摘要，为节点生成的事件等。
 
 {{< /note >}}
 
 <!--
 `kubectl delete` - Delete resources either from a file, stdin, or specifying label selectors, names, resource selectors, or resources.
 -->
-`kubectl delete` - 从文件、stdin 或指定标签选择器、名称、资源选择器或资源中删除资源。
+`kubectl delete` - 基于文件、标准输入或通过指定标签选择器、名称、资源选择器或资源来删除资源。
 
 <!--
 ```shell
@@ -746,20 +795,20 @@ kubectl delete pods --all
 -->
 
 ```shell
-# 使用 pod.yaml 文件中指定的类型和名称删除 pod。
+# 使用 pod.yaml 文件中指定的类型和名称删除 Pod。
 kubectl delete -f pod.yaml
 
 # 删除所有带有 '<label-key>=<label-value>' 标签的 Pod 和服务。
 kubectl delete pods,services -l <label-key>=<label-value>
 
-# 删除所有 pod，包括未初始化的 pod。
+# 删除所有 Pod，包括未初始化的 Pod。
 kubectl delete pods --all
 ```
 
 <!--
 `kubectl exec` - Execute a command against a container in a pod.
 -->
-`kubectl exec` - 对 pod 中的容器执行命令。
+`kubectl exec` - 对 Pod 中的容器执行命令。
 
 <!--
 # Get output from running 'date' from pod <pod-name>. By default, output is from the first container.
@@ -773,13 +822,13 @@ kubectl exec -ti <pod-name> -- /bin/bash
 -->
 
 ```shell
-# 从 pod <pod-name> 中获取运行 'date' 的输出。默认情况下，输出来自第一个容器。
+# 从 Pod <pod-name> 中获取运行 'date' 的输出。默认情况下，输出来自第一个容器。
 kubectl exec <pod-name> -- date
 
-# 运行输出 'date' 获取在容器的 <container-name> 中 pod <pod-name> 的输出。
+# 运行输出 'date' 获取在 Pod <pod-name> 中容器 <container-name> 的输出。
 kubectl exec <pod-name> -c <container-name> -- date
 
-# 获取一个交互 TTY 并运行 /bin/bash <pod-name >。默认情况下，输出来自第一个容器。
+# 获取一个交互 TTY 并在 Pod  <pod-name> 中运行 /bin/bash。默认情况下，输出来自第一个容器。
 kubectl exec -ti <pod-name> -- /bin/bash
 ```
 
@@ -797,13 +846,34 @@ kubectl logs -f <pod-name>
 -->
 
 ```shell
-# 从 pod 返回日志快照。
+# 返回 Pod <pod-name> 的日志快照。
 kubectl logs <pod-name>
 
-# 从 pod <pod-name> 开始流式传输日志。这类似于 'tail -f' Linux 命令。
+# 从 Pod <pod-name> 开始流式传输日志。这类似于 'tail -f' Linux 命令。
 kubectl logs -f <pod-name>
 ```
 
+<!--
+`kubectl diff` - View a diff of the proposed updates to a cluster.
+
+```shell
+# Diff resources included in "pod.json".
+kubectl diff -f pod.json
+
+# Diff file read from stdin.
+cat service.yaml | kubectl diff -f -
+```
+-->
+`kubectl diff` - 查看集群建议更新的差异。
+
+```shell
+# “pod.json”中包含的差异资源。
+kubectl diff -f pod.json
+
+# 从标准输入读取的差异文件。
+cat service.yaml | kubectl diff -f -
+```
+
 <!--
 ## Examples: Creating and using plugins
 -->
@@ -820,11 +890,31 @@ Use the following set of examples to help you familiarize yourself with writing
 # create a simple plugin in any language and name the resulting executable file
 # so that it begins with the prefix "kubectl-"
 cat ./kubectl-hello
+```
+-->
+```shell
+# 用任何语言创建一个简单的插件，并为生成的可执行文件命名
+# 以前缀 "kubectl-" 开始
+cat ./kubectl-hello
+```
+
+<!--
+```shell
 #!/bin/sh
 
 # this plugin prints the words "hello world"
 echo "hello world"
 ```
+-->
+
+```shell
+#!/bin/sh
+
+# 这个插件打印单词 "hello world"
+echo "hello world"
+```
+
+<!--
 With a plugin written, let's make it executable:
 ```bash
 chmod a+x ./kubectl-hello
@@ -838,20 +928,10 @@ sudo chown root:root /usr/local/bin
 kubectl hello
 ```
 -->
-```shell
-# 用任何语言创建一个简单的插件，并为生成的可执行文件命名
-# 以前缀 "kubectl-" 开始
-cat ./kubectl-hello
-```
-
-```shell
-#!/bin/sh
 
-# 这个插件打印单词 "hello world"
-echo "hello world"
-```
 这个插件写好了，把它变成可执行的：
 ```bash
+
 sudo chmod a+x ./kubectl-hello
 
 # 并将其移动到路径中的某个位置
@@ -862,6 +942,7 @@ sudo chown root:root /usr/local/bin
 # 你可以开始使用这个插件，从 kubectl 调用它，就像它是一个常规命令一样
 kubectl hello
 ```
+
 ```
 hello world
 ```
@@ -873,7 +954,7 @@ sudo rm /usr/local/bin/kubectl-hello
 ```
 -->
 ```shell
-# 你可以"卸载"一个插件，只需从你的路径中删除它
+# 你可以"卸载"一个插件，只需从你的 $PATH 中删除它
 sudo rm /usr/local/bin/kubectl-hello
 ```
 
@@ -887,13 +968,6 @@ kubectl plugin list
 ```
 <!--
 The output is similar to:
-```
-The following kubectl-compatible plugins are available:
-
-/usr/local/bin/kubectl-hello
-/usr/local/bin/kubectl-foo
-/usr/local/bin/kubectl-bar
-```
 -->
 输出类似于：
 ```
@@ -911,23 +985,12 @@ sudo chmod -x /usr/local/bin/kubectl-foo # remove execute permission
 kubectl plugin list
 ```
 -->
-`kubectl plugin list`指令也可以向你告警哪些插件被运行，或是被其它插件覆盖了,例如:
+`kubectl plugin list` 指令也可以向你告警哪些插件被运行，或是被其它插件覆盖了，例如：
 ```shell
 sudo chmod -x /usr/local/bin/kubectl-foo # 删除执行权限
 kubectl plugin list
 ```
-<!--
-```
-The following kubectl-compatible plugins are available:
-
-/usr/local/bin/kubectl-hello
-/usr/local/bin/kubectl-foo
-  - warning: /usr/local/bin/kubectl-foo identified as a plugin, but it is not executable
-/usr/local/bin/kubectl-bar
 
-error: one plugin warning was found
-```
--->
 ```
 The following kubectl-compatible plugins are available:
 
@@ -945,10 +1008,6 @@ of the existing kubectl commands:
 -->
 你可以将插件视为在现有 kubectl 命令之上构建更复杂功能的一种方法：
 
-<!--
-```shell
-cat ./kubectl-whoami```
--->
 ```shell
 cat ./kubectl-whoami
 ```
@@ -957,7 +1016,7 @@ cat ./kubectl-whoami
 The next few examples assume that you already made `kubectl-whoami` have
 the following contents:
 -->
-接下来的几个示例假设你已经将 `kubectl-whoami` 设置为以下内容:
+接下来的几个示例假设你已经将 `kubectl-whoami` 设置为以下内容：
 
 <!--
 ```shell
@@ -979,7 +1038,7 @@ kubectl config view --template='{{ range .contexts }}{{ if eq .name "'$(kubectl
 Running the above command gives you an output containing the user for the
 current context in your KUBECONFIG file:
 -->
-运行以上命令将为你提供一个输出，其中包含 KUBECONFIG 文件中当前上下文的用户:
+运行以上命令将为你提供一个输出，其中包含 KUBECONFIG 文件中当前上下文的用户：
 
 <!--
 ```shell
@@ -1005,21 +1064,22 @@ kubectl whoami
 Current user: plugins-user
 ```
 
-<!--
-To find out more about plugins, take a look at the [example cli plugin](https://github.com/kubernetes/sample-cli-plugin).
--->
-要了解关于插件的更多信息，请查看[示例 cli 插件](https://github.com/kubernetes/sample-cli-plugin)。
-
-
-
 ## {{% heading "whatsnext" %}}
 
 
 <!--
-* Start using the [kubectl](/docs/reference/generated/kubectl/kubectl-commands/) commands.
-
-* To find out more about plugins, take a look at the [example cli plugin](https://github.com/kubernetes/sample-cli-plugin).
+* Read the `kubectl` reference documentation:
+  * the kubectl [command reference](/docs/reference/kubectl/kubectl/)
+  * the [command line arguments](/docs/reference/generated/kubectl/kubectl-commands/) reference
+* Learn about [`kubectl` usage conventions](/docs/reference/kubectl/conventions/)
+* Read about [JSONPath support](/docs/reference/kubectl/jsonpath/) in kubectl
+* Read about how to [extend kubectl with plugins](/docs/tasks/extend-kubectl/kubectl-plugins)
+  * To find out more about plugins, take a look at the [example CLI plugin](https://github.com/kubernetes/sample-cli-plugin).
 -->
-* 开始使用 [kubectl](/docs/reference/generated/kubectl/kubectl-commands/) 命令。
-
-* 查看更多[示例 cli 插件](https://github.com/kubernetes/sample-cli-plugin)。
+* 阅读 `kubectl` 参考文档：
+  * kubectl [命令参考](/zh-cn/docs/reference/kubectl/kubectl/)
+  * 参考[命令行参数](/docs/reference/generated/kubectl/kubectl-commands/)
+* 学习关于 [`kubectl` 使用约定](/zh-cn/docs/reference/kubectl/conventions/)
+* 阅读 kubectl 中的 [JSONPath 支持](/zh-cn/docs/reference/kubectl/jsonpath/)
+* 了解如何[使用插件扩展 kubectl](/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins)
+  * 查看更多[示例 cli 插件](https://github.com/kubernetes/sample-cli-plugin)。
\ No newline at end of file
diff --git a/content/zh/docs/reference/kubectl/cheatsheet.md b/content/zh-cn/docs/reference/kubectl/cheatsheet.md
similarity index 85%
rename from content/zh/docs/reference/kubectl/cheatsheet.md
rename to content/zh-cn/docs/reference/kubectl/cheatsheet.md
index 4bd973b8bdd48..a20e05c71319c 100644
--- a/content/zh/docs/reference/kubectl/cheatsheet.md
+++ b/content/zh-cn/docs/reference/kubectl/cheatsheet.md
@@ -1,6 +1,7 @@
 ---
 title: kubectl 备忘单
 content_type: concept
+weight: 10
 card:
   name: reference
   weight: 30
@@ -12,6 +13,7 @@ reviewers:
 - krousey
 - clove
 content_type: concept
+weight: 10 # highlight it
 card:
   name: reference
   weight: 30
@@ -54,7 +56,7 @@ echo "source <(kubectl completion bash)" >> ~/.bashrc # 在您的 bash shell 中
 
 ```bash
 alias k=kubectl
-complete -F __start_kubectl k
+complete -o default -F __start_kubectl k
 ```
 
 ### ZSH
@@ -70,6 +72,18 @@ source <(kubectl completion zsh)  # 在 zsh 中设置当前 shell 的自动补
 echo "[[ $commands[kubectl] ]] && source <(kubectl completion zsh)" >> ~/.zshrc # 在您的 zsh shell 中永久的添加自动补全
 ```
 
+<!--
+### A Note on --all-namespaces
+-->
+### 关于 --all-namespaces 的一点说明
+
+<!--
+Appending `--all-namespaces` happens frequently enough where you should be aware of the shorthand for `--all-namespaces`:
+-->
+我们经常用到 `--all-namespaces` 参数，你应该要知道它的简写：
+
+```kubectl -A```
+
 <!--
 ## Kubectl Context and Configuration
 
@@ -80,7 +94,7 @@ detailed config file information.
 ##  Kubectl 上下文和配置
 
 设置 `kubectl` 与哪个 Kubernetes 集群进行通信并修改配置信息。
-查看[使用 kubeconfig 跨集群授权访问](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
+查看[使用 kubeconfig 跨集群授权访问](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 文档获取配置文件详细信息。
 
 <!--
@@ -112,6 +126,10 @@ kubectl config set-context gce --user=cluster-admin --namespace=foo \
   && kubectl config use-context gce
 
 kubectl config unset users.foo                       # delete user foo
+
+# short alias to set/show context/namespace (only works for bash and bash-compatible shells, current context to be set before using kn to set namespace) 
+alias kx='f() { [ "$1" ] && kubectl config use-context $1 || kubectl config current-context ; } ; f'
+alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1 || kubectl config view --minify | grep namespace | cut -d" " -f6 ; } ; f'
 ```
 -->
 ```bash
@@ -140,6 +158,11 @@ kubectl config set-context gce --user=cluster-admin --namespace=foo \
   && kubectl config use-context gce
 
 kubectl config unset users.foo                       # 删除用户 foo
+
+# 设置或显示 context / namespace 的短别名
+# （仅适用于 bash 和 bash 兼容的 shell，在使用 kn 设置命名空间之前要先设置 current-context）
+alias kx='f() { [ "$1" ] && kubectl config use-context $1 || kubectl config current-context ; } ; f'
+alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1 || kubectl config view --minify | grep namespace | cut -d" " -f6 ; } ; f'
 ```
 
 <!--
@@ -172,10 +195,10 @@ kubectl apply -f https://git.io/vPieo          # create resource(s) from url
 kubectl create deployment nginx --image=nginx  # start a single instance of nginx
 
 # create a Job which prints "Hello World"
-kubectl create job hello --image=busybox -- echo "Hello World" 
+kubectl create job hello --image=busybox:1.28 -- echo "Hello World"
 
 # create a CronJob that prints "Hello World" every minute
-kubectl create cronjob hello --image=busybox   --schedule="*/1 * * * *" -- echo "Hello World"    
+kubectl create cronjob hello --image=busybox:1.28   --schedule="*/1 * * * *" -- echo "Hello World"    
 
 kubectl explain pods                           # get the documentation for pod manifests
 
@@ -188,7 +211,7 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox
+    image: busybox:1.28
     args:
     - sleep
     - "1000000"
@@ -200,7 +223,7 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox
+    image: busybox:1.28
     args:
     - sleep
     - "1000"
@@ -227,10 +250,10 @@ kubectl apply -f https://git.io/vPieo         # 从 URL 中创建资源
 kubectl create deployment nginx --image=nginx # 启动单实例 nginx
 
 # 创建一个打印 “Hello World” 的 Job
-kubectl create job hello --image=busybox -- echo "Hello World" 
+kubectl create job hello --image=busybox:1.28 -- echo "Hello World" 
 
 # 创建一个打印 “Hello World” 间隔1分钟的 CronJob
-kubectl create cronjob hello --image=busybox   --schedule="*/1 * * * *" -- echo "Hello World"    
+kubectl create cronjob hello --image=busybox:1.28   --schedule="*/1 * * * *" -- echo "Hello World"    
 
 kubectl explain pods                          # 获取 pod 清单的文档说明
 
@@ -243,7 +266,7 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox
+    image: busybox:1.28
     args:
     - sleep
     - "1000000"
@@ -255,7 +278,7 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox
+    image: busybox:1.28
     args:
     - sleep
     - "1000"
@@ -311,8 +334,8 @@ kubectl get configmap myconfig \
   -o jsonpath='{.data.ca\.crt}'
 
 # Get all worker nodes (use a selector to exclude results that have a label
-# named 'node-role.kubernetes.io/master')
-kubectl get node --selector='!node-role.kubernetes.io/master'
+# named 'node-role.kubernetes.io/control-plane')
+kubectl get node --selector='!node-role.kubernetes.io/control-plane'
 
 # Get all running pods in the namespace
 kubectl get pods --field-selector=status.phase=Running
@@ -350,14 +373,17 @@ kubectl diff -f ./my-manifest.yaml
 
 # Produce a period-delimited tree of all keys returned for nodes
 # Helpful when locating a key within a complex nested JSON structure
-kubectl get nodes -o json | jq -c 'path(..)|[.[]|tostring]|join(".")'
+kubectl get nodes -o json | jq -c 'paths|join(".")'
 
 # Produce a period-delimited tree of all keys returned for pods, etc
-kubectl get pods -o json | jq -c 'path(..)|[.[]|tostring]|join(".")'
+kubectl get pods -o json | jq -c 'paths|join(".")'
 
 # Produce ENV for all pods, assuming you have a default container for the pods, default namespace and the `env` command is supported.
 # Helpful when running any supported command across all pods, not just `env`
 for pod in $(kubectl get po --output=jsonpath={.items..metadata.name}); do echo $pod && kubectl exec -it $pod -- env; done
+
+# Get a deployment's status subresource
+kubectl get deployment nginx-deployment --subresource=status
 ```
 -->
 ```bash
@@ -390,8 +416,8 @@ kubectl get pods --selector=app=cassandra -o \
 kubectl get configmap myconfig \
   -o jsonpath='{.data.ca\.crt}'
 
-# 获取所有工作节点（使用选择器以排除标签名称为 'node-role.kubernetes.io/master' 的结果）
-kubectl get node --selector='!node-role.kubernetes.io/master'
+# 获取所有工作节点（使用选择器以排除标签名称为 'node-role.kubernetes.io/control-plane' 的结果）
+kubectl get node --selector='!node-role.kubernetes.io/control-plane'
 
 # 获取当前命名空间中正在运行的 Pods
 kubectl get pods --field-selector=status.phase=Running
@@ -429,14 +455,17 @@ kubectl diff -f ./my-manifest.yaml
 
 # 生成一个句点分隔的树，其中包含为节点返回的所有键
 # 在复杂的嵌套JSON结构中定位键时非常有用
-kubectl get nodes -o json | jq -c 'path(..)|[.[]|tostring]|join(".")'
+kubectl get nodes -o json | jq -c 'paths|join(".")'
 
 # 生成一个句点分隔的树，其中包含为pod等返回的所有键
-kubectl get pods -o json | jq -c 'path(..)|[.[]|tostring]|join(".")'
+kubectl get pods -o json | jq -c 'paths|join(".")'
 
 # 假设你的 Pods 有默认的容器和默认的名字空间，并且支持 'env' 命令，可以使用以下脚本为所有 Pods 生成 ENV 变量。
 # 该脚本也可用于在所有的 Pods 里运行任何受支持的命令，而不仅仅是 'env'。 
 for pod in $(kubectl get po --output=jsonpath={.items..metadata.name}); do echo $pod && kubectl exec -it $pod -- env; done
+
+# 获取一个 Deployment 的 status 子资源
+kubectl get deployment nginx-deployment --subresource=status
 ```
 
 <!--
@@ -453,7 +482,7 @@ kubectl rollout undo deployment/frontend --to-revision=2         # Rollback to a
 kubectl rollout status -w deployment/frontend                    # Watch rolling update status of "frontend" deployment until completion
 kubectl rollout restart deployment/frontend                      # Rolling restart of the "frontend" deployment
 
-cat pod.json | kubectl replace -f -                              # Replace a pod based on the JSON passed into std
+cat pod.json | kubectl replace -f -                              # Replace a pod based on the JSON passed into stdin
 
 # Force replace, delete and then re-create the resource. Will cause a service outage.
 kubectl replace --force -f ./pod.json
@@ -512,6 +541,9 @@ kubectl patch deployment valid-deployment  --type json   -p='[{"op": "remove", "
 
 # Add a new element to a positional array
 kubectl patch sa default --type='json' -p='[{"op": "add", "path": "/secrets/1", "value": {"name": "whatever" } }]'
+
+# Update a deployment's replica count by patching it's scale subresource
+kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
 ```
 -->
 ```bash
@@ -529,6 +561,9 @@ kubectl patch deployment valid-deployment  --type json   -p='[{"op": "remove", "
 
 # 在带位置数组中添加元素
 kubectl patch sa default --type='json' -p='[{"op": "add", "path": "/secrets/1", "value": {"name": "whatever" } }]'
+
+# 通过修正 scale 子资源来更新 Deployment 的副本数
+kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
 ```
 
 <!--
@@ -609,9 +644,8 @@ kubectl logs my-pod -c my-container --previous      # dump pod container logs (s
 kubectl logs -f my-pod                              # stream pod logs (stdout)
 kubectl logs -f my-pod -c my-container              # stream pod container logs (stdout, multi-container case)
 kubectl logs -f -l name=myLabel --all-containers    # stream all pods logs with label name=myLabel (stdout)
-kubectl run -i --tty busybox --image=busybox -- sh  # Run pod as interactive shell
-kubectl run nginx --image=nginx -n 
-mynamespace                                         # Run pod nginx in a specific namespace
+kubectl run -i --tty busybox --image=busybox:1.28 -- sh  # Run pod as interactive shell
+kubectl run nginx --image=nginx -n mynamespace      # Start a single instance of nginx pod in the namespace of mynamespace
 kubectl run nginx --image=nginx                     # Run pod nginx and write its spec into a file called pod.yaml
 --dry-run=client -o yaml > pod.yaml
 
@@ -634,8 +668,8 @@ kubectl logs my-pod -c my-container --previous      # 获取 Pod 中某容器的
 kubectl logs -f my-pod                              # 流式输出 Pod 的日志（标准输出）
 kubectl logs -f my-pod -c my-container              # 流式输出 Pod 容器的日志（标准输出, 多容器场景）
 kubectl logs -f -l name=myLabel --all-containers    # 流式输出含 name=myLabel 标签的 Pod 的所有日志（标准输出）
-kubectl run -i --tty busybox --image=busybox -- sh  # 以交互式 Shell 运行 Pod
-kubectl run nginx --image=nginx -n mynamespace      # 在指定名字空间中运行 nginx Pod
+kubectl run -i --tty busybox --image=busybox:1.28 -- sh  # 以交互式 Shell 运行 Pod
+kubectl run nginx --image=nginx -n mynamespace      # 在 “mynamespace” 命名空间中运行单个 nginx Pod
 kubectl run nginx --image=nginx                     # 运行 ngins Pod 并将其规约写入到名为 pod.yaml 的文件
   --dry-run=client -o yaml > pod.yaml
 
@@ -648,6 +682,46 @@ kubectl top pod POD_NAME --containers               # 显示给定 Pod 和其中
 kubectl top pod POD_NAME --sort-by=cpu              # 显示给定 Pod 的指标并且按照 'cpu' 或者 'memory' 排序
 ```
 
+<!--
+## Copy files and directories to and from containers
+-->
+## 从容器中复制文件和目录
+
+<!--
+```bash
+kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir            # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the current namespace
+kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container    # Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
+kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar       # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
+kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar       # Copy /tmp/foo from a remote pod to /tmp/bar locally
+```
+-->
+```bash
+kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir            # 将 /tmp/foo_dir 本地目录复制到远程当前命名空间中 Pod 中的 /tmp/bar_dir
+kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container    # 将 /tmp/foo 本地文件复制到远程 Pod 中特定容器的 /tmp/bar 下
+kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar       # 将 /tmp/foo 本地文件复制到远程 “my-namespace” 命名空间内指定 Pod 中的 /tmp/bar
+kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar       # 将 /tmp/foo 从远程 Pod 复制到本地 /tmp/bar
+```
+
+<!--
+`kubectl cp` requires that the 'tar' binary is present in your container image. If 'tar' is not present,`kubectl cp` will fail.
+For advanced use cases, such as symlinks, wildcard expansion or file mode preservation consider using `kubectl exec`.
+-->
+{{< note >}}
+`kubectl cp` 要求容器镜像中存在 “tar” 二进制文件。如果 “tar” 不存在，`kubectl cp` 将失败。
+对于进阶用例，例如符号链接、通配符扩展或保留文件权限，请考虑使用 `kubectl exec`。
+{{< /note >}}
+
+<!--
+```bash
+tar cf - /tmp/foo | kubectl exec -i -n my-namespace my-pod -- tar xf - -C /tmp/bar           # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
+kubectl exec -n my-namespace my-pod -- tar cf - /tmp/foo | tar xf - -C /tmp/bar    # Copy /tmp/foo from a remote pod to /tmp/bar locally
+```
+-->
+```bash
+tar cf - /tmp/foo | kubectl exec -i -n my-namespace my-pod -- tar xf - -C /tmp/bar  # 将 /tmp/foo 本地文件复制到远程 “my-namespace” 命名空间中 pod 中的 /tmp/bar
+kubectl exec -n my-namespace my-pod -- tar cf - /tmp/foo | tar xf - -C /tmp/bar    # 将 /tmp/foo 从远程 pod 复制到本地 /tmp/bar
+```
+
 <!--
 ## Interacting with Deployments and Services
 -->
@@ -716,7 +790,7 @@ kubectl taint nodes foo dedicated=special-user:NoSchedule
 <!--
 List all supported resource types along with their shortnames, [API group](/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning), whether they are [namespaced](/docs/concepts/overview/working-with-objects/namespaces), and [Kind](/docs/concepts/overview/working-with-objects/kubernetes-objects):
 -->
-列出所支持的全部资源类型和它们的简称、[API 组](/zh/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning), 是否是[名字空间作用域](/zh/docs/concepts/overview/working-with-objects/namespaces) 和 [Kind](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects)。
+列出所支持的全部资源类型和它们的简称、[API 组](/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning), 是否是[名字空间作用域](/zh-cn/docs/concepts/overview/working-with-objects/namespaces) 和 [Kind](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects)。
 
 ```bash
 kubectl api-resources
@@ -772,8 +846,8 @@ Output format | Description
 `-o=custom-columns=<spec>` | 使用逗号分隔的自定义列来打印表格
 `-o=custom-columns-file=<filename>` | 使用 `<filename>` 文件中的自定义列模板打印表格
 `-o=json`     | 输出 JSON 格式的 API 对象
-`-o=jsonpath=<template>` | 打印 [jsonpath](/zh/docs/reference/kubectl/jsonpath) 表达式中定义的字段
-`-o=jsonpath-file=<filename>` | 打印在 `<filename>` 文件中定义的 [jsonpath](/zh/docs/reference/kubectl/jsonpath) 表达式所指定的字段。
+`-o=jsonpath=<template>` | 打印 [jsonpath](/zh-cn/docs/reference/kubectl/jsonpath) 表达式中定义的字段
+`-o=jsonpath-file=<filename>` | 打印在 `<filename>` 文件中定义的 [jsonpath](/zh-cn/docs/reference/kubectl/jsonpath) 表达式所指定的字段。
 `-o=name`     | 仅打印资源名称而不打印其他内容
 `-o=wide`     | 以纯文本格式输出额外信息，对于 Pod 来说，输出中包含了节点名称
 `-o=yaml`     | 输出 YAML 格式的 API 对象
@@ -794,7 +868,7 @@ kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="k8s.gcr.
 # All fields under metadata regardless of name
 kubectl get pods -A -o=custom-columns='DATA:metadata.*'
 
-More examples in the kubectl [reference documentation](/docs/reference/kubectl/overview/#custom-columns).
+More examples in the kubectl [reference documentation](/docs/reference/kubectl/#custom-columns).
 ```
 -->
 使用 `-o=custom-columns` 的示例：
@@ -813,7 +887,7 @@ kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="k8s.gcr.
 kubectl get pods -A -o=custom-columns='DATA:metadata.*'
 ```
 
-有关更多示例，请参看 kubectl [参考文档](/zh/docs/reference/kubectl/overview/#custom-columns)。
+有关更多示例，请参看 kubectl [参考文档](/zh-cn/docs/reference/kubectl/#custom-columns)。
 
 <!--
 ### Kubectl output verbosity and debugging
@@ -857,7 +931,7 @@ Verbosity | Description
 
 <!--
 
-* Read the [kubectl overview](/docs/reference/kubectl/overview/) and learn about [JsonPath](/docs/reference/kubectl/jsonpath).
+* Read the [kubectl overview](/docs/reference/kubectl/) and learn about [JsonPath](/docs/reference/kubectl/jsonpath).
 
 * See [kubectl](/docs/reference/kubectl/kubectl/) options.
 
@@ -865,7 +939,7 @@ Verbosity | Description
 
 * See more community [kubectl cheatsheets](https://github.com/dennyzhang/cheatsheet-kubernetes-A4).
 -->
-* 参阅 [kubectl 概述](/zh/docs/reference/kubectl/overview/)，进一步了解[JsonPath](/zh/docs/reference/kubectl/jsonpath)。
-* 参阅 [kubectl](/zh/docs/reference/kubectl/kubectl/) 选项。
-* 参阅 [kubectl 使用约定](/zh/docs/reference/kubectl/conventions/)来理解如何在可复用的脚本中使用它。
+* 参阅 [kubectl 概述](/zh-cn/docs/reference/kubectl/)，进一步了解 [JsonPath](/zh-cn/docs/reference/kubectl/jsonpath)。
+* 参阅 [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 选项。
+* 参阅 [kubectl 使用约定](/zh-cn/docs/reference/kubectl/conventions/)来理解如何在可复用的脚本中使用它。
 * 查看社区中其他的 [kubectl 备忘单](https://github.com/dennyzhang/cheatsheet-kubernetes-A4)。
diff --git a/content/zh/docs/reference/kubectl/conventions.md b/content/zh-cn/docs/reference/kubectl/conventions.md
similarity index 85%
rename from content/zh/docs/reference/kubectl/conventions.md
rename to content/zh-cn/docs/reference/kubectl/conventions.md
index 78aa374a7c198..33332e071a2e5 100644
--- a/content/zh/docs/reference/kubectl/conventions.md
+++ b/content/zh-cn/docs/reference/kubectl/conventions.md
@@ -1,17 +1,12 @@
 ---
 title: kubectl 的用法约定
-reviewers:
-- janetkuo
 content_type: concept
 ---
-
 <!--
----
 title: kubectl Usage Conventions
 reviewers:
 - janetkuo
 content_type: concept
----
 -->
 
 <!-- overview -->
@@ -26,7 +21,7 @@ Recommended usage conventions for `kubectl`.
 <!--
 ## Using `kubectl` in Reusable Scripts
 -->
-## 在可重用脚本中使用 `kubectl`
+## 在可重用脚本中使用 `kubectl` {#using-kubectl-in-reusable-scripts}
 
 <!--
 For a stable output in a script:
@@ -58,14 +53,14 @@ reconciled by a controller to a different value.
 -->
 
 * 你可以将 `--subresource` alpha 标志用于 kubectl 命令，例如 `get`、`patch`、`edit` 和 `replace`
-  来获取和更新所有支持子资源的资源的子资源。 目前，仅支持 `status` 和 `scale` 子资源。
-* 针对子资源的 API 协定与完整资源相同。在更新`status` 子资源为一个新值时，请记住，
+  来获取和更新所有支持子资源的资源的子资源。目前，仅支持 `status` 和 `scale` 子资源。
+* 针对子资源的 API 协定与完整资源相同。在更新 `status` 子资源为一个新值时，请记住，
   子资源可能是潜在的由控制器调和为不同的值。
 
 <!--
 ## Best Practices
 -->
-## 最佳实践
+## 最佳实践 {#best-practices}
 
 ### `kubectl run`
 
@@ -80,7 +75,8 @@ For `kubectl run` to satisfy infrastructure as code:
 * Switch to configuration files checked into source control for features that are needed, but not expressible via `kubectl run` flags.
 -->
 
-* 使用特定版本的标签标记镜像，不要将该标签移动到新版本。例如，使用 `:v1234`、`v1.2.3`、`r03062016-1-4`，而不是 `:latest`（有关详细信息，请参阅[配置的最佳实践](/zh/docs/concepts/configuration/overview/#container-images))。
+* 使用特定版本的标签标记镜像，不要将该标签改为新版本。例如使用 `:v1234`、`v1.2.3`、`r03062016-1-4`，
+  而不是 `:latest`（有关详细信息，请参阅[配置的最佳实践](/zh-cn/docs/concepts/configuration/overview/#container-images))。
 * 使用基于版本控制的脚本来运行包含大量参数的镜像。
 * 对于无法通过 `kubectl run` 参数来表示的功能特性，使用基于源码控制的配置文件，以记录要使用的功能特性。
 
@@ -94,4 +90,4 @@ You can use the `--dry-run=client` flag to preview the object that would be sent
 <!--
 * You can use `kubectl apply` to create or update resources. For more information about using kubectl apply to update resources, see [Kubectl Book](https://kubectl.docs.kubernetes.io).
 -->
-* 您可以使用 `kubectl apply` 命令创建或更新资源。有关使用 kubectl apply 更新资源的详细信息，请参阅 [Kubectl 文档](https://kubectl.docs.kubernetes.io)。
+* 你可以使用 `kubectl apply` 命令创建或更新资源。有关使用 kubectl apply 更新资源的详细信息，请参阅 [Kubectl 文档](https://kubectl.docs.kubernetes.io)。
diff --git a/content/zh/docs/reference/kubectl/docker-cli-to-kubectl.md b/content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md
similarity index 78%
rename from content/zh/docs/reference/kubectl/docker-cli-to-kubectl.md
rename to content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md
index f31e6a23a7059..7a7880fc50c53 100644
--- a/content/zh/docs/reference/kubectl/docker-cli-to-kubectl.md
+++ b/content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md
@@ -1,25 +1,22 @@
 ---
 title: 适用于 Docker 用户的 kubectl
 content_type: concept
-reviewers:
-- brendandburns
-- thockin
 ---
 <!--
----
 title: kubectl for Docker Users
 content_type: concept
 reviewers:
 - brendandburns
 - thockin
----
 -->
 
 <!-- overview -->
 <!--
-You can use the Kubernetes command line tool `kubectl` to interact with the API Server. Using kubectl is straightforward if you are familiar with the Docker command line tool. However, there are a few differences between the docker commands and the kubectl commands. The following sections show a Docker sub-command and describe the equivalent `kubectl` command.
+You can use the Kubernetes command line tool `kubectl` to interact with the API Server. Using kubectl is straightforward if you are familiar with the Docker command line tool. However, there are a few differences between the Docker commands and the kubectl commands. The following sections show a Docker sub-command and describe the equivalent `kubectl` command.
 -->
-您可以使用 Kubernetes 命令行工具 `kubectl` 与 API 服务器进行交互。如果您熟悉 Docker 命令行工具，则使用 kubectl 非常简单。但是，Docker 命令和 kubectl 命令之间有一些区别。以下显示了 Docker 子命令，并描述了等效的 `kubectl` 命令。
+你可以使用 Kubernetes 命令行工具 `kubectl` 与 API 服务器进行交互。如果你熟悉 Docker 命令行工具，
+则使用 kubectl 非常简单。但是，Docker 命令和 kubectl 命令之间有一些区别。以下显示了 Docker 子命令，
+并描述了等效的 `kubectl` 命令。
 
 
 <!-- body -->
@@ -28,8 +25,12 @@ You can use the Kubernetes command line tool `kubectl` to interact with the API
 <!--
 To run an nginx Deployment and expose the Deployment, see [kubectl create deployment](/docs/reference/generated/kubectl/kubectl-commands#-em-deployment-em-).
 -->
-要运行 nginx 部署并将其暴露，请参见[kubectl create deployment](/docs/reference/generated/kubectl/kubectl-commands#-em-deployment-em-)
+要运行 nginx 部署并将其暴露，请参见 [kubectl create deployment](/docs/reference/generated/kubectl/kubectl-commands#-em-deployment-em-)
+
+<!--
 docker:
+-->
+使用 docker 命令：
 
 ```shell
 docker run -d --restart=always -e DOMAIN=cluster --name nginx-app -p 80:80 nginx
@@ -46,7 +47,10 @@ CONTAINER ID        IMAGE               COMMAND                  CREATED
 55c103fa1296        nginx               "nginx -g 'daemon of…"   9 seconds ago       Up 9 seconds        0.0.0.0:80->80/tcp   nginx-app
 ```
 
+<!--
 kubectl:
+-->
+使用 kubectl 命令：
 
 <!--
 ```shell
@@ -74,7 +78,7 @@ deployment.apps/nginx-app env updated
 <!--
 `kubectl` commands print the type and name of the resource created or mutated, which can then be used in subsequent commands. You can expose a new Service after a Deployment is created.
 -->
-`kubectl` 命令打印创建或突变资源的类型和名称，然后可以在后续命令中使用。部署后，您可以公开新服务。
+`kubectl` 命令打印创建或突变资源的类型和名称，然后可以在后续命令中使用。部署后，你可以公开新服务。
 {{< /note >}}
 
 <!--
@@ -94,12 +98,16 @@ service "nginx-http" exposed
 <!--
 By using kubectl, you can create a [Deployment](/docs/concepts/workloads/controllers/deployment/) to ensure that N pods are running nginx, where N is the number of replicas stated in the spec and defaults to 1. You can also create a [service](/docs/concepts/services-networking/service/) with a selector that matches the pod labels. For more information, see [Use a Service to Access an Application in a Cluster](/docs/tasks/access-application-cluster/service-access-application-cluster).
 -->
-在 kubectl 命令中，我们创建了一个 [Deployment](/zh/docs/concepts/workloads/controllers/deployment/)，这将保证有 N 个运行 nginx 的 pod(N 代表 spec 中声明的 replica 数，默认为 1)。我们还创建了一个 [service](/zh/docs/concepts/services-networking/service/)，其选择器与容器标签匹配。查看[使用服务访问群集中的应用程序](/zh/docs/tasks/access-application-cluster/service-access-application-cluster) 获取更多信息。
+在 kubectl 命令中，我们创建了一个 [Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)，
+这将保证有 N 个运行 nginx 的 Pod（N 代表 spec 中声明的 replica 数，默认为 1）。
+我们还创建了一个 [service](/zh-cn/docs/concepts/services-networking/service/)，其选择器与容器标签匹配。
+查看[使用服务访问集群中的应用程序](/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster) 获取更多信息。
 
 <!--
 By default images run in the background, similar to `docker run -d ...`. To run things in the foreground, use [`kubectl run`](/docs/reference/generated/kubectl/kubectl-commands/#run) to create pod:
 -->
-默认情况下镜像会在后台运行，与 `docker run -d ...` 类似，如果您想在前台运行，使用 [`kubectl run`](/docs/reference/generated/kubectl/kubectl-commands/#run) 在前台运行 Pod:
+默认情况下镜像会在后台运行，与 `docker run -d ...` 类似，如果你想在前台运行，
+使用 [`kubectl run`](/docs/reference/generated/kubectl/kubectl-commands/#run) 在前台运行 Pod:
 
 ```shell
 kubectl run [-i] [--tty] --attach <name> --image=<image>
@@ -109,14 +117,16 @@ kubectl run [-i] [--tty] --attach <name> --image=<image>
 Unlike `docker run ...`, if you specify `--attach`, then you attach `stdin`, `stdout` and `stderr`. You cannot control which streams are attached (`docker -a ...`).
 To detach from the container, you can type the escape sequence Ctrl+P followed by Ctrl+Q.
 -->
-与 `docker run ...` 不同的是，如果指定了 `--attach` ，我们将连接到 `stdin`，`stdout` 和 `stderr`，而不能控制具体连接到哪个输出流（`docker -a ...`）。要从容器中退出，可以输入 Ctrl + P，然后按 Ctrl + Q。
+与 `docker run ...` 不同的是，如果指定了 `--attach`，我们将连接到 `stdin`，`stdout` 和 `stderr`，
+而不能控制具体连接到哪个输出流（`docker -a ...`）。要从容器中退出，可以输入 Ctrl + P，然后按 Ctrl + Q。
 
 <!--
 Because the kubectl run command starts a Deployment for the container, the Deployment restarts if you terminate the attached process by using Ctrl+C, unlike `docker run -it`.
 To destroy the Deployment and its pods you need to run `kubectl delete deployment <name>`.
 -->
-因为我们使用 Deployment 启动了容器，如果您终止连接到的进程（例如 `ctrl-c`），容器将会重启，这跟 `docker run -it` 不同。
-如果想销毁该 Deployment（和它的 pod），您需要运行 `kubectl delete deployment <name>`。
+因为我们使用 Deployment 启动了容器，如果你终止连接到的进程（例如 `ctrl-c`），容器将会重启，
+这跟 `docker run -it` 不同。如果想销毁该 Deployment（和它的 Pod），
+你需要运行 `kubectl delete deployment <name>`。
 
 ## docker ps
 
@@ -158,7 +168,8 @@ ubuntu                      0/1       Completed   0          20s
 <!--
 To attach a process that is already running in a container, see [kubectl attach](/docs/reference/generated/kubectl/kubectl-commands/#attach).
 -->
-如何连接到已经运行在容器中的进程？查看 [kubectl attach](/docs/reference/generated/kubectl/kubectl-commands/#attach)。
+如何连接到已经运行在容器中的进程？
+查看 [kubectl attach](/docs/reference/generated/kubectl/kubectl-commands/#attach)。
 
 <!--
 docker:
@@ -262,14 +273,14 @@ docker exec -ti 55c103fa1296 /bin/sh
 kubectl:
 
 ```shell
-kubectl exec -ti nginx-app-5jyvm -- /bin/sh      
+kubectl exec -ti nginx-app-5jyvm -- /bin/sh
 # exit
 ```
 
 <!--
 For more information, see [Get a Shell to a Running Container](/docs/tasks/debug/debug-application/get-shell-running-container/).
 -->
-更多信息请查看[获取运行中容器的 Shell 环境](/zh/docs/tasks/debug/debug-application/get-shell-running-container/)。
+更多信息请查看[获取运行中容器的 Shell 环境](/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/)。
 
 ## docker logs
 
@@ -308,7 +319,10 @@ kubectl logs -f nginx-app-zibvs
 <!--
 There is a slight difference between pods and containers; by default pods do not terminate if their processes exit. Instead the pods restart the process. This is similar to the docker run option `--restart=always` with one major difference. In docker, the output for each invocation of the process is concatenated, but for Kubernetes, each invocation is separate. To see the output from a previous run in Kubernetes, do this:
 -->
-现在是时候提一下 pod 和容器之间的细微差别了；默认情况下如果 pod 中的进程退出 pod 也不会终止，相反它将会重启该进程。这类似于 docker run 时的 `--restart=always` 选项， 这是主要差别。在 docker 中，进程的每个调用的输出都是被连接起来的，但是对于 kubernetes，每个调用都是分开的。要查看以前在 kubernetes 中执行的输出，请执行以下操作：
+现在是时候提一下 Pod 和容器之间的细微差别了；默认情况下如果 Pod 中的进程退出 Pod 也不会终止，
+相反它将会重启该进程。这类似于 docker run 时的 `--restart=always` 选项，这是主要差别。
+在 docker 中，进程的每个调用的输出都是被连接起来的，但是对于 Kubernetes，每个调用都是分开的。
+要查看以前在 Kubernetes 中执行的输出，请执行以下操作：
 
 ```shell
 kubectl logs --previous nginx-app-zibvs
@@ -321,7 +335,7 @@ kubectl logs --previous nginx-app-zibvs
 <!--
 For more information, see [Logging Architecture](/docs/concepts/cluster-administration/logging/).
 -->
-查看[日志架构](/zh/docs/concepts/cluster-administration/logging/)获取更多信息。
+查看[日志架构](/zh-cn/docs/concepts/cluster-administration/logging/)获取更多信息。
 
 ## docker stop and docker rm
 
@@ -391,9 +405,10 @@ kubectl get po -l app=nginx-app
 
 {{< note >}}
 <!--
-When you use kubectl, you don't delete the pod directly.You have to first delete the Deployment that owns the pod. If you delete the pod directly, the Deployment recreates the pod.
+When you use kubectl, you don't delete the pod directly. You have to first delete the Deployment that owns the pod. If you delete the pod directly, the Deployment recreates the pod.
 -->
-请注意，我们不直接删除 pod。使用 kubectl 命令，我们要删除拥有该 pod 的 Deployment。如果我们直接删除 pod，Deployment 将会重新创建该 pod。
+请注意，我们不直接删除 Pod。使用 kubectl 命令，我们要删除拥有该 Pod 的 Deployment。
+如果我们直接删除 Pod，Deployment 将会重新创建该 Pod。
 {{< /note >}}
 
 ## docker login
@@ -401,7 +416,8 @@ When you use kubectl, you don't delete the pod directly.You have to first delete
 <!--
 There is no direct analog of `docker login` in kubectl. If you are interested in using Kubernetes with a private registry, see [Using a Private Registry](/docs/concepts/containers/images/#using-a-private-registry).
 -->
-在 kubectl 中没有对 `docker login` 的直接模拟。如果您有兴趣在私有镜像仓库中使用 Kubernetes，请参阅[使用私有镜像仓库](/zh/docs/concepts/containers/images/#using-a-private-registry)。
+在 kubectl 中没有对 `docker login` 的直接模拟。如果你有兴趣在私有镜像仓库中使用 Kubernetes，
+请参阅[使用私有镜像仓库](/zh-cn/docs/concepts/containers/images/#using-a-private-registry)。
 
 ## docker version
 
@@ -487,10 +503,10 @@ kubectl:
 kubectl cluster-info
 ```
 ```
-Kubernetes master is running at https://108.59.85.141
-KubeDNS is running at https://108.59.85.141/api/v1/namespaces/kube-system/services/kube-dns/proxy
-kubernetes-dashboard is running at https://108.59.85.141/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy
-Grafana is running at https://108.59.85.141/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
-Heapster is running at https://108.59.85.141/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
-InfluxDB is running at https://108.59.85.141/api/v1/namespaces/kube-system/services/monitoring-influxdb/proxy
+Kubernetes master is running at https://203.0.113.141
+KubeDNS is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/kube-dns/proxy
+kubernetes-dashboard is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy
+Grafana is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
+Heapster is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
+InfluxDB is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/monitoring-influxdb/proxy
 ```
diff --git a/content/zh/docs/reference/kubectl/jsonpath.md b/content/zh-cn/docs/reference/kubectl/jsonpath.md
similarity index 95%
rename from content/zh/docs/reference/kubectl/jsonpath.md
rename to content/zh-cn/docs/reference/kubectl/jsonpath.md
index 82385b700966b..5f3593eefab12 100644
--- a/content/zh/docs/reference/kubectl/jsonpath.md
+++ b/content/zh-cn/docs/reference/kubectl/jsonpath.md
@@ -3,17 +3,15 @@ title: JSONPath 支持
 content_type: concept
 ---
 <!--
----
 title: JSONPath Support
 content_type: concept
----
 -->
 
 <!-- overview -->
 <!--
 Kubectl supports JSONPath template.
 -->
-Kubectl 支持 JSONPath 模板。
+kubectl 支持 JSONPath 模板。
 
 
 <!-- body -->
@@ -23,7 +21,8 @@ JSONPath template is composed of JSONPath expressions enclosed by curly braces {
 Kubectl uses JSONPath expressions to filter on specific fields in the JSON object and format the output.
 In addition to the original JSONPath template syntax, the following functions and syntax are valid:
 -->
-JSONPath 模板由 {} 包起来的 JSONPath 表达式组成。Kubectl 使用 JSONPath 表达式来过滤 JSON 对象中的特定字段并格式化输出。除了原始的 JSONPath 模板语法，以下函数和语法也是有效的:
+JSONPath 模板由 {} 包起来的 JSONPath 表达式组成。Kubectl 使用 JSONPath 表达式来过滤 JSON 对象中的特定字段并格式化输出。
+除了原始的 JSONPath 模板语法，以下函数和语法也是有效的:
 
 <!--
 1. Use double quotes to quote text inside JSONPath expressions.
@@ -140,8 +139,8 @@ kubectl get pods -o=jsonpath="{range .items[*]}{.metadata.name}{\"\t\"}{.status.
 {{< /note >}}
 -->
 {{< note >}}
-在 Windows 上，对于任何包含空格的 JSONPath 模板，您必须使用双引号（不是上面 bash 所示的单引号）。
-反过来，这意味着您必须在模板中的所有文字周围使用单引号或转义的双引号。
+在 Windows 上，对于任何包含空格的 JSONPath 模板，你必须使用双引号（不是上面 bash 所示的单引号）。
+反过来，这意味着你必须在模板中的所有文字周围使用单引号或转义的双引号。
 例如:
 
 ```cmd
@@ -163,7 +162,7 @@ kubectl get pods -o json | jq -r '.items[] | select(.metadata.name | test("test-
 ```
 -->
 {{< note >}}
-不支持 JSONPath 正则表达式。如需使用正则表达式进行匹配操作，您可以使用如 `jq` 之类的工具。
+不支持 JSONPath 正则表达式。如需使用正则表达式进行匹配操作，你可以使用如 `jq` 之类的工具。
 
 ```shell
 # kubectl 的 JSONpath 输出不支持正则表达式
diff --git a/content/zh/docs/reference/kubectl/kubectl-cmds.md b/content/zh-cn/docs/reference/kubectl/kubectl-cmds.md
similarity index 100%
rename from content/zh/docs/reference/kubectl/kubectl-cmds.md
rename to content/zh-cn/docs/reference/kubectl/kubectl-cmds.md
diff --git a/content/zh/docs/reference/kubectl/kubectl.md b/content/zh-cn/docs/reference/kubectl/kubectl.md
similarity index 99%
rename from content/zh/docs/reference/kubectl/kubectl.md
rename to content/zh-cn/docs/reference/kubectl/kubectl.md
index 612c3d9cf1374..9b591b654ca6d 100644
--- a/content/zh/docs/reference/kubectl/kubectl.md
+++ b/content/zh-cn/docs/reference/kubectl/kubectl.md
@@ -22,9 +22,9 @@ kubectl 管理控制 Kubernetes 集群。
 
 
 <!--
-Find more information at: https://kubernetes.io/docs/reference/kubectl/overview/
+Find more information at: https://kubernetes.io/docs/reference/kubectl/
 -->
-获取更多信息，请访问 [kubectl 概述](/zh/docs/reference/kubectl/overview/)。
+获取更多信息，请访问 [kubectl 概述](/zh-cn/docs/reference/kubectl/)。
 
 ```
 kubectl [flags]
@@ -220,7 +220,7 @@ kubectl [flags]
       <!--
       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       -->
-      设置为 true，则表示不会检查服务器证书的有效性。这样会导致您的 HTTPS 连接不安全。
+      设置为 true，则表示不会检查服务器证书的有效性。这样会导致你的 HTTPS 连接不安全。
       </td>
     </tr>
     <tr>
@@ -625,4 +625,4 @@ When set to false, turns off extra HTTP headers detailing invoked kubectl comman
 * [kubectl top](/docs/reference/generated/kubectl/kubectl-commands#top)	 - 显示资源（CPU /内存/存储）使用率
 * [kubectl uncordon](/docs/reference/generated/kubectl/kubectl-commands#uncordon)	 - 标记节点为可调度的
 * [kubectl version](/docs/reference/generated/kubectl/kubectl-commands#version)	 - 打印客户端和服务器的版本信息
-* [kubectl wait](/docs/reference/generated/kubectl/kubectl-commands#wait)	 - 实验性：等待一个或多个资源达到某种状态
+* [kubectl wait](/docs/reference/generated/kubectl/kubectl-commands#wait)	 - 实验性：等待一个或多个资源达到某种状态
\ No newline at end of file
diff --git a/content/zh/docs/reference/kubernetes-api/_index.md b/content/zh-cn/docs/reference/kubernetes-api/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/_index.md
diff --git a/content/zh/docs/reference/kubernetes-api/authentication-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/authentication-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/authentication-resources/_index.md
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md
new file mode 100644
index 0000000000000..8038b324843af
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md
@@ -0,0 +1,1600 @@
+---
+api_metadata:
+  apiVersion: "certificates.k8s.io/v1"
+  import: "k8s.io/api/certificates/v1"
+  kind: "CertificateSigningRequest"
+content_type: "api_reference"
+description: "CertificateSigningRequest 对象提供了一种通过提交证书签名请求并异步批准和颁发 x509 证书的机制。"
+title: "证书签名请求"
+weight: 4
+auto_generated: true
+---
+
+<!--
+---
+api_metadata:
+  apiVersion: "certificates.k8s.io/v1"
+  import: "k8s.io/api/certificates/v1"
+  kind: "CertificateSigningRequest"
+content_type: "api_reference"
+description: "CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued."
+title: "CertificateSigningRequest"
+weight: 4
+auto_generated: true
+---
+-->
+
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference content, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+`apiVersion: certificates.k8s.io/v1`
+
+`import "k8s.io/api/certificates/v1"`
+-->
+`apiVersion: certificates.k8s.io/v1`
+
+`import "k8s.io/api/certificates/v1"`
+
+<!--
+## CertificateSigningRequest {#CertificateSigningRequest}
+-->
+## 证书签名请求 CertificateSigningRequest {#CertificateSigningRequest}
+
+<!--
+CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
+
+Kubelets use this API to obtain:
+ 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
+ 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
+-->
+CertificateSigningRequest 对象提供了一种通过提交证书签名请求并异步批准和颁发 x509 证书的机制。
+
+Kubelets 使用 CertificateSigningRequest API 来获取：
+ 1. 向 kube-apiserver 进行身份认证的客户端证书（使用 “kubernetes.io/kube-apiserver-client-kubelet” signerName）。
+ 2. kube-apiserver 可以安全连接到 TLS 端点的服务证书（使用 “kubernetes.io/kubelet-serving” signerName）。
+
+<!--
+This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), 
+or to obtain certificates from custom non-Kubernetes signers.
+-->
+此 API 可用于请求客户端证书以向 kube-apiserver 进行身份验证（使用 “kubernetes.io/kube-apiserver-client” 签名者名称），
+或从自定义非 Kubernetes 签名者那里获取证书。
+
+<!--
+<hr>
+- **apiVersion**: certificates.k8s.io/v1
+
+- **kind**: CertificateSigningRequest
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+-->
+<hr>
+
+- **apiVersion**: certificates.k8s.io/v1
+
+- **kind**: CertificateSigningRequest
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+<!--
+- **spec** (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequestSpec" >}}">
+   CertificateSigningRequestSpec</a>), required
+
+  spec contains the certificate request, and is immutable after creation. 
+  Only the request, signerName, expirationSeconds, and usages fields can be set on creation. 
+  Other fields are derived by Kubernetes and cannot be modified by users.
+-->
+- **spec** (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequestSpec" >}}">
+   CertificateSigningRequestSpec</a>)，必需
+
+  spec 包含证书请求，并且在创建后是不可变的。
+  只有 request、signerName、expirationSeconds 和 usages 字段可以在创建时设置。
+  其他字段由 Kubernetes 派生，用户无法修改。
+  
+<!--
+- **status** (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequestStatus" >}}">
+  CertificateSigningRequestStatus</a>)
+
+  status contains information about whether the request is approved or denied, and the certificate issued by the signer, 
+  or the failure condition indicating signer failure.
+-->
+- **status** (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequestStatus" >}}">
+  CertificateSigningRequestStatus</a>)
+
+  status 包含有关请求是被批准还是拒绝的信息，以及签名者颁发的证书或指示签名者失败的状况。
+
+<!--
+## CertificateSigningRequestSpec {#CertificateSigningRequestSpec}
+
+CertificateSigningRequestSpec contains the certificate request.
+-->
+## 证书签名请求规范 CertificateSigningRequestSpec {#CertificateSigningRequestSpec}
+
+CertificateSigningRequestSpec 包含证书请求。
+
+<!--
+<hr>
+
+- **request** ([]byte), required
+
+  *Atomic: will be replaced during a merge*
+  
+  request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. 
+  When serialized as JSON or YAML, the data is additionally base64-encoded.
+-->
+<hr>
+
+- **request** ([]byte)，必需
+
+  **Atomic：将在合并期间被替换**
+
+  request 包含一个在 “CERTIFICATE REQUEST” PEM 块中编码的 x509 证书签名请求。
+  当序列化为 JSON 或 YAML 时，数据额外采用 base64 编码。
+
+<!--
+- **signerName** (string), required
+
+  signerName indicates the requested signer, and is a qualified name.
+  
+  List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
+-->
+- **signerName** (string)，必需
+
+  signerName 表示请求的签名者，是一个限定名。
+
+  CertificateSigningRequests 的 list/watch 请求可以使用 “spec.signerName=NAME” 字段选择器进行过滤。
+  
+<!--
+  Well-known Kubernetes signers are:
+   1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
+    Requests for this signer are never auto-approved by kube-controller-manager, 
+	can be issued by the "csrsigning" controller in kube-controller-manager.
+   2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
+    Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, 
+	and can be issued by the "csrsigning" controller in kube-controller-manager.
+   3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
+    Requests for this signer are never auto-approved by kube-controller-manager, 
+	and can be issued by the "csrsigning" controller in kube-controller-manager.
+  
+  More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers  
+-->
+  众所周知的 Kubernetes 签名者有：
+  1. “kubernetes.io/kube-apiserver-client”：颁发客户端证书，用于向 kube-apiserver 进行身份验证。
+     对此签名者的请求永远不会被 kube-controller-manager 自动批准，
+     可以由 kube-controller-manager 中的 “csrsigning” 控制器颁发。
+  2. “kubernetes.io/kube-apiserver-client-kubelet”：颁发客户端证书，kubelet 用于向 kube-apiserver 进行身份验证。
+     对此签名者的请求可以由 kube-controller-manager 中的 “csrapproving” 控制器自动批准，
+     并且可以由 kube-controller-manager 中的 “csrsigning” 控制器颁发。
+  3. “kubernetes.io/kubelet-serving” 颁发服务证书，kubelet 用于服务 TLS 端点，kube-apiserver 可以安全的连接到这些端点。
+     对此签名者的请求永远不会被 kube-controller-manager 自动批准，
+     可以由 kube-controller-manager 中的 “csrsigning” 控制器颁发。
+  
+  更多详细信息，请访问 https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
+
+<!--
+  Custom signerNames can also be specified. The signer defines:
+   1. Trust distribution: how trust (CA bundles) are distributed.
+   2. Permitted subjects: and behavior when a disallowed subject is requested.
+   3. Required, permitted, or forbidden x509 extensions in the request 
+     (including whether subjectAltNames are allowed, which types, restrictions on allowed values) 
+     and behavior when a disallowed extension is requested.
+   4. Required, permitted, or forbidden key usages / extended key usages.
+   5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
+   6. Whether or not requests for CA certificates are allowed.  
+-->
+  也可以指定自定义 signerName。签名者定义如下：
+  1. 信任分发：信任（CA 证书包）是如何分发的。
+  2. 许可的主体：当请求不允许的主体时的行为。
+  3. 请求中必需、许可或禁止的 x509 扩展（包括是否允许 subjectAltNames、哪些类型、对允许值的限制）
+     以及请求不允许的扩展时的行为。
+  4. 必需、许可或禁止的密钥用途/扩展密钥用途。
+  5. 过期/证书生命周期：是否由签名者确定，管理员可配置。
+  6. 是否允许申请 CA 证书。
+
+<!--
+- **expirationSeconds** (int32)
+
+  expirationSeconds is the requested duration of validity of the issued certificate. 
+  The certificate signer may issue a certificate with a different validity duration so 
+  a client must check the delta between the notBefore and and notAfter fields 
+  in the issued certificate to determine the actual duration.
+-->
+- **expirationSeconds** (int32)
+
+  expirationSeconds 是所颁发证书的所请求的有效期。
+  证书签署者可以颁发具有不同有效期的证书，
+  因此客户端必须检查颁发证书中 notBefore 和 notAfter 字段之间的增量以确定实际持续时间。
+
+<!--
+  The v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field 
+  as long as the requested duration is not greater than the maximum duration they will honor per the 
+  --cluster-signing-duration CLI flag to the Kubernetes controller manager.
+-->
+  众所周知的 Kubernetes 签名者在 v1.22+ 版本内实现将遵守此字段，
+  只要请求的持续时间不大于最大持续时间，它们将遵守 Kubernetes 控制管理器的
+  --cluster-signing-duration CLI 标志。
+  
+<!--
+  Certificate signers may not honor this field for various reasons:
+  
+    1. Old signer that is unaware of the field (such as the in-tree
+       implementations prior to v1.22)
+    2. Signer whose configured maximum is shorter than the requested duration
+    3. Signer whose configured minimum is longer than the requested duration
+  
+  The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.  
+-->
+  由于各种原因，证书签名者可能忽略此字段:
+
+  1. 不认识此字段的旧签名者(如 v1.22 版本之前的实现)
+  2. 配置的最大持续时间小于请求持续时间的签名者
+  3. 配置的最小持续时间大于请求持续时间的签名者
+
+  expirationSeconds 的最小有效值为 600，即 10 分钟。
+
+<!-- 
+- **extra** (map[string][]string)
+
+  extra contains extra attributes of the user that created the CertificateSigningRequest. 
+  Populated by the API server on creation and immutable.
+-->
+- **extra** (map[string][]string)
+
+  extra 包含创建 CertificateSigningRequest 的用户的额外属性。
+  在创建时由 API 服务器填充，且不可变。
+
+<!-- 
+- **groups** ([]string)
+
+  *Atomic: will be replaced during a merge*
+  
+  groups contains group membership of the user that created the CertificateSigningRequest. 
+  Populated by the API server on creation and immutable.
+-->
+- **groups** ([]string)
+
+  **Atomic：将在合并过程中被替换**
+
+  groups 包含创建 CertificateSigningRequest 的用户的组成员关系。
+  在创建时由 API 服务器填充，且不可变。
+
+<!-- 
+- **uid** (string)
+
+  uid contains the uid of the user that created the CertificateSigningRequest. 
+  Populated by the API server on creation and immutable.
+-->
+- **uid** (string)
+
+  uid 包含创建 CertificateSigningRequest 的用户的 uid 。
+  在创建时由 API 服务器填充，且不可变。
+
+<!-- 
+- **usages** ([]string)
+
+  *Atomic: will be replaced during a merge*
+  
+  usages specifies a set of key usages requested in the issued certificate.
+  
+  Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
+  
+  Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
+-->
+- **usages** ([]string)
+
+  **Atomic：将在合并期间被替换**
+
+  usages 指定颁发证书中请求的一组密钥用途。
+
+  TLS 客户端证书的请求通常要求："digital signature"、"key encipherment"、"client auth"。
+
+  TLS 服务证书的请求通常要求："key encipherment"、"digital signature"、"server auth"。
+
+<!-- 
+  Valid values are:
+   "signing", "digital signature", "content commitment",
+   "key encipherment", "key agreement", "data encipherment",
+   "cert sign", "crl sign", "encipher only", "decipher only", "any",
+   "server auth", "client auth",
+   "code signing", "email protection", "s/mime",
+   "ipsec end system", "ipsec tunnel", "ipsec user",
+   "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
+-->
+  有效值：
+   "signing"、"digital signature"、"content commitment"、
+   "key encipherment"、"key agreement"、"data encipherment"、
+   "cert sign"、"crl sign"、"encipher only"、"decipher only"、"any"、
+   "server auth"、"client auth"、
+   "code signing"、"email protection"、"s/mime"、
+   "ipsec end system"、"ipsec tunnel"、"ipsec user"、
+   "timestamping"、"ocsp signing"、"microsoft sgc"、"netscape sgc"。
+
+<!-- 
+- **username** (string)
+
+  username contains the name of the user that created the CertificateSigningRequest. 
+  Populated by the API server on creation and immutable.
+-->
+- **username** (string)
+  
+  username 包含创建 CertificateSigningRequest 的用户名。
+  在创建时由 API 服务器填充，且不可变。
+
+<!-- 
+## CertificateSigningRequestStatus {#CertificateSigningRequestStatus}
+
+CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, 
+and the issued certificate.
+
+<hr>
+-->
+## 证书签名请求状态 CertificateSigningRequestStatus {#CertificateSigningRequestStatus}
+
+CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败状态和颁发证书的状况。
+
+<hr>
+
+<!-- 
+- **certificate** ([]byte)
+  *Atomic: will be replaced during a merge*
+  
+  certificate is populated with an issued certificate by the signer after an Approved condition is present. 
+  This field is set via the /status subresource. Once populated, this field is immutable.
+  
+  If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. 
+  If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
+-->
+- **certificate** ([]byte)
+
+  **Atomic：将在合并期间被替换**
+  
+  certificate 在出现 Approved 状况后，由签名者使用已颁发的证书填充。
+  这个字段通过 /status 子资源设置。填充后，该字段将不可变。
+
+  如果证书签名请求被拒绝，则添加类型为 “Denied” 的状况，并且保持该字段为空。
+  如果签名者不能颁发证书，则添加类型为 “Failed” 的状况，并且保持该字段为空。
+
+<!-- 
+  Validation requirements:
+   1. certificate must contain one or more PEM blocks.
+   2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
+    must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
+   3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
+    to allow for explanatory text as described in section 5.2 of RFC7468.
+-->
+  验证要求:
+  1. 证书必须包含一个或多个 PEM 块。
+  2. 所有的 PEM 块必须有 “CERTIFICATE” 标签，不包含头和编码的数据，
+     必须是由 BER 编码的 ASN.1 证书结构，如 RFC5280 第 4 节所述。
+  3. 非 PEM 内容可能出现在 “CERTIFICATE”PEM 块之前或之后，并且是未验证的，
+     允许如 RFC7468 5.2 节中描述的解释性文本。
+
+<!-- 
+  If more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, 
+  the first block is the issued certificate, and subsequent blocks should be treated as
+  intermediate certificates and presented in TLS handshakes.
+-->
+  如果存在多个 PEM 块，并且所请求的 spec.signerName 的定义没有另外说明，
+  那么第一个块是颁发的证书，后续的块应该被视为中间证书并在 TLS 握手中呈现。
+
+<!-- 
+  The certificate is encoded in PEM format.
+  
+  When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
+  
+      base64(
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+      )
+-->
+  证书编码为 PEM 格式。
+  
+  当序列化为 JSON 或 YAML 时，数据额外采用 base64 编码，它包括:
+  ```
+  base64(
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+  )
+  ```
+<!-- 
+- **conditions** ([]CertificateSigningRequestCondition)
+  *Map: unique values on key type will be kept during a merge*
+  
+  conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
+
+  <a name="CertificateSigningRequestCondition"></a>
+  *CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object*
+-->
+- **conditions** ([]CertificateSigningRequestCondition)
+
+  **Map：键类型的唯一值将在合并期间保留**
+  
+   应用于请求的状况。已知的状况有 "Approved"、"Denied" 与 "Failed"。
+
+   <a name="CertificateSigningRequestCondition"></a>
+   **CertificateSigningRequestCondition 描述 CertificateSigningRequest 对象的状况。**
+
+<!-- 
+  - **conditions.status** (string), required
+
+    status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be "False" or "Unknown".
+-->
+  - **conditions.status** (string)，必需
+  
+    状况的状态，True、False、Unknown 之一。Approved、Denied 与 Failed 的状况不可以是 "False" 或 "Unknown"。
+
+<!-- 
+  - **conditions.type** (string), required
+    type of the condition. Known conditions are "Approved", "Denied", and "Failed".
+    
+    An "Approved" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.
+    
+    A "Denied" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.
+    
+    A "Failed" condition is added via the /status subresource, indicating the signer failed to issue the certificate.
+    
+    Approved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added.
+    
+    Only one condition of a given type is allowed.
+-->
+  - **conditions.type** (string)，必需
+  
+    状况的类型。已知的状况是 "Approved"、"Denied" 与 "Failed"。
+    
+    通过 /approval 子资源添加 “Approved” 状况，表示请求已被批准并且应由签名者颁发。
+    
+    通过 /approval 子资源添加 “Denied” 状况，指示请求被拒绝并且不应由签名者颁发。
+    
+    通过 /status 子资源添加 “Failed” 状况，表示签名者未能颁发证书。
+    
+    Approved 和 Denied 状况是相互排斥的。Approved、Denied 和 Failed 状况一旦添加就无法删除。
+    
+    给定类型只允许设置一种状况。
+
+<!-- 
+  - **conditions.lastTransitionTime** (Time)
+
+    lastTransitionTime is the time the condition last transitioned from one status to another. 
+	If unset, when a new condition type is added or an existing condition's status is changed, 
+	the server defaults this to the current time.
+
+    <a name="Time"></a>
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  
+	Wrappers are provided for many of the factory methods that the time package offers.*
+-->
+
+  - **conditions.lastTransitionTime** (Time)
+  
+    lastTransitionTime 是状况上一次从一种状态转换到另一种状态的时间。
+    如果未设置，当添加新状况类型或更改现有状况的状态时，服务器默认为当前时间。
+  
+    <a name="Time"></a>
+    **Time 是 time.Time 的包装器，支持正确编码为 YAML 和 JSON。为 time 包提供的许多工厂方法提供了包装器。**
+
+<!-- 
+  - **conditions.lastUpdateTime** (Time)
+
+    lastUpdateTime is the time of the last update to this condition
+
+    <a name="Time"></a>
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  
+	Wrappers are provided for many of the factory methods that the time package offers.*
+-->
+  - **conditions.lastUpdateTime** (Time)
+  
+    lastUpdateTime 是该状况最后一次更新的时间。
+  
+    <a name="Time"></a>
+    **Time 是 time.Time 的包装器，支持正确编组为 YAML 和 JSON。为 time 包提供的许多工厂方法提供了包装器。**
+  
+<!-- 
+  - **conditions.message** (string)
+
+    message contains a human readable message with details about the request state
+-->
+  - **conditions.message** (string)
+
+    message 包含一个人类可读的消息，包含关于请求状态的详细信息。
+
+<!-- 
+  - **conditions.reason** (string)
+
+    reason indicates a brief reason for the request state
+-->
+  - **conditions.reason** (string)
+  
+    reason 表示请求状态的简短原因。
+
+<!-- 
+## CertificateSigningRequestList {#CertificateSigningRequestList}
+
+CertificateSigningRequestList is a collection of CertificateSigningRequest objects
+
+<hr>
+-->
+## 证书签名请求列表 CertificateSigningRequestList {#CertificateSigningRequestList}
+
+CertificateSigningRequestList 是 CertificateSigningRequest 对象的集合。
+
+<hr>
+
+<!-- 
+- **apiVersion**: certificates.k8s.io/v1
+
+- **kind**: CertificateSigningRequestList
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+- **items** ([]<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>), required
+
+  items is a collection of CertificateSigningRequest objects
+-->
+- **apiVersion**: certificates.k8s.io/v1
+
+- **kind**: CertificateSigningRequestList
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+- **items** ([]<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>)，必需
+
+  items 是 CertificateSigningRequest 对象的集合。
+
+
+<!-- 
+## Operations {#Operations}
+
+<hr>
+-->
+## 操作 {#Operations}
+
+<hr>
+
+<!-- 
+### `get` read the specified CertificateSigningRequest
+
+#### HTTP Request
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+-->
+### `get` 读取指定的 CertificateSigningRequest
+
+#### HTTP 请求
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+<!-- 
+#### Parameters
+
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!-- 
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+401: Unauthorized
+
+<!-- 
+### `get` read approval of the specified CertificateSigningRequest
+
+#### HTTP Request
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
+-->
+### `get` 读取指定 CertificateSigningRequest 的批准信息
+
+#### HTTP 请求
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
+
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+401: Unauthorized
+
+### `get` read status of the specified CertificateSigningRequest
+
+#### HTTP Request
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+401: Unauthorized
+
+### `get` 读取指定 CertificateSigningRequest 的状态
+
+#### HTTP 请求
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
+
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind CertificateSigningRequest
+
+#### HTTP Request
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests
+-->
+### `list` list 或 watch CertificateSigningRequest 类型的对象
+
+#### HTTP 请求
+
+GET /apis/certificates.k8s.io/v1/certificatesigningrequests
+
+<!--
+#### Parameters
+
+- **allowWatchBookmarks** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+-->
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequestList" >}}">CertificateSigningRequestList</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequestList" >}}">CertificateSigningRequestList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a CertificateSigningRequest
+
+#### HTTP Request
+
+POST /apis/certificates.k8s.io/v1/certificatesigningrequests
+-->
+### `create` 创建一个 CertificateSigningRequest
+
+#### HTTP 请求
+
+POST /apis/certificates.k8s.io/v1/certificatesigningrequests
+
+<!--
+#### Parameters
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+202 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+202 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified CertificateSigningRequest
+
+#### HTTP Request
+
+PUT /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+#### Parameters
+-->
+### `update` 替换指定的 CertificateSigningRequest
+
+#### HTTP 请求
+
+PUT /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+
+<!--
+### `update` replace approval of the specified CertificateSigningRequest
+
+#### HTTP Request
+
+PUT /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
+
+#### Parameters
+-->
+### `update` 替换对指定 CertificateSigningRequest 的批准信息
+
+#### HTTP 请求
+
+PUT /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+
+<!--
+### `update` replace status of the specified CertificateSigningRequest
+
+#### HTTP Request
+
+PUT /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
+
+#### Parameters
+-->
+### `update` 替换指定 CertificateSigningRequest 的状态
+
+#### HTTP 请求
+
+PUT /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>，必需
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified CertificateSigningRequest
+
+#### HTTP Request
+
+PATCH /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+#### Parameters
+-->
+### `patch` 部分更新指定的 CertificateSigningRequest
+
+#### HTTP 请求
+
+PATCH /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+  
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update approval of the specified CertificateSigningRequest
+
+#### HTTP Request
+
+PATCH /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
+
+#### Parameters
+-->
+### `patch` 部分更新指定 CertificateSigningRequest 的批准信息
+
+#### HTTP 请求
+
+PATCH /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+  
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+  
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update status of the specified CertificateSigningRequest
+
+#### HTTP Request
+
+PATCH /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
+
+#### Parameters
+-->
+### `patch` 部分更新指定 CertificateSigningRequest 的状态
+
+#### HTTP 请求
+
+PATCH /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+  
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+  
+<!--
+#### Response
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/certificate-signing-request-v1#CertificateSigningRequest" >}}">CertificateSigningRequest</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a CertificateSigningRequest
+
+#### HTTP Request
+
+DELETE /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+#### Parameters
+-->
+### `delete` 删除一个 CertificateSigningRequest
+
+#### HTTP 请求
+
+DELETE /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the CertificateSigningRequest
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **name** (**路径参数**): string，必需
+
+  CertificateSigningRequest 的名称。
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+  
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of CertificateSigningRequest
+
+#### HTTP Request
+
+DELETE /apis/certificates.k8s.io/v1/certificatesigningrequests
+
+#### Parameters
+-->
+### `deletecollection` 删除 CertificateSigningRequest 集合
+
+#### HTTP 请求
+
+DELETE /apis/certificates.k8s.io/v1/certificatesigningrequests
+
+#### 参数
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+-->
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+  
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+  
+<!--
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+  
+<!--
+#### Response
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
\ No newline at end of file
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md
new file mode 100644
index 0000000000000..b2c44fc792b8b
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/service-account-v1.md
@@ -0,0 +1,816 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "ServiceAccount"
+content_type: "api_reference"
+description: "ServiceAccount 将以下内容绑定在一起：1. 用户可以理解的名称，也可能是外围系统理解的身份标识 2. 可以验证和授权的主体 3. 一组 secret。"
+title: "ServiceAccount"
+weight: 1
+auto_generated: true
+---
+
+<!--
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "ServiceAccount"
+content_type: "api_reference"
+description: "ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets."
+title: "ServiceAccount"
+weight: 1
+auto_generated: true
+-->
+
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference content, please follow the
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+
+## ServiceAccount {#ServiceAccount}
+
+<!--
+ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets
+-->
+ServiceAccount 将以下内容绑定在一起：
+* 用户可以理解的名称，也可能是外围系统理解的身份标识
+* 可以验证和授权的主体
+* 一组 secret
+
+<hr>
+
+- **apiVersion**: v1
+
+
+- **kind**: ServiceAccount
+
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  <!--
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  -->
+  标准对象的元数据，更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **automountServiceAccountToken** (boolean)
+
+  <!--
+  AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.
+  -->
+  AutomountServiceAccountToken 指示作为此服务帐户运行的 pod 是否应自动挂载 API 令牌，
+  可以在 pod 级别覆盖。
+
+- **imagePullSecrets** ([]<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+
+  <!--
+  ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+  -->
+  imagePullSecrets 是对同一命名空间中 Secret 的引用列表，用于拉取引用此 ServiceAccount 的 Pod 中的任何镜像。
+  imagePullSecrets 与 Secrets 不同，因为 Secrets 可以挂载在 Pod 中，但 imagePullSecrets 只能由 kubelet 访问。
+  更多信息： https://kubernetes.io/zh-cn/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+
+- **secrets** ([]<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)
+
+  <!--
+  *Patch strategy: merge on key `name`*
+
+  Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret
+  Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use
+  Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountabl
+  -secrets" annotation set to "true". This field should not be used to find auto-generated service accoun
+  token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or servic
+  account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret
+  -->
+  **补丁策略：基于键 `name` 合并**
+
+  Secrets 是允许使用此 ServiceAccount 运行的 pod 使用的同一命名空间中的秘密列表。
+  仅当此服务帐户的 “kubernetes.io/enforce-mountable-secrets” 注释设置为 “true” 时，Pod 才限于此列表。
+  此字段不应用于查找自动生成的服务帐户令牌机密以在 pod 之外使用。
+  相反，可以使用 TokenRequest API 直接请求令牌，或者可以手动创建服务帐户令牌 secret。
+  更多信息： https://kubernetes.io/docs/concepts/configuration/secret
+
+## ServiceAccountList {#ServiceAccountList}
+
+<!--
+ServiceAccountList is a list of ServiceAccount objects
+-->
+ServiceAccountList 是 ServiceAccount 对象的列表
+
+<hr>
+
+- **apiVersion**: v1
+
+
+- **kind**: ServiceAccountList
+
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  <!--
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+  -->
+  标准列表元数据, 更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+<!--
+- **items** ([]<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>), required
+-->
+- **items** ([]<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>), 必需
+
+  <!--
+  List of ServiceAccounts. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  -->
+  ServiceAccount 列表，更多信息： https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-service-account/
+
+<!--
+## Operations {#Operations}
+-->
+## 操作 {#Operations}
+
+<hr>
+
+<!--
+### `get` read the specified ServiceAccount
+
+#### HTTP Request
+-->
+### `get` 读取指定的 ServiceAccount
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/serviceaccounts/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+-->
+- **name** (**路径参数**): string, 必需
+
+  <!--
+  name of the ServiceAccount
+  -->
+  ServiceAccount 的名称
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind ServiceAccount
+
+#### HTTP Request
+-->
+### `list` 列出或监控 ServiceAccount 类型的对象
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/serviceaccounts
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **allowWatchBookmarks** (*in query*): boolean
+-->
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+<!--
+- **continue** (*in query*): string
+-->
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+-->
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+<!--
+- **labelSelector** (*in query*): string
+-->
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+<!--
+- **limit** (*in query*): integer
+-->
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+-->
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+-->
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+-->
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+- **watch** (*in query*): boolean
+-->
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccountList" >}}">ServiceAccountList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind ServiceAccount
+
+#### HTTP Request
+-->
+### `list` 列出或监控 ServiceAccount 类型的对象
+
+#### HTTP 请求
+
+GET /api/v1/serviceaccounts
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **allowWatchBookmarks** (*in query*): boolean
+-->
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+<!--
+- **continue** (*in query*): string
+-->
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+-->
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+<!--
+- **labelSelector** (*in query*): string
+-->
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+-->
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+-->
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+-->
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+-->
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+- **watch** (*in query*): boolean
+-->
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccountList" >}}">ServiceAccountList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a ServiceAccount
+
+#### HTTP Request
+-->
+### `create` 创建一个 ServiceAccount
+
+#### HTTP 请求
+
+POST /api/v1/namespaces/{namespace}/serviceaccounts
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>, required
+-->
+- **body**: <a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): Created
+
+202 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified ServiceAccount
+
+#### HTTP Request
+-->
+`update` 替换指定的ServiceAccount
+
+#### HTTP 请求
+
+PUT /api/v1/namespaces/{namespace}/serviceaccounts/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+-->
+- **name** (**路径参数**): string, required
+
+  name of the ServiceAccount
+
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>, required
+-->
+- **body**: <a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified ServiceAccount
+
+#### HTTP Request
+-->
+`patch` 部分更新指定的 ServiceAccount
+
+#### HTTP 请求
+
+PATCH /api/v1/namespaces/{namespace}/serviceaccounts/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+-->
+- **name** (**路径参数**): string, 必需
+
+  <!--
+  name of the ServiceAccount
+  -->
+  ServiceAccount 的名称
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **force** (*in query*): boolean
+-->
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+<!--
+#### Response
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): OK
+
+201 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a ServiceAccount
+
+#### HTTP Request
+-->
+### `delete` 删除一个 ServiceAccount
+#### HTTP 请求
+
+
+DELETE /api/v1/namespaces/{namespace}/serviceaccounts/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+-->
+- **name** (**路径参数**): string, 必需
+
+  <!--
+  name of the ServiceAccount
+  -->
+  ServiceAccount 的名称
+
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+-->
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): OK
+
+202 (<a href="{{< ref "../authentication-resources/service-account-v1#ServiceAccount" >}}">ServiceAccount</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of ServiceAccount
+
+#### HTTP Request
+-->
+### `deletecollection` 删除 ServiceAccount 的集合
+
+#### HTTP 请求
+
+DELETE /api/v1/namespaces/{namespace}/serviceaccounts
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **continue** (*in query*): string
+-->
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+-->
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+-->
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+<!--
+- **labelSelector** (*in query*): string
+-->
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+-->
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **propagationPolicy** (*in query*): string
+-->
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+-->
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+-->
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+-->
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh/docs/reference/kubernetes-api/authentication-resources/token-review-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-review-v1.md
similarity index 94%
rename from content/zh/docs/reference/kubernetes-api/authentication-resources/token-review-v1.md
rename to content/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-review-v1.md
index c440a7de357ab..0ec8dc91bef4f 100644
--- a/content/zh/docs/reference/kubernetes-api/authentication-resources/token-review-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-review-v1.md
@@ -32,7 +32,7 @@ TokenReview attempts to authenticate a token to a known user. Note: TokenReview
 -->
 ## TokenReview {#TokenReview}
 
-TokenReview 尝试通过验证令牌来确认已知用户。 
+TokenReview 尝试通过验证令牌来确认已知用户。
 注意：TokenReview 请求可能会被 kube-apiserver 中的 webhook 令牌验证器插件缓存。
 
 <hr>
@@ -48,7 +48,7 @@ TokenReview 尝试通过验证令牌来确认已知用户。
   <!--
   Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
   -->
-  标准对象的元数据，更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  标准对象的元数据，更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
 - **spec** (<a href="{{< ref "../authentication-resources/token-review-v1#TokenReviewSpec" >}}">TokenReviewSpec</a>), required
 
@@ -104,10 +104,10 @@ TokenReviewStatus 是令牌认证请求的结果。
   <!--
   Audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is "true", the token is valid against the audience of the Kubernetes API server.
   -->
-  audiences 是身份验证者选择的与 TokenReview 和令牌兼容的受众标识符。 标识符是 
-  TokenReviewSpec 受众和令牌受众的交集中的任何标识符。 设置 spec.audiences
+  audiences 是身份验证者选择的与 TokenReview 和令牌兼容的受众标识符。标识符是
+  TokenReviewSpec 受众和令牌受众的交集中的任何标识符。设置 spec.audiences
   字段的 TokenReview API 的客户端应验证在 status.audiences 字段中返回了兼容的受众标识符，
-  以确保 TokenReview 服务器能够识别受众。 如果 TokenReview 
+  以确保 TokenReview 服务器能够识别受众。如果 TokenReview
   返回一个空的 status.audience 字段，其中 status.authenticated 为 “true”，
   则该令牌对 Kubernetes API 服务器的受众有效。
 
@@ -148,7 +148,7 @@ TokenReviewStatus 是令牌认证请求的结果。
 
     <!--
     The names of groups this user is a part of.
-    -->  
+    -->
    此用户所属的组的名称。
 
   - **user.uid** (string)
@@ -168,7 +168,7 @@ TokenReviewStatus 是令牌认证请求的结果。
 <!--
 ## Operations {#Operations}
 -->
-## 操作 {#Operations} 
+## 操作 {#Operations}
 
 <hr>
 
diff --git a/content/zh/docs/reference/kubernetes-api/authorization-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/authorization-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/authorization-resources/_index.md
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
new file mode 100644
index 0000000000000..fbfa9dd428a06
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
@@ -0,0 +1,619 @@
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "ClusterRoleBinding"
+content_type: "api_reference"
+description: "ClusterRoleBinding 引用 ClusterRole，但不包含它。"
+title: "ClusterRoleBinding"
+weight: 6
+auto_generated: false
+---
+<!-- 
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "ClusterRoleBinding"
+content_type: "api_reference"
+description: "ClusterRoleBinding references a ClusterRole, but not contain it."
+title: "ClusterRoleBinding"
+weight: 6
+auto_generated: true
+---
+-->
+<!-- 
+`apiVersion: rbac.authorization.k8s.io/v1`
+
+`import "k8s.io/api/rbac/v1"`
+-->
+`apiVersion: rbac.authorization.k8s.io/v1`
+
+`import "k8s.io/api/rbac/v1"`
+<!--
+## ClusterRoleBinding {#ClusterRoleBinding}
+ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.
+-->
+## ClusterRoleBinding {#ClusterRoleBinding}
+
+ClusterRoleBinding 引用 ClusterRole，但不包含它。
+它可以引用全局命名空间中的 ClusterRole，并通过 Subject 添加主体信息。
+<!-- 
+<hr>
+- **apiVersion**: rbac.authorization.k8s.io/v1
+- **kind**: ClusterRoleBinding
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object's metadata.
+-->
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: ClusterRoleBinding
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准对象的元数据。
+<!-- 
+- **roleRef** (RoleRef), required
+  RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.
+  <a name="RoleRef"></a>
+  *RoleRef contains information that points to the role being used*
+  - **roleRef.apiGroup** (string), required
+    APIGroup is the group for the resource being referenced
+  - **roleRef.kind** (string), required
+    Kind is the type of resource being referenced
+  - **roleRef.name** (string), required
+    Name is the name of resource being referenced
+-->
+- **roleRef** (RoleRef)，必需
+
+  RoleRef 只能引用全局命名空间中的 ClusterRole。
+  如果无法解析 RoleRef，则 Authorizer 必定返回一个错误。
+  
+  <a name="RoleRef"></a>
+  **RoleRef 包含指向正被使用的角色的信息。**
+
+  - **roleRef.apiGroup** (string)，必需
+
+    apiGroup 是被引用资源的组
+
+  - **roleRef.kind** (string)，必需
+
+    kind 是被引用的资源的类别
+
+  - **roleRef.name** (string)，必需
+
+    name 是被引用的资源的名称
+<!-- 
+- **subjects** ([]Subject)
+  Subjects holds references to the objects the role applies to.
+  <a name="Subject"></a>
+  *Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.*
+-->
+- **subjects** ([]Subject)
+
+  Subjects 包含角色所适用的对象的引用。
+  
+  <a name="Subject"></a>
+  **Subject 包含对角色绑定所适用的对象或用户标识的引用。其中可以包含直接 API 对象的引用或非对象（如用户名和组名）的值。**
+  <!--
+  - **subjects.kind** (string), required
+    Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+  - **subjects.name** (string), required
+    Name of the object being referenced. 
+  -->
+  - **subjects.kind** (string)，必需
+
+    被引用的对象的类别。这个 API 组定义的值是 `User`、`Group` 和 `ServiceAccount`。
+    如果 Authorizer 无法识别类别值，则 Authorizer 应报告一个错误。
+
+  - **subjects.name** (string)，必需
+
+    被引用的对象的名称。
+  <!-- 
+    - **subjects.apiGroup** (string)
+    APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+  - **subjects.namespace** (string)
+    Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
+  -->
+  - **subjects.apiGroup** (string)
+
+    apiGroup 包含被引用主体的 API 组。对于 ServiceAccount 主体默认为 ""。
+    对于 User 和 Group 主体，默认为 "rbac.authorization.k8s.io"。
+
+  - **subjects.namespace** (string)
+
+    被引用对象的命名空间。
+    如果对象类别是 "User" 或 "Group" 等非命名空间作用域的对象且该值不为空，
+    则 Authorizer 应报告一个错误。
+<!-- 
+## ClusterRoleBindingList {#ClusterRoleBindingList}
+ClusterRoleBindingList is a collection of ClusterRoleBindings
+<hr>
+- **apiVersion**: rbac.authorization.k8s.io/v1
+- **kind**: ClusterRoleBindingList
+-->
+## ClusterRoleBindingList {#ClusterRoleBindingList}
+
+ClusterRoleBindingList 是 ClusterRoleBinding 的集合。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: ClusterRoleBindingList
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard object's metadata.
+- **items** ([]<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>), required
+  Items is a list of ClusterRoleBindings
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  标准的对象元数据。
+
+- **items** ([]<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>)，必需
+
+  items 是 ClusterRoleBindings 的列表。
+<!-- 
+## Operations {#Operations}
+<hr>
+-->
+## 操作 {#Operations}
+
+<hr>
+
+<!-- 
+### `get` read the specified ClusterRoleBinding
+#### HTTP Request
+-->
+### `get` 读取指定的 ClusterRoleBinding
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
+<!-- 
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRoleBinding
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  ClusterRoleBinding 的名称
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!-- 
+#### Response
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+
+401: Unauthorized
+<!-- 
+### `list` list or watch objects of kind ClusterRoleBinding
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 ClusterRoleBinding 的对象
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+- **watch** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+<!-- 
+#### Response
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBindingList" >}}">ClusterRoleBindingList</a>): OK
+401: Unauthorized
+### `create` create a ClusterRoleBinding
+#### HTTP Request
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBindingList" >}}">ClusterRoleBindingList</a>): OK
+
+401: Unauthorized
+
+### `create` 创建 ClusterRoleBinding
+
+#### HTTP 请求
+
+POST /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
+<!-- 
+#### Parameters
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>, required
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>，必需
+<!--
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+201 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Created
+202 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Accepted
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Accepted
+
+401: Unauthorized
+<!--
+### `update` replace the specified ClusterRoleBinding
+#### HTTP Request
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRoleBinding
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>, required
+-->
+### `update` 替换指定的 ClusterRoleBinding
+
+#### HTTP 请求
+
+PUT /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
+
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  ClusterRoleBinding 的名称
+
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>，必需
+<!--
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Created
+
+401: Unauthorized
+<!--
+### `patch` partially update the specified ClusterRoleBinding
+#### HTTP Request
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRoleBinding
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+-->
+### `patch` 部分更新指定的 ClusterRoleBinding
+
+#### HTTP 请求
+
+PATCH /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
+
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  ClusterRoleBinding 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+<!--
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **force** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+201 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-binding-v1#ClusterRoleBinding" >}}">ClusterRoleBinding</a>): Created
+
+401: Unauthorized
+<!--
+### `delete` delete a ClusterRoleBinding
+#### HTTP Request
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRoleBinding
+-->
+### `delete` 删除 ClusterRoleBinding
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
+
+#### 参数
+
+- **name** (**路径参数**): string，必需
+
+  ClusterRoleBinding 的名称
+<!--
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+<!--
+#### Response
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+<!--
+### `deletecollection` delete collection of ClusterRoleBinding
+#### HTTP Request
+-->
+### `deletecollection` 删除 ClusterRoleBinding 的集合
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+<!--
+#### Response
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
new file mode 100644
index 0000000000000..c528d0c36f64f
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
@@ -0,0 +1,592 @@
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "ClusterRole"
+content_type: "api_reference"
+description: "ClusterRole 是一个集群级别的 PolicyRule 逻辑分组，可以被 RoleBinding 或 ClusterRoleBinding 作为一个单元引用。"  
+title: "ClusterRole" 
+weight: 5  
+auto_generated: false
+---
+<!--
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "ClusterRole"
+content_type: "api_reference"
+description: "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding."
+title: "ClusterRole"
+weight: 5
+auto_generated: true
+---
+-->
+
+`apiVersion: rbac.authorization.k8s.io/v1`
+
+`import "k8s.io/api/rbac/v1"`
+<!-- 
+## ClusterRole {#ClusterRole}
+ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+<hr>
+-->
+## ClusterRole {#ClusterRole}
+
+ClusterRole 是一个集群级别的 PolicyRule 逻辑分组，
+可以被 RoleBinding 或 ClusterRoleBinding 作为一个单元引用。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: ClusterRole
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+<!--
+  Standard object's metadata.
+- **aggregationRule** (AggregationRule)
+  AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.
+  <a name="AggregationRule"></a>
+  *AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole*
+  - **aggregationRule.clusterRoleSelectors** ([]<a href="{{< ref "../common-definitions/label-selector#LabelSelector" >}}">LabelSelector</a>)
+    ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added
+-->
+  标准的对象元数据。
+
+- **aggregationRule** (AggregationRule)
+  
+  aggregationRule 是一个可选字段，用于描述如何构建这个 ClusterRole 的 rules。
+  如果设置了 aggregationRule，则 rules 将由控制器管理，对 rules 的直接变更会被该控制器阻止。
+  
+  <a name="AggregationRule"></a>
+  **aggregationRule 描述如何定位并聚合其它 ClusterRole 到此 ClusterRole**
+  
+  - **aggregationRule.clusterRoleSelectors** ([]<a href="{{< ref "../common-definitions/label-selector#LabelSelector" >}}">LabelSelector</a>)
+    
+    clusterRoleSelectors 包含一个选择器的列表，用于查找 ClusterRole 并创建规则。
+    如果发现任何选择器匹配的 ClusterRole，将添加其对应的权限。
+<!--
+- **rules** ([]PolicyRule)
+  Rules holds all the PolicyRules for this ClusterRole
+
+  <a name="PolicyRule"></a>
+  *PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.*
+
+  - **rules.apiGroups** ([]string)
+    APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
+
+  - **rules.resources** ([]string)
+    Resources is a list of resources this rule applies to. '*' represents all resources.
+-->
+- **rules** ([]PolicyRule)
+  
+  rules 包含了这个 ClusterRole 的所有 PolicyRule。
+  
+  <a name="PolicyRule"></a>
+  **PolicyRule 包含描述一个策略规则的信息，但不包含该规则适用于哪个主体或适用于哪个命名空间的信息。**
+  
+  - **rules.apiGroups** ([]string)
+    
+    apiGroups 是包含资源的 apiGroup 的名称。
+    如果指定了多个 API 组，则允许针对任何 API 组中的其中一个枚举资源来请求任何操作。
+  
+  - **rules.resources** ([]string)
+    
+    resources 是此规则所适用的资源的列表。“*” 表示所有资源。
+  <!--
+    - **rules.verbs** ([]string), required
+    Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+
+  - **rules.resourceNames** ([]string)
+    ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+
+  - **rules.nonResourceURLs** ([]string)
+    NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+  -->
+  - **rules.verbs** ([]string)，必需
+    
+    verbs 是适用于此规则中所包含的所有 ResourceKinds 的动作。
+    “*” 表示所有动作。
+  
+  - **rules.resourceNames** ([]string)
+    
+    resourceNames 是此规则所适用的资源名称白名单，可选。
+    空集合意味着允许所有资源。
+  
+  - **rules.nonResourceURLs** ([]string)
+    
+    nonResourceURLs 是用户应有权访问的一组部分 URL。
+    允许使用 “*”，但仅能作为路径中最后一段且必须用于完整的一段，
+    因为非资源 URL 没有划分命名空间。
+    此字段仅适用于从 ClusterRoleBinding 引用的 ClusterRole。
+    rules 可以应用到 API 资源（如 “pod” 或 “secret”）或非资源 URL 路径（如 “/api”），
+    但不能同时应用于两者。
+<!-- 
+## ClusterRoleList {#ClusterRoleList}
+
+ClusterRoleList is a collection of ClusterRoles
+-->
+## ClusterRoleList {#ClusterRoleList}
+
+ClusterRoleList 是 ClusterRole 的集合。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: ClusterRoleList
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  <!--
+  Standard object's metadata.
+
+  - **items** ([]<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>), required
+
+    Items is a list of ClusterRoles
+  -->
+  标准的对象元数据。
+
+- **items** ([]<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>)，必需
+  
+  items 是 ClusterRole 的列表。
+<!--
+## Operations {#Operations}
+-->
+## 操作 {#Operations}
+
+<hr>
+
+<!--
+### `get` read the specified ClusterRole
+#### HTTP Request
+-->
+### `get` 读取指定的 ClusterRole
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+  name of the ClusterRole
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (路径参数): string，必需
+  
+  ClusterRole 的名称
+
+- **pretty** (查询参数): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): OK
+
+401: Unauthorized
+<!--
+### `list` list or watch objects of kind ClusterRole
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 ClusterRole 的对象
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/clusterroles
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+- **watch** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRoleList" >}}">ClusterRoleList</a>): OK
+
+401: Unauthorized
+<!--
+### `create` create a ClusterRole
+#### HTTP Request
+-->
+### `create` 创建一个 ClusterRole
+
+#### HTTP 请求
+
+POST /apis/rbac.authorization.k8s.io/v1/clusterroles
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): Accepted
+
+401: Unauthorized
+<!--
+### `update` replace the specified ClusterRole
+#### HTTP Request
+-->
+### `update` 替换指定的 ClusterRole
+
+#### HTTP 请求
+
+PUT /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRole
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ClusterRole 的名称
+
+- **body**: <a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): Created
+
+401: Unauthorized
+<!--
+### `patch` partially update the specified ClusterRole
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 ClusterRole
+
+#### HTTP 请求
+
+PATCH /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRole
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **force** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ClusterRole 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/cluster-role-v1#ClusterRole" >}}">ClusterRole</a>): Created
+
+401: Unauthorized
+<!--
+### `delete` delete a ClusterRole
+#### HTTP Request
+-->
+### `delete` 删除一个 ClusterRole
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ClusterRole
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ClusterRole 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+<!--
+### `deletecollection` delete collection of ClusterRole
+#### HTTP Request
+-->
+### `deletecollection` 删除 ClusterRole 的集合
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/clusterroles
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
\ No newline at end of file
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/local-subject-access-review-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/local-subject-access-review-v1.md
new file mode 100644
index 0000000000000..26a99fe96265a
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/local-subject-access-review-v1.md
@@ -0,0 +1,146 @@
+---
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "LocalSubjectAccessReview"
+content_type: "api_reference"
+description: "LocalSubjectAccessReview 检查用户或组是否可以在给定的命名空间内执行某操作。"
+title: "LocalSubjectAccessReview"
+weight: 1
+---
+<!--
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "LocalSubjectAccessReview"
+content_type: "api_reference"
+description: "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace."
+title: "LocalSubjectAccessReview"
+weight: 1
+-->
+
+`apiVersion: authorization.k8s.io/v1`
+
+`import "k8s.io/api/authorization/v1"`
+
+## LocalSubjectAccessReview {#LocalSubjectAccessReview}
+<!--
+LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.
+
+<hr>
+
+- **apiVersion**: authorization.k8s.io/v1
+
+- **kind**: LocalSubjectAccessReview
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+LocalSubjectAccessReview 检查用户或组是否可以在给定的命名空间内执行某操作。
+划分命名空间范围的资源简化了命名空间范围的策略设置，例如权限检查。
+
+<hr>
+
+- **apiVersion**: authorization.k8s.io/v1
+
+- **kind**: LocalSubjectAccessReview
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  
+  标准的列表元数据。
+  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **spec** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewSpec" >}}">SubjectAccessReviewSpec</a>), required
+
+  Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.
+
+- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
+
+  Status is filled in by the server and indicates whether the request is allowed or not
+-->
+- **spec** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewSpec" >}}">SubjectAccessReviewSpec</a>)，必需
+  
+  spec 包含有关正在评估的请求的信息。
+  spec.namespace 必须是你的请求所针对的命名空间。
+  如果留空，则会被设置默认值。
+
+- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
+  
+  status 由服务器填写，表示请求是否被允许。
+
+<!--
+## Operations {#Operations}
+
+<hr>
+
+### `create` create a LocalSubjectAccessReview
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `create` 创建 LocalSubjectAccessReview
+
+#### HTTP 请求
+
+POST /apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviews
+<!--
+#### Parameters
+
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../authorization-resources/local-subject-access-review-v1#LocalSubjectAccessReview" >}}">LocalSubjectAccessReview</a>, required
+
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../authorization-resources/local-subject-access-review-v1#LocalSubjectAccessReview" >}}">LocalSubjectAccessReview</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/local-subject-access-review-v1#LocalSubjectAccessReview" >}}">LocalSubjectAccessReview</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/local-subject-access-review-v1#LocalSubjectAccessReview" >}}">LocalSubjectAccessReview</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/local-subject-access-review-v1#LocalSubjectAccessReview" >}}">LocalSubjectAccessReview</a>): Accepted
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
new file mode 100644
index 0000000000000..38abf1da14b39
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
@@ -0,0 +1,718 @@
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "RoleBinding"
+content_type: "api_reference"
+description: "RoleBinding 引用一个角色，但不包含它。"
+title: "RoleBinding"
+weight: 8
+auto_generated: false
+---
+<!--
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "RoleBinding"
+content_type: "api_reference"
+description: "RoleBinding references a role, but does not contain it."
+title: "RoleBinding"
+weight: 8
+auto_generated: true
+---
+-->
+`apiVersion: rbac.authorization.k8s.io/v1`
+
+`import "k8s.io/api/rbac/v1"`
+
+## RoleBinding {#RoleBinding}
+<!--
+RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.
+-->
+RoleBinding 引用一个角色，但不包含它。
+RoleBinding 可以引用相同命名空间中的 Role 或全局命名空间中的 ClusterRole。
+RoleBinding 通过 Subjects 和所在的命名空间信息添加主体信息。
+处于给定命名空间中的 RoleBinding 仅在该命名空间中有效。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: RoleBinding
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+<!--
+  Standard object's metadata.
+
+- **roleRef** (RoleRef), required
+
+  RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.
+
+  <a name="RoleRef"></a>
+  *RoleRef contains information that points to the role being used*
+-->
+  标准的对象元数据。
+
+- **roleRef** (RoleRef)，必需
+  
+  roleRef 可以引用当前命名空间中的 Role 或全局命名空间中的 ClusterRole。
+  如果无法解析 roleRef，则 Authorizer 必定返回一个错误。
+  
+  <a name="RoleRef"></a>
+  **roleRef 包含指向正被使用的角色的信息。**
+<!--
+  - **roleRef.apiGroup** (string), required
+    APIGroup is the group for the resource being referenced
+
+  - **roleRef.kind** (string), required
+    Kind is the type of resource being referenced
+
+  - **roleRef.name** (string), required
+    Name is the name of resource being referenced
+-->  
+  - **roleRef.apiGroup** (string)，必需
+    
+    apiGroup 是被引用资源的组
+  
+  - **roleRef.kind** (string)，必需
+    
+    kind 是被引用的资源的类别
+  
+  - **roleRef.name** (string)，必需
+    
+    name 是被引用的资源的名称
+<!--
+  Subjects holds references to the objects the role applies to.
+  <a name="Subject"></a>
+  *Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.*
+
+  - **subjects.kind** (string), required
+    Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+-->
+- **subjects** ([]Subject)
+  
+  subjects 包含角色所适用的对象的引用。
+  
+  <a name="Subject"></a>
+  **Subject 包含对角色绑定所适用的对象或用户标识的引用。其中可以包含直接 API 对象的引用或非对象（如用户名和组名）的值。**
+  
+  - **subjects.kind** (string)，必需
+    
+    被引用的对象的类别。
+    这个 API 组定义的值是 `User`、`Group` 和 `ServiceAccount`。
+    如果 Authorizer 无法识别类别值，则 Authorizer 应报告一个错误。
+<!--
+  - **subjects.name** (string), required
+    Name of the object being referenced.
+
+  - **subjects.apiGroup** (string)
+    APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+
+  - **subjects.namespace** (string)
+    Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
+-->  
+  - **subjects.name** (string)，必需
+    
+    被引用的对象的名称。
+  
+  - **subjects.apiGroup** (string)
+    
+    apiGroup 包含被引用主体的 API 组。
+    对于 ServiceAccount 主体默认为 ""。
+    对于 User 和 Group 主体，默认为 "rbac.authorization.k8s.io"。
+  
+  - **subjects.namespace** (string)
+    
+    被引用的对象的命名空间。
+    如果对象类别是 “User” 或 “Group” 等非命名空间作用域的对象且该值不为空，
+    则 Authorizer 应报告一个错误。
+
+## RoleBindingList {#RoleBindingList}
+<!--
+RoleBindingList is a collection of RoleBindings
+-->
+RoleBindingList 是 RoleBinding 的集合。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: RoleBindingList
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+<!--
+  Standard object's metadata.
+
+- **items** ([]<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>), required
+
+  Items is a list of RoleBindings
+-->  
+  标准的对象元数据。
+
+- **items** ([]<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>)，必需
+  
+  items 是 RoleBinding 的列表。
+<!--
+## Operations {#Operations}
+<hr>
+### `get` read the specified RoleBinding
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 RoleBinding
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the RoleBinding
+
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  RoleBinding 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): OK
+
+401: Unauthorized
+<!--
+### `list` list or watch objects of kind RoleBinding
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 RoleBinding 的对象
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **allowWatchBookmarks** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+- **watch** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBindingList" >}}">RoleBindingList</a>): OK
+
+401: Unauthorized
+<!--
+### `list` list or watch objects of kind RoleBinding
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 RoleBinding 的对象
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/rolebindings
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+- **watch** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBindingList" >}}">RoleBindingList</a>): OK
+
+401: Unauthorized
+<!--
+### `create` create a RoleBinding
+#### HTTP Request
+-->
+### `create` 创建 RoleBinding
+
+#### HTTP 请求
+
+POST /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): Accepted
+
+401: Unauthorized
+<!--
+### `update` replace the specified RoleBinding
+#### HTTP Request
+-->
+### `update` 替换指定的 RoleBinding
+
+#### HTTP 请求
+
+PUT /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the RoleBinding
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  RoleBinding 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): Created
+
+401: Unauthorized
+<!--
+### `patch` partially update the specified RoleBinding
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 RoleBinding
+
+#### HTTP 请求
+
+PATCH /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the RoleBinding
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **force** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  RoleBinding 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/role-binding-v1#RoleBinding" >}}">RoleBinding</a>): Created
+
+401: Unauthorized
+<!--
+### `delete` delete a RoleBinding
+#### HTTP Request
+-->
+### `delete` 删除 RoleBinding
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the RoleBinding
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  RoleBinding 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+<!--
+### `deletecollection` delete collection of RoleBinding
+#### HTTP Request
+-->
+### `deletecollection` 删除 RoleBinding 的集合
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
\ No newline at end of file
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md
new file mode 100644
index 0000000000000..8b6f1362993b5
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md
@@ -0,0 +1,690 @@
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "Role"
+content_type: "api_reference"
+description: "Role 是一个按命名空间划分的 PolicyRule 逻辑分组，可以被 RoleBinding 作为一个单元引用。"
+title: "Role"
+weight: 7
+auto_generated: false
+---
+<!--
+---
+api_metadata:
+  apiVersion: "rbac.authorization.k8s.io/v1"
+  import: "k8s.io/api/rbac/v1"
+  kind: "Role"
+content_type: "api_reference"
+description: "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding."
+title: "Role"
+weight: 7
+auto_generated: true
+---
+-->
+
+`apiVersion: rbac.authorization.k8s.io/v1`
+
+`import "k8s.io/api/rbac/v1"`
+
+## Role {#Role}
+<!--
+Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+-->
+Role 是一个按命名空间划分的 PolicyRule 逻辑分组，可以被 RoleBinding 作为一个单元引用。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: Role
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+<!--
+Standard object's metadata.
+
+- **rules** ([]PolicyRule)
+  Rules holds all the PolicyRules for this Role
+
+  <a name="PolicyRule"></a>
+  *PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.*
+
+  - **rules.apiGroups** ([]string)
+    APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
+
+  - **rules.resources** ([]string)
+    Resources is a list of resources this rule applies to. '*' represents all resources.
+-->  
+  标准的对象元数据。
+
+- **rules** ([]PolicyRule)
+  
+  rules 包含了这个 Role 的所有 PolicyRule。
+  
+  <a name="PolicyRule"></a> 
+  **PolicyRule 包含描述一个策略规则的信息，但不包含该规则适用于哪个主体或适用于哪个命名空间的信息。**
+  
+  - **rules.apiGroups** ([]string)
+    
+    apiGroups 是包含资源的 apiGroup 的名称。
+    如果指定了多个 API 组，则允许对任何 API 组中的其中一个枚举资源来请求任何操作。
+  
+  - **rules.resources** ([]string)
+    
+    resources 是此规则所适用的资源的列表。
+    “*” 表示所有资源。
+<!--
+  - **rules.verbs** ([]string), required
+    Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+
+  - **rules.resourceNames** ([]string)
+    ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+
+  - **rules.nonResourceURLs** ([]string)
+    NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+-->  
+  - **rules.verbs** ([]string)，必需
+    
+    verbs 是适用于此规则中所包含的所有 ResourceKinds 的动作。
+    “*” 表示所有动作。
+  
+  - **rules.resourceNames** ([]string)
+    
+    resourceNames 是此规则所适用的资源名称白名单，可选。
+    空集合意味着允许所有资源。
+  
+  - **rules.nonResourceURLs** ([]string)
+    
+    nonResourceURLs 是用户应有权访问的一组部分 URL。
+    允许使用 “*”，但仅能作为路径中最后一段且必须用于完整的一段，
+    因为非资源 URL 没有划分命名空间。
+    此字段仅适用于从 ClusterRoleBinding 引用的 ClusterRole。
+    rules 可以应用到 API 资源（如 “pod” 或 “secret”）或非资源 URL 路径（如 “/api”），
+    但不能同时应用于两者。
+
+## RoleList {#RoleList}
+<!--
+RoleList is a collection of Roles
+-->
+RoleList 是 Role 的集合。
+
+<hr>
+
+- **apiVersion**: rbac.authorization.k8s.io/v1
+
+- **kind**: RoleList
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+<!--
+  Standard object's metadata.
+
+- **items** ([]<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>), required
+
+  Items is a list of Roles
+-->  
+  标准的对象元数据。
+
+- **items** ([]<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>)，必需
+  
+  items 是 Role 的列表。
+<!--
+## Operations {#Operations}
+<hr>
+### `get` read the specified Role
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 Role
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Role
+
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Role 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): OK
+
+401: Unauthorized
+<!--
+### `list` list or watch objects of kind Role
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 Role 的对象
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **allowWatchBookmarks** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+- **watch** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-v1#RoleList" >}}">RoleList</a>): OK
+
+401: Unauthorized
+<!--
+### `list` list or watch objects of kind Role
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 Role 的对象
+
+#### HTTP 请求
+
+GET /apis/rbac.authorization.k8s.io/v1/roles
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+- **watch** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-v1#RoleList" >}}">RoleList</a>): OK
+
+401: Unauthorized
+<!--
+### `create` create a Role
+#### HTTP Request
+-->
+### `create` 创建 Role
+
+#### HTTP 请求
+
+POST /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): Accepted
+
+401: Unauthorized
+<!--
+### `update` replace the specified Role
+#### HTTP Request
+-->
+### `update` 替换指定的 Role
+
+#### HTTP 请求
+
+PUT /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Role
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Role 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): Created
+
+401: Unauthorized
+<!--
+### `patch` partially update the specified Role
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 Role
+
+#### HTTP 请求
+
+PATCH /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Role
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+- **force** (*in query*): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Role 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/role-v1#Role" >}}">Role</a>): Created
+
+401: Unauthorized
+<!--
+### `delete` delete a Role
+#### HTTP Request
+-->
+### `delete` 删除 Role
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Role
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Role 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+<!--
+### `deletecollection` delete collection of Role
+#### HTTP Request
+-->
+### `deletecollection` 删除 Role 的集合
+
+#### HTTP 请求
+
+DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+- **fieldSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+- **gracePeriodSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+- **labelSelector** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+- **limit** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+- **propagationPolicy** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+- **resourceVersion** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+- **resourceVersionMatch** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+- **timeoutSeconds** (*in query*): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1.md
new file mode 100644
index 0000000000000..164a054c41422
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1.md
@@ -0,0 +1,230 @@
+---
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "SelfSubjectAccessReview"
+content_type: "api_reference"
+description: "SelfSubjectAccessReview 检查当前用户是否可以执行某操作。"
+title: "SelfSubjectAccessReview"
+weight: 2
+---
+<!--
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "SelfSubjectAccessReview"
+content_type: "api_reference"
+description: "SelfSubjectAccessReview checks whether or the current user can perform an action."
+title: "SelfSubjectAccessReview"
+weight: 2
+-->
+`apiVersion: authorization.k8s.io/v1`
+
+`import "k8s.io/api/authorization/v1"`
+
+## SelfSubjectAccessReview {#SelfSubjectAccessReview}
+<!--
+SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a spec.namespace means "in all namespaces".  Self is a special case, because users should always be able to check whether they can perform an action
+-->
+SelfSubjectAccessReview 检查当前用户是否可以执行某操作。
+不填写 spec.namespace 表示 “在所有命名空间中”。
+Self 是一个特殊情况，因为用户应始终能够检查自己是否可以执行某操作。
+
+<hr>
+
+- **apiVersion**: authorization.k8s.io/v1
+
+- **kind**: SelfSubjectAccessReview
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+- **spec** (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReviewSpec" >}}">SelfSubjectAccessReviewSpec</a>), required
+  Spec holds information about the request being evaluated.  user and groups must be empty
+  Status is filled in by the server and indicates whether the request is allowed or not
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准的列表元数据。
+  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReviewSpec" >}}">SelfSubjectAccessReviewSpec</a>)，必需
+  
+  spec 包含有关正在评估的请求的信息。
+  user 和 group 必须为空。
+
+- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
+
+  status 由服务器填写，表示请求是否被允许。
+
+## SelfSubjectAccessReviewSpec {#SelfSubjectAccessReviewSpec}
+<!--
+SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
+-->
+SelfSubjectAccessReviewSpec 是访问请求的描述。
+resourceAuthorizationAttributes 和 nonResourceAuthorizationAttributes 二者必须设置其一，并且只能设置其一。
+
+<hr>
+<!--
+- **nonResourceAttributes** (NonResourceAttributes)
+  NonResourceAttributes describes information for a non-resource access request
+  <a name="NonResourceAttributes"></a>
+  *NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface*
+  - **nonResourceAttributes.path** (string)
+    Path is the URL path of the request
+  - **nonResourceAttributes.verb** (string)
+    Verb is the standard HTTP verb
+-->
+
+- **nonResourceAttributes** (NonResourceAttributes)
+  
+  nonResourceAttributes 描述非资源访问请求的信息。
+  
+  <a name="NonResourceAttributes"></a>
+  **nonResourceAttributes 包括提供给 Authorizer 接口进行非资源请求鉴权时所用的属性。**
+  
+  - **nonResourceAttributes.path** (string)
+    
+    path 是请求的 URL 路径。
+  
+  - **nonResourceAttributes.verb** (string)
+    
+    verb 是标准的 HTTP 动作。
+<!--
+- **resourceAttributes** (ResourceAttributes)
+  ResourceAuthorizationAttributes describes information for a resource access request
+
+  <a name="ResourceAttributes"></a>
+  *ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface*
+
+  - **resourceAttributes.group** (string)
+    Group is the API Group of the Resource.  "*" means all.
+
+  - **resourceAttributes.name** (string)
+    Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+-->
+- **resourceAttributes** (ResourceAttributes)
+  
+  resourceAuthorizationAttributes 描述资源访问请求的信息。
+  
+  <a name="ResourceAttributes"></a>
+  **resourceAttributes 包括提供给 Authorizer 接口进行资源请求鉴权时所用的属性。**
+  
+  - **resourceAttributes.group** (string)
+    
+    group 是资源的 API 组。
+    "*" 表示所有组。
+  
+  - **resourceAttributes.name** (string)
+    
+    name 是 "get" 正在请求或 "delete" 已删除的资源的名称。
+    ""（空字符串）表示所有资源。
+<!--
+  - **resourceAttributes.namespace** (string)
+    Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+
+  - **resourceAttributes.resource** (string)
+    Resource is one of the existing resource types.  "*" means all.
+-->  
+  - **resourceAttributes.namespace** (string)
+    
+    namespace 是正在请求的操作的命名空间。
+    目前，无命名空间和所有命名空间之间没有区别。
+    对于 LocalSubjectAccessReviews，默认为 ""（空字符串）。
+    对于集群范围的资源，默认为 ""（空字符串）。
+    对于来自 SubjectAccessReview 或 SelfSubjectAccessReview 的命名空间范围的资源，""（空字符串）表示 "all"（所有资源）。
+  
+  - **resourceAttributes.resource** (string)
+    
+    resource 是现有的资源类别之一。
+    "*" 表示所有资源类别。
+<!--
+  - **resourceAttributes.subresource** (string)
+    Subresource is one of the existing resource types.  "" means none.
+
+  - **resourceAttributes.verb** (string)
+    Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+
+  - **resourceAttributes.version** (string)
+    Version is the API Version of the Resource.  "*" means all.
+-->  
+  - **resourceAttributes.subresource** (string)
+    
+    subresource 是现有的资源类型之一。
+    "" 表示无。
+
+  - **resourceAttributes.verb** (string)
+    
+    verb 是 kubernetes 资源 API 动作，例如 get、list、watch、create、update、delete、proxy。
+    "*" 表示所有动作。
+  
+  - **resourceAttributes.version** (string)
+    
+    version 是资源的 API 版本。
+    "*" 表示所有版本。
+<!--
+## Operations {#Operations}
+
+<hr>
+
+### `create` create a SelfSubjectAccessReview
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `create` 创建 SelfSubjectAccessReview
+
+#### HTTP 请求
+
+POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews
+<!--
+#### Parameters
+
+- **body**: <a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>, required
+
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>): Accepted
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-rules-review-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-rules-review-v1.md
new file mode 100644
index 0000000000000..e4c39decdca3d
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-rules-review-v1.md
@@ -0,0 +1,246 @@
+---
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "SelfSubjectRulesReview"
+content_type: "api_reference"
+description: "SelfSubjectRulesReview 枚举当前用户可以在某命名空间内执行的操作集合。"
+title: "SelfSubjectRulesReview"
+weight: 3
+---
+<!--
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "SelfSubjectRulesReview"
+content_type: "api_reference"
+description: "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace."
+title: "SelfSubjectRulesReview"
+weight: 3
+-->
+`apiVersion: authorization.k8s.io/v1`
+
+`import "k8s.io/api/authorization/v1"`
+
+## SelfSubjectRulesReview {#SelfSubjectRulesReview}
+<!--
+SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+-->
+SelfSubjectRulesReview 枚举当前用户可以在某命名空间内执行的操作集合。
+返回的操作列表可能不完整，具体取决于服务器的鉴权模式以及评估过程中遇到的任何错误。
+SelfSubjectRulesReview 应由 UI 用于显示/隐藏操作，或让最终用户尽快理解自己的权限。
+SelfSubjectRulesReview 不得被外部系统使用以驱动鉴权决策，
+因为这会引起混淆代理人（confused deputy）、缓存有效期/吊销（cache lifetime/revocation）和正确性问题。
+SubjectAccessReview 和 LocalAccessReview 是遵从 API 服务器所做鉴权决策的正确方式。
+
+<hr>
+
+- **apiVersion**: authorization.k8s.io/v1
+
+- **kind**: SelfSubjectRulesReview
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReviewSpec" >}}">SelfSubjectRulesReviewSpec</a>), required
+
+  Spec holds information about the request being evaluated.
+-->  
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准的列表元数据。
+  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReviewSpec" >}}">SelfSubjectRulesReviewSpec</a>)，必需
+  
+  spec 包含有关正在评估的请求的信息。
+<!--
+- **status** (SubjectRulesReviewStatus)
+  Status is filled in by the server and indicates the set of actions a user can perform.
+  <a name="SubjectRulesReviewStatus"></a>
+  *SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.*
+  - **status.incomplete** (boolean), required
+    Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+  - **status.nonResourceRules** ([]NonResourceRule), required
+    NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+    <a name="NonResourceRule"></a>
+    *NonResourceRule holds information that describes a rule for the non-resource*
+-->
+- **status** (SubjectRulesReviewStatus)
+  
+  status 由服务器填写，表示用户可以执行的操作的集合。
+  
+  <a name="SubjectRulesReviewStatus"></a>
+  **SubjectRulesReviewStatus 包含规则检查的结果。
+  此检查可能不完整，具体取决于服务器配置的 Authorizer 的集合以及评估期间遇到的任何错误。
+  由于鉴权规则是叠加的，所以如果某个规则出现在列表中，即使该列表不完整，也可以安全地假定该主体拥有该权限。**
+
+  - **status.incomplete** (boolean)，必需
+    
+    当此调用返回的规则不完整时，incomplete 结果为 true。
+    这种情况常见于 Authorizer（例如外部 Authorizer）不支持规则评估时。
+  
+  - **status.nonResourceRules** ([]NonResourceRule)，必需
+    
+    nonResourceRules 是允许主体对非资源执行路径执行的操作列表。
+    该列表顺序不重要，可以包含重复项，还可能不完整。
+    
+    <a name="NonResourceRule"></a>
+    **nonResourceRule 包含描述非资源路径的规则的信息。**
+<!--
+    - **status.nonResourceRules.verbs** ([]string), required
+      Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+    - **status.nonResourceRules.nonResourceURLs** ([]string)
+      NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path.  "*" means all.
+  - **status.resourceRules** ([]ResourceRule), required
+    ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+    <a name="ResourceRule"></a>
+    *ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.*
+    - **status.resourceRules.verbs** ([]string), required
+    Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.  
+-->
+    - **status.nonResourceRules.verbs** ([]string)，必需
+      
+      verb 是 kubernetes 非资源 API 动作的列表，例如 get、post、put、delete、patch、head、options。
+      "*" 表示所有动作。
+    
+    - **status.nonResourceRules.nonResourceURLs** ([]string)
+      
+      nonResourceURLs 是用户应有权访问的一组部分 URL。
+      允许使用 "*"，但仅能作为路径中最后一段且必须用于完整的一段。
+      "*" 表示全部。
+
+  - **status.resourceRules** ([]ResourceRule)，必需
+    
+    resourceRules 是允许主体对资源执行的操作的列表。
+    该列表顺序不重要，可以包含重复项，还可能不完整。
+    
+    <a name="ResourceRule"></a>
+    **resourceRule 是允许主体对资源执行的操作的列表。该列表顺序不重要，可以包含重复项，还可能不完整。**
+    
+    - **status.resourceRules.verbs** ([]string)，必需
+      
+      verb 是 kubernetes 资源 API 动作的列表，例如 get、list、watch、create、update、delete、proxy。
+      "*" 表示所有动作。
+<!--
+    - **status.resourceRules.apiGroups** ([]string)
+      APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.  "*" means all.
+    - **status.resourceRules.resourceNames** ([]string)
+      ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+    - **status.resourceRules.resources** ([]string)
+      Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
+       "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
+  - **status.evaluationError** (string)
+    EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.
+--> 
+    - **status.resourceRules.apiGroups** ([]string)
+      
+      apiGroups 是包含资源的 APIGroup 的名称。
+      如果指定了多个 API 组，则允许对任何 API 组中枚举的资源之一请求任何操作。
+      "*" 表示所有 APIGroup。
+    
+    - **status.resourceRules.resourceNames** ([]string)
+      
+      resourceNames 是此规则所适用的资源名称白名单，可选。
+      空集合意味着允许所有资源。
+      "*" 表示所有资源。
+    
+    - **status.resourceRules.resources** ([]string)
+      
+      resources 是此规则所适用的资源的列表。
+      "*" 表示指定 APIGroup 中的所有资源。
+      "*/foo" 表示指定 APIGroup 中所有资源的子资源 "foo"。
+
+  - **status.evaluationError** (string)
+    
+    evaluationError 可以与 rules 一起出现。
+    它表示在规则评估期间发生错误，例如 Authorizer 不支持规则评估以及 resourceRules 和/或 nonResourceRules 可能不完整。
+
+## SelfSubjectRulesReviewSpec {#SelfSubjectRulesReviewSpec}
+
+<!--
+SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
+
+<hr>
+
+- **namespace** (string)
+
+  Namespace to evaluate rules for. Required.
+-->
+SelfSubjectRulesReviewSpec 定义 SelfSubjectRulesReview 的规范。
+
+<hr>
+
+- **namespace** (string)
+  
+  namespace 是要评估规则的命名空间。
+  必需。
+
+<!--
+## Operations {#Operations}
+
+<hr>
+
+### `create` create a SelfSubjectRulesReview
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `create` 创建 SelfSubjectRulesReview
+
+#### HTTP 请求
+
+POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews
+<!--
+#### Parameters
+
+- **body**: <a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>, required
+
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>): Accepted
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1.md
new file mode 100644
index 0000000000000..be42036d46dcf
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1.md
@@ -0,0 +1,301 @@
+---
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "SubjectAccessReview"
+content_type: "api_reference"
+description: "SubjectAccessReview 检查用户或组是否可以执行某操作。"
+title: "SubjectAccessReview"
+weight: 4
+---
+<!--
+api_metadata:
+  apiVersion: "authorization.k8s.io/v1"
+  import: "k8s.io/api/authorization/v1"
+  kind: "SubjectAccessReview"
+content_type: "api_reference"
+description: "SubjectAccessReview checks whether or not a user or group can perform an action."
+title: "SubjectAccessReview"
+weight: 4
+-->
+
+`apiVersion: authorization.k8s.io/v1`
+
+`import "k8s.io/api/authorization/v1"`
+
+## SubjectAccessReview {#SubjectAccessReview}
+<!--
+SubjectAccessReview checks whether or not a user or group can perform an action.
+-->
+SubjectAccessReview 检查用户或组是否可以执行某操作。
+
+<hr>
+
+- **apiVersion**: authorization.k8s.io/v1
+
+- **kind**: SubjectAccessReview
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+<!--
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+- **spec** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewSpec" >}}">SubjectAccessReviewSpec</a>), required
+  Spec holds information about the request being evaluated
+- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
+  Status is filled in by the server and indicates whether the request is allowed or not
+-->  
+  标准的列表元数据。
+  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewSpec" >}}">SubjectAccessReviewSpec</a>)，必需
+  
+  spec 包含有关正在评估的请求的信息。
+
+- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
+  
+  status 由服务器填写，表示请求是否被允许。
+
+## SubjectAccessReviewSpec {#SubjectAccessReviewSpec}
+<!--
+SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
+-->
+SubjectAccessReviewSpec 是访问请求的描述。
+resourceAuthorizationAttributes 和 nonResourceAuthorizationAttributes 二者必须设置其一，并且只能设置其一。
+
+<hr>
+
+<!--
+- **extra** (map[string][]string)
+  Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer it needs a reflection here.
+- **groups** ([]string)
+  Groups is the groups you're testing for.
+-->
+- **extra** (map[string][]string)
+  
+  extra 对应于来自鉴权器的 user.Info.GetExtra() 方法。
+  由于这是针对 Authorizer 的输入，所以它需要在此处反映。
+
+- **groups** ([]string)
+  
+  groups 是你正在测试的组。
+<!--
+- **nonResourceAttributes** (NonResourceAttributes)
+  NonResourceAttributes describes information for a non-resource access request
+
+  <a name="NonResourceAttributes"></a>
+  *NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface*
+
+  - **nonResourceAttributes.path** (string)
+    Path is the URL path of the request
+
+  - **nonResourceAttributes.verb** (string)
+    Verb is the standard HTTP verb
+-->
+- **nonResourceAttributes** (NonResourceAttributes)
+  
+  nonResourceAttributes 描述非资源访问请求的信息。
+  
+  <a name="NonResourceAttributes"></a> 
+  **nonResourceAttributes 包括提供给 Authorizer 接口进行非资源请求鉴权时所用的属性。**
+  
+  - **nonResourceAttributes.path** (string)
+    
+    path 是请求的 URL 路径。
+  
+  - **nonResourceAttributes.verb** (string)
+    
+    verb 是标准的 HTTP 动作。
+<!--
+- **resourceAttributes** (ResourceAttributes)
+  ResourceAuthorizationAttributes describes information for a resource access request
+
+  <a name="ResourceAttributes"></a>
+  *ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface*
+
+  - **resourceAttributes.group** (string)
+    Group is the API Group of the Resource.  "*" means all.
+
+  - **resourceAttributes.name** (string)
+    Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+-->
+- **resourceAttributes** (ResourceAttributes)
+  
+  resourceAuthorizationAttributes 描述资源访问请求的信息。
+  
+  <a name="ResourceAttributes"></a> 
+  **resourceAttributes 包括提供给 Authorizer 接口进行资源请求鉴权时所用的属性。**
+  
+  - **resourceAttributes.group** (string)
+    
+    group 是资源的 API 组。
+    "*" 表示所有资源。
+  
+  - **resourceAttributes.name** (string)
+    
+    name 是 "get" 正在请求或 "delete" 已删除的资源。
+    ""（空字符串）表示所有资源。
+<!--
+  - **resourceAttributes.namespace** (string)
+    Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+
+  - **resourceAttributes.resource** (string)
+    Resource is one of the existing resource types.  "*" means all.
+
+  - **resourceAttributes.subresource** (string)
+    Subresource is one of the existing resource types.  "" means none.
+-->  
+  - **resourceAttributes.namespace** (string)
+    
+    namespace 是正在请求的操作的命名空间。
+    目前，无命名空间和所有命名空间之间没有区别。
+    对于 LocalSubjectAccessReviews，默认为 ""（空字符串）。
+    对于集群范围的资源，默认为 ""（空字符串）。
+    对于来自 SubjectAccessReview 或 SelfSubjectAccessReview 的命名空间范围的资源，
+    ""（空字符串）表示 "all"（所有资源）。
+  
+  - **resourceAttributes.resource** (string)
+    
+    resource 是现有的资源类别之一。
+    "*" 表示所有资源类别。
+  
+  - **resourceAttributes.subresource** (string)
+    
+    subresource 是现有的资源类别之一。
+    "" 表示无子资源。
+<!--
+  - **resourceAttributes.verb** (string)
+    Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+
+  - **resourceAttributes.version** (string)
+    Version is the API Version of the Resource.  "*" means all.
+
+- **uid** (string)
+  UID information about the requesting user.
+
+- **user** (string)
+  User is the user you're testing for. If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
+-->  
+  - **resourceAttributes.verb** (string)
+    
+    verb 是 kubernetes 资源的 API 动作，例如 get、list、watch、create、update、delete、proxy。
+    "*" 表示所有动作。
+  
+  - **resourceAttributes.version** (string)
+    
+    version 是资源的 API 版本。
+    "*" 表示所有版本。
+
+- **uid** (string)
+  
+  有关正在请求的用户的 UID 信息。
+
+- **user** (string)
+  
+  user 是你正在测试的用户。
+  如果你指定 “user” 而不是 “groups”，它将被解读为“如果 user 不是任何组的成员，将会怎样”。
+
+## SubjectAccessReviewStatus {#SubjectAccessReviewStatus}
+
+SubjectAccessReviewStatus
+
+<hr>
+
+<!--
+- **allowed** (boolean), required
+  Allowed is required. True if the action would be allowed, false otherwise.
+
+- **denied** (boolean)
+  Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.
+-->
+- **allowed** (boolean)，必需
+  
+  allowed 是必需的。
+  如果允许该操作，则为 true，否则为 false。
+
+- **denied** (boolean)
+  
+  denied 是可选的。
+  如果拒绝该操作，则为 true，否则为 false。
+  如果 allowed 和 denied 均为 false，则 Authorizer 对是否鉴权操作没有意见。
+  如果 allowed 为 true，则 denied 不能为 true。
+<!--
+- **evaluationError** (string)
+  EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+
+- **reason** (string)
+  Reason is optional.  It indicates why a request was allowed or denied.
+-->
+- **evaluationError** (string)
+  
+  evaluationError 表示鉴权检查期间发生一些错误。
+  出现错误的情况下完全有可能继续确定鉴权状态。
+  例如，RBAC 可能缺少一个角色，但仍存在足够多的角色进行绑定，进而了解请求有关的原因。
+
+- **reason** (string)
+  
+  reason 是可选的。
+  它表示为什么允许或拒绝请求。
+<!--
+## Operations {#Operations}
+
+<hr>
+
+### `create` create a SubjectAccessReview
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `create` 创建 SubjectAccessReview
+
+#### HTTP 请求
+
+POST /apis/authorization.k8s.io/v1/subjectaccessreviews
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>, required
+- **dryRun** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>): OK
+
+201 (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>): Created
+
+202 (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>): Accepted
+
+401: Unauthorized
diff --git a/content/zh/docs/reference/kubernetes-api/cluster-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/cluster-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/cluster-resources/_index.md
diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md
new file mode 100644
index 0000000000000..c6c92edd6cbc3
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1.md
@@ -0,0 +1,785 @@
+---
+api_metadata:
+  apiVersion: "apiregistration.k8s.io/v1"
+  import: "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+  kind: "APIService"
+content_type: "api_reference"
+description: "APIService 是用来表示一个特定的 GroupVersion 的服务器"
+title: "APIService"
+weight: 4
+---
+
+<!--
+api_metadata:
+  apiVersion: "apiregistration.k8s.io/v1"
+  import: "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+  kind: "APIService"
+content_type: "api_reference"
+description: "APIService represents a server for a particular GroupVersion."
+title: "APIService"
+weight: 4
+auto_generated: true
+-->
+
+`apiVersion: apiregistration.k8s.io/v1`
+
+`import "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"`
+
+
+## APIService {#APIService}
+
+<!--
+APIService represents a server for a particular GroupVersion. Name must be "version.group".
+-->
+APIService 是用来表示一个特定的 GroupVersion 的服务器。名称必须为 "version.group"。
+
+<hr>
+
+- **apiVersion**: apiregistration.k8s.io/v1
+
+- **kind**: APIService
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  <!--
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  -->
+  标准的对象元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../cluster-resources/api-service-v1#APIServiceSpec" >}}">APIServiceSpec</a>)
+  <!--
+  Spec contains information for locating and communicating with a server
+  -->
+  spec 包含用于定位和与服务器通信的信息
+
+- **status** (<a href="{{< ref "../cluster-resources/api-service-v1#APIServiceStatus" >}}">APIServiceStatus</a>)
+  <!--
+  Status contains derived information about an API server
+  -->
+  status 包含某 API 服务器的派生信息
+
+
+## APIServiceSpec {#APIServiceSpec}
+<!--
+APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.
+-->
+APIServiceSpec 包含用于定位和与服务器通信的信息。仅支持 HTTPS 协议，但是你可以禁用证书验证。
+
+<hr>
+
+- **groupPriorityMinimum** (int32)， <!--required-->必需
+  <!--
+  GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object.  (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s
+  -->
+  groupPriorityMininum 是这个组至少应该具有的优先级。优先级高表示客户端优先选择该组。
+  请注意，该组的其他版本可能会指定更高的 groupPriorityMininum 值，使得整个组获得更高的优先级。
+  主排序基于 groupPriorityMinimum 值，从高到低排序（20 在 10 之前）。
+  次要排序基于对象名称的字母顺序（v1.bar 在 v1.foo 之前）。
+  我们建议这样配置：`*.k8s.io`（扩展除外）值设置为 18000，PaaS（OpenShift、Deis）建议值为 2000 左右。
+
+- **versionPriority** (int32)， <!--required-->必需
+  <!--
+  VersionPriority controls the ordering of this API version inside of its group.  Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+  -->
+  versionPriority 控制该 API 版本在其组中的排序，必须大于零。主排序基于 versionPriority，
+  从高到低排序（20 在 10 之前）。因为在同一个组里，这个数字可以很小，可能是几十。
+  在版本优先级相等的情况下，版本字符串将被用来计算组内的顺序。如果版本字符串是与 Kubernetes 的版本号形式类似，
+  则它将排序在 Kubernetes 形式版本字符串之前。Kubernetes 的版本号字符串按字典顺序排列。
+  Kubernetes 版本号以 “v” 字符开头，后面是一个数字（主版本），然后是可选字符串 “alpha” 或 “beta” 和另一个数字（次要版本）。
+  它们首先按 GA > beta > alpha 排序（其中 GA 是没有 beta 或 alpha 等后缀的版本），然后比较主要版本，
+  最后是比较次要版本。版本排序列表示例：v10、v2、v1、v11beta2、v10beta3、v3beta1、v12alpha1、v11alpha2、foo1、foo10。
+
+- **caBundle** ([]byte)
+  <!--
+  *Atomic: will be replaced during a merge*
+  
+  CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.
+  -->
+  **原子性：将在合并期间被替换**
+
+  caBundle 是一个 PEM 编码的 CA 包，用于验证 API 服务器的服务证书。如果未指定，
+  则使用 API 服务器上的系统根证书。
+
+- **group** (string)
+  <!--
+  Group is the API group name this server hosts
+  -->
+  group 是此服务器主机的 API 组名称。
+
+- **insecureSkipTLSVerify** (boolean)
+  <!--
+  InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged.  You should use the CABundle instead.
+  -->
+  insecureSkipTLSVerify 代表在与此服务器通信时禁用 TLS 证书验证。强烈建议不要这样做。你应该使用 caBundle。  
+
+- **service** (ServiceReference)
+  <!--
+  Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.
+  -->
+  service 是对该 API 服务器的服务的引用。它只能在端口 443 上通信。如果 service 是 nil，
+  则意味着 API groupversion 的处理是在当前服务器上本地处理的。服务调用被直接委托给正常的处理程序链来完成。
+
+  <a name="ServiceReference"></a>
+  <!--
+  *ServiceReference holds a reference to Service.legacy.k8s.io*
+  -->
+  **ServiceReference 保存对 Service.legacy.k8s.io 的一个引用。**
+
+  - **service.name** (string)
+    <!--
+    Name is the name of the service
+    -->
+    name 是服务的名称
+  
+  - **service.namespace** (string)
+    <!--
+    namespace is the namespace of the service
+    -->
+    namespace 是服务的命名空间
+  
+  - **service.port** (int32)
+    <!--
+    If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
+    -->
+    如果指定，则为托管 Webhook 的服务上的端口。为实现向后兼容，默认端口号为 443。
+    `port` 应该是一个有效的端口号（1-65535，包含）。
+
+- **version** (string)
+  <!--
+  Version is the API version this server hosts.  For example, "v1"
+  -->
+  version 是此服务器的 API 版本。例如：“v1”。
+
+## APIServiceStatus {#APIServiceStatus}
+
+<!--
+APIServiceStatus contains derived information about an API server
+-->
+APIServiceStatus 包含有关 API 服务器的派生信息
+
+<hr>
+
+- **conditions** ([]APIServiceCondition)
+  <!--
+  *Patch strategy: merge on key `type`*
+  
+  *Map: unique values on key type will be kept during a merge*
+  
+  Current service state of apiService.
+  -->
+  **补丁策略：基于键 `type` 合并**
+
+  **Map：合并时将保留 type 键的唯一值**
+
+  APIService 的当前服务状态。
+
+  <a name="APIServiceCondition"></a>
+  <!--
+  *APIServiceCondition describes the state of an APIService at a particular point*
+  -->
+  **APIServiceCondition 描述 APIService 在特定点的状态** 
+
+  - **conditions.status** (string)， <!--required-->必需
+    <!--
+    Status is the status of the condition. Can be True, False, Unknown.
+    -->
+    status 表示状况（Condition）的状态，取值为 True、False 或 Unknown 之一。
+  
+  - **conditions.type** (string)， <!--required-->必需
+    <!--
+    Type is the type of the condition.
+    -->
+    type 是状况的类型。
+
+  - **conditions.lastTransitionTime** (Time)
+    <!--
+    Last time the condition transitioned from one status to another.
+    -->
+    上一次发生状况状态转换的时间。
+  
+    <a name="Time"></a>
+    <!--
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+    -->
+    Time 是对 time.Time 的封装。Time 支持对 YAML 和 JSON 进行正确封包。为 time 包的许多函数方法提供了封装器。
+  
+  - **conditions.message** (string)
+    <!--
+    Human-readable message indicating details about last transition.
+    -->
+    指示上次转换的详细可读信息。  
+  
+  - **conditions.reason** (string)
+    <!--
+    Unique, one-word, CamelCase reason for the condition's last transition.
+    -->
+    表述状况上次转换原因的、驼峰格式命名的、唯一的一个词。
+  
+
+## APIServiceList {#APIServiceList}
+<!--
+APIServiceList is a list of APIService objects.
+-->
+APIServiceList 是 APIService 对象的列表。
+
+<hr>
+
+- **apiVersion**: apiregistration.k8s.io/v1
+
+- **kind**: APIServiceList
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  <!--
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  -->
+  标准的列表元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>)， <!--required-->必需
+  <!--
+  Items is the list of APIService
+  -->
+  items 是 APIService 的列表
+
+
+## Operations {#Operations}
+
+<hr>
+
+<!--
+### `get` read the specified APIService
+
+#### HTTP Request
+-->
+### `get` 读取指定的 APIService
+
+#### HTTP 请求
+
+GET /apis/apiregistration.k8s.io/v1/apiservices/{name}
+
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+
+  name of the APIService
+
+
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** （**路径参数**）：string，必需
+
+  APIService 名称
+
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+401: Unauthorized
+
+<!--
+### `get` read status of the specified APIService
+
+#### HTTP Request
+-->
+### `get` 读取指定 APIService 的状态
+
+#### HTTP 请求
+
+GET /apis/apiregistration.k8s.io/v1/apiservices/{name}/status
+
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the APIService
+
+
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** （**路径参数**）：string，必需
+
+  APIService 名称
+
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind APIService
+
+#### HTTP Request
+-->
+### `list` 列出或观察 APIService 类的对象
+
+#### HTTP 请求
+
+GET /apis/apiregistration.k8s.io/v1/apiservices
+
+<!--
+#### Parameters
+
+
+- **allowWatchBookmarks** (*in query*): boolean
+-->
+#### 参数
+
+- **allowWatchBookmarks** （**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** <!--(*in query*):-->（**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** <!--(*in query*):-->（**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** <!--(*in query*):-->（**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIServiceList" >}}">APIServiceList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create an APIService
+
+#### HTTP Request
+-->
+### `create` 创建一个 APIService
+
+#### HTTP 请求
+
+POST /apis/apiregistration.k8s.io/v1/apiservices
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+- **body**：<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>， <!--required-->必需
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): Created
+
+202 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified APIService
+
+#### HTTP Request
+-->
+### `update` 替换指定的 APIService
+
+#### HTTP 请求
+
+PUT /apis/apiregistration.k8s.io/v1/apiservices/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+- **name** <!-- (*in path*): -->（**路径参数**）：string， <!--required-->必需
+  <!--
+  name of the APIService
+  -->
+  APIService 名称
+
+- **body**：<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>， <!--required-->必需
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): Created
+
+401: Unauthorized
+
+<!--
+### `update` replace status of the specified APIService
+
+#### HTTP Request
+-->
+### `update` 替换指定 APIService 的 status
+
+#### HTTP 请求
+
+PUT /apis/apiregistration.k8s.io/v1/apiservices/{name}/status
+
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+
+  name of the APIService
+-->
+#### 参数
+- **name**（**路径参数**）：string， 必需
+
+  APIService 名称
+
+- **body**：<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>， <!--required-->必需
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified APIService
+
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 APIService
+
+#### HTTP 请求
+
+PATCH /apis/apiregistration.k8s.io/v1/apiservices/{name}
+
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the APIService
+-->
+#### 参数
+
+- **name**（**路径参数**）：string， 必需
+
+  APIService 名称
+
+- **body**：<a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>， <!--required-->必需
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** <!--(*in query*):-->（**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update status of the specified APIService
+
+#### HTTP Request
+-->
+### `patch` 部分更新指定 APIService 的 status
+
+#### HTTP 请求
+
+PATCH /apis/apiregistration.k8s.io/v1/apiservices/{name}/status
+
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the APIService
+-->
+#### 参数
+
+- **name**（**路径参数**）：string， 必需
+
+  APIService 名称
+
+- **body**：<a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>， <!--required-->必需
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** <!--(*in query*):-->（**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/api-service-v1#APIService" >}}">APIService</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete an APIService
+
+#### HTTP Request
+-->
+### `delete` 删除一个 APIService
+
+#### HTTP 请求
+
+DELETE /apis/apiregistration.k8s.io/v1/apiservices/{name}
+
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the APIService
+-->
+#### 参数
+
+- **name**（**路径参数**）：string， 必需
+
+  APIService 名称
+
+- **body**：<a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** <!--(*in query*):-->（**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of APIService
+
+#### HTTP Request
+-->
+### `deletecollection` 删除 APIService 集合
+
+#### HTTP 请求
+
+DELETE /apis/apiregistration.k8s.io/v1/apiservices
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+- **body**：<a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** <!--(*in query*):-->（**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** <!--(*in query*):-->（**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** <!--(*in query*):-->（**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** <!--(*in query*):-->（**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/binding-v1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/binding-v1.md
new file mode 100644
index 0000000000000..1b23f65ee8965
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/binding-v1.md
@@ -0,0 +1,222 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "Binding"
+content_type: "api_reference"
+description: "Binding 将一个对象与另一个对象联系起来; 例如，一个 Pod 被调度程序绑定到一个节点。"
+title: "Binding"
+weight: 9
+auto_generated: true
+---
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+
+## Binding {#Binding}
+<!--
+Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Deprecated in 1.7, please use the bindings subresource of pods instead.
+-->
+Binding 将一个对象与另一个对象联系起来; 例如，一个 Pod 被调度程序绑定到一个节点。
+已在 1.7 版本弃用，请使用 Pod 的 binding 子资源。
+<hr>
+
+- **apiVersion**: v1
+
+
+- **kind**: Binding
+
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+<!--
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+  标准对象的元数据， 更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **target** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>), required
+
+  The target object that you want to bind to the standard object.
+-->
+
+- **target** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)， 必需
+
+  要绑定到标准对象的目标对象。
+<!--
+## Operations {#Operations}
+-->
+## 操作   {#operations}
+
+<hr>
+
+<!--
+### `create` create a Binding
+
+#### HTTP Request
+
+POST /api/v1/namespaces/{namespace}/bindings
+
+#### Parameters
+-->
+### `create` 创建一个 Binding
+
+#### HTTP 请求
+
+POST /api/v1/namespaces/{namespace}/bindings
+
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>, required
+-->
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>, 必需
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>): Created
+
+202 (<a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `create` create binding of a Pod
+
+#### HTTP Request
+
+POST /api/v1/namespaces/{namespace}/pods/{name}/binding
+-->
+### `create` 创建 Pod 的绑定
+
+#### HTTP 请求
+
+POST /api/v1/namespaces/{namespace}/pods/{name}/binding
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the Binding
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>, required
+-->
+#### 参数
+
+- **name** (**路径参数**): string, 必需
+
+  Binding 的名称
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>, 必需
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>): Created
+
+202 (<a href="{{< ref "../cluster-resources/binding-v1#Binding" >}}">Binding</a>): Accepted
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
new file mode 100644
index 0000000000000..425cfcab7f03c
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1.md
@@ -0,0 +1,1073 @@
+---
+api_metadata:
+  apiVersion: "coordination.k8s.io/v1"
+  import: "k8s.io/api/coordination/v1"
+  kind: "Lease"
+content_type: "api_reference"
+description: "Lease defines a lease concept."
+title: "Lease"
+weight: 5
+---
+
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference content, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+`apiVersion: coordination.k8s.io/v1`
+
+`import "k8s.io/api/coordination/v1"`
+
+
+## Lease {#Lease}
+<!--
+Lease defines a lease concept.
+-->
+Lease 定义了租约的概念。
+<hr>
+
+- **apiVersion**: coordination.k8s.io/v1
+
+
+- **kind**: Lease
+
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+<!--
+  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../cluster-resources/lease-v1#LeaseSpec" >}}">LeaseSpec</a>)
+
+<!--
+  Specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+-->
+  Lease 规范。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+
+
+
+
+## LeaseSpec {#LeaseSpec}
+
+<!--
+LeaseSpec is a specification of a Lease.
+-->
+LeaseSpec 是一个 Lease 的规范。
+
+<hr>
+
+<!--
+- **acquireTime** (MicroTime)
+
+  acquireTime is a time when the current lease was acquired.
+
+  <a name="MicroTime"></a>
+  *MicroTime is version of Time with microsecond level precision.*
+
+- **holderIdentity** (string)
+
+  holderIdentity contains the identity of the holder of a current lease.
+
+- **leaseDurationSeconds** (int32)
+
+  leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.
+
+- **leaseTransitions** (int32)
+
+  leaseTransitions is the number of transitions of a lease between holders.
+
+- **renewTime** (MicroTime)
+
+  renewTime is a time when the current holder of a lease has last updated the lease.
+
+  <a name="MicroTime"></a>
+  *MicroTime is version of Time with microsecond level precision.*
+-->
+- **acquireTime** (MicroTime)
+
+  acquireTime 是当前租约被获取的时间。
+  
+  <a name="MicroTime"></a>
+  **MicroTime 是微秒级精确时间的版本。**
+
+- **holderIdentity** (string)
+
+  holderIdentity 包含当前租约持有人的身份。
+
+- **leaseDurationSeconds** (int32)
+
+  leaseDurationSeconds 是租约候选人需要等待强制获取租约的持续时间。这是相对于上次观察到的更新时间的度量。
+
+- **leaseTransitions** (int32)
+
+  LeasetTransitions 是租约持有人之间的转换次数。
+
+- **renewTime** (MicroTime)
+
+  renewTime 是当前租约持有人上次更新租约的时间。
+
+  <a name="MicroTime"></a>
+  **MicroTime 是具有微秒级精度的时间版本。**
+
+
+
+
+## LeaseList {#LeaseList}
+
+<!--
+LeaseList is a list of Lease objects.
+-->
+LeaseList 是 Lease 对象的列表。
+
+<hr>
+
+- **apiVersion**: coordination.k8s.io/v1
+
+
+- **kind**: LeaseList
+
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+<!--
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+   标准列表元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>), required
+
+<!--
+  Items is a list of schema objects.
+-->
+  Items 是架构对象的列表。
+
+
+
+<!--
+## Operations {#Operations}
+-->
+## 操作   {#operations}
+
+
+<hr>
+
+
+
+
+
+<!--
+### `get` read the specified Lease
+
+#### HTTP Request
+
+GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+
+#### Parameters
+-->
+### `get` 读取指定的租赁
+
+#### HTTP 请求
+
+GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Lease
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **name** (**路径参数**): string, 必需
+
+  Lease 名称
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind Lease
+
+#### HTTP Request
+
+GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+-->
+### `list` 列出或监视 Lease 类对象
+
+#### HTTP 请求
+
+GET /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+
+<!--
+#### Parameters
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **allowWatchBookmarks** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+
+- **watch** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#LeaseList" >}}">LeaseList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind Lease
+
+#### HTTP Request
+-->
+### `list` 列出或监视 Lease 类对象
+
+#### HTTP 请求
+
+GET /apis/coordination.k8s.io/v1/leases
+
+<!--
+#### Parameters
+
+
+- **allowWatchBookmarks** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+
+- **watch** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+#### 参数
+
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#LeaseList" >}}">LeaseList</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#LeaseList" >}}">LeaseList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a Lease
+
+#### HTTP Request
+
+POST /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+-->
+### `create` 创建 Lease
+
+#### HTTP 请求
+
+POST /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+
+<!--
+#### Parameters
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>, 必需
+
+  
+
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Created
+
+202 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Created
+
+202 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified Lease
+
+#### HTTP Request
+
+PUT /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+-->
+### `update` 替换指定的 Lease
+
+#### HTTP 请求
+
+PUT /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the Lease
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+
+- **name** (**路径参数**): string, 必需
+
+  租贷名称
+
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>, 必需
+
+  
+
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified Lease
+
+#### HTTP Request
+
+PATCH /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+-->
+### `patch` 部分更新指定的 Lease
+
+#### HTTP 请求
+
+PATCH /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the Lease
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **force** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+#### 参数
+
+
+- **name** (**路径参数**): string, 必需
+
+  租贷名称
+
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, 必需
+
+  
+
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): OK
+
+201 (<a href="{{< ref "../cluster-resources/lease-v1#Lease" >}}">Lease</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a Lease
+
+#### HTTP Request
+
+DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+-->
+### `delete` 删除一个 Lease
+
+#### HTTP 请求
+
+DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}
+<!--
+#### Parameters
+
+
+- **name** (*in path*): string, required
+
+  name of the Lease
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+  
+
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+#### 参数
+
+
+- **name** (**路径参数**): string, 必需
+
+  租贷的名称
+
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+  
+
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of Lease
+
+#### HTTP Request
+
+DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+-->
+### `deletecollection` 删除 Lease 收款
+
+#### HTTP 请求
+
+DELETE /apis/coordination.k8s.io/v1/namespaces/{namespace}/leases
+<!--
+#### Parameters
+
+
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+  
+
+
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+#### 参数
+
+
+- **namespace** (**路径参数**): string, 必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+  
+
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
+
diff --git a/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md
new file mode 100644
index 0000000000000..dc0e8d4ef2e02
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/cluster-resources/namespace-v1.md
@@ -0,0 +1,839 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "Namespace"
+content_type: "api_reference"
+description: "Namespace 为名字提供作用域。"
+title: "Namespace"
+weight: 2
+---
+
+<!--
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "Namespace"
+content_type: "api_reference"
+description: "Namespace provides a scope for Names."
+title: "Namespace"
+weight: 2
+auto_generated: true
+-->
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+## Namespace {#Namespace}
+<!--
+Namespace provides a scope for Names. Use of multiple namespaces is optional.
+-->
+Namespace 为名字提供作用域。使用多个命名空间是可选的。
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: Namespace
+
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  <!--
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  -->
+  标准的对象元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../cluster-resources/namespace-v1#NamespaceSpec" >}}">NamespaceSpec</a>)
+  <!--
+  Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  -->
+  spec 定义了 Namespace 的行为。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+
+- **status** (<a href="{{< ref "../cluster-resources/namespace-v1#NamespaceStatus" >}}">NamespaceStatus</a>)
+  <!--
+  Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  -->
+  status 描述了当前 Namespace 的状态。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+
+## NamespaceSpec {#NamespaceSpec}
+<!--
+NamespaceSpec describes the attributes on a Namespace.
+-->
+NamespaceSpec 用于描述 Namespace 的属性。
+
+<hr>
+
+- **finalizers** ([]string)
+  <!--
+  Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
+  -->
+
+  finalizers 是一个不透明的值列表，只有此列表为空时才能从存储中永久删除对象。 更多信息： https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
+
+## NamespaceStatus {#NamespaceStatus}
+<!--
+NamespaceStatus is information about the current status of a Namespace.
+-->
+NamespaceStatus 表示 Namespace 的当前状态信息。
+<hr>
+
+- **conditions** ([]NamespaceCondition)
+  <!--
+  *Patch strategy: merge on key `type`*
+  
+  Represents the latest available observations of a namespace's current state.
+  -->
+  **补丁策略：基于 `type` 健合并**
+  
+  表示命名空间当前状态的最新可用状况。
+
+  <a name="NamespaceCondition"></a>
+  <!--
+  *NamespaceCondition contains details about state of namespace.*
+
+  - **conditions.status** (string), required
+
+    Status of the condition, one of True, False, Unknown.
+  -->
+  **NamespaceCondition 包含命名空间状态的详细信息。**
+
+  - **conditions.status** (string)，必需
+
+    状况（condition）的状态，取值为 True、False 或 Unknown 之一。
+  <!--
+  - **conditions.type** (string), required
+
+    Type of namespace controller condition.
+    
+  - **conditions.lastTransitionTime** (Time)
+  -->
+  - **conditions.type** (string), 必需
+
+    命名空间控制器状况的类型。
+    
+  - **conditions.lastTransitionTime** (Time)
+
+    <a name="Time"></a>
+    <!--
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+    -->
+    **Time 是对 time.Time 的封装。Time 支持对 YAML 和 JSON 进行正确封包。为 time 包的许多函数方法提供了封装器。**
+
+  - **conditions.message** (string)
+
+  - **conditions.reason** (string)
+
+- **phase** (string)
+
+  <!--
+  Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
+  -->
+  phase 是命名空间的当前生命周期阶段。更多信息： https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
+
+## NamespaceList {#NamespaceList}
+<!--
+NamespaceList is a list of Namespaces.
+-->
+NamespaceList 是一个命名空间列表。
+<hr>
+
+- **apiVersion**: v1
+
+
+- **kind**: NamespaceList
+
+
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  <!--
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+  -->
+  标准的列表元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+<!--
+- **items** ([]<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>), required
+-->
+
+- **items** ([]<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)，必需
+
+  <!--
+  Items is the list of Namespace objects in the list. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+  -->
+  items 是列表中的 Namespace 对象列表。更多信息： https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+
+<!--
+## Operations {#Operations}
+-->
+
+## 操作 {#Operations}
+
+<!--
+### `get` read the specified Namespace
+
+#### HTTP Request
+
+GET /api/v1/namespaces/{name}
+
+#### Parameters
+-->
+<hr>
+
+### `get` 读取指定的 Namespace
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+
+- **pretty** (*in query*): string
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+401：Unauthorized
+
+<!--
+### `get` read status of the specified Namespace
+
+#### HTTP Request
+
+GET /api/v1/namespaces/{name}/status
+
+#### Parameters
+-->
+### `get` 读取指定 Namespace 的状态
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{name}/status
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+<!--
+- **pretty** (*in query*): string
+-->
+
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+401：Unauthorized
+
+<!--
+### `list` list or watch objects of kind Namespace
+
+#### HTTP Request
+
+GET /api/v1/namespaces
+
+#### Parameters
+-->
+### `list` 列出或者检查类别为 Namespace 的对象
+
+#### HTTP 请求
+
+GET /api/v1/namespaces
+
+#### 参数
+
+<!--
+- **allowWatchBookmarks** (*in query*): boolean
+-->
+- **allowWatchBookmarks** (**查询参数**)：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+<!--
+- **continue** (*in query*): string
+-->
+- **continue** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+-->
+- **fieldSelector** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+<!--
+- **labelSelector** (*in query*): string
+-->
+- **labelSelector** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+-->
+- **limit** (**查询参数**)：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+-->
+- **resourceVersion** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+-->
+- **resourceVersionMatch** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+-->
+- **timeoutSeconds** (**查询参数**)：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+- **watch** (*in query*): boolean
+-->
+- **watch** (**查询参数**)：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#NamespaceList" >}}">NamespaceList</a>)：OK
+
+401：Unauthorized
+
+<!--
+### `create` create a Namespace
+
+#### HTTP Request
+
+POST /api/v1/namespaces
+
+#### Parameters
+-->
+### `create` 创建一个 Namespace
+
+#### HTTP 请求
+
+POST /api/v1/namespaces
+
+#### 参数
+<!--
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>, required
+-->
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*):string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+201 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Created
+
+202 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Accepted
+
+401：Unauthorized
+
+<!--
+### `update` replace the specified Namespace
+
+#### HTTP Request
+
+PUT /api/v1/namespaces/{name}
+
+#### Parameters
+-->
+### `update` 替换指定的 Namespace
+
+#### HTTP 请求
+
+PUT /api/v1/namespaces/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>, required
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>， 必需
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+201 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Created
+
+401：Unauthorized
+
+<!--
+### `update` replace finalize of the specified Namespace
+
+#### HTTP Request
+
+PUT /api/v1/namespaces/{name}/finalize
+
+#### Parameters
+-->
+### `update` 替换指定 Namespace 的终结器
+
+#### HTTP 请求
+
+PUT /api/v1/namespaces/{name}/finalize
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>, required
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+201 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Created
+
+401：Unauthorized
+
+<!--
+### `update` replace status of the specified Namespace
+
+#### HTTP Request
+
+PUT /api/v1/namespaces/{name}/status
+
+#### Parameters
+-->
+### `update` 替换指定 Namespace 的状态
+
+#### HTTP 请求
+
+PUT /api/v1/namespaces/{name}/status
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>, required
+-->
+- **name** (**路径阐述**)：string，必需
+
+  Namespace 的名称
+
+- **body**: <a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>，必需  
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+201 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified Namespace
+
+#### HTTP Request
+
+PATCH /api/v1/namespaces/{name}
+
+#### Parameters
+-->
+### `patch` 部分更新指定的 Namespace
+
+#### HTTP 请求
+
+PATCH /api/v1/namespaces/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+-->
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+  
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **force** (*in query*): boolean
+-->
+- **force** (**查询参数**)：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+201 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update status of the specified Namespace
+
+#### HTTP Request
+
+PATCH /api/v1/namespaces/{name}/status
+
+#### Parameters
+-->
+### `patch` 部分更新指定 Namespace 的状态
+
+#### HTTP 请求
+
+PATCH /api/v1/namespaces/{name}/status
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+-->
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+  
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+-->
+- **fieldManager** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+-->
+- **fieldValidation** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **force** (*in query*): boolean
+-->
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：OK
+
+201 (<a href="{{< ref "../cluster-resources/namespace-v1#Namespace" >}}">Namespace</a>)：Created
+
+401：Unauthorized
+
+<!--
+### `delete` delete a Namespace
+
+#### HTTP Request
+
+DELETE /api/v1/namespaces/{name}
+
+#### Parameters
+-->
+### `delete` 删除一个 Namespace
+
+#### HTTP 请求
+
+DELETE /api/v1/namespaces/{name}
+
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the Namespace
+-->
+- **name** (**路径参数**)：string，必需
+
+  Namespace 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **dryRun** (*in query*): string
+-->
+- **dryRun** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+-->
+- **gracePeriodSeconds** (*查询参数*)：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+<!--
+- **pretty** (*in query*): string
+-->
+- **pretty** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **propagationPolicy** (*in query*): string
+-->
+- **propagationPolicy** (**查询参数**)：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>)：OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>)：Accepted
+
+401：Unauthorized
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/_index.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/_index.md
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/delete-options.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/delete-options.md
similarity index 91%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/delete-options.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/delete-options.md
index a4bd2e0405121..b1790035e3aff 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/delete-options.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/delete-options.md
@@ -4,8 +4,8 @@ api_metadata:
   import: "k8s.io/apimachinery/pkg/apis/meta/v1"
   kind: "DeleteOptions"
 content_type: "api_reference"
-description: "删除 API 对象时可能会提供删除选项。"
-title: "删除选项"
+description: "删除 API 对象时可以提供 DeleteOptions。"
+title: "DeleteOptions"
 weight: 1
 auto_generated: true
 ---
@@ -25,7 +25,7 @@ auto_generated: true
 `import "k8s.io/apimachinery/pkg/apis/meta/v1"`
 
 <!--DeleteOptions may be provided when deleting an API object.-->
-删除 API 对象时可能会提供 DeleteOptions。
+删除 API 对象时可以提供 DeleteOptions。
 
 <hr>
 
@@ -39,7 +39,7 @@ auto_generated: true
 
   `APIVersion` 定义对象表示的版本化模式。
   服务器应将已识别的模式转换为最新的内部值，并可能拒绝无法识别的值。
-  更多信息：https ://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 
 <!--
 - **dryRun** ([]string)
@@ -51,7 +51,7 @@ auto_generated: true
 
   该值如果存在，则表示不应保留修改。
   无效或无法识别的 `dryRun` 指令将导致错误响应并且不会进一步处理请求。有效值为：
-   
+
    - `All`：处理所有试运行阶段（Dry Run Stages）
 
 <!--
@@ -75,7 +75,7 @@ auto_generated: true
 
   `kind` 是一个字符串值，表示此对象代表的 REST 资源。
   服务器可以从客户端提交请求的端点推断出此值。此值无法更新，是驼峰的格式。
-  更多信息：https ://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 。
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 。
 
 <!--
 - **orphanDependents** (boolean)
@@ -105,11 +105,11 @@ auto_generated: true
 
     Specifies the target UID.
 -->
-  
+
 - **preconditions** (Preconditions)
 
   先决条件必须在执行删除之前完成。如果无法满足这些条件，将返回 409（冲突）状态。
-  
+
   <a name="Preconditions"></a>
   *执行操作（更新、删除等）之前必须满足先决条件。*
 
@@ -119,7 +119,7 @@ auto_generated: true
 
   - **preconditions.uid** (string)
 
-    指定目标 UID.
+    指定目标 UID。
 
 <!--
 - **propagationPolicy** (string)
@@ -131,7 +131,7 @@ auto_generated: true
 
   表示是否以及如何执行垃圾收集。可以设置此字段或 `orphanDependents` 字段，但不能同时设置二者。
   默认策略由 `metadata.finalizers` 中现有终结器（Finalizer）集合和特定资源的默认策略决定。
-  可接受的值为： `Orphan` - 令依赖对象成为孤儿对象；`Background` - 允许垃圾收集器在后台删除依赖项；`Foreground` - 一个级联策略，前台删除所有依赖项。
+  可接受的值为：`Orphan` - 令依赖对象成为孤儿对象；`Background` - 允许垃圾收集器在后台删除依赖项；`Foreground` - 一个级联策略，前台删除所有依赖项。
 
 
 
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/label-selector.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/label-selector.md
similarity index 76%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/label-selector.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/label-selector.md
index ffa372d2df5eb..0097baf971bea 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/label-selector.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/label-selector.md
@@ -5,7 +5,7 @@ api_metadata:
   kind: "LabelSelector"
 content_type: "api_reference"
 description: "标签选择器是对一组资源的标签查询。"
-title: "标签选择器"
+title: "LabelSelector"
 weight: 2
 auto_generated: true
 ---
@@ -23,11 +23,14 @@ weight: 2
 
 `import "k8s.io/apimachinery/pkg/apis/meta/v1"`
 
-<!-- A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.-->
+<!-- 
+A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+-->
 
 标签选择器是对一组资源的标签查询。
 
-`matchLabels` 和 `matchExpressions` 的结果按逻辑与的关系组合。一个 `empty` 标签选择器匹配所有对象。一个 `null` 标签选择器不匹配任何对象。
+`matchLabels` 和 `matchExpressions` 的结果按逻辑与的关系组合。
+一个 `empty` 标签选择器匹配所有对象。一个 `null` 标签选择器不匹配任何对象。
 
 <hr>
 
@@ -42,7 +45,7 @@ weight: 2
 
 - **matchExpressions** ([]LabelSelectorRequirement)
   
-   `matchExpressions` 是 `LabelSelectorRequirement` 的列表，这些需求结果按逻辑与的关系来计算。
+   `matchExpressions` 是标签选择器要求的列表，这些要求的结果按逻辑与的关系来计算。
    
    <a name="LabelSelectorRequirement"></a> 
    *标签选择器要求是包含值、键和关联键和值的运算符的选择器。*
@@ -55,9 +58,9 @@ weight: 2
 
   - **matchExpressions.key** (string)， 必填
 
-    *补丁策略: 按照键 `key` 合并*    
+    *补丁策略：按照键 `key` 合并*    
     
-    `key` 是选择器应用的标签键.
+    `key` 是选择器应用的标签键。
   
    <!-- 
        - **matchExpressions.operator** (string), required
@@ -66,7 +69,7 @@ weight: 2
    
   - **matchExpressions.operator** (string)，必填
  
-    operator 表示键与一组值的关系。有效的运算符包括 `In`、`NotIn`、`Exists` 和 `DoesNotExist`。
+    `operator` 表示键与一组值的关系。有效的运算符包括 `In`、`NotIn`、`Exists` 和 `DoesNotExist`。
     
   <!--
   - **matchExpressions.values** ([]string)
@@ -78,9 +81,9 @@ weight: 2
   
     `values` 是一个字符串值数组。如果运算符为 `In` 或 `NotIn`，则 `values` 数组必须为非空。
     
-     如果运算符是 `Exists` 或 `DoesNotExist`，则 `values` 数组必须为空。
-     
-     该数组在战略性补丁（Strategic Merge Patch）期间被替换。
+    如果运算符是 `Exists` 或 `DoesNotExist`，则 `values` 数组必须为空。
+    
+    该数组在策略性合并补丁（Strategic Merge Patch）期间被替换。
   
 <!--
 - **matchLabels** (map[string]string)
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/list-meta.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/list-meta.md
similarity index 89%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/list-meta.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/list-meta.md
index a4779fcd4db64..a196b4f8acf8a 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/list-meta.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/list-meta.md
@@ -71,21 +71,17 @@ ListMeta describes metadata that synthetic resources must have, including lists
 
   标识该对象的服务器内部版本的字符串，客户端可以用该字段来确定对象何时被更改。
   该值对客户端是不透明的，并且应该原样传回给服务器。该值由系统填充，只读。
-  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency。
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency 。
 
 <!--
-- **selfLink** (string)
-
-  selfLink is a URL representing this object. Populated by the system. Read-only.
-  
-  DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.
+  Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
 -->
 
 - **selfLink** (string)
   
   selfLink 表示此对象的 URL，由系统填充，只读。
   
-  已弃用。 Kubernetes 将在 1.20 版本中停止传播该字段，并计划在 1.21 版本中删除该字段。
+  已弃用：selfLink 是一个遗留的只读字段，不再由系统填充。
 
 
 
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/local-object-reference.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/local-object-reference.md
similarity index 91%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/local-object-reference.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/local-object-reference.md
index 198d2bd193f7f..80b46ad9a8f18 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/local-object-reference.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/local-object-reference.md
@@ -39,7 +39,7 @@ LocalObjectReference 包含足够的信息，可以让你在同一命名空间
 - **name** (string)
 
   被引用者的名称。
-  更多信息: https://kubernetes.io/zh/docs/concepts/overview/working-with-objects/names/#names。
+  更多信息: https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/#names。
 
 
 
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
old mode 100755
new mode 100644
similarity index 78%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
index e643330a1bc36..018672655dd8c
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/node-selector-requirement.md
@@ -10,7 +10,6 @@ weight: 5
 auto_generated: true
 ---
 <!--
----
 api_metadata:
   apiVersion: ""
   import: "k8s.io/api/core/v1"
@@ -20,9 +19,21 @@ description: "A node selector requirement is a selector that contains values, a
 title: "NodeSelectorRequirement"
 weight: 5
 auto_generated: true
----
 -->
 
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference content, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+
 `import "k8s.io/api/core/v1"`
 
 
@@ -35,7 +46,7 @@ A node selector requirement is a selector that contains values, a key, and an op
 
 <!--
 - **key** (string), required
-  
+
   The label key that the selector applies to.
 -->
 - **key** (string), 必选
@@ -46,27 +57,11 @@ A node selector requirement is a selector that contains values, a key, and an op
 - **operator** (string), required
 
   Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-
-   Possible enum values:
-   - `"DoesNotExist"`
-   - `"Exists"`
-   - `"Gt"`
-   - `"In"`
-   - `"Lt"`
-   - `"NotIn"` 
 -->
 - **operator** (string), 必选
 
   表示键与一组值的关系的运算符。有效的运算符包括：In、NotIn、Exists、DoesNotExist、Gt 和 Lt。
 
-  可选值:
-   - `"DoesNotExist"`
-   - `"Exists"`
-   - `"Gt"`
-   - `"In"`
-   - `"Lt"`
-   - `"NotIn"`
-
 <!--
 - **values** ([]string)
 
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/object-field-selector.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-field-selector.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/object-field-selector.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-field-selector.md
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/object-meta.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta.md
similarity index 92%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/object-meta.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta.md
index e89bdc9e337ff..1d7cf6c7f47f8 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/object-meta.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta.md
@@ -52,7 +52,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   -->
   name 在命名空间内必须是唯一的。创建资源时需要，尽管某些资源可能允许客户端请求自动地生成适当的名称。
   名称主要用于创建幂等性和配置定义。无法更新。
-  更多信息：http://kubernetes.io/docs/user-guide/identifiers#names
+  更多信息： http://kubernetes.io/docs/user-guide/identifiers#names
 
 
 - **generateName** (string)
@@ -72,7 +72,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   如果指定了此字段并且生成的名称存在，则服务器将不会返回 409 ——相反，它将返回 201 Created 或 500，
   原因是 ServerTimeout 指示在分配的时间内找不到唯一名称，客户端应重试（可选，在 Retry-After 标头中指定的时间之后）。
   
-  仅在未指定 name 时应用。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+  仅在未指定 name 时应用。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
 
 - **namespace** (string)
 
@@ -84,7 +84,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   namespace 定义了一个值空间，其中每个名称必须唯一。空命名空间相当于 “default” 命名空间，但 “default” 是规范表示。
   并非所有对象都需要限定在命名空间中——这些对象的此字段的值将为空。
   
-  必须是 DNS_LABEL。无法更新。更多信息：http://kubernetes.io/docs/user-guide/namespaces
+  必须是 DNS_LABEL。无法更新。更多信息： http://kubernetes.io/docs/user-guide/namespaces
 
 - **labels** (map[string]string)
 
@@ -92,7 +92,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
   -->
   可用于组织和分类（确定范围和选择）对象的字符串键和值的映射。
-  可以匹配 ReplicationControllers 和 Service 的选择器。更多信息：http://kubernetes.io/docs/user-guide/labels
+  可以匹配 ReplicationControllers 和 Service 的选择器。更多信息： http://kubernetes.io/docs/user-guide/labels
 
 - **annotations** (map[string]string)
 
@@ -100,7 +100,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
   -->
   annotations 是一个非结构化的键值映射，存储在资源中，可以由外部工具设置以存储和检索任意元数据。
-  它们不可查询，在修改对象时应保留。更多信息：http://kubernetes.io/docs/user-guide/annotations
+  它们不可查询，在修改对象时应保留。更多信息： http://kubernetes.io/docs/user-guide/annotations
 
 
 <!-- ### System {#System} -->
@@ -251,17 +251,17 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   - **ownerReferences.kind** (string)，<!-- required -->必选
 
     <!-- Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds -->
-    被引用资源的类别。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+    被引用资源的类别。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
   - **ownerReferences.name** (string)，<!-- required -->必选
 
     <!-- Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names -->
-    被引用资源的名称。更多信息：http://kubernetes.io/docs/user-guide/identifiers#names
+    被引用资源的名称。更多信息： http://kubernetes.io/docs/user-guide/identifiers#names
 
   - **ownerReferences.uid** (string)，<!-- required -->必选
 
     <!-- UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids -->
-    被引用资源的 uid。更多信息：http://kubernetes.io/docs/user-guide/identifiers#uids
+    被引用资源的 uid。更多信息： http://kubernetes.io/docs/user-guide/identifiers#uids
 
   - **ownerReferences.blockOwnerDeletion** (boolean)
 
@@ -293,7 +293,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   不能保证在单独的操作中按发生前的顺序设置。
   客户端不得设置此值。它以 RFC3339 形式表示，并采用 UTC。
   
-  由系统填充。只读。列表为空。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  由系统填充。只读。列表为空。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
   <a name="Time"></a>
   <!-- 
@@ -331,7 +331,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   此对象可能在此时间戳之后仍然存在，直到管理员或自动化进程可以确定资源已完全终止。
   如果未设置，则未请求优雅删除该对象。
   
-  请求优雅删除时由系统填充。只读。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  请求优雅删除时由系统填充。只读。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 
   <a name="Time"></a>
   <!-- 
@@ -360,7 +360,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   它们可能仅对特定资源或一组资源有效。
   
   由系统填充。只读。客户端必须将值视为不透明。
-  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
 
 - **selfLink** (string)
 
@@ -382,7 +382,7 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
   -->
   UID 是该对象在时间和空间上的唯一值。它通常由服务器在成功创建资源时生成，并且不允许使用 PUT 操作更改。
   
-  由系统填充。只读。更多信息：http://kubernetes.io/docs/user-guide/identifiers#uids
+  由系统填充。只读。更多信息： http://kubernetes.io/docs/user-guide/identifiers#uids
 
 <!-- ### Ignored {#Ignored} -->
 ### 忽略字段 {#Ignored}
@@ -391,10 +391,11 @@ ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户
 - **clusterName** (string)
 
   <!-- 
-  The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
+  Deprecated: ClusterName is a legacy field that was always cleared by the system and never used; it will be removed completely in 1.25.
+  The name in the go struct is changed to help clients detect accidental use.
   -->
-  对象所属的集群的名称。这用于区分不同集群中具有相同名称和命名空间的资源。
-  该字段现在没有在任何地方设置，如果在创建或更新请求中设置，apiserver 将忽略它。
+  已弃用：clusterName 是一个总是被系统清除并且从未使用过的遗留字段；它将在 1.25 中完全删除。
+  go 结构体中的对应字段名称已更改，以帮助客户端检测意外使用。
 
 
 
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/object-reference.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-reference.md
similarity index 80%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/object-reference.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-reference.md
index 2655586d21087..03280ccedaeba 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/object-reference.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/object-reference.md
@@ -84,28 +84,28 @@ ObjectReference包含足够的信息，允许你检查或修改引用的对象
 - **fieldPath** (string)
 
   如果引用的是对象的某个对象是整个对象，则该字符串而不是应包含的 JSON/Go 字段有效访问语句，
-  例如`desiredState.manifest.containers[ 2 ]`。例如，如果对象引用针对的是 Pod 中的一个容器，
-  此字段取值类似于：`spec.containers{name}`（`name`指触发的容器的名称），
-  或者如果没有指定容器名称，`spec.containers[ 2 ]`（此Pod中索引为2的容器）。
+  例如 `desiredState.manifest.containers[ 2 ]`。例如，如果对象引用针对的是 Pod 中的一个容器，
+  此字段取值类似于：`spec.containers{name}`（`name` 指触发的容器的名称），
+  或者如果没有指定容器名称，`spec.containers[ 2 ]`（此 Pod 中索引为 2 的容器）。
   选择这种只是为了有一些定义好的语法来引用对象的部分。
 
 - **kind** (string)
 
-  被引用者的类别（kind）。 更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md #types-kinds
+  被引用者的类别（kind）。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
 - **name** (string)
 
-  被引用对象的名称。更多信息：https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+  被引用对象的名称。更多信息： https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 
 - **namespace** (string)
 
-  被引用对象的名字空间。更多信息：https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+  被引用对象的名字空间。更多信息： https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
 
 - **resourceVersion** (string)
 
-  被引用对象的特定资源版本（如果有）。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+  被引用对象的特定资源版本（如果有）。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
 
 - **uid** (string)
 
-  被引用对象的UID。更多信息：https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+  被引用对象的UID。更多信息： https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
 
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/patch.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/patch.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/patch.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/patch.md
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/quantity.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity.md
similarity index 97%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/quantity.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity.md
index 84ce0dd899511..82d129c4ad72f 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/quantity.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity.md
@@ -68,7 +68,7 @@ The serialization format is:
 -->
 ```
 <quantity>        ::= <signedNumber><suffix>
-  (注意 <suffix> 可能为空, 例如 <decimalSI> 的 "" 情形。) </br>
+  (注意 <suffix> 可能为空，例如 <decimalSI> 的 "" 情形。) </br>
 <digit>           ::= 0 | 1 | ... | 9 </br>
 <digits>          ::= <digit> | <digit><digits> </br>
 <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> </br>
@@ -76,7 +76,7 @@ The serialization format is:
 <signedNumber>    ::= <number> | <sign><number> </br>
 <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> </br>
 <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei 
-  (国际单位制度；查阅：http://physics.nist.gov/cuu/Units/binary.html) </br>
+  (国际单位制度；查阅： http://physics.nist.gov/cuu/Units/binary.html)</br>
 <decimalSI>       ::= m | "" | k | M | G | T | P | E 
   (注意，1024 = 1ki 但 1000 = 1k；我没有选择大写。) </br>
 <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber> </br>
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/resource-field-selector.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/resource-field-selector.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/resource-field-selector.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/resource-field-selector.md
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/status.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md
similarity index 91%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/status.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md
index 54e8033160533..0d3a6de1b6f6f 100644
--- a/content/zh/docs/reference/kubernetes-api/common-definitions/status.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/status.md
@@ -10,7 +10,7 @@ weight: 12
 auto_generated: true
 ---
 
-<!-- 
+<!--
 api_metadata:
   apiVersion: ""
   import: "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -45,13 +45,13 @@ guide. You can file document formatting bugs against the
 
 - **apiVersion** (string)
 
-  <!-- 
+  <!--
   APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 
   -->
 
   APIVersion 定义对象表示的版本化模式。
   服务器应将已识别的模式转换为最新的内部值，并可能拒绝无法识别的值。
-  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 
 - **code** (int32)
 
@@ -60,7 +60,7 @@ guide. You can file document formatting bugs against the
 
 - **details** (StatusDetails)
 
-  <!--  
+  <!--
   Extended data associated with the reason.  Each reason may define its own extended details. 
   This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.
   -->
@@ -68,7 +68,7 @@ guide. You can file document formatting bugs against the
   此字段是可选的，并且不保证返回的数据符合任何模式，除非由原因类型定义。
 
   <a name="StatusDetails"></a>
-  <!-- 
+  <!--
   *StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. 
   The Reason field of a Status object defines what attributes will be set. 
   Clients must ignore fields that do not match the defined type of each attribute, 
@@ -80,7 +80,7 @@ guide. You can file document formatting bugs against the
 
   - **details.causes** ([]StatusCause)
 
-    <!-- 
+    <!--
     The Causes array includes more details associated with the StatusReason failure. 
     Not all StatusReasons may provide detailed causes. 
     -->
@@ -88,14 +88,14 @@ guide. You can file document formatting bugs against the
     并非所有 StatusReasons 都可以提供详细的原因。
 
     <a name="StatusCause"></a>
-    <!-- 
+    <!--
     *StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.*
     -->
     *StatusCause 提供有关 api.Status 失败的更多信息，包括遇到多个错误的情况。*
 
     - **details.causes.field** (string)
 
-      <!-- 
+      <!--
       The field of the resource that has caused this error, as named by its JSON serialization. 
       May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  
       Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.
@@ -104,7 +104,7 @@ guide. You can file document formatting bugs against the
       可能包括嵌套属性的点和后缀表示法。数组是从零开始索引的。
       由于字段有多个错误，字段可能会在一系列原因中出现多次。可选。
 
-      <!-- 
+      <!--
       Examples:
         "name" - the field "name" on the current resource
         "items[0].name" - the field "name" on the first array entry in "items"
@@ -130,14 +130,14 @@ guide. You can file document formatting bugs against the
 
   - **details.kind** (string)
 
-    <!-- 
+    <!--
     The kind attribute of the resource associated with the status StatusReason. 
     On some operations may differ from the requested resource Kind. 
     More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
     -->
     与状态 StatusReason 关联的资源的种类属性。
     在某些操作上可能与请求的资源种类不同。
-    更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+    更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
   - **details.name** (string)
 
@@ -146,7 +146,7 @@ guide. You can file document formatting bugs against the
 
   - **details.retryAfterSeconds** (int32)
 
-    <!-- 
+    <!--
     If specified, the time in seconds before the operation should be retried. 
     Some errors may indicate the client must take an alternate action - 
     for those errors this field may indicate how long to wait before taking the alternate action.
@@ -156,16 +156,16 @@ guide. You can file document formatting bugs against the
 
   - **details.uid** (string)
 
-    <!-- 
+    <!--
     UID of the resource. (when there is a single resource which can be described). 
     More info: http://kubernetes.io/docs/user-guide/identifiers#uids 
     -->
     资源的 UID（当有单个可以描述的资源时）。
-    更多信息：http://kubernetes.io/docs/user-guide/identifiers#uids
+    更多信息： http://kubernetes.io/docs/user-guide/identifiers#uids
 
 - **kind** (string)
 
-  <!-- 
+  <!--
    Kind is a string value representing the REST resource this object represents. 
    Servers may infer this from the endpoint the client submits requests to. 
    Cannot be updated. In CamelCase.
@@ -174,7 +174,7 @@ guide. You can file document formatting bugs against the
   Kind 是一个字符串值，表示此对象表示的 REST 资源。
   服务器可以从客户端提交请求的端点推断出这一点。
   无法更新。驼峰式规则。
-  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
 - **message** (string)
 
@@ -185,12 +185,12 @@ guide. You can file document formatting bugs against the
 
   <!-- Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds -->
   标准列表元数据。
-  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 
 
 - **reason** (string)
 
-  <!-- 
+  <!--
   A machine-readable description of why this operation is in the "Failure" status. 
   If this value is empty there is no information available. 
   A Reason clarifies an HTTP status code but does not override it.
@@ -201,8 +201,8 @@ guide. You can file document formatting bugs against the
 
 - **status** (string)
 
-  <!-- 
+  <!--
   Status of the operation. One of: "Success" or "Failure". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
   -->
-  操作状态。“Success”或“Failure” 之一。 
-  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+  操作状态。“Success”或“Failure” 之一。
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
diff --git a/content/zh/docs/reference/kubernetes-api/common-definitions/typed-local-object-reference.md b/content/zh-cn/docs/reference/kubernetes-api/common-definitions/typed-local-object-reference.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/common-definitions/typed-local-object-reference.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-definitions/typed-local-object-reference.md
diff --git a/content/zh/docs/reference/kubernetes-api/common-parameters/common-parameters.md b/content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md
similarity index 84%
rename from content/zh/docs/reference/kubernetes-api/common-parameters/common-parameters.md
rename to content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md
index c93149c288a2d..f53524eb9d3fa 100644
--- a/content/zh/docs/reference/kubernetes-api/common-parameters/common-parameters.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md
@@ -86,6 +86,32 @@ A selector to restrict the list of returned objects by their fields. Defaults to
 根据返回对象的字段限制返回对象列表的选择器。默认为返回所有字段。
 <hr>
 
+## fieldValidation {#fieldValidation}
+
+<!--
+fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled.
+-->
+fieldValidation 指示服务器如何处理请求（POST/PUT/PATCH）中包含未知或重复字段的对象，
+前提是 `ServerSideFieldValidation` 特性门控也已启用。
+<!--
+Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled.
+-->
+有效值为：
+- Ignore：这将忽略从对象中默默删除的所有未知字段，并将忽略除解码器遇到的最后一个重复字段之外的所有字段。
+  这是在 v1.23 之前的默认行为，也是当 `ServerSideFieldValidation` 特性门控被禁用时的默认行为。
+<!--
+- Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled.
+-->
+- Warn：这将针对从对象中删除的各个未知字段以及所遇到的各个重复字段，分别通过标准警告响应头发出警告。
+  如果没有其他错误，请求仍然会成功，并且只会保留所有重复字段中的最后一个。
+  这是启用 `ServerSideFieldValidation` 特性门控时的默认值。
+<!--
+- Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
+-->
+- Strict：如果从对象中删除任何未知字段，或者存在任何重复字段，将使请求失败并返回 BadRequest 错误。
+
+<hr>
+
 ## force {#force}
 <!--
 Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.
diff --git a/content/zh/docs/reference/kubernetes-api/config-and-storage-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/config-and-storage-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/_index.md
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md
new file mode 100644
index 0000000000000..30a998ce968c6
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1.md
@@ -0,0 +1,649 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "ConfigMap"
+content_type: "api_reference"
+description: "ConfigMap 包含供 Pod 使用的配置数据。"
+title: "ConfigMap"
+weight: 1
+---
+<!--
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "ConfigMap"
+content_type: "api_reference"
+description: "ConfigMap holds configuration data for pods to consume."
+title: "ConfigMap"
+weight: 1
+-->
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+## ConfigMap {#ConfigMap}
+
+<!--
+ConfigMap holds configuration data for pods to consume.
+-->
+ConfigMap 包含供 Pod 使用的配置数据。
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: ConfigMap
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  
+  标准的对象元数据。
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **binaryData** (map[string][]byte)
+
+  BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.
+-->
+- **binaryData** (map[string][]byte)
+  
+  binaryData 包含二进制数据。
+  每个键必须由字母、数字、“-”、“_” 或 “.” 组成。
+  binaryData 可以包含不在 UTF-8 范围中的字节序列。
+  binaryData 中存储的键不得与 data 字段中的键重叠，这在验证过程中是强制要求。
+  使用此字段需要 apiserver 和 kubelet 的版本高于 1.10。
+
+<!--
+- **data** (map[string]string)
+
+  Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.
+
+- **immutable** (boolean)
+
+  Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
+-->
+- **data** (map[string]string)
+  
+  data 包含配置数据。
+  每个键必须由字母、数字、“-”、“_” 或 “.” 组成。
+  如果值包含非 UTF-8 字节序列，则必须使用 binaryData 字段。
+  data 中存储的键不得与 binaryData 字段中的键重叠，这在验证过程中是强制要求。
+
+- **immutable** (boolean)
+  
+  如果 immutable 设为 true，
+  则确保不会更新 ConfigMap 中存储的数据（只能修改对象元数据）。
+  如果未设为 true，则可以随时修改此字段。
+  默认为 nil。
+
+## ConfigMapList {#ConfigMapList}
+
+<!--
+ConfigMapList is a resource containing a list of ConfigMap objects.
+-->
+ConfigMapList 是包含 ConfigMap 对象列表的资源。
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: ConfigMapList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>), required
+  Items is the list of ConfigMaps.
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>)，必需
+  
+  items 是 ConfigMap 的列表。
+
+<!--
+## Operations {#Operations}
+<hr>
+### `get` read the specified ConfigMap
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 ConfigMap
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/configmaps/{name}
+
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+  name of the ConfigMap
+
+- **namespace** (*in path*): string, required
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ConfigMap 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind ConfigMap
+
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 ConfigMap 的对象
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/configmaps
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMapList" >}}">ConfigMapList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind ConfigMap
+
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 ConfigMap 的对象
+
+#### HTTP 请求
+
+GET /api/v1/configmaps
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMapList" >}}">ConfigMapList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a ConfigMap
+
+#### HTTP Request
+-->
+### `create` 创建 ConfigMap
+
+#### HTTP 请求
+
+POST /api/v1/namespaces/{namespace}/configmaps
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified ConfigMap
+
+#### HTTP Request
+-->
+### `update` 替换指定的 ConfigMap
+
+#### HTTP 请求
+
+PUT /api/v1/namespaces/{namespace}/configmaps/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ConfigMap
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ConfigMap 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified ConfigMap
+
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 ConfigMap
+
+#### HTTP 请求
+
+PATCH /api/v1/namespaces/{namespace}/configmaps/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ConfigMap
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ConfigMap 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/config-map-v1#ConfigMap" >}}">ConfigMap</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a ConfigMap
+
+#### HTTP Request
+-->
+### `delete` 删除 ConfigMap
+
+#### HTTP 请求
+
+DELETE /api/v1/namespaces/{namespace}/configmaps/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the ConfigMap
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  ConfigMap 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of ConfigMap
+
+#### HTTP Request
+-->
+### `deletecollection` 删除 ConfigMap 的集合
+
+#### HTTP 请求
+
+DELETE /api/v1/namespaces/{namespace}/configmaps
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
new file mode 100644
index 0000000000000..29011ebe89de5
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1.md
@@ -0,0 +1,718 @@
+---
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "CSIDriver"
+content_type: "api_reference"
+description: "CSIDriver 抓取集群上部署的容器存储接口（CSI）卷驱动有关的信息。"
+title: "CSIDriver"
+weight: 8
+---
+<!--
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "CSIDriver"
+content_type: "api_reference"
+description: "CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster."
+title: "CSIDriver"
+weight: 8
+-->
+
+`apiVersion: storage.k8s.io/v1`
+
+`import "k8s.io/api/storage/v1"`
+
+## CSIDriver {#CSIDriver}
+
+<!--
+CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.
+-->
+CSIDriver 抓取集群上部署的容器存储接口（CSI）卷驱动有关的信息。
+Kubernetes 挂接/解除挂接控制器使用此对象来决定是否需要挂接。
+Kubelet 使用此对象决定挂载时是否需要传递 Pod 信息。
+CSIDriver 对象未划分命名空间。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: CSIDriver
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriverSpec" >}}">CSIDriverSpec</a>), required
+  Specification of the CSI Driver.
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  
+  标准的对象元数据。
+  `metadata.name` 表示此对象引用的 CSI 驱动的名称；
+  它必须与该驱动的 CSI GetPluginName() 调用返回的名称相同。
+  驱动名称不得超过 63 个字符，以字母、数字（[a-z0-9A-Z]）开头和结尾，
+  中间可包含短划线（-）、英文句点（.）、字母和数字。
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriverSpec" >}}">CSIDriverSpec</a>)，必需
+  
+  CSI 驱动的规约。
+
+## CSIDriverSpec {#CSIDriverSpec}
+
+<!--
+CSIDriverSpec is the specification of a CSIDriver.
+-->
+CSIDriverSpec 是 CSIDriver 的规约。
+
+<hr>
+
+<!--
+- **attachRequired** (boolean)
+  attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.
+  
+  This field is immutable.
+-->
+- **attachRequired** (boolean)
+  
+  attachRequired 表示这个 CSI 卷驱动需要挂接操作
+  （因为它实现了 CSI ControllerPublishVolume() 方法），
+  Kubernetes 挂接/解除挂接控制器应调用挂接卷接口，
+  以检查卷挂接（volumeattachment）状态并在继续挂载之前等待卷被挂接。
+  CSI 外部挂接器与 CSI 卷驱动配合使用，并在挂接操作完成时更新 volumeattachment 状态。
+  如果 CSIDriverRegistry 特性门控被启用且此值指定为 false，将跳过挂接操作。
+  否则将调用挂接操作。
+  
+  此字段不可变更。
+
+<!--
+- **fsGroupPolicy** (string)
+  Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.
+  
+  This field is immutable.
+  
+  Defaults to ReadWriteOnceWithFSType, which will examine each volume to determine if Kubernetes should modify ownership and permissions of the volume. With the default policy the defined fsGroup will only be applied if a fstype is defined and the volume's access mode contains ReadWriteOnce.
+-->
+- **fsGroupPolicy** (string)
+  
+  定义底层卷是否支持在挂载之前更改卷的所有权和权限。
+  有关更多详细信息，请参考特定的 FSGroupPolicy 值。
+  
+  此字段不可变更。
+  
+  默认为 ReadWriteOnceWithFSType，这会检查每个卷，以决定 Kubernetes 是否应修改卷的所有权和权限。
+  采用默认策略时，如果定义了 fstype 且卷的访问模式包含 ReadWriteOnce，将仅应用定义的 fsGroup。
+
+<!--
+- **podInfoOnMount** (boolean)
+  If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. "csi.storage.k8s.io/pod.name": pod.Name "csi.storage.k8s.io/pod.namespace": pod.Namespace "csi.storage.k8s.io/pod.uid": string(pod.UID) "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume defined by a CSIVolumeSource, otherwise "false"
+  
+  "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.
+  
+  This field is immutable.
+-->
+- **podInfoOnMount** (boolean)
+  
+  如果设为 true，则 podInfoOnMount 表示在挂载操作期间这个 CSI 卷需要更多的 Pod 信息（例如 podName 和 podUID 等）。
+  如果设为 false，则挂载时将不传递 Pod 信息。
+  默认为 false。
+  CSI 驱动将 podInfoOnMount 指定为驱动部署的一部分。
+  如果为 true，Kubelet 将在 CSI NodePublishVolume() 调用中作为 VolumeContext 传递 Pod 信息。
+  CSI 驱动负责解析和校验作为 VolumeContext 传递进来的信息。
+  如果 podInfoOnMount 设为 true，将传递以下 VolumeConext。
+  此列表可能变大，但将使用前缀。
+  - "csi.storage.k8s.io/pod.name": pod.name
+  - "csi.storage.k8s.io/pod.namespace": pod.namespace
+  - "csi.storage.k8s.io/pod.uid": string(pod.UID)
+  - "csi.storage.k8s.io/ephemeral":
+    如果此卷是 CSIVolumeSource 定义的一个临时内联卷，则为 “true”，否则为 “false”
+  
+  “csi.storage.k8s.io/ephemeral” 是 Kubernetes 1.16 中一个新的功能特性。
+  只有同时支持 “Persistent” 和 “Ephemeral” VolumeLifecycleMode 的驱动，此字段才是必需的。
+  其他驱动可以保持禁用 Pod 信息或忽略此字段。
+  由于 Kubernetes 1.15 不支持此字段，所以在这类集群上部署驱动时，只能支持一种模式。
+  该部署就决定了是哪种模式，例如通过驱动的命令行参数。
+  
+  此字段不可变更。
+
+<!--
+- **requiresRepublish** (boolean)
+  RequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.
+  
+  Note: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.
+-->
+- **requiresRepublish** (boolean)
+  
+  requiresRepublish 表示 CSI 驱动想要 `NodePublishVolume` 被周期性地调用，
+  以反映已挂载卷中的任何可能的变化。
+  此字段默认为 false。
+  
+  注：成功完成对 NodePublishVolume 的初始调用后，对 NodePublishVolume 的后续调用只应更新卷的内容。
+  新的挂载点将不会被运行的容器察觉。
+
+<!--
+- **storageCapacity** (boolean)
+  If set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.
+  
+  The check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.
+  
+  Alternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.
+  
+  This field was immutable in Kubernetes \<= 1.22 and now is mutable.
+-->
+- **storageCapacity** (boolean)
+  
+  如果设为 true，则 storageCapacity 表示 CSI 卷驱动希望 Pod 调度时考虑存储容量，
+  驱动部署将通过创建包含容量信息的 CSIStorageCapacity 对象来报告该存储容量。
+  
+  部署驱动时可以立即启用这个检查。
+  这种情况下，只有此驱动部署已发布某些合适的 CSIStorageCapacity 对象，
+  才会继续制备新的卷，然后进行绑定。
+  
+  换言之，可以在未设置此字段或此字段为 false 的情况下部署驱动，
+  并且可以在发布存储容量信息后再修改此字段。
+  
+  此字段在 Kubernetes 1.22 及更早版本中不可变更，但现在可以变更。
+
+<!--
+- **tokenRequests** ([]TokenRequest)
+  *Atomic: will be replaced during a merge*
+  
+  TokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: "csi.storage.k8s.io/
+  
+  Note: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.
+  <a name="TokenRequest"></a>
+  *TokenRequest contains parameters of a service account token.*
+-->
+- **tokenRequests** ([]TokenRequest)
+  
+  **原子性：将在合并期间被替换**
+  
+  tokenRequests 表示 CSI 驱动需要供挂载卷所用的 Pod 的服务帐户令牌，进行必要的鉴权。
+  Kubelet 将在 CSI NodePublishVolume 调用中传递 VolumeContext 中的令牌。
+  CSI 驱动应解析和校验以下 VolumeContext：
+
+  ```
+  "csi.storage.k8s.io/serviceAccount.tokens": {
+    "<audience>": {
+      "token": <token>,
+      "expirationTimestamp": <expiration timestamp in RFC3339>,
+    },
+    ...
+  }
+  ```
+
+  注：每个 tokenRequest 中的受众应该不同，且最多有一个令牌是空字符串。
+  要在令牌过期后接收一个新的令牌，requiresRepublish 可用于周期性地触发 NodePublishVolume。
+  
+  <a name="TokenRequest"></a>
+  **tokenRequest 包含一个服务帐户令牌的参数。**
+
+<!--
+  - **tokenRequests.audience** (string), required
+
+    Audience is the intended audience of the token in "TokenRequestSpec". It will default to the audiences of kube apiserver.
+
+  - **tokenRequests.expirationSeconds** (int64)
+
+    ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec". It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
+-->  
+  - **tokenRequests.audience** (string)，必需
+    
+    audience 是 “TokenRequestSpec” 中令牌的目标受众。
+    它默认为 kube apiserver 的受众。
+  
+  - **tokenRequests.expirationSeconds** (int64)
+    
+    expirationSeconds 是 “TokenRequestSpec” 中令牌的有效期。
+    它具有与 “TokenRequestSpec” 中 “expirationSeconds” 相同的默认值。
+
+<!--
+- **volumeLifecycleModes** ([]string)
+
+  *Set: unique values will be kept during a merge*
+  
+  volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.
+  
+  This field is immutable.
+-->
+- **volumeLifecycleModes** ([]string)
+  
+  **集合：唯一值将在合并期间被保留**
+  
+  volumeLifecycleModes 定义这个 CSI 卷驱动支持哪种类别的卷。
+  如果列表为空，则默认值为 “Persistent”，这是 CSI 规范定义的用法，
+  并通过常用的 PV/PVC 机制在 Kubernetes 中实现。
+  另一种模式是 “Ephemeral”。
+  在这种模式下，在 Pod 规约中用 CSIVolumeSource 以内联方式定义卷，其生命周期与该 Pod 的生命周期相关联。
+  驱动必须感知到这一点，因为只有针对这种卷才会接收到 NodePublishVolume 调用。
+  有关实现此模式的更多信息，请参阅
+  https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html。
+  驱动可以支持其中一种或多种模式，将来可能会添加更多模式。
+  此字段处于 beta 阶段。
+  
+  此字段不可变更。
+
+## CSIDriverList {#CSIDriverList}
+
+<!--
+CSIDriverList is a collection of CSIDriver objects.
+-->
+CSIDriverList 是 CSIDriver 对象的集合。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: CSIDriverList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>), required
+
+  items is the list of CSIDriver
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  
+  标准的列表元数据。
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>)，必需
+  
+  items 是 CSIDriver 的列表。
+
+<!--
+## Operations {#Operations}
+
+<hr>
+
+### `get` read the specified CSIDriver
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 CSIDriver
+
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/csidrivers/{name}
+
+<!--
+#### Parameters
+
+- **name** (*in path*): string, required
+
+  name of the CSIDriver
+
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIDriver 的名称
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind CSIDriver
+
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 CSIDriver 的对象
+
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/csidrivers
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriverList" >}}">CSIDriverList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a CSIDriver
+
+#### HTTP Request
+-->
+### `create` 创建 CSIDriver
+
+#### HTTP 请求
+
+POST /apis/storage.k8s.io/v1/csidrivers
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified CSIDriver
+
+#### HTTP Request
+-->
+### `update` 替换指定的 CSIDriver
+
+#### HTTP 请求
+
+PUT /apis/storage.k8s.io/v1/csidrivers/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIDriver
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIDriver 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified CSIDriver
+
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 CSIDriver
+
+#### HTTP 请求
+
+PATCH /apis/storage.k8s.io/v1/csidrivers/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIDriver
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIDriver 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a CSIDriver
+
+#### HTTP Request
+-->
+### `delete` 删除 CSIDriver
+
+#### HTTP 请求
+
+DELETE /apis/storage.k8s.io/v1/csidrivers/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIDriver
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIDriver 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): OK
+
+202 (<a href="{{< ref "../config-and-storage-resources/csi-driver-v1#CSIDriver" >}}">CSIDriver</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of CSIDriver
+
+#### HTTP Request
+-->
+### `deletecollection` 删除 CSIDriver 的集合
+
+#### HTTP 请求
+
+DELETE /apis/storage.k8s.io/v1/csidrivers
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md
new file mode 100644
index 0000000000000..a05152e1c5078
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1.md
@@ -0,0 +1,566 @@
+---
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "CSINode"
+content_type: "api_reference"
+description: "CSINode 包含节点上安装的所有 CSI 驱动有关的信息。"
+title: "CSINode"
+weight: 9
+---
+<!--
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "CSINode"
+content_type: "api_reference"
+description: "CSINode holds information about all CSI drivers installed on a node."
+title: "CSINode"
+weight: 9
+-->
+
+`apiVersion: storage.k8s.io/v1`
+
+`import "k8s.io/api/storage/v1"`
+
+## CSINode {#CSINode}
+<!--
+CSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object.
+-->
+CSINode 包含节点上安装的所有 CSI 驱动有关的信息。CSI 驱动不需要直接创建 CSINode 对象。
+只要这些驱动使用 node-driver-registrar 边车容器，kubelet 就会自动为 CSI 驱动填充 CSINode 对象，
+作为 kubelet 插件注册操作的一部分。CSINode 的名称与节点名称相同。
+如果不存在此对象，则说明该节点上没有可用的 CSI 驱动或 Kubelet 版本太低无法创建该对象。
+CSINode 包含指向相应节点对象的 OwnerReference。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: CSINode
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  metadata.name must be the Kubernetes node name.
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINodeSpec" >}}">CSINodeSpec</a>), required
+  spec is the specification of CSINode
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  metadata.name 必须是 Kubernetes 节点的名称。
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINodeSpec" >}}">CSINodeSpec</a>)，必需
+
+  spec 是 CSINode 的规约。
+
+## CSINodeSpec {#CSINodeSpec}
+<!--
+CSINodeSpec holds information about the specification of all CSI drivers installed on a node
+-->
+CSINodeSpec 包含一个节点上安装的所有 CSI 驱动规约有关的信息。
+
+<hr>
+
+<!--
+- **drivers** ([]CSINodeDriver), required
+
+  *Patch strategy: merge on key `name`*
+  
+  drivers is a list of information of all CSI Drivers existing on a node. If all drivers in the list are uninstalled, this can become empty.
+
+  <a name="CSINodeDriver"></a>
+  *CSINodeDriver holds information about the specification of one CSI driver installed on a node*
+
+  - **drivers.name** (string), required
+
+    This is the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.
+-->
+- **drivers** ([]CSINodeDriver)，必需
+
+  **补丁策略：按照键 `name` 合并**
+  
+  drivers 是节点上存在的所有 CSI 驱动的信息列表。如果列表中的所有驱动均被卸载，则此字段可以为空。
+  
+  <a name="CSINodeDriver"></a>
+  **CSINodeDriver 包含一个节点上安装的一个 CSI 驱动规约有关的信息。**
+  
+  - **drivers.name** (string)，必需
+
+    这是该对象引用的 CSI 驱动的名称。此字段值必须是针对该驱动由 CSI GetPluginName() 调用返回的相同名称。
+
+<!--
+  - **drivers.nodeID** (string), required
+    nodeID of the node from the driver point of view. This field enables Kubernetes to communicate with storage systems that do not share the same nomenclature for nodes. For example, Kubernetes may refer to a given node as "node1", but the storage system may refer to the same node as "nodeA". When Kubernetes issues a command to the storage system to attach a volume to a specific node, it can use this field to refer to the node name using the ID that the storage system will understand, e.g. "nodeA" instead of "node1". This field is required.
+-->  
+  - **drivers.nodeID** (string)，必需
+
+    从驱动角度来看，这是节点的 nodeID。
+    对于未与节点共享相同命名法的存储系统，此字段使得 Kubernetes 能够与之进行通信。
+    例如，Kubernetes 可能将给定节点视为 "node1"，但存储系统可以将同一节点视为 "nodeA"。
+    当 Kubernetes 向存储系统发出一条命令将一个卷挂接到特定的节点时，
+    它可以藉此字段使用存储系统所理解的 ID 引用节点名称，例如使用 “nodeA” 而不是 “node1”。
+    此字段是必需的。
+
+<!--
+  - **drivers.allocatable** (VolumeNodeResources)
+    allocatable represents the volume resources of a node that are available for scheduling. This field is beta.
+
+    <a name="VolumeNodeResources"></a>
+    *VolumeNodeResources is a set of resource limits for scheduling of volumes.*
+
+    - **drivers.allocatable.count** (int32)
+      Maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.
+-->  
+  - **drivers.allocatable** (VolumeNodeResources)
+
+    allocatable 表示一个节点上可供调度的卷资源。此字段处于 beta 阶段。
+    
+    <a name="VolumeNodeResources"></a>
+    **VolumeNodeResources 是调度卷时所用的一组资源限制。**
+    
+    - **drivers.allocatable.count** (int32)
+
+      这是一个节点上可使用的、由 CSI 驱动管理的独立卷个数的上限。
+      挂接并挂载到一个节点上的卷被视为被使用一次，不是两次。
+      相同的规则适用于同一个节点上多个 Pod 之间共享的同一个卷。
+      如果未指定此字段，则该节点上支持的卷数量是无限的。
+
+<!--
+  - **drivers.topologyKeys** ([]string)
+
+    topologyKeys is the list of keys supported by the driver. When a driver is initialized on a cluster, it provides a set of topology keys that it understands (e.g. "company.com/zone", "company.com/region"). When a driver is initialized on a node, it provides the same topology keys along with values. Kubelet will expose these topology keys as labels on its own node object. When Kubernetes does topology aware provisioning, it can use this list to determine which labels it should retrieve from the node object and pass back to the driver. It is possible for different nodes to use different topology keys. This can be empty if driver does not support topology.
+-->  
+  - **drivers.topologyKeys** ([]string)
+
+    topologyKeys 是驱动支持的键的列表。
+    在集群上初始化一个驱动时，该驱动将提供一组自己理解的拓扑键
+    （例如 “company.com/zone”、“company.com/region”）。
+    在一个节点上初始化一个驱动时，该驱动将提供相同的拓扑键和值。
+    Kubelet 将在其自己的节点对象上将这些拓扑键暴露为标签。
+    当 Kubernetes 进行拓扑感知的制备时，可以使用此列表决定应从节点对象中检索哪些标签并传回驱动。
+    不同的节点可以使用不同的拓扑键。
+    如果驱动不支持拓扑，则此字段可以为空。
+
+## CSINodeList {#CSINodeList}
+<!--
+CSINodeList is a collection of CSINode objects.
+-->
+CSINodeList 是 CSINode 对象的集合。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: CSINodeList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>), required
+  items is the list of CSINode
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  标准的列表元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>)，必需
+
+  items 是 CSINode 的列表。
+
+<!--
+## Operations {#Operations}
+<hr>
+### `get` read the specified CSINode
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 CSINode
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/csinodes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSINode
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  CSINode 的名称
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind CSINode
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 CSINode 的对象
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/csinodes
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINodeList" >}}">CSINodeList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a CSINode
+#### HTTP Request
+-->
+### `create` 创建 CSINode
+#### HTTP 请求
+
+POST /apis/storage.k8s.io/v1/csinodes
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified CSINode
+#### HTTP Request
+-->
+### `update` 替换指定的 CSINode
+#### HTTP 请求
+
+PUT /apis/storage.k8s.io/v1/csinodes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSINode
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  CSINode 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified CSINode
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 CSINode
+#### HTTP 请求
+
+PATCH /apis/storage.k8s.io/v1/csinodes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSINode
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  CSINode 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a CSINode
+#### HTTP Request
+-->
+### `delete` 删除 CSINode
+#### HTTP 请求
+DELETE /apis/storage.k8s.io/v1/csinodes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSINode
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  CSINode 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): OK
+
+202 (<a href="{{< ref "../config-and-storage-resources/csi-node-v1#CSINode" >}}">CSINode</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of CSINode
+#### HTTP Request
+-->
+### `deletecollection` 删除 CSINode 的集合
+#### HTTP 请求
+DELETE /apis/storage.k8s.io/v1/csinodes
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
\ No newline at end of file
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md
new file mode 100644
index 0000000000000..37fb580127a9c
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1.md
@@ -0,0 +1,685 @@
+---
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "CSIStorageCapacity"
+content_type: "api_reference"
+description: "CSIStorageCapacity 存储一个 CSI GetCapacity 调用的结果。"
+title: "CSIStorageCapacity"
+weight: 10
+---
+<!--
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "CSIStorageCapacity"
+content_type: "api_reference"
+description: "CSIStorageCapacity stores the result of one CSI GetCapacity call."
+title: "CSIStorageCapacity"
+weight: 10
+-->
+
+`apiVersion: storage.k8s.io/v1`
+
+`import "k8s.io/api/storage/v1"`
+
+## CSIStorageCapacity {#CSIStorageCapacity}
+
+<!--
+CSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment.  This can be used when considering where to instantiate new PersistentVolumes.
+For example this can express things like: - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
+The following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero
+-->
+CSIStorageCapacity 存储一个 CSI GetCapacity 调用的结果。
+对于给定的 StorageClass，此结构描述了特定拓扑段中可用的容量。
+当考虑在哪里实例化新的 PersistentVolume 时可以使用此项。
+
+例如，此结构可以描述如下内容：
+
+- “standard” 的 StorageClass 容量为 “1234 GiB”，可用于 “topology.kubernetes.io/zone=us-east1”
+- “localssd” 的 StorageClass 容量为 “10 GiB”，可用于 “kubernetes.io/hostname=knode-abc123”
+
+以下三种情况均暗示了某些组合没有可用的容量：
+
+- 不存在拓扑和存储类名称合适的对象  
+- 这种对象存在，但容量未设置  
+- 这种对象存在，但容量为零
+
+<!--
+The producer of these objects can decide which approach is more suitable.
+They are consumed by the kube-scheduler when a CSI driver opts into capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler compares the MaximumVolumeSize against the requested size of pending volumes to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back to a comparison against the less precise Capacity. If that is also unset, the scheduler assumes that capacity is insufficient and tries some other node.
+-->
+这些对象的制作方可以决定哪种方法更合适。
+
+当 CSI 驱动选择使用 CSIDriverSpec.StorageCapacity 进行容量感知调度时，kube-scheduler 会使用这些对象。
+该调度器将 MaximumVolumeSize 与 pending 卷的请求大小进行比较，以过滤掉不合适的节点。
+如果未设置 MaximumVolumeSize，则回退为与不太精确的容量（Capacity）进行比较。
+如果还是未设置，则该调度器假定容量不足并尝试某些其他节点。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: CSIStorageCapacity
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-\<uuid>, a generated name, or a reverse-domain name which ends with the unique CSI driver name.
+  Objects are namespaced.
+  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  
+  标准的对象元数据。
+  此名称没有特定的含义。
+  它必须是 DNS 子域名（允许英文句点，最多 253 个字符）。
+  为了确保与集群上的其他 CSI 驱动没有冲突，建议使用一个生成的名称 csisc-\<uuid>，
+  或使用以唯一 CSI 驱动名称结尾的反向域名。
+  
+  这些对象是有命名空间的。
+  
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **storageClassName** (string), required
+  The name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.
+- **capacity** (<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  Capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
+  The semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.
+-->
+- **storageClassName** (string)，必需
+  
+  这是已报告容量所应用到的 StorageClass 的名称。
+  它必须满足与 StorageClass 对象名称相同的要求（非空，DNS 子域名）。
+  如果该对象不再存在，则 CSIStorageCapacity 对象将被废弃且应由创建者移除。
+  此字段不可变更。
+
+- **capacity** (<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  
+  capacity 是 CSI 驱动在其 GetCapacityResponse 中为 GetCapacityRequest 报告的值，其拓扑和参数与之前的字段匹配。
+  
+  该语义目前（CSI 规范 1.2）定义为：可用于制备卷的可用存储容量（单位为字节）。
+  如果未设置，则该信息目前不可用。
+
+<!--
+- **maximumVolumeSize** (<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  MaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
+  This is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.
+-->
+- **maximumVolumeSize** (<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  
+  maximumVolumeSize 是 CSI 驱动在其 GetCapacityResponse 中为 GetCapacityRequest 报告的值，其拓扑和参数与之前的字段匹配。
+  
+  自从 CSI 规范 1.4.0 起，这定义为 `CreateVolumeRequest.capacity_range.required_bytes` 字段中可以使用的最大值，
+  以便用 GetCapacityRequest 中相同的参数创建一个卷。
+  Kubernetes API 中的相应值是卷声明中的 ResourceRequirements.Requests。
+
+<!--
+- **nodeTopology** (<a href="{{< ref "../common-definitions/label-selector#LabelSelector" >}}">LabelSelector</a>)
+  NodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.
+-->
+- **nodeTopology** (<a href="{{< ref "../common-definitions/label-selector#LabelSelector" >}}">LabelSelector</a>)
+  
+  nodeTopology 定义了哪些节点有权访问已报告容量的存储。
+  如果未设置，则不能从集群中的任意节点访问此存储。
+  如果留空，则可以从所有节点访问此存储。此字段不可变更。
+
+## CSIStorageCapacityList {#CSIStorageCapacityList}
+
+<!--
+CSIStorageCapacityList is a collection of CSIStorageCapacity objects.
+-->
+CSIStorageCapacityList 是 CSIStorageCapacity 对象的集合。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: CSIStorageCapacityList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>), required
+  *Map: unique values on key name will be kept during a merge*
+  Items is the list of CSIStorageCapacity objects.
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  
+  标准的列表元数据。
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>)，必需
+  
+  **映射：有关键名称的唯一值将在合并期间被保留**
+  
+  items 是 CSIStorageCapacity 对象的列表。
+
+<!--
+## Operations {#Operations}
+<hr>
+### `get` read the specified CSIStorageCapacity
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 CSIStorageCapacity
+
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIStorageCapacity
+- **namespace** (*in path*): string, required
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIStorageCapacity 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind CSIStorageCapacity
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 CSIStorageCapacity 的对象
+
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacityList" >}}">CSIStorageCapacityList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind CSIStorageCapacity
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 CSIStorageCapacity 的对象
+
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/csistoragecapacities
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacityList" >}}">CSIStorageCapacityList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a CSIStorageCapacity
+#### HTTP Request
+-->
+### `create` 创建 CSIStorageCapacity
+
+#### HTTP 请求
+
+POST /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified CSIStorageCapacity
+#### HTTP Request
+-->
+### `update` 替换指定的 CSIStorageCapacity
+
+#### HTTP 请求
+
+PUT /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIStorageCapacity
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIStorageCapacity 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified CSIStorageCapacity
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 CSIStorageCapacity
+
+#### HTTP 请求
+
+PATCH /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIStorageCapacity
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIStorageCapacity 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/csi-storage-capacity-v1#CSIStorageCapacity" >}}">CSIStorageCapacity</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a CSIStorageCapacity
+#### HTTP Request
+-->
+### `delete` 删除 CSIStorageCapacity
+
+#### HTTP 请求
+
+DELETE /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the CSIStorageCapacity
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  CSIStorageCapacity 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of CSIStorageCapacity
+#### HTTP Request
+-->
+### `deletecollection` 删除 CSIStorageCapacity 的集合
+
+#### HTTP 请求
+
+DELETE /apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md
new file mode 100644
index 0000000000000..cfe2fd37abd4b
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md
@@ -0,0 +1,993 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "PersistentVolumeClaim"
+content_type: "api_reference"
+description: "PersistentVolumeClaim 是用户针对一个持久卷的请求和申领。"
+title: "PersistentVolumeClaim"
+weight: 4
+---
+<!--
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "PersistentVolumeClaim"
+content_type: "api_reference"
+description: "PersistentVolumeClaim is a user's request for and claim to a persistent volume."
+title: "PersistentVolumeClaim"
+weight: 4
+-->
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+## PersistentVolumeClaim {#PersistentVolumeClaim}
+<!--
+PersistentVolumeClaim is a user's request for and claim to a persistent volume
+-->
+PersistentVolumeClaim 是用户针对一个持久卷的请求和申领。
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: PersistentVolumeClaim
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimSpec" >}}">PersistentVolumeClaimSpec</a>)
+  spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  
+  标准的对象元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimSpec" >}}">PersistentVolumeClaimSpec</a>)
+  
+  spec 定义 Pod 作者所请求的卷的预期特征。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
+<!--
+- **status** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimStatus" >}}">PersistentVolumeClaimStatus</a>)
+  status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+-->
+- **status** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimStatus" >}}">PersistentVolumeClaimStatus</a>)
+  
+  status 表示一个持久卷申领的当前信息/状态。只读。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
+## PersistentVolumeClaimSpec {#PersistentVolumeClaimSpec}
+<!--
+PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes
+<hr>
+- **accessModes** ([]string)
+  accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+
+- **selector** (<a href="{{< ref "../common-definitions/label-selector#LabelSelector" >}}">LabelSelector</a>)
+  selector is a label query over volumes to consider for binding.
+-->
+PersistentVolumeClaimSpec 描述存储设备的常用参数，并支持通过 source 来设置特定于提供商的属性。
+
+<hr>
+
+- **accessModes** ([]string)
+  
+  accessModes 包含卷应具备的预期访问模式。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#access-modes-1
+
+- **selector** (<a href="{{< ref "../common-definitions/label-selector#LabelSelector" >}}">LabelSelector</a>)
+  
+  selector 是在绑定时对卷进行选择所执行的标签查询。
+
+<!--
+- **resources** (ResourceRequirements)
+  resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+
+  <a name="ResourceRequirements"></a>
+  *ResourceRequirements describes the compute resource requirements.*
+
+  - **resources.limits** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+    Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+  - **resources.requests** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+    Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+-->
+- **resources** (ResourceRequirements)
+  
+  resources 表示卷应拥有的最小资源。
+  如果启用了 RecoverVolumeExpansionFailure 功能特性，则允许用户指定这些资源要求，
+  此值必须低于之前的值，但必须高于申领的状态字段中记录的容量。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#resources
+  
+  <a name="ResourceRequirements"></a> 
+  **ResourceRequirements 描述计算资源要求。**
+  
+  - **resources.limits** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+    
+    limits 描述允许的最大计算资源量。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/
+  
+  - **resources.requests** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+    
+    requests 描述所需的最小计算资源量。
+    如果针对容器省略 requests，则在显式指定的情况下默认为 limits，否则为具体实现所定义的值。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/
+
+<!--
+- **volumeName** (string)
+  volumeName is the binding reference to the PersistentVolume backing this claim.
+
+- **storageClassName** (string)
+  storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+
+- **volumeMode** (string)
+  volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.
+-->
+- **volumeName** (string)
+  
+  volumeName 是对此申领所对应的 PersistentVolume 的绑定引用。
+
+- **storageClassName** (string)
+  
+  storageClassName 是此申领所要求的 StorageClass 名称。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#class-1
+
+- **volumeMode** (string)
+  
+  volumeMode 定义申领需要哪种类别的卷。当申领规约中未包含此字段时，意味着取值为 Filesystem。
+
+<!--
+### Alpha level
+
+- **dataSource** (<a href="{{< ref "../common-definitions/typed-local-object-reference#TypedLocalObjectReference" >}}">TypedLocalObjectReference</a>)
+
+  dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field.
+-->
+### Alpha 级别
+- **dataSource** (<a href="{{< ref "../common-definitions/typed-local-object-reference#TypedLocalObjectReference" >}}">TypedLocalObjectReference</a>)
+  
+  dataSource 字段可用于二选一：
+
+  * 现有的 VolumeSnapshot 对象（snapshot.storage.k8s.io/VolumeSnapshot）
+
+  * 现有的 PVC (PersistentVolumeClaim)
+  
+  如果制备器或外部控制器可以支持指定的数据源，则它将根据指定数据源的内容创建新的卷。
+  如果 AnyVolumeDataSource 特性门控被启用，此字段的内容将始终与 dataSourceRef 字段内容相同。
+
+<!--
+- **dataSourceRef** (<a href="{{< ref "../common-definitions/typed-local-object-reference#TypedLocalObjectReference" >}}">TypedLocalObjectReference</a>)
+
+  dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef
+    allows any non-core object, as well as PersistentVolumeClaim objects.
+  * While DataSource ignores disallowed values (dropping them), DataSourceRef
+    preserves all values, and generates an error if a disallowed value is
+    specified.
+  (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+-->
+- **dataSourceRef** (<a href="{{< ref "../common-definitions/typed-local-object-reference#TypedLocalObjectReference" >}}">TypedLocalObjectReference</a>)
+  
+  dataSourceRef 指定一个对象，当需要非空卷时，可以使用它来为卷填充数据。
+  此字段值可以是来自非空 API 组（非核心对象）的一个本地对象，或一个 PersistentVolumeClaim 对象。
+  如果设置了此字段，则仅当所指定对象的类型与所安装的某些卷填充器或动态制备器匹配时，卷绑定才会成功。
+  此字段将替换 dataSource 字段的功能，因此如果两个字段非空，其取值必须相同。
+  为了向后兼容，如果其中一个字段为空且另一个字段非空，
+  则两个字段（dataSource 和 dataSourceRef）将被自动设为相同的值。
+  dataSource 和 dataSourceRef 之间有两个重要的区别：
+
+  * dataSource 仅允许两个特定类型的对象，而 dataSourceRef 允许设置任何非核心对象以及 PersistentVolumeClaim 对象。
+  
+  * dataSource 忽略不允许的值（这类值会被丢弃），dataSourceRef 保留所有值并在指定不允许的值时产生错误。
+  
+  （Beta）使用此字段需要启用 AnyVolumeDataSource 特性门控。
+
+## PersistentVolumeClaimStatus {#PersistentVolumeClaimStatus}
+<!--
+PersistentVolumeClaimStatus is the current status of a persistent volume claim.
+
+<hr>
+
+- **accessModes** ([]string)
+  accessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+-->
+PersistentVolumeClaimStatus 是持久卷申领的当前状态。
+
+<hr>
+
+- **accessModes** ([]string)
+  
+  accessModes 包含支持 PVC 的卷所具有的实际访问模式。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#access-modes-1
+
+<!--
+- **allocatedResources** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+
+  allocatedResources is the storage resource within AllocatedResources tracks the capacity allocated to a PVC. It may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+-->
+- **allocatedResources** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  
+  allocatedResources 跟踪分配给 PVC 的容量。
+  当出现卷扩充操作请求时，此字段可能大于实际的容量。
+  就存储配额而言，将使用 allocatedResources 和 PVC.spec.resources 二者中的更大值。
+  如果未设置 allocatedResources，则 PVC.spec.resources 单独用于配额计算。
+  如果减小一个卷扩充容量请求，则仅当没有正在进行的扩充操作且实际卷容量等于或小于请求的容量时，
+  才会减小 allocatedResources。
+  这是一个 Alpha 字段，需要启用 RecoverVolumeExpansionFailure 功能特性。
+
+<!--
+- **capacity** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+
+  capacity represents the actual resources of the underlying volume.
+-->
+- **capacity** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  
+  capacity 表示底层卷的实际资源。
+
+<!--
+- **conditions** ([]PersistentVolumeClaimCondition)
+  *Patch strategy: merge on key `type`*
+  
+  conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.
+
+  <a name="PersistentVolumeClaimCondition"></a>
+  *PersistentVolumeClaimCondition contails details about state of pvc*
+-->
+- **conditions** ([]PersistentVolumeClaimCondition)
+  
+  **补丁策略：按照键 `type` 合并**
+  
+  conditions 是持久卷声明的当前的状况。
+  如果正在调整底层持久卷的大小，则状况将被设为 “ResizeStarted”。
+  
+  <a name="PersistentVolumeClaimCondition"></a> 
+  **PersistentVolumeClaimCondition 包含有关 PVC 状态的详细信息。**
+
+<!--
+  - **conditions.status** (string), required
+  - **conditions.type** (string), required
+  - **conditions.lastProbeTime** (Time)
+    lastProbeTime is the time we probed the condition.
+
+    <a name="Time"></a>
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+-->  
+  - **conditions.status** (string)，必需
+  
+  - **conditions.type** (string)，必需
+  
+  - **conditions.lastProbeTime** (Time)
+    
+    lastProbeTime 是我们探测 PVC 状况的时间。
+    
+    <a name="Time"></a> 
+    **Time 是 time.Time 的包装类，支持正确地序列化为 YAML 和 JSON。
+    为 time 包提供的许多工厂方法提供了包装类。**
+
+<!--
+  - **conditions.lastTransitionTime** (Time)
+    lastTransitionTime is the time the condition transitioned from one status to another.
+
+    <a name="Time"></a>
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+
+  - **conditions.message** (string)
+    message is the human-readable message indicating details about last transition.
+
+  - **conditions.reason** (string)
+    reason is a unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.
+-->  
+  - **conditions.lastTransitionTime** (Time)
+    
+    lastTransitionTime 是状况从一个状态转换为另一个状态的时间。
+    
+    <a name="Time"></a> 
+    **Time 是 time.Time 的包装类，支持正确地序列化为 YAML 和 JSON。
+    为 time 包提供的许多工厂方法提供了包装类。**
+  
+  - **conditions.message** (string)
+    
+    message 是人类可读的消息，指示有关上一次转换的详细信息。
+  
+  - **conditions.reason** (string)
+    
+    reason 是唯一的，它应该是一个机器可理解的简短字符串，指明上次状况转换的原因。
+    如果它报告 “ResizeStarted”，则意味着正在调整底层持久卷的大小。
+
+<!--
+- **phase** (string)
+  phase represents the current phase of PersistentVolumeClaim.
+  
+- **resizeStatus** (string)
+  resizeStatus stores status of resize operation. ResizeStatus is not set by default but when expansion is complete resizeStatus is set to empty string by resize controller or kubelet. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+-->
+- **phase** (string)
+  
+  phase 表示 PersistentVolumeClaim 的当前阶段。
+
+- **resizeStatus** (string)
+  
+  resizeStatus 存储大小调整操作的状态。默认不设置 resizeStatus，但在扩充完成时，
+  resizeStatus 将由大小调整控制器或 kubelet 设为空。
+  这是一个 Alpha 字段，需要启用 RecoverVolumeExpansionFailure 功能特性。
+
+## PersistentVolumeClaimList {#PersistentVolumeClaimList}
+<!--
+PersistentVolumeClaimList is a list of PersistentVolumeClaim items.
+-->
+PersistentVolumeClaimList 是 PersistentVolumeClaim 各项的列表。
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: PersistentVolumeClaimList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>), required
+  items is a list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  
+  标准的列表元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>)，必需
+  
+  items 是持久卷申领的列表。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
+<!--
+## Operations {#Operations}
+<hr>
+### `get` read the specified PersistentVolumeClaim
+#### HTTP Request
+-->
+## 操作 {#Operations}
+<hr>
+
+### `get` 读取指定的 PersistentVolumeClaim
+#### HTTP 请求
+GET /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+401: Unauthorized
+
+<!--
+### `get` read status of the specified PersistentVolumeClaim
+#### HTTP Request
+-->
+### `get` 读取指定的 PersistentVolumeClaim 的状态
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind PersistentVolumeClaim
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 PersistentVolumeClaim 的对象
+#### HTTP 请求
+GET /api/v1/namespaces/{namespace}/persistentvolumeclaims
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimList" >}}">PersistentVolumeClaimList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind PersistentVolumeClaim
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 PersistentVolumeClaim 的对象
+#### HTTP 请求
+GET /api/v1/persistentvolumeclaims
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimList" >}}">PersistentVolumeClaimList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a PersistentVolumeClaim
+#### HTTP Request
+-->
+### `create` 创建 PersistentVolumeClaim
+#### HTTP 请求
+POST /api/v1/namespaces/{namespace}/persistentvolumeclaims
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified PersistentVolumeClaim
+#### HTTP Request
+-->
+### `update` 替换指定的 PersistentVolumeClaim
+#### HTTP 请求
+PUT /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Created
+
+401: Unauthorized
+
+<!--
+### `update` replace status of the specified PersistentVolumeClaim
+#### HTTP Request
+-->
+### `update` 替换指定的 PersistentVolumeClaim 的状态
+#### HTTP 请求
+PUT /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified PersistentVolumeClaim
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 PersistentVolumeClaim
+#### HTTP 请求
+PATCH /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update status of the specified PersistentVolumeClaim
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 PersistentVolumeClaim 的状态
+#### HTTP 请求
+PATCH /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a PersistentVolumeClaim
+#### HTTP Request
+-->
+### `delete` 删除 PersistentVolumeClaim
+#### HTTP 请求
+DELETE /api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolumeClaim
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  
+  PersistentVolumeClaim 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): OK
+
+202 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaim" >}}">PersistentVolumeClaim</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of PersistentVolumeClaim
+#### HTTP Request
+-->
+### `deletecollection` 删除 PersistentVolumeClaim 的集合
+#### HTTP 请求
+DELETE /api/v1/namespaces/{namespace}/persistentvolumeclaims
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md
new file mode 100644
index 0000000000000..32cdd21d494b3
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md
@@ -0,0 +1,2180 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "PersistentVolume"
+content_type: "api_reference"
+description: "PersistentVolume (PV) 是管理员制备的一个存储资源。"
+title: "PersistentVolume"
+weight: 5
+---
+<!--
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "PersistentVolume"
+content_type: "api_reference"
+description: "PersistentVolume (PV) is a storage resource provisioned by an administrator."
+title: "PersistentVolume"
+weight: 5
+-->
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+## PersistentVolume {#PersistentVolume}
+<!--
+PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
+-->
+PersistentVolume (PV) 是管理员制备的一个存储资源。它类似于一个节点。更多信息：
+https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: PersistentVolume
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeSpec" >}}">PersistentVolumeSpec</a>)
+  spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+
+- **status** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeStatus" >}}">PersistentVolumeStatus</a>)
+  status represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准的对象元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeSpec" >}}">PersistentVolumeSpec</a>)
+
+  spec 定义了集群所拥有的持久卷的规约。由管理员进行制备。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistent-volumes
+
+- **status** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeStatus" >}}">PersistentVolumeStatus</a>)
+
+  status 表示持久卷的当前信息/状态。该值由系统填充，只读。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistent-volumes
+
+## PersistentVolumeSpec {#PersistentVolumeSpec}
+<!--
+PersistentVolumeSpec is the specification of a persistent volume.
+-->
+PersistentVolumeSpec 是持久卷的规约。
+
+<hr>
+
+<!--
+- **accessModes** ([]string)
+  accessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
+
+- **capacity** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+  capacity is the description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
+-->
+- **accessModes** ([]string)
+
+  accessModes 包含可以挂载卷的所有方式。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#access-modes
+
+- **capacity** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+
+  capacity 描述持久卷的资源和容量。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#capacity
+
+<!--
+- **claimRef** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)
+  claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding
+
+- **mountOptions** ([]string)
+  mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options
+-->
+- **claimRef** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)
+
+  claimRef 是 PersistentVolume 和 PersistentVolumeClaim 之间双向绑定的一部分。
+  预期在绑定时为非空。claim.VolumeName 是在 PV 和 PVC 间绑定关系的正式确认。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#binding
+
+- **mountOptions** ([]string)
+
+  mountOptions 是挂载选项的列表，例如 ["ro", "soft"]。
+  针对此字段无合法性检查——如果某选项无效，则只是挂载会失败。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes/#mount-options
+
+<!--
+- **nodeAffinity** (VolumeNodeAffinity)
+  nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.
+
+  <a name="VolumeNodeAffinity"></a>
+  *VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.*
+-->
+- **nodeAffinity** (VolumeNodeAffinity)
+
+  nodeAffinity 定义可以从哪些节点访问此卷的约束限制。此字段会影响调度使用此卷的 Pod。
+  
+  <a name="VolumeNodeAffinity"></a> 
+  **VolumeNodeAffinity 定义可以从哪些节点访问此卷的约束限制。**
+
+<!--
+  - **nodeAffinity.required** (NodeSelector)
+    required specifies hard node constraints that must be met.
+
+    <a name="NodeSelector"></a>
+    *A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.*
+
+    - **nodeAffinity.required.nodeSelectorTerms** ([]NodeSelectorTerm), required
+      Required. A list of node selector terms. The terms are ORed.
+      <a name="NodeSelectorTerm"></a>
+      *A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.*
+
+      - **nodeAffinity.required.nodeSelectorTerms.matchExpressions** ([]<a href="{{< ref "../common-definitions/node-selector-requirement#NodeSelectorRequirement" >}}">NodeSelectorRequirement</a>)
+        A list of node selector requirements by node's labels.
+
+      - **nodeAffinity.required.nodeSelectorTerms.matchFields** ([]<a href="{{< ref "../common-definitions/node-selector-requirement#NodeSelectorRequirement" >}}">NodeSelectorRequirement</a>)
+        A list of node selector requirements by node's fields.
+-->  
+  - **nodeAffinity.required** (NodeSelector)
+
+    required 指定必须满足的硬性节点约束。
+    
+    <a name="NodeSelector"></a> 
+    **节点选择器表示在一组节点上一个或多个标签查询结果的并集；
+    也就是说，它表示由节点选择器条件表示的选择器的逻辑或计算结果。**
+    
+    - **nodeAffinity.required.nodeSelectorTerms** ([]NodeSelectorTerm)，必需
+
+      必需。节点选择器条件的列表。这些条件是逻辑或的计算结果。
+      
+      <a name="NodeSelectorTerm"></a>
+      **一个 null 或空的节点选择器条件不会与任何对象匹配。这些条件会按逻辑与的关系来计算。
+      TopologySelectorTerm 类别实现了 NodeSelectorTerm 的子集。**
+      
+      - **nodeAffinity.required.nodeSelectorTerms.matchExpressions** ([]<a href="{{< ref "../common-definitions/node-selector-requirement#NodeSelectorRequirement" >}}">NodeSelectorRequirement</a>)
+
+        基于节点标签所设置的节点选择器要求的列表。
+      
+      - **nodeAffinity.required.nodeSelectorTerms.matchFields** ([]<a href="{{< ref "../common-definitions/node-selector-requirement#NodeSelectorRequirement" >}}">NodeSelectorRequirement</a>)
+
+        基于节点字段所设置的节点选择器要求的列表。
+
+<!--
+- **persistentVolumeReclaimPolicy** (string)
+
+  persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
+-->
+- **persistentVolumeReclaimPolicy** (string)
+
+  persistentVolumeReclaimPolicy 定义当从持久卷声明释放持久卷时会发生什么。
+  有效的选项为 Retain（手动创建 PersistentVolumes 所用的默认值）、
+  Delete（动态制备 PersistentVolumes 所用的默认值）和 Recycle（已弃用）。
+  Recycle 选项必须被 PersistentVolume 下层的卷插件所支持才行。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#reclaiming
+
+<!--
+- **storageClassName** (string)
+  storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.
+
+- **volumeMode** (string)
+  volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec.
+-->
+- **storageClassName** (string)
+
+  storageClassName 是这个持久卷所属于的 StorageClass 的名称。
+  空值意味着此卷不属于任何 StorageClass。
+
+- **volumeMode** (string)
+
+  volumeMode 定义一个卷是带着已格式化的文件系统来使用还是保持在原始块状态来使用。
+  当 spec 中未包含此字段时，意味着取值为 Filesystem。
+
+### Local
+<!--
+- **hostPath** (HostPathVolumeSource)
+  hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
+  <a name="HostPathVolumeSource"></a>
+  *Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.*
+
+  - **hostPath.path** (string), required
+    path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
+  - **hostPath.type** (string)
+    type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+-->
+- **hostPath** (HostPathVolumeSource)
+
+  hostPath 表示主机上的目录，由开发或测试人员进行制备。hostPath 仅对单节点开发和测试有用！
+  不会以任何方式支持主机存储（On-host storage），并且**不能用于**多节点集群中。
+  更多信息： https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#hostpath
+  
+  <a name="HostPathVolumeSource"></a> 
+  **表示映射到 Pod 中的主机路径。主机路径卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **hostPath.path** (string)，必需
+
+    目录在主机上的路径。如果该路径是一个符号链接，则它将沿着链接指向真实路径。
+    更多信息： https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#hostpath
+  
+  - **hostPath.type** (string)
+
+    HostPath 卷的类型。默认为 ""。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#hostpath
+
+<!--
+- **local** (LocalVolumeSource)
+  local represents directly-attached storage with node affinity
+
+  <a name="LocalVolumeSource"></a>
+  *Local represents directly-attached storage with node affinity (Beta feature)*
+
+  - **local.path** (string), required
+    path of the full path to the volume on the node. It can be either a directory or block device (disk, partition, ...).
+
+  - **local.fsType** (string)
+    fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified.
+-->
+- **local** (LocalVolumeSource)
+
+  local 表示具有节点亲和性的直连式存储。
+  
+  <a name="LocalVolumeSource"></a> 
+  **local 表示具有节点亲和性的直连式存储（Beta 特性）。**
+  
+  - **local.path** (string)，必需
+
+    指向节点上卷的完整路径。它可以是一个目录或块设备（磁盘、分区...）。
+  
+  - **local.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。它仅适用于 path 是一个块设备的情况。
+    必须是主机操作系统所支持的文件系统类型之一。例如 “ext4”、“xfs”、“ntfs”。
+    在未指定的情况下，默认值是自动选择一个文件系统。
+
+<!--
+### Persistent volumes
+- **awsElasticBlockStore** (AWSElasticBlockStoreVolumeSource)
+  awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
+  <a name="AWSElasticBlockStoreVolumeSource"></a>
+  *Represents a Persistent Disk resource in AWS.
+  
+  An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.*
+-->
+### 持久卷 {#persistent-volumes}
+- **awsElasticBlockStore** (AWSElasticBlockStoreVolumeSource)
+  
+  awsElasticBlockStore 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 AWS Disk 资源。
+  更多信息： https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+  
+  <a name="AWSElasticBlockStoreVolumeSource"></a>
+  **表示 AWS 上的 Persistent Disk 资源。挂载到一个容器之前 AWS EBS 磁盘必须存在。
+  该磁盘还必须与 kubelet 位于相同的 AWS 区域中。AWS EBS 磁盘只能以读/写一次进行挂载。
+  AWS EBS 卷支持所有权管理和 SELinux 重新打标签。**
+
+<!--
+  - **awsElasticBlockStore.volumeID** (string), required
+    volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
+  - **awsElasticBlockStore.fsType** (string)
+    fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
+  - **awsElasticBlockStore.partition** (int32)
+    partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+
+  - **awsElasticBlockStore.readOnly** (boolean)
+    readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+-->  
+  - **awsElasticBlockStore.volumeID** (string)，必需
+
+    volumeID 是 AWS（Amazon EBS 卷）中持久磁盘资源的唯一 ID。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+  
+  - **awsElasticBlockStore.fsType** (string)
+
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为“ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+  
+  - **awsElasticBlockStore.partition** (int32)
+
+    partition 是你要挂载的卷中的分区。如果省略，则默认为按卷名称进行挂载。
+    例如：对于卷 /dev/sda1，将分区指定为 “1”。
+    类似地，/dev/sda 的卷分区为 “0”（或可以将属性留空）。
+  
+  - **awsElasticBlockStore.readOnly** (boolean)
+
+    readOnly 值为 true 将在 VolumeMounts 中强制设置 readOnly。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+
+<!--
+- **azureDisk** (AzureDiskVolumeSource)
+  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+
+  <a name="AzureDiskVolumeSource"></a>
+  *AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.*
+-->
+- **azureDisk** (AzureDiskVolumeSource)
+
+  azureDisk 表示主机上挂载的 Azure Data Disk 并绑定挂载到 Pod 上。
+  
+  <a name="AzureDiskVolumeSource"></a>
+  **azureDisk 表示主机上挂载的 Azure Data Disk 并绑定挂载到 Pod 上。**
+
+<!--
+  - **azureDisk.diskName** (string), required
+    diskName is the Name of the data disk in the blob storage
+
+  - **azureDisk.diskURI** (string), required
+    diskURI is the URI of data disk in the blob storage
+
+  - **azureDisk.cachingMode** (string)
+    cachingMode is the Host Caching mode: None, Read Only, Read Write.
+
+  - **azureDisk.fsType** (string)
+    fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **azureDisk.kind** (string)
+    kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared
+
+  - **azureDisk.readOnly** (boolean)
+    readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+-->  
+  - **azureDisk.diskName** (string)，必需
+
+    diskName 是 Blob 存储中数据盘的名称。
+  
+  - **azureDisk.diskURI** (string)，必需
+
+    diskURI 是 Blob 存储中数据盘的 URI。
+  
+  - **azureDisk.cachingMode** (string)
+
+    cachingMode 是主机缓存（Host Caching）模式：None、Read Only、Read Write。
+  
+  - **azureDisk.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **azureDisk.kind** (string)
+
+    kind 预期值包括：
+    - Shared：每个存储帐户多个 Blob 磁盘；
+    - Dedicated：每个存储帐户单个 Blob 磁盘；
+    - Managed：azure 托管的数据盘（仅托管的可用性集合中）。
+    默认为 Shared。
+  
+  - **azureDisk.readOnly** (boolean)
+
+    readOnly 默认为 false（读/写）。此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+
+<!--
+- **azureFile** (AzureFilePersistentVolumeSource)
+  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+  <a name="AzureFilePersistentVolumeSource"></a>
+  *AzureFile represents an Azure File Service mount on the host and bind mount to the pod.*
+
+  - **azureFile.secretName** (string), required
+    secretName is the name of secret that contains Azure Storage Account Name and Key
+
+  - **azureFile.shareName** (string), required
+    shareName is the azure Share Name
+
+  - **azureFile.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+
+  - **azureFile.secretNamespace** (string)
+    secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key default is the same as the Pod
+-->
+- **azureFile** (AzureFilePersistentVolumeSource)
+
+  azureDisk 表示主机上挂载的 Azure File Service 并绑定挂载到 Pod 上。
+  
+  <a name="AzureFilePersistentVolumeSource"></a> 
+  **azureFile 表示主机上挂载的 Azure File Service 并绑定挂载到 Pod 上。**
+  
+  - **azureFile.secretName** (string)，必需
+
+    secretName 是包含 Azure 存储账号名称和主键的 Secret 的名称。
+  
+  - **azureFile.shareName** (string)，必需
+
+    shareName 是 azure Share Name。
+  
+  - **azureFile.readOnly** (boolean)
+
+    readOnly 默认为 false（读/写）。此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+  
+  - **azureFile.secretNamespace** (string)
+
+    secretNamespace 是包含 Azure 存储账号名称和主键的 Secret 的名字空间，默认与 Pod 相同。
+
+<!--
+- **cephfs** (CephFSPersistentVolumeSource)
+  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+
+  <a name="CephFSPersistentVolumeSource"></a>
+  *Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.*
+-->
+- **cephfs** (CephFSPersistentVolumeSource)
+
+  cephfs 表示在主机上挂载的 Ceph FS，该文件系统挂载与 Pod 的生命周期相同。
+  
+  <a name="CephFSPersistentVolumeSource"></a> 
+  **表示在 Pod 的生命周期内持续的 Ceph Filesystem 挂载。cephfs 卷不支持所有权管理或 SELinux 重新打标签。**
+
+<!--
+  - **cephfs.monitors** ([]string), required
+    monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+  - **cephfs.path** (string)
+    path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+
+  - **cephfs.readOnly** (boolean)
+    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+  - **cephfs.secretFile** (string)
+    secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+-->  
+  - **cephfs.monitors** ([]string)，必需
+
+    monitors 是必需的。monitors 是 Ceph 监测的集合。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  
+  - **cephfs.path** (string)
+
+    path 是可选的。用作挂载的根，而不是完整的 Ceph 树，默认为 /。
+  
+  - **cephfs.readOnly** (boolean)
+
+    readOnly 是可选的。默认为 false（读/写）。此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+    更多信息： https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  
+  - **cephfs.secretFile** (string)
+
+    secretFile 是可选的。secretFile 是 user 对应的密钥环的路径，默认为 /etc/ceph/user.secret。
+    更多信息： https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+<!--
+  - **cephfs.secretRef** (SecretReference)
+    secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **cephfs.secretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **cephfs.secretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+
+  - **cephfs.user** (string)
+    user is Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+-->  
+  - **cephfs.secretRef** (SecretReference)
+
+    secretRef 是可选的。secretRef 是针对用户到身份认证 Secret 的引用，默认为空。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **cephfs.secretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **cephfs.secretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+  
+  - **cephfs.user** (string)
+
+    user 是可选的。user 是 rados 用户名，默认为 admin。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+<!--
+- **cinder** (CinderPersistentVolumeSource)
+  cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  <a name="CinderPersistentVolumeSource"></a>
+  *Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.*
+-->
+- **cinder** (CinderPersistentVolumeSource)
+
+  cinder 表示 kubelet 主机上挂接和挂载的 Cinder 卷。更多信息：
+  https://examples.k8s.io/mysql-cinder-pd/README.md
+  
+  <a name="CinderPersistentVolumeSource"></a> 
+  **表示 OpenStack 中的一个 Cinder 卷资源。挂载到一个容器之前 Cinder 卷必须已经存在。
+  该卷还必须与 kubelet 位于相同的地区中。cinder 卷支持所有权管理和 SELinux 重新打标签。**
+
+<!--
+  - **cinder.volumeID** (string), required
+    volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  - **cinder.fsType** (string)
+    fsType Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  - **cinder.readOnly** (boolean)
+    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+-->  
+  - **cinder.volumeID** (string)，必需
+
+    volumeID 用于标识 Cinder 中的卷。更多信息：
+    https://examples.k8s.io/mysql-cinder-pd/README.md
+  
+  - **cinder.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统支持的文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://examples.k8s.io/mysql-cinder-pd/README.md
+  
+  - **cinder.readOnly** (boolean)
+
+    readOnly 是可选的。默认为 false（读/写）。
+    此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。更多信息：
+    https://examples.k8s.io/mysql-cinder-pd/README.md
+
+<!--
+  - **cinder.secretRef** (SecretReference)
+    secretRef is Optional: points to a secret object containing parameters used to connect to OpenStack.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **cinder.secretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **cinder.secretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **cinder.secretRef** (SecretReference)
+
+    secretRef 是可选的。指向 Secret 对象，内含的参数用于连接到 OpenStack。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **cinder.secretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **cinder.secretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+- **csi** (CSIPersistentVolumeSource)
+  csi represents storage that is handled by an external CSI driver (Beta feature).
+
+  <a name="CSIPersistentVolumeSource"></a>
+  *Represents storage that is managed by an external CSI volume driver (Beta feature)*
+
+  - **csi.driver** (string), required
+    driver is the name of the driver to use for this volume. Required.
+
+  - **csi.volumeHandle** (string), required
+    volumeHandle is the unique volume name returned by the CSI volume plugin’s CreateVolume to refer to the volume on all subsequent calls. Required.
+-->
+- **csi** (CSIPersistentVolumeSource)
+
+  csi 表示由一个外部 CSI 驱动处理的存储（Beta 特性）。
+  
+  <a name="CSIPersistentVolumeSource"></a> 
+  **表示由一个外部 CSI 卷驱动管理的存储（Beta 特性）。**
+  
+  - **csi.driver** (string)，必需
+
+    driver 是此卷所使用的驱动的名称。必需。
+  
+  - **csi.volumeHandle** (string)，必需
+
+    volumeHandle 是 CSI 卷插件的 CreateVolume 所返回的唯一卷名称，用于在所有后续调用中引用此卷。必需。
+
+<!--
+  - **csi.controllerExpandSecretRef** (SecretReference)
+    controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an alpha field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **csi.controllerExpandSecretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **csi.controllerExpandSecretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **csi.controllerExpandSecretRef** (SecretReference)
+
+    controllerExpandSecretRef 是对包含敏感信息的 Secret 对象的引用，
+    该 Secret 会被传递到 CSI 驱动以完成 CSI ControllerExpandVolume 调用。
+    这是一个 Alpha 字段，需要启用 ExpandCSIVolumes 特性门控。
+    此字段是可选的，且如果不需要 Secret，则此字段可以为空。
+    如果 Secret 对象包含多个 Secret，则所有 Secret 被传递。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **csi.controllerExpandSecretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **csi.controllerExpandSecretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+  - **csi.controllerPublishSecretRef** (SecretReference)
+    controllerPublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **csi.controllerPublishSecretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **csi.controllerPublishSecretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **csi.controllerPublishSecretRef** (SecretReference)
+
+    controllerPublishSecretRef 是对包含敏感信息的 Secret 对象的引用，
+    该 Secret 会被传递到 CSI 驱动以完成 CSI ControllerPublishVolume 和 ControllerUnpublishVolume 调用。
+    此字段是可选的，且如果不需要 Secret，则此字段可以为空。
+    如果 Secret 对象包含多个 Secret，则所有 Secret 被传递。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **csi.controllerPublishSecretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **csi.controllerPublishSecretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+  - **csi.fsType** (string)
+    fsType to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs".
+
+  - **csi.nodePublishSecretRef** (SecretReference)
+    nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **csi.nodePublishSecretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **csi.nodePublishSecretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **csi.fsType** (string)
+
+    要挂载的 fsType。必须是主机操作系统所支持的文件系统类型之一。例如 “ext4”、“xfs”、“ntfs”。
+  
+  - **csi.nodePublishSecretRef** (SecretReference)
+
+    nodePublishSecretRef 是对包含敏感信息的 Secret 对象的引用，
+    从而传递到 CSI 驱动以完成 CSI NodePublishVolume 和 NodeUnpublishVolume 调用。
+    此字段是可选的，且如果不需要 Secret，则此字段可以为空。
+    如果 Secret 对象包含多个 Secret，则所有 Secret 被传递。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **csi.nodePublishSecretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **csi.nodePublishSecretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+<!--
+  - **csi.nodeStageSecretRef** (SecretReference)
+    nodeStageSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **csi.nodeStageSecretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **csi.nodeStageSecretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **csi.nodeStageSecretRef** (SecretReference)
+
+    nodeStageSecretRef 是对包含敏感信息的 Secret 对象的引用，
+    从而传递到 CSI 驱动以完成 CSI NodeStageVolume、NodeStageVolume 和 NodeUnstageVolume 调用。
+    此字段是可选的，且如果不需要 Secret，则此字段可以为空。
+    如果 Secret 对象包含多个 Secret，则所有 Secret 被传递。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **csi.nodeStageSecretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **csi.nodeStageSecretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+  - **csi.readOnly** (boolean)
+    readOnly value to pass to ControllerPublishVolumeRequest. Defaults to false (read/write).
+
+  - **csi.volumeAttributes** (map[string]string)
+    volumeAttributes of the volume to publish.
+-->  
+  - **csi.readOnly** (boolean)
+
+    传递到 ControllerPublishVolumeRequest 的 readOnly 值。默认为 false（读/写）。
+  
+  - **csi.volumeAttributes** (map[string]string)
+
+    要发布的卷的 volumeAttributes。
+
+<!--
+- **fc** (FCVolumeSource)
+  fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+
+  <a name="FCVolumeSource"></a>
+  *Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.*
+-->
+- **fc** (FCVolumeSource)
+
+  fc 表示挂接到 kubelet 的主机并随后暴露给 Pod 的一个光纤通道（FC）资源。
+  
+  <a name="FCVolumeSource"></a> 
+  **表示光纤通道卷。光纤通道卷只能以读/写一次进行挂载。光纤通道卷支持所有权管理和 SELinux 重新打标签。**
+
+<!--
+  - **fc.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **fc.lun** (int32)
+    lun is Optional: FC target lun number
+
+  - **fc.readOnly** (boolean)
+    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+
+  - **fc.targetWWNs** ([]string)
+    targetWWNs is Optional: FC target worldwide names (WWNs)
+
+  - **fc.wwids** ([]string)
+    wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+-->  
+  - **fc.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **fc.lun** (int32)
+
+    lun 是可选的。FC 目标 lun 编号。
+  
+  - **fc.readOnly** (boolean)
+
+    readOnly 是可选的。默认为 false（读/写）。
+    此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+  
+  - **fc.targetWWNs** ([]string)
+
+    targetWWNs 是可选的。FC 目标全球名称（WWN）。
+  
+  - **fc.wwids** ([]string)
+
+    wwids 是可选的。FC 卷全球识别号（wwids）。
+    必须设置 wwids 或 targetWWNs 及 lun 的组合，但不能同时设置两者。
+
+<!--
+- **flexVolume** (FlexPersistentVolumeSource)
+  flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.
+
+  <a name="FlexPersistentVolumeSource"></a>
+  *FlexPersistentVolumeSource represents a generic persistent volume resource that is provisioned/attached using an exec based plugin.*
+-->
+- **flexVolume** (FlexPersistentVolumeSource)
+
+  flexVolume 表示使用基于 exec 的插件制备/挂接的通用卷资源。
+  
+  <a name="FlexPersistentVolumeSource"></a>
+  **FlexPersistentVolumeSource 表示使用基于 exec 的插件制备/挂接的通用持久卷资源。**
+
+<!--
+  - **flexVolume.driver** (string), required
+    driver is the name of the driver to use for this volume.
+
+  - **flexVolume.fsType** (string)
+    fsType is the Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+
+  - **flexVolume.options** (map[string]string)
+    options is Optional: this field holds extra command options if any.
+
+  - **flexVolume.readOnly** (boolean)
+    readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+-->  
+  - **flexVolume.driver** (string)，必需
+
+    driver 是此卷所使用的驱动的名称。
+  
+  - **flexVolume.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。默认的文件系统取决于 flexVolume 脚本。
+  
+  - **flexVolume.options** (map[string]string)
+
+    options 是可选的。此字段包含额外的命令选项（如果有）。
+  
+  - **flexVolume.readOnly** (boolean)
+
+    readOnly 是可选的。默认为 false（读/写）。
+    此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+
+<!--
+  - **flexVolume.secretRef** (SecretReference)
+    secretRef is Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **flexVolume.secretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **flexVolume.secretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **flexVolume.secretRef** (SecretReference)
+
+    secretRef 是可选的。secretRef 是对包含敏感信息的 Secret 对象的引用，从而传递到插件脚本。
+    如果未指定 Secret 对象，则此字段可以为空。如果 Secret 对象包含多个 Secret，则所有 Secret 被传递到插件脚本。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **flexVolume.secretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **flexVolume.secretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+- **flocker** (FlockerVolumeSource)
+  flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running
+
+  <a name="FlockerVolumeSource"></a>
+  *Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.*
+
+  - **flocker.datasetName** (string)
+    datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
+
+  - **flocker.datasetUUID** (string)
+    datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
+-->
+- **flocker** (FlockerVolumeSource)
+
+  flocker 表示挂接到 kubelet 的主机并暴露给 Pod 供其使用的 Flocker 卷。
+  这取决于所运行的 Flocker 控制服务。
+  
+  <a name="FlockerVolumeSource"></a> 
+  **表示 Flocker 代理挂载的 Flocker 卷。应设置且仅设置 datasetName 和 datasetUUID 中的一个。
+  Flocker 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **flocker.datasetName** (string)
+
+    datasetName 是存储为元数据的数据集的名称。针对 Flocker 有关数据集的名称应视为已弃用。
+  
+  - **flocker.datasetUUID** (string)
+
+    datasetUUID 是数据集的 UUID。这是 Flocker 数据集的唯一标识符。
+
+<!--
+- **gcePersistentDisk** (GCEPersistentDiskVolumeSource)
+  gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+  <a name="GCEPersistentDiskVolumeSource"></a>
+  *Represents a Persistent Disk resource in Google Compute Engine.
+  
+  A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.*
+-->
+- **gcePersistentDisk** (GCEPersistentDiskVolumeSource)
+
+  gcePersistentDisk 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 GCE Disk 资源。
+  由管理员进行制备。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  <a name="GCEPersistentDiskVolumeSource"></a> 
+  **表示 Google 计算引擎中的 Persistent Disk 资源。挂载到一个容器之前 GCE PD 必须存在。
+  该磁盘还必须与 kubelet 位于相同的 GCE 项目和区域中。GCE PD 只能挂载为读/写一次或只读多次。
+  GCE PD 支持所有权管理和 SELinux 重新打标签。**
+
+<!--
+  - **gcePersistentDisk.pdName** (string), required
+    pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+  - **gcePersistentDisk.fsType** (string)
+    fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+  - **gcePersistentDisk.partition** (int32)
+    partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+  - **gcePersistentDisk.readOnly** (boolean)
+    readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+-->  
+  - **gcePersistentDisk.pdName** (string)，必需
+
+    pdName 是 GCE 中 PD 资源的唯一名称。用于标识 GCE 中的磁盘。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  - **gcePersistentDisk.fsType** (string)
+
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  - **gcePersistentDisk.partition** (int32)
+
+    partition 是你要挂载的卷中的分区。如果省略，则默认为按卷名称进行挂载。
+    例如：对于卷 /dev/sda1，将分区指定为 “1”。类似地，/dev/sda 的卷分区为 “0”（或可以将属性留空）。
+    更多信息： https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  - **gcePersistentDisk.readOnly** (boolean)
+
+    此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。默认为 false。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+
+<!--
+- **glusterfs** (GlusterfsPersistentVolumeSource)
+  glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md
+
+  <a name="GlusterfsPersistentVolumeSource"></a>
+  *Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.*
+-->
+- **glusterfs** (GlusterfsPersistentVolumeSource)
+
+  glusterfs 表示挂接到主机并暴露给 Pod 的 Glusterfs 卷。由管理员进行制备。更多信息：
+  https://examples.k8s.io/volumes/glusterfs/README.md
+  
+  <a name="GlusterfsPersistentVolumeSource"></a> 
+  **表示与 Pod 生命周期相同的 Glusterfs 挂载。Glusterfs 卷不支持所有权管理或 SELinux 重新打标签。**
+
+<!--
+  - **glusterfs.endpoints** (string), required
+    endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.path** (string), required
+    path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.endpointsNamespace** (string)
+    endpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.readOnly** (boolean)
+    readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+-->  
+  - **glusterfs.endpoints** (string)，必需
+
+    endpoints 是详细说明 Glusterfs 拓扑的端点名称。更多信息：
+    https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+  
+  - **glusterfs.path** (string)，必需
+
+    path 是 Glusterfs 卷路径。更多信息：
+    https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+  
+  - **glusterfs.endpointsNamespace** (string)
+
+    endpointsNamespace 是包含 Glusterfs 端点的名字空间。
+    如果此字段为空，则 EndpointNamespace 默认为与绑定的 PVC 相同的名字空间。
+    更多信息： https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+  
+  - **glusterfs.readOnly** (boolean)
+
+    此处 readOnly 将强制使用只读权限挂载 Glusterfs 卷。默认为 false。更多信息：
+    https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+<!--
+- **iscsi** (ISCSIPersistentVolumeSource)
+  iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+
+  <a name="ISCSIPersistentVolumeSource"></a>
+  *ISCSIPersistentVolumeSource represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.*
+-->
+- **iscsi** (ISCSIPersistentVolumeSource)
+
+  iscsi 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 ISCSI Disk 资源。由管理员进行制备。
+  
+  <a name="ISCSIPersistentVolumeSource"></a> 
+  **ISCSIPersistentVolumeSource 表示一个 ISCSI 磁盘。ISCSI 卷只能以读/写一次进行挂载。ISCSI 卷支持所有权管理和 SELinux 重新打标签。**
+
+<!--
+  - **iscsi.iqn** (string), required
+    iqn is Target iSCSI Qualified Name.
+
+  - **iscsi.lun** (int32), required
+    lun is iSCSI Target Lun number.
+
+  - **iscsi.targetPortal** (string), required
+    targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
+-->  
+  - **iscsi.iqn** (string)，必需
+
+    iqn 是目标 iSCSI 限定名称（Target iSCSI Qualified Name）。
+  
+  - **iscsi.lun** (int32)，必需
+
+    lun 是 iSCSI 目标逻辑单元号（iSCSI Target Lun）。
+  
+  - **iscsi.targetPortal** (string)，必需
+
+    targetPortal 是 iSCSI 目标门户（iSCSI Target Portal）。
+    如果不是默认端口（通常是 TCP 端口 860 和 3260），则 Portal 为 IP 或 ip_addr:port。
+
+<!--
+  - **iscsi.chapAuthDiscovery** (boolean)
+    chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
+
+  - **iscsi.chapAuthSession** (boolean)
+    chapAuthSession defines whether support iSCSI Session CHAP authentication
+
+  - **iscsi.fsType** (string)
+    fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+-->  
+  - **iscsi.chapAuthDiscovery** (boolean)
+
+    chapAuthDiscovery 定义是否支持 iSCSI Discovery CHAP 身份认证。
+  
+  - **iscsi.chapAuthSession** (boolean)
+
+    chapAuthSession 定义是否支持 iSCSI Session CHAP 身份认证。
+  
+  - **iscsi.fsType** (string)
+
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#iscsi
+
+<!--
+  - **iscsi.initiatorName** (string)
+    initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface \<target portal>:\<volume name> will be created for the connection.
+
+  - **iscsi.iscsiInterface** (string)
+    iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).
+
+  - **iscsi.portals** ([]string)
+    portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
+
+  - **iscsi.readOnly** (boolean)
+    readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.
+-->  
+  - **iscsi.initiatorName** (string)
+
+    initiatorName 是自定义的 iSCSI 发起程序名称（iSCSI Initiator Name）。
+    如果同时用 iscsiInterface 指定 initiatorName，将为连接创建新的 iSCSI 接口 \<目标门户>:\<卷名称>。
+  
+  - **iscsi.iscsiInterface** (string)
+
+    iscsiInterface 是使用 iSCSI 传输的接口名称。默认为 “default”（tcp）。
+  
+  - **iscsi.portals** ([]string)
+
+    portals 是 iSCSI 目标门户列表（iSCSI Target Portal List）。
+    如果不是默认端口（通常是 TCP 端口 860 和 3260），则 Portal 为 IP 或 ip_addr:port。
+  
+  - **iscsi.readOnly** (boolean)
+
+    此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。默认为 false。
+
+<!--
+  - **iscsi.secretRef** (SecretReference)
+    secretRef is the CHAP Secret for iSCSI target and initiator authentication
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **iscsi.secretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **iscsi.secretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **iscsi.secretRef** (SecretReference)
+
+    secretRef 是 iSCSI 目标和发起程序身份认证所用的 CHAP Secret。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **iscsi.secretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **iscsi.secretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+- **nfs** (NFSVolumeSource)
+  nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
+  <a name="NFSVolumeSource"></a>
+  *Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.*
+
+  - **nfs.path** (string), required
+    path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
+  - **nfs.server** (string), required
+    server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
+  - **nfs.readOnly** (boolean)
+    readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+-->
+- **nfs** (NFSVolumeSource)
+
+  nfs 表示主机上挂载的 NFS。由管理员进行制备。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+  
+  <a name="NFSVolumeSource"></a> 
+  **表示 Pod 的生命周期内持续的 NFS 挂载。NFS 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **nfs.path** (string)，必需
+
+    path 是由 NFS 服务器导出的路径。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+  
+  - **nfs.server** (string)，必需
+
+    server 是 NFS 服务器的主机名或 IP 地址。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+  
+  - **nfs.readOnly** (boolean)
+
+    此处 readOnly 将强制使用只读权限挂载 NFS 导出。默认为 false。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+
+<!--
+- **photonPersistentDisk** (PhotonPersistentDiskVolumeSource)
+  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+
+  <a name="PhotonPersistentDiskVolumeSource"></a>
+  *Represents a Photon Controller persistent disk resource.*
+
+  - **photonPersistentDisk.pdID** (string), required
+    pdID is the ID that identifies Photon Controller persistent disk
+
+  - **photonPersistentDisk.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+-->
+- **photonPersistentDisk** (PhotonPersistentDiskVolumeSource)
+
+  photonPersistentDisk 表示 kubelet 主机上挂接和挂载的 PhotonController 持久磁盘。
+  
+  <a name="PhotonPersistentDiskVolumeSource"></a>
+  **表示 Photon Controller 持久磁盘资源。**
+  
+  - **photonPersistentDisk.pdID** (string)，必需
+
+    pdID 是标识 Photon Controller 持久磁盘的 ID。
+  
+  - **photonPersistentDisk.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+
+<!--
+- **portworxVolume** (PortworxVolumeSource)
+  portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+
+  <a name="PortworxVolumeSource"></a>
+  *PortworxVolumeSource represents a Portworx volume resource.*
+
+  - **portworxVolume.volumeID** (string), required
+    volumeID uniquely identifies a Portworx volume
+
+  - **portworxVolume.fsType** (string)
+    fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **portworxVolume.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+-->
+- **portworxVolume** (PortworxVolumeSource)
+
+  portworxVolume 表示 kubelet 主机上挂接和挂载的 portworx 卷。
+  
+  <a name="PortworxVolumeSource"></a>
+  **PortworxVolumeSource 表示 Portworx 卷资源。**
+  
+  - **portworxVolume.volumeID** (string)，必需
+
+    volumeID 唯一标识 Portworx 卷。
+  
+  - **portworxVolume.fsType** (string)
+
+    fSType 表示要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **portworxVolume.readOnly** (boolean)
+
+    readOnly 默认为 false（读/写）。此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+
+<!--
+- **quobyte** (QuobyteVolumeSource)
+  quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+
+  <a name="QuobyteVolumeSource"></a>
+  *Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.*
+
+  - **quobyte.registry** (string), required
+    registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
+
+  - **quobyte.volume** (string), required
+    volume is a string that references an already created Quobyte volume by name.
+-->
+- **quobyte** (QuobyteVolumeSource)
+
+  quobyte 表示在共享 Pod 生命周期的主机上挂载的 Quobyte。
+  
+  <a name="QuobyteVolumeSource"></a>
+  **表示在 Pod 的生命周期内持续的 Quobyte 挂载。Quobyte 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **quobyte.registry** (string)，必需
+
+    registry 表示将一个或多个 Quobyte Registry 服务指定为 host:port 
+    对的字符串形式（多个条目用英文逗号分隔），用作卷的中央注册表。
+  
+  - **quobyte.volume** (string)，必需
+
+    volume 是一个字符串，通过名称引用已创建的 Quobyte 卷。
+
+<!--
+  - **quobyte.group** (string)
+    group to map volume access to Default is no group
+
+  - **quobyte.readOnly** (boolean)
+    readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
+
+  - **quobyte.tenant** (string)
+    tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+
+  - **quobyte.user** (string)
+    user to map volume access to Defaults to serivceaccount user
+-->  
+  - **quobyte.group** (string)
+
+    group 是将卷访问映射到的组。默认为无组。
+  
+  - **quobyte.readOnly** (boolean)
+
+    此处 readOnly 将强制使用只读权限挂载 Quobyte 卷。默认为 false。
+  
+  - **quobyte.tenant** (string)
+
+    后台中拥有给定 Quobyte 卷的租户。用于动态制备的 Quobyte 卷，其值由插件设置。
+  
+  - **quobyte.user** (string)
+
+    user 是将卷访问映射到的用户。默认为 serivceaccount 用户。
+
+<!--
+- **rbd** (RBDPersistentVolumeSource)
+  rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md
+
+  <a name="RBDPersistentVolumeSource"></a>
+  *Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.*
+
+  - **rbd.image** (string), required
+    image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.monitors** ([]string), required
+    monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+-->
+- **rbd** (RBDPersistentVolumeSource)
+
+  rbd 表示主机上挂载的 Rados 块设备，其生命周期与 Pod 生命周期相同。更多信息：
+  https://examples.k8s.io/volumes/rbd/README.md
+  
+  <a name="RBDPersistentVolumeSource"></a> 
+  **表示在 Pod 的生命周期内一直存在的 Rados 块设备挂载。RBD 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  - **rbd.image** (string)，必需
+
+    image 是 rados 镜像名称。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  - **rbd.monitors** ([]string)，必需
+
+    monitors 是 Ceph 监测的集合。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+<!--
+  - **rbd.fsType** (string)
+    fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+
+  - **rbd.keyring** (string)
+    keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.pool** (string)
+    pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.readOnly** (boolean)
+    readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+-->  
+  - **rbd.fsType** (string)
+
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#rbd
+  
+  - **rbd.keyring** (string)
+
+    keyring 是给定用户的密钥环的路径。默认为 /etc/ceph/keyring。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  - **rbd.pool** (string)
+
+    pool 是 rados 池名称。默认为 rbd。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+   
+  - **rbd.readOnly** (boolean)
+
+    此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。默认为 false。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+<!--
+  - **rbd.secretRef** (SecretReference)
+    secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **rbd.secretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **rbd.secretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+  
+  - **rbd.user** (string)
+    user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+-->  
+  - **rbd.secretRef** (SecretReference)
+
+    secretRef 是针对 RBDUser 的身份认证 Secret 的名称。如果提供，则重载 keyring。默认为 nil。
+    更多信息： https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **rbd.secretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **rbd.secretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+  
+  - **rbd.user** (string)
+
+    user 是 rados 用户名。默认为 admin。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+<!--
+- **scaleIO** (ScaleIOPersistentVolumeSource)
+  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+
+  <a name="ScaleIOPersistentVolumeSource"></a>
+  *ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume*
+
+  - **scaleIO.gateway** (string), required
+    gateway is the host address of the ScaleIO API Gateway.
+-->
+- **scaleIO** (ScaleIOPersistentVolumeSource)
+
+  scaleIO 表示 Kubernetes 节点上挂接和挂载的 ScaleIO 持久卷。
+  
+  <a name="ScaleIOPersistentVolumeSource"></a> 
+  **ScaleIOPersistentVolumeSource 表示一个 ScaleIO 持久卷。**
+  
+  - **scaleIO.gateway** (string)，必需
+
+    gateway 是 ScaleIO API 网关的主机地址。
+
+<!--
+  - **scaleIO.secretRef** (SecretReference), required
+    secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.
+
+    <a name="SecretReference"></a>
+    *SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
+
+    - **scaleIO.secretRef.name** (string)
+      name is unique within a namespace to reference a secret resource.
+
+    - **scaleIO.secretRef.namespace** (string)
+      namespace defines the space within which the secret name must be unique.
+-->  
+  - **scaleIO.secretRef** (SecretReference)，必需
+
+    secretRef 引用包含 ScaleIO 用户和其他敏感信息的 Secret。如果未提供此项，则 Login 操作将失败。
+    
+    <a name="SecretReference"></a> 
+    **SecretReference 表示对某 Secret 的引用，其中包含足够的信息来访问任何名字空间中的 Secret。**
+    
+    - **scaleIO.secretRef.name** (string)
+
+      name 在名字空间内是唯一的，以引用一个 Secret 资源。
+    
+    - **scaleIO.secretRef.namespace** (string)
+
+      namespace 指定一个名字空间，Secret 名称在该名字空间中必须唯一。
+
+<!--
+  - **scaleIO.system** (string), required
+    system is the name of the storage system as configured in ScaleIO.
+
+  - **scaleIO.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs"
+
+  - **scaleIO.protectionDomain** (string)
+    protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
+
+  - **scaleIO.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+-->  
+  - **scaleIO.system** (string)，必需
+
+    system 是 ScaleIO 中所配置的存储系统的名称。
+  
+  - **scaleIO.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。默认为 “xfs”。
+  
+  - **scaleIO.protectionDomain** (string)
+
+    protectionDomain 是 ScaleIO 保护域（ScaleIO Protection Domain）的名称，用于已配置的存储。
+  
+  - **scaleIO.readOnly** (boolean)
+
+    readOnly 默认为 false（读/写）。此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+
+<!--
+  - **scaleIO.sslEnabled** (boolean)
+    sslEnabled is the flag to enable/disable SSL communication with Gateway, default false
+
+  - **scaleIO.storageMode** (string)
+    storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.
+
+  - **scaleIO.storagePool** (string)
+    storagePool is the ScaleIO Storage Pool associated with the protection domain.
+
+  - **scaleIO.volumeName** (string)
+    volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.
+-->  
+  - **scaleIO.sslEnabled** (boolean)
+
+    sslEnabled 是启用/禁用与网关（Gateway）进行 SSL 通信的标志，默认为 false。
+  
+  - **scaleIO.storageMode** (string)
+
+    storageMode 指示卷所用的存储应是 ThickProvisioned 或 ThinProvisioned。
+    默认为 ThinProvisioned。
+  
+  - **scaleIO.storagePool** (string)
+
+    storagePool 是与保护域关联的 ScaleIO Storage Pool。
+  
+  - **scaleIO.volumeName** (string)
+
+    volumeName 是在与此卷源关联的 ScaleIO 系统中已创建的卷的名称。
+
+<!--
+- **storageos** (StorageOSPersistentVolumeSource)
+  storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md
+
+  <a name="StorageOSPersistentVolumeSource"></a>
+  *Represents a StorageOS persistent volume resource.*
+
+  - **storageos.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **storageos.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+-->
+- **storageos** (StorageOSPersistentVolumeSource)
+
+  storageOS 表示一个 StorageOS 卷，该卷被挂接到 kubelet 的主机并挂载到 Pod 中。更多信息：
+  https://examples.k8s.io/volumes/storageos/README.md
+  
+  <a name="StorageOSPersistentVolumeSource"></a>
+  **表示 StorageOS 持久卷资源。**
+  
+  - **storageos.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **storageos.readOnly** (boolean)
+
+    readOnly 默认为 false（读/写）。此处 readOnly 将在 VolumeMounts 中强制设置 readOnly。
+
+<!--
+  - **storageos.secretRef** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)
+    secretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.
+
+  - **storageos.volumeName** (string)
+    volumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.
+
+  - **storageos.volumeNamespace** (string)
+    volumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.
+-->  
+  - **storageos.secretRef** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)
+
+    secretRef 指定用于获取 StorageOS API 凭据的 Secret。如果未指定，则将尝试使用默认值。
+  
+  - **storageos.volumeName** (string)
+
+    volumeName 是 StorageOS 卷的人类可读名称。这些卷名称在一个名字空间内是唯一的。
+  
+  - **storageos.volumeNamespace** (string)
+
+    volumeNamespace 指定 StorageOS 内卷的作用域。如果未指定名字空间，则将使用 Pod 的名字空间。
+    这一字段的存在允许 Kubernetes 中名称作用域与 StorageOS 进行映射，实现更紧密的集成。
+    将 volumeName 设为任何名称均可以重载默认的行为。
+    如果你未在 StorageOS 内使用名字空间，则设为 “default”。
+    StorageOS 内预先不存在的名字空间会被创建。
+
+<!--
+- **vsphereVolume** (VsphereVirtualDiskVolumeSource)
+  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+
+  <a name="VsphereVirtualDiskVolumeSource"></a>
+  *Represents a vSphere volume resource.*
+
+  - **vsphereVolume.volumePath** (string), required
+    volumePath is the path that identifies vSphere volume vmdk
+
+  - **vsphereVolume.fsType** (string)
+    fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **vsphereVolume.storagePolicyID** (string)
+    storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+
+  - **vsphereVolume.storagePolicyName** (string)
+    storagePolicyName is the storage Policy Based Management (SPBM) profile name.
+-->
+- **vsphereVolume** (VsphereVirtualDiskVolumeSource)
+
+  vsphereVolume 表示 kubelet 主机上挂接和挂载的 vSphere 卷。
+  
+  <a name="VsphereVirtualDiskVolumeSource"></a> 
+  **表示 vSphere 卷资源。**
+  
+  - **vsphereVolume.volumePath** (string)，必需
+
+    volumePath 是标识 vSphere 卷 vmdk 的路径。
+  
+  - **vsphereVolume.fsType** (string)
+
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **vsphereVolume.storagePolicyID** (string)
+
+    storagePolicyID 是与 StoragePolicyName 关联的基于存储策略的管理（SPBM）配置文件 ID。
+  
+  - **vsphereVolume.storagePolicyName** (string)
+
+    storagePolicyName 是基于存储策略的管理（SPBM）配置文件名称。
+
+## PersistentVolumeStatus {#PersistentVolumeStatus}
+<!--
+PersistentVolumeStatus is the current status of a persistent volume.
+-->
+PersistentVolumeStatus 是持久卷的当前状态。
+
+<hr>
+
+<!--
+- **message** (string)
+  message is a human-readable message indicating details about why the volume is in this state.
+
+- **phase** (string)
+  phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase
+  
+- **reason** (string)
+  reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the CLI.
+-->
+- **message** (string)
+
+  message 是一条人类可读的消息，指明有关卷为何处于此状态的详细信息。
+
+- **phase** (string)
+
+  phase 表示一个卷是否可用，是否绑定到一个 PVC 或是否由某个 PVC 释放。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#phase
+
+- **reason** (string)
+
+  reason 是一个描述任何故障的简短 CamelCase 字符串，用于机器解析并在 CLI 中整齐地显示。
+
+## PersistentVolumeList {#PersistentVolumeList}
+<!--
+PersistentVolumeList is a list of PersistentVolume items.
+-->
+PersistentVolumeList 是 PersistentVolume 各项的列表。
+
+<hr>
+
+- **apiVersion**: v1
+- **kind**: PersistentVolumeList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>), required
+  items is a list of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  标准的列表元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>)，必需
+
+  items 是持久卷的列表。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes
+
+<!--
+## Operations {#Operations}
+### `get` read the specified PersistentVolume
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 PersistentVolume
+#### HTTP 请求
+GET /api/v1/persistentvolumes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+401: Unauthorized
+
+<!--
+### `get` read status of the specified PersistentVolume
+#### HTTP Request
+-->
+### `get` 读取指定的 PersistentVolume 的状态
+#### HTTP 请求
+GET /api/v1/persistentvolumes/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind PersistentVolume
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 PersistentVolume 的对象
+#### HTTP 请求
+GET /api/v1/persistentvolumes
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeList" >}}">PersistentVolumeList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a PersistentVolume
+#### HTTP Request
+-->
+### `create` 创建 PersistentVolume
+#### HTTP 请求
+POST /api/v1/persistentvolumes
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>，必需
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified PersistentVolume
+#### HTTP Request
+-->
+### `update` 替换指定的 PersistentVolume
+#### HTTP 请求
+PUT /api/v1/persistentvolumes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Created
+
+401: Unauthorized
+
+<!--
+### `update` replace status of the specified PersistentVolume
+#### HTTP Request
+-->
+### `update` 替换指定的 PersistentVolume 的状态
+#### HTTP 请求
+PUT /api/v1/persistentvolumes/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified PersistentVolume
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 PersistentVolume
+#### HTTP 请求
+PATCH /api/v1/persistentvolumes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update status of the specified PersistentVolume
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 PersistentVolume 的状态
+#### HTTP 请求
+PATCH /api/v1/persistentvolumes/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a PersistentVolume
+#### HTTP Request
+-->
+### `delete` 删除 PersistentVolume
+#### HTTP 请求
+DELETE /api/v1/persistentvolumes/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the PersistentVolume
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  PersistentVolume 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): OK
+
+202 (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolume" >}}">PersistentVolume</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of PersistentVolume
+#### HTTP Request
+-->
+### `deletecollection` 删除 PersistentVolume 的集合
+#### HTTP 请求
+DELETE /api/v1/persistentvolumes
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md
new file mode 100644
index 0000000000000..18251f251d06c
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1.md
@@ -0,0 +1,657 @@
+---
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "Secret"
+content_type: "api_reference"
+description: "Secret 包含某些类别的秘密数据。"
+title: "Secret"
+weight: 2
+---
+<!--
+api_metadata:
+  apiVersion: "v1"
+  import: "k8s.io/api/core/v1"
+  kind: "Secret"
+content_type: "api_reference"
+description: "Secret holds secret data of a certain type."
+title: "Secret"
+weight: 2
+-->
+
+`apiVersion: v1`
+
+`import "k8s.io/api/core/v1"`
+
+## Secret {#Secret}
+<!--
+Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.
+-->
+Secret 包含某些类别的秘密数据。
+data 字段值的总字节必须小于 MaxSecretSize 字节。
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: Secret
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **data** (map[string][]byte)
+  Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  
+  标准的对象元数据。
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **data** (map[string][]byte)
+  
+  data 包含秘密数据。
+  每个键必须由字母、数字、“-”、“_” 或 “.” 组成。
+  秘密数据的序列化格式是 base64 编码的字符串，表示此处的任意（可能是非字符串）数据值。
+  请参阅 https://tools.ietf.org/html/rfc4648#section-4
+
+<!--
+- **immutable** (boolean)
+  Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
+
+- **stringData** (map[string]string)
+  stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.
+
+- **type** (string)
+  Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
+-->
+- **immutable** (boolean)
+  
+  如果 immutable 设为 true，则确保不会更新 Secret 中存储的数据（只能修改对象元数据）。
+  如果未设为 true，则可以随时修改此字段。
+  默认为 nil。
+
+- **stringData** (map[string]string)
+  
+  stringData 允许指定字符串格式的非二进制秘密数据。
+  为了方便起见，它作为只写输入字段提供。
+  写入时将所有键和值合并到 data 字段，且覆盖任何现有的值。
+  从 API 读取时绝不会输出 stringData 字段。
+
+- **type** (string)
+  
+  用于满足程序化方式处理秘密数据。
+  更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/configuration/secret/#secret-types
+
+## SecretList {#SecretList}
+
+<!--
+SecretList is a list of Secret.
+-->
+SecretList 是 Secret 的列表。
+
+<hr>
+
+- **apiVersion**: v1
+
+- **kind**: SecretList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>), required
+
+  Items is a list of secret objects. More info: https://kubernetes.io/docs/concepts/configuration/secret
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  
+  标准的列表元数据。
+  更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>)，必需
+  
+  items 是 Secret 对象的列表。
+  更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/configuration/secret
+
+<!--
+## Operations {#Operations}
+
+<hr>
+
+### `get` read the specified Secret
+
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 Secret
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/secrets/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Secret
+- **namespace** (*in path*): string, required
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Secret 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind Secret
+
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 Secret 的对象
+
+#### HTTP 请求
+
+GET /api/v1/namespaces/{namespace}/secrets
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/secret-v1#SecretList" >}}">SecretList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind Secret
+
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 Secret 的对象
+
+#### HTTP 请求
+
+GET /api/v1/secrets
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+
+- **allowWatchBookmarks** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/secret-v1#SecretList" >}}">SecretList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a Secret
+
+#### HTTP Request
+-->
+### `create` 创建 Secret
+
+#### HTTP 请求
+
+POST /api/v1/namespaces/{namespace}/secrets
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified Secret
+
+#### HTTP Request
+-->
+### `update` 替换指定的 Secret
+
+#### HTTP 请求
+
+PUT /api/v1/namespaces/{namespace}/secrets/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Secret
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Secret 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified Secret
+
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 Secret
+
+#### HTTP 请求
+
+PATCH /api/v1/namespaces/{namespace}/secrets/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Secret
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Secret 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/secret-v1#Secret" >}}">Secret</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a Secret
+
+#### HTTP Request
+-->
+### `delete` 删除 Secret
+
+#### HTTP 请求
+
+DELETE /api/v1/namespaces/{namespace}/secrets/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the Secret
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+
+- **name** (**路径参数**): string，必需
+  
+  Secret 的名称
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of Secret
+
+#### HTTP Request
+-->
+### `deletecollection` 删除 Secret 的集合
+
+#### HTTP 请求
+
+DELETE /api/v1/namespaces/{namespace}/secrets
+
+<!--
+#### Parameters
+- **namespace** (*in path*): string, required
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+
+- **namespace** (**路径参数**): string，必需
+  
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md
new file mode 100644
index 0000000000000..4837dfeb35ef9
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1.md
@@ -0,0 +1,561 @@
+---
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "StorageClass"
+content_type: "api_reference"
+description: "StorageClass 为可以动态制备 PersistentVolume 的存储类描述参数。"
+title: "StorageClass"
+weight: 6
+---
+<!--
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "StorageClass"
+content_type: "api_reference"
+description: "StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned."
+title: "StorageClass"
+weight: 6
+-->
+
+`apiVersion: storage.k8s.io/v1`
+
+`import "k8s.io/api/storage/v1"`
+
+## StorageClass {#StorageClass}
+<!--
+StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.
+
+StorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.
+-->
+StorageClass 为可以动态制备 PersistentVolume 的存储类描述参数。
+
+StorageClass 是不受名字空间作用域限制的；按照 etcd 设定的存储类的名称位于 ObjectMeta.Name 中。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: StorageClass
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **provisioner** (string), required
+  Provisioner indicates the type of the provisioner.
+
+- **allowVolumeExpansion** (boolean)
+  AllowVolumeExpansion shows whether the storage class allow volume expand
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准的对象元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **provisioner** (string)，必需
+
+  provisioner 表示制备器的类别。
+
+- **allowVolumeExpansion** (boolean)
+
+  allowVolumeExpansion 显示存储类是否允许卷扩充。
+
+<!--
+- **allowedTopologies** ([]TopologySelectorTerm)
+  *Atomic: will be replaced during a merge*
+
+  Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.
+  
+  <a name="TopologySelectorTerm"></a>
+  *A topology selector term represents the result of label queries. A null or empty topology selector term matches no objects. The requirements of them are ANDed. It provides a subset of functionality as NodeSelectorTerm. This is an alpha feature and may change in the future.*
+-->
+- **allowedTopologies** ([]TopologySelectorTerm)
+
+  **原子性：将在合并期间被替换**
+  
+  限制可以动态制备卷的节点拓扑。每个卷插件定义其自己支持的拓扑规约。
+  空的 TopologySelectorTerm 列表意味着没有拓扑限制。
+  只有启用 VolumeScheduling 功能特性的服务器才能使用此字段。
+  
+  <a name="TopologySelectorTerm"></a> 
+  **拓扑选择器条件表示标签查询的结果。
+  一个 null 或空的拓扑选择器条件不会匹配任何对象。各个条件的要求按逻辑与的关系来计算。
+  此选择器作为 NodeSelectorTerm 所提供功能的子集。此功能为 Alpha 特性，将来可能会变更。**
+
+<!--
+  - **allowedTopologies.matchLabelExpressions** ([]TopologySelectorLabelRequirement)
+    A list of topology selector requirements by labels.
+    <a name="TopologySelectorLabelRequirement"></a>
+    *A topology selector requirement is a selector that matches given label. This is an alpha feature and may change in the future.*
+
+    - **allowedTopologies.matchLabelExpressions.key** (string), required
+      The label key that the selector applies to.
+    - **allowedTopologies.matchLabelExpressions.values** ([]string), required
+      An array of string values. One value must match the label to be selected. Each entry in Values is ORed.
+-->  
+  - **allowedTopologies.matchLabelExpressions** ([]TopologySelectorLabelRequirement)
+
+    按标签设置的拓扑选择器要求的列表。
+    
+    <a name="TopologySelectorLabelRequirement"></a> 
+    **拓扑选择器要求是与给定标签匹配的一个选择器。此功能为 Alpha 特性，将来可能会变更。**
+    
+    - **allowedTopologies.matchLabelExpressions.key** (string)，必需
+
+      选择器所针对的标签键。
+    
+    - **allowedTopologies.matchLabelExpressions.values** ([]string)，必需
+
+      字符串数组。一个值必须与要选择的标签匹配。values 中的每个条目按逻辑或的关系来计算。
+
+<!--
+- **mountOptions** ([]string)
+  Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.
+
+- **parameters** (map[string]string)
+  Parameters holds the parameters for the provisioner that should create volumes of this storage class.
+-->
+- **mountOptions** ([]string)
+
+  此存储类动态制备的 PersistentVolume 用这些 mountOptions（例如 ["ro", "soft"]）进行创建。
+  系统对选项作检查——如果有一个选项无效，则这些 PV 的挂载将失败。
+
+- **parameters** (map[string]string)
+
+  parameters 包含应创建此存储类卷的制备器的参数。
+
+<!--
+- **reclaimPolicy** (string)
+  Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.
+
+- **volumeBindingMode** (string)
+  VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.
+-->
+- **reclaimPolicy** (string)
+
+  此存储类动态制备的 PersistentVolume 用这个 reclaimPolicy 进行创建。默认为 Delete。
+
+- **volumeBindingMode** (string)
+
+  volumeBindingMode 指示应该如何制备和绑定 PersistentVolumeClaim。
+  未设置时，将使用 VolumeBindingImmediate。
+  只有启用 VolumeScheduling 功能特性的服务器才能使用此字段。
+
+## StorageClassList {#StorageClassList}
+<!--
+StorageClassList is a collection of storage classes.
+-->
+StorageClassList 是存储类的集合。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+
+- **kind**: StorageClassList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>), required
+  Items is the list of StorageClasses
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  标准的列表元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>)，必需
+
+  items 是 StorageClass 的列表。
+
+<!--
+## Operations {#Operations}
+### `get` read the specified StorageClass
+#### HTTP Request
+-->
+## 操作 {#Operations}
+
+<hr>
+
+### `get` 读取指定的 StorageClass
+#### HTTP 请求
+GET /apis/storage.k8s.io/v1/storageclasses/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the StorageClass
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  StorageClass 的名称
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind StorageClass
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 StorageClass 的对象
+#### HTTP 请求
+GET /apis/storage.k8s.io/v1/storageclasses
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+- **allowWatchBookmarks** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClassList" >}}">StorageClassList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a StorageClass
+#### HTTP Request
+-->
+### `create` 创建 StorageClass
+#### HTTP 请求
+POST /apis/storage.k8s.io/v1/storageclasses
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **body**: <a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified StorageClass
+#### HTTP Request
+-->
+### `update` 替换指定的 StorageClass
+#### HTTP 请求
+PUT /apis/storage.k8s.io/v1/storageclasses/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the StorageClass
+- **body**: <a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  StorageClass 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified StorageClass
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 StorageClass
+#### HTTP 请求
+PATCH /apis/storage.k8s.io/v1/storageclasses/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the StorageClass
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  StorageClass 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a StorageClass
+#### HTTP Request
+-->
+### `delete` 删除 StorageClass
+#### HTTP 请求
+DELETE /apis/storage.k8s.io/v1/storageclasses/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the StorageClass
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+
+  StorageClass 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): OK
+
+202 (<a href="{{< ref "../config-and-storage-resources/storage-class-v1#StorageClass" >}}">StorageClass</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of StorageClass
+#### HTTP Request
+-->
+### `deletecollection` 删除 StorageClass 的集合
+#### HTTP 请求
+DELETE /apis/storage.k8s.io/v1/storageclasses
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+- **continue** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md
new file mode 100644
index 0000000000000..ef5a7772d0824
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1.md
@@ -0,0 +1,690 @@
+---
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "VolumeAttachment"
+content_type: "api_reference"
+description: "VolumeAttachment 抓取将指定卷挂接到指定节点或从指定节点解除挂接指定卷的意图。"
+title: "VolumeAttachment"
+weight: 7
+---
+<!--
+api_metadata:
+  apiVersion: "storage.k8s.io/v1"
+  import: "k8s.io/api/storage/v1"
+  kind: "VolumeAttachment"
+content_type: "api_reference"
+description: "VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node."
+title: "VolumeAttachment"
+weight: 7
+-->
+
+`apiVersion: storage.k8s.io/v1`
+
+`import "k8s.io/api/storage/v1"`
+
+## VolumeAttachment {#VolumeAttachment}
+<!--
+VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
+
+VolumeAttachment objects are non-namespaced.
+-->
+VolumeAttachment 抓取将指定卷挂接到指定节点或从指定节点解除挂接指定卷的意图。
+
+VolumeAttachment 对象未划分命名空间。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+- **kind**: VolumeAttachment
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachmentSpec" >}}">VolumeAttachmentSpec</a>), required
+  Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+  标准的对象元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **spec** (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachmentSpec" >}}">VolumeAttachmentSpec</a>)，必需
+  期望的挂接/解除挂接卷行为的规约。由 Kubernetes 系统填充。
+
+<!--
+- **status** (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachmentStatus" >}}">VolumeAttachmentStatus</a>)
+  Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.
+-->
+- **status** (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachmentStatus" >}}">VolumeAttachmentStatus</a>)
+  VolumeAttachment 请求的状态。由完成挂接或解除挂接操作的实体（即外部挂接器）进行填充。
+
+## VolumeAttachmentSpec {#VolumeAttachmentSpec}
+<!--
+VolumeAttachmentSpec is the specification of a VolumeAttachment request.
+-->
+VolumeAttachmentSpec 是 VolumeAttachment 请求的规约。
+
+<hr>
+
+<!--
+- **attacher** (string), required
+  Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().
+
+- **nodeName** (string), required
+  The node that the volume should be attached to.
+-->
+- **attacher** (string)，必需
+  attacher 表示必须处理此请求的卷驱动的名称。这是由 GetPluginName() 返回的名称。
+
+- **nodeName** (string)，必需
+  卷应挂接到的节点。
+
+<!--
+- **source** (VolumeAttachmentSource), required
+  Source represents the volume that should be attached.
+
+  <a name="VolumeAttachmentSource"></a>
+  *VolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.*
+
+  - **source.inlineVolumeSpec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeSpec" >}}">PersistentVolumeSpec</a>)
+    inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.
+
+  - **source.persistentVolumeName** (string)
+    Name of the persistent volume to attach.
+-->
+- **source** (VolumeAttachmentSource)，必需
+  source 表示应挂接的卷。
+  
+  <a name="VolumeAttachmentSource"></a>
+  **VolumeAttachmentSource 表示应挂接的卷。现在只能通过外部挂接器挂接 PersistenVolume，
+  将来我们可能还允许 Pod 中的内联卷。只能设置一个成员。**
+  
+  - **source.inlineVolumeSpec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-v1#PersistentVolumeSpec" >}}">PersistentVolumeSpec</a>)
+    
+    inlineVolumeSpec 包含挂接由 Pod 的内联 VolumeSource 定义的持久卷时所有必需的信息。
+    仅为 CSIMigation 功能填充此字段。
+    它包含从 Pod 的内联 VolumeSource 转换为 PersistentVolumeSpec 的字段。
+    此字段处于 beta 阶段，且只有启用 CSIMigration 功能的服务器才能使用此字段。
+  
+  - **source.persistentVolumeName** (string)
+    要挂接的持久卷的名称。
+
+## VolumeAttachmentStatus {#VolumeAttachmentStatus}
+<!--
+VolumeAttachmentStatus is the status of a VolumeAttachment request.
+- **attached** (boolean), required
+  Indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+-->
+VolumeAttachmentStatus 是 VolumeAttachment 请求的状态。
+
+<hr>
+
+- **attached** (boolean)，必需
+  表示卷被成功挂接。此字段只能由完成挂接操作的实体（例如外部挂接器）进行设置。
+
+<!--
+- **attachError** (VolumeError)
+  The last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+
+  <a name="VolumeError"></a>
+  *VolumeError captures an error encountered during a volume operation.*
+
+  - **attachError.message** (string)
+    String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.
+
+  - **attachError.time** (Time)
+    Time the error was encountered.
+
+    <a name="Time"></a>
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+-->
+- **attachError** (VolumeError)
+  挂接操作期间遇到的最后一个错误，如果有。
+  此字段只能由完成挂接操作的实体（例如外部挂接器）进行设置。
+  
+  <a name="VolumeError"></a> 
+  **VolumeError 抓取卷操作期间遇到的一个错误。**
+  
+  - **attachError.message** (string)
+    此字符串详细说明挂接或解除挂接操作期间遇到的错误。
+    此字符串可以放入日志，因此它不应包含敏感信息。
+  
+  - **attachError.time** (Time)
+    遇到错误的时间。
+    
+    <a name="Time"></a> 
+    **time 是 time.Time 的包装类，支持正确地序列化为 YAML 和 JSON。
+    为 time 包提供的许多工厂方法提供了包装类。**
+
+<!--
+- **attachmentMetadata** (map[string]string)
+  Upon successful attach, this field is populated with any information returned by the attach operation that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+-->
+- **attachmentMetadata** (map[string]string)
+  成功挂接时，此字段将由挂接操作返回的任何信息进行填充，
+  这些信息必须传递到后续的 WaitForAttach 或 Mount 调用中。
+  此字段只能由完成挂接操作的实体（例如外部挂接器）进行设置。
+
+<!--
+- **detachError** (VolumeError)
+  The last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.
+
+  <a name="VolumeError"></a>
+  *VolumeError captures an error encountered during a volume operation.*
+
+  - **detachError.message** (string)
+    String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.
+
+  - **detachError.time** (Time)
+    Time the error was encountered.
+
+    <a name="Time"></a>
+    *Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.*
+-->
+- **detachError** (VolumeError)
+  解除挂接操作期间遇到的最后一个错误，如果有。
+  此字段只能由完成解除挂接操作的实体（例如外部挂接器）进行设置。
+  
+  <a name="VolumeError"></a> 
+  **VolumeError 抓取卷操作期间遇到的一个错误。**
+  
+  - **detachError.message** (string)
+    此字符串详细说明挂接或解除挂接操作期间遇到的错误。
+    此字符串可以放入日志，因此它不应包含敏感信息。
+  
+  - **detachError.time** (Time)
+    遇到错误的时间。
+    
+    <a name="Time"></a> 
+    **time 是 time.Time 的包装类，支持正确地序列化为 YAML 和 JSON。
+    为 time 包提供的许多工厂方法提供了包装类。**
+
+## VolumeAttachmentList {#VolumeAttachmentList}
+<!--
+VolumeAttachmentList is a collection of VolumeAttachment objects.
+-->
+VolumeAttachmentList 是 VolumeAttachment 对象的集合。
+
+<hr>
+
+- **apiVersion**: storage.k8s.io/v1
+- **kind**: VolumeAttachmentList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>), required
+  Items is the list of VolumeAttachments
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+  标准的列表元数据。更多信息：
+  https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+- **items** ([]<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>)，必需
+  items 是 VolumeAttachment 的列表。
+
+<!--
+## Operations {#Operations}
+### `get` read the specified VolumeAttachment
+#### HTTP Request
+-->
+## 操作 {#Operations}
+<hr>
+
+### `get` 读取指定的 VolumeAttachment
+#### HTTP 请求
+
+GET /apis/storage.k8s.io/v1/volumeattachments/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+401: Unauthorized
+
+<!--
+### `get` read status of the specified VolumeAttachment
+#### HTTP Request
+-->
+### `get` 读取指定的 VolumeAttachment 的状态
+#### HTTP 请求
+GET /apis/storage.k8s.io/v1/volumeattachments/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind VolumeAttachment
+#### HTTP Request
+-->
+### `list` 列出或观测类别为 VolumeAttachment 的对象
+#### HTTP 请求
+GET /apis/storage.k8s.io/v1/volumeattachments
+
+<!--
+#### Parameters
+- **allowWatchBookmarks** (*in query*): boolean
+- **continue** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+- **watch** (*in query*): boolean
+-->
+#### 参数
+- **allowWatchBookmarks** (**查询参数**): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+- **continue** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **fieldSelector** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **labelSelector** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **resourceVersion** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+- **watch** (**查询参数**): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachmentList" >}}">VolumeAttachmentList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a VolumeAttachment
+#### HTTP Request
+-->
+### `create` 创建 VolumeAttachment
+#### HTTP 请求
+POST /apis/storage.k8s.io/v1/volumeattachments
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **body**: <a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>，必需
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Created
+
+202 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified VolumeAttachment
+#### HTTP Request
+-->
+### `update` 替换指定的 VolumeAttachment
+#### HTTP 请求
+PUT /apis/storage.k8s.io/v1/volumeattachments/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **body**: <a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>，必需
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Created
+
+401: Unauthorized
+
+<!--
+### `update` replace status of the specified VolumeAttachment
+#### HTTP Request
+-->
+### `update` 替换指定的 VolumeAttachment 的状态
+#### HTTP 请求
+PUT /apis/storage.k8s.io/v1/volumeattachments/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **body**: <a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **body**: <a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>，必需
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified VolumeAttachment
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 VolumeAttachment
+#### HTTP 请求
+PATCH /apis/storage.k8s.io/v1/volumeattachments/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update status of the specified VolumeAttachment
+#### HTTP Request
+-->
+### `patch` 部分更新指定的 VolumeAttachment 的状态
+#### HTTP 请求
+PATCH /apis/storage.k8s.io/v1/volumeattachments/{name}/status
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+- **dryRun** (*in query*): string
+- **fieldManager** (*in query*): string
+- **fieldValidation** (*in query*): string
+- **force** (*in query*): boolean
+- **pretty** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldManager** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+- **fieldValidation** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+- **force** (**查询参数**): boolean
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+201 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a VolumeAttachment
+#### HTTP Request
+-->
+### `delete` 删除 VolumeAttachment
+#### HTTP 请求
+DELETE /apis/storage.k8s.io/v1/volumeattachments/{name}
+
+<!--
+#### Parameters
+- **name** (*in path*): string, required
+  name of the VolumeAttachment
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+-->
+#### 参数
+- **name** (**路径参数**): string，必需
+  VolumeAttachment 的名称
+
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): OK
+
+202 (<a href="{{< ref "../config-and-storage-resources/volume-attachment-v1#VolumeAttachment" >}}">VolumeAttachment</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of VolumeAttachment
+#### HTTP Request
+-->
+### `deletecollection` 删除 VolumeAttachment 的集合
+#### HTTP 请求
+DELETE /apis/storage.k8s.io/v1/volumeattachments
+
+<!--
+#### Parameters
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (*in query*): string
+- **dryRun** (*in query*): string
+- **fieldSelector** (*in query*): string
+- **gracePeriodSeconds** (*in query*): integer
+- **labelSelector** (*in query*): string
+- **limit** (*in query*): integer
+- **pretty** (*in query*): string
+- **propagationPolicy** (*in query*): string
+- **resourceVersion** (*in query*): string
+- **resourceVersionMatch** (*in query*): string
+- **timeoutSeconds** (*in query*): integer
+-->
+#### 参数
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+- **continue** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+- **dryRun** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+- **fieldSelector** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+- **gracePeriodSeconds** (**查询参数**): integer
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+- **labelSelector** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+- **limit** (**查询参数**): integer
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+- **pretty** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+- **propagationPolicy** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+- **resourceVersion** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+- **resourceVersionMatch** (**查询参数**): string
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+- **timeoutSeconds** (**查询参数**): integer
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+-->
+#### 响应
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume.md b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume.md
new file mode 100755
index 0000000000000..5b5f3eb352f8f
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume.md
@@ -0,0 +1,1785 @@
+---
+api_metadata:
+  apiVersion: ""
+  import: "k8s.io/api/core/v1"
+  kind: "Volume"
+content_type: "api_reference"
+description: "Volume 表示 Pod 中一个有名字的卷，可以由 Pod 中的任意容器进行访问。"
+title: "Volume"
+weight: 3
+---
+<!--
+api_metadata:
+  apiVersion: ""
+  import: "k8s.io/api/core/v1"
+  kind: "Volume"
+content_type: "api_reference"
+description: "Volume represents a named volume in a pod that may be accessed by any container in the pod."
+title: "Volume"
+weight: 3
+auto_generated: true
+-->
+
+`import "k8s.io/api/core/v1"`
+
+## Volume {#Volume}
+<!--
+Volume represents a named volume in a pod that may be accessed by any container in the pod.
+-->
+Volume 表示 Pod 中一个有名字的卷，可以由 Pod 中的任意容器进行访问。
+
+<hr>
+
+<!--
+- **name** (string), required
+  name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+-->
+- **name** (string)，必需
+  
+  卷的名称。必须是 DNS_LABEL 且在 Pod 内是唯一的。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/#names
+
+<!--
+### Exposed Persistent volumes
+- **persistentVolumeClaim** (PersistentVolumeClaimVolumeSource)
+  persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
+  <a name="PersistentVolumeClaimVolumeSource"></a>
+  *PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).*
+-->
+### 暴露的持久卷 {#exposed-persistent-volumes}
+- **persistentVolumeClaim** (PersistentVolumeClaimVolumeSource)
+  
+  persistentVolumeClaimVolumeSource 表示对同一名字空间中 PersistentVolumeClaim 的引用。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  
+  <a name="PersistentVolumeClaimVolumeSource"></a>
+  **PersistentVolumeClaimVolumeSource 引用同一名字空间中用户的 PVC。
+  此卷找到绑定的 PV 并为 Pod 挂载这个 PV 卷。
+  PersistentVolumeClaimVolumeSource 本质上是其他人（或系统）拥有的另一类卷的包装类。**
+  
+  <!--
+  - **persistentVolumeClaim.claimName** (string), required
+    claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+
+  - **persistentVolumeClaim.readOnly** (boolean)
+    readOnly Will force the ReadOnly setting in VolumeMounts. Default false.
+  -->
+  - **persistentVolumeClaim.claimName** (string)，必需
+    
+    claimName 是与使用此卷的 Pod 位于同一名字空间中的 PersistentVolumeClaim 的名称。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  
+  - **persistentVolumeClaim.readOnly** (boolean)
+    
+    readOnly 将在卷挂载中强制设置 readOnly 属性。默认为 false。
+
+<!--
+### Projections
+- **configMap** (ConfigMapVolumeSource)
+  configMap represents a configMap that should populate this volume
+
+  <a name="ConfigMapVolumeSource"></a>
+  *Adapts a ConfigMap into a volume.
+  The contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.*
+-->
+### 投射 {#projections}
+- **configMap** (ConfigMapVolumeSource)
+  
+  configMap 表示应填充此卷的 configMap。
+  
+  <a name="ConfigMapVolumeSource"></a>
+  **将 ConfigMap 适配到一个卷中。目标 ConfigMap 的 data 字段的内容将以文件的形式呈现在一个卷中，
+  使用 data 字段中的键名作为文件名，除非 items 元素中已经填充了由键名到路径的特定映射。
+  ConfigMap 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  <!--
+  - **configMap.name** (string)
+    Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+
+  - **configMap.optional** (boolean)
+    optional specify whether the ConfigMap or its keys must be defined
+  -->
+  - **configMap.name** (string)
+    
+    被引用资源的名称。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/#names
+  
+  - **configMap.optional** (boolean)
+    
+    optional 指定是否所引用的 ConfigMap 或其键必须已经被定义。
+  <!--
+  - **configMap.defaultMode** (int32)
+    defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+
+  - **configMap.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+    items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+  -->  
+  - **configMap.defaultMode** (int32)
+    
+    defaultMode 是可选的：默认情况下，模式位用于为已创建的文件设置权限。
+    必须是 0000 到 0777 之间的八进制值或 0 到 511 之间的十进制值。
+    YAML 既接受八进制值也接受十进制值，JSON 针对模式位需要十进制值。此字段默认为 0644。
+    路径内的目录不受此设置的影响。这可能与影响文件模式的其他选项（如 fsGroup）有冲突，且结果可以是其他模式位也被设置。
+  
+  - **configMap.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+    
+    如果未指定 items，则所引用的 ConfigMap 的 data 字段中的每个键值对将作为一个文件被投射到卷中，
+    这个文件的名称是键名，而文件的内容是键的取值。
+    如果指定 items，则所列出的键将被投射到指定的路径中，且不会显示未列出的键。
+    如果指定的键不在 ConfigMap 中，则卷设置将出错，除非对应的键被标记为可选。
+    路径必须是相对路径，不能包含 “..” 路径，也不能以 “..” 开头。
+<!--
+- **secret** (SecretVolumeSource)
+  secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+
+  <a name="SecretVolumeSource"></a>
+  *Adapts a Secret into a volume.
+  The contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.*
+-->
+- **secret** (SecretVolumeSource)
+  
+  secret 表示用来填充此卷的 Secret。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#secret
+  
+  <a name="SecretVolumeSource"></a> 
+  **将 Secret 适配到一个卷中。
+  目标 Secret 的 data 字段的内容将以文件的形式呈现在一个卷中，使用 data 字段中的键名作为文件名。
+  Secret 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  <!--
+  - **secret.secretName** (string)
+    secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+
+  - **secret.optional** (boolean)
+    optional field specify whether the Secret or its keys must be defined
+  -->
+  - **secret.secretName** (string)
+    
+    secretName 是要使用的、位于 Pod 的名字空间中的 Secret 名称。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#secret
+  
+  - **secret.optional** (boolean)
+    
+    optional 字段指定是否 Secret 或其键必须已经定义。
+
+  <!--
+  - **secret.defaultMode** (int32)
+    defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+
+  - **secret.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+    items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+  -->  
+  - **secret.defaultMode** (int32)
+    
+    defaultMode 是可选的：默认情况下，模式位用于为已创建的文件设置权限。
+    必须是 0000 到 0777 之间的八进制值或 0 到 511 之间的十进制值。
+    YAML 既接受八进制值也接受十进制值，JSON 针对模式位需要十进制值。此字段默认为 0644。
+    路径内的目录不受此设置的影响。
+    这可能与影响文件模式的其他选项（如 fsGroup）有冲突，且结果可以是其他模式位也被设置。
+  
+  - **secret.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+    
+    如果未指定 items，则所引用的 Secret 的 data 字段中的每个键值对将作为一个文件被投射到卷中，
+    这个文件的名称是键名，而文件的内容是键的取值。
+    如果指定 items，则所列出的键将被投射到指定的路径中，且不会显示未列出的键。
+    如果指定的键不在 Secret 中，则卷设置将出错，除非对应的键被标记为可选。
+    路径必须是相对路径，不能包含 “..” 路径，也不能以 “..” 开头。
+
+<!--
+- **downwardAPI** (DownwardAPIVolumeSource)
+  downwardAPI represents downward API about the pod that should populate this volume
+
+  <a name="DownwardAPIVolumeSource"></a>
+  *DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.*
+-->
+- **downwardAPI** (DownwardAPIVolumeSource)
+  
+  downwardAPI 表示有关 Pod 的 Downward API，用来填充此卷。
+  
+  <a name="DownwardAPIVolumeSource"></a> 
+  **DownwardAPIVolumeSource 表示包含 Downward API 信息的一个卷。Downward API 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  <!--
+  - **downwardAPI.defaultMode** (int32)
+    Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+
+  - **downwardAPI.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#DownwardAPIVolumeFile" >}}">DownwardAPIVolumeFile</a>)
+    Items is a list of downward API volume file
+  -->
+  - **downwardAPI.defaultMode** (int32)
+    
+    可选：默认情况下，模式位用于已创建的文件。
+    必须是可选的：默认情况下，模式位用于为已创建的文件设置权限。
+    必须是 0000 到 0777 之间的八进制值或 0 到 511 之间的十进制值。
+    YAML 既接受八进制值也接受十进制值，JSON 针对模式位需要十进制值。此字段默认为 0644。
+    路径内的目录不受此设置的影响。这可能与影响文件模式的其他选项（如 fsGroup）有冲突，且结果可以是其他模式位也被设置。
+  
+  - **downwardAPI.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#DownwardAPIVolumeFile" >}}">DownwardAPIVolumeFile</a>)
+    
+    items 是 Downward API 卷文件的列表。
+
+<!--
+- **projected** (ProjectedVolumeSource)
+  projected items for all in one resources secrets, configmaps, and downward API
+
+  <a name="ProjectedVolumeSource"></a>
+  *Represents a projected volume source*
+
+  - **projected.defaultMode** (int32)
+    defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+-->
+- **projected** (ProjectedVolumeSource)
+  
+  这是供 Secret、ConfigMap 和 Downward API 等所有资源使用的投射项。
+  
+  <a name="ProjectedVolumeSource"></a>
+  **表示一个投射的卷源。**
+  
+  - **projected.defaultMode** (int32)
+    
+    defaultMode 是默认情况下用于为已创建的文件设置权限的模式位。
+    必须是 0000 到 0777 之间的八进制值或 0 到 511 之间的十进制值。
+    YAML 既接受八进制值也接受十进制值，JSON 针对模式位需要十进制值。
+    路径内的目录不受此设置的影响。
+    这可能与影响文件模式的其他选项（如 fsGroup）有冲突，且结果可以是其他模式位也被设置。
+
+ <!--
+ - **projected.sources** ([]VolumeProjection)
+    sources is the list of volume projections
+
+    <a name="VolumeProjection"></a>
+    *Projection that may be projected along with other supported volume types*
+
+    - **projected.sources.configMap** (ConfigMapProjection)
+      configMap information about the configMap data to project
+
+      <a name="ConfigMapProjection"></a>
+      *Adapts a ConfigMap into a projected volume.
+      The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.*
+ -->  
+  - **projected.sources** ([]VolumeProjection)
+    
+    sources 是卷投射的列表。
+    
+    <a name="VolumeProjection"></a> 
+    **这里的投射项目可能与其他受支持的卷类型一起进行投射。**
+    
+    - **projected.sources.configMap** (ConfigMapProjection)
+      
+      与要投射的 ConfigMap 数据有关的 ConfigMap 信息。
+      
+      <a name="ConfigMapProjection"></a> 
+      **将 ConfigMap 适配到一个投射的卷中。
+      目标 ConfigMap 的 Data 字段的内容将以文件的形式呈现在一个被投射的卷中，
+      使用 data 字段中的键名作为文件名，除非 items 元素中已经填充了由键名到路径的特定映射。
+      请注意，这等同于没有默认模式的 ConfigMap 卷源。**
+
+      <!--
+      - **projected.sources.configMap.name** (string)
+        Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+
+      - **projected.sources.configMap.optional** (boolean)
+        optional specify whether the ConfigMap or its keys must be defined
+      -->      
+      - **projected.sources.configMap.name** (string)
+        
+        被引用资源的名称。更多信息：
+        https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/#names
+      
+      - **projected.sources.configMap.optional** (boolean)
+        
+        optional 指定是否所引用的 ConfigMap 或其键必须已经被定义。
+      
+      <!--
+      - **projected.sources.configMap.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+        items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+      -->
+      - **projected.sources.configMap.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+        
+        如果未指定 items，则所引用的 ConfigMap 的 data 字段中的每个键值对将作为一个文件被投射到卷中，
+        这个文件的名称是键名，而文件的内容是键的取值。
+        如果指定 items，则所列出的键将被投射到指定的路径中，且不会显示未列出的键。
+        如果指定的键不在 ConfigMap 中，则卷设置将出错，除非对应的键被标记为可选。
+        路径必须是相对路径，不能包含 “..” 路径，也不能以 “..” 开头。
+
+    <!--
+    - **projected.sources.downwardAPI** (DownwardAPIProjection)
+      downwardAPI information about the downwardAPI data to project
+
+      <a name="DownwardAPIProjection"></a>
+      *Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.*
+
+      - **projected.sources.downwardAPI.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#DownwardAPIVolumeFile" >}}">DownwardAPIVolumeFile</a>)
+        Items is a list of DownwardAPIVolume file
+    -->    
+    - **projected.sources.downwardAPI** (DownwardAPIProjection)
+      
+      与要投射的 downward API 数据有关的 downward API 信息。
+      
+      <a name="DownwardAPIProjection"></a> 
+      **表示投射到投射卷的 Downward API 信息。请注意，这等同于没有默认模式的 downwardAPI 卷源。**
+      
+      - **projected.sources.downwardAPI.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#DownwardAPIVolumeFile" >}}">DownwardAPIVolumeFile</a>)
+        
+        items 是 DownwardAPIVolume 文件的列表。
+
+    <!--
+    - **projected.sources.secret** (SecretProjection)
+      secret information about the secret data to project
+
+      <a name="SecretProjection"></a>
+      *Adapts a secret into a projected volume.
+      
+      The contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.*
+
+      - **projected.sources.secret.name** (string)
+        Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+      -->    
+    - **projected.sources.secret** (SecretProjection)
+      
+      与要投射的 Secret 数据有关的 Secret 信息。
+      
+      <a name="SecretProjection"></a> 
+      **将 Secret 适配到一个投射卷中。
+      目标 Secret 的 data 字段的内容将以文件的形式呈现在一个投射卷中，使用 data 字段中的键名作为文件名。
+      请注意，这等同于没有默认模式的 Secret 卷源。**
+      
+      - **projected.sources.secret.name** (string)
+        
+        被引用资源的名称。更多信息：
+        https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/#names
+      
+      <!--
+      - **projected.sources.secret.optional** (boolean)
+        optional field specify whether the Secret or its key must be defined
+
+      - **projected.sources.secret.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+        items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.
+      -->
+      - **projected.sources.secret.optional** (boolean)
+        
+        optional 字段指定是否 Secret 或其键必须已经定义。
+      
+      - **projected.sources.secret.items** ([]<a href="{{< ref "../config-and-storage-resources/volume#KeyToPath" >}}">KeyToPath</a>)
+        
+        如果未指定 items，则所引用的 Secret 的 data 字段中的每个键值对将作为一个文件被投射到卷中，
+        这个文件的名称是键名，而文件的内容是键的取值。
+        如果指定 items，则所列出的键将被投射到指定的路径中，且不会显示未列出的键。
+        如果指定的键不在 Secret 中，则卷设置将出错，除非对应的键被标记为可选。
+        路径必须是相对路径，不能包含 “..” 路径，也不能以 “..” 开头。
+    <!--
+    - **projected.sources.serviceAccountToken** (ServiceAccountTokenProjection)
+      serviceAccountToken is information about the serviceAccountToken data to project
+
+      <a name="ServiceAccountTokenProjection"></a>
+      *ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).*
+
+      - **projected.sources.serviceAccountToken.path** (string), required
+        path is the path relative to the mount point of the file to project the token into.
+    -->    
+    - **projected.sources.serviceAccountToken** (ServiceAccountTokenProjection)
+      
+      serviceAccountToken 是与要投射的服务账号令牌数据有关的信息。
+      
+      <a name="ServiceAccountTokenProjection"></a> 
+      **ServiceAccountTokenProjection 表示一个投射的服务账号令牌卷。
+      这种投射可用于将服务账号令牌插入到 Pod 运行时文件系统，供访问 API（Kubernetes API Server 或其他）使用。**
+      
+      - **projected.sources.serviceAccountToken.path** (string)，必需
+        
+        path 是相对于令牌投射目标文件的挂载点的路径。
+      
+      <!--
+      - **projected.sources.serviceAccountToken.audience** (string)
+        audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
+
+      - **projected.sources.serviceAccountToken.expirationSeconds** (int64)
+        expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.
+      -->
+      - **projected.sources.serviceAccountToken.audience** (string)
+        
+        audience 是令牌的目标受众。
+        令牌的接收方必须用令牌受众中指定的一个标识符来标识自己，否则应拒绝此令牌。
+        受众默认为 apiserver 的标识符。
+      
+      - **projected.sources.serviceAccountToken.expirationSeconds** (int64)
+        
+        expirationSeconds 是所请求的服务账号令牌的有效期。
+        当令牌即将到期时，kubelet 卷插件将主动轮换服务账号令牌。
+        如果令牌超过其生存时间的 80% 或令牌超过 24 小时，kubelet 将开始尝试轮换令牌。
+        默认为 1 小时且必须至少为 10 分钟。
+
+<!--
+### Local / Temporary Directory
+- **emptyDir** (EmptyDirVolumeSource)
+  emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+
+  <a name="EmptyDirVolumeSource"></a>
+  *Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.*
+
+  - **emptyDir.medium** (string)
+    medium represents what type of storage medium should back this directory. The default is "" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+-->
+### 本地/临时目录 {#local-temporary-directory}
+- **emptyDir** (EmptyDirVolumeSource)
+  
+  emptyDir 表示与 Pod 生命周期相同的临时目录。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#emptydir
+  
+  <a name="EmptyDirVolumeSource"></a> 
+  **表示供 Pod 使用的一个空目录。空目录卷支持所有权管理和 SELinux 重新打标签。**
+  
+  - **emptyDir.medium** (string)
+    
+    medium 表示此目录应使用哪种类别的存储介质。默认为 ""，这意味着使用节点的默认介质。
+    必须是空字符串（默认值）或 Memory。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#emptydir
+  
+  <!--
+  - **emptyDir.sizeLimit** (<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+    sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir
+  -->
+  - **emptyDir.sizeLimit** (<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
+    
+    sizeLimit 是这个 EmptyDir 卷所需的本地存储总量。这个大小限制也适用于内存介质。
+    EmptyDir 的内存介质最大使用量将是此处指定的 sizeLimit 与 Pod 中所有容器内存限制总和这两个值之间的最小值。
+    默认为 nil，这意味着限制未被定义。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes/#emptydir
+
+<!--
+- **hostPath** (HostPathVolumeSource)
+  hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
+  <a name="HostPathVolumeSource"></a>
+  *Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.*
+-->
+- **hostPath** (HostPathVolumeSource)
+  
+  hostPath 表示主机上预先存在的文件或目录，它们将被直接暴露给容器。
+  这种卷通常用于系统代理或允许查看主机的其他特权操作。大多数容器**不需要**这种卷。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#hostpath
+  
+  <a name="HostPathVolumeSource"></a> 
+  **表示映射到 Pod 中的主机路径。主机路径卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  <!--
+  - **hostPath.path** (string), required
+    path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+
+  - **hostPath.type** (string)
+    type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+  -->
+  - **hostPath.path** (string)，必需
+    
+    目录在主机上的路径。如果该路径是一个符号链接，则它将沿着链接指向真实路径。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#hostpath
+  
+  - **hostPath.type** (string)
+    
+    HostPath 卷的类型。默认为 ""。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#hostpath
+
+<!--
+### Persistent volumes
+- **awsElasticBlockStore** (AWSElasticBlockStoreVolumeSource)
+  awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
+  <a name="AWSElasticBlockStoreVolumeSource"></a>
+  *Represents a Persistent Disk resource in AWS.
+  
+  An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.*
+-->
+### 持久卷 {#persistent-volumes}
+- **awsElasticBlockStore** (AWSElasticBlockStoreVolumeSource)
+  
+  awsElasticBlockStore 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 AWS Disk 资源。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+  
+  <a name="AWSElasticBlockStoreVolumeSource"></a> 
+  **表示 AWS 上的 Persistent Disk 资源。挂载到一个容器之前 AWS EBS 磁盘必须存在。
+  该磁盘还必须与 kubelet 位于相同的 AWS 区域中。AWS EBS 磁盘只能以读/写一次进行挂载。
+  AWS EBS 卷支持所有权管理和 SELinux 重新打标签。**
+
+  <!--
+  - **awsElasticBlockStore.volumeID** (string), required
+    volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+
+  - **awsElasticBlockStore.fsType** (string)
+    fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  -->  
+  - **awsElasticBlockStore.volumeID** (string)，必需
+    
+    volumeID 是 AWS（Amazon EBS 卷）中持久磁盘资源的唯一 ID。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+
+  - **awsElasticBlockStore.fsType** (string)
+    
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+  
+  <!--
+  - **awsElasticBlockStore.partition** (int32)
+    partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+
+  - **awsElasticBlockStore.readOnly** (boolean)
+    readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  -->
+  - **awsElasticBlockStore.partition** (int32)
+    
+    partition 是你要挂载的卷中的分区。如果省略，则默认为按卷名称进行挂载。例如：对于卷 /dev/sda1，
+    将分区指定为 “1”。类似地，/dev/sda 的卷分区为 “0”（或可以将属性留空）。
+  
+  - **awsElasticBlockStore.readOnly** (boolean)
+    
+    readOnly 值为 true 将使得卷挂载被强制设置为 readOnly。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#awselasticblockstore
+
+<!--
+- **azureDisk** (AzureDiskVolumeSource)
+  azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+
+  <a name="AzureDiskVolumeSource"></a>
+  *AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.*
+-->
+- **azureDisk** (AzureDiskVolumeSource)
+  
+  azureDisk 表示挂载到主机上并绑定挂载到 Pod 上的 Azure 数据盘。
+  
+  <a name="AzureDiskVolumeSource"></a>
+  **azureDisk 表示挂载到主机上并绑定挂载到 Pod 上的 Azure 数据盘。**
+  
+  <!--
+  - **azureDisk.diskName** (string), required
+    diskName is the Name of the data disk in the blob storage
+
+  - **azureDisk.diskURI** (string), required
+    diskURI is the URI of data disk in the blob storage
+
+  - **azureDisk.cachingMode** (string)
+    cachingMode is the Host Caching mode: None, Read Only, Read Write.
+  -->
+  - **azureDisk.diskName** (string)，必需
+    
+    diskName 是 Blob 存储中数据盘的名称。
+  
+  - **azureDisk.diskURI** (string)，必需
+    
+    diskURI 是 Blob 存储中数据盘的 URI。
+  
+  - **azureDisk.cachingMode** (string)
+    
+    cachingMode 是主机缓存（Host Caching）模式：None、Read Only、Read Write。
+
+  <!--
+  - **azureDisk.fsType** (string)
+    fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **azureDisk.kind** (string)
+    kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared
+
+  - **azureDisk.readOnly** (boolean)
+    readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+  -->  
+  - **azureDisk.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **azureDisk.kind** (string)
+    
+    kind 预期值包括：
+
+    - Shared：每个存储帐户多个 Blob 磁盘；
+    - Dedicated：每个存储帐户单个 Blob 磁盘；
+    - Managed：azure 托管的数据盘（仅托管的可用性集合中）。
+    
+    默认为 Shared。
+  
+  - **azureDisk.readOnly** (boolean)
+    
+    readOnly 默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+
+<!--
+- **azureFile** (AzureFileVolumeSource)
+  azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+
+  <a name="AzureFileVolumeSource"></a>
+  *AzureFile represents an Azure File Service mount on the host and bind mount to the pod.*
+-->
+- **azureFile** (AzureFileVolumeSource)
+  
+  azureDisk 表示挂载到主机上并绑定挂载到 Pod 上的 Azure File Service。
+  
+  <a name="AzureFileVolumeSource"></a> 
+  **azureFile 表示挂载到主机上并绑定挂载到 Pod 上的 Azure File Service。**
+  
+  <!--
+  - **azureFile.secretName** (string), required
+    secretName is the  name of secret that contains Azure Storage Account Name and Key
+
+  - **azureFile.shareName** (string), required
+    shareName is the azure share Name
+
+  - **azureFile.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+  -->
+  - **azureFile.secretName** (string)，必需
+    
+    secretName 是包含 Azure 存储账号名称和主键的 Secret 的名称。
+  
+  - **azureFile.shareName** (string)，必需
+    
+    shareName 是 Azure 共享名称。
+  
+  - **azureFile.readOnly** (boolean)
+    
+    readOnly 默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+
+<!--
+- **cephfs** (CephFSVolumeSource)
+  cephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+
+  <a name="CephFSVolumeSource"></a>
+  *Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.*
+
+  - **cephfs.monitors** ([]string), required
+    monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+-->
+- **cephfs** (CephFSVolumeSource)
+  
+  cephfs 表示在主机上挂载的 Ceph FS，该文件系统挂载与 Pod 的生命周期相同。
+  
+  <a name="CephFSVolumeSource"></a> 
+  **表示在 Pod 的生命周期内持续的 Ceph Filesystem 挂载。cephfs 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **cephfs.monitors** ([]string)，必需
+    
+    monitors 是必需的。monitors 是 Ceph 监测的集合。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  
+  <!--
+  - **cephfs.path** (string)
+    path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+
+  - **cephfs.readOnly** (boolean)
+    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  -->
+  - **cephfs.path** (string)
+    
+    path 是可选的。用作挂载的根，而不是挂载完整的 Ceph 树，默认为 “/”。
+  
+  - **cephfs.readOnly** (boolean)
+    
+    readOnly 是可选的。默认为 false（读/写）。
+    此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+  <!--
+  - **cephfs.secretFile** (string)
+    secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+  - **cephfs.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+  - **cephfs.user** (string)
+    user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  -->  
+  - **cephfs.secretFile** (string)
+    
+    secretFile 是可选的。secretFile 是 User 对应的密钥环的路径，默认为 /etc/ceph/user.secret。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  
+  - **cephfs.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    secretRef 是可选的。secretRef 是针对用户的身份认证 Secret 的引用，默认为空。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+  
+  - **cephfs.user** (string)
+    
+    user 是可选的。user 是 rados 用户名，默认为 admin。更多信息：
+    https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+
+<!--
+- **cinder** (CinderVolumeSource)
+  cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  <a name="CinderVolumeSource"></a>
+  *Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.*
+
+  - **cinder.volumeID** (string), required
+    volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+-->
+- **cinder** (CinderVolumeSource)
+  
+  cinder 表示 kubelet 主机上挂接和挂载的 Cinder 卷。更多信息：
+  https://examples.k8s.io/mysql-cinder-pd/README.md
+  
+  <a name="CinderVolumeSource"></a> 
+  **表示 Openstack 中的一个 Cinder 卷资源。挂载到一个容器之前 Cinder 卷必须已经存在。
+  该卷还必须与 kubelet 位于相同的地区中。cinder 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  - **cinder.volumeID** (string)，必需
+    
+    volumeID 用于标识 Cinder 中的卷。更多信息：
+    https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  <!--
+  - **cinder.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  - **cinder.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+
+  - **cinder.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.
+  -->  
+  - **cinder.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。例如：“ext4”、“xfs”、“ntfs”。
+    如果未指定，则隐式推断为“ext4”。更多信息：
+    https://examples.k8s.io/mysql-cinder-pd/README.md
+  
+  - **cinder.readOnly** (boolean)
+    
+    readOnly 默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+    更多信息： https://examples.k8s.io/mysql-cinder-pd/README.md
+  
+  - **cinder.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    secretRef 是可选的。指向 Secret 对象，内含的参数用于连接到 OpenStack。
+
+<!--
+- **csi** (CSIVolumeSource)
+  csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+
+  <a name="CSIVolumeSource"></a>
+  *Represents a source location of a volume to mount, managed by an external CSI driver*
+
+  - **csi.driver** (string), required
+    driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.
+
+  - **csi.fsType** (string)
+    fsType to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.
+-->
+- **csi** (CSIVolumeSource)
+  
+  csi 表示由某个外部容器存储接口（Container Storage Interface，CSI）驱动处理的临时存储（Beta 特性）。
+  
+  <a name="CSIVolumeSource"></a> 
+  **表示要挂载的卷的源位置，由外部 CSI 驱动进行管理。**
+  
+  - **csi.driver** (string)，必需
+    
+    driver 是处理此卷的 CSI 驱动的名称。咨询你的管理员以获取在集群中注册的正确名称。
+  
+  - **csi.fsType** (string)
+    
+    要挂载的 fsType。例如 “ext4”、“xfs”、“ntfs”。
+    如果未提供，则将空值传递给关联的 CSI 驱动，以便决定要应用的默认文件系统。
+
+  <!--
+  - **csi.nodePublishSecretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and  may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.
+
+  - **csi.readOnly** (boolean)
+    readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).
+
+  - **csi.volumeAttributes** (map[string]string)
+    volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.
+  -->  
+  - **csi.nodePublishSecretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    nodePublishSecretRef 是对包含敏感信息的 Secret 对象的引用，
+    该 Secret 对象将被传递到 CSI 驱动以完成 CSI NodePublishVolume 和 NodeUnpublishVolume 调用。
+    此字段是可选的，如果不需要 Secret，则此字段可以为空。
+    如果 Secret 对象包含多个 Secret，则所有 Secret 引用将被传递。
+  
+  - **csi.readOnly** (boolean)
+    
+    readOnly 指定供卷使用的只读配置。默认为 false（读/写）。
+  
+  - **csi.volumeAttributes** (map[string]string)
+    
+    volumeAttributes 存储传递给 CSI 驱动且特定于驱动的属性。查阅你的驱动文档，了解支持的值。
+
+<!--
+- **fc** (FCVolumeSource)
+  fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+
+  <a name="FCVolumeSource"></a>
+  *Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.*
+-->
+- **fc** (FCVolumeSource)
+  
+  fc 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 Fibre Channel 资源。
+  
+  <a name="FCVolumeSource"></a>
+  **表示 Fibre Channel 卷。Fibre Channel 卷只能以读/写一次进行挂载。
+  Fibre Channel 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  <!--
+  - **fc.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **fc.lun** (int32)
+    lun is Optional: FC target lun number
+  -->
+  - **fc.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **fc.lun** (int32)
+    
+    lun 是可选的：FC 目标 lun 编号。
+
+  <!--
+  - **fc.readOnly** (boolean)
+    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+
+  - **fc.targetWWNs** ([]string)
+    targetWWNs is Optional: FC target worldwide names (WWNs)
+
+  - **fc.wwids** ([]string)
+    wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+  -->  
+  - **fc.readOnly** (boolean)
+    
+    readOnly 是可选的。默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+  
+  - **fc.targetWWNs** ([]string)
+    
+    targetWWNs 是可选的。FC 目标全球名称（WWN）。
+  
+  - **fc.wwids** ([]string)
+    
+    wwids 是可选的。FC 卷全球识别号（wwids）。
+    必须设置 wwids 或 targetWWNs 及 lun 的组合，但不能同时设置两者。
+
+<!--
+- **flexVolume** (FlexVolumeSource)
+  flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.
+
+  <a name="FlexVolumeSource"></a>
+  *FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.*
+
+  - **flexVolume.driver** (string), required
+    driver is the name of the driver to use for this volume.
+
+  - **flexVolume.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+-->
+- **flexVolume** (FlexVolumeSource)
+  
+  flexVolume 表示使用基于 exec 的插件制备/挂接的通用卷资源。
+  
+  <a name="FlexVolumeSource"></a> 
+  **flexVolume 表示使用基于 exec 的插件制备/挂接的通用卷资源。**
+  
+  - **flexVolume.driver** (string)，必需
+    
+    driver 是供此卷使用的驱动的名称。
+  
+  - **flexVolume.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。例如 “ext4”、“xfs”、“ntfs”。
+    默认的文件系统取决于 flexVolume 脚本。
+
+  <!--
+  - **flexVolume.options** (map[string]string)
+    options is Optional: this field holds extra command options if any.
+
+  - **flexVolume.readOnly** (boolean)
+    readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+
+  - **flexVolume.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.
+  -->  
+  - **flexVolume.options** (map[string]string)
+    
+    options 是可选的。此字段包含额外的命令选项（如果有）。
+  
+  - **flexVolume.readOnly** (boolean)
+    
+    readOnly 是可选的。默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+  
+  - **flexVolume.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    secretRef 是可选的。secretRef 是对包含敏感信息的 Secret 对象的引用，该 Secret 会被传递到插件脚本。
+    如果未指定 Secret 对象，则此字段可以为空。如果 Secret 对象包含多个 Secret，则所有 Secret 被传递到插件脚本。
+
+<!--
+- **flocker** (FlockerVolumeSource)
+  flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+
+  <a name="FlockerVolumeSource"></a>
+  *Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.*
+
+  - **flocker.datasetName** (string)
+    datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
+
+  - **flocker.datasetUUID** (string)
+    datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
+-->
+- **flocker** (FlockerVolumeSource)
+  
+  flocker 表示挂接到一个 kubelet 主机的 Flocker 卷。Flocker 卷依赖于正在运行的 Flocker 控制服务。
+  
+  <a name="FlockerVolumeSource"></a> 
+  **表示 Flocker 代理挂载的 Flocker 卷。应设置一个且仅设置 datasetName 和 datasetUUID 中的一个。
+  Flocker 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **flocker.datasetName** (string)
+    
+    datasetName 是存储为元数据的数据集的名称。Flocker 数据集的名称应视为已弃用。
+  
+  - **flocker.datasetUUID** (string)
+    
+    datasetUUID 是数据集的 UUID。这是 Flocker 数据集的唯一标识符。
+
+<!--
+- **gcePersistentDisk** (GCEPersistentDiskVolumeSource)
+  gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+  <a name="GCEPersistentDiskVolumeSource"></a>
+  *Represents a Persistent Disk resource in Google Compute Engine.
+  
+  A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.*
+-->
+- **gcePersistentDisk** (GCEPersistentDiskVolumeSource)
+  
+  gcePersistentDisk 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 GCE Disk 资源。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  <a name="GCEPersistentDiskVolumeSource"></a>
+  **表示 Google Compute Engine 中的 Persistent Disk 资源。
+  挂载到一个容器之前 GCE PD 必须已经存在。该磁盘还必须与 kubelet 位于相同的 GCE 项目和区域中。
+  GCE PD 只能挂载为读/写一次或只读多次。GCE PD 支持所有权管理和 SELinux 重新打标签。**
+
+  <!--
+  - **gcePersistentDisk.pdName** (string), required
+    pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  - **gcePersistentDisk.fsType** (string)
+    fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  -->  
+  - **gcePersistentDisk.pdName** (string)，必需
+    
+    pdName 是 GCE 中 PD 资源的唯一名称。用于标识 GCE 中的磁盘。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+
+  - **gcePersistentDisk.fsType** (string)
+    
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为“ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  <!--
+  - **gcePersistentDisk.partition** (int32)
+    partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+
+  - **gcePersistentDisk.readOnly** (boolean)
+    readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  -->
+  - **gcePersistentDisk.partition** (int32)
+    
+    partition 是你要挂载的卷中的分区。如果省略，则默认为按卷名称进行挂载。
+    例如：对于卷 /dev/sda1，将分区指定为 “1”。类似地，/dev/sda 的卷分区为 “0”（或可以将属性留空）。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+  
+  - **gcePersistentDisk.readOnly** (boolean)
+    
+    此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。默认为 false。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#gcepersistentdisk
+
+<!--
+- **glusterfs** (GlusterfsVolumeSource)
+  glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md
+
+  <a name="GlusterfsVolumeSource"></a>
+  *Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.*
+-->
+- **glusterfs** (GlusterfsVolumeSource)
+  
+  glusterfs 表示在与 Pod 共享生命周期的主机上挂载的 Glusterfs。更多信息：
+  https://examples.k8s.io/volumes/glusterfs/README.md
+  
+  <a name="GlusterfsVolumeSource"></a> 
+  **表示在 Pod 的生命周期内持续的 Glusterfs 挂载。glusterfs 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  <!--
+  - **glusterfs.endpoints** (string), required
+    endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.path** (string), required
+    path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+  - **glusterfs.readOnly** (boolean)
+    readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+  -->
+  - **glusterfs.endpoints** (string)，必需
+    
+    endpoints 是详细说明 Glusterfs 拓扑的端点名称。更多信息：
+    https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+  
+  - **glusterfs.path** (string)，必需
+    
+    path 是 Glusterfs 卷路径。更多信息：
+    https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+  
+  - **glusterfs.readOnly** (boolean)
+    
+    此处 readOnly 将强制使用只读权限挂载 Glusterfs 卷。默认为 false。更多信息：
+    https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+
+<!--
+- **iscsi** (ISCSIVolumeSource)
+  iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md
+
+  <a name="ISCSIVolumeSource"></a>
+  *Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.*
+-->
+- **iscsi** (ISCSIVolumeSource)
+  
+  iscsi 表示挂接到 kubelet 的主机随后暴露给 Pod 的一个 ISCSI Disk 资源。更多信息：
+  https://examples.k8s.io/volumes/iscsi/README.md
+  
+  <a name="ISCSIVolumeSource"></a> 
+  **表示一个 ISCSI 磁盘。ISCSI 卷只能以读/写一次进行挂载。ISCSI 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  <!--
+  - **iscsi.iqn** (string), required
+    iqn is the target iSCSI Qualified Name.
+
+  - **iscsi.lun** (int32), required
+    lun represents iSCSI Target Lun number.
+
+  - **iscsi.targetPortal** (string), required
+    targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
+  -->
+  - **iscsi.iqn** (string)，必需
+    
+    iqn 是目标 iSCSI 限定名称。
+  
+  - **iscsi.lun** (int32)，必需
+    
+    lun 表示 iSCSI 目标逻辑单元号。
+  
+  - **iscsi.targetPortal** (string)，必需
+    
+    targetPortal 是 iSCSI 目标门户。
+    如果不是默认端口（通常是 TCP 端口 860 和 3260），则 Portal 为 IP 或 ip_addr:port。
+
+  <!--
+  - **iscsi.chapAuthDiscovery** (boolean)
+    chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
+
+  - **iscsi.chapAuthSession** (boolean)
+    chapAuthSession defines whether support iSCSI Session CHAP authentication
+  -->  
+  - **iscsi.chapAuthDiscovery** (boolean)
+    
+    chapAuthDiscovery 定义是否支持 iSCSI Discovery CHAP 身份认证。
+  
+  - **iscsi.chapAuthSession** (boolean)
+    
+    chapAuthSession 定义是否支持 iSCSI Session CHAP 身份认证。
+  
+  <!--
+  - **iscsi.fsType** (string)
+    fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+
+  - **iscsi.initiatorName** (string)
+    initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface \<target portal>:\<volume name> will be created for the connection.
+  -->
+  - **iscsi.fsType** (string)
+    
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#iscsi
+  
+  - **iscsi.initiatorName** (string)
+    
+    initiatorName 是自定义的 iSCSI 发起程序名称（iSCSI Initiator Name）。
+    如果同时用 iscsiInterface 指定 initiatorName，将为连接创建新的 iSCSI 接口 \<目标门户>:\<卷名称>。
+
+  <!--
+  - **iscsi.iscsiInterface** (string)
+    iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).
+
+  - **iscsi.portals** ([]string)
+    portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
+  -->  
+  - **iscsi.iscsiInterface** (string)
+    
+    iscsiInterface 是使用 iSCSI 传输的接口名称。默认为 “default”（tcp）。
+  
+  - **iscsi.portals** ([]string)
+    
+    portals 是 iSCSI 目标门户列表（iSCSI Target Portal List）。
+    如果不是默认端口（通常是 TCP 端口 860 和 3260），则 Portal 为 IP 或 ip_addr:port。
+  
+  <!--
+  - **iscsi.readOnly** (boolean)
+    readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.
+
+  - **iscsi.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    secretRef is the CHAP Secret for iSCSI target and initiator authentication
+  -->
+  - **iscsi.readOnly** (boolean)
+    
+    此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。默认为 false。
+  
+  - **iscsi.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    secretRef 是 iSCSI 目标和发起程序身份认证所用的 CHAP Secret。
+
+<!--
+- **nfs** (NFSVolumeSource)
+  nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
+  <a name="NFSVolumeSource"></a>
+  *Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.*
+
+  - **nfs.path** (string), required
+    path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+-->
+- **nfs** (NFSVolumeSource)
+  
+  nfs 表示在主机上挂载的 NFS，其生命周期与 Pod 相同。更多信息：
+  https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+  
+  <a name="NFSVolumeSource"></a>
+  **表示 Pod 的生命周期内一直存在的 NFS 挂载。NFS 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  - **nfs.path** (string)，必需
+    
+    path 是由 NFS 服务器导出的路径。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+  
+  <!--
+  - **nfs.server** (string), required
+    server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+
+  - **nfs.readOnly** (boolean)
+    readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+  -->
+  - **nfs.server** (string)，必需
+    
+    server 是 NFS 服务器的主机名或 IP 地址。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+  
+  - **nfs.readOnly** (boolean)
+    
+    此处 readOnly 将强制使用只读权限挂载 NFS 导出。默认为 false。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#nfs
+
+<!--
+- **photonPersistentDisk** (PhotonPersistentDiskVolumeSource)
+  photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+
+  <a name="PhotonPersistentDiskVolumeSource"></a>
+  *Represents a Photon Controller persistent disk resource.*
+
+  - **photonPersistentDisk.pdID** (string), required
+    pdID is the ID that identifies Photon Controller persistent disk
+
+  - **photonPersistentDisk.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+-->
+- **photonPersistentDisk** (PhotonPersistentDiskVolumeSource)
+  
+  photonPersistentDisk 表示 kubelet 主机上挂接和挂载的 PhotonController 持久磁盘。
+  
+  <a name="PhotonPersistentDiskVolumeSource"></a> 
+  **表示 Photon Controller 持久磁盘资源。**
+  
+  - **photonPersistentDisk.pdID** (string)，必需
+    
+    pdID 是标识 Photon Controller 持久磁盘的 ID。
+  
+  - **photonPersistentDisk.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+
+<!--
+- **portworxVolume** (PortworxVolumeSource)
+  portworxVolume represents a portworx volume attached and mounted on kubelets host machine
+
+  <a name="PortworxVolumeSource"></a>
+  *PortworxVolumeSource represents a Portworx volume resource.*
+
+  - **portworxVolume.volumeID** (string), required
+    volumeID uniquely identifies a Portworx volume
+-->
+- **portworxVolume** (PortworxVolumeSource)
+  
+  portworxVolume 表示 kubelet 主机上挂接和挂载的 portworx 卷。
+  
+  <a name="PortworxVolumeSource"></a> 
+  **PortworxVolumeSource 表示 Portworx 卷资源。**
+  
+  - **portworxVolume.volumeID** (string)，必需
+    
+    volumeID 唯一标识 Portworx 卷。
+  
+  <!--
+  - **portworxVolume.fsType** (string)
+    fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **portworxVolume.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+  -->
+  - **portworxVolume.fsType** (string)
+    
+    fSType 表示要挂载的文件系统类型。必须是主机操作系统支持的文件系统类型。例如 “ext4”、“xfs”。
+    如果未指定，则隐式推断为 “ext4”。
+  
+  - **portworxVolume.readOnly** (boolean)
+    
+    readOnly 默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+
+<!--
+- **quobyte** (QuobyteVolumeSource)
+  quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+
+  <a name="QuobyteVolumeSource"></a>
+  *Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.*
+-->
+- **quobyte** (QuobyteVolumeSource)
+  
+  quobyte 表示在共享 Pod 生命周期的主机上挂载的 Quobyte。
+  
+  <a name="QuobyteVolumeSource"></a> 
+  **表示在 Pod 的生命周期内持续的 Quobyte 挂载。Quobyte 卷不支持所有权管理或 SELinux 重新打标签。**
+  
+  <!--
+  - **quobyte.registry** (string), required
+    registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
+
+  - **quobyte.volume** (string), required
+    volume is a string that references an already created Quobyte volume by name.
+
+  - **quobyte.group** (string)
+    group to map volume access to Default is no group
+  -->
+  - **quobyte.registry** (string)，必需
+    
+    registry 表示将一个或多个 Quobyte Registry 服务指定为 host:port 对的字符串形式
+    （多个条目用英文逗号分隔），用作卷的中央注册表。
+  
+  - **quobyte.volume** (string)，必需
+    
+    volume 是按名称引用已创建的 Quobyte 卷的字符串。
+  
+  - **quobyte.group** (string)
+    
+    group 是将卷访问映射到的组。默认为无组。
+
+  <!--
+  - **quobyte.readOnly** (boolean)
+    readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
+
+  - **quobyte.tenant** (string)
+    tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+
+  - **quobyte.user** (string)
+    user to map volume access to Defaults to serivceaccount user
+  -->  
+  - **quobyte.readOnly** (boolean)
+    
+    此处 readOnly 将强制使用只读权限挂载 Quobyte 卷。默认为 false。
+  
+  - **quobyte.tenant** (string)
+    
+    tenant 拥有 Backend Used 中给定的 Quobyte 卷，随动态制备的 Quobyte 卷一起使用，值由插件设置。
+  
+  - **quobyte.user** (string)
+    
+    user 是将卷访问映射到的用户。默认为 serivceaccount 用户。
+
+<!--
+- **rbd** (RBDVolumeSource)
+  rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md
+
+  <a name="RBDVolumeSource"></a>
+  *Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.*
+
+  - **rbd.image** (string), required
+    image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+-->
+- **rbd** (RBDVolumeSource)
+  
+  rbd 表示在共享 Pod 生命周期的主机上挂载的 Rados Block Device。更多信息：
+  https://examples.k8s.io/volumes/rbd/README.md
+  
+  <a name="RBDVolumeSource"></a> 
+  **表示在 Pod 的生命周期内持续的 Rados Block Device 挂载。RBD 卷支持所有权管理和 SELinux 重新打标签。**
+  
+  - **rbd.image** (string)，必需
+    
+    image 是 rados 镜像名称。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  <!--
+  - **rbd.monitors** ([]string), required
+    monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.fsType** (string)
+    fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+  -->
+  - **rbd.monitors** ([]string)，必需
+    
+    monitors 是 Ceph 监测的集合。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  - **rbd.fsType** (string)
+    
+    fsType 是你要挂载的卷的文件系统类型。提示：确保主机操作系统支持此文件系统类型。
+    例如：“ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。更多信息：
+    https://kubernetes.io/zh-cn/docs/concepts/storage/volumes#rbd
+
+  <!--
+  - **rbd.keyring** (string)
+    keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.pool** (string)
+    pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.readOnly** (boolean)
+    readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  -->  
+  - **rbd.keyring** (string)
+    
+    keyring 是 RBDUser 密钥环的路径。默认为 /etc/ceph/keyring。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  - **rbd.pool** (string)
+    
+    pool 是 rados 池名称。默认为 rbd。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  - **rbd.readOnly** (boolean)
+    
+    此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。默认为 false。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  <!--
+  - **rbd.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+  - **rbd.user** (string)
+    user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  -->
+  - **rbd.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    secretRef 是 RBDUser 的身份认证 Secret 的名称。如果提供，则重载 keyring。默认为 nil。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+  
+  - **rbd.user** (string)
+    
+    user 是 rados 用户名。默认为 admin。更多信息：
+    https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+
+<!--
+- **scaleIO** (ScaleIOVolumeSource)
+  scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+
+  <a name="ScaleIOVolumeSource"></a>
+  *ScaleIOVolumeSource represents a persistent ScaleIO volume*
+
+  - **scaleIO.gateway** (string), required
+    gateway is the host address of the ScaleIO API Gateway.
+-->
+- **scaleIO** (ScaleIOVolumeSource)
+  
+  scaleIO 表示 Kubernetes 节点上挂接和挂载的 ScaleIO 持久卷。
+  
+  <a name="ScaleIOVolumeSource"></a> 
+  **ScaleIOVolumeSource 表示一个 ScaleIO 持久卷。**
+  
+  - **scaleIO.gateway** (string)，必需
+    
+    gateway 是 ScaleIO API 网关的主机地址。
+  
+  <!--
+  - **scaleIO.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>), required
+    secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.
+
+  - **scaleIO.system** (string), required
+    system is the name of the storage system as configured in ScaleIO.
+
+  - **scaleIO.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs".
+  -->
+  - **scaleIO.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)，必需
+    
+    secretRef 引用到 ScaleIO 用户的 Secret 和其他敏感信息。如果未提供此项，则 Login 操作将失败。
+  
+  - **scaleIO.system** (string)，必需
+    
+    system 是存储系统的名称，与 ScaleIO 中的配置相同。
+  
+  - **scaleIO.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。例如 “ext4”、“xfs”、“ntfs”。默认为 “xfs”。
+
+  <!--
+  - **scaleIO.protectionDomain** (string)
+    protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
+
+  - **scaleIO.readOnly** (boolean)
+    readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+
+  - **scaleIO.sslEnabled** (boolean)
+    sslEnabled Flag enable/disable SSL communication with Gateway, default false
+  -->  
+  - **scaleIO.protectionDomain** (string)
+    
+    protectionDomain 是 ScaleIO 保护域（ScaleIO Protection Domain）的名称，用于已配置的存储。
+  
+  - **scaleIO.readOnly** (boolean)
+    
+    readOnly 默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+  
+  - **scaleIO.sslEnabled** (boolean)
+    
+    sslEnabled 标志启用/禁用与网关的 SSL 通信，默认为 false。
+  
+  <!--
+  - **scaleIO.storageMode** (string)
+    storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.
+
+  - **scaleIO.storagePool** (string)
+    storagePool is the ScaleIO Storage Pool associated with the protection domain.
+
+  - **scaleIO.volumeName** (string)
+    volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.
+  -->
+  - **scaleIO.storageMode** (string)
+    
+    storageMode 指示卷所用的存储应是 ThickProvisioned 或 ThinProvisioned。默认为 ThinProvisioned。
+  
+  - **scaleIO.storagePool** (string)
+    
+    storagePool 是与保护域关联的 ScaleIO Storage Pool。
+  
+  - **scaleIO.volumeName** (string)
+    
+    volumeName 是在与此卷源关联的 ScaleIO 系统中已创建的卷的名称。
+
+<!--
+- **storageos** (StorageOSVolumeSource)
+  storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+
+  <a name="StorageOSVolumeSource"></a>
+  *Represents a StorageOS persistent volume resource.*
+
+  - **storageos.fsType** (string)
+    fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+-->
+- **storageos** (StorageOSVolumeSource)
+  
+  storageOS 表示 Kubernetes 节点上挂接和挂载的 StorageOS 卷。
+  
+  <a name="StorageOSVolumeSource"></a> 
+  **表示 StorageOS 持久卷资源。**
+  
+  - **storageos.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  <!--
+  - **storageos.readOnly** (boolean)
+    readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.
+
+  - **storageos.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    secretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.
+  -->
+  - **storageos.readOnly** (boolean)
+    
+    readOnly 默认为 false（读/写）。此处的 readOnly 将强制设置卷挂载中的 readOnly 属性。
+  
+  - **storageos.secretRef** (<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
+    
+    secretRef 指定用于获取 StorageOS API 凭据的 Secret。如果未指定，则将尝试使用默认值。
+
+  <!--
+  - **storageos.volumeName** (string)
+    volumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.
+
+  - **storageos.volumeNamespace** (string)
+    volumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.
+  -->  
+  - **storageos.volumeName** (string)
+    
+    volumeName 是 StorageOS 卷的人类可读名称。这些卷名称在一个名字空间内是唯一的。
+  
+  - **storageos.volumeNamespace** (string)
+    
+    volumeNamespace 指定 StorageOS 内卷的作用域。如果未指定名字空间，则将使用 Pod 的名字空间。
+    这个设置使得 Kubernetes 的名字作用域可以在 StorageOS 内进行映射，实现更紧密的集成。
+    将 volumeName 设为任何名称以重载默认的行为。如果你未在 StorageOS 内使用名字空间，则设为“default”。
+    将创建 StorageOS 内预先不存在的名字空间。
+
+<!--
+- **vsphereVolume** (VsphereVirtualDiskVolumeSource)
+  vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+
+  <a name="VsphereVirtualDiskVolumeSource"></a>
+  *Represents a vSphere volume resource.*
+
+  - **vsphereVolume.volumePath** (string), required
+    volumePath is the path that identifies vSphere volume vmdk
+-->
+- **vsphereVolume** (VsphereVirtualDiskVolumeSource)
+  
+  vsphereVolume 表示 kubelet 主机上挂接和挂载的 vSphere 卷。
+  
+  <a name="VsphereVirtualDiskVolumeSource"></a>
+  **表示 vSphere 卷资源。**
+  
+  - **vsphereVolume.volumePath** (string)，必需
+    
+    volumePath 是标识 vSphere 卷 vmdk 的路径。
+  
+  <!--
+  - **vsphereVolume.fsType** (string)
+    fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+
+  - **vsphereVolume.storagePolicyID** (string)
+    storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+
+  - **vsphereVolume.storagePolicyName** (string)
+    storagePolicyName is the storage Policy Based Management (SPBM) profile name.
+  -->
+  - **vsphereVolume.fsType** (string)
+    
+    fsType 是要挂载的文件系统类型。必须是主机操作系统所支持的文件系统类型之一。
+    例如 “ext4”、“xfs”、“ntfs”。如果未指定，则隐式推断为 “ext4”。
+  
+  - **vsphereVolume.storagePolicyID** (string)
+    
+    storagePolicyID 是与 StoragePolicyName 关联的基于存储策略的管理（SPBM）配置文件 ID。
+  
+  - **vsphereVolume.storagePolicyName** (string)
+    
+    storagePolicyName 是基于存储策略的管理（SPBM）配置文件名称。
+
+<!--
+### Alpha level
+- **ephemeral** (EphemeralVolumeSource)
+  ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.
+  
+  Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity
+     tracking are needed,
+  c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through
+     a PersistentVolumeClaim (see EphemeralVolumeSource for more
+     information on the connection between this volume type
+     and PersistentVolumeClaim).
+-->
+### Alpha 级别 {#alpha-level}
+- **ephemeral** (EphemeralVolumeSource)
+  
+  ephemeral 表示由一个集群存储驱动处理的卷。此卷的生命周期与定义其的 Pod 相关联。
+  Pod 启动前创建此卷，Pod 移除时删除此卷。
+  
+  使用此字段的情形包括：
+  a) 仅在 pod 运行时才需要此卷，
+  b) 需要从快照恢复或容量跟踪等正常卷的功能特性，
+  c) 通过存储类指定存储驱动，以及
+  d) 存储驱动支持通过 PersistentVolumeClaim 进行动态卷制备（有关此卷类型和 PersistentVolumeClaim 之间连接的更多信息，请参考 EphemeralVolumeSource）。
+
+<!--
+  Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.
+  
+  Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.
+  
+  A pod can use both types of ephemeral volumes and persistent volumes at the same time.
+
+  <a name="EphemeralVolumeSource"></a>
+  *Represents an ephemeral volume that is handled by a normal storage driver.*
+-->  
+  对于持续时间超过单个 Pod 生命周期的卷，使用 PersistentVolumeClaim 或某种特定于供应商的 API。
+  
+  如果打算以这种方式使用 CSI 驱动，则将 CSI 用于轻量级本地临时卷。更多的相关信息，请参考驱动文档。
+  
+  一个 Pod 可以同时使用临时卷和持久卷这两种类别的卷。
+  
+  <a name="EphemeralVolumeSource"></a>
+  **表示由一个正常存储驱动处理的临时卷。**
+
+  <!--
+  - **ephemeral.volumeClaimTemplate** (PersistentVolumeClaimTemplate)
+
+    Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod.  The name of the PVC will be `\<pod name>-\<volume name>` where `\<volume name>` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).
+    
+    An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.
+  -->  
+  - **ephemeral.volumeClaimTemplate** (PersistentVolumeClaimTemplate)
+    
+    将用于创建独立的 PVC 以制备卷。
+    嵌入了 EphemeralVolumeSource 的 Pod 将是 PVC 的所有者，即 PVC 将与 Pod 一起删除。
+    PVC 的名称将是 `<pod 名称>-<卷名称>`，其中 `<卷名称>` 是来自 `PodSpec.Volumes` 数组条目的名称。
+    如果串联的名称对于 PVC 无效（例如太长），则 Pod 验证将拒绝该 Pod。
+    
+    如果具有此名称的 PVC 不属于 Pod，则这个 PVC 将不会用于此 Pod，以避免错误地使用不相关的卷。
+    如果出现这种情况，Pod 的启动操作会被阻塞直到不相关的 PVC 被移除。
+    如果 Pod 准备使用这样一个预先创建的 PVC ，那么一旦此 Pod 出现，就必须更新 PVC，
+    将其属主引用指向该 Pod。通常没有必要这样做，但这对手动重构损坏的集群时可能很有用。
+
+    <!--
+    This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.
+    
+    Required, must not be nil.
+
+    <a name="PersistentVolumeClaimTemplate"></a>
+    *PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.*
+    -->    
+    此字段是只读的，PVC 被创建后 Kubernetes 不会对其进行任何更改。
+    
+    必需，不能为 nil。
+    
+    <a name="PersistentVolumeClaimTemplate"></a> 
+    **PersistentVolumeClaimTemplate 用于作为 EphemeralVolumeSource 的一部分生成 PersistentVolumeClaim 对象。**
+    
+    <!--
+    - **ephemeral.volumeClaimTemplate.spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimSpec" >}}">PersistentVolumeClaimSpec</a>), required
+
+      The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.
+
+    - **ephemeral.volumeClaimTemplate.metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+      May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.
+    -->
+    - **ephemeral.volumeClaimTemplate.spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimSpec" >}}">PersistentVolumeClaimSpec</a>)，必需
+      
+      PersistentVolumeClaim 的规约。整个规约的内容将被原封不动地复制到从此模板创建的 PVC 中。
+      与 PersistentVolumeClaim 相同的字段在此处也有效。
+    
+    - **ephemeral.volumeClaimTemplate.metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+      
+      可能包含一些标签和注解，在创建 PVC 时，这些数据会被复制到 PVC 中。在验证期间，其他字段都不允许设置进而被拒绝。
+
+<!--
+### Deprecated
+- **gitRepo** (GitRepoVolumeSource)
+  gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.
+
+  <a name="GitRepoVolumeSource"></a>
+  *Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling.
+  
+  DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.*
+-->
+### 已弃用 {#deprecated}
+- **gitRepo** (GitRepoVolumeSource)
+  
+  gitRepo 表示特定修订版本的 git 仓库。（注意：GitRepo 已被弃用。）如果与为某容器提速 Git 仓库，
+  可以先将 emptyDir 挂载到 InitContainer 上，由后者使用 git 克隆仓库，然后将 emptyDir 挂载到 Pod 的容器中。
+  
+  <a name="GitRepoVolumeSource"></a> 
+  **表示用 Git 仓库的内容进行填充的一个卷。Git 仓库卷不支持所有权管理。Git 仓库卷支持 SELinux 重新打标签。
+  （注意：GitRepo 已被弃用。）如果与为某容器提速 Git 仓库，
+  可以先将 emptyDir 挂载到 InitContainer 上，由后者使用 git 克隆仓库，然后将 emptyDir 挂载到 Pod 的容器中。**
+
+  <!--
+  - **gitRepo.repository** (string), required
+    repository is the URL
+
+  - **gitRepo.directory** (string)
+    directory is the target directory name. Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the git repository.  Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.
+
+  - **gitRepo.revision** (string)
+    revision is the commit hash for the specified revision.
+  -->  
+  - **gitRepo.repository** (string)，必需
+    
+    repository 是仓库的 URL。
+  
+  - **gitRepo.directory** (string)
+    
+    directory 是目标目录的名称。不得包含 “..” 或以 “..” 开头。如果提供了 “.”，则卷目录将是 Git 仓库。
+    否则，如果指定，卷将用给定名称的子目录中存放 Git 仓库。
+  
+  - **gitRepo.revision** (string)
+    
+    revision 是指定修订版本的提交哈希值。
+
+## DownwardAPIVolumeFile {#DownwardAPIVolumeFile}
+<!--
+DownwardAPIVolumeFile represents information to create the file containing the pod field
+<hr>
+- **path** (string), required
+  Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+
+- **fieldRef** (<a href="{{< ref "../common-definitions/object-field-selector#ObjectFieldSelector" >}}">ObjectFieldSelector</a>)
+  Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
+-->
+DownwardAPIVolumeFile 表示创建包含 Pod 字段的文件的信息。
+
+<hr>
+
+- **path** (string)，必需
+  
+  必需。path 是要创建的文件的相对路径名称。不得使用绝对路径，也不得包含 “..” 路径。
+  必须用 UTF-8 进行编码。相对路径的第一项不得用 “..” 开头。
+
+- **fieldRef** (<a href="{{< ref "../common-definitions/object-field-selector#ObjectFieldSelector" >}}">ObjectFieldSelector</a>)
+  
+  必需。选择 Pod 的字段：仅支持注解、标签、名称和名字空间。
+
+<!--
+- **mode** (int32)
+  Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+
+- **resourceFieldRef** (<a href="{{< ref "../common-definitions/resource-field-selector#ResourceFieldSelector" >}}">ResourceFieldSelector</a>)
+  Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+-->
+- **mode** (int32)
+  
+  可选：模式位用于设置文件的权限，必须是 0000 到 0777 之间的八进制值或 0 到 511 之间的十进制值。
+  YAML 既接受八进制值也接受十进制值，JSON 针对模式位需要十进制值。
+  如果未指定，则将使用卷 defaultMode。
+  这可能与影响文件模式的其他选项（如 fsGroup）有冲突，且结果可以是其他模式位也被设置。
+
+- **resourceFieldRef** (<a href="{{< ref "../common-definitions/resource-field-selector#ResourceFieldSelector" >}}">ResourceFieldSelector</a>)
+  
+  选择容器的资源：目前仅支持资源限制与请求（limits.cpu、limits.memory、requests.cpu 和 requests.memory）。
+
+## KeyToPath {#KeyToPath}
+
+<!--
+Maps a string key to a path within a volume.
+<hr>
+- **key** (string), required
+  key is the key to project.
+
+- **path** (string), required
+  path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.
+-->
+将一个字符串键映射到卷中的一个路径。
+
+<hr>
+
+- **key** (string)，必需
+  
+  key 是要投射的键。
+
+- **path** (string)，必需
+  
+  path 是将键映射到的文件的相对路径。不能是绝对路径。不能包含路径元素 “..”。不能以字符串 “..” 开头。
+
+<!--
+- **mode** (int32)
+  mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.
+-->
+- **mode** (int32)
+  
+  mode 是可选的：模式位用于为文件设置权限。必须是 0000 到 0777 之间的八进制值或 0 到 511 之间的十进制值。
+  YAML 既接受八进制值也接受十进制值，JSON 针对模式位需要十进制值。
+  如果未指定，则将使用卷 defaultMode。
+  这可能与影响文件模式的其他选项（如 fsGroup）有冲突，且结果可以是其他模式位也被设置。
diff --git a/content/zh/docs/reference/kubernetes-api/extend-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/extend-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/extend-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/extend-resources/_index.md
diff --git a/content/zh/docs/reference/kubernetes-api/policy-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/policy-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/policy-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/policy-resources/_index.md
diff --git a/content/zh/docs/reference/kubernetes-api/service-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/service-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/service-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/service-resources/_index.md
diff --git a/content/zh/docs/reference/kubernetes-api/workload-resources/_index.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/_index.md
similarity index 100%
rename from content/zh/docs/reference/kubernetes-api/workload-resources/_index.md
rename to content/zh-cn/docs/reference/kubernetes-api/workload-resources/_index.md
diff --git a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md
new file mode 100644
index 0000000000000..d29eda09df6e0
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md
@@ -0,0 +1,1069 @@
+---
+api_metadata:
+  apiVersion: "apps/v1"
+  import: "k8s.io/api/apps/v1"
+  kind: "ControllerRevision"
+content_type: "api_reference"
+description: "ControllerRevision 实现了状态数据的不可变快照。"
+title: "ControllerRevision"
+weight: 7
+auto_generated: false
+---
+
+<!--
+api_metadata:
+  apiVersion: "apps/v1"
+  import: "k8s.io/api/apps/v1"
+  kind: "ControllerRevision"
+content_type: "api_reference"
+description: "ControllerRevision implements an immutable snapshot of state data."
+title: "ControllerRevision"
+weight: 7
+auto_generated: true
+-->
+
+
+`apiVersion: apps/v1`
+
+`import "k8s.io/api/apps/v1"`
+
+<!-- 
+## ControllerRevision {#ControllerRevision 
+-->
+## ControllerRevision {#ControllerRevision}
+
+<!--
+ControllerRevision implements an immutable snapshot of state data.
+Clients are responsible for serializing and deserializing the objects that contain their internal state.
+Once a ControllerRevision has been successfully created, it can not be updated. 
+The API Server will fail validation of all requests that attempt to mutate the Data field.
+ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback,
+this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability.
+It is primarily for internal use by controllers.
+
+<hr>
+-->
+ControllerRevision 实现了状态数据的不可变快照。
+客户端负责序列化和反序列化对象，包含对象内部状态。
+成功创建 ControllerRevision 后，将无法对其进行更新。
+API 服务器将无法成功验证所有尝试改变 data 字段的请求。
+但是，可以删除 ControllerRevisions。
+请注意，由于 DaemonSet 和 StatefulSet 控制器都使用它来进行更新和回滚，所以这个对象是 beta 版。
+但是，它可能会在未来版本中更改名称和表示形式，客户不应依赖其稳定性。
+它主要供控制器内部使用。
+
+<hr>
+
+<!--
+- **apiVersion**: apps/v1
+-->
+- **apiVersion**: apps/v1
+
+<!--
+- **kind**: ControllerRevision
+-->
+- **kind**: ControllerRevision
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准的对象元数据。
+  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **revision** (int64), required
+
+  Revision indicates the revision of the state represented by Data.
+-->
+- **revision** (int64)，必需
+
+  revision 表示 data 表示的状态的修订。
+
+<!--
+- **data** (RawExtension)
+
+  Data is the serialized representation of the state.
+-->
+- **data** (RawExtension)
+
+  data 是状态的序列化表示。
+  
+  <!--
+  <a name="RawExtension"></a>
+    *RawExtension is used to hold extensions in external versions.
+  -->
+  <a name="RawExtension"></a>
+  *RawExtension 用于以外部版本来保存扩展数据。
+  
+  <!--
+  To use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.
+  -->
+  要使用它，请生成一个字段，在外部、版本化结构中以 RawExtension 作为其类型，在内部结构中以 Object 作为其类型。
+  
+  <!--
+  // Internal package: type MyAPIObject struct {
+    	runtime.TypeMeta `json:",inline"`
+    	MyPlugin runtime.Object `json:"myPlugin"`
+    } type PluginA struct {
+    	AOption string `json:"aOption"`
+    }
+  -->
+  // 内部包：  
+  type MyAPIObject struct {  
+  	runtime.TypeMeta `json:",inline"`   
+  	MyPlugin runtime.Object `json:"myPlugin"`  
+  }       
+  type PluginA struct {  
+  	AOption string `json:"aOption"`  
+  }
+  
+  <!--
+  // External package: type MyAPIObject struct {
+    	runtime.TypeMeta `json:",inline"`
+    	MyPlugin runtime.RawExtension `json:"myPlugin"`
+    } type PluginA struct {
+    	AOption string `json:"aOption"`
+    }
+  -->
+  // 外部包：   
+  type MyAPIObject struct {  
+  	runtime.TypeMeta `json:",inline"`  
+  	MyPlugin runtime.RawExtension `json:"myPlugin"`    
+  }   
+  type PluginA struct {  
+  	AOption string `json:"aOption"`  
+  }
+  
+  <!--
+  // On the wire, the JSON will look something like this: {
+    	"kind":"MyAPIObject",
+    	"apiVersion":"v1",
+    	"myPlugin": {
+    		"kind":"PluginA",
+    		"aOption":"foo",
+    	},
+    }
+  -->
+  // 在网络上，JSON 看起来像这样：   
+  {  
+  	"kind":"MyAPIObject",  
+  	"apiVersion":"v1",  
+  	"myPlugin": {  
+  		"kind":"PluginA",  
+  		"aOption":"foo",  
+  	},  
+  }
+  
+  <!--
+  So what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)*
+  -->
+  那么会发生什么？
+  解码首先使用 json 或 yaml 将序列化数据解组到你的外部 MyAPIObject 中。
+  这会导致原始 JSON 被存储下来，但不会被解包。
+  下一步是复制（使用 pkg/conversion）到内部结构中。
+  runtime 包的 DefaultScheme 安装了转换函数，它将解析存储在 RawExtension 中的 JSON，
+  将其转换为正确的对象类型，并将其存储在 Object 中。
+  （TODO：如果对象是未知类型，将创建并存储一个 `runtime.Unknown`对象。）*
+
+<!--
+## ControllerRevisionList {#ControllerRevisionList}
+
+ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+
+<hr>
+-->
+## ControllerRevisionList {#ControllerRevisionList}
+
+ControllerRevisionList 是一个包含 ControllerRevision 对象列表的资源。
+
+<hr>
+
+<!--
+- **apiVersion**: apps/v1
+-->
+- **apiVersion**: apps/v1
+
+<!--
+- **kind**: ControllerRevisionList
+-->
+- **kind**: ControllerRevisionList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **items** ([]<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>), required
+
+  Items is the list of ControllerRevisions
+-->
+- **items** ([]<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>)，必需
+
+  items 是 ControllerRevisions 的列表
+
+<!--
+## Operations {#Operations}
+
+<hr>
+-->
+## 操作 {#Operations}
+
+<hr>
+
+<!--
+### `get` read the specified ControllerRevision
+-->
+### `get` 读取特定的 ControllerRevision
+
+<!--
+#### HTTP Request
+
+GET /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+-->
+#### HTTP 请求
+
+GET /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the ControllerRevision
+-->
+- **name** （**路径参数**）：string，必需
+
+  ControllerRevision 的名称
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind ControllerRevision
+-->
+### `list` 列出或监视 ControllerRevision 类别的对象
+
+<!--
+#### HTTP Request
+
+GET /apis/apps/v1/namespaces/{namespace}/controllerrevisions
+-->
+#### HTTP 请求
+
+GET /apis/apps/v1/namespaces/{namespace}/controllerrevisions
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **allowWatchBookmarks** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+-->
+- **allowWatchBookmarks** （**查询参数**）： boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+<!--
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+-->
+- **continue** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+-->
+- **fieldSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+<!--
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+-->
+- **labelSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+-->
+- **limit** (**查询参数**)): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+-->
+- **resourceVersion** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+-->
+- **resourceVersionMatch** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+- **timeoutSeconds** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+- **watch** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+- **watch** （**查询参数**）： boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevisionList" >}}">ControllerRevisionList</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevisionList" >}}">ControllerRevisionList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `list` list or watch objects of kind ControllerRevision
+-->
+### `list` 列出或监视 ControllerRevision 类别的对象
+
+<!--
+#### HTTP Request
+
+GET /apis/apps/v1/controllerrevisions
+-->
+#### HTTP 请求
+
+GET /apis/apps/v1/controllerrevisions
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **allowWatchBookmarks** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+-->
+- **allowWatchBookmarks** （**查询参数**）： boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+<!--
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+-->
+- **continue** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+-->
+- **fieldSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+<!--
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+-->
+- **labelSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+-->
+- **limit** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+-->
+- **resourceVersion** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+-->
+- **resourceVersionMatch** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+- **timeoutSeconds** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+- **watch** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+- **watch** （**查询参数**）： boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevisionList" >}}">ControllerRevisionList</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevisionList" >}}">ControllerRevisionList</a>): OK
+
+401: Unauthorized
+
+<!--
+### `create` create a ControllerRevision
+-->
+### `create` 创建一个 ControllerRevision
+
+<!--
+#### HTTP Request
+
+POST /apis/apps/v1/namespaces/{namespace}/controllerrevisions
+-->
+#### HTTP 请求
+
+POST /apis/apps/v1/namespaces/{namespace}/controllerrevisions
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>, required
+-->
+- **body**: <a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->  
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **fieldManager** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+-->
+- **fieldValidation** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Created
+
+202 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Created
+
+202 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `update` replace the specified ControllerRevision
+-->
+### `update` 替换特定的 ControllerRevision
+
+<!--
+#### HTTP Request
+
+PUT /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+-->
+#### HTTP 参数
+
+PUT /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the ControllerRevision
+-->
+- **name** （**路径参数**）：string，必需
+
+  ControllerRevision 的名称
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>, required
+-->
+- **body**: <a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **fieldManager** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+-->
+- **fieldValidation** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Created
+
+401: Unauthorized
+
+<!--
+### `patch` partially update the specified ControllerRevision
+-->
+### `patch` 部分更新特定的 ControllerRevision
+
+<!--
+#### HTTP Request
+
+PATCH /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+-->
+#### HTTP 请求
+
+PATCH /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the ControllerRevision
+-->
+- **name** （**路径参数**）：string，必需
+
+  ControllerRevision 的名称
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+-->
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **fieldManager** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+-->
+- **fieldValidation** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **force** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+-->
+- **force** （**查询参数**）： boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/controller-revision-v1#ControllerRevision" >}}">ControllerRevision</a>): Created
+
+401: Unauthorized
+
+<!--
+### `delete` delete a ControllerRevision
+-->
+### `delete` 删除一个 ControllerRevision
+
+<!--
+#### HTTP Request
+
+DELETE /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+-->
+#### HTTP 请求
+
+DELETE /apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the ControllerRevision
+-->
+- **name** （**路径参数**）：string，必需
+
+  ControllerRevision 的名称
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+-->
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->  
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+-->
+- **gracePeriodSeconds** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+- **propagationPolicy** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!--
+### `deletecollection` delete collection of ControllerRevision
+-->
+### `deletecollection` 删除 ControllerRevision 集合
+
+<!--
+#### HTTP Request
+
+DELETE /apis/apps/v1/namespaces/{namespace}/controllerrevisions
+-->
+#### HTTP 请求
+
+DELETE /apis/apps/v1/namespaces/{namespace}/controllerrevisions
+
+<!--
+#### Parameters
+-->
+#### 参数
+
+<!--
+- **namespace** (*in path*): string, required
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+-->
+- **namespace** （**路径参数**）：string，必需
+
+  <a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace</a>
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+-->
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+-->  
+- **continue** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+-->
+- **fieldSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+-->
+- **gracePeriodSeconds** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+<!--
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+-->
+- **labelSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+-->
+- **limit** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+- **propagationPolicy** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+-->
+- **resourceVersion** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+-->
+- **resourceVersionMatch** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+- **timeoutSeconds** （**查询参数**）： integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
+
diff --git a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
new file mode 100644
index 0000000000000..52fc887ab97e0
--- /dev/null
+++ b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
@@ -0,0 +1,810 @@
+---
+api_metadata:
+  apiVersion: "scheduling.k8s.io/v1"
+  import: "k8s.io/api/scheduling/v1"
+  kind: "PriorityClass"
+content_type: "api_reference"
+description: "PriorityClass 定义了从优先级类名到优先级数值的映射。"
+title: "PriorityClass"
+weight: 14
+auto_generated: false
+---
+
+<!--
+api_metadata:
+  apiVersion: "scheduling.k8s.io/v1"
+  import: "k8s.io/api/scheduling/v1"
+  kind: "PriorityClass"
+content_type: "api_reference"
+description: "PriorityClass defines mapping from a priority class name to the priority integer value."
+title: "PriorityClass"
+weight: 14
+auto_generated: true
+-->
+
+
+`apiVersion: scheduling.k8s.io/v1`
+
+`import "k8s.io/api/scheduling/v1"`
+
+<!--
+## PriorityClass {#PriorityClass}
+-->
+## PriorityClass {#PriorityClass}
+
+<!-- 
+PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.
+
+<hr>
+ -->
+PriorityClass 定义了从优先级类名到优先级数值的映射。
+该值可以是任何有效的整数。
+
+<hr>
+
+<!--
+ - **apiVersion**: scheduling.k8s.io/v1
+-->
+- **apiVersion**: scheduling.k8s.io/v1
+
+<!-- 
+- **kind**: PriorityClass 
+-->
+- **kind**: PriorityClass
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
+
+  标准对象的元数据。
+  更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **value** (int32), required
+
+  The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
+-->
+- **value** （int32），必需
+
+  此优先级的值。这是 Pod 在其 Pod 规约中有此类名称时收到的实际优先级。
+
+<!--
+- **description** (string)
+
+  description is an arbitrary string that usually provides guidelines on when this priority class should be used.
+-->
+- **description** (string)
+
+  description 是一个任意字符串，通常提供有关何时应使用此优先级的指南。
+
+<!--
+- **globalDefault** (boolean)
+
+  globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.
+-->
+- **globalDefault** (boolean)
+
+  globalDefault 指定是否应将此 PriorityClass 视为没有任何优先级类的 pod 的默认优先级。
+  只有一个 PriorityClass 可以标记为 `globalDefault`。
+  但是，如果存在多个 PriorityClasses 且其 `globalDefault` 字段设置为 true，
+  则将使用此类全局默认 PriorityClasses 的最小值作为默认优先级。
+  
+<!--
+- **preemptionPolicy** (string)
+
+  PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
+-->  
+- **preemptionPolicy** (string)
+
+  PreemptionPolicy 是抢占优先级较低的 Pod 的策略。
+  可选值：Never、PreemptLowerPriority。
+  如果未设置，则默认为 PreemptLowerPriority。
+
+<!--
+## PriorityClassList {#PriorityClassList}
+
+PriorityClassList is a collection of priority classes.
+
+<hr>
+-->
+## PriorityClassList {#PriorityClassList}
+
+PriorityClassList 是优先级类的集合。
+
+<hr>
+
+<!-- 
+- **apiVersion**: scheduling.k8s.io/v1 
+-->
+- **apiVersion**: scheduling.k8s.io/v1
+
+<!-- 
+- **kind**: PriorityClassList 
+-->
+- **kind**: PriorityClassList
+
+<!--
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+-->
+- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
+
+  标准列表元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+<!--
+- **items** ([]<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>), required
+
+  items is the list of PriorityClasses
+-->
+- **items** ([]<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>)，必需
+
+  items 是 PriorityClasses 的列表
+
+<!--
+## Operations {#Operations}
+
+<hr>
+-->
+## 操作 {#Operations}
+
+<hr>
+
+<!-- 
+### `get` read the specified PriorityClass 
+-->
+### `get` 读取特定的 PriorityClass
+
+<!-- 
+#### HTTP Request
+
+GET /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+ -->
+#### HTTP 请求
+
+GET /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+
+<!-- 
+#### Parameters 
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the PriorityClass
+-->
+- **name** （**路径参数**）: string，必需
+
+  PriorityClass 名称
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+401: Unauthorized
+
+<!-- 
+### `list` list or watch objects of kind PriorityClass
+ -->
+### `list` 列出或观察 PriorityClass类的对象
+
+<!-- 
+#### HTTP Request
+
+GET /apis/scheduling.k8s.io/v1/priorityclasses
+-->
+#### HTTP 请求
+
+GET /apis/scheduling.k8s.io/v1/priorityclasses
+
+<!-- 
+#### Parameters 
+-->
+#### 参数
+
+<!--
+- **allowWatchBookmarks** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+-->
+- **allowWatchBookmarks** （**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
+
+<!--
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+-->
+- **continue** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+-->
+- **fieldSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+<!--
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+-->
+- **labelSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+-->
+- **limit** （**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+-->
+- **resourceVersion** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+-->
+- **resourceVersionMatch** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+- **timeoutSeconds** （**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+- **watch** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+-->
+- **watch** （**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClassList" >}}">PriorityClassList</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClassList" >}}">PriorityClassList</a>): OK
+
+401: Unauthorized
+
+<!-- 
+### `create` create a PriorityClass 
+-->
+### `create` 创建一个 PriorityClass
+
+<!--
+#### HTTP Request
+
+POST /apis/scheduling.k8s.io/v1/priorityclasses
+-->
+#### HTTP 请求
+
+POST /apis/scheduling.k8s.io/v1/priorityclasses
+
+<!-- 
+#### Parameters 
+-->
+#### 参数
+
+<!--
+- **body**: <a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>, required
+-->
+- **body**: <a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>，必需
+  
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **fieldManager** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+-->
+- **fieldValidation** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Created
+
+202 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Created
+
+202 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Accepted
+
+401: Unauthorized
+
+<!-- 
+### `update` replace the specified PriorityClass
+-->
+### `update` 替换指定的 PriorityClass
+
+<!--
+#### HTTP Request
+
+PUT /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+-->
+#### HTTP 请求
+
+PUT /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+
+<!--  
+#### Parameters 
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the PriorityClass
+-->
+- **name** （*路径参数*）: string，必需
+
+  PriorityClass 名称
+
+<!--
+- **body**: <a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>, required
+-->
+- **body**: <a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>，必需
+ 
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **fieldManager** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+-->
+- **fieldValidation** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Created
+
+401: Unauthorized
+
+
+<!-- 
+### `patch` partially update the specified PriorityClass  
+-->
+### `patch` 部分更新特定的 PriorityClass
+
+<!--
+#### HTTP Request
+
+PATCH /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+-->
+#### HTTP 请求
+
+PATCH /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+
+<!-- 
+#### Parameters 
+-->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the PriorityClass
+-->
+- **name** （*路径参数*）: string，必须
+
+  PriorityClass 名称
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
+-->
+- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>，必需
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldManager** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+-->
+- **fieldManager** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
+
+<!--
+- **fieldValidation** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+-->
+- **fieldValidation** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
+
+<!--
+- **force** (*in query*): boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+-->
+- **force** （**查询参数**）：boolean
+
+  <a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Created
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): OK
+
+201 (<a href="{{< ref "../workload-resources/priority-class-v1#PriorityClass" >}}">PriorityClass</a>): Created
+
+401: Unauthorized
+
+<!-- 
+### `delete` delete a PriorityClass 
+-->
+### `delete` 删除一个 PriorityClass
+
+<!--
+#### HTTP Request
+
+DELETE /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+-->
+#### HTTP 请求
+
+DELETE /apis/scheduling.k8s.io/v1/priorityclasses/{name}
+
+<!-- #### 
+Parameters 
+--->
+#### 参数
+
+<!--
+- **name** (*in path*): string, required
+
+  name of the PriorityClass
+-->
+- **name** （*路径参数*）: string，必需
+
+  PriorityClass 名称。
+
+<!--
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+-->
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+-->
+- **gracePeriodSeconds** （**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+- **propagationPolicy** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+202 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): Accepted
+
+401: Unauthorized
+
+<!-- 
+### `deletecollection` delete collection of PriorityClass 
+-->
+### `deletecollection` 删除 PriorityClass 集合
+
+<!--
+#### HTTP Request
+
+DELETE /apis/scheduling.k8s.io/v1/priorityclasses
+-->
+#### HTTP 请求
+
+DELETE /apis/scheduling.k8s.io/v1/priorityclasses
+
+<!-- 
+#### Parameters 
+-->
+#### 参数
+
+<!-- - **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a> -->
+- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
+
+<!--
+- **continue** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+-->
+- **continue** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
+
+<!--
+- **dryRun** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+-->
+- **dryRun** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
+
+<!--
+- **fieldSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+-->
+- **fieldSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
+
+<!--
+- **gracePeriodSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+-->
+- **gracePeriodSeconds** （**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
+
+<!--
+- **labelSelector** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+-->
+- **labelSelector** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
+
+<!--
+- **limit** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+-->
+- **limit** （**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
+
+<!--
+- **pretty** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+-->
+- **pretty** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
+
+<!--
+- **propagationPolicy** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+-->
+- **propagationPolicy** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
+
+<!--
+- **resourceVersion** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+-->
+- **resourceVersion** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
+
+<!--
+- **resourceVersionMatch** (*in query*): string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+-->
+- **resourceVersionMatch** （**查询参数**）：string
+
+  <a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
+
+<!--
+- **timeoutSeconds** (*in query*): integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+-->
+- **timeoutSeconds** （**查询参数**）：integer
+
+  <a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
+
+<!--
+#### Response
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
+-->
+#### 响应
+
+200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
+
+401: Unauthorized
diff --git a/content/zh/docs/reference/labels-annotations-taints/_index.md b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md
similarity index 76%
rename from content/zh/docs/reference/labels-annotations-taints/_index.md
rename to content/zh-cn/docs/reference/labels-annotations-taints/_index.md
index faca42d237f4e..984a12ccf2948 100644
--- a/content/zh/docs/reference/labels-annotations-taints/_index.md
+++ b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md
@@ -46,7 +46,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 架构中的组件。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- ### app.kubernetes.io/created-by
 
@@ -65,7 +65,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 创建此资源的控制器/用户。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- ### app.kubernetes.io/instance
 
@@ -84,7 +84,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 标识应用实例的唯一名称。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- ### app.kubernetes.io/managed-by
 
@@ -103,7 +103,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 用于管理应用操作的工具。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- ### app.kubernetes.io/name
 
@@ -123,7 +123,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 应用的名称。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- ### app.kubernetes.io/part-of
 
@@ -142,7 +142,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 此应用所属的更高级别应用的名称。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- ### app.kubernetes.io/version
 
@@ -161,7 +161,7 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 应用的当前版本（例如，语义版本、修订哈希等）。
 
-[推荐标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
+[推荐标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)之一。
 
 <!-- 
 ### kubernetes.io/arch
@@ -178,7 +178,7 @@ The Kubelet populates this with `runtime.GOARCH` as defined by Go. This can be h
 
 用于：Node
 
-Kubelet 使用 Go 定义的 `runtime.GOARCH` 填充它。 如果你混合使用 ARM 和 X86 节点，这会很方便。
+Kubelet 使用 Go 定义的 `runtime.GOARCH` 填充它。如果你混合使用 ARM 和 X86 节点，这会很方便。
 <!--
 ### kubernetes.io/os
 
@@ -230,11 +230,11 @@ This label has been deprecated. Please use `kubernetes.io/os` instead.
 -->
 ### beta.kubernetes.io/arch (已弃用) {#beta-kubernetes-io-arch}
 
-此标签已被弃用。请改用`kubernetes.io/arch`。
+此标签已被弃用。请改用 `kubernetes.io/arch`。
 
 ### beta.kubernetes.io/os (已弃用) {#beta-kubernetes-io-os}
 
-此标签已被弃用。请改用`kubernetes.io/os`。
+此标签已被弃用。请改用 `kubernetes.io/os`。
 
 <!--
 ### kubernetes.io/hostname {#kubernetesiohostname}
@@ -255,7 +255,7 @@ This label is also used as part of the topology hierarchy.  See [topology.kubern
 
 Kubelet 使用主机名填充此标签。请注意，可以通过将 `--hostname-override` 标志传递给 `kubelet` 来替代“实际”主机名。
 
-此标签也用作拓扑层次结构的一部分。 有关详细信息，请参阅 [topology.kubernetes.io/zone](#topologykubernetesiozone)。
+此标签也用作拓扑层次结构的一部分。有关详细信息，请参阅 [topology.kubernetes.io/zone](#topologykubernetesiozone)。
 
 <!--
 ### kubernetes.io/change-cause {#change-cause}
@@ -328,7 +328,7 @@ which allows users to influence ReplicaSet downscaling order. The annotation par
 
 用于：Pod
 
-该注解用于设置 [Pod 删除成本](/docs/concepts/workloads/controllers/replicaset/#pod-deletion-cost)允许用户影响 ReplicaSet 缩减顺序。注解解析为 `int32` 类型。
+该注解用于设置 [Pod 删除成本](/zh-cn/docs/concepts/workloads/controllers/replicaset/#pod-deletion-cost)允许用户影响 ReplicaSet 缩减顺序。注解解析为 `int32` 类型。
 
 <!-- 
 ### kubernetes.io/ingress-bandwidth
@@ -353,7 +353,7 @@ For example, `10M` means 10 megabits per second.
 
 {{< note >}}
 入站流量控制注解是一项实验性功能。
-如果要启用流量控制支持，必须将`bandwidth`插件添加到 CNI 配置文件（默认为`/etc/cni/net.d`）
+如果要启用流量控制支持，必须将 `bandwidth` 插件添加到 CNI 配置文件（默认为`/etc/cni/net.d`）
 并确保二进制文件包含在你的 CNI bin 目录中（默认为`/opt/cni/bin`）。
 {{< /note >}}
 
@@ -364,9 +364,9 @@ For example, `10M` means 10 megabits per second.
 你可以对 Pod 应用服务质量流量控制并有效限制其可用带宽。
 入站流量（到 Pod）通过控制排队的数据包来处理，以有效地处理数据。
 要限制 Pod 的带宽，请编写对象定义 JSON 文件并使用 `kubernetes.io/ingress-bandwidth`
-注解指定数据流量速度。 用于指定入站的速率单位是每秒，
-作为[量纲（Quantity）](/zh/docs/reference/kubernetes-api/common-definitions/quantity/)。
-例如，`10M`表示每秒 10 兆比特。
+注解指定数据流量速度。用于指定入站的速率单位是每秒，
+作为[量纲（Quantity）](/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity/)。
+例如，`10M` 表示每秒 10 兆比特。
 
 <!-- 
 ### kubernetes.io/egress-bandwidth
@@ -391,7 +391,7 @@ For example, `10M` means 10 megabits per second.
 
 {{< note >}}
 出站流量控制注解是一项实验性功能。
-如果要启用流量控制支持，必须将`bandwidth`插件添加到 CNI 配置文件（默认为`/etc/cni/net.d`）
+如果要启用流量控制支持，必须将 `bandwidth` 插件添加到 CNI 配置文件（默认为`/etc/cni/net.d`）
 并确保二进制文件包含在你的 CNI bin 目录中（默认为`/opt/cni/bin`）。
 {{< /note >}}
 
@@ -403,7 +403,7 @@ For example, `10M` means 10 megabits per second.
 你为一个 Pod 所设置的限制不会影响其他 Pod 的带宽。
 要限制 Pod 的带宽，请编写对象定义 JSON 文件并使用 `kubernetes.io/egress-bandwidth` 注解指定数据流量速度。
 用于指定出站的速率单位是每秒比特数，
-以[量纲（Quantity）](/zh/docs/reference/kubernetes-api/common-definitions/quantity/)的形式给出。
+以[量纲（Quantity）](/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity/)的形式给出。
 例如，`10M` 表示每秒 10 兆比特。
 
 <!-- ### beta.kubernetes.io/instance-type (deprecated) -->
@@ -483,7 +483,7 @@ StatefulSet topic for more details.
 
 当 StatefulSet 控制器为 StatefulSet 创建 Pod 时，控制平面会在该 Pod 上设置此标签。标签的值是正在创建的 Pod 的名称。
 
-有关详细信息，请参阅 StatefulSet 主题中的 [Pod 名称标签](/docs/concepts/workloads/controllers/statefulset/#pod-name-label)。
+有关详细信息，请参阅 StatefulSet 主题中的 [Pod 名称标签](/zh-cn/docs/concepts/workloads/controllers/statefulset/#pod-name-label)。
 
 <!--
 ### topology.kubernetes.io/region {#topologykubernetesioregion}
@@ -529,8 +529,8 @@ A region represents a larger domain, made up of one or more zones.  It is uncomm
 
 在 PersistentVolume 上：拓扑感知卷配置器将自动在 `PersistentVolume` 上设置 Node 亲和性约束。
 
-一个 Zone 代表一个逻辑故障域。 Kubernetes 集群通常跨越多个 Zone 以提高可用性。虽然 Zone 的确切定义留给基础设施实现，
-但 Zone 的常见属性包括 Zone 内非常低的网络延迟、 Zone 内的免费网络流量以及与其他 Zone 的故障独立性。
+一个 Zone 代表一个逻辑故障域。Kubernetes 集群通常跨越多个 Zone 以提高可用性。虽然 Zone 的确切定义留给基础设施实现，
+但 Zone 的常见属性包括 Zone 内非常低的网络延迟、Zone 内的免费网络流量以及与其他 Zone 的故障独立性。
 例如，一个 Zone 内的 Node 可能共享一个网络交换机，但不同 Zone 中的 Node 无法共享交换机。
 
 一个 Region 代表一个更大的域，由一个或多个 Zone 组成。Kubernetes 集群跨多个 Region 并不常见，虽然 Zone 或 Region 的确切定义留给基础设施实现，
@@ -544,9 +544,9 @@ Kubernetes makes a few assumptions about the structure of zones and regions:
 -->
 Kubernetes 对 Zone 和 Region 的结构做了一些假设：
 
-1. Zone 和 Region 是分层的： Zone 是 Region 的严格子集，没有 Zone 可以在两个 Region 中；
+1. Zone 和 Region 是分层的：Zone 是 Region 的严格子集，没有 Zone 可以在两个 Region 中；
 
-2. Zone 名称跨 Region 是唯一的；例如， Region “africa-east-1” 可能由 Zone “africa-east-1a” 和 “africa-east-1b” 组成。
+2. Zone 名称跨 Region 是唯一的；例如，Region “africa-east-1” 可能由 Zone “africa-east-1a” 和 “africa-east-1b” 组成。
 
 <!--
 It should be safe to assume that topology labels do not change.  Even though labels are strictly mutable, consumers of them can assume that a given node is not going to be moved between zones without being destroyed and recreated.
@@ -581,7 +581,7 @@ If `PersistentVolumeLabel` does not support automatic labeling of your Persisten
 adding the labels manually (or adding support for `PersistentVolumeLabel`). With `PersistentVolumeLabel`, the scheduler prevents Pods from mounting volumes in a different zone. If your infrastructure doesn't have this constraint, you don't need to add the zone labels to the volumes at all.
 -->
 你应该考虑手动添加标签（或添加对 `PersistentVolumeLabel` 的支持）。
-基于 `PersistentVolumeLabel` ，调度程序可以防止 Pod 挂载来自其他 Zone 的卷。如果你的基础架构没有此限制，则不需要将 Zone 标签添加到卷上。
+基于 `PersistentVolumeLabel`，调度程序可以防止 Pod 挂载来自其他 Zone 的卷。如果你的基础架构没有此限制，则不需要将 Zone 标签添加到卷上。
 
 <!--
 ### volume.beta.kubernetes.io/storage-provisioner (deprecated)
@@ -668,6 +668,44 @@ Kubernetes uses this label to differentiate multiple Services. Used currently fo
 
 Kubernetes 使用这个标签来区分多个服务。目前仅用于 `ELB` （弹性负载均衡器）。
 
+<!-- 
+### kubernetes.io/service-account.name
+
+Example: `kubernetes.io/service-account.name: "sa-name"`
+
+Used on: Secret
+
+This annotation records the {{< glossary_tooltip term_id="name" text="name">}} of the
+ServiceAccount that the token (stored in the Secret of type `kubernetes.io/service-account-token`) represents.
+-->
+### kubernetes.io/service-account.name
+
+示例：`kubernetes.io/service-account.name: "sa-name"`
+
+用于：Secret
+
+这个注解记录了令牌（存储在 `kubernetes.io/service-account-token` 类型的 Secret 中）所代表的
+ServiceAccount 的{{<glossary_tooltip term_id="name" text="名称">}}。
+
+<!-- 
+### kubernetes.io/service-account.uid
+
+Example: `kubernetes.io/service-account.uid: da68f9c6-9d26-11e7-b84e-002dc52800da`
+
+Used on: Secret
+
+This annotation records the {{< glossary_tooltip term_id="uid" text="unique ID" >}} of the
+ServiceAccount that the token (stored in the Secret of type `kubernetes.io/service-account-token`) represents.
+-->
+### kubernetes.io/service-account.uid
+
+示例：`kubernetes.io/service-account.uid: da68f9c6-9d26-11e7-b84e-002dc52800da`
+
+用于：Secret
+
+该注解记录了令牌（存储在 `kubernetes.io/service-account-token` 类型的 Secret 中）所代表的
+ServiceAccount 的{{<glossary_tooltip term_id="uid" text="唯一 ID" >}}。
+
 <!--
 ### endpointslice.kubernetes.io/managed-by {#endpointslicekubernetesiomanaged-by}
 
@@ -835,7 +873,7 @@ created with Indexed [completion mode](/docs/concepts/workloads/controllers/job/
 用于：Pod
 
 kube-controller-manager 中的 Job 控制器为使用 Indexed
-[完成模式](/zh/docs/concepts/workloads/controllers/job/#completion-mode)创建的 Pod
+[完成模式](/zh-cn/docs/concepts/workloads/controllers/job/#completion-mode)创建的 Pod
 设置此注解。
 
 <!--
@@ -888,7 +926,7 @@ You should **not** manually add or remove this annotation.
 
 用于：Job
 
-Job 上存在此注解表明控制平面正在[使用 Finalizer 追踪 Job](/zh/docs/concepts/workloads/controllers/job/#job-tracking-with-finalizers)。
+Job 上存在此注解表明控制平面正在[使用 Finalizer 追踪 Job](/zh-cn/docs/concepts/workloads/controllers/job/#job-tracking-with-finalizers)。
 你 **不** 可以手动添加或删除此注解。
 
 <!--
@@ -906,9 +944,9 @@ Use [Taints and Tolerations](/docs/concepts/scheduling-eviction/taint-and-tolera
 
 用于：Node
 
-此注解需要启用 [NodePreferAvoidPods 调度插件](/zh/docs/reference/scheduling/config/#scheduling-plugins)。
+此注解需要启用 [NodePreferAvoidPods 调度插件](/zh-cn/docs/reference/scheduling/config/#scheduling-plugins)。
 该插件自 Kubernetes 1.22 起已被弃用。
-请改用[污点和容忍度](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)。
+请改用[污点和容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)。
 
 **下面列出的污点总是在 Node 上使用**
 
@@ -935,7 +973,7 @@ Node 控制器通过监控 Node 的健康状况来检测 Node 是否准备就绪
 
 例子：`node.kubernetes.io/unreachable:NoExecute`
 
-Node 控制器将此污点添加到对应[节点状况](/zh/docs/concepts/architecture/nodes/#condition) `Ready`
+Node 控制器将此污点添加到对应[节点状况](/zh-cn/docs/concepts/architecture/nodes/#condition) `Ready`
 为 `Unknown` 的 Node 上。
 
 <!--
@@ -1008,6 +1046,30 @@ kubelet 检查 `/proc/sys/kernel/pid_max` 大小的 D 值和 Kubernetes 在 Node
 以获取可用 PID 数量，并将其作为 `pid.available` 指标值。
 然后该指标与在 kubelet 上设置的相应阈值进行比较，以确定是否应该添加/删除 Node 状况和污点。
 
+### node.kubernetes.io/out-of-service
+<!--
+Example: `node.kubernetes.io/out-of-service:NoExecute`
+A user can manually add the taint to a Node marking it out-of-service. If the `NodeOutOfServiceVolumeDetach` 
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled on
+`kube-controller-manager`, and a Node is marked out-of-service with this taint, the pods on the node will be forcefully deleted if there are no matching tolerations on it and volume detach operations for the pods terminating on the node will happen immediately. This allows the Pods on the out-of-service node to recover quickly on a different node.
+-->
+例子：`node.kubernetes.io/out-of-service:NoExecute`
+
+用户可以手动将污点添加到节点，将其标记为停止服务。
+如果 `kube-controller-manager` 上启用了 `NodeOutOfServiceVolumeDetach`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
+并且一个节点被这个污点标记为停止服务，如果节点上的 Pod 没有对应的容忍度，
+这类 Pod 将被强制删除，并且，针对在节点上被终止 Pod 的卷分离操作将被立即执行。
+
+{{< caution >}}
+<!--
+Refer to
+[Non-graceful node shutdown](/docs/concepts/architecture/nodes/#non-graceful-node-shutdown)
+for further details about when and how to use this taint.
+-->
+有关何时以及如何使用此污点的更多详细信息，请参阅[非正常节点关闭](/zh-cn/docs/concepts/architecture/nodes/#non-graceful-node-shutdown)。
+{{< /caution >}}
+
 <!--
 ### node.cloudprovider.kubernetes.io/uninitialized
 
@@ -1058,15 +1120,15 @@ for more information.
 用于：Namespace
 
 值**必须**是 `privileged`、`baseline` 或 `restricted` 之一，它们对应于
-[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards) 级别。
+[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards) 级别。
 特别地，`enforce` 标签 **禁止** 在带标签的 Namespace 中创建任何不符合指示级别要求的 Pod。
 
-请请参阅[在名字空间级别实施 Pod 安全性](/zh/docs/concepts/security/pod-security-admission)了解更多信息。
+请请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
 <!--
 ### pod-security.kubernetes.io/enforce-version
 
-Example: `pod-security.kubernetes.io/enforce-version: {{< skew latestVersion >}}`
+Example: `pod-security.kubernetes.io/enforce-version: {{< skew currentVersion >}}`
 
 Used on: Namespace
 
@@ -1079,14 +1141,14 @@ for more information.
 -->
 ### pod-security.kubernetes.io/enforce-version {#pod-security-kubernetes-io-enforce-version}
 
-例子：`pod-security.kubernetes.io/enforce-version: {{< skew latestVersion >}}`
+例子：`pod-security.kubernetes.io/enforce-version: {{< skew currentVersion >}}`
 
 用于：Namespace
 
 值**必须**是 `latest` 或格式为 `v<MAJOR>.<MINOR>` 的有效 Kubernetes 版本。
-此注解决定了在验证提交的 Pod 时要应用的 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)策略的版本。
+此注解决定了在验证提交的 Pod 时要应用的 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards)策略的版本。
 
-请参阅[在名字空间级别实施 Pod 安全性](/zh/docs/concepts/security/pod-security-admission)了解更多信息。
+请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
 <!--
 ### pod-security.kubernetes.io/audit
@@ -1109,17 +1171,17 @@ for more information.
 
 用于：Namespace
 
-值**必须**是与 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards) 级别相对应的
+值**必须**是与 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards) 级别相对应的
 `privileged`、`baseline` 或 `restricted` 之一。
 具体来说，`audit` 标签不会阻止在带标签的 Namespace 中创建不符合指示级别要求的 Pod，
 但会向该 Pod 添加审计注解。
 
-请参阅[在名字空间级别实施 Pod 安全性](/zh/docs/concepts/security/pod-security-admission)了解更多信息。
+请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
 <!--
 ### pod-security.kubernetes.io/audit-version
 
-Example: `pod-security.kubernetes.io/audit-version: {{< skew latestVersion >}}`
+Example: `pod-security.kubernetes.io/audit-version: {{< skew currentVersion >}}`
 
 Used on: Namespace
 
@@ -1132,14 +1194,14 @@ for more information.
 -->
 ### pod-security.kubernetes.io/audit-version {#pod-security-kubernetes-io-audit-version}
 
-例子：`pod-security.kubernetes.io/audit-version: {{< skew latestVersion >}}`
+例子：`pod-security.kubernetes.io/audit-version: {{< skew currentVersion >}}`
 
 用于：Namespace
 
 值**必须**是 `latest` 或格式为 `v<MAJOR>.<MINOR>` 的有效 Kubernetes 版本。
-此注解决定了在验证提交的 Pod 时要应用的  [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)策略的版本。
+此注解决定了在验证提交的 Pod 时要应用的  [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards)策略的版本。
 
-请参阅[在名字空间级别实施 Pod 安全性](/zh/docs/concepts/security/pod-security-admission)了解更多信息。
+请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
 <!--
 ### pod-security.kubernetes.io/warn
@@ -1164,17 +1226,17 @@ for more information.
 
 用于：Namespace
 
-值**必须**是与 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)级别相对应的
+值**必须**是与 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards)级别相对应的
 `privileged`、`baseline` 或 `restricted` 之一。特别地，
 `warn` 标签不会阻止在带标签的 Namespace 中创建不符合指示级别概述要求的 Pod，但会在这样做后向用户返回警告。
 请注意，在创建或更新包含 Pod 模板的对象时也会显示警告，例如 Deployment、Jobs、StatefulSets 等。
 
-请参阅[在名字空间级别实施 Pod 安全性](/zh/docs/concepts/security/pod-security-admission)了解更多信息。
+请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
 <!--
 ### pod-security.kubernetes.io/warn-version
 
-Example: `pod-security.kubernetes.io/warn-version: {{< skew latestVersion >}}`
+Example: `pod-security.kubernetes.io/warn-version: {{< skew currentVersion >}}`
 
 Used on: Namespace
 
@@ -1188,16 +1250,16 @@ for more information.
 -->
 ### pod-security.kubernetes.io/warn-version {#pod-security-kubernetes-io-warn-version}
 
-例子：`pod-security.kubernetes.io/warn-version: {{< skew latestVersion >}}`
+例子：`pod-security.kubernetes.io/warn-version: {{< skew currentVersion >}}`
 
 用于：Namespace
 
 值**必须**是 `latest` 或格式为 `v<MAJOR>.<MINOR>` 的有效 Kubernetes 版本。
-此注解决定了在验证提交的 Pod 时要应用的 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)策略的版本。
+此注解决定了在验证提交的 Pod 时要应用的 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards)策略的版本。
 请注意，在创建或更新包含 Pod 模板的对象时也会显示警告，
 例如 Deployment、Jobs、StatefulSets 等。
 
-请参阅[在名字空间级别实施 Pod 安全性](/zh/docs/concepts/security/pod-security-admission)了解更多信息。
+请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
 <!--
 ### seccomp.security.alpha.kubernetes.io/pod (deprecated) {#seccomp-security-alpha-kubernetes-io-pod}
@@ -1212,16 +1274,16 @@ the settings you specify apply to all containers in that Pod.
 
 此注解自 Kubernetes v1.19 起已被弃用，将在 v1.25 中失效。
 要为 Pod 指定安全设置，请在 Pod 规范中包含 `securityContext` 字段。
-Pod 的 `.spec` 中的 [`securityContext`](/zh/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
+Pod 的 `.spec` 中的 [`securityContext`](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
 字段定义了 Pod 级别的安全属性。
-你[为 Pod 设置安全上下文](/zh/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 时，
+你[为 Pod 设置安全上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 时，
 你所给出的设置适用于该 Pod 中的所有容器。
 
 <!--
 ### container.seccomp.security.alpha.kubernetes.io/[NAME] {#container-seccomp-security-alpha-kubernetes-io}
 
 This annotation has been deprecated since Kubernetes v1.19 and will become non-functional in v1.25.
-The tutorial [Restrict a Container's Syscalls with seccomp](/docs/tutorials/clusters/seccomp/) takes
+The tutorial [Restrict a Container's Syscalls with seccomp](/docs/tutorials/security/seccomp/) takes
 you through the steps you follow to apply a seccomp profile to a Pod or to one of
 its containers. That tutorial covers the supported mechanism for configuring seccomp in Kubernetes,
 based on setting `securityContext` within the Pod's `.spec`.
@@ -1229,15 +1291,38 @@ based on setting `securityContext` within the Pod's `.spec`.
 ### container.seccomp.security.alpha.kubernetes.io/[NAME] {#container-seccomp-security-alpha-kubernetes-io}
 
 此注解自 Kubernetes v1.19 起已被弃用，将在 v1.25 中失效。
-教程[使用 seccomp 限制容器的系统调用](/zh/docs/tutorials/clusters/seccomp/)将引导你完成将
+教程[使用 seccomp 限制容器的系统调用](/zh-cn/docs/tutorials/security/seccomp/)将引导你完成将
 seccomp 配置文件应用于 Pod 或其容器的步骤。
 该教程介绍了在 Kubernetes 中配置 seccomp 的支持机制，基于在 Pod 的 `.spec` 中设置 `securityContext`。
 
+### snapshot.storage.kubernetes.io/allowVolumeModeChange
+<!--
+Example: `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`
+Used on: VolumeSnapshotContent
+-->
+例子：`snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`
+
+用于：VolumeSnapshotContent
+
+<!--
+Value can either be `true` or `false`.
+This determines whether a user can modify the mode of the source volume when a
+{{< glossary_tooltip text="PersistentVolumeClaim" term_id="persistent-volume-claim" >}} is being created from a VolumeSnapshot.
+Refer to [Converting the volume mode of a Snapshot](/docs/concepts/storage/volume-snapshots/#convert-volume-mode) and the [Kubernetes CSI Developer Documentation](https://kubernetes-csi.github.io/docs/) for more information.
+-->
+值可以是 `true` 或者 `false`。
+这决定了当从 VolumeSnapshot 创建 {{< glossary_tooltip text="PersistentVolumeClaim" term_id="persistent-volume-claim" >}}
+时，用户是否可以修改源卷的模式。
+更多信息请参阅[转换快照的卷模式](/zh-cn/docs/concepts/storage/volume-snapshots/#convert-volume-mode)和
+[Kubernetes CSI 开发者文档](https://kubernetes-csi.github.io/docs/)。
+
 <!--
 ## Annotations used for audit
 
 - [`authorization.k8s.io/decision`](/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-decision)
 - [`authorization.k8s.io/reason`](/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-reason)
+- [`insecure-sha1.invalid-cert.kubernetes.io/$hostname`](/docs/reference/labels-annotations-taints/audit-annotations/#insecure-sha1-invalid-cert-kubernetes-io-hostname)
+- [`missing-san.invalid-cert.kubernetes.io/$hostname`](/docs/reference/labels-annotations-taints/audit-annotations/#missing-san-invalid-cert-kubernetes-io-hostname)
 - [`pod-security.kubernetes.io/audit-violations`](/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-audit-violations)
 - [`pod-security.kubernetes.io/enforce-policy`](/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-enforce-policy)
 - [`pod-security.kubernetes.io/exempt`](/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-exempt)
@@ -1246,10 +1331,126 @@ See more details on the [Audit Annotations](/docs/reference/labels-annotations-t
 -->
 ## 用于审计的注解    {#annonations-used-for-audit}
 
-- [`authorization.k8s.io/decision`](/zh/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-decision)
-- [`authorization.k8s.io/reason`](/zh/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-reason)
-- [`pod-security.kubernetes.io/audit-violations`](/zh/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-audit-violations)
-- [`pod-security.kubernetes.io/enforce-policy`](/zh/zh/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-enforce-policy)
-- [`pod-security.kubernetes.io/exempt`](/zh/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-exempt)
+- [`authorization.k8s.io/decision`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-decision)
+- [`authorization.k8s.io/reason`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-reason)
+- [`insecure-sha1.invalid-cert.kubernetes.io/$hostname`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#insecure-sha1-invalid-cert-kubernetes-io-hostname)
+- [`missing-san.invalid-cert.kubernetes.io/$hostname`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#missing-san-invalid-cert-kubernetes-io-hostname)
+- [`pod-security.kubernetes.io/audit-violations`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-audit-violations)
+- [`pod-security.kubernetes.io/enforce-policy`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-enforce-policy)
+- [`pod-security.kubernetes.io/exempt`](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-exempt)
+
+在[审计注解](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/)页面上查看更多详细信息。
+
+## kubeadm
+
+### kubeadm.alpha.kubernetes.io/cri-socket
+
+<!--
+Example: `kubeadm.alpha.kubernetes.io/cri-socket: unix:///run/containerd/container.sock`
+Used on: Node
+-->
+例子：`kubeadm.alpha.kubernetes.io/cri-socket: unix:///run/containerd/container.sock`
+
+用于：Node
+
+<!--
+Annotation that kubeadm uses to preserve the CRI socket information given to kubeadm at `init`/`join` time for later use.
+kubeadm annotates the Node object with this information. The annotation remains "alpha", since ideally this should be a field in KubeletConfiguration instead.
+-->
+kubeadm 用来保存 `init`/`join` 时提供给 kubeadm 以后使用的 CRI 套接字信息的注解。
+kubeadm 使用此信息为 Node 对象设置注解。
+此注解仍然是 “alpha” 阶段，因为理论上这应该是 KubeletConfiguration 中的一个字段。
+
+### kubeadm.kubernetes.io/etcd.advertise-client-urls
+
+<!--
+Example: `kubeadm.kubernetes.io/etcd.advertise-client-urls: https://172.17.0.18:2379`
+Used on: Pod
+-->
+例子：`kubeadm.kubernetes.io/etcd.advertise-client-urls: https://172.17.0.18:2379`
+
+用于：Pod
 
-在[审计注解](/zh/docs/reference/labels-annotations-taints/audit-annotations/)页面上查看更多详细信息。
\ No newline at end of file
+<!--
+Annotation that kubeadm places on locally managed etcd pods to keep track of a list of URLs where etcd clients should connect to. This is used mainly for etcd cluster health check purposes.
+-->
+kubeadm 为本地管理的 etcd Pod 设置的注解，用来跟踪 etcd 客户端应连接到的 URL 列表。
+这主要用于 etcd 集群健康检查目的。
+
+### kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint
+
+<!--
+Example: `kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: https//172.17.0.18:6443`
+Used on: Pod
+-->
+例子：`kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: https//172.17.0.18:6443`
+
+用于：Pod
+
+<!--
+Annotation that kubeadm places on locally managed kube-apiserver pods to keep track of the exposed advertise address/port endpoint for that API server instance.
+-->
+kubeadm 为本地管理的 kube-apiserver Pod 设置的注解，用以跟踪该 API 服务器实例的公开宣告地址/端口端点。
+
+### kubeadm.kubernetes.io/component-config.hash
+
+<!--
+Used on: ConfigMap
+Example: `kubeadm.kubernetes.io/component-config.hash: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
+-->
+例子：`kubeadm.kubernetes.io/component-config.hash: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
+
+用于：ConfigMap
+
+<!--
+Annotation that kubeadm places on ConfigMaps that it manages for configuring components. It contains a hash (SHA-256) used to determine if the user has applied settings different from the kubeadm defaults for a particular component.
+-->
+kubeadm 为它所管理的 ConfigMaps 设置的注解，用于配置组件。它包含一个哈希（SHA-256）值，
+用于确定用户是否应用了不同于特定组件的 kubeadm 默认设置的设置。
+
+### node-role.kubernetes.io/control-plane
+
+<!--
+Used on: Node
+
+Label that kubeadm applies on the control plane nodes that it manages.
+-->
+用于：Node
+
+kubeadm 在其管理的控制平面节点上应用的标签。
+
+### node-role.kubernetes.io/control-plane
+
+<!--
+Used on: Node
+
+Example: `node-role.kubernetes.io/control-plane:NoSchedule`
+-->
+例子：`node-role.kubernetes.io/control-plane:NoSchedule`
+
+用于：Node
+
+<!--
+Taint that kubeadm applies on control plane nodes to allow only critical workloads to schedule on them.
+-->
+kubeadm 应用在控制平面节点上的污点，仅允许在其上调度关键工作负载。
+
+### node-role.kubernetes.io/master
+
+<!--
+Used on: Node
+
+Example: `node-role.kubernetes.io/master:NoSchedule`
+-->
+例子：`node-role.kubernetes.io/master:NoSchedule`
+
+用于：Node
+
+<!--
+Taint that kubeadm applies on control plane nodes to allow only critical workloads to schedule on them.
+Starting in v1.20, this taint is deprecated in favor of `node-role.kubernetes.io/control-plane` and will be removed in v1.25.
+-->
+kubeadm 应用在控制平面节点上的污点，仅允许在其上调度关键工作负载。
+{{< note >}}
+从 v1.20 开始，此污点已弃用，并将在 v1.25 中将其删除，取而代之的是 `node-role.kubernetes.io/control-plane`。
+{{< /note >}}
\ No newline at end of file
diff --git a/content/zh/docs/reference/labels-annotations-taints/audit-annotations.md b/content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md
similarity index 56%
rename from content/zh/docs/reference/labels-annotations-taints/audit-annotations.md
rename to content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md
index a2e7132ea4ac5..d5c2345a61301 100644
--- a/content/zh/docs/reference/labels-annotations-taints/audit-annotations.md
+++ b/content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md
@@ -24,9 +24,9 @@ The annotations apply to audit events. Audit events are different from objects i
 `events.k8s.io`).
 -->
 {{< note >}}
-Kubernetes API 中不使用以下注解。当你在集群中[启用审计](/zh/docs/tasks/debug/debug-cluster/audit/)时，
+Kubernetes API 中不使用以下注解。当你在集群中[启用审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/)时，
 审计事件数据将使用 API 组 `audit.k8s.io` 中的 `Event` 写入。
-注解适用于审计事件。审计事件不同于[事件 API ](/zh/docs/reference/kubernetes-api/cluster-resources/event-v1/)
+注解适用于审计事件。审计事件不同于[事件 API ](/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1/)
 （API 组 `events.k8s.io`）中的对象。
 {{</note>}}
 
@@ -45,7 +45,7 @@ from the PodSecurity enforcement.
 
 例子：`pod-security.kubernetes.io/exempt: namespace`
 
-值**必须**是对应于 [Pod 安全豁免](/zh/docs/concepts/security/pod-security-admission/#exemptions)维度的 
+值**必须**是对应于 [Pod 安全豁免](/zh-cn/docs/concepts/security/pod-security-admission/#exemptions)维度的 
 `user`、`namespace` 或 `runtimeClass` 之一。
 此注解指示 PodSecurity 基于哪个维度的强制豁免执行。
 
@@ -68,12 +68,12 @@ for more information.
 
 例子：`pod-security.kubernetes.io/enforce-policy: restricted:latest`
 
-值**必须**是对应于 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards) 级别的
+值**必须**是对应于 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards) 级别的
 `privileged:<版本>`、`baseline:<版本>`、`restricted:<版本>`，
 关联的版本**必须**是 `latest` 或格式为 `v<MAJOR>.<MINOR>` 的有效 Kubernetes 版本。
 此注解通知有关在 PodSecurity 准入期间允许或拒绝 Pod 的执行级别。
 
-有关详细信息，请参阅 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)。
+有关详细信息，请参阅 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)。
 
 <!--
 ## pod-security.kubernetes.io/audit-violations
@@ -96,10 +96,10 @@ for more information.
 PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container
 "example" must set securityContext.allowPrivilegeEscalation=false), ...`
 
-注解值给出审计策略违规的详细说明，它包含所违反的 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)级别以及
+注解值给出审计策略违规的详细说明，它包含所违反的 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)级别以及
 PodSecurity 执行中违反的特定策略及对应字段。
 
-有关详细信息，请参阅 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)。
+有关详细信息，请参阅 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)。
 
 <!--
 ## authorization.k8s.io/decision
@@ -116,7 +116,7 @@ See [Auditing](/docs/tasks/debug/debug-cluster/audit/) for more information.
 
 此注解在 Kubernetes 审计日志中表示请求是否获得授权。
 
-有关详细信息，请参阅[审计](/zh/docs/tasks/debug/debug-cluster/audit/)。
+有关详细信息，请参阅[审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/)。
 
 <!--
 ## authorization.k8s.io/reason
@@ -133,4 +133,72 @@ See [Auditing](/docs/tasks/debug/debug-cluster/audit/) for more information.
 
 此注解给出了 Kubernetes 审计日志中 [decision](#authorization-k8s-io-decision) 的原因。
 
-有关详细信息，请参阅[审计](/zh/docs/tasks/debug/debug-cluster/audit/)。
\ No newline at end of file
+有关详细信息，请参阅[审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/)。
+
+## missing-san.invalid-cert.kubernetes.io/$hostname
+
+<!--
+Example: `missing-san.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "relies on a legacy Common Name field instead of the SAN extension for subject validation"`
+
+Used by Kubernetes version v1.24 and later
+-->
+例子：`missing-san.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "relies on a legacy Common Name field instead of the SAN extension for subject validation"`
+
+由 Kubernetes v1.24 及更高版本使用
+
+<!--
+This annotation indicates a webhook or aggregated API server
+is using an invalid certificate that is missing `subjectAltNames`.
+Support for these certificates was disabled by default in Kubernetes 1.19,
+and removed in Kubernetes 1.23.
+-->
+此注解表示 webhook 或聚合 API 服务器正在使用缺少 `subjectAltNames` 的无效证书。
+Kubernetes 1.19 已经默认禁用，且 Kubernetes 1.23 已经移除对这些证书的支持。
+
+<!--
+Requests to endpoints using these certificates will fail.
+Services using these certificates should replace them as soon as possible
+to avoid disruption when running in Kubernetes 1.23+ environments.
+-->
+使用这些证书向端点发出的请求将失败。
+使用这些证书的服务应尽快替换它们，以避免在 Kubernetes 1.23+ 环境中运行时中断。
+
+<!--
+There's more information about this in the Go documentation:
+[X.509 CommonName deprecation](https://go.dev/doc/go1.15#commonname).
+-->
+Go 文档中有更多关于此的信息：
+[X.509 CommonName 弃用](https://go.dev/doc/go1.15#commonname)。
+
+## insecure-sha1.invalid-cert.kubernetes.io/$hostname
+
+<!--
+Example: `insecure-sha1.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "uses an insecure SHA-1 signature"`
+Used by Kubernetes version v1.24 and later
+-->
+
+例子：`insecure-sha1.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "uses an insecure SHA-1 signature"`
+
+由 Kubernetes v1.24 及更高版本使用
+
+<!--
+This annotation indicates a webhook or aggregated API server
+is using an insecure certificate signed with a SHA-1 hash.
+Support for these insecure certificates is disabled by default in Kubernetes 1.24,
+and will be removed in a future release.
+-->
+此注解表示 webhook 或聚合 API 服务器正在使用使用 SHA-1 签名的不安全证书。
+Kubernetes 1.24 已经默认禁用，并将在未来的版本中删除对这些证书的支持。
+
+<!--
+Services using these certificates should replace them as soon as possible,
+to ensure connections are secured properly and to avoid disruption in future releases.
+-->
+使用这些证书的服务应尽快替换它们，以确保正确保护连接并避免在未来版本中出现中断。
+
+<!--
+There's more information about this in the Go documentation:
+[Rejecting SHA-1 certificates](https://go.dev/doc/go1.18#sha1).
+-->
+Go 文档中有更多关于此的信息：
+[拒绝 SHA-1 证书](https://go.dev/doc/go1.18#sha1)。
diff --git a/content/zh/docs/reference/node/_index.md b/content/zh-cn/docs/reference/node/_index.md
similarity index 100%
rename from content/zh/docs/reference/node/_index.md
rename to content/zh-cn/docs/reference/node/_index.md
diff --git a/content/zh-cn/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes.md b/content/zh-cn/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes.md
new file mode 100644
index 0000000000000..af1072c84477e
--- /dev/null
+++ b/content/zh-cn/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes.md
@@ -0,0 +1,99 @@
+---
+title: 关于 dockershim 移除和使用兼容 CRI 运行时的文章
+content_type: reference
+weight: 20
+---
+
+<!-- 
+title: Articles on dockershim Removal and on Using CRI-compatible Runtimes
+content_type: reference
+weight: 20
+-->
+
+<!-- overview -->
+<!-- 
+This is a list of articles and other pages that are either
+about the Kubernetes' deprecation and removal of _dockershim_,
+or about using CRI-compatible container runtimes, in connection
+with that removal.
+-->
+这是关于 Kubernetes 弃用和删除 “dockershim”
+或使用兼容 CRI 的容器运行时相关的文章和其他页面的列表，
+<!-- body -->
+
+<!-- 
+## Kubernetes project
+
+* Kubernetes blog: [Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/) (originally published 2022/02/17)
+
+* Kubernetes blog: [Kubernetes is Moving on From Dockershim: Commitments and Next Steps](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/) (published 2022/01/07)
+
+* Kubernetes blog: [Dockershim removal is coming. Are you ready?](/blog/2021/11/12/are-you-ready-for-dockershim-removal/) (published 2021/11/12)
+
+* Kubernetes documentation: [Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/)
+
+* Kubernetes documentation: [Container runtimes](/docs/setup/production-environment/container-runtimes/)
+
+* Kubernetes enhancement proposal: [KEP-2221: Removing dockershim from kubelet](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2221-remove-dockershim/README.md)
+
+* Kubernetes enhancement proposal issue: [Removing dockershim from kubelet](https://github.com/kubernetes/enhancements/issues/2221) (_k/enhancements#2221_)
+-->
+
+## Kubernetes 项目 {#kubernetes-project}
+
+* Kubernetes 博客：[Dockershim 弃用常见问题解答](/zh-cn/blog/2022/02/17/dockershim-faq/)（最初发表于 2022/02/17）
+
+* Kubernetes 博客：[Kubernetes 即将移除 Dockershim：承诺和下一步](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/)（发表于 2022/01/07）
+
+* Kubernetes 博客：[移除 Dockershim 即将到来。你准备好了吗？](/zh-cn/blog/2021/11/12/are-you-ready-for-dockershim-removal/)（发表于  2021/11/12）
+
+* Kubernetes 文档：[从 dockershim 迁移](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/)
+
+* Kubernetes 文档：[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
+
+* Kubernetes 增强建议：[KEP-2221: 从 kubelet 中删除 dockershim](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2221-remove-dockershim/README.md)
+
+* Kubernetes 增强提问：[从 kubelet 中删除 dockershim](https://github.com/kubernetes/enhancements/issues/2221)（“k/enhancements#2221”）
+
+<!--
+You can provide feedback via the GitHub issue [**Dockershim removal feedback & issues**](https://github.com/kubernetes/kubernetes/issues/106917).
+-->
+你可以通过 GitHub 问题
+[**Dockershim 删除反馈和问题**](https://github.com/kubernetes/kubernetes/issues/106917) 提供反馈。
+
+<!-- 
+## External sources {#third-party}
+
+* Amazon Web Services EKS documentation: [Dockershim deprecation](https://docs.aws.amazon.com/eks/latest/userguide/dockershim-deprecation.html)
+
+* CNCF conference video: [Lessons Learned Migrating Kubernetes from Docker to containerd Runtime](https://www.youtube.com/watch?v=uDOu6rK4yOk) (Ana Caylin, at KubeCon Europe 2019)
+
+* Docker.com blog: [What developers need to know about Docker, Docker Engine, and Kubernetes v1.20](https://www.docker.com/blog/what-developers-need-to-know-about-docker-docker-engine-and-kubernetes-v1-20/) (published 2020/12/04)
+
+* "_Google Open Source_" channel on YouTube: [Learn Kubernetes with Google - Migrating from Dockershim to Containerd](https://youtu.be/fl7_4hjT52g)
+
+* Microsoft Apps on Azure blog: [Dockershim deprecation and AKS](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/dockershim-deprecation-and-aks/ba-p/3055902) (published 2022/01/21)
+
+* Mirantis blog: [The Future of Dockershim is cri-dockerd](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/) (published 2021/04/21)
+
+* Mirantis: [Mirantis/cri-dockerd](https://github.com/Mirantis/cri-dockerd) Git repository (on GitHub)
+
+* Tripwire: [How Dockershim’s Forthcoming Deprecation Affects Your Kubernetes](https://www.tripwire.com/state-of-security/security-data-protection/cloud/how-dockershim-forthcoming-deprecation-affects-your-kubernetes/)
+-->
+## 外部来源 {#third-party}
+
+* Amazon 网络服务 EKS 文档：[Dockershim 弃用](https://docs.aws.amazon.com/eks/latest/userguide/dockershim-deprecation.html)
+
+* CNCF会议视频：[将 Kubernetes 从 Docker 迁移到 containerd 运行时的经验教训](https://www.docker.com/blog/what-developers-need-to-know-about-docker-docker-engine-and-kubernetes-v1-20/)（Ana Caylin，在 KubeCon Europe 2019）
+
+* Docker.com 博客：[开发人员需要了解的关于 Docker、Docker Engine 和 Kubernetes v1.20 的哪些知识](https://www.docker.com/blog/what-developers-need-to-know-about-docker-docker-engine-and-kubernetes-v1-20/)（发表于 2020/12/04）
+
+* YouTube 上的“Google 开源”频道：[与 Google 一起学习 Kubernetes - 从 Dockershim 迁移到 Containerd](https://youtu.be/fl7_4hjT52g)
+
+* Azure 博客上的 Microsoft 应用：[Dockershim 弃用和 AKS](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/dockershim-deprecation-and-aks/ba-p/3055902)（发表于 2022/01/21）
+
+* Mirantis 博客：[Dockershim 的未来是 cri-dockerd](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/)（发表于 2021/04/21）
+
+* Mirantis: [Mirantis/cri-dockerd](https://github.com/Mirantis/cri-dockerd) Git 仓库（在 GitHub 上）
+
+* Tripwire：[Dockershim 即将弃用如何影响你的 Kubernetes](https://www.tripwire.com/state-of-security/security-data-protection/cloud/how-dockershim-forthcoming-deprecation-affects-your-kubernetes/)
diff --git a/content/zh/docs/reference/ports-and-protocols.md b/content/zh-cn/docs/reference/ports-and-protocols.md
similarity index 97%
rename from content/zh/docs/reference/ports-and-protocols.md
rename to content/zh-cn/docs/reference/ports-and-protocols.md
index 4f496a7b3a7c8..4bd3aab5d5754 100644
--- a/content/zh/docs/reference/ports-and-protocols.md
+++ b/content/zh-cn/docs/reference/ports-and-protocols.md
@@ -70,7 +70,7 @@ on the default port.
 | TCP      | 入站       | 10250       | Kubelet API           | 自身, 控制面             |
 | TCP      | 入站       | 30000-32767 | NodePort Services†    | 所有                    |
 
-† [NodePort Services](/zh/docs/concepts/services-networking/service/)的默认端口范围。
+† [NodePort Services](/zh-cn/docs/concepts/services-networking/service/)的默认端口范围。
 
 所有默认端口都可以重新配置。当使用自定义的端口时，你需要打开这些端口来代替这里提到的默认端口。
 
diff --git a/content/zh/docs/reference/scheduling/_index.md b/content/zh-cn/docs/reference/scheduling/_index.md
similarity index 100%
rename from content/zh/docs/reference/scheduling/_index.md
rename to content/zh-cn/docs/reference/scheduling/_index.md
diff --git a/content/zh/docs/reference/scheduling/config.md b/content/zh-cn/docs/reference/scheduling/config.md
similarity index 94%
rename from content/zh/docs/reference/scheduling/config.md
rename to content/zh-cn/docs/reference/scheduling/config.md
index cd6c8507ea282..0cd7190d71bc5 100644
--- a/content/zh/docs/reference/scheduling/config.md
+++ b/content/zh-cn/docs/reference/scheduling/config.md
@@ -36,8 +36,8 @@ or [v1beta3](/docs/reference/config-api/kube-scheduler-config.v1beta3/))
 struct.
 -->
 你可以通过运行 `kube-scheduler --config <filename>` 来设置调度模板，
-使用 KubeSchedulerConfiguration （[v1beta2](/zh/docs/reference/config-api/kube-scheduler-config.v1beta2/)
-或者 [v1beta3](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)） 结构体。
+使用 KubeSchedulerConfiguration （[v1beta2](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta2/)
+或者 [v1beta3](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)） 结构体。
 
 <!-- A minimal configuration looks as follows: -->
 最简单的配置如下：
@@ -199,7 +199,7 @@ extension points:
   [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-toleration/).
   Implements extension points: `filter`, `prescore`, `score`.
 -->
-- `TaintToleration`：实现了[污点和容忍](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)。
+- `TaintToleration`：实现了[污点和容忍](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)。
 
   实现的扩展点：`filter`，`prescore`，`score`。
 <!--  
@@ -223,8 +223,8 @@ extension points:
   and [node affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
   Extension points: `filter`, `score`.
 -->
-- `NodeAffinity`：实现了[节点选择器](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
-  和[节点亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)。
+- `NodeAffinity`：实现了[节点选择器](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+  和[节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)。
 
   实现的扩展点：`filter`，`score`.
 <!--  
@@ -232,7 +232,7 @@ extension points:
   [Pod topology spread](/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
   Extension points: `preFilter`, `filter`, `preScore`, `score`.
 -->
-- `PodTopologySpread`：实现了 [Pod 拓扑分布](/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints/)。
+- `PodTopologySpread`：实现了 [Pod 拓扑分布](/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints/)。
 
   实现的扩展点：`preFilter`，`filter`，`preScore`，`score`。
 <!--  
@@ -251,7 +251,7 @@ extension points:
 -->
 - `NodeResourcesFit`：检查节点是否拥有 Pod 请求的所有资源。
   得分可以使用以下三种策略之一：`LeastAllocated`（默认）、`MostAllocated`
-  和`RequestedToCapacityRatio`。
+  和 `RequestedToCapacityRatio`。
 
   实现的扩展点：`preFilter`，`filter`，`score`。
 <!--  
@@ -331,7 +331,7 @@ extension points:
   [inter-Pod affinity and anti-affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
   Extension points: `preFilter`, `filter`, `preScore`, `score`.
 -->
-- `InterPodAffinity`：实现 [Pod 间亲和性与反亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)。
+- `InterPodAffinity`：实现 [Pod 间亲和性与反亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity)。
 
   实现的扩展点：`preFilter`，`filter`，`preScore`，`score`。
 <!--  
@@ -501,7 +501,7 @@ This would equate to manually enabling `MyPlugin` for all of its extension
 points, like so:
 -->
 
-这相当于为所有扩展点手动启用`MyPlugin`，如下所示：
+这相当于为所有扩展点手动启用 `MyPlugin`，如下所示：
 
 ```yaml
 apiVersion: kubescheduler.config.k8s.io/v1beta3
@@ -732,7 +732,7 @@ as well as its seamless integration with the existing methods for configuring ex
 ## Scheduler configuration migrations
 -->
 
-## 调度程序配置迁移
+## 调度程序配置迁移   {#scheduler-configuration-migrations}
 {{< tabs name="tab_with_md" >}}
 {{% tab name="v1beta1 → v1beta2" %}}
 <!--
@@ -767,21 +767,21 @@ as well as its seamless integration with the existing methods for configuring ex
 * The scheduler plugin `NodeLabel` is deprecated; instead, use the [`NodeAffinity`](/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) plugin (enabled by default) to achieve similar behavior.
 -->
 * 调度器插件 `NodeLabel` 已弃用；
-  相反，要使用 [`NodeAffinity`](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 
+  相反，要使用 [`NodeAffinity`](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 
   插件（默认启用）来实现类似的行为。
 
 <!--
 * The scheduler plugin `ServiceAffinity` is deprecated; instead, use the [`InterPodAffinity`](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) plugin (enabled by default) to achieve similar behavior.
 -->
 * 调度程序插件 `ServiceAffinity` 已弃用；
-  相反，使用 [`InterPodAffinity`](/zh/doc/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) 
+  相反，使用 [`InterPodAffinity`](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) 
   插件（默认启用）来实现类似的行为。
   
 <!--
 * The scheduler plugin `NodePreferAvoidPods` is deprecated; instead, use [node taints](/docs/concepts/scheduling-eviction/taint-and-toleration/) to achieve similar behavior.
 -->
 * 调度器插件 `NodePreferAvoidPods` 已弃用；
-  相反，使用 [节点污点](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/) 来实现类似的行为。
+  相反，使用 [节点污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/) 来实现类似的行为。
 
 <!--
 * A plugin enabled in a v1beta2 configuration file takes precedence over the default configuration for that plugin.
@@ -817,7 +817,7 @@ as well as its seamless integration with the existing methods for configuring ex
 * Read the [kube-scheduler configuration (v1beta2)](/docs/reference/config-api/kube-scheduler-config.v1beta2/) reference
 * Read the [kube-scheduler configuration (v1beta3)](/docs/reference/config-api/kube-scheduler-config.v1beta3/) reference
 -->
-* 阅读 [kube-scheduler 参考](/zh/docs/reference/command-line-tools-reference/kube-scheduler/)
-* 了解[调度](/zh/docs/concepts/scheduling-eviction/kube-scheduler/)
-* 阅读 [kube-scheduler 配置 (v1beta2)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta2/) 参考
-* 阅读 [kube-scheduler 配置 (v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/) 参考
+* 阅读 [kube-scheduler 参考](/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/)
+* 了解[调度](/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/)
+* 阅读 [kube-scheduler 配置 (v1beta2)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta2/) 参考
+* 阅读 [kube-scheduler 配置 (v1beta3)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/) 参考
diff --git a/content/zh/docs/reference/scheduling/policies.md b/content/zh-cn/docs/reference/scheduling/policies.md
similarity index 78%
rename from content/zh/docs/reference/scheduling/policies.md
rename to content/zh-cn/docs/reference/scheduling/policies.md
index dbc6a958606be..89905d3bb27cb 100644
--- a/content/zh/docs/reference/scheduling/policies.md
+++ b/content/zh-cn/docs/reference/scheduling/policies.md
@@ -26,17 +26,17 @@ This scheduling policy is not supported since Kubernetes v1.23. Associated flags
 
 但是从 Kubernetes v1.23 版本开始，不再支持这种调度策略。
 同样地也不支持相关的 `policy-config-file`、 `policy-configmap`、 `policy-configmap-namespace` 以及 `use-legacy-policy-config` 标志。
-你可以通过使用 [调度配置](/zh/docs/reference/scheduling/config/)来实现类似的行为。
+你可以通过使用 [调度配置](/zh-cn/docs/reference/scheduling/config/)来实现类似的行为。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
 * Learn about [scheduling](/docs/concepts/scheduling-eviction/kube-scheduler/)
 * Learn about [kube-scheduler Configuration](/docs/reference/scheduling/config/)
-* Read the [kube-scheduler configuration reference (v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)
+* Read the [kube-scheduler configuration reference (v1beta3)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)
 -->
 
-* 了解 [调度](/zh/docs/concepts/scheduling-eviction/kube-scheduler/)。
-* 了解 [kube-scheduler 配置](/zh/docs/reference/scheduling/config/)。
-* 阅读 [kube-scheduler 配置参考(v1beta3)](/zh/docs/reference/config-api/kube-scheduler-config.v1beta3/)。
+* 了解 [调度](/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/)。
+* 了解 [kube-scheduler 配置](/zh-cn/docs/reference/scheduling/config/)。
+* 阅读 [kube-scheduler 配置参考(v1beta3)](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1beta3/)。
 
diff --git a/content/zh/docs/reference/setup-tools/_index.md b/content/zh-cn/docs/reference/setup-tools/_index.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/_index.md
rename to content/zh-cn/docs/reference/setup-tools/_index.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/_index.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/_index.md
similarity index 82%
rename from content/zh/docs/reference/setup-tools/kubeadm/_index.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/_index.md
index fcb5542a297b5..36e69e23422e1 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/_index.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/_index.md
@@ -40,7 +40,7 @@ Instead, we expect higher-level and more tailored tooling to be built on top of
 To install kubeadm, see the [installation guide](/docs/setup/production-environment/tools/kubeadm/install-kubeadm).
 -->
 要安装 kubeadm, 请查阅
-[安装指南](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
+[安装指南](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
 
 ## {{% heading "whatsnext" %}}
 
@@ -56,24 +56,24 @@ To install kubeadm, see the [installation guide](/docs/setup/production-environm
 * [kubeadm version](/docs/reference/setup-tools/kubeadm/kubeadm-version) to print the kubeadm version
 * [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha) to preview a set of features made available for gathering feedback from the community
  -->
-* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init)
+* [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init)
   用于搭建控制平面节点
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join)
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join)
   用于搭建工作节点并将其加入到集群中
-* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade)
+* [kubeadm upgrade](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade)
   用于升级 Kubernetes 集群到新版本
-* [kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config)
+* [kubeadm config](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config)
   如果你使用了 v1.7.x 或更低版本的 kubeadm 版本初始化你的集群，则使用
   `kubeadm upgrade` 来配置你的集群
-* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token)
+* [kubeadm token](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token)
   用于管理 `kubeadm join` 使用的令牌
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset)
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset)
   用于恢复通过 `kubeadm init` 或者 `kubeadm join` 命令对节点进行的任何变更
-* [kubeadm certs](/zh/docs/reference/setup-tools/kubeadm/kubeadm-certs)
+* [kubeadm certs](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs)
   用于管理 Kubernetes 证书
 * [kubeadm kubeconfig](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
   用于管理 kubeconfig 文件
-* [kubeadm version](/zh/docs/reference/setup-tools/kubeadm/kubeadm-version)
+* [kubeadm version](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-version)
   用于打印 kubeadm 的版本信息
-* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha)
+* [kubeadm alpha](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha)
   用于预览一组可用于收集社区反馈的特性
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/README.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/README.md
similarity index 53%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/README.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/README.md
index b718c7ef340b8..c7321f582d017 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/README.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/README.md
@@ -1 +1 @@
-此目录下的所有文件都是从其他仓库自动生成的。 **不要人工编辑它们。 您必须在上游仓库中编辑它们**
+此目录下的所有文件都是从其他仓库自动生成的。 **不要人工编辑它们。 你必须在上游仓库中编辑它们**
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/_index.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/_index.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/_index.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/_index.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
similarity index 97%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
index 83ece115b2ceb..7e07147a3f725 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
@@ -40,7 +40,7 @@ Example usage:
     (where your workloads, like Pods and Deployments run). 
 -->
 
-创建一个有两台机器的集群，包含一个主节点（用来控制集群），和一个工作节点（运行您的工作负载，像 Pod 和 Deployment）。
+创建一个有两台机器的集群，包含一个主节点（用来控制集群），和一个工作节点（运行你的工作负载，像 Pod 和 Deployment）。
 
 <!--
     ┌──────────────────────────────────────────────────────────┐
@@ -72,7 +72,7 @@ Example usage:
 └──────────────────────────────────────────────────────────┘
 ```
 
-您可以重复第二步，向集群添加更多机器。
+你可以重复第二步，向集群添加更多机器。
 
 <!-- 
 ### Options 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_certificate-key.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_certificate-key.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_certificate-key.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_certificate-key.md
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md
new file mode 100644
index 0000000000000..5cff01b9f75b0
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md
@@ -0,0 +1,130 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Check certificates expiration for a Kubernetes cluster 
+-->
+为一个 Kubernetes 集群检查证书的到期时间
+
+<!--
+### Synopsis
+-->
+### 概要
+
+<!-- 
+Checks expiration for the certificates in the local PKI managed by kubeadm.
+-->
+检查 kubeadm 管理的本地 PKI 中证书的到期时间。
+
+```
+kubeadm certs check-expiration [flags]
+```
+
+<!--
+### Options
+-->
+### 选项 
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<!--
+<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/pki"</td> 
+-->
+<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: "/etc/kubernetes/pki"</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>The path where to save the certificates</p> 
+-->
+<p>保存证书的路径</p> 
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>Path to a kubeadm configuration file.</p> 
+-->
+<p>kubeadm 配置文件的路径</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>help for check-expiration</p> 
+-->
+<p>check-expiration 的帮助命令</p> 
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!-- 
+--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf" 
+-->
+--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认为: "/etc/kubernetes/admin.conf"
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p> 
+-->
+<p>在和集群连接时使用该 kubeconfig 文件。
+如果该标志没有设置，那么将会在一些标准的位置去搜索存在的 kubeconfig 文件。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+### 继承于父命令的选项 
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+ -->
+<p>[实验] 到'真实'主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
similarity index 70%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
index 03dcc9298bcf8..30a7f0995c836 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_generate-csr.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Generate keys and certificate signing requests
+-->
+生成密钥和证书签名请求
 
 <!-- ### Synopsis -->
 ### 概要
@@ -13,7 +28,7 @@ Generates keys and certificate signing requests (CSRs) for all the certificates
 This command is designed for use in [Kubeadm External CA Mode](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode). It generates CSRs which you can then submit to your external certificate authority for signing.
 -->
 此命令设计用于
-[Kubeadm 外部 CA 模式](https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode)。 
+[Kubeadm 外部 CA 模式](https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode)。 
 它生成你可以提交给外部证书颁发机构进行签名的 CSR。
 
 <!--  
@@ -60,7 +75,7 @@ kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s
 </tr>
 <tr>
 <!-- td></td><td style="line-height: 130%; word-wrap: break-word;">The path where to save the certificates</td-->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">保存证书的路径</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>保存证书的路径</p></td>
 </tr>
 
 <tr>
@@ -68,7 +83,7 @@ kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s
 </tr>
 <tr>
 <!-- td></td><td style="line-height: 130%; word-wrap: break-word;">Path to a kubeadm configuration file.</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">kubeadm 配置文件的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>kubeadm 配置文件的路径。</p></td>
 </tr>
 
 <tr>
@@ -76,7 +91,7 @@ kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s
 </tr>
 <tr>
 <!-- td></td><td style="line-height: 130%; word-wrap: break-word;">help for generate-csr</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">generate-csr 命令的帮助</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>generate-csr 命令的帮助</p></td>
 </tr>
 
 <tr>
@@ -85,7 +100,7 @@ kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s
 </tr>
 <tr>
 <!-- td></td><td style="line-height: 130%; word-wrap: break-word;">The path where to save the kubeconfig file.</td-->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">保存 kubeconfig 文件的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>保存 kubeconfig 文件的路径。</p></td>
 </tr>
 
 </tbody>
@@ -108,9 +123,8 @@ kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s
 </tr>
 <tr>
 <!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[实验] 到'真实'主机根文件系统的路径。</p></td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md
similarity index 68%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md
index d770d8438d417..de9376b6abd42 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_admin.conf.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself 
+-->
+续订 kubeconfig 文件中嵌入的证书，供管理员 和 kubeadm 自身使用。
 
 <!--
 ### Synopsis
@@ -51,9 +66,9 @@ kubeadm certs renew admin.conf [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the certificates.
+<p>The path where to save the certificates</p>
 -->
-保存证书的路径。
+<p>保存证书的路径。</p>
 </td>
 </tr>
 
@@ -62,30 +77,8 @@ The path where to save the certificates.
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Path to a kubeadm configuration file.  -->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The path to output the CSRs and private keys to -->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
--->
-创建 CSR 而不是生成证书
+<!-- <p>Path to a kubeadm configuration file.</p> -->
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -94,8 +87,8 @@ Create CSRs instead of generating certificates
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for admin.conf -->
-admin.conf 子操作的帮助命令
+<!-- <p>help for admin.conf</p> -->
+<p>admin.conf 子操作的帮助命令</p>
 </td>
 </tr>
 
@@ -104,9 +97,9 @@ admin.conf 子操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.  -->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+<!-- <p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>  -->
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -143,9 +136,9 @@ Use the Kubernetes certificate API to renew certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md
similarity index 63%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md
index 2ac56da0ddd32..28a9fbd42f626 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_all.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew all available certificates 
+-->
+续订所有可用证书
 
 <!--
 ### Synopsis
@@ -36,9 +51,9 @@ kubeadm certs renew all [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -48,33 +63,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-输出 CSR 和私钥的路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
+<p>Path to a kubeadm configuration file.</p>
 -->
-创建 CSR 而不是生成证书
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -84,9 +75,9 @@ Create CSRs instead of generating certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for all
+<p>help for all</p>
 -->
-all 操作的帮助命令
+<p>all 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -101,10 +92,10 @@ all 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -141,9 +132,9 @@ Use the Kubernetes certificate API to renew certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md
similarity index 67%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md
index 2e5c428da3df4..235206573c91e 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-etcd-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew the certificate the apiserver uses to access etcd 
+-->
+续订 apiserver 用于访问 etcd 的证书
 
 <!-- 
 ### Synopsis
@@ -49,8 +64,10 @@ kubeadm certs renew apiserver-etcd-client [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The path where to save and store the certificates.  -->
-存储证书的路径。
+<!-- 
+<p>The path where to save and store the certificates.</p>
+-->
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -59,28 +76,10 @@ kubeadm certs renew apiserver-etcd-client [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Path to a kubeadm configuration file.  -->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The path to output the CSRs and private keys to -->
-输出 CSR 和私钥的路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Create CSRs instead of generating certificates -->
-创建 CSR 而不是生成证书
+<!-- 
+<p>Path to a kubeadm configuration file.</p>  
+-->
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -89,8 +88,10 @@ kubeadm 配置文件的路径。
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for apiserver-etcd-client -->
-apiserver-etcd-client 操作的帮助命令
+<!-- 
+<p>help for apiserver-etcd-client</p>
+-->
+<p>apiserver-etcd-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -105,20 +106,10 @@ apiserver-etcd-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--use-api</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Use the Kubernetes certificate API to renew certificates -->
-使用 Kubernetes 证书 API 续订证书
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -144,8 +135,10 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md
similarity index 70%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md
index 9b1d8127b9482..4272890db49a3 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver-kubelet-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew the certificate for the API server to connect to kubelet 
+-->
+续订 apiserver 用于连接 kubelet 的证书。
 
 <!-- 
 ### Synopsis
@@ -52,9 +67,9 @@ kubeadm certs renew apiserver-kubelet-client [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -64,33 +79,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-输出 CSR 和私钥的路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
+<p>Path to a kubeadm configuration file.</p>
 -->
-创建 CSR 而不是生成证书
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -100,9 +91,9 @@ Create CSRs instead of generating certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for apiserver-kubelet-client
+<p>help for apiserver-kubelet-client</p>
 -->
-apiserver-kubelet-client 操作的帮助命令
+<p>apiserver-kubelet-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -117,10 +108,10 @@ apiserver-kubelet-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -157,9 +148,9 @@ Use the Kubernetes certificate API to renew certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
similarity index 73%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
index a2e2e2c9156fe..345147be1466a 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_apiserver.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Renew the certificate for serving the Kubernetes API
+-->
+续订用于提供 Kubernetes API 的证书
 
 <!--
 ### Synopsis
@@ -12,7 +28,6 @@ Renew the certificate for serving the Kubernetes API.
 <!--
 Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
 -->
-
 无论证书的到期日期如何，续订都会无条件地进行；SAN 等额外属性将基于现有文件/证书，因此无需重新提供它们。
 
 <!--
@@ -22,7 +37,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 可以使用 K8s 证书 API 进行证书更新，或者作为最后一个选择来生成 CSR 请求。
 
 <!--
-After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
+After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 -->
 续订后，为了使更改生效，需要重新启动控制平面组件，并最终重新分发更新的证书，以防文件在其他地方使用。
 
@@ -55,7 +70,9 @@ kubeadm certs renew apiserver [flags]
 <!--
 The path where to save the certificates.
 -->
+<p>
 保存证书的路径。
+</p>
 </td>
 </tr>
 
@@ -67,31 +84,9 @@ The path where to save the certificates.
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;"> 
-<!--
-The path to output the CSRs and private keys to
--->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
--->
-创建 CSR 而不是生成证书
+</p>
 </td>
 </tr>
 
@@ -103,37 +98,26 @@ Create CSRs instead of generating certificates
 <!--
 help for apiserver
 -->
+<p>
 apiserver 子操作的帮助命令
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">
-<!--
---kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
--->
+<td colspan="2"><!-- --kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf" -->
 --kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"
 </td>
 </tr>
+
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。
 如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--use-api</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use the Kubernetes certificate API to renew certificates
--->
-使用 Kubernetes 证书 API 续订证书
+</p>
 </td>
 </tr>
 
@@ -143,7 +127,6 @@ Use the Kubernetes certificate API to renew certificates
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -161,10 +144,11 @@ Use the Kubernetes certificate API to renew certificates
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md
similarity index 69%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md
index a4d974bb52f76..9285782b4baea 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_controller-manager.conf.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew the certificate embedded in the kubeconfig file for the controller manager to use 
+-->
+续订 kubeconfig 文件中嵌入的证书，以供控制器管理器（Controller Manager）使用。
 
 <!--
 ### Synopsis
@@ -52,9 +67,9 @@ kubeadm alpha renew controller-manager.conf [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the certificates.
+<p>The path where to save the certificates.</p>
 -->
-保存证书的路径。
+<p>保存证书的路径。</p>
 </td>
 </tr>
 
@@ -64,33 +79,9 @@ The path where to save the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
+<p>Path to a kubeadm configuration file.</p>
 -->
-创建 CSR 而不是生成证书
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -100,9 +91,9 @@ Create CSRs instead of generating certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for controller-manager.conf
+<p>help for controller-manager.conf</p>
 -->
-controller-manager.conf 操作的帮助命令
+<p>controller-manager.conf 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -117,10 +108,10 @@ controller-manager.conf 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -157,9 +148,9 @@ Use the Kubernetes certificate API to renew certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
similarity index 78%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
index 44f59cffa08e8..bb417a018e5c6 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-healthcheck-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Renew the certificate for liveness probes to healthcheck etcd
+-->
+续订存活态探针的证书，用于对 etcd 执行健康检查
 
 <!--
 ### Synopsis
@@ -21,7 +36,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 也可以使用 K8s certificate API 进行证书续订，或者（作为最后一种选择）生成 CSR 请求。
 
 <!--
-After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
+After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 -->
 续订后，为了使更改生效，需要重新启动控制平面组件，并最终重新分发更新的证书，以防证书文件在其他地方使用。
 
@@ -54,7 +69,9 @@ kubeadm certs renew etcd-healthcheck-client [flags]
 <!--
 The path where to save the certificates.
 -->
+<p>
 保存证书的路径。
+</p>
 </td>
 </tr>
 
@@ -66,33 +83,10 @@ The path where to save the certificates.
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
--->
-创建 CSR 而不是生成证书
-</td>
-</tr>
 
 <tr>
 <td colspan="2">-h, --help</td>
@@ -102,7 +96,9 @@ Create CSRs instead of generating certificates
 <!--
 help for etcd-healthcheck-client
 -->
+<p>
 etcd-healthcheck-client 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -119,20 +115,10 @@ etcd-healthcheck-client 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。
 如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--use-api</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use the Kubernetes certificate API to renew certificates
--->
-使用 Kubernetes 证书 API 续订证书
+</p>
 </td>
 </tr>
 
@@ -159,10 +145,11 @@ Use the Kubernetes certificate API to renew certificates
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
similarity index 82%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
index 55264306eb8ce..1207467a3f287 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-peer.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Renew the certificate for etcd nodes to communicate with each other
+-->
+续订 etcd 节点间用来相互通信的证书
 
 <!--
 ### Synopsis
@@ -54,7 +70,9 @@ kubeadm certs renew etcd-peer [flags]
 <!--
 The path where to save the certificates.
 -->
+<p>
 保存证书的路径。
+</p>
 </td>
 </tr>
 
@@ -66,31 +84,9 @@ The path where to save the certificates.
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
--->
-创建 CSR 而不是生成证书
+</p>
 </td>
 </tr>
 
@@ -119,22 +115,16 @@ etcd-peer 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。
 如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
 <tr>
 <td colspan="2">--use-api</td>
 </tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use the Kubernetes certificate API to renew certificates
--->
-使用 Kubernetes 证书 API 续订证书
-</td>
-</tr>
 
 </tbody>
 </table>
@@ -159,10 +149,11 @@ Use the Kubernetes certificate API to renew certificates
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
similarity index 78%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
index 237c9d3f4465a..2b828425447fa 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_etcd-server.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Renew the certificate for serving etcd
+-->
+续订用于提供 etcd 服务的证书
 
 <!--
 ### Synopsis
@@ -21,7 +36,7 @@ Renewal by default tries to use the certificate authority in the local PKI manag
 可以使用 K8s 证书 API 进行证书续订，或者作为最后一种选择来生成 CSR 请求。
 
 <!--
-After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
+After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
 -->
 续订后，为了使更改生效，需要重新启动控制平面组件，并最终重新分发更新的证书，以防文件在其他地方使用。
 
@@ -54,7 +69,9 @@ kubeadm certs renew etcd-server [flags]
 <!--
 The path where to save the certificates.
 -->
+<p>
 保存证书的路径。
+</p>
 </td>
 </tr>
 
@@ -66,31 +83,9 @@ The path where to save the certificates.
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
--->
-创建 CSR 而不是生成证书
+</p>
 </td>
 </tr>
 
@@ -102,7 +97,9 @@ Create CSRs instead of generating certificates
 <!--
 help for etcd-server
 -->
+<p>
 etcd-server 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -119,22 +116,16 @@ etcd-server 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。
 如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
 <tr>
 <td colspan="2">--use-api</td>
 </tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use the Kubernetes certificate API to renew certificates
--->
-使用 Kubernetes 证书 API 续订证书
-</td>
-</tr>
 
 </tbody>
 </table>
@@ -142,7 +133,6 @@ Use the Kubernetes certificate API to renew certificates
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -160,10 +150,11 @@ Use the Kubernetes certificate API to renew certificates
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md
similarity index 70%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md
index 7dac9e30d2754..ca748f5482ff0 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_front-proxy-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew the certificate for the front proxy client 
+-->
+为前端代理客户端续订证书。
 
 <!--
 ### Synopsis
@@ -48,9 +63,9 @@ kubeadm certs renew front-proxy-client [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the certificates
+<p>The path where to save the certificates</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -60,33 +75,9 @@ The path where to save the certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
--->
-输出 CSR 和私钥的路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
+<p>Path to a kubeadm configuration file.</p>
 -->
-创建 CSR 而不是生成证书
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -96,9 +87,9 @@ Create CSRs instead of generating certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for front-proxy-client
+<p>help for front-proxy-client</p>
 -->
-front-proxy-client 操作的帮助命令
+<p>front-proxy-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -113,10 +104,10 @@ front-proxy-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -153,9 +144,9 @@ Use the Kubernetes certificate API to renew certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md
similarity index 68%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md
index 9898202f484df..33a13fb95c4e0 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_renew_scheduler.conf.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Renew the certificate embedded in the kubeconfig file for the scheduler manager to use 
+-->
+续订 kubeconfig 文件中嵌入的证书，以供调度管理器使用
 
 <!--
 ### Synopsis
@@ -52,9 +67,9 @@ kubeadm certs renew scheduler.conf [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the certificates.
+<p>The path where to save the certificates.</p>
 -->
-保存证书的路径。
+<p>保存证书的路径。</p>
 </td>
 </tr>
 
@@ -64,33 +79,9 @@ The path where to save the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path to output the CSRs and private keys to
+<p>Path to a kubeadm configuration file.</p>
 -->
-CSR 和私钥的输出路径
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--csr-only</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create CSRs instead of generating certificates
--->
-创建 CSR 而不是生成证书
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -100,9 +91,9 @@ Create CSRs instead of generating certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for scheduler.conf
+<p>help for scheduler.conf</p>
 -->
-scheduler.conf 操作的帮助命令
+<p>scheduler.conf 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -117,22 +108,10 @@ scheduler.conf 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
--->
-与集群通信时使用的 kubeconfig 文件。
-如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--use-api</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use the Kubernetes certificate API to renew certificates
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-使用 Kubernetes 证书 API 续订证书
+<p>与集群通信时使用的 kubeconfig 文件。
+如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -157,9 +136,9 @@ Use the Kubernetes certificate API to renew certificates
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
similarity index 98%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
index be3bf82b867f5..73979c0424c3b 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
@@ -61,7 +61,7 @@ If bash-completion is not installed on Linux, please install the 'bash-completio
 via your distribution's package manager.
 -->
 
-如果在 Linux 上没有安装 bash-completion，请通过您的发行版的包管理器安装 `bash-completion` 软件包。
+如果在 Linux 上没有安装 bash-completion，请通过你的发行版的包管理器安装 `bash-completion` 软件包。
 
 <!--
 Note for zsh users: [1] zsh completions are only supported in versions of zsh &gt;= 5.2
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
similarity index 63%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
index 3d15456c8d2c5..b45cb94f1cd43 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster 
+-->
+管理持久化在 ConfigMap 中的 kubeadm 集群的配置
 
 <!--
 ### Synopsis
@@ -41,8 +56,10 @@ kubeadm config [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for config -->
-config 操作的帮助命令
+<!-- 
+<p>help for config</p>
+-->
+<p>config 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -56,10 +73,11 @@ config 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The kubeconfig file to use when talking to the cluster.
-If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<!-- 
+<p>The kubeconfig file to use when talking to the cluster.
+If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-用于和集群通信的 kubeconfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件
+<p>用于和集群通信的 kubeconfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件
 </td>
 </tr>
 
@@ -84,8 +102,10 @@ If the flag is not set, a set of standard locations can be searched for an exist
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
similarity index 70%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
index 6177ab80c1efa..ae7f5ac3f1572 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Interact with container images used by kubeadm
+-->
+与 kubeadm 使用的容器镜像交互
 
 <!--
 ### Synopsis
@@ -36,7 +51,9 @@ kubeadm config images [flags]
 <!--
 help for images
 -->
+<p>
 images 的帮助命令
+</p>
 </td>
 </tr>
 
@@ -47,7 +64,6 @@ images 的帮助命令
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -70,7 +86,9 @@ images 的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 用于和集群通信的 kubeconfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -82,7 +100,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
similarity index 92%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
index 705b8d76ab0d1..1f8db00a51d5b 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
@@ -16,16 +16,21 @@ guide. You can file document formatting bugs against the
 -->
 
 <!--
+
+<!--
+Print a list of images kubeadm will use. The configuration file is used in case any images or image repositories are customized
+-->
+打印 kubeadm 要使用的镜像列表。配置文件用于自定义镜像或镜像存储库
+
 ### Synopsis
 -->
 
 ### 概要
 
 <!--
-Print a list of images kubeadm will use. The configuration file is used in case any images or image repositories are customized.
+Print a list of images kubeadm will use. The configuration file is used in case any images or image repositories are customized
 -->
-
-打印 kubeadm 要使用的镜像列表。配置文件用于自定义任何镜像或镜像存储库。
+打印 kubeadm 要使用的镜像列表。配置文件用于自定义镜像或镜像存储库
 
 ```
 kubeadm config images list [flags]
@@ -63,49 +68,49 @@ If true, ignore any errors in templates when a field or map key is missing in th
 </tr>
 
 <tr>
-<td colspan="2">
-<!-- -o, --experimental-output string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "text" -->
--o, --experimental-output string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："text"
-</td>
+<td colspan="2">--config string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
+<!--
+Path to a kubeadm configuration file.
 -->
 <p>
-输出格式：text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file 其中之一
+kubeadm 配置文件的路径。
 </p>
 </td>
 </tr>
-
 <tr>
-<td colspan="2">--config string</td>
+<td colspan="2">
+<!-- -o, --experimental-output string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "text" -->
+-o, --experimental-output string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："text"
+</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to a kubeadm configuration file.
+<!--  
+Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
 -->
 <p>
-kubeadm 配置文件的路径。
+输出格式：text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file 其中之一
 </p>
 </td>
 </tr>
 
+
 <tr>
 <td colspan="2">--feature-gates string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of key=value pairs that describe feature gates for various features. Options are:<br/>PublicKeysECDSA=true|false (ALPHA - default=false)<br/>RootlessControlPlane=true|false (ALPHA - default=false)<br/>UnversionedKubeletConfigMap=true|false (ALPHA - default=false)
+A set of key=value pairs that describe feature gates for various features. Options are:<br/>PublicKeysECDSA=true|false (ALPHA - default=false)<br/>RootlessControlPlane=true|false (ALPHA - default=false)<br/>UnversionedKubeletConfigMap=true|false (BETA - default=true)
 -->
 <p>
 一组键值对（key=value），用于描述各种特征。选项是：
 <br/>PublicKeysECDSA=true|false (ALPHA - 默认=false)
 <br/>RootlessControlPlane=true|false (ALPHA - 默认=false)
-<br/>UnversionedKubeletConfigMap=true|false (ALPHA - 默认=false)
+<br/>UnversionedKubeletConfigMap=true|false (BETA - 默认=true)
 </p>
 </td>
 </tr>
@@ -184,7 +189,6 @@ If true, keep the managedFields when printing objects in JSON or YAML format.
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_pull.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
similarity index 58%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
index 7d1ae11ea0e23..df70d0663734a 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_migrate.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Read an older version of the kubeadm configuration API types from a file, and output the similar config object for the newer version 
+-->
+从文件中读取旧版本的 kubeadm 配置的 API 类型，并为新版本输出类似的配置对象
 
 <!--
 ### Synopsis
@@ -9,12 +24,11 @@
 This command lets you convert configuration objects of older versions to the latest supported version,
 locally in the CLI tool without ever touching anything in the cluster.
 In this version of kubeadm, the following API versions are supported:
-- kubeadm.k8s.io/v1beta2
+- kubeadm.k8s.io/v1beta3
 -->
 
 此命令允许您在 CLI 工具中将本地旧版本的配置对象转换为最新支持的版本，而无需变更集群中的任何内容。在此版本的 kubeadm 中，支持以下 API 版本：
-
-- kubeadm.k8s.io/v1beta2
+- kubeadm.k8s.io/v1beta3
 
 <!--
 Further, kubeadm can only write out config of version "kubeadm.k8s.io/v1beta2", but read both types.
@@ -55,8 +69,10 @@ kubeadm config migrate [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for migrate -->
-migrate 操作的帮助信息
+<!-- 
+<p>help for migrate</p> 
+-->
+<p>migrate 操作的帮助信息</p>
 </td>
 </tr>
 
@@ -66,9 +82,9 @@ migrate 操作的帮助信息
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to the resulting equivalent kubeadm config file using the new API version. Optional, if not specified output will be sent to STDOUT.
+<p>Path to the resulting equivalent kubeadm config file using the new API version. Optional, if not specified output will be sent to STDOUT.</p>
 -->
-使用新的 API 版本生成的 kubeadm 配置文件的路径。这个路径是可选的。如果没有指定，输出将被写到 stdout。
+<p>使用新的 API 版本生成的 kubeadm 配置文件的路径。这个路径是可选的。如果没有指定，输出将被写到 stdout。</p>
 </td>
 </tr>
 
@@ -78,9 +94,9 @@ Path to the resulting equivalent kubeadm config file using the new API version.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to the kubeadm config file that is using an old API version and should be converted. This flag is mandatory.
+<p>Path to the kubeadm config file that is using an old API version and should be converted. This flag is mandatory.</p>
 -->
-使用旧 API 版本且应转换的 kubeadm 配置文件的路径。此参数是必需的。
+<p>使用旧 API 版本且应转换的 kubeadm 配置文件的路径。此参数是必需的。</p>
 </td>
 </tr>
 
@@ -109,9 +125,9 @@ Path to the kubeadm config file that is using an old API version and should be c
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-用于和集群通信的 kubeconfig 文件。如果未设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。
+<p>用于和集群通信的 kubeconfig 文件。如果未设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -120,8 +136,10 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print.md
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_init-defaults.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_init-defaults.md
new file mode 100644
index 0000000000000..0ae02abb63955
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_init-defaults.md
@@ -0,0 +1,123 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Print default init configuration, that can be used for 'kubeadm init' 
+-->
+打印用于 'kubeadm init' 的默认 init 配置
+
+<!--
+### Synopsis
+-->
+### 概要
+
+<!--
+This command prints objects such as the default init configuration that is used for 'kubeadm init'.
+-->
+
+此命令打印对象，例如用于 'kubeadm init' 的默认 init 配置对象。
+
+<!--
+<p>Note that sensitive values like the Bootstrap Token fields are replaced with placeholder values like "abcdef.0123456789abcdef" in order to pass validation but
+not perform the real computation for creating a token.
+-->
+
+<p>请注意，Bootstrap Token 字段之类的敏感值已替换为 "abcdef.0123456789abcdef" 之类的占位符值以通过验证，但不执行创建令牌的实际计算。
+
+```
+kubeadm config print init-defaults [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--component-configs strings</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>A comma-separated list for component config API objects to print the default values for. Available values: [KubeProxyConfiguration KubeletConfiguration]. If this flag is not set, no component configs will be printed.</p>
+-->
+<p>组件配置 API 对象的逗号分隔列表，打印其默认值。可用值：[KubeProxyConfiguration KubeletConfiguration]。如果未设置此参数，则不会打印任何组件配置。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for init-defaults</p>
+-->
+<p>init-defaults 操作的帮助命令</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">
+<!--
+--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
+-->
+--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
+-->
+<p>与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
similarity index 70%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
index 6b63d74216ff3..3e69e53bf303b 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_join-defaults.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Print default join configuration, that can be used for 'kubeadm join'
+-->
+打印默认的节点添加配置，该配置可用于 'kubeadm join' 命令
 
 <!--
 ### Synopsis
@@ -12,12 +28,12 @@ This command prints objects such as the default join configuration that is used
 此命令打印对象，例如用于 'kubeadm join' 的默认 join 配置对象。
 
 <!--
-Note that sensitive values like the Bootstrap Token fields are replaced with placeholder values like {"abcdef.0123456789abcdef" "" "nil" &lt;nil&gt; [] []} in order to pass validation but
+Note that sensitive values like the Bootstrap Token fields are replaced with placeholder values like "abcdef.0123456789abcdef" in order to pass validation but
 not perform the real computation for creating a token.
 -->
 
-请注意，诸如启动引导令牌字段之类的敏感值已替换为 {"abcdef.0123456789abcdef" "" "nil" &lt;nil&gt; [] []}
-之类的占位符值以通过验证，但不执行创建令牌的实际计算。
+请注意，诸如启动引导令牌字段之类的敏感值已替换为 "abcdef.0123456789abcdef" 之类的占位符值以通过验证，
+但不执行创建令牌的实际计算。
 
 ```
 kubeadm config print join-defaults [flags]
@@ -37,14 +53,16 @@ kubeadm config print join-defaults [flags]
 <tbody>
 
 <tr>
-<td colspan="2">--component-configs stringSlice</td>
+<td colspan="2">--component-configs strings/td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 A comma-separated list for component config API objects to print the default values for. Available values: [KubeProxyConfiguration KubeletConfiguration]. If this flag is not set, no component configs will be printed.
 -->
+<p>
 组件配置 API 对象的逗号分隔列表，打印其默认值。可用值：[KubeProxyConfiguration KubeletConfiguration]。如果未设置此参数，则不会打印任何组件配置。
+</p>
 </td>
 </tr>
 
@@ -56,7 +74,9 @@ A comma-separated list for component config API objects to print the default val
 <!--
 help for join-defaults
 -->
+<p>
 join-defaults 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -89,7 +109,9 @@ join-defaults 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -101,7 +123,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase.md
new file mode 100644
index 0000000000000..2b74059aefe15
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase.md
@@ -0,0 +1,84 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Use this command to invoke single phase of the init workflow
+-->
+使用此命令可以调用 init 工作流程的单个阶段
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Use this command to invoke single phase of the init workflow
+-->
+
+使用此命令可以调用 init 工作流程的单个阶段
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>help for phase</p>
+-->
+<p>phase 操作的帮助命令</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 继承于父命令的选择项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
similarity index 61%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
index 5a6b5bda67e59..43d750eb5a52f 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Install required addons for passing conformance tests
+-->
+安装必要的插件以通过一致性测试
 
 <!--
 ### Synopsis
@@ -36,7 +51,9 @@ kubeadm init phase addon [flags]
 <!--
 help for addon
 -->
+<p>
 addon 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -64,10 +81,11 @@ addon 操作的帮助命令
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_all.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_coredns.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_kube-proxy.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_kube-proxy.md
similarity index 54%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_kube-proxy.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_kube-proxy.md
index 4698ee4b32f6e..ca63db2de467d 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_kube-proxy.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_addon_kube-proxy.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Install the kube-proxy addon to a Kubernetes cluster 
+-->
+将 kube-proxy 插件安装到 Kubernetes 集群
 
 <!--
 ### Synopsis
@@ -34,9 +49,9 @@ kubeadm init phase addon kube-proxy [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，则将使用默认网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，则将使用默认网络接口。</p>
 </td>
 </tr>
 
@@ -51,9 +66,9 @@ API 服务器所公布的其正在监听的 IP 地址。如果未设置，则将
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Port for the API Server to bind to.
+<p>Port for the API Server to bind to.</p>
 -->
-API 服务器绑定的端口。
+<p>API 服务器绑定的端口。</p>
 </td>
 </tr>
 
@@ -63,9 +78,9 @@ API 服务器绑定的端口。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm config file.
+<p>Path to kubeadm config file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -75,9 +90,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>
 
@@ -87,9 +102,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for kube-proxy
+<p>help for kube-proxy</p>
 -->
-kube-proxy 操作的帮助命令
+<p>kube-proxy 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -104,9 +119,9 @@ kube-proxy 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a container registry to pull control plane images from
+<p>Choose a container registry to pull control plane images from</p>
 -->
-选择用于拉取控制平面镜像的容器仓库
+<p>选择用于拉取控制平面镜像的容器仓库</p>
 </td>
 </tr>
 
@@ -121,9 +136,9 @@ Choose a container registry to pull control plane images from
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+<p>与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -138,9 +153,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -150,9 +165,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
+<p>Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.</p>
 -->
-指定 Pod 网络的 IP 地址范围。如果已设置，控制平面将自动为每个节点分配 CIDR。
+<p>指定 Pod 网络的 IP 地址范围。如果已设置，控制平面将自动为每个节点分配 CIDR。</p>
 </td>
 </tr>
 
@@ -178,9 +193,9 @@ Specify range of IP addresses for the pod network. If set, the control plane wil
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_bootstrap-token.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_bootstrap-token.md
similarity index 60%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_bootstrap-token.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_bootstrap-token.md
index 2ea181aac10ce..5c77af373540b 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_bootstrap-token.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_bootstrap-token.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generates bootstrap tokens used to join a node to a cluster 
+-->
+生成用于将节点加入集群的引导令牌
 
 <!--
 ### Synopsis
@@ -55,9 +70,9 @@ kubeadm init phase bootstrap-token
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -67,9 +82,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for bootstrap-token
+<p>help for bootstrap-token</p>
 -->
-bootstrap-token 操作的帮助命令
+<p>bootstrap-token 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -84,9 +99,9 @@ bootstrap-token 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-用于和集群通信的 kubeconfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。
+<p>用于和集群通信的 kubeconfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。</p>
 </td>
 </tr>
 
@@ -96,9 +111,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Skip printing of the default bootstrap token generated by 'kubeadm init'.
+<p>Skip printing of the default bootstrap token generated by 'kubeadm init'.</p>
 -->
-跳过打印 'kubeadm init' 生成的默认引导令牌。
+<p>跳过打印 'kubeadm init' 生成的默认引导令牌。</p>
 </td>
 </tr>
 
@@ -124,9 +139,9 @@ Skip printing of the default bootstrap token generated by 'kubeadm init'.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_all.md
similarity index 55%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_all.md
index f56cec6086609..38a7fb842db3d 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_all.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_all.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate all certificates 
+-->
+生成所有证书
 
 <!--
 ### Synopsis
@@ -8,7 +23,6 @@
 <!--
 Generate all certificates
 -->
-
 生成所有证书
 
 ```
@@ -34,21 +48,21 @@ kubeadm init phase certs all [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，将使用默认网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，将使用默认网络接口。</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--apiserver-cert-extra-sans stringSlice</td>
+<td colspan="2">--apiserver-cert-extra-sans strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
+<p>Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.</p>
 -->
-用于 API 服务器服务证书的可选额外替代名称（SAN）。可以同时使用 IP 地址和 DNS 名称。
+<p>用于 API 服务器服务证书的可选额外替代名称（SAN）。可以同时使用 IP 地址和 DNS 名称。</p>
 </td>
 </tr>
 
@@ -63,9 +77,9 @@ Optional extra Subject Alternative Names (SANs) to use for the API Server servin
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-证书的存储路径。
+<p>证书的存储路径。</p>
 </td>
 </tr>
 
@@ -75,9 +89,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -87,9 +101,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>
 
@@ -99,9 +113,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for all
+<p>help for all</p>
 -->
-all 操作的帮助命令 
+<p>all 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -116,9 +130,9 @@ all 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -133,9 +147,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use alternative range of IP address for service VIPs.
+<p>Use alternative range of IP address for service VIPs.</p>
 -->
-VIP 服务使用其它的 IP 地址范围。
+<p>VIP 服务使用其它的 IP 地址范围。</p>
 </td>
 </tr>
 
@@ -150,9 +164,9 @@ VIP 服务使用其它的 IP 地址范围。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use alternative domain for services, e.g. "myorg.internal".
+<p>Use alternative domain for services, e.g. "myorg.internal".</p>
 -->
-服务使用其它的域名，例如："myorg.internal"。
+<p>服务使用其它的域名，例如："myorg.internal"。</p>
 </td>
 </tr>
 
@@ -178,9 +192,9 @@ Use alternative domain for services, e.g. "myorg.internal".
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-etcd-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-etcd-client.md
similarity index 58%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-etcd-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-etcd-client.md
index 00444ac3f420a..d3035731f4c68 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-etcd-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-etcd-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the certificate the apiserver uses to access etcd 
+-->
+生成 apiserver 用来访问 etcd 的证书
 
 <!--
 ### Synopsis
@@ -6,10 +21,10 @@
 ### 概要
 
 <!--
-Generate the certificate the apiserver uses to access etcd, and save them into apiserver-etcd-client.cert and apiserver-etcd-client.key files.
+Generate the certificate the apiserver uses to access etcd, and save them into apiserver-etcd-client.crt and apiserver-etcd-client.key files.
 -->
 
-生成 apiserver 用于访问 etcd 的证书，并将其保存到 apiserver-etcd-client.cert 和 apiserver-etcd-client.key 文件中。
+生成 apiserver 用于访问 etcd 的证书，并将其保存到 apiserver-etcd-client.crt 和 apiserver-etcd-client.key 文件中。
 
 <!--
 If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -50,8 +65,10 @@ kubeadm init phase certs apiserver-etcd-client [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The path where to save and store the certificates.  -->
-证书的存储路径。
+<!-- 
+<p>The path where to save and store the certificates.</p>
+-->
+<p>证书的存储路径。</p>
 </td>
 </tr>
 
@@ -60,8 +77,10 @@ kubeadm init phase certs apiserver-etcd-client [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Path to a kubeadm configuration file.  -->
-kubeadm 配置文件的路径。
+<!-- 
+<p>Path to a kubeadm configuration file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -70,8 +89,10 @@ kubeadm 配置文件的路径。
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for apiserver-etcd-client -->
-apiserver-etcd-client 操作的帮助命令
+<!-- 
+<p>help for apiserver-etcd-client</p>
+-->
+<p>apiserver-etcd-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -84,9 +105,9 @@ apiserver-etcd-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面指定特定的 Kubernetes 版本。
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -111,8 +132,10 @@ Choose a specific Kubernetes version for the control plane.
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem. -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-kubelet-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-kubelet-client.md
similarity index 58%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-kubelet-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-kubelet-client.md
index 49b2749c065e0..696f564c6a686 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-kubelet-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver-kubelet-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the certificate for the API server to connect to kubelet 
+-->
+生成供 API 服务器连接 kubelet 的证书
 
 <!-- 
 ### Synopsis
@@ -6,10 +21,9 @@
 ### 概要
 
 <!--
-Generate the certificate for the API server to connect to kubelet, and save them into apiserver-kubelet-client.cert and apiserver-kubelet-client.key files.
+Generate the certificate for the API server to connect to kubelet, and save them into apiserver-kubelet-client.crt and apiserver-kubelet-client.key files.
 -->
-
-生成供 API 服务器连接 kubelet 的证书，并将其保存到 apiserver-kubelet-client.cert 和 apiserver-kubelet-client.key 文件中。
+生成供 API 服务器连接 kubelet 的证书，并将其保存到 apiserver-kubelet-client.crt 和 apiserver-kubelet-client.key 文件中。
 
 <!--
 If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -51,9 +65,9 @@ kubeadm init phase certs apiserver-kubelet-client [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -63,9 +77,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件路径。
+<p>kubeadm 配置文件路径。</p>
 </td>
 </tr>
 
@@ -75,9 +89,9 @@ kubeadm 配置文件路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for apiserver-kubelet-client
+<p>help for apiserver-kubelet-client</p>
 -->
-apiserver-kubelet-client 操作的帮助命令
+<p>apiserver-kubelet-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -92,9 +106,9 @@ apiserver-kubelet-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面指定特定的 Kubernetes 版本。
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -120,9 +134,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 指向宿主机上的 '实际' 根文件系统的路径。
+<p>[实验] 指向宿主机上的 '实际' 根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver.md
similarity index 57%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver.md
index 1b096a7424fb0..84a86e32d3544 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_apiserver.md
@@ -1,21 +1,30 @@
-
 <!--
-### Synopsis
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
 -->
 
-### 概要
+<!-- 
+Generate the certificate for serving the Kubernetes API 
+-->
+生成用于服务 Kubernetes API 的证书
 
 <!--
-Generate the certificate for serving the Kubernetes API, and save them into apiserver.cert and apiserver.key files.
+### Synopsis
 -->
 
-生成用于服务 Kubernetes API 的证书，并将其保存到 apiserver.cert 和 apiserver.key 文件中。
+### 概要
 
 <!--
-Default SANs are kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 10.96.0.1, 127.0.0.1
+Generate the certificate for serving the Kubernetes API, and save them into apiserver.crt and apiserver.key files.
 -->
+生成用于服务 Kubernetes API 的证书，并将其保存到 apiserver.crt 和 apiserver.key 文件中。
 
-默认 SAN 是 kubernetes、kubernetes.default、kubernetes.default.svc、kubernetes.default.svc.cluster.local、10.96.0.1、127.0.0.1。
 
 <!--
 If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -52,21 +61,21 @@ kubeadm init phase certs apiserver [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--apiserver-cert-extra-sans stringSlice</td>
+<td colspan="2">--apiserver-cert-extra-sans strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
+<p>Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.</p>
 -->
-用于 API Server 服务证书的可选附加主体备用名称（SAN）。可以是 IP 地址和 DNS 名称。
+<p>用于 API Server 服务证书的可选附加主体备用名称（SAN）。可以是 IP 地址和 DNS 名称。</p>
 </td>
 </tr>
 
@@ -81,9 +90,9 @@ Optional extra Subject Alternative Names (SANs) to use for the API Server servin
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-证书的存储路径。
+<p>证书的存储路径。</p>
 </td>
 </tr>
 
@@ -93,9 +102,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -105,9 +114,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>
 
@@ -117,9 +126,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for apiserver
+<p>help for apiserver</p>
 -->
-apiserver 操作的帮助命令
+<p>apiserver 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -134,9 +143,9 @@ apiserver 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面指定特定的 Kubernetes 版本。
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -151,9 +160,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use alternative range of IP address for service VIPs.
+<p>Use alternative range of IP address for service VIPs.</p>
 -->
-指定服务 VIP 可使用的其他 IP 地址段。
+<p>指定服务 VIP 可使用的其他 IP 地址段。</p>
 </td>
 </tr>
 
@@ -168,9 +177,9 @@ Use alternative range of IP address for service VIPs.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use alternative domain for services, e.g. "myorg.internal".
+<p>Use alternative domain for services, e.g. "myorg.internal".</p>
 -->
-为服务使用其他域名，例如 "myorg.internal"。
+<p>为服务使用其他域名，例如 "myorg.internal"。</p>
 </td>
 </tr>
 
@@ -196,9 +205,9 @@ Use alternative domain for services, e.g. "myorg.internal".
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_ca.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_ca.md
similarity index 56%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_ca.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_ca.md
index 3b24c3d0b43cf..71a091342a4db 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_ca.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_ca.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components 
+-->
+生成自签名的 Kubernetes CA 以便为其他 Kubernetes 组件提供身份标识
 
 <!--
 ### Synopsis
@@ -6,21 +21,18 @@
 ### 概要
 
 <!--
-Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components, and save them into ca.cert and ca.key files.
+Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components, and save them into ca.crt and ca.key files.
 -->
-
-生成自签名的 Kubernetes CA 以提供其他 Kubernetes 组件的身份，并将其保存到 ca.cert 和 ca.key 文件中。
+生成自签名的 Kubernetes CA 以便为其他 Kubernetes 组件提供身份标识，并将其保存到 ca.crt 和 ca.key 文件中。
 
 <!--
 If both files already exist, kubeadm skips the generation step and existing files will be used.
 -->
-
 如果两个文件都已存在，则 kubeadm 将跳过生成步骤，使用现有文件。
 
 <!--
 Alpha Disclaimer: this command is currently alpha.
 -->
-
 Alpha 免责声明：此命令当前为 Alpha 功能。
 
 ```
@@ -51,9 +63,9 @@ kubeadm init phase certs ca [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-证书的存储路径。
+<p>证书的存储路径。</p>
 </td>
 </tr>
 
@@ -63,9 +75,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -75,9 +87,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for ca
+<p>help for ca</p>
 -->
-ca 操作的帮助命令
+<p>ca 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -92,9 +104,9 @@ ca 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -120,9 +132,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </td>
 </tr>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
similarity index 74%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
index b5d159496cd11..319e415cb09ff 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-ca.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Generate the self-signed CA to provision identities for etcd
+-->
+生成用于为 etcd 设置身份的自签名 CA
 
 <!--
 ### Synopsis
@@ -6,10 +21,10 @@
 ### 概要
 
 <!--
-Generate the self-signed CA to provision identities for etcd, and save them into etcd/ca.cert and etcd/ca.key files.
+Generate the self-signed CA to provision identities for etcd, and save them into etcd/ca.crt and etcd/ca.key files.
 -->
 
-生成用于为 etcd 设置身份的自签名 CA，并将其保存到 etcd/ca.cert 和 etcd/ca.key 文件中。
+生成用于为 etcd 设置身份的自签名 CA，并将其保存到 etcd/ca.crt 和 etcd/ca.key 文件中。
 
 <!--
 If both files already exist, kubeadm skips the generation step and existing files will be used.
@@ -53,7 +68,9 @@ kubeadm init phase certs etcd-ca [flags]
 <!--
 The path where to save and store the certificates.
 -->
+<p>
 证书的存储路径。
+</p>
 </td>
 </tr>
 
@@ -65,7 +82,9 @@ The path where to save and store the certificates.
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -77,7 +96,9 @@ kubeadm 配置文件的路径。
 <!--
 help for etcd-ca
 -->
+<p>
 etcd-ca 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -94,7 +115,9 @@ etcd-ca 操作的帮助命令
 <!--
 Choose a specific Kubernetes version for the control plane.
 -->
+<p>
 为控制平面选择特定的 Kubernetes 版本。
+</p>
 </td>
 </tr>
 
@@ -122,10 +145,11 @@ Choose a specific Kubernetes version for the control plane.
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-healthcheck-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-healthcheck-client.md
similarity index 58%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-healthcheck-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-healthcheck-client.md
index 706d70614efa7..804dc02f75240 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-healthcheck-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-healthcheck-client.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!-- 
+Generate the certificate for liveness probes to healthcheck etcd 
+-->
+生成用于 etcd 健康检查的活跃性探针的证书
 
 <!--
 ### Synopsis
@@ -6,21 +22,18 @@
 ### 概要
 
 <!--
-Generate the certificate for liveness probes to healthcheck etcd, and save them into etcd/healthcheck-client.cert and etcd/healthcheck-client.key files.
+Generate the certificate for liveness probes to healthcheck etcd, and save them into etcd/healthcheck-client.crt and etcd/healthcheck-client.key files
 -->
-
-生成用于 etcd 健康检查的活跃性探针的证书，并将其保存到 healthcheck-client.cert 和 etcd/healthcheck-client.key 文件中。
+生成用于 etcd 健康检查的活跃性探针的证书，并将其保存到 etcd/healthcheck-client.crt 和 etcd/healthcheck-client.key 文件中。
 
 <!--
 If both files already exist, kubeadm skips the generation step and existing files will be used.
 -->
-
 如果两个文件都已存在，则 kubeadm 将跳过生成步骤，使用现有文件。
 
 <!--
 Alpha Disclaimer: this command is currently alpha.
 -->
-
 Alpha 免责声明：此命令当前为 alpha 功能。
 
 ```
@@ -51,9 +64,9 @@ kubeadm init phase certs etcd-healthcheck-client [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-证书存储的路径。
+<p>证书存储的路径。</p>
 </td>
 </tr>
 
@@ -63,9 +76,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -75,9 +88,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for etcd-healthcheck-client
+<p>help for etcd-healthcheck-client</p>
 -->
-etcd-healthcheck-client 操作的帮助命令
+<p>etcd-healthcheck-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -92,9 +105,9 @@ etcd-healthcheck-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -120,9 +133,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-peer.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-peer.md
similarity index 60%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-peer.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-peer.md
index 9933975b92d21..4a4ec4fd19bfe 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-peer.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-peer.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the certificate for etcd nodes to communicate with each other 
+-->
+生成 etcd 节点相互通信的证书
 
 <!-- 
 ### Synopsis
@@ -6,10 +21,10 @@
 ### 概要
 
 <!--
-Generate the certificate for etcd nodes to communicate with each other, and save them into etcd/peer.cert and etcd/peer.key files.
+Generate the certificate for etcd nodes to communicate with each other, and save them into etcd/peer.crt and etcd/peer.key files.
 -->
 
-生成 etcd 节点相互通信的证书，并将其保存到 etcd/peer.cert 和 etcd/peer.key 文件中。
+生成 etcd 节点相互通信的证书，并将其保存到 etcd/peer.crt 和 etcd/peer.key 文件中。
 
 <!--
 Default SANs are localhost, 127.0.0.1, 127.0.0.1, ::1
@@ -56,8 +71,10 @@ kubeadm init phase certs etcd-peer [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The path where to save and store the certificates.  -->
-保存和存储证书的路径。
+<!-- 
+<p>The path where to save and store the certificates.</p>  
+-->
+<p>保存和存储证书的路径。</p>
 </td>
 </tr>
 
@@ -66,8 +83,10 @@ kubeadm init phase certs etcd-peer [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Path to kubeadm configuration file.  -->
-kubeadm 配置文件的路径。
+<!-- 
+<p>Path to kubeadm configuration file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -76,8 +95,10 @@ kubeadm 配置文件的路径。
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for etcd-peer -->
-etcd-peer 操作的帮助命令
+<!-- 
+<p>help for etcd-peer</p> 
+-->
+<p>etcd-peer 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -91,8 +112,10 @@ etcd-peer 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Choose a specific Kubernetes version for the control plane.  -->
-为控制平面指定特定的 Kubernetes 版本。
+<!-- 
+<p>Choose a specific Kubernetes version for the control plane.</p>  
+-->
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -118,9 +141,9 @@ etcd-peer 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-server.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-server.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-server.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_etcd-server.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-ca.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-ca.md
similarity index 63%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-ca.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-ca.md
index 3baed70fba7ae..94b30d7ca210d 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-ca.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-ca.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the self-signed CA to provision identities for front proxy 
+-->
+生成自签名 CA 来提供前端代理的身份
 
 <!--
 ### Synopsis
@@ -51,9 +66,9 @@ kubeadm init phase certs front-proxy-ca [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -63,9 +78,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -75,9 +90,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for front-proxy-ca
+<p>help for front-proxy-ca</p>
 -->
-front-proxy-ca 操作的帮助命令
+<p>front-proxy-ca 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -92,9 +107,9 @@ front-proxy-ca 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -120,9 +135,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-client.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-client.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-client.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-client.md
index fb39d4a6cfa48..e2dba21e7ef67 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-client.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_front-proxy-client.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the certificate for the front proxy client 
+-->
+为前端代理客户端生成证书
 
 <!--
 ### Synopsis
@@ -6,12 +21,12 @@
 ### 概要
 
 <!--
-Generate the certificate for the front proxy client, and save them into front-proxy-client.cert and front-proxy-client.key files.
+Generate the certificate for the front proxy client, and save them into front-proxy-client.crt and front-proxy-client.key files.
 If both files already exist, kubeadm skips the generation step and existing files will be used.
 Alpha Disclaimer: this command is currently alpha.
 -->
 
-为前端代理客户端生成证书，并将其保存到 front-proxy-client.cert 和 front-proxy-client.key 文件中。
+为前端代理客户端生成证书，并将其保存到 front-proxy-client.crt 和 front-proxy-client.key 文件中。
 如果两个文件都已存在，kubeadm 将跳过生成步骤并将使用现有文件。
 Alpha 免责声明：此命令目前是 alpha 阶段。
 
@@ -42,9 +57,9 @@ kubeadm init phase certs front-proxy-client [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -54,9 +69,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -66,9 +81,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for front-proxy-client
+<p>help for front-proxy-client</p>
 -->
-front-proxy-client 操作的帮助命令
+<p>front-proxy-client 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -83,9 +98,9 @@ front-proxy-client 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -111,9 +126,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
similarity index 62%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
index 4b5cde8362e2d..42ca96025df3e 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_certs_sa.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Generate a private key for signing service account tokens along with its public key
+-->
+生成用来签署服务账号令牌的私钥及其公钥
 
 <!--
 ### Synopsis
@@ -8,20 +24,21 @@
 <!--
 Generate the private key for signing service account tokens along with its public key, and save them into sa.key and sa.pub files. If both files already exist, kubeadm skips the generation step and existing files will be used.
 -->
-
-生成用于签名 service account 令牌的私钥及其公钥，并将其保存到 sa.key 和 sa.pub 文件中。如果两个文件都已存在，则 kubeadm 会跳过生成步骤，而将使用现有文件。
+生成用来签署服务账号令牌的私钥及其公钥，并将其保存到 sa.key 和 sa.pub 文件中。
+如果两个文件都已存在，则 kubeadm 会跳过生成步骤，而将使用现有文件。
 
 <!--
 Alpha Disclaimer: this command is currently alpha.
 -->
-
 Alpha 免责声明：此命令当前为 alpha 阶段。
 
 ```
 kubeadm init phase certs sa [flags]
 ```
 
-<!-- ### Options -->
+<!--
+### Options
+-->
 
 ### 选项
 
@@ -45,7 +62,9 @@ kubeadm init phase certs sa [flags]
 <!--
 The path where to save and store the certificates.
 -->
+<p>
 保存和存储证书的路径。
+</p>
 </td>
 </tr>
 
@@ -57,7 +76,9 @@ The path where to save and store the certificates.
 <!--
 help for sa
 -->
+<p>
 sa 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -67,7 +88,6 @@ sa 操作的帮助命令
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 继承于父命令的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -85,10 +105,11 @@ sa 操作的帮助命令
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane.md
similarity index 50%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane.md
index 61320596e68e5..683327985a7d0 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate all static Pod manifest files necessary to establish the control plane 
+-->
+生成建立控制平面所需的静态 Pod 清单文件
 
 <!-- 
 ### Synopsis
@@ -33,8 +48,10 @@ kubeadm init phase control-plane [flags]
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for control-plane -->
-control-plane 操作的帮助命令
+<!-- 
+<p>help for control-plane</p> 
+-->
+<p>control-plane 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -59,8 +76,10 @@ control-plane 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </td>
 </tr>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_all.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_apiserver.md
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_controller-manager.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_controller-manager.md
new file mode 100644
index 0000000000000..ed54d6d8e59f7
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_controller-manager.md
@@ -0,0 +1,197 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generates the kube-controller-manager static Pod manifest 
+-->
+生成 kube-controller-manager 静态 Pod 清单
+
+<!--
+### Synopsis
+-->
+### 概要
+
+<!--
+Generates the kube-controller-manager static Pod manifest
+-->
+生成 kube-controller-manager 静态 Pod 清单
+
+```
+kubeadm init phase control-plane controller-manager [flags]
+```
+
+<!--
+### Options
+-->
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<!-- td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/pki"</td -->
+<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/pki"</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>The path where to save and store the certificates.</p>
+-->
+<p>存储证书的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to a kubeadm configuration file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--controller-manager-extra-args &lt;comma-separated 'key=value' pairs&gt;</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>A set of extra flags to pass to the Controller Manager or override default ones in form of &lt;flagname&gt;=&lt;value&gt;</p>
+-->
+<p>一组 &lt;flagname&gt;=&lt; 形式的额外参数，传递给控制器管理器（Controller Manager）
+或者覆盖其默认配置值</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--dry-run</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!-- 
+Don't apply any changes; just output what would be done. 
+-->
+不应用任何变更，仅输出将要执行的操作
+</p></td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for controller-manager</p>
+-->
+<p>controller-manager 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!--
+--image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "k8s.gcr.io"
+-->
+--image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："k8s.gcr.io"
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Choose a container registry to pull control plane images from</p>
+-->
+<p>选择要从中拉取控制平面镜像的容器仓库</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!--
+--kubernetes-version string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "stable-1"
+-->
+--kubernetes-version string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："stable-1"
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Choose a specific Kubernetes version for the control plane.</p>
+-->
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.</p>
+-->
+<p>包含名为 "target[suffix][+patchtype].extension" 的文件的目录。
+例如，"kube-apiserver0+merge.yaml" 或者 "etcd.json"。
+"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，分别与 kubectl
+所支持的 patch 格式相匹配。默认的 "patchtype" 是 "strategic"。
+"extension" 必须是 "json" 或 "yaml"。
+"suffix" 是一个可选的字符串，用来确定按字母顺序排序时首先应用哪些 patch。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--pod-network-cidr string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.</p>
+-->
+<p>指定 Pod 网络的 IP 地址范围。如果设置，控制平面将自动为每个节点分配 CIDR。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_scheduler.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_scheduler.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_scheduler.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_scheduler.md
index ce801ff39902d..3b10963776ff5 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_scheduler.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_scheduler.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generates the kube-scheduler static Pod manifest
+-->
+生成 kube-scheduler 静态 Pod 清单
 
 <!-- 
 ### Synopsis
@@ -36,9 +51,9 @@ kubeadm init phase control-plane scheduler [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-存储证书的路径。
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -48,25 +63,21 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--experimental-patches string</td>
+<td colspan="2">--dry-run</td>
 </tr>
-
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.-->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录。
-例如，"kube-apiserver0+merge.yaml" 或者 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，分别与 kubectl
-所支持的 patch 格式相匹配。默认的 "patchtype" 是 "strategic"。
-"extension" 必须是 "json" 或 "yaml"。
-"suffix" 是一个可选的字符串，用来确定按字母顺序排序时首先应用哪些 patch。
+<!--
+<p>Don't apply any changes; just output what would be done.</p>
+-->
+<p>不应用任何变更；仅仅输出将会变更的内容</p>
 </td>
 </tr>
 
@@ -76,9 +87,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for scheduler
+<p>help for scheduler</p>
 -->
-scheduler 操作的帮助命令
+<p>scheduler 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -93,9 +104,9 @@ scheduler 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a container registry to pull control plane images from
+<p>Choose a container registry to pull control plane images from</p>
 -->
-选择要从中拉取控制平面镜像的容器仓库
+<p>选择要从中拉取控制平面镜像的容器仓库</p>
 </td>
 </tr>
 
@@ -110,22 +121,42 @@ Choose a container registry to pull control plane images from
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--scheduler-extra-args mapStringString</td>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.-->
+包含名为 "target[suffix][+patchtype].extension" 的文件的目录。
+例如，"kube-apiserver0+merge.yaml" 或者 "etcd.json"。
+"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，分别与 kubectl
+所支持的 patch 格式相匹配。默认的 "patchtype" 是 "strategic"。
+"extension" 必须是 "json" 或 "yaml"。
+"suffix" 是一个可选的字符串，用来确定按字母顺序排序时首先应用哪些 patch。
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!-- 
+--scheduler-extra-args &lt;comma-separated 'key=value' pairs&gt; 
+-->
+--scheduler-extra-args &lt;逗号分隔的 'key=value' 键值对&gt;
+</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of extra flags to pass to the Scheduler or override default ones in form of &lt;flagname&gt;=&lt;value&gt;
+<p>A set of extra flags to pass to the Scheduler or override default ones in form of &lt;flagname&gt;=&lt;value&gt;</p>
 -->
-一组 &lt;flagname&gt;=&lt;value&gt; 形式的额外参数，用来传递给调度器
-或者覆盖其默认参数配置
+<p>一组 &lt;flagname&gt;=&lt;value&gt; 形式的额外参数，用来传递给调度器
+或者覆盖其默认参数配置</p>
 </td>
 </tr>
 
@@ -150,9 +181,9 @@ A set of extra flags to pass to the Scheduler or override default ones in form o
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd_local.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd_local.md
similarity index 57%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd_local.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd_local.md
index 0a09b80c865d6..e046168998171 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd_local.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_etcd_local.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the static Pod manifest file for a local, single-node local etcd instance 
+-->
+为本地单节点 etcd 实例生成静态 Pod 清单文件
 
 <!--
 ### Synopsis
@@ -59,8 +74,10 @@ kubeadm init phase etcd local --config config.yaml
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- The path where to save and store the certificates.  -->
-存储证书的路径。
+<!-- 
+<p>The path where to save and store the certificates.</p>  
+-->
+<p>存储证书的路径。</p>
 </td>
 </tr>
 
@@ -69,24 +86,10 @@ kubeadm init phase etcd local --config config.yaml
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Path to a kubeadm configuration file.  -->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--experimental-patches string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
+<!-- 
+<p>Path to a kubeadm configuration file.</p>  
 -->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -95,8 +98,10 @@ Path to a directory that contains files named "target[suffix][+patchtype].extens
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for local -->
-local 操作的帮助命令
+<!-- 
+<p>help for local</p> 
+-->
+<p>local 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -110,8 +115,26 @@ local 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Choose a container registry to pull control plane images from -->
-选择要从中拉取控制平面镜像的容器仓库
+<!-- 
+<p>Choose a container registry to pull control plane images from</p> 
+-->
+<p>选择要从中拉取控制平面镜像的容器仓库</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--  
+<p>Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.</p>
+-->
+<p>包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
+例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
+"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
+默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
+"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。</p>
 </td>
 </tr>
 
@@ -136,8 +159,10 @@ local 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig.md
similarity index 50%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig.md
index 0a5eaf2f99169..753f6fd0bd13a 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file 
+-->
+生成所有建立控制平面和管理员（admin）所需的 kubeconfig 文件
 
 <!-- 
 ### Synopsis
@@ -34,9 +49,9 @@ kubeadm init phase kubeconfig [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for kubeconfig
+<p>help for kubeconfig</p>
 -->
-kubeconfig 操作的帮助命令
+<p>kubeconfig 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -62,9 +77,9 @@ kubeconfig 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_admin.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_admin.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_admin.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_admin.md
index 2384f2f9c0926..2521e85e9fd6b 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_admin.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_admin.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate a kubeconfig file for the admin to use and for kubeadm itself 
+-->
+为管理员（admin）和 kubeadm 本身生成 kubeconfig 文件
 
 <!-- 
 ### Synopsis
@@ -34,9 +49,9 @@ kubeadm init phase kubeconfig admin [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。</p>
 </td>
 </tr>
 
@@ -51,9 +66,9 @@ API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Port for the API Server to bind to.
+<p>Port for the API Server to bind to.</p>
 -->
-要绑定到 API 服务器的端口。
+<p>要绑定到 API 服务器的端口。</p>
 </td>
 </tr>
 
@@ -68,9 +83,9 @@ Port for the API Server to bind to.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-保存和存储证书的路径。
+<p>保存和存储证书的路径。</p>
 </td>
 </tr>
 
@@ -80,9 +95,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm configuration file.
+<p>Path to kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -92,9 +107,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>
 
@@ -104,9 +119,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for admin
+<p>help for admin</p>
 -->
-admin 操作的帮助命令
+<p>admin 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -121,9 +136,9 @@ admin 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the kubeconfig file.
+<p>The path where to save the kubeconfig file.</p>
 -->
-kubeconfig 文件的保存路径。
+<p>kubeconfig 文件的保存路径。</p>
 </td>
 </tr>
 
@@ -138,9 +153,9 @@ kubeconfig 文件的保存路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面指定特定的 Kubernetes 版本。
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -166,9 +181,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
similarity index 83%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
index b1d34aca1e430..72ef16dbd97d6 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_all.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Generate all kubeconfig files
+-->
+生成所有 kubeconfig 文件
 
 <!-- 
 ### Synopsis
@@ -8,7 +23,6 @@
 <!--
 Generate all kubeconfig files
 -->
-
 生成所有 kubeconfig 文件
 
 ```
@@ -36,7 +50,9 @@ kubeadm init phase kubeconfig all [flags]
 <!--
 The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
 -->
+<p>
 API 服务器所公布的其正在监听的 IP 地址。如果没有设置，将使用默认的网络接口。
+</p>
 </td>
 </tr>
 
@@ -53,7 +69,9 @@ API 服务器所公布的其正在监听的 IP 地址。如果没有设置，将
 <!--
 Port for the API Server to bind to.
 -->
+<p>
 要绑定到 API 服务器的端口。
+</p>
 </td>
 </tr>
 
@@ -70,7 +88,9 @@ Port for the API Server to bind to.
 <!--
 The path where to save and store the certificates.
 -->
+<p>
 保存和存储证书的路径。
+</p>
 </td>
 </tr>
 
@@ -82,7 +102,9 @@ The path where to save and store the certificates.
 <!--
 Path to kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -94,7 +116,9 @@ kubeadm 配置文件的路径。
 <!--
 Specify a stable IP address or DNS name for the control plane.
 -->
+<p>
 为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+</p>
 </td>
 </tr>
 
@@ -106,7 +130,9 @@ Specify a stable IP address or DNS name for the control plane.
 <!--
 help for all
 -->
+<p>
 all 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -123,7 +149,9 @@ all 操作的帮助命令
 <!--
 The path where to save the kubeconfig file.
 -->
+<p>
 kubeconfig 文件的保存路径。
+</p>
 </td>
 </tr>
 
@@ -140,7 +168,9 @@ kubeconfig 文件的保存路径。
 <!--
 Choose a specific Kubernetes version for the control plane.
 -->
+<p>
 为控制平面指定特定的 Kubernetes 版本。
+</p>
 </td>
 </tr>
 
@@ -152,7 +182,9 @@ Choose a specific Kubernetes version for the control plane.
 <!--
 Specify the node name.
 -->
+<p>
 指定节点名称。
+</p>
 </td>
 </tr>
 
@@ -162,7 +194,6 @@ Specify the node name.
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 继承于父命令的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -180,10 +211,11 @@ Specify the node name.
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_controller-manager.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_controller-manager.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_controller-manager.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_controller-manager.md
index 0ba7a636c3513..a5c2db1235bc1 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_controller-manager.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_controller-manager.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate a kubeconfig file for the controller manager to use 
+-->
+生成控制器管理器要使用的 kubeconfig 文件
 
 <!--
 ### Synopsis
@@ -34,9 +49,9 @@ kubeadm init phase kubeconfig controller-manager [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。</p>
 </td>
 </tr>
 
@@ -51,9 +66,9 @@ API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Port for the API Server to bind to.
+<p>Port for the API Server to bind to.</p>
 -->
-要绑定到 API 服务器的端口。
+<p>要绑定到 API 服务器的端口。</p>
 </td>
 </tr>
 
@@ -68,9 +83,9 @@ Port for the API Server to bind to.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-保存和存储证书的路径。
+<p>保存和存储证书的路径。</p>
 </td>
 </tr>
 
@@ -80,9 +95,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm configuration file.
+<p>Path to kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 <tr>
@@ -92,9 +107,9 @@ kubeadm 配置文件的路径。
 </tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>    
 
@@ -104,9 +119,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"> 
 <!--
-help for controller-manager
+<p>help for controller-manager</p>
 -->
-controller-manager 操作的帮助命令
+<p>controller-manager 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -121,9 +136,9 @@ controller-manager 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the kubeconfig file.
+<p>The path where to save the kubeconfig file.</p>
 -->
-kubeconfig 文件的保存路径。
+<p>kubeconfig 文件的保存路径。</p>
 </td>
 </tr>
 
@@ -138,9 +153,9 @@ kubeconfig 文件的保存路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面指定特定的 Kubernetes 版本。
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 </tbody>
@@ -165,9 +180,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_kubelet.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_kubelet.md
similarity index 61%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_kubelet.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_kubelet.md
index b95587803d83d..ae4dc9bddb471 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_kubelet.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_kubelet.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
+-->
+为 kubelet 生成一个 kubeconfig 文件，*仅仅*用于集群引导目的
 
 <!--
 ### Synopsis
@@ -39,9 +54,9 @@ kubeadm init phase kubeconfig kubelet [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。</p>
 </td>
 </tr>
 
@@ -56,9 +71,9 @@ API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Port for the API Server to bind to.
+<p>Port for the API Server to bind to.</p>
 -->
-要绑定到 API 服务器的端口。
+<p>要绑定到 API 服务器的端口。</p>
 </td>
 </tr>
 
@@ -73,9 +88,9 @@ Port for the API Server to bind to.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-保存和存储证书的路径。
+<p>保存和存储证书的路径。</p>
 </td>
 </tr>
 
@@ -85,9 +100,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm configuration file.
+<p>Path to kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -97,9 +112,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>
 
@@ -109,9 +124,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for kubelet
+<p>help for kubelet</p>
 -->
-kubelet 操作的帮助命令
+<p>kubelet 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -126,9 +141,9 @@ kubelet 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the kubeconfig file.
+<p>The path where to save the kubeconfig file.</p>
 -->
-kubeconfig 文件的保存路径。
+<p>kubeconfig 文件的保存路径。</p>
 </td>
 </tr>
 
@@ -143,9 +158,9 @@ kubeconfig 文件的保存路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面选择特定的 Kubernetes 版本。
+<p>为控制平面选择特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -155,9 +170,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify the node name.
+<p>Specify the node name.</p>
 -->
-指定节点的名称。
+<p>指定节点的名称。</p>
 </td>
 </tr>
 
@@ -183,9 +198,9 @@ Specify the node name.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_scheduler.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_scheduler.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_scheduler.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_scheduler.md
index 452247b6de39c..38d951e51a348 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_scheduler.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubeconfig_scheduler.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate a kubeconfig file for the scheduler to use 
+-->
+生成调度器使用的 kubeconfig 文件
 
 <!--
 ### Synopsis
@@ -34,9 +49,9 @@ kubeadm init phase kubeconfig scheduler [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。
+<p>API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认的网络接口。</p>
 </td>
 </tr>
 
@@ -51,9 +66,9 @@ API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Port for the API Server to bind to.
+<p>Port for the API Server to bind to.</p>
 -->
-要绑定到 API 服务器的端口。
+<p>要绑定到 API 服务器的端口。</p>
 </td>
 </tr>
 
@@ -68,9 +83,9 @@ Port for the API Server to bind to.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save and store the certificates.
+<p>The path where to save and store the certificates.</p>
 -->
-保存和存储证书的路径。
+<p>保存和存储证书的路径。</p>
 </td>
 </tr>
 
@@ -80,9 +95,9 @@ The path where to save and store the certificates.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm configuration file.
+<p>Path to kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -92,9 +107,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify a stable IP address or DNS name for the control plane.
+<p>Specify a stable IP address or DNS name for the control plane.</p>
 -->
-为控制平面指定一个稳定的 IP 地址或 DNS 名称。
+<p>为控制平面指定一个稳定的 IP 地址或 DNS 名称。</p>
 </td>
 </tr>
 
@@ -104,9 +119,9 @@ Specify a stable IP address or DNS name for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for scheduler
+<p>help for scheduler</p>
 -->
-scheduler 操作的帮助命令
+<p>scheduler 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -121,9 +136,9 @@ scheduler 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The path where to save the kubeconfig file.
+<p>The path where to save the kubeconfig file.</p>
 -->
-kubeconfig 文件的保存路径。
+<p>kubeconfig 文件的保存路径。</p>
 </td>
 </tr>
 
@@ -138,9 +153,9 @@ kubeconfig 文件的保存路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Choose a specific Kubernetes version for the control plane.
+<p>Choose a specific Kubernetes version for the control plane.</p>
 -->
-为控制平面指定特定的 Kubernetes 版本。
+<p>为控制平面指定特定的 Kubernetes 版本。</p>
 </td>
 </tr>
 
@@ -166,9 +181,9 @@ Choose a specific Kubernetes version for the control plane.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize.md
similarity index 50%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize.md
index 644a8c604eea4..3b13b77dd52f6 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Updates settings relevant to the kubelet after TLS bootstrap 
+-->
+TLS 引导后更新与 kubelet 相关的设置
 
 <!-- ### Synopsis -->
 ### 概要
@@ -37,8 +52,8 @@ kubeadm init phase kubelet-finalize [flags]
 <td colspan="2">-h, --help</td>
 </tr>
 <tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">help for kubelet-finalize</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">kubelet-finalize 操作的帮助命令</td>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>help for kubelet-finalize</p></td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>kubelet-finalize 操作的帮助命令</p></td>
 </tr>
 
 </tbody>
@@ -60,8 +75,8 @@ kubeadm init phase kubelet-finalize [flags]
 <td colspan="2">--rootfs string</td>
 </tr>
 <tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p></td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[实验] 到'真实'主机根文件系统的路径。</p></td>
 </tr>
 
 </tbody>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
similarity index 56%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
index d99d6036a1325..71bc1e0d896f6 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_all.md
@@ -1,10 +1,27 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Run all kubelet-finalize phases
+-->
+运行 kubelet-finalize 的所有阶段
 
 <!-- ### Synopsis -->
 ### 概要
 
 
-<!-- Run all kubelet-finalize phases -->
-运行所有 kubelet-finalize 阶段
+<!--
+Run all kubelet-finalize phases
+-->
+运行 kubelet-finalize 的所有阶段
 
 ```
 kubeadm init phase kubelet-finalize all [flags]
@@ -40,7 +57,7 @@ kubeadm init phase kubelet-finalize all [flags]
 </tr>
 <tr>
 <!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">The path where to save and store the certificates.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">保存和存储证书的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>保存和存储证书的路径。</p></td>
 </tr>
 
 <tr>
@@ -48,7 +65,7 @@ kubeadm init phase kubelet-finalize all [flags]
 </tr>
 <tr>
 <!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">Path to a kubeadm configuration file.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">kubeadm 配置文件的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>kubeadm 配置文件的路径。</p></td>
 </tr>
 
 <tr>
@@ -56,7 +73,7 @@ kubeadm init phase kubelet-finalize all [flags]
 </tr>
 <tr>
 <!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">help for all</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">all 操作的帮助命令</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>all 操作的帮助命令</p></td>
 </tr>
 
 </tbody>
@@ -79,11 +96,8 @@ kubeadm init phase kubelet-finalize all [flags]
 </tr>
 <tr>
 <!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[实验] 到'真实'主机根文件系统的路径。</p></td>
 </tr>
 
 </tbody>
 </table>
-
-
-
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md
new file mode 100644
index 0000000000000..ef3c0ae99af1d
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md
@@ -0,0 +1,88 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Enable kubelet client certificate rotation 
+-->
+启用 kubelet 客户端证书轮换
+
+<!-- ### Synopsis -->
+### 概要
+
+<!-- Enable kubelet client certificate rotation -->
+启用 kubelet 客户端证书轮换
+
+```
+kubeadm init phase kubelet-finalize experimental-cert-rotation [flags]
+```
+
+<!-- ### Options -->
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/pki"</td>
+</tr>
+<tr>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The path where to save and store the certificates.</p></td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>保存和存储证书的路径。</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Path to a kubeadm configuration file.</p></td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>kubeadm 配置文件的路径。</p></td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>help for experimental-cert-rotation</p></td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>experimental-cert-rotation 操作的帮助命令</p></td>
+</tr>
+
+</tbody>
+</table>
+
+
+
+<!-- ### Options inherited from parent commands -->
+### 继承于父命令的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p></td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[实验] 到'真实'主机根文件系统的路径。</p></td>
+</tr>
+
+</tbody>
+</table>
+
+
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
similarity index 77%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
index 2e1e2a8daed85..2067c9711e422 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-start.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Write kubelet settings and (re)start the kubelet
+-->
+编写 kubelet 配置并（重新）启动 kubelet
 
 <!-- 
 ### Synopsis
@@ -51,7 +67,9 @@ kubeadm init phase kubelet-start --config config.yaml
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -63,7 +81,9 @@ kubeadm 配置文件的路径。
 <!--
 Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
 -->
+<p>
 连接到 CRI 套接字的路径。如果为空，则 kubeadm 将尝试自动检测该值；仅当安装了多个 CRI 或具有非标准 CRI 套接字时，才使用此选项。
+</p>
 </td>
 </tr>
 
@@ -75,7 +95,9 @@ Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this
 <!--
 help for kubelet-start
 -->
+<p>
 kubelet-start 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -87,7 +109,9 @@ kubelet-start 操作的帮助命令
 <!--
 Specify the node name.
 -->
+<p>
 指定节点名称。
+</p>
 </td>
 </tr>
 
@@ -115,10 +139,11 @@ Specify the node name.
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_mark-control-plane.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_mark-control-plane.md
similarity index 60%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_mark-control-plane.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_mark-control-plane.md
index 25cd3de7f7995..0ddec0c498d2c 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_mark-control-plane.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_mark-control-plane.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Mark a node as a control-plane 
+-->
+标记节点为控制平面节点
 
 <!--
 ### Synopsis
@@ -26,7 +41,7 @@ kubeadm init phase mark-control-plane [flags]
 
 ```
 # 将控制平面标签和污点应用于当前节点，其功能等效于 kubeadm init执行的操作。
-kubeadm init phase mark-control-plane --config config.yml
+kubeadm init phase mark-control-plane --config config.yaml
 
 # 将控制平面标签和污点应用于特定节点
 kubeadm init phase mark-control-plane --node-name myNode
@@ -51,9 +66,9 @@ kubeadm init phase mark-control-plane --node-name myNode
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to a kubeadm configuration file.
+<p>Path to a kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -63,9 +78,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for mark-control-plane
+<p>help for mark-control-plane</p>
 -->
-mark-control-plane 操作的帮助命令
+<p>mark-control-plane 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -75,9 +90,9 @@ mark-control-plane 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify the node name.
+<p>Specify the node name.</p>
 -->
-指定节点名称。
+<p>指定节点名称。</p>
 </td>
 </tr>
 
@@ -103,9 +118,9 @@ Specify the node name.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
similarity index 70%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
index 55d36d7c8598c..d7c3d4225dd68 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_preflight.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Run pre-flight checks
+-->
+运行启动检查
 
 <!-- 
 ### Synopsis
@@ -27,7 +42,7 @@ kubeadm init phase preflight [flags]
 
 ```
 # 使用配置文件对 kubeadm init 进行启动检查。
-kubeadm init phase preflight --config kubeadm-config.yml
+kubeadm init phase preflight --config kubeadm-config.yaml
 ```
 
 <!-- 
@@ -51,7 +66,9 @@ kubeadm init phase preflight --config kubeadm-config.yml
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -63,19 +80,23 @@ kubeadm 配置文件的路径。
 <!--
 help for preflight
 -->
+<p>
 preflight 操作的帮助命令
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
+<td colspan="2">--ignore-preflight-errors strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
 -->
+<p>
 错误将显示为警告的检查列表：例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。
+</p>
 </td>
 </tr>
 
@@ -103,10 +124,11 @@ A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedU
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
similarity index 80%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
index bf8880294789a..fc7b1e50efc15 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Upload certificates to kubeadm-certs
+-->
+将证书上传到 kubeadm-certs
 
 <!-- 
 ### Synopsis
@@ -33,7 +48,9 @@ kubeadm init phase upload-certs [flags]
 <!--
 Key used to encrypt the control-plane certificates in the kubeadm-certs Secret.
 -->
+<p>
 用于加密 kubeadm-certs Secret 中的控制平面证书的密钥。
+</p>
 </td>
 </tr>
 
@@ -45,7 +62,9 @@ Key used to encrypt the control-plane certificates in the kubeadm-certs Secret.
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -57,7 +76,9 @@ kubeadm 配置文件的路径。
 <!--
 help for upload-certs
 -->
+<p>
 upload-certs 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -68,8 +89,10 @@ upload-certs 操作的帮助命令
 <tr>
 <!-- td></td><td style="line-height: 130%; word-wrap: break-word;">The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</td -->
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
+<p>
 用来与集群通信的 kubeconfig 文件。
 如果此标志未设置，则可以在一组标准的位置搜索现有的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -81,7 +104,9 @@ upload-certs 操作的帮助命令
 <!--
 Don't print the key used to encrypt the control-plane certificates.
 -->
+<p>
 不要打印输出用于加密控制平面证书的密钥。
+</p>
 </td>
 </tr>
 
@@ -93,7 +118,9 @@ Don't print the key used to encrypt the control-plane certificates.
 <!--
 Upload control-plane certificates to the kubeadm-certs Secret.
 -->
+<p>
 将控制平面证书上传到 kubeadm-certs Secret。
+</p>
 </td>
 </tr>
 
@@ -120,10 +147,11 @@ Upload control-plane certificates to the kubeadm-certs Secret.
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config.md
similarity index 51%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config.md
index dc424bd24e480..0447fc428cf87 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Upload the kubeadm and kubelet configuration to a ConfigMap
+-->
+上传 kubeadm 和 kubelet 配置到 ConfigMap 中
 
 <!--
 ### Synopsis
@@ -34,9 +49,9 @@ kubeadm init phase upload-config [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for upload-config
+<p>help for upload-config</p>
 -->
-upload-config 操作的帮助命令
+<p>upload-config 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -62,9 +77,9 @@ upload-config 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
similarity index 71%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
index e994273193b92..350255ca985b0 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_all.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Upload all configuration to a config map
+-->
+将所有配置上传到 ConfigMap
 
 <!-- 
 ### Synopsis
@@ -34,9 +50,13 @@ kubeadm init phase upload-config all [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
+<p>
 Path to a kubeadm configuration file.
+</p>
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </td>
 </tr>
@@ -47,9 +67,13 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
+<p>
 help for all
+</p>
 -->
+<p>
 all 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -58,15 +82,21 @@ all 操作的帮助命令
 <!--
 --kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
 -->
+<p>
 --kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"
+</p>
 </td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
+<p>
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+</p>
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -92,12 +122,15 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
+<p>
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
+</p>
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
similarity index 77%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
index e6155a1d9f442..14a4f268f9dc5 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubeadm.md
@@ -1,4 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
 
+<!--
+Upload the kubeadm ClusterConfiguration to a ConfigMap
+-->
+将 kubeadm ClusterConfiguration 上传到 ConfigMap
 <!-- 
 ### Synopsis
 -->
@@ -58,7 +73,9 @@ kubeadm init phase upload-config --config=myConfig.yaml
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -70,7 +87,9 @@ kubeadm 配置文件的路径。
 <!--
 help for kubeadm
 -->
+<p>
 kubeadm 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -87,7 +106,9 @@ kubeadm 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -115,10 +136,11 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-config_kubelet.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
similarity index 64%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
index e113203a1a8e1..e341577329e6f 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Run this on any machine you wish to join an existing cluster 
+-->
+在你希望加入现有集群的任何机器上运行它
 
 <!--
 ### Synopsis
@@ -98,7 +113,7 @@ control-plane-prepare  Prepare the machine for serving a control plane
 kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
 control-plane-join     Join a machine as a control plane instance
   /etcd                  Add a new local etcd member
-  /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
+  /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED)
   /mark-control-plane    Mark a node as a control-plane
 ```
 
@@ -123,9 +138,9 @@ kubeadm join [api-server-endpoint] [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+<p>If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
 -->
-如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
+<p>如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。</p>
 </td>
 </tr>
 
@@ -140,9 +155,9 @@ If the node should host a new control plane instance, the IP address the API Ser
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If the node should host a new control plane instance, the port for the API Server to bind to.
+<p>If the node should host a new control plane instance, the port for the API Server to bind to.</p>
 -->
-如果节点应该托管新的控制平面实例，则为 API 服务器要绑定的端口。
+<p>如果节点应该托管新的控制平面实例，则为 API 服务器要绑定的端口。</p>
 </td>
 </tr>
 
@@ -152,9 +167,9 @@ If the node should host a new control plane instance, the port for the API Serve
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use this key to decrypt the certificate secrets uploaded by init.
+<p>Use this key to decrypt the certificate secrets uploaded by init.</p>
 -->
-使用此密钥可以解密由 init 上传的证书 secret。
+<p>使用此密钥可以解密由 init 上传的证书 secret。</p>
 </td>
 </tr>
 
@@ -164,9 +179,9 @@ Use this key to decrypt the certificate secrets uploaded by init.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm config file.
+<p>Path to kubeadm config file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -176,9 +191,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Create a new control plane instance on this node
+<p>Create a new control plane instance on this node</p>
 -->
-在此节点上创建一个新的控制平面实例
+<p>在此节点上创建一个新的控制平面实例</p>
 </td>
 </tr>
 
@@ -188,9 +203,9 @@ Create a new control plane instance on this node
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
+<p>Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.</p>
 -->
-要连接的 CRI 套接字的路径。如果为空，则 kubeadm 将尝试自动检测此值；仅当安装了多个 CRI 或具有非标准 CRI 插槽时，才使用此选项。
+<p>要连接的 CRI 套接字的路径。如果为空，则 kubeadm 将尝试自动检测此值；仅当安装了多个 CRI 或具有非标准 CRI 插槽时，才使用此选项。</p>
 </td>
 </tr>
 
@@ -200,9 +215,9 @@ Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-For file-based discovery, a file or URL from which to load cluster information.
+<p>For file-based discovery, a file or URL from which to load cluster information.</p>
 -->
-对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
+<p>对于基于文件的发现，给出用于加载集群信息的文件或者 URL。</p>
 </td>
 </tr>
 
@@ -212,9 +227,9 @@ For file-based discovery, a file or URL from which to load cluster information.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-For token-based discovery, the token used to validate cluster information fetched from the API server.
+<p>For token-based discovery, the token used to validate cluster information fetched from the API server.</p>
 -->
-对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
+<p>对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。</p>
 </td>
 </tr>
 
@@ -224,9 +239,9 @@ For token-based discovery, the token used to validate cluster information fetche
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
+<p>For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").</p>
 -->
-对基于令牌的发现，验证根 CA 公钥是否与此哈希匹配 (格式: "&lt;type&gt;:&lt;value&gt;")。
+<p>对基于令牌的发现，验证根 CA 公钥是否与此哈希匹配 (格式: "&lt;type&gt;:&lt;value&gt;")。</p>
 </td>
 </tr>
 
@@ -236,26 +251,22 @@ For token-based discovery, validate that the root CA public key matches this has
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
+<p>For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.</p>
 -->
-对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
+<p>对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--experimental-patches string</td>
+<td colspan="2">--dry-run</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!-- 
+Don't apply any changes; just output what would be done. 
 -->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
-</td>
+不会应用任何改动，仅仅输出那些将变动的地方。
+</p></td>
 </tr>
 
 <tr>
@@ -264,21 +275,21 @@ Path to a directory that contains files named "target[suffix][+patchtype].extens
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for join
+<p>help for join</p>
 -->
-join 操作的帮助命令
+<p>join 操作的帮助命令</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
+<td colspan="2">--ignore-preflight-errors strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+<p>A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</p>
 -->
-错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。
+<p>错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。</p>
 </td>
 </tr>
 
@@ -288,21 +299,37 @@ A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedU
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify the node name.
+<p>Specify the node name.</p>
 -->
-指定节点的名称
+<p>指定节点的名称</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--  
+<p>Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.</p>
+-->
+<p>包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
+例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
+"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
+默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
+"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--skip-phases stringSlice</td>
+<td colspan="2">--skip-phases strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-List of phases to be skipped
+<p>List of phases to be skipped</p>
 -->
-要跳过的阶段列表
+<p>要跳过的阶段列表</p>
 </td>
 </tr>
 
@@ -312,9 +339,9 @@ List of phases to be skipped
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
+<p>Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.</p>
 -->
-指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
+<p>指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。</p>
 </td>
 </tr>
 
@@ -324,9 +351,9 @@ Specify the token used to temporarily authenticate with the Kubernetes Control P
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
+<p>Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.</p>
 -->
-如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
+<p>如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。</p>
 </td>
 </tr>
 
@@ -353,9 +380,9 @@ Use this token for both discovery-token and tls-bootstrap-token when those value
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md
new file mode 100644
index 0000000000000..1fea4a45f4b46
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md
@@ -0,0 +1,84 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Use this command to invoke single phase of the join workflow 
+-->
+使用此命令来调用 `join` 工作流程的某个阶段
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Use this command to invoke single phase of the join workflow
+-->
+
+使用此命令来调用 `join` 工作流程的某个阶段
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>help for phase</p> 
+-->
+<p>phase 操作的帮助命令</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令中继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
similarity index 65%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
index 51fe587053466..a2872f1b47964 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Join a machine as a control plane instance
+-->
+添加作为控制平面实例的机器
 
 <!--
 ### Synopsis
@@ -54,7 +69,9 @@ kubeadm join phase control-plane-join all
 <!--
 help for control-plane-join
 -->
+<p>
 control-plane-join 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -82,10 +99,11 @@ control-plane-join 操作的帮助命令
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
new file mode 100644
index 0000000000000..85334ea94c8c4
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
@@ -0,0 +1,162 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Join a machine as a control plane instance
+-->
+添加作为控制平面实例的机器
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Join a machine as a control plane instance
+-->
+添加作为控制平面实例的机器
+
+```
+kubeadm join phase control-plane-join all [flags]
+```
+
+<!--
+### Options
+-->
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--apiserver-advertise-address string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
+-->
+<p>
+如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Path to kubeadm config file.
+-->
+<p>
+kubeadm 配置文件的路径。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--control-plane</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Create a new control plane instance on this node
+-->
+<p>
+在此节点上创建一个新的控制平面实例
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+help for all
+-->
+<p>
+all 操作的帮助命令      
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--node-name string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Specify the node name.
+-->
+<p>
+指定节点名称。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!--
+Path to a directory that contains files named &quot;target[suffix][+patchtype].extension&quot;. For example, &quot;kube-apiserver0+merge.yaml&quot; or just &quot;etcd.json&quot;. &quot;target&quot; can be one of &quot;kube-apiserver&quot;, &quot;kube-controller-manager&quot;, &quot;kube-scheduler&quot;, &quot;etcd&quot;. &quot;patchtype&quot; can be one of &quot;strategic&quot;, &quot;merge&quot; or &quot;json&quot; and they match the patch formats supported by kubectl. The default &quot;patchtype&quot; is &quot;strategic&quot;. &quot;extension&quot; must be either &quot;json&quot; or &quot;yaml&quot;. &quot;suffix&quot; is an optional string that can be used to determine which patches are applied first alpha-numerically.
+-->
+包含名为 “target[suffix][+patchtype].extension” 的文件的目录的路径。
+例如，“kube-apiserver0+merge.yaml” 或只是 “etcd.json”。
+“target” 可以是 “kube-apiserver”、“kube-controller-manager”、“kube-scheduler”、“etcd” 之一。
+“patchtype” 可以是 “strategic”、“merge” 或 “json”，它们匹配 kubectl 支持的补丁格式。
+默认的 “patchtype” 是 “strategic”。“extension” 必须是 “json” 或 “yaml”。
+“suffix” 是一个可选字符串，可用于基于字母数字顺序确定首先应用哪些补丁。
+</p></td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+[EXPERIMENTAL] The path to the 'real' host root filesystem.
+-->
+<p>
+[实验] 到 '真实' 主机根文件系统的路径。
+</p>
+</td>
+</tr>
+
+</tbody>
+</table>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
similarity index 50%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
index 196f9f6840d9e..f35448397051c 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Add a new local etcd member
+-->
+添加一个新的本地 etcd 成员
 
 <!--
 ### Synopsis
@@ -36,7 +51,9 @@ kubeadm join phase control-plane-join etcd [flags]
 <!--
 If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
 -->
+<p>
 如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
+</p>
 </td>
 </tr>
 
@@ -48,7 +65,9 @@ If the node should host a new control plane instance, the IP address the API Ser
 <!--
 Path to kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -60,23 +79,9 @@ kubeadm 配置文件的路径。
 <!--
 Create a new control plane instance on this node
 -->
+<p>
 在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--experimental-patches string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
--->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是"strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
+</p>
 </td>
 </tr>
 
@@ -88,7 +93,9 @@ Path to a directory that contains files named "target[suffix][+patchtype].extens
 <!--
 help for etcd
 -->
+<p>
 etcd 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -100,9 +107,25 @@ etcd 操作的帮助命令
 <!--
 Specify the node name.
 -->
+<p>
 指定节点的名称
+</p>
 </td>
 </tr>
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!-- Path to a directory that contains files named &quot;target[suffix][+patchtype].extension&quot;. For example, &quot;kube-apiserver0+merge.yaml&quot; or just &quot;etcd.json&quot;. &quot;target&quot; can be one of &quot;kube-apiserver&quot;, &quot;kube-controller-manager&quot;, &quot;kube-scheduler&quot;, &quot;etcd&quot;. &quot;patchtype&quot; can be one of &quot;strategic&quot;, &quot;merge&quot; or &quot;json&quot; and they match the patch formats supported by kubectl. The default &quot;patchtype&quot; is &quot;strategic&quot;. &quot;extension&quot; must be either &quot;json&quot; or &quot;yaml&quot;. &quot;suffix&quot; is an optional string that can be used to determine which patches are applied first alpha-numerically. -->
+包含名为 “target[suffix][+patchtype].extension” 的文件的目录的路径。
+例如，“kube-apiserver0+merge.yaml” 或只是 “etcd.json”。
+“target” 可以是 “kube-apiserver”、“kube-controller-manager”、“kube-scheduler”、“etcd” 之一。
+“patchtype” 可以是 “strategic”、“merge” 或 “json”，它们匹配 kubectl 支持的补丁格式。
+默认的 “patchtype” 是 “strategic”。“extension” 必须是 “json” 或 “yaml”。
+“suffix” 是一个可选字符串，可用于基于字母数字顺序确定首先应用哪些补丁。
+</p></td>
+</tr>
 
 </tbody>
 </table>
@@ -128,7 +151,9 @@ Specify the node name.
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 到 '真实' 主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md
similarity index 52%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md
index 3ce1d641a5767..ad52e01bbb17e 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Mark a node as a control-plane 
+-->
+将节点标记为控制平面节点
 
 <!--
 ### Synopsis
@@ -9,7 +24,7 @@
 Mark a node as a control-plane
 -->
 
-将 Node 节点标记为控制平面节点
+将节点标记为控制平面节点
 
 ```
 kubeadm join phase control-plane-join mark-control-plane [flags]
@@ -34,9 +49,9 @@ kubeadm join phase control-plane-join mark-control-plane [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Path to kubeadm configuration file.
+<p>Path to kubeadm configuration file.</p>
 -->
-kubeadm 配置文件的路径。
+<p>kubeadm 配置文件的路径。</p>
 </td>
 </tr>
 
@@ -46,9 +61,9 @@ kubeadm 配置文件的路径。
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Create a new control plane instance on this node
+<p>Create a new control plane instance on this node</p>
 -->
-在此节点上创建一个新的控制平面实例
+<p>在此节点上创建一个新的控制平面实例</p>
 </td>
 </tr>
 
@@ -58,9 +73,9 @@ Create a new control plane instance on this node
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for mark-control-plane
+<p>help for mark-control-plane</p>
 -->
-mark-control-plane 操作的帮助命令
+<p>mark-control-plane 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -70,9 +85,9 @@ mark-control-plane 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Specify the node name.
+<p>Specify the node name.</p>
 -->
-指定节点的名称
+<p>指定节点的名称。</p>
 </td>
 </tr>
 
@@ -98,9 +113,9 @@ Specify the node name.
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
 -->
-[实验] 到 '真实' 主机根文件系统的路径。
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md
new file mode 100644
index 0000000000000..22df0e47a8f19
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md
@@ -0,0 +1,138 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED) 
+-->
+将新的控制平面节点注册到 kubeadm-config ConfigMap 维护的 ClusterStatus 中（已弃用）
+
+<!-- 
+### Synopsis 
+-->
+
+## 概要
+
+<!-- 
+Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED)
+-->
+
+将新的控制平面节点注册到 kubeadm-config ConfigMap 维护的 ClusterStatus 中（已弃用）
+
+```
+kubeadm join phase control-plane-join update-status [flags]
+```
+
+<!-- 
+### Options 
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--apiserver-advertise-address string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
+-->
+<p>如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>Path to kubeadm config file.</p>  
+-->
+<p>kubeadm 配置文件的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--control-plane</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>Create a new control plane instance on this node</p> 
+-->
+<p>在此节点上创建一个新的控制平面实例</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>help for update-status</p> 
+-->
+<p>update-status 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--node-name string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>Specify the node name.</p>  
+-->
+<p>指定节点名称。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令中继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 到 '真实' 主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
similarity index 65%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
index 76025d8d729c6..b932b05540e63 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Prepare the machine for serving a control plane
+-->
+准备为控制平面服务的机器
 
 <!--
 ### Synopsis
@@ -50,7 +66,9 @@ kubeadm join phase control-plane-prepare all
 <!--
 help for control-plane-prepare
 -->
+<p>
 control-plane-prepare 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -78,10 +96,11 @@ control-plane-prepare 操作的帮助命令
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
similarity index 69%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
index 7a75089abbe6b..e9ea15e302bc6 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Prepare the machine for serving a control plane
+-->
+准备为控制平面服务的机器
 
 <!--
 ### Synopsis
@@ -36,7 +52,9 @@ kubeadm join phase control-plane-prepare all [api-server-endpoint] [flags]
 <!--
 If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
 -->
+<p>
 如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
+</p>
 </td>
 </tr>
 
@@ -53,7 +71,9 @@ If the node should host a new control plane instance, the IP address the API Ser
 <!--
 If the node should host a new control plane instance, the port for the API Server to bind to.
 -->
+<p>
 如果该节点托管一个新的控制平面实例，则为 API 服务器要绑定的端口。
+</p>
 </td>
 </tr>
 
@@ -65,7 +85,9 @@ If the node should host a new control plane instance, the port for the API Serve
 <!--
 Use this key to decrypt the certificate secrets uploaded by init.
 -->
+<p>
 使用此密钥解密由 init 上传的证书 secrets。
+</p>
 </td>
 </tr>
 
@@ -77,7 +99,9 @@ Use this key to decrypt the certificate secrets uploaded by init.
 <!--
 Path to kubeadm config file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -89,7 +113,9 @@ kubeadm 配置文件的路径。
 <!--
 Create a new control plane instance on this node
 -->
+<p>
 在此节点上创建一个新的控制平面实例
+</p>
 </td>
 </tr>
 
@@ -101,7 +127,9 @@ Create a new control plane instance on this node
 <!--
 For file-based discovery, a file or URL from which to load cluster information.
 -->
+<p>
 对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
+</p>
 </td>
 </tr>
 
@@ -113,19 +141,23 @@ For file-based discovery, a file or URL from which to load cluster information.
 <!--
 For token-based discovery, the token used to validate cluster information fetched from the API server.
 -->
+<p>
 对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
+<td colspan="2">--discovery-token-ca-cert-hash strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
 -->
+<p>
 对于基于令牌的发现，请验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。
+</p>
 </td>
 </tr>
 
@@ -137,47 +169,54 @@ For token-based discovery, validate that the root CA public key matches this has
 <!--
 For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
 -->
+<p>
 对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--experimental-patches string</td>
+<td colspan="2">-h, --help</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
+<!--
+help for all
 -->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
+all 操作的帮助命令
 </td>
 </tr>
 
 <tr>
-<td colspan="2">-h, --help</td>
+<td colspan="2">--node-name string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for all
+Specify the node name.
 -->
-all 操作的帮助命令
+<p>
+指定节点名称。
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--node-name string</td>
+<td colspan="2">--patches string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify the node name.
+<!--  
+Path to a directory that contains files named &quot;target[suffix][+patchtype].extension&quot;. For example, &quot;kube-apiserver0+merge.yaml&quot; or just &quot;etcd.json&quot;. &quot;target&quot; can be one of &quot;kube-apiserver&quot;, &quot;kube-controller-manager&quot;, &quot;kube-scheduler&quot;, &quot;etcd&quot;. &quot;patchtype&quot; can be one of &quot;strategic&quot;, &quot;merge&quot; or &quot;json&quot; and they match the patch formats supported by kubectl. The default &quot;patchtype&quot; is &quot;strategic&quot;. &quot;extension&quot; must be either &quot;json&quot; or &quot;yaml&quot;. &quot;suffix&quot; is an optional string that can be used to determine which patches are applied first alpha-numerically.
 -->
-指定节点名称。
+<p>
+包含名为 “target[suffix][+patchtype].extension” 的文件的目录的路径。
+例如，“kube-apiserver0+merge.yaml” 或只是 “etcd.json”。
+“target” 可以是 “kube-apiserver”、“kube-controller-manager”、“kube-scheduler”、“etcd” 之一。
+“patchtype” 可以是 “strategic”、“merge” 或 “json”，它们匹配 kubectl 支持的补丁格式。
+默认的 “patchtype” 是 “strategic”。“extension” 必须是 “json” 或 “yaml”。
+“suffix” 是一个可选字符串，可用于基于字母数字顺序确定首先应用哪些补丁。
+</p>
 </td>
 </tr>
 
@@ -189,7 +228,9 @@ Specify the node name.
 <!--
 Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
 -->
+<p>
 指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
+</p>
 </td>
 </tr>
 
@@ -201,17 +242,19 @@ Specify the token used to temporarily authenticate with the Kubernetes Control P
 <!--
 Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
 -->
+<p>
 如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
 
+
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -229,10 +272,11 @@ Use this token for both discovery-token and tls-bootstrap-token when those value
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
similarity index 83%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
index fb823d616c4ad..9ff8a9cbf4b52 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Generate the certificates for the new control plane components
+-->
+为新的控制平面组件生成证书
 
 <!--
 ### Synopsis
@@ -8,7 +24,6 @@
 <!--
 Generate the certificates for the new control plane components
 -->
-
 为新的控制平面组件生成证书
 
 ```
@@ -18,7 +33,6 @@ kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags]
 <!--
 ### Options
 -->
-
 ### 选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -36,7 +50,9 @@ kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags]
 <!--
 If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
 -->
+<p>
 如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
+</p>
 </td>
 </tr>
 
@@ -48,7 +64,9 @@ If the node should host a new control plane instance, the IP address the API Ser
 <!--
 Path to kubeadm config file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -60,7 +78,9 @@ kubeadm 配置文件的路径。
 <!--
 Create a new control plane instance on this node
 -->
+<p>
 在此节点上创建一个新的控制平面实例
+</p>
 </td>
 </tr>
 
@@ -72,7 +92,9 @@ Create a new control plane instance on this node
 <!--
 For file-based discovery, a file or URL from which to load cluster information.
 -->
+<p>
 对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
+</p>
 </td>
 </tr>
 
@@ -84,19 +106,23 @@ For file-based discovery, a file or URL from which to load cluster information.
 <!--
 For token-based discovery, the token used to validate cluster information fetched from the API server.
 -->
+<p>
 对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
+<td colspan="2">--discovery-token-ca-cert-hash strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
 -->
+<p>
 对于基于令牌的发现，请验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。
+</p>
 </td>
 </tr>
 
@@ -108,7 +134,9 @@ For token-based discovery, validate that the root CA public key matches this has
 <!--
 For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
 -->
+<p>
 对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
+</p>
 </td>
 </tr>
 
@@ -120,7 +148,9 @@ For token-based discovery, allow joining without --discovery-token-ca-cert-hash
 <!--
 help for certs
 -->
+<p>
 certs 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -132,7 +162,9 @@ certs 操作的帮助命令
 <!--
 Specify the node name.
 -->
+<p>
 指定节点名称。
+</p>
 </td>
 </tr>
 
@@ -144,7 +176,9 @@ Specify the node name.
 <!--
 Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
 -->
+<p>
 指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
+</p>
 </td>
 </tr>
 
@@ -156,7 +190,9 @@ Specify the token used to temporarily authenticate with the Kubernetes Control P
 <!--
 Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
 -->
+<p>
 如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
+</p>
 </td>
 </tr>
 
@@ -166,7 +202,6 @@ Use this token for both discovery-token and tls-bootstrap-token when those value
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -184,10 +219,11 @@ Use this token for both discovery-token and tls-bootstrap-token when those value
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md
new file mode 100644
index 0000000000000..98528e9cfc520
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md
@@ -0,0 +1,157 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the manifests for the new control plane components 
+-->
+为新的控制平面组件生成清单
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Generate the manifests for the new control plane components
+-->
+
+为新的控制平面组件生成清单（manifest）
+
+```
+kubeadm join phase control-plane-prepare control-plane [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--apiserver-advertise-address string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
+-->
+<p>对于将要托管新的控制平面实例的节点，指定 API 服务器将公布的其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!--
+--apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 6443
+-->
+--apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值：6443
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>If the node should host a new control plane instance, the port for the API Server to bind to.</p>
+-->
+<p>针对将要托管新的控制平面实例的节点，设置 API 服务器要绑定的端口。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to kubeadm config file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--control-plane</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Create a new control plane instance on this node</p>
+-->
+<p>在此节点上创建一个新的控制平面实例</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for control-plane</p>
+-->
+<p>control-plane 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--  
+<p>Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.</p>
+-->
+<p>包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
+例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
+"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
+默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
+"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令中继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md
new file mode 100644
index 0000000000000..a0d501c29ee10
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md
@@ -0,0 +1,196 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+[EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret 
+-->
+[实验]从 kubeadm-certs Secret 下载控制平面节点之间共享的证书
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+[EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
+-->
+
+[实验]从 kubeadm-certs Secret 下载控制平面节点之间共享的证书
+
+```
+kubeadm join phase control-plane-prepare download-certs [api-server-endpoint] [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--certificate-key string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Use this key to decrypt the certificate secrets uploaded by init.</p>
+-->
+<p>使用此密钥可以解密由 init 上传的证书 secret。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to kubeadm config file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--control-plane</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Create a new control plane instance on this node</p>
+-->
+<p>在此节点上创建一个新的控制平面实例</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-file string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For file-based discovery, a file or URL from which to load cluster information.</p>
+-->
+<p>对于基于文件的发现，给出用于加载集群信息的文件或者 URL。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, the token used to validate cluster information fetched from the API server.</p>
+-->
+<p>对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").</p>
+-->
+<p>对于基于令牌的发现，请验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token-unsafe-skip-ca-verification</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.</p>
+-->
+<p>对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for download-certs</p>
+-->
+<p>download-certs 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--tls-bootstrap-token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.</p>
+-->
+<p>指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.</p>
+-->
+<p>如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令中继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md
new file mode 100644
index 0000000000000..449f477df5ae6
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md
@@ -0,0 +1,195 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate the kubeconfig for the new control plane components 
+-->
+为新的控制平面组件生成 kubeconfig
+
+<!--
+### Synopsis
+-->
+### 概要
+
+<!--
+Generate the kubeconfig for the new control plane components
+-->
+
+为新的控制平面组件生成 kubeconfig
+
+```
+kubeadm join phase control-plane-prepare kubeconfig [api-server-endpoint] [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--certificate-key string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Use this key to decrypt the certificate secrets uploaded by init.</p>
+-->
+<p>使用此密钥可以解密由 init 上传的证书 secret。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to kubeadm config file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--control-plane</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Create a new control plane instance on this node</p>
+-->
+<p>在此节点上创建一个新的控制平面实例</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-file string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For file-based discovery, a file or URL from which to load cluster information.</p>
+-->
+<p>对于基于文件的发现，给出用于加载集群信息的文件或者 URL。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, the token used to validate cluster information fetched from the API server.</p>
+-->
+<p>对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").</p>
+-->
+<p>对于基于令牌的发现，请验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token-unsafe-skip-ca-verification</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.</p>
+-->
+<p>对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for kubeconfig</p>
+-->
+<p>kubeconfig 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--tls-bootstrap-token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.</p>
+-->
+<p>指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.</p>
+-->
+<p>如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令中继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
similarity index 84%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
index ca95429a969e1..19379e86ce234 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Write kubelet settings, certificates and (re)start the kubelet
+-->
+配置 Kubelet、证书并（重新）启动 Kubelet
 
 <!--
 ### Synopsis
@@ -48,7 +64,9 @@ kubeadm 配置文件的路径。
 <!--
 Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
 -->
+<p>
 提供给 CRI 套接字建立连接的路径。如果为空，则 kubeadm 将尝试自动检测该值；仅当安装了多个 CRI 或具有非标准 CRI 套接字时，才使用此选项。
+</p>
 </td>
 </tr>
 
@@ -57,11 +75,12 @@ Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-For file-based discovery, a file or URL from which to load cluster information.
 <!--
 For file-based discovery, a file or URL from which to load cluster information.
 -->
+<p>
 对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
+</p>
 </td>
 </tr>
 
@@ -73,7 +92,9 @@ For file-based discovery, a file or URL from which to load cluster information.
 <!--
 For token-based discovery, the token used to validate cluster information fetched from the API server.
 -->
+<p>
 对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
+</p>
 </td>
 </tr>
 
@@ -85,7 +106,9 @@ For token-based discovery, the token used to validate cluster information fetche
 <!--
 For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
 -->
+<p>
 对于基于令牌的发现，验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。
+</p>
 </td>
 </tr>
 
@@ -97,7 +120,9 @@ For token-based discovery, validate that the root CA public key matches this has
 <!--
 For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
 -->
+<p>
 对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
+</p>
 </td>
 </tr>
 
@@ -109,7 +134,9 @@ For token-based discovery, allow joining without --discovery-token-ca-cert-hash
 <!--
 help for kubelet-start
 -->
+<p>
 kubelet-start 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -121,7 +148,9 @@ kubelet-start 操作的帮助命令
 <!--
 Specify the node name.
 -->
+<p>
 指定节点名称。
+</p>
 </td>
 </tr>
 
@@ -133,7 +162,9 @@ Specify the node name.
 <!--
 Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
 -->
+<p>
 指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
+</p>
 </td>
 </tr>
 
@@ -145,7 +176,9 @@ Specify the token used to temporarily authenticate with the Kubernetes Control P
 <!--
 Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
 -->
+<p>
 如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
+</p>
 </td>
 </tr>
 
@@ -173,10 +206,11 @@ Use this token for both discovery-token and tls-bootstrap-token when those value
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md
new file mode 100644
index 0000000000000..77951cba33807
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md
@@ -0,0 +1,273 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Run join pre-flight checks 
+-->
+运行 join 命令前检查
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Run pre-flight checks for kubeadm join.
+-->
+
+运行 kubeadm join 命令添加节点前检查。
+
+```
+kubeadm join phase preflight [api-server-endpoint] [flags]
+```
+
+<!--
+### Examples
+# Run join pre-flight checks using a config file.
+-->
+
+### 示例
+
+```
+# 使用配置文件运行 kubeadm join 命令添加节点前检查。
+kubeadm join phase preflight --config kubeadm-config.yaml
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--apiserver-advertise-address string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.</p>
+-->
+<p>对于将要托管新的控制平面实例的节点，指定 API 服务器将公布的其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!--
+--apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 6443
+-->
+--apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值：6443
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>If the node should host a new control plane instance, the port for the API Server to bind to.</p>
+-->
+<p>针对将要托管新的控制平面实例的节点，设置 API 服务器要绑定的端口。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--certificate-key string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Use this key to decrypt the certificate secrets uploaded by init.</p>
+-->
+<p>使用此密钥可以解密由 `init` 操作上传的证书 secret。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to kubeadm config file.</p>
+-->
+<p>kubeadm 配置文件的路径。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--control-plane</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Create a new control plane instance on this node</p>
+-->
+<p>在此节点上创建一个新的控制平面实例</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--cri-socket string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.</p>
+-->
+<p>提供给 CRI 套接字建立连接的路径。如果为空，则 kubeadm 将尝试自动检测该值；仅当安装了多个 CRI 或具有非标准 CRI 套接字时，才使用此选项。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-file string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For file-based discovery, a file or URL from which to load cluster information.</p>
+-->
+<p>对于基于文件的发现，给出用于加载集群信息的文件或者 URL。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, the token used to validate cluster information fetched from the API server.</p>
+-->
+<p>对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token-ca-cert-hash strings</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").</p>
+-->
+<p>对于基于令牌的发现，验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--discovery-token-unsafe-skip-ca-verification</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.</p>
+-->
+<p>对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for preflight</p>
+-->
+<p>preflight 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--ignore-preflight-errors stringSlice</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</p>
+-->
+<p>错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--node-name string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Specify the node name.</p>
+-->
+<p>指定节点名称。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--tls-bootstrap-token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.</p>
+-->
+<p>指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--token string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.</p>
+-->
+<p>如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_kubeconfig_user.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
similarity index 83%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
index 737aa778391a8..1864e5554c35e 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Performs a best effort revert of changes made to this host by 'kubeadm init' or 'kubeadm join'
+-->
+尽最大努力还原通过 'kubeadm init' 或者 'kubeadm join' 操作对主机所作的更改
+
 <!--
 ### Synopsis
 -->
@@ -7,8 +23,7 @@
 <!--
 Performs a best effort revert of changes made to this host by 'kubeadm init' or 'kubeadm join'
 -->
-
-尽最大努力还原通过 'kubeadm init' 或者 'kubeadm join' 操作对主机所做的更改
+尽最大努力还原通过 'kubeadm init' 或者 'kubeadm join' 操作对主机所作的更改
 
 <!--
 The "reset" command executes the following phases:
@@ -53,7 +68,9 @@ kubeadm reset [flags]
 <!--
 The path to the directory where the certificates are stored. If specified, clean this directory.
 -->
+<p>
 存储证书的目录路径。如果已指定，则需要清空此目录。
+</p>
 </td>
 </tr>
 
@@ -99,7 +116,7 @@ Don't apply any changes; just output what would be done.
 Reset the node without prompting for confirmation.
 -->
 在不提示确认的情况下重置节点。
-<p>
+</p>
 </td>
 </tr>
 
@@ -113,7 +130,7 @@ Reset the node without prompting for confirmation.
 help for reset
 -->
 reset 操作的帮助命令
-<p>
+</p>
 </td>
 </tr>
 
@@ -127,7 +144,7 @@ reset 操作的帮助命令
 A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
 -->
 错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。
-<p>
+</p>
 </td>
 </tr>
 
@@ -138,7 +155,7 @@ A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedU
 --kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
 -->
 --kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"
-<p>
+</p>
 </td>
 </tr>
 <tr>
@@ -148,7 +165,7 @@ A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedU
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
 与集群通信时使用的 kubeconfig 文件。如果未设置该标志，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
-<p>
+</p>
 </td>
 </tr>
 
@@ -160,7 +177,7 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <p>
 <!-- List of phases to be skipped -->
 要跳过的阶段列表
-<p>
+</p>
 </td>
 </tr>
 
@@ -192,10 +209,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
 [实验] 指向 '真实' 宿主机根文件系统的路径。
-<p>
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
similarity index 74%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
index 99584e48757a9..dc2993b580677 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_cleanup-node.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Run cleanup node.
+-->
+执行 cleanup node（清理节点）操作。
 
 <!--
 ### Synopsis
@@ -8,7 +23,6 @@
 <!--
 Run cleanup node.
 -->
-
 执行 cleanup node（清理节点）操作。
 
 ```
@@ -18,7 +32,6 @@ kubeadm reset phase cleanup-node [flags]
 <!--
 ### Options
 -->
-
 ### 选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -41,7 +54,9 @@ kubeadm reset phase cleanup-node [flags]
 <!--
 The path to the directory where the certificates are stored. If specified, clean this directory.
 -->
+<p>
 存储证书的目录路径。如果已指定，则需要清空此目录。
+</p>
 </td>
 </tr>
 
@@ -53,7 +68,9 @@ The path to the directory where the certificates are stored. If specified, clean
 <!--
 Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
 -->
+<p>
 要连接的 CRI 套接字的路径。如果为空，则 kubeadm 将尝试自动检测此值；仅当安装了多个CRI 或具有非标准 CRI 插槽时，才使用此选项。
+</p>
 </td>
 </tr>
 
@@ -65,7 +82,9 @@ Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this
 <!--
 help for cleanup-node
 -->
+<p>
 cleanup-node 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -75,7 +94,6 @@ cleanup-node 操作的帮助命令
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -93,10 +111,11 @@ cleanup-node 操作的帮助命令
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_preflight.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_preflight.md
new file mode 100644
index 0000000000000..acce31aaca0b6
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_preflight.md
@@ -0,0 +1,112 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Run reset pre-flight checks 
+-->
+运行重置启动前检查
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Run pre-flight checks for kubeadm reset.
+-->
+
+kubeadm reset（重置）前运行启动前检查。
+
+```
+kubeadm reset phase preflight [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">-f, --force</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>Reset the node without prompting for confirmation.</p>
+-->
+<p>在不提示确认的情况下重置节点。</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>help for preflight</p>
+-->
+<p>preflight 操作的帮助命令</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--ignore-preflight-errors strings</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</p>
+-->
+<p>错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
new file mode 100644
index 0000000000000..8b69953efd8af
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
@@ -0,0 +1,98 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Remove a local etcd member.
+-->
+删除本地 etcd 成员
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Remove a local etcd member for a control plane node.
+-->
+删除控制平面节点的本地 etcd 成员
+
+```
+kubeadm reset phase remove-etcd-member [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<p>
+<!-- help for remove-etcd-member -->
+remove-etcd-member 的帮助信息
+</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："/etc/kubernetes/admin.conf"</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<p>
+<!-- The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. -->
+与集群通信时使用的 Kubeconfig 文件。如果未设置该标志，则可以在默认位置中查找现有的 Kubeconfig 文件。
+</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<p>
+<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.-->
+[实验] 到'真实'主机根文件系统的路径。
+</p>
+</td>
+</tr>
+
+</tbody>
+</table>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
similarity index 85%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
index 7c2449a36d7a5..8f7411036643c 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Manage bootstrap tokens
+-->
+管理引导令牌
 
 <!--
 ### Synopsis
@@ -47,7 +62,7 @@ You can read more about bootstrap tokens here:
   /docs/admin/bootstrap-tokens/
 -->
 
-您可以在此处阅读有关引导令牌（bootstrap token）的更多信息：
+你可以在此处阅读有关引导令牌（bootstrap token）的更多信息：
   /docs/admin/bootstrap-tokens/
 
 ```
@@ -78,7 +93,9 @@ kubeadm token [flags]
 <!--
 Whether to enable dry-run mode or not
 -->
+<p>
 是否启用 `dry-run` 模式
+</p>
 </td>
 </tr>
 
@@ -93,7 +110,9 @@ Whether to enable dry-run mode or not
 <!--
 help for token
 -->
+<p>
 token 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -113,7 +132,9 @@ token 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 与集群通信时使用的 kubeconfig 文件。如果未设置，则搜索一组标准位置以查找现有 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -140,10 +161,11 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
similarity index 77%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
index 3142fa5d492c3..472cab153c2f2 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Create bootstrap tokens on the server
+-->
+在服务器上创建引导令牌
 
 <!--
 ### Synopsis
@@ -15,7 +30,7 @@ If no [token] is given, kubeadm will generate a random token instead.
 -->
 
 这个命令将为你创建一个引导令牌。
-您可以设置此令牌的用途，"有效时间" 和可选的人性化的描述。
+你可以设置此令牌的用途，"有效时间" 和可选的人性化的描述。
 
 这里的 [token] 是指将要生成的实际令牌。
 该令牌应该是一个通过安全机制生成的随机令牌，形式为 "[a-z0-9]{6}.[a-z0-9]{16}"。
@@ -38,6 +53,19 @@ kubeadm token create [token]
 </colgroup>
 <tbody>
 
+<tr>
+<td colspan="2">--certificate-key string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!--
+When used together with '--print-join-command', print the full 'kubeadm join' flag needed to join the cluster as a control-plane. To create a new certificate key you must use 'kubeadm init phase upload-certs --upload-certs'.
+-->
+当与 “--print-join-command” 一起使用时，打印作为控制平面加入集群时所需的所有 “kubeadm join” 标志。
+要创建新的证书密钥，你必须使用 “kubeadm init phase upload-certs --upload-certs”。
+</p></td>
+</tr>
+
 <tr>
 <td colspan="2">--config string</td>
 </tr>
@@ -46,7 +74,9 @@ kubeadm token create [token]
 <!--
 Path to a kubeadm configuration file.
 -->
+<p>
 kubeadm 配置文件的路径。
+</p>
 </td>
 </tr>
 
@@ -58,7 +88,9 @@ kubeadm 配置文件的路径。
 <!--
 A human friendly description of how this token is used.
 -->
+<p>
 针对令牌用途的人性化的描述。
+</p>
 </td>
 </tr>
 
@@ -67,7 +99,9 @@ A human friendly description of how this token is used.
 <!--
 --groups stringSlice&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: [system:bootstrappers:kubeadm:default-node-token]
 -->
+<p>
 --groups stringSlice&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值：[system:bootstrappers:kubeadm:default-node-token]
+</p>
 </td>
 </tr>
 <tr>
@@ -75,7 +109,9 @@ A human friendly description of how this token is used.
 <!--
 Extra groups that this token will authenticate as when used for authentication. Must match "\\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\\z"
 -->
+<p>
 此令牌用于身份验证时将进行身份验证的其他组。必须匹配  "\\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\\z"
+</p>
 </td>
 </tr>
 
@@ -87,7 +123,9 @@ Extra groups that this token will authenticate as when used for authentication.
 <!--
 help for create
 -->
+<p>
 create 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -99,7 +137,9 @@ create 操作的帮助命令
 <!--
 Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token.
 -->
+<p>
 不仅仅打印令牌，而是打印使用令牌加入集群所需的完整 'kubeadm join' 参数。
+</p>
 </td>
 </tr>
 
@@ -116,7 +156,9 @@ Instead of printing only the token, print the full 'kubeadm join' flag needed to
 <!--
 The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire
 -->
+<p>
 令牌有效时间，超过该时间令牌被自动删除。(例如： 1s, 2m, 3h)。如果设置为 '0'，令牌将永远不过期。
+</p>
 </td>
 </tr>
 
@@ -133,7 +175,9 @@ The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set
 <!--
 Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication]
 -->
+<p>
 描述可以使用此令牌的方式。你可以多次使用 `--usages` 或者提供一个以逗号分隔的选项列表。合法选项有: [signing,authentication]
+</p>
 </td>
 </tr>
 
@@ -143,7 +187,6 @@ Describes the ways in which this token can be used. You can pass --usages multip
 <!--
 ### Options inherited from parent commands
 -->
-
 ### 从父命令继承的选项
 
    <table style="width: 100%; table-layout: fixed;">
@@ -161,7 +204,9 @@ Describes the ways in which this token can be used. You can pass --usages multip
 <!--
 Whether to enable dry-run mode or not
 -->
+<p>
 是否启用 `dry-run` 运行模式
+</p>
 </td>
 </tr>
 
@@ -178,7 +223,9 @@ Whether to enable dry-run mode or not
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。
+</p>
 </td>
 </tr>
 
@@ -190,7 +237,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
similarity index 75%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
index 97e7e6008dc1d..58d56ac39994d 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Delete bootstrap tokens on the server
+-->
+删除服务器上的引导令牌
 
 <!--
 ### Synopsis
@@ -41,7 +56,9 @@ kubeadm token delete [token-value] ...
 <!--
 help for delete
 -->
+<p>
 delete 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -69,7 +86,9 @@ delete 操作的帮助命令
 <!--
 Whether to enable dry-run mode or not
 -->
+<p>
 是否启用 `dry-run` 运行模式
+</p>
 </td>
 </tr>
 
@@ -86,7 +105,9 @@ Whether to enable dry-run mode or not
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。
+</p>
 </td>
 </tr>
 
@@ -98,10 +119,11 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
index c91bb69ae8643..da02baf36f4f9 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Generate and print a bootstrap token, but do not create it on the server 
+-->
+生成并打印一个引导令牌，但不要在服务器上创建它
 
 <!--
 ### Synopsis
@@ -44,9 +59,9 @@ kubeadm token generate [flags]
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-help for generate
+<p>help for generate</p>
 -->
-generate 操作的帮助命令
+<p>generate 操作的帮助命令</p>
 </td>
 </tr>
 
@@ -71,8 +86,11 @@ generate 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Whether to enable dry-run mode or not -->
-是否启用 `dry-run` 运行模式</td>
+<!-- 
+<p>Whether to enable dry-run mode or not</p> 
+-->
+<p>是否启用 `dry-run` 运行模式</p>
+</td>
 </tr>
 
 <tr>
@@ -86,9 +104,9 @@ generate 操作的帮助命令
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+<p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p>
 -->
-用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。
+<p>用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。</p>
 </td>
 </tr>
 
@@ -97,8 +115,10 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
+<!-- 
+<p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p>  
+-->
+<p>[实验] 指向 '真实' 宿主机根文件系统的路径。</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
similarity index 73%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
index de796ebe3a7a3..a300297317a69 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
@@ -1,3 +1,19 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+List bootstrap tokens on the server
+-->
+列出服务器上的引导令牌
+
 <!--
 ### Synopsis
 -->
@@ -8,7 +24,7 @@
 This command will list all bootstrap tokens for you.
 -->
 
-此命令将为您列出所有的引导令牌。
+此命令将为你列出所有的引导令牌。
 
 ```
 kubeadm token list [flags]
@@ -38,8 +54,10 @@ kubeadm token list [flags]
 <!-- 
 If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
 -->
+<p>
 如果设置为 true，则在模板中缺少字段或哈希表的键时忽略模板中的任何错误。
 仅适用于 golang 和 jsonpath 输出格式。
+</p>
 </td>
 </tr>
 
@@ -54,7 +72,9 @@ If true, ignore any errors in templates when a field or map key is missing in th
 <!--  
 Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
 -->
+<p>
 输出格式：text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file 其中之一
+</p>
 </td>
 </tr>
 
@@ -64,7 +84,21 @@ Output format. One of: text|json|yaml|go-template|go-template-file|template|temp
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!-- help for list -->
+<p>
 list 操作的帮助命令
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--show-managed-fields</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<p>
+<!-- If true, keep the managedFields when printing objects in JSON or YAML format. -->
+如果为 true，则在以 JSON 或 YAML 格式打印对象时保留 managedFields。
+</p>
 </td>
 </tr>
 
@@ -90,8 +124,10 @@ list 操作的帮助命令
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
+<p>
 <!-- Whether to enable dry-run mode or not -->
 是否启用 `dry-run` 模式
+</p>
 </td>
 </tr>
 
@@ -108,7 +144,9 @@ list 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 用于和集群通信的 kubeconfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
@@ -118,7 +156,9 @@ The kubeconfig file to use when talking to the cluster. If the flag is not set,
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
similarity index 64%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
index 62c1fd2152fec..e57e36ffb8de4 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_diff.md
@@ -1,6 +1,21 @@
 <!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
 
 
+<!--
+Show what differences would be applied to existing static pod manifests. See also: kubeadm upgrade apply --dry-run
+-->
+显示哪些差异将被应用于现有的静态 pod 资源清单。参考: kubeadm upgrade apply --dry-run
+
+<!--
 ### Synopsis
 
 
@@ -49,7 +64,7 @@ kubeadm upgrade diff [version] [flags]
 <td colspan="2">--api-server-manifest string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/manifests/kube-apiserver.yaml"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">API服务器清单的路径</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>API服务器清单的路径</p></td>
 </tr>
 <!--
 <tr>
@@ -63,14 +78,14 @@ kubeadm upgrade diff [version] [flags]
 <td colspan="2">--config string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">kubeadm 配置文件的路径</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>kubeadm 配置文件的路径</p></td>
 </tr>
 <!--
 <tr>
 <td colspan="2">-c, --context-lines int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 3</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">How many lines of context in the diff</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>How many lines of context in the diff</p></td>
 </tr>
 -->
 <tr>
@@ -91,7 +106,7 @@ kubeadm upgrade diff [version] [flags]
 <td colspan="2">--controller-manager-manifest string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值： "/etc/kubernetes/manifests/kube-controller-manager.yaml"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">控制器清单的路径</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>控制器清单的路径</p></td>
 </tr>
 <!--
 <tr>
@@ -105,21 +120,21 @@ kubeadm upgrade diff [version] [flags]
 <td colspan="2">-h, --help</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">帮助</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>帮助</p></td>
 </tr>
 <!--
 <tr>
 <td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p></td>
 </tr>
 -->
 <tr>
 <td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">与集群通信时使用的 kubeconfig 文件，如果标志是未设置，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>与集群通信时使用的 kubeconfig 文件，如果标志是未设置，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</p></td>
 </tr>
 <!--
 <tr>
@@ -136,7 +151,7 @@ kubeadm upgrade diff [version] [flags]
 <td colspan="2">--scheduler-manifest string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/manifests/kube-scheduler.yaml"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">调度程序清单的路径</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>调度程序清单的路径</p></td>
 </tr>
 
 </tbody>
@@ -177,9 +192,8 @@ kubeadm upgrade diff [version] [flags]
 <td colspan="2">--rootfs string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] “真实”主机根文件系统的路径。</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[EXPERIMENTAL] “真实”主机根文件系统的路径。</p></td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
similarity index 52%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
index 7f5320214f8bb..c40d02317df20 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Upgrade commands for a node in the cluster
+-->
+升级集群中某个节点的命令
 
 <!--
 ### Synopsis
@@ -8,7 +23,6 @@
 <!--
 Upgrade commands for a node in the cluster
 -->
-
 升级集群中某个节点的命令
 
 <!--
@@ -49,14 +63,16 @@ kubeadm upgrade node [flags]
 <tbody>
 
 <tr>
-<td colspan="2">--certificate-renewal</td>
+<td colspan="2">--certificate-renewal&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default-->默认值: true</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 Perform the renewal of certificates used by component changed during upgrades.
 -->
+<p>
 对升级期间变化的组件所使用的证书执行更新。
+</p>
 </td>
 </tr>
 
@@ -69,7 +85,9 @@ Perform the renewal of certificates used by component changed during upgrades.
 <!--
 Do not change any state, just output the actions that would be performed.
 -->
+<p>
 不更改任何状态，只输出将要执行的操作。
+</p>
 </td>
 </tr>
 
@@ -84,23 +102,9 @@ Do not change any state, just output the actions that would be performed.
 <!--
 Perform the upgrade of etcd.
 -->
+<p>
 执行 etcd 的升级。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--experimental-patches string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
--->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
+</p>
 </td>
 </tr>
 
@@ -112,10 +116,23 @@ Path to a directory that contains files named "target[suffix][+patchtype].extens
 <!--
 help for node
 -->
+<p>
 node 操作的帮助命令
+</p>
 </td>
 </tr>
 
+<tr>
+<td colspan="2">--ignore-preflight-errors strings</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!-- A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. -->
+其错误将显示为警告的检查列表。示例：'IsPrivilegedUser,Swap'。 值 'all' 忽略所有检查中的错误。
+</p></td>
+</tr>
+
+
 <tr>
 <!-- 
 <td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td>
@@ -127,31 +144,41 @@ node 操作的帮助命令
 <!--
 The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
 -->
+<p>
 用于与集群交互的 kubeconfig 文件。如果参数未指定，将从一系列标准位置检索存在的 kubeconfig 文件。
+</p>
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--kubelet-version string</td>
+<td colspan="2">--patches string</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The *desired* version for the kubelet config after the upgrade. If not specified, the KubernetesVersion from the kubeadm-config ConfigMap will be used
--->
-升级后 *期望的* kubelet 配置版本。如未指定，将使用 kubeadm-config ConfigMap 中的 KubernetesVersion
-</td>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>
+<!-- Path to a directory that contains files named &quot;target[suffix][+patchtype].extension&quot;. For example, &quot;kube-apiserver0+merge.yaml&quot; or just &quot;etcd.json&quot;. &quot;target&quot; can be one of &quot;kube-apiserver&quot;, &quot;kube-controller-manager&quot;, &quot;kube-scheduler&quot;, &quot;etcd&quot;. &quot;patchtype&quot; can be one of &quot;strategic&quot;, &quot;merge&quot; or &quot;json&quot; and they match the patch formats supported by kubectl. The default &quot;patchtype&quot; is &quot;strategic&quot;. &quot;extension&quot; must be either &quot;json&quot; or &quot;yaml&quot;. &quot;suffix&quot; is an optional string that can be used to determine which patches are applied first alpha-numerically. -->
+包含名为 &quot;target[suffix][+patchtype].extension&quot; 的文件的目录的路径。
+例如，&quot;kube-apiserver0+merge.yaml&quot;或仅仅是 &quot;etcd.json&quot;。
+&quot;target&quot; 可以是 &quot;kube-apiserver&quot;、&quot;kube-controller-manager&quot;、&quot;kube-scheduler&quot;、&quot;etcd&quot; 之一。
+&quot;patchtype&quot; 可以是 &quot;strategic&quot;、&quot;merge&quot; 或者 &quot;json&quot; 之一，
+并且它们与 kubectl 支持的补丁格式相同。
+默认的 &quot;patchtype&quot; 是 &quot;strategic&quot;。
+&quot;extension&quot; 必须是&quot;json&quot; 或&quot;yaml&quot;。
+&quot;suffix&quot; 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
+</p></td>
+</tr>
 </tr>
 
 <tr>
-<td colspan="2">--skip-phases stringSlice</td>
+<td colspan="2">--skip-phases strings</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 List of phases to be skipped
 -->
+<p>
 要跳过的阶段的列表
+</p>
 </td>
 </tr>
 
@@ -179,10 +206,11 @@ List of phases to be skipped
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
 </tbody>
 </table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
similarity index 59%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
index 3ce963a02477f..6f75dfa88f419 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase.md
@@ -1,3 +1,18 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Use this command to invoke single phase of the node workflow
+-->
+使用此命令调用 node 工作流的某个阶段
 
 <!--
 ### Synopsis
@@ -32,7 +47,9 @@ Use this command to invoke single phase of the node workflow
 <!--
 help for phase
 -->
+<p>
 phase 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -59,7 +76,9 @@ phase 操作的帮助命令
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_control-plane.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_control-plane.md
new file mode 100644
index 0000000000000..f69ec4a67ee8b
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_control-plane.md
@@ -0,0 +1,154 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!-- 
+Upgrade the control plane instance deployed on this node, if any 
+-->
+升级部署在此节点上的控制平面实例，如果有的话
+
+<!--
+### Synopsis
+-->
+
+### 概要
+
+<!--
+Upgrade the control plane instance deployed on this node, if any
+-->
+
+升级部署在此节点上的控制平面实例，如果有的话
+
+```
+kubeadm upgrade node phase control-plane [flags]
+```
+
+<!--
+### Options
+-->
+
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--certificate-renewal</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>更新在升级期间变更的组件使用的证书。</p></td>
+</tr>
+<!-- 
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Perform the renewal of certificates used by component changed during upgrades.</p></td>
+-->
+
+<tr>
+<td colspan="2">--dry-run</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>不改变任何状态，只输出将要执行的动作。</p></td>
+</tr>
+<!--
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Do not change any state, just output the actions that would be performed.</p></td>
+-->
+
+<tr>
+<td colspan="2">--etcd-upgrade&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: true</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>执行 etcd 的升级。</p></td>
+</tr>
+<!--
+<td colspan="2">--etcd-upgrade&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td> 
+-->
+
+<!--
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Perform the upgrade of etcd.</p></td>
+-->
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>control-plane 的帮助信息</p></td>
+</tr>
+
+<!--
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>help for control-plane</p></td>
+-->
+
+<tr>
+<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: "/etc/kubernetes/admin.conf"</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。</p></td>
+</tr>
+
+<!--
+<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td>
+-->
+
+<!--
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p></td>
+-->
+
+<tr>
+<td colspan="2">--patches string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--  
+Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
+-->
+包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
+例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
+"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
+默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
+"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
+</td>
+</tr>
+
+</tbody>
+</table>
+
+
+
+<!--
+### Options inherited from parent commands
+-->
+
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[实验] 到'真实'主机根文件系统的路径。</p></td>
+</tr>
+<!--
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p></td>
+-->
+
+</tbody>
+</table>
+
+
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_kubelet-config.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_kubelet-config.md
similarity index 97%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_kubelet-config.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_kubelet-config.md
index d6329cfe05072..30ca0fd8e804e 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_kubelet-config.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_kubelet-config.md
@@ -11,7 +11,7 @@ Upgrade the kubelet configuration for this node
 Download the kubelet configuration from the kubelet-config ConfigMap stored in the cluster
 -->
 
-从群集中 ConfigMap kubelet-config 下载 kubelet 配置
+从集群中 ConfigMap kubelet-config 下载 kubelet 配置
 
 ```
 kubeadm upgrade node phase kubelet-config [flags]
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
new file mode 100644
index 0000000000000..47c7903ac0a63
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
@@ -0,0 +1,85 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+<!--
+Run upgrade node pre-flight checks
+-->
+执行升级节点的预检
+
+<!-- ### Synopsis -->
+### 概要
+
+
+<!-- Run pre-flight checks for kubeadm upgrade node. -->
+
+执行 kubeadm 升级节点的预检。
+
+```
+kubeadm upgrade node phase preflight [flags]
+```
+
+<!--
+### Options
+-->
+### 选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">help for preflight</td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>preflight 操作的帮助命令</p></td>
+</tr>
+
+<tr>
+<td colspan="2">--ignore-preflight-errors strings</td>
+</tr>
+<tr>
+<!-- 
+<td></td><td style="line-height: 130%; word-wrap: break-word;">A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</td> 
+-->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>错误将显示为警告的检查清单。示例：'IsPrivilegedUser,Swap'。值为'all'表示忽略所有检查的错误。</p></td>
+</tr>
+
+</tbody>
+</table>
+
+
+
+<!--
+### Options inherited from parent commands
+-->
+### 继承于父命令的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td> -->
+<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[实验] 到'真实'主机根文件系统的路径。</p></td>
+</tr>
+
+</tbody>
+</table>
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
new file mode 100644
index 0000000000000..c94439f4289d5
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
@@ -0,0 +1,177 @@
+<!--
+### Synopsis
+
+Check which versions are available to upgrade to and validate whether your current cluster is upgradeable. To skip the internet check, pass in the optional [version] parameter
+-->
+### 概述
+
+检查可升级到哪些版本，并验证你当前的集群是否可升级。 要跳过互联网检查，请传递可选的 [version] 参数 
+
+```
+kubeadm upgrade plan [version] [flags]
+```
+
+<!--
+### Options
+-->
+### 选项
+
+<table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--allow-experimental-upgrades</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.
+-->
+<p>
+显示不稳定版本的 Kubernetes 作为升级替代方案，并允许升级到 Kubernetes 的 Alpha/Beta/发行候选版本。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--allow-release-candidate-upgrades</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.
+-->
+<p>
+显示 Kubernetes 的发行候选版本作为升级选择，并允许升级到 Kubernetes 的发行候选版本。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--config string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Path to a kubeadm configuration file.
+-->
+<p>
+配置文件的路径。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--feature-gates string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+A set of key=value pairs that describe feature gates for various features. Options are:<br/>PublicKeysECDSA=true|false (ALPHA - default=false)<br/>RootlessControlPlane=true|false (ALPHA - default=false)<br/>UnversionedKubeletConfigMap=true|false (BETA - default=true)
+-->
+<p>
+一组描述各种特征特性门控的键值对。选项有：
+<br/>PublicKeysECDSA=true|false (ALPHA - 默认值=false)
+<br/>RootlessControlPlane=true|false (ALPHA - 默认值=false)
+<br/>UnversionedKubeletConfigMap=true|false (BETA - 默认值=true)
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">-h, --help</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+help for plan
+-->
+<p>
+plan 的帮助信息
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--ignore-preflight-errors strings</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+-->
+<p>
+其错误将显示为警告的检查列表。 例如：'IsPrivilegedUser,Swap'。 值 'all' 忽略所有检查错误。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">
+<!--
+--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
+-->
+--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"
+</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
+-->
+<p>
+与集群通信时使用的 kubeconfig 文件。如果标志为未设置，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
+</p>
+</td>
+</tr>
+
+<tr>
+<td colspan="2">--print-config</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Specifies whether the configuration file that will be used in the upgrade should be printed or not.
+-->
+<p>
+指定是否打印将在升级中使用的配置文件。
+</p>
+</td>
+</tr>
+
+</tbody>
+</table>
+
+
+<!--
+### Options inherited from parent commands
+-->
+### 从父命令继承的选项
+
+   <table style="width: 100%; table-layout: fixed;">
+<colgroup>
+<col span="1" style="width: 10px;" />
+<col span="1" />
+</colgroup>
+<tbody>
+
+<tr>
+<td colspan="2">--rootfs string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+[EXPERIMENTAL] The path to the 'real' host root filesystem.
+-->
+<p>
+[EXPERIMENTAL] “真实”主机根文件系统的路径。
+</p>
+</td>
+</tr>
+
+</tbody>
+</table>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
similarity index 65%
rename from content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
index 86e8805ad1a1b..48baeb90b013b 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
@@ -1,3 +1,20 @@
+<!--
+The file is auto-generated from the Go source code of the component using a generic
+[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
+to generate the reference documentation, please read
+[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
+To update the reference conent, please follow the 
+[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
+guide. You can file document formatting bugs against the
+[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
+-->
+
+
+<!--
+Print the version of kubeadm
+-->
+打印 kubeadm 的版本
+
 <!--
 ### Synopsis
 -->
@@ -7,7 +24,6 @@
 <!--
 Print the version of kubeadm
 -->
-
 打印 kubeadm 的版本
 
 ```
@@ -35,7 +51,9 @@ kubeadm version [flags]
 <!--
 help for version
 -->
+<p>
 version 操作的帮助命令
+</p>
 </td>
 </tr>
 
@@ -47,7 +65,9 @@ version 操作的帮助命令
 <!--
 Output format; available options are 'yaml', 'json' and 'short'
 -->
+<p>
 输出格式；可用的选项有 'yaml', 'json' 和 'short'
+</p>
 </td>
 </tr>
 
@@ -75,7 +95,9 @@ Output format; available options are 'yaml', 'json' and 'short'
 <!--
 [EXPERIMENTAL] The path to the 'real' host root filesystem.
 -->
+<p>
 [实验] 指向 '真实' 宿主机根文件系统的路径。
+</p>
 </td>
 </tr>
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/implementation-details.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/implementation-details.md
similarity index 89%
rename from content/zh/docs/reference/setup-tools/kubeadm/implementation-details.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/implementation-details.md
index e303eebfe19ef..3c9063d6871da 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/implementation-details.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/implementation-details.md
@@ -138,13 +138,13 @@ Kubernetes 目录 `/etc/kubernetes` 在应用程序中是一个常量，因为
 The `kubeadm init` [internal workflow](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow) consists of a sequence of atomic work tasks to perform,
 as described in `kubeadm init`.
 -->
-`kubeadm init` [内部工作流程](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)
+`kubeadm init` [内部工作流程](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)
 包含一系列要执行的原子性工作任务，如 `kubeadm init` 中所述。
 
 <!--  
 The [`kubeadm init phase`](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/) command allows users to invoke each task individually, and ultimately offers a reusable and composable API/toolbox that can be used by other Kubernetes bootstrap tools, by any IT automation tool or by an advanced user for creating custom clusters.
 -->
-[`kubeadm init phase`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/)
+[`kubeadm init phase`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/)
 命令允许用户分别调用每个任务，并最终提供可重用且可组合的 API 或工具箱，
 其他 Kubernetes 引导工具、任何 IT 自动化工具和高级用户都可以使用它来
 创建自定义集群。
@@ -166,13 +166,8 @@ Kubeadm 在启动 init 之前执行一组预检，目的是验证先决条件并
 - Kubernetes system requirements:
   - if running on linux:
     - [error] if Kernel is older than the minimum required version
-    - [error] if required cgroups subsystem aren't in set up
-  - if using docker:
-    - [warning/error] if Docker service does not exist, if it is disabled, if it is not active.
-    - [error] if Docker endpoint does not exist or does not work
-    - [warning] if docker version is not in the list of validated docker versions
-  - If using other cri engine:
-    - [error] if crictl socket does not answer
+    - [error] if required cgroups subsystem aren't set up
+- [error] if the CRI endpoint does not answer
 -->
 - [警告] 如果要使用的 Kubernetes 版本（由 `--kubernetes-version` 标志指定）比 kubeadm CLI
   版本至少高一个小版本。
@@ -180,12 +175,7 @@ Kubeadm 在启动 init 之前执行一组预检，目的是验证先决条件并
   - 如果在 linux上运行：
     - [错误] 如果内核早于最低要求的版本
     - [错误] 如果未设置所需的 cgroups 子系统
-  - 如果使用 docker：
-    - [警告/错误] 如果 Docker 服务不存在、被禁用或未激活。
-    - [错误] 如果 Docker 端点不存在或不起作用
-    - [警告] 如果 docker 版本不在经过验证的 docker 版本列表中
-  - 如果使用其他 cri 引擎：
-    - [错误] 如果 crictl 套接字未应答
+- [错误] 如果 CRI 端点未应答
 <!--  
 - [error] if user is not root
 - [error] if the machine hostname is not a valid DNS subdomain
@@ -253,7 +243,7 @@ Kubeadm 在启动 init 之前执行一组预检，目的是验证先决条件并
 <!--  
 1. Preflight checks can be invoked individually with the [`kubeadm init phase preflight`](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-preflight) command
 -->
-1. 可以使用 [`kubeadm init phase preflight`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-preflight)
+1. 可以使用 [`kubeadm init phase preflight`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-preflight)
    命令单独触发预检。
 
 <!--
@@ -331,16 +321,16 @@ Please note that:
    并且跳过给定证书的生成阶段。
    这意味着用户可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.{crt,key}`，
    kubeadm 将使用这些文件对其余证书进行签名。
-   请参阅[使用自定义证书](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#custom-certificates)。
+   请参阅[使用自定义证书](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#custom-certificates)。
 2. 仅对 CA 来说，如果所有其他证书和 kubeconfig 文件都已就位，则可以只提供 `ca.crt` 文件，
    而不提供 `ca.key` 文件。
    kubeadm 能够识别出这种情况并启用 ExternalCA，这也意味着了控制器管理器中的
    `csrsigner` 控制器将不会启动
 3. 如果 kubeadm 在
-   [外部 CA 模式](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#external-ca-mode)
+   [外部 CA 模式](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#external-ca-mode)
    下运行，所有证书必须由用户提供，因为 kubeadm 无法自行生成它们。
 4. 如果在 `--dry-run` 模式下执行 kubeadm，证书文件将写入一个临时文件夹中
-5. 可以使用 [`kubeadm init phase certs all`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-certs) 
+5. 可以使用 [`kubeadm init phase certs all`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-certs) 
    命令单独生成证书。
 
 <!--
@@ -368,18 +358,18 @@ by default [RBAC core components roles](/docs/reference/access-authn-authz/rbac/
   在此文件中，有一个引导令牌或内嵌的客户端证书，向集群表明此节点身份。
   此客户端证书应：
 
-  - 根据[节点鉴权](/zh/docs/reference/access-authn-authz/node/)模块的要求，属于 `system:nodes` 组织
+  - 根据[节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)模块的要求，属于 `system:nodes` 组织
   - 具有通用名称（CN）：`system:node:<小写主机名>`
 
 - 控制器管理器的 kubeconfig 文件 —— `/etc/kubernetes/controller-manager.conf`；
   在此文件中嵌入了一个具有控制器管理器身份标识的客户端证书。
   此客户端证书应具有 CN：`system:kube-controller-manager`，
-  该 CN 由 [RBAC 核心组件角色](/zh/docs/reference/access-authn-authz/rbac/#core-component-roles)
+  该 CN 由 [RBAC 核心组件角色](/zh-cn/docs/reference/access-authn-authz/rbac/#core-component-roles)
   默认定义的。
 
 - 调度器的 kubeconfig 文件 —— `/etc/kubernetes/scheduler.conf`；
   此文件中嵌入了具有调度器身份标识的客户端证书。此客户端证书应具有 CN：`system:kube-scheduler`，
-  该 CN 由 [RBAC 核心组件角色](/zh/docs/reference/access-authn-authz/rbac/#core-component-roles)
+  该 CN 由 [RBAC 核心组件角色](/zh-cn/docs/reference/access-authn-authz/rbac/#core-component-roles)
   默认定义的。
 
 <!-- 
@@ -393,7 +383,7 @@ CN. Kubeadm uses the `kubernetes-admin` CN.
 `/etc/kubernetes/admin.conf` 文件中。
 此处的 admin 定义为正在管理集群并希望完全控制集群（**root**）的实际人员。
 内嵌的 admin 客户端证书应是  `system:masters` 组织的成员，
-这一组织名由默认的 [RBAC 面向用户的角色绑定](/zh/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+这一组织名由默认的 [RBAC 面向用户的角色绑定](/zh-cn/docs/reference/access-authn-authz/rbac/#user-facing-roles)
 定义。它还应包括一个 CN。kubeadm 使用 `kubernetes-admin` CN。
 
 <!-- Please note that: -->
@@ -409,11 +399,11 @@ CN. Kubeadm uses the `kubernetes-admin` CN.
 1. `ca.crt` 证书内嵌在所有 kubeconfig 文件中。
 2. 如果给定的 kubeconfig 文件存在且其内容经过评估符合上述规范，则 kubeadm 将使用现有文件，
    并跳过给定 kubeconfig 的生成阶段
-3. 如果 kubeadm 以 [ExternalCA 模式](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#external-ca-mode)
+3. 如果 kubeadm 以 [ExternalCA 模式](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#external-ca-mode)
    运行，则所有必需的 kubeconfig 也必须由用户提供，因为 kubeadm 不能自己生成
 4. 如果在 `--dry-run` 模式下执行 kubeadm，则 kubeconfig 文件将写入一个临时文件夹中
 5. 可以使用
-   [`kubeadm init phase kubeconfig all`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-kubeconfig)
+   [`kubeadm init phase kubeconfig all`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-kubeconfig)
    命令分别生成 kubeconfig 文件。
 
 <!--
@@ -452,7 +442,7 @@ Kubelet 启动后会监视这个目录以便创建 Pod。
 
 - 同时为控制器管理器和调度器启用了领导者选举
 - 控制器管理器和调度器将引用 kubeconfig 文件及其各自的唯一标识
-- 如[将自定义参数传递给控制平面组件](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
+- 如[将自定义参数传递给控制平面组件](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
   中所述，所有静态 Pod 都会获得用户指定的额外标志
 - 所有静态 Pod 都会获得用户指定的额外卷（主机路径）
 
@@ -466,9 +456,9 @@ Kubelet 启动后会监视这个目录以便创建 Pod。
 -->
 1. 所有镜像默认从 k8s.gcr.io 拉取。 
    关于自定义镜像仓库，请参阅
-   [使用自定义镜像](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#custom-images)。
+   [使用自定义镜像](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#custom-images)。
 2. 如果在 `--dry-run` 模式下执行 kubeadm，则静态 Pod 文件写入一个临时文件夹中。
-3. 可以使用 [`kubeadm init phase control-plane all`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-control-plane) 
+3. 可以使用 [`kubeadm init phase control-plane all`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-control-plane) 
    命令分别生成主控组件的静态 Pod 清单。
 
 <!--
@@ -504,13 +494,13 @@ API 服务器的静态 Pod 清单会受到用户提供的以下参数的影响:
 <!--  
  - `--insecure-port=0` to avoid insecure connections to the api server
  - `--enable-bootstrap-token-auth=true` to enable the `BootstrapTokenAuthenticator` authentication module.
-   See [TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for more details
+   See [TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) for more details
  - `--allow-privileged` to `true` (required e.g. by kube proxy)
  - `--requestheader-client-ca-file` to `front-proxy-ca.crt`
 -->
 - `--insecure-port=0` 禁止到 API 服务器不安全的连接
 - `--enable-bootstrap-token-auth=true` 启用 `BootstrapTokenAuthenticator` 身份验证模块。
-  更多细节请参见 [TLS 引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)。
+  更多细节请参见 [TLS 引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)。
 - `--allow-privileged` 设为 `true`（诸如 kube-proxy 这些组件有此要求）
 - `--requestheader-client-ca-file` 设为 `front-proxy-ca.crt`
 
@@ -529,21 +519,21 @@ API 服务器的静态 Pod 清单会受到用户提供的以下参数的影响:
       (e.g. only pods on this node)
 -->
 - `--enable-admission-plugins` 设为：
-  - [`NamespaceLifecycle`](/zh/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle) 
+  - [`NamespaceLifecycle`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle) 
     例如，避免删除系统保留的名字空间
-  - [`LimitRanger`](/zh/docs/reference/access-authn-authz/admission-controllers/#limitranger) 和
-    [`ResourceQuota`](/zh/docs/reference/access-authn-authz/admission-controllers/#resourcequota)
+  - [`LimitRanger`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#limitranger) 和
+    [`ResourceQuota`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#resourcequota)
     对名字空间实施限制
-  - [`ServiceAccount`](/zh/docs/reference/access-authn-authz/admission-controllers/#serviceaccount)
+  - [`ServiceAccount`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#serviceaccount)
     实施服务账户自动化
-  - [`PersistentVolumeLabel`](/zh/docs/reference/access-authn-authz/admission-controllers/#persistentvolumelabel) 
+  - [`PersistentVolumeLabel`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#persistentvolumelabel) 
     将区域（Region）或区（Zone）标签附加到由云提供商定义的 PersistentVolumes
     （此准入控制器已被弃用并将在以后的版本中删除）。
     如果未明确选择使用 `gce` 或 `aws` 作为云提供商，则默认情况下，v1.9 以后的版本 kubeadm 都不会部署。
-  - [`DefaultStorageClass`](/zh/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass) 
+  - [`DefaultStorageClass`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass) 
     在 `PersistentVolumeClaim` 对象上强制使用默认存储类型
-  - [`DefaultTolerationSeconds`](/zh/docs/reference/access-authn-authz/admission-controllers/#defaulttolerationseconds)
-  - [`NodeRestriction`](/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction) 
+  - [`DefaultTolerationSeconds`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#defaulttolerationseconds)
+  - [`NodeRestriction`](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction) 
     限制 kubelet 可以修改的内容（例如，仅此节点上的 pod）
 <!--
  - `--kubelet-preferred-address-types` to `InternalIP,ExternalIP,Hostname;` this makes `kubectl logs` and other API server-kubelet
@@ -580,7 +570,7 @@ API 服务器的静态 Pod 清单会受到用户提供的以下参数的影响:
   - `--proxy-client-key-file` 设为 `front-proxy-client.key`
 
 - 其他用于保护前端代理（
-  [API 聚合层](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)）
+  [API 聚合层](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)）
   通信的标志:
 
   - `--requestheader-username-headers=X-Remote-User`
@@ -618,7 +608,7 @@ The static Pod manifest for the controller manager is affected by following para
 
 <!--  
  - `--controllers` enabling all the default controllers plus `BootstrapSigner` and `TokenCleaner` controllers for TLS bootstrap.
-   See [TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for more details
+   See [TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) for more details
  - `--use-service-account-credentials` to `true`
  - Flags for using certificates generated in previous steps:
     - `--root-ca-file` to `ca.crt`
@@ -628,7 +618,7 @@ The static Pod manifest for the controller manager is affected by following para
 -->
 - `--controllers` 为 TLS 引导程序启用所有默认控制器以及 `BootstrapSigner` 和
   `TokenCleaner` 控制器。详细信息请参阅
-  [TLS 引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+  [TLS 引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 - `--use-service-account-credentials` 设为 `true`
 - 使用先前步骤中生成的证书的标志：
 
@@ -676,10 +666,10 @@ a local etcd instance running in a Pod with following attributes:
 3. Static Pod manifest generation for local etcd can be invoked individually with the [`kubeadm init phase etcd local`](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-etcd) command
 -->
 1. etcd 镜像默认从 `k8s.gcr.io` 拉取。有关自定义镜像仓库，请参阅
-   [使用自定义镜像](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#custom-images)。
+   [使用自定义镜像](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#custom-images)。
 2. 如果 kubeadm 以 `--dry-run` 模式执行，etcd 静态 Pod 清单将写入一个临时文件夹。
 3. 可以使用
-   ['kubeadm init phase etcd local'](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-etcd)
+   ['kubeadm init phase etcd local'](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-etcd)
    命令单独为本地 etcd 生成静态 Pod 清单
 
 <!--
@@ -731,7 +721,7 @@ state and make new decisions based on that data.
 -->
 1. 在保存 ClusterConfiguration 之前，从配置中删除令牌等敏感信息。
 2. 可以使用
-   [`kubeadm init phase upload-config`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-upload-config) 
+   [`kubeadm init phase upload-config`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-upload-config) 
    命令单独上传主控节点配置。
 
 <!--
@@ -745,19 +735,21 @@ As soon as the control plane is available, kubeadm executes following actions:
 一旦控制平面可用，kubeadm 将执行以下操作：
 
 <!-- 
-- Labels the node as control-plane with `node-role.kubernetes.io/master=""`
-- Taints the node with `node-role.kubernetes.io/master:NoSchedule`
+- Labels the node as control-plane with `node-role.kubernetes.io/control-plane=""`
+- Taints the node with `node-role.kubernetes.io/master:NoSchedule` and `node-role.kubernetes.io/control-plane:NoSchedule`
 -->
-- 给节点打上 `node-role.kubernetes.io/master=""` 标签，标记其为控制平面
-- 给节点打上 `node-role.kubernetes.io/master:NoSchedule` 污点
+- 给节点打上 `node-role.kubernetes.io/control-plane=""` 标签，标记其为控制平面
+- 给节点打上 `node-role.kubernetes.io/master:NoSchedule` 和 `node-role.kubernetes.io/control-plane:NoSchedule` 污点
 
 <!-- Please note that: -->
 请注意：
 
 <!-- 
+1. The `node-role.kubernetes.io/master` taint is deprecated and will be removed in kubeadm version 1.25
 1. Mark control-plane phase can be invoked individually with the [`kubeadm init phase mark-control-plane`](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-mark-control-plane) command
 -->
-1. 可以使用 [`kubeadm init phase mark-control-plane`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-mark-control-plane) 
+1. `node-role.kubernetes.io/master` 污点是已废弃的，将会在 kubeadm 1.25 版本中移除
+1. 可以使用 [`kubeadm init phase mark-control-plane`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-mark-control-plane) 
   命令单独触发控制平面标记
 
 <!--
@@ -770,7 +762,7 @@ Kubeadm uses [Authenticating with Bootstrap Tokens](/docs/reference/access-authn
 existing cluster; for more details see also [design proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md).
 -->
 
-Kubeadm 使用[引导令牌认证](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
+Kubeadm 使用[引导令牌认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
 将新节点连接到现有集群；
 更多的详细信息，请参见
 [设计提案](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md)。
@@ -790,7 +782,7 @@ setting API server and controller flags as already described in previous paragra
    command, executing all the configuration steps described in following paragraphs; alternatively, each step can be invoked individually
 -->
 1. 可以使用
-   [`kubeadm init phase bootstrap-token`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-bootstrap-token) 
+   [`kubeadm init phase bootstrap-token`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-bootstrap-token) 
    命令配置节点的 TLS 引导，执行以下段落中描述的所有配置步骤；
    或者每个步骤都单独触发。
 
@@ -823,7 +815,7 @@ Please note that:
 1. 由 `kubeadm init` 创建的默认令牌将用于在 TLS 引导过程中验证临时用户；
    这些用户会成为 `system:bootstrappers:kubeadm:default-node-token` 组的成员。
 2. 令牌的有效期有限，默认为 24 小时（间隔可以通过 `-token-ttl` 标志进行更改）
-3. 可以使用 [`kubeadm token`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/)
+3. 可以使用 [`kubeadm token`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/)
    命令创建其他令牌，这些令牌还提供其他有用的令牌管理功能
 
 <!--
@@ -942,7 +934,7 @@ Please note that:
 1. This phase can be invoked individually with the [`kubeadm init phase addon all`](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon) command. 
 -->
 1. 此步骤可以调用
-   ['kubeadm init phase addon all'](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
+   ['kubeadm init phase addon all'](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
    命令单独执行。
 
 <!--
@@ -976,7 +968,7 @@ A ServiceAccount for `kube-proxy` is created in the `kube-system` namespace; the
 -->
 - CoreDNS 服务的名称为 `kube-dns`。这样做是为了防止当用户将集群 DNS 从 kube-dns
   切换到 CoreDNS 时出现服务中断。`--config` 方法在
-  [这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
+  [这里](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
   有描述。
 - 在 `kube-system` 名字空间中创建 CoreDNS 的 ServiceAccount
 - `coredns` 的 ServiceAccount 绑定了 `system:coredns` ClusterRole 中的特权
@@ -1007,7 +999,7 @@ This is split into discovery (having the Node trust the Kubernetes Master) and T
 <!-- 
 see [Authenticating with Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) or the corresponding [design proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md). 
 -->
-请参阅[使用引导令牌进行身份验证](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
+请参阅[使用引导令牌进行身份验证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
 或相应的[设计提案](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md)。
 
 <!--
@@ -1026,14 +1018,12 @@ cluster startup problems.
 
 <!--  
 1. `kubeadm join` preflight checks are basically a subset `kubeadm init` preflight checks
-1. Starting from 1.9, kubeadm provides better support for CRI-generic functionality; in that case, docker specific controls
-   are skipped or replaced by similar controls for crictl.
+1. Starting from 1.24, kubeadm uses crictl to communicate to all known CRI endpoints.
 1. Starting from 1.9, kubeadm provides support for joining nodes running on Windows; in that case, linux specific controls are skipped.
 1. In any case the user can skip specific preflight checks (or eventually all preflight checks) with the `--ignore-preflight-errors` option.
 -->
 1. `kubeadm join` 预检基本上是 `kubeadm init` 预检的一个子集
-2. 从 1.9 开始，kubeadm 为 CRI 通用的功能提供了更好的支持；在这种情况下，
-   Docker 特定的控制参数将跳过或替换为 crictl 中与之相似的控制参数。
+2. 从 1.24 开始，kubeadm 使用 crictl 与所有已知的 CRI 端点进行通信。
 3. 从 1.9 开始，kubeadm 支持加入在 Windows 上运行的节点；在这种情况下，
    将跳过 Linux 特定的控制参数。
 4. 在任何情况下，用户都可以通过 `--ignore-preflight-errors` 选项跳过
@@ -1114,7 +1104,7 @@ when the connection with the cluster is established, kubeadm try to access the `
 -->
 通过文件发现，集群 CA 证书是文件本身提供；事实上，这个发现文件是一个 kubeconfig 文件，
 只设置了 `server` 和 `certificate-authority-data` 属性，
-如 [`kubeadm join`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#file-or-https-based-discovery)
+如 [`kubeadm join`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/#file-or-https-based-discovery)
 参考文档中所述，当与集群建立连接时，kubeadm 尝试访问 `cluster-info` ConfigMap，
 如果可用，就使用它。
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
similarity index 84%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
index 3276fd9acc273..350f907bb15b9 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
@@ -31,12 +31,12 @@ Currently there are no experimental commands under `kubeadm alpha`.
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 -->
 * 用来启动引导 Kubernetes 控制平面节点的
-  [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+  [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
   命令
 * 用来将节点连接到集群的
-  [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 
+  [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/) 
   命令
 * 用来还原 `kubeadm init` 或 `kubeadm join` 操作对主机所做的任何更改的
-  [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+  [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   命令
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-certs.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs.md
similarity index 86%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-certs.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs.md
index 9f790c9383e6d..627bff0ddc9fa 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-certs.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs.md
@@ -10,7 +10,7 @@ For more details on how these commands can be used, see
 [Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
 -->
 `kubeadm certs` 提供管理证书的工具。关于如何使用这些命令的细节，可参见
-[使用 kubeadm 管理证书](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
+[使用 kubeadm 管理证书](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
 
 ## kubeadm certs {#cmd-certs}
 
@@ -31,7 +31,7 @@ For more details see [Manual certificate renewal](/docs/tasks/administer-cluster
 -->
 你可以使用 `all` 子命令来续订所有 Kubernetes 证书，也可以选择性地续订部分证书。
 更多的相关细节，可参见
-[手动续订证书](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal)。
+[手动续订证书](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal)。
 
 {{< tabs name="tab-certs-renew" >}}
 {{< tab name="renew" include="generated/kubeadm_certs_renew.md" />}}
@@ -57,8 +57,8 @@ and [`kubeadm join`](/docs/reference/setup-tools/kubeadm/kubeadm-join)
 to enable the automatic copy of certificates when joining additional control-plane nodes.
 -->
 此命令可用来生成一个新的控制面证书密钥。密钥可以作为 `--certificate-key`
-标志的取值传递给 [`kubeadm init`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init)
-和 [`kubeadm join`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join)
+标志的取值传递给 [`kubeadm init`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init)
+和 [`kubeadm join`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join)
 命令，从而在添加新的控制面节点时能够自动完成证书复制。
 
 {{< tabs name="tab-certs-certificate-key" >}}
@@ -74,7 +74,7 @@ For more details see
 -->
 此命令检查 kubeadm 所管理的本地 PKI 中的证书是否以及何时过期。
 更多的相关细节，可参见
-[检查证书过期](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration)。
+[检查证书过期](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration)。
 
 
 {{< tabs name="tab-certs-check-expiration" >}}
@@ -102,12 +102,12 @@ The user can then sign the CSRs with a CA of their choice.
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 -->
 * 用来启动引导 Kubernetes 控制面节点的
-  [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+  [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
   命令
 * 用来将节点连接到集群的
-  [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)
+  [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)
   命令
 * 用来回滚 `kubeadm init` 或 `kubeadm join` 对当前主机所做修改的
-  [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+  [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   命令
 
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config.md
new file mode 100644
index 0000000000000..0d12828260059
--- /dev/null
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config.md
@@ -0,0 +1,90 @@
+---
+title: kubeadm config
+content_type: concept
+weight: 50
+---
+
+<!-- overview -->
+<!--
+During `kubeadm init`, kubeadm uploads the `ClusterConfiguration` object to your cluster
+in a ConfigMap called `kubeadm-config` in the `kube-system` namespace. This configuration is then read during
+`kubeadm join`, `kubeadm reset` and `kubeadm upgrade`.
+-->
+在 `kubeadm init` 执行期间，kubeadm 将 `ClusterConfiguration` 对象上传
+到你的集群的 `kube-system` 名字空间下名为 `kubeadm-config` 的 ConfigMap 对象中。
+然后在 `kubeadm join`、`kubeadm reset` 和 `kubeadm upgrade` 执行期间读取此配置。 
+
+<!--
+You can use `kubeadm config print` to print the default static configuration that kubeadm
+uses for `kubeadm init` and `kubeadm join`.
+-->
+你可以使用 `kubeadm config print` 命令打印默认静态配置，
+kubeadm 运行 `kubeadm init` and `kubeadm join` 时将使用此配置。
+
+<!-- 
+The output of the command is meant to serve as an example. You must manually edit the output
+of this command to adapt to your setup. Remove the fields that you are not certain about and kubeadm
+will try to default them on runtime by examining the host. 
+-->
+{{< note >}}
+此命令的输出旨在作为示例。你必须手动编辑此命令的输出来适配你的设置。
+删除你不确定的字段，kubeadm 将通过检查主机来尝试在运行时给它们设默认值。
+{{< /note >}}
+
+<!--
+For more information on `init` and `join` navigate to
+[Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
+or [Using kubeadm join with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
+-->
+更多有关 `init` 和 `join` 的信息请浏览[使用带配置文件的 kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
+或[使用带配置文件的 kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file)。
+
+<!--
+For more information on using the kubeadm configuration API navigate to
+[Customizing components with the kubeadm API](/docs/setup/production-environment/tools/kubeadm/control-plane-flags).
+-->
+有关使用 kubeadm 的配置 API 的更多信息，
+请浏览[使用 kubeadm API 来自定义组件](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags)。
+
+<!-- 
+You can use `kubeadm config migrate` to convert your old configuration files that contain a deprecated
+API version to a newer, supported API version. 
+-->
+你可以使用 `kubeadm config migrate` 来转换旧配置文件，
+把其中已弃用的 API 版本更新为受支持的 API 版本。
+
+<!-- 
+`kubeadm config images list` and `kubeadm config images pull` can be used to list and pull the images
+that kubeadm requires. 
+-->
+`kubeadm config images list` 和 `kubeadm config images pull` 可以用来列出和拉取 kubeadm 所需的镜像。
+
+<!-- body -->
+## kubeadm config print {#cmd-config-print}
+{{< include "generated/kubeadm_config_print.md" >}}
+
+## kubeadm config print init-defaults {#cmd-config-print-init-defaults}
+{{< include "generated/kubeadm_config_print_init-defaults.md" >}}
+
+## kubeadm config print join-defaults {#cmd-config-print-join-defaults}
+{{< include "generated/kubeadm_config_print_join-defaults.md" >}}
+
+## kubeadm config migrate {#cmd-config-migrate}
+{{< include "generated/kubeadm_config_migrate.md" >}}
+
+## kubeadm config images list {#cmd-config-images-list}
+{{< include "generated/kubeadm_config_images_list.md" >}}
+
+## kubeadm config images pull {#cmd-config-images-pull}
+{{< include "generated/kubeadm_config_images_pull.md" >}}
+
+## {{% heading "whatsnext" %}}
+
+<!--
+* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a Kubernetes cluster to a newer version
+-->
+
+* [kubeadm upgrade](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
+  将 Kubernetes 集群升级到更新版本 [kubeadm upgrade]
+
+
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md
similarity index 94%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md
index 67884d38a233c..d1ffaa586240c 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md
@@ -21,7 +21,7 @@ if you wish to apply customization.
 `kubeadm init phase` is consistent with the [kubeadm init workflow](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow),
 and behind the scene both use the same code.
 -->
-`kubeadm init phase` 与 [kubeadm init 工作流](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)
+`kubeadm init phase` 与 [kubeadm init 工作流](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)
 一致，后台都使用相同的代码。
 
 <!--
@@ -143,7 +143,7 @@ You can use this command to upload the kubeadm configuration to your cluster.
 Alternatively, you can use [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/).
 -->
 可以使用此命令将 kubeadm 配置文件上传到集群。或者使用
-[kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)。
+[kubeadm config](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/)。
 
 {{< tabs name="upload-config" >}}
 {{< tab name="upload-config" include="generated/kubeadm_init_phase_upload-config.md" />}}
@@ -238,7 +238,7 @@ For more details on each field in the `v1beta3` configuration you can navigate t
 [API reference pages.](/docs/reference/config-api/kubeadm-config.v1beta3/)
 -->
 有关 `v1beta3` 配置中每个字段的更多详细信息，可以访问
-[API](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
+[API](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
 
 ## {{% heading "whatsnext" %}}
 
@@ -248,11 +248,11 @@ For more details on each field in the `v1beta3` configuration you can navigate t
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 * [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
 -->
-* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+* [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
   引导 Kubernetes 控制平面节点
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)
   将节点加入到集群
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   恢复通过 `kubeadm init` 或 `kubeadm join` 操作对主机所做的任何更改
-* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
+* [kubeadm alpha](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
   尝试实验性功能
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md
similarity index 66%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md
index 6914bdee27f5b..c53ca16be06f8 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-init.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -96,13 +96,13 @@ following steps:
    [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs.
 -->
 6. 生成令牌，将来其他节点可使用该令牌向控制平面注册自己。
-   如 [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/) 文档所述，
+   如 [kubeadm token](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/) 文档所述，
    用户可以选择通过 `--token` 提供令牌。
 
 <!--
 1. Makes all the necessary configurations for allowing node joining with the
    [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and
-   [TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+   [TLS Bootstrap](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
    mechanism:
 
    - Write a ConfigMap for making available all the information required
@@ -114,8 +114,8 @@ following steps:
 
    See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additional info.
 -->
-7. 为了使得节点能够遵照[启动引导令牌](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
-   和 [TLS 启动引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
+7. 为了使得节点能够遵照[启动引导令牌](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
+   和 [TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
    这两份文档中描述的机制加入到集群中，kubeadm 会执行所有的必要配置：
 
    - 创建一个 ConfigMap 提供添加集群节点所需的信息，并为该 ConfigMap 设置相关的 RBAC 访问规则。
@@ -124,7 +124,7 @@ following steps:
 
    - 配置自动签发新的 CSR 请求。
 
-   更多相关信息，请查看 [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)。
+   更多相关信息，请查看 [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)。
    
 <!-- 
 1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
@@ -207,6 +207,13 @@ What this example would do is write the manifest files for the control plane and
 这允许你修改文件，然后使用 `--skip-phases` 跳过这些阶段。
 通过调用最后一个命令，你将使用自定义清单文件创建一个控制平面节点。
 
+{{< feature-state for_k8s_version="v1.22" state="beta" >}}
+
+<!-- 
+Alternatively, you can use the `skipPhases` field under `InitConfiguration`. 
+-->
+或者，你可以使用 `InitConfiguration` 下的 `skipPhases` 字段。
+
 <!--
 ### Using kubeadm init with a configuration file {#config-file}
 -->
@@ -239,20 +246,129 @@ The default configuration can be printed out using the
 If your configuration is not using the latest version it is **recommended** that you migrate using
 the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
 
-For more information on the fields and usage of the configuration you can navigate to our API reference
-page and pick a version from [the list](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#section-directories).
+For more information on the fields and usage of the configuration you can navigate to our
+[API reference page](/docs/reference/config-api/kubeadm-config.v1beta3/).
 -->
-可以使用 [kubeadm config print](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
+可以使用 [kubeadm config print](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/)
 命令打印出默认配置。
 
 如果你的配置没有使用最新版本，
-**推荐**使用 [kubeadm config migrate](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
+**推荐**使用 [kubeadm config migrate](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/)
 命令进行迁移。
 
-有关配置的字段和用法的更多信息，
-你可以访问 API 参考页面并从
-[列表](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#section-directories)
-中选择一个版本。
+关于配置的字段和用法的更多信息，你可以访问 [API 参考页面](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
+
+<!-- 
+### Using kubeadm init with feature gates {#feature-gates} 
+-->
+### 使用 kubeadm init 时设置特性门控 {#feature-gates} 
+
+<!-- 
+Kubeadm supports a set of feature gates that are unique to kubeadm and can only be applied
+during cluster creation with `kubeadm init`. These features can control the behavior
+of the cluster. Feature gates are removed after a feature graduates to GA. 
+-->
+Kubeadm 支持一组独有的特性门控，只能在 `kubeadm init` 创建集群期间使用。
+这些特性可以控制集群的行为。特性门控会在毕业到 GA 后被移除。
+
+<!-- 
+To pass a feature gate you can either use the `--feature-gates` flag for
+`kubeadm init`, or you can add items into the `featureGates` field when you pass
+a [configuration file](/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration)
+using `--config`. 
+-->
+你可以使用 `--feature-gates` 标志来为 `kubeadm init` 设置特性门控，
+或者你可以在用 `--config` 传递[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration)
+时添加条目到 `featureGates` 字段中去。
+
+<!-- 
+Passing [feature gates for core Kubernetes components](/docs/reference/command-line-tools-reference/feature-gates)
+directly to kubeadm is not supported. Instead, it is possible to pass them by
+[Customizing components with the kubeadm API](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/). 
+-->
+直接传递 [Kubernetes 核心组件的特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates)给 kubeadm 是不支持的。
+相反，可以通过[使用 kubeadm API 的自定义组件](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)来传递。
+
+<!-- 
+List of feature gates: 
+-->
+特性门控的列表：
+
+{{< table caption="kubeadm feature gates" >}}
+特性 | 默认值 | Alpha | Beta
+:-------|:--------|:------|:-----
+`PublicKeysECDSA` | `false` | 1.19 | -
+`RootlessControlPlane` | `false` | 1.22 | -
+`UnversionedKubeletConfigMap` | `true` | 1.22 | 1.23
+{{< /table >}}
+
+<!-- 
+Once a feature gate goes GA it is removed from this list as its value becomes locked to `true` by default. 
+-->
+{{< note >}}
+一旦特性门控变成了 GA，那它将会从这个列表中移除，因为它的值会被默认锁定为 `true` 。
+{{< /note >}}
+
+<!-- 
+Feature gate descriptions: 
+-->
+特性门控的描述：
+
+<!-- 
+`PublicKeysECDSA`
+: Can be used to create a cluster that uses ECDSA certificates instead of the default RSA algorithm.
+Renewal of existing ECDSA certificates is also supported using `kubeadm certs renew`, but you cannot
+switch between the RSA and ECDSA algorithms on the fly or during upgrades. 
+-->
+`PublicKeysECDSA`
+: 可用于创建集群时使用 ECDSA 证书而不是默认 RSA 算法。
+支持用 `kubeadm certs renew` 更新现有 ECDSA 证书，
+但你不能在集群运行期间或升级期间切换 RSA 和 ECDSA 算法。
+
+<!-- 
+`RootlessControlPlane`
+: Setting this flag configures the kubeadm deployed control plane component static Pod containers
+for `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` to run as non-root users.
+If the flag is not set, those components run as root. You can change the value of this feature gate before
+you upgrade to a newer version of Kubernetes. 
+-->
+`RootlessControlPlane`
+: 设置此标志来配置 kubeadm 所部署的控制平面组件中的静态 Pod 容器 
+`kube-apiserver`、`kube-controller-manager`、`kube-scheduler` 和 `etcd` 以非 root 用户身份运行。
+如果未设置该标志，则这些组件以 root 身份运行。
+你可以在升级到更新版本的 Kubernetes 之前更改此特性门控的值。
+
+<!-- 
+`UnversionedKubeletConfigMap`
+: This flag controls the name of the {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} where kubeadm stores
+kubelet configuration data. With this flag not specified or set to `true`, the ConfigMap is named `kubelet-config`.
+If you set this flag to `false`, the name of the ConfigMap includes the major and minor version for Kubernetes
+(for example: `kubelet-config-{{< skew currentVersion >}}`). Kubeadm ensures that RBAC rules for reading and writing
+that ConfigMap are appropriate for the value you set. When kubeadm writes this ConfigMap (during `kubeadm init`
+or `kubeadm upgrade apply`), kubeadm respects the value of `UnversionedKubeletConfigMap`. When reading that ConfigMap
+(during `kubeadm join`, `kubeadm reset`, `kubeadm upgrade ...`), kubeadm attempts to use unversioned ConfigMap name first;
+if that does not succeed, kubeadm falls back to using the legacy (versioned) name for that ConfigMap. 
+-->
+`UnversionedKubeletConfigMap`
+: 此标志控制 kubeadm 存储 kubelet 配置数据的 {{<glossary_tooltip text="ConfigMap" term_id="configmap" >}} 的名称。
+在未指定此标志或设置为 `true` 的情况下，此 ConfigMap 被命名为 `kubelet-config`。
+如果将此标志设置为 `false`，则此 ConfigMap 的名称会包括 Kubernetes 的主要版本和次要版本（例如：`kubelet-config-{{< skew currentVersion >}}`）。 
+Kubeadm 会确保用于读写 ConfigMap 的 RBAC 规则适合你设置的值。
+当 kubeadm 写入此 ConfigMap 时（在 `kubeadm init` 或 `kubeadm upgrade apply` 期间），
+kubeadm 根据 `UnversionedKubeletConfigMap` 的设置值来执行操作。
+当读取此 ConfigMap 时（在 `kubeadm join`、`kubeadm reset`、`kubeadm upgrade ...` 期间），
+kubeadm 尝试首先使用无版本（后缀）的 ConfigMap 名称；
+如果不成功，kubeadm 将回退到使用该 ConfigMap 的旧（带版本号的）名称。
+
+<!-- 
+Setting `UnversionedKubeletConfigMap` to `false` is supported but **deprecated**. 
+-->
+{{< note >}}
+设置 `UnversionedKubeletConfigMap` 为 `false` 是被支持的特性，但该特性**已被弃用**。
+{{< /note >}}
+
+
+
 
 <!--
 ### Adding kube-proxy parameters {#kube-proxy}
@@ -268,7 +384,7 @@ For information about enabling IPVS mode with kubeadm see:
 -->
 kubeadm 配置中有关 kube-proxy 的说明请查看：
 
-- [kube-proxy 参考](/zh/docs/reference/config-api/kube-proxy-config.v1alpha1/)
+- [kube-proxy 参考](/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1/)
 
 使用 kubeadm 启用 IPVS 模式的说明请查看：
 
@@ -283,7 +399,38 @@ kubeadm 配置中有关 kube-proxy 的说明请查看：
 For information about passing flags to control plane components see:
 - [control-plane-flags](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/) -->
 有关向控制平面组件传递命令行参数的说明请查看：
-[控制平面命令行参数](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
+[控制平面命令行参数](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
+
+<!--
+### Running kubeadm without an Internet connection {#without-internet-connection}
+-->
+### 在没有互联网连接的情况下运行 kubeadm {#without-internet-connection}
+
+<!--
+For running kubeadm without an internet connection you have to pre-pull the required control-plane images.
+-->
+要在没有互联网连接的情况下运行 kubeadm，你必须提前拉取所需的控制平面镜像。
+
+<!--
+You can list and pull the images using the `kubeadm config images` sub-command:
+-->
+你可以使用 `kubeadm config images` 子命令列出并拉取镜像：
+
+```shell
+kubeadm config images list
+kubeadm config images pull
+```
+
+<!-- 
+You can pass `--config` to the above commands with a [kubeadm configuration file](#config-file)
+to control the `kubernetesVersion` and `imageRepository` fields. 
+-->
+你可以通过 `--config` 把 [kubeadm 配置文件](#config-file) 传递给上述命令来控制 `kubernetesVersion` 和 `imageRepository` 字段。
+
+<!-- 
+All default `k8s.gcr.io` images that kubeadm requires support multiple architectures. 
+-->
+kubeadm 需要的所有默认 `k8s.gcr.io` 镜像都支持多种硬件体系结构。
 
 <!--
 ### Using custom images {#custom-images}
@@ -306,23 +453,44 @@ You can override this behavior by using [kubeadm with a configuration file](#con
 <!--
 Allowed customization are:
 
+* To provide `kubernetesVersion` which affects the version of the images.
 * To provide an alternative `imageRepository` to be used instead of
   `k8s.gcr.io`.
-* To set `useHyperKubeImage` to `true` to use the HyperKube image.
-* To provide a specific `imageRepository` and `imageTag` for etcd or DNS add-on.
+* To provide a specific `imageRepository` and `imageTag` for etcd or CoreDNS.
 -->
 允许的自定义功能有：
 
+* 提供影响镜像版本的 `kubernetesVersion`。 
 * 使用其他的 `imageRepository` 来代替 `k8s.gcr.io`。
-* 将 `useHyperKubeImage` 设置为 `true`，使用 HyperKube 镜像。
-* 为 etcd 或 DNS 附件提供特定的 `imageRepository` 和 `imageTag`。
+* 为 etcd 或 CoreDNS 提供特定的 `imageRepository` 和 `imageTag`。
 
-<!--
-Please note that the configuration field `kubernetesVersion` or the command line flag
-`-kubernetes-version` affect the version of the images.
+<!-- 
+`imageRepository` may differ for backwards compatibility reasons. For example,
+one image might have a subpath at `k8s.gcr.io/subpath/image`, but be defaulted
+to `my.customrepository.io/image` when using a custom repository. 
+-->
+由于向后兼容的原因，`imageRepository` 可能会有所不同。
+例如，某镜像的子路径可能是 `k8s.gcr.io/subpath/image`，
+但使用自定义仓库时默认为 `my.customrepository.io/image`。
+
+<!-- 
+To ensure you push the images to your custom repository in paths that kubeadm
+can consume, you must:
+-->
+确保将镜像推送到 kubeadm 可以使用的自定义仓库的路径中，你必须：
+
+<!-- 
+* Pull images from the defaults paths at `k8s.gcr.io` using `kubeadm config images {list|pull}`.
+* Push images to the paths from `kubeadm config images list --config=config.yaml`,
+where `config.yaml` contains the custom `imageRepository`, and/or `imageTag`
+for etcd and CoreDNS.
+* Pass the same `config.yaml` to `kubeadm init`. 
 -->
-请注意配置文件中的配置项 `kubernetesVersion` 或者命令行参数 `--kubernetes-version`
-会影响到镜像的版本。
+* 使用 `kubeadm config images {list|pull}` 从 `k8s.gcr.io` 的默认路径中拉取镜像。
+* 将镜像推送到 `kubeadm config images list --config=config.yaml` 的路径，
+其中 `config.yaml` 包含自定义的 `imageRepository` 和/或用于 etcd 和 CoreDNS 的 `imageTag`。 
+* 将相同的 `config.yaml` 传递给 `kubeadm init`。
+
 
 <!--
 ### Uploading control-plane certificates to the cluster
@@ -377,7 +545,7 @@ The document includes information about using external CA, custom certificates
 and certificate renewal.
 -->
 有关使用 kubeadm 进行证书管理的详细信息，请参阅
-[使用 kubeadm 进行证书管理](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
+[使用 kubeadm 进行证书管理](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
 该文档包括有关使用外部 CA，自定义证书和证书更新的信息。
 
 <!--
@@ -396,7 +564,7 @@ The `kubeadm` package ships with a configuration file for running the `kubelet`
 For further information, see [Managing the kubeadm drop-in file for systemd](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd).
 -->
 有关更多信息，请阅读
-[管理 systemd 的 kubeadm 内嵌文件](/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd)。
+[管理 systemd 的 kubeadm 内嵌文件](/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd)。
 
 <!--
 ### Use kubeadm with CRI runtimes
@@ -408,7 +576,7 @@ By default kubeadm attempts to detect your container runtime. For more details o
 the [kubeadm CRI installation guide](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime).
 -->
 默认情况下，kubeadm 尝试检测你的容器运行环境。有关此检测的更多详细信息，请参见
-[kubeadm CRI 安装指南](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime)。
+[kubeadm CRI 安装指南](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime)。
 
 <!--
 ### Setting the node name
@@ -422,35 +590,9 @@ value to the kubelet.
 -->
 默认情况下, `kubeadm` 基于机器的主机地址分配一个节点名称。你可以使用 `--node-name` 参数覆盖此设置。
 此标识将合适的
-[`--hostname-override`](/zh/docs/reference/command-line-tools-reference/kubelet/#options)
+[`--hostname-override`](/zh-cn/docs/reference/command-line-tools-reference/kubelet/#options)
 值传递给 kubelet。
 
-<!--
-### Running kubeadm without an internet connection
--->
-### 在没有互联网连接的情况下运行 kubeadm
-
-<!--
-For running kubeadm without an internet connection you have to pre-pull the required control-plane images.
--->
-要在没有互联网连接的情况下运行 kubeadm，你必须提前拉取所需的控制平面镜像。
-
-<!--
-You can list and pull the images using the `kubeadm config images` sub-command:
--->
-你可以使用 `kubeadm config images` 子命令列出并拉取镜像：
-
-```shell
-kubeadm config images list
-kubeadm config images pull
-```
-
-<!--
-All images that kubeadm requires such as `k8s.gcr.io/kube-*`, `k8s.gcr.io/etcd` and `k8s.gcr.io/pause` support multiple architectures.
--->
-kubeadm 需要的所有镜像，例如 `k8s.gcr.io/kube-*`、`k8s.gcr.io/etcd` 和 `k8s.gcr.io/pause`
-都支持多种架构。
-
 <!--
 ### Automating kubeadm
 -->
@@ -463,7 +605,7 @@ token distribution for easier automation. To implement this automation, you must
 know the IP address that the control-plane node will have after it is started,
 or use a DNS name or an address of a load balancer.
 -->
-除了像文档 [kubeadm 基础教程](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)
+除了像文档 [kubeadm 基础教程](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)
 中所描述的那样，将从 `kubeadm init` 取得的令牌复制到每个节点，
 你还可以并行地分发令牌以实现简单自动化。
 要实现自动化，你必须知道控制平面节点启动后将拥有的 IP 地址，或使用 DNS 名称或负载均衡器的地址。
@@ -513,7 +655,7 @@ provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/ku
 -->
 注意这种搭建集群的方式在安全保证上会有一些宽松，因为这种方式不允许使用 `--discovery-token-ca-cert-hash` 
 来验证根 CA 的哈希值（因为当配置节点的时候，它还没有被生成）。
-更多信息请参阅 [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 文档。
+更多信息请参阅 [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/) 文档。
 
 ## {{% heading "whatsnext" %}}
 
@@ -524,11 +666,11 @@ provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/ku
 * [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a Kubernetes cluster to a newer version
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 -->
-* 进一步阅读了解 [kubeadm init phase](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/)
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)
+* 进一步阅读了解 [kubeadm init phase](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/)
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)
   启动一个 Kubernetes 工作节点并且将其加入到集群
-* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
+* [kubeadm upgrade](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
   将 Kubernetes 集群升级到新版本
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   恢复 `kubeadm init` 或 `kubeadm join` 命令对节点所作的变更
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md
similarity index 91%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md
index 9ecb549aa3e3c..3f2c81f2df1e8 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md
@@ -21,7 +21,7 @@ if you wish to apply customization.
 and behind the scene both use the same code.
 -->
 `kubeadm join phase` 与
-[kubeadm join 工作流程](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#join-workflow)
+[kubeadm join 工作流程](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/#join-workflow)
 一致，后台都使用相同的代码。
 
 ## kubeadm join phase {#cmd-join-phase}
@@ -91,11 +91,11 @@ Using this phase you can join a node as a control-plane instance.
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 * [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
 -->
-* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+* [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
   引导 Kubernetes 控制平面节点
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)
   将节点添加到集群
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   恢复通过 `kubeadm init` 或 `kubeadm join` 操作对主机所做的任何更改
-* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
+* [kubeadm alpha](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
   尝试实验性功能
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-join.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md
similarity index 72%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-join.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md
index 9b0fc237d9447..51003b241592c 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-join.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md
@@ -1,12 +1,17 @@
 ---
+title: kubeadm join
+content_type: concept
+weight: 30
+---
+<!--
 reviewers:
-- mikedanese
 - luxas
 - jbeda
 title: kubeadm join
 content_type: concept
 weight: 30
----
+-->
+
 <!-- overview -->
 <!--
 This command initializes a Kubernetes worker node and joins it to the cluster.
@@ -22,12 +27,12 @@ This command initializes a Kubernetes worker node and joins it to the cluster.
 -->
 ### join 工作流 {#join-workflow}
 
-<!--  
-`kubeadm join` bootstraps a Kubernetes worker node and joins it to the cluster.
-This action consists of the following steps:
+<!--
+`kubeadm join` bootstraps a Kubernetes worker node or a control-plane node and adds it to the cluster.
+This action consists of the following steps for worker nodes:
 -->
-`kubeadm join` 初始化 Kubernetes 工作节点并将其加入集群。
-该操作过程包含下面几个步骤：
+`kubeadm join` 初始化 Kubernetes 工作节点或控制平面节点并将其添加到集群中。
+对于工作节点，该操作包括以下步骤：
 
 <!--
 1. kubeadm downloads necessary cluster information from the API server.
@@ -39,7 +44,7 @@ This action consists of the following steps:
    默认情况下，它使用引导令牌和 CA 密钥哈希来验证数据的真实性。
    也可以通过文件或 URL 直接发现根 CA。
 
-<!--  
+<!--
 1. Once the cluster information is known, kubelet can start the TLS bootstrapping
    process.
 
@@ -48,17 +53,17 @@ This action consists of the following steps:
    default the control plane signs this CSR request automatically.
 -->
 2. 一旦知道集群信息，kubelet 就可以开始 TLS 引导过程。
-   
+
    TLS 引导程序使用共享令牌与 Kubernetes API 服务器进行临时的身份验证，以提交证书签名请求 (CSR)；
    默认情况下，控制平面自动对该 CSR 请求进行签名。
 
-<!-- 
+<!--
 1. Finally, kubeadm configures the local kubelet to connect to the API
    server with the definitive identity assigned to the node.
 -->
 3. 最后，kubeadm 配置本地 kubelet 使用分配给节点的确定标识连接到 API 服务器。
 
-<!-- 
+<!--
 For control-plane nodes additional steps are performed:
 
 1. Downloading certificates shared among control-plane nodes from the cluster
@@ -76,26 +81,26 @@ For control-plane nodes additional steps are performed:
 
 1. 添加新的本地 etcd 成员。
 
-<!-- 
+<!--
 ### Using join phases with kubeadm {#join-phases}
 -->
 ### 使用 kubeadm 的 join phase 命令 {#join-phases}
 
-<!-- 
+<!--
 Kubeadm allows you join a node to the cluster in phases using `kubeadm join phase`.
 -->
 Kubeadm 允许你使用 `kubeadm join phase` 分阶段将节点加入集群。
 
-<!--  
+<!--
 To view the ordered list of phases and sub-phases you can call `kubeadm join --help`. The list will be located
 at the top of the help screen and each phase will have a description next to it.
 Note that by calling `kubeadm join` all of the phases and sub-phases will be executed in this exact order.
 -->
-要查看阶段和子阶段的有序列表，可以调用 `kubeadm join --help`。 
+要查看阶段和子阶段的有序列表，可以调用 `kubeadm join --help`。
 该列表将位于帮助屏幕的顶部，每个阶段旁边都有一个描述。
 注意，通过调用 `kubeadm join`，所有阶段和子阶段都将按照此确切顺序执行。
 
-<!--  
+<!--
 Some phases have unique flags, so if you want to have a look at the list of available options add `--help`, for example:
 -->
 有些阶段具有唯一的标志，因此，如果要查看可用选项列表，请添加 `--help`，例如：
@@ -104,13 +109,13 @@ Some phases have unique flags, so if you want to have a look at the list of avai
 kubeadm join phase kubelet-start --help
 ```
 
-<!-- 
+<!--
 Similar to the [kubeadm init phase](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases)
 command, `kubeadm join phase` allows you to skip a list of phases using the `--skip-phases` flag.
 
 For example:
 -->
-类似于 [kubeadm init phase](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases)命令，
+类似于 [kubeadm init phase](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases) 命令，
 `kubeadm join phase` 允许你使用 `--skip-phases` 标志跳过阶段列表。
 
 例如：
@@ -129,9 +134,9 @@ Alternatively, you can use the `skipPhases` field in `JoinConfiguration`.
 <!--
 ### Discovering what cluster CA to trust
 -->
-### 发现要信任的集群 CA
+### 发现要信任的集群 CA {#discovering-what-cluster-ca-to-trust}
 
-<!-- 
+<!--
 The kubeadm discovery has several options, each with security tradeoffs.
 The right method for your environment depends on how you provision nodes and the
 security expectations you have about your network and node lifecycles.
@@ -143,16 +148,16 @@ Kubeadm 的发现有几个选项，每个选项都有安全性上的优缺点。
 <!--
 #### Token-based discovery with CA pinning
 -->
-#### 带 CA 锁定模式的基于令牌的发现
+#### 带 CA 锁定模式的基于令牌的发现 {#token-based-discovery-with-ca-pinning}
 
-<!-- 
-This is the default mode in Kubernetes 1.8 and above. In this mode, kubeadm downloads
+<!--
+This is the default mode in kubeadm. In this mode, kubeadm downloads
 the cluster configuration (including root CA) and validates it using the token
 as well as validating that the root CA public key matches the provided hash and
 that the API server certificate is valid under the root CA.
 -->
-这是 Kubernetes 1.8 及以上版本中的默认模式。
-在这种模式下，kubeadm 下载集群配置（包括根CA）并使用令牌验证它，
+这是 kubeadm 的默认模式。
+在这种模式下，kubeadm 下载集群配置（包括根 CA）并使用令牌验证它，
 并且会验证根 CA 的公钥与所提供的哈希是否匹配，
 以及 API 服务器证书在根 CA 下是否有效。
 
@@ -162,7 +167,7 @@ The CA key hash has the format `sha256:<hex_encoded_hash>`. By default, the hash
 CA 键哈希格式为 `sha256:<hex_encoded_hash>`。
 默认情况下，在 `kubeadm init` 最后打印的 `kubeadm join` 命令
 或者 `kubeadm token create --print-join-command` 的输出信息中返回哈希值。
-它使用标准格式 (请参考 [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) 
+它使用标准格式（请参考 [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)）
 并且也能通过第三方工具或者制备系统进行计算。
 例如，使用 OpenSSL CLI：
 
@@ -171,7 +176,7 @@ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outfor
 ```
 
 <!--
-**Example `kubeadm join` command:**
+**Example `kubeadm join` commands:**
 -->
 **`kubeadm join` 命令示例**
 
@@ -193,7 +198,7 @@ For control-plane nodes:
 kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef --control-plane 1.2.3.4:6443
 ```
 
-<!-- 
+<!--
 You can also call `join` for a control-plane node with `--certificate-key` to copy certificates to this node,
 if the `kubeadm init` command was called with `--upload-certs`.
 -->
@@ -204,52 +209,52 @@ if the `kubeadm init` command was called with `--upload-certs`.
 <!--
 **Advantages:**
 
- - Allows bootstrapping nodes to securely discover a root of trust for the
-   master even if other worker nodes or the network are compromised.
+- Allows bootstrapping nodes to securely discover a root of trust for the
+  control-plane node even if other worker nodes or the network are compromised.
 
- - Convenient to execute manually since all of the information required fits
-   into a single `kubeadm join` command.
+- Convenient to execute manually since all of the information required fits
+  into a single `kubeadm join` command.
 -->
 
 **优势：**
 
-- 允许引导节点安全地发现主节点的信任根，即使其他工作节点或网络受到损害。
+- 允许引导节点安全地发现控制平面节点的信任根，即使其他工作节点或网络受到损害。
 
 - 方便手动执行，因为所需的所有信息都可放到一个 `kubeadm join` 命令中。
 
-<!-- 
+<!--
 **Disadvantages:**
 
-- The CA hash is not normally known until the master has been provisioned,
+- The CA hash is not normally known until the control-plane node has been provisioned,
   which can make it more difficult to build automated provisioning tools that
   use kubeadm. By generating your CA in beforehand, you may workaround this
-  limitation though.
+  limitation.
 -->
 
 **劣势：**
 
-- CA 哈希通常在主节点被提供之前是不知道的，这使得构建使用 kubeadm 的自动化配置工具更加困难。
-  通过预先生成CA，你可以解除这个限制。
+- CA 哈希通常在控制平面节点被提供之前是不知道的，这使得构建使用 kubeadm 的自动化配置工具更加困难。
+  通过预先生成 CA，你可以解除这个限制。
 
-<!--   
+<!--
 #### Token-based discovery without CA pinning
 -->
-#### 无 CA 锁定模式的基于令牌的发现
+#### 无 CA 锁定模式的基于令牌的发现 {#token-based-discovery-without-ca-pinning}
 
-<!--  
-_This was the default in Kubernetes 1.7 and earlier_, but comes with some
-important caveats. This mode relies only on the symmetric token to sign
+<!--
+This mode relies only on the symmetric token to sign
 (HMAC-SHA256) the discovery information that establishes the root of trust for
-the master. It's still possible in Kubernetes 1.8 and above using the
-`--discovery-token-unsafe-skip-ca-verification` flag, but you should consider
+the control-plane. To use the mode the joining nodes must skip the hash validation of the
+CA public key, using `--discovery-token-unsafe-skip-ca-verification`. You should consider
 using one of the other modes if possible.
 
 **Example `kubeadm join` command:**
 -->
-_这是 Kubernetes 1.7 和早期版本_中的默认设置；使用时要注意一些重要的补充说明。
-此模式仅依赖于对称令牌来签名(HMAC-SHA256)发现信息，这些发现信息为主节点建立信任根。
-在 Kubernetes 1.8 及以上版本中仍然可以使用 `--discovery-token-unsafe-skip-ca-verification`
-参数，但是如果可能的话，你应该考虑使用一种其他模式。
+此模式仅依靠对称令牌来签署 (HMAC-SHA256) 为控制平面建立信任根的发现信息。
+要使用该模式，加入节点必须使用
+`--discovery-token-unsafe-skip-ca-verification`
+跳过 CA 公钥的哈希验证。
+如果可以，你应该考虑使用其他模式。
 
 **`kubeadm join` 命令示例**
 
@@ -262,7 +267,7 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve
 
 - Still protects against many network-level attacks.
 
-- The token can be generated ahead of time and shared with the master and
+- The token can be generated ahead of time and shared with the control-plane node and
   worker nodes, which can then bootstrap in parallel without coordination. This
   allows it to be used in many provisioning scenarios.
 -->
@@ -271,7 +276,7 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve
 
 - 仍然可以防止许多网络级攻击。
 
-- 可以提前生成令牌并与主节点和工作节点共享，这样主节点和工作节点就可以并行引导而无需协调。
+- 可以提前生成令牌并与控制平面节点和工作节点共享，这样控制平面节点和工作节点就可以并行引导而无需协调。
   这允许它在许多配置场景中使用。
 
 <!--
@@ -279,22 +284,22 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve
 
 - If an attacker is able to steal a bootstrap token via some vulnerability,
   they can use that token (along with network-level access) to impersonate the
-  master to other bootstrapping nodes. This may or may not be an appropriate
+  control-plane node to other bootstrapping nodes. This may or may not be an appropriate
   tradeoff in your environment.
 -->
 
 **劣势**
 
 - 如果攻击者能够通过某些漏洞窃取引导令牌，那么他们可以使用该令牌（连同网络级访问）
-  为其它处于引导过程中的节点提供假冒的主节点。
+  为其它处于引导过程中的节点提供假冒的控制平面节点。
   在你的环境中，这可能是一个适当的折衷方法，也可能不是。
 
 <!--
 #### File or HTTPS-based discovery
 -->
-#### 基于 HTTPS 或文件发现
+#### 基于 HTTPS 或文件发现 {#file-or-https-based-discovery}
 
-<!-- 
+<!--
 This provides an out-of-band way to establish a root of trust between the control-plane node
 and bootstrapping nodes. Consider using this mode if you are building automated provisioning
 using kubeadm. The format of the discovery file is a regular Kubernetes
@@ -302,10 +307,10 @@ using kubeadm. The format of the discovery file is a regular Kubernetes
 
 In case the discovery file does not contain credentials, the TLS discovery token will be used.
 -->
-这种方案提供了一种带外方式在主节点和引导节点之间建立信任根。
+这种方案提供了一种带外方式在控制平面节点和引导节点之间建立信任根。
 如果使用 kubeadm 构建自动配置，请考虑使用此模式。
 发现文件的格式为常规的 Kubernetes
-[kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) 文件。
+[kubeconfig](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) 文件。
 
 如果发现文件不包含凭据，则将使用 TLS 发现令牌。
 
@@ -314,42 +319,47 @@ In case the discovery file does not contain credentials, the TLS discovery token
 -->
 **`kubeadm join` 命令示例：**
 
-- `kubeadm join --discovery-file path/to/file.conf` （本地文件）
+<!--
+- `kubeadm join --discovery-file path/to/file.conf` (local file)
+
+- `kubeadm join --discovery-file https://url/file.conf` (remote HTTPS URL)
+-->
+- `kubeadm join --discovery-file path/to/file.conf`（本地文件）
 
-- `kubeadm join --discovery-file https://url/file.conf` (远程 HTTPS URL)
+- `kubeadm join --discovery-file https://url/file.conf`（远程 HTTPS URL）
 
 <!--
 **Advantages:**
 
 - Allows bootstrapping nodes to securely discover a root of trust for the
-  master even if the network or other worker nodes are compromised.
+  control-plane node even if the network or other worker nodes are compromised.
 -->
 
 **优势：**
 
-- 允许引导节点安全地发现主节点的信任根，即使网络或其他工作节点受到损害。
+- 允许引导节点安全地发现控制平面节点的信任根，即使网络或其他工作节点受到损害。
 
 <!--
 **Disadvantages:**
 
 - Requires that you have some way to carry the discovery information from
-  the master to the bootstrapping nodes. This might be possible, for example,
-  via your cloud provider or provisioning tool. The information in this file is
-  not secret, but HTTPS or equivalent is required to ensure its integrity.
+  the control-plane node to the bootstrapping nodes. If the discovery file contains credentials
+  you must keep it secret and transfer it over a secure channel. This might be possible with your
+  cloud provider or provisioning tool.
 -->
 
 **劣势：**
 
-- 要求你有某种方法将发现信息从主节点传送到引导节点。
-  例如，这可以通过云提供商或驱动工具实现。
-  该文件中的信息不是加密的，而是需要 HTTPS 或等效文件来保证其完整性。
+- 要求你有某种方法将发现信息从控制平面节点传送到引导节点。
+  如果发现文件包含凭据，你必须对其保密并通过安全通道进行传输。
+  这可能通过你的云提供商或供应工具来实现。
 
 <!--
 ### Securing your installation even more {#securing-more}
 -->
 ### 确保你的安装更加安全 {#securing-more}
 
-<!-- 
+<!--
 The defaults for kubeadm may not work for everyone. This section documents how to tighten up a kubeadm installation
 at the cost of some usability.
 -->
@@ -359,9 +369,9 @@ Kubeadm 的默认值可能不适用于所有人。
 <!--
 #### Turning off auto-approval of node client certificates
 -->
-#### 关闭节点客户端证书的自动批准
+#### 关闭节点客户端证书的自动批准 {#turning-off-auto-approval-of-node-client-certificates}
 
-<!-- 
+<!--
 By default, there is a CSR auto-approver enabled that basically approves any client certificate request
 for a kubelet when a Bootstrap Token was used when authenticating. If you don't want the cluster to
 automatically approve kubelet client certs, you can turn it off by executing this command:
@@ -420,30 +430,29 @@ NAME                                                   AGE       REQUESTOR
 node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ   1m        system:bootstrap:878f07   Approved,Issued
 ```
 
-<!--  
+<!--
 This forces the workflow that `kubeadm join` will only succeed if `kubectl certificate approve` has been run.
 -->
-这迫使工作流只有在运行了 kubectl 证书批准后，kubeadm join 才能成功。
+这迫使工作流只有在运行了 `kubectl certificate approve` 后，`kubeadm join` 才能成功。
 
 <!--
 #### Turning off public access to the cluster-info ConfigMap
 -->
-#### 关闭对集群信息 ConfigMap 的公开访问
+#### 关闭对集群信息 ConfigMap 的公开访问 {#turning-off-public-access-to-the-cluster-info-configmap}
 
-<!-- 
+<!--
 In order to achieve the joining flow using the token as the only piece of validation information, a
- ConfigMap with some data needed for validation of the master's identity is exposed publicly by
+ ConfigMap with some data needed for validation of the control-plane node's identity is exposed publicly by
 default. While there is no private data in this ConfigMap, some users might wish to turn
 it off regardless. Doing so will disable the ability to use the `--discovery-token` flag of the
 `kubeadm join` flow. Here are the steps to do so:
 -->
-为了实现使用令牌作为唯一验证信息的加入工作流，默认情况下会公开带有验证主节点标识
-所需数据的 ConfigMap。
+为了实现使用令牌作为唯一验证信息的加入工作流，默认情况下会公开带有验证控制平面节点标识所需数据的 ConfigMap。
 虽然此 ConfigMap 中没有私有数据，但一些用户可能希望无论如何都关闭它。
 这样做需要禁用 `kubeadm join` 工作流的 `--discovery-token` 参数。
 以下是实现步骤：
 
-<!-- 
+<!--
 * Fetch the `cluster-info` file from the API Server:
 -->
 * 从 API 服务器获取 `cluster-info` 文件：
@@ -488,16 +497,18 @@ users: []
 <!--
 These commands should be run after `kubeadm init` but before `kubeadm join`.
 -->
-这些命令应该在执行 `kubeadm init` 之后、在`kubeadm join` 之前执行。
+这些命令应该在执行 `kubeadm init` 之后、在 `kubeadm join` 之前执行。
 
-<!-- 
+<!--
 ### Using kubeadm join with a configuration file {#config-file}
 -->
-### 使用带有配置文件的 kubeadm join
+### 使用带有配置文件的 kubeadm join {#config-file}
 
 {{< caution >}}
-<!--The config file is still considered alpha and may change in future versions.-->
-配置文件目前是 alpha 功能，在将来的版本中可能会变动。
+<!--
+The config file is still considered beta and may change in future versions.
+-->
+配置文件目前是 beta 功能，在将来的版本中可能会变动。
 {{< /caution >}}
 
 <!--
@@ -507,22 +518,22 @@ configuration file options. This file is passed using the `--config` flag and it
 contain a `JoinConfiguration` structure. Mixing `--config` with others flags may not be
 allowed in some cases.
 -->
-可以用配置文件替代命令行参数的方法配置 `kubeadm join`，一些高级功能也只有在使用配置文件时才可选用。
+可以用配置文件替代命令行参数的方法配置 `kubeadm join`，一些进阶功能也只有在使用配置文件时才可选用。
 该文件通过 `--config` 参数来传递，并且文件中必须包含 `JoinConfiguration` 结构。
 在某些情况下，不允许将 `--config` 与其他标志混合使用。
 
-<!--  
+<!--
 The default configuration can be printed out using the
 [kubeadm config print](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
 
 If your configuration is not using the latest version it is **recommended** that you migrate using
 the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
 -->
-使用 [kubeadm config print](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
+使用 [kubeadm config print](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/)
 命令可以打印默认配置。
 
 如果你的配置没有使用最新版本，
-**推荐**使用 [kubeadm config migrate](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
+**推荐**使用 [kubeadm config migrate](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/)
 命令转换。
 
 <!--
@@ -530,20 +541,20 @@ For more information on the fields and usage of the configuration you can naviga
 [API reference](/docs/reference/config-api/kubeadm-config.v1beta3/).
 -->
 有关配置的字段和用法的更多信息，你可以导航到我们的
-[API 参考页](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
+[API 参考页](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
 
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes master node
+* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node
 * [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) to manage tokens for `kubeadm join`
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 -->
-* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
-  初始化 Kubernetes 主节点
-* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/)
+* [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+  初始化 Kubernetes 控制平面节点
+* [kubeadm token](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/)
   管理 `kubeadm join` 的令牌
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   将 `kubeadm init` 或 `kubeadm join` 对主机的更改恢复到之前状态
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig.md
similarity index 88%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig.md
index c90f621bc24df..e911fe1a7b3fb 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig.md
@@ -13,7 +13,7 @@ For examples on how to use `kubeadm kubeconfig user` see
 `kubeadm kubeconfig` 提供用来管理 kubeconfig 文件的工具。
 
 如果希望查看如何使用 `kubeadm kubeconfig user` 的示例，请参阅
-[为其他用户生成 kubeconfig 文件](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users).
+[为其他用户生成 kubeconfig 文件](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users).
 
 ## kubeadm kubeconfig {#cmd-kubeconfig}
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase.md
similarity index 87%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase.md
index 4d1d6e82d1e59..134b18f91efa3 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase.md
@@ -23,7 +23,7 @@ if you wish to apply customization.
 and behind the scene both use the same code.
 -->
 `kubeadm reset phase` 与
-[kubeadm reset 工作流程](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/#reset-workflow)
+[kubeadm reset 工作流程](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/#reset-workflow)
 一致，后台都使用相同的代码。
 
 ## kubeadm reset phase {#cmd-reset-phase}
@@ -79,11 +79,11 @@ Using this phase you can perform cleanup on this node.
 * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
 * [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
 -->
-* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
+* [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/)
   引导 Kubernetes 控制平面节点
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)
   将节点添加到集群
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   恢复通过 `kubeadm init` 或 `kubeadm join` 操作对主机所做的任何更改
-* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
+* [kubeadm alpha](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
   尝试实验性功能
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
similarity index 91%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
index eefcfd45fc143..5143c8f1111f4 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
@@ -58,6 +58,6 @@ etcdctl del "" --prefix
 
 <!-- * [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node
 * [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to bootstrap a Kubernetes worker node and join it to the cluster -->
-* 参考 [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 来初始化 Kubernetes 主节点。
-* 参考 [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 来初始化 Kubernetes 工作节点并加入集群。
+* 参考 [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/) 来初始化 Kubernetes 主节点。
+* 参考 [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/) 来初始化 Kubernetes 工作节点并加入集群。
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-token.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token.md
similarity index 80%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-token.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token.md
index 4409371db7dbf..cfb95bc700e82 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-token.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token.md
@@ -22,7 +22,7 @@ Bootstrap tokens are used for establishing bidirectional trust between a node jo
 the cluster and a master node, as described in [authenticating with bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/).
 -->
 
-如[使用引导令牌进行身份验证](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)所描述的，引导令牌用于在即将加入集群的节点和主节点间建立双向认证。
+如[使用引导令牌进行身份验证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)所描述的，引导令牌用于在即将加入集群的节点和主节点间建立双向认证。
 
 <!--
 `kubeadm init` creates an initial token with a 24-hour TTL. The following commands allow you to manage
@@ -52,4 +52,4 @@ such a token and also to create and manage new ones.
 <!--
 * [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to bootstrap a Kubernetes worker node and join it to the cluster
 -->
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 引导 Kubernetes 工作节点并将其加入集群
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/) 引导 Kubernetes 工作节点并将其加入集群
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase.md
similarity index 77%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase.md
index 1b970b50975db..4fdbb38d40d2f 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase.md
@@ -41,8 +41,8 @@ be called on a primary control-plane node.
 * [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a kubeadm node
 * [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
 -->
-* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导一个 Kubernetes 控制平面节点
-* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点加入到集群
-* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 还原 `kubeadm init` 或 `kubeadm join` 命令对主机所做的任何更改
-* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 升级 kubeadm 节点
-* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能
+* [kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导一个 Kubernetes 控制平面节点
+* [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点加入到集群
+* [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 还原 `kubeadm init` 或 `kubeadm join` 命令对主机所做的任何更改
+* [kubeadm upgrade](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 升级 kubeadm 节点
+* [kubeadm alpha](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
similarity index 93%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
index d14c44a5572cd..283bde562fe4f 100644
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
@@ -30,7 +30,7 @@ behind one command, with support for both planning an upgrade and actually perfo
 The steps for performing an upgrade using kubeadm are outlined in [this document](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
 For older versions of kubeadm, please refer to older documentation sets of the Kubernetes website.
 -->
-[本文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)概述
+[本文档](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)概述
 使用 kubeadm 执行升级的步骤。
 与 kubeadm 旧版本相关的文档，请参阅 Kubernetes 网站的旧版文档。
 
@@ -48,7 +48,7 @@ renewal see the [certificate management documentation](/docs/tasks/administer-cl
 在 Kubernetes v1.15.0 和更高版本中，`kubeadm upgrade apply` 和 `kubeadm upgrade node`
 也将自动续订该节点上的 kubeadm 托管证书，包括存储在 kubeconfig 文件中的证书。
 要选择退出，可以传递参数 `--certificate-renewal=false`。
-有关证书续订的更多详细信息请参见[证书管理文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
+有关证书续订的更多详细信息请参见[证书管理文档](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
 
 
 {{< note >}}
@@ -81,6 +81,6 @@ reports of unexpected results.
 * [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade`
 -->
 * 如果你使用 kubeadm v1.7.x 或更低版本初始化集群，则可以参考
-  [kubeadm 配置](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
+  [kubeadm 配置](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/)
   配置集群用于 `kubeadm upgrade`。
 
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-version.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-version.md
similarity index 100%
rename from content/zh/docs/reference/setup-tools/kubeadm/kubeadm-version.md
rename to content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-version.md
diff --git a/content/zh/docs/reference/tools/_index.md b/content/zh-cn/docs/reference/tools/_index.md
similarity index 51%
rename from content/zh/docs/reference/tools/_index.md
rename to content/zh-cn/docs/reference/tools/_index.md
index 2b7fefbe32d76..6dab3ddb63e34 100644
--- a/content/zh/docs/reference/tools/_index.md
+++ b/content/zh-cn/docs/reference/tools/_index.md
@@ -16,24 +16,22 @@ no_list: true
 
 <!-- overview -->
 <!-- 
-Kubernetes contains several built-in tools to help you work with the Kubernetes system.
+Kubernetes contains several tools to help you work with the Kubernetes system.
 -->
-Kubernetes 包含多个内置工具来帮助你使用 Kubernetes 系统。
+Kubernetes 包含多种工具来帮助你使用 Kubernetes 系统。
 
 
 <!-- body -->
 
 <!--  
-## Minikube
-
-[`minikube`](https://minikube.sigs.k8s.io/docs/) is a tool that
-runs a single-node Kubernetes cluster locally on your workstation for
-development and testing purposes.
+[`crictl`](https://github.com/kubernetes-sigs/cri-tools) is a command-line
+interface for inspecting and debugging {{<glossary_tooltip term_id="cri" text="CRI">}}-compatible
+container runtimes.
 -->
-## Minikube
+## crictl
 
-[`minikube`](https://minikube.sigs.k8s.io/docs/)
-是一种在你的工作站上本地运行单节点 Kubernetes 集群的工具，用于开发和测试。
+[`crictl`](https://github.com/kubernetes-sigs/cri-tools)
+是用于检查和调试兼容 {{<glossary_tooltip term_id="cri" text="CRI">}} 的容器运行时的命令行接口。
 
 <!-- 
 ## Dashboard
@@ -43,7 +41,7 @@ to a Kubernetes cluster, troubleshoot them, and manage the cluster and its resou
 -->
 ## 仪表盘
 
-[`Dashboard`](/zh/docs/tasks/access-application-cluster/web-ui-dashboard/)，
+[`Dashboard`](/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/)，
 基于 Web 的 Kubernetes 用户界面，
 允许你将容器化的应用程序部署到 Kubernetes 集群，
 对它们进行故障排查，并管理集群及其资源本身。
@@ -51,13 +49,14 @@ to a Kubernetes cluster, troubleshoot them, and manage the cluster and its resou
 <!-- 
 ## Helm
 
-[`Kubernetes Helm`](https://github.com/kubernetes/helm) is a tool for managing packages of pre-configured
-Kubernetes resources, aka Kubernetes charts.
+[Helm](https://helm.sh/) is a tool for managing packages of pre-configured
+Kubernetes resources. These packages are known as _Helm charts_.
 -->
 ## Helm
+{{% thirdparty-content single="true" %}}
 
-[`Kubernetes Helm`](https://github.com/kubernetes/helm)
-是一个用于管理预配置 Kubernetes 资源包的工具，也就是 Kubernetes 图表。
+[Helm](https://helm.sh/)
+是一个用于管理预配置 Kubernetes 资源包的工具。这些包被称为“Helm 图表”。
 
 <!-- 
 Use Helm to:
@@ -98,4 +97,46 @@ Use Kompose to:
 
 * 将 Docker Compose 文件翻译成 Kubernetes 对象
 * 从本地 Docker 开发转到通过 Kubernetes 管理你的应用程序
-* 转换 Docker Compose v1 或 v2 版本的 `yaml` 文件或[分布式应用程序包](https://docs.docker.com/compose/bundles/)
\ No newline at end of file
+* 转换 Docker Compose v1 或 v2 版本的 `yaml` 文件或[分布式应用程序包](https://docs.docker.com/compose/bundles/)
+
+## Kui
+
+<!--
+[`Kui`](https://github.com/kubernetes-sigs/kui) is a GUI tool that takes your normal
+`kubectl` command line requests and responds with graphics.
+-->
+[`Kui`](https://github.com/kubernetes-sigs/kui)
+是一个接受你标准的 `kubectl` 命令行请求并以图形响应的 GUI 工具。
+
+<!--
+Kui takes the normal `kubectl` command line requests and responds with graphics. Instead 
+of ASCII tables, Kui provides a GUI rendering with tables that you can sort.
+-->
+Kui 接受标准的 `kubectl` 命令行工具并以图形响应。
+Kui 提供包含可排序表格的 GUI 渲染，而不是 ASCII 表格。
+
+<!--
+Kui lets you:
+
+* Directly click on long, auto-generated resource names instead of copying and pasting
+* Type in `kubectl` commands and see them execute, even sometimes faster than `kubectl` itself
+* Query a {{< glossary_tooltip text="Job" term_id="job">}} and see its execution rendered
+  as a waterfall diagram
+* Click through resources in your cluster using a tabbed UI 
+-->
+Kui 让你能够：
+
+* 直接点击长的、自动生成的资源名称，而不是复制和粘贴
+* 输入 `kubectl` 命令并查看它们的执行，有时甚至比 `kubectl` 本身更快
+* 查询 {{<glossary_tooltip text="Job" term_id="job">}} 并查看其执行渲染为瀑布图
+* 使用选项卡式 UI 在集群中单击资源
+
+## Minikube
+
+<!--
+[`minikube`](https://minikube.sigs.k8s.io/docs/) is a tool that
+runs a single-node Kubernetes cluster locally on your workstation for
+development and testing purposes.
+-->
+[`minikube`](https://minikube.sigs.k8s.io/docs/)
+是一种在你的工作站上本地运行单节点 Kubernetes 集群的工具，用于开发和测试。
\ No newline at end of file
diff --git a/content/zh/docs/reference/tools/map-crictl-dockercli.md b/content/zh-cn/docs/reference/tools/map-crictl-dockercli.md
similarity index 100%
rename from content/zh/docs/reference/tools/map-crictl-dockercli.md
rename to content/zh-cn/docs/reference/tools/map-crictl-dockercli.md
diff --git a/content/zh/docs/reference/using-api/_index.md b/content/zh-cn/docs/reference/using-api/_index.md
similarity index 94%
rename from content/zh/docs/reference/using-api/_index.md
rename to content/zh-cn/docs/reference/using-api/_index.md
index 837adf9dc6069..3d39084395acd 100644
--- a/content/zh/docs/reference/using-api/_index.md
+++ b/content/zh-cn/docs/reference/using-api/_index.md
@@ -40,8 +40,8 @@ For general background information, read
 describes how clients can authenticate to the Kubernetes API server, and how their
 requests are authorized.
 -->
-如需了解一般背景信息，请查阅 [Kubernetes API](/zh/docs/concepts/overview/kubernetes-api/)。
-[Kubernetes API 控制访问](/zh/docs/concepts/security/controlling-access/)描述了客户端如何
+如需了解一般背景信息，请查阅 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/)。
+[Kubernetes API 控制访问](/zh-cn/docs/concepts/security/controlling-access/)描述了客户端如何
 向 Kubernetes API 服务器进行身份认证以及他们的请求如何被鉴权。
 
 
@@ -191,6 +191,7 @@ part is omitted, it is treated as if `=true` is specified. For example:
 
  - to disable `batch/v1`, set `--runtime-config=batch/v1=false`
  - to enable `batch/v2alpha1`, set `--runtime-config=batch/v2alpha1`
+ - to enable a specific version of an API, such as `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities` 
 -->
 ## 启用或禁用 API 组   {#enabling-or-disabling}
 资源和 API 组是在默认情况下被启用的。
@@ -200,6 +201,8 @@ part is omitted, it is treated as if `=true` is specified. For example:
 例如：
  - 禁用 `batch/v1`， 对应参数设置 `--runtime-config=batch/v1=false`
  - 启用 `batch/v2alpha1`， 对应参数设置 `--runtime-config=batch/v2alpha1`
+ - 要启用特定版本的 API，如 `storage.k8s.io/v1beta1/csistoragecapacities`，可以设置
+   `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`
 
 <!--
 When you enable or disable groups or resources, you need to restart the API
diff --git a/content/zh/docs/reference/using-api/api-concepts.md b/content/zh-cn/docs/reference/using-api/api-concepts.md
similarity index 96%
rename from content/zh/docs/reference/using-api/api-concepts.md
rename to content/zh-cn/docs/reference/using-api/api-concepts.md
index bf31ae7a78c03..2523de7e0b2c9 100644
--- a/content/zh/docs/reference/using-api/api-concepts.md
+++ b/content/zh-cn/docs/reference/using-api/api-concepts.md
@@ -42,7 +42,7 @@ or read on to learn about the API in general.
 Kubernetes 支持通过 **watchs** 实现高效的资源变更通知。
 Kubernetes 还提供了一致的列表操作，以便 API 客户端可以有效地缓存、跟踪和同步资源的状态。
 
-你可以在线查看 [API 参考](/zh/docs/reference/kubernetes-api/)，
+你可以在线查看 [API 参考](/zh-cn/docs/reference/kubernetes-api/)，
 或继续阅读以了解 API 的一般信息。
 
 <!--
@@ -79,11 +79,11 @@ as a permission check
 [API-initiated eviction](/docs/concepts/scheduling-eviction/api-eviction/)).
 -->
 大多数 Kubernetes API 资源类型都是
-[对象](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/#kubernetes-objects)：
+[对象](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/#kubernetes-objects)：
 它们代表集群上某个概念的具体实例，例如 Pod 或命名空间。
 少数 API 资源类型是 “虚拟的”，它们通常代表的是操作而非对象本身，
 例如权限检查（使用带有 JSON 编码的 `SubjectAccessReview` 主体的 POST 到 `subjectaccessreviews` 资源），
-或 Pod 的子资源 `eviction`（用于触发 [API-发起的驱逐](/zh/docs/concepts/scheduling-eviction/api-eviction/)）。
+或 Pod 的子资源 `eviction`（用于触发 [API-发起的驱逐](/zh-cn/docs/concepts/scheduling-eviction/api-eviction/)）。
 
 <!--
 ### Object names
@@ -127,7 +127,7 @@ HTTP verb for a **patch** is PATCH.
 -->
 ### API 动词 {#api-verbs}
 
-几乎所有对象资源类型都支持标准 HTTP 动词 - GET、POST、PUT、PATCH 和 DELETE。 
+几乎所有对象资源类型都支持标准 HTTP 动词 - GET、POST、PUT、PATCH 和 DELETE。
 Kubernetes 也使用自己的动词，这些动词通常写成小写，以区别于 HTTP 动词。
 
 Kubernetes 使用术语 **list** 来描述返回资源[集合](#collections)，
@@ -198,7 +198,7 @@ virtual resource type would be used if that becomes necessary.
 * 集群作用域的子资源：`GET /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE`
 * 名字空间作用域的子资源：`GET /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE`
 
-取决于对象是什么，每个子资源所支持的动词有所不同 - 参见 [API 文档](/zh/docs/reference/kubernetes-api/)以了解更多信息。
+取决于对象是什么，每个子资源所支持的动词有所不同 - 参见 [API 文档](/zh-cn/docs/reference/kubernetes-api/)以了解更多信息。
 跨多个资源来访问其子资源是不可能的 - 如果需要这一能力，则通常意味着需要一种
 新的虚拟资源类型了。
 
@@ -315,7 +315,7 @@ this is called a `Reflector` and is located in the `k8s.io/client-go/tools/cache
 并基于新返回的 `resourceVersion` 来开始新的 **watch** 操作。
 
 对于订阅集合，Kubernetes 客户端库通常会为 **list** -然后- **watch** 的逻辑提供某种形式的标准工具。
-（在 Go 客户端库中，这称为`反射器（Reflector）`，位于 `k8s.io/client-go/tools/cache` 包中。）
+（在 Go 客户端库中，这称为 `反射器（Reflector）`，位于 `k8s.io/client-go/tools/cache` 包中。）
 
 <!--
 ### Watch bookmarks
@@ -385,7 +385,7 @@ into many smaller chunks while preserving the consistency of the total request.
 chunk can be returned sequentially which reduces both the total size of the request and
 allows user-oriented clients to display results incrementally to improve responsiveness.
 -->
-如果你没有明确禁用 `APIListChunking` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)，
+如果你没有明确禁用 `APIListChunking` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
 Kubernetes API 服务器支持将单个大型集合请求分解为许多较小块的能力，同时保持总请求的一致性。
 
 <!--
@@ -525,7 +525,7 @@ last chunk), then there are no more remaining items and the API server does not
 is estimating the size of a collection.
 -->
 `remainingItemCount` 是集合中未包含在此响应中的后续项目的数量。
-如果 **list** 请求包含标签或字段{{< glossary_tooltip text="选择器" term_id="selector">}} ，
+如果 **list** 请求包含标签或字段{{< glossary_tooltip text="选择器" term_id="selector">}}，
 则剩余项目的数量是未知的，并且 API 服务器在其响应中不包含 `remainingItemCount` 字段。
 如果 **list** 是完整的（因为它没有分块，或者因为这是最后一个块），没有更多的剩余项目，
 API 服务器在其响应中不包含 `remainingItemCount` 字段。
@@ -553,7 +553,7 @@ has `kind` set to
 
 当你查询特定类型的 API 时，该查询返回的所有项目都属于该类型。
 例如，当你 **list** Service 对象时，集合响应的 `kind` 设置为
-[`ServiceList`](/zh/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceList)；
+[`ServiceList`](/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceList)；
 该集合中的每个项目都代表一个 Service。例如：
 
 ```
@@ -591,7 +591,7 @@ multiple **list** operations at the API level, `kubectl` represents
 a list of items using `kind: List`. For example:
 -->
 Kubernetes API 中定义了数十种集合类型（如 `PodList`、`ServiceList` 和 `NodeList`）。
-你可以从 [Kubernetes API](/zh/docs/reference/kubernetes-api/) 文档中获取有关每种集合类型的更多信息。
+你可以从 [Kubernetes API](/zh-cn/docs/reference/kubernetes-api/) 文档中获取有关每种集合类型的更多信息。
 
 一些工具，例如 `kubectl`，对于 Kubernetes 集合的表现机制与 Kubernetes API 本身略有不同。
 因为 `kubectl` 的输出可能包含来自 API 级别的多个 **list** 操作的响应，
@@ -660,7 +660,7 @@ had to be in place for types unrecognized by a client.
 -->
 ## 以表格形式接收资源  {#receiving-resources-as-tables}
 
-当你执行`kubectl get` 时，默认的输出格式是特定资源类型的一个或多个实例的简单表格形式。
+当你执行 `kubectl get` 时，默认的输出格式是特定资源类型的一个或多个实例的简单表格形式。
 过去，客户端需要重复 `kubectl` 中所实现的表格输出和描述输出逻辑，以执行
 简单的对象列表操作。
 该方法的一些限制包括处理某些对象时的不可忽视逻辑。
@@ -748,7 +748,7 @@ extensions, you should make requests that specify multiple content types in the
 -->
 并非所有 API 资源类型都支持 Table 响应；
 例如，{{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinitions" >}} 可能没有定义字段到表的映射，
-[扩展核心 Kubernetes API](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+[扩展核心 Kubernetes API](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
 的 APIService 可能根本不提供 Table 响应。
 如果你正在实现使用 Table 信息并且必须针对所有资源类型（包括扩展）工作的客户端，
 你应该在 `Accept` 请求头中指定多种内容类型的请求。例如：
@@ -775,7 +775,7 @@ header appropriately.
 默认情况下，Kubernetes 返回序列化为 JSON 的对象，内容类型为 `application/json`。
 这是 API 的默认序列化格式。
 但是，客户端可能会使用更有效的 [Protobuf 表示](#protobuf-encoding) 请求这些对象，
-以获得更好的大规模性能。 Kubernetes API 实现标准的 HTTP 内容类型协商：
+以获得更好的大规模性能。Kubernetes API 实现标准的 HTTP 内容类型协商：
 带有 `Accept` 请求头部的 `GET` 调用会请求服务器尝试以你的首选媒体类型返回响应，
 而将 Protobuf 中的对象发送到服务器以进行 `PUT` 或 `POST` 调用意味着你必须适当地设置
 `Content-Type` 请求头。
@@ -795,7 +795,7 @@ For example:
 如果不支持你请求的媒体类型，则返回 `406 Not Acceptable` 错误。
 所有内置资源类型都支持 `application/json` 媒体类型。
 
-有关每个 API 支持的内容类型列表，请参阅 Kubernetes [API 参考](/zh/docs/reference/kubernetes-api/)。
+有关每个 API 支持的内容类型列表，请参阅 Kubernetes [API 参考](/zh-cn/docs/reference/kubernetes-api/)。
 
 例如：
 
@@ -846,7 +846,7 @@ content types in the request `Accept` header to support fallback to JSON.
 For example:
 -->
 并非所有 API 资源类型都支持 Protobuf；具体来说，
-Protobuf 不适用于定义为 {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinitions" >}} 
+Protobuf 不适用于定义为 {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinitions" >}}
 或通过{{< glossary_tooltip text="聚合层" term_id="aggregation-layer" >}}提供服务的资源。
 作为客户端，如果你可能需要使用扩展类型，则应在请求 `Accept` 请求头中指定多种内容类型以支持回退到 JSON。
 例如：
@@ -1066,8 +1066,6 @@ string, working as an enum, and the only accepted values are:
 `All`
 : Every stage runs as normal, except for the final storage stage where side effects
   are prevented.
-
-For example:
 -->
 ### 发起试运行请求  {#make-a-dry-run-request}
 
@@ -1102,7 +1100,7 @@ that they do not have side effects, by setting their `sideEffects` field to `Non
 -->
 如果请求的非试运行版本会触发具有副作用的准入控制器，则该请求将失败，而不是冒不希望的副作用的风险。
 所有内置准入控制插件都支持试运行。
-此外，准入 Webhook 还可以设置[配置对象](/zh/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#webhook-v1beta1-admissionregistration-k8s-io)
+此外，准入 Webhook 还可以设置[配置对象](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#webhook-v1beta1-admissionregistration-k8s-io)
 的 `sideEffects` 字段为 `None`，借此声明它们没有副作用。
 
 <!--
@@ -1140,11 +1138,11 @@ generated fields may differ.
 Some values of an object are typically generated before the object is persisted. It is important not to rely upon the values of these fields set by a dry-run request, since these values will likely be different in dry-run mode from when the real request is made. Some of these fields are:
 
 * `name`: if `generateName` is set, `name` will have a unique random name
-* `creationTimestamp`/`deletionTimestamp`: records the time of creation/deletion
-* `UID`: uniquely identifies the object and is randomly generated (non-deterministic)
+* `creationTimestamp` / `deletionTimestamp`: records the time of creation/deletion
+* `UID`: [uniquely identifies](/docs/concepts/overview/working-with-objects/names/#uids) the object and is randomly generated (non-deterministic)
 * `resourceVersion`: tracks the persisted version of the object
 * Any field set by a mutating admission controller
-* For the `Service` resource: Ports or IPs that kube-apiserver assigns to v1.Service objects
+* For the `Service` resource: Ports or IP addresses that the kube-apiserver assigns to Service objects
 -->
 ### 生成值  {#generated-values}
 
@@ -1153,11 +1151,12 @@ Some values of an object are typically generated before the object is persisted.
 值很可能不同。这类字段有：
 
 * `name`：如果设置了 `generateName` 字段，则 `name` 会获得一个唯一的随机名称
-* `creationTimestamp`/`deletionTimestamp`：记录对象的创建/删除时间
-* `UID`：唯一性标识对象，取值随机生成（非确定性）
-* `resourceVersion`： 跟踪对象的持久化（存储）版本
+* `creationTimestamp` / `deletionTimestamp`：记录对象的创建/删除时间
+* `UID`：[唯一标识](/zh-cn/docs/concepts/overview/working-with-objects/names/#uids)对象，
+  取值随机生成（非确定性）
+* `resourceVersion`：跟踪对象的持久化（存储）版本
 * 变更性准入控制器所设置的字段
-* 对于 `Service` 资源：`kube-apiserver` 为 `v1.Service` 对象分配的端口和 IP
+* 对于 `Service` 资源：`kube-apiserver` 为 `Service` 对象分配的端口和 IP 地址
 
 <!--
 ### Dry-run authorization
@@ -1188,7 +1187,7 @@ rules:
 <!--
 See [Authorization Overview](/docs/reference/access-authn-authz/authorization/).
 -->
-参阅[鉴权概述](/zh/docs/reference/access-authn-authz/authorization/)以了解鉴权细节。
+参阅[鉴权概述](/zh-cn/docs/reference/access-authn-authz/authorization/)以了解鉴权细节。
 
 <!--
 ## Server Side Apply
@@ -1205,12 +1204,12 @@ client-side functionality of `kubectl apply`.
 The API verb for Server-Side Apply is **apply**.
 See [Server Side Apply](/docs/reference/using-api/server-side-apply/) for more details.
 -->
-Kubernetes 的[服务器端应用](/zh/docs/reference/using-api/server-side-apply/)功能允许控制平面跟踪新创建对象的托管字段。
+Kubernetes 的[服务器端应用](/zh-cn/docs/reference/using-api/server-side-apply/)功能允许控制平面跟踪新创建对象的托管字段。
 服务端应用为管理字段冲突提供了清晰的模式，提供了服务器端 `Apply` 和 `Update` 操作，
 并替换了 `kubectl apply` 的客户端功能。
 
 服务端应用的 API 动词是 **apply**。有关详细信息，
-请参阅[服务器端应用](/zh/docs/reference/using-api/server-side-apply/)。
+请参阅[服务器端应用](/zh-cn/docs/reference/using-api/server-side-apply/)。
 
 <!--
 ## Resource Versions
@@ -1282,9 +1281,9 @@ API 服务器根据你请求的操作和 `resourceVersion` 的值对 `resourceVe
 For **get** and **list**, the semantics of `resourceVersion` are:
 
 -->
-### **get** 和 **list** 语义
+### **get** 和 **list** 语义   {#semantics-for-get-and-list}
 
-对于 **get** 和 **list** 而言，`resourceVersion`的语义为：
+对于 **get** 和 **list** 而言，`resourceVersion` 的语义为：
 
 **get:**
 
@@ -1338,8 +1337,6 @@ This table explains the behavior of **list** requests with various combinations
 
 下表解释了具有各种 `resourceVersion` 和 `resourceVersionMatch` 组合的 **list** 请求的行为：
 <!--
-{{</* table caption="resourceVersionMatch and paging parameters for list" */>}}
-
 | resourceVersionMatch param            | paging params                 | resourceVersion not set | resourceVersion="0"                       | resourceVersion="{value other than 0}" |
 |---------------------------------------|-------------------------------|-----------------------|-------------------------------------------|----------------------------------------|
 | _unset_            | _limit unset_                   | Most Recent           | Any                                       | Not older than                         |
@@ -1351,10 +1348,6 @@ This table explains the behavior of **list** requests with various combinations
 | `resourceVersionMatch=NotOlderThan` | limit=\<n\>, _continue unset_ | Invalid               | Any                                       | Not older than                         |
 
 {{</* /table */>}}
-
-**Footnotes:**
-
-[1] If the server does not honor the `resourceVersionMatch` parameter, it is treated as if it is unset.
 -->
 
 {{< table caption="list 操作的 resourceVersionMatch 与分页参数" >}}
@@ -1460,8 +1453,8 @@ the object is when served.
 
 {{< note >}}
 当你 **list** 资源并收到集合响应时，
-响应包括集合的[元数据](/zh/docs/reference/generated/kubernetes-api/v1.21/#listmeta-v1-meta)
-以及该集合中每个项目的[对象元数据](/zh/docs/reference/generated/kubernetes-api/v1.21/#listmeta-v1-meta)。
+响应包括集合的[元数据](/docs/reference/generated/kubernetes-api/v1.21/#listmeta-v1-meta)
+以及该集合中每个项目的[对象元数据](/docs/reference/generated/kubernetes-api/v1.21/#listmeta-v1-meta)。
 对于在集合响应中找到的单个对象，`.metadata.resourceVersion` 跟踪该对象的最后更新时间，
 而不是对象在服务时的最新程度。
 {{< /note >}}
@@ -1491,7 +1484,7 @@ example, the client might fall back to a request with `limit` set.
 
 For watch, the semantics of resource version are:
 -->
-### **watch** 语义
+### **watch** 语义   {#semantics-for-watch}
 
 对于 watch 操作而言，资源版本的语义如下：
 
@@ -1635,4 +1628,4 @@ available.
 kube-apiserver 还会使用 “Too large resource version” 消息额外标识其错误响应。
 
 如果你对无法识别的资源版本发出 **watch** 请求，
-API 服务器可能会无限期地等待（直到请求超时）资源版本变为可用。
+API 服务器可能会无限期地等待（直到请求超时）资源版本变为可用。
\ No newline at end of file
diff --git a/content/zh/docs/reference/using-api/client-libraries.md b/content/zh-cn/docs/reference/using-api/client-libraries.md
similarity index 89%
rename from content/zh/docs/reference/using-api/client-libraries.md
rename to content/zh-cn/docs/reference/using-api/client-libraries.md
index cf6ec6dff00e8..bbcc33cae1132 100644
--- a/content/zh/docs/reference/using-api/client-libraries.md
+++ b/content/zh-cn/docs/reference/using-api/client-libraries.md
@@ -26,9 +26,9 @@ To write applications using the [Kubernetes REST API](/docs/reference/using-api/
 you do not need to implement the API calls and request/response types yourself.
 You can use a client library for the programming language you are using.
 -->
-在使用 [Kubernetes REST API](/zh/docs/reference/using-api/) 编写应用程序时，
-您并不需要自己实现 API 调用和 “请求/响应” 类型。
-您可以根据自己的编程语言需要选择使用合适的客户端库。
+在使用 [Kubernetes REST API](/zh-cn/docs/reference/using-api/) 编写应用程序时，
+你并不需要自己实现 API 调用和 “请求/响应” 类型。
+你可以根据自己的编程语言需要选择使用合适的客户端库。
 
 <!--
 Client libraries often handle common tasks such as authentication for you.
@@ -37,9 +37,9 @@ authenticate if the API client is running inside the Kubernetes cluster, or can
 understand the [kubeconfig file](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 format to read the credentials and the API Server address.
 -->
-客户端库通常为您处理诸如身份验证之类的常见任务。
+客户端库通常为你处理诸如身份验证之类的常见任务。
 如果 API 客户端在 Kubernetes 集群中运行，大多数客户端库可以发现并使用 Kubernetes 服务帐户进行身份验证，
-或者能够理解 [kubeconfig 文件](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
+或者能够理解 [kubeconfig 文件](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)
 格式来读取凭据和 API 服务器地址。
 
 <!--
@@ -56,21 +56,27 @@ The following client libraries are officially maintained by
 <!--
 | Language | Client Library | Sample Programs |
 |----------|----------------|-----------------|
+| C          | [github.com/kubernetes-client/c](https://github.com/kubernetes-client/c/) | [browse](https://github.com/kubernetes-client/c/tree/master/examples)
 | dotnet   | [github.com/kubernetes-client/csharp](https://github.com/kubernetes-client/csharp) | [browse](https://github.com/kubernetes-client/csharp/tree/master/examples/simple)
 | Go       | [github.com/kubernetes/client-go/](https://github.com/kubernetes/client-go/) | [browse](https://github.com/kubernetes/client-go/tree/master/examples)
 | Haskell  | [github.com/kubernetes-client/haskell](https://github.com/kubernetes-client/haskell) | [browse](https://github.com/kubernetes-client/haskell/tree/master/kubernetes-client/example)
 | Java     | [github.com/kubernetes-client/java](https://github.com/kubernetes-client/java/) | [browse](https://github.com/kubernetes-client/java#installation)
 | JavaScript   | [github.com/kubernetes-client/javascript](https://github.com/kubernetes-client/javascript) | [browse](https://github.com/kubernetes-client/javascript/tree/master/examples)
+| Perl       | [github.com/kubernetes-client/perl/](https://github.com/kubernetes-client/perl/) | [browse](https://github.com/kubernetes-client/perl/tree/master/examples)
 | Python   | [github.com/kubernetes-client/python/](https://github.com/kubernetes-client/python/) | [browse](https://github.com/kubernetes-client/python/tree/master/examples)
+| Ruby       | [github.com/kubernetes-client/ruby/](https://github.com/kubernetes-client/ruby/) | [browse](https://github.com/kubernetes-client/ruby/tree/master/examples)
 -->
 |   语言  |     客户端库    |     样例程序    |
 |---------|-----------------|-----------------|
+| C       | [github.com/kubernetes-client/c](https://github.com/kubernetes-client/c/) | [浏览](https://github.com/kubernetes-client/c/tree/master/examples)
 | dotnet   | [github.com/kubernetes-client/csharp](https://github.com/kubernetes-client/csharp) | [浏览](https://github.com/kubernetes-client/csharp/tree/master/examples/simple)
 | Go       | [github.com/kubernetes/client-go/](https://github.com/kubernetes/client-go/) | [浏览](https://github.com/kubernetes/client-go/tree/master/examples)
 | Haskell  | [github.com/kubernetes-client/haskell](https://github.com/kubernetes-client/haskell) | [浏览](https://github.com/kubernetes-client/haskell/tree/master/kubernetes-client/example)
 | Java     | [github.com/kubernetes-client/java](https://github.com/kubernetes-client/java/) | [浏览](https://github.com/kubernetes-client/java#installation)
 | JavaScript   | [github.com/kubernetes-client/javascript](https://github.com/kubernetes-client/javascript) | [浏览](https://github.com/kubernetes-client/javascript/tree/master/examples)
+| Perl       | [github.com/kubernetes-client/perl/](https://github.com/kubernetes-client/perl/) | [浏览](https://github.com/kubernetes-client/perl/tree/master/examples)
 | Python   | [github.com/kubernetes-client/python/](https://github.com/kubernetes-client/python/) | [浏览](https://github.com/kubernetes-client/python/tree/master/examples)
+| Ruby       | [github.com/kubernetes-client/ruby/](https://github.com/kubernetes-client/ruby/) | [浏览](https://github.com/kubernetes-client/ruby/tree/master/examples)
 
 <!--
 ## Community-maintained client libraries
diff --git a/content/zh/docs/reference/using-api/deprecation-guide.md b/content/zh-cn/docs/reference/using-api/deprecation-guide.md
similarity index 95%
rename from content/zh/docs/reference/using-api/deprecation-guide.md
rename to content/zh-cn/docs/reference/using-api/deprecation-guide.md
index 7b5ed5b7b9775..70b0277985ad8 100644
--- a/content/zh/docs/reference/using-api/deprecation-guide.md
+++ b/content/zh-cn/docs/reference/using-api/deprecation-guide.md
@@ -221,14 +221,17 @@ The **policy/v1beta1** API version of PodDisruptionBudget will no longer be serv
 <!--
 PodSecurityPolicy in the **policy/v1beta1** API version will no longer be served in v1.25, and the PodSecurityPolicy admission controller will be removed.
 
-PodSecurityPolicy replacements are still under discussion, but current use can be migrated to
-[3rd-party admission webhooks](/docs/reference/access-authn-authz/extensible-admission-controllers/) now.
+Migrate to [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
+or a [3rd party admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/).
+For a migration guide, see [Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller](/docs/tasks/configure-pod-container/migrate-from-psp/).
+For more information on the deprecation, see [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/).
 -->
 **policy/v1beta1** API 版本中的 PodSecurityPolicy 将不会在 v1.25 中提供，
 并且 PodSecurityPolicy 准入控制器也会被删除。
 
-PodSecurityPolicy 的替换方案仍在讨论过程中，不过当前的用法可以迁移到
-[第三方准入性质的 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)。
+迁移到 [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)或[第三方准入 webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)。
+有关迁移指南，请参阅[从 PodSecurityPolicy 迁移到内置 PodSecurity 准入控制器](/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp/)。
+有关弃用的更多信息，请参阅 [PodSecurityPolicy 弃用：过去、现在和未来](/zh-cn/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)。
 
 #### RuntimeClass {#runtimeclass-v125}
 
@@ -332,7 +335,7 @@ The **apiextensions.k8s.io/v1beta1** API version of CustomResourceDefinition is
       `spec.conversion.webhook.conversionReviewVersions`
     * `spec.versions[*].schema.openAPIV3Schema` 在创建 v1 版本的
       CustomResourceDefinition 对象时变成必需字段，并且其取值必须是一个
-      [结构化的 Schema](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema)
+      [结构化的 Schema](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema)
     * `spec.preserveUnknownFields: true` 在创建 v1 版本的 CustomResourceDefinition
       对象时不允许指定；该配置必须在 Schema 定义中使用
       `x-kubernetes-preserve-unknown-fields: true` 来设置
@@ -373,14 +376,14 @@ The **authentication.k8s.io/v1beta1** API version of TokenReview is no longer se
 #### SubjectAccessReview resources {#subjectaccessreview-resources-v122}
 
 <!--
-The **authorization.k8s.io/v1beta1** API version of LocalSubjectAccessReview, SelfSubjectAccessReview, and SubjectAccessReview is no longer served as of v1.22.
+The **authorization.k8s.io/v1beta1** API version of LocalSubjectAccessReview, SelfSubjectAccessReview, SubjectAccessReview, and SelfSubjectRulesReview is no longer served as of v1.22.
 
 * Migrate manifests and API clients to use the **authorization.k8s.io/v1** API version, available since v1.6.
 * Notable changes:
     * `spec.group` was renamed to `spec.groups` in v1 (fixes [#32709](https://github.com/kubernetes/kubernetes/issues/32709))
 -->
 **authorization.k8s.io/v1beta1** API 版本的 LocalSubjectAccessReview、
-SelfSubjectAccessReview、SubjectAccessReview 不在 v1.22 版本中继续提供。
+SelfSubjectAccessReview、SubjectAccessReview、SelfSubjectRulesReview 不在 v1.22 版本中继续提供。
 
 * 迁移清单和 API 客户端使用 **authorization.k8s.io/v1** API 版本，此 API 从
   v1.6 版本开始可用；
@@ -418,7 +421,7 @@ v1.22 版本中继续提供。
 * `certificates.k8s.io/v1` 中需要额外注意的变更：
   * 对于请求证书的 API 客户端而言：
     * `spec.signerName` 现在变成必需字段（参阅
-      [已知的 Kubernetes 签署者](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)），
+      [已知的 Kubernetes 签署者](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)），
       并且通过 `certificates.k8s.io/v1` API 不可以创建签署者为
       `kubernetes.io/legacy-unknown` 的请求
     * `spec.usages` 现在变成必需字段，其中不可以包含重复的字符串值，
@@ -761,5 +764,4 @@ Note that this may use non-ideal default values. To learn more about a specific
 resource, check the Kubernetes [API reference](/docs/reference/kubernetes-api/).
 -->
 注意这种操作生成的结果中可能使用的默认值并不理想。
-要进一步了解某个特定资源，可查阅 Kubernetes [API 参考](/zh/docs/reference/kubernetes-api/)。
-
+要进一步了解某个特定资源，可查阅 Kubernetes [API 参考](/zh-cn/docs/reference/kubernetes-api/)。
diff --git a/content/zh/docs/reference/using-api/deprecation-policy.md b/content/zh-cn/docs/reference/using-api/deprecation-policy.md
similarity index 99%
rename from content/zh/docs/reference/using-api/deprecation-policy.md
rename to content/zh-cn/docs/reference/using-api/deprecation-policy.md
index fc9ff0f8f34f1..c5700139924e1 100644
--- a/content/zh/docs/reference/using-api/deprecation-policy.md
+++ b/content/zh-cn/docs/reference/using-api/deprecation-policy.md
@@ -47,7 +47,7 @@ into 3 main tracks, each of which has different policies for deprecation:
 由于 Kubernetes 是一个 API 驱动的系统，API 会随着时间推移而演化，以反映
 人们对问题空间的认识的变化。Kubernetes API 实际上是一个 API 集合，其中每个
 成员称作“API 组（API Group）”，并且每个 API 组都是独立管理版本的。
-[API 版本](/zh/docs/reference/using-api/#api-versioning)会有
+[API 版本](/zh-cn/docs/reference/using-api/#api-versioning)会有
 三类，每类有不同的废弃策略：
 
 <!--
@@ -169,7 +169,7 @@ This ensures beta API support covers the [maximum supported version skew of 2 re
    * **Beta API 版本必须支持 9 个月或弃用后的 3 个版本（以较长者为准）**
    * **Alpha API 版本可能会在任何版本中被删除，不另行通知**
 
-这确保了 beta API 支持涵盖了[最多 2 个版本的支持版本偏差](/zh/releases/version-skew-policy/)。
+这确保了 beta API 支持涵盖了[最多 2 个版本的支持版本偏差](/zh-cn/releases/version-skew-policy/)。
 
 {{< note >}}
 <!--
@@ -450,7 +450,7 @@ Starting in Kubernetes v1.19, making an API request to a deprecated REST API end
 
 1. API 响应中会包含一个 `Warning` 头部字段（如 [RFC7234 5.5 节](https://tools.ietf.org/html/rfc7234#section-5.5)所定义）；
 2. 该请求会导致对应的 
-   [审计事件](/zh/docs/tasks/debug/debug-cluster/audit/)
+   [审计事件](/zh-cn/docs/tasks/debug/debug-cluster/audit/)
    中会增加一个注解 `"k8s.io/deprecated":"true"`。
 3. `kube-apiserver` 进程的 `apiserver_requested_deprecated_apis` 度量值会被
    设置为 `1`。
diff --git a/content/zh/docs/reference/using-api/health-checks.md b/content/zh-cn/docs/reference/using-api/health-checks.md
similarity index 96%
rename from content/zh/docs/reference/using-api/health-checks.md
rename to content/zh-cn/docs/reference/using-api/health-checks.md
index 150387f39661d..a62840b2efb72 100644
--- a/content/zh/docs/reference/using-api/health-checks.md
+++ b/content/zh-cn/docs/reference/using-api/health-checks.md
@@ -35,8 +35,8 @@ The more verbose options shown below are intended to be used by human operators
 -->
 Kubernetes API 服务器提供 3 个 API 端点（`healthz`、`livez` 和 `readyz`）来表明 API 服务器的当前状态。
 `healthz` 端点已被弃用（自 Kubernetes v1.16 起），你应该使用更为明确的 `livez` 和 `readyz` 端点。
-`livez` 端点可与 `--livez-grace-period` [标志](/zh/docs/reference/command-line-tools-reference/kube-apiserver)一起使用，来指定启动持续时间。
-为了正常关机，你可以使用 `/readyz` 端点并指定 `--shutdown-delay-duration` [标志](/zh/docs/reference/command-line-tools-reference/kube-apiserver)。
+`livez` 端点可与 `--livez-grace-period` [标志](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver)一起使用，来指定启动持续时间。
+为了正常关机，你可以使用 `/readyz` 端点并指定 `--shutdown-delay-duration` [标志](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver)。
 检查 API 服务器的 `healthz`/`livez`/`readyz` 端点的机器应依赖于 HTTP 状态代码。
 状态码 `200` 表示 API 服务器是 `healthy`、`live` 还是 `ready`，具体取决于所调用的端点。
 以下更详细的选项供操作人员使用，用来调试其集群或了解 API 服务器的状态。
diff --git a/content/zh/docs/reference/using-api/server-side-apply.md b/content/zh-cn/docs/reference/using-api/server-side-apply.md
similarity index 98%
rename from content/zh/docs/reference/using-api/server-side-apply.md
rename to content/zh-cn/docs/reference/using-api/server-side-apply.md
index 762b038ef5012..5e15982b9a004 100644
--- a/content/zh/docs/reference/using-api/server-side-apply.md
+++ b/content/zh-cn/docs/reference/using-api/server-side-apply.md
@@ -33,7 +33,7 @@ declaratively by sending their fully specified intent.
 服务器端应用协助用户、控制器通过声明式配置的方式管理他们的资源。
 客户端可以发送完整描述的目标（A fully specified intent），
 声明式地创建和/或修改
-[对象](/zh/docs/concepts/overview/working-with-objects/kubernetes-objects/)。
+[对象](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/)。
 
 <!--
 A fully specified intent is a partial object that only includes the fields and
@@ -220,7 +220,8 @@ this occurs, the applier has 3 options to resolve the conflicts:
 <!--
 * **Overwrite value, become sole manager:** If overwriting the value was
   intentional (or if the applier is an automated process like a controller) the
-  applier should set the `force` query parameter to true and make the request
+  applier should set the `force` query parameter to true (in kubectl, it can be done by
+  using the `--force-conflicts` flag with the apply command) and make the request
   again. This forces the operation to succeed, changes the value of the field,
   and removes the field from all other managers' entries in managedFields.
 
@@ -237,7 +238,8 @@ this occurs, the applier has 3 options to resolve the conflicts:
   field managers that already claimed to manage it.
 -->
 * **覆盖前值，成为唯一的管理器：** 如果打算覆盖该值（或应用者是一个自动化部件，比如控制器），
-  应用者应该设置查询参数 `force` 为 true，然后再发送一次请求。
+  应用者应该设置查询参数 `force` 为 true（在 kubectl 中，可以通过在
+  apply 命令中使用 `--force-conflicts` 标志来完成），然后再发送一次请求。
   这将强制操作成功，改变字段的值，从所有其他管理器的 managedFields 条目中删除指定字段。
 
 * **不覆盖前值，放弃管理权：** 如果应用者不再关注该字段的值，
diff --git a/content/zh/docs/setup/_index.md b/content/zh-cn/docs/setup/_index.md
similarity index 85%
rename from content/zh/docs/setup/_index.md
rename to content/zh-cn/docs/setup/_index.md
index 5d9665b942e70..4550dd355b73d 100644
--- a/content/zh/docs/setup/_index.md
+++ b/content/zh-cn/docs/setup/_index.md
@@ -57,7 +57,7 @@ There are also other standardized and custom solutions across a wide range of cl
 bare metal environments.
 -->
 可以[下载 Kubernetes](/releases/download/)，在本地机器、云或你自己的数据中心上部署 Kubernetes 集群。
-如果你不想自己管理 Kubernetes 集群，则可以选择托管服务，包括[经过认证的平台](/zh/docs/setup/production-environment/turnkey-solutions/)。
+如果你不想自己管理 Kubernetes 集群，则可以选择托管服务，包括[经过认证的平台](/zh-cn/docs/setup/production-environment/turnkey-solutions/)。
 在各种云和裸机环境中，还有其他标准化和定制的解决方案。
 <!-- body -->
 
@@ -73,7 +73,7 @@ See [Install tools](/docs/tasks/tools/).
 -->
 如果正打算学习 Kubernetes，请使用 Kubernetes 社区支持
 或生态系统中的工具在本地计算机上设置 Kubernetes 集群。
-请参阅[安装工具](/zh/docs/tasks/tools/)。
+请参阅[安装工具](/zh-cn/docs/tasks/tools/)。
 
 <!--
 ## Production environment
@@ -89,11 +89,11 @@ prefer to hand off to a provider.
 For a cluster you're managing yourself, the officially supported tool
 for deploying Kubernetes is [kubeadm](/docs/setup/production-environment/tools/kubeadm/).
 -->
-在评估[生产环境](/zh/docs/setup/production-environment/)的解决方案时，
+在评估[生产环境](/zh-cn/docs/setup/production-environment/)的解决方案时，
 请考虑要自己管理 Kubernetes 集群（或相关抽象）的哪些方面，将哪些托付给提供商。
 
 对于你自己管理的集群，官方支持的用于部署 Kubernetes 的工具是 
-[kubeadm](/zh/docs/setup/production-environment/tools/kubeadm/)。
+[kubeadm](/zh-cn/docs/setup/production-environment/tools/kubeadm/)。
 
 <!--
 ## {{% heading "whatsnext" %}}
@@ -111,10 +111,10 @@ Windows.
 ## {{% heading "whatsnext" %}}
 
 - [下载 Kubernetes](/releases/download/)
-- 下载并[安装工具](/zh/docs/tasks/tools/)，包括 kubectl 在内
-- 为新集群选择[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
-- 了解集群设置的[最佳实践](/zh/docs/setup/best-practices/)
+- 下载并[安装工具](/zh-cn/docs/tasks/tools/)，包括 kubectl 在内
+- 为新集群选择[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
+- 了解集群设置的[最佳实践](/zh-cn/docs/setup/best-practices/)
 
 Kubernetes 的设计是让其{{< glossary_tooltip term_id="control-plane" text="控制平面" >}}在 Linux 上运行的。
 在集群中，你可以在 Linux 或其他操作系统（包括 Windows）上运行应用程序。
-- 学习[配置包含 Windows 节点的集群](/zh/docs/setup/production-environment/windows/)
+- 学习[配置包含 Windows 节点的集群](/zh-cn/docs/setup/production-environment/windows/)
diff --git a/content/zh/docs/setup/best-practices/_index.md b/content/zh-cn/docs/setup/best-practices/_index.md
similarity index 100%
rename from content/zh/docs/setup/best-practices/_index.md
rename to content/zh-cn/docs/setup/best-practices/_index.md
diff --git a/content/zh/docs/setup/best-practices/certificates.md b/content/zh-cn/docs/setup/best-practices/certificates.md
similarity index 57%
rename from content/zh/docs/setup/best-practices/certificates.md
rename to content/zh-cn/docs/setup/best-practices/certificates.md
index f8a79245c0ef4..7b7b6a669ba51 100644
--- a/content/zh/docs/setup/best-practices/certificates.md
+++ b/content/zh-cn/docs/setup/best-practices/certificates.md
@@ -1,7 +1,5 @@
 ---
 title: PKI 证书和要求
-reviewers:
-- sig-cluster-lifecycle
 content_type: concept
 weight: 40
 ---
@@ -18,16 +16,14 @@ weight: 40
 <!--
 Kubernetes requires PKI certificates for authentication over TLS.
 If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/), the certificates that your cluster requires are automatically generated.
-You can also generate your own certificates - for example, to keep your private keys more secure by not storing them on the API server.
+You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server.
 This page explains the certificates that your cluster requires.
 -->
 Kubernetes 需要 PKI 证书才能进行基于 TLS 的身份验证。如果你是使用
-[kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 安装的 Kubernetes，
+[kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) 安装的 Kubernetes，
 则会自动生成集群所需的证书。你还可以生成自己的证书。
 例如，不将私钥存储在 API 服务器上，可以让私钥更加安全。此页面说明了集群必需的证书。
 
-
-
 <!-- body -->
 
 <!--
@@ -35,12 +31,14 @@ Kubernetes 需要 PKI 证书才能进行基于 TLS 的身份验证。如果你
 
 Kubernetes requires PKI for the following operations:
 -->
-## 集群是如何使用证书的
+## 集群是如何使用证书的    {#how-certificates-are-used-by-your-cluster}
 
 Kubernetes 需要 PKI 才能执行以下操作：
 
 <!--
 * Client certificates for the kubelet to authenticate to the API server
+* Kubelet [server certificates](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates)
+  for the API server to talk to the kubelets
 * Server certificate for the API server endpoint
 * Client certificates for administrators of the cluster to authenticate to the API server
 * Client certificates for the API server to talk to the kubelets
@@ -50,20 +48,22 @@ Kubernetes 需要 PKI 才能执行以下操作：
 * Client and server certificates for the [front-proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
 -->
 * Kubelet 的客户端证书，用于 API 服务器身份验证
+* Kubelet [服务端证书](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates)，
+  用于 API 服务器与 Kubelet 的会话
 * API 服务器端点的证书
 * 集群管理员的客户端证书，用于 API 服务器身份认证
 * API 服务器的客户端证书，用于和 Kubelet 的会话
 * API 服务器的客户端证书，用于和 etcd 的会话
 * 控制器管理器的客户端证书/kubeconfig，用于和 API 服务器的会话
 * 调度器的客户端证书/kubeconfig，用于和 API 服务器的会话
-* [前端代理](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/) 的客户端及服务端证书
+* [前端代理](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/) 的客户端及服务端证书
 
 <!--
-`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/).
+`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
 -->
 {{< note >}}
 只有当你运行 kube-proxy 并要支持
-[扩展 API 服务器](/zh/docs/tasks/extend-kubernetes/setup-extension-api-server/)
+[扩展 API 服务器](/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server/)
 时，才需要 `front-proxy` 证书
 {{< /note >}}
 
@@ -75,34 +75,39 @@ etcd 还实现了双向 TLS 来对客户端和对其他对等节点进行身份
 <!--
 ## Where certificates are stored
 
-If you install Kubernetes with kubeadm, certificates are stored in `/etc/kubernetes/pki`. All paths in this documentation are relative to that directory.
+If you install Kubernetes with kubeadm, most certificates are stored in `/etc/kubernetes/pki`. All paths in this documentation are relative to that directory, with the exception of user account certificates which kubeadm places in `/etc/kubernetes`.
 -->
-## 证书存放的位置
+## 证书存放的位置    {#where-certificates-are-stored}
 
-如果你是通过 kubeadm 安装的 Kubernetes，所有证书都存放在 `/etc/kubernetes/pki` 目录下。本文所有相关的路径都是基于该路径的相对路径。
+假如通过 kubeadm 安装 Kubernetes，大多数证书都存储在 `/etc/kubernetes/pki`。
+本文档中的所有路径都是相对于该目录的，但用户账户证书除外，kubeadm 将其放在 `/etc/kubernetes` 中。
 
 <!--
 ## Configure certificates manually
 
-If you don't want kubeadm to generate the required certificates, you can create them in either of the following ways.
+If you don't want kubeadm to generate the required certificates, you can create them using a single root CA or by providing all certificates. See [Certificates](/docs/tasks/administer-cluster/certificates/) for details on creating your own certificate authority.
+See [Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/) for more on managing certificates.
 -->
-## 手动配置证书
+## 手动配置证书    {#configure-certificates-manually}
 
-如果你不想通过 kubeadm 生成这些必需的证书，你可以通过下面两种方式之一来手动创建他们。
+如果你不想通过 kubeadm 生成这些必需的证书，你可以使用一个单一的根 CA
+来创建这些证书或者直接提供所有证书。
+参见[证书](/zh-cn/docs/tasks/administer-cluster/certificates/)以进一步了解创建自己的证书机构。
+关于管理证书的更多信息，请参见[使用 kubeadm 进行证书管理](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
 
 <!--
 ### Single root CA
 
 You can create a single root CA, controlled by an administrator. This root CA can then create multiple intermediate CAs, and delegate all further creation to Kubernetes itself.
 -->
-### 单根 CA
+### 单根 CA    {#single-root-ca}
 
-你可以创建一个单根 CA，由管理员控制器它。该根 CA 可以创建多个中间 CA，并将所有进一步的创建委托给 Kubernetes。
+你可以创建由管理员控制的单根 CA。该根 CA 可以创建多个中间 CA，并将所有进一步的创建委托给 Kubernetes。
 
 <!--
 Required CAs:
 
-| 路径                    | 默认 CN                    | 描述                             |
+| path                   | Default CN                | description                      |
 |------------------------|---------------------------|----------------------------------|
 | ca.crt,key             | kubernetes-ca             | Kubernetes general CA            |
 | etcd/ca.crt,key        | etcd-ca                   | For all etcd-related functions   |
@@ -116,10 +121,24 @@ On top of the above CAs, it is also necessary to get a public/private key pair f
 |------------------------|---------------------------|----------------------------------|
 | ca.crt,key             | kubernetes-ca             | Kubernetes 通用 CA                |
 | etcd/ca.crt,key        | etcd-ca                   | 与 etcd 相关的所有功能              |
-| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | 用于 [前端代理](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/) |
+| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | 用于 [前端代理](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/) |
 
 上面的 CA 之外，还需要获取用于服务账户管理的密钥对，也就是 `sa.key` 和 `sa.pub`。
 
+<!--
+The following example illustrates the CA key and certificate files shown in the previous table:
+-->
+下面的例子说明了上表中所示的 CA 密钥和证书文件。
+
+```console
+/etc/kubernetes/pki/ca.crt
+/etc/kubernetes/pki/ca.key
+/etc/kubernetes/pki/etcd/ca.crt
+/etc/kubernetes/pki/etcd/ca.key
+/etc/kubernetes/pki/front-proxy-ca.crt
+/etc/kubernetes/pki/front-proxy-ca.key
+```
+
 <!--
 ### All certificates
 
@@ -127,15 +146,26 @@ If you don't wish to copy the CA private keys to your cluster, you can generate
 
 Required certificates:
 -->
-### 所有的证书
+### 所有的证书    {#all-certificates}
 
 如果你不想将 CA 的私钥拷贝至你的集群中，你也可以自己生成全部的证书。
 
 需要这些证书：
 
-| 默认 CN                    | 父级 CA                 | O (位于 Subject 中) | 类型                                   | 主机 (SAN)                                 |
+<!--
+| Default CN                    | Parent CA                 | O (in Subject) | kind                                   | hosts (SAN)                                 |
 |-------------------------------|---------------------------|----------------|----------------------------------------|---------------------------------------------|
-| kube-etcd                     | etcd-ca                   |                | server, client                         | `localhost`, `127.0.0.1`                        |
+| kube-etcd                     | etcd-ca                   |                | server, client                         | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
+| kube-etcd-peer                | etcd-ca                   |                | server, client                         | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
+| kube-etcd-healthcheck-client  | etcd-ca                   |                | client                                 |                                             |
+| kube-apiserver-etcd-client    | etcd-ca                   | system:masters | client                                 |                                             |
+| kube-apiserver                | kubernetes-ca             |                | server                                 | `<hostname>`, `<Host_IP>`, `<advertise_IP>`, `[1]` |
+| kube-apiserver-kubelet-client | kubernetes-ca             | system:masters | client                                 |                                             |
+| front-proxy-client            | kubernetes-front-proxy-ca |                | client                                 |                                             |
+-->
+| 默认 CN                       | 父级 CA                   | O (位于 Subject 中) | 类型                              | 主机 (SAN)                                  |
+|-------------------------------|---------------------------|----------------|----------------------------------------|---------------------------------------------|
+| kube-etcd                     | etcd-ca                   |                | server, client                         | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
 | kube-etcd-peer                | etcd-ca                   |                | server, client                         | `<hostname>`, `<Host_IP>`, `localhost`, `127.0.0.1` |
 | kube-etcd-healthcheck-client  | etcd-ca                   |                | client                                 |                                             |
 | kube-apiserver-etcd-client    | etcd-ca                   | system:masters | client                                 |                                             |
@@ -144,17 +174,18 @@ Required certificates:
 | front-proxy-client            | kubernetes-front-proxy-ca |                | client                                 |                                             |
 
 <!--
-[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/) the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
+[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)
+the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
 `kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)
 
-where `kind` maps to one or more of the [x509 key usage](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage) types:
+where `kind` maps to one or more of the [x509 key usage](https://pkg.go.dev/k8s.io/api/certificates/v1beta1#KeyUsage) types:
 -->
 [1]: 用来连接到集群的不同 IP 或 DNS 名
-（就像 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 为负载均衡所使用的固定
+（就像 [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) 为负载均衡所使用的固定
 IP 或 DNS 名，`kubernetes`、`kubernetes.default`、`kubernetes.default.svc`、
 `kubernetes.default.svc.cluster`、`kubernetes.default.svc.cluster.local`）。
 
-其中，`kind` 对应一种或多种类型的 [x509 密钥用途](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)：
+其中，`kind` 对应一种或多种类型的 [x509 密钥用途](https://pkg.go.dev/k8s.io/api/certificates/v1beta1#KeyUsage)：
 
 <!--
 | kind   | Key usage                                                                       |
@@ -167,7 +198,6 @@ IP 或 DNS 名，`kubernetes`、`kubernetes.default`、`kubernetes.default.svc`
 | server | 数字签名、密钥加密、服务端认证                                                       |
 | client | 数字签名、密钥加密、客户端认证                                                       |
 
-
 {{< note >}}
 <!--
 Hosts/SAN listed above are the recommended ones for getting a working cluster; if required by a specific setup, it is possible to add additional SANs on all the server certificates.
@@ -193,12 +223,32 @@ For kubeadm users only:
 <!--
 ### Certificate paths
 
-Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)). Paths should be specified using the given argument regardless of location.
+Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)).
+Paths should be specified using the given argument regardless of location.
 -->
-### 证书路径
+### 证书路径    {#certificate-paths}
 
-证书应放置在建议的路径中（以便 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/)使用）。无论使用什么位置，都应使用给定的参数指定路径。
+证书应放置在建议的路径中（以便 [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/)
+使用）。无论使用什么位置，都应使用给定的参数指定路径。
 
+<!--
+| Default CN                   | recommended key path         | recommended cert path       | command        | key argument                 | cert argument                             |
+|------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------|
+| etcd-ca                      |     etcd/ca.key                         | etcd/ca.crt                 | kube-apiserver |                              | --etcd-cafile                             |
+| kube-apiserver-etcd-client   | apiserver-etcd-client.key    | apiserver-etcd-client.crt   | kube-apiserver | --etcd-keyfile               | --etcd-certfile                           |
+| kubernetes-ca                |    ca.key                          | ca.crt                      | kube-apiserver |                              | --client-ca-file                          |
+| kubernetes-ca                |    ca.key                          | ca.crt                      | kube-controller-manager | --cluster-signing-key-file      | --client-ca-file, --root-ca-file, --cluster-signing-cert-file  |
+| kube-apiserver               | apiserver.key                | apiserver.crt               | kube-apiserver | --tls-private-key-file       | --tls-cert-file                           |
+| kube-apiserver-kubelet-client|     apiserver-kubelet-client.key                         | apiserver-kubelet-client.crt| kube-apiserver | --kubelet-client-key | --kubelet-client-certificate              |
+| front-proxy-ca               |     front-proxy-ca.key                         | front-proxy-ca.crt          | kube-apiserver |                              | --requestheader-client-ca-file            |
+| front-proxy-ca               |     front-proxy-ca.key                         | front-proxy-ca.crt          | kube-controller-manager |                              | --requestheader-client-ca-file |
+| front-proxy-client           | front-proxy-client.key       | front-proxy-client.crt      | kube-apiserver | --proxy-client-key-file      | --proxy-client-cert-file                  |
+| etcd-ca                      |         etcd/ca.key                     | etcd/ca.crt                 | etcd           |                              | --trusted-ca-file, --peer-trusted-ca-file |
+| kube-etcd                    | etcd/server.key              | etcd/server.crt             | etcd           | --key-file                   | --cert-file                               |
+| kube-etcd-peer               | etcd/peer.key                | etcd/peer.crt               | etcd           | --peer-key-file              | --peer-cert-file                          |
+| etcd-ca                      |                              | etcd/ca.crt                 | etcdctl    |                              | --cacert                                  |
+| kube-etcd-healthcheck-client | etcd/healthcheck-client.key  | etcd/healthcheck-client.crt | etcdctl     | --key                        | --cert                                    |
+-->
 | 默认 CN                   | 建议的密钥路径         | 建议的证书路径       | 命令        | 密钥参数               | 证书参数                             |
 |------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------|
 | etcd-ca                      |     etcd/ca.key                         | etcd/ca.crt                 | kube-apiserver |                              | --etcd-cafile                             |
@@ -221,20 +271,65 @@ Same considerations apply for the service account key pair:
 -->
 注意事项同样适用于服务帐户密钥对：
 
+<!--
+| private key path             | public key path             | command                 | argument                             |
+|------------------------------|-----------------------------|-------------------------|--------------------------------------|
+|  sa.key                      |                             | kube-controller-manager | --service-account-private-key-file   |
+|                              | sa.pub                      | kube-apiserver          | --service-account-key-file           |
+-->
 | 私钥路径            | 公钥路径            | 命令                 | 参数                             |
 |------------------------------|-----------------------------|-------------------------|--------------------------------------|
 |  sa.key                      |                             | kube-controller-manager | --service-account-private-key-file              |
 |                              | sa.pub                      | kube-apiserver          | --service-account-key-file                  |
 
+<!--
+The following example illustrates the file paths [from the previous tables](/docs/setup/best-practices/certificates/#certificate-paths) you need to provide if you are generating all of your own keys and certificates:
+-->
+下面的例子展示了自行生成所有密钥和证书时所需要提供的文件路径。
+这些路径基于[前面的表格](/zh-cn/docs/setup/best-practices/certificates/#certificate-paths)。
+
+```console
+/etc/kubernetes/pki/etcd/ca.key
+/etc/kubernetes/pki/etcd/ca.crt
+/etc/kubernetes/pki/apiserver-etcd-client.key
+/etc/kubernetes/pki/apiserver-etcd-client.crt
+/etc/kubernetes/pki/ca.key
+/etc/kubernetes/pki/ca.crt
+/etc/kubernetes/pki/apiserver.key
+/etc/kubernetes/pki/apiserver.crt
+/etc/kubernetes/pki/apiserver-kubelet-client.key
+/etc/kubernetes/pki/apiserver-kubelet-client.crt
+/etc/kubernetes/pki/front-proxy-ca.key
+/etc/kubernetes/pki/front-proxy-ca.crt
+/etc/kubernetes/pki/front-proxy-client.key
+/etc/kubernetes/pki/front-proxy-client.crt
+/etc/kubernetes/pki/etcd/server.key
+/etc/kubernetes/pki/etcd/server.crt
+/etc/kubernetes/pki/etcd/peer.key
+/etc/kubernetes/pki/etcd/peer.crt
+/etc/kubernetes/pki/etcd/healthcheck-client.key
+/etc/kubernetes/pki/etcd/healthcheck-client.crt
+/etc/kubernetes/pki/sa.key
+/etc/kubernetes/pki/sa.pub
+```
+
 <!--
 ## Configure certificates for user accounts
 
 You must manually configure these administrator account and service accounts:
 -->
-## 为用户帐户配置证书
+## 为用户帐户配置证书    {#configure-certificates-for-user-accounts}
 
 你必须手动配置以下管理员帐户和服务帐户：
 
+<!--
+| filename                | credential name            | Default CN                     | O (in Subject) |
+|-------------------------|----------------------------|--------------------------------|----------------|
+| admin.conf              | default-admin              | kubernetes-admin               | system:masters |
+| kubelet.conf            | default-auth               | system:node:`<nodeName>` (see note) | system:nodes   |
+| controller-manager.conf | default-controller-manager | system:kube-controller-manager |                |
+| scheduler.conf          | default-scheduler          | system:kube-scheduler          |                |
+-->
 | 文件名                  | 凭据名称                   | 默认 CN                        | O (位于 Subject 中) |
 |-------------------------|----------------------------|--------------------------------|---------------------|
 | admin.conf              | default-admin              | kubernetes-admin               | system:masters      |
@@ -247,7 +342,7 @@ The value of `<nodeName>` for `kubelet.conf` **must** match precisely the value
 -->
 {{< note >}}
 `kubelet.conf` 中 `<nodeName>` 的值 **必须** 与 kubelet 向 apiserver 注册时提供的节点名称的值完全匹配。
-有关更多详细信息，请阅读[节点授权](/zh/docs/reference/access-authn-authz/node/)。
+有关更多详细信息，请阅读[节点授权](/zh-cn/docs/reference/access-authn-authz/node/)。
 {{< /note >}}
 
 <!--
@@ -285,3 +380,14 @@ These files are used as follows:
 | controller-manager.conf | kube-controller-manager | 必需添加到 `manifests/kube-controller-manager.yaml` 清单中               |
 | scheduler.conf          | kube-scheduler          | 必需添加到 `manifests/kube-scheduler.yaml` 清单中                        |
 
+<!--
+The following files illustrate full paths to the files listed in the previous table:
+-->
+下面是前表中所列文件的完整路径。
+
+```console
+/etc/kubernetes/admin.conf
+/etc/kubernetes/kubelet.conf
+/etc/kubernetes/controller-manager.conf
+/etc/kubernetes/scheduler.conf
+```
diff --git a/content/zh/docs/setup/best-practices/cluster-large.md b/content/zh-cn/docs/setup/best-practices/cluster-large.md
similarity index 97%
rename from content/zh/docs/setup/best-practices/cluster-large.md
rename to content/zh-cn/docs/setup/best-practices/cluster-large.md
index 7e40a387eaea3..fe5f53249eeab 100644
--- a/content/zh/docs/setup/best-practices/cluster-large.md
+++ b/content/zh-cn/docs/setup/best-practices/cluster-large.md
@@ -138,8 +138,8 @@ See [Operating etcd clusters for Kubernetes](/docs/tasks/administer-cluster/conf
 for details on configuring and managing etcd for a large cluster.
 -->
 有关为大型集群配置和管理 etcd 的详细信息，请参阅
-[为 Kubernetes 运行 etcd 集群](/zh/docs/tasks/administer-cluster/configure-upgrade-etcd/)
-和使用 [kubeadm 创建一个高可用 etcd 集群](/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)。
+[为 Kubernetes 运行 etcd 集群](/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/)
+和使用 [kubeadm 创建一个高可用 etcd 集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)。
 
 <!--
 ### Addon Resources
@@ -154,7 +154,7 @@ impact on other components. These resource limits apply to
 
   For example, you can set CPU and memory limits for a logging component:
 -->
-Kubernetes [资源限制](/zh/docs/concepts/configuration/manage-resources-containers/)
+Kubernetes [资源限制](/zh-cn/docs/concepts/configuration/manage-resources-containers/)
 有助于最大程度地减少内存泄漏的影响以及 Pod 和容器可能对其他组件的其他方式的影响。
 这些资源限制适用于{{< glossary_tooltip text="插件" term_id="addons" >}}资源，
 就像它们适用于应用程序工作负载一样。
diff --git a/content/zh/docs/setup/best-practices/enforcing-pod-security-standards.md b/content/zh-cn/docs/setup/best-practices/enforcing-pod-security-standards.md
similarity index 96%
rename from content/zh/docs/setup/best-practices/enforcing-pod-security-standards.md
rename to content/zh-cn/docs/setup/best-practices/enforcing-pod-security-standards.md
index 7326dd5aaa523..75b1c98f7df0b 100644
--- a/content/zh/docs/setup/best-practices/enforcing-pod-security-standards.md
+++ b/content/zh-cn/docs/setup/best-practices/enforcing-pod-security-standards.md
@@ -17,7 +17,7 @@ weight: 40
 This page provides an overview of best practices when it comes to enforcing
 [Pod Security Standards](/docs/concepts/security/pod-security-standards).
 -->
-本页提供实施 [Pod 安全标准（Pod Security Standards）](/zh/docs/concepts/security/pod-security-standards)
+本页提供实施 [Pod 安全标准（Pod Security Standards）](/zh-cn/docs/concepts/security/pod-security-standards)
 时的一些最佳实践。
 
 <!-- body -->
@@ -33,7 +33,7 @@ This page provides an overview of best practices when it comes to enforcing
 The [Pod Security Admission Controller](/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
 intends to replace the deprecated PodSecurityPolicies. 
 -->
-[Pod 安全性准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
+[Pod 安全性准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
 尝试替换已被废弃的 PodSecurityPolicies。
 
 <!--
@@ -58,7 +58,7 @@ we provide an [example](/docs/concepts/security/pod-security-admission/#applying
 that illustrates how the PodSecurity labels can be applied in bulk.
 -->
 针对所有名字空间中的所有负载都具有相同的安全性需求的场景，
-我们提供了一个[示例](/zh/docs/concepts/security/pod-security-admission/#applying-to-all-namespaces)
+我们提供了一个[示例](/zh-cn/docs/concepts/security/pod-security-admission/#applying-to-all-namespaces)
 用来展示如何批量应用 Pod 安全性标签。
 
 <!--
diff --git a/content/zh/docs/setup/best-practices/multiple-zones.md b/content/zh-cn/docs/setup/best-practices/multiple-zones.md
similarity index 94%
rename from content/zh/docs/setup/best-practices/multiple-zones.md
rename to content/zh-cn/docs/setup/best-practices/multiple-zones.md
index 76dac538fc33d..a2182b930caf2 100644
--- a/content/zh/docs/setup/best-practices/multiple-zones.md
+++ b/content/zh-cn/docs/setup/best-practices/multiple-zones.md
@@ -53,7 +53,7 @@ component.
 -->
 ## 控制面行为   {#control-plane-behavior}
 
-所有的[控制面组件](/zh/docs/concepts/overview/components/#control-plane-components)
+所有的[控制面组件](/zh-cn/docs/concepts/overview/components/#control-plane-components)
 都支持以一组可相互替换的资源池的形式来运行，每个组件都有多个副本。
 
 <!--
@@ -108,7 +108,7 @@ These labels can include
 -->
 节点启动时，每个节点上的 kubelet 会向 Kubernetes API 中代表该 kubelet 的 Node 对象
 添加 {{< glossary_tooltip text="标签" term_id="label" >}}。
-这些标签可能包含[区信息](/zh/docs/reference/labels-annotations-taints/#topologykubernetesiozone)。
+这些标签可能包含[区信息](/zh-cn/docs/reference/labels-annotations-taints/#topologykubernetesiozone)。
 
 <!--
 If your cluster spans multiple zones or regions, you can use node labels
@@ -122,7 +122,7 @@ Pods for better expected availability, reducing the risk that a correlated
 failure affects your whole workload.
 -->
 如果你的集群跨了多个可用区或者地理区域，你可以使用节点标签，结合
-[Pod 拓扑分布约束](/zh/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
+[Pod 拓扑分布约束](/zh-cn/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
 来控制如何在你的集群中多个失效域之间分布 Pods。这里的失效域可以是
 地理区域、可用区甚至是特定节点。
 这些提示信息使得{{< glossary_tooltip text="调度器" term_id="kube-scheduler" >}}
@@ -178,7 +178,7 @@ You can apply [node selector constraints](/docs/concepts/scheduling-eviction/ass
 to Pods that you create, as well as to Pod templates in workload resources
 such as Deployment, StatefulSet, or Job.
 -->
-你可以应用[节点选择算符约束](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+你可以应用[节点选择算符约束](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
 到你所创建的 Pods 上，或者为 Deployment、StatefulSet 或 Job 这类工作负载资源
 中的 Pod 模板设置此类约束。
 
@@ -195,7 +195,7 @@ are only placed into the same zone as that volume.
 ## 跨区的存储访问
 
 当创建持久卷时，`PersistentVolumeLabel` 
-[准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
+[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
 会自动向那些链接到特定区的 PersistentVolume 添加区标签。
 {{< glossary_tooltip text="调度器" term_id="kube-scheduler" >}}通过其
 `NoVolumeZoneConflict` 断言确保申领给定 PersistentVolume 的 Pods 只会
@@ -211,7 +211,7 @@ see [Allowed topologies](/docs/concepts/storage/storage-classes/#allowed-topolog
 你可以为 PersistentVolumeClaim 指定{{< glossary_tooltip text="StorageClass" term_id="storage-class" >}}
 以设置该类中的存储可以使用的失效域（区）。
 要了解如何配置能够感知失效域或区的 StorageClass，请参阅
-[可用的拓扑逻辑](/zh/docs/concepts/storage/storage-classes/#allowed-topologies)。
+[可用的拓扑逻辑](/zh-cn/docs/concepts/storage/storage-classes/#allowed-topologies)。
 
 <!--
 ## Networking
@@ -227,7 +227,7 @@ Check your cloud provider's documentation for details.
 ## 网络  {#networking}
 
 Kubernetes 自身不提供与可用区相关的联网配置。
-你可以使用[网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
+你可以使用[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
 来配置集群的联网，该网络解决方案可能拥有一些与可用区相关的元素。
 例如，如果你的云提供商支持 `type=LoadBalancer` 的 Service，则负载均衡器
 可能仅会将请求流量发送到运行在负责处理给定连接的负载均衡器组件所在的区。
@@ -278,5 +278,5 @@ To learn how the scheduler places Pods in a cluster, honoring the configured con
 visit [Scheduling and Eviction](/docs/concepts/scheduling-eviction/).
 -->
 要了解调度器如何在集群中放置 Pods 并遵从所配置的约束，可参阅
-[调度与驱逐](/zh/docs/concepts/scheduling-eviction/)。
+[调度与驱逐](/zh-cn/docs/concepts/scheduling-eviction/)。
 
diff --git a/content/zh/docs/setup/best-practices/node-conformance.md b/content/zh-cn/docs/setup/best-practices/node-conformance.md
similarity index 57%
rename from content/zh/docs/setup/best-practices/node-conformance.md
rename to content/zh-cn/docs/setup/best-practices/node-conformance.md
index 942ff09aec17f..9fe0ce0d90372 100644
--- a/content/zh/docs/setup/best-practices/node-conformance.md
+++ b/content/zh-cn/docs/setup/best-practices/node-conformance.md
@@ -1,16 +1,12 @@
 ---
-reviewers:
-- Random-Liu
 title: 校验节点设置
 weight: 30
 ---
 <!--
----
 reviewers:
 - Random-Liu
 title: Validate node setup
 weight: 30
----
 -->
 
 {{< toc >}}
@@ -18,13 +14,16 @@ weight: 30
 <!--
 ## Node Conformance Test
 -->
-## 节点一致性测试
+## 节点一致性测试    {#node-conformance-test}
 
 <!--
 *Node conformance test* is a containerized test framework that provides a system
-verification and functionality test for a node. 
+verification and functionality test for a node. The test validates whether the
+node meets the minimum requirements for Kubernetes; a node that passes the test
+is qualified to join a Kubernetes cluster.
 -->
-*节点一致性测试* 是一个容器化的测试框架，提供了针对节点的系统验证和功能测试。
+**节点一致性测试** 是一个容器化的测试框架，提供了针对节点的系统验证和功能测试。
+测试验证节点是否满足 Kubernetes 的最低要求；通过测试的节点有资格加入 Kubernetes 集群。
 
 <!--
 The test validates whether the node meets the minimum requirements for Kubernetes; a node that passes the testis qualified to join a Kubernetes cluster.
@@ -34,10 +33,12 @@ The test validates whether the node meets the minimum requirements for Kubernete
 <!--
 ## Node Prerequisite
 -->
-## 节点的前提条件
+## 节点的前提条件    {#node-prerequisite}
 
 <!--
-To run node conformance test, a node must satisfy the same prerequisites as astandard Kubernetes node. At a minimum, the node should have the following daemons installed:
+To run node conformance test, a node must satisfy the same prerequisites as a
+standard Kubernetes node. At a minimum, the node should have the following
+daemons installed:
 -->
 要运行节点一致性测试，节点必须满足与标准 Kubernetes 节点相同的前提条件。节点至少应安装以下守护程序：
 
@@ -51,7 +52,7 @@ To run node conformance test, a node must satisfy the same prerequisites as asta
 <!--
 ## Running Node Conformance Test
 -->
-## 运行节点一致性测试
+## 运行节点一致性测试    {#running-node-conformance-test}
 
 <!--
 To run the node conformance test, perform the following steps:
@@ -64,28 +65,31 @@ To run the node conformance test, perform the following steps:
     Because the test framework starts a local control plane to test the kubelet,
     use `http://localhost:8080` as the URL of the API server.
     There are some other kubelet command line parameters you may want to use:
-  * `--pod-cidr`: If you are using `kubenet`, you should specify an arbitrary CIDR
-    to Kubelet, for example `--pod-cidr=10.180.0.0/24`.
   * `--cloud-provider`: If you are using `--cloud-provider=gce`, you should
     remove the flag to run the test.
 -->
-1. 得出 kubelet 的 `--kubeconfig` 的值；例如：`--kubeconfig=/var/lib/kubelet/config.yaml`. 
-   由于测试框架启动了本地控制平面来测试 kubelet， 因此使用 `http://localhost:8080` 
+1. 得出 kubelet 的 `--kubeconfig` 的值；例如：`--kubeconfig=/var/lib/kubelet/config.yaml`。
+   由于测试框架启动了本地控制平面来测试 kubelet，因此使用 `http://localhost:8080`
    作为API 服务器的 URL。
    一些其他的 kubelet 命令行参数可能会被用到：
-   * `--pod-cidr`： 如果使用 `kubenet`， 需要为 Kubelet 任意指定一个 CIDR， 
-     例如 `--pod-cidr=10.180.0.0/24`。
-   * `--cloud-provider`： 如果使用 `--cloud-provider=gce`，需要移除这个参数
-     来运行测试。
+   * `--cloud-provider`：如果使用 `--cloud-provider=gce`，需要移除这个参数来运行测试。
 
 
 <!--
 2. Run the node conformance test with command:
+
+```shell
+# $CONFIG_DIR is the pod manifest path of your Kubelet.
+# $LOG_DIR is the test output path.
+sudo docker run -it --rm --privileged --net=host \
+  -v /:/rootfs -v $CONFIG_DIR:$CONFIG_DIR -v $LOG_DIR:/var/result \
+  k8s.gcr.io/node-test:0.2
+```
 -->
 2. 使用以下命令运行节点一致性测试：
 
    ```shell
-   # $CONFIG_DIR 是您 Kubelet 的 pod manifest 路径。
+   # $CONFIG_DIR 是你 Kubelet 的 pod manifest 路径。
    # $LOG_DIR 是测试的输出路径。
    sudo docker run -it --rm --privileged --net=host \
      -v /:/rootfs -v $CONFIG_DIR:$CONFIG_DIR -v $LOG_DIR:/var/result \
@@ -95,82 +99,87 @@ To run the node conformance test, perform the following steps:
 <!--
 ## Running Node Conformance Test for Other Architectures
 -->
-## 针对其他硬件体系结构运行节点一致性测试
+## 针对其他硬件体系结构运行节点一致性测试    {#running-node-conformance-test-for-other-architectures}
 
 <!--
-Kubernetes also provides node conformance test docker images for other architectures:
+Kubernetes also provides node conformance test docker images for other
+architectures:
 -->
 Kubernetes 也为其他硬件体系结构的系统提供了节点一致性测试的 Docker 镜像：
 
 <!--
-| Arch  |      Image      |      |
-| ----- | :-------------: | ---- |
-| amd64 | node-test-amd64 |      |
-| arm   |  node-test-arm  |      |
-| arm64 | node-test-arm64 |      |
+  Arch  |       Image       |
+--------|:-----------------:|
+ amd64  |  node-test-amd64  |
+  arm   |    node-test-arm  |
+ arm64  |  node-test-arm64  |
 -->
-| 架构   |      镜像        |      |
-| ----- | :-------------: | ---- |
-| amd64 | node-test-amd64 |      |
-| arm   |  node-test-arm  |      |
-| arm64 | node-test-arm64 |      |
+  架构  |       镜像        |
+--------|:-----------------:|
+ amd64  |  node-test-amd64  |
+  arm   |    node-test-arm  |
+ arm64  |  node-test-arm64  |
 
 <!--
 ## Running Selected Test
 -->
-## 运行特定的测试
+## 运行特定的测试    {#running-selected-test}
 
 <!--
-To run specific tests, overwrite the environment variable `FOCUS` with theregular expression of tests you want to run.
+To run specific tests, overwrite the environment variable `FOCUS` with the
+regular expression of tests you want to run.
 -->
-要运行特定测试，请使用您希望运行的测试的特定表达式覆盖环境变量 `FOCUS`。
+要运行特定测试，请使用你希望运行的测试的特定表达式覆盖环境变量 `FOCUS`。
 
 ```shell
 sudo docker run -it --rm --privileged --net=host \
-   -v /:/rootfs:ro -v $CONFIG_DIR:$CONFIG_DIR -v $LOG_DIR:/var/result \
-   -e FOCUS=MirrorPod \ # Only run MirrorPod test
-k8s.gcr.io/node-test:0.2
+  -v /:/rootfs:ro -v $CONFIG_DIR:$CONFIG_DIR -v $LOG_DIR:/var/result \
+  -e FOCUS=MirrorPod \ # Only run MirrorPod test
+  k8s.gcr.io/node-test:0.2
 ```
 
 <!--
-To skip specific tests, overwrite the environment variable `SKIP` with theregular expression of tests you want to skip.
+To skip specific tests, overwrite the environment variable `SKIP` with the
+regular expression of tests you want to skip.
 -->
-要跳过特定的测试，请使用您希望跳过的测试的常规表达式覆盖环境变量 `SKIP`。
+要跳过特定的测试，请使用你希望跳过的测试的常规表达式覆盖环境变量 `SKIP`。
 
 <!--
 ```shell
 sudo docker run -it --rm --privileged --net=host \
   -v /:/rootfs:ro -v $CONFIG_DIR:$CONFIG_DIR -v $LOG_DIR:/var/result \
   -e SKIP=MirrorPod \ # Run all conformance tests but skip MirrorPod test
-k8s.gcr.io/node-test:0.2
+  k8s.gcr.io/node-test:0.2
 ```
 -->
 ```shell
 sudo docker run -it --rm --privileged --net=host \
   -v /:/rootfs:ro -v $CONFIG_DIR:$CONFIG_DIR -v $LOG_DIR:/var/result \
   -e SKIP=MirrorPod \ # 运行除 MirrorPod 测试外的所有一致性测试内容
-k8s.gcr.io/node-test:0.2
+  k8s.gcr.io/node-test:0.2
 ```
 
 
 <!--
-Node conformance test is a containerized version of [node e2e test](https://github.com/kubernetes/community/blob/{{< param "githubbranch" >}}/contributors/devel/e2e-node-tests.md).
+Node conformance test is a containerized version of [node e2e test](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/e2e-node-tests.md).
 -->
-节点一致性测试是[节点端到端测试](https://github.com/kubernetes/community/blob/{{< param "githubbranch" >}}/contributors/devel/e2e-node-tests.md)的容器化版本。
+节点一致性测试是[节点端到端测试](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/e2e-node-tests.md)的容器化版本。
 <!--
 By default, it runs all conformance tests.
 -->
 默认情况下，它会运行所有一致性测试。
 
 <!--
-Theoretically, you can run any node e2e test if you configure the container andmount required volumes properly. But **it is strongly recommended to only run conformance test**, because it requires much more complex configuration to run non-conformance test.
+Theoretically, you can run any node e2e test if you configure the container and
+mount required volumes properly. But **it is strongly recommended to only run conformance
+test**, because it requires much more complex configuration to run non-conformance test.
 -->
-理论上，只要合理地配置容器和挂载所需的卷，就可以运行任何的节点端到端测试用例。 但是这里**强烈建议只运行一致性测试**，因为运行非一致性测试需要很多复杂的配置。
+理论上，只要合理地配置容器和挂载所需的卷，就可以运行任何的节点端到端测试用例。但是这里**强烈建议只运行一致性测试**，因为运行非一致性测试需要很多复杂的配置。
 
 <!--
 ## Caveats
 -->
-## 注意
+## 注意事项    {#caveats}
 
 <!--
 * The test leaves some docker images on the node, including the node conformance
@@ -180,5 +189,5 @@ Theoretically, you can run any node e2e test if you configure the container andm
   during the functionality test.
 -->
 
-* 测试会在节点上遗留一些 Docker 镜像， 包括节点一致性测试本身的镜像和功能测试相关的镜像。
+* 测试会在节点上遗留一些 Docker 镜像，包括节点一致性测试本身的镜像和功能测试相关的镜像。
 * 测试会在节点上遗留一些死的容器。这些容器是在功能测试的过程中创建的。
\ No newline at end of file
diff --git a/content/zh/docs/setup/learning-environment/_index.md b/content/zh-cn/docs/setup/learning-environment/_index.md
similarity index 100%
rename from content/zh/docs/setup/learning-environment/_index.md
rename to content/zh-cn/docs/setup/learning-environment/_index.md
diff --git a/content/zh/docs/setup/production-environment/_index.md b/content/zh-cn/docs/setup/production-environment/_index.md
similarity index 85%
rename from content/zh/docs/setup/production-environment/_index.md
rename to content/zh-cn/docs/setup/production-environment/_index.md
index 0021a557f7f54..7476336ff463e 100644
--- a/content/zh/docs/setup/production-environment/_index.md
+++ b/content/zh-cn/docs/setup/production-environment/_index.md
@@ -53,7 +53,7 @@ has a single point of failure. Creating a highly available cluster means conside
   - Load balancing traffic to the cluster’s {{< glossary_tooltip term_id="kube-apiserver" text="API server" >}}.
   - Having enough worker nodes available, or able to quickly become available, as changing workloads warrant it.
 -->
-- *可用性*：一个单机的 Kubernetes [学习环境](/zh/docs/setup/#学习环境)
+- *可用性*：一个单机的 Kubernetes [学习环境](/zh-cn/docs/setup/#学习环境)
   具有单点失效特点。创建高可用的集群则意味着需要考虑：
   - 将控制面与工作节点分开
   - 在多个节点上提供控制面组件的副本
@@ -90,11 +90,11 @@ by managing [policies](/docs/concepts/policy/) and
 - *安全性与访问管理*：在你自己的学习环境 Kubernetes 集群上，你拥有完全的管理员特权。
   但是针对运行着重要工作负载的共享集群，用户账户不止一两个时，就需要更细粒度
   的方案来确定谁或者哪些主体可以访问集群资源。
-  你可以使用基于角色的访问控制（[RBAC](/zh/docs/reference/access-authn-authz/rbac/)）
+  你可以使用基于角色的访问控制（[RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)）
   和其他安全机制来确保用户和负载能够访问到所需要的资源，同时确保工作负载及集群
   自身仍然是安全的。
-  你可以通过管理[策略](/zh/docs/concets/policy/)和
-  [容器资源](/zh/docs/concepts/configuration/manage-resources-containers)来
+  你可以通过管理[策略](/zh-cn/docs/concepts/policy/)和
+  [容器资源](/zh-cn/docs/concepts/configuration/manage-resources-containers)来
   针对用户和工作负载所可访问的资源设置约束，
 
 <!--
@@ -105,7 +105,7 @@ providers or other [Kubernetes Partners](https://kubernetes.io/partners/).
 Options include:
 -->
 在自行构造 Kubernetes 生产环境之前，请考虑将这一任务的部分或者全部交给
-[云方案承包服务](/zh/docs/setup/production-environment/turnkey-solutions)
+[云方案承包服务](/zh-cn/docs/setup/production-environment/turnkey-solutions)
 提供商或者其他 [Kubernetes 合作伙伴](https://kubernetes.io/partners/)。
 选项有：
 
@@ -152,7 +152,7 @@ is configured to run Kubernetes pods.
 
 在生产质量的 Kubernetes 集群中，控制面用不同的方式来管理集群和可以
 分布到多个计算机上的服务。每个工作节点则代表的是一个可配置来运行
-Kubernetes Pods 的实体。
+Kubernetes Pod 的实体。
 
 <!--
 ### Production control plane
@@ -168,7 +168,7 @@ discarded if something goes seriously wrong, this might meet your needs.
 
 最简单的 Kubernetes 集群中，整个控制面和工作节点服务都运行在同一台机器上。
 你可以通过添加工作节点来提升环境能力，正如
-[Kubernetes 组件](/zh/docs/concepts/overview/components/)示意图所示。
+[Kubernetes 组件](/zh-cn/docs/concepts/overview/components/)示意图所示。
 如果只需要集群在很短的一段时间内可用，或者可以在某些事物出现严重问题时直接丢弃，
 这种配置可能符合你的需要。
 
@@ -180,7 +180,7 @@ If keeping the cluster up and running
 and ensuring that it can be repaired if something goes wrong is important,
 consider these steps:
 -->
-如果你需要一个更为持久的、高可用的集群，那么你就需要考虑扩展控制面的方式。
+如果你需要一个更为持久的、高可用的集群，那么就需要考虑扩展控制面的方式。
 根据设计，运行在一台机器上的单机控制面服务不是高可用的。
 如果保持集群处于运行状态并且需要确保在出现问题时能够被修复这点很重要，
 可以考虑以下步骤：
@@ -194,9 +194,9 @@ methods. Different [Container Runtimes](/docs/setup/production-environment/conta
 are available to use with your deployments.
 -->
 - *选择部署工具*：你可以使用类似 kubeadm、kops 和 kubespray 这类工具来部署控制面。
-  参阅[使用部署工具安装 Kubernetes](/zh/docs/setup/production-environment/tools/)
+  参阅[使用部署工具安装 Kubernetes](/zh-cn/docs/setup/production-environment/tools/)
   以了解使用这类部署方法来完成生产就绪部署的技巧。
-  存在不同的[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
+  存在不同的[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
   可供你的部署采用。
 <!--
 - *Manage certificates*: Secure communications between control plane services
@@ -205,8 +205,8 @@ during deployment or you can generate them using your own certificate authority.
 See [PKI certificates and requirements](/docs/setup/best-practices/certificates/) for details.
 -->
 - *管理证书*：控制面服务之间的安全通信是通过证书来完成的。证书是在部署期间
-  自动生成的，或者你也可以使用你自己的证书机构来生成它们。
-  参阅 [PKI 证书和需求](/zh/docs/setup/best-practices/certificates/)了解细节。
+  自动生成的，或者你也可以使用自己的证书机构来生成它们。
+  参阅 [PKI 证书和需求](/zh-cn/docs/setup/best-practices/certificates/)了解细节。
 <!--
 - *Configure load balancer for apiserver*: Configure a load balancer
 to distribute external API requests to the apiserver service instances running on different nodes. See 
@@ -215,7 +215,7 @@ for details.
 -->
 - *为 API 服务器配置负载均衡*：配置负载均衡器来将外部的 API 请求散布给运行在
   不同节点上的 API 服务实例。参阅
-  [创建外部负载均衡器](/zh/docs/access-application-cluster/create-external-load-balancer/)
+  [创建外部负载均衡器](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/)
   了解细节。
 <!--
 - *Separate and backup etcd service*: The etcd services can either run on the
@@ -233,8 +233,8 @@ for details.
   因为 etcd 存储着集群的配置数据，应该经常性地对 etcd 数据库进行备份，
   以确保在需要的时候你可以修复该数据库。与配置和使用 etcd 相关的细节可参阅
   [etcd FAQ](/https://etcd.io/docs/v3.4/faq/)。
-  更多的细节可参阅[为 Kubernetes 运维 etcd 集群](/zh/docs/tasks/administer-cluster/configure-upgrade-etcd/)
-  和[使用 kubeadm 配置高可用的 etcd 集群](/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)。
+  更多的细节可参阅[为 Kubernetes 运维 etcd 集群](/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/)
+  和[使用 kubeadm 配置高可用的 etcd 集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)。
 <!--
 - *Create multiple control plane systems*: For high availability, the
 control plane should not be limited to a single machine. If the control plane
@@ -268,7 +268,7 @@ See [Running in multiple zones](/docs/setup/best-practices/multiple-zones/) for
   若干个可用区在一起可构成地理区域。
   通过将集群分散到同一区域中的多个可用区内，即使某个可用区不可用，整个集群
   能够继续工作的机会也大大增加。
-  更多的细节可参阅[跨多个可用区运行](/zh/docs/setup/best-practices/multiple-zones/)。
+  更多的细节可参阅[跨多个可用区运行](/zh-cn/docs/setup/best-practices/multiple-zones/)。
 <!--
 - *Manage on-going features*: If you plan to keep your cluster over time,
 there are tasks you need to do to maintain its health and security. For example,
@@ -280,10 +280,10 @@ for a longer list of Kubernetes administrative tasks.
 -->
 - *管理演进中的特性*：如果你计划长时间保留你的集群，就需要执行一些维护其
   健康和安全的任务。例如，如果你采用 kubeadm 安装的集群，则有一些可以帮助你完成
-  [证书管理](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
-  和[升级 kubeadm 集群](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade)
+  [证书管理](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
+  和[升级 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade)
   的指令。
-  参见[管理集群](/zh/docs/tasks/administer-cluster)了解一个 Kubernetes
+  参见[管理集群](/zh-cn/docs/tasks/administer-cluster)了解一个 Kubernetes
   管理任务的较长列表。
 
 <!--
@@ -298,16 +298,16 @@ and [Operating etcd clusters for Kubernetes](/docs/tasks/administer-cluster/conf
 See [Backing up an etcd cluster](/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster)
 for information on making an etcd backup plan.
 -->
-要了解运行控制面服务时可使用的选项，可参阅
-[kube-apiserver](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)、
-[kube-controller-manager](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/) 和
-[kube-scheduler](/zh/docs/reference/command-line-tools-reference/kube-scheduler/)
+如要了解运行控制面服务时可使用的选项，可参阅
+[kube-apiserver](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)、
+[kube-controller-manager](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/) 和
+[kube-scheduler](/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/)
 组件参考页面。
 如要了解高可用控制面的例子，可参阅
-[高可用拓扑结构选项](/zh/docs/setup/production-environment/tools/kubeadm/ha-topology/)、
-[使用 kubeadm 创建高可用集群](/zh/docs/setup/production-environment/tools/kubeadm/high-availability/) 以及[为 Kubernetes 运维 etcd 集群](/zh/docs/tasks/administer-cluster/configure-upgrade-etcd/)。
+[高可用拓扑结构选项](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/)、
+[使用 kubeadm 创建高可用集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/) 以及[为 Kubernetes 运维 etcd 集群](/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/)。
 关于制定 etcd 备份计划，可参阅
-[对 etcd 集群执行备份](/zh/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster)。
+[对 etcd 集群执行备份](/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster)。
 
 <!--
 ### Production worker nodes
@@ -318,7 +318,7 @@ control plane or have a cloud provider do it for you, you still need to
 consider how you want to manage your worker nodes (also referred to
 simply as *nodes*).  
 -->
-### 生产用工作节点
+### 生产用工作节点   {#production-worker-nodes}
 
 生产质量的工作负载需要是弹性的；它们所依赖的其他组件（例如 CoreDNS）也需要是弹性的。
 无论你是自行管理控制面还是让云供应商来管理，你都需要考虑如何管理工作节点
@@ -332,7 +332,7 @@ then add and run the appropriate
 -->
 - *配置节点*：节点可以是物理机或者虚拟机。如果你希望自行创建和管理节点，
   你可以安装一个受支持的操作系统，之后添加并运行合适的
-  [节点服务](/zh/docs/concepts/overview/components/#node-components)。
+  [节点服务](/zh-cn/docs/concepts/overview/components/#node-components)。
   考虑：
   <!--
   - The demands of your workloads when you set up nodes by having appropriate memory, CPU, and disk speed and storage capacity available.
@@ -347,7 +347,7 @@ then add and run the appropriate
 for information on how to ensure that a node meets the requirements to join
 a Kubernetes cluster.
 -->
-- *验证节点*：参阅[验证节点配置](/zh/docs/setup/best-practices/node-conformance/)
+- *验证节点*：参阅[验证节点配置](/zh-cn/docs/setup/best-practices/node-conformance/)
   以了解如何确保节点满足加入到 Kubernetes 集群的需求。
 <!--
 - *Add nodes to the cluster*: If you are managing your own cluster you can
@@ -357,7 +357,7 @@ having them register themselves to the cluster’s apiserver. See the
 -->
 - *添加节点到集群中*：如果你自行管理你的集群，你可以通过安装配置你的机器，
   之后或者手动加入集群，或者让它们自动注册到集群的 API 服务器。参阅
-  [节点](/zh/docs/concepts/architecture/nodes/)节，了解如何配置 Kubernetes
+  [节点](/zh-cn/docs/concepts/architecture/nodes/)节，了解如何配置 Kubernetes
   以便以这些方式来添加节点。
 <!--
 - *Add Windows nodes to the cluster*: Kubernetes offers support for Windows
@@ -366,7 +366,7 @@ worker nodes, allowing you to run workloads implemented in Windows containers. S
 -->
 - *向集群中添加 Windows 节点*：Kubernetes 提供对 Windows 工作节点的支持；
   这使得你可以运行实现于 Windows 容器内的工作负载。参阅
-  [Kubernetes 中的 Windows](/zh/docs/setup/production-environment/windows/)
+  [Kubernetes 中的 Windows](/zh-cn/docs/setup/production-environment/windows/)
   了解进一步的详细信息。
 <!--
 - *Scale nodes*: Have a plan for expanding the capacity your cluster will
@@ -376,7 +376,7 @@ containers you need to run. If you are managing nodes yourself, this can mean
 purchasing and installing your own physical equipment.
 -->
 - *扩缩节点*：制定一个扩充集群容量的规划，你的集群最终会需要这一能力。
-  参阅[大规模集群考察事项](/zh/docs/setup/best-practices/cluster-large/)
+  参阅[大规模集群考察事项](/zh-cn/docs/setup/best-practices/cluster-large/)
   以确定你所需要的节点数；这一规模是基于你要运行的 Pod 和容器个数来确定的。
   如果你自行管理集群节点，这可能意味着要购买和安装你自己的物理设备。
 <!--
@@ -404,9 +404,9 @@ that the nodes and pods running on those nodes are healthy. Using the
 [Node Problem Detector](/docs/tasks/debug/debug-cluster/monitor-node-health/)
 daemon, you can ensure your nodes are healthy.
 -->
-- *安装节点健康检查*：对于重要的工作负载，你会希望确保节点以及在节点上
+- **安装节点健康检查**：对于重要的工作负载，你会希望确保节点以及在节点上
   运行的 Pod 处于健康状态。通过使用
-  [Node Problem Detector](/zh/docs/tasks/debug/debug-cluster/monitor-node-health/)，
+  [Node Problem Detector](/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health/)，
   你可以确保你的节点是健康的。
 
 <!--
@@ -418,11 +418,11 @@ hundreds of people. In a learning environment or platform prototype, you might h
 administrative account for everything you do. In production, you will want
 more accounts with different levels of access to different namespaces.
 -->
-### 生产级用户环境
+### 生产级用户环境   {#production-user-management}
 
 在生产环境中，情况可能不再是你或者一小组人在访问集群，而是几十
 上百人需要访问集群。在学习环境或者平台原型环境中，你可能具有一个
-可以执行任何操作的管理账号。在生产环境中，你可需要对不同名字空间
+可以执行任何操作的管理账号。在生产环境中，你会需要对不同名字空间
 具有不同访问权限级别的很多账号。
 
 <!--
@@ -450,18 +450,18 @@ for a description of these different methods of authenticating Kubernetes users.
   你可以选择你要使用的认证方法。通过使用插件，API 服务器可以充分利用你所在
   组织的现有身份认证方法，例如 LDAP 或者 Kerberos。
   关于认证 Kubernetes 用户身份的不同方法的描述，可参阅
-  [身份认证](/zh/docs/reference/access-authn-authz/authentication/)。
+  [身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)。
 <!--
 - *Authorization*: When you set out to authorize your regular users, you will probably choose between RBAC and ABAC authorization. See [Authorization Overview](/docs/reference/access-authn-authz/authorization/) to review different modes for authorizing user accounts (as well as service account access to your cluster):
 -->
 - *鉴权（Authorization）*：当你准备为一般用户执行权限判定时，你可能会需要
   在 RBAC 和 ABAC 鉴权机制之间做出选择。参阅
-  [鉴权概述](/zh/docs/reference/access-authn-authz/authorization/)，了解
+  [鉴权概述](/zh-cn/docs/reference/access-authn-authz/authorization/)，了解
   对用户账户（以及访问你的集群的服务账户）执行鉴权的不同模式。
   <!--
   - *Role-based access control* ([RBAC](/docs/reference/access-authn-authz/rbac/)): Lets you assign access to your cluster by allowing specific sets of permissions to authenticated users. Permissions can be assigned for a specific namespace (Role) or across the entire cluster (ClusterRole). Then using RoleBindings and ClusterRoleBindings, those permissions can be attached to particular users.
   -->
-  - *基于角色的访问控制*（[RBAC](/zh/docs/reference/access-authn-authz/rbac/)）：
+  - *基于角色的访问控制*（[RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)）：
     让你通过为通过身份认证的用户授权特定的许可集合来控制集群访问。
     访问许可可以针对某特定名字空间（Role）或者针对整个集群（ClusterRole）。
     通过使用 RoleBinding 和 ClusterRoleBinding 对象，这些访问许可可以被
@@ -469,12 +469,12 @@ for a description of these different methods of authenticating Kubernetes users.
   <!--
   - *Attribute-based access control* ([ABAC](/docs/reference/access-authn-authz/abac/)): Lets you create policies based on resource attributes in the cluster and will allow or deny access based on those attributes. Each line of a policy file identifies versioning properties (apiVersion and kind) and a map of spec properties to match the subject (user or group), resource property, non-resource property (/version or /apis), and readonly. See [Examples](/docs/reference/access-authn-authz/abac/#examples) for details.
   -->
-  - *基于属性的访问控制*（[ABAC](/zh/docs/reference/access-authn-authz/abac/)）：
+  - *基于属性的访问控制*（[ABAC](/zh-cn/docs/reference/access-authn-authz/abac/)）：
     让你能够基于集群中资源的属性来创建访问控制策略，基于对应的属性来决定
     允许还是拒绝访问。策略文件的每一行都给出版本属性（apiVersion 和 kind）
     以及一个规约属性的映射，用来匹配主体（用户或组）、资源属性、非资源属性
     （/version 或 /apis）和只读属性。
-    参阅[示例](/zh/docs/reference/access-authn-authz/abac/#examples)以了解细节。
+    参阅[示例](/zh-cn/docs/reference/access-authn-authz/abac/#examples)以了解细节。
 
 <!--
 As someone setting up authentication and authorization on your production Kubernetes cluster, here are some things to consider:
@@ -505,7 +505,7 @@ for details.
 - *创建用户证书和角色绑定（RBAC）*：如果你在使用 RBAC 鉴权，用户可以创建
   由集群 CA 签名的 CertificateSigningRequest（CSR）。接下来你就可以将 Role
   和 ClusterRole 绑定到每个用户身上。
-  参阅[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)
+  参阅[证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
   了解细节。
 <!--
 - *Create policies that combine attributes (ABAC)*: If you are using ABAC
@@ -517,7 +517,7 @@ pod), namespace, or apiGroup. For more information, see
 - *创建组合属性的策略（ABAC）*：如果你在使用 ABAC 鉴权，你可以设置属性组合
   以构造策略对所选用户或用户组执行鉴权，判定他们是否可访问特定的资源
   （例如 Pod）、名字空间或者 apiGroup。进一步的详细信息可参阅
-  [示例](/zh/docs/reference/access-authn-authz/abac/#examples)。
+  [示例](/zh-cn/docs/reference/access-authn-authz/abac/#examples)。
 <!--
 - *Consider Admission Controllers*: Additional forms of authorization for
 requests that can come in through the API server include
@@ -527,9 +527,9 @@ Webhooks and other special authorization types need to be enabled by adding
 to the API server.
 -->
 - *考虑准入控制器*：针对指向 API 服务器的请求的其他鉴权形式还包括
-  [Webhook 令牌认证](/zh/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)。
+  [Webhook 令牌认证](/zh-cn/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)。
   Webhook 和其他特殊的鉴权类型需要通过向 API 服务器添加
-  [准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/)
+  [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
   来启用。
 
 <!--
@@ -552,7 +552,7 @@ for details. You can also set
 for inheriting limits.
 -->
 - *设置名字空间限制*：为每个名字空间的内存和 CPU 设置配额。
-  参阅[管理内存、CPU 和 API 资源](/zh/docs/tasks/administer-cluster/manage-resources/)
+  参阅[管理内存、CPU 和 API 资源](/zh-cn/docs/tasks/administer-cluster/manage-resources/)
   以了解细节。你也可以设置
   [层次化名字空间](/blog/2020/08/14/introducing-hierarchical-namespaces/)
   来继承这类约束。
@@ -563,7 +563,7 @@ your DNS service must be ready to scale up as well. See
 -->
 - *为 DNS 请求做准备*：如果你希望工作负载能够完成大规模扩展，你的 DNS 服务
   也必须能够扩大规模。参阅
-  [自动扩缩集群中 DNS 服务](/zh/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)。
+  [自动扩缩集群中 DNS 服务](/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)。
 <!--
 - *Create additional service accounts*: User accounts determine what users can
 do on a cluster, while a service account defines pod access within a particular
@@ -574,17 +574,17 @@ for information on creating a new service account. For example, you might want t
 - *创建额外的服务账户*：用户账户决定用户可以在集群上执行的操作，服务账号则定义的
   是在特定名字空间中 Pod 的访问权限。
   默认情况下，Pod 使用所在名字空间中的 default 服务账号。
-  参阅[管理服务账号](/zh/docs/reference/access-authn-authz/service-accounts-admin/)
+  参阅[管理服务账号](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
   以了解如何创建新的服务账号。例如，你可能需要：
   <!--
   - Add secrets that a pod could use to pull images from a particular container registry. See [Configure Service Accounts for Pods](/docs/tasks/configure-pod-container/configure-service-account/) for an example.
   - Assign RBAC permissions to a service account. See [ServiceAccount permissions](/docs/reference/access-authn-authz/rbac/#service-account-permissions) for details.
   -->
   - 为 Pod 添加 Secret，以便 Pod 能够从某特定的容器镜像仓库拉取镜像。
-    参阅[为 Pod 配置服务账号](/zh/docs/tasks/configure-pod-container/configure-service-account/)
+    参阅[为 Pod 配置服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
     以获得示例。
   - 为服务账号设置 RBAC 访问许可。参阅
-    [服务账号访问许可](/zh/docs/reference/access-authn-authz/rbac/#service-account-permissions)
+    [服务账号访问许可](/zh-cn/docs/reference/access-authn-authz/rbac/#service-account-permissions)
     了解细节。
 
 ## {{% heading "whatsnext" %}}
@@ -601,38 +601,37 @@ and the
 [API server](/docs/setup/production-environment/tools/kubeadm/ha-topology/).
 -->
 - 决定你是想自行构造自己的生产用 Kubernetes 还是从某可用的
-  [云服务外包厂商](/zh/docs/setup/production-environment/turnkey-solutions/)
+  [云服务外包厂商](/zh-cn/docs/setup/production-environment/turnkey-solutions/)
   或 [Kubernetes 合作伙伴](https://kubernetes.io/partners/)获得集群。
 - 如果你决定自行构造集群，则需要规划如何处理
-  [证书](/zh/docs/setup/best-practices/certificates/)
+  [证书](/zh-cn/docs/setup/best-practices/certificates/)
   并为类似
-  [etcd](/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)
+  [etcd](/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/)
   和
-  [API 服务器](/zh/docs/setup/production-environment/tools/kubeadm/ha-topology/)
+  [API 服务器](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/)
   这些功能组件配置高可用能力。
 <!--
 - Choose from [kubeadm](/docs/setup/production-environment/tools/kubeadm/), [kops](/docs/setup/production-environment/tools/kops/) or [Kubespray](/docs/setup/production-environment/tools/kubespray/)
 deployment methods.
 -->
-- 选择使用 [kubeadm](/zh/docs/setup/production-environment/tools/kubeadm/)、
-  [kops](/zh/docs/setup/production-environment/tools/kops/) 或
-  [Kubespray](/zh/docs/setup/production-environment/tools/kubespray/)
+- 选择使用 [kubeadm](/zh-cn/docs/setup/production-environment/tools/kubeadm/)、
+  [kops](/zh-cn/docs/setup/production-environment/tools/kops/) 或
+  [Kubespray](/zh-cn/docs/setup/production-environment/tools/kubespray/)
   作为部署方法。
 <!--
 - Configure user management by determining your
 [Authentication](/docs/reference/access-authn-authz/authentication/) and
 [Authorization](/docs/reference/access-authn-authz/authorization/) methods.
 -->
-- 通过决定[身份认证](/zh/docs/reference/access-authn-authz/authentication/)和
-  [鉴权](/zh/docs/reference/access-authn-authz/authorization/)方法来配置用户管理。
+- 通过决定[身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)和
+  [鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)方法来配置用户管理。
 <!--
 - Prepare for application workloads by setting up
 [resource limits](/docs/tasks/administer-cluster/manage-resources/),
 [DNS autoscaling](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)
 and [service accounts](/docs/reference/access-authn-authz/service-accounts-admin/).
 -->
-- 通过配置[资源限制](/zh/docs/tasks/administer-cluster/manage-resources/)、
-  [DNS 自动扩缩](/zh/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)
-  和[服务账号](/zh/docs/reference/access-authn-authz/service-accounts-admin/)
+- 通过配置[资源限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/)、
+  [DNS 自动扩缩](/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling/)
+  和[服务账号](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
   来为应用负载作准备。
-
diff --git a/content/zh-cn/docs/setup/production-environment/container-runtimes.md b/content/zh-cn/docs/setup/production-environment/container-runtimes.md
new file mode 100644
index 0000000000000..ff89a9a946848
--- /dev/null
+++ b/content/zh-cn/docs/setup/production-environment/container-runtimes.md
@@ -0,0 +1,500 @@
+---
+title: 容器运行时
+content_type: concept
+weight: 20
+---
+<!--
+reviewers:
+- vincepri
+- bart0sh
+title: Container Runtimes
+content_type: concept
+weight: 20
+-->
+
+<!-- overview -->
+
+<!-- 
+{{% dockershim-removal %}}
+
+You need to install a
+{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
+into each node in the cluster so that Pods can run there. This page outlines
+what is involved and describes related tasks for setting up nodes.
+ -->
+你需要在集群内每个节点上安装一个
+{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}
+以使 Pod 可以运行在上面。本文概述了所涉及的内容并描述了与节点设置相关的任务。
+
+
+<!-- 
+Kubernetes {{< skew currentVersion >}} requires that you use a runtime that conforms with the {{< glossary_tooltip term_id="cri" text="Container Runtime Interface">}} (CRI).
+
+See [CRI version support](#cri-versions) for more information.
+This page provides an outline of how to use several common container runtimes with Kubernetes.
+ -->
+
+Kubernetes {{< skew currentVersion >}} 要求你使用符合{{<glossary_tooltip term_id="cri" text="容器运行时接口">}} (CRI)的运行时。
+
+有关详细信息，请参阅 [CRI 版本支持](#cri-versions)。
+本页简要介绍在 Kubernetes 中几个常见的容器运行时的用法。
+
+- [containerd](#containerd)
+- [CRI-O](#cri-o)
+- [Docker Engine](#docker)
+- [Mirantis Container Runtime](#mcr)
+
+<!-- 
+{{< note >}}
+Kubernetes releases before v1.24 included a direct integration with Docker Engine,
+using a component named _dockershim_. That special direct integration is no longer
+part of Kubernetes (this removal was
+[announced](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)
+as part of the v1.20 release).
+You can read
+[Check whether Dockershim deprecation affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
+to understand how this removal might
+affect you. To learn about migrating from using dockershim, see
+[Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/).
+
+If you are running a version of Kubernetes other than v{{< skew currentVersion >}},
+check the documentation for that version.
+{{< /note >}}
+
+ -->
+ {{< note >}}
+提示：v1.24 之前的 Kubernetes 版本包括与 Docker Engine 的直接集成，使用名为 _dockershim_ 的组件。 
+这种特殊的直接整合不再是 Kubernetes 的一部分
+（这次删除被作为 v1.20 发行版本的一部分[宣布](/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)）。
+你可以阅读[检查 Dockershim 弃用是否会影响你](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/) 
+以了解此删除可能会如何影响你。 
+要了解如何使用 dockershim 进行迁移，请参阅[从 dockershim 迁移](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/)。
+
+如果你正在运行 v{{< skew currentVersion >}} 以外的 Kubernetes 版本，检查该版本的文档。
+{{< /note >}}
+
+<!-- body -->
+<!-- 
+## Install and configure prerequisites
+
+The following steps apply common settings for Kubernetes nodes on Linux. 
+
+You can skip a particular setting if you're certain you don't need it.
+
+For more information, see [Network Plugin Requirements](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements) or the documentation for your specific container runtime.
+ -->
+
+## 安装和配置先决条件
+
+以下步骤将通用设置应用于 Linux 上的 Kubernetes 节点。
+
+如果你确定不需要某个特定设置，则可以跳过它。
+
+有关更多信息，请参阅[网络插件要求](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements) 
+或特定容器运行时的文档。
+
+<!-- 
+### Forwarding IPv4 and letting iptables see bridged traffic
+
+Verify that the `br_netfilter` module is loaded by running `lsmod | grep br_netfilter`. 
+
+To load it explicitly, run `sudo modprobe br_netfilter`.
+
+In order for a Linux node's iptables to correctly view bridged traffic, verify that `net.bridge.bridge-nf-call-iptables` is set to 1 in your `sysctl` config. For example: 
+-->
+
+### 转发 IPv4 并让 iptables 看到桥接流量
+
+通过运行 `lsmod | grep br_netfilter` 来验证 `br_netfilter` 模块是否已加载。
+
+若要显式加载此模块，请运行 `sudo modprobe br_netfilter`。
+
+为了让 Linux 节点的 iptables 能够正确查看桥接流量，请确认 `sysctl` 配置中的
+`net.bridge.bridge-nf-call-iptables` 设置为 1。 例如：
+
+<!-- 
+```bash
+cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
+overlay
+br_netfilter
+EOF
+
+sudo modprobe overlay
+sudo modprobe br_netfilter
+
+# sysctl params required by setup, params persist across reboots
+cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+EOF
+
+# Apply sysctl params without reboot
+sudo sysctl --system
+``` 
+-->
+
+```bash
+cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
+overlay
+br_netfilter
+EOF
+
+sudo modprobe overlay
+sudo modprobe br_netfilter
+
+# 设置所需的 sysctl 参数，参数在重新启动后保持不变
+cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+EOF
+
+# 应用 sysctl 参数而不重新启动
+sudo sysctl --system
+```
+
+<!--
+## Cgroup drivers
+-->
+## Cgroup 驱动程序
+
+<!--
+On Linux, {{< glossary_tooltip text="control groups" term_id="cgroup" >}} are used to constrain resources that are allocated to processes.
+
+When [systemd](https://www.freedesktop.org/wiki/Software/systemd/) is chosen as the init
+system for a Linux distribution, the init process generates and consumes a root control group
+(`cgroup`) and acts as a cgroup manager.
+Systemd has a tight integration with cgroups and allocates a cgroup per systemd unit. It's possible
+to configure your container runtime and the kubelet to use `cgroupfs`. Using `cgroupfs` alongside
+systemd means that there will be two different cgroup managers.
+-->
+在 Linux 上，{{<glossary_tooltip text="控制组（CGroup）" term_id="cgroup" >}}用于限制分配给进程的资源。
+
+当某个 Linux 系统发行版使用 [systemd](https://www.freedesktop.org/wiki/Software/systemd/)
+作为其初始化系统时，初始化进程会生成并使用一个 root 控制组（`cgroup`），并充当 cgroup 管理器。
+Systemd 与 cgroup 集成紧密，并将为每个 systemd 单元分配一个 cgroup。
+你也可以配置容器运行时和 kubelet 使用 `cgroupfs`。
+连同 systemd 一起使用 `cgroupfs` 意味着将有两个不同的 cgroup 管理器。
+
+<!--
+A single cgroup manager simplifies the view of what resources are being allocated
+and will by default have a more consistent view of the available and in-use resources.
+When there are two cgroup managers on a system, you end up with two views of those resources.
+In the field, people have reported cases where nodes that are configured to use `cgroupfs`
+for the kubelet and Docker, but `systemd` for the rest of the processes, become unstable under
+resource pressure.
+-->
+单个 cgroup 管理器将简化分配资源的视图，并且默认情况下将对可用资源和使用
+中的资源具有更一致的视图。
+当有两个管理器共存于一个系统中时，最终将对这些资源产生两种视图。
+在此领域人们已经报告过一些案例，某些节点配置让 kubelet 和 docker 使用
+`cgroupfs`，而节点上运行的其余进程则使用 systemd; 这类节点在资源压力下
+会变得不稳定。
+
+<!--
+Changing the settings such that your container runtime and kubelet use `systemd` as the cgroup driver
+stabilized the system. To configure this for Docker, set `native.cgroupdriver=systemd`.
+-->
+更改设置，令容器运行时和 kubelet 使用 `systemd` 作为 cgroup 驱动，以此使系统更为稳定。
+对于 Docker, 设置 `native.cgroupdriver=systemd` 选项。
+
+<!--
+{{< caution >}}
+Changing the cgroup driver of a Node that has joined a cluster is a sensitive operation. 
+If the kubelet has created Pods using the semantics of one cgroup driver, changing the container
+runtime to another cgroup driver can cause errors when trying to re-create the Pod sandbox
+for such existing Pods. Restarting the kubelet may not solve such errors.
+
+If you have automation that makes it feasible, replace the node with another using the updated
+configuration, or reinstall it using automation.
+{{< /caution >}}
+-->
+注意：更改已加入集群的节点的 cgroup 驱动是一项敏感的操作。
+如果 kubelet 已经使用某 cgroup 驱动的语义创建了 pod，更改运行时以使用
+别的 cgroup 驱动，当为现有 Pods 重新创建 PodSandbox 时会产生错误。
+重启 kubelet 也可能无法解决此类问题。
+如果你有切实可行的自动化方案，使用其他已更新配置的节点来替换该节点，
+或者使用自动化方案来重新安装。
+
+<!--
+### Cgroup version 2 {#cgroup-v2}
+
+Cgroup v2 is the next version of the cgroup Linux API.  Differently than cgroup v1, there is a single
+hierarchy instead of a different one for each controller.
+-->
+### Cgroup v2 {#cgroup-v2}
+
+Cgroup v2 是 cgroup Linux API 的下一个版本。与 cgroup v1 不同的是，
+Cgroup v2 只有一个层次结构，而不是每个控制器有一个不同的层次结构。
+
+<!--
+The new version offers several improvements over cgroup v1, some of these improvements are:
+
+- cleaner and easier to use API
+- safe sub-tree delegation to containers
+- newer features like Pressure Stall Information
+-->
+新版本对 cgroup v1 进行了多项改进，其中一些改进是：
+
+- 更简洁、更易于使用的 API
+- 可将安全子树委派给容器
+- 更新的功能，如压力失速信息（Pressure Stall Information）
+
+<!--
+Even if the kernel supports a hybrid configuration where some controllers are managed by cgroup v1
+and some others by cgroup v2, Kubernetes supports only the same cgroup version to manage all the
+controllers.
+
+If systemd doesn't use cgroup v2 by default, you can configure the system to use it by adding
+`systemd.unified_cgroup_hierarchy=1` to the kernel command line.
+-->
+尽管内核支持混合配置，即其中一些控制器由 cgroup v1 管理，另一些由 cgroup v2 管理，
+Kubernetes 仅支持使用同一 cgroup 版本来管理所有控制器。
+
+如果 systemd 默认不使用 cgroup v2，你可以通过在内核命令行中添加 
+`systemd.unified_cgroup_hierarchy=1` 来配置系统去使用它。
+
+<!-- 
+```shell
+# This example is for a Linux OS that uses the DNF package manager
+# Your system might use a different method for setting the command line
+# that the Linux kernel uses.
+sudo dnf install -y grubby && \
+  sudo grubby \
+  --update-kernel=ALL \
+  --args="systemd.unified_cgroup_hierarchy=1"
+``` 
+-->
+
+```shell
+# 此示例适用于使用 DNF 包管理器的 Linux 操作系统
+# 你的系统可能使用不同的方法来设置 Linux 内核使用的命令行。
+sudo dnf install -y grubby && \
+  sudo grubby \
+  --update-kernel=ALL \
+  --args="systemd.unified_cgroup_hierarchy=1"
+```
+
+<!--
+If you change the command line for the kernel, you must reboot the node before your change takes effect.
+
+There should not be any noticeable difference in the user experience when switching to cgroup v2, unless
+users are accessing the cgroup file system directly, either on the node or from within the containers.
+
+In order to use it, cgroup v2 must be supported by the CRI runtime as well.
+-->
+如果更改内核的命令行，则必须重新启动节点才能使更改生效。
+
+切换到 cgroup v2 时，用户体验不应有任何明显差异，
+除非用户直接在节点上或在容器内访问 cgroup 文件系统。
+为了使用它，CRI 运行时也必须支持 cgroup v2。
+
+<!-- 
+### Migrating to the `systemd` driver in kubeadm managed clusters
+-->
+### 将 kubeadm 托管的集群迁移到 `systemd` 驱动
+
+<!-- 
+If you wish to migrate to the `systemd` cgroup driver in existing kubeadm managed clusters, follow [configuring a cgroup driver](/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/).
+
+## CRI version support {#cri-versions}
+
+Your container runtime must support at least v1alpha2 of the container runtime interface.
+
+Kubernetes {{< skew currentVersion >}}  defaults to using v1 of the CRI API.If a container runtime does not support the v1 API, the kubelet falls back to using the (deprecated) v1alpha2 API instead.
+-->
+如果你希望将现有的由 kubeadm 管理的集群迁移到 `systemd` cgroup 驱动程序，
+请按照[配置 cgroup 驱动程序](/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/)操作。
+
+## CRI 版本支持 {#cri-versions}
+
+你的容器运行时必须至少支持容器运行时接口的 v1alpha2。
+
+Kubernetes {{< skew currentVersion >}} 默认使用 v1 的 CRI API。如果容器运行时不支持 v1 API，
+则 kubelet 会回退到使用（已弃用的）v1alpha2 API。
+
+<!-- 
+## Container runtimes
+ -->
+## 容器运行时
+
+{{% thirdparty-content %}}
+
+### containerd
+
+<!--
+This section outlines the necessary steps to use containerd as CRI runtime.
+
+Use the following commands to install Containerd on your system:
+
+-->
+本节概述了使用 containerd 作为 CRI 运行时的必要步骤。
+
+使用以下命令在系统上安装 Containerd：
+
+<!-- 
+Follow the instructions for [getting started with containerd](https://github.com/containerd/containerd/blob/main/docs getting-started.md). Return to this step once you've created a valid configuration file, `config.toml`. 
+ -->
+
+按照[开始使用 containerd](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) 的说明进行操作。 
+创建有效的配置文件 `config.toml` 后返回此步骤。
+
+{{< tabs name="Finding your config.toml file" >}}
+{{% tab name="Linux" %}}
+<!-- You can find this file under the path `/etc/containerd/config.toml`. -->
+你可以在路径 `/etc/containerd/config.toml` 下找到此文件。
+{{% /tab %}}
+{{< tab name="Windows" >}}
+<!-- You can find this file under the path `C:\Program Files\containerd\config.toml`. -->
+你可以在路径 `C:\Program Files\containerd\config.toml` 下找到此文件。
+{{< /tab >}}
+{{< /tabs >}}
+
+<!-- 
+On Linux the default CRI socket for containerd is `/run/containerd/containerd.sock`.
+On Windows the default CRI endpoint is `npipe://./pipe/containerd-containerd`.
+
+#### Configuring the `systemd` cgroup driver {#containerd-systemd}
+--> 
+在 Linux 上，containerd 的默认 CRI 套接字是 `/run/containerd/containerd.sock`。
+在 Windows 上，默认 CRI 端点是 `npipe://./pipe/containerd-containerd`。
+
+#### 配置 `systemd` cgroup 驱动程序 {#containerd-systemd}
+
+<!-- 
+To use the `systemd` cgroup driver in `/etc/containerd/config.toml` with `runc`, set
+-->
+结合 `runc` 使用 `systemd` cgroup 驱动，在 `/etc/containerd/config.toml` 中设置 
+
+```
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+  ...
+  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+    SystemdCgroup = true
+```
+
+<!--
+If you apply this change, make sure to restart containerd:
+-->
+如果你应用此更改，请确保重新启动 containerd：
+
+```shell
+sudo systemctl restart containerd
+```
+
+<!--
+When using kubeadm, manually configure the
+[cgroup driver for kubelet](/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/#configuring-the-kubelet-cgroup-driver).
+-->
+当使用 kubeadm 时，请手动配置
+[kubelet 的 cgroup 驱动](/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/#configuring-the-kubelet-cgroup-driver).
+
+### CRI-O
+
+<!--
+This section contains the necessary steps to install CRI-O as a container runtime.
+
+-->
+本节包含安装 CRI-O 作为容器运行时的必要步骤。
+
+<!-- 
+To install CRI-O, follow [CRI-O Install Instructions](https://github.com/cri-o/cri-o/blob/main/install.md#readme).
+-->
+
+要安装 CRI-O，请按照 [CRI-O 安装说明](https://github.com/cri-o/cri-o/blob/main/install.md#readme)执行操作。
+
+<!-- #### cgroup driver -->
+
+#### cgroup 驱动程序
+
+<!--
+ CRI-O uses the systemd cgroup driver per default, which is likely to work fine for you. To switch to the `cgroupfs` cgroup driver, either edit `/etc/crio/crio.conf` or place a drop-in configuration in `/etc/crio/crio.conf.d/02-cgroup-manager.conf`, for example: 
+-->
+
+CRI-O 默认使用 systemd cgroup 驱动程序，这对你来说可能工作得很好。要切换到 `cgroupfs` cgroup 驱动程序，
+请编辑 `/etc/crio/crio.conf` 或在 `/etc/crio/crio.conf.d/02-cgroup-manager.conf` 中放置一个插入式配置 ，例如：
+
+
+```toml
+[crio.runtime]
+conmon_cgroup = "pod"
+cgroup_manager = "cgroupfs"
+```
+
+<!--
+ You should also note the changed `conmon_cgroup`, which has to be set to the value `pod` when using CRI-O with `cgroupfs`. It is generally necessary to keep the cgroup driver configuration of the kubelet (usually done via kubeadm) and CRI-O in sync.
+-->
+
+你还应该注意到 `conmon_cgroup` 被更改，当使用 CRI-O 和 `cgroupfs` 时，必须将其设置为值 `pod`。
+通常需要保持 kubelet 的 cgroup 驱动配置（通常通过 kubeadm 完成）和 CRI-O 同步。
+
+<!-- 
+For CRI-O, the CRI socket is `/var/run/crio/crio.sock` by default.
+
+### Docker Engine {#docker}
+
+-->
+对于 CRI-O，CRI 套接字默认为 `/var/run/crio/crio.sock`。
+
+### Docker Engine {#docker}
+
+<!-- 
+{{< note >}}
+These instructions assume that you are using the [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd) adapter to integrate
+Docker Engine with Kubernetes.
+{{< /note >}} 
+-->
+
+{{< note >}}
+以下操作假设你使用 [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd) 适配器来将
+Docker Engine 与 Kubernetes 集成。
+{{< /note >}} 
+
+<!--
+ 1. On each of your nodes, install Docker for your Linux distribution as per [Install Docker Engine](https://docs.docker.com/engine/install/#server). 
+ -->
+
+1. 在你的每个节点上，遵循[安装 Docker 引擎](https://docs.docker.com/engine/install/#server)指南为你的
+   Linux 发行版安装 Docker。
+
+<!-- 
+2. Install [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd), following the instructions in that source code repository.
+-->
+2. 按照源代码仓库中的说明安装 [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd)。
+
+
+<!--
+For `cri-dockerd`, the CRI socket is `/run/cri-dockerd.sock` by default.
+ 
+### Mirantis Container Runtime {#mcr}
+-->
+对于 `cri-dockerd`，默认情况下，CRI 套接字是 `/run/cri-dockerd.sock`。
+ 
+### Mirantis 容器运行时 {#mcr}
+
+<!--
+[Mirantis Container Runtime](https://docs.mirantis.com/mcr/20.10/overview.html) (MCR) is a commercially available container runtime that was formerly known as Docker Enterprise Edition.
+You can use Mirantis Container Runtime with Kubernetes using the open source [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd) component, included with MCR.
+-->
+[Mirantis Container Runtime](https://docs.mirantis.com/mcr/20.10/overview.html) (MCR) 是一种商用容器运行时，以前称为 Docker 企业版。
+你可以使用 MCR 中包含的开源 [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd) 组件将 Mirantis Container Runtime 与 Kubernetes 一起使用。
+
+<!--
+To learn more about how to install Mirantis Container Runtime, visit [MCR Deployment Guide](https://docs.mirantis.com/mcr/20.10/install.html). 
+-->
+要了解有关如何安装 Mirantis Container Runtime 的更多信息，请访问 [MCR 部署指南](https://docs.mirantis.com/mcr/20.10/install.html)。
+<!-- 
+Check the systemd unit named `cri-docker.socket` to find out the path to the CRI socket.
+-->
+检查名为 `cri-docker.socket` 的 systemd 单元以找出 CRI 套接字的路径。
+
+## {{% heading "whatsnext" %}}
+
+<!-- 
+As well as a container runtime, your cluster will need a working [network plugin](/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model).
+-->
+
+除了容器运行时，你的集群还需要有效的[网络插件](/zh-cn/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model)。
+
+
diff --git a/content/zh/docs/setup/production-environment/tools/_index.md b/content/zh-cn/docs/setup/production-environment/tools/_index.md
similarity index 100%
rename from content/zh/docs/setup/production-environment/tools/_index.md
rename to content/zh-cn/docs/setup/production-environment/tools/_index.md
diff --git a/content/zh/docs/setup/production-environment/tools/kops.md b/content/zh-cn/docs/setup/production-environment/tools/kops.md
similarity index 98%
rename from content/zh/docs/setup/production-environment/tools/kops.md
rename to content/zh-cn/docs/setup/production-environment/tools/kops.md
index 73b322da644dc..5a659817c1835 100644
--- a/content/zh/docs/setup/production-environment/tools/kops.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kops.md
@@ -47,7 +47,7 @@ kops 是一个自动化的制备系统：
 
 * You must have an [AWS account](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html), generate [IAM keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) and [configure](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration) them. The IAM user will need [adequate permissions](https://github.com/kubernetes/kops/blob/master/docs/getting_started/aws.md#setup-iam-user).
 -->
-* 你必须安装 [kubectl](/zh/docs/tasks/tools/)。 
+* 你必须安装 [kubectl](/zh-cn/docs/tasks/tools/)。 
 * 你必须安装[安装](https://github.com/kubernetes/kops#installing) `kops`
   到 64 位的（AMD64 和 Intel 64）设备架构上。
 * 你必须拥有一个 [AWS 账户](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html)，
@@ -204,7 +204,7 @@ no longer get your clusters confused, you can share clusters with your colleague
 and you can reach them without relying on remembering an IP address.
 -->
 kops 对集群名称有明显的要求：它应该是有效的 DNS 名称。这样一来，你就不会再使集群混乱，
-可以与同事明确共享集群，并且无需依赖记住 IP 地址即可访问群集。
+可以与同事明确共享集群，并且无需依赖记住 IP 地址即可访问集群。
 
 <!--
 You can, and probably should, use subdomains to divide your clusters.  As our example we will use
@@ -395,7 +395,7 @@ See the [list of add-ons](/docs/concepts/cluster-administration/addons/) to expl
 -->
 ### 探索其他附加组件
 
-请参阅[附加组件列表](/zh/docs/concepts/cluster-administration/addons/)探索其他附加组件，
+请参阅[附加组件列表](/zh-cn/docs/concepts/cluster-administration/addons/)探索其他附加组件，
 包括用于 Kubernetes 集群的日志记录、监视、网络策略、可视化和控制的工具。
 
 <!--
@@ -414,8 +414,8 @@ See the [list of add-ons](/docs/concepts/cluster-administration/addons/) to expl
 * Learn about `kops` [advanced usage](https://github.com/kubernetes/kops)
 * See the `kops` [docs](https://github.com/kubernetes/kops) section for tutorials, best practices and advanced configuration options.
 -->
-* 了解有关 Kubernetes 的[概念](/zh/docs/concepts/) 和
-  [`kubectl`](/zh/docs/reference/kubectl/) 有关的更多信息。
+* 了解有关 Kubernetes 的[概念](/zh-cn/docs/concepts/) 和
+  [`kubectl`](/zh-cn/docs/reference/kubectl/) 有关的更多信息。
 * 了解 `kops` [高级用法](https://github.com/kubernetes/kops)。
 * 请参阅 `kops` [文档](https://github.com/kubernetes/kops) 获取教程、
   最佳做法和高级配置选项。
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/_index.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/_index.md
similarity index 100%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/_index.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/_index.md
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
similarity index 96%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
index 84fd87ce69505..5fee60793a186 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
@@ -44,7 +44,7 @@ kubeadm 目前不支持对 CoreDNS 部署进行定制。
 你必须手动更新 `kube-system/coredns` {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} 
 并在更新后重新创建 CoreDNS {{< glossary_tooltip text="Pods" term_id="pod" >}}。
 或者，你可以跳过默认的 CoreDNS 部署并部署你自己的 CoreDNS 变种。
-有关更多详细信息，请参阅[在 kubeadm 中使用 init phases](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases).
+有关更多详细信息，请参阅[在 kubeadm 中使用 init phases](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases).
 {{< /note >}}
 
 {{< note >}}
@@ -53,7 +53,7 @@ To reconfigure a cluster that has already been created see
 [Reconfiguring a kubeadm cluster](/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure).
 -->
 
-要重新配置已创建的集群，请参阅[重新配置 kubeadm 集群](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure)。
+要重新配置已创建的集群，请参阅[重新配置 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure)。
 {{< /note >}}
 
 <!-- body -->
@@ -109,7 +109,7 @@ on different nodes you can use [patches](#patches).
 -->
 `ClusterConfiguration` 对象目前在 kubeadm 集群中是全局的。
 这意味着你添加的任何标志都将应用于同一组件在不同节点上的所有实例。
-要在不同节点上为每个组件应用单独的配置，您可以使用[补丁](#patches)。
+要在不同节点上为每个组件应用单独的配置，你可以使用[补丁](#patches)。
 {{< /note >}}
 
 {{< note >}}
@@ -284,7 +284,7 @@ alpha-numerically.
 -->
 - `target` 可以是 `kube-apiserver`、`kube-controller-manager`、`kube-scheduler` 和 `etcd` 之一。
 - `patchtype` 可以是 `strategy`、`merge` 或 `json` 之一，并且这些必须匹配 
-  [kubectl 支持](/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch) 的补丁格式。
+  [kubectl 支持](/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch) 的补丁格式。
   默认补丁类型是 `strategic` 的。
 - `extension` 必须是 `json` 或 `yaml`。
 - `suffix` 是一个可选字符串，可用于确定首先按字母数字应用哪些补丁。
@@ -323,13 +323,13 @@ before using them.
 kubeadm 将相同的 `KubeletConfiguration` 配置应用于集群中的所有节点。
 要应用节点特定设置，你可以使用 `kubelet` 参数进行覆盖，方法是将它们传递到 `InitConfiguration` 和 `JoinConfiguration` 
 支持的 `nodeRegistration.kubeletExtraArgs` 字段中。一些 kubelet 参数已被弃用，
-因此在使用这些参数之前，请在 [kubelet 参考文档](/zh/docs/reference/command-line-tools-reference/kubelet) 中检查它们的状态。
+因此在使用这些参数之前，请在 [kubelet 参考文档](/zh-cn/docs/reference/command-line-tools-reference/kubelet) 中检查它们的状态。
 {{< /note >}}
 
 <!--
 For more details see [Configuring each kubelet in your cluster using kubeadm](/docs/setup/production-environment/tools/kubeadm/kubelet-integration)
 -->
-更多详情，请参阅[使用 kubeadm 配置集群中的每个 kubelet](/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration)
+更多详情，请参阅[使用 kubeadm 配置集群中的每个 kubelet](/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration)
 
 <!--
 ## Customizing kube-proxy
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
similarity index 67%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
index f6364dd169bf3..6f05c91de39aa 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
@@ -1,11 +1,8 @@
 ---
-reviewers:
-- sig-cluster-lifecycle
 title: 使用 kubeadm 创建集群
 content_type: task
 weight: 30
 ---
-
 <!--
 reviewers:
 - sig-cluster-lifecycle
@@ -17,13 +14,19 @@ weight: 30
 <!-- overview -->
 
 <!--
-<img src="https://raw.githubusercontent.com/kubernetes/kubeadm/master/logos/stacked/color/kubeadm-stacked-color.png" align="right" width="150px">Using `kubeadm`, you can create a minimum viable Kubernetes cluster that conforms to best practices. In fact, you can use `kubeadm` to set up a cluster that will pass the [Kubernetes Conformance tests](https://kubernetes.io/blog/2017/10/software-conformance-certification).
-`kubeadm` also supports other cluster
-lifecycle functions, such as [bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and cluster upgrades.
+<img src="/images/kubeadm-stacked-color.png" align="right" width="150px"></img>
+Using `kubeadm`, you can create a minimum viable Kubernetes cluster that conforms to best practices.
+In fact, you can use `kubeadm` to set up a cluster that will pass the
+[Kubernetes Conformance tests](https://kubernetes.io/blog/2017/10/software-conformance-certification).
+`kubeadm` also supports other cluster lifecycle functions, such as
+[bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and cluster upgrades.
 -->
-<img src="/images/kubeadm-stacked-color.png" align="right" width="150px">使用 `kubeadm`，你能创建一个符合最佳实践的最小化 Kubernetes 集群。事实上，你可以使用 `kubeadm` 配置一个通过 [Kubernetes 一致性测试](https://kubernetes.io/blog/2017/10/software-conformance-certification) 的集群。
+<img src="/images/kubeadm-stacked-color.png" align="right" width="150px"></img>
+使用 `kubeadm`，你能创建一个符合最佳实践的最小化 Kubernetes 集群。
+事实上，你可以使用 `kubeadm` 配置一个通过
+[Kubernetes 一致性测试](https://kubernetes.io/blog/2017/10/software-conformance-certification)的集群。
 `kubeadm` 还支持其他集群生命周期功能，
-例如 [启动引导令牌](/zh/docs/reference/access-authn-authz/bootstrap-tokens/) 和集群升级。
+例如[启动引导令牌](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)和集群升级。
 
 <!--
 The `kubeadm` tool is good if you need:
@@ -49,11 +52,8 @@ as Ansible or Terraform.
 一组云服务器，Raspberry Pi 等。无论是部署到云还是本地，
 你都可以将 `kubeadm` 集成到预配置系统中，例如 Ansible 或 Terraform。
 
-
-
 ## {{% heading "prerequisites" %}}
 
-
 <!--
 To follow this guide, you need:
 
@@ -77,13 +77,13 @@ of Kubernetes that you want to use in your new cluster.
 -->
 你还需要使用可以在新集群中部署特定 Kubernetes 版本对应的 `kubeadm`。
 
-
 <!--
-[Kubernetes' version and version skew support policy](/docs/setup/release/version-skew-policy/#supported-versions) applies to `kubeadm` as well as to Kubernetes overall.
+[Kubernetes' version and version skew support policy](/docs/setup/release/version-skew-policy/#supported-versions)
+applies to `kubeadm` as well as to Kubernetes overall.
 Check that policy to learn about what versions of Kubernetes and `kubeadm`
 are supported. This page is written for Kubernetes {{< param "version" >}}.
 -->
-[Kubernetes 版本及版本倾斜支持策略](/zh/docs/setup/release/version-skew-policy/#supported-versions) 适用于 `kubeadm` 以及整个 Kubernetes。
+[Kubernetes 版本及版本偏差策略](/zh-cn/releases/version-skew-policy/#supported-versions)适用于 `kubeadm` 以及整个 Kubernetes。
 查阅该策略以了解支持哪些版本的 Kubernetes 和 `kubeadm`。
 该页面是为 Kubernetes {{< param "version" >}} 编写的。
 
@@ -102,14 +102,12 @@ Any commands under `kubeadm alpha` are, by definition, supported on an alpha lev
 根据定义，在 `kubeadm alpha` 下的所有命令均在 alpha 级别上受支持。
 {{< /note >}}
 
-
-
 <!-- steps -->
 
 <!--
 ## Objectives
 -->
-## 目标
+## 目标 {#objectives}
 
 <!--
 * Install a single control-plane Kubernetes cluster
@@ -122,17 +120,19 @@ Any commands under `kubeadm alpha` are, by definition, supported on an alpha lev
 <!--
 ## Instructions
 -->
-## 操作指南
+## 操作指南 {#instructions}
 
 <!--
-### Installing kubeadm on your hosts
+### Preparing the hosts
 -->
-### 在你的主机上安装 kubeadm
+### 主机准备 {#preparing-the-hosts}
 
 <!--
-See ["Installing kubeadm"](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
+Install a {{< glossary_tooltip term_id="container-runtime" text="container runtime" >}} and kubeadm on all the hosts.
+For detailed instructions and other prerequisites, see [Installing kubeadm](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
 -->
-查看 ["安装 kubeadm"](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)。
+在所有主机上安装 {{< glossary_tooltip term_id="container-runtime" text="容器运行时" >}} 和 kubeadm。
+详细说明和其他前提条件，请参见[安装 kubeadm](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)。
 
 <!--
 If you have already installed kubeadm, run `apt-get update &&
@@ -154,7 +154,7 @@ apt-get upgrade` 或 `yum update` 以获取 kubeadm 的最新版本。
 <!--
 ### Preparing the required container images
 -->
-### 准备所需的容器镜像
+### 准备所需的容器镜像 {#preparing-the-required-container-images}
 
 <!--
 This step is optional and only applies in case you wish `kubeadm init` and `kubeadm join`
@@ -171,17 +171,17 @@ for more details.
 这个步骤是可选的，只适用于你希望 `kubeadm init` 和 `kubeadm join` 不去下载存放在 `k8s.gcr.io` 上的默认的容器镜像的情况。
 
 当你在离线的节点上创建一个集群的时候，Kubeadm 有一些命令可以帮助你预拉取所需的镜像。
-阅读[离线运行 kubeadm](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init#custom-images)
+阅读[离线运行 kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init#custom-images)
 获取更多的详情。
 
 Kubeadm 允许你给所需要的镜像指定一个自定义的镜像仓库。
-阅读[使用自定义镜像](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init#custom-images)
+阅读[使用自定义镜像](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init#custom-images)
 获取更多的详情。
 
 <!--
 ### Initializing your control-plane node
 -->
-### 初始化控制平面节点
+### 初始化控制平面节点 {#initializing-your-control-plane-node}
 
 <!--
 The control-plane node is the machine where the control plane components run, including
@@ -203,30 +203,32 @@ for all control-plane nodes. Such an endpoint can be either a DNS name or an IP
 be passed to `kubeadm init`. Depending on which
 third-party provider you choose, you might need to set the `--pod-network-cidr` to
 a provider-specific value. See [Installing a Pod network add-on](#pod-network).
-1. (Optional) Since version 1.14, `kubeadm` tries to detect the container runtime on Linux
-by using a list of well known domain socket paths. To use different container runtime or
-if there are more than one installed on the provisioned node, specify the `--cri-socket`
-argument to `kubeadm init`. See [Installing runtime](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime).
+-->
+1. （推荐）如果计划将单个控制平面 kubeadm 集群升级成高可用，
+   你应该指定 `--control-plane-endpoint` 为所有控制平面节点设置共享端点。
+   端点可以是负载均衡器的 DNS 名称或 IP 地址。
+1. 选择一个 Pod 网络插件，并验证是否需要为 `kubeadm init` 传递参数。
+   根据你选择的第三方网络插件，你可能需要设置 `--pod-network-cidr` 的值。
+   请参阅[安装 Pod 网络附加组件](#pod-network)。
+
+<!--
+1. (Optional) `kubeadm` tries to detect the container runtime by using a list of well
+known endpoints. To use different container runtime or if there are more than one installed
+on the provisioned node, specify the `--cri-socket` argument to `kubeadm`. See
+[Installing a runtime](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime).
 1. (Optional) Unless otherwise specified, `kubeadm` uses the network interface associated
 with the default gateway to set the advertise address for this particular control-plane node's API server.
 To use a different network interface, specify the `--apiserver-advertise-address=<ip-address>` argument
 to `kubeadm init`. To deploy an IPv6 Kubernetes cluster using IPv6 addressing, you
 must specify an IPv6 address, for example `--apiserver-advertise-address=fd00::101`
 -->
-1. （推荐）如果计划将单个控制平面 kubeadm 集群升级成高可用，
-你应该指定 `--control-plane-endpoint` 为所有控制平面节点设置共享端点。
-端点可以是负载均衡器的 DNS 名称或 IP 地址。
-1. 选择一个 Pod 网络插件，并验证是否需要为 `kubeadm init` 传递参数。
-根据你选择的第三方网络插件，你可能需要设置 `--pod-network-cidr` 的值。
-请参阅 [安装Pod网络附加组件](#pod-network)。
-1. （可选）从版本1.14开始，`kubeadm` 尝试使用一系列众所周知的域套接字路径来检测 Linux 上的容器运行时。
-要使用不同的容器运行时，
-或者如果在预配置的节点上安装了多个容器，请为 `kubeadm init` 指定 `--cri-socket` 参数。
-请参阅[安装运行时](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime)。
+1. （可选）`kubeadm` 试图通过使用已知的端点列表来检测容器运行时。
+   使用不同的容器运行时或在预配置的节点上安装了多个容器运行时，请为 `kubeadm init` 指定 `--cri-socket` 参数。
+   请参阅[安装运行时](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime)。
 1. （可选）除非另有说明，否则 `kubeadm` 使用与默认网关关联的网络接口来设置此控制平面节点 API server 的广播地址。
-要使用其他网络接口，请为 `kubeadm init` 设置 `--apiserver-advertise-address=<ip-address>` 参数。
-要部署使用 IPv6 地址的 Kubernetes 集群，
-必须指定一个 IPv6 地址，例如 `--apiserver-advertise-address=fd00::101`
+   要使用其他网络接口，请为 `kubeadm init` 设置 `--apiserver-advertise-address=<ip-address>` 参数。
+   要部署使用 IPv6 地址的 Kubernetes 集群，
+   必须指定一个 IPv6 地址，例如 `--apiserver-advertise-address=fd00::101`
 
 <!--
 To initialize the control-plane node run:
@@ -240,7 +242,7 @@ kubeadm init <args>
 <!--
 ### Considerations about apiserver-advertise-address and ControlPlaneEndpoint
 -->
-### 关于 apiserver-advertise-address 和 ControlPlaneEndpoint 的注意事项
+### 关于 apiserver-advertise-address 和 ControlPlaneEndpoint 的注意事项 {#considerations-about-apiserver-advertise-address-and-controlplaneendpoint}
 
 <!--
 While `--apiserver-advertise-address` can be used to set the advertise address for this particular
@@ -262,7 +264,7 @@ Here is an example mapping:
 -->
 这是一个示例映射：
 
-```
+```console
 192.168.0.102 cluster-endpoint
 ```
 
@@ -285,22 +287,34 @@ kubeadm 不支持将没有 `--control-plane-endpoint` 参数的单个控制平
 <!--
 ### More information
 -->
-### 更多信息
+### 更多信息 {#more-information}
 
 <!--
 For more information about `kubeadm init` arguments, see the [kubeadm reference guide](/docs/reference/setup-tools/kubeadm/).
 -->
-有关 `kubeadm init` 参数的更多信息，请参见 [kubeadm 参考指南](/zh/docs/reference/setup-tools/kubeadm/)。
+有关 `kubeadm init` 参数的更多信息，请参见 [kubeadm 参考指南](/zh-cn/docs/reference/setup-tools/kubeadm/)。
 
 <!--
-To configure `kubeadm init` with a configuration file see [Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file).
+To configure `kubeadm init` with a configuration file see
+[Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file).
 -->
-要使用配置文件配置 `kubeadm init` 命令，请参见[带配置文件使用 kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)。
+要使用配置文件配置 `kubeadm init` 命令，
+请参见[带配置文件使用 kubeadm init](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)。
 
 <!--
-To customize control plane components, including optional IPv6 assignment to liveness probe for control plane components and etcd server, provide extra arguments to each component as documented in [custom arguments](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/).
+To customize control plane components, including optional IPv6 assignment to liveness probe
+for control plane components and etcd server, provide extra arguments to each component as documented in
+[custom arguments](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/).
 -->
-要自定义控制平面组件，包括可选的对控制平面组件和 etcd 服务器的活动探针提供 IPv6 支持，请参阅[自定义参数](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)。
+要自定义控制平面组件，包括可选的对控制平面组件和 etcd 服务器的活动探针提供 IPv6 支持，
+请参阅[自定义参数](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)。
+
+<!--
+To reconfigure a cluster that has already been created see
+[Reconfiguring a kubeadm cluster](/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure).
+-->
+要重新配置一个已经创建的集群，请参见
+[重新配置一个 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure)。
 
 <!--
 To run `kubeadm init` again, you must first [tear down the cluster](#tear-down).
@@ -314,7 +328,6 @@ have container image support for this architecture.
 如果将具有不同架构的节点加入集群，
 请确保已部署的 DaemonSet 对这种体系结构具有容器镜像支持。
 
-
 <!--
 `kubeadm init` first runs a series of prechecks to ensure that the machine
 is ready to run Kubernetes. These prechecks expose warnings and exit on errors. `kubeadm init`
@@ -352,7 +365,6 @@ also part of the `kubeadm init` output:
 要使非 root 用户可以运行 kubectl，请运行以下命令，
 它们也是 `kubeadm init` 输出的一部分：
 
-
 ```bash
 mkdir -p $HOME/.kube
 sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
@@ -373,13 +385,15 @@ export KUBECONFIG=/etc/kubernetes/admin.conf
 Kubeadm signs the certificate in the `admin.conf` to have `Subject: O = system:masters, CN = kubernetes-admin`.
 `system:masters` is a break-glass, super user group that bypasses the authorization layer (e.g. RBAC).
 Do not share the `admin.conf` file with anyone and instead grant users custom permissions by generating
-them a kubeconfig file using the `kubeadm kubeconfig user` command.
+them a kubeconfig file using the `kubeadm kubeconfig user` command. For more details see
+[Generating kubeconfig files for additional users](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users).
 -->
 kubeadm 对 `admin.conf` 中的证书进行签名时，将其配置为
 `Subject: O = system:masters, CN = kubernetes-admin`。
 `system:masters` 是一个例外的、超级用户组，可以绕过鉴权层（例如 RBAC）。
 不要将 `admin.conf` 文件与任何人共享，应该使用 `kubeadm kubeconfig user`
 命令为其他用户生成 kubeconfig 文件，完成对他们的定制授权。
+更多细节请参见[为其他用户生成 kubeconfig 文件](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users)。
 {{< /warning >}}
 
 <!--
@@ -400,8 +414,7 @@ created, and deleted with the `kubeadm token` command. See the
 这里包含的令牌是密钥。确保它的安全，
 因为拥有此令牌的任何人都可以将经过身份验证的节点添加到你的集群中。
 可以使用 `kubeadm token` 命令列出，创建和删除这些令牌。
-请参阅 [kubeadm 参考指南](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/)。
-
+请参阅 [kubeadm 参考指南](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/)。
 
 <!--
 ### Installing a Pod network add-on {#pod-network}
@@ -449,7 +462,7 @@ Cluster DNS (CoreDNS) will not start up before a network is installed.**
   Make sure that your Pod network plugin supports RBAC, and so do any manifests
   that you use to deploy it.
 -->
-- 默认情况下，`kubeadm` 将集群设置为使用和强制使用 [RBAC](/zh/docs/reference/access-authn-authz/rbac/)（基于角色的访问控制）。
+- 默认情况下，`kubeadm` 将集群设置为使用和强制使用 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)（基于角色的访问控制）。
   确保你的 Pod 网络插件支持 RBAC，以及用于部署它的 manifests 也是如此。
 
 <!--
@@ -478,13 +491,13 @@ kubeadm 应该是与 CNI 无关的，对 CNI 驱动进行验证目前不在我
 Several external projects provide Kubernetes Pod networks using CNI, some of which also
 support [Network Policy](/docs/concepts/services-networking/network-policies/).
 -->
-一些外部项目为 Kubernetes 提供使用 CNI 的 Pod 网络，其中一些还支持[网络策略](/zh/docs/concepts/services-networking/network-policies/)。
+一些外部项目为 Kubernetes 提供使用 CNI 的 Pod 网络，其中一些还支持[网络策略](/zh-cn/docs/concepts/services-networking/network-policies/)。
 
 <!--
 See a list of add-ons that implement the
 [Kubernetes networking model](/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model).
 -->
-请参阅实现 [Kubernetes 网络模型](/zh/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model) 的附加组件列表。
+请参阅实现 [Kubernetes 网络模型](/zh-cn/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model)的附加组件列表。
 
 <!--
 You can install a Pod network add-on with the following command on the
@@ -506,7 +519,7 @@ Once a Pod network has been installed, you can confirm that it is working by
 checking that the CoreDNS Pod is `Running` in the output of `kubectl get pods --all-namespaces`.
 And once the CoreDNS Pod is up and running, you can continue by joining your nodes.
 -->
-安装 Pod 网络后，您可以通过在 `kubectl get pods --all-namespaces` 输出中检查 CoreDNS Pod 是否 `Running` 来确认其是否正常运行。
+安装 Pod 网络后，你可以通过在 `kubectl get pods --all-namespaces` 输出中检查 CoreDNS Pod 是否 `Running` 来确认其是否正常运行。
 一旦 CoreDNS Pod 启用并运行，你就可以继续加入节点。
 
 <!--
@@ -514,46 +527,75 @@ If your network is not working or CoreDNS is not in the `Running` state, check o
 [troubleshooting guide](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)
 for `kubeadm`.
 -->
-如果您的网络无法正常工作或 CoreDNS 不在“运行中”状态，请查看 `kubeadm` 的
-[故障排除指南](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)。
+如果你的网络无法正常工作或 CoreDNS 不在“运行中”状态，请查看 `kubeadm` 的
+[故障排除指南](/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)。
+
+<!--
+### Managed node labels
+-->
 
+### 托管节点标签   {#managed-node-labels}
+
+<!--
+By default, kubeadm enables the [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
+admission controller that restricts what labels can be self-applied by kubelets on node registration.
+The admission controller documentation covers what labels are permitted to be used with the kubelet `--node-labels` option.
+The `node-role.kubernetes.io/control-plane` label is such a restricted label and kubeadm manually applies it using
+a privileged client after a node has been created. To do that manually you can do the same by using `kubectl label`
+and ensure it is using a privileged kubeconfig such as the kubeadm managed `/etc/kubernetes/admin.conf`.
+-->
+默认情况下，kubeadm 启用 [NodeRestriction](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
+准入控制器来限制 kubelets 在节点注册时可以应用哪些标签。准入控制器文档描述 kubelet `--node-labels` 选项允许使用哪些标签。
+其中 `node-role.kubernetes.io/control-plane` 标签就是这样一个受限制的标签，
+kubeadm 在节点创建后使用特权客户端手动应用此标签。
+你可以使用一个有特权的 kubeconfig，比如由 kubeadm 管理的 `/etc/kubernetes/admin.conf`，
+通过执行 `kubectl label` 来手动完成操作。
 
 <!--
 ### Control plane node isolation
 -->
-### 控制平面节点隔离
+### 控制平面节点隔离 {#control-plane-node-isolation}
 
 <!--
-By default, your cluster will not schedule Pods on the control-plane node for security
-reasons. If you want to be able to schedule Pods on the control-plane node, for example for a
-single-machine Kubernetes cluster for development, run:
+By default, your cluster will not schedule Pods on the control plane nodes for security
+reasons. If you want to be able to schedule Pods on the control plane nodes,
+for example for a single machine Kubernetes cluster, run:
 -->
 默认情况下，出于安全原因，你的集群不会在控制平面节点上调度 Pod。
-如果你希望能够在控制平面节点上调度 Pod，
-例如用于开发的单机 Kubernetes 集群，请运行：
+如果你希望能够在控制平面节点上调度 Pod，例如单机 Kubernetes 集群，请运行:
 
 ```bash
-kubectl taint nodes --all node-role.kubernetes.io/master-
+kubectl taint nodes --all node-role.kubernetes.io/control-plane- node-role.kubernetes.io/master-
 ```
 <!--
-With output looking something like:
+The output will look something like:
 -->
 输出看起来像：
 
-```
+```console
 node "test-01" untainted
-taint "node-role.kubernetes.io/master:" not found
-taint "node-role.kubernetes.io/master:" not found
 ```
 
 <!--
-This will remove the `node-role.kubernetes.io/master` taint from any nodes that
-have it, including the control-plane node, meaning that the scheduler will then be able
+This will remove the `node-role.kubernetes.io/control-plane` and
+`node-role.kubernetes.io/master` taints from any nodes that have them,
+including the control plane nodes, meaning that the scheduler will then be able
 to schedule Pods everywhere.
 -->
-这将从任何拥有 `node-role.kubernetes.io/master` taint 标记的节点中移除该标记，
+这将从任何拥有 `node-role.kubernetes.io/control-plane` 和
+`node-role.kubernetes.io/master` 污点的节点上移除该污点。
+
 包括控制平面节点，这意味着调度程序将能够在任何地方调度 Pods。
 
+<!--
+{{< note >}}
+The `node-role.kubernetes.io/master` taint is deprecated and kubeadm will stop using it in version 1.25.
+{{< /note >}}
+-->
+
+{{< note >}}
+`node-role.kubernetes.io/master` 污点已被废弃，kubeadm 将在 1.25 版本中停止使用它。
+{{< /note >}}
 
 <!--
 ### Joining your nodes {#join-nodes}
@@ -572,18 +614,17 @@ The nodes are where your workloads (containers and Pods, etc) run. To add new no
 -->
 * SSH 到机器
 * 成为 root （例如 `sudo su -`）
-* 运行 `kubeadm init` 输出的命令。例如：
+* 运行 `kubeadm init` 输出的命令，例如：
 
-```bash
-kubeadm join --token <token> <control-plane-host>:<control-plane-port> --discovery-token-ca-cert-hash sha256:<hash>
-```
+  ```bash
+  kubeadm join --token <token> <control-plane-host>:<control-plane-port> --discovery-token-ca-cert-hash sha256:<hash>
+  ```
 
 <!--
 If you do not have the token, you can get it by running the following command on the control-plane node:
 -->
 如果没有令牌，可以通过在控制平面节点上运行以下命令来获取令牌：
 
-
 ```bash
 kubeadm token list
 ```
@@ -605,10 +646,9 @@ TOKEN                    TTL  EXPIRES              USAGES           DESCRIPTION
 By default, tokens expire after 24 hours. If you are joining a node to the cluster after the current token has expired,
 you can create a new token by running the following command on the control-plane node:
 -->
-默认情况下，令牌会在24小时后过期。如果要在当前令牌过期后将节点加入集群，
+默认情况下，令牌会在 24 小时后过期。如果要在当前令牌过期后将节点加入集群，
 则可以通过在控制平面节点上运行以下命令来创建新令牌：
 
-
 ```bash
 kubeadm token create
 ```
@@ -652,7 +692,7 @@ The output should look something like:
 -->
 输出应类似于：
 
-```
+```console
 [preflight] Running pre-flight checks
 
 ... (log output of join workflow) ...
@@ -672,11 +712,10 @@ nodes` when run on the control-plane node.
 几秒钟后，当你在控制平面节点上执行 `kubectl get nodes`，你会注意到该节点出现在输出中。
 
 <!--
-As the cluster nodes are usually initialized sequentially, the CoreDNS Pods are likely to all run 
-on the first control-plane node. To provide higher availability, please rebalance the CoreDNS Pods 
+As the cluster nodes are usually initialized sequentially, the CoreDNS Pods are likely to all run
+on the first control-plane node. To provide higher availability, please rebalance the CoreDNS Pods
 with `kubectl -n kube-system rollout restart deployment coredns` after at least one new node is joined.
 -->
-
 {{< note >}}
 由于集群节点通常是按顺序初始化的，CoreDNS Pods 很可能都运行在第一个控制面节点上。
 为了提供更高的可用性，请在加入至少一个新节点后
@@ -686,7 +725,7 @@ with `kubectl -n kube-system rollout restart deployment coredns` after at least
 <!--
 ### (Optional) Controlling your cluster from machines other than the control-plane node
 -->
-### （可选）从控制平面节点以外的计算机控制集群
+### （可选）从控制平面节点以外的计算机控制集群 {#optional-controlling-your-cluster-from-machines-other-than-the-control-plane-node}
 
 <!--
 In order to get a kubectl on some other computer (e.g. laptop) to talk to your
@@ -714,8 +753,8 @@ should save to a file and distribute to your user. After that, grant
 privileges by using `kubectl create (cluster)rolebinding`.
 -->
 {{< note >}}
-上面的示例假定为 root 用户启用了SSH访问。如果不是这种情况，
-你可以使用 `scp` 将 admin.conf 文件复制给其他允许访问的用户。
+上面的示例假定为 root 用户启用了 SSH 访问。如果不是这种情况，
+你可以使用 `scp` 将 `admin.conf` 文件复制给其他允许访问的用户。
 
 admin.conf 文件为用户提供了对集群的超级用户特权。
 该文件应谨慎使用。对于普通用户，建议生成一个你为其授予特权的唯一证书。
@@ -727,7 +766,7 @@ admin.conf 文件为用户提供了对集群的超级用户特权。
 <!--
 ### (Optional) Proxying API Server to localhost
 -->
-### （可选）将API服务器代理到本地主机
+### （可选）将 API 服务器代理到本地主机 {#optional-proxying-api-server-to-localhost}
 
 <!--
 If you want to connect to the API Server from outside the cluster you can use
@@ -742,7 +781,7 @@ kubectl --kubeconfig ./admin.conf proxy
 <!--
 You can now access the API Server locally at `http://localhost:8001/api/v1`
 -->
-你现在可以在本地访问API服务器 http://localhost:8001/api/v1
+你现在可以在本地访问 API 服务器 `http://localhost:8001/api/v1`。
 
 <!--
 ## Clean up {#tear-down}
@@ -762,15 +801,14 @@ However, if you want to deprovision your cluster more cleanly, you should
 first [drain the node](/docs/reference/generated/kubectl/kubectl-commands#drain)
 and make sure that the node is empty, then deconfigure the node.
 -->
-但是，如果要更干净地取消配置群集，
+但是，如果要更干净地取消配置集群，
 则应首先[清空节点](/docs/reference/generated/kubectl/kubectl-commands#drain)并确保该节点为空，
 然后取消配置该节点。
 
-
 <!--
 ### Remove the node
 -->
-### 删除节点
+### 删除节点 {#remove-the-node}
 
 <!--
 Talking to the control-plane node with the appropriate credentials, run:
@@ -817,7 +855,7 @@ kubectl delete node <node name>
 ```
 
 <!--
-If you wish to start over simply run `kubeadm init` or `kubeadm join` with the
+If you wish to start over, run `kubeadm init` or `kubeadm join` with the
 appropriate arguments.
 -->
 如果你想重新开始，只需运行 `kubeadm init` 或 `kubeadm join` 并加上适当的参数。
@@ -825,7 +863,7 @@ appropriate arguments.
 <!--
 ### Clean up the control plane
 -->
-### 清理控制平面
+### 清理控制平面 {#clean-up-the-control-plane}
 
 <!--
 You can use `kubeadm reset` on the control plane host to trigger a best-effort
@@ -838,8 +876,7 @@ See the [`kubeadm reset`](/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
 reference documentation for more information about this subcommand and its
 options.
 -->
-有关此子命令及其选项的更多信息，请参见[`kubeadm reset`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)参考文档。
-
+有关此子命令及其选项的更多信息，请参见 [`kubeadm reset`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 参考文档。
 
 <!-- discussion -->
 
@@ -852,8 +889,8 @@ options.
 * Verify that your cluster is running properly with [Sonobuoy](https://github.com/heptio/sonobuoy)
 * <a id="lifecycle" />See [Upgrading kubeadm clusters](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
   for details about upgrading your cluster using `kubeadm`.
-* Learn about advanced `kubeadm` usage in the [kubeadm reference documentation](/docs/reference/setup-tools/kubeadm)
-* Learn more about Kubernetes [concepts](/docs/concepts/) and [`kubectl`](/docs/reference/kubectl/overview/).
+* Learn about advanced `kubeadm` usage in the [kubeadm reference documentation](/docs/reference/setup-tools/kubeadm/)
+* Learn more about Kubernetes [concepts](/docs/concepts/) and [`kubectl`](/docs/reference/kubectl/).
 * See the [Cluster Networking](/docs/concepts/cluster-administration/networking/) page for a bigger list
   of Pod network add-ons.
 * <a id="other-addons" />See the [list of add-ons](/docs/concepts/cluster-administration/addons/) to
@@ -865,15 +902,15 @@ options.
   an overview of what is involved.
 -->
 * 使用 [Sonobuoy](https://github.com/heptio/sonobuoy) 验证集群是否正常运行。
-* <a id="lifecycle"/>有关使用 kubeadm 升级集群的详细信息，请参阅[升级 kubeadm 集群](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)。
-* 在 [kubeadm 参考文档](/zh/docs/reference/setup-tools/kubeadm)中了解有关高级 `kubeadm` 用法的信息。
-* 了解有关 Kubernetes [概念](/zh/docs/concepts/)和 [`kubectl`](/zh/docs/reference/kubectl/overview/) 的更多信息。
-* 有关 Pod 网络附加组件的更多列表，请参见[集群网络](/zh/docs/concepts/cluster-administration/networking/)页面。
-* <a id="other-addons" />请参阅[附加组件列表](/zh/docs/concepts/cluster-administration/addons/)以探索其他附加组件，
+* <a id="lifecycle"/>有关使用 kubeadm 升级集群的详细信息，请参阅[升级 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)。
+* 在 [kubeadm 参考文档](/zh-cn/docs/reference/setup-tools/kubeadm/)中了解有关 `kubeadm` 进阶用法的信息。
+* 了解有关 Kubernetes [概念](/zh-cn/docs/concepts/)和 [`kubectl`](/zh-cn/docs/reference/kubectl/)的更多信息。
+* 有关 Pod 网络附加组件的更多列表，请参见[集群网络](/zh-cn/docs/concepts/cluster-administration/networking/)页面。
+* <a id="other-addons" />请参阅[附加组件列表](/zh-cn/docs/concepts/cluster-administration/addons/)以探索其他附加组件，
   包括用于 Kubernetes 集群的日志记录，监视，网络策略，可视化和控制的工具。
 * 配置集群如何处理集群事件的日志以及
    在 Pods 中运行的应用程序。
-  有关所涉及内容的概述，请参见[日志架构](/zh/docs/concepts/cluster-administration/logging/)。
+  有关所涉及内容的概述，请参见[日志架构](/zh-cn/docs/concepts/cluster-administration/logging/)。
 
 <!--
 ### Feedback {#feedback}
@@ -890,8 +927,8 @@ options.
 * SIG Cluster Lifecycle mailing list:
   [kubernetes-sig-cluster-lifecycle](https://groups.google.com/forum/#!forum/kubernetes-sig-cluster-lifecycle)
 -->
-* 有关 bugs, 访问 [kubeadm GitHub issue tracker](https://github.com/kubernetes/kubeadm/issues)
-* 有关支持, 访问
+* 有关漏洞，访问 [kubeadm GitHub issue tracker](https://github.com/kubernetes/kubeadm/issues)
+* 有关支持，访问
   [#kubeadm](https://kubernetes.slack.com/messages/kubeadm/) Slack 频道
 * General SIG 集群生命周期开发 Slack 频道:
   [#sig-cluster-lifecycle](https://kubernetes.slack.com/messages/sig-cluster-lifecycle/)
@@ -899,44 +936,133 @@ options.
 * SIG 集群生命周期邮件列表:
   [kubernetes-sig-cluster-lifecycle](https://groups.google.com/forum/#!forum/kubernetes-sig-cluster-lifecycle)
 
-
 <!--
 ## Version skew policy {#version-skew-policy}
 -->
-## 版本倾斜政策 {#version-skew-policy}
+## 版本偏差策略 {#version-skew-policy}
 
 <!--
-The `kubeadm` tool of version v{{< skew latestVersion >}} may deploy clusters with a control plane of version v{{< skew latestVersion >}} or v{{< skew prevMinorVersion >}}.
-`kubeadm` v{{< skew latestVersion >}} can also upgrade an existing kubeadm-created cluster of version v{{< skew prevMinorVersion >}}.
+While kubeadm allows version skew against some components that it manages, it is recommended that you
+match the kubeadm version with the versions of the control plane components, kube-proxy and kubelet.
 -->
-版本 v{{< skew latestVersion >}} 的kubeadm 工具可以使用版本 v{{< skew latestVersion >}} 或 v{{< skew prevMinorVersion >}} 的控制平面部署集群。kubeadm v{{< skew latestVersion >}} 还可以升级现有的 kubeadm 创建的 v{{< skew prevMinorVersion >}} 版本的集群。
+虽然 kubeadm 允许所管理的组件有一定程度的版本偏差，
+但是建议你将 kubeadm 的版本与控制平面组件、kube-proxy 和 kubelet 的版本相匹配。
 
 <!--
-Due to that we can't see into the future, kubeadm CLI v{{< skew latestVersion >}} may or may not be able to deploy v{{< skew nextMinorVersion >}} clusters.
+### kubeadm's skew against the Kubernetes version
 -->
-由于我们不能预见未来，kubeadm CLI v{{< skew latestVersion >}} 可能会或可能无法部署 v{{< skew nextMinorVersion >}} 集群。
+
+### kubeadm 中的 Kubernetes 版本偏差 {#kubeadm-s-skew-against-the-kubernetes-version}
 
 <!--
-These resources provide more information on supported version skew between kubelets and the control plane, and other Kubernetes components:
+kubeadm can be used with Kubernetes components that are the same version as kubeadm
+or one version older. The Kubernetes version can be specified to kubeadm by using the
+`--kubernetes-version` flag of `kubeadm init` or the
+[`ClusterConfiguration.kubernetesVersion`](/docs/reference/config-api/kubeadm-config.v1beta3/)
+field when using `--config`. This option will control the versions
+of kube-apiserver, kube-controller-manager, kube-scheduler and kube-proxy.
 -->
-这些资源提供了有关 kubelet 与控制平面以及其他 Kubernetes 组件之间受支持的版本倾斜的更多信息：
+kubeadm 可以与 Kubernetes 组件一起使用，这些组件的版本与 kubeadm 相同，或者比它大一个版本。
+Kubernetes 版本可以通过使用 `--kubeadm init` 的 `--kubernetes-version` 标志或使用 `--config` 时的
+[`ClusterConfiguration.kubernetesVersion`](/zh-cn/docs/reference/configapi/kubeadm-config.v1beta3/)
+字段指定给 kubeadm。
+这个选项将控制 kube-apiserver、kube-controller-manager、kube-scheduler 和 kube-proxy 的版本。
 
 <!--
-* Kubernetes [version and version-skew policy](/docs/setup/release/version-skew-policy/)
-* Kubeadm-specific [installation guide](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl)
+Example:
+* kubeadm is at {{< skew currentVersion >}}
+* `kubernetesVersion` must be at {{< skew currentVersion >}} or {{< skew currentVersionAddMinor -1 >}}
 -->
-* Kubernetes [版本和版本偏斜政策](/zh/docs/setup/release/version-skew-policy/)
-* Kubeadm-specific [安装指南](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl)
+例子：
 
+* kubeadm 的版本为 {{< skew currentVersion >}}。
+* `kubernetesVersion` 必须为 {{< skew currentVersion >}} 或者 {{< skew currentVersionAddMinor -1 >}}。
 
 <!--
-## Limitations {#limitations}
+### kubeadm's skew against the kubelet
 -->
-## 局限性 {#limitations}
+### kubeadm 中 kubelet 的版本偏差 {#kubeadm-s-skew-against-the-kubelet}
+
+<!--
+Similarly to the Kubernetes version, kubeadm can be used with a kubelet version that is the same
+version as kubeadm or one version older.
+-->
+与 Kubernetes 版本类似，kubeadm 可以使用与 kubeadm 相同版本的 kubelet，
+或者比 kubeadm 老一个版本的 kubelet。
+
+<!--
+Example:
+* kubeadm is at {{< skew currentVersion >}}
+* kubelet on the host must be at {{< skew currentVersion >}} or {{< skew currentVersionAddMinor -1 >}}
+-->
+例子：
+
+* kubeadm 的版本为 {{< skew currentVersion >}}。
+* 主机上的 kubelet 必须为 {{< skew currentVersion >}} 或者 {{< skew currentVersionAddMinor -1 >}}。
+
+<!--
+### kubeadm's skew against kubeadm
+-->
+### kubeadm 支持的 kubeadm 的版本偏差 {#kubeadm-s-skew-against-kubeadm}
+
+<!--
+There are certain limitations on how kubeadm commands can operate on existing nodes or whole clusters
+managed by kubeadm.
+-->
+kubeadm 命令在现有节点或由 kubeadm 管理的整个集群上的操作有一定限制。
 
 <!--
+If new nodes are joined to the cluster, the kubeadm binary used for `kubeadm join` must match
+the last version of kubeadm used to either create the cluster with `kubeadm init` or to upgrade
+the same node with `kubeadm upgrade`. Similar rules apply to the rest of the kubeadm commands
+with the exception of `kubeadm upgrade`.
+-->
+如果新的节点加入到集群中，用于 `kubeadm join` 的 kubeadm 二进制文件必须与用 `kubeadm init`
+创建集群或用 `kubeadm upgrade` 升级同一节点时所用的 kubeadm 版本一致。
+类似的规则适用于除了 `kubeadm upgrade` 以外的其他 kubeadm 命令。
+
+<!--
+Example for `kubeadm join`:
+* kubeadm version {{< skew currentVersion >}} was used to create a cluster with `kubeadm init`
+* Joining nodes must use a kubeadm binary that is at version {{< skew currentVersion >}}
+-->
+`kubeadm join` 的例子：
+
+* 使用 `kubeadm init` 创建集群时使用版本为 {{< skew currentVersion >}} 的 kubeadm。
+* 添加节点所用的 kubeadm 可执行文件为版本 {{< skew currenttVersion >}}。
+
+<!--
+Nodes that are being upgraded must use a version of kubeadm that is the same MINOR
+version or one MINOR version newer than the version of kubeadm used for managing the
+node.
+-->
+对于正在升级的节点，所使用的的 kubeadm 必须与管理该节点的 kubeadm 具有相同的
+MINOR 版本或比后者新一个 MINOR 版本。
+
+<!--
+Example for `kubeadm upgrade`:
+* kubeadm version {{< skew currentVersionAddMinor -1 >}} was used to create or upgrade the node
+* The version of kubeadm used for upgrading the node must be at {{< skew currentVersionAddMinor -1 >}}
+or {{< skew currentVersion >}}
+-->
+`kubeadm upgrade` 的例子:
+* 用于创建或升级节点的 kubeadm 版本为 {{< skew currentVersionAddMinor -1 >}}。
+* 用于升级节点的 kubeadm 版本必须为 {{< skew currentVersionAddMinor -1 >}} 或 {{< skew currentVersion >}}。
+
+<!--
+To learn more about the version skew between the different Kubernetes component see
+the [Version Skew Policy](https://kubernetes.io/releases/version-skew-policy/).
+-->
+要了解更多关于不同 Kubernetes 组件之间的版本偏差，请参见
+[版本偏差策略](/zh-cn/releases/version-skew-policy/)。
+
+<!--
+## Limitations {#limitations}
+
 ### Cluster resilience {#resilience}
 -->
+## 局限性 {#limitations}
+
 ### 集群弹性 {#resilience}
 
 <!--
@@ -944,14 +1070,13 @@ The cluster created here has a single control-plane node, with a single etcd dat
 running on it. This means that if the control-plane node fails, your cluster may lose
 data and may need to be recreated from scratch.
 -->
-
 此处创建的集群具有单个控制平面节点，运行单个 etcd 数据库。
 这意味着如果控制平面节点发生故障，你的集群可能会丢失数据并且可能需要从头开始重新创建。
 
 <!--
 Workarounds:
 -->
-解决方法:
+解决方法：
 
 <!--
 * Regularly [back up etcd](https://coreos.com/etcd/docs/latest/admin_guide.html). The
@@ -966,8 +1091,8 @@ Workarounds:
   topology that provides [high-availability](/docs/setup/production-environment/tools/kubeadm/high-availability/).
 -->
 * 使用多个控制平面节点。你可以阅读
-  [可选的高可用性拓扑](/zh/docs/setup/production-environment/tools/kubeadm/ha-topology/) 选择集群拓扑提供的
-  [高可用性](/zh/docs/setup/production-environment/tools/kubeadm/high-availability/).
+  [可选的高可用性拓扑](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/)选择集群拓扑提供的
+  [高可用性](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/)。
 
 <!--
 ### Platform compatibility {#multi-platform}
@@ -977,9 +1102,10 @@ Workarounds:
 <!--
 kubeadm deb/rpm packages and binaries are built for amd64, arm (32-bit), arm64, ppc64le, and s390x
 following the [multi-platform
-proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/multi-platform.md).
+proposal](https://git.k8s.io/design-proposals-archive/multi-platform.md).
 -->
-kubeadm deb/rpm 软件包和二进制文件是为 amd64，arm (32-bit)，arm64，ppc64le 和 s390x 构建的遵循[多平台提案](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/multi-platform.md)。
+kubeadm deb/rpm 软件包和二进制文件是为 amd64、arm (32-bit)、arm64、ppc64le 和 s390x
+构建的遵循[多平台提案](https://git.k8s.io/design-proposals-archive/multi-platform.md)。
 
 <!--
 Multiplatform container images for the control plane and addons are also supported since v1.12.
@@ -991,7 +1117,8 @@ Only some of the network providers offer solutions for all platforms. Please con
 network providers above or the documentation from each provider to figure out whether the provider
 supports your chosen platform.
 -->
-只有一些网络提供商为所有平台提供解决方案。请查阅上方的网络提供商清单或每个提供商的文档以确定提供商是否支持你选择的平台。
+只有一些网络提供商为所有平台提供解决方案。
+请查阅上方的网络提供商清单或每个提供商的文档以确定提供商是否支持你选择的平台。
 
 <!--
 ## Troubleshooting {#troubleshooting}
@@ -1001,5 +1128,5 @@ supports your chosen platform.
 <!--
 If you are running into difficulties with kubeadm, please consult our [troubleshooting docs](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/).
 -->
-
-如果你在使用 kubeadm 时遇到困难，请查阅我们的[故障排除文档](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)。
+如果你在使用 kubeadm 时遇到困难，
+请查阅我们的[故障排除文档](/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)。
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/dual-stack-support.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support.md
similarity index 92%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/dual-stack-support.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support.md
index 987b392fee19a..201e0e01340ef 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/dual-stack-support.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support.md
@@ -19,7 +19,7 @@ min-kubernetes-server-version: 1.21
 <!--
 Your Kubernetes cluster includes [dual-stack](/docs/concepts/services-networking/dual-stack/) networking, which means that cluster networking lets you use either address family. In a cluster, the control plane can assign both an IPv4 address and an IPv6 address to a single {{< glossary_tooltip text="Pod" term_id="pod" >}} or a {{< glossary_tooltip text="Service" term_id="service" >}}.
 -->
-你的集群包含[双协议栈](/zh/docs/concepts/services-networking/dual-stack/)组网支持，
+你的集群包含[双协议栈](/zh-cn/docs/concepts/services-networking/dual-stack/)组网支持，
 这意味着集群网络允许你在两种地址族间任选其一。在集群中，控制面可以为同一个
 {{< glossary_tooltip text="Pod" term_id="pod" >}} 或者 {{< glossary_tooltip text="Service" term_id="service" >}}
 同时赋予 IPv4 和 IPv6 地址。
@@ -31,7 +31,7 @@ Your Kubernetes cluster includes [dual-stack](/docs/concepts/services-networking
 <!--
 You need to have installed the {{< glossary_tooltip text="kubeadm" term_id="kubeadm" >}} tool, following the steps from [Installing kubeadm](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
 -->
-你需要已经遵从[安装 kubeadm](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)
+你需要已经遵从[安装 kubeadm](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)
 中所给的步骤安装了 {{< glossary_tooltip text="kubeadm" term_id="kubeadm" >}} 工具。
 
 <!--
@@ -86,7 +86,7 @@ To make things clearer, here is an example kubeadm
 `kubeadm-config.yaml` for the primary dual-stack control plane node.
 -->
 为了更便于理解，参看下面的名为 `kubeadm-config.yaml` 的 kubeadm
-[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)，
+[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)，
 该文件用于双协议栈控制面的主控制节点。
 
 ```yaml
@@ -126,7 +126,7 @@ kubeadm init --config=kubeadm-config.yaml
 The kube-controller-manager flags `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6` are set with default values. See [configure IPv4/IPv6 dual stack](/docs/concepts/services-networking/dual-stack#configure-ipv4-ipv6-dual-stack).
 -->
 kube-controller-manager 标志 `--node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6`
-是使用默认值来设置的。参见[配置 IPv4/IPv6 双协议栈](/zh/docs/concepts/services-networking/dual-stack#configure-ipv4-ipv6-dual-stack)。
+是使用默认值来设置的。参见[配置 IPv4/IPv6 双协议栈](/zh-cn/docs/concepts/services-networking/dual-stack#configure-ipv4-ipv6-dual-stack)。
 
 {{< note >}}
 <!--
@@ -148,7 +148,7 @@ Here is an example kubeadm [configuration file](/docs/reference/config-api/kubea
 在添加节点之前，请确保该节点具有 IPv6 可路由的网络接口并且启用了 IPv6 转发。
 
 下面的名为 `kubeadm-config.yaml` 的 kubeadm
-[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)
+[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)
 示例用于向集群中添加工作节点。
 
 ```yaml
@@ -171,7 +171,7 @@ Also, here is an example kubeadm [configuration file](/docs/reference/config-api
 `kubeadm-config.yaml` for joining another control plane node to the cluster.
 -->
 下面的名为 `kubeadm-config.yaml` 的 kubeadm
-[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)
+[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)
 示例用于向集群中添加另一个控制面节点。
 
 ```yaml
@@ -224,7 +224,7 @@ To make things more clear, here is an example kubeadm
 `kubeadm-config.yaml` for the single-stack control plane node.
 -->
 为了更便于理解，参看下面的名为 `kubeadm-config.yaml` 的 kubeadm
-[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)示例，
+[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)示例，
 该文件用于单协议栈控制面节点。
 
 ```yaml
@@ -242,7 +242,7 @@ networking:
 * Read about [Dual-stack](/docs/concepts/services-networking/dual-stack/) cluster networking
 * Learn more about the kubeadm [configuration format](/docs/reference/config-api/kubeadm-config.v1beta3/)
 -->
-* [验证 IPv4/IPv6 双协议栈](/zh/docs/tasks/network/validate-dual-stack)联网
-* 阅读[双协议栈](/zh/docs/concepts/services-networking/dual-stack/)集群网络
+* [验证 IPv4/IPv6 双协议栈](/zh-cn/docs/tasks/network/validate-dual-stack)联网
+* 阅读[双协议栈](/zh-cn/docs/concepts/services-networking/dual-stack/)集群网络
 * 进一步了解 kubeadm [配置格式](/docs/reference/config-api/kubeadm-config.v1beta3/)
 
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/ha-topology.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology.md
similarity index 62%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/ha-topology.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology.md
index 278cadea23cda..4110bdd673794 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/ha-topology.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology.md
@@ -1,18 +1,14 @@
 ---
-reviewers:
-- sig-cluster-lifecycle
 title: 高可用拓扑选项
 content_type: concept
 weight: 50
 ---
 <!--
----
 reviewers:
 - sig-cluster-lifecycle
 title: Options for Highly Available Topology
 content_type: concept
 weight: 50
----
 -->
 
 <!-- overview -->
@@ -20,12 +16,12 @@ weight: 50
 <!--
 This page explains the two options for configuring the topology of your highly available (HA) Kubernetes clusters.
 -->
-本页面介绍了配置高可用（HA） Kubernetes 集群拓扑的两个选项。
+本页面介绍了配置高可用（HA）Kubernetes 集群拓扑的两个选项。
 
 <!--
 You can set up an HA cluster:
 -->
-您可以设置 HA 集群：
+你可以设置 HA 集群：
 
 <!--
 - With stacked control plane nodes, where etcd nodes are colocated with control plane nodes
@@ -37,15 +33,15 @@ You can set up an HA cluster:
 <!--
 You should carefully consider the advantages and disadvantages of each topology before setting up an HA cluster.
 -->
-在设置 HA 集群之前，您应该仔细考虑每种拓扑的优缺点。
+在设置 HA 集群之前，你应该仔细考虑每种拓扑的优缺点。
 
+{{< note >}}
 <!--
 kubeadm bootstraps the etcd cluster statically. Read the etcd [Clustering Guide](https://github.com/etcd-io/etcd/blob/release-3.4/Documentation/op-guide/clustering.md#static)
 for more details.
 -->
-
-{{< note >}}
-kubeadm 静态引导 etcd 集群。 阅读 etcd [集群指南](https://github.com/etcd-io/etcd/blob/release-3.4/Documentation/op-guide/clustering.md#static)以获得更多详细信息。
+kubeadm 静态引导 etcd 集群。
+阅读 etcd [集群指南](https://github.com/etcd-io/etcd/blob/release-3.4/Documentation/op-guide/clustering.md#static)以获得更多详细信息。
 {{< /note >}}
 
 
@@ -55,17 +51,20 @@ kubeadm 静态引导 etcd 集群。 阅读 etcd [集群指南](https://github.co
 <!--
 ## Stacked etcd topology
 -->
-## 堆叠（Stacked） etcd 拓扑
+## 堆叠（Stacked）etcd 拓扑    {#stacked-etcd-topology}
 
 <!--
-A stacked HA cluster is a [topology](https://en.wikipedia.org/wiki/Network_topology) where the distributeddata storage cluster provided by etcd is stacked on top of the cluster formed by the nodes managed by kubeadm that run control plane components.
+A stacked HA cluster is a [topology](https://en.wikipedia.org/wiki/Network_topology) where the distributed
+data storage cluster provided by etcd is stacked on top of the cluster formed by the nodes managed by
+kubeadm that run control plane components.
 -->
-堆叠（Stacked） HA 集群是一种这样的[拓扑](https://en.wikipedia.org/wiki/Network_topology)，其中 etcd 分布式数据存储集群堆叠在 kubeadm 管理的控制平面节点上，作为控制平面的一个组件运行。
+堆叠（Stacked）HA 集群是一种这样的[拓扑](https://en.wikipedia.org/wiki/Network_topology)，
+其中 etcd 分布式数据存储集群堆叠在 kubeadm 管理的控制平面节点上，作为控制平面的一个组件运行。
 
 <!--
 Each control plane node runs an instance of the `kube-apiserver`, `kube-scheduler`, and `kube-controller-manager`.
 -->
-每个控制平面节点运行 `kube-apiserver`，`kube-scheduler` 和 `kube-controller-manager` 实例。
+每个控制平面节点运行 `kube-apiserver`、`kube-scheduler` 和 `kube-controller-manager` 实例。
 <!--
 The `kube-apiserver` is exposed to worker nodes using a load balancer.
 -->
@@ -76,28 +75,34 @@ Each control plane node creates a local etcd member and this etcd member communi
 the `kube-apiserver` of this node. The same applies to the local `kube-controller-manager`
 and `kube-scheduler` instances.
 -->
-每个控制平面节点创建一个本地 etcd 成员（member），这个 etcd 成员只与该节点的 `kube-apiserver` 通信。这同样适用于本地 `kube-controller-manager` 和 `kube-scheduler` 实例。
+每个控制平面节点创建一个本地 etcd 成员（member），这个 etcd 成员只与该节点的 `kube-apiserver` 通信。
+这同样适用于本地 `kube-controller-manager` 和 `kube-scheduler` 实例。
 
 <!--
-This topology couples the control planes and etcd members on the same nodes. It is simpler to set up than a cluster with external etcd nodes, and simpler to manage for replication.
+This topology couples the control planes and etcd members on the same nodes. It is simpler to set up than a cluster
+with external etcd nodes, and simpler to manage for replication.
 -->
-这种拓扑将控制平面和 etcd 成员耦合在同一节点上。相对使用外部 etcd 集群，设置起来更简单，而且更易于副本管理。
+这种拓扑将控制平面和 etcd 成员耦合在同一节点上。相对使用外部 etcd 集群，
+设置起来更简单，而且更易于副本管理。
 
 <!--
-However, a stacked cluster runs the risk of failed coupling. If one node goes down, both an etcd member and a controlplane instance are lost, and redundancy is compromised. You can mitigate this risk by adding more control plane nodes.
+However, a stacked cluster runs the risk of failed coupling. If one node goes down, both an etcd member and a control
+plane instance are lost, and redundancy is compromised. You can mitigate this risk by adding more control plane nodes.
 -->
-然而，堆叠集群存在耦合失败的风险。如果一个节点发生故障，则 etcd 成员和控制平面实例都将丢失，并且冗余会受到影响。您可以通过添加更多控制平面节点来降低此风险。
+然而，堆叠集群存在耦合失败的风险。如果一个节点发生故障，则 etcd 成员和控制平面实例都将丢失，
+并且冗余会受到影响。你可以通过添加更多控制平面节点来降低此风险。
 
 <!--
 You should therefore run a minimum of three stacked control plane nodes for an HA cluster.
 -->
-因此，您应该为 HA 集群运行至少三个堆叠的控制平面节点。
+因此，你应该为 HA 集群运行至少三个堆叠的控制平面节点。
 
 <!--
 This is the default topology in kubeadm. A local etcd member is created automatically
 on control plane nodes when using `kubeadm init` and `kubeadm join --control-plane`.
 -->
-这是 kubeadm 中的默认拓扑。当使用 `kubeadm init` 和 `kubeadm join --control-plane` 时，在控制平面节点上会自动创建本地 etcd 成员。
+这是 kubeadm 中的默认拓扑。当使用 `kubeadm init` 和 `kubeadm join --control-plane` 时，
+在控制平面节点上会自动创建本地 etcd 成员。
 
 <!--
 ![Stacked etcd topology](/images/kubeadm/kubeadm-ha-topology-stacked-etcd.svg)
@@ -107,27 +112,33 @@ on control plane nodes when using `kubeadm init` and `kubeadm join --control-pla
 <!--
 ## External etcd topology
 -->
-## 外部 etcd 拓扑
+## 外部 etcd 拓扑    {#external-etcd-topology}
 
 <!--
 An HA cluster with external etcd is a [topology](https://en.wikipedia.org/wiki/Network_topology) where the distributed data storage cluster provided by etcd is external to the cluster formed by the nodes that run control plane components.
 -->
-具有外部 etcd 的 HA 集群是一种这样的[拓扑](https://en.wikipedia.org/wiki/Network_topology)，其中 etcd 分布式数据存储集群在独立于控制平面节点的其他节点上运行。
+具有外部 etcd 的 HA 集群是一种这样的[拓扑](https://zh.wikipedia.org/wiki/%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91)，
+其中 etcd 分布式数据存储集群在独立于控制平面节点的其他节点上运行。
 
 <!--
 Like the stacked etcd topology, each control plane node in an external etcd topology runs an instance of the `kube-apiserver`, `kube-scheduler`, and `kube-controller-manager`. And the `kube-apiserver` is exposed to worker nodes using a load balancer. However, etcd members run on separate hosts, and each etcd host communicates with the `kube-apiserver` of each control plane node.
 -->
-就像堆叠的 etcd 拓扑一样，外部 etcd 拓扑中的每个控制平面节点都运行 `kube-apiserver`，`kube-scheduler` 和 `kube-controller-manager` 实例。同样， `kube-apiserver` 使用负载均衡器暴露给工作节点。但是，etcd 成员在不同的主机上运行，​​每个 etcd 主机与每个控制平面节点的 `kube-apiserver` 通信。
+就像堆叠的 etcd 拓扑一样，外部 etcd 拓扑中的每个控制平面节点都运行 `kube-apiserver`，`kube-scheduler` 和 `kube-controller-manager` 实例。
+同样，`kube-apiserver` 使用负载均衡器暴露给工作节点。但是 etcd 成员在不同的主机上运行，
+每个 etcd 主机与每个控制平面节点的 `kube-apiserver` 通信。
 
 <!--
-This topology decouples the control plane and etcd member. It therefore provides an HA setup wherelosing a control plane instance or an etcd member has less impact and does not affectthe cluster redundancy as much as the stacked HA topology.
+This topology decouples the control plane and etcd member. It therefore provides an HA setup where
+losing a control plane instance or an etcd member has less impact and does not affect
+the cluster redundancy as much as the stacked HA topology.
 -->
-这种拓扑结构解耦了控制平面和 etcd 成员。因此，它提供了一种 HA 设置，其中失去控制平面实例或者 etcd 成员的影响较小，并且不会像堆叠的 HA 拓扑那样影响集群冗余。
+这种拓扑结构解耦了控制平面和 etcd 成员。因此它提供了一种 HA 设置，
+其中失去控制平面实例或者 etcd 成员的影响较小，并且不会像堆叠的 HA 拓扑那样影响集群冗余。
 
 <!--
 However, this topology requires twice the number of hosts as the stacked HA topology.
 -->
-但是，此拓扑需要两倍于堆叠 HA 拓扑的主机数量。
+但此拓扑需要两倍于堆叠 HA 拓扑的主机数量。
 <!--
 A minimum of three hosts for control plane nodes and three hosts for etcd nodes are required for an HA cluster with this topology.
 -->
@@ -138,14 +149,11 @@ A minimum of three hosts for control plane nodes and three hosts for etcd nodes
 -->
 ![外部 etcd 拓扑](/images/kubeadm/kubeadm-ha-topology-external-etcd.svg)
 
-
-
 ## {{% heading "whatsnext" %}}
 
-
 <!--
 - [Set up a highly available cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/high-availability/)
 -->
- -  [使用 kubeadm 设置高可用集群](/zh/docs/setup/production-environment/tools/kubeadm/high-availability/)
+- [使用 kubeadm 设置高可用集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/)
 
 
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/high-availability.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability.md
similarity index 95%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/high-availability.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability.md
index 2c5bfe86c246e..8a974af6c5c3a 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/high-availability.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability.md
@@ -39,11 +39,11 @@ in the kubeadm [issue tracker](https://github.com/kubernetes/kubeadm/issues/new)
 See also the [upgrade documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-15).
 -->
 在下一步之前，你应该仔细考虑哪种方法更好的满足你的应用程序和环境的需求。 
-[高可用拓扑选项](/zh/docs/setup/production-environment/tools/kubeadm/ha-topology/) 讲述了每种方法的优缺点。
+[高可用拓扑选项](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/) 讲述了每种方法的优缺点。
 
 如果你在安装 HA 集群时遇到问题，请在 kubeadm [问题跟踪](https://github.com/kubernetes/kubeadm/issues/new)里向我们提供反馈。
 
-你也可以阅读[升级文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
+你也可以阅读[升级文档](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
 <!--
 This page does not address running your cluster on a cloud provider. In a cloud
 environment, neither approach documented here works with Service objects of type
@@ -91,10 +91,10 @@ _See [Stacked etcd topology](/docs/setup/production-environment/tools/kubeadm/ha
 -->
 需要准备：
 
-- 配置满足 [kubeadm 的最低要求](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
+- 配置满足 [kubeadm 的最低要求](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
   的三台机器作为控制面节点。奇数台控制平面节点有利于机器故障或者网络分区时进行重新选主。
   - 机器已经安装好{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}，并正常运行
-- 配置满足 [kubeadm 的最低要求](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
+- 配置满足 [kubeadm 的最低要求](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
   的三台机器作为工作节点
   - 机器已经安装好{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}，并正常运行
 - 在集群中，确保所有计算机之间存在全网络连接（公网或私网）
@@ -103,7 +103,7 @@ _See [Stacked etcd topology](/docs/setup/production-environment/tools/kubeadm/ha
 - 从某台设备通过 SSH 访问系统中所有节点的能力
 - 所有机器上已经安装 `kubeadm` 和 `kubelet`
 
-_拓扑详情请参考[堆叠（Stacked）etcd 拓扑](/zh/docs/setup/production-environment/tools/kubeadm/ha-topology/#堆叠-stacked-etcd-拓扑)。_
+_拓扑详情请参考[堆叠（Stacked）etcd 拓扑](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/#堆叠-stacked-etcd-拓扑)。_
 {{% /tab %}}
 {{% tab name="外部 etcd 拓扑" %}}
 <!--
@@ -129,10 +129,10 @@ You need:
 -->
 需要准备：
 
-- 配置满足 [kubeadm 的最低要求](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
+- 配置满足 [kubeadm 的最低要求](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
   的三台机器作为控制面节点。奇数台控制平面节点有利于机器故障或者网络分区时进行重新选主。
   - 机器已经安装好{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}，并正常运行
-- 配置满足 [kubeadm 的最低要求](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
+- 配置满足 [kubeadm 的最低要求](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#准备开始)
   的三台机器作为工作节点
   - 机器已经安装好{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}，并正常运行
 - 在集群中，确保所有计算机之间存在全网络连接（公网或私网）
@@ -156,7 +156,7 @@ And you also need:
 <!--
 _See [External etcd topology](/docs/setup/production-environment/tools/kubeadm/ha-topology/#external-etcd-topology) for context._
 -->
-_拓扑详情请参考[外部 etcd 拓扑](/zh/docs/setup/production-environment/tools/kubeadm/ha-topology/#外部-etcd-拓扑)。_
+_拓扑详情请参考[外部 etcd 拓扑](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/#外部-etcd-拓扑)。_
 {{% /tab %}}
 {{< /tabs >}}
 
@@ -179,7 +179,7 @@ To manage Kubernetes once your cluster is set up, you should
 to install the `kubectl` tool on each control plane node, as this can be
 helpful for troubleshooting.
 -->
-一旦集群创建成功，需要在 PC 上[安装 kubectl](/zh/docs/tasks/tools/#kubectl) 用于管理 Kubernetes。为了方便故障排查，也可以在每个控制平面节点上安装 `kubectl`。
+一旦集群创建成功，需要在 PC 上[安装 kubectl](/zh-cn/docs/tasks/tools/#kubectl) 用于管理 Kubernetes。为了方便故障排查，也可以在每个控制平面节点上安装 `kubectl`。
 
 <!-- steps -->
 
@@ -322,7 +322,7 @@ option. Your cluster requirements may need a different configuration.
    -->
    {{< note >}}
    一些 CNI 网络插件如 Calico 需要 CIDR 例如 `192.168.0.0/16` 和一些像 Weave 没有。参考
-   [CNI 网络文档](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network)。
+   [CNI 网络文档](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network)。
    通过传递 `--pod-network-cidr` 标志添加 pod CIDR，或者你可以使用 kubeadm
    配置文件，在 `ClusterConfiguration` 的 `networking` 对象下设置 `podSubnet` 字段。
    {{< /note >}}
@@ -379,7 +379,7 @@ option. Your cluster requirements may need a different configuration.
    As stated in the command output, the certificate key gives access to cluster sensitive data, keep it secret!
    -->
    {{< caution >}}
-   正如命令输出中所述，证书密钥可访问群集敏感数据。请妥善保管！
+   正如命令输出中所述，证书密钥可访问集群敏感数据。请妥善保管！
    {{< /caution >}}
 
 <!--
@@ -387,7 +387,7 @@ option. Your cluster requirements may need a different configuration.
    [Follow these instructions](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network) to install the CNI provider. Make sure the configuration corresponds to the Pod CIDR specified in the kubeadm configuration file (if applicable).
 -->
 2. 应用你所选择的 CNI 插件：
-   [请遵循以下指示](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network)
+   [请遵循以下指示](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network)
    安装 CNI 驱动。如果适用，请确保配置与 kubeadm 配置文件中指定的 Pod
    CIDR 相对应。
    <!--
@@ -484,7 +484,7 @@ in the kubeadm config file.
 -->
 ### 设置 ectd 集群
 
-1. 按照[这些指示](/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/) 
+1. 按照[这些指示](/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/) 
    去设置 etcd 集群。
 
 1. 根据[这里](#manual-certs) 的描述配置 SSH。
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
similarity index 77%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
index 51f9fd7758997..7b713372cf5b7 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md
@@ -25,8 +25,7 @@ For information on how to create a cluster with kubeadm once you have performed
 -->
 <img src="/images/kubeadm-stacked-color.png" align="right" width="150px">本页面显示如何安装 `kubeadm` 工具箱。
 有关在执行此安装过程后如何使用 kubeadm 创建集群的信息，请参见
-[使用 kubeadm 创建集群](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) 页面。
-
+[使用 kubeadm 创建集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) 页面。
 
 ## {{% heading "prerequisites" %}}
 
@@ -41,14 +40,13 @@ For information on how to create a cluster with kubeadm once you have performed
 -->
 * 一台兼容的 Linux 主机。Kubernetes 项目为基于 Debian 和 Red Hat 的 Linux
   发行版以及一些不提供包管理器的发行版提供通用的指令
-* 每台机器 2 GB 或更多的 RAM （如果少于这个数字将会影响你应用的运行内存)
+* 每台机器 2 GB 或更多的 RAM （如果少于这个数字将会影响你应用的运行内存）
 * 2 CPU 核或更多
 * 集群中的所有机器的网络彼此均能相互连接(公网和内网都可以)
 * 节点之中不可以有重复的主机名、MAC 地址或 product_uuid。请参见[这里](#verify-mac-address)了解更多详细信息。
 * 开启机器上的某些端口。请参见[这里](#check-required-ports) 了解更多详细信息。
 * 禁用交换分区。为了保证 kubelet 正常工作，你 **必须** 禁用交换分区。
 
-
 <!-- steps -->
 
 <!--
@@ -112,7 +110,7 @@ sudo sysctl --system
 <!--
 For more details please see the [Network Plugin Requirements](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements) page.
 -->
-更多的相关细节可查看[网络插件需求](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements)页面。
+更多的相关细节可查看[网络插件需求](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#network-plugin-requirements)页面。
 
 <!--
 ## Check required ports
@@ -123,14 +121,14 @@ need to be open in order for Kubernetes components to communicate with each othe
 
 ## 检查所需端口{#check-required-ports}
 
-启用这些[必要的端口](/zh/docs/reference/ports-and-protocols/)后才能使 Kubernetes 的各组件相互通信。可以使用 netcat 之类的工具来检查端口是否启用，例如：
+启用这些[必要的端口](/zh-cn/docs/reference/ports-and-protocols/)后才能使 Kubernetes 的各组件相互通信。可以使用 netcat 之类的工具来检查端口是否启用，例如：
 
 ```shell
 nc 127.0.0.1 6443
 ```
 
 <!--
-The pod network plugin you use (see below) may also require certain ports to be
+The pod network plugin you use may also require certain ports to be
 open. Since this differs with each pod network plugin, please see the
 documentation for the plugins about what port(s) those need.
 -->
@@ -138,86 +136,103 @@ documentation for the plugins about what port(s) those need.
 请参阅他们各自文档中对端口的要求。
 
 <!--
-## Installing runtime {#installing-runtime}
+## Installing a container runtime {#installing-runtime}
 
 To run containers in Pods, Kubernetes uses a
 {{< glossary_tooltip term_id="container-runtime" text="container runtime" >}}.
 -->
-## 安装 runtime{#installing-runtime}
+## 安装容器运行时{#installing-runtime}
 
 为了在 Pod 中运行容器，Kubernetes 使用
 {{< glossary_tooltip term_id="container-runtime" text="容器运行时（Container Runtime）" >}}。
 
-{{< tabs name="container-runtimes" >}}
-{{% tab name="Linux 节点" %}}
 <!--
 By default, Kubernetes uses the
 {{< glossary_tooltip term_id="cri" text="Container Runtime Interface">}} (CRI)
 to interface with your chosen container runtime.
 
 If you don't specify a runtime, kubeadm automatically tries to detect an installed
-container runtime by scanning through a list of well known Unix domain sockets.
-The following table lists container runtimes that kubeadm looks for, and their associated socket paths:
-
-| Runtime    | Domain Socket                   |
-|------------|---------------------------------|
-| Docker     | /var/run/dockershim.sock            |
-| containerd | /run/containerd/containerd.sock |
-| CRI-O      | /var/run/crio/crio.sock         |
+container runtime by scanning through a list of known endpoints.
 -->
 默认情况下，Kubernetes 使用
 {{< glossary_tooltip term_id="cri" text="容器运行时接口（Container Runtime Interface，CRI）" >}}
 来与你所选择的容器运行时交互。
 
-如果你不指定运行时，则 kubeadm 会自动尝试检测到系统上已经安装的运行时，
-方法是扫描一组众所周知的 Unix 域套接字。
-下面的表格列举了一些 kubeadm 查找的容器运行时及其对应的套接字路径：
-
-| 运行时     | 域套接字                         |
-|------------|----------------------------------|
-| Docker Engine  | `/var/run/dockershim.sock`        |
-| containerd     | `/run/containerd/containerd.sock` |
-| CRI-O          | `/var/run/crio/crio.sock`         |
+如果你不指定运行时，kubeadm 会自动尝试通过扫描已知的端点列表来检测已安装的容器运行时。
 
 <!--
-<br />
-If both Docker Engine and containerd are detected, kubeadm will give precedence to Docker Engine. This is
-needed because Docker 18.09 ships with containerd and both are detectable even if you only
-installed Docker.
-**If any other two or more runtimes are detected, kubeadm exits with an error.**
-
-The kubelet can integrate with Docker Engine using the deprecated `dockershim` adapter (the dockershim is part of the kubelet itself).
+If multiple or no container runtimes are detected kubeadm will throw an error
+and will request that you specify which one you want to use.
 
 See [container runtimes](/docs/setup/production-environment/container-runtimes/)
 for more information.
 -->
-<br/>
-如果同时检测到 Docker Engine 和 containerd，kubeadm 将优先考虑 Docker Engine。
-这是必然的，因为 Docker 18.09 附带了 containerd 并且两者都是可以检测到的，
-即使你仅安装了 Docker。
-**如果检测到其他两个或多个运行时，kubeadm 输出错误信息并退出。**
-
-kubelet 可以使用已弃用的 dockershim 适配器与 Docker Engine 集成（dockershim 是 kubelet 本身的一部分）。
+如果检测到有多个或者没有容器运行时，kubeadm 将抛出一个错误并要求你指定一个想要使用的运行时。
 
-参阅[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
+参阅[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
 以了解更多信息。
 
-{{% /tab %}}
-{{% tab name="其它操作系统" %}}
 <!--
-By default, kubeadm uses {{< glossary_tooltip term_id="docker" >}} as the container runtime.
-The kubelet can integrate with Docker Engine using the deprecated `dockershim` adapter (the dockershim is part of the kubelet itself).
+{{< note >}}
+Docker Engine does not implement the [CRI](/docs/concepts/architecture/cri/)
+which is a requirement for a container runtime to work with Kubernetes.
+For that reason, an additional service [cri-dockerd](https://github.com/Mirantis/cri-dockerd)
+has to be installed. cri-dockerd is a project based on the legacy built-in
+Docker Engine support that was [removed](/dockershim) from the kubelet in version 1.24.
+-->
 
-See [container runtimes](/docs/setup/production-environment/container-runtimes/)
-for more information.
+{{< note >}}
+Docker Engine 没有实现 [CRI](/zh-cn/docs/concepts/architecture/cri/)，而这是容器运行时在 Kubernetes 中工作所需要的。
+为此，必须安装一个额外的服务 [cri-dockerd](https://github.com/Mirantis/cri-dockerd)。
+cri-dockerd 是一个基于传统的内置Docker引擎支持的项目，它在 1.24 版本从 kubelet 中[移除](/zh-cn/dockershim)。
+{{< /note >}}
+
+<!--
+The tables below include the known endpoints for supported operating systems:
+
+{{< tabs name="container_runtime" >}}
+{{% tab name="Linux" %}}
 -->
-默认情况下， kubeadm 使用 {{< glossary_tooltip term_id="docker" >}} 作为容器运行时。
-kubelet 可以使用已弃用的 dockershim 适配器与 Docker Engine 集成（dockershim 是 kubelet 本身的一部分）。
-参阅[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
-以了解更多信息。
+下面的表格包括被支持的操作系统的已知端点。
 
-{{% /tab %}}
-{{< /tabs >}}
+{{< tabs name="container_runtime" >}}
+{{% tab name="Linux" %}}
+
+<!--
+{{< table >}}
+| Runtime                            | Path to Unix domain socket                   |
+|------------------------------------|----------------------------------------------|
+| containerd                         | `unix:///var/run/containerd/containerd.sock` |
+| CRI-O                              | `unix:///var/run/crio/crio.sock`             |
+| Docker Engine (using cri-dockerd)  | `unix:///var/run/cri-dockerd.sock`           |
+{{< /table >}}
+-->
+{{< table >}}
+| 运行时                              | Unix 域套接字                                     |
+|------------------------------------|----------------------------------------------|
+| containerd                         | `unix:///var/run/containerd/containerd.sock` |
+| CRI-O                              | `unix:///var/run/crio/crio.sock`             |
+| Docker Engine (使用 cri-dockerd)  | `unix:///var/run/cri-dockerd.sock`           |
+{{< /table >}}
+
+<!--
+{{% tab name="Windows" %}}
+
+{{< table >}}
+| Runtime                            | Path to Windows named pipe                   |
+|------------------------------------|----------------------------------------------|
+| containerd                         | `npipe:////./pipe/containerd-containerd`     |
+| Docker Engine (using cri-dockerd)  | `npipe:////./pipe/cri-dockerd`               |
+{{< /table >}}
+-->
+{{% tab name="Windows" %}}
+
+{{< table >}}
+| 运行时                              |  Windows 命名管道路径                         |
+|------------------------------------|----------------------------------------------|
+| containerd                         | `npipe:////./pipe/containerd-containerd`     |
+| Docker Engine (使用 cri-dockerd)  | `npipe:////./pipe/cri-dockerd`               |
+{{< /table >}}
 
 <!--
 ## Installing kubeadm, kubelet and kubectl
@@ -258,7 +273,7 @@ kubeadm **不能** 帮你安装或者管理 `kubelet` 或 `kubectl`，所以你
 的版本不可以超过 API 服务器的版本。
 例如，1.7.0 版本的 kubelet 可以完全兼容 1.8.0 版本的 API 服务器，反之则不可以。
 
-有关安装 `kubectl` 的信息，请参阅[安装和设置 kubectl](/zh/docs/tasks/tools/)文档。
+有关安装 `kubectl` 的信息，请参阅[安装和设置 kubectl](/zh-cn/docs/tasks/tools/)文档。
 
 {{< warning >}}
 <!--
@@ -267,7 +282,7 @@ This is because kubeadm and Kubernetes require
 [special attention to upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14/).
 -->
 这些指南不包括系统升级时使用的所有 Kubernetes 程序包。这是因为 kubeadm 和 Kubernetes
-有[特殊的升级注意事项](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)。
+有[特殊的升级注意事项](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)。
 {{</ warning >}}
 
 <!--
@@ -278,8 +293,8 @@ For more information on version skews, see:
 -->
 关于版本偏差的更多信息，请参阅以下文档：
 
-* Kubernetes [版本与版本间的偏差策略](/zh/docs/setup/release/version-skew-policy/)
-* Kubeadm 特定的[版本偏差策略](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#version-skew-policy)
+* Kubernetes [版本与版本间的偏差策略](/zh-cn/releases/version-skew-policy/)
+* Kubeadm 特定的[版本偏差策略](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#version-skew-policy)
 
 {{< tabs name="k8s_install" >}}
 {{% tab name="基于 Debian 的发行版" %}}
@@ -389,7 +404,7 @@ curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_
 ```
 
 <!--
-Define the directory to download command files  
+Define the directory to download command files
 -->
 定义要下载命令文件的目录。
 
@@ -453,7 +468,7 @@ See the [Kubeadm Troubleshooting guide](/docs/setup/production-environment/tools
 -->
 Flatcar Container Linux 发行版会将 `/usr/` 目录挂载为一个只读文件系统。
 在启动引导你的集群之前，你需要执行一些额外的操作来配置一个可写入的目录。
-参见 [kubeadm 故障排查指南](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#usr-mounted-read-only/)
+参见 [kubeadm 故障排查指南](/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#usr-mounted-read-only/)
 以了解如何配置一个可写入的目录。
 {{< /note >}}
 
@@ -475,8 +490,8 @@ for the management of cgroups on Linux machines.
 -->
 ## 配置 cgroup 驱动程序  {#configure-cgroup-driver}
 
-容器运行时和 kubelet 都具有名字为 
-["cgroup driver"](/zh/docs/setup/production-environment/container-runtimes/)
+容器运行时和 kubelet 都具有名字为
+["cgroup driver"](/zh-cn/docs/setup/production-environment/container-runtimes/)
 的属性，该属性对于在 Linux 机器上管理 CGroups 而言非常重要。
 
 {{< warning >}}
@@ -488,7 +503,7 @@ See [Configuring a cgroup driver](/docs/tasks/administer-cluster/kubeadm/configu
 你需要确保容器运行时和 kubelet 所使用的是相同的 cgroup 驱动，否则 kubelet
 进程会失败。
 
-相关细节可参见[配置 cgroup 驱动](/zh/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/)。
+相关细节可参见[配置 cgroup 驱动](/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/)。
 {{< /warning >}}
 
 <!--
@@ -499,12 +514,11 @@ If you are running into difficulties with kubeadm, please consult our [troublesh
 ## 故障排查   {#troubleshooting}
 
 如果你在使用 kubeadm 时遇到困难，请参阅我们的
-[故障排查文档](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)。
+[故障排查文档](/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
 * [Using kubeadm to Create a Cluster](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)
 -->
-* [使用 kubeadm 创建集群](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)
-
+* [使用 kubeadm 创建集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration.md
similarity index 75%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration.md
index 8990ee0acf0f7..ef4a468b347a4 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration.md
@@ -1,6 +1,4 @@
 ---
-reviewers:
-- sig-cluster-lifecycle
 title: 使用 kubeadm 配置集群中的每个 kubelet
 content_type: concept
 weight: 80
@@ -15,13 +13,15 @@ weight: 80
 
 <!-- overview -->
 
-{{< feature-state for_k8s_version="1.11" state="stable" >}}
+{{% dockershim-removal %}}
+
+{{< feature-state for_k8s_version="v1.11" state="stable" >}}
 
 <!--
 The lifecycle of the kubeadm CLI tool is decoupled from the
 [kubelet](/docs/reference/command-line-tools-reference/kubelet), which is a daemon that runs
 on each node within the Kubernetes cluster. The kubeadm CLI tool is executed by the user when Kubernetes is
-initialized or upgraded, where as the kubelet is always running in the background.
+initialized or upgraded, whereas the kubelet is always running in the background.
 
 Since the kubelet is a daemon, it needs to be maintained by some kind of an init
 system or service manager. When the kubelet is installed using DEBs or RPMs,
@@ -34,7 +34,7 @@ characteristics of a given machine (such as OS, storage, and networking). You ca
 of your kubelets manually, but kubeadm now provides a `KubeletConfiguration` API type for
 [managing your kubelet configurations centrally](#configure-kubelets-using-kubeadm).
 -->
-kubeadm CLI 工具的生命周期与 [kubelet](/zh/docs/reference/command-line-tools-reference/kubelet)
+kubeadm CLI 工具的生命周期与 [kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet)
 解耦；kubelet 是一个守护程序，在 Kubernetes 集群中的每个节点上运行。
 当 Kubernetes 初始化或升级时，kubeadm CLI 工具由用户执行，而 kubelet 始终在后台运行。
 
@@ -51,28 +51,38 @@ kubeadm CLI 工具的生命周期与 [kubelet](/zh/docs/reference/command-line-t
 
 <!--
 ## Kubelet configuration patterns
+-->
+## Kubelet 配置模式    {#kubelet-configuration-patterns}
 
+<!--
 The following sections describe patterns to kubelet configuration that are simplified by
 using kubeadm, rather than managing the kubelet configuration for each Node manually.
 -->
-## Kubelet 配置模式
-
 以下各节讲述了通过使用 kubeadm 简化 kubelet 配置模式，而不是在每个节点上手动地管理 kubelet 配置。
 
 <!--
 ### Propagating cluster-level configuration to each kubelet
+-->
+### 将集群级配置传播到每个 kubelet 中    {#propagating-cluster-level-configuration-to-each-kubelet}
 
+<!--
 You can provide the kubelet with default values to be used by `kubeadm init` and `kubeadm join`
-commands. Interesting examples include using a different CRI runtime or setting the default subnet
+commands. Interesting examples include using a different container runtime or setting the default subnet
 used by services.
 
 If you want your services to use the subnet `10.96.0.0/12` as the default for services, you can pass
 the `--service-cidr` parameter to kubeadm:
+-->
+你可以通过 `kubeadm init` 和 `kubeadm join` 命令为 kubelet 提供默认值。
+有趣的示例包括使用其他容器运行时或通过服务器设置不同的默认子网。
+
+如果你想使用子网 `10.96.0.0/12` 作为服务的默认网段，你可以给 kubeadm 传递 `--service-cidr` 参数：
 
 ```bash
 kubeadm init --service-cidr 10.96.0.0/12
 ```
 
+<!--
 Virtual IPs for services are now allocated from this subnet. You also need to set the DNS address used
 by the kubelet, using the `--cluster-dns` flag. This setting needs to be the same for every kubelet
 on every manager and Node in the cluster. The kubelet provides a versioned, structured API object
@@ -81,32 +91,12 @@ kubelet in the cluster. This object is called
 [`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/).
 The `KubeletConfiguration` allows the user to specify flags such as the cluster DNS IP addresses expressed as
 a list of values to a camelCased key, illustrated by the following example:
-
-```yaml
-apiVersion: kubelet.config.k8s.io/v1beta1
-kind: KubeletConfiguration
-clusterDNS:
-- 10.96.0.10
-```
-
-For more details on the `KubeletConfiguration` have a look at [this section](#configure-kubelets-using-kubeadm).
 -->
-### 将集群级配置传播到每个 kubelet 中
-
-你可以通过使用 `kubeadm init` 和 `kubeadm join` 命令为 kubelet 提供默认值。
-有趣的示例包括使用其他 CRI 运行时或通过服务器设置不同的默认子网。
-
-如果你想使用子网 `10.96.0.0/12` 作为services的默认网段，你可以给 kubeadm 传递 `--service-cidr` 参数：
-
-```bash
-kubeadm init --service-cidr 10.96.0.0/12
-```
-
 现在，可以从该子网分配服务的虚拟 IP。
 你还需要通过 kubelet 使用 `--cluster-dns` 标志设置 DNS 地址。
 在集群中的每个管理器和节点上的 kubelet 的设置需要相同。
 kubelet 提供了一个版本化的结构化 API 对象，该对象可以配置 kubelet 中的大多数参数，并将此配置推送到集群中正在运行的每个 kubelet 上。
-此对象被称为 [`KubeletConfiguration`](/zh/docs/reference/config-api/kubelet-config.v1beta1/)。
+此对象被称为 [`KubeletConfiguration`](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)。
 `KubeletConfiguration` 允许用户指定标志，例如用骆峰值代表集群的 DNS IP 地址，如下所示：
 
 ```yaml
@@ -116,14 +106,23 @@ clusterDNS:
 - 10.96.0.10
 ```
 
-有关 `KubeletConfiguration` 的更多详细信息，亲参阅[本节](#configure-kubelets-using-kubeadm)。
+<!--
+For more details on the `KubeletConfiguration` have a look at [this section](#configure-kubelets-using-kubeadm).
+-->
+有关 `KubeletConfiguration` 的更多详细信息，请参阅[本节](#configure-kubelets-using-kubeadm)。
 
 <!--
 ### Providing instance-specific configuration details
 
 Some hosts require specific kubelet configurations due to differences in hardware, operating system,
 networking, or other host-specific parameters. The following list provides a few examples.
+-->
+### 提供特定于某实例的配置细节    {#providing-instance-specific-configuration-details}
+
+由于硬件、操作系统、网络或者其他主机特定参数的差异。某些主机需要特定的 kubelet 配置。
+以下列表提供了一些示例。
 
+<!--
 - The path to the DNS resolution file, as specified by the `--resolv-conf` kubelet
   configuration flag, may differ among operating systems, or depending on whether you are using
   `systemd-resolved`. If this path is wrong, DNS resolution will fail on the Node whose kubelet
@@ -133,23 +132,16 @@ networking, or other host-specific parameters. The following list provides a few
   unless you are using a cloud provider. You can use the `--hostname-override` flag to override the
   default behavior if you need to specify a Node name different from the machine's hostname.
 
-- Currently, the kubelet cannot automatically detect the cgroup driver used by the CRI runtime,
-  but the value of `--cgroup-driver` must match the cgroup driver used by the CRI runtime to ensure
+- Currently, the kubelet cannot automatically detect the cgroup driver used by the container runtime,
+  but the value of `--cgroup-driver` must match the cgroup driver used by the container runtime to ensure
   the health of the kubelet.
 
-- Depending on the CRI runtime your cluster uses, you may need to specify different flags to the kubelet.
-  For instance, when using Docker, you need to specify flags such as `--network-plugin=cni`, but if you
-  are using an external runtime, you need to specify `--container-runtime=remote` and specify the CRI
-  endpoint using the `--container-runtime-endpoint=<path>`.
+- To specify the container runtime you must set its endpoint with the
+  `--container-runtime-endpoint=<path>` flag.
 
 You can specify these flags by configuring an individual kubelet's configuration in your service manager,
 such as systemd.
 -->
-### 提供指定实例的详细配置信息
-
-由于硬件、操作系统、网络或者其他主机特定参数的差异。某些主机需要特定的 kubelet 配置。
-以下列表提供了一些示例。
-
 - 由 kubelet 配置标志 `--resolv-conf` 指定的 DNS 解析文件的路径在操作系统之间可能有所不同，
   它取决于你是否使用 `systemd-resolved`。
   如果此路径错误，则在其 kubelet 配置错误的节点上 DNS 解析也将失败。
@@ -157,12 +149,10 @@ such as systemd.
 - 除非你使用云驱动，否则默认情况下 Node API 对象的 `.metadata.name` 会被设置为计算机的主机名。
   如果你需要指定一个与机器的主机名不同的节点名称，你可以使用 `--hostname-override` 标志覆盖默认值。
 
-- 当前，kubelet 无法自动检测 CRI 运行时使用的 cgroup 驱动程序，
-  但是值 `--cgroup-driver` 必须与 CRI 运行时使用的 cgroup 驱动程序匹配，以确保 kubelet 的健康运行状况。
+- 当前，kubelet 无法自动检测容器运行时使用的 cgroup 驱动程序，
+  但是值 `--cgroup-driver` 必须与容器运行时使用的 cgroup 驱动程序匹配，以确保 kubelet 的健康运行状况。
 
-- 取决于你的集群所使用的 CRI 运行时，你可能需要为 kubelet 指定不同的标志。
-  例如，当使用 Docker 时，你需要指定如 `--network-plugin=cni` 这类标志；但是如果你使用的是外部运行时，
-  则需要指定 `--container-runtime=remote` 并使用 `--container-runtime-endpoint=<path>` 指定 CRI 端点。
+- 要指定容器运行时，你必须用 `--container-runtime-endpoint=<path>` 标志来指定端点。
 
 你可以在服务管理器（例如 systemd）中设定某个 kubelet 的配置来指定这些参数。
 
@@ -179,75 +169,70 @@ Also have a look at the
 [reference for the KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/)
 for more information on the individual fields.
 -->
-## 使用 kubeadm 配置 kubelet
+## 使用 kubeadm 配置 kubelet    {#configure-kubelets-using-kubeadm}
 
 如果自定义的 `KubeletConfiguration` API 对象使用像  `kubeadm ... --config some-config-file.yaml` 这样的配置文件进行传递，则可以配置 kubeadm 启动的 kubelet。
 
 通过调用 `kubeadm config print init-defaults --component-configs KubeletConfiguration`，
 你可以看到此结构中的所有默认值。
 
-也可以阅读 [KubeletConfiguration 参考](/zh/docs/reference/config-api/kubelet-config.v1beta1/)
+也可以阅读 [KubeletConfiguration 参考](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
 来获取有关各个字段的更多信息。
 
 <!--
 ### Workflow when using `kubeadm init`
+-->
+### 使用 `kubeadm init` 时的工作流程    {#workflow-when-using-kubeadm-init}
 
+<!--
 When you call `kubeadm init`, the kubelet configuration is marshalled to disk
-at `/var/lib/kubelet/config.yaml`, and also uploaded to a ConfigMap in the cluster. The ConfigMap
-is named `kubelet-config-1.X`, where `X` is the minor version of the Kubernetes version you are
-initializing. A kubelet configuration file is also written to `/etc/kubernetes/kubelet.conf` with the
-baseline cluster-wide configuration for all kubelets in the cluster. This configuration file
+at `/var/lib/kubelet/config.yaml`, and also uploaded to a `kubelet-config` ConfigMap in the `kube-system`
+namespace of the cluster. A kubelet configuration file is also written to `/etc/kubernetes/kubelet.conf`
+with the baseline cluster-wide configuration for all kubelets in the cluster. This configuration file
 points to the client certificates that allow the kubelet to communicate with the API server. This
 addresses the need to
 [propagate cluster-level configuration to each kubelet](#propagating-cluster-level-configuration-to-each-kubelet).
+-->
+当调用 `kubeadm init` 时，kubelet 的配置会被写入磁盘 `/var/lib/kubelet/config.yaml`，
+并上传到集群 `kube-system` 命名空间的 `kubelet-config` ConfigMap。
+kubelet 配置信息也被写入 `/etc/kubernetes/kubelet.conf`，其中包含集群内所有 kubelet 的基线配置。
+此配置文件指向允许 kubelet 与 API 服务器通信的客户端证书。
+这解决了[将集群级配置传播到每个 kubelet](#propagating-cluster-level-configuration-to-each-kubelet) 的需求。
 
+<!--
 To address the second pattern of
 [providing instance-specific configuration details](#providing-instance-specific-configuration-details),
 kubeadm writes an environment file to `/var/lib/kubelet/kubeadm-flags.env`, which contains a list of
 flags to pass to the kubelet when it starts. The flags are presented in the file like this:
+-->
+针对[为特定实例提供配置细节](#providing-instance-specific-configuration-details)的第二种模式，
+kubeadm 的解决方法是将环境文件写入 `/var/lib/kubelet/kubeadm-flags.env`，其中包含了一个标志列表，
+当 kubelet 启动时，该标志列表会传递给 kubelet 标志在文件中的显示方式如下：
 
 ```bash
 KUBELET_KUBEADM_ARGS="--flag1=value1 --flag2=value2 ..."
 ```
 
+<!--
 In addition to the flags used when starting the kubelet, the file also contains dynamic
-parameters such as the cgroup driver and whether to use a different CRI runtime socket
+parameters such as the cgroup driver and whether to use a different container runtime socket
 (`--cri-socket`).
+-->
+除了启动 kubelet 时所使用的标志外，该文件还包含动态参数，例如 cgroup 驱动程序以及是否使用其他容器运行时套接字（`--cri-socket`）。
 
+<!--
 After marshalling these two files to disk, kubeadm attempts to run the following two
 commands, if you are using systemd:
-
-```bash
-systemctl daemon-reload && systemctl restart kubelet
-```
-
-If the reload and restart are successful, the normal `kubeadm init` workflow continues.
 -->
-### 当使用 `kubeadm init`时的工作流程
-
-当调用 `kubeadm init` 时，kubelet 配置被编组到磁盘上的 `/var/lib/kubelet/config.yaml` 中，
-并且上传到集群中的 ConfigMap。
-ConfigMap 名为 `kubelet-config-1.X`，其中 `X` 是你正在初始化的 kubernetes 版本的次版本。
-在集群中所有 kubelet 的基准集群范围内配置，将 kubelet 配置文件写入 `/etc/kubernetes/kubelet.conf` 中。
-此配置文件指向允许 kubelet 与 API 服务器通信的客户端证书。
-这解决了[将集群级配置传播到每个 kubelet](#propagating-cluster-level-configuration-to-each-kubelet) 的需求。
-
-该文档 [提供特定实例的配置详细信息](#providing-instance-specific-configuration-details) 是第二种解决模式，
-kubeadm 将环境文件写入 `/var/lib/kubelet/kubeadm-flags.env`，其中包含了一个标志列表，
-当 kubelet 启动时，该标志列表会传递给 kubelet 标志在文件中的显示方式如下：
-
-```bash
-KUBELET_KUBEADM_ARGS="--flag1=value1 --flag2=value2 ..."
-```
-
-除了启动 kubelet 时使用该标志外，该文件还包含动态参数，例如 cgroup 驱动程序以及是否使用其他 CRI 运行时 socket（`--cri-socket`）。
-
 将这两个文件编组到磁盘后，如果使用 systemd，则 kubeadm 尝试运行以下两个命令：
 
 ```bash
 systemctl daemon-reload && systemctl restart kubelet
 ```
 
+<!--
+If the reload and restart are successful, the normal `kubeadm init` workflow continues.
+-->
 如果重新加载和重新启动成功，则正常的 `kubeadm init` 工作流程将继续。
 
 <!--
@@ -255,14 +240,13 @@ systemctl daemon-reload && systemctl restart kubelet
 
 When you run `kubeadm join`, kubeadm uses the Bootstrap Token credential to perform
 a TLS bootstrap, which fetches the credential needed to download the
-`kubelet-config-1.X` ConfigMap and writes it to `/var/lib/kubelet/config.yaml`. The dynamic
+`kubelet-config` ConfigMap and writes it to `/var/lib/kubelet/config.yaml`. The dynamic
 environment file is generated in exactly the same way as `kubeadm init`.
 -->
-
-### 当使用 `kubeadm join`时的工作流程
+### 使用 `kubeadm join` 时的工作流程    {#workflow-when-using-kubeadm-join}
 
 当运行 `kubeadm join` 时，kubeadm 使用 Bootstrap Token 证书执行 TLS 引导，该引导会获取一份证书，
-该证书需要下载 `kubelet-config-1.X` ConfigMap 并把它写入 `/var/lib/kubelet/config.yaml` 中。
+该证书需要下载 `kubelet-config` ConfigMap 并把它写入 `/var/lib/kubelet/config.yaml` 中。
 动态环境文件的生成方式恰好与 `kubeadm init` 完全相同。
 
 <!--
@@ -280,7 +264,6 @@ After the kubelet loads the new configuration, kubeadm writes the
 Token. These are used by the kubelet to perform the TLS Bootstrap and obtain a unique
 credential, which is stored in `/etc/kubernetes/kubelet.conf`.
 -->
-
 在 kubelet 加载新配置后，kubeadm 将写入 `/etc/kubernetes/bootstrap-kubelet.conf` KubeConfig 文件中，
 该文件包含 CA 证书和引导程序令牌。
 kubelet 使用这些证书执行 TLS 引导程序并获取唯一的凭据，该凭据被存储在 `/etc/kubernetes/kubelet.conf` 中。
@@ -289,17 +272,22 @@ kubelet 使用这些证书执行 TLS 引导程序并获取唯一的凭据，该
 When the `/etc/kubernetes/kubelet.conf` file is written, the kubelet has finished performing the TLS Bootstrap.
 Kubeadm deletes the `/etc/kubernetes/bootstrap-kubelet.conf` file after completing the TLS Bootstrap.
 -->
-
 当 `/etc/kubernetes/kubelet.conf` 文件被写入后，kubelet 就完成了 TLS 引导过程。
 Kubeadm 在完成 TLS 引导过程后将删除 `/etc/kubernetes/bootstrap-kubelet.conf` 文件。
 
-
 <!--
 ##  The kubelet drop-in file for systemd
+-->
+## kubelet 的 systemd drop-in 文件    {#the-kubelet-drop-in-file-for-systemd}
 
+<!--
 `kubeadm` ships with configuration for how systemd should run the kubelet.
 Note that the kubeadm CLI command never touches this drop-in file.
+-->
+`kubeadm` 中附带了有关系统如何运行 kubelet 的 systemd 配置文件。
+请注意 kubeadm CLI 命令不会修改此文件。
 
+<!--
 This configuration file installed by the `kubeadm`
 [DEB](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf) or
 [RPM package](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/rpm/kubeadm/10-kubeadm.conf) is written to
@@ -307,13 +295,28 @@ This configuration file installed by the `kubeadm`
 It augments the basic
 [`kubelet.service` for RPM](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/rpm/kubelet/kubelet.service) or
 [`kubelet.service` for DEB](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service):
+-->
+通过 `kubeadm` [DEB 包](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf)
+或者 [RPM 包](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/rpm/kubeadm/10-kubeadm.conf)
+安装的配置文件被写入 `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` 并由 systemd 使用。
+它对原来的 [RPM 版本 `kubelet.service`](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/rpm/kubelet/kubelet.service)
+或者 [DEB 版本 `kubelet.service`](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service)
+作了增强：
 
+<!--
 {{< note >}}
 The contents below are just an example. If you don't want to use a package manager
 follow the guide outlined in the [Without a package manager](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#k8s-install-2))
 section.
 {{< /note >}}
+-->
+{{< note >}}
+下面的内容只是一个例子。如果你不想使用包管理器，
+请遵循[没有包管理器](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#k8s-install-2))
+章节的指南。
+{{< /note >}}
 
+<!--
 ```none
 [Service]
 Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
@@ -321,43 +324,14 @@ Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
 # This is a file that "kubeadm init" and "kubeadm join" generate at runtime, populating
 the KUBELET_KUBEADM_ARGS variable dynamically
 EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
-# This is a file that the user can use for overrides of the kubelet args as a last resort.
-# Preferably, the user should use the .NodeRegistration.KubeletExtraArgs object in the configuration files instead.
+# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably,
+# the user should use the .NodeRegistration.KubeletExtraArgs object in the configuration files instead.
 # KUBELET_EXTRA_ARGS should be sourced from this file.
 EnvironmentFile=-/etc/default/kubelet
 ExecStart=
 ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
 ```
-
-This file specifies the default locations for all of the files managed by kubeadm for the kubelet.
-
-- The KubeConfig file to use for the TLS Bootstrap is `/etc/kubernetes/bootstrap-kubelet.conf`,
-  but it is only used if `/etc/kubernetes/kubelet.conf` does not exist.
-- The KubeConfig file with the unique kubelet identity is `/etc/kubernetes/kubelet.conf`.
-- The file containing the kubelet's ComponentConfig is `/var/lib/kubelet/config.yaml`.
-- The dynamic environment file that contains `KUBELET_KUBEADM_ARGS` is sourced from `/var/lib/kubelet/kubeadm-flags.env`.
-- The file that can contain user-specified flag overrides with `KUBELET_EXTRA_ARGS` is sourced from
-  `/etc/default/kubelet` (for DEBs), or `/etc/sysconfig/kubelet` (for RPMs). `KUBELET_EXTRA_ARGS`
-  is last in the flag chain and has the highest priority in the event of conflicting settings.
 -->
-##  kubelet 的 systemd 文件 {#the-kubelet-drop-in-file-for-systemd}
-
-`kubeadm` 中附带了有关系统如何运行 kubelet 的 systemd 配置文件。
-请注意 kubeadm CLI 命令不会修改此文件。
-
-通过 `kubeadm` [DEB](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf) 
-或者 [RPM 包](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/rpm/kubeadm/10-kubeadm.conf) 
-安装的配置文件被写入 `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` 并由系统使用。
-它对原来的 [RPM 版本 `kubelet.service`](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/rpm/kubelet/kubelet.service) 
-或者 [DEB 版本 `kubelet.service`](https://github.com/kubernetes/release/blob/master/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service)
-作了增强：
-
-{{< note >}}
-下面的内容只是一个例子。 如果您不想使用包管理器，
-请遵循[没有包管理器](/zh/docs/setup/productionenvironment/tools/kubeadm/install-kubeadm/#k8s-install-2))
-部分中叙述的指南。
-{{< /note >}}
-
 ```none
 [Service]
 Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
@@ -372,8 +346,21 @@ ExecStart=
 ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
 ```
 
-该文件为 kubelet 指定由 kubeadm 管理的所有文件的默认位置。
+<!--
+This file specifies the default locations for all of the files managed by kubeadm for the kubelet.
+-->
+此文件指定由 kubeadm 为 kubelet 管理的所有文件的默认位置。
 
+<!--
+- The KubeConfig file to use for the TLS Bootstrap is `/etc/kubernetes/bootstrap-kubelet.conf`,
+  but it is only used if `/etc/kubernetes/kubelet.conf` does not exist.
+- The KubeConfig file with the unique kubelet identity is `/etc/kubernetes/kubelet.conf`.
+- The file containing the kubelet's ComponentConfig is `/var/lib/kubelet/config.yaml`.
+- The dynamic environment file that contains `KUBELET_KUBEADM_ARGS` is sourced from `/var/lib/kubelet/kubeadm-flags.env`.
+- The file that can contain user-specified flag overrides with `KUBELET_EXTRA_ARGS` is sourced from
+  `/etc/default/kubelet` (for DEBs), or `/etc/sysconfig/kubelet` (for RPMs). `KUBELET_EXTRA_ARGS`
+  is last in the flag chain and has the highest priority in the event of conflicting settings.
+-->
 - 用于 TLS 引导程序的 KubeConfig 文件为 `/etc/kubernetes/bootstrap-kubelet.conf`，
   但仅当 `/etc/kubernetes/kubelet.conf` 不存在时才能使用。
 - 具有唯一 kubelet 标识的 KubeConfig 文件为 `/etc/kubernetes/kubelet.conf`。
@@ -385,26 +372,27 @@ ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELE
 
 <!--
 ## Kubernetes binaries and package contents
+-->
+## Kubernetes 可执行文件和软件包内容    {#kubernetes-binaries-and-package-contents}
 
+<!--
 The DEB and RPM packages shipped with the Kubernetes releases are:
-
-| Package name   | Description |
-|----------------|-------------|
-| `kubeadm`      | Installs the `/usr/bin/kubeadm` CLI tool and the [kubelet drop-in file](#the-kubelet-drop-in-file-for-systemd) for the kubelet. |
-| `kubelet`      | Installs the `/usr/bin/kubelet` binary. |
-| `kubectl`      | Installs the `/usr/bin/kubectl` binary. |
-| `cri-tools`    | Installs the `/usr/bin/crictl` binary from the [cri-tools git repository](https://github.com/kubernetes-sigs/cri-tools). |
-| `kubernetes-cni` | Installs the `/opt/cni/bin` binaries from the [plugins git repository](https://github.com/containernetworking/plugins). |
 -->
-## Kubernetes 可执行文件和软件包内容
-
 Kubernetes 版本对应的 DEB 和 RPM 软件包是：
 
+<!--
 | Package name | Description |
 |--------------|-------------|
-| `kubeadm`    | 给 kubelet 安装 `/usr/bin/kubeadm` CLI 工具和 [kubelet 的 systemd 文件](#the-kubelet-drop-in-file-for-systemd)。 |
+| `kubeadm`    | Installs the `/usr/bin/kubeadm` CLI tool and the [kubelet drop-in file](#the-kubelet-drop-in-file-for-systemd) for the kubelet. |
+| `kubelet`    | Installs the `/usr/bin/kubelet` binary. |
+| `kubectl`    | Installs the `/usr/bin/kubectl` binary. |
+| `cri-tools` | Installs the `/usr/bin/crictl` binary from the [cri-tools git repository](https://github.com/kubernetes-sigs/cri-tools). |
+| `kubernetes-cni` | Installs the `/opt/cni/bin` binaries from the [plugins git repository](https://github.com/containernetworking/plugins). |
+-->
+| 软件包名称   | 描述        |
+|--------------|-------------|
+| `kubeadm`    | 给 kubelet 安装 `/usr/bin/kubeadm` CLI 工具和 [kubelet 的 systemd drop-in 文件](#the-kubelet-drop-in-file-for-systemd)。 |
 | `kubelet`    | 安装 `/usr/bin/kubelet` 可执行文件。 |
 | `kubectl`    | 安装 `/usr/bin/kubectl` 可执行文件。 |
 | `cri-tools` | 从 [cri-tools git 仓库](https://github.com/kubernetes-sigs/cri-tools)中安装 `/usr/bin/crictl` 可执行文件。 |
 | `kubernetes-cni` | 从 [plugins git 仓库](https://github.com/containernetworking/plugins)中安装 `/opt/cni/bin` 可执行文件。|
-
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
similarity index 70%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
index fc30729efd360..0fde3d0a86ed8 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm.md
@@ -7,7 +7,7 @@ weight: 70
 <!--
 reviewers:
 - sig-cluster-lifecycle
-title: Set up a High Availability etcd cluster with kubeadm
+title: Set up a High Availability etcd Cluster with kubeadm
 content_type: task
 weight: 70
 -->
@@ -22,46 +22,46 @@ or upgrades for such nodes. The long term plan is to empower the tool
 [etcdadm](https://github.com/kubernetes-sigs/etcdadm) to manage these
 aspects.
 -->
-在本指南中，当 kubeadm 用作为外部 etcd 节点管理工具，请注意 kubeadm 不计划支持此类节点的证书更换或升级。对于长期规划是使用 [etcdadm](https://github.com/kubernetes-sigs/etcdadm) 增强工具来管理这方面。
+在本指南中，使用 kubeadm 作为外部 etcd 节点管理工具，请注意 kubeadm 不计划支持此类节点的证书更换或升级。
+对于长期规划是使用 [etcdadm](https://github.com/kubernetes-sigs/etcdadm) 增强工具来管理这些方面。
 {{< /note >}}
 
 <!--
-Kubeadm defaults to running a single member etcd cluster in a static pod managed
-by the kubelet on the control plane node. This is not a high availability setup
-as the etcd cluster contains only one member and cannot sustain any members
-becoming unavailable. This task walks through the process of creating a high
-availability etcd cluster of three members that can be used as an external etcd
-when using kubeadm to set up a kubernetes cluster.
+By default, kubeadm runs a local etcd instance on each control plane node.
+It is also possible to treat the etcd cluster as external and provision
+etcd instances on separate hosts. The differences between the two approaches are covered in the
+[Options for Highly Available topology](/docs/setup/production-environment/tools/kubeadm/ha-topology) page.
 -->
-默认情况下，kubeadm 运行单成员的 etcd 集群，该集群由控制面节点上的 kubelet 以静态 Pod 的方式进行管理。由于 etcd 集群只包含一个成员且不能在任一成员不可用时保持运行，所以这不是一种高可用设置。本任务，将告诉你如何在使用 kubeadm 创建一个 kubernetes 集群时创建一个外部 etcd：有三个成员的高可用 etcd 集群。
 
+默认情况下，kubeadm 在每个控制平面节点上运行一个本地 etcd 实例。也可以使用外部的 etcd 集群，并在不同的主机上提供 etcd 实例。
+这两种方法的区别在 [高可用拓扑的选项](/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology) 页面中阐述。
 
+<!--
+This task walks through the process of creating a high availability external
+etcd cluster of three members that can be used by kubeadm during cluster creation.
+-->
 
-## {{% heading "prerequisites" %}}
+这个任务将指导你创建一个由三个成员组成的高可用外部 etcd 集群，该集群在创建过程中可被 kubeadm 使用。
 
+## {{% heading "prerequisites" %}}
 
 <!--
-* Three hosts that can talk to each other over ports 2379 and 2380. This document assumes these default ports. However, they are configurable through the kubeadm config file.
+* Three hosts that can talk to each other over TCP ports 2379 and 2380. This document assumes these default ports. However, they are configurable through the kubeadm config file.
 -->
 * 三个可以通过 2379 和 2380 端口相互通信的主机。本文档使用这些作为默认端口。不过，它们可以通过 kubeadm 的配置文件进行自定义。
 
 <!--
-* Each host must [have docker, kubelet, and kubeadm installed][toolbox].
+* Each host must have systemd and a bash compatible shell installed.
+* Each host must [have a container runtime, kubelet, and kubeadm installed](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
 -->
-* 每个主机必须 [安装有 docker、kubelet 和 kubeadm][工具箱]。
+* 每个主机必须安装 systemd 和 bash 兼容的 shell。
+* 每台主机必须[安装有容器运行时、kubelet 和 kubeadm](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)。
 
 <!--
 * Some infrastructure to copy files between hosts. For example `ssh` and `scp` can satisfy this requirement.
 -->
 * 一些可以用来在主机间复制文件的基础设施。例如 `ssh` 和 `scp` 就可以满足需求。
 
-<!--
-[toolbox]: /docs/setup/production-environment/tools/kubeadm/install-kubeadm/
--->
-[工具箱]: /docs/setup/production-environment/tools/kubeadm/install-kubeadm/
-
-
-
 <!-- steps -->
 
 <!--
@@ -81,9 +81,22 @@ kubeadm contains all the necessary crytographic machinery to generate the certif
 kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这个例子中，不需要其他加密工具。
 {{< /note >}}
 
+<!--
+{{< note >}}
+The examples below use IPv4 addresses but you can also configure kubeadm, the kubelet and etcd
+to use IPv6 addresses. Dual-stack is supported by some Kubernetes options, but not by etcd. For more details
+on Kubernetes dual-stack support see [Dual-stack support with kubeadm](/docs/setup/production-environment/tools/kubeadm/dual-stack-support/).
+{{< /note >}}
+-->
+
+{{< note >}}
+下面的例子使用 IPv4 地址，但是你也可以使用 IPv6 地址配置 kubeadm、kubelet 和 etcd。一些 Kubernetes 选项支持双协议栈，但是 etcd 不支持。
+关于 Kubernetes 双协议栈支持的更多细节，请参见 [kubeadm 的双栈支持](/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support/)。
+{{< /note >}}
+
 <!--
 1. Configure the kubelet to be a service manager for etcd.
- 
+
    {{< note >}}You must do this on every host where etcd should be running.{{< /note >}}
    Since etcd was created first, you must override the service priority by creating a new unit file
    that has higher precedence than the kubeadm-provided kubelet unit file.
@@ -102,6 +115,7 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    ExecStart=
    # 将下面的 "systemd" 替换为你的容器运行时所使用的 cgroup 驱动。
    # kubelet 的默认值为 "cgroupfs"。
+   # 如果需要的话，将 "--container-runtime-endpoint " 的值替换为一个不同的容器运行时。
    ExecStart=/usr/bin/kubelet --address=127.0.0.1 --pod-manifest-path=/etc/kubernetes/manifests --cgroup-driver=systemd
    Restart=always
    EOF
@@ -113,8 +127,8 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    <!--
    Check the kubelet status to ensure it is running.
    -->
-   检查 kubelet 的状态以确保其处于运行状态：
 
+   检查 kubelet 的状态以确保其处于运行状态：
 
    ```shell
    systemctl status kubelet
@@ -131,39 +145,52 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    使用以下脚本为每个将要运行 etcd 成员的主机生成一个 kubeadm 配置文件。
 
    ```sh
-   # 使用 IP 或可解析的主机名替换 HOST0、HOST1 和 HOST2
+   # 使用你的主机 IP 替换 HOST0、HOST1 和 HOST2 的 IP 地址
    export HOST0=10.0.0.6
    export HOST1=10.0.0.7
    export HOST2=10.0.0.8
 
+    # 使用你的主机名更新 NAME0, NAME1 和 NAME2
+    export NAME0="infra0"
+    export NAME1="infra1"
+    export NAME2="infra2"
+
    # 创建临时目录来存储将被分发到其它主机上的文件
    mkdir -p /tmp/${HOST0}/ /tmp/${HOST1}/ /tmp/${HOST2}/
 
-   ETCDHOSTS=(${HOST0} ${HOST1} ${HOST2})
-   NAMES=("infra0" "infra1" "infra2")
-
-   for i in "${!ETCDHOSTS[@]}"; do
-   HOST=${ETCDHOSTS[$i]}
-   NAME=${NAMES[$i]}
-   cat << EOF > /tmp/${HOST}/kubeadmcfg.yaml
-   apiVersion: "kubeadm.k8s.io/v1beta3"
-   kind: ClusterConfiguration
-   etcd:
-       local:
-           serverCertSANs:
-           - "${HOST}"
-           peerCertSANs:
-           - "${HOST}"
-           extraArgs:
-               initial-cluster: infra0=https://${ETCDHOSTS[0]}:2380,infra1=https://${ETCDHOSTS[1]}:2380,infra2=https://${ETCDHOSTS[2]}:2380
-               initial-cluster-state: new
-               name: ${NAME}
-               listen-peer-urls: https://${HOST}:2380
-               listen-client-urls: https://${HOST}:2379
-               advertise-client-urls: https://${HOST}:2379
-               initial-advertise-peer-urls: https://${HOST}:2380
-   EOF
-   done
+    HOSTS=(${HOST0} ${HOST1} ${HOST2})
+    NAMES=(${NAME0} ${NAME1} ${NAME2})
+
+    for i in "${!HOSTS[@]}"; do
+    HOST=${HOSTS[$i]}
+    NAME=${NAMES[$i]}
+    cat << EOF > /tmp/${HOST}/kubeadmcfg.yaml
+    ---
+    apiVersion: "kubeadm.k8s.io/v1beta3"
+    kind: InitConfiguration
+    nodeRegistration:
+        name: ${NAME}
+    localAPIEndpoint:
+        advertiseAddress: ${HOST}
+    ---
+    apiVersion: "kubeadm.k8s.io/v1beta3"
+    kind: ClusterConfiguration
+    etcd:
+        local:
+            serverCertSANs:
+            - "${HOST}"
+            peerCertSANs:
+            - "${HOST}"
+            extraArgs:
+                initial-cluster: ${NAMES[0]}=https://${HOSTS[0]}:2380,${NAMES[1]}=https://${HOSTS[1]}:2380,${NAMES[2]}=https://${HOSTS[2]}:2380
+                initial-cluster-state: new
+                name: ${NAME}
+                listen-peer-urls: https://${HOST}:2380
+                listen-client-urls: https://${HOST}:2379
+                advertise-client-urls: https://${HOST}:2379
+                initial-advertise-peer-urls: https://${HOST}:2380
+    EOF
+    done
    ```
 
 <!--
@@ -185,7 +212,7 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    -->
    如果你还没有 CA，则在 `$HOST0`（你为 kubeadm 生成配置文件的位置）上运行此命令。
 
-   ```
+   ```shell
    kubeadm init phase certs etcd-ca
    ```
 
@@ -280,7 +307,7 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    -->
    在 `$HOST1` 上：
 
-   ```
+   ```console
    $HOME
    └── kubeadmcfg.yaml
    ---
@@ -302,7 +329,7 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    -->
    在 `$HOST2` 上：
 
-   ```
+   ```console
    $HOME
    └── kubeadmcfg.yaml
    ---
@@ -332,15 +359,15 @@ kubeadm 包含生成下述证书所需的所有必要的密码学工具；在这
    在每台主机上运行 `kubeadm` 命令来生成 etcd 使用的静态清单。
 
    ```shell
-   root@HOST0 $ kubeadm init phase etcd local --config=/tmp/${HOST0}/kubeadmcfg.yaml
-   root@HOST1 $ kubeadm init phase etcd local --config=/tmp/${HOST1}/kubeadmcfg.yaml
-   root@HOST2 $ kubeadm init phase etcd local --config=/tmp/${HOST2}/kubeadmcfg.yaml
+    root@HOST0 $ kubeadm init phase etcd local --config=/tmp/${HOST0}/kubeadmcfg.yaml
+    root@HOST1 $ kubeadm init phase etcd local --config=$HOME/kubeadmcfg.yaml
+    root@HOST2 $ kubeadm init phase etcd local --config=$HOME/kubeadmcfg.yaml
    ```
 
 <!--
 1. Optional: Check the cluster health
 -->
-8. 可选：检查群集运行状况
+8. 可选：检查集群运行状况
 
    ```shell
    docker run --rm -it \
@@ -373,6 +400,5 @@ highly available control plane using the [external etcd method with
 kubeadm](/docs/setup/independent/high-availability/).
 -->
 一旦拥有了一个正常工作的 3 成员的 etcd 集群，你就可以基于
-[使用 kubeadm 外部 etcd 的方法](/zh/docs/setup/production-environment/tools/kubeadm/high-availability/)，
+[使用 kubeadm 外部 etcd 的方法](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/)，
 继续部署一个高可用的控制平面。
-
diff --git a/content/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
similarity index 85%
rename from content/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
index d62864511c23e..766679f889d71 100644
--- a/content/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
@@ -21,7 +21,8 @@ If your problem is not listed below, please follow the following steps:
   - Go to [github.com/kubernetes/kubeadm](https://github.com/kubernetes/kubeadm/issues) and search for existing issues.
   - If no issue exists, please [open one](https://github.com/kubernetes/kubeadm/issues/new) and follow the issue template.
 
-- If you are unsure about how kubeadm works, you can ask on [Slack](http://slack.k8s.io/) in #kubeadm, or open a question on [StackOverflow](https://stackoverflow.com/questions/tagged/kubernetes). Please include
+- If you are unsure about how kubeadm works, you can ask on [Slack](https://slack.k8s.io/) in `#kubeadm`,
+  or open a question on [StackOverflow](https://stackoverflow.com/questions/tagged/kubernetes). Please include
   relevant tags like `#kubernetes` and `#kubeadm` so folks can help you.
 -->
 与任何程序一样，你可能会在安装或者运行 kubeadm 时遇到错误。
@@ -33,13 +34,73 @@ If your problem is not listed below, please follow the following steps:
   - 转到 [github.com/kubernetes/kubeadm](https://github.com/kubernetes/kubeadm/issues) 并搜索存在的问题。
   - 如果没有问题，请 [打开](https://github.com/kubernetes/kubeadm/issues/new) 并遵循问题模板。
 
-- 如果你对 kubeadm 的工作方式有疑问，可以在 [Slack](https://slack.k8s.io/) 上的 #kubeadm 频道提问，
+- 如果你对 kubeadm 的工作方式有疑问，可以在 [Slack](https://slack.k8s.io/) 上的 `#kubeadm` 频道提问，
 或者在 [StackOverflow](https://stackoverflow.com/questions/tagged/kubernetes) 上提问。
 请加入相关标签，例如 `#kubernetes` 和 `#kubeadm`，这样其他人可以帮助你。
 
-
 <!-- body -->
 
+<!--
+## Not possible to join a v1.18 Node to a v1.17 cluster due to missing RBAC
+-->
+## 由于缺少 RBAC，无法将 v1.18 Node 加入 v1.17 集群
+
+<!--
+In v1.18 kubeadm added prevention for joining a Node in the cluster if a Node with the same name already exists.
+This required adding RBAC for the bootstrap-token user to be able to GET a Node object.
+
+However this causes an issue where `kubeadm join` from v1.18 cannot join a cluster created by kubeadm v1.17.
+-->
+自从 v1.18 后，如果集群中已存在同名 Node，kubeadm 将禁止 Node 加入集群。
+这需要为 bootstrap-token 用户添加 RBAC 才能 GET Node 对象。
+
+但这会导致一个问题，v1.18 的 `kubeadm join` 无法加入由 kubeadm v1.17 创建的集群。
+
+<!--
+To workaround the issue you have two options:
+
+Execute `kubeadm init phase bootstrap-token` on a control-plane node using kubeadm v1.18.
+Note that this enables the rest of the bootstrap-token permissions as well.
+
+or
+
+Apply the following RBAC manually using `kubectl apply -f ...`:
+-->
+要解决此问题，你有两种选择：
+
+使用 kubeadm v1.18 在控制平面节点上执行 `kubeadm init phase bootstrap-token`。
+请注意，这也会启用 bootstrap-token 的其余权限。
+
+或者，也可以使用 `kubectl apply -f ...` 手动应用以下 RBAC：
+
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeadm:get-nodes
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubeadm:get-nodes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeadm:get-nodes
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:bootstrappers:kubeadm:default-node-token
+```
+
 <!--
 ## `ebtables` or some similar executable not found during installation
 
@@ -101,14 +162,15 @@ and investigating each container by running `docker logs`. For other container r
 
 - 网络连接问题。在继续之前，请检查你的计算机是否具有全部联通的网络连接。
 - 容器运行时的 cgroup 驱动不同于 kubelet 使用的 cgroup 驱动。要了解如何正确配置 cgroup 驱动，
-  请参阅[配置 cgroup 驱动](/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/)。
+  请参阅[配置 cgroup 驱动](/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/)。
 - 控制平面上的 Docker 容器持续进入崩溃状态或（因其他原因）挂起。你可以运行 `docker ps` 命令来检查以及 `docker logs` 命令来检视每个容器的运行日志。
-  对于其他容器运行时，请参阅[使用 crictl 对 Kubernetes 节点进行调试](/zh/docs/tasks/debug/debug-cluster/crictl/)。
+  对于其他容器运行时，请参阅[使用 crictl 对 Kubernetes 节点进行调试](/zh-cn/docs/tasks/debug/debug-cluster/crictl/)。
 
 <!--
 ## kubeadm blocks when removing managed containers
 
-The following could happen if Docker halts and does not remove any Kubernetes-managed containers:
+The following could happen if the container runtime halts and does not remove
+any Kubernetes-managed containers:
 
 ```shell
 sudo kubeadm reset
@@ -122,22 +184,13 @@ sudo kubeadm reset
 (block)
 ```
 
-A possible solution is to restart the Docker service and then re-run `kubeadm reset`:
-
-```shell
-sudo systemctl restart docker.service
-sudo kubeadm reset
-```
-
-Inspecting the logs for docker may also be useful:
-
-```shell
-journalctl -ul docker
-```
+A possible solution is to restart the container runtime and then re-run `kubeadm reset`.
+You can also use `crictl` to debug the state of the container runtime. See
+[Debugging Kubernetes nodes with crictl](/docs/tasks/debug/debug-cluster/crictl/).
 -->
 ## 当删除托管容器时 kubeadm 阻塞
 
-如果 Docker 停止并且不删除 Kubernetes 所管理的所有容器，可能发生以下情况：
+如果容器运行时停止并且未删除 Kubernetes 所管理的容器，可能发生以下情况：
 
 ```shell
 sudo kubeadm reset
@@ -152,17 +205,8 @@ sudo kubeadm reset
 ```
 
 一个可行的解决方案是重新启动 Docker 服务，然后重新运行 `kubeadm reset`：
-
-```shell
-sudo systemctl restart docker.service
-sudo kubeadm reset
-```
-
-检查 docker 的日志也可能有用：
-
-```shell
-journalctl -ul docker
-```
+你也可以使用 `crictl` 来调试容器运行时的状态。
+参见[使用 CRICTL 调试 Kubernetes 节点](/zh-cn/docs/tasks/debug/debug-cluster/crictl/)。
 
 <!--
 ## Pods in `RunContainerError`, `CrashLoopBackOff` or `Error` state
@@ -177,10 +221,6 @@ Right after `kubeadm init` there should not be any pods in these states.
   it's very likely that the Pod Network add-on that you installed is somehow broken.
   You might have to grant it more RBAC privileges or use a newer version. Please file
   an issue in the Pod Network providers' issue tracker and get the issue triaged there.
-- If you install a version of Docker older than 1.12.1, remove the `MountFlags=slave` option
-  when booting `dockerd` with `systemd` and restart `docker`. You can see the MountFlags in `/usr/lib/systemd/system/docker.service`.
-  MountFlags can interfere with volumes mounted by Kubernetes, and put the Pods in `CrashLoopBackOff` state.
-  The error happens when Kubernetes does not find `var/run/secrets/kubernetes.io/serviceaccount` files.
 -->
 ## Pods 处于 `RunContainerError`、`CrashLoopBackOff` 或者 `Error` 状态
 
@@ -191,7 +231,7 @@ Right after `kubeadm init` there should not be any pods in these states.
   直到你部署了网络插件为止。
 
 - 如果在部署完网络插件之后，有 Pods 处于 `RunContainerError`、`CrashLoopBackOff`
-  或 `Error` 状态之一，并且`coredns` （或者 `kube-dns`）仍处于 `Pending` 状态，
+  或 `Error` 状态之一，并且 `coredns` （或者 `kube-dns`）仍处于 `Pending` 状态，
   那很可能是你安装的网络插件由于某种原因无法工作。你或许需要授予它更多的
   RBAC 特权或使用较新的版本。请在 Pod Network 提供商的问题跟踪器中提交问题，
   然后在此处分类问题。
@@ -199,7 +239,7 @@ Right after `kubeadm init` there should not be any pods in these states.
 - 如果你安装的 Docker 版本早于 1.12.1，请在使用 `systemd` 来启动 `dockerd` 和重启 `docker` 时，
   删除 `MountFlags=slave` 选项。
   你可以在 `/usr/lib/systemd/system/docker.service` 中看到 MountFlags。
-  MountFlags 可能会干扰 Kubernetes 挂载的卷， 并使 Pods 处于 `CrashLoopBackOff` 状态。
+  MountFlags 可能会干扰 Kubernetes 挂载的卷，并使 Pods 处于 `CrashLoopBackOff` 状态。
   当 Kubernetes 不能找到 `var/run/secrets/kubernetes.io/serviceaccount` 文件时会发生错误。
 
 <!--
@@ -214,7 +254,7 @@ before CoreDNS may be deployed fully. Hence the `Pending` state before the netwo
 
 这一行为是 **预期之中** 的，因为系统就是这么设计的。
 kubeadm 的网络供应商是中立的，因此管理员应该选择
-[安装 pod 的网络插件](/zh/docs/concepts/cluster-administration/addons/)。
+[安装 pod 的网络插件](/zh-cn/docs/concepts/cluster-administration/addons/)。
 你必须完成 Pod 的网络配置，然后才能完全部署 CoreDNS。
 在网络被配置好之前，DNS 组件会一直处于 `Pending` 状态。
 
@@ -242,7 +282,7 @@ services](/docs/concepts/services-networking/service/#type-nodeport) or use `Hos
 有关更多信息，请参考 [CNI portmap 文档](https://github.com/containernetworking/plugins/blob/master/plugins/meta/portmap/README.md).
 
 如果你的网络提供商不支持 portmap CNI 插件，你或许需要使用
-[NodePort 服务的功能](/zh/docs/concepts/services-networking/service/#type-nodeport)
+[NodePort 服务的功能](/zh-cn/docs/concepts/services-networking/service/#type-nodeport)
 或者使用 `HostNetwork=true`。
 
 <!--
@@ -261,7 +301,7 @@ services](/docs/concepts/services-networking/service/#type-nodeport) or use `Hos
 -->
 ## 无法通过其服务 IP 访问 Pod
 
-- 许多网络附加组件尚未启用 [hairpin 模式](/zh/docs/tasks/debug/debug-application/debug-service/#a-pod-fails-to-reach-itself-via-the-service-ip)
+- 许多网络附加组件尚未启用 [hairpin 模式](/zh-cn/docs/tasks/debug/debug-application/debug-service/#a-pod-fails-to-reach-itself-via-the-service-ip)
   该模式允许 Pod 通过其服务 IP 进行访问。这是与 [CNI](https://github.com/containernetworking/cni/issues/476) 有关的问题。
   请与网络附加组件提供商联系，以获取他们所提供的 hairpin 模式的最新状态。
 
@@ -281,7 +321,7 @@ Unable to connect to the server: x509: certificate signed by unknown authority (
 
 - Verify that the `$HOME/.kube/config` file contains a valid certificate, and
   regenerate a certificate if necessary. The certificates in a kubeconfig file
-  are base64 encoded. The `base64 -d` command can be used to decode the certificate
+  are base64 encoded. The `base64 --decode` command can be used to decode the certificate
   and `openssl x509 -text -noout` can be used for viewing the certificate information.
 - Unset the `KUBECONFIG` environment variable using:
 
@@ -315,7 +355,7 @@ Unable to connect to the server: x509: certificate signed by unknown authority (
 
 - 验证 `$HOME/.kube/config` 文件是否包含有效证书，并
   在必要时重新生成证书。在 kubeconfig 文件中的证书是 base64 编码的。
-  该 `base64 -d` 命令可以用来解码证书，`openssl x509 -text -noout` 命令
+  该 `base64 --decode` 命令可以用来解码证书，`openssl x509 -text -noout` 命令
   可以用于查看证书信息。
 - 使用如下方法取消设置 `KUBECONFIG` 环境变量的值：
 
@@ -329,7 +369,7 @@ Unable to connect to the server: x509: certificate signed by unknown authority (
   export KUBECONFIG=/etc/kubernetes/admin.conf
   ```
 
-- 另一个方法是覆盖 `kubeconfig` 的现有用户 "管理员" ：
+- 另一个方法是覆盖 `kubeconfig` 的现有用户 "管理员"：
 
   ```shell
   mv  $HOME/.kube $HOME/.kube.bak
@@ -338,22 +378,6 @@ Unable to connect to the server: x509: certificate signed by unknown authority (
   sudo chown $(id -u):$(id -g) $HOME/.kube/config
   ```
 
-<!--
-## Default NIC When using flannel as the pod network in Vagrant
-
-The following error might indicate that something was wrong in the pod network:
-
-```sh
-Error from server (NotFound): the server could not find the requested resource
-```
-
-- If you're using flannel as the pod network inside Vagrant, then you will have to specify the default interface name for flannel.
-
-  Vagrant typically assigns two interfaces to all VMs. The first, for which all hosts are assigned the IP address `10.0.2.15`, is for external traffic that gets NATed.
-
-  This may lead to problems with flannel, which defaults to the first interface on a host. This leads to all hosts thinking they have the same public IP address. To prevent this, pass the `-iface eth1` flag to flannel so that the second interface is chosen.
--->
-
 <!--
 ## Kubelet client certificate rotation fails {#kubelet-client-cert}
 
@@ -407,6 +431,22 @@ the `ca.key` you must sign the embedded certificates in the `kubelet.conf` exter
 6. 重新启动 kubelet。
 7. 确保节点状况变为 `Ready`。
 
+<!--
+## Default NIC When using flannel as the pod network in Vagrant
+
+The following error might indicate that something was wrong in the pod network:
+
+```sh
+Error from server (NotFound): the server could not find the requested resource
+```
+
+- If you're using flannel as the pod network inside Vagrant, then you will have to specify the default interface name for flannel.
+
+  Vagrant typically assigns two interfaces to all VMs. The first, for which all hosts are assigned the IP address `10.0.2.15`, is for external traffic that gets NATed.
+
+  This may lead to problems with flannel, which defaults to the first interface on a host. This leads to all hosts thinking they have the same public IP address. To prevent this, pass the `--iface eth1` flag to flannel so that the second interface is chosen.
+-->
+
 ## 在 Vagrant 中使用 flannel 作为 pod 网络时的默认 NIC
 
 以下错误可能表明 Pod 网络中出现问题：
@@ -432,9 +472,9 @@ Error from server: Get https://10.19.0.41:10250/containerLogs/default/mysql-ddc6
 ```
 
 - This may be due to Kubernetes using an IP that can not communicate with other IPs on the seemingly same subnet, possibly by policy of the machine provider.
-- Digital Ocean assigns a public IP to `eth0` as well as a private one to be used internally as anchor for their floating IP feature, yet `kubelet` will pick the latter as the node's `InternalIP` instead of the public one.
+- DigitalOcean assigns a public IP to `eth0` as well as a private one to be used internally as anchor for their floating IP feature, yet `kubelet` will pick the latter as the node's `InternalIP` instead of the public one.
 
-  Use `ip addr show` to check for this scenario instead of `ifconfig` because `ifconfig` will not display the offending alias IP address. Alternatively an API endpoint specific to Digital Ocean allows to query for the anchor IP from the droplet:
+  Use `ip addr show` to check for this scenario instead of `ifconfig` because `ifconfig` will not display the offending alias IP address. Alternatively an API endpoint specific to DigitalOcean allows to query for the anchor IP from the droplet:
 
   ```sh
   curl http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address
@@ -446,7 +486,7 @@ Error from server: Get https://10.19.0.41:10250/containerLogs/default/mysql-ddc6
   private network. The `kubeletExtraArgs` section of the kubeadm
   [`NodeRegistrationOptions` structure](/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-NodeRegistrationOptions)
   can be used for this.
-  
+
   Then restart `kubelet`:
 
   ```sh
@@ -464,20 +504,20 @@ Error from server: Get https://10.19.0.41:10250/containerLogs/default/mysql-ddc6
 
 - 这或许是由于 Kubernetes 使用的 IP 无法与看似相同的子网上的其他 IP 进行通信的缘故，
 可能是由机器提供商的政策所导致的。
-- Digital Ocean 既分配一个共有 IP 给 `eth0`，也分配一个私有 IP 在内部用作其浮动 IP 功能的锚点，
+- DigitalOcean 既分配一个共有 IP 给 `eth0`，也分配一个私有 IP 在内部用作其浮动 IP 功能的锚点，
 然而 `kubelet` 将选择后者作为节点的 `InternalIP` 而不是公共 IP
 
   使用 `ip addr show` 命令代替 `ifconfig` 命令去检查这种情况，因为 `ifconfig` 命令
-  不会显示有问题的别名 IP 地址。或者指定的 Digital Ocean 的 API 端口允许从 droplet 中
+  不会显示有问题的别名 IP 地址。或者指定的 DigitalOcean 的 API 端口允许从 droplet 中
   查询 anchor IP：
 
   ```sh
   curl http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address
   ```
 
-  解决方法是通知 `kubelet` 使用哪个 `--node-ip`。当使用 Digital Ocean 时，可以是公网IP（分配给 `eth0`的），
+  解决方法是通知 `kubelet` 使用哪个 `--node-ip`。当使用 DigitalOcean 时，可以是公网IP（分配给 `eth0` 的），
   或者是私网IP（分配给 `eth1` 的）。私网 IP 是可选的。
-  [kubadm `NodeRegistrationOptions` 结构](/zh/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-NodeRegistrationOptions) 
+  [kubadm `NodeRegistrationOptions` 结构](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-NodeRegistrationOptions)
   的 `KubeletExtraArgs` 部分被用来处理这种情况。
 
   然后重启 `kubelet`：
@@ -512,7 +552,7 @@ are available to avoid Kubernetes trying to restart the CoreDNS Pod every time C
 如果有些节点运行的是旧版本的 Docker，同时启用了 SELinux，你或许会遇到 `coredns` pods 无法启动的情况。
 要解决此问题，你可以尝试以下选项之一：
 
-- 升级到 [Docker 的较新版本](/zh/docs/setup/production-environment/container-runtimes/#docker)。
+- 升级到 [Docker 的较新版本](/zh-cn/docs/setup/production-environment/container-runtimes/#docker)。
 
 - [禁用 SELinux](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-enabling_and_disabling_selinux-disabling_selinux).
 
@@ -557,7 +597,7 @@ yum downgrade docker-1.13.1-75.git8633870.el7.centos.x86_64 docker-client-1.13.1
 
 - Install one of the more recent recommended versions, such as 18.06:
 ```bash
-sudo yum-config-manager -add-repo https://download.docker.com/linux/centos/docker-ce.repo
+sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 yum install docker-ce-18.06.1.ce-3.el7.x86_64
 ```
 -->
@@ -565,7 +605,7 @@ yum install docker-ce-18.06.1.ce-3.el7.x86_64
 
 如果你遇到以下错误：
 
-```
+```console
 rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:247: starting container process caused "process_linux.go:110: decoding init error from pipe caused \"read parent: connection reset by peer\""
 ```
 
@@ -595,13 +635,13 @@ component like the kube-apiserver. However, this mechanism is limited due to the
 the values (`mapStringString`).
 
 If you decide to pass an argument that supports multiple, comma-separated values such as
-`-apiserver-extra-args "enable-admission-plugins=LimitRanger,NamespaceExists"` this flag will fail with
+`--apiserver-extra-args "enable-admission-plugins=LimitRanger,NamespaceExists"` this flag will fail with
 `flag: malformed pair, expect string=string`. This happens because the list of arguments for
-`-apiserver-extra-args` expects `key=value` pairs and in this case `NamespacesExists` is considered
+`--apiserver-extra-args` expects `key=value` pairs and in this case `NamespacesExists` is considered
 as a key that is missing a value.
 
 Alternatively, you can try separating the `key=value` pairs like so:
-`-apiserver-extra-args "enable-admission-plugins=LimitRanger,enable-admission-plugins=NamespaceExists"`
+`--apiserver-extra-args "enable-admission-plugins=LimitRanger,enable-admission-plugins=NamespaceExists"`
 but this will result in the key `enable-admission-plugins` only having the value of `NamespaceExists`.
 
 A known workaround is to use the kubeadm [configuration file](/docs/reference/config-api/kubeadm-config.v1beta3/).
@@ -622,7 +662,7 @@ kube-apiserver 这样的控制平面组件。然而，由于解析 (`mapStringSt
 但这将导致键 `enable-admission-plugins` 仅有值 `NamespaceExists`。
 
 已知的解决方法是使用 kubeadm
-[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
+[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
 
 <!--
 ## kube-proxy scheduled before node is initialized by cloud-controller-manager
@@ -642,7 +682,7 @@ A known solution is to patch the kube-proxy DaemonSet to allow scheduling it on
 nodes regardless of their conditions, keeping it off of other nodes until their initial guarding
 conditions abate:
 ```
-kubectl -n kube-system patch ds kube-proxy -p='{ "spec": { "template": { "spec": { "tolerations": [ { "key": "CriticalAddonsOnly", "operator": "Exists" }, { "effect": "NoSchedule", "key": "node-role.kubernetes.io/master" } ] } } } }'
+kubectl -n kube-system patch ds kube-proxy -p='{ "spec": { "template": { "spec": { "tolerations": [ { "key": "CriticalAddonsOnly", "operator": "Exists" }, { "effect": "NoSchedule", "key": "node-role.kubernetes.io/master" }, { "effect": "NoSchedule", "key": "node-role.kubernetes.io/control-plane" } ] } } } }'
 ```
 
 The tracking issue for this problem is [here](https://github.com/kubernetes/kubeadm/issues/1027).
@@ -654,7 +694,7 @@ The tracking issue for this problem is [here](https://github.com/kubernetes/kube
 
 在 kube-proxy Pod 中可以看到以下错误：
 
-```
+```console
 server.go:610] Failed to retrieve node IP: host IP unknown; known addresses: []
 proxier.go:340] invalid nodeIP, initializing kube-proxy with 127.0.0.1 as nodeIP
 ```
@@ -663,7 +703,7 @@ proxier.go:340] invalid nodeIP, initializing kube-proxy with 127.0.0.1 as nodeIP
 而不管它们的条件如何，将其与其他节点保持隔离，直到它们的初始保护条件消除：
 
 ```shell
-kubectl -n kube-system patch ds kube-proxy -p='{ "spec": { "template": { "spec": { "tolerations": [ { "key": "CriticalAddonsOnly", "operator": "Exists" }, { "effect": "NoSchedule", "key": "node-role.kubernetes.io/master" } ] } } } }'
+kubectl -n kube-system patch ds kube-proxy -p='{ "spec": { "template": { "spec": { "tolerations": [ { "key": "CriticalAddonsOnly", "operator": "Exists" }, { "effect": "NoSchedule", "key": "node-role.kubernetes.io/master" }, { "effect": "NoSchedule", "key": "node-role.kubernetes.io/control-plane" } ] } } } }'
 ```
 
 此问题的跟踪[在这里](https://github.com/kubernetes/kubeadm/issues/1027)。
@@ -681,7 +721,7 @@ for the feature to work.
 ## 节点上的 `/usr` 被以只读方式挂载 {#usr-mounted-read-only}
 
 在类似 Fedora CoreOS 或者 Flatcar Container Linux 这类 Linux 发行版本中，
-目录 `/usr` 是以只读文件系统的形式挂载的。 
+目录 `/usr` 是以只读文件系统的形式挂载的。
 在支持 [FlexVolume](https://github.com/kubernetes/community/blob/ab55d85/contributors/devel/sig-storage/flexvolume.md)时，
 类似 kubelet 和 kube-controller-manager 这类 Kubernetes 组件使用默认路径
 `/usr/libexec/kubernetes/kubelet-plugins/volume/exec/`，
@@ -695,9 +735,9 @@ To workaround this issue you can configure the flex-volume directory using the k
 On the primary control-plane Node (created using `kubeadm init`) pass the following
 file using `--config`:
 -->
-为了解决这个问题，你可以使用 kubeadm 的[配置文件](/docs/reference/config-api/kubeadm-config.v1beta3/) 来配置 FlexVolume 的目录。
+为了解决这个问题，你可以使用 kubeadm 的[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/) 来配置 FlexVolume 的目录。
 
-在（使用 `kubeadm init` 创建的）主控制节点上，使用 `-config`
+在（使用 `kubeadm init` 创建的）主控制节点上，使用 `--config`
 参数传入如下文件：
 
 ```yaml
@@ -789,7 +829,7 @@ on the side of the metrics-server:
 kubeadm 为 kubelet 部署的是自签名的服务证书。这可能会导致 metrics-server
 端报告下面的错误信息：
 
-```
+```console
 x509: certificate signed by unknown authority
 x509: certificate is valid for IP-foo not IP-bar
 ```
@@ -800,8 +840,7 @@ to understand how to configure the kubelets in a kubeadm cluster to have properl
 
 Also see [How to run the metrics-server securely](https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely).
 -->
-参见[为 kubelet 启用签名的服务证书](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs)
+参见[为 kubelet 启用签名的服务证书](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs)
 以进一步了解如何在 kubeadm 集群中配置 kubelet 使用正确签名了的服务证书。
 
-另请参阅[How to run the metrics-server securely](https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely)。
-
+另请参阅 [How to run the metrics-server securely](https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md#how-to-run-metrics-server-securely)。
diff --git a/content/zh/docs/setup/production-environment/tools/kubespray.md b/content/zh-cn/docs/setup/production-environment/tools/kubespray.md
similarity index 98%
rename from content/zh/docs/setup/production-environment/tools/kubespray.md
rename to content/zh-cn/docs/setup/production-environment/tools/kubespray.md
index 512f7589dd209..0f17c9281f715 100644
--- a/content/zh/docs/setup/production-environment/tools/kubespray.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubespray.md
@@ -56,8 +56,8 @@ To choose a tool which best fits your use case, read [this comparison](https://g
 [kubeadm](/docs/reference/setup-tools/kubeadm/) and [kops](/docs/setup/production-environment/tools/kops/).
 -->
 要选择最适合你的用例的工具，请阅读
-[kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 和
-[kops](/zh/docs/setup/production-environment/tools/kops/) 之间的
+[kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) 和
+[kops](/zh-cn/docs/setup/production-environment/tools/kops/) 之间的
 [这份比较](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/comparisons.md)。
  。
 <!-- body -->
diff --git a/content/zh/docs/setup/production-environment/turnkey-solutions.md b/content/zh-cn/docs/setup/production-environment/turnkey-solutions.md
similarity index 100%
rename from content/zh/docs/setup/production-environment/turnkey-solutions.md
rename to content/zh-cn/docs/setup/production-environment/turnkey-solutions.md
diff --git a/content/zh/docs/tasks/_index.md b/content/zh-cn/docs/tasks/_index.md
similarity index 89%
rename from content/zh/docs/tasks/_index.md
rename to content/zh-cn/docs/tasks/_index.md
index 4924d17d49aae..a8d0d9a919b8e 100644
--- a/content/zh/docs/tasks/_index.md
+++ b/content/zh-cn/docs/tasks/_index.md
@@ -26,5 +26,5 @@ If you would like to write a task page, see
 [Creating a Documentation Pull Request](/docs/contribute/new-content/open-a-pr/).
 -->
 如果你希望编写一个任务页面，参考
-[创建一个文档拉取请求](/zh/docs/contribute/new-content/open-a-pr/)。
+[创建一个文档拉取请求](/zh-cn/docs/contribute/new-content/open-a-pr/)。
 
diff --git a/content/zh/docs/tasks/access-application-cluster/_index.md b/content/zh-cn/docs/tasks/access-application-cluster/_index.md
similarity index 100%
rename from content/zh/docs/tasks/access-application-cluster/_index.md
rename to content/zh-cn/docs/tasks/access-application-cluster/_index.md
diff --git a/content/zh/docs/tasks/access-application-cluster/access-cluster-services.md b/content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md
similarity index 78%
rename from content/zh/docs/tasks/access-application-cluster/access-cluster-services.md
rename to content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md
index f2809b6849bd4..42d5ab139711f 100644
--- a/content/zh/docs/tasks/access-application-cluster/access-cluster-services.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md
@@ -11,6 +11,7 @@ This page shows how to connect to services running on the Kubernetes cluster.
 
 ## {{% heading "prerequisites" %}}
 
+
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
 <!-- steps -->
@@ -26,9 +27,9 @@ such as your desktop machine.
 -->
 ## 访问集群上运行的服务
 
-在 Kubernetes 里，[节点](/zh/docs/concepts/architecture/nodes/)、
-[Pod](/zh/docs/concepts/workloads/pods/) 和
-[服务](/zh/docs/concepts/services-networking/service/) 都有自己的 IP。
+在 Kubernetes 里，[节点](/zh-cn/docs/concepts/architecture/nodes/)、
+[Pod](/zh-cn/docs/concepts/workloads/pods/) 和
+[服务](/zh-cn/docs/concepts/services-networking/service/) 都有自己的 IP。
 许多情况下，集群上的节点 IP、Pod IP 和某些服务 IP 是路由不可达的，
 所以不能从集群之外访问它们，例如从你自己的台式机。
 
@@ -56,7 +57,7 @@ You have several options for connecting to nodes, pods and services from outside
 -->
 - 通过公网 IP 访问服务
   - 使用类型为 `NodePort` 或 `LoadBalancer` 的服务，可以从外部访问它们。
-    请查阅[服务](/zh/docs/concepts/services-networking/service/) 和
+    请查阅[服务](/zh-cn/docs/concepts/services-networking/service/) 和
     [kubectl expose](/docs/reference/generated/kubectl/kubectl-commands/#expose) 文档。
   - 取决于你的集群环境，你可以仅把服务暴露在你的企业网络环境中，也可以将其暴露在
     因特网上。需要考虑暴露的服务是否安全，它是否有自己的用户认证？
@@ -117,23 +118,23 @@ The output is similar to this:
 输出类似于：
 
 ```
-Kubernetes master is running at https://104.197.5.247
-elasticsearch-logging is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy
-kibana-logging is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/kibana-logging/proxy
-kube-dns is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/kube-dns/proxy
-grafana is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
-heapster is running at https://104.197.5.247/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
+Kubernetes master is running at https://192.0.2.1
+elasticsearch-logging is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy
+kibana-logging is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/kibana-logging/proxy
+kube-dns is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/kube-dns/proxy
+grafana is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
+heapster is running at https://192.0.2.1/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
 ```
 
 <!--
 This shows the proxy-verb URL for accessing each service.
 For example, this cluster has cluster-level logging enabled (using Elasticsearch), which can be reached
-at `https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/` if suitable credentials are passed, or through a kubectl proxy at, for example:
+at `https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/` if suitable credentials are passed, or through a kubectl proxy at, for example:
 `http://localhost:8080/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`.
 -->
 这一输出显示了用 proxy 动词访问每个服务时可用的 URL。例如，此集群
 （使用 Elasticsearch）启用了集群层面的日志。如果提供合适的凭据，可以通过
-`https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`
+`https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`
 访问，或通过一个 `kubectl proxy` 来访问：
 `http://localhost:8080/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/`。
 
@@ -141,7 +142,7 @@ at `https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-l
 See [Access Clusters Using the Kubernetes API](/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-cluster-api) for how to pass credentials or use kubectl proxy.
 -->
 {{< note >}}
-请参阅[使用 Kubernets API 访问集群](/zh/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-cluster-api)
+请参阅[使用 Kubernetes API 访问集群](/zh-cn/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-cluster-api)
 了解如何传递凭据或如何使用 `kubectl proxy`。
 {{< /note >}}
 
@@ -189,47 +190,47 @@ URL 的 `<service_name>` 段支持的格式为：
 
 * 如要访问 Elasticsearch 服务末端 `_search?q=user:kimchy`，你可以使用：
 
-  ```
-  http://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_search?q=user:kimchy
-  ```
+    ```
+    http://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_search?q=user:kimchy
+    ```
 
 <!--
 * To access the Elasticsearch cluster health information `_cluster/health?pretty=true`, you would use:
 -->
 * 如要访问 Elasticsearch 集群健康信息`_cluster/health?pretty=true`，你会使用：
 
-  ```
-  https://104.197.5.247/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_cluster/health?pretty=true`
-  ```
-
-  <!--
-  The health information is similar to this:
-  -->
-  健康信息与下面的例子类似：
-
-  ```json
-  {
-    "cluster_name" : "kubernetes_logging",
-    "status" : "yellow",
-    "timed_out" : false,
-    "number_of_nodes" : 1,
-    "number_of_data_nodes" : 1,
-    "active_primary_shards" : 5,
-    "active_shards" : 5,
-    "relocating_shards" : 0,
-    "initializing_shards" : 0,
-    "unassigned_shards" : 5
-  }
-  ```
+    ```
+    https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/_cluster/health?pretty=true
+    ```
+
+    <!--
+    The health information is similar to this:
+    -->
+    健康信息与下面的例子类似：
+
+    ```json
+    {
+      "cluster_name" : "kubernetes_logging",
+      "status" : "yellow",
+      "timed_out" : false,
+      "number_of_nodes" : 1,
+      "number_of_data_nodes" : 1,
+      "active_primary_shards" : 5,
+      "active_shards" : 5,
+      "relocating_shards" : 0,
+      "initializing_shards" : 0,
+      "unassigned_shards" : 5
+    }
+    ```
 
 <!--
 * To access the *https* Elasticsearch service health information `_cluster/health?pretty=true`, you would use:
 -->
 * 要访问 *https* Elasticsearch 服务健康信息 `_cluster/health?pretty=true`，你会使用：
 
-  ```
-  https://104.197.5.247/api/v1/namespaces/kube-system/services/https:elasticsearch-logging/proxy/_cluster/health?pretty=true
-  ```
+    ```
+    https://192.0.2.1/api/v1/namespaces/kube-system/services/https:elasticsearch-logging:/proxy/_cluster/health?pretty=true
+    ```
 
 <!--
 #### Using web browsers to access services running on the cluster
@@ -241,12 +242,12 @@ You may be able to put an apiserver proxy URL into the address bar of a browser.
 你或许能够将 API 服务器代理的 URL 放入浏览器的地址栏，然而：
 
 <!--
-- Web browsers cannot usually pass tokens, so you may need to use basic (password) auth. Apiserver can be configured to accept basic auth,
+  - Web browsers cannot usually pass tokens, so you may need to use basic (password) auth. Apiserver can be configured to accept basic auth,
     but your cluster may not be configured to accept basic auth.
-- Some web apps may not work, particularly those with client side javascript that construct URLs in a
+  - Some web apps may not work, particularly those with client side javascript that construct URLs in a
     way that is unaware of the proxy path prefix.
 -->
-- Web 服务器通常不能传递令牌，所以你可能需要使用基本（密码）认证。
-  API 服务器可以配置为接受基本认证，但你的集群可能并没有这样配置。
-- 某些 Web 应用可能无法工作，特别是那些使用客户端 Javascript 构造 URL 的
-  应用，所构造的 URL 可能并不支持代理路径前缀。
+  - Web 服务器通常不能传递令牌，所以你可能需要使用基本（密码）认证。
+    API 服务器可以配置为接受基本认证，但你的集群可能并没有这样配置。
+  - 某些 Web 应用可能无法工作，特别是那些使用客户端 Javascript 构造 URL 的
+    应用，所构造的 URL 可能并不支持代理路径前缀。
diff --git a/content/zh/docs/tasks/access-application-cluster/access-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/access-cluster.md
similarity index 79%
rename from content/zh/docs/tasks/access-application-cluster/access-cluster.md
rename to content/zh-cn/docs/tasks/access-application-cluster/access-cluster.md
index 591652dc9ea14..1f910735d3a90 100644
--- a/content/zh/docs/tasks/access-application-cluster/access-cluster.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/access-cluster.md
@@ -34,12 +34,12 @@ or someone else setup the cluster and provided you with credentials and a locati
 
 Check the location and credentials that kubectl knows about with this command:
 -->
-## 使用 kubectl 完成集群的第一次访问
+## 使用 kubectl 完成集群的第一次访问 {#accessing-for-the-first-time-with-kubectl}
 
-当你第一次访问 Kubernetes API 的时候，我们建议你使用 Kubernetes CLI，`kubectl`。
+当你第一次访问 Kubernetes API 的时候，我们建议你使用 Kubernetes CLI 工具 `kubectl`。
 
 访问集群时，你需要知道集群的地址并且拥有访问的凭证。通常，这些在你通过
-[启动安装](/zh/docs/setup/)安装集群时都是自动安装好的，或者其他人安装时
+[启动安装](/zh-cn/docs/setup/)安装集群时都是自动安装好的，或者其他人安装时
 也应该提供了凭证和集群地址。
 
 通过以下命令检查 kubectl 是否知道集群地址及凭证：
@@ -49,11 +49,12 @@ kubectl config view
 ```
 
 <!--
-Many of the [examples](/docs/user-guide/kubectl-cheatsheet) provide an introduction to using
-`kubectl` and complete documentation is found in the [kubectl reference](/docs/reference/kubectl/).
+Many of the [examples](/docs/reference/kubectl/cheatsheet/) provide an introduction to using
+`kubectl`, and complete documentation is found in the
+[kubectl reference](/docs/reference/kubectl/).
 -->
-有许多 [例子](/zh/docs/reference/kubectl/cheatsheet/) 介绍了如何使用 kubectl，
-可以在 [kubectl 参考](/zh/docs/reference/kubectl/overview/) 中找到更完整的文档。
+有许多[例子](/zh-cn/docs/reference/kubectl/cheatsheet/)介绍了如何使用 kubectl，
+可以在 [kubectl 参考](/zh-cn/docs/reference/kubectl/)中找到更完整的文档。
 
 <!--
 ## Directly accessing the REST API
@@ -73,7 +74,7 @@ curl or wget, or a browser, there are several ways to locate and authenticate:
     - Works with some types of client code that are confused by using a proxy.
     - Need to import a root cert into your browser to protect against MITM.
 -->
-## 直接访问 REST API
+## 直接访问 REST API {#directly-accessing-the-rest-api}
 
 Kubectl 处理 apiserver 的定位和身份验证。
 如果要使用 curl 或 wget 等 http 客户端或浏览器直接访问 REST API，可以通过
@@ -97,13 +98,13 @@ The following command runs kubectl in a mode where it acts as a reverse proxy.
 locating the apiserver and authenticating.
 Run it like this:
 -->
-### 使用 kubectl proxy
+### 使用 kubectl proxy {#using-kubectl-proxy}
 
 以下命令以反向代理的模式运行 kubectl。它处理 apiserver 的定位和验证。
 像这样运行：
 
 ```shell
-kubectl proxy --port=8080 &
+kubectl proxy --port=8080
 ```
 
 <!--
@@ -121,6 +122,12 @@ with [::1] for IPv6, like so:
 ```shell
 curl http://localhost:8080/api/
 ```
+
+<!--
+The output is similar to this:
+-->
+输出类似于：
+
 ```json
 {
   "kind": "APIVersions",
@@ -139,18 +146,18 @@ curl http://localhost:8080/api/
 <!--
 ### Without kubectl proxy
 
-In Kubernetes version 1.3 or later, `kubectl config view` no longer displays the token. Use `kubectl apply` and `kubectl describe secret...` to create a token for the default service account with grep/cut:
+Use `kubectl apply` and `kubectl describe secret...` to create a token for the default service account with grep/cut:
 
 First, create the Secret, requesting a token for the default ServiceAccount:
 
 -->
 
-### 不使用 kubectl proxy
+### 不使用 kubectl proxy {#without-kubectl-proxy}
 
-在 Kubernetes 1.3 或更高版本中，`kubectl config view` 不再显示 token。
 使用 `kubectl apply` 和 `kubectl describe secret ...` 及 grep 和剪切操作来为 default 服务帐户创建令牌，如下所示：
-`grep/cut` 方法实现：
+
 首先，创建 Secret，请求默认 ServiceAccount 的令牌：
+
 ```shell
 kubectl apply -f - <<EOF
 apiVersion: v1
@@ -165,10 +172,9 @@ EOF
 
 <!--
 Next, wait for the token controller to populate the Secret with a token:
-
-Capture and use the generated token:
 -->
 接下来，等待令牌控制器使用令牌填充 Secret：
+
 ```shell
 while ! kubectl describe secret default-token | grep -E '^token' >/dev/null; do
   echo "waiting for token..." >&2
@@ -176,12 +182,22 @@ while ! kubectl describe secret default-token | grep -E '^token' >/dev/null; do
 done
 ```
 
+<!--
+Capture and use the generated token:
+-->
 捕获并使用生成的令牌：
+
 ```shell
-APISERVER=$(kubectl config view | grep server | cut -f 2- -d ":" | tr -d " ")
-TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d ' ')
+APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
+TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d " ")
 curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
 ```
+
+<!--
+The output is similar to this:
+-->
+输出类似于：
+
 ```json
 {
   "kind": "APIVersions",
@@ -197,14 +213,22 @@ curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
 }
 ```
 
+<!--
+Using `jsonpath`:
+-->
 `jsonpath` 方法实现：
 
 ```shell
 APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
-TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode )
+TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)
 curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
 ```
 
+<!--
+The output is similar to this:
+-->
+输出类似于：
+
 ```json
 {
   "kind": "APIVersions",
@@ -230,9 +254,8 @@ certificate.
 
 On some clusters, the apiserver does not require authentication; it may serve
 on localhost, or be protected by a firewall.  There is not a standard
-for this.  [Configuring Access to the API](/docs/admin/accessing-the-api)
-describes how a cluster admin can configure this.  Such approaches may conflict
-with future high-availability support.
+for this.  [Controlling Access to the API](/docs/concepts/security/controlling-access)
+describes how a cluster admin can configure this.
 -->
 上面的例子使用了 `--insecure` 参数，这使得它很容易受到 MITM 攻击。
 当 kubectl 访问集群时，它使用存储的根证书和客户端证书来访问服务器
@@ -241,7 +264,7 @@ with future high-availability support.
 
 在一些集群中，apiserver 不需要身份验证；它可能只服务于 localhost，或者被防火墙保护，
 这个没有一定的标准。
-[配置对 API 的访问](/zh/docs/concepts/security/controlling-access/)
+[配置对 API 的访问](/zh-cn/docs/concepts/security/controlling-access/)
 描述了集群管理员如何进行配置。此类方法可能与未来的高可用性支持相冲突。
 
 <!--
@@ -252,29 +275,29 @@ client libraries.
 
 ### Go client
 
-* To get the library, run the following command: `go get k8s.io/client-go/<version number>/kubernetes`. See [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go) to see which versions are supported.
-* Write an application atop of the client-go clients. Note that client-go defines its own API objects, so if needed, please import API definitions from client-go rather than from the main repository, e.g., `import "k8s.io/client-go/1.4/pkg/api/v1"` is correct.
+* To get the library, run the following command: `go get k8s.io/client-go@kubernetes-<kubernetes-version-number>`, see [INSTALL.md](https://github.com/kubernetes/client-go/blob/master/INSTALL.md#for-the-casual-user) for detailed installation instructions. See [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go#compatibility-matrix) to see which versions are supported.
+* Write an application atop of the client-go clients. Note that client-go defines its own API objects, so if needed, please import API definitions from client-go rather than from the main repository, e.g., `import "k8s.io/client-go/kubernetes"` is correct.
 
 The Go client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 as the kubectl CLI does to locate and authenticate to the apiserver. See this [example](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go).
 
 If the application is deployed as a Pod in the cluster, please refer to the [next section](#accessing-the-api-from-a-pod).
 -->
-## 以编程方式访问 API
+## 以编程方式访问 API {#programmatic-access-to-the-api}
 
 Kubernetes 官方提供对 [Go](#go-client) 和 [Python](#python-client) 的客户端库支持。
 
-### Go 客户端
+### Go 客户端 {#go-client}
 
-* 想要获得这个库，请运行命令：`go get k8s.io/client-go/<version number>/kubernetes`。
-  参阅 [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go)
-  来查看目前支持哪些版本。
+* 想要获得这个库，请运行命令：`go get k8s.io/client-go@kubernetes-<kubernetes-version-number>`，
+  有关详细安装说明，请参阅 [INSTALL.md](https://github.com/kubernetes/client-go/blob/master/INSTALL.md#for-the-casual-user)。
+  请参阅 [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go#compatibility-matrix) 以查看支持的版本。
 * 基于这个 client-go 客户端库编写应用程序。
   请注意，client-go 定义了自己的 API 对象，因此如果需要，请从 client-go 而不是从主存储库
-  导入 API 定义，例如，`import "k8s.io/client-go/1.4/pkg/api/v1"` 才是对的。
+  导入 API 定义，例如，`import "k8s.io/client-go/kubernetes"` 才是对的。
 
 Go 客户端可以像 kubectl CLI 一样使用相同的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 来定位和验证 apiserver。可参阅
 [示例](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go)。
 
@@ -286,7 +309,7 @@ Go 客户端可以像 kubectl CLI 一样使用相同的
 
 To use [Python client](https://github.com/kubernetes-client/python), run the following command: `pip install kubernetes`. See [Python Client Library page](https://github.com/kubernetes-client/python) for more installation options.
 
-The Python client can use the same [kubeconfig file](/docs/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/)
+The Python client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 as the kubectl CLI does to locate and authenticate to the apiserver. See this [example](https://github.com/kubernetes-client/python/tree/master/examples).
 
 ### Other languages
@@ -294,7 +317,7 @@ as the kubectl CLI does to locate and authenticate to the apiserver. See this [e
 There are [client libraries](/docs/reference/using-api/client-libraries/) for accessing the API from other languages.
 See documentation for other libraries for how they authenticate.
 -->
-### Python 客户端
+### Python 客户端 {#python-client}
 
 如果想要使用 [Python 客户端](https://github.com/kubernetes-client/python)，
 请运行命令：`pip install kubernetes`。参阅
@@ -302,13 +325,13 @@ See documentation for other libraries for how they authenticate.
 以获得更详细的安装参数。
 
 Python 客户端可以像 kubectl CLI 一样使用相同的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 来定位和验证 apiserver，可参阅
 [示例](https://github.com/kubernetes-client/python/tree/master/examples)。
 
-### 其它语言
+### 其它语言 {#other-languages}
 
-目前有多个[客户端库](/zh/docs/reference/using-api/client-libraries/)
+目前有多个[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)
 为其它语言提供访问 API 的方法。
 参阅其它库的相关文档以获取他们是如何验证的。
 
@@ -326,29 +349,29 @@ to the API server are somewhat different.
 Please check [Accessing the API from within a Pod](/docs/tasks/run-application/access-api-from-pod/)
 for more details.
 -->
-请参阅[从 Pod 中访问 API](/zh/docs/tasks/run-application/access-api-from-pod/)
+请参阅[从 Pod 中访问 API](/zh-cn/docs/tasks/run-application/access-api-from-pod/)
 了解更多详情。
 
 <!--
 ## Accessing services running on the cluster
 
-The previous section describes how to connect to the Kubernetes API server. 
+The previous section describes how to connect to the Kubernetes API server.
 For information about connecting to other services running on a Kubernetes cluster, see
-[Access Cluster Services](/docs/tasks/administer-cluster/access-cluster-services/).
+[Access Cluster Services](/docs/tasks/access-application-cluster/access-cluster-services/).
 -->
 
 ## 访问集群上运行的服务  {#accessing-services-running-on-the-cluster}
 
 上一节介绍了如何连接到 Kubernetes API 服务器。
 有关连接到 Kubernetes 集群上运行的其他服务的信息，请参阅
-[访问集群服务](/zh/docs/tasks/administer-cluster/access-cluster-services/)。
+[访问集群服务](/zh-cn/docs/tasks/access-application-cluster/access-cluster-services/)。
 
 <!--
 ## Requesting redirects
 
 The redirect capabilities have been deprecated and removed.  Please use a proxy (see below) instead.
 -->
-## 请求重定向
+## 请求重定向 {#requesting-redirects}
 
 重定向功能已弃用并被删除。请改用代理（见下文）。
 
@@ -367,7 +390,7 @@ There are several different proxies you may encounter when using Kubernetes:
     - adds authentication headers
 
 -->
-## 多种代理
+## 多种代理 {#so-many-proxies}
 
 使用 Kubernetes 时可能会遇到几种不同的代理：
 
@@ -381,7 +404,7 @@ There are several different proxies you may encounter when using Kubernetes:
    - 添加身份验证头部
 
 <!--
-1.  The [apiserver proxy](#discovering-builtin-services):
+1.  The [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services):
 
     - is a bastion built into the apiserver
     - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
@@ -391,7 +414,7 @@ There are several different proxies you may encounter when using Kubernetes:
     - can be used to reach a Node, Pod, or Service
     - does load balancing when used to reach a Service
 -->
-2. [apiserver 代理](#discovering-builtin-services)：
+2. [apiserver 代理](/zh-cn/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services)：
 
    - 内置于 apiserver 中
    - 将集群外部的用户连接到集群 IP，否则这些 IP 可能无法访问
@@ -410,7 +433,7 @@ There are several different proxies you may encounter when using Kubernetes:
     - provides load balancing
     - is only used to reach services
 -->
-3. [kube proxy](/zh/docs/concepts/services-networking/service/#ips-and-vips)：
+3. [kube proxy](/zh-cn/docs/concepts/services-networking/service/#ips-and-vips)：
 
    - 运行在每个节点上
    - 代理 UDP 和 TCP
diff --git a/content/zh/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md b/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
similarity index 96%
rename from content/zh/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
rename to content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
index 78986bb030447..8990741f5d47b 100644
--- a/content/zh/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
@@ -17,7 +17,7 @@ between containers.
 -->
 本文旨在说明如何让一个 Pod 内的两个容器使用一个卷（Volume）进行通信。
 参阅如何让两个进程跨容器通过
-[共享进程名字空间](/zh/docs/tasks/configure-pod-container/share-process-namespace/)。
+[共享进程名字空间](/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/)。
 
 ## {{% heading "prerequisites" %}}
 
@@ -205,8 +205,8 @@ the shared Volume is lost.
 -->
 * 进一步了解[复合容器的模式](https://kubernetes.io/blog/2015/06/the-distributed-system-toolkit-patterns.html)
 * 学习[模块化架构中的复合容器](https://www.slideshare.net/Docker/slideshare-burns)
-* 参见[配置 Pod 使用卷来存储数据](/zh/docs/tasks/configure-pod-container/configure-volume-storage/)
-* 参考[在 Pod 中的容器之间共享进程命名空间](/zh/docs/tasks/configure-pod-container/share-process-namespace/)
+* 参见[配置 Pod 使用卷来存储数据](/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage/)
+* 参考[在 Pod 中的容器之间共享进程命名空间](/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/)
 * 参考 [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
 * 参考 [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
 
diff --git a/content/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md b/content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
similarity index 90%
rename from content/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
rename to content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
index 867063c0f6c10..cdf56f376d040 100644
--- a/content/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
@@ -22,14 +22,16 @@ configuration files. After your clusters, users, and contexts are defined in
 one or more configuration files, you can quickly switch between clusters by using the
 `kubectl config use-context` command.
 -->
-本文展示如何使用配置文件来配置对多个集群的访问。 在将集群、用户和上下文定义在一个或多个配置文件中之后，用户可以使用 `kubectl config use-context` 命令快速地在集群之间进行切换。
+本文展示如何使用配置文件来配置对多个集群的访问。
+在将集群、用户和上下文定义在一个或多个配置文件中之后，用户可以使用
+`kubectl config use-context` 命令快速地在集群之间进行切换。
 
+{{< note >}}
 <!--
 A file that is used to configure access to a cluster is sometimes called
 a *kubeconfig file*. This is a generic way of referring to configuration files.
 It does not mean that there is a file named `kubeconfig`.
 -->
-{{< note >}}
 用于配置集群访问的文件有时被称为 *kubeconfig 文件*。
 这是一种引用配置文件的通用方式，并不意味着存在一个名为 `kubeconfig` 的文件。
 {{< /note >}}
@@ -37,7 +39,8 @@ It does not mean that there is a file named `kubeconfig`.
 
 <!--
 {{< warning >}}
-Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure. 
+Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig
+file could result in malicious code execution or file exposure. 
 If you must use an untrusted kubeconfig file, inspect it carefully first, much as you would a shell script.
 {{< /warning>}}
 -->
@@ -60,9 +63,10 @@ cluster's API server.
 要检查 {{< glossary_tooltip text="kubectl" term_id="kubectl" >}} 是否安装，
 执行 `kubectl version --client` 命令。
 kubectl 的版本应该与集群的 API 服务器
-[使用同一次版本号](/zh/releases/version-skew-policy/#kubectl)。
+[使用同一次版本号](/zh-cn/releases/version-skew-policy/#kubectl)。
 
 <!-- steps -->
+
 <!--
 ## Define clusters, users, and contexts
 
@@ -76,16 +80,16 @@ to the scratch cluster requires authentication by username and password.
 Create a directory named `config-exercise`. In your
 `config-exercise` directory, create a file named `config-demo` with this content:
 -->
-## 定义集群、用户和上下文
+## 定义集群、用户和上下文    {#define-clusters-users-and-contexts}
 
 假设用户有两个集群，一个用于正式开发工作，一个用于其它临时用途（scratch）。
 在 `development` 集群中，前端开发者在名为 `frontend` 的名字空间下工作，
-存储开发者在名为 `storage` 的名字空间下工作。 在 `scratch` 集群中，
-开发人员可能在默认名字空间下工作，也可能视情况创建附加的名字空间。 
+存储开发者在名为 `storage` 的名字空间下工作。在 `scratch` 集群中，
+开发人员可能在默认名字空间下工作，也可能视情况创建附加的名字空间。
 访问开发集群需要通过证书进行认证。
 访问其它临时用途的集群需要通过用户名和密码进行认证。
 
-创建名为 `config-exercise` 的目录。 在
+创建名为 `config-exercise` 的目录。在
 `config-exercise` 目录中，创建名为 `config-demo` 的文件，其内容为：
 
 ```yaml
@@ -122,7 +126,7 @@ your configuration file:
 配置文件描述了集群、用户名和上下文。`config-demo` 文件中含有描述两个集群、
 两个用户和三个上下文的框架。
 
-进入 `config-exercise` 目录。输入以下命令，将群集详细信息添加到配置文件中：
+进入 `config-exercise` 目录。输入以下命令，将集群详细信息添加到配置文件中：
 
 ```shell
 kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4 --certificate-authority=fake-ca-file
@@ -139,16 +143,16 @@ kubectl config --kubeconfig=config-demo set-credentials developer --client-certi
 kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password
 ```
 
+{{< note >}}
 <!--
 - To delete a user you can run `kubectl --kubeconfig=config-demo config unset users.<name>`
 - To remove a cluster, you can run `kubectl --kubeconfig=config-demo config unset clusters.<name>`
 - To remove a context, you can run `kubectl --kubeconfig=config-demo config unset contexts.<name>`
 -->
-
-注意：
 - 要删除用户，可以运行 `kubectl --kubeconfig=config-demo config unset users.<name>`
 - 要删除集群，可以运行 `kubectl --kubeconfig=config-demo config unset clusters.<name>`
 - 要删除上下文，可以运行 `kubectl --kubeconfig=config-demo config unset contexts.<name>`
+{{< /note >}}
 
 <!--
 Add context details to your configuration file:
@@ -165,7 +169,7 @@ kubectl config --kubeconfig=config-demo set-context exp-scratch --cluster=scratc
 Open your `config-demo` file to see the added details. As an alternative to opening the
 `config-demo` file, you can use the `config view` command.
 -->
-打开 `config-demo` 文件查看添加的详细信息。 也可以使用 `config view`
+打开 `config-demo` 文件查看添加的详细信息。也可以使用 `config view`
 命令进行查看：
 
 ```shell
@@ -355,7 +359,7 @@ kubectl config --kubeconfig=config-demo view --minify
 In your `config-exercise` directory, create a file named `config-demo-2` with this content:
 -->
 
-## 创建第二个配置文件
+## 创建第二个配置文件    {#create-a-second-configuration-file}
 
 在 `config-exercise` 目录中，创建名为 `config-demo-2` 的文件，其中包含以下内容：
 
@@ -384,7 +388,7 @@ See whether you have an environment variable named `KUBECONFIG`. If so, save the
 current value of your `KUBECONFIG` environment variable, so you can restore it later.
 For example:
 -->
-## 设置 KUBECONFIG 环境变量
+## 设置 KUBECONFIG 环境变量    {#set-the-kubeconfig-environment-variable}
 
 查看是否有名为 `KUBECONFIG` 的环境变量。
 如有，保存 `KUBECONFIG` 环境变量当前的值，以便稍后恢复。
@@ -393,7 +397,7 @@ For example:
 ### Linux
 
 ```shell
-export KUBECONFIG_SAVED=$KUBECONFIG
+export KUBECONFIG_SAVED="$KUBECONFIG"
 ```
 
 ### Windows PowerShell
@@ -414,12 +418,12 @@ Temporarily append two paths to your `KUBECONFIG` environment variable. For exam
 在 Windows 中以分号分隔。
 如果有 `KUBECONFIG` 环境变量，请熟悉列表中的配置文件。
 
-临时添加两条路径到 `KUBECONFIG` 环境变量中。 例如：
+临时添加两条路径到 `KUBECONFIG` 环境变量中。例如：
 
 ### Linux
 
 ```shell
-export  KUBECONFIG=$KUBECONFIG:config-demo:config-demo-2
+export KUBECONFIG="${KUBECONFIG}:config-demo:config-demo-2"
 ```
 
 ### Windows PowerShell
@@ -476,7 +480,7 @@ For more information about how kubeconfig files are merged, see
 [Organizing Cluster Access Using kubeconfig Files](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 -->
 关于 kubeconfig 文件如何合并的更多信息，请参考
-[使用 kubeconfig 文件组织集群访问](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[使用 kubeconfig 文件组织集群访问](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 
 <!--
 ## Explore the $HOME/.kube directory
@@ -489,7 +493,7 @@ Go to `$HOME/.kube`, and see what files are there. Typically, there is a file na
 `config`. There might also be other configuration files in this directory. Briefly
 familiarize yourself with the contents of these files.
 -->
-## 探索 $HOME/.kube 目录
+## 探索 $HOME/.kube 目录    {#explore-the-home-kube-directory}
 
 如果用户已经拥有一个集群，可以使用 `kubectl` 与集群进行交互，
 那么很可能在 `$HOME/.kube` 目录下有一个名为 `config` 的文件。
@@ -504,7 +508,7 @@ If you have a `$HOME/.kube/config` file, and it's not already listed in your
 `KUBECONFIG` environment variable, append it to your `KUBECONFIG` environment variable now.
 For example:
 -->
-## 将 $HOME/.kube/config 追加到 KUBECONFIG 环境变量中
+## 将 $HOME/.kube/config 追加到 KUBECONFIG 环境变量中    {#append-home-kube-config-to-your-kubeconfig-environment-variable}
 
 如果有 `$HOME/.kube/config` 文件，并且还未列在 `KUBECONFIG` 环境变量中，
 那么现在将它追加到 `KUBECONFIG` 环境变量中。
@@ -513,7 +517,7 @@ For example:
 ### Linux
 
 ```shell
-export KUBECONFIG=$KUBECONFIG:$HOME/.kube/config
+export KUBECONFIG="${KUBECONFIG}:$HOME/.kube/config"
 ```
 
 ### Windows Powershell
@@ -535,16 +539,16 @@ kubectl config view
 <!--
 ## Clean up
 
-Return your `KUBECONFIG` environment variable to its original value. For example:
+Return your `KUBECONFIG` environment variable to its original value. For example:<br>
 -->
-## 清理
+## 清理    {#clean-up}
 
-将 `KUBECONFIG` 环境变量还原为原始值。 例如：
+将 `KUBECONFIG` 环境变量还原为原始值。例如：
 
 ### Linux
 
 ```shell
-export KUBECONFIG=$KUBECONFIG_SAVED
+export KUBECONFIG="$KUBECONFIG_SAVED"
 ```
 
 ### Windows PowerShell
@@ -560,6 +564,6 @@ $Env:KUBECONFIG=$ENV:KUBECONFIG_SAVED
 * [kubectl config](/docs/reference/generated/kubectl/kubectl-commands#config)
 -->
 
-* [使用 kubeconfig 文件组织集群访问](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+* [使用 kubeconfig 文件组织集群访问](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 * [kubectl config](/docs/reference/generated/kubectl/kubectl-commands#config)
 
diff --git a/content/zh/docs/tasks/access-application-cluster/configure-dns-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md
similarity index 93%
rename from content/zh/docs/tasks/access-application-cluster/configure-dns-cluster.md
rename to content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md
index 9125fcbfc0680..4bfd1cc54b28d 100644
--- a/content/zh/docs/tasks/access-application-cluster/configure-dns-cluster.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md
@@ -25,7 +25,7 @@ kubeadm 默认会安装 CoreDNS。
 For more information on how to configure CoreDNS for a Kubernetes cluster, see the [Customizing DNS Service](/docs/tasks/administer-cluster/dns-custom-nameservers/). An example demonstrating how to use Kubernetes DNS with kube-dns, see the [Kubernetes DNS sample plugin](https://github.com/kubernetes/examples/tree/master/staging/cluster-dns)
 -->
 要了解关于如何为 Kubernetes 集群配置 CoreDNS 的更多信息，参阅 
-[定制 DNS 服务](/zh/docs/tasks/administer-cluster/dns-custom-nameservers/)。
+[定制 DNS 服务](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/)。
 关于如何利用 kube-dns 配置 kubernetes DNS 的演示例子，参阅 
 [Kubernetes DNS 插件示例](https://github.com/kubernetes/examples/tree/master/staging/cluster-dns)。
 
diff --git a/content/zh/docs/tasks/access-application-cluster/connecting-frontend-backend.md b/content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md
similarity index 95%
rename from content/zh/docs/tasks/access-application-cluster/connecting-frontend-backend.md
rename to content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md
index 5effcb94efffc..b455521662fcb 100644
--- a/content/zh/docs/tasks/access-application-cluster/connecting-frontend-backend.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend.md
@@ -48,9 +48,9 @@ This task uses
 require a supported environment. If your environment does not support this, you can use a Service of type
 [NodePort](/docs/concepts/services-networking/service/#type-nodeport) instead.
 -->
-本任务使用[外部负载均衡服务](/zh/docs/tasks/access-application-cluster/create-external-load-balancer/)，
+本任务使用[外部负载均衡服务](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/)，
 所以需要对应的可支持此功能的环境。如果你的环境不能支持，你可以使用
-[NodePort](/zh/docs/concepts/services-networking/service/#type-nodeport)
+[NodePort](/zh-cn/docs/concepts/services-networking/service/#type-nodeport)
 类型的服务代替。
 
 <!-- lessoncontent -->
@@ -246,7 +246,7 @@ so that you can change the configuration more easily.
 这个 nginx 配置文件是被打包在
 [容器镜像](/examples/service/access/Dockerfile) 里的。
 更好的方法是使用
-[ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)，
+[ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)，
 这样的话你可以更轻易地更改配置。
 {{< /note >}}
 
@@ -343,7 +343,7 @@ kubectl delete deployment frontend backend
 * Learn more about [ConfigMaps](/docs/tasks/configure-pod-container/configure-pod-configmap/)
 * Learn more about [DNS for Service and Pods](/docs/concepts/services-networking/dns-pod-service/)
 -->
-* 进一步了解 [Service](/zh/docs/concepts/services-networking/service/)
-* 进一步了解 [ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)
-* 进一步了解 [Service 和 Pods 的 DNS](/zh/docs/concepts/services-networking/dns-pod-service/)
+* 进一步了解 [Service](/zh-cn/docs/concepts/services-networking/service/)
+* 进一步了解 [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
+* 进一步了解 [Service 和 Pods 的 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)
 
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer.md b/content/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer.md
new file mode 100644
index 0000000000000..a4156f14b9d37
--- /dev/null
+++ b/content/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer.md
@@ -0,0 +1,331 @@
+---
+title: 创建外部负载均衡器
+content_type: task
+weight: 80
+---
+
+<!--
+title: Create an External Load Balancer
+content_type: task
+weight: 80
+-->
+
+<!-- overview -->
+
+<!--
+This page shows how to create an external load balancer.
+-->
+本文展示如何创建一个外部负载均衡器。
+
+<!--
+When creating a {{< glossary_tooltip text="Service" term_id="service" >}}, you have
+the option of automatically creating a cloud load balancer. This provides an
+externally-accessible IP address that sends traffic to the correct port on your cluster
+nodes,
+_provided your cluster runs in a supported environment and is configured with
+the correct cloud load balancer provider package_.
+-->
+创建 {{< glossary_tooltip text="服务" term_id="service" >}} 时，你可以选择自动创建云网络负载均衡器。
+负载均衡器提供外部可访问的 IP 地址，可将流量发送到集群节点上的正确端口上
+（ **假设集群在支持的环境中运行，并配置了正确的云负载均衡器驱动包**）。
+
+<!--
+You can also use an {{< glossary_tooltip term_id="ingress" >}} in place of Service.
+For more information, check the [Ingress](/docs/concepts/services-networking/ingress/)
+documentation.
+-->
+你还可以使用 {{< glossary_tooltip text="Ingress" term_id="ingress" >}} 代替 Service。
+更多信息，请参阅 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/) 文档。
+
+## {{% heading "prerequisites" %}}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+<!--
+Your cluster must be running in a cloud or other environment that already has support
+for configuring external load balancers.
+-->
+你的集群必须在已经支持配置外部负载均衡器的云或其他环境中运行。
+
+<!-- steps -->
+
+<!--
+## Create a Service
+
+### Create a Service from a manifest
+
+To create an external load balancer, add the following line to your
+Service manifest:
+-->
+## 创建服务   {#create-a-service}
+
+### 基于清单文件创建服务   {#create-a-service-from-a-manifest}
+
+要创建外部负载均衡器，请将以下内容添加到你的 Service 清单文件：
+
+```yaml
+    type: LoadBalancer
+```
+
+<!--
+Your manifest might then look like:
+-->
+你的清单文件可能会如下所示：
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: example-service
+spec:
+  selector:
+    app: example
+  ports:
+    - port: 8765
+      targetPort: 9376
+  type: LoadBalancer
+```
+
+<!--
+### Create a Service using kubectl
+
+You can alternatively create the service with the `kubectl expose` command and
+its `--type=LoadBalancer` flag:
+-->
+### 使用 kubectl 创建 Service   {#create-a-service-using-kubectl}
+
+你也可以使用 `kubectl expose` 命令及其 `--type=LoadBalancer` 参数创建服务：
+
+```bash
+kubectl expose deployment example --port=8765 --target-port=9376 \
+        --name=example-service --type=LoadBalancer
+```
+
+<!--
+This command creates a new Service using the same selectors as the referenced
+resource (in the case of the example above, a
+{{< glossary_tooltip text="Deployment" term_id="deployment" >}} named `example`).
+
+For more information, including optional flags, refer to the
+[`kubectl expose` reference](/docs/reference/generated/kubectl/kubectl-commands/#expose).
+-->
+此命令通过使用与引用资源（在上面的示例的情况下，名为 `example` 的
+{{< glossary_tooltip text="Deployment" term_id="deployment" >}}）
+相同的选择器来创建一个新的服务。
+
+更多信息（包括更多的可选参数），请参阅
+[`kubectl expose` 指南](/docs/reference/generated/kubectl/kubectl-commands/#expose)。
+
+<!--
+## Finding your IP address
+
+You can find the IP address created for your service by getting the service
+information through `kubectl`:
+-->
+## 找到你的 IP 地址   {#finding-your-ip-address}
+
+你可以通过 `kubectl` 获取服务信息，找到为你的服务创建的 IP 地址：
+
+```bash
+kubectl describe services example-service
+```
+
+<!--
+which should produce output similar to:
+-->
+这将获得类似如下输出：
+
+```
+Name:                     example-service
+Namespace:                default
+Labels:                   app=example
+Annotations:              <none>
+Selector:                 app=example
+Type:                     LoadBalancer
+IP Families:              <none>
+IP:                       10.3.22.96
+IPs:                      10.3.22.96
+LoadBalancer Ingress:     192.0.2.89
+Port:                     <unset>  8765/TCP
+TargetPort:               9376/TCP
+NodePort:                 <unset>  30593/TCP
+Endpoints:                172.17.0.3:9376
+Session Affinity:         None
+External Traffic Policy:  Cluster
+Events:                   <none>
+```
+
+<!--
+The load balancer's IP address is listed next to `LoadBalancer Ingress`.
+-->
+负载均衡器的 IP 地址列在 `LoadBalancer Ingress` 旁边。
+
+<!--
+If you are running your service on Minikube, you can find the assigned IP address and port with:
+-->
+{{< note >}}
+如果你在 Minikube 上运行服务，你可以通过以下命令找到分配的 IP 地址和端口：
+
+```bash
+minikube service example-service --url
+```
+{{< /note >}}
+
+<!--
+## Preserving the client source IP
+
+By default, the source IP seen in the target container is *not the original
+source IP* of the client. To enable preservation of the client IP, the following
+fields can be configured in the `.spec` of the Service:
+-->
+## 保留客户端源 IP   {#preserving-the-client-source-ip}
+
+默认情况下，目标容器中看到的源 IP 将**不是客户端的原始源 IP**。
+要启用保留客户端 IP，可以在服务的 `.spec` 中配置以下字段：
+
+<!--
+* `.spec.externalTrafficPolicy` - denotes if this Service desires to route
+  external traffic to node-local or cluster-wide endpoints. There are two available
+  options: `Cluster` (default) and `Local`. `Cluster` obscures the client source
+  IP and may cause a second hop to another node, but should have good overall
+  load-spreading. `Local` preserves the client source IP and avoids a second hop
+  for LoadBalancer and NodePort type Services, but risks potentially imbalanced
+  traffic spreading.
+-->
+* `.spec.externalTrafficPolicy` - 表示此 Service 是否希望将外部流量路由到节点本地或集群范围的端点。
+  有两个可用选项：`Cluster`（默认）和 `Local`。
+  `Cluster` 隐藏了客户端源 IP，可能导致第二跳到另一个节点，但具有良好的整体负载分布。
+  `Local` 保留客户端源 IP 并避免 LoadBalancer 和 NodePort 类型服务的第二跳，
+  但存在潜在的不均衡流量传播风险。
+
+<!--
+* `.spec.healthCheckNodePort` - specifies the health check node port
+  (numeric port number) for the service. If you don't specify
+  `healthCheckNodePort`, the service controller allocates a port from your
+  cluster's NodePort range.
+  You can configure that range by setting an API server command line option,
+  `--service-node-port-range`. The Service will use the user-specified
+  `healthCheckNodePort` value if you specify it, provided that the
+  Service `type` is set to LoadBalancer and `externalTrafficPolicy` is set
+  to `Local`.
+-->
+* `.spec.healthCheckNodePort` - 指定服务的 healthcheck nodePort（数字端口号）。
+  如果你未指定 `healthCheckNodePort`，服务控制器从集群的 NodePort 范围内分配一个端口。
+  你可以通过设置 API 服务器的命令行选项 `--service-node-port-range` 来配置上述范围。
+  在服务 `type` 设置为 LoadBalancer 并且 `externalTrafficPolicy` 设置为 `Local` 时，
+  Service 将会使用用户指定的 `healthCheckNodePort` 值（如果你指定了它）。
+
+<!--
+Setting `externalTrafficPolicy` to Local in the Service manifest
+activates this feature. For example:
+-->
+可以通过在服务的清单文件中将 `externalTrafficPolicy` 设置为 Local 来激活此功能。比如：
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: example-service
+spec:
+  selector:
+    app: example
+  ports:
+    - port: 8765
+      targetPort: 9376
+  externalTrafficPolicy: Local
+  type: LoadBalancer
+```
+
+<!--
+### Caveats and limitations when preserving source IPs
+
+Load balancing services from some cloud providers do not let you configure different weights for each target.
+
+With each target weighted equally in terms of sending traffic to Nodes, external
+traffic is not equally load balanced across different Pods. The external load balancer
+is unaware of the number of Pods on each node that are used as a target.
+-->
+### 保留源 IP 时的注意事项和限制   {#caveats-and-limitations-when-preserving-source-ips}
+
+一些云服务供应商的负载均衡服务不允许你为每个目标配置不同的权重。
+
+由于每个目标在向节点发送流量方面的权重相同，因此外部流量不会在不同 Pod 之间平均负载。
+外部负载均衡器不知道每个节点上用作目标的 Pod 数量。
+
+<!--
+Where `NumServicePods <<  _NumNodes` or `NumServicePods >> NumNodes`, a fairly close-to-equal
+distribution will be seen, even without weights.
+
+Internal pod to pod traffic should behave similar to ClusterIP services, with equal probability across all pods.
+-->
+在 `NumServicePods <<  _NumNodes` 或 `NumServicePods >> NumNodes` 时，
+即使没有权重，也会看到接近相等的分布。
+
+内部 Pod 到 Pod 的流量应该与 ClusterIP 服务类似，所有 Pod 的概率相同。
+
+<!--
+## Garbage Collecting Load Balancers
+
+{{< feature-state for_k8s_version="v1.17" state="stable" >}}
+
+In usual case, the correlating load balancer resources in cloud provider should
+be cleaned up soon after a LoadBalancer type Service is deleted. But it is known
+that there are various corner cases where cloud resources are orphaned after the
+associated Service is deleted. Finalizer Protection for Service LoadBalancers was
+introduced to prevent this from happening. By using finalizers, a Service resource
+will never be deleted until the correlating load balancer resources are also deleted.
+-->
+## 回收负载均衡器   {#garbage-collecting-load-balancers}
+
+{{< feature-state for_k8s_version="v1.17" state="stable" >}}
+
+在通常情况下，应在删除 LoadBalancer 类型 Service 后立即清除云服务供应商中的相关负载均衡器资源。
+但是，众所周知，在删除关联的服务后，云资源被孤立的情况很多。
+引入了针对服务负载均衡器的终结器保护，以防止这种情况发生。
+通过使用终结器，在删除相关的负载均衡器资源之前，也不会删除服务资源。
+
+<!--
+Specifically, if a Service has `type` LoadBalancer, the service controller will attach
+a finalizer named `service.kubernetes.io/load-balancer-cleanup`.
+The finalizer will only be removed after the load balancer resource is cleaned up.
+This prevents dangling load balancer resources even in corner cases such as the
+service controller crashing.
+-->
+具体来说，如果服务具有 `type` LoadBalancer，则服务控制器将附加一个名为
+`service.kubernetes.io/load-balancer-cleanup` 的终结器。
+仅在清除负载均衡器资源后才能删除终结器。
+即使在诸如服务控制器崩溃之类的极端情况下，这也可以防止负载均衡器资源悬空。
+
+<!--
+## External load balancer providers
+
+It is important to note that the datapath for this functionality is provided by a load balancer external to the Kubernetes cluster.
+-->
+## 外部负载均衡器供应商   {#external-load-balancer-providers}
+
+请务必注意，此功能的数据路径由 Kubernetes 集群外部的负载均衡器提供。
+
+<!--
+When the Service `type` is set to LoadBalancer, Kubernetes provides functionality equivalent to `type` equals ClusterIP to pods
+within the cluster and extends it by programming the (external to Kubernetes) load balancer with entries for the nodes
+hosting the relevant Kubernetes pods. The Kubernetes control plane automates the creation of the external load balancer,
+health checks (if needed), and packet filtering rules (if needed). Once the cloud provider allocates an IP address for the load
+balancer, the control plane looks up that external IP address and populates it into the Service object.
+-->
+当服务 `type` 设置为 LoadBalancer 时，Kubernetes 向集群中的 Pod 提供的功能等同于
+`type` 设置为 ClusterIP，并通过使用托管了相关 Kubernetes Pod 的节点作为条目对负载均衡器
+（从外部到 Kubernetes）进行编程来扩展它。
+Kubernetes 控制平面自动创建外部负载均衡器、健康检查（如果需要）和包过滤规则（如果需要）。
+一旦云服务供应商为负载均衡器分配了 IP 地址，控制平面就会查找该外部 IP 地址并将其填充到 Service 对象中。
+
+## {{% heading "whatsnext" %}}
+
+<!--
+* Read about [Service](/docs/concepts/services-networking/service/)
+* Read about [Ingress](/docs/concepts/services-networking/ingress/)
+* Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/)
+-->
+* 阅读[服务](/zh-cn/docs/concepts/services-networking/service/)
+* 阅读 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/)
+* 阅读[使用 Service 连接到应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
+
diff --git a/content/zh/docs/tasks/access-application-cluster/ingress-minikube.md b/content/zh-cn/docs/tasks/access-application-cluster/ingress-minikube.md
similarity index 95%
rename from content/zh/docs/tasks/access-application-cluster/ingress-minikube.md
rename to content/zh-cn/docs/tasks/access-application-cluster/ingress-minikube.md
index f23f1382101a6..906b0f5c96c6d 100644
--- a/content/zh/docs/tasks/access-application-cluster/ingress-minikube.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/ingress-minikube.md
@@ -19,9 +19,9 @@ to services in a cluster. An [Ingress controller](/docs/concepts/services-networ
 
 This page shows you how to set up a simple Ingress which routes requests to Service web or web2 depending on the HTTP URI.
 -->
-[Ingress](/zh/docs/concepts/services-networking/ingress/)是一种 API 对象，其中定义了一些规则使得集群中的
+[Ingress](/zh-cn/docs/concepts/services-networking/ingress/)是一种 API 对象，其中定义了一些规则使得集群中的
 服务可以从集群外访问。
-[Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers/)
+[Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers/)
 负责满足 Ingress 中所设置的规则。
 
 本节为你展示如何配置一个简单的 Ingress，根据 HTTP URI 将服务请求路由到
@@ -45,7 +45,7 @@ This page shows you how to set up a simple Ingress which routes requests to Serv
 : {{< kat-button >}}
 
 本地
-: 如果已经在本地[安装Minikube](/zh/docs/tasks/tools/#minikube)，
+: 如果已经在本地[安装Minikube](/zh-cn/docs/tasks/tools/#minikube)，
 请运行 `minikube start` 创建一个集群。
 
 <!--
@@ -438,6 +438,6 @@ The following manifest defines an Ingress that sends traffic to your Service via
 * Read more about [Services](/docs/concepts/services-networking/service/)
 -->
 
-* 进一步了解 [Ingress](/zh/docs/concepts/services-networking/ingress/)。
-* 进一步了解 [Ingress 控制器](/zh/docs/concepts/services-networking/ingress-controllers/)
-* 进一步了解 [服务](/zh/docs/concepts/services-networking/service/)
+* 进一步了解 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/)。
+* 进一步了解 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers/)
+* 进一步了解 [服务](/zh-cn/docs/concepts/services-networking/service/)
diff --git a/content/zh/docs/tasks/access-application-cluster/list-all-running-container-images.md b/content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md
similarity index 97%
rename from content/zh/docs/tasks/access-application-cluster/list-all-running-container-images.md
rename to content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md
index 6459875aeb169..4e4d800937893 100644
--- a/content/zh/docs/tasks/access-application-cluster/list-all-running-container-images.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images.md
@@ -50,7 +50,7 @@ of Containers for each.
 - 使用 `kubectl get pods --all-namespaces` 获取所有命名空间下的所有 Pod
 - 使用 `-o jsonpath={.items[*].spec.containers[*].image}` 来格式化输出，以仅包含容器镜像名称。
   这将以递归方式从返回的 json 中解析出 `image` 字段。
-  - 参阅 [jsonpath 说明](/zh/docs/reference/kubectl/jsonpath/)
+  - 参阅 [jsonpath 说明](/zh-cn/docs/reference/kubectl/jsonpath/)
     获取更多关于如何使用 jsonpath 的信息。
 - 使用标准化工具来格式化输出：`tr`, `sort`, `uniq`
   - 使用 `tr` 以用换行符替换空格
@@ -173,6 +173,6 @@ kubectl get pods --all-namespaces -o go-template --template="{{range .items}}{{r
 -->
 ### 参考
 
-* [Jsonpath](/zh/docs/reference/kubectl/jsonpath/) 参考指南
+* [Jsonpath](/zh-cn/docs/reference/kubectl/jsonpath/) 参考指南
 * [Go template](https://golang.org/pkg/text/template/) 参考指南
 
diff --git a/content/zh/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
similarity index 77%
rename from content/zh/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
rename to content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
index 6c9b830116fec..d9b69809bd0a4 100644
--- a/content/zh/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster.md
@@ -22,7 +22,6 @@ for database debugging.
 ## {{% heading "prerequisites" %}}
 
 * {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
 <!--
 * Install [MongoDB Shell](https://www.mongodb.com/try/download/shell).
 -->
@@ -46,7 +45,7 @@ for database debugging.
    <!--
    The output of a successful command verifies that the deployment was created:
    -->
-   查看输出是否成功，以验证是否成功创建 deployment：
+   成功执行的命令的输出可以证明创建了 Deployment：
 
    ```
    deployment.apps/mongo created
@@ -94,8 +93,7 @@ for database debugging.
    The Deployment automatically manages a ReplicaSet.
    View the ReplicaSet status using:
    -->
-   Deployment 自动管理 ReplicaSet。
-   查看 ReplicaSet 状态：
+   该 Deployment 自动管理一个 ReplicaSet。查看该 ReplicaSet 的状态：
 
    ```shell
    kubectl get replicaset
@@ -104,7 +102,7 @@ for database debugging.
    <!--
    The output displays that the ReplicaSet was created:
    -->
-   输出显示创建的 ReplicaSet：
+   输出显示 ReplicaSet 已被创建：
 
    ```
    NAME               DESIRED   CURRENT   READY   AGE
@@ -123,7 +121,7 @@ for database debugging.
    <!--
    The output of a successful command verifies that the Service was created:
    -->
-   查看输出是否成功，以验证是否成功创建 Service：
+   成功执行的命令的输出可以证明 Service 已经被创建：
 
    ```
    service/mongo created
@@ -132,7 +130,7 @@ for database debugging.
    <!--
    Check the Service created:
    -->
-   检查 Service 是否创建：
+   检查所创建的 Service：
 
    ```shell
    kubectl get service mongo
@@ -141,7 +139,7 @@ for database debugging.
    <!--   
    The output displays the service created:
    -->
-   输出显示创建的 Service：
+   输出显示已被创建的 Service：
 
    ```
    NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
@@ -151,41 +149,53 @@ for database debugging.
 <!--
 3. Verify that the MongoDB server is running in the Pod, and listening on port 27017:
 -->
-3. 验证 MongoDB 服务是否运行在 Pod 中并且监听 27017 端口：
+3. 验证 MongoDB 服务是否运行在 Pod 中并且在 27017 端口上监听：
 
+   <!--
    ```shell
    # Change mongo-75f59d57f4-4nd6q to the name of the Pod
    kubectl get pod mongo-75f59d57f4-4nd6q --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
    ```
+   -->
+   ```shell
+   # 将 mongo-75f59d57f4-4nd6q 改为 Pod 的名称
+   kubectl get pod mongo-75f59d57f4-4nd6q --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
+   ```
 
    <!--
    The output displays the port for MongoDB in that Pod:
    -->
-   输出应该显示 Pod 中 MongoDB 的端口：
+   输出应该显示对应 Pod 中 MongoDB 的端口：
 
    ```
    27017
    ```
 
    <!--
-   (this is the TCP port allocated to MongoDB on the internet).
+   27017 is the TCP port allocated to MongoDB on the internet.
    -->
-   （这是 Internet 分配给 MongoDB 的 TCP 端口）。
+   27017 是分配给 MongoDB 的互联网 TCP 端口。
 
 <!--
 ## Forward a local port to a port on the Pod
 
-1.  `kubectl port-forward` allows using resource name, such as a pod name, to select a matching pod to port forward to.
+1. `kubectl port-forward` allows using resource name, such as a pod name, to select a matching pod to port forward to.
 -->
 ## 转发一个本地端口到 Pod 端口
 
 1. `kubectl port-forward` 允许使用资源名称
    （例如 pod 名称）来选择匹配的 pod 来进行端口转发。
 
+   <!--
    ```shell
    # Change mongo-75f59d57f4-4nd6q to the name of the Pod
    kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017
    ```
+   -->
+   ```shell
+   # 将 mongo-75f59d57f4-4nd6q 改为 Pod 的名称
+   kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017
+   ```
 
    <!--
    which is the same as
@@ -220,30 +230,25 @@ for database debugging.
    <!--
    Any of the above commands works. The output is similar to this:
    -->
-   以上所有命令都应该有效。输出应该类似于：
+   以上所有命令都有效。输出类似于：
 
    ```
    Forwarding from 127.0.0.1:28015 -> 27017
    Forwarding from [::1]:28015 -> 27017
     ```
-<!--
-{{< note >}}
-
-`kubectl port-forward` does not return. To continue with the exercises, you will need to open another terminal.
-
-{{< /note >}}
--->
-{{< note >}}
 
-`kubectl port-forward` 不会返回。你需要打开另一个终端来继续这个练习。
-
-{{< /note >}}
+   {{< note >}}
+   <!--
+   `kubectl port-forward` does not return. To continue with the exercises, you will need to open another terminal.
+   -->
+   `kubectl port-forward` 不会返回。你需要打开另一个终端来继续这个练习。
+   {{< /note >}}
 
 
 <!--
-2.  Start the MongoDB command line interface:
+2. Start the MongoDB command line interface:
 -->
-2.  启动 MongoDB 命令行接口：
+2. 启动 MongoDB 命令行接口：
 
    ```shell
    mongosh --port 28015
@@ -278,7 +283,7 @@ the local port and thus relieve you from having to manage local port conflicts,
 the slightly simpler syntax:
 -->
 如果你不需要指定特定的本地端口，你可以让 `kubectl` 来选择和分配本地端口，
-以便你不需要管理本地端口冲突。该命令使用稍微不同的语法：
+这样你就不需要管理本地端口冲突。该命令使用稍微不同的语法：
 
 ```shell
 kubectl port-forward deployment/mongo :27017
@@ -288,8 +293,8 @@ kubectl port-forward deployment/mongo :27017
 The `kubectl` tool finds a local port number that is not in use (avoiding low ports numbers,
 because these might be used by other applications). The output is similar to:
 -->
-`kubectl` 工具会找到一个未被使用的本地端口号（避免使用低段位的端口号，因为他们可能会被其他应用程序使用）。
-输出应该类似于：
+`kubectl` 工具会找到一个未被使用的本地端口号（避免使用低段位的端口号，
+因为他们可能会被其他应用程序使用）。输出类似于：
 
 ```
 Forwarding from 127.0.0.1:63753 -> 27017
@@ -307,19 +312,19 @@ local workstation to debug the database that is running in the Pod.
 -->
 ## 讨论  {#discussion}
 
-与本地 28015 端口建立的连接将转发到运行 MongoDB 服务器的 Pod 的 27017 端口。
-通过此连接，您可以使用本地工作站来调试在 Pod 中运行的数据库。
+与本地 28015 端口建立的连接将被转发到运行 MongoDB 服务器的 Pod 的 27017 端口。
+通过此连接，你可以使用本地工作站来调试在 Pod 中运行的数据库。
 
+{{< note >}}
 <!--
 `kubectl port-forward` is implemented for TCP ports only.
 The support for UDP protocol is tracked in
 [issue 47862](https://github.com/kubernetes/kubernetes/issues/47862).
 -->
-{{< warning >}}
-`kubectl port-forward` 仅适用于 TCP 端口。
+`kubectl port-forward` 仅实现了 TCP 端口 支持。
 在 [issue 47862](https://github.com/kubernetes/kubernetes/issues/47862)
 中跟踪了对 UDP 协议的支持。
-{{< /warning >}}
+{{< /note >}}
 
 ## {{% heading "whatsnext" %}}
 
diff --git a/content/zh/docs/tasks/access-application-cluster/service-access-application-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md
similarity index 93%
rename from content/zh/docs/tasks/access-application-cluster/service-access-application-cluster.md
rename to content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md
index b5a7084a46e77..8a99607786b3b 100644
--- a/content/zh/docs/tasks/access-application-cluster/service-access-application-cluster.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md
@@ -70,9 +70,9 @@ Here is the configuration file for the application Deployment:
    kubectl apply -f https://k8s.io/examples/service/access/hello-application.yaml
    ```
 
-   上面的命令创建一个 [Deployment](/zh/docs/concepts/workloads/controllers/deployment/) 对象
-   和一个关联的 [ReplicaSet](/zh/docs/concepts/workloads/controllers/replicaset/) 对象。
-   这个 ReplicaSet 有两个 [Pod](/zh/docs/concepts/workloads/pods/)，
+   上面的命令创建一个 [Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/) 对象
+   和一个关联的 [ReplicaSet](/zh-cn/docs/concepts/workloads/controllers/replicaset/) 对象。
+   这个 ReplicaSet 有两个 [Pod](/zh-cn/docs/concepts/workloads/pods/)，
    每个 Pod 都运行着 Hello World 应用。
   
 <!--
@@ -211,7 +211,7 @@ to create a Service.
 ## 使用服务配置文件
 
 作为 `kubectl expose` 的替代方法，你可以使用
-[服务配置文件](/zh/docs/concepts/services-networking/service/) 来创建服务。
+[服务配置文件](/zh-cn/docs/concepts/services-networking/service/) 来创建服务。
 
 ## {{% heading "cleanup" %}}
 
@@ -240,5 +240,5 @@ kubectl delete deployment hello-world
 Learn more about
 [connecting applications with services](/docs/concepts/services-networking/connect-applications-service/).
 -->
-- 进一步了解[通过服务连接应用](/zh/docs/concepts/services-networking/connect-applications-service/)。
+- 进一步了解[通过服务连接应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)。
 
diff --git a/content/zh/docs/tasks/access-application-cluster/web-ui-dashboard.md b/content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md
similarity index 93%
rename from content/zh/docs/tasks/access-application-cluster/web-ui-dashboard.md
rename to content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md
index e19888913fdd3..eb99e7c028d78 100644
--- a/content/zh/docs/tasks/access-application-cluster/web-ui-dashboard.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard.md
@@ -126,7 +126,7 @@ When you access Dashboard on an empty cluster, you'll see the welcome page. This
 当访问空集群的 Dashboard 时，你会看到欢迎界面。
 页面包含一个指向此文档的链接，以及一个用于部署第一个应用程序的按钮。
 此外，你可以看到在默认情况下有哪些默认系统应用运行在 `kube-system`
-[名字空间](/zh/docs/tasks/administer-cluster/namespaces/) 中，比如 Dashboard 自己。
+[名字空间](/zh-cn/docs/tasks/administer-cluster/namespaces/) 中，比如 Dashboard 自己。
 
 <!--
 ![Kubernetes Dashboard welcome page](/images/docs/ui-dashboard-zerostate.png)
@@ -163,13 +163,13 @@ The deploy wizard expects that you provide the following information:
 - **App name** (mandatory): Name for your application. A [label](/docs/concepts/overview/working-with-objects/labels/) with the name will be added to the Deployment and Service, if any, that will be deployed.
 -->
 - **应用名称**（必填）：应用的名称。内容为`应用名称`的
-  [标签](/zh/docs/concepts/overview/working-with-objects/labels/)
+  [标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)
   会被添加到任何将被部署的 Deployment 和 Service。
 
   <!--
   The application name must be unique within the selected Kubernetes [namespace](/docs/tasks/administer-cluster/namespaces/). It must start with a lowercase character, and end with a lowercase character or a number, and contain only lowercase letters, numbers and dashes (-). It is limited to 24 characters. Leading and trailing spaces are ignored.
   -->
-  在选定的 Kubernetes [名字空间](/zh/docs/tasks/administer-cluster/namespaces/) 中，
+  在选定的 Kubernetes [名字空间](/zh-cn/docs/tasks/administer-cluster/namespaces/) 中，
   应用名称必须唯一。必须由小写字母开头，以数字或者小写字母结尾，
   并且只含有小写字母、数字和中划线（-）。小于等于24个字符。开头和结尾的空格会被忽略。
 
@@ -177,7 +177,7 @@ The deploy wizard expects that you provide the following information:
 - **Container image** (mandatory): The URL of a public Docker [container image](/docs/concepts/containers/images/) on any registry, or a private image (commonly hosted on the Google Container Registry or Docker Hub). The container image specification must end with a colon.
  -->
 - **容器镜像**（必填）：公共镜像仓库上的 Docker
-  [容器镜像](/zh/docs/concepts/containers/images/) 或者私有镜像仓库
+  [容器镜像](/zh-cn/docs/concepts/containers/images/) 或者私有镜像仓库
   （通常是 Google Container Registry 或者 Docker Hub）的 URL。容器镜像参数说明必须以冒号结尾。
 
 <!--
@@ -189,14 +189,14 @@ The deploy wizard expects that you provide the following information:
   A [Deployment](/docs/concepts/workloads/controllers/deployment/) will be created to
   maintain the desired number of Pods across your cluster.
   -->
-  系统会创建一个 [Deployment](/zh/docs/concepts/workloads/controllers/deployment/)
+  系统会创建一个 [Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)
   以保证集群中运行期望的 Pod 数量。
 
 <!--
 - **Service** (optional): For some parts of your application (e.g. frontends) you may want to expose a [Service](/docs/concepts/services-networking/service/) onto an external, maybe public IP address outside of your cluster (external Service).
  -->
 - **服务**（可选）：对于部分应用（比如前端），你可能想对外暴露一个
-  [Service](/zh/docs/concepts/services-networking/service/) ，这个 Service
+  [Service](/zh-cn/docs/concepts/services-networking/service/) ，这个 Service
   可能用的是集群之外的公网 IP 地址（外部 Service）。
 
   <!-- 
@@ -234,14 +234,14 @@ If needed, you can expand the **Advanced options** section where you can specify
   to the Deployment and displayed in the application's details.
  -->
 - **描述**：这里你输入的文本会作为一个
-  [注解](/zh/docs/concepts/overview/working-with-objects/annotations/)
+  [注解](/zh-cn/docs/concepts/overview/working-with-objects/annotations/)
   添加到 Deployment，并显示在应用的详细信息中。
 
 <!--
 - **Labels**: Default [labels](/docs/concepts/overview/working-with-objects/labels/) to be used for your application are application name and version. You can specify additional labels to be applied to the Deployment, Service (if any), and Pods, such as release, environment, tier, partition, and release track.
 -->
 - **标签**：应用默认使用的
-  [标签](/zh/docs/concepts/overview/working-with-objects/labels/) 是应用名称和版本。
+  [标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/) 是应用名称和版本。
   你可以为 Deployment、Service（如果有）定义额外的标签，比如 release（版本）、
   environment（环境）、tier（层级）、partition（分区） 和 release track（版本跟踪）。
 
@@ -260,7 +260,7 @@ If needed, you can expand the **Advanced options** section where you can specify
 -->
 - **名字空间**：Kubernetes 支持多个虚拟集群依附于同一个物理集群。
   这些虚拟集群被称为
-  [名字空间](/zh/docs/tasks/administer-cluster/namespaces/)，
+  [名字空间](/zh-cn/docs/tasks/administer-cluster/namespaces/)，
   可以让你将资源划分为逻辑命名的组。
 
   <!--
@@ -287,7 +287,7 @@ If needed, you can expand the **Advanced options** section where you can specify
 - **Image Pull Secret**: In case the specified Docker container image is private, it may require [pull secret](/docs/concepts/configuration/secret/) credentials.
 -->
 - **镜像拉取 Secret**：如果要使用私有的 Docker 容器镜像，需要拉取
-  [Secret](/zh/docs/concepts/configuration/secret/) 凭证。
+  [Secret](/zh-cn/docs/concepts/configuration/secret/) 凭证。
 
   <!--
   Dashboard offers all available secrets in a dropdown list, and allows you to create a new secret.
@@ -299,7 +299,7 @@ If needed, you can expand the **Advanced options** section where you can specify
   Dashboard 通过下拉菜单提供所有可用的 Secret，并允许你创建新的 Secret。
   Secret 名称必须遵循 DNS 域名语法，比如 `new.image-pull.secret`。
   Secret 的内容必须是 base64 编码的，并且在一个
-  [`.dockercfg`](/zh/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
+  [`.dockercfg`](/zh-cn/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
   文件中声明。Secret 名称最大可以包含 253 个字符。
   
   <!--
@@ -313,21 +313,21 @@ If needed, you can expand the **Advanced options** section where you can specify
 - **CPU requirement (cores)** and **Memory requirement (MiB)**: You can specify the minimum [resource limits](/docs/tasks/configure-pod-container/limit-range/) for the container. By default, Pods run with unbounded CPU and memory limits.
  -->
 - **CPU 需求（核数）**和**内存需求（MiB）**：你可以为容器定义最小的
-  [资源限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)。
+  [资源限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)。
   默认情况下，Pod 没有 CPU 和内存限制。
 
 <!--
 - **Run command** and **Run command arguments**: By default, your containers run the specified Docker image's default [entrypoint command](/docs/user-guide/containers/#containers-and-commands). You can use the command options and arguments to override the default.
  -->
 - **运行命令**和**运行命令参数**：默认情况下，你的容器会运行 Docker 镜像的默认
-  [入口命令](/zh/docs/tasks/inject-data-application/define-command-argument-container/)。
+  [入口命令](/zh-cn/docs/tasks/inject-data-application/define-command-argument-container/)。
   你可以使用 command 选项覆盖默认值。
 
 <!--
 - **Run as privileged**: This setting determines whether processes in [privileged containers](/docs/user-guide/pods/#privileged-mode-for-pod-containers) are equivalent to processes running as root on the host. Privileged containers can make use of capabilities like manipulating the network stack and accessing devices.
  -->
 - **以特权模式运行**：这个设置决定了在
-  [特权容器](/zh/docs/concepts/workloads/pods/#privileged-mode-for-containers)
+  [特权容器](/zh-cn/docs/concepts/workloads/pods/#privileged-mode-for-containers)
   中运行的进程是否像主机中使用 root 运行的进程一样。
   特权容器可以使用诸如操纵网络堆栈和访问设备的功能。
 
@@ -335,7 +335,7 @@ If needed, you can expand the **Advanced options** section where you can specify
 - **Environment variables**: Kubernetes exposes Services through [environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/). You can compose environment variable or pass arguments to your commands using the values of environment variables. They can be used in applications to find a Service. Values can reference other variables using the `$(VAR_NAME)` syntax.
  -->
 - **环境变量**：Kubernetes 通过
-  [环境变量](/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
+  [环境变量](/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
   暴露 Service。你可以构建环境变量，或者将环境变量的值作为参数传递给你的命令。
   它们可以被应用用于查找 Service。值可以通过  `$(VAR_NAME)` 语法关联其他变量。
 
@@ -350,7 +350,7 @@ The manifests use the Kubernetes [API](/docs/concepts/overview/kubernetes-api/)
 
 Kubernetes 支持声明式配置。所有的配置都存储在清单文件
 （YAML 或者 JSON 配置文件）中。这些
-清单使用 Kubernetes [API](/zh/docs/concepts/overview/kubernetes-api/) 定义的资源模式。
+清单使用 Kubernetes [API](/zh-cn/docs/concepts/overview/kubernetes-api/) 定义的资源模式。
 
 <!--
 As an alternative to specifying application details in the deploy wizard,
diff --git a/content/zh/docs/tasks/administer-cluster/_index.md b/content/zh-cn/docs/tasks/administer-cluster/_index.md
similarity index 100%
rename from content/zh/docs/tasks/administer-cluster/_index.md
rename to content/zh-cn/docs/tasks/administer-cluster/_index.md
diff --git a/content/zh/docs/tasks/administer-cluster/access-cluster-api.md b/content/zh-cn/docs/tasks/administer-cluster/access-cluster-api.md
similarity index 94%
rename from content/zh/docs/tasks/administer-cluster/access-cluster-api.md
rename to content/zh-cn/docs/tasks/administer-cluster/access-cluster-api.md
index d67fb83d5a1f6..19d2b1db472d0 100644
--- a/content/zh/docs/tasks/administer-cluster/access-cluster-api.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/access-cluster-api.md
@@ -42,7 +42,7 @@ a [Getting started guide](/docs/setup/),
 or someone else setup the cluster and provided you with credentials and a location.
 -->
 要访问集群，你需要知道集群位置并拥有访问它的凭证。
-通常，当你完成[入门指南](/zh/docs/setup/)时，这会自动设置完成，或者由其他人设置好集群并将凭证和位置提供给你。
+通常，当你完成[入门指南](/zh-cn/docs/setup/)时，这会自动设置完成，或者由其他人设置好集群并将凭证和位置提供给你。
 
 <!--
 Check the location and credentials that kubectl knows about with this command:
@@ -59,7 +59,7 @@ kubectl. Complete documentation is found in the [kubectl manual](/docs/reference
 -->
 
 许多[样例](https://github.com/kubernetes/examples/tree/master/)
-提供了使用 kubectl 的介绍。完整文档请见 [kubectl 手册](/zh/docs/reference/kubectl/)。
+提供了使用 kubectl 的介绍。完整文档请见 [kubectl 手册](/zh-cn/docs/reference/kubectl/)。
 
 <!--
 ### Directly accessing the REST API
@@ -222,7 +222,7 @@ describes how you can configure this as a cluster administrator.
 -->
 在一些集群中，API 服务器不需要身份认证；它运行在本地，或由防火墙保护着。
 对此并没有一个标准。
-[配置对 API 的访问](/zh/docs/concepts/security/controlling-access/)
+[配置对 API 的访问](/zh-cn/docs/concepts/security/controlling-access/)
 讲解了作为集群管理员可如何对此进行配置。
 
 <!--
@@ -235,7 +235,7 @@ Kubernetes officially supports client libraries for [Go](#go-client), [Python](#
 Kubernetes 官方支持 [Go](#go-client)、[Python](#python-client)、[Java](#java-client)、
 [dotnet](#dotnet-client)、[JavaScript](#javascript-client) 和 [Haskell](#haskell-client)
 语言的客户端库。还有一些其他客户端库由对应作者而非 Kubernetes 团队提供并维护。
-参考[客户端库](/zh/docs/reference/using-api/client-libraries/)了解如何使用其他语言
+参考[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)了解如何使用其他语言
 来访问 API 以及如何执行身份认证。
 
 <!-- #### Go client -->
@@ -264,7 +264,7 @@ The Go client can use the same [kubeconfig file](/docs/concepts/cluster-administ
 as the kubectl CLI does to locate and authenticate to the API server. See this [example](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go):
 -->
 Go 客户端可以使用与 kubectl 命令行工具相同的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 定位和验证 API 服务器。参见这个
 [例子](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go)：
 
@@ -295,7 +295,7 @@ func main() {
 If the application is deployed as a Pod in the cluster, see [Accessing the API from within a Pod](/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod).
 -->
 如果该应用程序部署为集群中的一个
-Pod，请参阅[从 Pod 内访问 API](/zh/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)。
+Pod，请参阅[从 Pod 内访问 API](/zh-cn/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)。
 
 <!-- #### Python client -->
 #### Python 客户端 {#python-client}
@@ -312,7 +312,7 @@ The Python client can use the same [kubeconfig file](/docs/concepts/cluster-admi
 as the kubectl CLI does to locate and authenticate to the API server. See this [example](https://github.com/kubernetes-client/python/blob/master/examples/out_of_cluster_config.py):
 -->
 Python 客户端可以使用与 kubectl 命令行工具相同的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 定位和验证 API 服务器。参见这个
 [例子](https://github.com/kubernetes-client/python/blob/master/examples/out_of_cluster_config.py)：
 
@@ -355,7 +355,7 @@ as the kubectl CLI does to locate and authenticate to the API server. See this [
 了解当前支持的版本。
 
 Java 客户端可以使用 kubectl 命令行所使用的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 以定位 API 服务器并向其认证身份。
 参看此[示例](https://github.com/kubernetes-client/java/blob/master/examples/src/main/java/io/kubernetes/client/examples/KubeConfigFileClientExample.java)：
 
@@ -421,7 +421,7 @@ as the kubectl CLI does to locate and authenticate to the API server. See this [
 参见[.Net 客户端库页面](https://github.com/kubernetes-client/csharp)了解更多安装选项。
 关于可支持的版本，参见[https://github.com/kubernetes-client/csharp/releases](https://github.com/kubernetes-client/csharp/releases)。
 
-.Net 客户端可以使用与 kubectl CLI 相同的 [kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+.Net 客户端可以使用与 kubectl CLI 相同的 [kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 来定位并验证 API 服务器。
 参见[样例](https://github.com/kubernetes-client/csharp/blob/master/examples/simple/PodList.cs): 
 
@@ -468,7 +468,7 @@ as the kubectl CLI does to locate and authenticate to the API server. See this [
 参考[https://github.com/kubernetes-client/javascript/releases](https://github.com/kubernetes-client/javascript/releases)了解可支持的版本。
 
 JavaScript 客户端可以使用 kubectl 命令行所使用的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 以定位 API 服务器并向其认证身份。
 参见[此例](https://github.com/kubernetes-client/javascript/blob/master/examples/example.js)：
 
@@ -499,7 +499,7 @@ as the kubectl CLI does to locate and authenticate to the API server. See this [
 
 [Haskell 客户端](https://github.com/kubernetes-client/haskell)
 可以使用 kubectl 命令行所使用的
-[kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 以定位 API 服务器并向其认证身份。
 参见[此例](https://github.com/kubernetes-client/haskell/blob/master/kubernetes-client/example/App.hs)：
 
@@ -519,4 +519,4 @@ exampleWithKubeConfig = do
 <!--
 * [Accessing the Kubernetes API from a Pod](/docs/tasks/run-application/access-api-from-pod/)
 -->
-* [从 Pod 中访问 API](/zh/docs/tasks/run-application/access-api-from-pod/)
+* [从 Pod 中访问 API](/zh-cn/docs/tasks/run-application/access-api-from-pod/)
diff --git a/content/zh/docs/tasks/administer-cluster/certificates.md b/content/zh-cn/docs/tasks/administer-cluster/certificates.md
similarity index 98%
rename from content/zh/docs/tasks/administer-cluster/certificates.md
rename to content/zh-cn/docs/tasks/administer-cluster/certificates.md
index 9047c0c0aea8a..2842d9ebf9271 100644
--- a/content/zh/docs/tasks/administer-cluster/certificates.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/certificates.md
@@ -1,11 +1,11 @@
 ---
-title: 证书
+title: 手动生成证书
 content_type: task
 weight: 20
 ---
 <!-- 
 ---
-title: Certificates
+title: Generate Certificates Manually
 content_type: task
 weight: 20
 ---
@@ -291,7 +291,7 @@ Finally, add the same parameters into the API server start parameters.
     -->
 1.  创建一个 JSON 配置文件，用来为 API 服务器生成秘钥和证书，例如：`server-csr.json`。
     确认用你需要的值替换掉尖括号中的值。`MASTER_CLUSTER_IP` 是为 API 服务器 指定的服务集群 IP，就像前面小节描述的那样。
-    以下示例假定你的默认 DSN 域名为`cluster.local`。
+    以下示例假定你的默认 DNS 域名为`cluster.local`。
 
         {
           "CN": "kubernetes",
@@ -369,5 +369,5 @@ x509 certificates to use for authentication as documented
 [here](/docs/tasks/tls/managing-tls-in-a-cluster).
 -->
 你可以通过 `certificates.k8s.io` API 提供 x509 证书，用来做身份验证，
-如[本](/zh/docs/tasks/tls/managing-tls-in-a-cluster)文档所述。
+如[本](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster)文档所述。
 
diff --git a/content/zh/docs/tasks/administer-cluster/change-default-storage-class.md b/content/zh-cn/docs/tasks/administer-cluster/change-default-storage-class.md
similarity index 96%
rename from content/zh/docs/tasks/administer-cluster/change-default-storage-class.md
rename to content/zh-cn/docs/tasks/administer-cluster/change-default-storage-class.md
index ca4efbb7e2a27..fea5db84f5f72 100644
--- a/content/zh/docs/tasks/administer-cluster/change-default-storage-class.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/change-default-storage-class.md
@@ -31,7 +31,7 @@ for details.
 取决于安装模式，你的 Kubernetes 集群可能和一个被标记为默认的已有 StorageClass 一起部署。
 这个默认的 StorageClass 以后将被用于动态的为没有特定存储类需求的 PersistentVolumeClaims 
 配置存储。更多细节请查看
-[PersistentVolumeClaim 文档](/zh/docs/concepts/storage/persistent-volumes/#perspersistentvolumeclaims)。
+[PersistentVolumeClaim 文档](/zh-cn/docs/concepts/storage/persistent-volumes/#perspersistentvolumeclaims)。
 
 <!--
 The pre-installed default StorageClass may not fit well with your expected workload;
@@ -150,5 +150,5 @@ for details about addon manager and how to disable individual addons.
 <!--
 * Learn more about [PersistentVolumes](/docs/concepts/storage/persistent-volumes/).
 -->
-* 进一步了解 [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/)
+* 进一步了解 [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
 
diff --git a/content/zh/docs/tasks/administer-cluster/change-pv-reclaim-policy.md b/content/zh-cn/docs/tasks/administer-cluster/change-pv-reclaim-policy.md
similarity index 74%
rename from content/zh/docs/tasks/administer-cluster/change-pv-reclaim-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/change-pv-reclaim-policy.md
index 950e493f52c01..65bade8e8eb64 100644
--- a/content/zh/docs/tasks/administer-cluster/change-pv-reclaim-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/change-pv-reclaim-policy.md
@@ -54,13 +54,16 @@ PersistentVolumes 可以有多种回收策略，包括 "Retain"、"Recycle" 和
    kubectl get pv
    ```
 
+   <!--
+   The output is similar to this:
+   -->
    输出类似于这样：
 
-   ```
-   NAME                                       CAPACITY   ACCESSMODES   RECLAIMPOLICY   STATUS    CLAIM                  REASON    AGE
-   pvc-b6efd8da-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim1                   10s
-   pvc-b95650f8-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim2                   6s
-   pvc-bb3ca71d-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim3                   3s
+   ```none
+   NAME                                       CAPACITY   ACCESSMODES   RECLAIMPOLICY   STATUS    CLAIM             STORAGECLASS     REASON    AGE
+   pvc-b6efd8da-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim1    manual                     10s
+   pvc-b95650f8-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim2    manual                     6s
+   pvc-bb3ca71d-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim3    manual                     3s
    ```
 
    <!--
@@ -112,11 +115,11 @@ PersistentVolumes 可以有多种回收策略，包括 "Retain"、"Recycle" 和
    -->
    输出类似于这样：
 
-   ```
-   NAME                                       CAPACITY   ACCESSMODES   RECLAIMPOLICY   STATUS    CLAIM                  REASON    AGE
-   pvc-b6efd8da-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim1                   40s
-   pvc-b95650f8-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim2                   36s
-   pvc-bb3ca71d-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Retain          Bound     default/claim3                   33s
+   ```none
+   NAME                                       CAPACITY   ACCESSMODES   RECLAIMPOLICY   STATUS    CLAIM             STORAGECLASS     REASON    AGE
+   pvc-b6efd8da-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim1    manual                     40s
+   pvc-b95650f8-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Delete          Bound     default/claim2    manual                     36s
+   pvc-bb3ca71d-b7b5-11e6-9d58-0ed433a7dd94   4Gi        RWO           Retain          Bound     default/claim3    manual                     33s
    ```
 
    <!--
@@ -133,12 +136,20 @@ PersistentVolumes 可以有多种回收策略，包括 "Retain"、"Recycle" 和
 * Learn more about [PersistentVolumes](/docs/concepts/storage/persistent-volumes/).
 * Learn more about [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims).
 -->
-* 进一步了解 [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/)
-* 进一步了解 [PersistentVolumeClaims](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
+* 进一步了解 [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
+* 进一步了解 [PersistentVolumeClaims](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
 
-### 参考
+### 参考 {#reference}
 
-* [PersistentVolume](/docs/api-reference/{{< param "version" >}}/#persistentvolume-v1-core)
-* [PersistentVolumeClaim](/docs/api-reference/{{< param "version" >}}/#persistentvolumeclaim-v1-core)
-* 参阅 [PersistentVolumeSpec](/docs/api-reference/{{< param "version" >}}/#persistentvolumeclaim-v1-core) 的 `persistentVolumeReclaimPolicy` 字段
+<!--
+* {{< api-reference page="config-and-storage-resources/persistent-volume-v1" >}}
+  * Pay attention to the `.spec.persistentVolumeReclaimPolicy`
+    [field](/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/#PersistentVolumeSpec)
+    of PersistentVolume.
+* {{< api-reference page="config-and-storage-resources/persistent-volume-claim-v1" >}}
+-->
+* {{< api-reference page="config-and-storage-resources/persistent-volume-v1" >}}
+  * 注意 PersistentVolume 的 `.spec.persistentVolumeReclaimPolicy`
+    [字段](/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/#PersistentVolumeSpec)。
+* {{< api-reference page="config-and-storage-resources/persistent-volume-claim-v1" >}}
 
diff --git a/content/zh/docs/tasks/administer-cluster/cluster-upgrade.md b/content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md
similarity index 84%
rename from content/zh/docs/tasks/administer-cluster/cluster-upgrade.md
rename to content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md
index 72535b27e83d7..bcd5eb2b6efe0 100644
--- a/content/zh/docs/tasks/administer-cluster/cluster-upgrade.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md
@@ -41,14 +41,14 @@ At a high level, the steps you perform are:
 
 <!-- 
 You must have an existing cluster. This page is about upgrading from Kubernetes
-{{< skew prevMinorVersion >}} to Kubernetes {{< skew latestVersion >}}. If your cluster
-is not currently running Kubernetes {{< skew prevMinorVersion >}} then please check
+{{< skew currentVersionAddMinor -1 >}} to Kubernetes {{< skew currentVersion >}}. If your cluster
+is not currently running Kubernetes {{< skew currentVersionAddMinor -1 >}} then please check
 the documentation for the version of Kubernetes that you plan to upgrade to.
 -->
 你必须有一个集群。
-本页内容涉及从 Kubernetes {{< skew prevMinorVersion >}} 
-升级到 Kubernetes {{< skew latestVersion >}}。
-如果你的集群未运行 Kubernetes {{< skew prevMinorVersion >}}，
+本页内容涉及从 Kubernetes {{< skew currentVersionAddMinor -1 >}} 
+升级到 Kubernetes {{< skew currentVersion >}}。
+如果你的集群未运行 Kubernetes {{< skew currentVersionAddMinor -1 >}}，
 那请参考目标 Kubernetes 版本的文档。
 
 <!-- ## Upgrade approaches -->
@@ -65,11 +65,11 @@ Once you have upgraded the cluster, remember to
 [install the latest version of `kubectl`](/docs/tasks/tools/).
 -->
 如果你的集群是使用 `kubeadm` 安装工具部署而来，
-那么升级群集的详细信息，请参阅
-[升级 kubeadm 集群](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)。
+那么升级集群的详细信息，请参阅
+[升级 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)。
 
 升级集群之后，要记得
-[安装最新版本的 `kubectl`](/zh/docs/tasks/tools/).
+[安装最新版本的 `kubectl`](/zh-cn/docs/tasks/tools/).
 
 <!-- ### Manual deployments -->
 ### 手动部署 {#manual-deployments}
@@ -104,16 +104,16 @@ At this point you should
 [install the latest version of `kubectl`](/docs/tasks/tools/).
 
 For each node in your cluster, [drain](/docs/tasks/administer-cluster/safely-drain-node/)
-that node and then either replace it with a new node that uses the {{< skew latestVersion >}}
-kubelet, or upgrade the {{< skew latestVersion >}}
+that node and then either replace it with a new node that uses the {{< skew currentVersion >}}
+kubelet, or upgrade the {{< skew currentVersion >}}
 kubelet on that node and bring the node back into service.
 -->
 现在，你应该
-[安装最新版本的 `kubectl`](/zh/docs/tasks/tools/).
+[安装最新版本的 `kubectl`](/zh-cn/docs/tasks/tools/).
 
-对于群集中的每个节点，
-[排空](/zh/docs/tasks/administer-cluster/safely-drain-node/)
-节点，然后，或者用一个运行了 {{< skew latestVersion >}} kubelet 的新节点替换它；
+对于集群中的每个节点，
+[排空](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)
+节点，然后，或者用一个运行了 {{< skew currentVersion >}} kubelet 的新节点替换它；
 或者升级此节点的 kubelet，并使节点恢复服务。
 
 <!-- 
@@ -132,7 +132,7 @@ up steps for maintenance.
 
 ## 升级后的任务 {#post-upgrade-tasks}
 
-### 切换群集的存储 API 版本 {#switch-your-clusters-storage-api-version}
+### 切换集群的存储 API 版本 {#switch-your-clusters-storage-api-version}
 
 <!-- 
 The objects that are serialized into etcd for a cluster's internal
diff --git a/content/zh/docs/tasks/administer-cluster/configure-upgrade-etcd.md b/content/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd.md
similarity index 82%
rename from content/zh/docs/tasks/administer-cluster/configure-upgrade-etcd.md
rename to content/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd.md
index d4554412577b6..eea23e7df1bd3 100644
--- a/content/zh/docs/tasks/administer-cluster/configure-upgrade-etcd.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd.md
@@ -1,18 +1,13 @@
 ---
-reviewers:
-- mml
-- wojtek-t
 title: 为 Kubernetes 运行 etcd 集群
 content_type: task
 ---
 <!--
----
 reviewers:
 - mml
 - wojtek-t
 title: Operating etcd clusters for Kubernetes
 content_type: task
----
 -->
 
 <!-- overview -->
@@ -22,8 +17,6 @@ content_type: task
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
-
-
 <!-- steps -->
 
 <!--
@@ -49,14 +42,14 @@ content_type: task
 
 * The minimum recommended version of etcd to run in production is `3.2.10+`.
 -->
-## 先决条件
+## 先决条件    {#prerequisites}
 
 * 运行的 etcd 集群个数成员为奇数。
 
 * etcd 是一个 leader-based 分布式系统。确保主节点定期向所有从节点发送心跳，以保持集群稳定。
 
 * 确保不发生资源不足。
-  
+
   集群的性能和稳定性对网络和磁盘 I/O 非常敏感。任何资源匮乏都会导致心跳超时，
   从而导致集群的不稳定。不稳定的情况表明没有选出任何主节点。
   在这种情况下，集群不能对其当前状态进行任何更改，这意味着不能调度新的 pod。
@@ -66,7 +59,7 @@ content_type: task
   [所需资源需求](https://etcd.io/docs/current/op-guide/hardware/)。
 
 * 在生产中运行的 etcd 的最低推荐版本是 `3.2.10+`。
-  
+
 <!--
 ## Resource requirements
 
@@ -74,18 +67,18 @@ Operating etcd with limited resources is suitable only for testing purposes.
 For deploying in production, advanced hardware configuration is required.
 Before deploying etcd in production, see
 [resource requirement reference](https://etcd.io/docs/current/op-guide/hardware/#example-hardware-configurations).
-
-## Starting etcd clusters
-
-This section covers starting a single-node and multi-node etcd cluster. 
 -->
-## 资源要求
+## 资源需求    {#resource-requirements}
 
 使用有限的资源运行 etcd 只适合测试目的。为了在生产中部署，需要先进的硬件配置。
-在生产中部署 etcd 之前，请查看
-[所需资源参考文档](https://etcd.io/docs/current/op-guide/hardware/#example-hardware-configurations)。
+在生产中部署 etcd 之前，请查看[所需资源参考文档](https://etcd.io/docs/current/op-guide/hardware/#example-hardware-configurations)。
 
-## 启动 etcd 集群
+<!--
+## Starting etcd clusters
+
+This section covers starting a single-node and multi-node etcd cluster.
+-->
+## 启动 etcd 集群    {#starting-etcd-clusters}
 
 本节介绍如何启动单节点和多节点 etcd 集群。
 
@@ -104,9 +97,9 @@ Use a single-node etcd cluster only for testing purpose.
 2. Start the Kubernetes API server with the flag
    `--etcd-servers=$PRIVATE_IP:2379`.
 
-    Make sure `PRIVATE_IP` is set to your etcd client IP.
+   Make sure `PRIVATE_IP` is set to your etcd client IP.
 -->
-### 单节点 etcd 集群
+### 单节点 etcd 集群    {#single-node-etcd-cluster}
 
 只为测试目的使用单节点 etcd 集群。
 
@@ -123,20 +116,38 @@ Use a single-node etcd cluster only for testing purpose.
 
 <!--
 ### Multi-node etcd cluster
+-->
+### 多节点 etcd 集群    {#multi-node-etcd-cluster}
 
+<!--
 For durability and high availability, run etcd as a multi-node cluster in
 production and back it up periodically. A five-member cluster is recommended
 in production. For more information, see
 [FAQ documentation](https://etcd.io/docs/current/faq/#what-is-failure-tolerance).
+-->
+出于耐用性和高可用性考量，在生产环境中应以多节点集群的方式运行 etcd，并且定期备份。
+建议在生产环境中使用五个成员的集群。
+有关该内容的更多信息，请参阅[常见问题文档](https://etcd.io/docs/current/faq/#what-is-failure-tolerance)。
 
+<!--
 Configure an etcd cluster either by static member information or by dynamic
 discovery. For more information on clustering, see
 [etcd clustering documentation](https://etcd.io/docs/current/op-guide/clustering/).
+-->
+可以通过静态成员信息或动态发现的方式配置 etcd 集群。
+有关集群的详细信息，请参阅
+[etcd 集群文档](https://etcd.io/docs/current/op-guide/clustering/)。
 
+<!--
 For an example, consider a five-member etcd cluster running with the following
 client URLs: `http://$IP1:2379`, `http://$IP2:2379`, `http://$IP3:2379`,
 `http://$IP4:2379`, and `http://$IP5:2379`. To start a Kubernetes API server:
+-->
+例如，考虑运行以下客户端 URL 的五个成员的 etcd 集群：`http://$IP1:2379`、
+`http://$IP2:2379`、`http://$IP3:2379`、`http://$IP4:2379` 和 `http://$IP5:2379`。
+要启动 Kubernetes API 服务器：
 
+<!--
 1. Run the following:
 
    ```shell
@@ -148,28 +159,13 @@ client URLs: `http://$IP1:2379`, `http://$IP2:2379`, `http://$IP3:2379`,
 
    Make sure the `IP<n>` variables are set to your client IP addresses.
 -->
-### 多节点 etcd 集群
-
-为了耐用性和高可用性，在生产中将以多节点集群的方式运行 etcd，并且定期备份。
-建议在生产中使用五个成员的集群。
-有关该内容的更多信息，请参阅
-[常见问题文档](https://etcd.io/docs/current/faq/#what-is-failure-tolerance)。
-
-可以通过静态成员信息或动态发现的方式配置 etcd 集群。
-有关集群的详细信息，请参阅 
-[etcd 集群文档](https://etcd.io/docs/current/op-guide/clustering/)。
-
-例如，考虑运行以下客户端 URL 的五个成员的 etcd 集群：`http://$IP1:2379`，
-`http://$IP2:2379`，`http://$IP3:2379`，`http://$IP4:2379` 和 `http://$IP5:2379`。
-要启动 Kubernetes API 服务器：
-
 1. 运行以下命令：
 
    ```shell
    etcd --listen-client-urls=http://$IP1:2379,http://$IP2:2379,http://$IP3:2379,http://$IP4:2379,http://$IP5:2379 --advertise-client-urls=http://$IP1:2379,http://$IP2:2379,http://$IP3:2379,http://$IP4:2379,http://$IP5:2379
    ```
 
-2. 使用参数 `--etcd-servers=$IP1:2379,$IP2:2379,$IP3:2379,$IP4:2379,$IP5:2379` 
+2. 使用参数 `--etcd-servers=$IP1:2379,$IP2:2379,$IP3:2379,$IP4:2379,$IP5:2379`
    启动 Kubernetes API 服务器。
 
    确保将 `IP<n>` 变量设置为客户端 IP 地址。
@@ -184,7 +180,7 @@ To run a load balancing etcd cluster:
    For example, let the address of the load balancer be `$LB`.
 3. Start Kubernetes API Servers with the flag `--etcd-servers=$LB:2379`.
 -->
-### 使用负载均衡的多节点 etcd 集群
+### 使用负载均衡的多节点 etcd 集群    {#multi-node-etcd-cluster-with-load-balancer}
 
 要运行负载均衡的 etcd 集群：
 
@@ -194,12 +190,19 @@ To run a load balancing etcd cluster:
 
 <!--
 ## Securing etcd clusters
+-->
+## 加固 etcd 集群    {#securing-etcd-clusters}
 
+<!--
 Access to etcd is equivalent to root permission in the cluster so ideally only
 the API server should have access to it. Considering the sensitivity of the
 data, it is recommended to grant permission to only those nodes that require
 access to etcd clusters.
+-->
+对 etcd 的访问相当于集群中的 root 权限，因此理想情况下只有 API 服务器才能访问它。
+考虑到数据的敏感性，建议只向需要访问 etcd 集群的节点授予权限。
 
+<!--
 To secure etcd, either set up firewall rules or use the security features
 provided by etcd. etcd security features depend on x509 Public Key
 Infrastructure (PKI). To begin, establish secure communication channels by
@@ -210,11 +213,6 @@ clients. See the [example scripts](https://github.com/coreos/etcd/tree/master/ha
 provided by the etcd project to generate key pairs and CA files for client
 authentication.
 -->
-## 安全的 etcd 集群
-
-对 etcd 的访问相当于集群中的 root 权限，因此理想情况下只有 API 服务器才能访问它。
-考虑到数据的敏感性，建议只向需要访问 etcd 集群的节点授予权限。
-
 想要确保 etcd 的安全，可以设置防火墙规则或使用 etcd 提供的安全特性，这些安全特性依赖于 x509 公钥基础设施（PKI）。
 首先，通过生成密钥和证书对来建立安全的通信通道。
 例如，使用密钥对 `peer.key` 和 `peer.cert` 来保护 etcd 成员之间的通信，
@@ -224,76 +222,75 @@ authentication.
 
 <!--
 ### Securing communication
+-->
+### 安全通信    {#securing-communication}
 
+<!--
 To configure etcd with secure peer communication, specify flags
 `--peer-key-file=peer.key` and `--peer-cert-file=peer.cert`, and use HTTPS as
 the URL schema.
+-->
+若要使用安全对等通信对 etcd 进行配置，请指定参数 `--peer-key-file=peer.key`
+和 `--peer-cert-file=peer.cert`，并使用 HTTPS 作为 URL 模式。
 
+<!--
 Similarly, to configure etcd with secure client communication, specify flags
 `--key-file=k8sclient.key` and `--cert-file=k8sclient.cert`, and use HTTPS as
 the URL schema. Here is an example on a client command that uses secure
 communication:
-
-```
-ETCDCTL_API=3 etcdctl --endpoints 10.2.0.9:2379 \
-  --cert=/etc/kubernetes/pki/etcd/client.crt \
-  --key=/etc/kubernetes/pki/etcd/client.key \
-  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
-  member list
-```
 -->
-### 安全通信
-
-若要使用安全对等通信对 etcd 进行配置，请指定参数 `--peer-key-file=peer.key` 
-和 `--peer-cert-file=peer.cert`，并使用 HTTPS 作为 URL 模式。
-
-类似地，要使用安全客户端通信对 etcd 进行配置，请指定参数 `--key-file=k8sclient.key` 
+类似地，要使用安全客户端通信对 etcd 进行配置，请指定参数 `--key-file=k8sclient.key`
 和 `--cert-file=k8sclient.cert`，并使用 HTTPS 作为 URL 模式。
 使用安全通信的客户端命令的示例：
 
 ```
 ETCDCTL_API=3 etcdctl --endpoints 10.2.0.9:2379 \
-  --cert=/etc/kubernetes/pki/etcd/client.crt \
-  --key=/etc/kubernetes/pki/etcd/client.key \
+  --cert=/etc/kubernetes/pki/etcd/server.crt \
+  --key=/etc/kubernetes/pki/etcd/server.key \
   --cacert=/etc/kubernetes/pki/etcd/ca.crt \
   member list
 ```
 
 <!--
 ### Limiting access of etcd clusters
+-->
+### 限制 etcd 集群的访问    {#limiting-access-of-etcd-clusters}
 
+<!--
 After configuring secure communication, restrict the access of etcd cluster to
 only the Kubernetes API servers. Use TLS authentication to do so.
+-->
+配置安全通信后，限制只有 Kubernetes API 服务器可以访问 etcd 集群。使用 TLS 身份验证来完成此任务。
 
+<!--
 For example, consider key pairs `k8sclient.key` and `k8sclient.cert` that are
 trusted by the CA `etcd.ca`. When etcd is configured with `--client-cert-auth`
 along with TLS, it verifies the certificates from clients by using system CAs
 or the CA passed in by `--trusted-ca-file` flag. Specifying flags
 `--client-cert-auth=true` and `--trusted-ca-file=etcd.ca` will restrict the
 access to clients with the certificate `k8sclient.cert`.
+-->
+例如，考虑由 CA `etcd.ca` 信任的密钥对 `k8sclient.key` 和 `k8sclient.cert`。
+当 etcd 配置为 `--client-cert-auth` 和 TLS 时，它使用系统 CA 或由 `--trusted-ca-file`
+参数传入的 CA 验证来自客户端的证书。指定参数 `--client-cert-auth=true` 和
+`--trusted-ca-file=etcd.ca` 将限制对具有证书 `k8sclient.cert` 的客户端的访问。
 
+<!--
 Once etcd is configured correctly, only clients with valid certificates can
 access it. To give Kubernetes API servers the access, configure them with the
-flags `--etcd-certfile=k8sclient.cert`,`--etcd-keyfile=k8sclient.key` and
+flags `--etcd-certfile=k8sclient.cert`, `--etcd-keyfile=k8sclient.key` and
 `--etcd-cafile=ca.cert`.
+-->
+一旦正确配置了 etcd，只有具有有效证书的客户端才能访问它。要让 Kubernetes API 服务器访问，
+可以使用参数 `--etcd-certfile=k8sclient.cert`、`--etcd-keyfile=k8sclient.key` 和 `--etcd-cafile=ca.cert` 配置。
 
+<!--
 {{< note >}}
 etcd authentication is not currently supported by Kubernetes. For more
 information, see the related issue
 [Support Basic Auth for Etcd v2](https://github.com/kubernetes/kubernetes/issues/23398).
 {{< /note >}}
 -->
-### 限制 etcd 集群的访问
-
-配置安全通信后，将 etcd 集群的访问限制在 Kubernetes API 服务器上。使用 TLS 身份验证来完成此任务。
-
-例如，考虑由 CA `etcd.ca` 信任的密钥对 `k8sclient.key` 和 `k8sclient.cert`。
-当 etcd 配置为 `--client-cert-auth` 和 TLS 时，它使用系统 CA 或由 `--trusted-ca-file` 参数传入的 CA 验证来自客户端的证书。
-指定参数 `--client-cert-auth=true` 和 `--trusted-ca-file=etcd.ca` 将限制对具有证书 `k8sclient.cert` 的客户端的访问。
-
-一旦正确配置了 etcd，只有具有有效证书的客户端才能访问它。要让 Kubernetes API 服务器访问，
-可以使用参数 `--etcd-certfile=k8sclient.cert`,`--etcd-keyfile=k8sclient.key` 和 `--etcd-cafile=ca.cert` 配置。
-
 {{< note >}}
 Kubernetes 目前不支持 etcd 身份验证。
 想要了解更多信息，请参阅相关的问题
@@ -302,26 +299,44 @@ Kubernetes 目前不支持 etcd 身份验证。
 
 <!--
 ## Replacing a failed etcd member
+-->
+## 替换失败的 etcd 成员    {#replacing-a-failed-etcd-member}
 
+<!--
 etcd cluster achieves high availability by tolerating minor member failures.
 However, to improve the overall health of the cluster, replace failed members
 immediately. When multiple members fail, replace them one by one. Replacing a
 failed member involves two steps: removing the failed member and adding a new
 member.
+-->
+etcd 集群通过容忍少数成员故障实现高可用性。
+但是，要改善集群的整体健康状况，请立即替换失败的成员。当多个成员失败时，逐个替换它们。
+替换失败成员需要两个步骤：删除失败成员和添加新成员。
 
+<!--
 Though etcd keeps unique member IDs internally, it is recommended to use a
 unique name for each member to avoid human errors. For example, consider a
 three-member etcd cluster. Let the URLs be, `member1=http://10.0.0.1`,
 `member2=http://10.0.0.2`, and `member3=http://10.0.0.3`. When `member1` fails,
 replace it with `member4=http://10.0.0.4`.
+-->
+虽然 etcd 在内部保留唯一的成员 ID，但建议为每个成员使用唯一的名称，以避免人为错误。
+例如，考虑一个三成员的 etcd 集群。假定 URL 分别为：`member1=http://10.0.0.1`、`member2=http://10.0.0.2`
+和 `member3=http://10.0.0.3`。当 `member1` 失败时，将其替换为 `member4=http://10.0.0.4`。
 
+<!--
 1. Get the member ID of the failed `member1`:
+-->
+1. 获取失败的 `member1` 的成员 ID：
 
    ```shell
    etcdctl --endpoints=http://10.0.0.2,http://10.0.0.3 member list
    ```
 
+   <!--
    The following message is displayed:
+   -->
+   显示以下信息：
 
    ```console
    8211f1d0f64f3269, started, member1, http://10.0.0.1:2380, http://10.0.0.1:2379
@@ -329,31 +344,46 @@ replace it with `member4=http://10.0.0.4`.
    fd422379fda50e48, started, member3, http://10.0.0.3:2380, http://10.0.0.3:2379
    ```
 
+<!--
 2. Remove the failed member:
+-->
+2. 移除失败的成员
 
    ```shell
    etcdctl member remove 8211f1d0f64f3269
    ```
 
+   <!--
    The following message is displayed:
+   -->
+   显示以下信息：
 
    ```console
    Removed member 8211f1d0f64f3269 from cluster
    ```
 
+<!--
 3. Add the new member:
+-->
+3. 增加新成员：
 
    ```shell
    etcdctl member add member4 --peer-urls=http://10.0.0.4:2380
    ```
 
+   <!--
    The following message is displayed:
+   -->
+   显示以下信息：
 
    ```console
    Member 2be1eb8f84b7f63e added to cluster ef37ad9dc622a7c4
    ```
 
+<!--
 4. Start the newly added member on a machine with the IP `10.0.0.4`:
+-->
+4. 在 IP 为 `10.0.0.4` 的机器上启动新增加的成员：
 
    ```shell
    export ETCD_NAME="member4"
@@ -362,6 +392,7 @@ replace it with `member4=http://10.0.0.4`.
    etcd [flags]
    ```
 
+<!--
 5. Do either of the following:
 
    1. Update the `--etcd-servers` flag for the Kubernetes API servers to make
@@ -369,73 +400,19 @@ replace it with `member4=http://10.0.0.4`.
       Kubernetes API servers.
    2. Update the load balancer configuration if a load balancer is used in the
       deployment.
-
-For more information on cluster reconfiguration, see
-[etcd reconfiguration documentation](https://etcd.io/docs/current/op-guide/runtime-configuration/#remove-a-member).
 -->
-## 替换失败的 etcd 成员
-
-etcd 集群通过容忍少数成员故障实现高可用性。
-但是，要改善集群的整体健康状况，请立即替换失败的成员。当多个成员失败时，逐个替换它们。
-替换失败成员需要两个步骤：删除失败成员和添加新成员。
-
-虽然 etcd 在内部保留唯一的成员 ID，但建议为每个成员使用唯一的名称，以避免人为错误。
-例如，考虑一个三成员的 etcd 集群。让 URL 为：`member1=http://10.0.0.1`， `member2=http://10.0.0.2` 
-和 `member3=http://10.0.0.3`。当 `member1` 失败时，将其替换为 `member4=http://10.0.0.4`。
-
-1. 获取失败的 `member1` 的成员 ID：
-
-   ```shell
-   etcdctl --endpoints=http://10.0.0.2,http://10.0.0.3 member list
-   ```
-
-   显示以下信息：
-
-   ```console
-   8211f1d0f64f3269, started, member1, http://10.0.0.1:2380, http://10.0.0.1:2379
-   91bc3c398fb3c146, started, member2, http://10.0.0.2:2380, http://10.0.0.2:2379
-   fd422379fda50e48, started, member3, http://10.0.0.3:2380, http://10.0.0.3:2379
-   ```
-
-2. 移除失败的成员
-
-   ```shell
-   etcdctl member remove 8211f1d0f64f3269
-   ```
-
-   显示以下信息：
-
-   ```console
-   Removed member 8211f1d0f64f3269 from cluster
-   ```
-
-3. 增加新成员：
-
-   ```shell
-   etcdctl member add member4 --peer-urls=http://10.0.0.4:2380
-   ```
-
-   显示以下信息：
-
-   ```console
-   Member 2be1eb8f84b7f63e added to cluster ef37ad9dc622a7c4
-   ```
+5. 执行以下操作之一：
 
-4. 在 IP 为 `10.0.0.4` 的机器上启动新增加的成员：
-
-   ```shell
-   export ETCD_NAME="member4"
-   export ETCD_INITIAL_CLUSTER="member2=http://10.0.0.2:2380,member3=http://10.0.0.3:2380,member4=http://10.0.0.4:2380"
-   export ETCD_INITIAL_CLUSTER_STATE=existing
-   etcd [flags]
-   ```
-
-5. 做以下事情之一：
-
-   1. 更新 Kubernetes API 服务器的 `--etcd-servers` 参数，使 Kubernetes 知道配置进行了更改，然后重新启动 Kubernetes API 服务器。
+   1. 更新 Kubernetes API 服务器的 `--etcd-servers` 参数，使 Kubernetes
+      知道配置已更改，然后重新启动 Kubernetes API 服务器。
    2. 如果在 deployment 中使用了负载均衡，更新负载均衡配置。
 
-有关集群重新配置的详细信息，请参阅 [etcd 重构文档](https://etcd.io/docs/current/op-guide/runtime-configuration/#remove-a-member)。
+<!--
+For more information on cluster reconfiguration, see
+[etcd reconfiguration documentation](https://etcd.io/docs/current/op-guide/runtime-configuration/#remove-a-member).
+-->
+有关集群重新配置的详细信息，请参阅
+[etcd 重构文档](https://etcd.io/docs/current/op-guide/runtime-configuration/#remove-a-member)。
 
 <!--
 ## Backing up an etcd cluster
@@ -449,7 +426,7 @@ sensitive Kubernetes data safe, encrypt the snapshot files.
 Backing up an etcd cluster can be accomplished in two ways: etcd built-in
 snapshot and volume snapshot.
 -->
-## 备份 etcd 集群
+## 备份 etcd 集群    {#backing-up-an-etcd-cluster}
 
 所有 Kubernetes 对象都存储在 etcd 上。定期备份 etcd 集群数据对于在灾难场景（例如丢失所有控制平面节点）下恢复 Kubernetes 集群非常重要。
 快照文件包含所有 Kubernetes 状态和关键信息。为了保证敏感的 Kubernetes 数据的安全，可以对快照文件进行加密。
@@ -458,47 +435,33 @@ snapshot and volume snapshot.
 
 <!--
 ### Built-in snapshot
+-->
+### 内置快照    {#built-in-snapshot}
 
+<!--
 etcd supports built-in snapshot. A snapshot may either be taken from a live
 member with the `etcdctl snapshot save` command or by copying the
 `member/snap/db` file from an etcd
 [data directory](https://etcd.io/docs/current/op-guide/configuration/#--data-dir)
 that is not currently used by an etcd process. Taking the snapshot will
 not affect the performance of the member.
-
-Below is an example for taking a snapshot of the keyspace served by
-`$ENDPOINT` to the file `snapshotdb`:
-
-```shell
-ETCDCTL_API=3 etcdctl --endpoints $ENDPOINT snapshot save snapshotdb
-```
-
-Verify the snapshot:
-
-```shell
-ETCDCTL_API=3 etcdctl --write-out=table snapshot status snapshotdb
-```
-
-```console
-+----------+----------+------------+------------+
-|   HASH   | REVISION | TOTAL KEYS | TOTAL SIZE |
-+----------+----------+------------+------------+
-| fe01cf57 |       10 |          7 | 2.1 MB     |
-+----------+----------+------------+------------+
-```
 -->
-### 内置快照
-
 etcd 支持内置快照。快照可以从使用 `etcdctl snapshot save` 命令的活动成员中获取，
 也可以通过从 etcd [数据目录](https://etcd.io/docs/current/op-guide/configuration/#--data-dir)
 复制 `member/snap/db` 文件，该 etcd 数据目录目前没有被 etcd 进程使用。获取快照不会影响成员的性能。
 
+<!--
+Below is an example for taking a snapshot of the keyspace served by
+`$ENDPOINT` to the file `snapshotdb`:
+-->
 下面是一个示例，用于获取 `$ENDPOINT` 所提供的键空间的快照到文件 `snapshotdb`：
 
 ```shell
 ETCDCTL_API=3 etcdctl --endpoints $ENDPOINT snapshot save snapshotdb
 ```
-
+<!--
+Verify the snapshot:
+-->
 验证快照:
 
 ```shell
@@ -515,94 +478,120 @@ ETCDCTL_API=3 etcdctl --write-out=table snapshot status snapshotdb
 
 <!--
 ### Volume snapshot
+-->
+### 卷快照    {#volume-snapshot}
 
+<!--
 If etcd is running on a storage volume that supports backup, such as Amazon
 Elastic Block Store, back up etcd data by taking a snapshot of the storage
 volume.
+-->
+如果 etcd 运行在支持备份的存储卷（如 Amazon Elastic Block
+存储）上，则可以通过获取存储卷的快照来备份 etcd 数据。
 
+<!--
 ### Snapshot using etcdctl options
+-->
+### 使用 etcdctl 选项的快照    {#snapshot-using-etcdctl-options}
 
+<!--
 We can also take the snapshot using various options given by etcdctl. For example 
+-->
+我们还可以使用 etcdctl 提供的各种选项来制作快照。例如：
 
 ```shell
 ETCDCTL_API=3 etcdctl -h 
-``` 
+```
 
+<!--
 will list various options available from etcdctl. For example, you can take a snapshot by specifying
 the endpoint, certificates etc as shown below:
+-->
+列出 etcdctl 可用的各种选项。例如，你可以通过指定端点、证书等来制作快照，如下所示：
 
 ```shell
 ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
   --cacert=<trusted-ca-file> --cert=<cert-file> --key=<key-file> \
   snapshot save <backup-file-location>
 ```
+
+<!--
 where `trusted-ca-file`, `cert-file` and `key-file` can be obtained from the description of the etcd Pod.
+-->
+可以从 etcd Pod 的描述中获得 `trusted-ca-file`、`cert-file` 和 `key-file`。
 
+<!--
 ## Scaling up etcd clusters
+-->
+## 为 etcd 集群扩容    {#scaling-up-etcd-clusters}
 
+<!--
 Scaling up etcd clusters increases availability by trading off performance.
 Scaling does not increase cluster performance nor capability. A general rule
 is not to scale up or down etcd clusters. Do not configure any auto scaling
 groups for etcd clusters. It is highly recommended to always run a static
 five-member etcd cluster for production Kubernetes clusters at any officially
 supported scale.
+-->
+通过交换性能，对 etcd 集群扩容可以提高可用性。缩放不会提高集群性能和能力。
+一般情况下不要扩大或缩小 etcd 集群的集合。不要为 etcd 集群配置任何自动缩放组。
+强烈建议始终在任何官方支持的规模上运行生产 Kubernetes 集群时使用静态的五成员 etcd 集群。
 
+<!--
 A reasonable scaling is to upgrade a three-member cluster to a five-member
 one, when more reliability is desired. See
 [etcd reconfiguration documentation](https://etcd.io/docs/current/op-guide/runtime-configuration/#remove-a-member)
 for information on how to add members into an existing cluster.
 -->
-### 卷快照
-
-如果 etcd 运行在支持备份的存储卷（如 Amazon Elastic Block 存储）上，则可以通过获取存储卷的快照来备份 etcd 数据。
-
-### 使用 etcdctl 选项的快照
-
-我们还可以使用 etcdctl 提供的各种选项来拍摄快照。例如：
-
-```shell
-ETCDCTL_API=3 etcdctl -h 
-``` 
-
-列出 etcdctl 可用的各种选项。例如，你可以通过指定端点，证书等来拍摄快照，如下所示：
-
-```shell
-ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
-  --cacert=<trusted-ca-file> --cert=<cert-file> --key=<key-file> \
-  snapshot save <backup-file-location>
-```
-可以从 etcd Pod 的描述中获得 `trusted-ca-file`, `cert-file` 和 `key-file` 。
-
-## 扩展 etcd 集群
-
-通过交换性能，扩展 etcd 集群可以提高可用性。缩放不会提高集群性能和能力。
-一般情况下不要扩大或缩小 etcd 集群的集合。不要为 etcd 集群配置任何自动缩放组。
-强烈建议始终在任何官方支持的规模上运行生产 Kubernetes 集群时使用静态的五成员 etcd 集群。
-
 合理的扩展是在需要更高可靠性的情况下，将三成员集群升级为五成员集群。
 请参阅 [etcd 重新配置文档](https://etcd.io/docs/current/op-guide/runtime-configuration/#remove-a-member)
 以了解如何将成员添加到现有集群中的信息。
 
 <!--
 ## Restoring an etcd cluster
+-->
+## 恢复 etcd 集群    {#restoring-an-etcd-cluster}
 
+<!--
 etcd supports restoring from snapshots that are taken from an etcd process of
 the [major.minor](http://semver.org/) version. Restoring a version from a
 different patch version of etcd also is supported. A restore operation is
 employed to recover the data of a failed cluster.
+-->
+etcd 支持从 [major.minor](http://semver.org/) 或其他不同 patch 版本的 etcd 进程中获取的快照进行恢复。
+还原操作用于恢复失败的集群的数据。
 
+<!--
 Before starting the restore operation, a snapshot file must be present. It can
 either be a snapshot file from a previous backup operation, or from a remaining
-[data directory]( https://etcd.io/docs/current/op-guide/configuration/#--data-dir).
+[data directory](https://etcd.io/docs/current/op-guide/configuration/#--data-dir).
 Here is an example:
+-->
+在启动还原操作之前，必须有一个快照文件。它可以是来自以前备份操作的快照文件，
+也可以是来自剩余[数据目录](https://etcd.io/docs/current/op-guide/configuration/#--data-dir)的快照文件。
+例如：
 
 ```shell
 ETCDCTL_API=3 etcdctl --endpoints 10.2.0.9:2379 snapshot restore snapshotdb
 ```
 
+<!--
+Another example for restoring using etcdctl options:
+-->
+恢复时也可以指定操作选项，例如：
+
+```shell
+ETCDCTL_API=3 etcdctl --data-dir <data-dir-location> snapshot restore snapshotdb
+```
+
+<!--
 For more information and examples on restoring a cluster from a snapshot file, see
 [etcd disaster recovery documentation](https://etcd.io/docs/current/op-guide/recovery/#restoring-a-cluster).
+-->
+有关从快照文件还原集群的详细信息和示例，请参阅
+[etcd 灾难恢复文档](https://etcd.io/docs/current/op-guide/recovery/#restoring-a-cluster)。
 
+<!--
 If the access URLs of the restored cluster is changed from the previous
 cluster, the Kubernetes API server must be reconfigured accordingly. In this
 case, restart Kubernetes API servers with the flag
@@ -611,13 +600,22 @@ case, restart Kubernetes API servers with the flag
 `$OLD_ETCD_CLUSTER` with the respective IP addresses. If a load balancer is
 used in front of an etcd cluster, you might need to update the load balancer
 instead.
+-->
+如果还原的集群的访问 URL 与前一个集群不同，则必须相应地重新配置 Kubernetes API 服务器。
+在本例中，使用参数 `--etcd-servers=$NEW_ETCD_CLUSTER` 而不是参数 `--etcd-servers=$OLD_ETCD_CLUSTER` 重新启动 Kubernetes API 服务器。
+用相应的 IP 地址替换 `$NEW_ETCD_CLUSTER` 和 `$OLD_ETCD_CLUSTER`。如果在 etcd 集群前面使用负载平衡，则可能需要更新负载均衡器。
 
+<!--
 If the majority of etcd members have permanently failed, the etcd cluster is
 considered failed. In this scenario, Kubernetes cannot make any changes to its
 current state. Although the scheduled pods might continue to run, no new pods
 can be scheduled. In such cases, recover the etcd cluster and potentially
 reconfigure Kubernetes API servers to fix the issue.
+-->
+如果大多数 etcd 成员永久失败，则认为 etcd 集群失败。在这种情况下，Kubernetes 不能对其当前状态进行任何更改。
+虽然已调度的 pod 可能继续运行，但新的 pod 无法调度。在这种情况下，恢复 etcd 集群并可能需要重新配置 Kubernetes API 服务器以修复问题。
 
+<!--
 {{< note >}}
 If any API servers are running in your cluster, you should not attempt to
 restore instances of etcd. Instead, follow these steps to restore etcd:
@@ -632,39 +630,10 @@ stale data. Note that in practice, the restore takes a bit of time.  During the
 restoration, critical components will lose leader lock and restart themselves.
 {{< /note >}}
 -->
-## 恢复 etcd 集群
-
-etcd 支持从 [major.minor](http://semver.org/) 或其他不同 patch 版本的 etcd 进程中获取的快照进行恢复。
-还原操作用于恢复失败的集群的数据。
-
-在启动还原操作之前，必须有一个快照文件。它可以是来自以前备份操作的快照文件，
-也可以是来自剩余[数据目录]( https://etcd.io/docs/current/op-guide/configuration/#--data-dir)的快照文件。
-例如：
-
-```shell
-ETCDCTL_API=3 etcdctl --endpoints 10.2.0.9:2379 snapshot restore snapshotdb
-```
-
-恢复时也可以指定操作选项，例如：
-
-```
-ETCDCTL_API=3 etcdctl --data-dir <data-dir-location> snapshot restore snapshotdb
-```
-
-有关从快照文件还原集群的详细信息和示例，请参阅 
-[etcd 灾难恢复文档](https://etcd.io/docs/current/op-guide/recovery/#restoring-a-cluster)。
-
-如果还原的集群的访问 URL 与前一个集群不同，则必须相应地重新配置 Kubernetes API 服务器。
-在本例中，使用参数 `--etcd-servers=$NEW_ETCD_CLUSTER` 而不是参数 `--etcd-servers=$OLD_ETCD_CLUSTER` 重新启动 Kubernetes API 服务器。
-用相应的 IP 地址替换 `$NEW_ETCD_CLUSTER` 和 `$OLD_ETCD_CLUSTER`。如果在 etcd 集群前面使用负载平衡，则可能需要更新负载均衡器。
-
-如果大多数 etcd 成员永久失败，则认为 etcd 集群失败。在这种情况下，Kubernetes 不能对其当前状态进行任何更改。
-虽然已调度的 pod 可能继续运行，但新的 pod 无法调度。在这种情况下，恢复 etcd 集群并可能需要重新配置 Kubernetes API 服务器以修复问题。
-
 {{< note >}}
 如果集群中正在运行任何 API 服务器，则不应尝试还原 etcd 的实例。相反，请按照以下步骤还原 etcd：
 
-- 停止 *所有* API 服务实例
+- 停止**所有** API 服务实例
 - 在所有 etcd 实例中恢复状态
 - 重启所有 API 服务实例
 
@@ -674,17 +643,20 @@ ETCDCTL_API=3 etcdctl --data-dir <data-dir-location> snapshot restore snapshotdb
 {{< /note >}}
 
 <!--
-
 ## Upgrading etcd clusters
+-->
+## 升级 etcd 集群    {#upgrading-etcd-clusters}
 
+<!--
 For more details on etcd upgrade, please refer to the [etcd upgrades](https://etcd.io/docs/latest/upgrades/) documentation.
+-->
+有关 etcd 升级的更多详细信息，请参阅 [etcd 升级](https://etcd.io/docs/latest/upgrades/)文档。
 
+<!--
 {{< note >}}
 Before you start an upgrade, please back up your etcd cluster first.
 {{< /note >}}
 -->
-## 升级 etcd 集群
-有关 etcd 升级的更多详细信息，请参阅 [etcd 升级](https://etcd.io/docs/latest/upgrades/)文档。
 {{< note >}}
 在开始升级之前，请先备份你的 etcd 集群。
 {{< /note >}}
diff --git a/content/zh/docs/tasks/administer-cluster/controller-manager-leader-migration.md b/content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md
similarity index 81%
rename from content/zh/docs/tasks/administer-cluster/controller-manager-leader-migration.md
rename to content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md
index 71b43494b22f1..f4e54653b14e7 100644
--- a/content/zh/docs/tasks/administer-cluster/controller-manager-leader-migration.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration.md
@@ -15,7 +15,7 @@ content_type: task
 
 <!-- overview -->
 
-{{< feature-state state="beta" for_k8s_version="v1.22" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable"  >}}
 
 {{< glossary_definition term_id="cloud-controller-manager" length="all">}}
 
@@ -48,8 +48,8 @@ Leader Migration can be enabled by setting `--enable-leader-migration` on `kube-
 Leader Migration only applies during the upgrade and can be safely disabled or left enabled after the upgrade is complete.
 
 This guide walks you through the manual process of upgrading the control plane from `kube-controller-manager` with 
-built-in cloud provider to running both `kube-controller-manager` and `cloud-controller-manager`. 
-If you use a tool to administrator the cluster, please refer to the documentation of the tool and the cloud provider for more details.
+built-in cloud provider to running both `kube-controller-manager` and `cloud-controller-manager`.
+If you use a tool to deploy and manage the cluster, please refer to the documentation of the tool and the cloud provider for specific instructions of the migration.
 -->
 领导者迁移可以通过在 `kube-controller-manager` 或 `cloud-controller-manager` 上设置
 `--enable-leader-migration` 来启用。
@@ -57,32 +57,32 @@ If you use a tool to administrator the cluster, please refer to the documentatio
 
 本指南将引导你手动将控制平面从内置的云驱动的 `kube-controller-manager` 升级为
 同时运行 `kube-controller-manager` 和 `cloud-controller-manager`。
-如果使用某种工具来管理群集，请参阅对应工具和云驱动的文档以获取更多详细信息。
+如果使用某种工具来部署和管理集群，请参阅对应工具和云驱动的文档以获取迁移的具体说明。
 
 ## {{% heading "prerequisites" %}}
 
 <!--
-It is assumed that the control plane is running Kubernetes version N and to be upgraded to version N + 1. 
-Although it is possible to migrate within the same version, ideally the migration should be performed as part of a upgrade so that changes of configuration can be aligned to each release. 
-The exact versions of N and N + 1 depend on each cloud provider. For example, if a cloud provider builds a `cloud-controller-manager` to work with Kubernetes 1.22, then N can be 1.21 and N + 1 can be 1.22.
+It is assumed that the control plane is running Kubernetes version N and to be upgraded to version N + 1.
+Although it is possible to migrate within the same version, ideally the migration should be performed as part of an upgrade so that changes of configuration can be aligned to each release.
+The exact versions of N and N + 1 depend on each cloud provider. For example, if a cloud provider builds a `cloud-controller-manager` to work with Kubernetes 1.24, then N can be 1.23 and N + 1 can be 1.24.
 
-The control plane nodes should run `kube-controller-manager` with Leader Election enabled through `--leader-elect=true`. 
-As of version N, an in-tree cloud privider must be set with `--cloud-provider` flag and `cloud-controller-manager` should not yet be deployed.
+The control plane nodes should run `kube-controller-manager` with Leader Election enabled, which is the default.
+As of version N, an in-tree cloud provider must be set with `--cloud-provider` flag and `cloud-controller-manager` should not yet be deployed.
 -->
 假定控制平面正在运行 Kubernetes 版本 N，要升级到版本 N+1。
 尽管可以在同一版本内进行迁移，但理想情况下，迁移应作为升级的一部分执行，
 以便可以配置的变更可以与发布版本变化对应起来。
-N 和 N+1 的确切版本值取决于各个云厂商。例如，如果云厂商构建了一个可与 Kubernetes 1.22
-配合使用的 `cloud-controller-manager`，则 N 可以为 1.21，N+1 可以为 1.22。
+N 和 N+1 的确切版本值取决于各个云厂商。例如，如果云厂商构建了一个可与 Kubernetes 1.24
+配合使用的 `cloud-controller-manager`，则 N 可以为 1.23，N+1 可以为 1.24。
 
-控制平面节点应运行 `kube-controller-manager`，并通过 `--leader-elect=true` 启用领导者选举。
+控制平面节点应运行 `kube-controller-manager` 并启用领导者选举，这也是默认设置。
 在版本 N 中，树内云驱动必须设置 `--cloud-provider` 标志，而且 `cloud-controller-manager`
 应该尚未部署。
 
 <!--
-The out-of-tree cloud provider must have built a `cloud-controller-manager` with Leader Migration implementation. 
+The out-of-tree cloud provider must have built a `cloud-controller-manager` with Leader Migration implementation.
 If the cloud provider imports `k8s.io/cloud-provider` and `k8s.io/controller-manager` of version v0.21.0 or later, Leader Migration will be available.
-However, for version before v0.22.0, Leader Migration is alpha and requires feature gate `ControllerManagerLeaderMigration` to be enabled.
+However, for version before v0.22.0, Leader Migration is alpha and requires feature gate `ControllerManagerLeaderMigration` to be enabled in `cloud-controller-manager`.
 
 This guide assumes that kubelet of each control plane node starts `kube-controller-manager` 
 and `cloud-controller-manager` as static pods defined by their manifests. 
@@ -95,8 +95,8 @@ please grant the needed access in a way that matches the mode.
 树外云驱动必须已经构建了一个实现了领导者迁移的 `cloud-controller-manager`。
 如果云驱动导入了 v0.21.0 或更高版本的 `k8s.io/cloud-provider` 和 `k8s.io/controller-manager`，
 则可以进行领导者迁移。
-但是，对 v0.22.0 以下的版本，领导者迁移是一项 Alpha 阶段功能，需要启用特性门控
-`ControllerManagerLeaderMigration`。
+但是，对 v0.22.0 以下的版本，领导者迁移是一项 Alpha 阶段功能，需要在 `cloud-controller-manager`
+中启用特性门控 `ControllerManagerLeaderMigration`。
 
 本指南假定每个控制平面节点的 kubelet 以静态 Pod 的形式启动 `kube-controller-manager`
 和 `cloud-controller-manager`，静态 Pod 的定义在清单文件中。
@@ -156,9 +156,8 @@ Leader Migration can be enabled without a configuration. Please see [Default Con
 
 ```yaml
 kind: LeaderMigrationConfiguration
-apiVersion: controllermanager.config.k8s.io/v1beta1
+apiVersion: controllermanager.config.k8s.io/v1
 leaderName: cloud-provider-extraction-migration
-resourceLock: leases
 controllerLeaders:
   - name: route
     component: kube-controller-manager
@@ -168,6 +167,27 @@ controllerLeaders:
     component: kube-controller-manager
 ```
 
+<!--
+Alternatively, because the controllers can run under either controller managers, setting `component` to `*`
+for both sides makes the configuration file consistent between both parties of the migration.
+-->
+或者，由于控制器可以在任一控制器管理器下运行，因此将双方的 `component` 设置为 `*`
+可以使迁移双方的配置文件保持一致。
+
+```yaml
+# 通配符版本
+kind: LeaderMigrationConfiguration
+apiVersion: controllermanager.config.k8s.io/v1
+leaderName: cloud-provider-extraction-migration
+controllerLeaders:
+  - name: route
+    component: *
+  - name: service
+    component: *
+  - name: cloud-node-lifecycle
+    component: *
+```
+
 <!--
 On each control plane node, save the content to `/etc/leadermigration.conf`, 
 and update the manifest of `kube-controller-manager` so that the file is mounted inside the container at the same location. 
@@ -191,20 +211,21 @@ Restart `kube-controller-manager` on each node. At this moment, `kube-controller
 <!--
 ### Deploy Cloud Controller Manager
 
-In version N + 1, the desired state of controller-to-manager assignment can be represented by a new configuration file, shown as follows. 
+In version N + 1, the desired state of controller-to-manager assignment can be represented by a new configuration file, shown as follows.
 Please note `component` field of each `controllerLeaders` changing from `kube-controller-manager` to `cloud-controller-manager`.
+Alternatively, use the wildcard version mentioned above, which has the same effect.
 -->
 ### 部署云控制器管理器
 
 在版本 N+1 中，如何将控制器分配给不同管理器的预期分配状态可以由新的配置文件表示，
 如下所示。请注意，各个 `controllerLeaders` 的 `component` 字段从 `kube-controller-manager`
 更改为 `cloud-controller-manager`。
+或者，使用上面提到的通配符版本，它具有相同的效果。
 
 ```yaml
 kind: LeaderMigrationConfiguration
-apiVersion: controllermanager.config.k8s.io/v1beta1
+apiVersion: controllermanager.config.k8s.io/v1
 leaderName: cloud-provider-extraction-migration
-resourceLock: leases
 controllerLeaders:
   - name: route
     component: cloud-controller-manager
@@ -215,15 +236,15 @@ controllerLeaders:
 ```
 
 <!--
-When creating control plane nodes of version N + 1, the content should be deploy to `/etc/leadermigration.conf`. 
-The manifest of `cloud-controller-manager` should be updated to mount the configuration file in 
-the same manner as `kube-controller-manager` of version N. Similarly, add `--feature-gates=ControllerManagerLeaderMigration=true`,
-`--enable-leader-migration`, and `--leader-migration-config=/etc/leadermigration.conf` to the arguments of `cloud-controller-manager`.
+When creating control plane nodes of version N + 1, the content should be deployed to `/etc/leadermigration.conf`.
+The manifest of `cloud-controller-manager` should be updated to mount the configuration file in
+the same manner as `kube-controller-manager` of version N. Similarly, add `--enable-leader-migration`
+and `--leader-migration-config=/etc/leadermigration.conf` to the arguments of `cloud-controller-manager`.
 
-Create a new control plane node of version N + 1 with the updated `cloud-controller-manager` manifest, 
-and with the `--cloud-provider` flag unset for `kube-controller-manager`.
-`kube-controller-manager` of version N + 1 MUST NOT have Leader Migration enabled because, 
-with an external cloud provider, it does not run the migrated controllers anymore and thus it is not involved in the migration.
+Create a new control plane node of version N + 1 with the updated `cloud-controller-manager` manifest,
+and with the `--cloud-provider` flag set to `external` for `kube-controller-manager`.
+`kube-controller-manager` of version N + 1 MUST NOT have Leader Migration enabled because,
+with an external cloud provider, it does not run the migrated controllers anymore, and thus it is not involved in the migration.
 
 Please refer to [Cloud Controller Manager Administration](/docs/tasks/administer-cluster/running-cloud-controller/)
 for more detail on how to deploy `cloud-controller-manager`.
@@ -231,16 +252,16 @@ for more detail on how to deploy `cloud-controller-manager`.
 当创建版本 N+1 的控制平面节点时，应将如上内容写入到 `/etc/leadermigration.conf`。
 你需要更新 `cloud-controller-manager` 的清单，以与版本 N 的 `kube-controller-manager`
 相同的方式挂载配置文件。
-类似地，添加 `--feature-gates=ControllerManagerLeaderMigration=true`、`--enable-leader-migration` 
+类似地，添加 `--enable-leader-migration`
 和 `--leader-migration-config=/etc/leadermigration.conf` 到 `cloud-controller-manager`
 的参数中。
 
 使用已更新的 `cloud-controller-manager` 清单创建一个新的 N+1 版本的控制平面节点，
-同时确保没有设置 `kube-controller-manager` 的 `--cloud-provider` 标志。
+同时设置 `kube-controller-manager` 的 `--cloud-provider` 标志为 `external`。
 版本为 N+1 的 `kube-controller-manager` 不能启用领导者迁移，
 因为在使用外部云驱动的情况下，它不再运行已迁移的控制器，因此不参与迁移。
 
-请参阅[云控制器管理器管理](/zh/docs/tasks/administer-cluster/running-cloud-controller/) 
+请参阅[云控制器管理器管理](/zh-cn/docs/tasks/administer-cluster/running-cloud-controller/) 
 了解有关如何部署 `cloud-controller-manager` 的更多细节。
 
 <!--
@@ -311,9 +332,38 @@ For `kube-controller-manager` and `cloud-controller-manager`, if there are no fl
 对于 `kube-controller-manager` 和 `cloud-controller-manager`，如果没有用参数来启用树内云驱动或者改变控制器属主，
 则可以使用默认配置来避免手动创建配置文件。
 
+<!--
+### Special case: migrating the Node IPAM controller {#node-ipam-controller-migration}
+
+If your cloud provider provides an implementation of Node IPAM controller, you should switch to the implementation in `cloud-controller-manager`.
+Disable Node IPAM controller in `kube-controller-manager` of version N + 1 by adding `--controllers=*,-nodeipam` to its flags.
+Then add `nodeipam` to the list of migrated controllers.
+-->
+### 特殊情况：迁移节点 IPAM 控制器 {#node-ipam-controller-migration}
+
+如果你的云供应商提供了节点 IPAM 控制器的实现，你应该切换到 `cloud-controller-manager` 中的实现。
+通过在其标志中添加 `--controllers=*,-nodeipam` 来禁用 N+1 版本的 `kube-controller-manager` 中的节点 IPAM 控制器。
+然后将 `nodeipam` 添加到迁移的控制器列表中。
+
+```yaml
+# 通配符版本，带有 nodeipam
+kind: LeaderMigrationConfiguration
+apiVersion: controllermanager.config.k8s.io/v1
+leaderName: cloud-provider-extraction-migration
+controllerLeaders:
+  - name: route
+    component: *
+  - name: service
+    component: *
+  - name: cloud-node-lifecycle
+    component: *
+  - name: nodeipam
+-   component: *
+```
+
 ## {{% heading "whatsnext" %}}
 <!--
-- Read the [Controller Manager Leader Migration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cloud-provider/2436-controller-manager-leader-migration) enhancement proposal
+- Read the [Controller Manager Leader Migration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cloud-provider/2436-controller-manager-leader-migration) enhancement proposal.
 -->
 - 阅读[领导者迁移控制器管理器](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cloud-provider/2436-controller-manager-leader-migration)
   改进建议提案。
diff --git a/content/zh/docs/tasks/administer-cluster/coredns.md b/content/zh-cn/docs/tasks/administer-cluster/coredns.md
similarity index 100%
rename from content/zh/docs/tasks/administer-cluster/coredns.md
rename to content/zh-cn/docs/tasks/administer-cluster/coredns.md
diff --git a/content/zh/docs/tasks/administer-cluster/cpu-management-policies.md b/content/zh-cn/docs/tasks/administer-cluster/cpu-management-policies.md
similarity index 60%
rename from content/zh/docs/tasks/administer-cluster/cpu-management-policies.md
rename to content/zh-cn/docs/tasks/administer-cluster/cpu-management-policies.md
index 3d684ec5f5615..602d9000acf6f 100644
--- a/content/zh/docs/tasks/administer-cluster/cpu-management-policies.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/cpu-management-policies.md
@@ -23,7 +23,7 @@ acceptably. The kubelet provides methods to enable more complex workload
 placement policies while keeping the abstraction free from explicit placement
 directives.
 -->
-按照设计，Kubernetes 对 pod 执行相关的很多方面进行了抽象，使得用户不必关心。
+按照设计，Kubernetes 对 Pod 执行相关的很多方面进行了抽象，使得用户不必关心。
 然而，为了正常运行，有些工作负载要求在延迟和/或性能方面有更强的保证。
 为此，kubelet 提供方法来实现更复杂的负载放置策略，同时保持抽象，避免显式的放置指令。
 
@@ -62,12 +62,16 @@ management policies to determine some placement preferences on the node.
 <!--
 ### Configuration
 
-The CPU Manager policy is set with the `-cpu-manager-policy` kubelet
-option. There are two supported policies:
+The CPU Manager policy is set with the `--cpu-manager-policy` kubelet
+flag or the `cpuManagerPolicy` field in [KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/).
+There are two supported policies:
 -->
 ### 配置
 
-CPU 管理策略通过 kubelet 参数 `--cpu-manager-policy` 来指定。支持两种策略：
+CPU 管理策略通过 kubelet 参数 `--cpu-manager-policy`
+或 [KubeletConfiguration](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
+中的 `cpuManagerPolicy` 字段来指定。
+支持两种策略：
 
 <!--
 * `none`: the default, which represents the existing scheduling behavior.
@@ -75,7 +79,7 @@ CPU 管理策略通过 kubelet 参数 `--cpu-manager-policy` 来指定。支持
   granted increased CPU affinity and exclusivity on the node.
 -->
 * `none`: 默认策略，表示现有的调度行为。
-* `static`: 允许为节点上具有某些资源特征的 pod 赋予增强的 CPU 亲和性和独占性。
+* `static`: 允许为节点上具有某些资源特征的 Pod 赋予增强的 CPU 亲和性和独占性。
 
 <!--
 The CPU manager periodically writes resource updates through the CRI in
@@ -91,9 +95,66 @@ CPU 管理器定期通过 CRI 写入资源更新，以保证内存中 CPU 分配
 <!--
 The behavior of the static policy can be fine-tuned using the `--cpu-manager-policy-options` flag.
 The flag takes a comma-separated list of `key=value` policy options.
+This feature can be disabled completely using the `CPUManagerPolicyOptions` feature gate.
 -->
 Static 策略的行为可以使用 `--cpu-manager-policy-options` 参数来微调。
 该参数采用一个逗号分隔的 `key=value` 策略选项列表。
+此特性可以通过 `CPUManagerPolicyOptions` 特性门控来完全禁用。
+
+<!--
+The policy options are split into two groups: alpha quality (hidden by default) and beta quality
+(visible by default). The groups are guarded respectively by the `CPUManagerPolicyAlphaOptions`
+and `CPUManagerPolicyBetaOptions` feature gates. Diverging from the Kubernetes standard, these
+feature gates guard groups of options, because it would have been too cumbersome to add a feature
+gate for each individual option.
+-->
+策略选项分为两组：alpha 质量（默认隐藏）和 beta 质量（默认可见）。
+这些组分别由 `CPUManagerPolicyAlphaOptions` 和 `CPUManagerPolicyBetaOptions` 特性门控来管控。
+不同于 Kubernetes 标准，这里是由这些特性门控来管控选项组，因为为每个单独选项都添加一个特性门控过于繁琐。
+
+<!--
+### Changing the CPU Manager Policy
+
+Since the CPU manger policy can only be applied when kubelet spawns new pods, simply changing from
+"none" to "static" won't apply to existing pods. So in order to properly change the CPU manager
+policy on a node, perform the following steps:
+-->
+### 更改 CPU 管理器策略
+
+由于 CPU 管理器策略只能在 kubelet 生成新 Pod 时应用，所以简单地从 "none" 更改为 "static"
+将不会对现有的 Pod 起作用。
+因此，为了正确更改节点上的 CPU 管理器策略，请执行以下步骤：
+
+<!--
+1. [Drain](/docs/tasks/administer-cluster/safely-drain-node) the node.
+2. Stop kubelet.
+3. Remove the old CPU manager state file. The path to this file is
+`/var/lib/kubelet/cpu_manager_state` by default. This clears the state maintained by the
+CPUManager so that the cpu-sets set up by the new policy won’t conflict with it.
+4. Edit the kubelet configuration to change the CPU manager policy to the desired value.
+5. Start kubelet.
+-->
+1. [腾空](/zh-cn/docs/tasks/administer-cluster/safely-drain-node)节点。
+2. 停止 kubelet。
+3. 删除旧的 CPU 管理器状态文件。该文件的路径默认为 `/var/lib/kubelet/cpu_manager_state`。
+   这将清除 CPUManager 维护的状态，以便新策略设置的 cpu-sets 不会与之冲突。
+4. 编辑 kubelet 配置以将 CPU 管理器策略更改为所需的值。
+5. 启动 kubelet。
+
+<!--
+Repeat this process for every node that needs its CPU manager policy changed. Skipping this
+process will result in kubelet crashlooping with the following error:
+
+```
+could not restore state from checkpoint: configured policy "static" differs from state checkpoint policy "none", please drain this node and delete the CPU manager checkpoint file "/var/lib/kubelet/cpu_manager_state" before restarting Kubelet
+```
+-->
+对需要更改其 CPU 管理器策略的每个节点重复此过程。
+跳过此过程将导致 kubelet crashlooping 并出现以下错误：
+
+```
+could not restore state from checkpoint: configured policy "static" differs from state checkpoint policy "none", please drain this node and delete the CPU manager checkpoint file "/var/lib/kubelet/cpu_manager_state" before restarting Kubelet
+```
 
 <!--
 ### None policy
@@ -108,8 +169,8 @@ are enforced using CFS quota.
 ### none 策略
 
 `none` 策略显式地启用现有的默认 CPU 亲和方案，不提供操作系统调度器默认行为之外的亲和性策略。
-通过 CFS 配额来实现 [Guaranteed pods](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
-和 [Burstable pods](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+通过 CFS 配额来实现 [Guaranteed Pods](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
+和 [Burstable Pods](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 的 CPU 使用限制。
 
 <!--
@@ -159,11 +220,16 @@ CPU `requests` also run on CPUs in the shared pool. Only containers that are
 both part of a `Guaranteed` pod and have integer CPU `requests` are assigned
 exclusive CPUs.
 --->
-该策略管理一个共享 CPU 资源池，最初，该资源池包含节点上所有的 CPU 资源。可用
-的独占性 CPU 资源数量等于节点的 CPU 总量减去通过 `--kube-reserved` 或 `--system-reserved` 参数保留的 CPU 。从1.17版本开始，CPU保留列表可以通过 kublet 的 '--reserved-cpus' 参数显式地设置。
-通过 '--reserved-cpus' 指定的显式CPU列表优先于使用 '--kube-reserved' 和 '--system-reserved' 参数指定的保留CPU。 通过这些参数预留的 CPU 是以整数方式，按物理内
-核 ID 升序从初始共享池获取的。 共享池是 `BestEffort` 和 `Burstable` pod 运行
-的 CPU 集合。`Guaranteed` pod 中的容器，如果声明了非整数值的 CPU `requests` ，也将运行在共享池的 CPU 上。只有 `Guaranteed` pod 中，指定了整数型 CPU `requests` 的容器，才会被分配独占 CPU 资源。
+此策略管理一个 CPU 共享池，该共享池最初包含节点上所有的 CPU 资源。
+可独占性 CPU 资源数量等于节点的 CPU 总量减去通过 kubelet `--kube-reserved` 或 `--system-reserved`
+参数保留的 CPU 资源。
+从 1.17 版本开始，可以通过 kubelet `--reserved-cpus` 参数显式地指定 CPU 预留列表。
+由 `--reserved-cpus` 指定的显式 CPU 列表优先于由 `--kube-reserved` 和 `--system-reserved`
+指定的 CPU 预留。
+通过这些参数预留的 CPU 是以整数方式，按物理核心 ID 升序从初始共享池获取的。
+共享池是 `BestEffort` 和 `Burstable` Pod 运行的 CPU 集合。
+`Guaranteed` Pod 中的容器，如果声明了非整数值的 CPU `requests`，也将运行在共享池的 CPU 上。
+只有 `Guaranteed` Pod 中，指定了整数型 CPU `requests` 的容器，才会被分配独占 CPU 资源。
 
 <!--
 The kubelet requires a CPU reservation greater than zero be made
@@ -249,7 +315,7 @@ spec:
 This pod runs in the `Burstable` QoS class because resource `requests` do not
 equal `limits`. It runs in the shared pool.
 -->
-该 pod 属于 `Burstable` QoS 类型，因为其资源 `requests` 不等于 `limits`。
+该 Pod 属于 `Burstable` QoS 类型，因为其资源 `requests` 不等于 `limits`。
 所以该容器运行在共享 CPU 池中。
 
 ```yaml
@@ -322,19 +388,35 @@ equal to one. The `nginx` container is granted 2 exclusive CPUs.
 <!--
 #### Static policy options
 
-If the `full-pcpus-only` policy option is specified, the static policy will always allocate full physical cores.
-You can enable this option by adding `full-pcups-only=true` to the CPUManager policy options.
+You can toggle groups of options on and off based upon their maturity level
+using the following feature gates:
+* `CPUManagerPolicyBetaOptions` default enabled. Disable to hide beta-level options.
+* `CPUManagerPolicyAlphaOptions` default disabled. Enable to show alpha-level options.
+You will still have to enable each option using the `CPUManagerPolicyOptions` kubelet option.
+
+The following policy options exist for the static `CPUManager` policy:
+* `full-pcpus-only` (beta, visible by default)
+* `distribute-cpus-across-numa` (alpha, hidden by default)
 -->
 #### Static 策略选项
 
-如果使用 `full-pcpus-only` 策略选项，static 策略总是会分配完整的物理核心。
-你可以通过在 CPUManager 策略选项里加上 `full-pcups-only=true` 来启用该选项。
+你可以使用以下特性门控根据成熟度级别打开或关闭选项组：
+* `CPUManagerPolicyBetaOptions` 默认启用。禁用以隐藏 beta 级选项。
+* `CPUManagerPolicyAlphaOptions` 默认禁用。启用以显示 alpha 级选项。
+你仍然必须使用 `CPUManagerPolicyOptions` kubelet 选项启用每个选项。
+
+静态 `CPUManager` 策略存在以下策略选项：
+* `full-pcpus-only`（beta，默认可见）
+* `distribute-cpus-across-numa`（alpha，默认隐藏）
+
 <!--
+If the `full-pcpus-only` policy option is specified, the static policy will always allocate full physical cores.
 By default, without this option, the static policy allocates CPUs using a topology-aware best-fit allocation.
 On SMT enabled systems, the policy can allocate individual virtual cores, which correspond to hardware threads.
 This can lead to different containers sharing the same physical cores; this behaviour in turn contributes
 to the [noisy neighbours problem](https://en.wikipedia.org/wiki/Cloud_computing_issues#Performance_interference_and_noisy_neighbors).
 -->
+如果使用 `full-pcpus-only` 策略选项，static 策略总是会分配完整的物理核心。
 默认情况下，如果不使用该选项，static 策略会使用拓扑感知最适合的分配方法来分配 CPU。
 在启用了 SMT 的系统上，此策略所分配是与硬件线程对应的、独立的虚拟核。
 这会导致不同的容器共享相同的物理核心，该行为进而会导致
@@ -344,5 +426,47 @@ With the option enabled, the pod will be admitted by the kubelet only if the CPU
 can be fulfilled by allocating full physical cores.
 If the pod does not pass the admission, it will be put in Failed state with the message `SMTAlignmentError`.
 -->
-启用该选项之后，只有当一个 Pod 里所有容器的 CPU 请求都能够分配到完整的物理核心时，kubelet 才会接受该 Pod。
-如果 Pod 没有被准入，它会被置于 Failed 状态，错误消息是 `SMTAlignmentError`。
\ No newline at end of file
+启用该选项之后，只有当一个 Pod 里所有容器的 CPU 请求都能够分配到完整的物理核心时，
+kubelet 才会接受该 Pod。
+如果 Pod 没有被准入，它会被置于 Failed 状态，错误消息是 `SMTAlignmentError`。
+
+<!--
+If the `distribute-cpus-across-numa` policy option is specified, the static
+policy will evenly distribute CPUs across NUMA nodes in cases where more than
+one NUMA node is required to satisfy the allocation.
+By default, the `CPUManager` will pack CPUs onto one NUMA node until it is
+filled, with any remaining CPUs simply spilling over to the next NUMA node.
+This can cause undesired bottlenecks in parallel code relying on barriers (and
+similar synchronization primitives), as this type of code tends to run only as
+fast as its slowest worker (which is slowed down by the fact that fewer CPUs
+are available on at least one NUMA node).
+By distributing CPUs evenly across NUMA nodes, application developers can more
+easily ensure that no single worker suffers from NUMA effects more than any
+other, improving the overall performance of these types of applications.
+-->
+如果使用 `distribute-cpus-across-numa` 策略选项，
+在需要多个 NUMA 节点来满足分配的情况下，
+static 策略会在 NUMA 节点上平均分配 CPU。
+默认情况下，`CPUManager` 会将 CPU 分配到一个 NUMA 节点上，直到它被填满，
+剩余的 CPU 会简单地溢出到下一个 NUMA 节点。
+这会导致依赖于同步屏障（以及类似的同步原语）的并行代码出现不期望的瓶颈，
+因为此类代码的运行速度往往取决于最慢的工作线程
+（由于至少一个 NUMA 节点存在可用 CPU 较少的情况，因此速度变慢）。
+通过在 NUMA 节点上平均分配 CPU，
+应用程序开发人员可以更轻松地确保没有某个工作线程单独受到 NUMA 影响，
+从而提高这些类型应用程序的整体性能。
+
+<!--
+The `full-pcpus-only` option can be enabled by adding `full-pcups-only=true` to
+the CPUManager policy options.
+Likewise, the `distribute-cpus-across-numa` option can be enabled by adding
+`distribute-cpus-across-numa=true` to the CPUManager policy options.
+When both are set, they are "additive" in the sense that CPUs will be
+distributed across NUMA nodes in chunks of full-pcpus rather than individual
+cores.
+-->
+可以通过将 `full-pcups-only=true` 添加到 CPUManager 策略选项来启用 `full-pcpus-only` 选项。
+同样地，可以通过将 `distribute-cpus-across-numa=true`
+添加到 CPUManager 策略选项来启用 `distribute-cpus-across-numa` 选项。
+当两者都设置时，它们是“累加的”，因为 CPU 将分布在 NUMA 节点的 full-pcpus 块中，
+而不是单个核心。
diff --git a/content/zh/docs/tasks/administer-cluster/declare-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/declare-network-policy.md
similarity index 89%
rename from content/zh/docs/tasks/administer-cluster/declare-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/declare-network-policy.md
index b5858ba2fc4c6..22615f9bcaad8 100644
--- a/content/zh/docs/tasks/administer-cluster/declare-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/declare-network-policy.md
@@ -18,7 +18,7 @@ content_type: task
 This document helps you get started using the Kubernetes [NetworkPolicy API](/docs/concepts/services-networking/network-policies/) to declare network policies that govern how pods communicate with each other.
 -->
 本文可以帮助你开始使用 Kubernetes 的
-[NetworkPolicy API](/zh/docs/concepts/services-networking/network-policies/)
+[NetworkPolicy API](/zh-cn/docs/concepts/services-networking/network-policies/)
 声明网络策略去管理 Pod 之间的通信
 
 {{% thirdparty-content %}}
@@ -39,12 +39,12 @@ Make sure you've configured a network provider with network policy support. Ther
 -->
 你首先需要有一个支持网络策略的 Kubernetes 集群。已经有许多支持 NetworkPolicy 的网络提供商，包括：
 
-* [Antrea](/zh/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy/)
-* [Calico](/zh/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/)
-* [Cilium](/zh/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/)
-* [Kube-router](/zh/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy/)
-* [Romana](/zh/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy/)
-* [Weave 网络](/zh/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy/)
+* [Antrea](/zh-cn/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy/)
+* [Calico](/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/)
+* [Cilium](/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/)
+* [Kube-router](/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy/)
+* [Romana](/zh-cn/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy/)
+* [Weave 网络](/zh-cn/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy/)
 
 <!-- steps -->
 
@@ -142,7 +142,7 @@ The name of a NetworkPolicy object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 NetworkPolicy 对象的名称必须是一个合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
 <!--
 NetworkPolicy includes a `podSelector` which selects the grouping of Pods to which the policy applies. You can see this policy selects Pods with the label `app=nginx`. The label was automatically added to the Pod in the `nginx` Deployment. An empty `podSelector` selects all pods in the namespace.
diff --git a/content/zh/docs/tasks/administer-cluster/developing-cloud-controller-manager.md b/content/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager.md
similarity index 97%
rename from content/zh/docs/tasks/administer-cluster/developing-cloud-controller-manager.md
rename to content/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager.md
index 6b47fa7b01f90..8aff94ac8fbb8 100644
--- a/content/zh/docs/tasks/administer-cluster/developing-cloud-controller-manager.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager.md
@@ -81,5 +81,5 @@ For in-tree cloud providers, you can run the in-tree cloud controller manager as
 -->
 对于树内（In-Tree）驱动，你可以将树内云控制器管理器作为集群中的
 {{< glossary_tooltip term_id="daemonset" text="DaemonSet" >}} 来运行。
-有关详细信息，请参阅[云控制器管理器管理](/zh/docs/tasks/administer-cluster/running-cloud-controller/)。
+有关详细信息，请参阅[云控制器管理器管理](/zh-cn/docs/tasks/administer-cluster/running-cloud-controller/)。
 
diff --git a/content/zh/docs/tasks/administer-cluster/dns-custom-nameservers.md b/content/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers.md
similarity index 97%
rename from content/zh/docs/tasks/administer-cluster/dns-custom-nameservers.md
rename to content/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers.md
index d5259d809b3e1..883324ab11467 100644
--- a/content/zh/docs/tasks/administer-cluster/dns-custom-nameservers.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers.md
@@ -30,7 +30,7 @@ Your cluster must be running the CoreDNS add-on.
 explains how to use `kubeadm` to migrate from `kube-dns`.
 -->
 你的集群必须运行 CoreDNS 插件。
-文档[迁移到 CoreDNS](/zh/docs/tasks/administer-cluster/coredns/#migrating-to-coredns)
+文档[迁移到 CoreDNS](/zh-cn/docs/tasks/administer-cluster/coredns/#migrating-to-coredns)
 解释了如何使用 `kubeadm` 从 `kube-dns` 迁移到 CoreDNS。
 
 <!-- steps -->
@@ -84,7 +84,7 @@ The DNS server supports forward lookups (A and AAAA records), port lookups (SRV
 and more. For more information, see [DNS for Services and Pods](/docs/concepts/services-networking/dns-pod-service/).
 -->
 DNS 服务器支持正向查找（A 和 AAAA 记录）、端口发现（SRV 记录）、反向 IP 地址发现（PTR 记录）等。
-更多信息，请参见[Pod 和 服务的 DNS](/zh/docs/concepts/services-networking/dns-pod-service/)。
+更多信息，请参见[Pod 和 服务的 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)。
 
 <!-- 
 If a Pod's `dnsPolicy` is set to "`default`", it inherits the name resolution
@@ -94,7 +94,7 @@ But see [Known issues](/docs/tasks/administer-cluster/dns-debugging-resolution/#
 -->
 如果 Pod 的 `dnsPolicy` 设置为 "`default`"，则它将从 Pod 运行所在节点继承名称解析配置。
 Pod 的 DNS 解析行为应该与节点相同。
-但请参阅[已知问题](/zh/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues)。
+但请参阅[已知问题](/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues)。
 
 <!-- 
 If you don't want this, or if you want a different DNS config for pods, you can
@@ -399,5 +399,5 @@ A cluster administrator can also migrate using [the deploy script](https://githu
 <!--
 - Read [Debugging DNS Resolution](/docs/tasks/administer-cluster/dns-debugging-resolution/).
 -->
-- 阅读[调试 DNS 解析](/zh/docs/tasks/administer-cluster/dns-debugging-resolution/)
+- 阅读[调试 DNS 解析](/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution/)
 
diff --git a/content/zh/docs/tasks/administer-cluster/dns-custom-nameservers/dns.png b/content/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/dns.png
similarity index 100%
rename from content/zh/docs/tasks/administer-cluster/dns-custom-nameservers/dns.png
rename to content/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/dns.png
diff --git a/content/zh/docs/tasks/administer-cluster/dns-debugging-resolution.md b/content/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/dns-debugging-resolution.md
rename to content/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution.md
index 2a777134e126c..32481a42f49c8 100644
--- a/content/zh/docs/tasks/administer-cluster/dns-debugging-resolution.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution.md
@@ -55,7 +55,7 @@ busybox   1/1       Running   0          <some-time>
 
 {{< note >}}
 此示例在 `default` 命名空间创建 pod。 服务的 DNS 名字解析取决于 pod 的命名空间。 详细信息请查阅
-[服务和 Pod 的 DNS](/zh/docs/concepts/services-networking/dns-pod-service/#what-things-get-dns-names)。
+[服务和 Pod 的 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/#what-things-get-dns-names)。
 {{< /note >}}
 
 使用上面的清单来创建一个 Pod：
@@ -115,7 +115,7 @@ Take a look inside the resolv.conf file.
 ### 先检查本地的 DNS 配置
 
 查看 resolv.conf 文件的内容
-（阅读[定制 DNS 服务](/zh/docs/tasks/administer-cluster/dns-custom-nameservers/) 和
+（阅读[定制 DNS 服务](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/) 和
 后文的[已知问题](#known-issues) ，获取更多信息)
 
 ```shell
@@ -197,7 +197,7 @@ the DNS add-on may not be deployed by default in your current environment and yo
 will have to deploy it manually.
 -->
 如果你发现没有 CoreDNS Pod 在运行，或者该 Pod 的状态是 failed 或者 completed，
-那可能这个 DNS 插件在您当前的环境里并没有成功部署，你将需要手动去部署它。
+那可能这个 DNS 插件在你当前的环境里并没有成功部署，你将需要手动去部署它。
 
 <!--
 ### Check for Errors in the DNS pod
@@ -266,7 +266,7 @@ but it does not appear, see
 more information.
 -->
 如果你已经创建了 DNS 服务，或者该服务应该是默认自动创建的但是它并没有出现，
-请阅读[调试服务](/zh/docs/tasks/debug/debug-application/debug-service/)
+请阅读[调试服务](/zh-cn/docs/tasks/debug/debug-application/debug-service/)
 来获取更多信息。
 
 <!--
@@ -297,7 +297,7 @@ For additional Kubernetes DNS examples, see the
 in the Kubernetes GitHub repository.
 -->
 如果你没看到对应的端点，请阅读
-[调试服务](/zh/docs/tasks/debug/debug-application/debug-service/)的端点部分。
+[调试服务](/zh-cn/docs/tasks/debug/debug-application/debug-service/)的端点部分。
 
 若需要了解更多的 Kubernetes DNS 例子，请在 Kubernetes GitHub 仓库里查看
 [cluster-dns 示例](https://github.com/kubernetes/examples/tree/master/staging/cluster-dns)。 
@@ -479,7 +479,7 @@ To learn more about name resolution, see
 [DNS for Services and Pods](/docs/concepts/services-networking/dns-pod-service/#what-things-get-dns-names). 
 -->
 要进一步了解名字解析，请查看
-[服务和 Pod 的 DNS](/zh/docs/concepts/services-networking/dns-pod-service/#what-things-get-dns-names)。
+[服务和 Pod 的 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/#what-things-get-dns-names)。
 
 <!--
 ## Known issues
@@ -538,7 +538,7 @@ Kubernetes 需要占用一个 `nameserver` 记录和三个`search`记录。
 With [Expanded DNS Configuration](/docs/concepts/services-networking/dns-pod-service/#expanded-dns-configuration),
 Kubernetes allows more DNS `search` records.
 -->
-使用[扩展 DNS 设置](/zh/docs/concepts/services-networking/dns-pod-service/#expanded-dns-configuration)，
+使用[扩展 DNS 设置](/zh-cn/docs/concepts/services-networking/dns-pod-service/#expanded-dns-configuration)，
 Kubernetes 允许更多的 `search` 记录。
 {{< /note >}}
 <!--
@@ -557,6 +557,6 @@ for more information.
 - [Autoscaling the DNS Service in a Cluster](/docs/tasks/administer-cluster/dns-horizontal-autoscaling/).
 - [DNS for Services and Pods](/docs/concepts/services-networking/dns-pod-service/)
 -->
-- 参阅[自动扩缩集群中的 DNS 服务](/zh/docs/tasks/administer-cluster/dns-horizontal-autoscaling/).
-- 阅读[服务和 Pod 的 DNS](/zh/docs/concepts/services-networking/dns-pod-service/)
+- 参阅[自动扩缩集群中的 DNS 服务](/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling/).
+- 阅读[服务和 Pod 的 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)
 
diff --git a/content/zh/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md b/content/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
similarity index 98%
rename from content/zh/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
rename to content/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
index b9face566f27c..ca19912cdc2f2 100644
--- a/content/zh/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling.md
@@ -27,7 +27,7 @@ Kubernetes cluster.
 -->
 * 本指南假设你的节点使用 AMD64 或 Intel 64 CPU 架构
 
-* 确保已启用 [DNS 功能](/zh/docs/concepts/services-networking/dns-pod-service/)本身。
+* 确保已启用 [DNS 功能](/zh-cn/docs/concepts/services-networking/dns-pod-service/)本身。
 
 * 建议使用 Kubernetes 1.4.0 或更高版本。
 
@@ -412,6 +412,6 @@ patterns: *linear* and *ladder*.
 [implementation of cluster-proportional-autoscaler](https://github.com/kubernetes-sigs/cluster-proportional-autoscaler).
 
 -->
-* 阅读[为关键插件 Pod 提供的调度保障](/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+* 阅读[为关键插件 Pod 提供的调度保障](/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
 * 进一步了解 [cluster-proportional-autoscaler 实现](https://github.com/kubernetes-sigs/cluster-proportional-autoscaler)
 
diff --git a/content/zh/docs/tasks/administer-cluster/enable-disable-api.md b/content/zh-cn/docs/tasks/administer-cluster/enable-disable-api.md
similarity index 88%
rename from content/zh/docs/tasks/administer-cluster/enable-disable-api.md
rename to content/zh-cn/docs/tasks/administer-cluster/enable-disable-api.md
index 5e2fc48059e8b..c1eb5ec970902 100644
--- a/content/zh/docs/tasks/administer-cluster/enable-disable-api.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/enable-disable-api.md
@@ -38,14 +38,14 @@ The `runtime-config` command line argument also supports 2 special keys:
 <!-- 
 - `api/all`, representing all known APIs
 - `api/legacy`, representing only legacy APIs. Legacy APIs are any APIs that have been
-   explicitly [deprecated](/zh/docs/reference/using-api/deprecation-policy/).
+   explicitly [deprecated](/zh-cn/docs/reference/using-api/deprecation-policy/).
 
 For example, to turning off all API versions except v1, pass `--runtime-config=api/all=false,api/v1=true`
 to the `kube-apiserver`.
 -->
 - `api/all`：指所有已知的 API
 - `api/legacy`：指过时的 API。过时的 API 就是明确地
-  [弃用](/zh/docs/reference/using-api/deprecation-policy/)
+  [弃用](/zh-cn/docs/reference/using-api/deprecation-policy/)
   的 API。
 
 例如：为了停用除去 v1 版本之外的全部其他 API 版本，
@@ -57,5 +57,5 @@ to the `kube-apiserver`.
 Read the [full documentation](/docs/reference/command-line-tools-reference/kube-apiserver/)
 for the `kube-apiserver` component.
 -->
-阅读[完整的文档](/zh/docs/reference/command-line-tools-reference/kube-apiserver/),
+阅读[完整的文档](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/),
 以了解 `kube-apiserver` 组件。
\ No newline at end of file
diff --git a/content/zh/docs/tasks/administer-cluster/enabling-service-topology.md b/content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md
similarity index 81%
rename from content/zh/docs/tasks/administer-cluster/enabling-service-topology.md
rename to content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md
index 1307065c5a234..c646046c05128 100644
--- a/content/zh/docs/tasks/administer-cluster/enabling-service-topology.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md
@@ -13,7 +13,7 @@ Kubernetes v1.21.
 introduced in Kubernetes v1.21, provide similar functionality.
 -->
 这项功能，特别是 Alpha 状态的 `topologyKeys` 字段，在 kubernetes v1.21 中已经弃用。
-在 kubernetes v1.21 加入的[拓扑感知提示](/zh/docs/concepts/services-networking/topology-aware-hints/)
+在 kubernetes v1.21 加入的[拓扑感知提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/)
 提供了类似的功能。
 
 ## {{% heading "prerequisites" %}}
@@ -61,7 +61,7 @@ To enable service topology, enable the `ServiceTopology`
 {{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
 
 要启用服务拓扑功能，需要为所有 Kubernetes 组件启用 `ServiceTopology` 
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)：
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)：
 
 ```
 --feature-gates="ServiceTopology=true`
@@ -77,7 +77,7 @@ To enable service topology, enable the `ServiceTopology`
 * Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/)
 -->
 
-* 阅读[拓扑感知提示](/zh/docs/concepts/services-networking/topology-aware-hints/)，该技术是用来替换 `topologyKeys` 字段的。
-* 阅读[端点切片](/zh/docs/concepts/services-networking/endpoint-slices)
-* 阅读[服务拓扑](/zh/docs/concepts/services-networking/service-topology)概念
-* 阅读[通过服务来连接应用](/zh/docs/concepts/services-networking/connect-applications-service/)
\ No newline at end of file
+* 阅读[拓扑感知提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/)，该技术是用来替换 `topologyKeys` 字段的。
+* 阅读[端点切片](/zh-cn/docs/concepts/services-networking/endpoint-slices)
+* 阅读[服务拓扑](/zh-cn/docs/concepts/services-networking/service-topology)概念
+* 阅读[通过服务来连接应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
\ No newline at end of file
diff --git a/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
new file mode 100644
index 0000000000000..a527c52c7ade5
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
@@ -0,0 +1,394 @@
+---
+title: 静态加密 Secret 数据
+content_type: task
+---
+
+<!--
+title: Encrypting Secret Data at Rest
+reviewers:
+- smarterclayton
+content_type: task
+-->
+
+<!-- overview -->
+<!--
+This page shows how to enable and configure encryption of secret data at rest.
+-->
+本文展示如何启用和配置静态 Secret 数据的加密
+
+## {{% heading "prerequisites" %}}
+
+* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+
+<!--
+* etcd v3.0 or later is required
+-->
+* 需要 etcd v3.0 或者更高版本
+
+<!-- steps -->
+
+<!--
+## Configuration and determining whether encryption at rest is already enabled
+
+The `kube-apiserver` process accepts an argument `--encryption-provider-config`
+that controls how API data is encrypted in etcd.
+The configuration is provided as an API named
+[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/).
+An example configuration is provided below.
+-->
+## 配置并确定是否已启用静态数据加密
+
+`kube-apiserver` 的参数 `--encryption-provider-config` 控制 API 数据在 etcd 中的加密方式。
+该配置作为一个名为 [`EncryptionConfiguration`](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/) 的 API 提供。
+下面提供了一个示例配置。
+
+<!--
+**IMPORTANT:** For high-availability configurations (with two or more control plane nodes), the
+encryption configuration file must be the same! Otherwise, the `kube-apiserver` component cannot
+decrypt data stored in the etcd.
+-->
+{{< caution >}}
+**重要：** 对于高可用配置（有两个或多个控制平面节点），加密配置文件必须相同！
+否则，`kube-apiserver` 组件无法解密存储在 etcd 中的数据。
+{{< /caution >}}
+
+<!--
+## Understanding the encryption at rest configuration.
+-->
+## 理解静态数据加密
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - identity: {}
+      - aesgcm:
+          keys:
+            - name: key1
+              secret: c2VjcmV0IGlzIHNlY3VyZQ==
+            - name: key2
+              secret: dGhpcyBpcyBwYXNzd29yZA==
+      - aescbc:
+          keys:
+            - name: key1
+              secret: c2VjcmV0IGlzIHNlY3VyZQ==
+            - name: key2
+              secret: dGhpcyBpcyBwYXNzd29yZA==
+      - secretbox:
+          keys:
+            - name: key1
+              secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
+```
+
+<!--
+Each `resources` array item is a separate config and contains a complete configuration. The
+`resources.resources` field is an array of Kubernetes resource names (`resource` or `resource.group`)
+that should be encrypted. The `providers` array is an ordered list of the possible encryption
+providers.
+
+Only one provider type may be specified per entry (`identity` or `aescbc` may be provided,
+but not both in the same item).
+The first provider in the list is used to encrypt resources written into the storage. When reading
+resources from storage, each provider that matches the stored data attempts in order to decrypt the
+data. If no provider can read the stored data due to a mismatch in format or secret key, an error
+is returned which prevents clients from accessing that resource.
+
+For more detailed information about the `EncryptionConfiguration` struct, please refer to the
+[encryption configuration API](/docs/reference/config-api/apiserver-encryption.v1/).
+-->
+每个 `resources` 数组项目是一个单独的完整的配置。
+`resources.resources` 字段是要加密的 Kubernetes 资源名称（`resource` 或 `resource.group`）的数组。
+`providers` 数组是可能的加密 provider 的有序列表。
+
+每个条目只能指定一个 provider 类型（可以是 `identity` 或 `aescbc`，但不能在同一个项目中同时指定二者）。
+列表中的第一个 provider 用于加密写入存储的资源。
+当从存储器读取资源时，与存储的数据匹配的所有 provider 将按顺序尝试解密数据。
+如果由于格式或密钥不匹配而导致没有 provider 能够读取存储的数据，则会返回一个错误，以防止客户端访问该资源。
+
+有关 `EncryptionConfiguration` 结构体的更多详细信息，请参阅[加密配置 API](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/)。
+
+<!--
+If any resource is not readable via the encryption config (because keys were changed),
+the only recourse is to delete that key from the underlying etcd directly. Calls that attempt to
+read that resource will fail until it is deleted or a valid decryption key is provided.
+-->
+{{< caution >}}
+如果通过加密配置无法读取资源（因为密钥已更改），唯一的方法是直接从底层 etcd 中删除该密钥。
+任何尝试读取资源的调用将会失败，直到它被删除或提供有效的解密密钥。
+{{< /caution >}}
+
+### Providers:
+
+<!--
+Name | Encryption | Strength | Speed | Key Length | Other Considerations
+-----|------------|----------|-------|------------|---------------------
+`identity` | None | N/A | N/A | N/A | Resources written as-is without encryption. When set as the first provider, the resource will be decrypted as new values are written.
+`secretbox` | XSalsa20 and Poly1305 | Strong | Faster | 32-byte | A newer standard and may not be considered acceptable in environments that require high levels of review.
+`aesgcm` | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented.
+`aescbc` | AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding | Weak | Fast | 32-byte | Not recommended due to CBC's vulnerability to padding oracle attacks.
+`kms` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS provider](/docs/tasks/administer-cluster/kms-provider/)
+
+Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider
+is the first provider, the first key is used for encryption.
+-->
+{{< table caption="Kubernetes 静态数据加密的 Providers" >}}
+名称 | 加密类型   | 强度     | 速度  | 密钥长度   | 其它事项
+-----|------------|----------|-------|------------|---------------------
+`identity` | 无 | N/A | N/A | N/A | 不加密写入的资源。当设置为第一个 provider 时，资源将在新值写入时被解密。
+`secretbox` | XSalsa20 和 Poly1305 | 强 | 更快 | 32字节 | 较新的标准，在需要高度评审的环境中可能不被接受。
+`aesgcm` | 带有随机数的 AES-GCM | 必须每 200k 写入一次 | 最快 | 16, 24 或者 32字节 | 建议不要使用，除非实施了自动密钥循环方案。
+`aescbc` | 填充 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 的 AES-CBC | 弱 | 快 | 32字节 | 由于 CBC 容易受到密文填塞攻击（Padding Oracle Attack），不推荐使用。
+`kms` | 使用信封加密方案：数据使用带有 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 填充的 AES-CBC 通过数据加密密钥（DEK）加密，DEK 根据 Key Management Service（KMS）中的配置通过密钥加密密钥（Key Encryption Keys，KEK）加密 | 最强 | 快 | 32字节 | 建议使用第三方工具进行密钥管理。为每个加密生成新的 DEK，并由用户控制 KEK 轮换来简化密钥轮换。[配置 KMS 提供程序](/zh-cn/docs/tasks/administer-cluster/kms-provider/)
+
+每个 provider 都支持多个密钥 - 在解密时会按顺序使用密钥，如果是第一个 provider，则第一个密钥用于加密。
+
+<!--
+Storing the raw encryption key in the EncryptionConfig only moderately improves your security
+posture, compared to no encryption.  Please use `kms` provider for additional security.
+-->
+{{< caution >}}
+在 EncryptionConfig 中保存原始的加密密钥与不加密相比只会略微地提升安全级别。
+请使用 `kms` 驱动以获得更强的安全性。
+{{< /caution >}}
+
+<!--
+By default, the `identity` provider is used to protect Secrets in etcd, which provides no
+encryption. `EncryptionConfiguration` was introduced to encrypt Secrets locally, with a locally
+managed key.
+
+Encrypting Secrets with a locally managed key protects against an etcd compromise, but it fails to
+protect against a host compromise. Since the encryption keys are stored on the host in the
+EncryptionConfiguration YAML file, a skilled attacker can access that file and extract the encryption
+keys.
+
+Envelope encryption creates dependence on a separate key, not stored in Kubernetes. In this case,
+an attacker would need to compromise etcd, the `kubeapi-server`, and the third-party KMS provider to
+retrieve the plaintext values, providing a higher level of security than locally stored encryption keys.
+-->
+默认情况下，`identity` 驱动被用来对 etcd 中的 Secret 提供保护，而这个驱动不提供加密能力。
+`EncryptionConfiguration` 的引入是为了能够使用本地管理的密钥来在本地加密 Secret 数据。
+
+使用本地管理的密钥来加密 Secret 能够保护数据免受 etcd 破坏的影响，不过无法针对
+主机被侵入提供防护。
+这是因为加密的密钥保存在主机上的 EncryptionConfig YAML 文件中，有经验的入侵者
+仍能访问该文件并从中提取出加密密钥。
+
+封套加密（Envelope Encryption）引入了对独立密钥的依赖，而这个密钥并不保存在 Kubernetes 中。
+在这种情况下，入侵者需要攻破 etcd、kube-apiserver 和第三方的 KMS
+驱动才能获得明文数据，因而这种方案提供了比本地保存加密密钥更高的安全级别。
+
+<!--
+## Encrypting your data
+
+Create a new encryption config file:
+-->
+## 加密你的数据
+
+创建一个新的加密配置文件：
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - aescbc:
+          keys:
+            - name: key1
+              secret: <BASE 64 ENCODED SECRET>
+      - identity: {}
+```
+
+<!--
+To create a new Secret, perform the following steps:
+
+1. Generate a 32-byte random key and base64 encode it. If you're on Linux or macOS, run the following command:
+-->
+遵循如下步骤来创建一个新的 Secret：
+
+1. 生成一个 32 字节的随机密钥并进行 base64 编码。如果你在 Linux 或 macOS 上，请运行以下命令：
+
+   ```shell
+   head -c 32 /dev/urandom | base64
+   ```
+
+<!--
+1. Place that value in the `secret` field of the `EncryptionConfiguration` struct.
+1. Set the `--encryption-provider-config` flag on the `kube-apiserver` to point to
+   the location of the config file.
+1. Restart your API server.
+-->
+2. 将这个值放入到 `EncryptionConfiguration` 结构体的 `secret` 字段中。
+3. 设置 `kube-apiserver` 的 `--encryption-provider-config` 参数，将其指向
+   配置文件所在位置。
+4. 重启你的 API server。
+
+<!--
+Your config file contains keys that can decrypt the contents in etcd, so you must properly restrict
+permissions on your control-plane nodes so only the user who runs the `kube-apiserver` can read it.
+-->
+{{< caution >}}
+你的配置文件包含可以解密 etcd 内容的密钥，因此你必须正确限制主控节点的访问权限，
+以便只有能运行 kube-apiserver 的用户才能读取它。
+{{< /caution >}}
+
+<!--
+## Verifying that data is encrypted
+
+Data is encrypted when written to etcd. After restarting your `kube-apiserver`, any newly created or
+updated Secret should be encrypted when stored. To check this, you can use the `etcdctl` command line
+program to retrieve the contents of your Secret.
+
+1. Create a new Secret called `secret1` in the `default` namespace:
+-->
+## 验证数据已被加密
+
+数据在写入 etcd 时会被加密。重新启动你的 `kube-apiserver` 后，任何新创建或更新的密码在存储时都应该被加密。
+如果想要检查，你可以使用 `etcdctl` 命令行程序来检索你的加密内容。
+
+1. 创建一个新的 secret，名称为 `secret1`，命名空间为 `default`：
+
+   ```shell
+   kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
+   ```
+
+<!--
+1. Using the `etcdctl` command line, read that Secret out of etcd:
+-->
+2. 使用 etcdctl 命令行，从 etcd 中读取 Secret：
+   ```shell
+   ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C
+   ```
+
+   <!--
+   where `[...]` must be the additional arguments for connecting to the etcd server.
+   -->
+   这里的 `[...]` 是用来连接 etcd 服务的额外参数。
+
+<!--
+1. Verify the stored Secret is prefixed with `k8s:enc:aescbc:v1:` which indicates
+   the `aescbc` provider has encrypted the resulting data.
+
+1. Verify the Secret is correctly decrypted when retrieved via the API:
+-->
+3. 验证存储的密钥前缀是否为 `k8s:enc:aescbc:v1:`，这表明 `aescbc` provider 已加密结果数据。
+
+4. 通过 API 检索，验证 Secret 是否被正确解密：
+
+   ```shell
+   kubectl describe secret secret1 -n default
+   ```
+
+   <!--
+   The output should contain `mykey: bXlkYXRh`, with contents of `mydata` encoded, check
+   [decoding a Secret](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)
+   to completely decode the Secret.
+   -->
+   其输出应该包含 `mykey: bXlkYXRh`，`mydata` 的内容是被加密过的，
+   请参阅[解密 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)
+   了解如何完全解码 Secret 内容。
+
+<!--
+## Ensure all Secrets are encrypted
+
+Since Secrets are encrypted on write, performing an update on a Secret will encrypt that content.
+-->
+## 确保所有 Secret 都被加密
+
+由于 Secret 是在写入时被加密，因此对 Secret 执行更新也会加密该内容。
+
+```shell
+kubectl get secrets --all-namespaces -o json | kubectl replace -f -
+```
+
+<!--
+The command above reads all Secrets and then updates them to apply server side encryption.
+-->
+上面的命令读取所有 Secret，然后使用服务端加密来更新其内容。
+
+<!--
+If an error occurs due to a conflicting write, retry the command.
+For larger clusters, you may wish to subdivide the secrets by namespace or script an update.
+-->
+{{< note >}}
+如果由于冲突写入而发生错误，请重试该命令。
+对于较大的集群，你可能希望通过命名空间或更新脚本来对 Secret 进行划分。
+{{< /note >}}
+
+<!--
+## Rotating a decryption key
+
+Changing a Secret without incurring downtime requires a multi-step operation, especially in
+the presence of a highly-available deployment where multiple `kube-apiserver` processes are running.
+
+1. Generate a new key and add it as the second key entry for the current provider on all servers
+1. Restart all `kube-apiserver` processes to ensure each server can decrypt using the new key
+1. Make the new key the first entry in the `keys` array so that it is used for encryption in the config
+1. Restart all `kube-apiserver` processes to ensure each server now encrypts using the new key
+1. Run `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` to encrypt all
+   existing Secrets with the new key
+1. Remove the old decryption key from the config after you have backed up etcd with the new key in use
+   and updated all Secrets
+
+When running a single `kube-apiserver` instance, step 2 may be skipped.
+-->
+## 轮换解密密钥
+
+在不发生停机的情况下更改 Secret 需要多步操作，特别是在有多个 `kube-apiserver` 进程正在运行的
+高可用环境中。
+
+1. 生成一个新密钥并将其添加为所有服务器上当前提供程序的第二个密钥条目
+1. 重新启动所有 `kube-apiserver` 进程以确保每台服务器都可以使用新密钥进行解密
+1. 将新密钥设置为 `keys` 数组中的第一个条目，以便在配置中使用其进行加密
+1. 重新启动所有 `kube-apiserver` 进程以确保每个服务器现在都使用新密钥进行加密
+1. 运行 `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`
+   以用新密钥加密所有现有的 Secret
+1. 在使用新密钥备份 etcd 后，从配置中删除旧的解密密钥并更新所有密钥
+
+当只运行一个 `kube-apiserver` 实例时，第 2 步可能可以忽略。
+
+<!--
+## Decrypting all data
+
+To disable encryption at rest, place the `identity` provider as the first entry in the config
+and restart all `kube-apiserver` processes.
+-->
+## 解密所有数据
+
+要禁用静态加密，请将 `identity` provider
+作为配置中的第一个条目并重新启动所有 `kube-apiserver` 进程。
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - identity: {}
+      - aescbc:
+          keys:
+            - name: key1
+              secret: <BASE 64 ENCODED SECRET>
+```
+
+<!--
+Then run the following command to force decrypt
+all Secrets:
+-->
+然后运行以下命令以强制解密所有 Secret：
+
+```shell
+kubectl get secrets --all-namespaces -o json | kubectl replace -f -
+```
+
+## {{% heading "whatsnext" %}}
+
+<!--
+* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/).
+-->
+进一步学习 [EncryptionConfiguration 配置 API (v1)](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/)。
diff --git a/content/zh/docs/tasks/administer-cluster/extended-resource-node.md b/content/zh-cn/docs/tasks/administer-cluster/extended-resource-node.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/extended-resource-node.md
rename to content/zh-cn/docs/tasks/administer-cluster/extended-resource-node.md
index 5c1d54b590e33..007c9021eb397 100644
--- a/content/zh/docs/tasks/administer-cluster/extended-resource-node.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/extended-resource-node.md
@@ -142,7 +142,7 @@ number of dongles. See
 [Assign Extended Resources to a Container](/docs/tasks/configure-pod-container/extended-resource/).
 -->
 现在，应用开发者可以创建请求一定数量 dongle 资源的 Pod 了。
-参见[将扩展资源分配给容器](/zh/docs/tasks/configure-pod-container/extended-resource/)。
+参见[将扩展资源分配给容器](/zh-cn/docs/tasks/configure-pod-container/extended-resource/)。
 
 <!--
 ## Discussion
@@ -294,10 +294,10 @@ kubectl describe node <your-node-name> | grep dongle
 -->
 ### 针对应用开发人员
 
-* [将扩展资源分配给容器](/zh/docs/tasks/configure-pod-container/extended-resource/)
+* [将扩展资源分配给容器](/zh-cn/docs/tasks/configure-pod-container/extended-resource/)
   
 ### 针对集群管理员
 
-* [为名字空间配置最小和最大内存约束](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为名字空间配置最小和最大 CPU 约束](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为名字空间配置最小和最大内存约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为名字空间配置最小和最大 CPU 约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
 
diff --git a/content/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md b/content/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
similarity index 94%
rename from content/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
rename to content/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
index 111d30d32d3ce..d5ce305d88add 100644
--- a/content/zh/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
@@ -15,8 +15,8 @@ vacated by the evicted critical add-on pod or the amount of resources available
 -->
 Kubernetes 核心组件（如 API 服务器、调度器、控制器管理器）在控制平面节点上运行。
 但是插件必须在常规集群节点上运行。
-其中一些插件对于功能完备的群集至关重要，例如 Heapster、DNS 和 UI。
-如果关键插件被逐出（手动或作为升级等其他操作的副作用）或者变成挂起状态，群集可能会停止正常工作。
+其中一些插件对于功能完备的集群至关重要，例如 Heapster、DNS 和 UI。
+如果关键插件被逐出（手动或作为升级等其他操作的副作用）或者变成挂起状态，集群可能会停止正常工作。
 关键插件进入挂起状态的例子有：集群利用率过高；被逐出的关键插件 Pod 释放了空间，但该空间被之前悬决的 Pod 占用；由于其它原因导致节点上可用资源的总量发生变化。
 
 <!--
diff --git a/content/zh/docs/tasks/administer-cluster/ip-masq-agent.md b/content/zh-cn/docs/tasks/administer-cluster/ip-masq-agent.md
similarity index 79%
rename from content/zh/docs/tasks/administer-cluster/ip-masq-agent.md
rename to content/zh-cn/docs/tasks/administer-cluster/ip-masq-agent.md
index e4d8bc82975ec..ce7835b23ea7c 100644
--- a/content/zh/docs/tasks/administer-cluster/ip-masq-agent.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/ip-masq-agent.md
@@ -9,9 +9,9 @@ content_type: task
 
 <!-- overview -->
 <!--
-This page shows how to configure and enable the ip-masq-agent.
+This page shows how to configure and enable the `ip-masq-agent`.
 -->
-此页面展示如何配置和启用 ip-masq-agent。
+此页面展示如何配置和启用 `ip-masq-agent`。
 
 ## {{% heading "prerequisites" %}}
 
@@ -24,9 +24,9 @@ This page shows how to configure and enable the ip-masq-agent.
 ## IP Masquerade Agent 用户指南
 
 <!--
-The ip-masq-agent configures iptables rules to hide a pod's IP address behind the cluster node's IP address. This is typically done when sending traffic to destinations outside the cluster's pod [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) range.
+The `ip-masq-agent` configures iptables rules to hide a pod's IP address behind the cluster node's IP address. This is typically done when sending traffic to destinations outside the cluster's pod [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) range.
 -->
-ip-masq-agent 配置 iptables 规则以隐藏位于集群节点 IP 地址后面的 Pod 的 IP 地址。
+`ip-masq-agent` 配置 iptables 规则以隐藏位于集群节点 IP 地址后面的 Pod 的 IP 地址。
 这通常在将流量发送到集群的 Pod
 [CIDR](https://zh.wikipedia.org/wiki/%E6%97%A0%E7%B1%BB%E5%88%AB%E5%9F%9F%E9%97%B4%E8%B7%AF%E7%94%B1)
 范围之外的目的地时使用。
@@ -96,23 +96,26 @@ The agent configuration file must be written in YAML or JSON syntax, and may con
 代理配置文件必须使用 YAML 或 JSON 语法编写，并且可能包含三个可选值：
 
 <!--
-*   **nonMasqueradeCIDRs:** A list of strings in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation that specify the non-masquerade ranges.
+* `nonMasqueradeCIDRs`: A list of strings in
+  [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation that specify the non-masquerade ranges.
 -->
-* **nonMasqueradeCIDRs:**
+* `nonMasqueradeCIDRs`：
   [CIDR](https://zh.wikipedia.org/wiki/%E6%97%A0%E7%B1%BB%E5%88%AB%E5%9F%9F%E9%97%B4%E8%B7%AF%E7%94%B1)
   表示法中的字符串列表，用于指定不需伪装的地址范围。
 
 <!--
-*   **masqLinkLocal:** A Boolean (true / false) which indicates whether to masquerade traffic to the link local prefix 169.254.0.0/16. False by default.
+* `masqLinkLocal`: A Boolean (true/false) which indicates whether to masquerade traffic to the
+  link local prefix `169.254.0.0/16`. False by default.
 -->
-* **masqLinkLocal:** 布尔值 (true / false)，表示是否将流量伪装到
-  本地链路前缀 169.254.0.0/16。默认为 false。
+* `masqLinkLocal`：布尔值 (true/false)，表示是否为本地链路前缀 169.254.0.0/16 的流量提供伪装。
+  默认为 false。
 
 <!--
-*   **resyncInterval:** An interval at which the agent attempts to reload config from disk. e.g. '30s' where 's' is seconds, 'ms' is milliseconds etc...
+* `resyncInterval`: A time interval at which the agent attempts to reload config from disk.
+  For example: '30s', where 's' means seconds, 'ms' means milliseconds.
 -->
-* **resyncInterval:** 代理尝试从磁盘重新加载配置的时间间隔。
-  例如 '30s'，其中 's' 是秒，'ms' 是毫秒等...
+* `resyncInterval`：代理从磁盘重新加载配置的重试时间间隔。
+  例如 '30s'，其中 's' 是秒，'ms' 是毫秒。
 
 <!--
 Traffic to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) ranges will NOT be masqueraded. Any other traffic (assumed to be internet) will be masqueraded.  An example of a local destination from a pod could be its Node's IP address as well as another node's address or one of the IP addresses in Cluster's IP range.   Any other traffic will be masqueraded by default.  The below entries show the default set of rules that are applied by the ip-masq-agent:
@@ -122,8 +125,11 @@ Traffic to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) ranges will NOT be masq
 Pod 访问本地目的地的例子，可以是其节点的 IP 地址、另一节点的地址或集群的 IP 地址范围内的一个 IP 地址。
 默认情况下，任何其他流量都将伪装。以下条目展示了 ip-masq-agent 的默认使用的规则：
 
-```
+```shell
 iptables -t nat -L IP-MASQ-AGENT
+```
+
+```none
 RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
 RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
 RETURN     all  --  anywhere             172.16.0.0/12        /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
@@ -133,13 +139,17 @@ MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent:
 ```
 
 <!--
-By default, in GCE/Google Kubernetes Engine starting with Kubernetes version 1.7.0, if network policy is enabled or you are using a cluster CIDR not in the 10.0.0.0/8 range, the ip-masq-agent will run in your cluster.  If you are running in another environment, you can add the ip-masq-agent [DaemonSet](/docs/concepts/workloads/controllers/daemonset/) to your cluster:
+By default, in GCE/Google Kubernetes Engine, if network policy is enabled or
+you are using a cluster CIDR not in the 10.0.0.0/8 range, the `ip-masq-agent`
+will run in your cluster. If you are running in another environment,
+you can add the `ip-masq-agent` [DaemonSet](/docs/concepts/workloads/controllers/daemonset/)
+to your cluster.
 -->
-默认情况下，从 Kubernetes 1.7.0 版本开始的 GCE/Google Kubernetes Engine 中，
-如果启用了网络策略，或者你使用的集群 CIDR 不在 10.0.0.0/8 范围内，
-则 ip-masq-agent 将在你的集群中运行。
-如果你在其他环境中运行，则可以将 ip-masq-agent 
-[DaemonSet](/zh/docs/concepts/workloads/controllers/daemonset/) 添加到你的集群：
+默认情况下，在 GCE/Google Kubernetes Engine 中，如果启用了网络策略，
+或者你使用的集群 CIDR 不在 10.0.0.0/8 范围内，
+则 `ip-masq-agent` 将在你的集群中运行。
+如果你在其他环境中运行，可以将 `ip-masq-agent`
+[DaemonSet](/zh-cn/docs/concepts/workloads/controllers/daemonset/) 添加到你的集群中。
 
 <!-- steps -->
 
@@ -172,20 +182,20 @@ More information can be found in the ip-masq-agent documentation [here](https://
 <!--
 In most cases, the default set of rules should be sufficient; however, if this is not the case for your cluster, you can create and apply a [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) to customize the IP ranges that are affected.  For example, to allow only 10.0.0.0/8 to be considered by the ip-masq-agent, you can create the following [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) in a file called "config".
 -->
-在大多数情况下，默认的规则集应该足够；但是，如果你的群集不是这种情况，则可以创建并应用
-[ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)
+在大多数情况下，默认的规则集应该足够；但是，如果你的集群不是这种情况，则可以创建并应用
+[ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
 来自定义受影响的 IP 范围。
 例如，要允许 ip-masq-agent 仅作用于 10.0.0.0/8，你可以在一个名为 “config” 的文件中创建以下
-[ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/) 。
+[ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/) 。
 
 {{< note >}}
 <!--
-It is important that the file is called config since, by default, that will be used as the key for lookup by the ip-masq-agent:
+It is important that the file is called config since, by default, that will be used as the key for lookup by the `ip-masq-agent`:
 -->
 重要的是，该文件之所以被称为 config，因为默认情况下，该文件将被用作
-ip-masq-agent 查找的主键：
+`ip-masq-agent` 查找的主键：
 
-```
+```yaml
 nonMasqueradeCIDRs:
   - 10.0.0.0/8
 resyncInterval: 60s
@@ -195,22 +205,25 @@ resyncInterval: 60s
 <!--
 Run the following command to add the config map to your cluster:
 -->
-运行以下命令将配置映射添加到你的集群：
+运行以下命令将 ConfigMap 添加到你的集群：
 
-```
+```shell
 kubectl create configmap ip-masq-agent --from-file=config --namespace=kube-system
 ```
 
 <!--
-This will update a file located at */etc/config/ip-masq-agent* which is periodically checked every *resyncInterval* and applied to the cluster node.
+This will update a file located at `/etc/config/ip-masq-agent` which is periodically checked every `resyncInterval` and applied to the cluster node.
 After the resync interval has expired, you should see the iptables rules reflect your changes:
 -->
-这将更新位于 */etc/config/ip-masq-agent* 的一个文件，该文件以 *resyncInterval* 
+这将更新位于 `/etc/config/ip-masq-agent` 的一个文件，该文件以 `resyncInterval`
 为周期定期检查并应用于集群节点。
 重新同步间隔到期后，你应该看到你的更改在 iptables 规则中体现：
 
-```
+```shell
 iptables -t nat -L IP-MASQ-AGENT
+```
+
+```none
 Chain IP-MASQ-AGENT (1 references)
 target     prot opt source               destination
 RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
@@ -219,13 +232,13 @@ MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent:
 ```
 
 <!--
-By default, the link local range (169.254.0.0/16) is also handled by the ip-masq agent, which sets up the appropriate iptables rules.  To have the ip-masq-agent ignore link local, you can set *masqLinkLocal*  to true in the config map.
+By default, the link local range (169.254.0.0/16) is also handled by the ip-masq agent, which sets up the appropriate iptables rules.  To have the ip-masq-agent ignore link local, you can set `masqLinkLocal` to true in the ConfigMap.
 -->
 默认情况下，本地链路范围 (169.254.0.0/16) 也由 ip-masq agent 处理，
 该代理设置适当的 iptables 规则。 要使 ip-masq-agent 忽略本地链路，
-可以在配置映射中将 *masqLinkLocal* 设置为 true。
+可以在 ConfigMap 中将 `masqLinkLocal` 设置为 true。
 
-```
+```yaml
 nonMasqueradeCIDRs:
   - 10.0.0.0/8
 resyncInterval: 60s
diff --git a/content/zh/docs/tasks/administer-cluster/kms-provider.md b/content/zh-cn/docs/tasks/administer-cluster/kms-provider.md
similarity index 99%
rename from content/zh/docs/tasks/administer-cluster/kms-provider.md
rename to content/zh-cn/docs/tasks/administer-cluster/kms-provider.md
index e18e174fc2235..508ffe3b8b60f 100644
--- a/content/zh/docs/tasks/administer-cluster/kms-provider.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kms-provider.md
@@ -61,7 +61,7 @@ To configure a KMS provider on the API server, include a provider of type ```kms
 * `timeout`: 在返回一个错误之前，kube-apiserver 等待 kms-plugin 响应的时间（默认是 3 秒）。
 
 <!-- See [Understanding the encryption at rest configuration.](/docs/tasks/administer-cluster/encrypt-data) -->
-参见[理解静态数据加密配置](/zh/docs/tasks/administer-cluster/encrypt-data)
+参见[理解静态数据加密配置](/zh-cn/docs/tasks/administer-cluster/encrypt-data)
 
 <!--
 ## Implementing a KMS plugin
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/_index.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/_index.md
similarity index 100%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/_index.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/_index.md
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
similarity index 79%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
index 377b5f3956e31..f6ee38a585f65 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
@@ -25,7 +25,6 @@ You can use Kubernetes to run a mixture of Linux and Windows nodes, so you can m
 混合使用运行于 Linux 上的 Pod 和运行于 Windows 上的 Pod。
 本页面展示如何将 Windows 节点注册到你的集群。
 
-
 ## {{% heading "prerequisites" %}}
  {{< version-check >}}
 
@@ -36,12 +35,13 @@ If you are using VXLAN/Overlay networking you must have also have [KB4489899](ht
 
 * A Linux-based Kubernetes kubeadm cluster in which you have access to the control plane (see [Creating a single control-plane cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)).
 -->
+
 * 获取 [Windows Server 2019 或更高版本的授权](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing)
   以便配置托管 Windows 容器的 Windows 节点。
   如果你在使用 VXLAN/覆盖（Overlay）联网设施，则你还必须安装 [KB4489899](https://support.microsoft.com/help/4489899)。
 
 * 一个利用 kubeadm 创建的基于 Linux 的 Kubernetes 集群；你能访问该集群的控制面
-  （参见[使用 kubeadm 创建一个单控制面的集群](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/))。
+  （参见[使用 kubeadm 创建一个单控制面的集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/))。
 
 ## {{% heading "objectives" %}}
 
@@ -275,55 +275,12 @@ Windows 工作节点上具有提升的权限（Administrator）。
 {{< /note >}}
 
 {{< tabs name="tab-windows-kubeadm-runtime-installation" >}}
-{{% tab name="Docker EE" %}}
-
-<!--
-#### Install Docker EE
-
-Install the `Containers` feature
--->
-#### 安装 Docker EE
-
-```powershell
-Install-WindowsFeature -Name containers
-```
-<!--
-Install Docker
-Instructions to do so are available at [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker).
--->
-安装 Docker
-操作指南在 [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker)。
-
-<!--
-#### Install wins, kubelet, and kubeadm.
--->
-#### 安装 wins、kubelet 和 kubeadm
-
-   ```PowerShell
-   curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
-   .\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}}
-   ```
-
-<!--
-#### Run `kubeadm` to join the node
 
-    Use the command that was given to you when you ran `kubeadm init` on a control plane host.
-    If you no longer have this command, or the token has expired, you can run `kubeadm token create -print-join-command`
-    (on a control plane host) to generate a new token and join command.
--->
-#### 运行 `kubeadm` 添加节点
-
-   当你在控制面主机上运行 `kubeadm init` 时，输出了一个命令。现在运行这个命令。
-   如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
-   `kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
-
-{{% /tab %}}
 {{% tab name="CRI-containerD" %}}
 
 <!--
 #### Install containerD
 -->
-
 #### 安装 containerD
 
 ```powershell
@@ -335,16 +292,12 @@ curl.exe -LO https://github.com/kubernetes-sigs/sig-windows-tools/releases/lates
 <!--
 To install a specific version of containerD specify the version with -ContainerDVersion.
 -->
-要安装特定版本的 containerD，使用参数 -ContainerDVersion指定版本。
+要安装特定版本的 containerD，使用参数 -ContainerDVersion 指定版本。
 
 ```powershell
 # Example
 .\Install-Containerd.ps1 -ContainerDVersion 1.4.1
 ```
-
-{{< /note >}}
-
-{{< note >}}
 <!--
 If you're using a different interface rather than Ethernet (i.e. "Ethernet0 2") on the Windows nodes, specify the name with `-netAdapterName`.
 -->
@@ -360,12 +313,18 @@ If you're using a different interface rather than Ethernet (i.e. "Ethernet0 2")
 <!--
 #### Install wins, kubelet, and kubeadm
 -->
-#### 安装 wins，kubelet 和 kubeadm
+#### 安装 wins、kubelet 和 kubeadm
 
 ```PowerShell
 curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
 .\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}} -ContainerRuntime containerD
 ```
+<!--
+Install `crictl` from the [cri-tools project](https://github.com/kubernetes-sigs/cri-tools)
+which is required so that kubeadm can talk to the CRI endpoint.
+-->
+从 [cri-tools](https://github.com/kubernetes-sigs/cri-tools) 项目安装 `crtctl`。
+`crictl` 是必需的，kubeadm 使用它与 CRI 端点通信。
 
 <!--
 #### Run `kubeadm` to join the node
@@ -376,14 +335,92 @@ If you no longer have this command, or the token has expired, you can run `kubea
 -->
 #### 运行 `kubeadm` 添加节点
 
-   使用当你在控制面主机上运行 `kubeadm init` 时得到的命令。
-   如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
-   `kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
+ 使用当你在控制面主机上运行 `kubeadm init` 时得到的命令。
+ 如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
+ `kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
+
+
+{{% /tab %}}
+
+
+{{% tab name="Docker Engine" %}}
 
+<!--
+#### Install Docker Engine
+
+Install the `Containers` feature
+-->
+
+#### 安装 Docker Engine
+
+安装 `Containers` 功能特性
+
+```powershell
+Install-WindowsFeature -Name containers
+```
+
+<!--
+Install Docker
+Instructions to do so are available at [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker).
+-->
+
+安装 Docker
+
+操作指南在
+[Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker)。
+
+<!--
+[Install cri-dockerd](https://github.com/Mirantis/cri-dockerd) which is required so that the kubelet
+can communicate with Docker on a CRI compatible endpoint.
+-->
+
+[安装 cri-dockerd](https://github.com/Mirantis/cri-dockerd)。kubelet 可以通过 cri-dockerd
+在 CRI 兼容的节点上与 Docker 通信。
+ 
 {{< note >}}
-If using **CRI-containerD** add `--cri-socket "npipe:////./pipe/containerd-containerd"` to the kubeadm call
+<!--
+Docker Engine does not implement the [CRI](/docs/concepts/architecture/cri/)
+which is a requirement for a container runtime to work with Kubernetes.
+For that reason, an additional service [cri-dockerd](https://github.com/Mirantis/cri-dockerd)
+has to be installed. cri-dockerd is a project based on the legacy built-in
+Docker Engine support that was [removed](/dockershim) from the kubelet in version 1.24.
+-->
+Docker Engine 没有实现 [CRI](/zh-cn/docs/concepts/architecture/cri/)，
+而 CRI 是容器运行时能够与 Kubernetes 一起工作的要求。
+出于这个原因，必须安装一个额外的服务 [cri-dockerd](https://github.com/Mirantis/cri-dockerd)。
+cri-dockerd 是一个基于原来的内置 Docker Engine 支持的项目，
+而这一支持在 1.24 版本的 kubelet 中[已被移除](/zh-cn/dockershim)。
 {{< /note >}}
 
+<!--
+Install `crictl` from the [cri-tools project](https://github.com/kubernetes-sigs/cri-tools)
+which is required so that kubeadm can talk to the CRI endpoint.
+-->
+从 [cri-tools](https://github.com/kubernetes-sigs/cri-tools) 项目安装 `crictl`。
+kubeadm 需要 `crictl` 才能与 CRI 端点通信。
+
+<!--
+#### Install wins, kubelet, and kubeadm.
+-->
+#### 安装 wins、kubelet 和 kubeadm
+
+```PowerShell
+curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
+.\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}}
+```
+<!--
+# ### Run `kubeadm` to join the node
+
+Use the command that was given to you when you ran `kubeadm init` on a control plane host.
+If you no longer have this command, or the token has expired, you can run `kubeadm token create -print-join-command`
+(on a control plane host) to generate a new token and join command.
+-->
+#### 运行 `kubeadm` 添加节点
+
+当你在控制面主机上运行 `kubeadm init` 时，输出了一个命令。现在运行这个命令。
+如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
+`kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
+
 {{% /tab %}}
 {{< /tabs >}}
 
@@ -423,5 +460,5 @@ Once the flannel Pod is running, your node should enter the `Ready` state and th
 <!--
 - [Upgrading Windows kubeadm nodes](/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes)
 -->
-- [升级 kubeadm 安装的 Windows 节点](/zh/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes)
+- [升级 kubeadm 安装的 Windows 节点](/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes)
 
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
similarity index 84%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
index c268c711b997a..8835046239f07 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver.md
@@ -4,11 +4,9 @@ content_type: task
 weight: 10
 ---
 <!-- 
----
 title: Configuring a cgroup driver
 content_type: task
 weight: 10
----
 -->
 
 <!-- overview -->
@@ -25,7 +23,8 @@ runtime cgroup driver for kubeadm clusters.
 You should be familiar with the Kubernetes
 [container runtime requirements](/docs/setup/production-environment/container-runtimes).
 -->
-你应该熟悉 Kubernetes 的[容器运行时需求](/zh/docs/setup/production-environment/container-runtimes)。
+你应该熟悉 Kubernetes 的[容器运行时需求](/zh-cn/docs/setup/production-environment/container-runtimes)。
+
 <!-- steps -->
 
 <!-- 
@@ -38,7 +37,7 @@ The [Container runtimes](/docs/setup/production-environment/container-runtimes)
 explains that the `systemd` driver is recommended for kubeadm based setups instead
 of the `cgroupfs` driver, because kubeadm manages the kubelet as a systemd service.
 -->
-[容器运行时](/zh/docs/setup/production-environment/container-runtimes)页面提到：
+[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes)页面提到：
 由于 kubeadm 把 kubelet 视为一个系统服务来管理，所以对基于 kubeadm 的安装，
 我们推荐使用 `systemd` 驱动，不推荐 `cgroupfs` 驱动。
 
@@ -108,7 +107,7 @@ and passing it to the local node kubelet.
 {{< note >}}
 Kubeadm 对集群所有的节点，使用相同的 `KubeletConfiguration`。
 `KubeletConfiguration` 存放于 `kube-system` 命名空间下的某个 
-[ConfigMap](/zh/docs/concepts/configuration/configmap) 对象中。
+[ConfigMap](/zh-cn/docs/concepts/configuration/configmap) 对象中。
 
 执行 `init`、`join` 和 `upgrade` 等子命令会促使 kubeadm 
 将 `KubeletConfiguration` 写入到文件 `/var/lib/kubelet/config.yaml` 中，
@@ -122,18 +121,13 @@ Kubeadm 对集群所有的节点，使用相同的 `KubeletConfiguration`。
 # 使用 `cgroupfs` 驱动
 
 <!-- 
-As this guide explains using the `cgroupfs` driver with kubeadm is not recommended.
-
-To continue using `cgroupfs` and to prevent `kubeadm upgrade` from modifying the
+To use `cgroupfs` and to prevent `kubeadm upgrade` from modifying the
 `KubeletConfiguration` cgroup driver on existing setups, you must be explicit
 about its value. This applies to a case where you do not wish future versions
 of kubeadm to apply the `systemd` driver by default.
 -->
-正如本指南阐述的：不推荐与 kubeadm 一起使用 `cgroupfs` 驱动。
-
-如仍需使用 `cgroupfs`，
-且要防止 `kubeadm upgrade` 修改现有系统中 `KubeletConfiguration` 的 cgroup 驱动，
-你必须显式声明它的值。
+如仍需使用 `cgroupfs` 且要防止 `kubeadm upgrade` 修改现有系统中
+`KubeletConfiguration` 的 cgroup 驱动，你必须显式声明它的值。
 此方法应对的场景为：在将来某个版本的 kubeadm 中，你不想使用默认的 `systemd` 驱动。
 
 <!-- 
@@ -143,7 +137,7 @@ how to be explicit about the value.
 If you wish to configure a container runtime to use the `cgroupfs` driver,
 you must refer to the documentation of the container runtime of your choice.
 -->
-参阅以下章节“修改 kubelet 的 ConfigMap”，了解显式设置该值的方法。
+参阅以下章节“[修改 kubelet 的 ConfigMap](#modify-the-kubelet-configmap) ”，了解显式设置该值的方法。
 
 如果你希望配置容器运行时来使用 `cgroupfs` 驱动，
 则必须参考所选容器运行时的文档。
@@ -177,16 +171,13 @@ nodes before deleting the old nodes.
 <!-- 
 ### Modify the kubelet ConfigMap
 -->
-### 修改 kubelet 的 ConfigMap
+### 修改 kubelet 的 ConfigMap  {#modify-the-kubelet-configmap}
 
 <!-- 
-- Find the kubelet ConfigMap name using `kubectl get cm -n kube-system | grep kubelet-config`.
-- Call `kubectl edit cm kubelet-config-x.yy -n kube-system` (replace `x.yy` with
-the Kubernetes version).
+- Call `kubectl edit cm kubelet-config -n kube-system`.
 - Either modify the existing `cgroupDriver` value or add a new field that looks like this:
 -->
-- 用命令 `kubectl get cm -n kube-system | grep kubelet-config` 找到 kubelet 的 ConfigMap 名称。
-- 运行 `kubectl edit cm kubelet-config-x.yy -n kube-system` （把 `x.yy` 替换为 Kubernetes 版本）。
+- 运行 `kubectl edit cm kubelet-config -n kube-system`。
 - 修改现有 `cgroupDriver` 的值，或者新增如下式样的字段：
 
   ```yaml
@@ -217,7 +208,7 @@ For each node in the cluster:
 对于集群中的每一个节点：
 
 - 执行命令 `kubectl drain <node-name> --ignore-daemonsets`，以
-  [腾空节点](/zh/docs/tasks/administer-cluster/safely-drain-node)
+  [腾空节点](/zh-cn/docs/tasks/administer-cluster/safely-drain-node)
 - 执行命令 `systemctl stop kubelet`，以停止 kubelet
 - 停止容器运行时
 - 修改容器运行时 cgroup 驱动为 `systemd`
@@ -225,7 +216,7 @@ For each node in the cluster:
 - 启动容器运行时
 - 执行命令 `systemctl start kubelet`，以启动 kubelet
 - 执行命令 `kubectl uncordon <node-name>`，以
-  [取消节点隔离](/zh/docs/tasks/administer-cluster/safely-drain-node)
+  [取消节点隔离](/zh-cn/docs/tasks/administer-cluster/safely-drain-node)
 
 <!-- 
 Execute these steps on nodes one at a time to ensure workloads
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
similarity index 69%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index a2c9194729216..fd33c404c56b5 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -15,18 +15,20 @@ weight: 10
 
 {{< feature-state for_k8s_version="v1.15" state="stable" >}}
 
-<!-- 
-Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year. This page explains how to manage certificate renewals with kubeadm. 
+<!--
+Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year.
+This page explains how to manage certificate renewals with kubeadm. It also covers other tasks related
+to kubeadm certificate management.
 -->
-由 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
-本页说明如何使用 kubeadm 管理证书续订。
+由 [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
+本页说明如何使用 kubeadm 管理证书续订，同时也涵盖其他与 kubeadm 证书管理相关的说明。
 
 ## {{% heading "prerequisites" %}}
 
 <!--
 You should be familiar with [PKI certificates and requirements in Kubernetes](/docs/setup/best-practices/certificates/).
 -->
-你应该熟悉 [Kubernetes 中的 PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)。
+你应该熟悉 [Kubernetes 中的 PKI 证书和要求](/zh-cn/docs/setup/best-practices/certificates/)。
 
 <!-- steps -->
 
@@ -39,16 +41,16 @@ You can override this behavior by providing your own certificates.
 
 ## 使用自定义的证书 {#custom-certificates}
 
-默认情况下, kubeadm 会生成运行一个集群所需的全部证书。
+默认情况下，kubeadm 会生成运行一个集群所需的全部证书。
 你可以通过提供你自己的证书来改变这个行为策略。
 
 <!--
 To do so, you must place them in whatever directory is specified by the
-`--cert-dir` flag or the `CertificatesDir`field of kubeadm's `ClusterConfiguration` . By default this
-is `/etc/kubernetes/pki`.
+`--cert-dir` flag or the `certificatesDir` field of kubeadm's `ClusterConfiguration`.
+By default this is `/etc/kubernetes/pki`.
 -->
-如果要这样做, 你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
-`CertificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`。
+如果要这样做，你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
+`certificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`。
 
 <!--
 If a given certificate and private key pair exists before running `kubeadm init`,
@@ -57,7 +59,7 @@ CA into `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`,
 and kubeadm will use this CA for signing the rest of the certificates.
 -->
 如果在运行 `kubeadm init` 之前存在给定的证书和私钥对，kubeadm 将不会重写它们。
-例如，这意味着您可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt` 和
+例如，这意味着你可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt` 和
 `/etc/kubernetes/pki/ca.key` 中，而 kubeadm 将使用此 CA 对其余证书进行签名。
 
 <!--
@@ -66,7 +68,8 @@ and kubeadm will use this CA for signing the rest of the certificates.
 It is also possible to provide only the `ca.crt` file and not the
 `ca.key` file (this is only available for the root CA file, not other cert pairs).
 If all other certificates and kubeconfig files are in place, kubeadm recognizes
-this condition and activates the "External CA" mode. kubeadm will proceed without the CA key on disk.
+this condition and activates the "External CA" mode. kubeadm will proceed without the
+CA key on disk.
 -->
 
 ## 外部 CA 模式 {#external-ca-mode}
@@ -80,21 +83,21 @@ this condition and activates the "External CA" mode. kubeadm will proceed withou
 Instead, run the controller-manager standalone with `--controllers=csrsigner` and
 point to the CA certificate and key.
 -->
-否则, kubeadm 将独立运行 controller-manager，附加一个
+否则，kubeadm 将独立运行 controller-manager，附加一个
 `--controllers=csrsigner` 的参数，并且指明 CA 证书和密钥。
 
 <!--
 [PKI certificates and requirements](/docs/setup/best-practices/certificates/) includes guidance on
 setting up a cluster to use an external CA.
 -->
-[PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)包括集群使用外部 CA 的设置指南。
+[PKI 证书和要求](/zh-cn/docs/setup/best-practices/certificates/)包括集群使用外部 CA 的设置指南。
 
-<!-- 
-## Check certificate expiration 
+<!--
+## Check certificate expiration
 
 You can use the `check-expiration` subcommand to check when certificates expire:
 -->
-## 检查证书是否过期
+## 检查证书是否过期 {#check-certificate-expiration}
 
 你可以使用 `check-expiration` 子命令来检查证书何时过期
 
@@ -102,8 +105,8 @@ You can use the `check-expiration` subcommand to check when certificates expire:
 kubeadm certs check-expiration
 ```
 
-<!-- 
-The output is similar to this: 
+<!--
+The output is similar to this:
 -->
 输出类似于以下内容：
 
@@ -126,17 +129,17 @@ etcd-ca                 Dec 28, 2029 23:36 UTC   9y              no
 front-proxy-ca          Dec 28, 2029 23:36 UTC   9y              no
 ```
 
-<!-- 
-The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`). 
+<!--
+The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`).
 -->
-该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及 
-kubeadm（`admin.conf`, `controller-manager.conf` 和 `scheduler.conf`）
+该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及
+kubeadm（`admin.conf`、`controller-manager.conf` 和 `scheduler.conf`）
 使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。
 
-<!-- 
-Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools. 
+<!--
+Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools.
 -->
-另外， kubeadm 会通知用户证书是否由外部管理； 
+另外，kubeadm 会通知用户证书是否由外部管理；
 在这种情况下，用户应该小心的手动/使用其他工具来管理证书更新。
 
 <!--
@@ -146,7 +149,7 @@ Additionally, kubeadm informs the user if the certificate is externally managed;
 `kubeadm` 不能管理由外部 CA 签名的证书
 {{< /warning >}}
 
-<!-- 
+<!--
 `kubelet.conf` is not included in the list above because kubeadm configures kubelet
 for [automatic certificate renewal](/docs/tasks/tls/certificate-rotation/)
 with rotatable certificates under `/var/lib/kubelet/pki`.
@@ -155,10 +158,10 @@ To repair an expired kubelet client certificate see
 -->
 {{< note >}}
 上面的列表中没有包含 `kubelet.conf`，因为 kubeadm 将 kubelet 配置为
-[自动更新证书](/docs/tasks/tls/certificate-rotation/)。
+[自动更新证书](/zh-cn/docs/tasks/tls/certificate-rotation/)。
 轮换的证书位于目录 `/var/lib/kubelet/pki`。
 要修复过期的 kubelet 客户端证书，请参阅
-[kubelet 客户端证书轮换失败](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
+[kubelet 客户端证书轮换失败](/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
 {{< /note >}}
 
 <!--
@@ -180,35 +183,35 @@ client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
 ```
 {{< /warning >}}
 
-<!-- 
+<!--
 ## Automatic certificate renewal
 
-`kubeadm` renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-15/). 
+kubeadm renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
 -->
 
-## 自动更新证书
+## 自动更新证书 {#automatic-certificate-renewal}
 
-`kubeadm` 会在控制面
-[升级](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
+kubeadm 会在控制面
+[升级](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
 的时候更新所有证书。
 
-<!-- 
-This feature is designed for addressing the simplest use cases; 
-if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure. 
+<!--
+This feature is designed for addressing the simplest use cases;
+if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
 -->
 这个功能旨在解决最简单的用例；如果你对此类证书的更新没有特殊要求，
 并且定期执行 Kubernetes 版本升级（每次升级之间的间隔时间少于 1 年），
 则 kubeadm 将确保你的集群保持最新状态并保持合理的安全性。
 
-<!-- 
+<!--
 It is a best practice to upgrade your cluster frequently in order to stay secure.
 -->
 {{< note >}}
 最佳的做法是经常升级集群以确保安全。
 {{< /note >}}
 
-<!-- 
-If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`. 
+<!--
+If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`.
 -->
 如果你对证书更新有更复杂的需求，则可通过将 `--certificate-renewal=false` 传递给
 `kubeadm upgrade apply` 或者 `kubeadm upgrade node`，从而选择不采用默认行为。
@@ -224,16 +227,16 @@ kubeadm 在 1.17 版本之前有一个[缺陷](https://github.com/kubernetes/kub
 在这种情况下，你需要显式地设置 `--certificate-renewal=true`。
 {{< /warning >}}
 
-<!-- 
-## Manual certificate renewal 
+<!--
+## Manual certificate renewal
 
-You can renew your certificates manually at any time with the `kubeadm certs renew` command. 
+You can renew your certificates manually at any time with the `kubeadm certs renew` command.
 -->
-## 手动更新证书
+## 手动更新证书 {#manual-certificate-renewal}
 
 你能随时通过 `kubeadm certs renew` 命令手动更新你的证书。
 
-<!-- 
+<!--
 This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.
 
 After running the command you should restart the control plane Pods. This is required since
@@ -246,44 +249,43 @@ The kubelet will terminate the Pod if it's no longer in the manifest directory.
 You can then move the file back and after another `fileCheckFrequency` period, the kubelet will recreate
 the Pod and the certificate renewal for the component can complete.
 -->
-此命令用 CA （或者 front-proxy-CA ）证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
+此命令用 CA（或者 front-proxy-CA ）证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
 
 执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持，所有这项操作是必须的。
-[静态 Pods](/zh/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet 而不是 API Server 管理，
+[静态 Pods](/zh-cn/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet 而不是 API Server 管理，
 所以 kubectl 不能用来删除或重启他们。
 要重启静态 Pod 你可以临时将清单文件从 `/etc/kubernetes/manifests/` 移除并等待 20 秒
-（参考 [KubeletConfiguration 结构](/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值）。
-如果 Pod 不在清单目录里，kubelet将会终止它。
+（参考 [KubeletConfiguration 结构](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值）。
+如果 Pod 不在清单目录里，kubelet 将会终止它。
 在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去，为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。
 
-<!-- 
-If you are running an HA cluster, this command needs to be executed on all the control-plane nodes. 
+<!--
+If you are running an HA cluster, this command needs to be executed on all the control-plane nodes.
 -->
 {{< warning >}}
 如果你运行了一个 HA 集群，这个命令需要在所有控制面板节点上执行。
 {{< /warning >}}
 
-<!-- 
-` certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
+<!--
+`certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
 -->
 {{< note >}}
-`certs renew` 使用现有的证书作为属性 (Common Name、Organization、SAN 等) 的权威来源，
-而不是 kubeadm-config ConfigMap 。强烈建议使它们保持同步。
+`certs renew` 使用现有的证书作为属性（Common Name、Organization、SAN 等）的权威来源，
+而不是 kubeadm-config ConfigMap。强烈建议使它们保持同步。
 {{< /note >}}
 
 <!--
 `kubeadm certs renew` provides the following options:
 -->
-`kubeadm certs renew`提供以下选项：
+`kubeadm certs renew` 提供以下选项：
 
 <!--
 The Kubernetes certificates normally reach their expiration date after one year.
 -->
 Kubernetes 证书通常在一年后到期。
 
-<!-- 
-
-- `--csr-only` can be used to renew certificats with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information. 
+<!--
+- `--csr-only` can be used to renew certificates with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information.
 - It's also possible to renew a single certificate instead of all.
  -->
 
@@ -294,14 +296,14 @@ Kubernetes 证书通常在一年后到期。
 <!--
 ## Renew certificates with the Kubernetes certificates API
 
-This section provide more details about how to execute manual certificate renewal using the Kubernetes certificates API.
+This section provides more details about how to execute manual certificate renewal using the Kubernetes certificates API.
 -->
-## 用 Kubernetes 证书 API 更新证书
+## 用 Kubernetes 证书 API 更新证书 {#renew-certificates-with-the-kubernetes-certificates-api}
 
 本节提供有关如何使用 Kubernetes 证书 API 执行手动证书更新的更多详细信息。
 
-<!-- 
-These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead. 
+<!--
+These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead.
 -->
 {{< caution >}}
 这些是针对需要将其组织的证书基础结构集成到 kubeadm 构建的集群中的用户的高级主题。
@@ -312,27 +314,24 @@ These are advanced topics for users who need to integrate their organization's c
 ### Set up a signer
 
 The Kubernetes Certificate Authority does not work out of the box.
-You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the build-in signer.
+You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the built-in signer.
 The built-in signer is part of [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/).
-To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
+To activate the built-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
 -->
 
-### 设置一个签名者（Signer）
+### 设置一个签名者（Signer） {#set-up-a-signer}
 
-Kubernetes 证书颁发机构不是开箱即用。
-你可以配置外部签名者，例如
-[cert-manager](https://cert-manager.io/docs/configuration/ca/)，
+Kubernetes 证书颁发机构不是开箱即用。你可以配置外部签名者，例如 [cert-manager](https://cert-manager.io/docs/configuration/ca/)，
 也可以使用内置签名者。
 内置签名者是
-[`kube-controller-manager`](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/)
-的一部分。
+[`kube-controller-manager`](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/) 的一部分。
 要激活内置签名者，请传递 `--cluster-signing-cert-file` 和 `--cluster-signing-key-file` 参数。
 
 <!--
-If you're creating a new cluster, you can use a kubeadm [configuration file](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3): 
+If you're creating a new cluster, you can use a kubeadm [configuration file](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3):
 -->
 如果你正在创建一个新的集群，你可以使用 kubeadm 的
-[配置文件](/docs/reference/config-api/kubeadm-config.v1beta3/)。
+[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
 
 ```yaml
 apiVersion: kubeadm.k8s.io/v1beta3
@@ -343,23 +342,23 @@ controllerManager:
     cluster-signing-key-file: /etc/kubernetes/pki/ca.key
 ```
 
-<!-- 
+<!--
 ### Create certificate signing requests (CSR)
 -->
-### 创建证书签名请求 (CSR)
+### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr}
 
 <!--
 See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest) for creating CSRs with the Kubernetes API.
 -->
 有关使用 Kubernetes API 创建 CSR 的信息，
-请参见[创建 CertificateSigningRequest](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest)。
+请参见[创建 CertificateSigningRequest](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest)。
 
 <!--
 ## Renew certificates with external CA
 
-This section provides more details about how to execute manual certificate renewal using an external CA.
+This section provide more details about how to execute manual certificate renewal using an external CA.
 -->
-## 通过外部 CA 更新证书
+## 通过外部 CA 更新证书 {#renew-certificates-with-external-ca}
 
 本节提供有关如何使用外部 CA 执行手动更新证书的更多详细信息。
 
@@ -372,8 +371,8 @@ In kubeadm terms, any certificate that would normally be signed by an on-disk CA
 CSR 表示向 CA 请求客户的签名证书。
 在 kubeadm 术语中，通常由磁盘 CA 签名的任何证书都可以作为 CSR 生成。但是，CA 不能作为 CSR 生成。
 
-<!-- 
-### Create certificate signing requests (CSR) 
+<!--
+### Create certificate signing requests (CSR)
 
 You can create certificate signing requests with `kubeadm certs renew --csr-only`.
 
@@ -381,13 +380,13 @@ Both the CSR and the accompanying private key are given in the output.
 You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
 If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
 -->
-### 创建证书签名请求 (CSR)
+### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr-1}
 
 你可以通过 `kubeadm certs renew --csr-only` 命令创建证书签名请求。
 
 CSR 和随附的私钥都在输出中给出。
-你可以传入一个带有 `--csr-dir` 的目录，将 CRS 输出到指定位置。
-如果未指定 `--csr-dir` ，则使用默认证书目录（`/etc/kubernetes/pki`）。
+你可以传入一个带有 `--csr-dir` 的目录，将 CSR 输出到指定位置。
+如果未指定 `--csr-dir`，则使用默认证书目录（`/etc/kubernetes/pki`）。
 
 <!--
 Certificates can be renewed with `kubeadm certs renew --csr-only`.
@@ -404,9 +403,9 @@ It is the responsibility of the CA to specify [the correct cert usages](/docs/se
 when issuing a certificate.
 -->
 CSR 中包含一个证书的名字，域和 IP，但是未指定用法。
-颁发证书时，CA 有责任指定[正确的证书用法](/zh/docs/setup/best-practices/certificates/#all-certificates)
+颁发证书时，CA 有责任指定[正确的证书用法](/zh-cn/docs/setup/best-practices/certificates/#all-certificates)
 
-<!-- 
+<!--
 * In `openssl` this is done with the
   [`openssl ca` command](https://superuser.com/questions/738612/openssl-ca-keyusage-extension).
 * In `cfssl` you specify
@@ -419,8 +418,8 @@ CSR 中包含一个证书的名字，域和 IP，但是未指定用法。
   [在配置文件中指定用法](https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L170)
   来完成的。
 
-<!-- 
-After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`). 
+<!--
+After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`).
 -->
 使用首选方法对证书签名后，必须将证书和私钥复制到 PKI 目录（默认为 `/etc/kubernetes/pki` ）。
 
@@ -431,12 +430,12 @@ Kubeadm does not support rotation or replacement of CA certificates out of the b
 
 For more information about manual rotation or replacement of CA, see [manual rotation of CA certificates](/docs/tasks/tls/manual-rotation-of-ca-certificates/).
 -->
-## 证书机构（CA）轮换     {#certificate-authority-rotation}
+## 证书机构（CA）轮换 {#certificate-authority-rotation}
 
 kubeadm 并不直接支持对 CA 证书的轮换或者替换。
 
 关于手动轮换或者置换 CA 的更多信息，可参阅
-[手动轮换 CA 证书](/zh/docs/tasks/tls/manual-rotation-of-ca-certificates/)。
+[手动轮换 CA 证书](/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates/)。
 
 <!--
 ## Enabling signed kubelet serving certificates {#kubelet-serving-certs}
@@ -449,9 +448,9 @@ kubelet cannot be secured with TLS.
 To configure the kubelets in a new kubeadm cluster to obtain properly signed serving
 certificates you must pass the following minimal configuration to `kubeadm init`:
 -->
-## 启用已签名的 kubelet 服务证书   {#kubelet-serving-certs}
+## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
 
-默认情况下，kubeadm 所部署的 kubelet 服务证书是自签名（Self-Signed））。
+默认情况下，kubeadm 所部署的 kubelet 服务证书是自签名（Self-Signed）。
 这意味着从 [metrics-server](https://github.com/kubernetes-sigs/metrics-server)
 这类外部服务发起向 kubelet 的链接时无法使用 TLS 来完成保护。
 
@@ -469,7 +468,7 @@ serverTLSBootstrap: true
 
 <!--
 If you have already created the cluster you must adapt it by doing the following:
- - Find and edit the `kubelet-config-{{< skew latestVersion >}}` ConfigMap in the `kube-system` namespace.
+ - Find and edit the `kubelet-config-{{< skew currentVersion>}}` ConfigMap in the `kube-system` namespace.
 In that ConfigMap, the `kubelet` key has a
 [KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
 document as its value. Edit the KubeletConfiguration document to set `serverTLSBootstrap: true`.
@@ -478,10 +477,10 @@ and restart the kubelet with `systemctl restart kubelet`
 -->
 如果你已经创建了集群，你必须通过执行下面的操作来完成适配：
 
-- 找到 `kube-system` 名字空间中名为 `kubelet-config-{{< skew latestVersion >}}`
+- 找到 `kube-system` 名字空间中名为 `kubelet-config-{{< skew currentVersion>}}`
   的 ConfigMap 并编辑之。
   在该 ConfigMap 中，`kubelet` 键下面有一个
-  [KubeletConfiguration](/zh/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+  [KubeletConfiguration](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
   文档作为其取值。编辑该 KubeletConfiguration 文档以设置
   `serverTLSBootstrap: true`。
 - 在每个节点上，在 `/var/lib/kubelet/config.yaml` 文件中添加
@@ -501,8 +500,8 @@ These CSRs can be viewed using:
 字段 `serverTLSBootstrap` 将允许启动引导 kubelet 的服务证书，方式
 是从 `certificates.k8s.io` API 处读取。这种方式的一种局限在于这些
 证书的 CSR（证书签名请求）不能被 kube-controller-manager 中默认的
-签名组件 
-[`kubernetes.io/kubelet-serving`](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)
+签名组件
+[`kubernetes.io/kubelet-serving`](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)
 批准。需要用户或者第三方控制器来执行此操作。
 
 可以使用下面的命令来查看 CSR：
@@ -531,14 +530,14 @@ By default, these serving certificate will expire after one year. Kubeadm sets t
 `KubeletConfiguration` field `rotateCertificates` to `true`, which means that close
 to expiration a new set of CSRs for the serving certificates will be created and must
 be approved to complete the rotation. To understand more see
-[Certificate Rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation).
+[Certificate Rotation](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation).
 -->
-默认情况下，这些服务证书上会在一年后过期。
+默认情况下，这些服务证书会在一年后过期。
 kubeadm 将 `KubeletConfiguration` 的 `rotateCertificates` 字段设置为
 `true`；这意味着证书快要过期时，会生成一组针对服务证书的新的 CSR，而
 这些 CSR 也要被批准才能完成证书轮换。
 要进一步了解这里的细节，可参阅
-[证书轮换](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation)
+[证书轮换](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation)
 文档。
 
 <!--
@@ -554,7 +553,7 @@ the node identity with an out of band mechanism.
 
 <!--
 Third party custom controllers can be used:
-- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
+- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
 
 Such a controller is not a secure mechanism unless it not only verifies the CommonName
 in the CSR but also verifies the requested IPs and domain names. This would prevent
@@ -563,10 +562,87 @@ CSRs requesting serving certificates for any IP or domain name.
 -->
 也可以使用第三方定制的控制器：
 
-- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
+- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
 
 除非既能够验证 CSR 中的 CommonName，也能检查请求的 IP 和域名，
 这类控制器还算不得安全的机制。
 只有完成彻底的检查，才有可能避免有恶意的、能够访问 kubelet 客户端证书的第三方
 为任何 IP 或域名请求服务证书。
 
+<!--
+## Generating kubeconfig files for additional users {#kubeconfig-additional-users}
+-->
+## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
+
+<!--
+During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
+`Subject: O = system:masters, CN = kubernetes-admin`.
+[`system:masters`](/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+is a break-glass, super user group that bypasses the authorization layer (e.g. RBAC).
+Sharing the `admin.conf` with additional users is **not recommended**!
+-->
+在集群创建过程中，kubeadm 对 `admin.conf` 中的证书进行签名时，将其配置为
+`Subject: O = system:masters, CN = kubernetes-admin`。
+[`system:masters`](/zh-cn/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+是一个例外的超级用户组，可以绕过鉴权层（例如 RBAC）。
+强烈建议不要将 `admin.conf` 文件与任何人共享。
+
+<!--
+Instead, you can use the [`kubeadm kubeconfig user`](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
+command to generate kubeconfig files for additional users.
+The command accepts a mixture of command line flags and
+[kubeadm configuration](/docs/reference/config-api/kubeadm-config.v1beta3/) options.
+The generated kubeconfig will be written to stdout and can be piped to a file
+using `kubeadm kubeconfig user ... > somefile.conf`.
+-->
+你要使用 [`kubeadm kubeconfig user`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
+命令为其他用户生成 kubeconfig 文件，这个命令支持命令行参数和
+[kubeadm 配置结构](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
+以上命令会将 kubeconfig 打印到终端上，也可以使用 `kubeadm kubeconfig user ... > somefile.conf`
+输出到一个文件中。
+
+<!--
+Example configuration file that can be used with `--config`:
+-->
+如下 kubeadm 可以在 `--config` 后加的配置文件示例：
+
+```yaml
+# example.yaml
+apiVersion: kubeadm.k8s.io/v1beta3
+kind: ClusterConfiguration
+# kubernetes 将作为 kubeconfig 中集群名称
+clusterName: "kubernetes"
+# some-dns-address:6443 将作为集群 kubeconfig 文件中服务地址（IP 或者 DNS 名称）
+controlPlaneEndpoint: "some-dns-address:6443"
+# 从本地挂载集群的 CA 秘钥和 CA 证书
+certificatesDir: "/etc/kubernetes/pki"
+```
+
+<!--
+Make sure that these settings match the desired target cluster settings.
+To see the settings of an existing cluster use:
+-->
+确保这些设置与所需的目标集群设置相匹配。可以使用以下命令查看现有集群的设置：
+
+```shell
+kubectl get cm kubeadm-config -n kube-system -o=jsonpath="{.data.ClusterConfiguration}"
+```
+
+<!--
+The following example will generate a kubeconfig file with credentials valid for 24 hours
+for a new user `johndoe` that is part of the `appdevs` group:
+-->
+以下示例将为在 `appdevs` 组的 `johndoe` 用户创建一个有效期为 24 小时的 kubeconfig 文件：
+
+```shell
+kubeadm kubeconfig user --config example.yaml --org appdevs --client-name johndoe --validity-period 24h
+```
+
+<!--
+The following example will generate a kubeconfig file with administrator credentials valid for 1 week:
+-->
+以下示例将为管理员创建一个有效期有一周的 kubeconfig 文件：
+
+```shell
+kubeadm kubeconfig user --config example.yaml --client-name admin --validity-period 168h
+```
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure.md
index a9af9c080cc67..0b757039ecb4b 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure.md
@@ -19,7 +19,7 @@ by using a custom [operator](/docs/concepts/extend-kubernetes/operator/).
 -->
 kubeadm 不支持自动重新配置部署在托管节点上的组件的方式。 
 一种自动化的方法是使用自定义的 
-[operator](/zh/docs/concepts/extend-kubernetes/operator/)。
+[operator](/zh-cn/docs/concepts/extend-kubernetes/operator/)。
 
 <!--
 To modify the components configuration you must manually edit associated cluster
@@ -114,7 +114,7 @@ The configuration is located under the `data.ClusterConfiguration` key.
 #### 更新 `ClusterConfiguration`
 
 在集群创建和升级期间，kubeadm 将其
-[`ClusterConfiguration`](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)
+[`ClusterConfiguration`](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)
 写入 `kube-system` 命名空间中名为 `kubeadm-config` 的 ConfigMap。
 
 要更改 `ClusterConfiguration` 中的特定选项，你可以使用以下命令编辑 ConfigMap：
@@ -219,7 +219,7 @@ The configuration is located under the `data.kubelet` key.
 #### 更新 `KubeletConfiguration`
 
 在集群创建和升级期间，kubeadm 将其 
-[`KubeletConfiguration`](/zh/docs/reference/config-api/kubelet-config.v1beta1/) 
+[`KubeletConfiguration`](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/) 
 写入 `kube-system` 命名空间中名为 `kubelet-config` 的 ConfigMap。
 你可以使用以下命令编辑 ConfigMap：
 
@@ -291,7 +291,7 @@ The configuration is located under the `data.config.conf` key.
 #### 更新 `KubeProxyConfiguration`
 
 在集群创建和升级期间，kubeadm 将其写入
-[`KubeProxyConfiguration`](/zh/docs/reference/config-api/kube-proxy-config.v1alpha1/) 
+[`KubeProxyConfiguration`](/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1/) 
 在名为 `kube-proxy` 的 `kube-system` 命名空间中的 ConfigMap 中。
 
 此 ConfigMap 由 `kube-system` 命名空间中的 `kube-proxy` DaemonSet 使用。
@@ -440,7 +440,7 @@ and apply it to the Node object:
 -->
 在 `kubeadm upgrade` 期间，此类节点的内容可能会被覆盖。
 如果你想在升级后保留对 Node 对象的修改，你可以准备一个
-[kubectl patch](/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)
+[kubectl patch](/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/)
 并将其应用到 Node 对象：
 
 ```shell
@@ -464,7 +464,7 @@ the set of node specific patches must be updated accordingly.
 
 控制平面配置的主要来源是存储在集群中的 `ClusterConfiguration` 对象。
 要扩展静态 Pod 清单配置，可以使用 
-[patches](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#patches)。
+[patches](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#patches)。
 
 这些补丁文件必须作为文件保留在控制平面节点上，以确保它们可以被 
 `kubeadm upgrade ... --patches <directory>` 使用。
@@ -504,6 +504,6 @@ kubelet 标志会覆盖相关的 `KubeletConfiguration` 选项，但请注意，
 - [Certificate management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)
 -->
 
-- [升级 kubeadm 集群](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade)
-- [使用 kubeadm API 自定义组件](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags)
-- [使用 kubeadm 管理证书](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)
\ No newline at end of file
+- [升级 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade)
+- [使用 kubeadm API 自定义组件](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags)
+- [使用 kubeadm 管理证书](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)
\ No newline at end of file
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
similarity index 81%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
index 9704cf37601ff..64cf1c8acf64d 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
@@ -9,7 +9,6 @@ reviewers:
 title: Upgrading kubeadm clusters
 content_type: task
 weight: 20
-min-kubernetes-server-version: 1.18
 -->
 
 <!-- overview -->
@@ -44,13 +43,14 @@ please refer to following pages instead:
 
 <!--
 The upgrade workflow at high level is the following:
+-->
+升级工作的基本流程如下：
 
+<!--
 1. Upgrade a primary control plane node.
 1. Upgrade additional control plane nodes.
 1. Upgrade worker nodes.
 -->
-升级工作的基本流程如下：
-
 1. 升级主控制平面节点
 1. 升级其他控制平面节点
 1. 升级工作节点
@@ -58,12 +58,13 @@ The upgrade workflow at high level is the following:
 ## {{% heading "prerequisites" %}}
 
 <!--
-- Make sure you read the [release notes]({{< latest-release-notes >}}) carefully.
+- Make sure you read the [release notes](https://git.k8s.io/kubernetes/CHANGELOG) carefully.
 - The cluster should use a static control plane and etcd pods or external etcd.
 - Make sure to back up any important components, such as app-level state stored in a database.
   `kubeadm upgrade` does not touch your workloads, only components internal to Kubernetes, but backups are always a best practice.
+- [Swap must be disabled](https://serverfault.com/questions/684771/best-way-to-disable-swap-in-linux).
 -->
-- 务必仔细认真阅读[发行说明]({{< latest-release-notes >}})。
+- 务必仔细认真阅读[发行说明](https://git.k8s.io/kubernetes/CHANGELOG)。
 - 集群应使用静态的控制平面和 etcd Pod 或者外部 etcd。
 - 务必备份所有重要组件，例如存储在数据库中应用层面的状态。
   `kubeadm upgrade` 不会影响你的工作负载，只会涉及 Kubernetes 内部的组件，但备份终究是好的。
@@ -71,7 +72,10 @@ The upgrade workflow at high level is the following:
 
 <!--
 ### Additional information
+-->
+### 附加信息   {#additional-information}
 
+<!--
 - The instructions below outline when to drain each node during the upgrade process.
 If you are performing a **minor** version upgrade for any kubelet, you **must**
 first drain the node (or nodes) that you are upgrading. In the case of control plane nodes,
@@ -79,109 +83,100 @@ they could be running CoreDNS Pods or other critical workloads. For more informa
 [Draining nodes](/docs/tasks/administer-cluster/safely-drain-node/).
 - All containers are restarted after upgrade, because the container spec hash value is changed.
 -->
-
-### 附加信息
-
 - 下述说明了在升级过程中何时腾空每个节点。如果你正在对任何 kubelet 进行小版本升级，
   你需要先腾空待升级的节点（或多个节点）。对于控制面节点，其上可能运行着 CoreDNS Pods
-  或者其它非常重要的负载。更多信息见[腾空节点](/zh/docs/tasks/administer-cluster/safely-drain-node/)。
+  或者其它非常重要的负载。更多信息见[腾空节点](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)。
 - 升级后，因为容器规约的哈希值已更改，所有容器都会被重新启动。
 
 <!--
 - To verify that the kubelet service has successfully restarted after the kubelet has been upgraded,
-you can execute `systemctl status kubelet`  or view the service logs with `journalctl -xeu kubelet`.
+you can execute `systemctl status kubelet` or view the service logs with `journalctl -xeu kubelet`.
 - Usage of the `--config` flag of `kubeadm upgrade` with
 [kubeadm configuration API types](/docs/reference/config-api/kubeadm-config.v1beta3)
 with the purpose of reconfiguring the cluster is not recommended and can have unexpected results. Follow the steps in
 [Reconfiguring a kubeadm cluster](/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure) instead.
 -->
-
 - 要验证 kubelet 服务在升级后是否成功重启，可以执行 `systemctl status kubelet`
   或 `journalctl -xeu kubelet` 查看服务日志。
-- 不建议使用 `kubeadm upgrade` 的 `--config 参数和 [kubeadm 配置 API 类型](/zh/docs/reference/config-api/kubeadm-config.v1beta3)
-  来重新配置集群，这样会产生意想不到的结果。请按照[重新配置 kubeadm 集群](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure)
+- 不建议使用 `kubeadm upgrade` 的 `--config` 参数和 [kubeadm 配置 API 类型](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3)
+  来重新配置集群，这样会产生意想不到的结果。请按照[重新配置 kubeadm 集群](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure)
   中的步骤来进行。
 
 <!-- steps -->
 
 <!--
 ## Determine which version to upgrade to
+-->
+## 确定要升级到哪个版本   {#determine-which-version-to-upgrade-to}
 
+<!--
 Find the latest patch release for Kubernetes {{< skew currentVersion >}} using the OS package manager:
 -->
-## 确定要升级到哪个版本
-
 使用操作系统的包管理器找到最新的补丁版本 Kubernetes {{< skew currentVersion >}}：
 
 {{< tabs name="k8s_install_versions" >}}
 {{% tab name="Ubuntu、Debian 或 HypriotOS" %}}
-
 ```shell
 apt update
 apt-cache madison kubeadm
 # 在列表中查找最新的 {{< skew currentVersion >}} 版本
 # 它看起来应该是 {{< skew currentVersion >}}.x-00，其中 x 是最新的补丁版本
 ```
-
 {{% /tab %}}
 {{% tab name="CentOS、RHEL 或 Fedora" %}}
-
 ```shell
 yum list --showduplicates kubeadm --disableexcludes=kubernetes
 # 在列表中查找最新的 {{< skew currentVersion >}} 版本
 # 它看起来应该是 {{< skew currentVersion >}}.x-0，其中 x 是最新的补丁版本
 ```
-
 {{% /tab %}}
 {{< /tabs >}}
 
 <!--
-## Upgrade the control plane node
+## Upgrading control plane nodes
+-->
+## 升级控制平面节点  {#upgrading-control-plane-nodes}
 
+<!--
 The upgrade procedure on control plane nodes should be executed one node at a time.
 Pick a control plane node that you wish to upgrade first. It must have the `/etc/kubernetes/admin.conf` file.
-
-### Call "kubeadm upgrade"
 -->
-## 升级控制平面节点
-
 控制面节点上的升级过程应该每次处理一个节点。
 首先选择一个要先行升级的控制面节点。该节点上必须拥有
 `/etc/kubernetes/admin.conf` 文件。
 
-### 执行 "kubeadm upgrade"
-
 <!--
-**Upgrade the first control plane node**
+### Call "kubeadm upgrade"
 -->
+### 执行 “kubeadm upgrade”   {#call-kubeadm-upgrade}
 
-**升级第一个控制面节点**
+<!--
+**For the first control plane node**
+-->
+**对于第一个控制面节点**
 
 <!--
 - Upgrade kubeadm:
 -->
 - 升级 kubeadm：
 
-{{< tabs name="k8s_install_kubeadm_first_cp" >}}
-{{% tab name="Ubuntu、Debian 或 HypriotOS" %}}
-
-```shell
-# 用最新的补丁版本号替换 {{< skew currentVersion >}}.x-00 中的 x
-apt-mark unhold kubeadm && \
-apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
-apt-mark hold kubeadm
--
-
-{{% /tab %}}
-{{% tab name="CentOS、RHEL 或 Fedora" %}}
-```shell
-# 用最新的补丁版本号替换 {{< skew currentVersion >}}.x-0 中的 x
-yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
-```
-
-{{% /tab %}}
-{{< /tabs >}}
-<br />
+  {{< tabs name="k8s_install_kubeadm_first_cp" >}}
+  {{% tab name="Ubuntu、Debian 或 HypriotOS" %}}
+  ```shell
+  # 用最新的补丁版本号替换 {{< skew currentVersion >}}.x-00 中的 x
+  apt-mark unhold kubeadm && \
+  apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
+  apt-mark hold kubeadm
+  ```
+  {{% /tab %}}
+  {{% tab name="CentOS、RHEL 或 Fedora" %}}
+  ```shell
+  # 用最新的补丁版本号替换 {{< skew currentVersion >}}.x-0 中的 x
+  yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
+  ```
+  {{% /tab %}}
+  {{< /tabs >}}
+  <br />
 
 <!--
 - Verify that the download works and has the expected version:
@@ -216,7 +211,7 @@ yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kuberne
   -->
   `kubeadm upgrade` 也会自动对 kubeadm 在节点上所管理的证书执行续约操作。
   如果需要略过证书续约操作，可以使用标志 `--certificate-renewal=false`。
-  更多的信息，可参阅[证书管理指南](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
+  更多的信息，可参阅[证书管理指南](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
   {{</ note >}}
 
   {{< note >}}
@@ -232,14 +227,15 @@ yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kuberne
 
 <!--
 - Choose a version to upgrade to, and run the appropriate command. For example:
+-->
+- 选择要升级到的目标版本，运行合适的命令。例如：
 
+  <!--
   ```shell
   # replace x with the patch version you picked for this upgrade
   sudo kubeadm upgrade apply v{{< skew currentVersion >}}.x
   ```
--->
-选择要升级到的目标版本，运行合适的命令。例如：
-
+  -->
   ```shell
   # 将 x 替换为你为此次升级所选择的补丁版本号
   sudo kubeadm upgrade apply v{{< skew currentVersion >}}.x
@@ -258,19 +254,21 @@ yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kuberne
 
 <!--
 - Manually upgrade your CNI provider plugin.
+-->
+- 手动升级你的 CNI 驱动插件。
 
+  <!--
   Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow.
   Check the [addons](/docs/concepts/cluster-administration/addons/) page to
   find your CNI provider and see whether additional upgrade steps are required.
-
-  This step is not required on additional control plane nodes if the CNI provider runs as a DaemonSet.
--->
-- 手动升级你的 CNI 驱动插件。
-
+  -->
   你的容器网络接口（CNI）驱动应该提供了程序自身的升级说明。
-  参阅[插件](/zh/docs/concepts/cluster-administration/addons/)页面查找你的 CNI 驱动，
+  参阅[插件](/zh-cn/docs/concepts/cluster-administration/addons/)页面查找你的 CNI 驱动，
   并查看是否需要其他升级步骤。
 
+  <!--
+  This step is not required on additional control plane nodes if the CNI provider runs as a DaemonSet.
+  -->
   如果 CNI 驱动作为 DaemonSet 运行，则在其他控制平面节点上不需要此步骤。
 
 <!--
@@ -303,18 +301,20 @@ Also calling `kubeadm upgrade plan` and upgrading the CNI provider plugin is no
 
 <!--
 ### Drain the node
-
--  Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
-
-    ```shell
-    # replace <node-to-drain> with the name of your node you are draining
-    kubectl drain <node-to-drain> --ignore-daemonsets
-    ```
 -->
-### 腾空节点
+### 腾空节点   {#drain-the-node}
 
+<!--
+- Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
+-->
 - 通过将节点标记为不可调度并腾空节点为节点作升级准备：
 
+  <!--
+  ```shell
+  # replace <node-to-drain> with the name of your node you are draining
+  kubectl drain <node-to-drain> --ignore-daemonsets
+  ```
+  -->
   ```shell
   # 将 <node-to-drain> 替换为你要腾空的控制面节点名称
   kubectl drain <node-to-drain> --ignore-daemonsets
@@ -322,39 +322,36 @@ Also calling `kubeadm upgrade plan` and upgrading the CNI provider plugin is no
 
 <!--
 ### Upgrade kubelet and kubectl
-
--  Upgrade the kubelet and kubectl:
 -->
-### 升级 kubelet 和 kubectl
+### 升级 kubelet 和 kubectl   {#upgrade-kubelet-and-kubectl}
 
+<!--
+- Upgrade the kubelet and kubectl:
+-->
 - 升级 kubelet 和 kubectl：
 
   {{< tabs name="k8s_install_kubelet" >}}
   {{% tab name="Ubuntu、Debian 或 HypriotOS" %}}
-
-    ```shell
-    # 用最新的补丁版本替换 {{< skew currentVersion >}}.x-00 中的 x
-    apt-mark unhold kubelet kubectl && \
-    apt-get update && apt-get install -y kubelet={{< skew currentVersion >}}.x-00 kubectl={{< skew currentVersion >}}.x-00 && \
-    apt-mark hold kubelet kubectl
-    ```
-
+  ```shell
+  # 用最新的补丁版本替换 {{< skew currentVersion >}}.x-00 中的 x
+  apt-mark unhold kubelet kubectl && \
+  apt-get update && apt-get install -y kubelet={{< skew currentVersion >}}.x-00 kubectl={{< skew currentVersion >}}.x-00 && \
+  apt-mark hold kubelet kubectl
+  ```
   {{% /tab %}}
   {{% tab name="CentOS、RHEL 或 Fedora" %}}
-
-    ```shell
-    # 用最新的补丁版本号替换 {{< skew currentVersion >}}.x-00 中的 x
-    yum install -y kubelet-{{< skew currentVersion >}}.x-0 kubectl-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
-    ```
-
+  ```shell
+  # 用最新的补丁版本号替换 {{< skew currentVersion >}}.x-00 中的 x
+  yum install -y kubelet-{{< skew currentVersion >}}.x-0 kubectl-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
+  ```
   {{% /tab %}}
   {{< /tabs >}}
-<br />
+  <br />
 
 <!--
-- Restart the kubelet
+- Restart the kubelet:
 -->
-- 重启 kubelet
+- 重启 kubelet：
 
   ```shell
   sudo systemctl daemon-reload
@@ -363,18 +360,20 @@ Also calling `kubeadm upgrade plan` and upgrading the CNI provider plugin is no
 
 <!--
 ### Uncordon the node
+-->
+### 解除节点的保护   {#uncordon-the-node}
 
+<!--
 - Bring the node back online by marking it schedulable:
+-->
+- 通过将节点标记为可调度，让其重新上线：
 
+  <!--
   ```shell
   # replace <node-to-drain> with the name of your node
   kubectl uncordon <node-to-drain>
-
--->
-### 解除节点的保护
-
-- 通过将节点标记为可调度，让其重新上线：
-
+  ```
+  -->
   ```shell
   # 将 <node-to-drain> 替换为你的节点名称
   kubectl uncordon <node-to-drain>
@@ -382,19 +381,20 @@ Also calling `kubeadm upgrade plan` and upgrading the CNI provider plugin is no
 
 <!--
 ## Upgrade worker nodes
+-->
+## 升级工作节点   {#upgrade-worker-nodes}
 
+<!--
 The upgrade procedure on worker nodes should be executed one node at a time or few nodes at a time,
 without compromising the minimum required capacity for running your workloads.
 -->
-## 升级工作节点
-
 工作节点上的升级过程应该一次执行一个节点，或者一次执行几个节点，
 以不影响运行工作负载所需的最小容量。
 
 <!--
 ### Upgrade kubeadm
 -->
-### 升级 kubeadm
+### 升级 kubeadm   {#upgrade-kubeadm}
 
 <!--
 - Upgrade kubeadm:
@@ -403,32 +403,29 @@ without compromising the minimum required capacity for running your workloads.
 
   {{< tabs name="k8s_install_kubeadm_worker_nodes" >}}
   {{% tab name="Ubuntu、Debian 或 HypriotOS" %}}
-
   ```shell
   # 将 {{< skew currentVersion >}}.x-00 中的 x 替换为最新的补丁版本号
   apt-mark unhold kubeadm && \
   apt-get update && apt-get install -y kubeadm={{< skew currentVersion >}}.x-00 && \
   apt-mark hold kubeadm
   ```
-
   {{% /tab %}}
   {{% tab name="CentOS、RHEL 或 Fedora" %}}
-
   ```shell
   # 用最新的补丁版本替换 {{< skew currentVersion >}}.x-00 中的 x
   yum install -y kubeadm-{{< skew currentVersion >}}.x-0 --disableexcludes=kubernetes
   ```
-
   {{% /tab %}}
   {{< /tabs >}}
 
 <!--
 ### Call "kubeadm upgrade"
-
--  For worker nodes this upgrades the local kubelet configuration:
 -->
-### 执行 "kubeadm upgrade"
+### 执行 "kubeadm upgrade"   {#call-kubeadm-upgrade-1}
 
+<!--
+- For worker nodes this upgrades the local kubelet configuration:
+-->
 - 对于工作节点，下面的命令会升级本地的 kubelet 配置：
 
   ```shell
@@ -437,18 +434,20 @@ without compromising the minimum required capacity for running your workloads.
 
 <!--
 ### Drain the node
+-->
+### 腾空节点   {#drain-the-node-1}
 
+<!--
 - Prepare the node for maintenance by marking it unschedulable and evicting the workloads:
+-->
+- 将节点标记为不可调度并驱逐所有负载，准备节点的维护：
 
+  <!--
   ```shell
   # replace <node-to-drain> with the name of your node you are draining
   kubectl drain <node-to-drain> --ignore-daemonsets
   ```
--->
-### 腾空节点
-
-- 将节点标记为不可调度并驱逐所有负载，准备节点的维护：
-
+  -->
   ```shell
   # 将 <node-to-drain> 替换为你正在腾空的节点的名称
   kubectl drain <node-to-drain> --ignore-daemonsets
@@ -457,10 +456,10 @@ without compromising the minimum required capacity for running your workloads.
 <!--
 ### Upgrade kubelet and kubectl
 -->
-### 升级 kubelet 和 kubectl
+### 升级 kubelet 和 kubectl   {#upgrade-kubelet-and-kubectl-1}
 
 <!--
--  Upgrade the kubelet and kubectl:
+- Upgrade the kubelet and kubectl:
 -->
 - 升级 kubelet 和 kubectl：
 
@@ -484,36 +483,34 @@ without compromising the minimum required capacity for running your workloads.
 
   {{% /tab %}}
   {{< /tabs >}}
+  <br />
 
 <!--
-- Restart the kubelet
-
-    ```shell
-    sudo systemctl daemon-reload
-    sudo systemctl restart kubelet
-    ```
+- Restart the kubelet:
 -->
-- 重启 kubelet
+- 重启 kubelet：
 
   ```shell
   sudo systemctl daemon-reload
   sudo systemctl restart kubelet
   ```
+
 <!--
 ### Uncordon the node
 -->
-### 取消对节点的保护
+### 取消对节点的保护   {#uncordon-the-node-1}
 
 <!--
--  Bring the node back online by marking it schedulable:
-
-    ```shell
-    # replace <node-to-drain> with the name of your node
-    kubectl uncordon <node-to-drain>
-    ```
+- Bring the node back online by marking it schedulable:
 -->
 - 通过将节点标记为可调度，让节点重新上线:
 
+  <!--
+  ```shell
+  # replace <node-to-drain> with the name of your node
+  kubectl uncordon <node-to-drain>
+  ```
+  -->
   ```shell
   # 将 <node-to-drain> 替换为当前节点的名称
   kubectl uncordon <node-to-drain>
@@ -521,16 +518,13 @@ without compromising the minimum required capacity for running your workloads.
 
 <!--
 ## Verify the status of the cluster
-
-After the kubelet is upgraded on all nodes verify that all nodes are available again by running the following command
-from anywhere kubectl can access the cluster:
-
-```shell
-kubectl get nodes
-```
 -->
-## 验证集群的状态
+## 验证集群的状态   {#verify-the-status-of-the-cluster}
 
+<!--
+After the kubelet is upgraded on all nodes verify that all nodes are available again by running
+the following command from anywhere kubectl can access the cluster:
+-->
 在所有节点上升级 kubelet 后，通过从 kubectl 可以访问集群的任何位置运行以下命令，
 验证所有节点是否再次可用：
 
@@ -545,42 +539,45 @@ The `STATUS` column should show `Ready` for all your nodes, and the version numb
 
 <!--
 ## Recovering from a failure state
+-->
+## 从故障状态恢复   {#recovering-from-a-failure-state}
 
+<!--
 If `kubeadm upgrade` fails and does not roll back, for example because of an unexpected shutdown during execution, you can run `kubeadm upgrade` again.
 This command is idempotent and eventually makes sure that the actual state is the desired state you declare.
-
-To recover from a bad state, you can also run `kubeadm upgrade--force` without changing the version that your cluster is running.
 -->
-## 从故障状态恢复
-
 如果 `kubeadm upgrade` 失败并且没有回滚，例如由于执行期间节点意外关闭，
 你可以再次运行 `kubeadm upgrade`。
 此命令是幂等的，并最终确保实际状态是你声明的期望状态。
-要从故障状态恢复，你还可以运行 `kubeadm upgrade --force` 而无需更改集群正在运行的版本。
 
 <!--
-During upgrade kubeadm writes the following backup folders under `/etc/kubernetes/tmp`:
-- `kubeadm-backup-etcd-<date>-<time>`
-- `kubeadm-backup-manifests-<date>-<time>`
-
-`kubeadm-backup-etcd` contains a backup of the local etcd member data for this control-plane Node.
-In case of an etcd upgrade failure and if the automatic rollback does not work, the contents of this folder
-can be manually restored in `/var/lib/etcd`. In case external etcd is used this backup folder will be empty.
+To recover from a bad state, you can also run `kubeadm upgrade apply --force` without changing the version that your cluster is running.
+-->
+要从故障状态恢复，你还可以运行 `kubeadm upgrade apply --force` 而无需更改集群正在运行的版本。
 
-`kubeadm-backup-manifests` contains a backup of the static Pod manifest files for this control-plane Node.
-In case of a upgrade failure and if the automatic rollback does not work, the contents of this folder can be
-manually restored in `/etc/kubernetes/manifests`. If for some reason there is no difference between a pre-upgrade
-and post-upgrade manifest file for a certain component, a backup file for it will not be written.
+<!--
+During upgrade kubeadm writes the following backup folders under `/etc/kubernetes/tmp`:
 -->
 在升级期间，kubeadm 向 `/etc/kubernetes/tmp` 目录下的如下备份文件夹写入数据：
 
 - `kubeadm-backup-etcd-<date>-<time>`
 - `kubeadm-backup-manifests-<date>-<time>`
 
+<!--
+`kubeadm-backup-etcd` contains a backup of the local etcd member data for this control plane Node.
+In case of an etcd upgrade failure and if the automatic rollback does not work, the contents of this folder
+can be manually restored in `/var/lib/etcd`. In case external etcd is used this backup folder will be empty.
+-->
 `kubeadm-backup-etcd` 包含当前控制面节点本地 etcd 成员数据的备份。
 如果 etcd 升级失败并且自动回滚也无法修复，则可以将此文件夹中的内容复制到
 `/var/lib/etcd` 进行手工修复。如果使用的是外部的 etcd，则此备份文件夹为空。
 
+<!--
+`kubeadm-backup-manifests` contains a backup of the static Pod manifest files for this control plane Node.
+In case of a upgrade failure and if the automatic rollback does not work, the contents of this folder can be
+manually restored in `/etc/kubernetes/manifests`. If for some reason there is no difference between a pre-upgrade
+and post-upgrade manifest file for a certain component, a backup file for it will not be written.
+-->
 `kubeadm-backup-manifests` 包含当前控制面节点的静态 Pod 清单文件的备份版本。
 如果升级失败并且无法自动回滚，则此文件夹中的内容可以复制到
 `/etc/kubernetes/manifests` 目录实现手工恢复。
@@ -589,9 +586,15 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
 
 <!--
 ## How it works
+-->
+## 工作原理   {#how-it-works}
 
+<!--
 `kubeadm upgrade apply` does the following:
+-->
+`kubeadm upgrade apply` 做了以下工作：
 
+<!--
 - Checks that your cluster is in an upgradeable state:
   - The API server is reachable
   - All nodes are in the `Ready` state
@@ -603,10 +606,6 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
 - Applies the new `CoreDNS` and `kube-proxy` manifests and makes sure that all necessary RBAC rules are created.
 - Creates new certificate and key files of the API server and backs up old files if they're about to expire in 180 days.
 -->
-## 工作原理   {#how-it-works}
-
-`kubeadm upgrade apply` 做了以下工作：
-
 - 检查你的集群是否处于可升级状态:
   - API 服务器是可访问的
   - 所有节点处于 `Ready` 状态
@@ -620,14 +619,15 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
 
 <!--
 `kubeadm upgrade node` does the following on additional control plane nodes:
+-->
+`kubeadm upgrade node` 在其他控制平节点上执行以下操作：
 
+<!--
 - Fetches the kubeadm `ClusterConfiguration` from the cluster.
 - Optionally backups the kube-apiserver certificate.
 - Upgrades the static Pod manifests for the control plane components.
 - Upgrades the kubelet configuration for this node.
 -->
-`kubeadm upgrade node` 在其他控制平节点上执行以下操作：
-
 - 从集群中获取 kubeadm `ClusterConfiguration`。
 - （可选操作）备份 kube-apiserver 证书。
 - 升级控制平面组件的静态 Pod 清单。
@@ -635,11 +635,12 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
 
 <!--
 `kubeadm upgrade node` does the following on worker nodes:
+-->
+`kubeadm upgrade node` 在工作节点上完成以下工作：
 
+<!--
 - Fetches the kubeadm `ClusterConfiguration` from the cluster.
 - Upgrades the kubelet configuration for this node.
 -->
-`kubeadm upgrade node` 在工作节点上完成以下工作：
-
 - 从集群取回 kubeadm `ClusterConfiguration`。
 - 为本节点升级 kubelet 配置。
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
index 5570285f3b388..1aa7d0977f682 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes.md
@@ -18,7 +18,7 @@ weight: 40
 <!--
 This page explains how to upgrade a Windows node [created with kubeadm](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes).
 -->
-本页解释如何升级[用 kubeadm 创建的](/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes)
+本页解释如何升级[用 kubeadm 创建的](/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes)
 Windows 节点。
 
 ## {{% heading "prerequisites" %}}
@@ -30,7 +30,7 @@ Windows 节点。
 cluster](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade). You will want to
 upgrade the control plane nodes before upgrading your Windows nodes.
 -->
-* 熟悉[更新 kubeadm 集群中的其余组件](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade)。
+* 熟悉[更新 kubeadm 集群中的其余组件](/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade)。
   在升级你的 Windows 节点之前你会想要升级控制面节点。
 
 <!-- steps -->
diff --git a/content/zh/docs/tasks/administer-cluster/kubelet-config-file.md b/content/zh-cn/docs/tasks/administer-cluster/kubelet-config-file.md
similarity index 92%
rename from content/zh/docs/tasks/administer-cluster/kubelet-config-file.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubelet-config-file.md
index 3f8ee37eb7c52..0af51406f29a3 100644
--- a/content/zh/docs/tasks/administer-cluster/kubelet-config-file.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubelet-config-file.md
@@ -36,7 +36,7 @@ struct.
 -->
 ## 创建配置文件
 
-[`KubeletConfiguration`](/zh/docs/reference/config-api/kubelet-config.v1beta1/) 结构体定义了可以通过文件配置的 Kubelet 配置子集，
+[`KubeletConfiguration`](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/) 结构体定义了可以通过文件配置的 Kubelet 配置子集，
 
 <!--
 The configuration file must be a JSON or YAML representation of the parameters
@@ -86,7 +86,7 @@ The Kubelet will then load its config from this file.
 
 {{< note >}}
 如果你使用 kubeadm 初始化你的集群，在使用 `kubeadmin init` 创建你的集群的时候请使用 kubelet-config。
-更多细节请阅读[使用 kubeadm 配置 kubelet](/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration/)
+更多细节请阅读[使用 kubeadm 配置 kubelet](/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration/)
 {{< /note >}}
 
 启动 Kubelet 需要将 `--config` 参数设置为 Kubelet 配置文件的路径。Kubelet 将从此文件加载其配置。
@@ -125,5 +125,5 @@ In the above example, this version is `kubelet.config.k8s.io/v1beta1`.
   [`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/)
   reference.
 --->
-- 参阅 [`KubeletConfiguration`](/zh/docs/reference/config-api/kubelet-config.v1beta1/) 
+- 参阅 [`KubeletConfiguration`](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/) 
   进一步学习 kubelet 的配置。
diff --git a/content/zh/docs/tasks/administer-cluster/kubelet-in-userns.md b/content/zh-cn/docs/tasks/administer-cluster/kubelet-in-userns.md
similarity index 99%
rename from content/zh/docs/tasks/administer-cluster/kubelet-in-userns.md
rename to content/zh-cn/docs/tasks/administer-cluster/kubelet-in-userns.md
index 33c23ba8101f5..8f456e8058d9e 100644
--- a/content/zh/docs/tasks/administer-cluster/kubelet-in-userns.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubelet-in-userns.md
@@ -36,7 +36,7 @@ If you are just looking for how to run a pod as a non-root user, see [SecurityCo
 
 {{< note >}}
 这个文档描述了怎么以非 root 用户身份运行 Kubernetes 节点组件以及 Pod。
-如果你只是想了解如何以非 root 身份运行 Pod，请参阅 [SecurityContext](/zh/docs/tasks/configure-pod-container/security-context/)。
+如果你只是想了解如何以非 root 身份运行 Pod，请参阅 [SecurityContext](/zh-cn/docs/tasks/configure-pod-container/security-context/)。
 {{< /note >}}
 
 <!--
@@ -59,7 +59,7 @@ If you are just looking for how to run a pod as a non-root user, see [SecurityCo
 * [在 systemd 中启用 user session](https://rootlesscontaine.rs/getting-started/common/login/)
 * [根据不同的 Linux 发行版，配置 sysctl 的值](https://rootlesscontaine.rs/getting-started/common/sysctl/)
 * [确保你的非特权用户被列在 `/etc/subuid` 和 `/etc/subgid` 文件中](https://rootlesscontaine.rs/getting-started/common/subuid/)
-* 启用 `KubeletInUserNamespace` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+* 启用 `KubeletInUserNamespace` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 
 <!-- steps -->
 
diff --git a/content/zh/docs/tasks/administer-cluster/limit-storage-consumption.md b/content/zh-cn/docs/tasks/administer-cluster/limit-storage-consumption.md
similarity index 94%
rename from content/zh/docs/tasks/administer-cluster/limit-storage-consumption.md
rename to content/zh-cn/docs/tasks/administer-cluster/limit-storage-consumption.md
index 003b8dc7a4c48..668675fb6a04d 100644
--- a/content/zh/docs/tasks/administer-cluster/limit-storage-consumption.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/limit-storage-consumption.md
@@ -19,9 +19,9 @@ The following resources are used in the demonstration: [ResourceQuota](/docs/con
 [LimitRange](/docs/tasks/administer-cluster/memory-default-namespace/),
 and [PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/).
 -->
-演示中用到了以下资源：[ResourceQuota](/zh/docs/concepts/policy/resource-quotas/)，
-[LimitRange](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/) 和
-[PersistentVolumeClaim](/zh/docs/concepts/storage/persistent-volumes/)。
+演示中用到了以下资源：[ResourceQuota](/zh-cn/docs/concepts/policy/resource-quotas/)，
+[LimitRange](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/) 和
+[PersistentVolumeClaim](/zh-cn/docs/concepts/storage/persistent-volumes/)。
 
 ## {{% heading "prerequisites" %}}
 
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/_index.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/_index.md
similarity index 100%
rename from content/zh/docs/tasks/administer-cluster/manage-resources/_index.md
rename to content/zh-cn/docs/tasks/administer-cluster/manage-resources/_index.md
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
similarity index 54%
rename from content/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
rename to content/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
index d05a5f6b339b8..9fe493377d5e8 100644
--- a/content/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md
@@ -2,36 +2,53 @@
 title: 为命名空间配置 CPU 最小和最大约束
 content_type: task
 weight: 40
+description: >-
+  为命名空间定义一个有效的 CPU 资源限制范围，使得在该命名空间中所有新建 Pod 的 CPU 资源是在你所设置的范围内。
 ---
 
 <!--
 title: Configure Minimum and Maximum CPU Constraints for a Namespace
 content_type: task
 weight: 40
+description: >-
+  Define a range of valid CPU resource limits for a namespace, so that every new Pod
+  in that namespace falls within the range you configure.
 -->
 
 <!-- overview -->
 
 <!--
-This page shows how to set minimum and maximum values for the CPU resources used by Containers
-and Pods in a namespace. You specify minimum and maximum CPU values in a
-[LimitRange](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#limitrange-v1-core)
+This page shows how to set minimum and maximum values for the CPU resources used by containers
+and Pods in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}. You specify minimum
+and maximum CPU values in a
+[LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
 object. If a Pod does not meet the constraints imposed by the LimitRange, it cannot be created
 in the namespace.
 -->
-本页介绍如何为命名空间中容器和 Pod 使用的 CPU 资源设置最小和最大值。
+本页介绍如何为{{< glossary_tooltip text="命名空间" term_id="namespace" >}}中的容器和 Pod
+设置其所使用的 CPU 资源的最小和最大值。
 你可以通过
-[LimitRange](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#limitrange-v1-core)
-对象声明 CPU 的最小和最大值. 如果 Pod 不能满足 LimitRange 的限制，它就不能在命名空间中创建。
+[LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
+对象声明 CPU 的最小和最大值.
+如果 Pod 不能满足 LimitRange 的限制，就无法在该命名空间中被创建。
 
 ## {{% heading "prerequisites" %}}
 
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+{{< include "task-tutorial-prereqs.md" >}} 
 
 <!--
-Your cluster must have at least 1 CPU available for use to run the task examples.
+You must have access to create namespaces in your cluster.
+
+Each node in your cluster must have at least 1.0 CPU available for Pods.
+See [meaning of CPU](/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)
+to learn what Kubernetes means by “1 CPU”.
 -->
-你的集群中每个节点至少要有 1 个 CPU 可用才能运行本任务示例。
+在你的集群里你必须要有创建命名空间的权限。
+
+集群中的每个节点都必须至少有 1.0 个 CPU 可供 Pod 使用。
+
+请阅读 [CPU 的含义](/zh-cn/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)
+理解 "1 CPU" 在 Kubernetes 中的含义。
 
 <!-- steps -->
 
@@ -52,11 +69,11 @@ kubectl create namespace constraints-cpu-example
 <!--
 ## Create a LimitRange and a Pod
 
-Here's the configuration file for a LimitRange:
+Here's a manifest for an example {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}}:
 -->
 ## 创建 LimitRange 和 Pod
 
-这里给出了 LimitRange 的配置文件：
+以下为 {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}} 的示例清单：
 
 {{< codenew file="admin/resource/cpu-constraints.yaml" >}}
 
@@ -100,24 +117,25 @@ limits:
 ```
 
 <!--
-Now whenever a Container is created in the constraints-cpu-example namespace, Kubernetes
-performs these steps:
+Now whenever you create a Pod in the constraints-cpu-example namespace (or some other client
+of the Kubernetes API creates an equivalent Pod), Kubernetes performs these steps:
 
-* If the Container does not specify its own CPU request and limit, assign the default
-CPU request and limit to the Container.
+* If any container in that Pod does not specify its own CPU request and limit, the control plane
+  assigns the default CPU request and limit to that container.
 
-* Verify that the Container specifies a CPU request that is greater than or equal to 200 millicpu.
+* Verify that every container in that Pod specifies a CPU request that is greater than or equal to 200 millicpu.
 
-* Verify that the Container specifies a CPU limit that is less than or equal to 800 millicpu.
+* Verify that every container in that Pod specifies a CPU limit that is less than or equal to 800 millicpu.
 -->
 
-现在不管什么时候在 constraints-cpu-example 命名空间中创建容器，Kubernetes 都会执行下面这些步骤：
+现在，每当你在 constraints-mem-example 命名空间中创建 Pod 时，或者某些其他的
+Kubernetes API 客户端创建了等价的 Pod 时，Kubernetes 就会执行下面的步骤：
 
-* 如果容器没有声明自己的 CPU 请求和限制，将为容器指定默认 CPU 请求和限制。
+* 如果 Pod 中的任何容器未声明自己的 CPU 请求和限制，控制面将为该容器设置默认的 CPU 请求和限制。
 
-* 核查容器声明的 CPU 请求确保其大于或者等于 200 millicpu。
+* 确保该 Pod 中的每个容器的 CPU 请求至少 200 millicpu。
 
-* 核查容器声明的 CPU 限制确保其小于或者等于 800 millicpu。
+* 确保该 Pod 中每个容器 CPU 请求不大于 800 millicpu。
 
 <!--
 When creating a `LimitRange` object, you can specify limits on huge-pages
@@ -130,29 +148,29 @@ on these resources, the two values must be the same.
 {{< /note >}}
 
 <!--
-Here's the configuration file for a Pod that has one Container. The Container manifest
+Here's a manifest for a Pod that has one container. The container manifest
 specifies a CPU request of 500 millicpu and a CPU limit of 800 millicpu. These satisfy the
-minimum and maximum CPU constraints imposed by the LimitRange.
+minimum and maximum CPU constraints imposed by the LimitRange for this namespace.
 -->
-这里给出了包含一个容器的 Pod 的配置文件。
-该容器声明了 500 millicpu 的 CPU 请求和 800 millicpu 的 CPU 限制。
-这些参数满足了 LimitRange 对象规定的 CPU 最小和最大限制。
+以下为某个仅包含一个容器的 Pod 的清单。
+该容器声明了 CPU 请求 500 millicpu 和 CPU 限制 800 millicpu 。
+这些参数满足了 LimitRange 对象为此名字空间规定的 CPU 最小和最大限制。
 
 {{< codenew file="admin/resource/cpu-constraints-pod.yaml" >}}
 
 <!--
 Create the Pod:
 -->
-创建Pod：
+创建 Pod：
 
 ```shell
 kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod.yaml --namespace=constraints-cpu-example
 ```
 
 <!--
-Verify that the Pod's Container is running:
+Verify that the Pod is running and that its container is healthy:
 -->
-确认一下 Pod 中的容器在运行：
+确认 Pod 正在运行，并且其容器处于健康状态：
 
 ```shell
 kubectl get pod constraints-cpu-demo --namespace=constraints-cpu-example
@@ -168,10 +186,10 @@ kubectl get pod constraints-cpu-demo --output=yaml --namespace=constraints-cpu-e
 ```
 
 <!--
-The output shows that the Container has a CPU request of 500 millicpu and CPU limit
+The output shows that the Pod's only container has a CPU request of 500 millicpu and CPU limit
 of 800 millicpu. These satisfy the constraints imposed by the LimitRange.
 -->
-输出结果表明容器的 CPU 请求为 500 millicpu，CPU 限制为 800 millicpu。
+输出结果显示该 Pod 的容器的 CPU 请求为 500 millicpu，CPU 限制为 800 millicpu。
 这些参数满足 LimitRange 规定的限制范围。
 
 ```yaml
@@ -214,10 +232,11 @@ kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-2.ya
 ```
 
 <!--
-The output shows that the Pod does not get created, because the Container specifies a CPU limit that is
-too large:
+The output shows that the Pod does not get created, because it defines an unacceptable container.
+That container is not acceptable because it specifies a CPU limit that is too large:
 -->
-输出结果表明 Pod 没有创建成功，因为容器声明的 CPU 限制太大了：
+输出结果表明 Pod 没有创建成功，因为其中定义了一个无法被接受的容器。
+该容器之所以无法被接受是因为其中设定了过高的 CPU 限制值：
 
 ```
 Error from server (Forbidden): error when creating "examples/admin/resource/cpu-constraints-pod-2.yaml":
@@ -227,12 +246,12 @@ pods "constraints-cpu-demo-2" is forbidden: maximum cpu usage per Container is 8
 <!--
 ## Attempt to create a Pod that does not meet the minimum CPU request
 
-Here's the configuration file for a Pod that has one Container. The Container specifies a
+Here's a manifest for a Pod that has one container. The container specifies a
 CPU request of 100 millicpu and a CPU limit of 800 millicpu.
 -->
 ## 尝试创建一个不满足最小 CPU 请求的 Pod
 
-这里给出了包含一个容器的 Pod 的配置文件。该容器声明了100 millicpu的 CPU 请求和800 millicpu的 CPU 限制。
+以下为某个只有一个容器的 Pod 的清单。该容器声明了 CPU 请求 100 millicpu 和 CPU 限制 800 millicpu。
 
 {{< codenew file="admin/resource/cpu-constraints-pod-3.yaml" >}}
 
@@ -246,10 +265,12 @@ kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-3.ya
 ```
 
 <!--
-The output shows that the Pod does not get created, because the Container specifies a CPU
-request that is too small:
+The output shows that the Pod does not get created, because it defines an unacceptable container.
+That container is not acceptable because it specifies a CPU request that is lower than the
+enforced minimum:
 -->
-输出结果显示 Pod 没有创建成功，因为容器声明的 CPU 请求太小了：
+输出结果显示 Pod 没有创建成功，因为其中定义了一个无法被接受的容器。
+该容器无法被接受的原因是其中所设置的 CPU 请求小于最小值的限制：
 
 ```
 Error from server (Forbidden): error when creating "examples/admin/resource/cpu-constraints-pod-3.yaml":
@@ -259,12 +280,12 @@ pods "constraints-cpu-demo-4" is forbidden: minimum cpu usage per Container is 2
 <!--
 ## Create a Pod that does not specify any CPU request or limit
 
-Here's the configuration file for a Pod that has one Container. The Container does not
-specify a CPU request, and it does not specify a CPU limit.
+Here's a manifest for a Pod that has one container. The container does not
+specify a CPU request, nor does it specify a CPU limit.
 -->
 ## 创建一个没有声明 CPU 请求和 CPU 限制的 Pod
 
-这里给出了包含一个容器的 Pod 的配置文件。该容器没有设定 CPU 请求和 CPU 限制。
+以下为一个只有一个容器的 Pod 的清单。该容器没有声明 CPU 请求，也没有声明 CPU 限制。
 
 {{< codenew file="admin/resource/cpu-constraints-pod-4.yaml" >}}
 
@@ -287,11 +308,14 @@ kubectl get pod constraints-cpu-demo-4 --namespace=constraints-cpu-example --out
 ```
 
 <!--
-The output shows that the Pod's Container has a CPU request of 800 millicpu and a CPU limit of 800 millicpu.
-How did the Container get those values?
+The output shows that the Pod's single container has a CPU request of 800 millicpu and a
+CPU limit of 800 millicpu.
+How did that container get those values?
 -->
-输出结果显示 Pod 的容器有个 800 millicpu 的 CPU 请求和 800 millicpu 的 CPU 限制。
-容器是怎样得到那些值的呢？
+输出结果显示 Pod 的唯一容器的 CPU 请求为 800 millicpu，CPU 限制为 800 millicpu。
+
+容器是怎样获得这些数值的呢？
+
 
 ```yaml
 resources:
@@ -302,26 +326,29 @@ resources:
 ```
 
 <!--
-Because your Container did not specify its own CPU request and limit, it was given the
-[default CPU request and limit](/docs/tasks/administer-cluster/cpu-default-namespace/)
-from the LimitRange.
+Because that container did not specify its own CPU request and limit, the control plane
+applied the
+[default CPU request and limit](/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+from the LimitRange for this namespace.
 -->
-因为你的 Container 没有声明自己的 CPU 请求和限制，LimitRange 给它指定了
-[默认的 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+因为这一容器没有声明自己的 CPU 请求和限制，
+控制面会根据命名空间中配置 LimitRange
+设置[默认的 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)。
 
 <!--
-At this point, your Container might be running or it might not be running. Recall that a prerequisite
-for this task is that your Nodes have at least 1 CPU. If each of your Nodes has only
-1 CPU, then there might not be enough allocatable CPU on any Node to accommodate a request
-of 800 millicpu. If you happen to be using Nodes with 2 CPU, then you probably have
-enough CPU to accommodate the 800 millicpu request.
+At this point, your Pod may or may not be running. Recall that a prerequisite for
+this task is that your Nodes must have at least 1 CPU available for use. If each of your Nodes has only 1 CPU,
+then there might not be enough allocatable CPU on any Node to accommodate a request of 800 millicpu. 
+If you happen to be using Nodes with 2 CPU, then you probably have enough CPU to accommodate the 800 millicpu request.
 
 Delete your Pod:
 -->
-此时，你的容器可能运行也可能没有运行。
-回想一下，本任务的先决条件是你的节点要有 1 个 CPU。
-如果你的每个节点仅有 1 个 CPU，那么可能没有任何一个节点可以满足 800 millicpu 的 CPU 请求。
-如果你在用的节点恰好有两个 CPU，那么你才可能有足够的 CPU 来满足 800 millicpu 的请求。
+此时，你的 Pod 可能已经运行起来也可能没有运行起来。
+回想一下我们本次任务的先决条件是你的每个节点都至少有 1 CPU。
+如果你的每个节点都只有 1 CPU，那将没有一个节点拥有足够的可分配 CPU 来满足 800 millicpu 的请求。
+如果你在用的节点恰好有 2 CPU，那么有可能有足够的 CPU 来满足 800 millicpu 的请求。
+
+删除你的 Pod：
 
 ```
 kubectl delete pod constraints-cpu-demo-4 --namespace=constraints-cpu-example
@@ -396,12 +423,12 @@ kubectl delete namespace constraints-cpu-example
 
 ### 集群管理员参考：
 
-* [为命名空间配置默认内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置内存限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置 CPU 限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [为 API 对象配置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [为命名空间配置默认内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置内存限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置 CPU 限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
 <!--
 ### For app developers
@@ -413,7 +440,7 @@ kubectl delete namespace constraints-cpu-example
 
 ### 应用开发者参考：
 
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [为 Pod 配置服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 配置服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
new file mode 100644
index 0000000000000..b31900a5149d1
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
@@ -0,0 +1,332 @@
+---
+title: 为命名空间配置默认的 CPU 请求和限制
+content_type: task
+weight: 20
+description: >-
+  为命名空间定义默认的 CPU 资源限制，在该命名空间中每个新建的 Pod 都会被配置上 CPU 资源限制。
+---
+
+<!--
+title: Configure Default CPU Requests and Limits for a Namespace
+content_type: task
+weight: 20
+-->
+
+<!-- overview -->
+<!--
+This page shows how to configure default CPU requests and limits for a
+{{< glossary_tooltip text="namespace" term_id="namespace" >}}.
+
+A Kubernetes cluster can be divided into namespaces. If you create a Pod within a
+namespace that has a default CPU
+[limit](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits), and any container in that Pod does not specify
+its own CPU limit, then the
+{{< glossary_tooltip text="control plane" term_id="control-plane" >}} assigns the default
+CPU limit to that container.
+
+Kubernetes assigns a default CPU
+[request](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits),
+but only under certain conditions that are explained later in this page.
+
+-->
+本章介绍如何为{{< glossary_tooltip text="命名空间" term_id="namespace" >}}配置默认的 CPU 请求和限制。
+
+一个 Kubernetes 集群可被划分为多个命名空间。
+如果你在具有默认 CPU[限制](/zh-cn/docs/concepts/configuration/manage-resources-containers/#requests-and-limits)
+的命名空间内创建一个 Pod，并且这个 Pod 中任何容器都没有声明自己的 CPU 限制，
+那么{{< glossary_tooltip text="控制面" term_id="control-plane" >}}会为容器设定默认的 CPU 限制。
+
+Kubernetes 在一些特定情况还可以设置默认的 CPU 请求，本文后续章节将会对其进行解释。
+
+## {{% heading "prerequisites" %}}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+<!--
+You must have access to create namespaces in your cluster.
+
+If you're not already familiar with what Kubernetes means by 1.0 CPU,
+read [meaning of CPU](/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu).
+-->
+在你的集群里你必须要有创建命名空间的权限。
+
+如果你还不熟悉 Kubernetes 中 1.0 CPU 的含义，
+请阅读 [CPU 的含义](/zh-cn/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)。
+
+<!-- steps -->
+
+<!--
+## Create a namespace
+
+Create a namespace so that the resources you create in this exercise are
+isolated from the rest of your cluster.
+-->
+## 创建命名空间
+
+创建一个命名空间，以便本练习中创建的资源和集群的其余部分相隔离。
+
+```shell
+kubectl create namespace default-cpu-example
+```
+
+<!--
+## Create a LimitRange and a Pod
+
+Here's a manifest for an example {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}}.
+The manifest specifies a default CPU request and a default CPU limit.
+-->
+## 创建 LimitRange 和 Pod
+
+以下为 {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}} 的示例清单。
+清单中声明了默认 CPU 请求和默认 CPU 限制。
+
+{{< codenew file="admin/resource/cpu-defaults.yaml" >}}
+
+<!--
+Create the LimitRange in the default-cpu-example namespace:
+-->
+在命名空间 default-cpu-example 中创建 LimitRange 对象：
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults.yaml --namespace=default-cpu-example
+```
+
+<!--
+Now if you create a Pod in the default-cpu-example namespace, and any container
+in that Pod does not specify its own values for CPU request and CPU limit,
+then the control plane applies default values: a CPU request of 0.5 and a default
+CPU limit of 1.
+
+Here's a manifest for a Pod that has one container. The container
+does not specify a CPU request and limit.
+-->
+现在如果你在 default-cpu-example 命名空间中创建一个 Pod，
+并且该 Pod 中所有容器都没有声明自己的 CPU 请求和 CPU 限制，
+控制面会将 CPU 的默认请求值 0.5 和默认限制值 1 应用到 Pod 上。
+
+以下为只包含一个容器的 Pod 的清单。该容器没有声明 CPU 请求和限制。
+
+{{< codenew file="admin/resource/cpu-defaults-pod.yaml" >}}
+
+<!--
+Create the Pod.
+-->
+创建 Pod。
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod.yaml --namespace=default-cpu-example
+```
+
+<!--
+View the Pod's specification:
+-->
+查看该 Pod 的声明：
+
+```shell
+kubectl get pod default-cpu-demo --output=yaml --namespace=default-cpu-example
+```
+
+<!--
+The output shows that the Pod's only container has a CPU request of 500m `cpu`
+(which you can read as “500 millicpu”), and a CPU limit of 1 `cpu`.
+These are the default values specified by the LimitRange.
+-->
+输出显示该 Pod 的唯一的容器有 500m `cpu` 的 CPU 请求和 1 `cpu` 的 CPU 限制。
+这些是 LimitRange 声明的默认值。
+
+```shell
+containers:
+- image: nginx
+  imagePullPolicy: Always
+  name: default-cpu-demo-ctr
+  resources:
+    limits:
+      cpu: "1"
+    requests:
+      cpu: 500m
+```
+
+<!--
+## What if you specify a container's limit, but not its request?
+
+Here's a manifest for a Pod that has one container. The container
+specifies a CPU limit, but not a request:
+-->
+## 你只声明容器的限制，而不声明请求会怎么样？
+
+以下为只包含一个容器的 Pod 的清单。该容器声明了 CPU 限制，而没有声明 CPU 请求。
+
+{{< codenew file="admin/resource/cpu-defaults-pod-2.yaml" >}}
+
+<!--
+Create the Pod:
+-->
+创建 Pod
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-2.yaml --namespace=default-cpu-example
+```
+
+<!--
+View the [specification](/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)
+of the Pod that you created:
+-->
+查看你所创建的 Pod 的[规约](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)：
+
+```
+kubectl get pod default-cpu-demo-2 --output=yaml --namespace=default-cpu-example
+```
+
+<!--
+The output shows that the Container's CPU request is set to match its CPU limit.
+Notice that the container was not assigned the default CPU request value of 0.5 `cpu`:
+-->
+输出显示该容器的 CPU 请求和 CPU 限制设置相同。注意该容器没有被指定默认的 CPU 请求值 0.5 `cpu`：
+
+```
+resources:
+  limits:
+    cpu: "1"
+  requests:
+    cpu: "1"
+```
+
+<!--
+## What if you specify a container's request, but not its limit?
+
+Here's an example manifest for a Pod that has one container. The container
+specifies a CPU request, but not a limit:
+-->
+## 你只声明容器的请求，而不声明它的限制会怎么样？
+
+这里给出了包含一个容器的 Pod 的示例清单。该容器声明了 CPU 请求，而没有声明 CPU 限制。
+
+{{< codenew file="admin/resource/cpu-defaults-pod-3.yaml" >}}
+
+<!--
+Create the Pod:
+-->
+创建 Pod：
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-3.yaml --namespace=default-cpu-example
+```
+
+<!--
+View the [specification](/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)
+of the Pod that you created:
+-->
+查看你所创建的 Pod 的[规约](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status)：
+
+```
+kubectl get pod default-cpu-demo-3 --output=yaml --namespace=default-cpu-example
+```
+
+<!--
+The output shows that the container's CPU request is set to the value you specified at
+the time you created the Pod (in other words: it matches the manifest).
+However, the same container's CPU limit is set to 1 `cpu`, which is the default CPU limit
+for that namespace.
+-->
+输出显示你所创建的 Pod 中，容器的 CPU 请求为 Pod 清单中声明的值。
+然而同一容器的 CPU 限制被设置为 1 `cpu`，此值是该命名空间的默认 CPU 限制值。
+
+```
+resources:
+  limits:
+    cpu: "1"
+  requests:
+    cpu: 750m
+```
+
+<!--
+## Motivation for default CPU limits and requests
+
+If your namespace has a CPU {{< glossary_tooltip text="resource quota" term_id="resource-quota" >}}
+configured,
+it is helpful to have a default value in place for CPU limit.
+Here are two of the restrictions that a CPU resource quota imposes on a namespace:
+
+* For every Pod that runs in the namespace, each of its containers must have a CPU limit.
+* CPU request apply a resource reservation on the node where the Pod in question is scheduled.
+  The total amount of CPU that is reserved for use by all Pods in the namespace must not
+  exceed a specified limit.
+
+-->
+## 默认 CPU 限制和请求的动机
+
+如果你的命名空间设置了 CPU {{< glossary_tooltip text="资源配额" term_id="resource-quota" >}}，
+为 CPU 限制设置一个默认值会很有帮助。
+以下是 CPU 资源配额对命名空间的施加的两条限制：
+
+* 命名空间中运行的每个 Pod 中的容器都必须有 CPU 限制。
+
+* CPU 限制用来在 Pod 被调度到的节点上执行资源预留。
+
+预留给命名空间中所有 Pod 使用的 CPU 总量不能超过规定的限制。
+
+<!--
+When you add a LimitRange:
+
+If any Pod in that namespace that includes a container does not specify its own CPU limit,
+the control plane applies the default CPU limit to that container, and the Pod can be
+allowed to run in a namespace that is restricted by a CPU ResourceQuota.
+-->
+当你添加 LimitRange 时：
+
+如果该命名空间中的任何 Pod 的容器未指定 CPU 限制，
+控制面将默认 CPU 限制应用于该容器，
+这样 Pod 可以在受到 CPU ResourceQuota 限制的命名空间中运行。
+
+<!--
+## Clean up
+
+Delete your namespace:
+
+```shell
+kubectl delete namespace default-cpu-example
+```
+-->
+## 清理
+
+删除你的命名空间：
+
+```shell
+kubectl delete namespace constraints-cpu-example
+```
+
+## {{% heading "whatsnext" %}}
+
+<!--
+### For cluster administrators
+
+* [Configure Default Memory Requests and Limits for a Namespace](/docs/tasks/administer-cluster/memory-default-namespace/)
+* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/memory-constraint-namespace/)
+* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/cpu-constraint-namespace/)
+* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/)
+* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/quota-pod-namespace/)
+* [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
+-->
+### 集群管理员参考
+
+* [为命名空间配置默认内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置内存限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置 CPU 限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
+
+<!--
+### For app developers
+
+* [Assign Memory Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [Assign CPU Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [Configure Quality of Service for Pods](/docs/tasks/configure-pod-container/quality-service-pod/)
+-->
+### 应用开发者参考
+
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 配置服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
+
+
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
similarity index 54%
rename from content/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
rename to content/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
index 372ca6c85424d..5172f347fe220 100644
--- a/content/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md
@@ -2,6 +2,9 @@
 title: 配置命名空间的最小和最大内存约束
 content_type: task
 weight: 30
+description: >-
+  为命名口空间定义一个有效的内存资源限制范围，在该命名空间中每个新创建
+  Pod 的内存资源是在设置的范围内。
 ---
 
 <!--
@@ -13,24 +16,30 @@ weight: 30
 <!-- overview -->
 
 <!--
-This page shows how to set minimum and maximum values for memory used by Containers
-running in a namespace. You specify minimum and maximum memory values in a
-[LimitRange](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#limitrange-v1-core)
+This page shows how to set minimum and maximum values for memory used by containers
+running in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}. 
+You specify minimum and maximum memory values in a
+[LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
 object. If a Pod does not meet the constraints imposed by the LimitRange,
 it cannot be created in the namespace.
 -->
-本页介绍如何设置在命名空间中运行的容器使用的内存的最小值和最大值。 你可以在
-[LimitRange](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#limitrange-v1-core)
-对象中指定最小和最大内存值。如果 Pod 不满足 LimitRange 施加的约束，则无法在命名空间中创建它。
+本页介绍如何设置在{{< glossary_tooltip text="名字空间" term_id="namespace" >}}
+中运行的容器所使用的内存的最小值和最大值。你可以在
+[LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/)
+对象中指定最小和最大内存值。如果 Pod 不满足 LimitRange 施加的约束，
+则无法在名字空间中创建它。
 
 ## {{% heading "prerequisites" %}}
 
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+{{< include "task-tutorial-prereqs.md" >}} 
 
 <!--
-Each node in your cluster must have at least 1 GiB of memory.
+You must have access to create namespaces in your cluster.
+Each node in your cluster must have at least 1 GiB of memory available for Pods.
 -->
-集群中每个节点必须至少要有 1 GiB 的内存。
+在你的集群里你必须要有创建命名空间的权限。
+
+集群中的每个节点都必须至少有 1 GiB 的内存可供 Pod 使用。
 
 <!-- steps -->
 
@@ -42,7 +51,7 @@ isolated from the rest of your cluster.
 -->
 ## 创建命名空间
 
-创建一个命名空间，以便在此练习中创建的资源与群集的其余资源隔离。
+创建一个命名空间，以便在此练习中创建的资源与集群的其余资源隔离。
 
 ```shell
 kubectl create namespace constraints-mem-example
@@ -51,11 +60,11 @@ kubectl create namespace constraints-mem-example
 <!--
 ## Create a LimitRange and a Pod
 
-Here's the configuration file for a LimitRange:
+Here's an example manifest for a LimitRange:
 -->
 ## 创建 LimitRange 和 Pod
 
-下面是 LimitRange 的配置文件：
+下面是 LimitRange 的示例清单：
 
 {{< codenew file="admin/resource/memory-constraints.yaml" >}}
 
@@ -98,30 +107,29 @@ file for the LimitRange, they were created automatically.
 ```
 
 <!--
-Now whenever a Container is created in the constraints-mem-example namespace, Kubernetes
+Now whenever you define a Pod within the constraints-mem-example namespace, Kubernetes
 performs these steps:
 
-* If the Container does not specify its own memory request and limit, assign the default
-memory request and limit to the Container.
+* If any container in that Pod does not specify its own memory request and limit, 
+  the control plane assigns the default memory request and limit to that container.
 
-* Verify that the Container has a memory request that is greater than or equal to 500 MiB.
+* Verify that every container in that Pod requests at least 500 MiB of memory.
 
-* Verify that the Container has a memory limit that is less than or equal to 1 GiB.
+* Verify that every container in that Pod requests no more than 1024 MiB (1 GiB)
+  of memory.
 
-Here's the configuration file for a Pod that has one Container. The Container manifest
-specifies a memory request of 600 MiB and a memory limit of 800 MiB. These satisfy the
+Here's a manifest for a Pod that has one container. Within the Pod spec, the sole
+container specifies a memory request of 600 MiB and a memory limit of 800 MiB. These satisfy the
 minimum and maximum memory constraints imposed by the LimitRange.
 -->
-现在，只要在 constraints-mem-example 命名空间中创建容器，Kubernetes 就会执行下面的步骤：
-
-* 如果 Container 未指定自己的内存请求和限制，将为它指定默认的内存请求和限制。
+现在，每当在 constraints-mem-example 命名空间中创建 Pod 时，Kubernetes 就会执行下面的步骤：
 
-* 验证 Container 的内存请求是否大于或等于500 MiB。
+* 如果 Pod 中的任何容器未声明自己的内存请求和限制，控制面将为该容器设置默认的内存请求和限制。
+* 确保该 Pod 中的每个容器的内存请求至少 500 MiB。
+* 确保该 Pod 中每个容器内存请求不大于 1 GiB。
 
-* 验证 Container 的内存限制是否小于或等于1 GiB。
-
-这里给出了包含一个 Container 的 Pod 配置文件。Container 声明了 600 MiB 的内存请求和
-800 MiB 的内存限制， 这些满足了 LimitRange 施加的最小和最大内存约束。
+以下为包含一个容器的 Pod 清单。该容器声明了 600 MiB 的内存请求和 800 MiB 的内存限制，
+这些满足了 LimitRange 施加的最小和最大内存约束。
 
 {{< codenew file="admin/resource/memory-constraints-pod.yaml" >}}
 
@@ -135,9 +143,9 @@ kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod.y
 ```
 
 <!--
-Verify that the Pod's Container is running:
+Verify that the Pod is running and that its container is healthy:
 -->
-确认下 Pod 中的容器在运行：
+确认 Pod 正在运行，并且其容器处于健康状态：
 
 ```shell
 kubectl get pod constraints-mem-demo --namespace=constraints-mem-example
@@ -153,10 +161,12 @@ kubectl get pod constraints-mem-demo --output=yaml --namespace=constraints-mem-e
 ```
 
 <!--
-The output shows that the Container has a memory request of 600 MiB and a memory limit
-of 800 MiB. These satisfy the constraints imposed by the LimitRange.
+The output shows that the container within that Pod has a memory request of 600 MiB and
+a memory limit of 800 MiB. These satisfy the constraints imposed by the LimitRange for
+this namespace:
 -->
-输出结果显示容器的内存请求为600 MiB，内存限制为800 MiB。这些满足了 LimitRange 设定的限制范围。
+输出结果显示该 Pod 的容器的内存请求为 600 MiB，内存限制为 800 MiB。
+这些满足这个命名空间中 LimitRange 设定的限制范围。
 
 ```yaml
 resources:
@@ -178,12 +188,12 @@ kubectl delete pod constraints-mem-demo --namespace=constraints-mem-example
 <!--
 ## Attempt to create a Pod that exceeds the maximum memory constraint
 
-Here's the configuration file for a Pod that has one Container. The Container specifies a
+Here's a manifest for a Pod that has one container. The container specifies a
 memory request of 800 MiB and a memory limit of 1.5 GiB.
 -->
 ## 尝试创建一个超过最大内存限制的 Pod
 
-这里给出了包含一个容器的 Pod 的配置文件。容器声明了800 MiB 的内存请求和1.5 GiB 的内存限制。
+以下为包含一个容器的 Pod 的清单。这个容器声明了 800 MiB 的内存请求和 1.5 GiB 的内存限制。
 
 {{< codenew file="admin/resource/memory-constraints-pod-2.yaml" >}}
 
@@ -197,10 +207,10 @@ kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod-2
 ```
 
 <!--
-The output shows that the Pod does not get created, because the Container specifies a memory limit that is
-too large:
+The output shows that the Pod does not get created, because it defines a container that
+requests more memory than is allowed:
 -->
-输出结果显示 Pod 没有创建成功，因为容器声明的内存限制太大了：
+输出结果显示 Pod 没有创建成功，因为它定义了一个容器的内存请求超过了允许的值。
 
 ```
 Error from server (Forbidden): error when creating "examples/admin/resource/memory-constraints-pod-2.yaml":
@@ -210,12 +220,12 @@ pods "constraints-mem-demo-2" is forbidden: maximum memory usage per Container i
 <!--
 ## Attempt to create a Pod that does not meet the minimum memory request
 
-Here's the configuration file for a Pod that has one Container. The Container specifies a
+Here's a manifest for a Pod that has one container. That container specifies a
 memory request of 100 MiB and a memory limit of 800 MiB.
 -->
 ## 尝试创建一个不满足最小内存请求的 Pod
 
-这里给出了包含一个容器的 Pod 的配置文件。容器声明了100 MiB 的内存请求和800 MiB 的内存限制。
+以下为只有一个容器的 Pod 的清单。这个容器声明了 100 MiB 的内存请求和 800 MiB 的内存限制。
 
 {{< codenew file="admin/resource/memory-constraints-pod-3.yaml" >}}
 
@@ -229,10 +239,10 @@ kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod-3
 ```
 
 <!--
-The output shows that the Pod does not get created, because the Container specifies a memory
-request that is too small:
+The output shows that the Pod does not get created, because it defines a container
+that requests less memory than the enforced minimum:
 -->
-输出结果显示 Pod 没有创建成功，因为容器声明的内存请求太小了：
+输出结果显示 Pod 没有创建成功，因为它定义了一个容器的内存请求小于强制要求的最小值：
 
 ```
 Error from server (Forbidden): error when creating "examples/admin/resource/memory-constraints-pod-3.yaml":
@@ -242,12 +252,12 @@ pods "constraints-mem-demo-3" is forbidden: minimum memory usage per Container i
 <!--
 ## Create a Pod that does not specify any memory request or limit
 
-Here's the configuration file for a Pod that has one Container. The Container does not
+Here's a manifest for a Pod that has one container. The container does not
 specify a memory request, and it does not specify a memory limit.
 -->
 ## 创建一个没有声明内存请求和限制的 Pod
 
-这里给出了包含一个容器的 Pod 的配置文件。容器没有声明内存请求，也没有声明内存限制。
+以下为只有一个容器的 Pod 清单。该容器没有声明内存请求，也没有声明内存限制。
 
 {{< codenew file="admin/resource/memory-constraints-pod-4.yaml" >}}
 
@@ -265,15 +275,15 @@ View detailed information about the Pod:
 -->
 查看 Pod 详情：
 
-```
+```shell
 kubectl get pod constraints-mem-demo-4 --namespace=constraints-mem-example --output=yaml
 ```
 
 <!--
-The output shows that the Pod's Container has a memory request of 1 GiB and a memory limit of 1 GiB.
-How did the Container get those values?
+The output shows that the Pod's only container has a memory request of 1 GiB and a memory limit of 1 GiB.
+How did that container get those values?
 -->
-输出结果显示 Pod 的内存请求为1 GiB，内存限制为1 GiB。容器怎样获得哪些数值呢？
+输出结果显示 Pod 的唯一容器内存请求为 1 GiB，内存限制为 1 GiB。容器怎样获得那些数值呢？
 
 ```
 resources:
@@ -284,15 +294,33 @@ resources:
 ```
 
 <!--
-Because your Container did not specify its own memory request and limit, it was given the
+Because your Pod did not define any memory request and limit for that container, the cluster
+applied a
 [default memory request and limit](/docs/tasks/administer-cluster/memory-default-namespace/)
 from the LimitRange.
 -->
-因为你的容器没有声明自己的内存请求和限制，它从 LimitRange 那里获得了
-[默认的内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)。
+因为你的 Pod 没有为容器声明任何内存请求和限制，集群会从 LimitRange
+获取[默认的内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)。
+ 应用于容器。
+
+<!--
+This means that the definition of that Pod shows those values. You can check it using
+`kubectl describe`:
+
+```shell
+# Look for the "Requests:" section of the output
+kubectl describe pod constraints-mem-demo-4 --namespace=constraints-mem-example
+```
+-->
+这意味着 Pod 的定义会显示这些值。你可以通过 `kubectl describe` 查看：
+
+```shell
+# 查看输出结果中的 "Requests:" 的值
+kubectl describe pod constraints-mem-demo-4 --namespace=constraints-mem-example
+```
 
 <!--
-At this point, your Container might be running or it might not be running. Recall that a prerequisite
+At this point, your Pod might be running or it might not be running. Recall that a prerequisite
 for this task is that your Nodes have at least 1 GiB of memory. If each of your Nodes has only
 1 GiB of memory, then there is not enough allocatable memory on any Node to accommodate a memory
 request of 1 GiB. If you happen to be using Nodes with 2 GiB of memory, then you probably have
@@ -300,13 +328,13 @@ enough space to accommodate the 1 GiB request.
 
 Delete your Pod:
 -->
-此时，你的容器可能运行起来也可能没有运行起来。
-回想一下我们本次任务的先决条件是你的每个节点都至少有1 GiB 的内存。
-如果你的每个节点都只有1 GiB 的内存，那将没有一个节点拥有足够的可分配内存来满足1 GiB 的内存请求。
+此时，你的 Pod 可能已经运行起来也可能没有运行起来。
+回想一下我们本次任务的先决条件是你的每个节点都至少有 1 GiB 的内存。
+如果你的每个节点都只有 1 GiB 的内存，那将没有一个节点拥有足够的可分配内存来满足 1 GiB 的内存请求。
 
 删除你的 Pod：
 
-```
+```shell
 kubectl delete pod constraints-mem-demo-4 --namespace=constraints-mem-example
 ```
 
@@ -331,18 +359,18 @@ LimitRange 为命名空间设定的最小和最大内存限制只有在 Pod 创
 As a cluster administrator, you might want to impose restrictions on the amount of memory that Pods can use.
 For example:
 
-* Each Node in a cluster has 2 GB of memory. You do not want to accept any Pod that requests
-  more than 2 GB of memory, because no Node in the cluster can support the request.
+* Each Node in a cluster has 2 GiB of memory. You do not want to accept any Pod that requests
+more than 2 GiB of memory, because no Node in the cluster can support the request.
 
 * A cluster is shared by your production and development departments.
-  You want to allow production workloads to consume up to 8 GB of memory, but
-  you want development workloads to be limited to 512 MB. You create separate namespaces
+You want to allow production workloads to consume up to 8 GiB of memory, but
+you want development workloads to be limited to 512 MiB. You create separate namespaces
   for production and development, and you apply memory constraints to each namespace.
 -->
 作为集群管理员，你可能想规定 Pod 可以使用的内存总量限制。例如：
 
-* 集群的每个节点有 2 GB 内存。你不想接受任何请求超过 2 GB 的 Pod，因为集群中没有节点可以满足。
-* 集群由生产部门和开发部门共享。你希望允许产品部门的负载最多耗用 8 GB 内存，
+* 集群的每个节点有 2 GiB 内存。你不想接受任何请求超过 2 GiB 的 Pod，因为集群中没有节点可以满足。
+* 集群由生产部门和开发部门共享。你希望允许产品部门的负载最多耗用 8 GiB 内存，
   但是开发部门的负载最多可使用 512 MiB。
   这时，你可以为产品部门和开发部门分别创建名字空间，并为各个名字空间设置内存约束。
 
@@ -374,12 +402,12 @@ kubectl delete namespace constraints-mem-example
 
 ### 集群管理员参考
 
-* [为命名空间配置默认内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置内存限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置 CPU 限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [为 API 对象配置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [为命名空间配置默认内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置内存限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置 CPU 限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
 <!--
 ### For app developers
@@ -391,7 +419,7 @@ kubectl delete namespace constraints-mem-example
 
 ### 应用开发者参考
 
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [为 Pod 配置服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 配置服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
new file mode 100644
index 0000000000000..177e0bb54be6c
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
@@ -0,0 +1,346 @@
+---
+title: 为命名空间配置默认的内存请求和限制
+content_type: task
+weight: 10
+description: >-
+  为命名空间定义默认的内存资源限制，这样在该命名空间中每个新建的 Pod 都会被配置上内存资源限制。
+---
+
+<!--
+title: Configure Default Memory Requests and Limits for a Namespace
+content_type: task
+weight: 10
+description: >-
+  Define a default memory resource limit for a namespace, so that every new Pod
+  in that namespace has a memory resource limit configured.
+-->
+
+<!-- overview -->
+
+<!--
+This page shows how to configure default memory requests and limits for a
+{{< glossary_tooltip text="namespace" term_id="namespace" >}}.
+
+A Kubernetes cluster can be divided into namespaces. Once you have a namespace that
+has a default memory
+[limit](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits),
+and you then try to create a Pod with a container that does not specify its own memory
+limit, then the
+{{< glossary_tooltip text="control plane" term_id="control-plane" >}} assigns the default
+memory limit to that container.
+
+Kubernetes assigns a default memory request under certain conditions that are explained later in this topic.
+-->
+本章介绍如何为{{< glossary_tooltip text="命名空间" term_id="namespace" >}}配置默认的内存请求和限制。
+
+一个 Kubernetes 集群可被划分为多个命名空间。
+如果你在具有默认内存[限制](/zh-cn/docs/concepts/configuration/manage-resources-containers/#requests-and-limits)
+的命名空间内尝试创建一个 Pod，并且这个 Pod 中的容器没有声明自己的内存资源限制，
+那么{{< glossary_tooltip text="控制面" term_id="control-plane" >}}会为该容器设定默认的内存限制。
+
+Kubernetes 还为某些情况指定了默认的内存请求，本章后面会进行介绍。
+
+## {{% heading "prerequisites" %}}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+<!--
+You must have access to create namespaces in your cluster.
+
+Each node in your cluster must have at least 2 GiB of memory.
+-->
+在你的集群里你必须要有创建命名空间的权限。
+
+你的集群中的每个节点必须至少有 2 GiB 的内存。
+
+<!-- steps -->
+
+<!--
+## Create a namespace
+
+Create a namespace so that the resources you create in this exercise are
+isolated from the rest of your cluster.
+-->
+## 创建命名空间
+
+创建一个命名空间，以便本练习中所建的资源与集群的其余资源相隔离。
+
+```shell
+kubectl create namespace default-mem-example
+```
+
+<!--
+## Create a LimitRange and a Pod
+
+Here's a manifest for an example {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}}.
+The manifest specifies a default memory
+request and a default memory limit.
+-->
+## 创建 LimitRange 和 Pod
+
+以下为 {{< glossary_tooltip text="LimitRange" term_id="limitrange" >}} 的示例清单。
+清单中声明了默认的内存请求和默认的内存限制。
+
+{{< codenew file="admin/resource/memory-defaults.yaml" >}}
+
+<!--
+Create the LimitRange in the default-mem-example namespace:
+-->
+在 default-mem-example 命名空间创建限制范围：
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults.yaml --namespace=default-mem-example
+```
+
+<!--
+Now if you create a Pod in the default-mem-example namespace, and any container
+within that Pod does not specify its own values for memory request and memory limit,
+then the {{< glossary_tooltip text="control plane" term_id="control-plane" >}}
+applies default values: a memory request of 256MiB and a memory limit of 512MiB.
+
+Here's an example manifest for a Pod that has one container. The container
+does not specify a memory request and limit.
+-->
+现在如果你在 default-mem-example 命名空间中创建一个 Pod，
+并且该 Pod 中所有容器都没有声明自己的内存请求和内存限制，
+{{< glossary_tooltip text="控制面" term_id="control-plane" >}}
+会将内存的默认请求值 256MiB 和默认限制值 512MiB 应用到 Pod 上。
+
+以下为只包含一个容器的 Pod 的清单。该容器没有声明内存请求和限制。
+
+{{< codenew file="admin/resource/memory-defaults-pod.yaml" >}}
+
+<!--
+Create the Pod.
+-->
+创建 Pod：
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod.yaml --namespace=default-mem-example
+```
+
+<!--
+View detailed information about the Pod:
+-->
+查看 Pod 的详情：
+
+```shell
+kubectl get pod default-mem-demo --output=yaml --namespace=default-mem-example
+```
+
+<!--
+The output shows that the Pod's container has a memory request of 256 MiB and
+a memory limit of 512 MiB. These are the default values specified by the LimitRange.
+-->
+输出内容显示该 Pod 的容器有 256 MiB 的内存请求和 512 MiB 的内存限制。
+这些都是 LimitRange 设置的默认值。
+
+```shell
+containers:
+- image: nginx
+  imagePullPolicy: Always
+  name: default-mem-demo-ctr
+  resources:
+    limits:
+      memory: 512Mi
+    requests:
+      memory: 256Mi
+```
+
+<!--
+Delete your Pod:
+-->
+删除你的 Pod：
+
+```shell
+kubectl delete pod default-mem-demo --namespace=default-mem-example
+```
+
+<!--
+## What if you specify a container's limit, but not its request?
+
+Here's a manifest for a Pod that has one container. The container
+specifies a memory limit, but not a request:
+-->
+## 声明容器的限制而不声明它的请求会怎么样？
+
+以下为只包含一个容器的 Pod 的清单。该容器声明了内存限制，而没有声明内存请求。
+
+{{< codenew file="admin/resource/memory-defaults-pod-2.yaml" >}}
+
+<!--
+Create the Pod:
+-->
+创建 Pod：
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-2.yaml --namespace=default-mem-example
+```
+
+<!--
+View detailed information about the Pod:
+-->
+查看 Pod 的详情：
+
+```shell
+kubectl get pod default-mem-demo-2 --output=yaml --namespace=default-mem-example
+```
+
+<!--
+The output shows that the container's memory request is set to match its memory limit.
+Notice that the container was not assigned the default memory request value of 256Mi.
+-->
+输出结果显示容器的内存请求被设置为它的内存限制相同的值。注意该容器没有被指定默认的内存请求值 256MiB。
+
+```
+resources:
+  limits:
+    memory: 1Gi
+  requests:
+    memory: 1Gi
+```
+
+<!--
+## What if you specify a container's request, but not its limit?
+-->
+## 声明容器的内存请求而不声明内存限制会怎么样？
+
+<!--
+Here's a manifest for a Pod that has one container. The container
+specifies a memory request, but not a limit:
+-->
+以下为只包含一个容器的 Pod 的清单。该容器声明了内存请求，但没有内存限制：
+
+{{< codenew file="admin/resource/memory-defaults-pod-3.yaml" >}}
+
+<!--
+Create the Pod:
+-->
+创建 Pod：
+
+```shell
+kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-3.yaml --namespace=default-mem-example
+```
+
+<!--
+View the Pod's specification:
+-->
+查看 Pod 声明：
+
+```shell
+kubectl get pod default-mem-demo-3 --output=yaml --namespace=default-mem-example
+```
+
+<!--
+The output shows that the container's memory request is set to the value specified in the
+container's manifest. The container is limited to use no more than 512MiB of
+memory, which matches the default memory limit for the namespace.
+-->
+输出结果显示所创建的 Pod 中，容器的内存请求为 Pod 清单中声明的值。
+然而同一容器的内存限制被设置为 512MiB，此值是该命名空间的默认内存限制值。
+
+```
+resources:
+  limits:
+    memory: 512Mi
+  requests:
+    memory: 128Mi
+```
+
+<!--
+## Motivation for default memory limits and requests
+
+If your namespace has a memory {{< glossary_tooltip text="resource quota" term_id="resource-quota" >}}
+configured,
+it is helpful to have a default value in place for memory limit.
+Here are three of the restrictions that a resource quota imposes on a namespace:
+
+* For every Pod that runs in the namespace, the Pod and each of its containers must have a memory limit.
+  (If you specify a memory limit for every container in a Pod, Kubernetes can infer the Pod-level memory
+  limit by adding up the limits for its containers).
+* Memory limits apply a resource reservation on the node where the Pod in question is scheduled.
+  The total amount of memory reserved for all Pods in the namespace must not exceed a specified limit.
+* The total amount of memory actually used by all Pods in the namespace must also not exceed a specified limit.
+-->
+## 设置默认内存限制和请求的动机
+
+如果你的命名空间设置了内存 {{< glossary_tooltip text="资源配额" term_id="resource-quota" >}}，
+那么为内存限制设置一个默认值会很有帮助。
+以下是内存资源配额对命名空间的施加的三条限制：
+
+* 命名空间中运行的每个 Pod 中的容器都必须有内存限制。
+  （如果为 Pod 中的每个容器声明了内存限制，
+  Kubernetes 可以通过将其容器的内存限制相加推断出 Pod 级别的内存限制）。
+
+* 内存限制用来在 Pod 被调度到的节点上执行资源预留。
+  预留给命名空间中所有 Pod 使用的内存总量不能超过规定的限制。
+
+* 命名空间中所有 Pod 实际使用的内存总量也不能超过规定的限制。
+
+<!--
+When you add a LimitRange:
+
+If any Pod in that namespace that includes a container does not specify its own memory limit,
+the control plane applies the default memory limit to that container, and the Pod can be
+allowed to run in a namespace that is restricted by a memory ResourceQuota.
+-->
+当你添加 LimitRange 时：
+
+如果该命名空间中的任何 Pod 的容器未指定内存限制，
+控制面将默认内存限制应用于该容器，
+这样 Pod 可以在受到内存 ResourceQuota 限制的命名空间中运行。
+
+<!--
+## Clean up
+
+Delete your namespace:
+-->
+## 清理
+
+删除你的命名空间：
+
+```shell
+kubectl delete namespace default-mem-example
+```
+
+## {{% heading "whatsnext" %}}
+
+<!--
+### For cluster administrators
+
+* [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/cpu-default-namespace/)
+
+* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/memory-constraint-namespace/)
+
+* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/cpu-constraint-namespace/)
+
+* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/)
+
+* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/quota-pod-namespace/)
+
+* [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
+-->
+### 集群管理员参考
+
+* [为命名空间配置默认的 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+* [为命名空间配置最小和最大内存限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置最小和最大 CPU 限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
+
+<!--
+### For app developers
+
+* [Assign Memory Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-memory-resource/)
+
+* [Assign CPU Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-cpu-resource/)
+
+* [Configure Quality of Service for Pods](/docs/tasks/configure-pod-container/quality-service-pod/)
+-->
+### 应用开发者参考
+
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 配置服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
+
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md
similarity index 53%
rename from content/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md
rename to content/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md
index 416b076094234..e24f7426818eb 100644
--- a/content/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md
@@ -2,33 +2,43 @@
 title: 为命名空间配置内存和 CPU 配额
 content_type: task
 weight: 50
+description: >-
+  为命名空间定义总的 CPU 和内存资源限制。
 ---
 
 <!--
 title: Configure Memory and CPU Quotas for a Namespace
 content_type: task
 weight: 50
+description: >-
+  Define overall memory and CPU resource limits for a namespace.
 -->
 
 <!-- overview -->
 
 <!--
 This page shows how to set quotas for the total amount memory and CPU that
-can be used by all Containers running in a namespace. You specify quotas in a
-[ResourceQuota](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcequota-v1-core)
+can be used by all Pods running in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}.
+You specify quotas in a
+[ResourceQuota](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
 object.
 -->
-本文介绍怎样为命名空间设置容器可用的内存和 CPU 总量。你可以通过
-[ResourceQuota](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcequota-v1-core)
+本文介绍如何为{{< glossary_tooltip text="命名空间" term_id="namespace" >}}下运行的所有 Pod 设置总的内存和 CPU 配额。
+你可以通过使用
+[ResourceQuota](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
 对象设置配额.
 
 ## {{% heading "prerequisites" %}}
 
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+{{< include "task-tutorial-prereqs.md" >}}
 
 <!--
+You must have access to create namespaces in your cluster.
+
 Each node in your cluster must have at least 1 GiB of memory.
 -->
+在你的集群里你必须要有创建命名空间的权限。
+
 集群中每个节点至少有 1 GiB 的内存。
 
 <!-- steps -->
@@ -51,11 +61,11 @@ kubectl create namespace quota-mem-cpu-example
 <!--
 ## Create a ResourceQuota
 
-Here is the configuration file for a ResourceQuota object:
+Here is a manifest for an example ResourceQuota:
 -->
 ## 创建 ResourceQuota
 
-这里给出一个 ResourceQuota 对象的配置文件：
+下面是 ResourceQuota 的示例清单：
 
 {{< codenew file="admin/resource/quota-mem-cpu.yaml" >}}
 
@@ -80,28 +90,33 @@ kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example --outpu
 <!--
 The ResourceQuota places these requirements on the quota-mem-cpu-example namespace:
 
-* Every Container must have a memory request, memory limit, cpu request, and cpu limit.
-* The memory request total for all Containers must not exceed 1 GiB.
-* The memory limit total for all Containers must not exceed 2 GiB.
-* The CPU request total for all Containers must not exceed 1 cpu.
-* The CPU limit total for all Containers must not exceed 2 cpu.
+* For every Pod in the namespace, each container must have a memory request, memory limit, cpu request, and cpu limit.
+* The memory request total for all Pods in that namespace must not exceed 1 GiB.
+* The memory limit total for all Pods in that namespace must not exceed 2 GiB.
+* The CPU request total for all Pods in that namespace must not exceed 1 cpu.
+* The CPU limit total for all Pods in that namespace must not exceed 2 cpu.
+
+See [meaning of CPU](/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)
+to learn what Kubernetes means by “1 CPU”.
 -->
 ResourceQuota 在 quota-mem-cpu-example 命名空间中设置了如下要求：
 
-* 每个容器必须有内存请求和限制，以及 CPU 请求和限制。
-* 所有容器的内存请求总和不能超过1 GiB。
-* 所有容器的内存限制总和不能超过2 GiB。
-* 所有容器的 CPU 请求总和不能超过1 cpu。
-* 所有容器的 CPU 限制总和不能超过2 cpu。
+* 在该命名空间中的每个 Pod 的所有容器都必须要有内存请求和限制，以及 CPU 请求和限制。
+* 在该命名空间中所有 Pod 的内存请求总和不能超过 1 GiB。
+* 在该命名空间中所有 Pod 的内存限制总和不能超过 2 GiB。
+* 在该命名空间中所有 Pod 的 CPU 请求总和不能超过 1 cpu。
+* 在该命名空间中所有 Pod 的 CPU 限制总和不能超过 2 cpu。
 
+请阅读 [CPU 的含义](/zh-cn/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)
+理解 "1 CPU" 在 Kubernetes 中的含义。
 <!--
 ## Create a Pod
 
-Here is the configuration file for a Pod:
+Here is a manifest for an example Pod:
 -->
 ## 创建 Pod
 
-这里给出 Pod 的配置文件：
+以下是 Pod 的示例清单：
 
 {{< codenew file="admin/resource/quota-mem-cpu-pod.yaml" >}}
 
@@ -115,11 +130,11 @@ kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod.yaml -
 ```
 
 <!--
-Verify that the Pod's Container is running:
+Verify that the Pod is running and that its (only) container is healthy:
 -->
-检查下 Pod 中的容器在运行：
+确认 Pod 正在运行，并且其容器处于健康状态：
 
-```
+```shell
 kubectl get pod quota-mem-cpu-demo --namespace=quota-mem-cpu-example
 ```
 
@@ -128,7 +143,7 @@ Once again, view detailed information about the ResourceQuota:
 -->
 再查看 ResourceQuota 的详情：
 
-```
+```shell
 kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example --output=yaml
 ```
 
@@ -153,27 +168,38 @@ status:
     requests.memory: 600Mi
 ```
 
+<!--
+If you have the `jq` tool, you can also query (using [JSONPath](/docs/reference/kubectl/jsonpath/))
+for just the `used` values, **and** pretty-print that that of the output. For example:
+-->
+如果有 `jq` 工具的话，你可以通过（使用 [JSONPath](/zh-cn/docs/reference/kubectl/jsonpath/)）
+直接查询 `used` 字段的值，并且输出整齐的 JSON 格式。
+
+```shell
+kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example -o jsonpath='{ .status.used }' | jq .
+```
+
 <!--
 ## Attempt to create a second Pod
 
-Here is the configuration file for a second Pod:
+Here is a manifest for a second Pod:
 -->
 ## 尝试创建第二个 Pod
 
-这里给出了第二个 Pod 的配置文件：
+以下为第二个 Pod 的清单：
 
 {{< codenew file="admin/resource/quota-mem-cpu-pod-2.yaml" >}}
 
 <!--
-In the configuration file, you can see that the Pod has a memory request of 700 MiB.
+In the manifest, you can see that the Pod has a memory request of 700 MiB.
 Notice that the sum of the used memory request and this new memory
-request exceeds the memory request quota. 600 MiB + 700 MiB > 1 GiB.
+request exceeds the memory request quota: 600 MiB + 700 MiB > 1 GiB.
 
 Attempt to create the Pod:
 -->
 
-配置文件中，你可以看到 Pod 的内存请求为 700 MiB。
-请注意新的内存请求与已经使用的内存请求只和超过了内存请求的配额。
+在清单中，你可以看到 Pod 的内存请求为 700 MiB。
+请注意新的内存请求与已经使用的内存请求之和超过了内存请求的配额：
 600 MiB + 700 MiB > 1 GiB。
 
 尝试创建 Pod：
@@ -198,19 +224,20 @@ requested: requests.memory=700Mi,used: requests.memory=600Mi, limited: requests.
 ## Discussion
 
 As you have seen in this exercise, you can use a ResourceQuota to restrict
-the memory request total for all Containers running in a namespace.
+the memory request total for all Pods running in a namespace.
 You can also restrict the totals for memory limit, cpu request, and cpu limit.
 
-If you want to restrict individual Containers, instead of totals for all Containers, use a
-[LimitRange](/docs/tasks/administer-cluster/memory-constraint-namespace/).
+Instead of managing total resource use within a namespace, you might want to restrict
+individual Pods, or the containers in those Pods. To achieve that kind of limiting, use a
+[LimitRange](/docs/concepts/policy/limit-range/).
 -->
 ## 讨论
 
-如你在本练习中所见，你可以用 ResourceQuota 限制命名空间中所有容器的内存请求总量。
+如你在本练习中所见，你可以用 ResourceQuota 限制命名空间中所有 Pod 的内存请求总量。
 同样你也可以限制内存限制总量、CPU 请求总量、CPU 限制总量。
 
-如果你想对单个容器而不是所有容器进行限制，就请使用
-[LimitRange](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)。
+除了可以管理命名空间资源使用的总和，如果你想限制单个 Pod，或者限制这些 Pod 中的容器资源，
+可以使用 [LimitRange](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/) 实现这类的功能。
 
 <!--
 ## Clean up
@@ -240,12 +267,12 @@ kubectl delete namespace quota-mem-cpu-example
 
 ### 集群管理员参考
 
-* [为命名空间配置默认内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置内存限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置 CPU 限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [为 API 对象配置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [为命名空间配置默认内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置内存限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置 CPU 限制的最小值和最大值](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
 <!--
 ### For app developers
@@ -256,7 +283,7 @@ kubectl delete namespace quota-mem-cpu-example
 -->
 ### 应用开发者参考
 
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配CPU资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [为 Pod 配置服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 配置服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md
similarity index 57%
rename from content/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md
rename to content/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md
index 724a711d004a8..f892c30bfbf4a 100644
--- a/content/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md
@@ -2,24 +2,39 @@
 title: 配置命名空间下 Pod 配额
 content_type: task
 weight: 60
+description: >-
+  限制在命名空间中创建的 Pod 数量。
 ---
 
+<!--
+title: Configure a Pod Quota for a Namespace
+content_type: task
+weight: 60
+description: >-
+  Restrict how many Pods you can create within a namespace.
+-->
+
 <!-- overview -->
 
 <!--
 This page shows how to set a quota for the total number of Pods that can run
-in a namespace. You specify quotas in a
-[ResourceQuota](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcequota-v1-core)
+in a {{< glossary_tooltip text="Namespace" term_id="namespace" >}}. You specify quotas in a
+[ResourceQuota](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
 object.
 -->
-本文主要描述如何配置一个命名空间下可运行的 Pod 个数配额。
-你可以使用
-[ResourceQuota](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcequota-v1-core)
+本文主要介绍如何在{{< glossary_tooltip text="命名空间" term_id="namespace" >}}中设置可运行 Pod 总数的配额。
+你可以通过使用
+[ResourceQuota](/zh-cn/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/)
 对象来配置配额。
 
 ## {{% heading "prerequisites" %}}
 
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+{{< include "task-tutorial-prereqs.md" >}}
+
+<!--
+You must have access to create namespaces in your cluster.
+-->
+在你的集群里你必须要有创建命名空间的权限。
 
 <!-- steps -->
 
@@ -40,11 +55,11 @@ kubectl create namespace quota-pod-example
 <!--
 ## Create a ResourceQuota
 
-Here is the configuration file for a ResourceQuota object:
+Here is an example manifest for a ResourceQuota:
 -->
 ## 创建 ResourceQuota
 
-下面是一个 ResourceQuota 的配置文件：
+下面是 ResourceQuota 的示例清单：
 
 {{< codenew file="admin/resource/quota-pod.yaml" >}}
 
@@ -83,18 +98,20 @@ status:
 ```
 
 <!--
-Here is the configuration file for a Deployment:
+Here is an example manifest for a {{< glossary_tooltip term_id="deployment" >}}:
 -->
-下面是一个 Deployment 的配置文件：
+下面是一个 {{< glossary_tooltip term_id="deployment" >}} 的示例清单：
 
 {{< codenew file="admin/resource/quota-pod-deployment.yaml" >}}
 
 <!--
-In the configuration file, `replicas: 3` tells Kubernetes to attempt to create three Pods, all running the same application.
+In that manifest, `replicas: 3` tells Kubernetes to attempt to create three new Pods, all
+running the same application.
 
 Create the Deployment:
 -->
-在配置文件中，`replicas: 3` 告诉 Kubernetes 尝试创建三个 Pods，且运行相同的应用。
+在清单中，`replicas: 3` 告诉 Kubernetes 尝试创建三个 Pods，
+且运行相同的应用。
 
 创建这个 Deployment：
 
@@ -113,7 +130,7 @@ kubectl get deployment pod-quota-demo --namespace=quota-pod-example --output=yam
 
 <!--
 The output shows that even though the Deployment specifies three replicas, only two
-Pods were created because of the quota.
+Pods were created because of the quota you defined earlier:
 -->
 从输出的信息我们可以看到，尽管尝试创建三个 Pod，但是由于配额的限制，只有两个 Pod 能被成功创建。
 
@@ -125,11 +142,24 @@ spec:
 status:
   availableReplicas: 2
 ...
-lastUpdateTime: 2017-07-07T20:57:05Z
+lastUpdateTime: 2021-04-02T20:57:05Z
     message: 'unable to create pods: pods "pod-quota-demo-1650323038-" is forbidden:
       exceeded quota: pod-demo, requested: pods=1, used: pods=2, limited: pods=2'
 ```
 
+<!--
+### Choice of resource
+
+In this task you have defined a ResourceQuota that limited the total number of Pods, but
+you could also limit the total number of other kinds of object. For example, you
+might decide to limit how many {{< glossary_tooltip text="CronJobs" term_id="cronjob" >}}
+that can live in a single namespace.
+-->
+### 资源的选择
+在此任务中，你定义了一个限制 Pod 总数的 ResourceQuota，
+你也可以限制其他类型对象的总数。例如，
+你可以限制在一个命名空间中可以创建的 {{< glossary_tooltip text="CronJobs" term_id="cronjob" >}} 的数量。
+
 <!--
 ## Clean up
 
@@ -157,12 +187,12 @@ kubectl delete namespace quota-pod-example
 -->
 ### 集群管理人员参考
 
-* [为命名空间配置默认的内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置默认的的 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
-* [为命名空间配置内存的最小值和最大值约束](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置 CPU 的最小值和最大值约束](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为 API 对象的设置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [为命名空间配置默认的内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置默认的的 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+* [为命名空间配置内存的最小值和最大值约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置 CPU 的最小值和最大值约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为 API 对象的设置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
 <!--
 ### For app developers
@@ -173,7 +203,7 @@ kubectl delete namespace quota-pod-example
 -->
 ### 应用开发人员参考
 
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [给容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [配置 Pod 的服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [给容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [配置 Pod 的服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
diff --git a/content/zh/docs/tasks/administer-cluster/memory-manager.md b/content/zh-cn/docs/tasks/administer-cluster/memory-manager.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/memory-manager.md
rename to content/zh-cn/docs/tasks/administer-cluster/memory-manager.md
index 4ad68c54b0d6f..f0124a24f5fab 100644
--- a/content/zh/docs/tasks/administer-cluster/memory-manager.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/memory-manager.md
@@ -62,9 +62,9 @@ To align memory resources with other requested resources in a Pod Spec:
 为了使得内存资源与 Pod 规约中所请求的其他资源对齐：
 
 - CPU 管理器应该被启用，并且在节点（Node）上要配置合适的 CPU 管理器策略，
-  参见[控制 CPU 管理策略](/zh/docs/tasks/administer-cluster/cpu-management-policies/)；
+  参见[控制 CPU 管理策略](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/)；
 - 拓扑管理器要被启用，并且要在节点上配置合适的拓扑管理器策略，参见
-  [控制拓扑管理器策略](/zh/docs/tasks/administer-cluster/topology-manager/)。
+  [控制拓扑管理器策略](/zh-cn/docs/tasks/administer-cluster/topology-manager/)。
 
 <!--
 Starting from v1.22, the Memory Manager is enabled by default through `MemoryManager`
@@ -77,7 +77,7 @@ Preceding v1.22, the `kubelet` must be started with the following flag:
 in order to enable the Memory Manager feature.
 -->
 从 v1.22 开始，内存管理器通过
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 `MemoryManager` 默认启用。
 
 在 v1.22 之前，`kubelet` 必须在启动时设置如下标志：
@@ -266,7 +266,7 @@ A dedicated set of flags can be used for this purpose to set the total amount of
 for a node. This pre-configured value is subsequently utilized to calculate
 the real amount of node's "allocatable" memory available to pods.
 -->
-[节点可分配](/zh/docs/tasks/administer-cluster/reserve-compute-resources/)机制通常
+[节点可分配](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/)机制通常
 被节点管理员用来为 kubelet 或操作系统进程预留 K8S 节点上的系统资源，目的是提高节点稳定性。
 有一组专用的标志可用于这个目的，为节点设置总的预留内存量。
 此预配置的值接下来会被用来计算节点上对 Pods “可分配的”内存。
@@ -315,7 +315,7 @@ In fact, `eviction-hard` threshold value is equal to `100Mi` by default, so
 if `Static` policy is used, `--reserved-memory` is obligatory.
 -->
 你也可以忽略此参数，不过这样做时，你要清楚，所有 NUMA 节点上预留内存的数量要等于
-[节点可分配特性](/zh/docs/tasks/administer-cluster/reserve-compute-resources/)
+[节点可分配特性](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/)
 所设定的内存量。如果至少有一个节点可分配参数值为非零，你就需要至少为一个 NUMA
 节点设置 `--reserved-memory`。实际上，`eviction-hard` 阈值默认为 `100Mi`，
 所以当使用 `Static` 策略时，`--reserved-memory` 是必须设置的。
@@ -777,7 +777,7 @@ This information can be retrieved solely for pods in Guaranteed QoS class.
 -->
 ### 设备插件资源 API     {#device-plugin-resource-api}
 
-通过使用此 [API](/zh/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)，
+通过使用此 [API](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)，
 可以获得每个容器的预留内存信息，该信息位于 protobuf 协议的 `ContainerMemory` 消息中。
 只能针对 Guaranteed QoS 类中的 Pod 来检索此信息。
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
new file mode 100644
index 0000000000000..d5f35928e70d3
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
@@ -0,0 +1,89 @@
+---
+title: 从 dockershim 迁移
+weight: 10
+content_type: task 
+no_list: true
+---
+<!-- 
+title: "Migrating from dockershim"
+weight: 10
+content_type: task 
+-->
+
+<!-- overview -->
+
+<!-- 
+This section presents information you need to know when migrating from
+dockershim to other container runtimes.
+-->
+本节提供从 dockershim 迁移到其他容器运行时的必备知识。
+
+<!-- 
+Since the announcement of [dockershim deprecation](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)
+in Kubernetes 1.20, there were questions on how this will affect various workloads and Kubernetes
+installations. Our [Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/) is there to help you
+to understand the problem better.
+-->
+自从 Kubernetes 1.20 宣布
+[弃用 dockershim](/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)，
+各类疑问随之而来：这对各类工作负载和 Kubernetes 部署会产生什么影响。
+我们的[弃用  Dockershim 常见问题](/blog/2022/02/17/dockershim-faq/)可以帮助你更好地理解这个问题。
+
+<!-- 
+Dockershim was removed from Kubernetes with the release of v1.24.
+If you use Docker Engine via dockershim as your container runtime, and wish to upgrade to v1.24,
+it is recommended that you either migrate to another runtime or find an alternative means to obtain Docker Engine support.
+-->
+Dockershim 在 Kubernetes v1.24 版本已经被移除。
+如果你集群内是通过 dockershim 使用 Docker Engine 作为容器运行时，并希望 Kubernetes 升级到 v1.24，
+建议你迁移到其他容器运行时或使用其他方法以获得 Docker 引擎支持。
+
+<!--
+Check out [container runtimes](/docs/setup/production-environment/container-runtimes/)
+section to know your options. Make sure to
+[report issues](https://github.com/kubernetes/kubernetes/issues) you encountered
+with the migration. So the issue can be fixed in a timely manner and your cluster would be
+ready for dockershim removal.
+-->
+建议从 dockershim 迁移到其他替代的容器运行时。
+请参阅[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
+一节以了解可用的备选项。
+当在迁移过程中遇到麻烦，请[上报问题](https://github.com/kubernetes/kubernetes/issues)。
+那么问题就可以及时修复，你的集群也可以进入移除 dockershim 前的就绪状态。
+
+<!--
+Your cluster might have more than one kind of node, although this is not a common
+configuration.
+
+These tasks will help you to migrate:
+
+* [Check whether Dockershim deprecation affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
+* [Migrate Docker Engine nodes from dockershim to cri-dockerd](/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd/)
+* [Migrating telemetry and security agents from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/)
+-->
+你的集群中可以有不止一种类型的节点，尽管这不是常见的情况。
+
+下面这些任务可以帮助你完成迁移：
+
+* [检查弃用 Dockershim 是否影响到你](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/)
+* [将 Docker Engine 节点从 dockershim 迁移到 cri-dockerd](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd/)
+* [从 dockershim 迁移遥测和安全代理](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/)
+
+## {{% heading "whatsnext" %}}
+
+<!--
+* Check out [container runtimes](/docs/setup/production-environment/container-runtimes/)
+  to understand your options for a container runtime.
+* There is a
+  [GitHub issue](https://github.com/kubernetes/kubernetes/issues/106917)
+  to track discussion about the deprecation and removal of dockershim.
+* If you found a defect or other technical concern relating to migrating away from dockershim,
+  you can [report an issue](https://github.com/kubernetes/kubernetes/issues/new/choose)
+  to the Kubernetes project.
+-->
+* 查看[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)了解可选的容器运行时。
+* [GitHub 问题](https://github.com/kubernetes/kubernetes/issues/106917)跟踪有关
+  dockershim 的弃用和删除的讨论。
+* 如果你发现与 dockershim 迁移相关的缺陷或其他技术问题，
+  可以在 Kubernetes 项目[报告问题](https://github.com/kubernetes/kubernetes/issues/new/choose)。
+
diff --git a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
similarity index 94%
rename from content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
rename to content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
index 44f4a9f008d66..6688fe25f32cc 100644
--- a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
@@ -19,7 +19,7 @@ can be picked from this [page](/docs/setup/production-environment/container-runt
 本任务给出将容器运行时从 Docker 改为 containerd 所需的步骤。
 此任务适用于运行 1.23 或更早版本 Kubernetes 的集群操作人员。
 同时，此任务也涉及从 dockershim 迁移到 containerd 的示例场景，
-以及可以从[此页面](/zh/docs/setup/production-environment/container-runtimes/)
+以及可以从[此页面](/zh-cn/docs/setup/production-environment/container-runtimes/)
 获得的其他容器运行时列表。
 
 ## {{% heading "prerequisites" %}}
@@ -34,7 +34,7 @@ and for specific prerequisite follow
 -->
 安装 containerd。进一步的信息可参见
 [containerd 的安装文档](https://containerd.io/docs/getting-started/)。
-关于一些特定的环境准备工作，请遵循 [containerd 指南](/zh/docs/setup/production-environment/container-runtimes/#containerd)。
+关于一些特定的环境准备工作，请遵循 [containerd 指南](/zh-cn/docs/setup/production-environment/container-runtimes/#containerd)。
 
 <!--
 ## Drain the node 
@@ -71,7 +71,7 @@ for detailed steps to install containerd.
 -->
 ## 安装 Containerd    {#install-containerd}
 
-遵循此[指南](/zh/docs/setup/production-environment/container-runtimes/#containerd)
+遵循此[指南](/zh-cn/docs/setup/production-environment/container-runtimes/#containerd)
 了解安装 containerd 的详细步骤。
 
 {{< tabs name="tab-cri-containerd-installation" >}}
@@ -81,11 +81,11 @@ for detailed steps to install containerd.
 1. Install the `containerd.io` package from the official Docker repositories. 
    Instructions for setting up the Docker repository for your respective Linux distribution and
    installing the `containerd.io` package can be found at 
-   [Install Docker Engine](https://docs.docker.com/engine/install/#server).
+   [Getting started with containerd](https://github.com/containerd/containerd/blob/main/docs/getting-started.md).
 -->
 1. 从官方的 Docker 仓库安装 `containerd.io` 包。关于为你所使用的 Linux 发行版来设置
    Docker 仓库，以及安装 `containerd.io` 包的详细说明，可参见
-   [Install Docker Engine](https://docs.docker.com/engine/install/#server)。
+   [开始使用 containerd](https://github.com/containerd/containerd/blob/main/docs/getting-started.md)。
 
 <!--
 1. Configure containerd:
diff --git a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md
similarity index 86%
rename from content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you.md
rename to content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md
index 96132ad465ba3..cde525ce9a112 100644
--- a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md
@@ -1,5 +1,5 @@
 ---
-title: 检查弃用 Dockershim 对你的影响
+title: 检查弃用 Dockershim 是否对你有影响
 content_type: task 
 weight: 20
 ---
@@ -16,19 +16,18 @@ weight: 20
 <!-- 
 The `dockershim` component of Kubernetes allows to use Docker as a Kubernetes's
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
-Kubernetes' built-in `dockershim` component was
-[deprecated](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)
-in release v1.20.
+Kubernetes' built-in `dockershim` component was removed in release v1.24.
 -->
+
 Kubernetes 的 `dockershim` 组件使得你可以把 Docker 用作 Kubernetes 的
 {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}。
-在 Kubernetes v1.20 版本中，内建组件 `dockershim` 被[弃用](/zh/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)。
+在 Kubernetes v1.24 版本中，内建组件 `dockershim` 被移除。
 
 
 <!-- 
 This page explains how your cluster could be using Docker as a container runtime,
 provides details on the role that `dockershim` plays when in use, and shows steps
-you can take to check whether any workloads could be affected by `dockershim` deprecation.
+you can take to check whether any workloads could be affected by `dockershim` removal.
 -->
 本页讲解你的集群把 Docker 用作容器运行时的运作机制，
 并提供使用 `dockershim` 时，它所扮演角色的详细信息，
@@ -67,15 +66,6 @@ dependency on Docker:
    - SSH to nodes to troubleshoot;
    - Node startup scripts;
    - Monitoring and security agents installed on nodes directly.
-1. Third-party tools that perform above mentioned privileged operations. See
-   [Migrating telemetry and security agents from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents)
-   for more information.
-1. Make sure there is no indirect dependencies on dockershim behavior.
-   This is an edge case and unlikely to affect your application. Some tooling may be configured
-   to react to Docker-specific behaviors, for example, raise alert on specific metrics or search for
-   a specific log message as part of troubleshooting instructions.
-   If you have such tooling configured, test the behavior on test
-   cluster before migration.
 -->
 1. 确认没有特权 Pod 执行 Docker 命令（如 `docker ps`）、重新启动 Docker
    服务（如 `systemctl restart docker.service`）或修改 Docker 配置文件
@@ -83,12 +73,23 @@ dependency on Docker:
 2. 检查 Docker 配置文件（如 `/etc/docker/daemon.json`）中容器镜像仓库的镜像（mirror）站点设置。
    这些配置通常需要针对不同容器运行时来重新设置。
 3. 检查确保在 Kubernetes 基础设施之外的节点上运行的脚本和应用程序没有执行 Docker 命令。
-   可能的情况如：
+   可能的情况有：
    - SSH 到节点排查故障；
    - 节点启动脚本；
    - 直接安装在节点上的监控和安全代理。
-4. 检查执行上述特权操作的第三方工具。详细操作请参考
-   [从 dockershim 迁移遥测和安全代理](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents)。
+<!--
+1. Third-party tools that perform above mentioned privileged operations. See
+   [Migrating telemetry and security agents from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents)
+   for more information.
+1. Make sure there is no indirect dependencies on dockershim behavior.
+   This is an edge case and unlikely to affect your application. Some tooling may be configured
+   to react to Docker-specific behaviors, for example, raise alert on specific metrics or search for
+   a specific log message as part of troubleshooting instructions.
+   If you have such tooling configured, test the behavior on test
+   cluster before migration.
+-->
+4. 检查执行上述特权操作的第三方工具。
+   详细操作请参考[从 dockershim 迁移遥测和安全代理](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents)。
 5. 确认没有对 dockershim 行为的间接依赖。这是一种极端情况，不太可能影响你的应用。
    一些工具很可能被配置为使用了 Docker 特性，比如，基于特定指标发警报，
    或者在故障排查指令的一个环节中搜索特定的日志信息。
@@ -106,7 +107,8 @@ and scheduling of Pods; on each node, the {{< glossary_tooltip text="kubelet" te
 uses the container runtime interface as an abstraction so that you can use any compatible
 container runtime.
  -->
-[容器运行时](/zh/docs/concepts/containers/#container-runtimes)是一个软件，用来运行组成 Kubernetes Pod 的容器。
+[容器运行时](/zh-cn/docs/concepts/containers/#container-runtimes)是一个软件，
+用来运行组成 Kubernetes Pod 的容器。
 Kubernetes 负责编排和调度 Pod；在每一个节点上，{{< glossary_tooltip text="kubelet" term_id="kubelet" >}}
 使用抽象的容器运行时接口，所以你可以任意选用兼容的容器运行时。
 
@@ -119,8 +121,8 @@ adapter component, `dockershim`. The dockershim adapter allows the kubelet to in
 if Docker were a CRI compatible runtime.
  -->
 在早期版本中，Kubernetes 提供的兼容性支持一个容器运行时：Docker。
-在 Kubernetes 发展历史中，集群运营人员希望采用更多的容器运行时。
-于是 CRI 被设计出来满足这类灵活性需要 - 而 kubelet 亦开始支持 CRI。
+在 Kubernetes 后来的发展历史中，集群运营人员希望采用别的容器运行时。
+于是 CRI 被设计出来满足这类灵活性需求 - 而 kubelet 亦开始支持 CRI。
 然而，因为 Docker 在 CRI 规范创建之前就已经存在，Kubernetes 就创建了一个适配器组件 `dockershim`。
 dockershim 适配器允许 kubelet 与 Docker 交互，就好像 Docker 是一个 CRI 兼容的运行时一样。
 
@@ -128,7 +130,7 @@ dockershim 适配器允许 kubelet 与 Docker 交互，就好像 Docker 是一
 You can read about it in [Kubernetes Containerd integration goes GA](/blog/2018/05/24/kubernetes-containerd-integration-goes-ga/) blog post.
  -->
 你可以阅读博文
-[Kubernetes 正式支持集成 Containerd](/zh/blog/2018/05/24/kubernetes-containerd-integration-goes-ga/)。
+[Kubernetes 正式支持集成 Containerd](/zh-cn/blog/2018/05/24/kubernetes-containerd-integration-goes-ga/)。
 
 <!-- Dockershim vs. CRI with Containerd -->
 ![Dockershim 和 Containerd CRI 的实现对比图](/images/blog/2018-05-24-kubernetes-containerd-integration-goes-ga/cri-containerd.png)
@@ -140,7 +142,7 @@ now, since containers schedule directly with the container runtime, they are not
 So any Docker tooling or fancy UI you might have used
 before to check on these containers is no longer available.
  -->
-切换到容器运行时 Containerd 可以消除掉中间环节。
+切换到 Containerd 容器运行时可以消除掉中间环节。
 所有相同的容器都可由 Containerd 这类容器运行时来运行。
 但是现在，由于直接用容器运行时调度容器，它们对 Docker 是不可见的。
 因此，你以前用来检查这些容器的 Docker 工具或漂亮的 UI 都不再可用。
@@ -153,12 +155,12 @@ or execute something inside container using `docker exec`.
 你不能再使用 `docker ps` 或 `docker inspect` 命令来获取容器信息。
 由于你不能列出容器，因此你不能获取日志、停止容器，甚至不能通过 `docker exec` 在容器中执行命令。
 
+{{< note >}}
 <!-- 
 If you're running workloads via Kubernetes, the best way to stop a container is through
 the Kubernetes API rather than directly through the container runtime (this advice applies
 for all container runtimes, not only Docker).
  -->
-{{< note >}}
 如果你在用 Kubernetes 运行工作负载，最好通过 Kubernetes API 停止容器，
 而不是通过容器运行时来停止它们
 （此建议适用于所有容器运行时，不仅仅是针对 Docker）。
@@ -174,12 +176,13 @@ by Kubernetes.
 但用 Docker 创建、下载的镜像，对于容器运行时和 Kubernetes，均不可见。
 为了在 Kubernetes 中使用，需要把镜像推送（push）到某镜像仓库。
 
-<!-- ## {{% heading "whatsnext" %}}
+## {{% heading "whatsnext" %}}
 
+<!--
 - Read [Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/) to understand your next steps
 - Read the [dockershim deprecation FAQ](/blog/2020/12/02/dockershim-faq/) article for more information. 
 -->
-## {{% heading "whatsnext" %}}
+- 阅读[从 dockershim 迁移](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/)，
+  以了解你的下一步工作。
+- 阅读[dockershim 弃用常见问题解答](/zh-cn/blog/2020/12/02/dockershim-faq/)文章，了解更多信息。
 
-- 阅读[从 dockershim 迁移](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/)以了解你的下一步工作
-- 阅读[dockershim 弃用常见问题解答](/zh/blog/2020/12/02/dockershim-faq/)文章了解更多信息。
\ No newline at end of file
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
new file mode 100644
index 0000000000000..5c7a15c2da537
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
@@ -0,0 +1,182 @@
+---
+title: 查明节点上所使用的容器运行时
+content_type: task
+weight: 10
+---
+<!--
+title: Find Out What Container Runtime is Used on a Node
+content_type: task
+reviewers:
+- SergeyKanzhelev
+weight: 10
+-->
+
+<!-- overview -->
+
+<!--
+This page outlines steps to find out what [container runtime](/docs/setup/production-environment/container-runtimes/)
+the nodes in your cluster use.
+-->
+本页面描述查明集群中节点所使用的[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
+的步骤。
+
+<!--
+Depending on the way you run your cluster, the container runtime for the nodes may
+have been pre-configured or you need to configure it. If you're using a managed
+Kubernetes service, there might be vendor-specific ways to check what container runtime is
+configured for the nodes. The method described on this page should work whenever
+the execution of `kubectl` is allowed.
+-->
+取决于你运行集群的方式，节点所使用的容器运行时可能是事先配置好的，
+也可能需要你来配置。如果你在使用托管的 Kubernetes 服务，
+可能存在特定于厂商的方法来检查节点上配置的容器运行时。
+本页描述的方法应该在能够执行 `kubectl` 的场合下都可以工作。
+
+## {{% heading "prerequisites" %}}
+
+<!--
+Install and configure `kubectl`. See [Install Tools](/docs/tasks/tools/#kubectl) section for details.
+-->
+安装并配置 `kubectl`。参见[安装工具](/zh-cn/docs/tasks/tools/#kubectl) 节了解详情。
+
+<!--
+## Find out the container runtime used on a Node
+
+Use `kubectl` to fetch and show node information:
+-->
+## 查明节点所使用的容器运行时 {#find-out-the-container-runtime-used-on-a-node}
+
+使用 `kubectl` 来读取并显示节点信息：
+
+```shell
+kubectl get nodes -o wide
+```
+
+<!--
+The output is similar to the following. The column `CONTAINER-RUNTIME` outputs
+the runtime and its version.
+
+For Docker Engine, the output is similar to this:
+-->
+输出如下面所示。`CONTAINER-RUNTIME` 列给出容器运行时及其版本。
+
+对于 Docker Engine，输出类似于：
+```none
+NAME         STATUS   VERSION    CONTAINER-RUNTIME
+node-1       Ready    v1.16.15   docker://19.3.1
+node-2       Ready    v1.16.15   docker://19.3.1
+node-3       Ready    v1.16.15   docker://19.3.1
+```
+<!--
+If your runtime shows as Docker Engine, you still might not be affected by the
+removal of dockershim in Kubernetes v1.24. [Check the runtime
+endpoint](#which-endpoint) to see if you use dockershim. If you don't use
+dockershim, you aren't affected. 
+
+For containerd, the output is similar to this:
+-->
+如果你的容器运行时显示为 Docker Engine，你仍然可能不会被 v1.24 中 dockershim 的移除所影响。
+通过[检查运行时端点](#which-endpoint)，可以查看你是否在使用 dockershim。
+如果你没有使用 dockershim，你就不会被影响。
+
+对于 containerd，输出类似于这样：
+
+```none
+# For containerd
+NAME         STATUS   VERSION   CONTAINER-RUNTIME
+node-1       Ready    v1.19.6   containerd://1.4.1
+node-2       Ready    v1.19.6   containerd://1.4.1
+node-3       Ready    v1.19.6   containerd://1.4.1
+```
+
+<!--
+Find out more information about container runtimes
+on [Container Runtimes](/docs/setup/production-environment/container-runtimes/)
+page.
+-->
+你可以在[容器运行时](/zh-cn/docs/setup/production-environment/container-runtimes/)
+页面找到与容器运行时相关的更多信息。
+
+<!--
+## Find out what container runtime endpoint you use {#which-endpoint}
+-->
+## 检查当前使用的运行时端点  {#which-endpoint}
+
+<!--
+The container runtime talks to the kubelet over a Unix socket using the [CRI
+protocol](/docs/concepts/architecture/cri/), which is based on the gRPC
+framework. The kubelet acts as a client, and the runtime acts as the server.
+In some cases, you might find it useful to know which socket your nodes use. For
+example, with the removal of dockershim in Kubernetes v1.24 and later, you might
+want to know whether you use Docker Engine with dockershim.
+-->
+
+容器运行时使用 Unix Socket 与 kubelet 通信，这一通信使用基于 gRPC 框架的
+[CRI 协议](/zh-cn/docs/concepts/architecture/cri/)。kubelet 扮演客户端，运行时扮演服务器端。
+在某些情况下，你可能想知道你的节点使用的是哪个 socket。
+如若集群是 Kubernetes v1.24 及以后的版本，
+或许你想知道当前运行时是否是使用 dockershim 的 Docker Engine。
+
+{{< note >}}
+<!--
+If you currently use Docker Engine in your nodes with `cri-dockerd`, you aren't
+affected by the dockershim removal.
+-->
+如果你的节点在通过 `cri-dockerd` 使用 Docker Engine，
+那么集群不会受到 Kubernetes 移除 dockershim 的影响。
+{{< /note >}}
+
+<!--
+You can check which socket you use by checking the kubelet configuration on your
+nodes.
+-->
+可以通过检查 kubelet 的参数得知当前使用的是哪个 socket。
+
+<!--
+1.  Read the starting commands for the kubelet process:
+
+    ```
+    tr \\0 ' ' < /proc/"$(pgrep kubelet)"/cmdline
+    ```
+    If you don't have `tr` or `pgrep`, check the command line for the kubelet
+    process manually.
+-->
+1. 查看 kubelet 进程的启动命令
+
+   ```
+    tr \\0 ' ' < /proc/"$(pgrep kubelet)"/cmdline
+   ```
+   如有节点上没有 `tr` 或者 `pgrep`，就需要手动检查 kubelet 的启动命令
+
+<!--
+1.  In the output, look for the `--container-runtime` flag and the
+    `--container-runtime-endpoint` flag.
+
+    *   If your nodes use Kubernetes v1.23 and earlier and these flags aren't
+        present or if the `--container-runtime` flag is not `remote`,
+        you use the dockershim socket with Docker Engine.
+    *   If the `--container-runtime-endpoint` flag is present, check the socket
+        name to find out which runtime you use. For example,
+        `unix:///run/containerd/containerd.sock` is the containerd endpoint.
+-->
+2. 在命令的输出中，查找 `--container-runtime` 和 `--container-runtime-endpoint` 标志。
+
+   * 如果 Kubernetes 集群版本是 v1.23 或者更早的版本，并且这两个参数不存在，
+      或者 `container-runtime` 标志值不是 `remote`，则你在通过 dockershim 套接字使用
+      Docker Engine。
+     或者如果集群使用的 Docker engine 和 dockershim socket，则输出结果中 `--container-runtime` 不是 `remote`,
+   * 如果设置了 `--container-runtime-endpoint` 参数，查看套接字名称即可得知当前使用的运行时。
+     如若套接字 `unix:///run/containerd/containerd.sock` 是 containerd 的端点。
+
+<!--
+If you want to change the Container Runtime on a Node from Docker Engine to containerd,
+you can find out more information on [migrating from Docker Engine to  containerd](/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/),
+or, if you want to continue using Docker Engine in v1.24 and later, migrate to a
+CRI-compatible adapter like [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd).
+-->
+如果你将节点上的容器运行时从 Docker Engine 改变为 containerd，可在
+[迁移到不同的运行时](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/)
+找到更多信息。或者，如果你想在 Kubernetes v1.24 及以后的版本仍使用 Docker Engine，
+可以安装 CRI 兼容的适配器实现，如 [`cri-dockerd`](https://github.com/Mirantis/cri-dockerd)。
+[`cri-dockerd`](https://github.com/Mirantis/cri-dockerd)。
+
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md
new file mode 100644
index 0000000000000..9fd5d22bd3ebc
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md
@@ -0,0 +1,233 @@
+---
+title: 将 Docker Engine 节点从 dockershim 迁移到 cri-dockerd
+weight: 9
+content_type: task 
+---
+
+<!--
+title: "Migrate Docker Engine nodes from dockershim to cri-dockerd"
+weight: 9
+content_type: task 
+-->
+
+{{% thirdparty-content %}}
+
+<!--
+This page shows you how to migrate your Docker Engine nodes to use `cri-dockerd`
+instead of dockershim. You should follow these steps in these scenarios:
+
+ * You want to switch away from dockershim and still use Docker Engine to run
+    containers in Kubernetes.
+ * You want to upgrade to Kubernetes v{{< skew currentVersion >}} and your
+    existing cluster relies on dockershim, in which case you must migrate 
+    from dockershim and `cri-dockerd` is one of your options.
+
+To learn more about the removal of dockershim, read the [FAQ page](/dockershim).
+-->
+本页面为你展示如何迁移你的 Docker Engine 节点，使之使用 `cri-dockerd` 而不是 dockershim。
+在以下场景中，你可以遵从这里的步骤执行操作：
+
+* 你期望不再使用 dockershim，但仍然使用 Docker Engine 来在 Kubernetes 中运行容器。
+* 你希望升级到 Kubernetes v{{< skew currentVersion >}} 且你的现有集群依赖于 dockershim，
+  因此你必须放弃 dockershim，而 `cri-dockerd` 是你的一种选项。
+
+要进一步了解 dockershim 的移除，请阅读 [FAQ 页面](/zh-cn/dockershim)。
+
+<!--
+## What is cri-dockerd? {#what-is-cri-dockerd}
+
+In Kubernetes 1.23 and earlier, you could use Docker Engine with Kubernetes,
+relying on a built-in component of Kubernetes named _dockershim_.
+The dockershim component was removed in the Kubernetes 1.24 release; however,
+a third-party replacement, `cri-dockerd`, is available. The `cri-dockerd` adapter
+lets you use Docker Engine through the {{<glossary_tooltip term_id="cri" text="Container Runtime Interface">}}.
+-->
+## cri-dockerd 是什么？ {#what-is-cri-dockerd}
+
+在 Kubernetes v1.24 及更早版本中，你可以在 Kubernetes 中使用 Docker Engine，
+依赖于一个称作 _dockershim_ 的内置 Kubernetes 组件。
+dockershim 组件在 Kubernetes v1.24 发行版本中已被移除；不过，一种来自第三方的替代品，
+`cri-dockerd` 是可供使用的。`cri-dockerd` 适配器允许你通过
+{{<glossary_tooltip term_id="cri" text="容器运行时接口（Container Runtime Interface，CRI）">}}
+来使用 Docker Engine。
+
+{{<note>}}
+<!--
+If you already use `cri-dockerd`, you aren't affected by the dockershim removal.
+Before you begin, [Check whether your nodes use the dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/).
+-->
+如果你已经在使用 `cri-dockerd`，那么你不会被 dockershim 的移除影响到。
+在开始之前，[检查你的节点是否在使用 dockershim](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)。
+{{</note>}}
+
+<!--
+If you want to migrate to `cri-dockerd` so that you can continue using Docker
+Engine as your container runtime, you should do the following for each affected
+node: 
+
+1.  Install `cri-dockerd`.
+1.  Cordon and drain the node.
+1.  Configure the kubelet to use `cri-dockerd`. 
+1.  Restart the kubelet.
+1.  Verify that the node is healthy.
+-->
+如果你想要迁移到 `cri-dockerd` 以便继续使用 Docker Engine 作为你的容器运行时，
+你需要在所有被影响的节点上执行以下操作：
+
+1. 安装 `cri-dockerd`；
+1. 隔离（Cordon）并腾空（Drain）该节点；
+1. 配置 kubelet 使用 `cri-dockerd`；
+1. 重新启动 kubelet；
+1. 验证节点处于健康状态。
+
+<!--
+Test the migration on non-critical nodes first.
+
+You should perform the following steps for each node that you want to migrate
+to `cri-dockerd`.
+-->
+首先在非关键节点上测试这一迁移过程。
+
+你应该针对所有希望迁移到 `cri-dockerd` 的节点执行以下步骤。
+
+## {{% heading "prerequisites" %}}
+
+<!--
+*   [`cri-dockerd`](https://github.com/mirantis/cri-dockerd#build-and-install)
+    installed and started on each node.
+*   A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/).
+-->
+* 安装了 [`cri-dockerd`](https://github.com/mirantis/cri-dockerd#build-and-install)
+  并且该服务已经在各节点上启动；
+* 一个[网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)。
+
+<!--
+## Cordon and drain the node
+
+1.  Cordon the node to stop new Pods scheduling on it:
+
+    ```shell
+    kubectl cordon <NODE_NAME>
+    ```
+    Replace `<NODE_NAME>` with the name of the node.
+-->
+## 隔离并腾空节点   {#cordon-and-drain-the-node}
+
+1. 隔离节点，阻止新的 Pod 被调度到节点上：
+
+   ```shell
+   kubectl cordon <NODE_NAME>
+   ```
+
+   将 `<NODE_NAME>` 替换为节点名称。
+
+<!--
+1.  Drain the node to safely evict running Pods: 
+-->
+2. 腾空节点以安全地逐出所有运行中的 Pod：
+
+   ```shell
+   kubectl drain <NODE_NAME> --ignore-daemonsets
+   ```
+
+<!--
+## Configure the kubelet to use cri-dockerd
+
+The following steps apply to clusters set up using the kubeadm tool. If you use
+a different tool, you should modify the kubelet using the configuration
+instructions for that tool.
+-->
+## 配置 kubelet 使用 cri-dockerd   {#configure-the-kubelet-to-use-cri-dockerd}
+
+下面的步骤适用于用 kubeadm 工具安装的集群。如果你使用不同的工具，
+你需要使用针对该工具的配置指令来修改 kubelet。
+
+<!--
+1.  Open `/var/lib/kubelet/kubeadm-flags.env` on each affected node.
+1.  Modify the `--container-runtime-endpoint` flag to
+    `unix:///var/run/cri-dockerd.sock`.
+-->
+1. 在每个被影响的节点上，打开 `/var/lib/kubelet/kubeadm-flags.env` 文件；
+1. 将 `--container-runtime-endpoint` 标志，将其设置为 `unix:///var/run/cri-dockerd.sock`。
+
+<!--
+The kubeadm tool stores the node's socket as an annotation on the `Node` object
+in the control plane. To modify this socket for each affected node:  
+-->
+kubeadm 工具将节点上的套接字存储为控制面上 `Node` 对象的注解。
+要为每个被影响的节点更改此套接字：
+
+<!--
+1.  Edit the YAML representation of the `Node` object:
+
+    ```shell
+    KUBECONFIG=/path/to/admin.conf kubectl edit no <NODE_NAME>
+    ```
+    Replace the following:
+    
+    *   `/path/to/admin.conf`: the path to the kubectl configuration file,
+        `admin.conf`.
+    *   `<NODE_NAME>`: the name of the node you want to modify.
+
+1.  Change `kubeadm.alpha.kubernetes.io/cri-socket` from
+    `/var/run/dockershim.sock` to `unix:///var/run/cri-dockerd.sock`.
+1.  Save the changes. The `Node` object is updated on save.
+-->
+1. 编辑 `Node` 对象的 YAML 表示：
+
+   ```shell
+   KUBECONFIG=/path/to/admin.conf kubectl edit no <NODE_NAME>
+   ```
+
+   根据下面的说明执行替换：
+    
+   * `/path/to/admin.conf`：指向 kubectl 配置文件 `admin.conf` 的路径；
+   * `<NODE_NAME>`：你要修改的节点的名称。
+
+1. 将 `kubeadm.alpha.kubernetes.io/cri-socket` 标志从
+   `/var/run/dockershim.sock` 更改为 `unix:///var/run/cri-dockerd.sock`；
+1. 保存所作更改。保存时，`Node` 对象被更新
+
+
+<!--
+## Restart the kubelet
+-->
+## 重启 kubelet    {#restart-the-kubelet}
+
+```shell
+systemctl restart kubelet
+```
+
+<!--
+## Verify that the node is healthy
+
+To check whether the node uses the `cri-dockerd` endpoint, follow the
+instructions in [Find out which runtime you use](/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/).
+The `--container-runtime-endpoint` flag for the kubelet should be `unix:///var/run/cri-dockerd.sock`.
+-->
+## 验证节点处于健康状态   {#verify-that-the-node-is-healthy}
+
+要检查节点是否在使用 `cri-dockerd` 端点，
+按照[找出你所使用的运行时](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/)页面所给的指令操作。
+kubelet 的 `--container-runtime-endpoint` 标志取值应该是 `unix:///var/run/cri-dockerd.sock`。
+
+<!--
+## Uncordon the node
+
+Uncordon the node to let Pods schedule on it: 
+-->
+## 解除节点隔离   {#uncordon-the-node}
+
+```shell
+kubectl uncordon <NODE_NAME>
+```
+
+## {{% heading "whatsnext" %}}
+
+<!--
+*   Read the [dockershim removal FAQ](/dockershim/).
+*   [Learn how to migrate from Docker Engine with dockershim to containerd](/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/).
+-->
+* 阅读 [dockershim 移除常见问题](/zh-cn/dockershim)。
+* [了解如何从基于 dockershim 的 Docker Engine 迁移到 containerd](/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/)。
+
diff --git a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
similarity index 55%
rename from content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
rename to content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
index b22c7d4b67eff..e36cde5dc1b84 100644
--- a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents.md
@@ -14,19 +14,11 @@ weight: 70
 <!-- overview -->
 
 <!-- 
-With Kubernetes 1.20 dockershim was deprecated. From the
-[Dockershim Deprecation FAQ](/blog/2020/12/02/dockershim-faq/)
-you might already know that most apps do not have a direct dependency on runtime hosting
-containers. However, there are still a lot of telemetry and security agents
-that has a dependency on docker to collect containers metadata, logs and
-metrics. This document aggregates information on how to detect tese
-dependencies and links on how to migrate these agents to use generic tools or
-alternative runtimes.
--->
-在 Kubernetes 1.20 版本中，dockershim 被弃用。
-在博文[弃用 Dockershim 常见问题](/zh/blog/2020/12/02/dockershim-faq/)中，
-你大概已经了解到，大多数应用并没有直接通过运行时来托管容器。
-但是，仍然有大量的遥测和安全代理依赖 docker 来收集容器元数据、日志和指标。
+Kubernetes' support for direct integration with Docker Engine is deprecated, and will be removed. Most apps do not have a direct dependency on runtime hosting containers. However, there are still a lot of telemetry and monitoring agents that has a dependency on docker to collect containers metadata, logs and metrics. This document aggregates information on how to detect these dependencies and links on how to migrate these agents to use generic tools or alternative runtimes.
+-->
+Kubernetes 对与 Docker Engine 直接集成的支持已被弃用并将被删除。
+大多数应用程序不直接依赖于托管容器的运行时。但是，仍然有大量的遥测和监控代理依赖
+docker 来收集容器元数据、日志和指标。
 本文汇总了一些信息和链接：信息用于阐述如何探查这些依赖，链接用于解释如何迁移这些代理去使用通用的工具或其他容器运行。
 
 <!-- 
@@ -35,51 +27,59 @@ alternative runtimes.
 ## 遥测和安全代理 {#telemetry-and-security-agents}
 
 <!-- 
-There are a few ways agents may run on Kubernetes cluster. Agents may run on
-nodes directly or as DaemonSets.
+Within a Kubernetes cluster there are a few different ways to run telemetry or security agents.
+Some agents have a direct dependency on Docker Engine when they run as DaemonSets or
+directly on nodes.
 -->
-为了让代理运行在 Kubernetes 集群中，我们有几种办法。
-代理既可以直接在节点上运行，也可以作为守护进程运行。
+在 Kubernetes 集群中，有几种不同的方式来运行遥测或安全代理。
+一些代理在以 DaemonSet 的形式运行或直接在节点上运行时，直接依赖于 Docker Engine。
 
 <!-- 
-### Why do telemetry agents rely on Docker?
+###  Why do some telemetry agents communicate with Docker Engine?
 -->
-### 为什么遥测代理依赖于 Docker？ {#why-do-telemetry-agents-relyon-docker}
+### 为什么有些遥测代理会与 Docker Engine 通信？
 
 <!-- 
-Historically, Kubernetes was built on top of Docker. Kubernetes is managing
-networking and scheduling, Docker was placing and operating containers on a
-node. So you can get scheduling-related metadata like a pod name from Kubernetes
-and containers state information from Docker. Over time more runtimes were
-created to manage containers. Also there are projects and Kubernetes features
-that generalize container status information extraction across many runtimes.
+Historically, Kubernetes was written to work specifically with Docker Engine.
+Kubernetes took care of networking and scheduling, relying on Docker Engine for launching
+and running containers (within Pods) on a node. Some information that is relevant to telemetry,
+such as a pod name, is only available from Kubernetes components. Other data, such as container
+metrics, is not the responsibility of the container runtime. Early telemetry agents needed to query the
+container runtime **and** Kubernetes to report an accurate picture. Over time, Kubernetes gained
+the ability to support multiple runtimes, and now supports any runtime that is compatible with
+the container runtime interface.
+
 -->
-因为历史原因，Kubernetes 建立在 Docker 之上。
-Kubernetes 管理网络和调度，Docker 则在具体的节点上定位并操作容器。
-所以，你可以从 Kubernetes 取得调度相关的元数据，比如 Pod 名称；从 Docker 取得容器状态信息。
-后来，人们开发了更多的运行时来管理容器。
-同时一些项目和 Kubernetes 特性也不断涌现，支持跨多个运行时收集容器状态信息。
+从历史上看，Kubernetes 是专门为与 Docker Engine 一起工作而编写的。
+Kubernetes 负责网络和调度，依靠 Docker Engine
+在节点上启动并运行容器（在 Pod 内）。一些与遥测相关的信息，例如 pod 名称，
+只能从 Kubernetes 组件中获得。其他数据，例如容器指标，不是容器运行时的责任。
+早期遥测代理需要查询容器运行时**和** Kubernetes 以报告准确的信息。
+随着时间的推移，Kubernetes 获得了支持多种运行时的能力，现在支持任何兼容容器运行时接口的运行时。
 
 <!-- 
-Some agents are tied specifically to the Docker tool. The agents may run
-commands like [`docker ps`](https://docs.docker.com/engine/reference/commandline/ps/)
+Some telemetry agents rely specifically on Docker Engine tooling. For example, an agent
+might run a command such as
+[`docker ps`](https://docs.docker.com/engine/reference/commandline/ps/)
 or [`docker top`](https://docs.docker.com/engine/reference/commandline/top/) to list
-containers and processes or [docker logs](https://docs.docker.com/engine/reference/commandline/logs/)
-to subscribe on docker logs. With the deprecating of Docker as a container runtime,
+containers and processes or [`docker logs`](https://docs.docker.com/engine/reference/commandline/logs/)
++to receive streamed logs. If nodes in your existing cluster use
++Docker Engine, and you switch to a different container runtime,
 these commands will not work any longer.
 -->
-一些代理和 Docker 工具紧密绑定。此类代理可以这样运行命令，比如用
+一些代理和 Docker 工具紧密绑定。比如代理会用到
 [`docker ps`](https://docs.docker.com/engine/reference/commandline/ps/)
 或 [`docker top`](https://docs.docker.com/engine/reference/commandline/top/)
 这类命令来列出容器和进程，用
-[docker logs](https://docs.docker.com/engine/reference/commandline/logs/)
+[`docker logs`](https://docs.docker.com/engine/reference/commandline/logs/)
 订阅 Docker 的日志。
-但随着 Docker 作为容器运行时被弃用，这些命令将不再工作。
+如果现有集群中的节点使用 Docker Engine，在你切换到其它容器运行时的时候，
+这些命令将不再起作用。
 
 <!-- 
-### Identify DaemonSets that depend on Docker {#identify-docker-dependency }
+### Identify DaemonSets that depend on Docker Engine {#identify-docker-dependency}
 -->
-### 识别依赖于 Docker 的 DaemonSet {#identify-docker-dependency}
+### 识别依赖于 Docker Engine 的 DaemonSet {#identify-docker-dependency}
 
 <!-- 
 If a pod wants to make calls to the `dockerd` running on the node, the pod must either:
@@ -104,10 +104,10 @@ For example: on COS images, Docker exposes its Unix domain socket at
 <!-- 
 Here's a sample shell script to find Pods that have a mount directly mapping the
 Docker socket. This script outputs the namespace and name of the pod. You can
-remove the grep `/var/run/docker.sock` to review other mounts.
+remove the `grep '/var/run/docker.sock'` to review other mounts.
 -->
 下面是一个 shell 示例脚本，用于查找包含直接映射 Docker 套接字的挂载点的 Pod。
-你也可以删掉 grep `/var/run/docker.sock` 这一代码片段以查看其它挂载信息。
+你也可以删掉 `grep '/var/run/docker.sock'` 这一代码片段以查看其它挂载信息。
 
 ```bash
 kubectl get pods --all-namespaces \
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md
new file mode 100644
index 0000000000000..e60db86be82ea
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md
@@ -0,0 +1,263 @@
+---
+title: 排查 CNI 插件相关的错误
+content_type: task
+weight: 10
+---
+<!--
+title: Troubleshooting CNI plugin-related errors
+content_type: task
+reviewers:
+- mikebrow
+- divya-mohan0209
+weight: 10
+-->
+
+<!-- overview -->
+
+<!--
+To avoid CNI plugin-related errors, verify that you are using or upgrading to a
+container runtime that has been tested to work correctly with your version of
+Kubernetes.
+-->
+
+为了避免 CNI 插件相关的错误，需要验证你正在使用或升级到一个经过测试的容器运行时，
+该容器运行时能够在你的 Kubernetes 版本上正常工作。
+
+<!--
+For example, the following container runtimes are being prepared, or have already been prepared, for Kubernetes v1.24:
+
+* containerd v1.6.4 and later, v1.5.11 and later
+* The CRI-O v1.24.0 and later
+-->
+
+例如，针对 Kubernetes v1.24 而言，以下容器运行时正在准备或已经就绪：
+
+* containerd v1.6.4 及更新版本、v1.5.11 及更新版本
+* CRI-O v1.24.0 及更新版本
+
+<!--
+## About the "Incompatible CNI versions" and "Failed to destroy network for sandbox" errors
+-->
+
+## 关于 "Incompatible CNI versions" 和 "Failed to destroy network for sandbox" 错误   {#about-the-incompatible-cni-versions-and-failed-to-destroy-network-for-sandbox-errors} 
+
+<!--
+Service issues exist for pod CNI network setup and tear down in containerd
+v1.6.0-v1.6.3 when the CNI plugins have not been upgraded and/or the CNI config
+version is not declared in the CNI config files. The containerd team reports, "these issues are resolved in containerd v1.6.4."
+With containerd v1.6.0-v1.6.3, if you do not upgrade the CNI plugins and/or
+declare the CNI config version, you might encounter the following "Incompatible
+CNI versions" or "Failed to destroy network for sandbox" error conditions.
+-->
+
+在 containerd v1.6.0-v1.6.3 中，当配置或清除 Pod CNI 网络时，如果 CNI 插件没有升级和/或
+CNI 配置文件中没有声明 CNI 配置版本时，会出现服务问题。containerd 团队报告说：
+“这些问题在 containerd v1.6.4 中得到了解决。”
+
+在使用 containerd v1.6.0-v1.6.3 时，如果你不升级 CNI 插件和/或声明 CNI 配置版本，
+你可能会遇到以下 "Incompatible CNI versions" 或 "Failed to destroy network for sandbox"
+错误状况。
+
+<!--
+### Incompatible CNI versions error
+-->
+
+### Incompatible CNI versions 错误   {#incompatible-cni-versions-error}
+
+<!--
+If the version of your CNI plugin does not correctly match the plugin version in
+the config because the config version is later than the plugin version, the
+containerd log will likely show an error message on startup of a pod similar
+to:
+-->
+
+如果因为配置版本比插件版本新，导致你的 CNI 插件版本与配置中的插件版本无法正确匹配时，
+在启动 Pod 时，containerd 日志可能会显示类似的错误信息：
+
+```
+incompatible CNI versions; config is \"1.0.0\", plugin supports [\"0.1.0\" \"0.2.0\" \"0.3.0\" \"0.3.1\" \"0.4.0\"]"
+```
+
+<!--
+To fix this issue, [update your CNI plugins and CNI config files](#updating-your-cni-plugins-and-cni-config-files).
+-->
+
+为了解决这个问题，需要[更新你的 CNI 插件和 CNI 配置文件](#updating-your-cni-plugins-and-cni-config-files)。
+
+<!--
+### Failed to destroy network for sandbox error
+-->
+
+### Failed to destroy network for sandbox 错误   {#failed-to-destroy-network-for-sandbox-error} 
+
+<!--
+If the version of the plugin is missing in the CNI plugin config, the pod may
+run. However, stopping the pod generates an error similar to:
+-->
+
+如果 CNI 插件配置中未给出插件的版本，
+Pod 可能可以运行。但是，停止 Pod 时会产生类似于以下错误：
+
+```
+ERRO[2022-04-26T00:43:24.518165483Z] StopPodSandbox for "b" failed
+error="failed to destroy network for sandbox \"bbc85f891eaf060c5a879e27bba9b6b06450210161dfdecfbb2732959fb6500a\": invalid version \"\": the version is empty"
+```
+
+<!--
+This error leaves the pod in the not-ready state with a network namespace still
+attached. To recover from this problem, [edit the CNI config file](#updating-your-cni-plugins-and-cni-config-files) to add
+the missing version information. The next attempt to stop the pod should
+be successful.
+-->
+
+此错误使 Pod 处于未就绪状态，且仍然挂接到某网络名字空间上。
+为修复这一问题，[编辑 CNI 配置文件](#updating-your-cni-plugins-and-cni-config-files)以添加缺失的版本信息。
+下一次尝试停止 Pod 应该会成功。
+
+<!--
+### Updating your CNI plugins and CNI config files
+-->
+
+### 更新你的 CNI 插件和 CNI 配置文件   {#updating-your-cni-plugins-and-cni-config-files}
+
+<!--
+If you're using containerd v1.6.0-v1.6.3 and encountered "Incompatible CNI
+versions" or "Failed to destroy network for sandbox" errors, consider updating
+your CNI plugins and editing the CNI config files.
+
+Here's an overview of the typical steps for each node:
+-->
+
+如果你使用 containerd v1.6.0-v1.6.3 并遇到 "Incompatible CNI versions" 或者
+"Failed to destroy network for sandbox" 错误，考虑更新你的 CNI 插件并编辑 CNI 配置文件。
+
+以下是针对各节点要执行的典型步骤的概述：
+
+<!--
+1. [Safely drain and cordon the
+node](/docs/tasks/administer-cluster/safely-drain-node/).
+-->
+
+1. [安全地腾空并隔离节点](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)。
+
+<!--
+2. After stopping your container runtime and kubelet services, perform the
+following upgrade operations:
+  - If you're running CNI plugins, upgrade them to the latest version.
+  - If you're using non-CNI plugins, replace them with CNI plugins. Use the
+  latest version of the plugins.
+  - Update the plugin configuration file to specify or match a version of the
+  CNI specification that the plugin supports, as shown in the following ["An
+  example containerd configuration
+  file"](#an-example-containerd-configuration-file) section.
+  - For `containerd`, ensure that you have installed the latest version (v1.0.0
+  or later) of the CNI loopback plugin.
+  - Upgrade node components (for example, the kubelet) to Kubernetes v1.24
+  - Upgrade to or install the most current version of the container runtime.
+-->
+
+2. 停止容器运行时和 kubelet 服务后，执行以下升级操作：
+  - 如果你正在运行 CNI 插件，请将它们升级到最新版本。
+  - 如果你使用的是非 CNI 插件，请将它们替换为 CNI 插件，并使用最新版本的插件。
+  - 更新插件配置文件以指定或匹配 CNI 规范支持的插件版本，
+    如后文["containerd 配置文件示例"](#an-example-containerd-configuration-file)章节所示。
+  - 对于 `containerd`，请确保你已安装 CNI loopback 插件的最新版本（v1.0.0 或更高版本）。
+  - 将节点组件（例如 kubelet）升级到 Kubernetes v1.24
+  - 升级到或安装最新版本的容器运行时。
+
+<!--
+3. Bring the node back into your cluster by restarting your container runtime
+and kubelet. Uncordon the node (`kubectl uncordon <nodename>`).
+-->
+
+3. 通过重新启动容器运行时和 kubelet 将节点重新加入到集群。取消节点隔离（`kubectl uncordon <nodename>`）。
+
+<!--
+## An example containerd configuration file
+-->
+
+## containerd 配置文件示例   {#an-example-containerd-configuration-file}
+
+<!--
+The following example shows a configuration for `containerd` runtime v1.6.x,
+which supports a recent version of the CNI specification (v1.0.0).
+Please see the documentation from your plugin and networking provider for
+further instructions on configuring your system.
+-->
+
+以下示例显示了 `containerd` 运行时 v1.6.x 的配置，
+它支持最新版本的 CNI 规范（v1.0.0）。
+请参阅你的插件和网络提供商的文档，以获取有关你系统配置的进一步说明。
+
+<!--
+On Kubernetes, containerd runtime adds a loopback interface, `lo`, to pods as a
+default behavior. The containerd runtime configures the loopback interface via a
+CNI plugin, `loopback`. The `loopback` plugin is distributed as part of the
+`containerd` release packages that have the `cni` designation. `containerd`
+v1.6.0 and later includes a CNI v1.0.0-compatible loopback plugin as well as
+other default CNI plugins. The configuration for the loopback plugin is done
+internally by containerd, and is set to use CNI v1.0.0. This also means that the
+version of the `loopback` plugin must be v1.0.0 or later when this newer version
+`containerd` is started.
+-->
+
+在 Kubernetes 中，作为其默认行为，containerd 运行时为 Pod 添加一个本地回路接口，`lo`。
+containerd 运行时通过 CNI 插件 `loopback` 配置本地回路接口。  
+`loopback` 插件作为 `containerd` 发布包的一部分，扮演 `cni` 角色。
+`containerd` v1.6.0 及更高版本包括与 CNI v1.0.0 兼容的 loopback 插件以及其他默认 CNI 插件。
+loopback 插件的配置由 containerd 内部完成， 并被设置为使用 CNI v1.0.0。
+这也意味着当这个更新版本的 `containerd` 启动时，`loopback` 插件的版本必然是 v1.0.0 或更高版本。
+
+<!--
+The following bash command generates an example CNI config. Here, the 1.0.0
+value for the config version is assigned to the `cniVersion` field for use when
+`containerd` invokes the CNI bridge plugin.
+-->
+
+以下 Bash 命令生成一个 CNI 配置示例。这里，`cniVersion` 字段被设置为配置版本值 1.0.0，
+以供 `containerd` 调用 CNI 桥接插件时使用。
+
+```bash
+cat << EOF | tee /etc/cni/net.d/10-containerd-net.conflist
+{
+ "cniVersion": "1.0.0",
+ "name": "containerd-net",
+ "plugins": [
+   {
+     "type": "bridge",
+     "bridge": "cni0",
+     "isGateway": true,
+     "ipMasq": true,
+     "promiscMode": true,
+     "ipam": {
+       "type": "host-local",
+       "ranges": [
+         [{
+           "subnet": "10.88.0.0/16"
+         }],
+         [{
+           "subnet": "2001:db8:4860::/64"
+         }]
+       ],
+       "routes": [
+         { "dst": "0.0.0.0/0" },
+         { "dst": "::/0" }
+       ]
+     }
+   },
+   {
+     "type": "portmap",
+     "capabilities": {"portMappings": true}
+   }
+ ]
+}
+EOF
+```
+
+<!--
+Update the IP address ranges in the preceding example with ones that are based
+on your use case and network addressing plan.
+-->
+
+基于你的用例和网络地址规划，将前面示例中的 IP 地址范围更新为合适的值。
+
diff --git a/content/zh/docs/tasks/administer-cluster/namespaces-walkthrough.md b/content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md
similarity index 96%
rename from content/zh/docs/tasks/administer-cluster/namespaces-walkthrough.md
rename to content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md
index c28a918db0e23..bf3bd8088b8dc 100644
--- a/content/zh/docs/tasks/administer-cluster/namespaces-walkthrough.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md
@@ -26,7 +26,7 @@ It does this by providing the following:
 -->
 名字空间通过以下方式实现这点：
 
-1. 为[名字](/zh/docs/concepts/overview/working-with-objects/names/)设置作用域.
+1. 为[名字](/zh-cn/docs/concepts/overview/working-with-objects/names/)设置作用域.
 2. 为集群中的部分资源关联鉴权和策略的机制。
 
 <!--
@@ -36,7 +36,7 @@ This example demonstrates how to use Kubernetes namespaces to subdivide your clu
 -->
 使用多个名字空间是可选的。
 
-此示例演示了如何使用 Kubernetes 名字空间细分群集。
+此示例演示了如何使用 Kubernetes 名字空间细分集群。
 
 ## {{% heading "prerequisites" %}}
 
@@ -56,10 +56,10 @@ This example assumes the following:
 
 此示例作如下假设：
 
-1. 你已拥有一个[配置好的 Kubernetes 集群](/zh/docs/setup/)。
-2. 你已对 Kubernetes 的 _[Pods](/zh/docs/concepts/workloads/pods/)_、
-   _[Services](/zh/docs/concepts/services-networking/service/)_ 和
-   _[Deployments](/zh/docs/concepts/workloads/controllers/deployment/)_
+1. 你已拥有一个[配置好的 Kubernetes 集群](/zh-cn/docs/setup/)。
+2. 你已对 Kubernetes 的 _[Pods](/zh-cn/docs/concepts/workloads/pods/)_、
+   _[Services](/zh-cn/docs/concepts/services-networking/service/)_ 和
+   _[Deployments](/zh-cn/docs/concepts/workloads/controllers/deployment/)_
    有基本理解。
 
 <!--
diff --git a/content/zh/docs/tasks/administer-cluster/namespaces.md b/content/zh-cn/docs/tasks/administer-cluster/namespaces.md
similarity index 96%
rename from content/zh/docs/tasks/administer-cluster/namespaces.md
rename to content/zh-cn/docs/tasks/administer-cluster/namespaces.md
index 8a55b78cda0fb..e8a2e0174fe46 100644
--- a/content/zh/docs/tasks/administer-cluster/namespaces.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/namespaces.md
@@ -23,7 +23,7 @@ This page shows how to view, work in, and delete {{< glossary_tooltip text="name
 * Have an [existing Kubernetes cluster](/docs/setup/).
 * You have a basic understanding of Kubernetes {{< glossary_tooltip text="Pods" term_id="pod" >}}, {{< glossary_tooltip term_id="service" text="Services" >}}, and {{< glossary_tooltip text="Deployments" term_id="deployment" >}}.
 -->
-* 你已拥有一个[配置好的 Kubernetes 集群](/zh/docs/setup/)。
+* 你已拥有一个[配置好的 Kubernetes 集群](/zh-cn/docs/setup/)。
 * 你已对 Kubernetes 的 {{< glossary_tooltip text="Pods" term_id="pod" >}} , 
   {{< glossary_tooltip term_id="service" text="Services" >}} , 和
   {{< glossary_tooltip text="Deployments" term_id="deployment" >}} 有基本理解。
@@ -160,7 +160,7 @@ The name of your namespace must be a valid
 [DNS label](/docs/concepts/overview/working-with-objects/names#dns-label-names).
 -->
 请注意，名字空间的名称必须是一个合法的
-[DNS 标签](/zh/docs/concepts/overview/working-with-objects/names#dns-label-names)。
+[DNS 标签](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-label-names)。
 
 <!--
 There's an optional field `finalizers`, which allows observables to purge resources whenever the namespace is deleted. Keep in mind that if you specify a nonexistent finalizer, the namespace will be created but will get stuck in the `Terminating` state if the user tries to delete it.
@@ -418,7 +418,7 @@ It does this by providing the following:
 -->
 名字空间通过以下方式实现这点：
 
-1. 为[名字](/zh/docs/concepts/overview/working-with-objects/names/)设置作用域.
+1. 为[名字](/zh-cn/docs/concepts/overview/working-with-objects/names/)设置作用域.
 2. 为集群中的部分资源关联鉴权和策略的机制。
 
 <!--
@@ -478,7 +478,7 @@ Use cases include:
 1.  作为集群运营者, 我希望能在单个集群上支持多个用户社区。
 2.  作为集群运营者，我希望将集群分区的权限委派给这些社区中的受信任用户。
 3.  作为集群运营者，我希望能限定每个用户社区可使用的资源量，以限制对使用同一集群的其他用户社区的影响。
-4.  作为群集用户，我希望与我的用户社区相关的资源进行交互，而与其他用户社区在该集群上执行的操作无关。
+4.  作为集群用户，我希望与我的用户社区相关的资源进行交互，而与其他用户社区在该集群上执行的操作无关。
 
 <!--
 ## Understanding namespaces and DNS
@@ -493,8 +493,8 @@ is local to a namespace.  This is useful for using the same configuration across
 multiple namespaces such as Development, Staging and Production.  If you want to reach
 across namespaces, you need to use the fully qualified domain name (FQDN).
 -->
-当你创建[服务](/zh/docs/concepts/services-networking/service/)时，Kubernetes
-会创建相应的 [DNS 条目](/zh/docs/concepts/services-networking/dns-pod-service/)。
+当你创建[服务](/zh-cn/docs/concepts/services-networking/service/)时，Kubernetes
+会创建相应的 [DNS 条目](/zh-cn/docs/concepts/services-networking/dns-pod-service/)。
 此条目的格式为 `<服务名称>.<名字空间名称>.svc.cluster.local`。
 这意味着如果容器使用 `<服务名称>`，它将解析为名字空间本地的服务。
 这对于在多个名字空间（如开发、暂存和生产）中使用相同的配置非常有用。
@@ -508,7 +508,7 @@ across namespaces, you need to use the fully qualified domain name (FQDN).
 * See [namespaces design](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/namespaces.md).
 -->
 
-* 进一步了解[设置名字空间偏好](/zh/docs/concepts/overview/working-with-objects/namespaces/#setting-the-namespace-preference)
-* 进一步了解[设置请求的名字空间](/zh/docs/concepts/overview/working-with-objects/namespaces/#setting-the-namespace-for-a-request)
+* 进一步了解[设置名字空间偏好](/zh-cn/docs/concepts/overview/working-with-objects/namespaces/#setting-the-namespace-preference)
+* 进一步了解[设置请求的名字空间](/zh-cn/docs/concepts/overview/working-with-objects/namespaces/#setting-the-namespace-for-a-request)
 * 参阅[名字空间的设计文档](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/namespaces.md)
 
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/_index.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/_index.md
similarity index 100%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/_index.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/_index.md
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy.md
similarity index 88%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy.md
index b6a296aa71fc1..29870498a5c35 100644
--- a/content/zh/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy.md
@@ -26,7 +26,7 @@ You need to have a Kubernetes cluster. Follow the
 [kubeadm getting started guide](/docs/reference/setup-tools/kubeadm/) to bootstrap one.
 -->
 你需要拥有一个 kuernetes 集群。
-遵循 [kubeadm 入门指南](/zh/docs/reference/setup-tools/kubeadm/)自行创建一个。
+遵循 [kubeadm 入门指南](/zh-cn/docs/reference/setup-tools/kubeadm/)自行创建一个。
 
 <!-- steps -->
 
@@ -45,5 +45,5 @@ Follow [Getting Started](https://github.com/vmware-tanzu/antrea/blob/main/docs/g
 Once your cluster is running, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy.
 -->
 一旦你的集群已经运行，你可以遵循 
-[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 来尝试 Kubernetes NetworkPolicy。
\ No newline at end of file
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
index 9c0dee6fbbc49..8d4d3b13dd85f 100644
--- a/content/zh/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
@@ -73,6 +73,6 @@ To get a local single-host Calico cluster in fifteen minutes using kubeadm, refe
 <!--
 Once your cluster is running, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy.
 -->
-集群运行后，您可以按照[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+集群运行后，你可以按照[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 去尝试使用 Kubernetes NetworkPolicy。
 
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
similarity index 98%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
index 697e10275399a..051ac153d12df 100644
--- a/content/zh/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
@@ -164,7 +164,7 @@ Have fun, and if you have questions, contact us using the
 [Cilium Slack Channel](https://cilium.herokuapp.com/).
 -->
 集群运行后，你可以按照
-[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 试用基于 Cilium 的 Kubernetes NetworkPolicy。
 玩得开心，如果你有任何疑问，请到 [Cilium Slack 频道](https://cilium.herokuapp.com/)
 联系我们。
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
index 5e7ae8f98dd05..0c4cc7a8e1039 100644
--- a/content/zh/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
@@ -37,6 +37,6 @@ NetworkPolicy 和 Pod 的变化，根据策略指示配置 iptables 规则和 ip
 Once you have installed the Kube-router addon, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy.
 -->
 在你安装了 kube-router 插件后，可以参考
-[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 去尝试使用 Kubernetes NetworkPolicy。
 
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy.md
similarity index 90%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy.md
index 50771fa68ab3a..6331be657247f 100644
--- a/content/zh/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy.md
@@ -24,7 +24,7 @@ This page shows how to use Romana for NetworkPolicy.
 <!--
 Complete steps 1, 2, and 3 of  the [kubeadm getting started guide](/docs/getting-started-guides/kubeadm/).
 -->
-完成 [kubeadm 入门指南](/zh/docs/reference/setup-tools/kubeadm/)中的 1、2、3 步。
+完成 [kubeadm 入门指南](/zh-cn/docs/reference/setup-tools/kubeadm/)中的 1、2、3 步。
 
 <!-- steps -->
 <!--
@@ -59,6 +59,6 @@ To apply network policies use one of the following:
 Once you have installed Romana, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy.
  -->
 Romana 安装完成后，你可以按照
-[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 去尝试使用 Kubernetes NetworkPolicy。
 
diff --git a/content/zh/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy.md
similarity index 95%
rename from content/zh/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy.md
rename to content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy.md
index c1d08c31c87d3..b4415a72dd8ef 100644
--- a/content/zh/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy.md
@@ -26,7 +26,7 @@ You need to have a Kubernetes cluster. Follow the
 [kubeadm getting started guide](/docs/reference/setup-tools/kubeadm/) to bootstrap one.
  -->
 你需要拥有一个 Kubernetes 集群。按照
-[kubeadm 入门指南](/zh/docs/reference/setup-tools/kubeadm/)
+[kubeadm 入门指南](/zh-cn/docs/reference/setup-tools/kubeadm/)
 来启动一个。
 
 
@@ -92,7 +92,7 @@ Each Node has a weave Pod, and all Pods are `Running` and `2/2 READY`. (`2/2` me
 Once you have installed the Weave Net addon, you can follow the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/) to try out Kubernetes NetworkPolicy. If you have any question, contact us at [#weave-community on Slack or Weave User Group](https://github.com/weaveworks/weave#getting-help).
  -->
 安装 Weave Net 插件后，你可以参考
-[声明网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 来试用 Kubernetes NetworkPolicy。
 如果你有任何疑问，请通过
 [Slack 上的 #weave-community 频道或者 Weave 用户组](https://github.com/weaveworks/weave#getting-help)
diff --git a/content/zh/docs/tasks/administer-cluster/nodelocaldns.md b/content/zh-cn/docs/tasks/administer-cluster/nodelocaldns.md
similarity index 66%
rename from content/zh/docs/tasks/administer-cluster/nodelocaldns.md
rename to content/zh-cn/docs/tasks/administer-cluster/nodelocaldns.md
index b68fd3ed1ecea..77364a1e18612 100644
--- a/content/zh/docs/tasks/administer-cluster/nodelocaldns.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/nodelocaldns.md
@@ -11,7 +11,9 @@ content_type: task
 -->
 
 <!-- overview -->
+
 {{< feature-state for_k8s_version="v1.18" state="stable" >}}
+
 <!--
 This page provides an overview of NodeLocal DNSCache feature in Kubernetes.
 -->
@@ -29,10 +31,17 @@ This page provides an overview of NodeLocal DNSCache feature in Kubernetes.
 ## 引言
 
 <!--
-NodeLocal DNSCache improves Cluster DNS performance by running a dns caching agent on cluster nodes as a DaemonSet. In today's architecture, Pods in ClusterFirst DNS mode reach out to a kube-dns serviceIP for DNS queries. This is translated to a kube-dns/CoreDNS endpoint via iptables rules added by kube-proxy. With this new architecture, Pods will reach out to the dns caching agent running on the same node, thereby avoiding iptables DNAT rules and connection tracking. The local caching agent will query kube-dns service for cache misses of cluster hostnames(cluster.local suffix by default).
+NodeLocal DNSCache improves Cluster DNS performance by running a DNS caching agent
+on cluster nodes as a DaemonSet. In today's architecture, Pods in 'ClusterFirst' DNS mode
+reach out to a kube-dns `serviceIP` for DNS queries. This is translated to a
+kube-dns/CoreDNS endpoint via iptables rules added by kube-proxy.
+With this new architecture, Pods will reach out to the DNS caching agent
+running on the same node, thereby avoiding iptables DNAT rules and connection tracking.
+The local caching agent will query kube-dns service for cache misses of cluster
+hostnames ("`cluster.local`" suffix by default).
 -->
 NodeLocal DNSCache 通过在集群节点上作为 DaemonSet 运行 DNS 缓存代理来提高集群 DNS 性能。
-在当今的体系结构中，运行在 ClusterFirst DNS 模式下的 Pod 可以连接到 kube-dns `serviceIP` 进行 DNS 查询。
+在当今的体系结构中，运行在 'ClusterFirst' DNS 模式下的 Pod 可以连接到 kube-dns `serviceIP` 进行 DNS 查询。
 通过 kube-proxy 添加的 iptables 规则将其转换为 kube-dns/CoreDNS 端点。
 借助这种新架构，Pods 将可以访问在同一节点上运行的 DNS 缓存代理，从而避免 iptables DNAT 规则和连接跟踪。
 本地缓存代理将查询 kube-dns 服务以获取集群主机名的缓存缺失（默认为 "`cluster.local`" 后缀）。
@@ -43,22 +52,29 @@ NodeLocal DNSCache 通过在集群节点上作为 DaemonSet 运行 DNS 缓存代
 ## 动机
 
 <!--
-* With the current DNS architecture, it is possible that Pods with the highest DNS QPS have to reach out to a different node, if there is no local kube-dns/CoreDNS instance.
-Having a local cache will help improve the latency in such scenarios.
+* With the current DNS architecture, it is possible that Pods with the highest DNS QPS
+  have to reach out to a different node, if there is no local kube-dns/CoreDNS instance.
+  Having a local cache will help improve the latency in such scenarios.
 -->
 * 使用当前的 DNS 体系结构，如果没有本地 kube-dns/CoreDNS 实例，则具有最高 DNS QPS
   的 Pod 可能必须延伸到另一个节点。
   在这种场景下，拥有本地缓存将有助于改善延迟。
 
 <!--
-* Skipping iptables DNAT and connection tracking will help reduce [conntrack races](https://github.com/kubernetes/kubernetes/issues/56903) and avoid UDP DNS entries filling up conntrack table.
+* Skipping iptables DNAT and connection tracking will help reduce
+  [conntrack races](https://github.com/kubernetes/kubernetes/issues/56903)
+  and avoid UDP DNS entries filling up conntrack table.
 -->
 * 跳过 iptables DNAT 和连接跟踪将有助于减少
   [conntrack 竞争](https://github.com/kubernetes/kubernetes/issues/56903)
   并避免 UDP DNS 条目填满 conntrack 表。
 
 <!--
-* Connections from local caching agent to kube-dns servie can be upgraded to TCP. TCP conntrack entries will be removed on connection close in contrast with UDP entries that have to timeout ([default](https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt) `nf_conntrack_udp_timeout` is 30 seconds)
+* Connections from local caching agent to kube-dns service can be upgraded to TCP.
+  TCP conntrack entries will be removed on connection close in contrast with
+  UDP entries that have to timeout
+  ([default](https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt)
+  `nf_conntrack_udp_timeout` is 30 seconds)
 -->
 * 从本地缓存代理到 kube-dns 服务的连接可以升级为 TCP 。
   TCP conntrack 条目将在连接关闭时被删除，相反 UDP 条目必须超时
@@ -66,14 +82,16 @@ Having a local cache will help improve the latency in such scenarios.
   `nf_conntrack_udp_timeout` 是 30 秒）。
 
 <!--
-* Upgrading DNS queries from UDP to TCP would reduce tail latency attributed to dropped UDP packets and DNS timeouts usually up to 30s (3 retries + 10s timeout). Since the nodelocal cache listens for UDP DNS queries, applications don't need to be changed.
+* Upgrading DNS queries from UDP to TCP would reduce tail latency attributed to
+  dropped UDP packets and DNS timeouts usually up to 30s (3 retries + 10s timeout).
+  Since the nodelocal cache listens for UDP DNS queries, applications don't need to be changed.
 -->
 * 将 DNS 查询从 UDP 升级到 TCP 将减少由于被丢弃的 UDP 包和 DNS 超时而带来的尾部等待时间；
   这类延时通常长达 30 秒（3 次重试 + 10 秒超时）。
   由于 nodelocal 缓存监听 UDP DNS 查询，应用不需要变更。
 
 <!--
-* Metrics & visibility into dns requests at a node level.
+* Metrics & visibility into DNS requests at a node level.
 -->
 * 在节点级别对 DNS 请求的度量和可见性。
 
@@ -101,8 +119,14 @@ This is the path followed by DNS Queries after NodeLocal DNSCache is enabled:
 ## Configuration
 -->
 ## 配置
+
 <!--
-{{< note >}} The local listen IP address for NodeLocal DNSCache can be any address that can be guaranteed to not collide with any existing IP in your cluster. It's recommended to use an address with a local scope, per example, from the link-local range 169.254.0.0/16 for IPv4 or from the Unique Local Address range in IPv6 fd00::/8.
+{{< note >}}
+The local listen IP address for NodeLocal DNSCache can be any address that
+can be guaranteed to not collide with any existing IP in your cluster.
+It's recommended to use an address with a local scope, per example,
+from the 'link-local' range '169.254.0.0/16' for IPv4 or from the
+'Unique Local Address' range in IPv6 'fd00::/8'.
 {{< /note >}}
 -->
 {{< note >}} 
@@ -117,32 +141,40 @@ This feature can be enabled using the following steps:
 可以使用以下步骤启动此功能：
 
 <!--
-* Prepare a manifest similar to the sample [`nodelocaldns.yaml`](https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml) and save it as `nodelocaldns.yaml.`
+* Prepare a manifest similar to the sample
+  [`nodelocaldns.yaml`](https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml)
+  and save it as `nodelocaldns.yaml.`
 -->
 * 根据示例 [`nodelocaldns.yaml`](https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml) 
   准备一个清单，把它保存为 `nodelocaldns.yaml`。
+
 <!--
-* If using IPv6, the CoreDNS configuration file need to enclose all the IPv6 addresses into square brackets if used in IP:Port format. 
-If you are using the sample manifest from the previous point, this will require to modify [the configuration line L70](https://github.com/kubernetes/kubernetes/blob/b2ecd1b3a3192fbbe2b9e348e095326f51dc43dd/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml#L70) like this `health [__PILLAR__LOCAL__DNS__]:8080`
+* If using IPv6, the CoreDNS configuration file need to enclose all the IPv6 addresses
+  into square brackets if used in 'IP:Port' format.
+  If you are using the sample manifest from the previous point, this will require to modify
+  [the configuration line L70](https://github.com/kubernetes/kubernetes/blob/b2ecd1b3a3192fbbe2b9e348e095326f51dc43dd/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml#L70)
+  like this: "`health [__PILLAR__LOCAL__DNS__]:8080`"
 -->
-* 如果使用 IPv6，在使用 IP:Port 格式的时候需要把 CoreDNS 配置文件里的所有 IPv6 地址用方括号包起来。
+* 如果使用 IPv6，在使用 'IP:Port' 格式的时候需要把 CoreDNS 配置文件里的所有 IPv6 地址用方括号包起来。
   如果你使用上述的示例清单，需要把
   [配置行 L70](https://github.com/kubernetes/kubernetes/blob/b2ecd1b3a3192fbbe2b9e348e095326f51dc43dd/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml#L70) 
-  修改为 `health [__PILLAR__LOCAL__DNS__]:8080`。
+  修改为： "`health [__PILLAR__LOCAL__DNS__]:8080`"。
+
 <!--
 * Substitute the variables in the manifest with the right values:
 
-     * kubedns=`kubectl get svc kube-dns -n kube-system -o jsonpath={.spec.clusterIP}`
-
-     * domain=`<cluster-domain>`
-
-     * localdns=`<node-local-address>`
+  ```shell
+  kubedns=`kubectl get svc kube-dns -n kube-system -o jsonpath={.spec.clusterIP}`
+  domain=<cluster-domain>
+  localdns=<node-local-address>
+  ```
 
-     `<cluster-domain>` is "cluster.local" by default. `<node-local-address>` is the local listen IP address chosen for NodeLocal DNSCache.
+  `<cluster-domain>` is "`cluster.local`" by default. `<node-local-address>` is the
+  local listen IP address chosen for NodeLocal DNSCache.
 -->
 * 把清单里的变量更改为正确的值：
 
-  ```
+  ```shell
   kubedns=`kubectl get svc kube-dns -n kube-system -o jsonpath={.spec.clusterIP}`
   domain=<cluster-domain>
   localdns=<node-local-address>
@@ -152,15 +184,17 @@ If you are using the sample manifest from the previous point, this will require
   NodeLocal DNSCache 选择的本地侦听 IP 地址。
 
 <!--
-   * If kube-proxy is running in IPTABLES mode:
+  * If kube-proxy is running in IPTABLES mode:
 
-     ``` bash
-     sed -i "s/__PILLAR__LOCAL__DNS__/$localdns/g; s/__PILLAR__DNS__DOMAIN__/$domain/g; s/__PILLAR__DNS__SERVER__/$kubedns/g" nodelocaldns.yaml
-     ```
+    ``` bash
+    sed -i "s/__PILLAR__LOCAL__DNS__/$localdns/g; s/__PILLAR__DNS__DOMAIN__/$domain/g; s/__PILLAR__DNS__SERVER__/$kubedns/g" nodelocaldns.yaml
+    ```
 
-     `__PILLAR__CLUSTER__DNS__` and `__PILLAR__UPSTREAM__SERVERS__` will be populated by the node-local-dns pods.
-     In this mode, node-local-dns pods listen on both the kube-dns service IP as well as `<node-local-address>`, so pods can lookup DNS records using either IP address.
--->   
+    `__PILLAR__CLUSTER__DNS__` and `__PILLAR__UPSTREAM__SERVERS__` will be populated by
+    the `node-local-dns` pods.
+    In this mode, the `node-local-dns` pods listen on both the kube-dns service IP
+    as well as `<node-local-address>`, so pods can lookup DNS records using either IP address.
+-->
   * 如果 kube-proxy 运行在 IPTABLES 模式：
 
     ``` bash
@@ -170,44 +204,57 @@ If you are using the sample manifest from the previous point, this will require
     node-local-dns Pods 会设置 `__PILLAR__CLUSTER__DNS__` 和 `__PILLAR__UPSTREAM__SERVERS__`。
     在此模式下, node-local-dns Pods 会同时侦听 kube-dns 服务的 IP 地址和
     `<node-local-address>` 的地址，以便 Pods 可以使用其中任何一个 IP 地址来查询 DNS 记录。
-  <!--
+
+<!--
   * If kube-proxy is running in IPVS mode:
 
     ``` bash
-     sed -i "s/__PILLAR__LOCAL__DNS__/$localdns/g; s/__PILLAR__DNS__DOMAIN__/$domain/g; s/,__PILLAR__DNS__SERVER__//g; s/__PILLAR__CLUSTER__DNS__/$kubedns/g" nodelocaldns.yaml
+    sed -i "s/__PILLAR__LOCAL__DNS__/$localdns/g; s/__PILLAR__DNS__DOMAIN__/$domain/g; s/,__PILLAR__DNS__SERVER__//g; s/__PILLAR__CLUSTER__DNS__/$kubedns/g" nodelocaldns.yaml
     ```
-     In this mode, node-local-dns pods listen only on `<node-local-address>`. The node-local-dns interface cannot bind the kube-dns cluster IP since the interface used for IPVS loadbalancing already uses this address.
-     `__PILLAR__UPSTREAM__SERVERS__` will be populated by the node-local-dns pods.
+
+    In this mode, the `node-local-dns` pods listen only on `<node-local-address>`.
+    The `node-local-dns` interface cannot bind the kube-dns cluster IP since the
+    interface used for IPVS loadbalancing already uses this address.
+    `__PILLAR__UPSTREAM__SERVERS__` will be populated by the node-local-dns pods.
 -->
   * 如果 kube-proxy 运行在 IPVS 模式：
 
     ``` bash
-    sed -i "s/__PILLAR__LOCAL__DNS__/$localdns/g; s/__PILLAR__DNS__DOMAIN__/$domain/g; s/__PILLAR__DNS__SERVER__//g; s/__PILLAR__CLUSTER__DNS__/$kubedns/g" nodelocaldns.yaml
+    sed -i "s/__PILLAR__LOCAL__DNS__/$localdns/g; s/__PILLAR__DNS__DOMAIN__/$domain/g; s/,__PILLAR__DNS__SERVER__//g; s/__PILLAR__CLUSTER__DNS__/$kubedns/g" nodelocaldns.yaml
     ```
 
     在此模式下，node-local-dns Pods 只会侦听 `<node-local-address>` 的地址。
     node-local-dns 接口不能绑定 kube-dns 的集群 IP 地址，因为 IPVS 负载均衡
     使用的接口已经占用了该地址。
     node-local-dns Pods 会设置 `__PILLAR__UPSTREAM__SERVERS__`。
-     
+
 <!--
 * Run `kubectl create -f nodelocaldns.yaml`
-* If using kube-proxy in IPVS mode, `--cluster-dns` flag to kubelet needs to be modified to use `<node-local-address>` that NodeLocal DNSCache is listening on.
-  Otherwise, there is no need to modify the value of the `--cluster-dns` flag, since NodeLocal DNSCache listens on both the kube-dns service IP as well as `<node-local-address>`.
+
+* If using kube-proxy in IPVS mode, `--cluster-dns` flag to kubelet needs to be modified
+  to use `<node-local-address>` that NodeLocal DNSCache is listening on.
+  Otherwise, there is no need to modify the value of the `--cluster-dns` flag,
+  since NodeLocal DNSCache listens on both the kube-dns service IP as well as
+  `<node-local-address>`.
 -->
 * 运行 `kubectl create -f nodelocaldns.yaml`
+
 * 如果 kube-proxy 运行在 IPVS 模式，需要修改 kubelet 的 `--cluster-dns` 参数
   NodeLocal DNSCache 正在侦听的 `<node-local-address>` 地址。
   否则，不需要修改 `--cluster-dns` 参数，因为 NodeLocal DNSCache 会同时侦听
   kube-dns 服务的 IP 地址和 `<node-local-address>` 的地址。
 
 <!--
-Once enabled, node-local-dns Pods will run in the kube-system namespace on each of the cluster nodes. This Pod runs [CoreDNS](https://github.com/coredns/coredns) in cache mode, so all CoreDNS metrics exposed by the different plugins will be available on a per-node basis.
+Once enabled, the `node-local-dns` Pods will run in the `kube-system` namespace
+on each of the cluster nodes. This Pod runs [CoreDNS](https://github.com/coredns/coredns)
+in cache mode, so all CoreDNS metrics exposed by the different plugins will
+be available on a per-node basis.
 
-You can disable this feature by removing the DaemonSet, using `kubectl delete -f <manifest>` . You should also revert any changes you made to the kubelet configuration.
+You can disable this feature by removing the DaemonSet, using `kubectl delete -f <manifest>`.
+You should also revert any changes you made to the kubelet configuration.
 -->
-启用后，node-local-dns Pods 将在每个集群节点上的 kube-system 名字空间中运行。
-此 Pod 在缓存模式下运行 [CoreDNS](https://github.com/coredns/coredns) ，
+启用后，`node-local-dns` Pods 将在每个集群节点上的 `kube-system` 名字空间中运行。
+此 Pod 在缓存模式下运行 [CoreDNS](https://github.com/coredns/coredns)，
 因此每个节点都可以使用不同插件公开的所有 CoreDNS 指标。
 
 如果要禁用该功能，你可以使用 `kubectl delete -f <manifest>` 来删除 DaemonSet。
@@ -228,7 +275,7 @@ In those cases, the `kube-dns` ConfigMap can be updated.
 -->
 `node-local-dns` Pod 能够自动读取 `kube-system` 名字空间中 `kube-dns` ConfigMap
 中保存的 StubDomains 和上游服务器信息。ConfigMap 中的内容需要遵从
-[此示例](/zh/docs/tasks/administer-cluster/dns-custom-nameservers/#example-1)
+[此示例](/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/#example-1)
 中所给的格式。
 `node-local-dns` ConfigMap 也可被直接修改，使用 Corefile 格式设置 stubDomain 配置。
 某些云厂商可能不允许直接修改 `node-local-dns` ConfigMap 的内容。
@@ -240,7 +287,9 @@ In those cases, the `kube-dns` ConfigMap can be updated.
 ## 设置内存限制
 
 <!--
-node-local-dns pods use memory for storing cache entries and processing queries. Since they do not watch Kubernetes objects, the cluster size or the number of Services/Endpoints do not directly affect memory usage. Memory usage is influenced by the DNS query pattern.
+The `node-local-dns` Pods use memory for storing cache entries and processing queries.
+Since they do not watch Kubernetes objects, the cluster size or the number of Services/Endpoints
+do not directly affect memory usage. Memory usage is influenced by the DNS query pattern.
 From [CoreDNS docs](https://github.com/coredns/deployment/blob/master/kubernetes/Scaling_CoreDNS.md),
 > The default cache size is 10000 entries, which uses about 30 MB when completely filled.
 -->
@@ -267,18 +316,18 @@ using the `max_concurrent` option in the forward plugin.
 你可以在 forward 插件中使用 `max_concurrent` 选项设置并发查询数量上限。
 
 <!--
-If a node-local-dns pod attempts to use more memory than is available (because of total system
+If a `node-local-dns` Pod attempts to use more memory than is available (because of total system
 resources, or because of a configured
 [resource limit](/docs/concepts/configuration/manage-resources-containers/)), the operating system
 may shut down that pod's container.
 If this happens, the container that is terminated (“OOMKilled”) does not clean up the custom
 packet filtering rules that it previously added during startup.
-The node-local-dns container should get restarted (since managed as part of a DaemonSet), but this
+The `node-local-dns` container should get restarted (since managed as part of a DaemonSet), but this
 will lead to a brief DNS downtime each time that the container fails: the packet filtering rules direct
 DNS queries to a local Pod that is unhealthy.
 -->
 如果一个 `node-local-dns` Pod 尝试使用的内存超出可提供的内存量
-（因为系统资源总量的，或者所配置的[资源约束](/zh/docs/concepts/configuration/manage-resources-containers/)）的原因，
+（因为系统资源总量的，或者所配置的[资源约束](/zh-cn/docs/concepts/configuration/manage-resources-containers/)）的原因，
 操作系统可能会关闭这一 Pod 的容器。
 发生这种情况时，被终止的（"OOMKilled"）容器不会清理其启动期间所添加的定制包过滤规则。
 该 `node-local-dns` 容器应该会被重启（因其作为 DaemonSet 的一部分被管理），
diff --git a/content/zh/docs/tasks/administer-cluster/quota-api-object.md b/content/zh-cn/docs/tasks/administer-cluster/quota-api-object.md
similarity index 72%
rename from content/zh/docs/tasks/administer-cluster/quota-api-object.md
rename to content/zh-cn/docs/tasks/administer-cluster/quota-api-object.md
index f1b5050523fee..ac8cabc067dc6 100644
--- a/content/zh/docs/tasks/administer-cluster/quota-api-object.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/quota-api-object.md
@@ -34,7 +34,7 @@ object.
 Create a namespace so that the resources you create in this exercise are
 isolated from the rest of your cluster.
 -->
-## 创建命名空间
+## 创建命名空间    {#create-a-namespace}
 
 创建一个命名空间以便本例中创建的资源和集群中的其余部分相隔离。
 
@@ -47,7 +47,7 @@ kubectl create namespace quota-object-example
 
 Here is the configuration file for a ResourceQuota object:
 -->
-## 创建 ResourceQuota
+## 创建 ResourceQuota    {#create-a-resourcequota}
 
 下面是一个 ResourceQuota 对象的配置文件：
 
@@ -96,7 +96,7 @@ status:
 
 Here is the configuration file for a PersistentVolumeClaim object:
 -->
-## 创建 PersistentVolumeClaim
+## 创建 PersistentVolumeClaim    {#create-a-persistentvolumeclaim}
 
 下面是一个 PersistentVolumeClaim 对象的配置文件：
 
@@ -135,7 +135,7 @@ pvc-quota-demo   Pending
 
 Here is the configuration file for a second PersistentVolumeClaim:
 -->
-## 尝试创建第二个 PersistentVolumeClaim
+## 尝试创建第二个 PersistentVolumeClaim    {#attempt-to-create-a-second-persistentvolumeclaim}
 
 下面是第二个 PersistentVolumeClaim 的配置文件：
 
@@ -147,8 +147,9 @@ Attempt to create the second PersistentVolumeClaim:
 尝试创建第二个 PersistentVolumeClaim：
 
 ```shell
-kubectl create -f https://k8s.io/examples/admin/resource/quota-objects-pvc-2.yaml --namespace=quota-object-example
+kubectl apply -f https://k8s.io/examples/admin/resource/quota-objects-pvc-2.yaml --namespace=quota-object-example
 ```
+
 <!--
 The output shows that the second PersistentVolumeClaim was not created,
 because it would have exceeded the quota for the namespace.
@@ -167,11 +168,14 @@ used: persistentvolumeclaims=1, limited: persistentvolumeclaims=1
 These are the strings used to identify API resources that can be constrained
 by quotas:
 -->
-## 说明
+## 说明    {#notes}
 
 下面这些字符串可被用来标识那些能被配额限制的 API 资源：
 
 <table>
+<!--
+<tr><th>String</th><th>API Object</th></tr>
+-->
 <tr><th>字符串</th><th>API 对象</th></tr>
 <tr><td>"pods"</td><td>Pod</td></tr>
 <tr><td>"services"</td><td>Service</td></tr>
@@ -180,7 +184,13 @@ by quotas:
 <tr><td>"secrets"</td><td>Secret</td></tr>
 <tr><td>"configmaps"</td><td>ConfigMap</td></tr>
 <tr><td>"persistentvolumeclaims"</td><td>PersistentVolumeClaim</td></tr>
+<!--
+<tr><td>"services.nodeports"</td><td>Service of type NodePort</td></tr>
+-->
 <tr><td>"services.nodeports"</td><td>NodePort 类型的 Service</td></tr>
+<!--
+<tr><td>"services.loadbalancers"</td><td>Service of type LoadBalancer</td></tr>
+-->
 <tr><td>"services.loadbalancers"</td><td>LoadBalancer 类型的 Service</td></tr>
 </table>
 
@@ -189,7 +199,7 @@ by quotas:
 
 Delete your namespace:
 -->
-## 清理
+## 清理    {#clean-up}
 
 删除你的命名空间：
 
@@ -202,27 +212,27 @@ kubectl delete namespace quota-object-example
 <!--
 ### For cluster administrators
 
-* [Configure Default Memory Requests and Limits for a Namespace](/docs/tasks/administer-cluster/memory-default-namespace/)
+* [Configure Default Memory Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
 
-* [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/cpu-default-namespace/)
+* [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
 
-* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/memory-constraint-namespace/)
+* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
 
-* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/cpu-constraint-namespace/)
+* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
 
-* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/)
+* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
 
-* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/quota-pod-namespace/)
+* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 -->
 
-### 集群管理员参考
+### 集群管理员参考    {#for-cluster-administrators}
 
-* [为命名空间配置默认的内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置默认的 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
-* [为命名空间配置内存的最小和最大限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置 CPU 的最小和最大限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置 CPU 和内存配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为命名空间配置默认的内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置默认的 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+* [为命名空间配置内存的最小和最大限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置 CPU 的最小和最大限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置 CPU 和内存配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 
 <!--
 ### For app developers
@@ -234,9 +244,9 @@ kubectl delete namespace quota-object-example
 * [Configure Quality of Service for Pods](/docs/tasks/configure-pod-container/quality-service-pod/)
 -->
 
-### 应用开发者参考
+### 应用开发者参考    {#for-app-developers}
 
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [为 Pod 配置服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 配置服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/reconfigure-kubelet.md b/content/zh-cn/docs/tasks/administer-cluster/reconfigure-kubelet.md
new file mode 100644
index 0000000000000..63dcd3ebf0b91
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/reconfigure-kubelet.md
@@ -0,0 +1,90 @@
+---
+title: 在运行中的集群上重新配置节点的 kubelet
+content_type: task
+min-kubernetes-server-version: v1.11
+---
+
+<!--
+reviewers:
+- mtaufen
+- dawnchen
+title: Reconfigure a Node's Kubelet in a Live Cluster
+content_type: task
+-->
+
+<!-- overview -->
+
+{{< feature-state for_k8s_version="v1.22" state="deprecated" >}}
+
+<!--
+{{< caution >}}
+The [Dynamic Kubelet Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration)
+feature is deprecated in 1.22 and removed in 1.24.
+Please switch to alternative means distributing configuration to the Nodes of your cluster.
+{{< /caution >}}
+-->
+{{< caution >}}
+[动态 kubelet 配置](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration)
+功能在 Kubernetes 1.22 版本弃用，并在 1.24 版本中移除。
+请选择其他方法将配置分发到集群中的节点。
+{{< /caution >}}
+
+<!--
+[Dynamic Kubelet Configuration](https://github.com/kubernetes/enhancements/issues/281)
+allowed you to change the configuration of each
+{{< glossary_tooltip text="kubelet" term_id="kubelet" >}} in a running kubernetes cluster,
+by deploying a {{< glossary_tooltip text="kubelet" text="ConfigMap" term_id="configmap" >}} and configuring
+each {{< glossary_tooltip term_id="node" >}} to use it.
+-->
+[动态 kubelet 配置](https://github.com/kubernetes/enhancements/issues/281)
+允许你通过部署并配置{{< glossary_tooltip text="节点" term_id="node" >}}使用的
+{{< glossary_tooltip text="ConfigMap" term_id="configmap" >}}，
+达到更改正在运行的 Kubernetes 集群的 {{< glossary_tooltip text="kubelet" term_id="kubelet" >}}
+配置的目的。
+
+<!--
+Please find documentation on this feature in [earlier versions of documentation](https://v1-23.docs.kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/).
+-->
+请在[早期版本的文档](https://v1-23.docs.kubernetes.io/zh-cn/docs/tasks/administer-cluster/reconfigure-kubelet/)中寻找有关此功能的文档。
+
+<!--
+## Migrating from using Dynamic Kubelet Configuration
+
+There is no recommended replacement for this feature that works generically
+across various Kubernetes distributions. If you are using managed Kubernetes
+version, please consult with the vendor hosting Kubernetes for the best
+practices for customizing your Kubernetes. If you are using `kubeadm`, refer to
+[Configuring each kubelet in your cluster using kubeadm](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/).
+-->
+## 不再使用动态 Kubelet 配置
+
+这里没有跨不同的 Kubernetes 发行版替换这个功能的建议方法。
+如果你使用托管 Kubernetes 版本，
+请咨询托管 Kubernetes 的供应商，以获得自定义 Kubernetes 的最佳实践。
+如果你使用的是 `kubeadm`，
+请参考[使用 kubeadm 配置集群中的各个 kubelet](/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration/)。
+
+<!--
+In order to migrate off the Dynamic Kubelet Configuration feature, the
+alternative mechanism should be used to distribute kubelet configuration files.
+In order to apply configuration, config file must be updated and kubelet restarted.
+See the [Set Kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file/)
+for information.
+-->
+为了停止使用动态 Kubelet 配置功能，
+应该使用替代机制分发 kubelet 配置文件。
+为了使配置生效，必须更新配置文件并重新启动 kubelet。
+请参考[通过配置文件设置 Kubelet 参数](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/)。
+
+<!--
+Please note, the `DynamicKubeletConfig` feature gate cannot be set on a kubelet
+starting v1.24 as it has no effect. However, the feature gate is not removed
+from the API server or the controller manager before v1.26. This is designed for
+the control plane to support nodes with older versions of kubelets and for
+satisfying the [Kubernetes version skew policy](/releases/version-skew-policy/).
+-->
+请注意，从 v1.24 开始 `DynamicKubeletConfig` 特性门控无法在 kubelet 上设置，
+因为不会生效。在 v1.26 之前 API 服务器和控制器管理器不会移除该特性门控。
+这是专为控制面支持有旧版本 kubelet 的节点以及满足
+[Kubernetes 版本偏差策略](/zh-cn/releases/version-skew-policy/)。
+
diff --git a/content/zh/docs/tasks/administer-cluster/reserve-compute-resources.md b/content/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources.md
similarity index 93%
rename from content/zh/docs/tasks/administer-cluster/reserve-compute-resources.md
rename to content/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources.md
index 0788303042268..04f87c790908b 100644
--- a/content/zh/docs/tasks/administer-cluster/reserve-compute-resources.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources.md
@@ -1,8 +1,4 @@
 ---
-reviewers:
-- vishh
-- derekwaynecarr
-- dashpole
 title: 为系统守护进程预留计算资源
 content_type: task
 min-kubernetes-server-version: 1.8
@@ -28,7 +24,7 @@ node.
 
 The `kubelet` exposes a feature named 'Node Allocatable' that helps to reserve
 compute resources for system daemons. Kubernetes recommends cluster
-administrators to configure `Node Allocatable` based on their workload density
+administrators to configure 'Node Allocatable' based on their workload density
 on each node.
 -->
 Kubernetes 的节点可以按照 `Capacity` 调度。默认情况下 pod 能够使用节点全部可用容量。
@@ -36,7 +32,7 @@ Kubernetes 的节点可以按照 `Capacity` 调度。默认情况下 pod 能够
 除非为这些系统守护进程留出资源，否则它们将与 pod 争夺资源并导致节点资源短缺问题。
 
 `kubelet` 公开了一个名为 'Node Allocatable' 的特性，有助于为系统守护进程预留计算资源。
-Kubernetes 推荐集群管理员按照每个节点上的工作负载密度配置 `Node Allocatable`。
+Kubernetes 推荐集群管理员按照每个节点上的工作负载密度配置 “Node Allocatable”。
 
 ## {{% heading "prerequisites" %}}
 
@@ -46,7 +42,7 @@ Your Kubernetes server must be at or later than version 1.17 to use
 the kubelet command line option `--reserved-cpus` to set an
 [explicitly reserved CPU list](#explicitly-reserved-cpu-list).
 -->
-您的 kubernetes 服务器版本必须至少是 1.17 版本，才能使用 kubelet
+你的 kubernetes 服务器版本必须至少是 1.17 版本，才能使用 kubelet
 命令行选项 `--reserved-cpus` 设置
 [显式预留 CPU 列表](#explicitly-reserved-cpu-list)。
 
@@ -72,7 +68,7 @@ Resources can be reserved for two categories of system daemons in the `kubelet`.
 
 Kubernetes 节点上的 'Allocatable' 被定义为 pod 可用计算资源量。
 调度器不会超额申请 'Allocatable'。
-目前支持 'CPU', 'memory' 和 'ephemeral-storage' 这几个参数。
+目前支持 'CPU'、'memory' 和 'ephemeral-storage' 这几个参数。
 
 可分配的节点暴露为 API 中 `v1.Node` 对象的一部分，也是 CLI 中
 `kubectl describe node` 的一部分。
@@ -87,7 +83,7 @@ enable the new cgroup hierarchy via the `--cgroups-per-qos` flag. This flag is
 enabled by default. When enabled, the `kubelet` will parent all end-user pods
 under a cgroup hierarchy managed by the `kubelet`.
 -->
-### 启用 QoS 和 Pod 级别的 cgroups
+### 启用 QoS 和 Pod 级别的 cgroups  {#enabling-qos-and-pod-level-cgroups}
 
 为了恰当的在节点范围实施节点可分配约束，你必须通过 `--cgroups-per-qos`
 标志启用新的 cgroup 层次结构。这个标志是默认启用的。
@@ -110,10 +106,10 @@ transient slices for resources that are supported by that init system.
 Depending on the configuration of the associated container runtime,
 operators may have to choose a particular cgroup driver to ensure
 proper system behavior. For example, if operators use the `systemd`
-cgroup driver provided by the `docker` runtime, the `kubelet` must
+cgroup driver provided by the `containerd` runtime, the `kubelet` must
 be configured to use the `systemd` cgroup driver.
 -->
-### 配置 cgroup 驱动
+### 配置 cgroup 驱动  {#configuring-a-cgroup-driver}
 
 `kubelet` 支持在主机上使用 cgroup 驱动操作 cgroup 层次结构。
 驱动通过 `--cgroup-driver` 标志配置。
@@ -127,7 +123,7 @@ be configured to use the `systemd` cgroup driver.
 
 取决于相关容器运行时的配置，操作员可能需要选择一个特定的 cgroup 驱动
 来保证系统正常运行。
-例如，如果操作员使用 `docker` 运行时提供的 `systemd` cgroup 驱动时，
+例如，如果操作员使用 `containerd` 运行时提供的 `systemd` cgroup 驱动时，
 必须配置 `kubelet` 使用 `systemd` cgroup 驱动。
 
 <!--
@@ -191,7 +187,6 @@ exist. Kubelet will fail if an invalid cgroup is specified.
 - **Kubelet Flag**: `--system-reserved=[cpu=100m][,][memory=100Mi][,][ephemeral-storage=1Gi][,][pid=1000]`
 - **Kubelet Flag**: `--system-reserved-cgroup=`
 
-
 `system-reserved` is meant to capture resource reservation for OS system daemons
 like `sshd`, `udev`, etc. `system-reserved` should reserve `memory` for the
 `kernel` too since `kernel` memory is not accounted to pods in Kubernetes at this time.
@@ -237,14 +232,15 @@ exist. `kubelet` will fail if an invalid cgroup is specified.
 
 <!--
 ### Explicitly Reserved CPU List
-
--**Kubelet Flag**: `--reserved-cpus=0-3`
 -->
 ### 显式保留的 CPU 列表 {#explicitly-reserved-cpu-list}
 
 {{< feature-state for_k8s_version="v1.17" state="stable" >}}
 
--**Kubelet 标志**: `--reserved-cpus=0-3`
+<!--
+**Kubelet Flag**: `--reserved-cpus=0-3`
+-->
+**Kubelet 标志**：`--reserved-cpus=0-3`
 
 <!--
 `reserved-cpus` is meant to define an explicit CPU set for OS system daemons and
@@ -283,7 +279,7 @@ cpuset 上，应使用 Kubernetes 之外的其他机制。
 <!--
 ### Eviction Thresholds
 
-- **Kubelet Flag**: `--eviction-hard=[memory.available<500Mi]`
+**Kubelet Flag**: `--eviction-hard=[memory.available<500Mi]`
 
 Memory pressure at the node level leads to System OOMs which affects the entire
 node and all pods running on it. Nodes can go offline temporarily until memory
@@ -299,12 +295,12 @@ available for pods.
 -->
 ### 驱逐阈值   {#eviction-Thresholds}
 
-- **Kubelet 标志**: `--eviction-hard=[memory.available<500Mi]`
+**Kubelet 标志**：`--eviction-hard=[memory.available<500Mi]`
 
 节点级别的内存压力将导致系统内存不足，这将影响到整个节点及其上运行的所有 Pod。
 节点可以暂时离线直到内存已经回收为止。
 为了防止（或减少可能性）系统内存不足，kubelet 提供了
-[资源不足](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/)管理。
+[资源不足](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)管理。
 驱逐操作只支持 `memory` 和 `ephemeral-storage`。
 通过 `--eviction-hard` 标志预留一些内存后，当节点上的可用内存降至保留值以下时，
 `kubelet` 将尝试驱逐 Pod。
@@ -314,7 +310,7 @@ available for pods.
 <!--
 ### Enforcing Node Allocatable
 
--**Kubelet Flag**: `--enforce-node-allocatable=pods[,][system-reserved][,][kube-reserved]`
+**Kubelet Flag**: `--enforce-node-allocatable=pods[,][system-reserved][,][kube-reserved]`
 
 The scheduler treats 'Allocatable' as the available `capacity` for pods.
 
@@ -333,18 +329,18 @@ respectively.
 -->
 ### 实施节点可分配约束   {#enforcing-node-allocatable}
 
--**Kubelet 标志**: `--enforce-node-allocatable=pods[,][system-reserved][,][kube-reserved]`
+**Kubelet 标志**：`--enforce-node-allocatable=pods[,][system-reserved][,][kube-reserved]`
 
 调度器将 'Allocatable' 视为 Pod 可用的 `capacity`（资源容量）。
 
 `kubelet` 默认对 Pod 执行 'Allocatable' 约束。
 无论何时，如果所有 Pod 的总用量超过了 'Allocatable'，驱逐 Pod 的措施将被执行。
 有关驱逐策略的更多细节可以在
-[节点压力驱逐](/zh/docs/concepts/scheduling-eviction/pod-priority-preemption/)页找到。
+[节点压力驱逐](/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/)页找到。
 可通过设置 kubelet `--enforce-node-allocatable` 标志值为 `pods` 控制这个措施。
 
 可选地，通过在同一标志中同时指定 `kube-reserved` 和 `system-reserved` 值，
-可以使 `kubelet` 强制实施 `kube-reserved` 和 `system-reserved`约束。
+可以使 `kubelet` 强制实施 `kube-reserved` 和 `system-reserved` 约束。
 请注意，要想执行 `kube-reserved` 或者 `system-reserved` 约束，
 需要对应设置 `--kube-reserved-cgroup` 或者 `--system-reserved-cgroup`。
 
@@ -355,18 +351,18 @@ System daemons are expected to be treated similar to
 [Guaranteed pods](/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed). 
 System daemons can burst within their bounding control groups and this behavior needs
 to be managed as part of kubernetes deployments. For example, `kubelet` should
-have its own control group and share `Kube-reserved` resources with the
+have its own control group and share `kube-reserved` resources with the
 container runtime. However, Kubelet cannot burst and use up all available Node
 resources if `kube-reserved` is enforced.
 -->
 ## 一般原则   {#general-guidelines}
 
 系统守护进程一般会被按照类似
-[Guaranteed pods](/zh/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed)
+[Guaranteed pods](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed)
 一样对待。
 系统守护进程可以在与其对应的控制组中出现突发资源用量，这一行为要作为
 kubernetes 部署的一部分进行管理。
-例如，`kubelet` 应该有它自己的控制组并和容器运行时共享 `Kube-reserved` 资源。
+例如，`kubelet` 应该有它自己的控制组并和容器运行时共享 `kube-reserved` 资源。
 不过，如果执行了 `kube-reserved` 约束，则 kubelet 不可出现突发负载并用光
 节点的所有可用资源。
 
@@ -391,7 +387,7 @@ ability to recover if any process in that group is oom-killed.
 
 * 作为起步，可以先针对 `pods` 上执行 'Allocatable' 约束。
 * 一旦用于追踪系统守护进程的监控和告警的机制到位，可尝试基于用量估计的
-  方式执行 `kube-reserved`策略。
+  方式执行 `kube-reserved` 策略。
 * 随着时间推进，在绝对必要的时候可以执行 `system-reserved` 策略。
 
 <!--
@@ -437,7 +433,7 @@ much CPU as they can, pods together cannot consume more than 14.5 CPUs.
 
 If `kube-reserved` and/or `system-reserved` is not enforced and system daemons
 exceed their reservation, `kubelet` evicts pods whenever the overall node memory
-usage is higher than 31.5Gi or `storage` is greater than 90Gi
+usage is higher than 31.5Gi or `storage` is greater than 90Gi.
 -->
 在这个场景下，'Allocatable' 将会是 14.5 CPUs、28.5Gi 内存以及 `88Gi` 本地存储。
 调度器保证这个节点上的所有 Pod 的内存 `requests` 总量不超过 28.5Gi，
@@ -448,6 +444,6 @@ kubelet 将会驱逐它们。
 14.5 CPUs 的资源。
 
 当没有执行 `kube-reserved` 和/或 `system-reserved` 策略且系统守护进程
-使用量超过其预留时，如果节点内存用量高于 31.5Gi 或`存储`大于 90Gi，
+使用量超过其预留时，如果节点内存用量高于 31.5Gi 或 `storage` 大于 90Gi，
 kubelet 将会驱逐 Pod。
 
diff --git a/content/zh/docs/tasks/administer-cluster/running-cloud-controller.md b/content/zh-cn/docs/tasks/administer-cluster/running-cloud-controller.md
similarity index 98%
rename from content/zh/docs/tasks/administer-cluster/running-cloud-controller.md
rename to content/zh-cn/docs/tasks/administer-cluster/running-cloud-controller.md
index 5c4340be3b007..9eac2cd00535a 100644
--- a/content/zh/docs/tasks/administer-cluster/running-cloud-controller.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/running-cloud-controller.md
@@ -78,7 +78,7 @@ Successfully running cloud-controller-manager requires some changes to your clus
 <!--
 Keep in mind that setting up your cluster to use cloud controller manager will change your cluster behaviour in a few ways:
 -->
-请记住，设置群集使用云管理控制器将用多种方式更改群集行为：
+请记住，设置集群使用云管理控制器将用多种方式更改集群行为：
 
 <!--
 * kubelets specifying `--cloud-provider=external` will add a taint `node.cloudprovider.kubernetes.io/uninitialized` with an effect `NoSchedule` during initialization. This marks the node as needing a second initialization from an external controller before it can be scheduled work. Note that in the event that cloud controller manager is not available, new nodes in the cluster will be left unschedulable. The taint is important since the scheduler may require cloud specific information about nodes such as their region or type (high cpu, gpu, high memory, spot instance, etc).
@@ -196,6 +196,6 @@ TLS 证书以和 API 服务器通信。
 To build and develop your own cloud controller manager, read the [Developing Cloud Controller Manager](/docs/tasks/administer-cluster/developing-cloud-controller-manager.md) doc.
 -->
 要构建和开发你自己的云管理控制器，请阅读
-[开发云管理控制器](/zh/docs/tasks/administer-cluster/developing-cloud-controller-manager/)
+[开发云管理控制器](/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager/)
 文档。
 
diff --git a/content/zh/docs/tasks/administer-cluster/safely-drain-node.md b/content/zh-cn/docs/tasks/administer-cluster/safely-drain-node.md
similarity index 92%
rename from content/zh/docs/tasks/administer-cluster/safely-drain-node.md
rename to content/zh-cn/docs/tasks/administer-cluster/safely-drain-node.md
index 9f7be2553c608..ebe8ddd925e20 100644
--- a/content/zh/docs/tasks/administer-cluster/safely-drain-node.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/safely-drain-node.md
@@ -39,8 +39,8 @@ This task assumes that you have met the following prerequisites:
 * 使用的 Kubernetes 版本 >= 1.5。
 * 以下两项，具备其一：
   1. 在节点清空期间，不要求应用程序具有高可用性
-  2. 你已经了解了 [PodDisruptionBudget 的概念](/zh/docs/concepts/workloads/pods/disruptions/)，
-     并为需要它的应用程序[配置了 PodDisruptionBudget](/zh/docs/tasks/run-application/configure-pdb/)。
+  2. 你已经了解了 [PodDisruptionBudget 的概念](/zh-cn/docs/concepts/workloads/pods/disruptions/)，
+     并为需要它的应用程序[配置了 PodDisruptionBudget](/zh-cn/docs/tasks/run-application/configure-pdb/)。
 
 <!-- steps -->
 
@@ -56,9 +56,9 @@ first and then continue following this guide.
 -->
 ## （可选） 配置干扰预算 {#configure-poddisruptionbudget}
 
-为了确保你的负载在维护期间仍然可用，你可以配置一个 [PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/)。
+为了确保你的负载在维护期间仍然可用，你可以配置一个 [PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/)。
 如果可用性对于正在清空的该节点上运行或可能在该节点上运行的任何应用程序很重要，
-首先 [配置一个 PodDisruptionBudgets](/zh/docs/tasks/run-application/configure-pdb/) 并继续遵循本指南。
+首先 [配置一个 PodDisruptionBudgets](/zh-cn/docs/tasks/run-application/configure-pdb/) 并继续遵循本指南。
 
 <!-- 
 ## Use `kubectl drain` to remove a node from service
@@ -74,7 +74,7 @@ and will respect the `PodDisruptionBudgets` you have specified.
 在对节点执行维护（例如内核升级、硬件维护等）之前，
 可以使用 `kubectl drain` 从节点安全地逐出所有 Pods。
 安全的驱逐过程允许 Pod 的容器
-[体面地终止](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)，
+[体面地终止](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)，
 并确保满足指定的 PodDisruptionBudgets。
 
 <!-- 
@@ -183,12 +183,12 @@ For more information, see [API-initiated eviction](/docs/concepts/scheduling-evi
 [kubectl drain](/docs/reference/generated/kubectl/kubectl-commands/#drain)
 （比如避免调用外部命令，或者更细化地控制 pod 驱逐过程），
 你也可以用驱逐 API 通过编程的方式达到驱逐的效果。
-更多信息，请参阅 [API 发起的驱逐](/zh/docs/concepts/scheduling-eviction/api-eviction/)。
+更多信息，请参阅 [API 发起的驱逐](/zh-cn/docs/concepts/scheduling-eviction/api-eviction/)。
 
 ## {{% heading "whatsnext" %}}
 
 <!-- 
 * Follow steps to protect your application by [configuring a Pod Disruption Budget](/docs/tasks/run-application/configure-pdb/).
 -->
-* 执行[配置 PDB](/zh/docs/tasks/run-application/configure-pdb/)中的各个步骤，
+* 执行[配置 PDB](/zh-cn/docs/tasks/run-application/configure-pdb/)中的各个步骤，
   保护你的应用
diff --git a/content/zh/docs/tasks/administer-cluster/securing-a-cluster.md b/content/zh-cn/docs/tasks/administer-cluster/securing-a-cluster.md
similarity index 87%
rename from content/zh/docs/tasks/administer-cluster/securing-a-cluster.md
rename to content/zh-cn/docs/tasks/administer-cluster/securing-a-cluster.md
index 397c3d40a6f47..7ec999ec5c130 100644
--- a/content/zh/docs/tasks/administer-cluster/securing-a-cluster.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/securing-a-cluster.md
@@ -73,10 +73,10 @@ Consult the [authentication reference document](/docs/reference/access-authn-aut
 更大的集群则可能希望整合现有的、OIDC、LDAP 等允许用户分组的服务器。
 
 所有 API 客户端都必须经过身份验证，即使它是基础设施的一部分，比如节点、代理、调度程序和卷插件。
-这些客户端通常使用 [服务帐户](/zh/docs/reference/access-authn-authz/service-accounts-admin/)
+这些客户端通常使用 [服务帐户](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
 或 X509 客户端证书，并在集群启动时自动创建或是作为集群安装的一部分进行设置。
 
-如果你希望获取更多信息，请参考[认证参考文档](/zh/docs/reference/access-authn-authz/authentication/)。
+如果你希望获取更多信息，请参考[认证参考文档](/zh-cn/docs/reference/access-authn-authz/authentication/)。
 
 <!--
 ### API Authorization
@@ -86,19 +86,21 @@ an integrated [Role-Based Access Control (RBAC)](/docs/reference/access-authn-au
 set of permissions bundled into roles. These permissions combine verbs (get, create, delete) with
 resources (pods, services, nodes) and can be namespace-scoped or cluster-scoped. A set of out-of-the-box
 roles are provided that offer reasonable default separation of responsibility depending on what
-actions a client might want to perform. It is recommended that you use the [Node](/docs/reference/access-authn-authz/node/) and [RBAC](/docs/reference/access-authn-authz/rbac/) authorizers together, in combination with the
+actions a client might want to perform. It is recommended that you use the
+[Node](/docs/reference/access-authn-authz/node/) and
+[RBAC](/docs/reference/access-authn-authz/rbac/) authorizers together, in combination with the
 [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission plugin.
 -->
 ### API 授权
 
 一旦通过身份认证，每个 API 的调用都将通过鉴权检查。
-Kubernetes 集成[基于角色的访问控制（RBAC）](/zh/docs/reference/access-authn-authz/rbac/)组件，
+Kubernetes 集成[基于角色的访问控制（RBAC）](/zh-cn/docs/reference/access-authn-authz/rbac/)组件，
 将传入的用户或组与一组绑定到角色的权限匹配。
 这些权限将动作（get、create、delete）和资源（Pod、Service、Node）进行组合，并可在名字空间或者集群范围生效。
 Kubernetes 提供了一组可直接使用的角色，这些角色根据客户可能希望执行的操作提供合理的责任划分。
-建议你同时使用 [Node](/zh/docs/reference/access-authn-authz/node/) 和
-[RBAC](/zh/docs/reference/access-authn-authz/rbac/) 两个鉴权组件，再与
-[NodeRestriction](/zh/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
+建议你同时使用 [Node](/zh-cn/docs/reference/access-authn-authz/node/) 和
+[RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/) 两个鉴权组件，再与
+[NodeRestriction](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
 准入插件结合使用。
 
 <!--
@@ -128,7 +130,7 @@ Consult the [authorization reference section](/docs/reference/access-authn-authz
 原生的角色设计代表了灵活性和常见用例之间的平衡，但须限制的角色应该被仔细审查，
 以防止意外的权限升级。如果内置的角色无法满足你的需求，则可以根据使用场景需要创建特定的角色。
 
-如果你希望获取更多信息，请参阅[鉴权参考](/zh/docs/reference/access-authn-authz/authorization/)。
+如果你希望获取更多信息，请参阅[鉴权参考](/zh-cn/docs/reference/access-authn-authz/authorization/)。
 
 <!--
 ## Controlling access to the Kubelet
@@ -137,7 +139,8 @@ Kubelets expose HTTPS endpoints which grant powerful control over the node and c
 
 Production clusters should enable Kubelet authentication and authorization.
 
-Consult the [Kubelet authentication/authorization reference](/docs/admin/kubelet-authentication-authorization) for more information.
+Consult the [Kubelet authentication/authorization reference](/docs/reference/access-authn-authz/kubelet-authn-authz/)
+for more information.
 -->
 ## 控制对 Kubelet 的访问
 
@@ -147,7 +150,7 @@ Kubelet 公开 HTTPS 端点，这些端点提供了对节点和容器的强大
 生产级别的集群应启用 Kubelet 身份认证和授权。
 
 进一步的信息，请参考
-[Kubelet 身份验证/授权参考](/zh/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)。
+[Kubelet 身份验证/授权参考](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)。
 
 <!--
 ## Controlling the capabilities of a workload or user at runtime
@@ -169,17 +172,17 @@ resources granted to a namespace. This is most often used to limit the amount of
 or persistent disk a namespace can allocate, but can also control how many pods, services, or
 volumes exist in each namespace.
 
-[Limit ranges](/docs/tasks/administer-cluster/memory-default-namespace/) restrict the maximum or minimum size of some of the
+[Limit ranges](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/) restrict the maximum or minimum size of some of the
 resources above, to prevent users from requesting unreasonably high or low values for commonly
 reserved resources like memory, or to provide default limits when none are specified.
 -->
 ### 限制集群上的资源使用
 
-[资源配额（Resource Quota）](/zh/docs/concepts/policy/resource-quotas/)限制了赋予命名空间的资源的数量或容量。
+[资源配额（Resource Quota）](/zh-cn/docs/concepts/policy/resource-quotas/)限制了赋予命名空间的资源的数量或容量。
 资源配额通常用于限制名字空间可以分配的 CPU、内存或持久磁盘的数量，
 但也可以控制每个名字空间中存在多少个 Pod、Service 或 Volume。
 
-[限制范围（Limit Range）](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+[限制范围（Limit Range）](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
 限制上述某些资源的最大值或者最小值，以防止用户使用类似内存这样的通用保留资源时请求不合理的过高或过低的值，
 或者在没有指定的情况下提供默认限制。
 
@@ -197,14 +200,14 @@ in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}, or to detect
 -->
 ### 控制容器运行的特权
 
-Pod 定义包含了一个[安全上下文](/zh/docs/tasks/configure-pod-container/security-context/)，
+Pod 定义包含了一个[安全上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/)，
 用于描述一些访问请求，如以某个节点上的特定 Linux 用户（如 root）身份运行，
 以特权形式运行，访问主机网络，以及一些在宿主节点上不受约束地运行的其它控制权限等等。
 
-你可以配置 [Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)来在某个
+你可以配置 [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)来在某个
 {{< glossary_tooltip text="名字空间" term_id="namespace" >}}中
 强制实施特定的
-[Pod 安全标准（Pod Security Standard）](/zh/docs/concepts/security/pod-security-standards/)，
+[Pod 安全标准（Pod Security Standard）](/zh-cn/docs/concepts/security/pod-security-standards/)，
 或者检查安全上的缺陷。
 
 <!--
@@ -231,25 +234,25 @@ now respect network policy.
 -->
 ### 限制网络访问
 
-基于名字空间的[网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+基于名字空间的[网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 允许应用程序作者限制其它名字空间中的哪些 Pod 可以访问自身名字空间内的 Pod 和端口。
 现在已经有许多支持网络策略的
-[Kubernetes 网络驱动](/zh/docs/concepts/cluster-administration/networking/)。
+[Kubernetes 网络驱动](/zh-cn/docs/concepts/cluster-administration/networking/)。
 
 <!--
 Quota and limit ranges can also be used to control whether users may request node ports or
 load-balanced services, which on many clusters can control whether those users applications
 are visible outside of the cluster.
 
-Additional protections may be available that control network rules on a per-plugin or
-per-environment basis, such as per-node firewalls, physically separating cluster nodes to
+Additional protections may be available that control network rules on a per-plugin or per-
+environment basis, such as per-node firewalls, physically separating cluster nodes to
 prevent cross talk, or advanced networking policy.
 -->
 配额（Quota）和限制范围（Limit Range）也可用于控制用户是否可以请求节点端口或负载均衡服务。
 在很多集群上，节点端口和负载均衡服务也可控制用户的应用程序是否在集群之外可见。
 
 此外也可能存在一些基于插件或基于环境的网络规则，能够提供额外的保护能力。
-例如各节点上的防火墙、物理隔离群集节点以防止串扰或者高级的网络策略等。
+例如各节点上的防火墙、物理隔离集群节点以防止串扰或者高级的网络策略等。
 
 <!--
 ### Restricting cloud metadata API access
@@ -265,21 +268,21 @@ to the metadata API, and avoid using provisioning data to deliver secrets.
 -->
 ### 限制云元数据 API 访问
 
-云平台（AWS,  Azure, GCE 等）经常将 metadata 本地服务暴露给实例。
+云平台（AWS、Azure、GCE 等）经常将 metadata 本地服务暴露给实例。
 默认情况下，这些 API 可由运行在实例上的 Pod 访问，并且可以包含
 该云节点的凭据或配置数据（如 kubelet 凭据）。
 这些凭据可以用于在集群内升级或在同一账户下升级到其他云服务。
 
 在云平台上运行 Kubernetes 时，需要限制对实例凭据的权限，使用
-[网络策略](/zh/docs/tasks/administer-cluster/declare-network-policy/)
+[网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)
 限制 Pod 对元数据 API 的访问，并避免使用配置数据来传递机密信息。
 
 <!--
 ### Controlling which nodes pods may access
 
 By default, there are no restrictions on which nodes may run a pod.  Kubernetes offers a
-[rich set of policies for controlling placement of pods onto nodes](/docs/concepts/configuration/assign-pod-node/)
-and the [taint-based pod placement and eviction](/docs/concepts/configuration/taint-and-toleration/)
+[rich set of policies for controlling placement of pods onto nodes](/docs/concepts/scheduling-eviction/assign-pod-node/)
+and the [taint-based pod placement and eviction](/docs/concepts/scheduling-eviction/taint-and-toleration/)
 that are available to end users. For many clusters use of these policies to separate workloads
 can be a convention that authors adopt or enforce via tooling.
 
@@ -291,8 +294,8 @@ alter namespaces, this can strongly limit the placement of all of the pods in a
 
 默认情况下，对 Pod 可以运行在哪些节点上是没有任何限制的。
 Kubernetes 给最终用户提供了
-一组丰富的策略用于[控制 Pod 所放置的节点位置](/zh/docs/concepts/scheduling-eviction/assign-pod-node/)，
-以及[基于污点的 Pod 放置和驱逐](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)。
+一组丰富的策略用于[控制 Pod 所放置的节点位置](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/)，
+以及[基于污点的 Pod 放置和驱逐](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)。
 对于许多集群，使用这些策略来分离工作负载可以作为一种约定，要求作者遵守或者通过工具强制。
 
 对于管理员，Beta 阶段的准入插件 `PodNodeSelector` 可用于强制某名字空间中的 Pod
@@ -334,7 +337,7 @@ access to a subset of the keyspace is strongly recommended.
 
 {{< caution >}}
 允许集群中其它组件对整个主键空间（keyspace）拥有读或写权限去访问 etcd 实例，
-相当于授予这些组件群集管理员的访问权限。
+相当于授予这些组件集群管理员的访问权限。
 对于非主控组件，强烈推荐使用不同的 etcd 实例，或者使用 etcd 的访问控制列表
 来限制这些组件只能读或写主键空间的一个子集。
 {{< /caution >}}
@@ -342,13 +345,13 @@ access to a subset of the keyspace is strongly recommended.
 <!--
 ### Enable audit logging
 
-The [audit logger](/docs/tasks/debug-application-cluster/audit/) is a beta feature that records actions taken by the
+The [audit logger](/docs/tasks/debug/debug-cluster/audit/) is a beta feature that records actions taken by the
 API for later analysis in the event of a compromise. It is recommended to enable audit logging
 and archive the audit file on a secure server.
 -->
 ### 启用审计日志
 
-[审计日志](/zh/docs/tasks/debug-application-cluster/audit/)是 Beta 特性，
+[审计日志](/zh-cn/docs/tasks/debug/debug-cluster/audit/)是 Beta 特性，
 负责记录 API 操作以便在发生破坏时进行事后分析。
 建议启用审计日志，并将审计文件归档到安全服务器上。
 
@@ -373,7 +376,8 @@ The shorter the lifetime of a secret or credential the harder it is for an attac
 use of that credential. Set short lifetimes on certificates and automate their rotation. Use
 an authentication provider that can control how long issued tokens are available and use short
 lifetimes where possible. If you use service-account tokens in external integrations, plan to
-rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap token used for setting up nodes should be revoked or its authorization removed.
+rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap
+token used for setting up nodes should be revoked or its authorization removed.
 -->
 ### 经常轮换基础设施证书
 
@@ -409,7 +413,7 @@ or run with elevated permissions if those service accounts are granted access to
 如果执行 Pod 创建操作的组件能够在 `kube-system` 这类名字空间中创建 Pod，
 则这类组件也可能获得意外的权限，因为这些 Pod 可以访问服务账户的 Secret，
 或者，如果对应服务帐户被授权访问宽松的
-[PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/)，
+[PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/)，
 它们就能以较高的权限运行。
 
 <!--
@@ -417,7 +421,7 @@ If you use [Pod Security admission](/docs/concepts/security/pod-security-admissi
 any component to create Pods within a namespace that permits privileged Pods, those Pods may
 be able to escape their containers and use this widened access to elevate their privileges.
 -->
-如果你使用 [Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)，
+如果你使用 [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)，
 并且允许任何组件在一个允许执行特权 Pod 的名字空间中创建 Pod，这些 Pod
 就可能从所在的容器中逃逸，利用被拓宽的访问权限来实现特权提升。
 
@@ -450,7 +454,7 @@ are not encrypted or an attacker gains read access to etcd.
 你要始终使用经过充分审查的备份和加密方案来加密备份数据，
 并考虑在可能的情况下使用全盘加密。
 
-Kubernetes 支持[静态数据加密](/zh/docs/tasks/administer-cluster/encrypt-data/)。
+Kubernetes 支持[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
 该功能在 1.7 版本引入，并在 1.13 版本成为 Beta。
 它会加密 etcd 里面的 `Secret` 资源，以防止某一方通过查看 etcd 的备份文件查看到这些
 Secret 的内容。虽然目前该功能还只是 Beta 阶段，
@@ -460,12 +464,13 @@ Secret 的内容。虽然目前该功能还只是 Beta 阶段，
 ### Receiving alerts for security updates and reporting vulnerabilities
 
 Join the [kubernetes-announce](https://groups.google.com/forum/#!forum/kubernetes-announce)
-group for emails about security announcements. See the [security reporting](/security/)
+group for emails about security announcements. See the
+[security reporting](/docs/reference/issues-security/security/)
 page for more on how to report vulnerabilities.
 -->
 ### 接收安全更新和报告漏洞的警报
 
 请加入 [kubernetes-announce](https://groups.google.com/forum/#!forum/kubernetes-announce)
 组，这样你就能够收到有关安全公告的邮件。有关如何报告漏洞的更多信息，
-请参见[安全报告](/zh/docs/reference/issues-security/security/)页面。
+请参见[安全报告](/zh-cn/docs/reference/issues-security/security/)页面。
 
diff --git a/content/zh/docs/tasks/administer-cluster/sysctl-cluster.md b/content/zh-cn/docs/tasks/administer-cluster/sysctl-cluster.md
similarity index 99%
rename from content/zh/docs/tasks/administer-cluster/sysctl-cluster.md
rename to content/zh-cn/docs/tasks/administer-cluster/sysctl-cluster.md
index d67101cb85998..11d03ad34a223 100644
--- a/content/zh/docs/tasks/administer-cluster/sysctl-cluster.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/sysctl-cluster.md
@@ -293,7 +293,7 @@ to schedule those pods onto the right nodes.
 设置了 _非安全的_ sysctl 参数的 Pod 在禁用了这两种 _非安全的_ sysctl 参数配置
 的节点上启动都会失败。与 _节点级别的_ sysctl 一样，建议开启
 [污点和容忍度特性](/docs/reference/generated/kubectl/kubectl-commands/#taint) 或
-[为节点配置污点](/zh/docs/concepts/scheduling-eviction/taint-and-toleration/)
+[为节点配置污点](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)
 以便将 Pod 调度到正确的节点之上。
 
 ## PodSecurityPolicy
diff --git a/content/zh/docs/tasks/administer-cluster/topology-manager.md b/content/zh-cn/docs/tasks/administer-cluster/topology-manager.md
similarity index 90%
rename from content/zh/docs/tasks/administer-cluster/topology-manager.md
rename to content/zh-cn/docs/tasks/administer-cluster/topology-manager.md
index 6208fe60d16ea..57f1febdc98c2 100644
--- a/content/zh/docs/tasks/administer-cluster/topology-manager.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/topology-manager.md
@@ -33,7 +33,7 @@ In order to extract the best performance, optimizations related to CPU isolation
 但是，在 Kubernetes 中，这些优化由各自独立的组件集合来处理。
 
 <!--
-_Topology Manager_ is a Kubelet component that aims to co-ordinate the set of components that are responsible for these optimizations.
+_Topology Manager_ is a Kubelet component that aims to coordinate the set of components that are responsible for these optimizations.
 -->
 _拓扑管理器（Topology Manager）_ 是一个 kubelet 的一部分，旨在协调负责这些优化的一组组件。
 
@@ -46,16 +46,16 @@ _拓扑管理器（Topology Manager）_ 是一个 kubelet 的一部分，旨在
 <!--
 ## How Topology Manager Works
 -->
-## 拓扑管理器如何工作
+## 拓扑管理器如何工作 {#how-topology-manager-works}
 
 <!--
 Prior to the introduction of Topology Manager, the CPU and Device Manager in Kubernetes make resource allocation decisions independently of each other.
 This can result in undesirable allocations on multiple-socketed systems, performance/latency sensitive applications will suffer due to these undesirable allocations. 
  Undesirable in this case meaning for example, CPUs and devices being allocated from different NUMA Nodes thus, incurring additional latency.
 -->
-在引入拓扑管理器之前， Kubernetes 中的 CPU 和设备管理器相互独立地做出资源分配决策。
+在引入拓扑管理器之前，Kubernetes 中的 CPU 和设备管理器相互独立地做出资源分配决策。
 这可能会导致在多处理系统上出现并非期望的资源分配；由于这些与期望相左的分配，对性能或延迟敏感的应用将受到影响。
-这里的不符合期望意指，例如， CPU 和设备是从不同的 NUMA 节点分配的，因此会导致额外的延迟。
+这里的不符合期望意指，例如，CPU 和设备是从不同的 NUMA 节点分配的，因此会导致额外的延迟。
 
 <!--
 The Topology Manager is a Kubelet component, which acts as a source of truth so that other Kubelet components can make topology aligned resource allocation choices.
@@ -77,7 +77,7 @@ The hint is then stored in the Topology Manager for use by the *Hint Providers*
 拓扑管理器策略对所提供的建议执行一组操作，并根据策略对提示进行约减以得到最优解；如果存储了与预期不符的建议，则该建议的优选字段将被设置为 false。
 在当前策略中，首选的是最窄的优选掩码。
 所选建议将被存储为拓扑管理器的一部分。
-取决于所配置的策略，所选建议可用来决定节点接受或拒绝 Pod 。
+取决于所配置的策略，所选建议可用来决定节点接受或拒绝 Pod。
 之后，建议会被存储在拓扑管理器中，供 *建议提供者* 进行资源分配决策时使用。
 
 <!--
@@ -85,20 +85,20 @@ The hint is then stored in the Topology Manager for use by the *Hint Providers*
 
 Support for the Topology Manager requires `TopologyManager` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to be enabled. It is enabled by default starting with Kubernetes 1.18.
 -->
-### 启用拓扑管理器功能特性
+### 启用拓扑管理器功能特性 {#enable-the-topology-manager-feature}
 
 对拓扑管理器的支持要求启用 `TopologyManager`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)。
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)。
 从 Kubernetes 1.18 版本开始，这一特性默认是启用的。
 
 <!--
-### Topology Manager Scopes and Policies
+## Topology Manager Scopes and Policies
 
 The Topology Manager currently:
  - Aligns Pods of all QoS classes.
  - Aligns the requested resources that Hint Provider provides topology hints for.
 -->
-### 拓扑管理器作用域和策略
+## 拓扑管理器作用域和策略 {#topology-manager-scopes-and-policies}
 
 拓扑管理器目前：
 - 对所有 QoS 类的 Pod 执行对齐操作
@@ -129,7 +129,7 @@ To align CPU resources with other requested resources in a Pod Spec, the CPU Man
 {{< note >}}
 为了将 Pod 规约中的 CPU 资源与其他请求资源对齐，CPU 管理器需要被启用并且
 节点上应配置了适当的 CPU 管理器策略。
-参看[控制 CPU 管理策略](/zh/docs/tasks/administer-cluster/cpu-management-policies/).
+参看[控制 CPU 管理策略](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/).
 {{< /note >}}
 
 <!--
@@ -137,7 +137,7 @@ To align memory (and hugepages) resources with other requested resources in a Po
 -->
 {{< note >}}
 为了将 Pod 规约中的 memory（和 hugepages）资源与所请求的其他资源对齐，需要启用内存管理器，
-并且在节点配置适当的内存管理器策略。查看[内存管理器](/zh/docs/tasks/administer-cluster/memory-manager/)
+并且在节点配置适当的内存管理器策略。查看[内存管理器](/zh-cn/docs/tasks/administer-cluster/memory-manager/)
 文档。
 {{< /note >}}
 
@@ -151,7 +151,7 @@ The Topology Manager can deal with the alignment of resources in a couple of dis
 
 Either option can be selected at a time of the kubelet startup, with `--topology-manager-scope` flag.
 -->
-### 拓扑管理器作用域
+### 拓扑管理器作用域 {#topology-manager-scopes}
 
 拓扑管理器可以在以下不同的作用域内进行资源对齐：
 
@@ -165,7 +165,7 @@ Either option can be selected at a time of the kubelet startup, with `--topology
 
 The `container` scope is used by default.
 -->
-### 容器作用域
+### 容器作用域 {#container-scope}
 
 默认使用的是 `container` 作用域。
 
@@ -187,7 +187,7 @@ The notion of grouping the containers was endorsed and implemented on purpose in
 
 To select the `pod` scope, start the kubelet with the command line option `--topology-manager-scope=pod`.
 -->
-### Pod 作用域
+### Pod 作用域 {#pod-scope}
 
 使用命令行选项 `--topology-manager-scope=pod` 来启动 kubelet，就可以选择 `pod` 作用域。
 
@@ -213,7 +213,7 @@ The total amount of particular resource demanded for the entire pod is calculate
 for a resource.
 -->
 整个 Pod 所请求的某种资源总量是根据
-[有效 request/limit](/zh/docs/concepts/workloads/pods/init-containers/#resources)
+[有效 request/limit](/zh-cn/docs/concepts/workloads/pods/init-containers/#resources)
 公式来计算的，
 因此，对某一种资源而言，该总量等于以下数值中的最大值：
 * 所有应用容器请求之和；
@@ -250,7 +250,7 @@ To recap, Topology Manager first computes a set of NUMA nodes and then tests it
 <!--
 ### Topology Manager Policies
 -->
-### 拓扑管理器策略
+### 拓扑管理器策略 {#topology-manager-policies}
 
 <!--
 Topology Manager supports four allocation policies. You can set a policy via a Kubelet flag, `--topology-manager-policy`.
@@ -293,7 +293,7 @@ This is the default policy and does not perform any topology alignment.
 <!--
 ### best-effort policy {#policy-best-effort}
 
-For each container in a Guaranteed Pod, kubelet, with `best-effort` topology 
+For each container in a Pod, the kubelet, with `best-effort` topology 
 management policy, calls each Hint Provider to discover their resource availability.
 Using this information, the Topology Manager stores the 
 preferred NUMA Node affinity for that container. If the affinity is not preferred, 
@@ -301,7 +301,7 @@ Topology Manager will store this and admit the pod to the node anyway.
 -->
 ### best-effort 策略 {#policy-best-effort}
 
-对于 Guaranteed 类的 Pod 中的每个容器，具有 `best-effort` 拓扑管理策略的
+对于 Pod 中的每个容器，具有 `best-effort` 拓扑管理策略的
 kubelet 将调用每个建议提供者以确定资源可用性。
 使用此信息，拓扑管理器存储该容器的首选 NUMA 节点亲和性。
 如果亲和性不是首选，则拓扑管理器将存储该亲和性，并且无论如何都将  pod 接纳到该节点。
@@ -315,7 +315,7 @@ resource allocation decision.
 <!--
 ### restricted policy {#policy-restricted}
 
-For each container in a Guaranteed Pod, kubelet, with `restricted` topology 
+For each container in a Pod, the kubelet, with `restricted` topology 
 management policy, calls each Hint Provider to discover their resource availability.
 Using this information, the Topology Manager stores the 
 preferred NUMA Node affinity for that container. If the affinity is not preferred, 
@@ -323,10 +323,10 @@ Topology Manager will reject this pod from the node. This will result in a pod i
 -->
 ### restricted 策略 {#policy-restricted}
 
-对于 Guaranteed 类 Pod 中的每个容器， 配置了 `restricted` 拓扑管理策略的 kubelet
-调用每个建议提供者以确定其资源可用性。。
+对于 Pod 中的每个容器，配置了 `restricted` 拓扑管理策略的 kubelet
+调用每个建议提供者以确定其资源可用性。
 使用此信息，拓扑管理器存储该容器的首选 NUMA 节点亲和性。
-如果亲和性不是首选，则拓扑管理器将从节点中拒绝此 Pod 。
+如果亲和性不是首选，则拓扑管理器将从节点中拒绝此 Pod。
 这将导致 Pod 处于 `Terminated` 状态，且 Pod 无法被节点接纳。
 
 <!--
@@ -346,7 +346,7 @@ resource allocation decision.
 <!--
 ### single-numa-node policy {#policy-single-numa-node}
 
-For each container in a Guaranteed Pod, kubelet, with `single-numa-node` topology 
+For each container in a Pod, the kubelet, with `single-numa-node` topology 
 management policy, calls each Hint Provider to discover their resource availability.
 Using this information, the Topology Manager determines if a single NUMA Node affinity is possible.
 If it is, Topology Manager will store this and the *Hint Providers* can then use this information when making the 
@@ -355,7 +355,7 @@ If, however, this is not possible then the Topology Manager will reject the pod
 -->
 ### single-numa-node 策略 {#policy-single-numa-node}
 
-对于 Guaranteed 类 Pod 中的每个容器， 配置了 `single-numa-nodde` 拓扑管理策略的
+对于 Pod 中的每个容器，配置了 `single-numa-nodde` 拓扑管理策略的
 kubelet 调用每个建议提供者以确定其资源可用性。
 使用此信息，拓扑管理器确定单 NUMA 节点亲和性是否可能。
 如果是这样，则拓扑管理器将存储此信息，然后 *建议提供者* 可以在做出资源分配决定时使用此信息。
@@ -375,7 +375,7 @@ An external control loop could be also implemented to trigger a redeployment of
 
 Consider the containers in the following pod specs:
 -->
-### Pod 与拓扑管理器策略的交互
+### Pod 与拓扑管理器策略的交互 {#pod-interactions-with-topology-manager-policies}
 
 考虑以下 pod 规范中的容器：
 
@@ -410,7 +410,7 @@ This pod runs in the `Burstable` QoS class because requests are less than limits
 由于 requests 数少于 limits，因此该 Pod 以 `Burstable` QoS 类运行。
 
 <!--
-If the selected policy is anything other than `none`, Topology Manager would consider these Pod specifications. The Topology Manager would consult the Hint Providers to get topology hints. In the case of the `static`, the CPU Manager policy would return default topology hint, because these Pods do not have explicity request CPU resources.
+If the selected policy is anything other than `none`, Topology Manager would consider these Pod specifications. The Topology Manager would consult the Hint Providers to get topology hints. In the case of the `static`, the CPU Manager policy would return default topology hint, because these Pods do not have explicitly request CPU resources.
 -->
 如果选择的策略是 `none` 以外的任何其他策略，拓扑管理器都会评估这些 Pod 的规范。
 拓扑管理器会咨询建议提供者，获得拓扑建议。
@@ -434,8 +434,7 @@ spec:
 ```
 
 <!--
-This pod with integer CPU request runs in the `Guaranteed` QoS class because
-`requests` are equal to `limits`.
+This pod with integer CPU request runs in the `Guaranteed` QoS class because `requests` are equal to `limits`.
 -->
 此 Pod 以 `Guaranteed` QoS 类运行，因为其 `requests` 值等于 `limits` 值。
 
@@ -459,12 +458,12 @@ This pod runs in the `BestEffort` QoS class because there are no CPU and memory
 因为未指定 CPU 和内存请求，所以 Pod 以 `BestEffort` QoS 类运行。
 
 <!--
-The Topology Manager would consider both of the above pods. The Topology Manager would consult the Hint Providers, which are CPU and Device Manager to get topology hints for the pods. 
+The Topology Manager would consider the above pods. The Topology Manager would consult the Hint Providers, which are CPU and Device Manager to get topology hints for the pods. 
 
-In the case of the `Guaranteed` pod with integer request, the `static` CPU Manager policy would return hints relating to the CPU request and the Device Manager would send back hints for the requested device.
+In the case of the `Guaranteed` pod with integer CPU request, the `static` CPU Manager policy would return topology hints relating to the exclusive CPU and the Device Manager would send back hints for the requested device.
 -->
 拓扑管理器将考虑以上两个 Pod。拓扑管理器将咨询建议提供者即 CPU 和设备管理器，以获取 Pod 的拓扑提示。
-对于 `Guaranteed` 类的 CPU 请求数为整数的 Pod，`static` CPU 管理器策略将返回与 CPU 请求有关的提示，
+对于 `Guaranteed` 类的 CPU 请求数为整数的 Pod，`static` CPU 管理器策略将返回独占 CPU 相关的拓扑提示，
 而设备管理器将返回有关所请求设备的提示。
 
 <!--
@@ -497,7 +496,7 @@ Using this information the Topology Manager calculates the optimal hint for the
 
 2. The scheduler is not topology-aware, so it is possible to be scheduled on a node and then fail on the node due to the Topology Manager.
 -->
-### 已知的局限性
+### 已知的局限性 {#known-limitations}
 
 1. 拓扑管理器所能处理的最大 NUMA 节点个数是 8。若 NUMA 节点数超过 8，
    枚举可能的 NUMA 亲和性并为之生成提示时会发生状态爆炸。
diff --git a/content/zh/docs/tasks/administer-cluster/use-cascading-deletion.md b/content/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion.md
similarity index 93%
rename from content/zh/docs/tasks/administer-cluster/use-cascading-deletion.md
rename to content/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion.md
index 6bf5e1eeaa8b8..22d0dd800e054 100644
--- a/content/zh/docs/tasks/administer-cluster/use-cascading-deletion.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion.md
@@ -16,7 +16,7 @@ This page shows you how to specify the type of
 to use in your cluster during {{<glossary_tooltip text="garbage collection" term_id="garbage-collection">}}.
 -->
 本页面向你展示如何设置在你的集群执行{{<glossary_tooltip text="垃圾收集" term_id="garbage-collection">}}
-时要使用的[级联删除](/zh/docs/concepts/architecture/garbage-collection/#cascading-deletion)
+时要使用的[级联删除](/zh-cn/docs/concepts/architecture/garbage-collection/#cascading-deletion)
 类型。
 
 ## {{% heading "prerequisites" %}}
@@ -28,7 +28,7 @@ You also need to [create a sample Deployment](/docs/tasks/run-application/run-st
 to experiment with the different types of cascading deletion. You will need to
 recreate the Deployment for each type.
 -->
-你还需要[创建一个 Deployment 示例](/zh/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment)
+你还需要[创建一个 Deployment 示例](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment)
 以试验不同类型的级联删除。你需要为每种级联删除类型来重建 Deployment。
 
 <!--
@@ -72,7 +72,7 @@ version your cluster runs. {{<version-check>}}
 -->
 ## 使用前台级联删除    {#use-foreground-cascading-deletion}
 
-默认情况下，Kubernetes 使用[后台级联删除](/zh/docs/concepts/architecture/garbage-collection/#background-deletion)
+默认情况下，Kubernetes 使用[后台级联删除](/zh-cn/docs/concepts/architecture/garbage-collection/#background-deletion)
 以删除依赖某对象的其他对象。取决于你的集群所运行的 Kubernetes 版本，
 你可以使用 `kubectl` 或者 Kubernetes API 来切换到前台级联删除。
 {{<version-check>}}
@@ -160,7 +160,7 @@ For details, read the [documentation for your Kubernetes version](/docs/home/sup
 -->
 你可以通过调用 Kubernetes API 来基于前台级联删除模式删除对象。
 
-进一步的细节，可阅读[特定于你的 Kubernetes 版本的文档](/zh/docs/home/supported-doc-versions)。
+进一步的细节，可阅读[特定于你的 Kubernetes 版本的文档](/zh-cn/docs/home/supported-doc-versions)。
 
 <!--
 1. Start a local proxy session:
@@ -217,7 +217,7 @@ For details, read the [documentation for your Kubernetes version](/docs/home/sup
 1. Use either `kubectl` or the Kubernetes API to delete the Deployment,
    depending on the Kubernetes version your cluster runs. {{<version-check>}}
 -->
-1. [创建一个 Deployment 示例](/zh/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment)。
+1. [创建一个 Deployment 示例](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment)。
 1. 基于你的集群所运行的 Kubernetes 版本，使用 `kubectl` 或者 Kubernetes API 来删除 Deployment。
    {{<version-check>}}
 
@@ -306,7 +306,7 @@ Kubernetes 默认采用后台级联删除方式，如果你在运行下面的命
 <!--
 For details, read the [documentation for your Kubernetes version](/docs/home/supported-doc-versions/).
 -->
-进一步的细节，可阅读[特定于你的 Kubernetes 版本的文档](/zh/docs/home/supported-doc-versions)。
+进一步的细节，可阅读[特定于你的 Kubernetes 版本的文档](/zh-cn/docs/home/supported-doc-versions)。
 
 <!--
 **Using kubectl**
@@ -449,7 +449,7 @@ kubectl delete deployment nginx-deployment --cascade=orphan
 <!--
 For details, read the [documentation for your Kubernetes version](/docs/home/supported-doc-versions/).
 -->
-进一步的细节，可阅读[特定于你的 Kubernetes 版本的文档](/zh/docs/home/supported-doc-versions)。
+进一步的细节，可阅读[特定于你的 Kubernetes 版本的文档](/zh-cn/docs/home/supported-doc-versions)。
 
 <!--
 **Using kubectl**
@@ -527,7 +527,7 @@ kubectl get pods -l app=nginx
 * Learn about Kubernetes [finalizers](/docs/concepts/overview/working-with-objects/finalizers/).
 * Learn about [garbage collection](/docs/concepts/workloads/controllers/garbage-collection/).
 -->
-* 了解 Kubernetes 中的[属主与依赖](/zh/docs/concepts/overview/working-with-objects/owners-dependents/)
-* 了解 Kubernetes [finalizers](/zh/docs/concepts/overview/working-with-objects/finalizers/)
-* 了解[垃圾收集](/zh/docs/concepts/architecture/garbage-collection/).
+* 了解 Kubernetes 中的[属主与依赖](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)
+* 了解 Kubernetes [finalizers](/zh-cn/docs/concepts/overview/working-with-objects/finalizers/)
+* 了解[垃圾收集](/zh-cn/docs/concepts/architecture/garbage-collection/).
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/verify-signed-images.md b/content/zh-cn/docs/tasks/administer-cluster/verify-signed-images.md
new file mode 100644
index 0000000000000..4fd9736b55f3c
--- /dev/null
+++ b/content/zh-cn/docs/tasks/administer-cluster/verify-signed-images.md
@@ -0,0 +1,120 @@
+---
+title: 验证已签名容器镜像
+content_type: task
+min-kubernetes-server-version: v1.24
+---
+<!--
+title: Verify Signed Container Images
+content_type: task
+min-kubernetes-server-version: v1.24
+-->
+
+<!-- overview -->
+
+{{< feature-state state="alpha" for_k8s_version="v1.24" >}}
+
+## {{% heading "prerequisites" %}}
+
+<!--
+These instructions are for Kubernetes {{< skew currentVersion >}}. If you want
+to check the integrity of components for a different version of Kubernetes,
+check the documentation for that Kubernetes release.
+
+You will need to have the following tools installed:
+
+- `cosign` ([install guide](https://docs.sigstore.dev/cosign/installation/))
+- `curl` (often provided by your operating system)
+-->
+这些说明适用于 Kubernetes {{< skew currentVersion >}}。如果你想要检查其他版本的 Kubernetes 组件的完整性，
+请查看对应 Kubernetes 版本的文档。
+
+你需要安装以下工具:
+
+- `cosign` ([安装指南](https://docs.sigstore.dev/cosign/installation/))
+- `curl` (通常由你的操作系统提供)
+
+<!--
+## Verifying image signatures
+
+For a complete list of images that are signed please refer
+to [Releases](/releases/download/).
+
+Let's pick one image from this list and verify its signature using
+the `cosign verify` command:
+-->
+## 验证镜像签名 {#verifying-image-signatures}
+
+完整的镜像签名列表请参见[发行版本](/releases/download/)。
+
+我们从这个列表中选择一个镜像，并使用 `cosign verify` 命令来验证它的签名：
+
+```shell
+COSIGN_EXPERIMENTAL=1 cosign verify k8s.gcr.io/kube-apiserver-amd64:v1.24.0
+```
+
+{{< note >}}
+<!--
+`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
+in `KEYLESS` mode. To learn more about keyless signing, please refer to
+[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
+-->
+`COSIGN_EXPERIMENTAL=1` 用于对以 `KEYLESS` 模式签名的镜像进行验证。想要进一步了解 `KEYLESS`，请参考
+[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)。
+{{< /note >}}
+
+<!--
+### Verifying images for all control plane components
+
+To verify all signed control plane images, please run this command:
+-->
+### 验证所有控制平面组件镜像  {#verifying-images-for-all-control-plane-components}
+
+验证所有已签名的控制平面组件镜像，请运行以下命令：
+
+```shell
+curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: k8s.gcr.io/' | awk '{print $2}' > images.txt
+input=images.txt
+while IFS= read -r image
+do
+  COSIGN_EXPERIMENTAL=1 cosign verify "$image"
+done < "$input"
+```
+
+<!--
+Once you have verified an image, specify that image by its digest in your Pod
+manifests as per this
+example: `registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`.
+
+For more information, please refer
+to [Image Pull Policy](/docs/concepts/containers/images/#image-pull-policy)
+section.
+-->
+当你完成某个镜像的验证时，可以在你的 Pod 清单通过摘要值来指定该镜像，例如：
+`registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`。
+
+要了解更多信息，请参考[镜像拉取策略](/zh-cn/docs/concepts/containers/images/#image-pull-policy)章节。
+
+<!--
+## Verifying Image Signatures with Admission Controller
+
+For non-control plane images (
+e.g. [conformance image](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md))
+, signatures can also be verified at deploy time using
+[cosigned](https://docs.sigstore.dev/cosign/kubernetes/#cosigned-admission-controller)
+admission controller. To get started with `cosigned` here are a few helpful
+resources:
+
+* [Installation](https://github.com/sigstore/helm-charts/tree/main/charts/cosigned)
+* [Configuration Options](https://github.com/sigstore/cosign/tree/main/config)
+-->
+## 使用准入控制器验证镜像签名   {#verifying-image-signatures-with-admission-controller}
+
+有一些非控制平面镜像
+（例如 [conformance 镜像](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md)），
+也可以在部署时使用
+[cosigned](https://docs.sigstore.dev/cosign/kubernetes/#cosigned-admission-controller)
+控制器验证其签名。如要使用 `cosigned`，下面是一些有帮助的资源：
+
+* [安装](https://github.com/sigstore/helm-charts/tree/main/charts/cosigned)
+* [配置选项](https://github.com/sigstore/cosign/tree/main/config)
+
diff --git a/content/zh/docs/tasks/configmap-secret/_index.md b/content/zh-cn/docs/tasks/configmap-secret/_index.md
similarity index 100%
rename from content/zh/docs/tasks/configmap-secret/_index.md
rename to content/zh-cn/docs/tasks/configmap-secret/_index.md
diff --git a/content/zh/docs/tasks/configmap-secret/managing-secret-using-config-file.md b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md
similarity index 94%
rename from content/zh/docs/tasks/configmap-secret/managing-secret-using-config-file.md
rename to content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md
index 7e155136edae2..7b796ebf90dba 100644
--- a/content/zh/docs/tasks/configmap-secret/managing-secret-using-config-file.md
+++ b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md
@@ -86,7 +86,7 @@ data:
 Note that the name of a Secret object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names). 
 -->
-注意，Secret 对象的名称必须是有效的 [DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names). 
+注意，Secret 对象的名称必须是有效的 [DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names). 
 
 {{< note >}}
 <!--  
@@ -204,7 +204,7 @@ To check the actual content of the encoded data, please refer to
 -->
 命令 `kubectl get` 和 `kubectl describe` 默认不显示 `Secret` 的内容。
 这是为了防止 `Secret` 意外地暴露给旁观者或者保存在终端日志中。
-检查编码数据的实际内容，请参考[解码 secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret).
+检查编码数据的实际内容，请参考[解码 secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret).
 
 <!-- 
 If a field, such as `username`, is specified in both `data` and `stringData`,
@@ -262,7 +262,7 @@ kubectl delete secret mysecret
 - Learn how to [manage Secrets with the `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
 - Learn how to [manage Secrets using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
 -->
-- 进一步阅读 [Secret 概念](/zh/docs/concepts/configuration/secret/)
-- 了解如何[使用 `kubectl` 命令管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
-- 了解如何[使用 kustomize 管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
+- 进一步阅读 [Secret 概念](/zh-cn/docs/concepts/configuration/secret/)
+- 了解如何[使用 `kubectl` 命令管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
+- 了解如何[使用 kustomize 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
 
diff --git a/content/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl.md b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl.md
similarity index 95%
rename from content/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl.md
rename to content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl.md
index 86d0c9266b1e7..2dcf7ad266b33 100644
--- a/content/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl.md
+++ b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl.md
@@ -232,6 +232,6 @@ kubectl delete secret db-user-pass
 - Learn how to [manage Secrets using config files](/docs/tasks/configmap-secret/managing-secret-using-config-file/)
 - Learn how to [manage Secrets using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
 -->
-- 进一步阅读 [Secret 概念](/zh/docs/concepts/configuration/secret/)
-- 了解如何[使用配置文件管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-config-file/)
-- 了解如何[使用 kustomize 管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
+- 进一步阅读 [Secret 概念](/zh-cn/docs/concepts/configuration/secret/)
+- 了解如何[使用配置文件管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/)
+- 了解如何[使用 kustomize 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
diff --git a/content/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize.md b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize.md
similarity index 91%
rename from content/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize.md
rename to content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize.md
index de6967d438573..a6e6341e79b53 100644
--- a/content/zh/docs/tasks/configmap-secret/managing-secret-using-kustomize.md
+++ b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize.md
@@ -21,7 +21,7 @@ Kustomize generators should be specified in a `kustomization.yaml` file inside
 a directory. After generating the Secret, you can create the Secret on the API
 server with `kubectl apply`.
 -->
-从 kubernetes v1.14 开始，`kubectl` 支持[使用 Kustomize 管理对象](/zh/docs/tasks/manage-kubernetes-objects/kustomization/)。
+从 kubernetes v1.14 开始，`kubectl` 支持[使用 Kustomize 管理对象](/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/)。
 Kustomize 提供了资源生成器（Generators）来创建 Secret 和 ConfigMap。
 Kustomize 生成器应该在某个目录的 `kustomization.yaml` 文件中指定。
 生成 Secret 后，你可以使用 `kubectl apply` 在 API 服务器上创建该 Secret。
@@ -165,7 +165,7 @@ To check the actual content of the encoded data, please refer to
 -->
 `kubectl get` 和 `kubectl describe` 命令默认不显示 `Secret` 的内容。
 这是为了防止 `Secret` 被意外暴露给旁观者或存储在终端日志中。
-检查编码后的实际内容，请参考[解码 secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)。 
+检查编码后的实际内容，请参考[解码 secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)。 
 -->
 
 
@@ -187,6 +187,6 @@ kubectl delete secret db-user-pass-96mffmfh4k
 - Learn how to [manage Secrets with the `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
 - Learn how to [manage Secrets using config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) 
 -->
-- 进一步阅读 [Secret 概念](/zh/docs/concepts/configuration/secret/)
-- 了解如何[使用 `kubectl` 命令管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
-- 了解如何[使用配置文件管理 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-config-file/)
+- 进一步阅读 [Secret 概念](/zh-cn/docs/concepts/configuration/secret/)
+- 了解如何[使用 `kubectl` 命令管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
+- 了解如何[使用配置文件管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/)
diff --git a/content/zh/docs/tasks/configure-pod-container/_index.md b/content/zh-cn/docs/tasks/configure-pod-container/_index.md
similarity index 100%
rename from content/zh/docs/tasks/configure-pod-container/_index.md
rename to content/zh-cn/docs/tasks/configure-pod-container/_index.md
diff --git a/content/zh/docs/tasks/configure-pod-container/assign-cpu-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
similarity index 93%
rename from content/zh/docs/tasks/configure-pod-container/assign-cpu-resource.md
rename to content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
index df1636c8dd7fe..e574f993c28f5 100644
--- a/content/zh/docs/tasks/configure-pod-container/assign-cpu-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
@@ -412,8 +412,8 @@ kubectl delete namespace cpu-example
 -->
 ### 针对应用开发者
 
-* [将内存资源分配给容器和 Pod](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [配置 Pod 服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [将内存资源分配给容器和 Pod](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [配置 Pod 服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
 <!-- 
 ### For cluster administrators
@@ -429,11 +429,11 @@ kubectl delete namespace cpu-example
 -->
 ### 针对集群管理员
 
-* [配置名称空间的默认内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为名字空间配置默认 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
-* [为名字空间配置最小和最大内存限制](/zh/docs/tasks/administer-cluster//manage-resources/memory-constraint-namespace/)
-* [为名字空间配置最小和最大 CPU 约束](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为名字空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为名字空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [配置 API 对象的配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [配置名称空间的默认内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为名字空间配置默认 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+* [为名字空间配置最小和最大内存限制](/zh-cn/docs/tasks/administer-cluster//manage-resources/memory-constraint-namespace/)
+* [为名字空间配置最小和最大 CPU 约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为名字空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为名字空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [配置 API 对象的配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
diff --git a/content/zh/docs/tasks/configure-pod-container/assign-memory-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md
similarity index 90%
rename from content/zh/docs/tasks/configure-pod-container/assign-memory-resource.md
rename to content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md
index d8a9d37b03589..6aa46f560ea1d 100644
--- a/content/zh/docs/tasks/configure-pod-container/assign-memory-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource.md
@@ -78,7 +78,7 @@ v1beta1.metrics.k8s.io
 Create a namespace so that the resources you create in this exercise are
 isolated from the rest of your cluster.
 -->
-## 创建命名空间
+## 创建命名空间    {#create-a-namespace}
 
 创建一个命名空间，以便将本练习中创建的资源与集群的其余部分隔离。
 
@@ -96,7 +96,7 @@ In this exercise, you create a Pod that has one Container. The Container has a m
 request of 100 MiB and a memory limit of 200 MiB. Here's the configuration file
 for the Pod:
 -->
-## 指定内存请求和限制
+## 指定内存请求和限制    {#specify-a-memory-request-and-a-memory-limit}
 
 要为容器指定内存请求，请在容器资源清单中包含 `resources：requests` 字段。
 同理，要指定内存限制，请包含 `resources：limits`。
@@ -196,7 +196,7 @@ its limit, the Container becomes a candidate for termination. If the Container c
 consume memory beyond its limit, the Container is terminated. If a terminated Container can be
 restarted, the kubelet restarts it, as with any other type of runtime failure.
 -->
-## 超过容器限制的内存
+## 超过容器限制的内存    {#exceed-a-container-s-memory-limit}
 
 当节点拥有足够的可用内存时，容器可以使用其请求的内存。
 但是，容器不允许使用超过其限制的内存。
@@ -260,7 +260,7 @@ The output shows that the Container was killed because it is out of memory (OOM)
 -->
 输出结果显示：由于内存溢出（OOM），容器已被杀掉：
 
-```shell
+```yaml
 lastState:
    terminated:
      containerID: 65183c1877aaec2e8427bc95609cc52677a454b56fcb24340dbd22917c23b10f
@@ -352,7 +352,7 @@ of a Pod as having a memory request and limit. The memory request for the Pod is
 sum of the memory requests for all the Containers in the Pod. Likewise, the memory
 limit for the Pod is the sum of the limits of all the Containers in the Pod.
 -->
-## 超过整个节点容量的内存
+## 超过整个节点容量的内存    {#specify-a-memory-request-that-is-too-big-for-your-nodes}
 
 内存请求和限制是与容器关联的，但将 Pod 视为具有内存请求和限制，也是很有用的。
 Pod 的内存请求是 Pod 中所有容器的内存请求之和。
@@ -419,7 +419,7 @@ The output shows that the Container cannot be scheduled because of insufficient
 -->
 输出结果显示：由于节点内存不足，该容器无法被调度：
 
-```shell
+```
 Events:
   ...  Reason            Message
        ------            -------
@@ -433,14 +433,14 @@ The memory resource is measured in bytes. You can express memory as a plain inte
 fixed-point integer with one of these suffixes: E, P, T, G, M, K, Ei, Pi, Ti, Gi, Mi, Ki.
 For example, the following represent approximately the same value:
 -->
-## 内存单位
+## 内存单位    {#memory-units}
 
 内存资源的基本单位是字节（byte）。你可以使用这些后缀之一，将内存表示为
 纯整数或定点整数：E、P、T、G、M、K、Ei、Pi、Ti、Gi、Mi、Ki。
 例如，下面是一些近似相同的值：
 
-```shell
-128974848, 129e6, 129M , 123Mi
+```
+128974848, 129e6, 129M, 123Mi
 ```
 
 <!--
@@ -457,7 +457,7 @@ kubectl delete pod memory-demo-3 --namespace=mem-example
 
 If you do not specify a memory limit for a Container, one of the following situations applies:
 -->
-## 如果你没有指定内存限制
+## 如果你没有指定内存限制    {#if-you-do-not-specify-a-memory-limit}
 
 如果你没有为一个容器指定内存限制，则自动遵循以下情况之一：
 
@@ -486,7 +486,7 @@ cluster, you can make efficient use of the memory resources available on your cl
 Nodes. By keeping a Pod's memory request low, you give the Pod a good chance of being
 scheduled. By having a memory limit that is greater than the memory request, you accomplish two things:
 -->
-## 内存请求和限制的目的
+## 内存请求和限制的目的    {#motivation-for-memory-requests-and-limits}
 
 通过为集群中运行的容器配置内存请求和限制，你可以有效利用集群节点上可用的内存资源。
 通过将 Pod 的内存请求保持在较低水平，你可以更好地安排 Pod 调度。
@@ -504,7 +504,7 @@ scheduled. By having a memory limit that is greater than the memory request, you
 
 Delete your namespace. This deletes all the Pods that you created for this task:
 -->
-## 清理
+## 清理    {#clean-up}
 
 删除命名空间。下面的命令会删除你根据这个任务创建的所有 Pod：
 
@@ -521,11 +521,11 @@ kubectl delete namespace mem-example
 
 * [Configure Quality of Service for Pods](/docs/tasks/configure-pod-container/quality-service-pod/)
 -->
-### 应用开发者扩展阅读
+### 应用开发者扩展阅读    {#for-app-developers}
 
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
 
-* [配置 Pod 的服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
+* [配置 Pod 的服务质量](/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/)
 
 
 <!--
@@ -545,13 +545,13 @@ kubectl delete namespace mem-example
 
 * [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
 -->
-### 集群管理员扩展阅读
+### 集群管理员扩展阅读    {#for-cluster-administrators}
 
-* [为命名空间配置默认的内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置默认的 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
-* [配置命名空间的最小和最大内存约束](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [配置命名空间的最小和最大 CPU 约束](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [配置命名空间下 Pod 总数](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [配置 API 对象配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [为命名空间配置默认的内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置默认的 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+* [配置命名空间的最小和最大内存约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [配置命名空间的最小和最大 CPU 约束](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [配置命名空间下 Pod 总数](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [配置 API 对象配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
diff --git a/content/zh/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
similarity index 98%
rename from content/zh/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
rename to content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
index 159468a06ba2a..856286b1ea35d 100644
--- a/content/zh/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
@@ -183,4 +183,4 @@ Learn more about
 [Node Affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
 -->
 进一步了解
-[节点亲和性](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
+[节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
diff --git a/content/zh/docs/tasks/configure-pod-container/assign-pods-nodes.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md
similarity index 97%
rename from content/zh/docs/tasks/configure-pod-container/assign-pods-nodes.md
rename to content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md
index 5ad4f62c28646..a05e0a4dc21af 100644
--- a/content/zh/docs/tasks/configure-pod-container/assign-pods-nodes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md
@@ -134,5 +134,5 @@ a `disktype=ssd` label.
 Learn more about
 [labels and selectors](/docs/concepts/overview/working-with-objects/labels/).
 -->
-进一步了解[标签和选择器](/zh/docs/concepts/overview/working-with-objects/labels/)
+进一步了解[标签和选择器](/zh-cn/docs/concepts/overview/working-with-objects/labels/)
 
diff --git a/content/zh/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md b/content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
similarity index 95%
rename from content/zh/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
rename to content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
index 41f3a64f3be2a..45e6082a2b90c 100644
--- a/content/zh/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
@@ -126,7 +126,7 @@ unless the Pod's grace period expires. For more details, see
 -->
 Kubernetes 在容器结束前立即发送 preStop 事件。除非 Pod 宽限期限超时，Kubernetes 的容器管理逻辑
 会一直阻塞等待 preStop 处理函数执行完毕。更多的相关细节，可以参阅
-[Pods 的结束](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
+[Pods 的结束](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
 
 <!--
 Kubernetes only sends the preStop event when a Pod is *terminated*.
@@ -146,8 +146,8 @@ preStop 的事件处理逻辑不会被触发。这个限制在
 * Learn more about [Container lifecycle hooks](/docs/concepts/containers/container-lifecycle-hooks/).
 * Learn more about the [lifecycle of a Pod](/docs/concepts/workloads/pods/pod-lifecycle/).
 -->
-* 进一步了解[容器生命周期回调](/zh/docs/concepts/containers/container-lifecycle-hooks/)。
-* 进一步了解[Pod 的生命周期](/zh/docs/concepts/workloads/pods/pod-lifecycle/)。
+* 进一步了解[容器生命周期回调](/zh-cn/docs/concepts/containers/container-lifecycle-hooks/)。
+* 进一步了解[Pod 的生命周期](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/)。
 
 <!--
 ### Reference
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-gmsa.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md
similarity index 85%
rename from content/zh/docs/tasks/configure-pod-container/configure-gmsa.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md
index 54da4825022c8..cddd497ff6e0e 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-gmsa.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md
@@ -22,13 +22,12 @@ This page shows how to configure [Group Managed Service Accounts](https://docs.m
 服务器将管理操作委派给其他管理员等能力。
 
 <!--
-In Kubernetes, GMSA credential specs are configured at a Kubernetes cluster-wide scope as Custom Resources. Windows Pods, as well as individual containers within a Pod, can be configured to use a GMSA for domain based functions (e.g. Kerberos authentication) when interacting with other Windows services. As of v1.16, the Docker runtime supports GMSA for Windows workloads.
+In Kubernetes, GMSA credential specs are configured at a Kubernetes cluster-wide scope as Custom Resources. Windows Pods, as well as individual containers within a Pod, can be configured to use a GMSA for domain based functions (e.g. Kerberos authentication) when interacting with other Windows services.
 -->
 在 Kubernetes 环境中，GMSA 凭据规约配置为 Kubernetes 集群范围的自定义资源
 （Custom Resources）形式。Windows Pod 以及各 Pod 中的每个容器可以配置为
 使用 GMSA 来完成基于域（Domain）的操作（例如，Kerberos 身份认证），以便
-与其他 Windows 服务相交互。自 Kubernetes 1.16 版本起，Docker 运行时为
-Windows 负载支持 GMSA。
+与其他 Windows 服务相交互。
 
 ## {{% heading "prerequisites" %}}
 
@@ -48,7 +47,7 @@ Next, install the CRD with `kubectl apply -f gmsa-crd.yaml`
 ### 安装 GMSACredentialSpec CRD
 
 你需要在集群上配置一个用于 GMSA 凭据规约资源的
-[CustomResourceDefinition](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)(CRD)，
+[CustomResourceDefinition](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)(CRD)，
 以便定义类型为 `GMSACredentialSpec` 的自定义资源。
 首先下载 GMSA CRD [YAML](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-crd.yml)
 并将其保存为 `gmsa-crd.yaml`。接下来执行 `kubectl apply -f gmsa-crd.yaml`
@@ -190,7 +189,7 @@ credspec:
 下面的 YAML 配置描述的是一个名为 `gmsa-WebApp1` 的 GMSA 凭据规约：
 
 ```yaml
-apiVersion: windows.k8s.io/v1alpha1
+apiVersion: windows.k8s.io/v1
 kind: GMSACredentialSpec
 metadata:
   name: gmsa-WebApp1  # 这是随意起的一个名字，将用作引用
@@ -381,85 +380,24 @@ As Pod specs with GMSA fields populated (as described above) are applied in a cl
 1. 容器运行时为每个 Windows 容器配置所指定的 GMSA 凭据规约，这样容器就可以以
    活动目录中该 GMSA 所代表的身份来执行操作，使用该身份来访问域中的服务。
 
+## 使用主机名或 FQDN 对网络共享进行身份验证 
 <!--
-## Containerd 
-
-On Windows Server 2019, in order to use GMSA with containerd, you must be running OS Build 17763.1817 (or later) which can be installed using the patch [KB5000822](https://support.microsoft.com/en-us/topic/march-9-2021-kb5000822-os-build-17763-1817-2eb6197f-e3b1-4f42-ab51-84345e063564). 
-
-There is also a known issue with containerd that occurs when trying to connect to SMB shares from Pods. Once you have configured GMSA, the pod will be unable to connect to the share using the hostname or FQDN, but connecting to the share using an IP address works as expected. 
+If you are experiencing issues connecting to SMB shares from Pods using hostname or FQDN, but are able to access the shares via their IPv4 address then make sure the following registry key is set on the Windows nodes.
 -->
-## Containerd
-在 Windows Server 2019 上对 containerd 使用 GMSA，需要使用 Build 17763.1817（或更新的版本）， 
-你可以安装补丁 [KB5000822](https://support.microsoft.com/en-us/topic/march-9-2021-kb5000822-os-build-17763-1817-2eb6197f-e3b1-4f42-ab51-84345e063564)。
+如果你在使用主机名或 FQDN 从 Pod 连接到 SMB 共享时遇到问题，但能够通过其 IPv4 地址访问共享，
+请确保在 Windows 节点上设置了以下注册表项。
 
-containerd 场景从 Pod 连接 SMB 共享的时候有一个已知问题： 
-配置了 GMSA 以后，无法通过主机名或者 FQDN 访问 SMB共享，但是通过 IP 地址访问没有问题。
-
-```PowerShell
-ping adserver.ad.local
+```cmd
+reg add "HKLM\SYSTEM\CurrentControlSet\Services\hns\State" /v EnableCompartmentNamespace /t REG_DWORD /d 1
 ```
 
 <!--
-and correctly resolves the hostname to an IPv4 address. The output is similar to:
+Running Pods will then need to be recreated to pick up the behavior changes.
+More information on how this registry key is used can be found [here](
+https://github.com/microsoft/hcsshim/blob/885f896c5a8548ca36c88c4b87fd2208c8d16543/internal/uvm/create.go#L74-L83)
 -->
-
-主机名可以被解析为 IPv4 地址，输出类似如下所示：
-
-```
-Pinging adserver.ad.local [192.168.111.18] with 32 bytes of data:
-Reply from 192.168.111.18: bytes=32 time=6ms TTL=124
-Reply from 192.168.111.18: bytes=32 time=5ms TTL=124
-Reply from 192.168.111.18: bytes=32 time=5ms TTL=124
-Reply from 192.168.111.18: bytes=32 time=5ms TTL=124
-```
-
-<!--
-However, when attempting to browse the directory using the hostname
--->
-但是，当尝试使用主机名浏览目录时:
-
-```PowerShell
-cd \\adserver.ad.local\test
-```
-
-<!--
-you see an error that implies the target share doesn't exist:
--->
-你会看到一个错误，提示目标共享不存在:
-
-```
-cd : Cannot find path '\\adserver.ad.local\test' because it does not exist.
-At line:1 char:1
-+ cd \\adserver.ad.local\test
-+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    + CategoryInfo          : ObjectNotFound: (\\adserver.ad.local\test:String) [Set-Location], ItemNotFoundException
-    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
-```
-
-<!--
-but you notice that the error disappears if you browse to the share using its IPv4 address instead; for example:
--->
-但是你会注意到，如果你改为使用其 IPv4 地址浏览共享，错误就会消失；例如：
-
-```PowerShell
-cd \\192.168.111.18\test
-```
-
-<!--
-After you change into a directory within the share, you see a prompt similar to:
--->
-切换到共享中的目录后，你会看到类似于以下内容的提示：
-
-```
-Microsoft.PowerShell.Core\FileSystem::\\192.168.111.18\test>
-```
-
-<!--
-To correct the behaviour you must run the following on the node `reg add "HKLM\SYSTEM\CurrentControlSet\Services\hns\State" /v EnableCompartmentNamespace /t REG_DWORD /d 1` to add the required registry key. This node change will only take effect in newly created pods, meaning you must now recreate any running pods which require access to SMB shares.
--->
-要解决问题，你需要在节点上运行以下命令以添加所需的注册表项
-`reg add "HKLM\SYSTEM\CurrentControlSet\Services\hns\State" /v EnableCompartmentNamespace /t REG_DWORD /d 1`。
-此更改只会在新创建的 Pod 中生效，这意味着你必须重新创建任何需要访问 SMB 共享的正在运行的 Pod。
+然后需要重新创建正在运行的 Pod 以使行为更改生效。
+有关如何使用此注册表项的更多信息，请参见[此处](https://github.com/microsoft/hcsshim/blob/885f896c5a8548ca36c88c4b87fd2208c8d16543/internal/uvm/create.go#L74-L83)。
 <!--
 ## Troubleshooting
 
@@ -483,7 +421,7 @@ kubectl exec -it iis-auth-7776966999-n5nzr powershell.exe
 `nltest.exe /parentdomain` results in the following error:
 -->
 `nltest.exe /parentdomain` 导致以下错误：
-```
+```output
 Getting parent domain failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
 ```
 
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
similarity index 95%
rename from content/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 8670a63b749c9..bf86ee2d1f045 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -6,7 +6,7 @@ weight: 110
 
 <!-- overview -->
 <!--
-This page shows how to configure liveness, readiness and startup probes for Containers.
+This page shows how to configure liveness, readiness and startup probes for containers.
 
 The [kubelet](/docs/reference/command-line-tools-reference/kubelet/) uses liveness probes to know when to
 restart a container. For example, liveness probes could catch a deadlock,
@@ -16,7 +16,7 @@ despite bugs.
 -->
 这篇文章介绍如何给容器配置活跃（Liveness）、就绪（Readiness）和启动（Startup）探测器。
 
-[kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/)
+[kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)
 使用存活探测器来确定什么时候要重启容器。
 例如，存活探测器可以探测到应用死锁（应用程序在运行，但是无法继续执行后面的步骤）情况。
 重启这种状态下的容器有助于提高应用的可用性，即使其中存在缺陷。
@@ -339,7 +339,7 @@ kubectl describe pod goproxy
 -->
 ## 定义 gRPC 活跃探测器
 
-{{< feature-state for_k8s_version="v1.23" state="alpha" >}}
+{{< feature-state for_k8s_version="v1.24" state="beta" >}}
 
 <!--
 If your application implements [gRPC Health Checking Protocol](https://github.com/grpc/grpc/blob/master/doc/health-checking.md),
@@ -350,10 +350,11 @@ in order to configure checks that rely on gRPC.
 
 Here is an example manifest:
 -->
-如果你的应用实现了 [gRPC 健康检查协议](https://github.com/grpc/grpc/blob/master/doc/health-checking.md)，
+如果你的应用实现了
+[gRPC 健康检查协议](https://github.com/grpc/grpc/blob/master/doc/health-checking.md)，
 kubelet 可以配置为使用该协议来执行应用活跃性检查。
 你必须启用 `GRPCContainerProbe`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 才能配置依赖于 gRPC 的检查机制。
 
 下面是一个示例清单：
@@ -420,7 +421,7 @@ When migrating from grpc-health-probe to built-in probes, remember the following
 - 内置探测器运行时针对的是 Pod 的 IP 地址，不像 `grpc-health-probe`
   那样通常针对 `127.0.0.1` 执行探测；
   请一定配置你的 gRPC 端点使之监听于 Pod 的 IP 地址之上。
-- 内置探测器不支持任何身份认证参数（例如 `tls`）。
+- 内置探测器不支持任何身份认证参数（例如 `-tls`）。
 - 对于内置的探测器而言，不存在错误代码。所有错误都被视作探测失败。
 - 如果 `ExecProbeTimeout` 特性门控被设置为 `false`，则 `grpc-health-probe`
   不会考虑 `timeoutSeconds` 设置状态（默认值为 1s），
@@ -430,13 +431,13 @@ When migrating from grpc-health-probe to built-in probes, remember the following
 ## Use a named port
 
 You can use a named
-[ContainerPort](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#containerport-v1-core)
+[`port`](/docs/reference/kubernetes-api/workload-resources/pod-v1/#ports)
 for HTTP or TCP liveness checks:
 -->
 ## 使用命名端口 {#use-a-named-port}
 
 对于 HTTP 或者 TCP 存活检测可以使用命名的
-[ContainerPort](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#containerport-v1-core)。
+[`port`](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#ports)。
 
 ```yaml
 ports:
@@ -526,17 +527,17 @@ Services.
 Kubernetes 提供了就绪探测器来发现并缓解这些情况。
 容器所在 Pod 上报还未就绪的信息，并且不接受通过 Kubernetes Service 的流量。
 
+{{< note >}}
 <!--
 Readiness probes runs on the container during its whole lifecycle.
 -->
-{{< note >}}
 就绪探测器在容器的整个生命周期中保持运行状态。
 {{< /note >}}
 
+{{< caution >}}
 <!--
 Liveness probes *do not* wait for readiness probes to succeed. If you want to wait before executing a liveness probe you should use initialDelaySeconds or a startupProbe.
 -->
-{{< caution >}}
 活跃探测器 **不等待** 就绪性探测器成功。
 如果要在执行活跃探测器之前等待，应该使用 `initialDelaySeconds` 或 `startupProbe`。
 {{< /caution >}}
@@ -637,7 +638,7 @@ eventual removal of that feature gate.
 这一缺陷在 Kubernetes v1.20 版本中得到修复。你可能一直依赖于之前错误的探测行为，
 甚至都没有觉察到这一问题的存在，因为默认的超时值是 1 秒钟。
 作为集群管理员，你可以在所有的 kubelet 上禁用 `ExecProbeTimeout`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 （将其设置为 `false`），从而恢复之前版本中的运行行为。之后当集群中所有的
 exec 探针都设置了 `timeoutSeconds` 参数后，移除此标志重载。
 如果你有 Pod 受到此默认 1 秒钟超时值的影响，你应该更新这些 Pod 对应的探针的超时值，
@@ -708,14 +709,14 @@ case, you should not use `host`, but rather set the `Host` header in `httpHeader
 
 <!--
 For an HTTP probe, the kubelet sends two request headers in addition to the mandatory `Host` header:
-`User-Agent`, and `Accept`. The default values for these headers are `kube-probe/{{< skew latestVersion >}}`
-(where `{{< skew latestVersion >}}` is the version of the kubelet ), and `*/*` respectively.
+`User-Agent`, and `Accept`. The default values for these headers are `kube-probe/{{< skew currentVersion >}}`
+(where `{{< skew currentVersion >}}` is the version of the kubelet ), and `*/*` respectively.
 
 You can override the default headers by defining `.httpHeaders` for the probe; for example
 -->
 针对 HTTP 探针，kubelet 除了必需的 `Host` 头部之外还发送两个请求头部字段：
-`User-Agent` 和 `Accept`。这些头部的默认值分别是 `kube-probe/{{ skew latestVersion >}}`
-（其中 `{{< skew latestVersion >}}` 是 kubelet 的版本号）和 `*/*`。
+`User-Agent` 和 `Accept`。这些头部的默认值分别是 `kube-probe/{{ skew currentVersion >}}`
+（其中 `{{< skew currentVersion >}}` 是 kubelet 的版本号）和 `*/*`。
 
 你可以通过为探测设置 `.httpHeaders` 来重载默认的头部字段值；例如：
 
@@ -826,7 +827,7 @@ a Pod or pod template specifies it.
 
 ```yaml
 spec:
-  terminationGracePeriodSeconds: 3600  # pod-level
+  terminationGracePeriodSeconds: 3600  # Pod 级别设置
   containers:
   - name: test
     image: ...
@@ -842,7 +843,7 @@ spec:
         port: liveness-port
       failureThreshold: 1
       periodSeconds: 60
-      # Override pod-level terminationGracePeriodSeconds #
+      # 重载 Pod 级别的 terminationGracePeriodSeconds
       terminationGracePeriodSeconds: 60
 ```
 
@@ -857,20 +858,20 @@ It will be rejected by the API server.
 
 <!--
 * Learn more about
-[Container Probes](/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+  [Container Probes](/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
 -->
-* 进一步了解[容器探针](/zh/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)。
+* 进一步了解[容器探针](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)。
 
 <!--
 You can also read the API references for:
 
-* [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
-* [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
-* [Probe](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#probe-v1-core)
+* [Pod](/docs/reference/kubernetes-api/workload-resources/pod-v1/), and specifically:
+  * [container(s)](/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
+  * [probe(s)](/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe)
 -->
 你也可以阅读以下的 API 参考资料：
 
-* [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
-* [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
-* [Probe](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#probe-v1-core)
+* [Pod](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/)，尤其是：
+  * [container](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
+  * [probe](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe)
 
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
similarity index 98%
rename from content/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
index b3253b4d005cd..3bd9777355f46 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
@@ -55,7 +55,7 @@ do not already have a single-node cluster, you can create one by using
   如果还没有单节点集群，可以使用
   [Minikube](https://minikube.sigs.k8s.io/docs/) 创建一个。
 .
-* 熟悉[持久卷](/zh/docs/concepts/storage/persistent-volumes/)中的材料。
+* 熟悉[持久卷](/zh-cn/docs/concepts/storage/persistent-volumes/)中的材料。
 
 <!-- steps -->
 
@@ -464,7 +464,7 @@ PersistentVolume are not present on the Pod resource itself.
 * Learn more about [PersistentVolumes](/docs/concepts/storage/persistent-volumes/).
 * Read the [Persistent Storage design document](https://git.k8s.io/community/contributors/design-proposals/storage/persistent-storage.md).
 -->
-* 进一步了解 [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/)
+* 进一步了解 [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
 * 阅读[持久存储设计文档](https://git.k8s.io/community/contributors/design-proposals/storage/persistent-storage.md)
 
 <!--
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-pod-configmap.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap.md
similarity index 84%
rename from content/zh/docs/tasks/configure-pod-container/configure-pod-configmap.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap.md
index 6fece7c5e30e2..c79fa55c98692 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-pod-configmap.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap.md
@@ -20,8 +20,7 @@ card:
 Many applications rely on configuration which is used during either application initialization or runtime.
 Most of the times there is a requirement to adjust values assigned to configuration parameters.
 ConfigMaps is the kubernetes way to inject application pods with configuration data.
-
-ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable. This page provides a series of usage examples demonstrating how to create ConfigMaps and configure Pods using data stored in ConfigMaps. 
+ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable. This page provides a series of usage examples demonstrating how to create ConfigMaps and configure Pods using data stored in ConfigMaps.
 -->
 很多应用在其初始化或运行期间要依赖一些配置信息。大多数时候，
 存在要调整配置参数所设置的数值的需求。
@@ -41,7 +40,7 @@ ConfigMap 允许你将配置文件与镜像文件分离，以使容器化的应
 
 You can use either `kubectl create configmap` or a ConfigMap generator in `kustomization.yaml` to create a ConfigMap. Note that `kubectl` starts to support `kustomization.yaml` since 1.14.
 -->
-## 创建 ConfigMap
+## 创建 ConfigMap    {#create-a-configmap}
 
 你可以使用 `kubectl create configmap` 或者在 `kustomization.yaml` 中的 ConfigMap
 生成器来创建 ConfigMap。注意，`kubectl` 从 1.14 版本开始支持 `kustomization.yaml`。
@@ -49,15 +48,20 @@ You can use either `kubectl create configmap` or a ConfigMap generator in `kusto
 <!--
 ### Create a ConfigMap Using kubectl create configmap
 
-Use the `kubectl create configmap` command to create configmaps from [directories](#create-configmaps-from-directories), [files](#create-configmaps-from-files), or [literal values](#create-configmaps-from-literal-values):
+Use the `kubectl create configmap` command to create ConfigMaps from [directories](#create-configmaps-from-directories), [files](#create-configmaps-from-files), or [literal values](#create-configmaps-from-literal-values):
 -->
-### 使用 kubectl create configmap 创建 ConfigMap
+### 使用 kubectl create configmap 创建 ConfigMap    {#create-a-configmap-using-kubectl-create-configmap}
 
 你可以使用 `kubectl create configmap`
 命令基于[目录](#create-configmaps-from-directories)、
 [文件](#create-configmaps-from-files)或者[字面值](#create-configmaps-from-literal-values)来创建
 ConfigMap：
 
+<!--
+```shell
+kubectl create configmap <map-name> <data-source>
+```
+-->
 ```shell
 kubectl create configmap <映射名称> <数据源>
 ```
@@ -70,7 +74,7 @@ The name of a ConfigMap object must be a valid
 其中，`<映射名称>` 是为 ConfigMap 指定的名称，`<数据源>` 是要从中提取数据的目录、
 文件或者字面值。
 ConfigMap 对象的名称必须是合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
 <!--
 When you are creating a ConfigMap based on a file, the key in the \<data-source> defaults to the basename of the file, and the value defaults to the file content.
@@ -107,11 +111,24 @@ For example:
 
 例如：
 
+<!--
+```shell
+# Create the local directory
+mkdir -p configure-pod-container/configmap/
+
+# Download the sample files into `configure-pod-container/configmap/` directory
+wget https://kubernetes.io/examples/configmap/game.properties -O configure-pod-container/configmap/game.properties
+wget https://kubernetes.io/examples/configmap/ui.properties -O configure-pod-container/configmap/ui.properties
+
+# Create the configmap
+kubectl create configmap game-config --from-file=configure-pod-container/configmap/
+```
+-->
 ```shell
 # 创建本地目录
 mkdir -p configure-pod-container/configmap/
 
-# 将实例文件下载到 `configure-pod-container/configmap/` 目录
+# 将示例文件下载到 `configure-pod-container/configmap/` 目录
 wget https://kubernetes.io/examples/configmap/game.properties -O configure-pod-container/configmap/game.properties
 wget https://kubernetes.io/examples/configmap/ui.properties -O configure-pod-container/configmap/ui.properties
 
@@ -186,7 +203,6 @@ metadata:
   name: game-config
   namespace: default
   resourceVersion: "516"
-  selfLink: /api/v1/namespaces/default/configmaps/game-config
   uid: b4952dc3-d670-11e5-8cd0-68f728db1985
 data:
   game.properties: |
@@ -264,9 +280,9 @@ kubectl create configmap game-config-2 --from-file=configure-pod-container/confi
 ```
 
 <!--
-Describe the above `game-config-2` configmap created
+You can display details of the `game-config-2` ConfigMap using the following command:
 -->
-描述上面创建的 `game-config-2` ConfigMap：
+你可以使用以下命令显示 `game-config-2` ConfigMap 的详细信息：
 
 ```shell
 kubectl describe configmaps game-config-2
@@ -334,6 +350,9 @@ cat configure-pod-container/configmap/game-env-file.properties
 enemies=aliens
 lives=3
 allowed="true"
+
+# This comment and the empty line above it are ignored
+```
 -->
 Env 文件包含环境变量列表。其中适用以下语法规则:
 
@@ -402,18 +421,6 @@ specified multiple times to create a ConfigMap from multiple data sources.
 -->
 从 Kubernetes 1.23 版本开始，`kubectl` 支持多次指定 `--from-env-file` 参数来从多个数据源创建 ConfigMap。
 
-<!--
-The behavior of passing `--from-env-file` multiple times is demonstrated by:
--->
-下面是一个多次使用 `--from-env-file` 参数的示例：
-
-<!--
-```shell
-kubectl create configmap config-multi-env-files \
-        --from-env-file=configure-pod-container/configmap/game-env-file.properties \
-        --from-env-file=configure-pod-container/configmap/ui-env-file.properties
-```
--->
 ```shell
 kubectl create configmap config-multi-env-files \
         --from-env-file=configure-pod-container/configmap/game-env-file.properties \
@@ -442,7 +449,6 @@ metadata:
   name: config-multi-env-files
   namespace: default
   resourceVersion: "810136"
-  selfLink: /api/v1/namespaces/default/configmaps/config-multi-env-files
   uid: 252c4572-eb35-11e7-887b-42010a8002b8
 data:
   allowed: '"true"'
@@ -458,21 +464,28 @@ data:
 
 You can define a key other than the file name to use in the `data` section of your ConfigMap when using the `--from-file` argument:
 -->
-#### 定义从文件创建 ConfigMap 时要使用的键
+#### 定义从文件创建 ConfigMap 时要使用的键    {#define-the-key-to-use-when-generating-a-configmap-from-a-file}
 
 在使用 `--from-file` 参数时，你可以定义在 ConfigMap 的 `data` 部分出现键名，
 而不是按默认行为使用文件名：
 
+<!--
+```shell
+kubectl create configmap game-config-3 --from-file=<my-key-name>=<path-to-file>
+```
+-->
 ```shell
 kubectl create configmap game-config-3 --from-file=<我的键名>=<文件路径>
 ```
 
 <!--
-where <my-key-name> is the key you want to use in the ConfigMap and `<path-to-file>` is the location of the data source file you want the key to represent.
+where `<my-key-name>` is the key you want to use in the ConfigMap and `<path-to-file>` is the location of the data source file you want the key to represent.
 -->
 `<我的键名>` 是你要在 ConfigMap 中使用的键名，`<文件路径>` 是你想要键所表示的数据源文件的位置。
 
-<!-- For example: -->
+<!--
+For example:
+-->
 例如:
 
 ```shell
@@ -488,7 +501,9 @@ would produce the following ConfigMap:
 kubectl get configmaps game-config-3 -o yaml
 ```
 
-<!-- where the output is similar to this: -->
+<!--
+where the output is similar to this:
+-->
 输出类似以下内容：
 
 ```yaml
@@ -499,7 +514,6 @@ metadata:
   name: game-config-3
   namespace: default
   resourceVersion: "530"
-  selfLink: /api/v1/namespaces/default/configmaps/game-config-3
   uid: 05f8da22-d671-11e5-8cd0-68f728db1985
 data:
   game-special-key: |
@@ -548,7 +562,6 @@ metadata:
   name: special-config
   namespace: default
   resourceVersion: "651"
-  selfLink: /api/v1/namespaces/default/configmaps/special-config
   uid: dadce046-d673-11e5-8cd0-68f728db1985
 data:
   special.how: very
@@ -563,7 +576,7 @@ You can also create a ConfigMap from generators and then apply it to create the
 the Apiserver. The generators
 should be specified in a `kustomization.yaml` inside a directory.
 -->
-### 基于生成器创建 ConfigMap
+### 基于生成器创建 ConfigMap    {#create-a-configmap-from-generator}
 
 自 1.14 开始，`kubectl` 开始支持 `kustomization.yaml`。
 你还可以基于生成器（Generators）创建 ConfigMap，然后将其应用于 API 服务器上创建对象。
@@ -572,20 +585,31 @@ should be specified in a `kustomization.yaml` inside a directory.
 <!--
 #### Generate ConfigMaps from files
 
-For example, to generate a ConfigMap from files `configure-pod-container/configmap/kubectl/game.properties`
+For example, to generate a ConfigMap from files `configure-pod-container/configmap/game.properties`
 -->
-#### 基于文件生成 ConfigMap
+#### 基于文件生成 ConfigMap    {#generate-configmaps-from-files}
 
-例如，要基于 `configure-pod-container/configmap/kubectl/game.properties`
+例如，要基于 `configure-pod-container/configmap/game.properties`
 文件生成一个 ConfigMap：
 
+<!--
+```shell
+# Create a kustomization.yaml file with ConfigMapGenerator
+cat <<EOF >./kustomization.yaml
+configMapGenerator:
+- name: game-config-4
+  files:
+  - configure-pod-container/configmap/game.properties
+EOF
+```
+-->
 ```shell
 # 创建包含 ConfigMapGenerator 的 kustomization.yaml 文件
 cat <<EOF >./kustomization.yaml
 configMapGenerator:
 - name: game-config-4
   files:
-  - configure-pod-container/configmap/kubectl/game.properties
+  - configure-pod-container/configmap/game.properties
 EOF
 ```
 
@@ -648,22 +672,33 @@ new ConfigMap is generated each time the content is modified.
 #### Define the key to use when generating a ConfigMap from a file
 
 You can define a key other than the file name to use in the ConfigMap generator.
-For example, to generate a ConfigMap from files `configure-pod-container/configmap/kubectl/game.properties`
+For example, to generate a ConfigMap from files `configure-pod-container/configmap/game.properties`
 with the key `game-special-key`
 -->
-#### 定义从文件生成 ConfigMap 时要使用的键
+#### 定义从文件生成 ConfigMap 时要使用的键    {#define-the-key-to-use-when-generating-a-configmap-from-a-file}
 
 在 ConfigMap 生成器中，你可以定义一个非文件名的键名。
 例如，从 `configure-pod-container/configmap/game.properties` 文件生成 ConfigMap，
 但使用 `game-special-key` 作为键名：
 
+<!--
+```shell
+# Create a kustomization.yaml file with ConfigMapGenerator
+cat <<EOF >./kustomization.yaml
+configMapGenerator:
+- name: game-config-5
+  files:
+  - game-special-key=configure-pod-container/configmap/game.properties
+EOF
+```
+-->
 ```shell
 # 创建包含 ConfigMapGenerator 的 kustomization.yaml 文件
 cat <<EOF >./kustomization.yaml
 configMapGenerator:
 - name: game-config-5
   files:
-  - game-special-key=configure-pod-container/configmap/kubectl/game.properties
+  - game-special-key=configure-pod-container/configmap/game.properties
 EOF
 ```
 
@@ -684,13 +719,25 @@ configmap/game-config-5-m67dt67794 created
 #### Generate ConfigMaps from Literals
 
 To generate a ConfigMap from literals `special.type=charm` and `special.how=very`,
-you can specify the ConfigMap generator in `kusotmization.yaml` as
+you can specify the ConfigMap generator in `kustomization.yaml` as
 -->
-#### 基于字面值生成 ConfigMap
+#### 基于字面值生成 ConfigMap    {#generate-configmaps-from-literals}
 
 要基于字符串 `special.type=charm` 和 `special.how=very` 生成 ConfigMap，
-可以在 `kusotmization.yaml` 中配置 ConfigMap 生成器：
+可以在 `kustomization.yaml` 中配置 ConfigMap 生成器：
 
+<!--
+```shell
+# Create a kustomization.yaml file with ConfigMapGenerator
+cat <<EOF >./kustomization.yaml
+configMapGenerator:
+- name: special-config-2
+  literals:
+  - special.how=very
+  - special.type=charm
+EOF
+```
+-->
 ```shell
 # 创建带有 ConfigMapGenerator 的 kustomization.yaml 文件
 cat <<EOF >./kustomization.yaml
@@ -720,12 +767,12 @@ configmap/special-config-2-c92b5mmcf2 created
 
 ### Define a container environment variable with data from a single ConfigMap
 -->
-## 使用 ConfigMap 数据定义容器环境变量
+## 使用 ConfigMap 数据定义容器环境变量    {#define-container-environment-variables-using-configmap-data}
 
-### 使用单个 ConfigMap 中的数据定义容器环境变量
+### 使用单个 ConfigMap 中的数据定义容器环境变量    {#define-a-container-environment-variable-with-data-from-a-single-configmap}
 
 <!--
-1.  Define an environment variable as a key-value pair in a ConfigMap:
+1. Define an environment variable as a key-value pair in a ConfigMap:
 -->
 1. 在 ConfigMap 中将环境变量定义为键值对:
 
@@ -734,33 +781,41 @@ configmap/special-config-2-c92b5mmcf2 created
    ```
 
 <!--
-2.  Assign the `special.how` value defined in the ConfigMap to the `SPECIAL_LEVEL_KEY` environment variable in the Pod specification.
+2. Assign the `special.how` value defined in the ConfigMap to the `SPECIAL_LEVEL_KEY` environment variable in the Pod specification.
 -->
 2. 将 ConfigMap 中定义的 `special.how` 赋值给 Pod 规约中的 `SPECIAL_LEVEL_KEY` 环境变量。
 
    {{< codenew file="pods/pod-single-configmap-env-variable.yaml" >}}
 
-   <!-- Create the Pod: -->
+   <!--
+   Create the Pod:
+   -->
    创建 Pod:
 
    ```shell
    kubectl create -f https://kubernetes.io/examples/pods/pod-single-configmap-env-variable.yaml
    ```
 
-   <!-- Now, the Pod's output includes environment variable `SPECIAL_LEVEL_KEY=very`. -->
+   <!--
+   Now, the Pod's output includes environment variable `SPECIAL_LEVEL_KEY=very`.
+   -->
    现在，Pod 的输出包含环境变量 `SPECIAL_LEVEL_KEY=very`。
 
 <!--
 ### Define container environment variables with data from multiple ConfigMaps
 -->
-### 使用来自多个 ConfigMap 的数据定义容器环境变量
+### 使用来自多个 ConfigMap 的数据定义容器环境变量    {#define-container-environment-variables-with-data-from-multiple-configmaps}
 
-<!-- * As with the previous example, create the ConfigMaps first. -->
+<!--
+* As with the previous example, create the ConfigMaps first.
+-->
 * 与前面的示例一样，首先创建 ConfigMap。
 
   {{< codenew file="configmap/configmaps.yaml" >}}
 
-  <!-- Create the ConfigMap: -->
+  <!--
+  Create the ConfigMap:
+  -->
   创建 ConfigMap:
 
   ```shell
@@ -774,20 +829,24 @@ configmap/special-config-2-c92b5mmcf2 created
 
   {{< codenew file="pods/pod-multiple-configmap-env-variable.yaml" >}}
 
-  <!-- Create the Pod: -->
+  <!--
+  Create the Pod:
+  -->
   创建 Pod:
 
   ```shell
   kubectl create -f https://kubernetes.io/examples/pods/pod-multiple-configmap-env-variable.yaml
   ```
 
-  <!-- Now, the Pod's output includes environment variables `SPECIAL_LEVEL_KEY=very` and `LOG_LEVEL=INFO`. -->
+  <!--
+  Now, the Pod's output includes environment variables `SPECIAL_LEVEL_KEY=very` and `LOG_LEVEL=INFO`.
+  -->
   现在，Pod 的输出包含环境变量 `SPECIAL_LEVEL_KEY=very` 和 `LOG_LEVEL=INFO`。
 
 <!--
 ## Configure all key-value pairs in a ConfigMap as container environment variables
 -->
-## 将 ConfigMap 中的所有键值对配置为容器环境变量
+## 将 ConfigMap 中的所有键值对配置为容器环境变量    {#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables}
 
 <!--
 This functionality is available in Kubernetes v1.6 and later.
@@ -803,7 +862,9 @@ Kubernetes v1.6 和更高版本支持此功能。
 
   {{< codenew file="configmap/configmap-multikeys.yaml" >}}
 
-  <!-- Create the ConfigMap: -->
+  <!--
+  Create the ConfigMap:
+  -->
   创建 ConfigMap:
 
   ```shell
@@ -818,20 +879,24 @@ Kubernetes v1.6 和更高版本支持此功能。
 
   {{< codenew file="pods/pod-configmap-envFrom.yaml" >}}
 
-  <!-- Create the Pod: -->
+  <!--
+  Create the Pod:
+  -->
   创建 Pod:
 
   ```shell
   kubectl create -f https://kubernetes.io/examples/pods/pod-configmap-envFrom.yaml
   ```
 
-  <!-- Now, the Pod's output includes environment variables `SPECIAL_LEVEL=very` and `SPECIAL_TYPE=charm`.  -->
+  <!--
+  Now, the Pod's output includes environment variables `SPECIAL_LEVEL=very` and `SPECIAL_TYPE=charm`.
+  -->
   现在，Pod 的输出包含环境变量 `SPECIAL_LEVEL=very` 和 `SPECIAL_TYPE=charm`。
 
 <!--
 ## Use ConfigMap-defined environment variables in Pod commands
 -->
-## 在 Pod 命令中使用 ConfigMap 定义的环境变量
+## 在 Pod 命令中使用 ConfigMap 定义的环境变量    {#use-configmap-defined-environment-variables-in-pod-commands}
 
 <!--
 You can use ConfigMap-defined environment variables in the `command` and `args` of a container using the `$(VAR_NAME)` Kubernetes substitution syntax.
@@ -869,9 +934,9 @@ very charm
 
 As explained in [Create ConfigMaps from files](#create-configmaps-from-files), when you create a ConfigMap using ``--from-file``, the filename becomes a key stored in the `data` section of the ConfigMap. The file contents become the key's value.
 -->
-## 将 ConfigMap 数据添加到一个卷中
+## 将 ConfigMap 数据添加到一个卷中    {#add-configmap-data-to-a-volume}
 
-如基于文件创建 [ConfigMap](#create-configmaps-from-files) 中所述，当你使用 
+如基于文件创建 [ConfigMap](#create-configmaps-from-files) 中所述，当你使用
 `--from-file` 创建 ConfigMap 时，文件名成为存储在 ConfigMap 的 `data` 部分中的键，
 文件内容成为键对应的值。
 
@@ -896,18 +961,20 @@ kubectl create -f https://kubernetes.io/examples/configmap/configmap-multikeys.y
 
 Add the ConfigMap name under the `volumes` section of the Pod specification.
 This adds the ConfigMap data to the directory specified as `volumeMounts.mountPath` (in this case, `/etc/config`).
-The `command` section references the `special.level` item stored in the ConfigMap.
+The `command` section lists directory files with names that match the keys in ConfigMap.
 -->
-### 使用存储在 ConfigMap 中的数据填充卷
+### 使用存储在 ConfigMap 中的数据填充卷    {#populate-a-volume-with-data-stored-in-a-configmap}
 
 在 Pod 规约的 `volumes` 部分下添加 ConfigMap 名称。
 这会将 ConfigMap 数据添加到 `volumeMounts.mountPath` 所指定的目录
 （在本例中为 `/etc/config`）。
-`command` 部分引用存储在 ConfigMap 中的 `special.level`。
+`command` 部分列出了名称与 ConfigMap 中的键匹配的目录文件。
 
 {{< codenew file="pods/pod-configmap-volume.yaml" >}}
 
-<!-- Create the Pod: -->
+<!--
+Create the Pod:
+-->
 创建 Pod:
 
 ```shell
@@ -919,7 +986,7 @@ When the pod runs, the command `ls /etc/config/` produces the output below:
 -->
 Pod 运行时，命令 `ls /etc/config/` 产生下面的输出：
 
-```shell
+```
 SPECIAL_LEVEL
 SPECIAL_TYPE
 ```
@@ -944,7 +1011,7 @@ Text data is exposed as files using the UTF-8 character encoding. To use some ot
 Use the `path` field to specify the desired file path for specific ConfigMap items.
 In this case, the `SPECIAL_LEVEL` item will be mounted in the `config-volume` volume at `/etc/config/keys`.
 -->
-### 将 ConfigMap 数据添加到卷中的特定路径
+### 将 ConfigMap 数据添加到卷中的特定路径    {#add-configmap-data-to-a-specific-path-in-the-volume}
 
 使用 `path` 字段为特定的 ConfigMap 项目指定预期的文件路径。
 在这里，ConfigMap 中键 `SPECIAL_LEVEL` 的内容将挂载在 `config-volume`
@@ -983,10 +1050,10 @@ Like before, all previous files in the `/etc/config/` directory will be deleted.
 You can project keys to specific paths and specific permissions on a per-file
 basis. The [Secrets](/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod) user guide explains the syntax.
 -->
-### 映射键到指定路径并设置文件访问权限
+### 映射键到指定路径并设置文件访问权限    {#project-keys-to-specific-paths-and-file-permissions}
 
 你可以将指定键名投射到特定目录，也可以逐个文件地设定访问权限。
-[Secret 用户指南](/zh/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod)
+[Secret 用户指南](/zh-cn/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod)
 中为这一语法提供了解释。
 
 <!--
@@ -1031,7 +1098,7 @@ kubelet 同步周期（默认 1 分钟） + ConfigMap 在 kubelet 中缓存的 T
 A container using a ConfigMap as a [subPath](/docs/concepts/storage/volumes/#using-subpath) volume will not receive ConfigMap updates.
 -->
 {{< note >}}
-使用 ConfigMap 作为 [subPath](/zh/docs/concepts/storage/volumes/#using-subpath)
+使用 ConfigMap 作为 [subPath](/zh-cn/docs/concepts/storage/volumes/#using-subpath)
 的数据卷将不会收到 ConfigMap 更新。
 {{< /note >}}
 
@@ -1042,11 +1109,11 @@ A container using a ConfigMap as a [subPath](/docs/concepts/storage/volumes/#usi
 
 The ConfigMap API resource stores configuration data as key-value pairs. The data can be consumed in pods or provide the configurations for system components such as controllers. ConfigMap is similar to [Secrets](/docs/concepts/configuration/secret/), but provides a means of working with strings that don't contain sensitive information. Users and system components alike can store configuration data in ConfigMap.
 -->
-## 了解 ConfigMap 和 Pod
+## 了解 ConfigMap 和 Pod    {#understanding-configmaps-and-pods}
 
 ConfigMap API 资源将配置数据存储为键值对。
 数据可以在 Pod 中使用，也可以用来提供系统组件（如控制器）的配置。
-ConfigMap 与 [Secret](/zh/docs/concepts/configuration/secret/) 类似，
+ConfigMap 与 [Secret](/zh-cn/docs/concepts/configuration/secret/) 类似，
 但是提供的是一种处理不含敏感信息的字符串的方法。
 用户和系统组件都可以在 ConfigMap 中存储配置数据。
 
@@ -1056,7 +1123,7 @@ ConfigMaps should reference properties files, not replace them. Think of the Con
 {{< note >}}
 ConfigMap 应该引用属性文件，而不是替换它们。可以将 ConfigMap 理解为类似于 Linux
 `/etc` 目录及其内容的东西。例如，如果你基于 ConfigMap 创建
-[Kubernetes 卷](/zh/docs/concepts/storage/volumes/)，则 ConfigMap
+[Kubernetes 卷](/zh-cn/docs/concepts/storage/volumes/)，则 ConfigMap
 中的每个数据项都由该数据卷中的某个独立的文件表示。
 {{< /note >}}
 
@@ -1067,6 +1134,25 @@ ConfigMap 的 `data` 字段包含配置数据。如下例所示，它可以简
 （如用 `--from-literal` 的单个属性定义）或复杂
 （如用 `--from-file` 的配置文件或 JSON blob定义）。
 
+<!--
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  creationTimestamp: 2016-02-18T19:14:38Z
+  name: example-config
+  namespace: default
+data:
+  # example of a simple property defined using --from-literal
+  example.property.1: hello
+  example.property.2: world
+  # example of a complex property defined using --from-file
+  example.property.file: |-
+    property.1=value-1
+    property.2=value-2
+    property.3=value-3
+```
+-->
 ```yaml
 apiVersion: v1
 kind: ConfigMap
@@ -1107,7 +1193,9 @@ data:
   kubectl get events
   ```
 
-  <!-- The output is similar to this: -->
+  <!--
+  The output is similar to this:
+  -->
   输出与此类似:
 
   ```
@@ -1124,7 +1212,7 @@ data:
 <!--
 - You can't use ConfigMaps for {{< glossary_tooltip text="static pods" term_id="static-pod" >}}, because the Kubelet does not support this.
 -->
-- 你不能将 ConfigMap 用于{{< glossary_tooltip text="静态 Pod" term_id="static-pod" >}}， 
+- 你不能将 ConfigMap 用于{{< glossary_tooltip text="静态 Pod" term_id="static-pod" >}}，
   因为 Kubernetes 不支持这种用法。
 
 ## {{% heading "whatsnext" %}}
@@ -1132,6 +1220,6 @@ data:
 <!--
 * Follow a real world example of [Configuring Redis using a ConfigMap](/docs/tutorials/configuration/configure-redis-using-configmap/).
 -->
-* 浏览[使用 ConfigMap 配置 Redis](/zh/docs/tutorials/configuration/configure-redis-using-configmap/)
-  真实实例。
+* 浏览[使用 ConfigMap 配置 Redis](/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap/)
+  真实示例。
 
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-pod-initialization.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md
similarity index 88%
rename from content/zh/docs/tasks/configure-pod-container/configure-pod-initialization.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md
index 90cf168b75f4d..65166ce246b32 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-pod-initialization.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md
@@ -135,11 +135,11 @@ The output shows that nginx is serving the web page that was written by the init
 [communicating between Containers running in the same Pod](/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/).
 * Learn more about [Init Containers](/docs/concepts/workloads/pods/init-containers/).
 * Learn more about [Volumes](/docs/concepts/storage/volumes/).
-* Learn more about [Debugging Init Containers](/docs/tasks/debug-application-cluster/debug-init-containers/)
+* Learn more about [Debugging Init Containers](/docs/tasks/debug/debug-application/debug-init-containers/)
 -->
 
-* 进一步了解[同一 Pod 中的容器间的通信](/zh/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/)。
-* 进一步了解 [Init 容器](/zh/docs/concepts/workloads/pods/init-containers/)。
-* 进一步了解[卷](/zh/docs/concepts/storage/volumes/)。
-* 进一步了解 [Init 容器排错](/zh/docs/tasks/debug-application-cluster/debug-init-containers/)。
+* 进一步了解[同一 Pod 中的容器间的通信](/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/)。
+* 进一步了解 [Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)。
+* 进一步了解[卷](/zh-cn/docs/concepts/storage/volumes/)。
+* 进一步了解 [Init 容器排错](/zh-cn/docs/tasks/debug/debug-application/debug-init-containers/)。
 
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-projected-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
similarity index 88%
rename from content/zh/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
index 66230434d937b..e9f49a2127e46 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
@@ -20,7 +20,7 @@ several existing volume sources into the same directory. Currently, `secret`, `c
 and `serviceAccountToken` volumes can be projected.
 -->
 
-本文介绍怎样通过[`projected`](/zh/docs/concepts/storage/volumes/#projected) 卷将现有的多个卷资源挂载到相同的目录。
+本文介绍怎样通过[`projected`](/zh-cn/docs/concepts/storage/volumes/#projected) 卷将现有的多个卷资源挂载到相同的目录。
 当前，`secret`、`configMap`、`downwardAPI` 和 `serviceAccountToken` 卷可以被投射。
 
 <!--
@@ -46,8 +46,8 @@ Here is the configuration file for the Pod:
 
 ## 为 Pod 配置 projected 卷
 
-本练习中，您将从本地文件来创建包含有用户名和密码的 Secret。然后创建运行一个容器的 Pod，
-该 Pod 使用[`projected`](/zh/docs/concepts/storage/volumes/#projected) 卷将 Secret 挂载到相同的路径下。
+本练习中，你将从本地文件来创建包含有用户名和密码的 Secret。然后创建运行一个容器的 Pod，
+该 Pod 使用[`projected`](/zh-cn/docs/concepts/storage/volumes/#projected) 卷将 Secret 挂载到相同的路径下。
 
 下面是 Pod 的配置文件：
 
@@ -126,6 +126,6 @@ kubectl delete secret user pass
 * Read the [all-in-one volume](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/all-in-one-volume.md) design document.
 -->
 
-* 进一步了解[`projected`](/zh/docs/concepts/storage/volumes/#projected) 卷。
+* 进一步了解[`projected`](/zh-cn/docs/concepts/storage/volumes/#projected) 卷。
 * 阅读[一体卷](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/all-in-one-volume.md)设计文档。
 
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-runasusername.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md
similarity index 87%
rename from content/zh/docs/tasks/configure-pod-container/configure-runasusername.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md
index 4b4e05dd4bdd9..65df06ff344a6 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-runasusername.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md
@@ -17,7 +17,7 @@ weight: 20
 <!--
 This page shows how to use the `runAsUserName` setting for Pods and containers that will run on Windows nodes. This is roughly equivalent of the Linux-specific `runAsUser` setting, allowing you to run applications in a container as a different username than the default.
 -->
-本页展示如何为运行为在 Windows 节点上运行的 Pod 和容器配置 `RunAsUserName` 。
+本页展示如何为运行为在 Windows 节点上运行的 Pod 和容器配置 `RunAsUserName`。
 大致相当于 Linux 上的 `runAsUser`，允许在容器中以与默认值不同的用户名运行应用。
 
 ## {{% heading "prerequisites" %}}
@@ -32,11 +32,11 @@ You need to have a Kubernetes cluster and the kubectl command-line tool must be
 ## Set the Username for a Pod
 
 To specify the username with which to execute the Pod's container processes, include the
-`securityContext` field ([PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core)) 
-in the Pod specification, and within it, the `windowsOptions` 
+`securityContext` field ([PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core))
+in the Pod specification, and within it, the `windowsOptions`
 ([WindowsSecurityContextOptions](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#windowssecuritycontextoptions-v1-core)) field containing the `runAsUserName` field.
 -->
-## 为 Pod 设置 Username
+## 为 Pod 设置 Username    {#set-the-username-for-a-pod}
 
 要指定运行 Pod 容器时所使用的用户名，请在 Pod 声明中包含 `securityContext`
 ([PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core)) 字段，
@@ -102,26 +102,26 @@ The output should be:
 
 输出结果应该是这样：
 
-```shell
+```
 ContainerUser
 ```
 
 <!--
 ## Set the Username for a Container
 
-To specify the username with which to execute a Container's processes, include the `securityContext` field 
-([SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)) 
-in the Container manifest, and within it, the 
-`windowsOptions` ([WindowsSecurityContextOptions](/docs/reference/generated/kubernetes-api/{{< param 
+To specify the username with which to execute a Container's processes, include the `securityContext` field
+([SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core))
+in the Container manifest, and within it, the
+`windowsOptions` ([WindowsSecurityContextOptions](/docs/reference/generated/kubernetes-api/{{< param
 "version" >}}/#windowssecuritycontextoptions-v1-core)) field containing the `runAsUserName` field.
 -->
 
-## 为容器设置 Username
+## 为容器设置 Username    {#set-the-username-for-a-container}
 
 要指定运行容器时所使用的用户名，请在容器清单中包含 `securityContext`
-([SecurityContext](/zh/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core))
+([SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core))
 字段，并在其内部包含 `windowsOptions`
-（[WindowsSecurityContextOptions](/zh/docs/reference/generated/kubernetes-api/{{< param
+（[WindowsSecurityContextOptions](/docs/reference/generated/kubernetes-api/{{< param
 "version" >}}/#windowssecuritycontextoptions-v1-core)）
 字段的 `runAsUserName` 字段。
 
@@ -186,7 +186,7 @@ ContainerAdministrator
 
 In order to use this feature, the value set in the `runAsUserName` field must be a valid username. It must have the following format: `DOMAIN\USER`, where `DOMAIN\` is optional. Windows user names are case insensitive. Additionally, there are some restrictions regarding the `DOMAIN` and `USER`:
 -->
-## Windows Username 的局限性
+## Windows Username 的局限性    {#windows-username-limitations}
 
 想要使用此功能，在 `runAsUserName` 字段中设置的值必须是有效的用户名。
 它必须是 `DOMAIN\USER` 这种格式，其中 `DOMAIN\` 是可选的。
@@ -218,10 +218,10 @@ For more information about these limtations, check [here](https://support.micros
 ## {{% heading "whatsnext" %}}
 
 <!--
-* [Guide for scheduling Windows containers in Kubernetes](/docs/setup/production-environment/windows/user-guide-windows-containers/)
-* [Managing Workload Identity with Group Managed Service Accounts (GMSA)](/docs/setup/production-environment/windows/user-guide-windows-containers/#managing-workload-identity-with-group-managed-service-accounts)
+* [Guide for scheduling Windows containers in Kubernetes](/docs/concepts/windows/user-guide/)
+* [Managing Workload Identity with Group Managed Service Accounts (GMSA)](/docs/concepts/windows/user-guide/#managing-workload-identity-with-group-managed-service-accounts)
 * [Configure GMSA for Windows pods and containers](/docs/tasks/configure-pod-container/configure-gmsa/)
 -->
-* [Kubernetes 中调度 Windows 容器的指南](/zh/docs/setup/production-environment/windows/user-guide-windows-containers/)
-* [使用组托管服务帐户（GMSA）管理工作负载身份](/zh/docs/setup/production-environment/windows/user-guide-windows-containers/#managing-workload-identity-with-group-managed-service-accounts)
-* [Windows 下 pod 和容器的 GMSA 配置](/zh/docs/tasks/configure-pod-container/configure-gmsa/)
+* [Kubernetes 中调度 Windows 容器的指南](/zh-cn/docs/concepts/windows/user-guide/)
+* [使用组托管服务帐户（GMSA）管理工作负载身份](/zh-cn/docs/concepts/windows/user-guide/#managing-workload-identity-with-group-managed-service-accounts)
+* [Windows 下 pod 和容器的 GMSA 配置](/zh-cn/docs/tasks/configure-pod-container/configure-gmsa/)
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-service-account.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md
similarity index 97%
rename from content/zh/docs/tasks/configure-pod-container/configure-service-account.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md
index a27261c87fed8..badb1f5de2f3d 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-service-account.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md
@@ -73,9 +73,9 @@ In version 1.6+, you can opt out of automounting API credentials for a service a
 `automountServiceAccountToken: false` on the service account:
 -->
 你可以使用自动挂载给 Pod 的服务账户凭据访问 API，
-[访问集群](/zh/docs/tasks/access-application-cluster/access-cluster/)页面中有相关描述。
+[访问集群](/zh-cn/docs/tasks/access-application-cluster/access-cluster/)页面中有相关描述。
 服务账户的 API 许可取决于你所使用的
-[鉴权插件和策略](/zh/docs/reference/access-authn-authz/authorization/#authorization-modules)。
+[鉴权插件和策略](/zh-cn/docs/reference/access-authn-authz/authorization/#authorization-modules)。
 
 在 1.6 以上版本中，你可以通过在服务账户上设置 `automountServiceAccountToken: false`
 来实现不给服务账号自动挂载 API 凭据：
@@ -155,7 +155,7 @@ The name of a ServiceAccount object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
 ServiceAccount 对象的名字必须是一个有效的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 
 <!--
 If you get a complete dump of the service account object, like this:
@@ -195,7 +195,7 @@ field of a pod to the name of the service account you wish to use.
 那么你就能看到系统已经自动创建了一个令牌并且被服务账户所引用。
 
 你可以使用授权插件来
-[设置服务账户的访问许可](/zh/docs/reference/access-authn-authz/rbac/#service-account-permissions)。
+[设置服务账户的访问许可](/zh-cn/docs/reference/access-authn-authz/rbac/#service-account-permissions)。
 
 要使用非默认的服务账户，将 Pod 的 `spec.serviceAccountName` 字段设置为你想用的服务账户名称。
 
@@ -289,7 +289,7 @@ The content of `token` is elided here.
 
 ### 创建 ImagePullSecret
 
-- 创建一个 ImagePullSecret，如同[为 Pod 设置 ImagePullSecret](/zh/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)所述。
+- 创建一个 ImagePullSecret，如同[为 Pod 设置 ImagePullSecret](/zh-cn/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)所述。
 
   ```shell
   kubectl create secret docker-registry myregistrykey --docker-server=DUMMY_SERVER \
@@ -494,7 +494,7 @@ This behavior is configured on a PodSpec using a ProjectedVolume type called
 pod with a token with an audience of "vault" and a validity duration of two
 hours, you would configure the following in your PodSpec:
 -->
-使用名为 [ServiceAccountToken](/zh/docs/concepts/storage/volumes/#projected) 的
+使用名为 [ServiceAccountToken](/zh-cn/docs/concepts/storage/volumes/#projected) 的
 ProjectedVolume 类型在 PodSpec 上配置此功能。
 要向 Pod 提供具有 "vault" 用户以及两个小时有效期的令牌，可以在 PodSpec 中配置以下内容：
 
@@ -640,7 +640,7 @@ See also:
 -->
 另请参见：
 
-- [服务账号的集群管理员指南](/zh/docs/reference/access-authn-authz/service-accounts-admin/)
+- [服务账号的集群管理员指南](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
 - [服务账号签署密钥检索 KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1393-oidc-discovery)
 - [OIDC 发现规范](https://openid.net/specs/openid-connect-discovery-1_0.html)
 
diff --git a/content/zh/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md
similarity index 97%
rename from content/zh/docs/tasks/configure-pod-container/configure-volume-storage.md
rename to content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md
index 5e5a9907e98b2..b468a6943e3b5 100644
--- a/content/zh/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -22,7 +22,7 @@ applications, such as key-value stores (such as Redis) and databases.
 此页面展示了如何配置 Pod 以使用卷进行存储。
 
 只要容器存在，容器的文件系统就会存在，因此当一个容器终止并重新启动，对该容器的文件系统改动将丢失。
-对于独立于容器的持久化存储，你可以使用[卷](/zh/docs/concepts/storage/volumes/)。
+对于独立于容器的持久化存储，你可以使用[卷](/zh-cn/docs/concepts/storage/volumes/)。
 这对于有状态应用程序尤为重要，例如键值存储（如 Redis）和数据库。
 
 ## {{% heading "prerequisites" %}}
@@ -44,7 +44,7 @@ restarts. Here is the configuration file for the Pod:
 ## 为 Pod 配置卷   {#configure-a-volume-for-a-pod}
 
 在本练习中，你将创建一个运行 Pod，该 Pod 仅运行一个容器并拥有一个类型为
-[emptyDir](/zh/docs/concepts/storage/volumes/#emptydir) 的卷，
+[emptyDir](/zh-cn/docs/concepts/storage/volumes/#emptydir) 的卷，
 在整个 Pod 生命周期中一直存在，即使 Pod 中的容器被终止和重启。以下是 Pod 的配置：
 
 {{< codenew file="pods/storage/redis.yaml" >}}
@@ -193,5 +193,5 @@ details such as mounting and unmounting the devices on the nodes. See
 * 参阅 [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)。
 * 除了 `emptyDir` 提供的本地磁盘存储外，Kubernetes 还支持许多不同的网络附加存储解决方案，
   包括 GCE 上的 PD 和 EC2 上的 EBS，它们是关键数据的首选，并将处理节点上的一些细节，
-  例如安装和卸载设备。了解更多详情请参阅[卷](/zh/docs/concepts/storage/volumes/)。
+  例如安装和卸载设备。了解更多详情请参阅[卷](/zh-cn/docs/concepts/storage/volumes/)。
 
diff --git a/content/zh/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
similarity index 93%
rename from content/zh/docs/tasks/configure-pod-container/create-hostprocess-pod.md
rename to content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index 97029bff8fefd..abc3896e70248 100644
--- a/content/zh/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -100,7 +100,7 @@ latest version of containerd (v1.6+) to run HostProcess containers.
 在 Kubernetes v{{< skew currentVersion >}} 中，HostProcess 容器功能特性默认是启用的。
 kubelet 会直接与 containerd 通信，通过 CRI 将主机进程标志传递过去。
 你可以使用 containerd 的最新版本（v1.6+）来运行 HostProcess 容器。
-参阅[如何安装 containerd](/zh/docs/setup/production-environment/container-runtimes/#containerd)。
+参阅[如何安装 containerd](/zh-cn/docs/setup/production-environment/container-runtimes/#containerd)。
 
 <!--
 To *disable* HostProcess containers you need to pass the following feature gate flag to the
@@ -117,7 +117,7 @@ To *disable* HostProcess containers you need to pass the following feature gate
 See [Features Gates](/docs/reference/command-line-tools-reference/feature-gates/#overview)
 documentation for more details.
 -->
-进一步的细节可参阅[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/#overview)文档。
+进一步的细节可参阅[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/#overview)文档。
 
 <!--
 ## Limitations
@@ -177,7 +177,7 @@ the configurations which need to be set to enable the creation of a HostProcess
 -->
 启用 Windows HostProcess Pod 需要在 Pod 安全配置中设置合适的选项。
 在 [Pod
-安全标准](/zh/docs/concepts/security/pod-security-standards)中所定义的策略中，
+安全标准](/zh-cn/docs/concepts/security/pod-security-standards)中所定义的策略中，
 HostProcess Pod 默认是不被 basline 和 restricted 策略支持的。因此建议
 HostProcess 运行在与 privileged 模式相看齐的策略下。
 
@@ -193,11 +193,11 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
   </thead>
   <tbody>
     <tr>
-      <td style="white-space: nowrap"><a href="/zh/docs/concepts/security/pod-security-standards"><tt>securityContext.windowsOptions.hostProcess</tt></a></td>
+      <td style="white-space: nowrap"><a href="/zh-cn/docs/concepts/security/pod-security-standards"><tt>securityContext.windowsOptions.hostProcess</tt></a></td>
       <td>
         <p><!--Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">
         HostProcess containers</a> which enables privileged access to the Windows node.-->
-        Windows Pods 提供运行<a href="/zh/docs/tasks/configure-pod-container/create-hostprocess-pod">
+        Windows Pods 提供运行<a href="/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod">
         HostProcess 容器</a>的能力，这类容器能够具有对 Windows 节点的特权访问权限。</p>
         <p><strong><!--Allowed Values-->可选值</strong></p>
         <ul>
@@ -206,7 +206,7 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
       </td>
     </tr>
     <tr>
-      <td style="white-space: nowrap"><a href="/zh/docs/concepts/security/pod-security-standards"><tt>hostNetwork</tt></a></td>
+      <td style="white-space: nowrap"><a href="/zh-cn/docs/concepts/security/pod-security-standards"><tt>hostNetwork</tt></a></td>
       <td>
         <p><!--Will be in host network by default initially. Support
         to set network to a different compartment may be desirable in
@@ -220,7 +220,7 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
       </td>
     </tr>
     <tr>
-      <td style="white-space: nowrap"><a href="/zh/docs/tasks/configure-pod-container/configure-runasusername/"><tt>securityContext.windowsOptions.runAsUsername</tt></a></td>
+      <td style="white-space: nowrap"><a href="/zh-cn/docs/tasks/configure-pod-container/configure-runasusername/"><tt>securityContext.windowsOptions.runAsUsername</tt></a></td>
       <td>
         <p><!--Specification of which user the HostProcess container should run as is required for the pod spec.-->
         关于 HostProcess 容器所要使用的用户的规约，需要设置在 Pod 的规约中。
@@ -234,7 +234,7 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
       </td>
     </tr>
     <tr>
-      <td style="white-space: nowrap"><a href="/zh/docs/concepts/security/pod-security-standards"><tt>runAsNonRoot</tt></a></td>
+      <td style="white-space: nowrap"><a href="/zh-cn/docs/concepts/security/pod-security-standards"><tt>runAsNonRoot</tt></a></td>
       <td>
         <p><!--Because HostProcess containers have privileged access to the host, the <tt>runAsNonRoot</tt> field cannot be set to true.-->
         因为 HostProcess 容器有访问主机的特权，<tt>runAsNonRoot</tt> 字段不可以设置为 true。
diff --git a/content/zh/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
similarity index 85%
rename from content/zh/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
rename to content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
index 854205cbd83e5..37bca7adb2216 100644
--- a/content/zh/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
@@ -18,9 +18,9 @@ As of v1.22, Kubernetes provides a built-in [admission controller](/docs/referen
 to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards).
 You can configure this admission controller to set cluster-wide defaults and [exemptions](/docs/concepts/security/pod-security-admission/#exemptions).
 -->
-在 v1.22 版本中，Kubernetes 提供一种内置的[准入控制器](/zh/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
-用来强制实施 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)。
-你可以配置此准入控制器来设置集群范围的默认值和[豁免选项](/zh/docs/concepts/security/pod-security-admission/#exemptions)。
+在 v1.22 版本中，Kubernetes 提供一种内置的[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
+用来强制实施 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards)。
+你可以配置此准入控制器来设置集群范围的默认值和[豁免选项](/zh-cn/docs/concepts/security/pod-security-admission/#exemptions)。
 
 ## {{% heading "prerequisites" %}}
 
@@ -29,7 +29,7 @@ You can configure this admission controller to set cluster-wide defaults and [ex
 <!--
 - Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 -->
-- 确保 `PodSecurity` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)已被启用。
+- 确保 `PodSecurity` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)已被启用。
 
 <!--
 ## Configure the Admission Controller
@@ -56,7 +56,7 @@ plugins:
     #
     # version 标签必须是如下取值之一：
     # - "latest" (默认) 
-    # - 诸如 "v{{< skew latestVersion >}}" 这类版本号
+    # - 诸如 "v{{< skew currentVersion>}}" 这类版本号
     defaults:
       enforce: "privileged"
       enforce-version: "latest"
@@ -99,7 +99,7 @@ plugins:
     #
     # version 标签必须是如下取值之一：
     # - "latest" (默认) 
-    # - 诸如 "v{{< skew latestVersion >}}" 这类版本号
+    # - 诸如 "v{{< skew currentVersion>}}" 这类版本号
     defaults:
       enforce: "privileged"
       enforce-version: "latest"
diff --git a/content/zh/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
similarity index 75%
rename from content/zh/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
rename to content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
index 7d75a934a604f..6a0912f8e668e 100644
--- a/content/zh/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
@@ -13,9 +13,16 @@ min-kubernetes-server-version: v1.22
 -->
 
 <!--
-Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards).
+Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards).The three policies
+[privileged](/docs/concepts/security/pod-security-standards/#privileged), [baseline](/docs/concepts/security/pod-security-standards/#baseline)
+and [restricted](/docs/concepts/security/pod-security-standards/#restricted) broadly cover the security spectrum
+and are implemented by the [Pod Security](/docs/concepts/security/pod-security-admission/)
 -->
-你可以通过为名字空间设置标签来强制实施 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)。
+[特权（privileged）](/zh-cn/docs/concepts/security/pod-security-standards/#privileged)、
+[基线（baseline）](/zh-cn/docs/concepts/security/pod-security-standards/#baseline)和
+[受限（restricted）](/zh-cn/docs/concepts/security/pod-security-standards/#restricted) 
+这三种策略涵盖了广泛安全范围，并由 [Pod 安全](/zh-cn/docs/concepts/security/pod-security-admission/)
+ {{< glossary_tooltip text="准入控制器" term_id="admission-controller" >}}实现。
 
 ## {{% heading "prerequisites" %}}
 
@@ -24,7 +31,7 @@ Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts
 <!--
 - Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 -->
-- 确保 `PodSecurity` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)已被启用。
+- 确保 `PodSecurity` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)已被启用。
 
 <!--
 ## Requiring the `baseline` Pod Security Standard with namespace labels
@@ -37,14 +44,14 @@ This manifest defines a Namespace `my-baseline-namespace` that:
 - _Blocks_ any pods that don't satisfy the `baseline` policy requirements.
 - Generates a user-facing warning and adds an audit annotation to any created pod that does not
   meet the `restricted` policy requirements.
-- Pins the versions of the `baseline` and `restricted` policies to v{{< skew latestVersion >}}.
+- Pins the versions of the `baseline` and `restricted` policies to v{{< skew currentVersion >}}.
 -->
 下面的清单定义了一个 `my-baseline-namespace` 名字空间，其中
 
 - *阻止*任何不满足 `baseline` 策略要求的 Pods；
 - 针对任何无法满足 `restricted` 策略要求的、已创建的 Pod 为用户生成警告信息，
   并添加审计注解；
-- 将 `baseline` 和 `restricted` 策略的版本锁定到 v{{< skew latestVersion >}}。
+- 将 `baseline` 和 `restricted` 策略的版本锁定到 v{{< skew currentVersion >}}。
 
 ```yaml
 apiVersion: v1
@@ -53,13 +60,13 @@ metadata:
   name: my-baseline-namespace
   labels:
     pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/enforce-version: v{{< skew latestVersion >}}
+    pod-security.kubernetes.io/enforce-version: v{{< skew currentVersion >}}
 
     # 我们将这些标签设置为我们所 _期望_ 的 `enforce` 级别
     pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/audit-version: v{{< skew latestVersion >}}
+    pod-security.kubernetes.io/audit-version: v{{< skew currentVersion >}}
     pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/warn-version: v{{< skew latestVersion >}}
+    pod-security.kubernetes.io/warn-version: v{{< skew currentVersion >}}
 ```
 
 <!--
@@ -128,14 +135,14 @@ kubectl get namespaces --selector='!pod-security.kubernetes.io/enforce'
 
 <!--
 You can update a specific namespace as well. This command adds the `enforce=restricted`
-policy to `my-existing-namespace`, pinning the restricted policy version to v{{< skew latestVersion >}}.
+policy to `my-existing-namespace`, pinning the restricted policy version to v{{< skew currentVersion >}}.
 -->
 你也可以更新特定的名字空间。下面的命令将 `enforce=restricted` 策略应用到
-`my-existing-namespace` 名字空间，将 restricted 策略的版本锁定到 v{{< skew latestVersion >}}。
+`my-existing-namespace` 名字空间，将 restricted 策略的版本锁定到 v{{< skew currentVersion >}}。
 
 ```shell
 kubectl label --overwrite ns my-existing-namespace \
   pod-security.kubernetes.io/enforce=restricted \
-  pod-security.kubernetes.io/enforce-version=v{{< skew latestVersion >}}
+  pod-security.kubernetes.io/enforce-version=v{{< skew currentVersion >}}
 ```
 
diff --git a/content/zh/docs/tasks/configure-pod-container/extended-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
similarity index 92%
rename from content/zh/docs/tasks/configure-pod-container/extended-resource.md
rename to content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
index e34a5e4eb158d..3abc19fb120fd 100644
--- a/content/zh/docs/tasks/configure-pod-container/extended-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
@@ -29,7 +29,7 @@ Before you do this exercise, do the exercise in
 That will configure one of your Nodes to advertise a dongle resource.
 -->
 在你开始此练习前，请先练习
-[为节点广播扩展资源](/zh/docs/tasks/administer-cluster/extended-resource-node/)。
+[为节点广播扩展资源](/zh-cn/docs/tasks/administer-cluster/extended-resource-node/)。
 在那个练习中将配置你的一个节点来广播 dongle 资源。
 
 <!-- steps -->
@@ -195,8 +195,8 @@ kubectl delete pod extended-resource-demo-2
 -->
 ## 应用开发者参考
 
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为容器和 Pod 分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为容器和 Pod 分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
 
 <!--
 ### For cluster administrators
@@ -205,5 +205,5 @@ kubectl delete pod extended-resource-demo-2
 -->
 ### 集群管理员参考
 
-* [为节点广播扩展资源](/zh/docs/tasks/administer-cluster/extended-resource-node/)
+* [为节点广播扩展资源](/zh-cn/docs/tasks/administer-cluster/extended-resource-node/)
 
diff --git a/content/zh/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
similarity index 93%
rename from content/zh/docs/tasks/configure-pod-container/migrate-from-psp.md
rename to content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
index 29d3396de713b..0210c87c141ac 100644
--- a/content/zh/docs/tasks/configure-pod-container/migrate-from-psp.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
@@ -31,13 +31,13 @@ admission controller. This can be done effectively using a combination of dry-ru
 <!--
 - Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 -->
-- 确保 `PodSecurity` [特性门控](/docs/reference/command-line-tools-reference/feature-gates/)被启用。
+- 确保 `PodSecurity` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)被启用。
 
 <!--
 This page assumes you are already familiar with the basic [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
 concepts.
 -->
-本页面假定你已经熟悉 [Pod 安全性准入](/zh/docs/concepts/security/pod-security-admission/)的基本概念。
+本页面假定你已经熟悉 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)的基本概念。
 
 <!-- body -->
 
@@ -104,7 +104,7 @@ Pod 安全性准入被设计用来直接满足最常见的安全性需求，并
 - **设置默认的安全性约束** - Pod 安全性准入是一个非变更性质的准入控制器，
   这就意味着它不会在对 Pod 进行合法性检查之前更改其配置。如果你之前依赖于 PSP 的这方面能力，
   你或者需要更改你的负载以满足 Pod 安全性约束，或者需要使用一个
-  [变更性质的准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
+  [变更性质的准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
   来执行相应的变更。进一步的细节可参见后文的[简化和标准化 PodSecurityPolicy](#simplify-psps)。
 <!--
 - **Fine-grained control over policy definition** - Pod Security Admission only supports
@@ -114,9 +114,9 @@ Pod 安全性准入被设计用来直接满足最常见的安全性需求，并
   to enforce those policies.
 -->
 - **对策略定义的细粒度控制** - Pod 安全性准入仅支持
-  [三种标准级别](/zh/docs/concepts/security/pod-security-standards/)。
+  [三种标准级别](/zh-cn/docs/concepts/security/pod-security-standards/)。
   如果你需要对特定的约束施加更多的控制，你就需要使用一个
-  [验证性质的准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
+  [验证性质的准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
   以实施这列策略。
 <!--
 - **Sub-namespace policy granularity** - PodSecurityPolicy lets you bind different policies to
@@ -131,9 +131,9 @@ Pod 安全性准入被设计用来直接满足最常见的安全性需求，并
   即使这些服务账户或用户隶属于同一个名字空间。这一方法有很多缺陷，不建议使用。
   不过如果你的确需要这种功能，你就需要使用第三方的 Webhook。
   唯一的例外是当你只需要完全针对某用户或者
-  [RuntimeClasses](/zh/docs/concepts/containers/runtime-class/) 赋予豁免规则时，
+  [RuntimeClasses](/zh-cn/docs/concepts/containers/runtime-class/) 赋予豁免规则时，
   Pod 安全性准入的确也为豁免规则暴露一些
-  [静态配置](/zh/docs/concepts/security/pod-security-admission/#exemptions)。
+  [静态配置](/zh-cn/docs/concepts/security/pod-security-admission/#exemptions)。
 
 <!--
 Even if Pod Security Admission does not meet all of your needs it was designed to be _complementary_
@@ -159,13 +159,13 @@ but if you must you will need to use an
 [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/)
 to place additional restrictions on setting Pod Security labels on Namespace objects.
 -->
-Pod 安全性准入是通过[名字空间上的标签](/zh/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces)
+Pod 安全性准入是通过[名字空间上的标签](/zh-cn/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces)
 来控制的。这也就是说，任何能够更新（或通过 patch 部分更新或创建）
 名字空间的人都可以更改该名字空间的 Pod 安全性级别，而这可能会被利用来绕过约束性更强的策略。
 在继续执行迁移操作之前，请确保只有被信任的、有特权的用户具有这类名字空间访问权限。
 不建议将这类强大的访问权限授予不应获得权限提升的用户，不过如果你必须这样做，
 你需要使用一个
-[准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
+[准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
 来针对为 Namespace 对象设置 Pod 安全性级别设置额外的约束。
 
 <!--
@@ -211,7 +211,7 @@ validating policy. These fields (also listed in the
 reference) are:
 -->
 你可以先去掉那些纯粹变更性质的字段，留下验证策略中的其他内容。
-这些字段（也列举于[将 PodSecurityPolicy 映射到 Pod 安全性标准](/zh/docs/reference/access-authn-authz/psp-to-pod-security-standards/)参考中）
+这些字段（也列举于[将 PodSecurityPolicy 映射到 Pod 安全性标准](/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards/)参考中）
 包括：
 
 <!--
@@ -253,7 +253,7 @@ which is outside the scope of this guide.
 -->
 PodSecurityPolicy 中有一些字段未被 Pod 安全性准入机制覆盖。如果你必须使用这些选项，
 你需要在 Pod 安全性准入之外部署
-[准入 Webhook](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/)
+[准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
 以补充这一能力，而这类操作不在本指南范围。
 
 <!--
@@ -263,7 +263,7 @@ These fields (also listed in the
 reference with "no opinion") are:
 -->
 首先，你可以去掉 Pod 安全性标准所未覆盖的那些验证性字段。这些字段（也列举于
-[将 PodSecurityPolicy 映射到 Pod 安全性标准](/zh/docs/reference/access-authn-authz/psp-to-pod-security-standards/)参考中，标记为“无意见”）有：
+[将 PodSecurityPolicy 映射到 Pod 安全性标准](/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards/)参考中，标记为“无意见”）有：
 
 - `.spec.allowedHostPaths`
 - `.spec.allowedFlexVolumes`
@@ -307,7 +307,7 @@ need to be handled on a case-by-case basis later:
 - `.spec.allowPrivilegeEscalation` - (Only mutating if set to `false`) required for the Restricted
   profile.
 -->
-- `.spec.requiredDropCapabilities` - 需要此字段来为 Restricted 配置去掉 `ALL` 设置。 
+- `.spec.requiredDropCapabilities` - 需要此字段来为 Restricted 配置去掉 `ALL` 设置。
 - `.spec.seLinux` - （仅针对带有 `MustRunAs` 规则的变更性设置）需要此字段来满足
   Baseline 和 Restricted 配置所需要的 SELinux 需求。
 - `.spec.runAsUser` - （仅针对带有 `RunAsAny` 规则的非变更性设置）需要此字段来为
@@ -355,7 +355,7 @@ For each updated PodSecurityPolicy:
    The fields to review are:
 -->
 2. 比较运行中的 Pod 与原来的 Pod 规约，确定 PodSecurityPolicy 是否更改过这些 Pod。
-   对于通过[工作负载资源](/zh/docs/concepts/workloads/controllers/)所创建的 Pod，
+   对于通过[工作负载资源](/zh-cn/docs/concepts/workloads/controllers/)所创建的 Pod，
    你可以比较 Pod 和控制器资源中的 PodTemplate。如果发现任何变更，则原来的 Pod
    或者 PodTemplate 需要被更新以加上所希望的配置。要审查的字段包括：
 
@@ -425,7 +425,7 @@ familiarizing yourself with the 3 different levels.
 
 There are several ways to choose a Pod Security level for your namespace:
 -->
-首先请回顾 [Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)内容，
+首先请回顾 [Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards/)内容，
 并了解三个安全级别。
 
 为你的名字空间选择 Pod 安全性级别有几种方法：
@@ -447,7 +447,7 @@ There are several ways to choose a Pod Security level for your namespace:
    namespace with this command:
 -->
 2. **根据现有的 PodSecurityPolicy 来确定** - 基于
-   [将 PodSecurityPolicy 映射到 Pod 安全性标准](/zh/docs/reference/access-authn-authz/psp-to-pod-security-standards/)
+   [将 PodSecurityPolicy 映射到 Pod 安全性标准](/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards/)
    参考资料，你可以将各个 PSP 映射到某个 Pod 安全性标准级别。如果你的 PSP 不是基于
    Pod 安全性标准的，你可能或者需要选择一个至少与该 PSP 一样宽松的级别，
    或者选择一个至少与其一样严格的级别。使用下面的命令你可以查看被 Pod 使用的 PSP 有哪些：
@@ -556,7 +556,7 @@ Finally, you can effectively bypass PodSecurityPolicy at the namespace level by
 accounts in the namespace.
 -->
 最后，你可以通过将
-{{< example file="policy/privileged-psp.yaml" >}}完全特权的 PSP{{< /example >}} 
+{{< example file="policy/privileged-psp.yaml" >}}完全特权的 PSP{{< /example >}}
 绑定到某名字空间中所有服务账户上，在名字空间层面绕过所有 PodSecurityPolicy。
 
 ```sh
@@ -594,7 +594,7 @@ kubectl delete -n $NAMESPACE rolebinding disable-psp
 <!--
 ## 4. Review namespace creation processes {#review-namespace-creation-process}
 -->
-## 4. 审阅名字空间创建过程  {#review-namespace-creation-process}  
+## 4. 审阅名字空间创建过程  {#review-namespace-creation-process}
 
 <!--
 Now that existing namespaces have been updated to enforce Pod Security Admission, you should ensure
@@ -613,7 +613,7 @@ for more information.
 -->
 你也可以静态配置 Pod 安全性准入控制器，为尚未打标签的名字空间设置默认的
 enforce、audit 与/或 warn 级别。详细信息可参阅
-[配置准入控制器](/zh/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller)
+[配置准入控制器](/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller)
 页面。
 
 <!--
@@ -628,7 +628,7 @@ configuration of the API server:
 -->
 最后，你已为禁用 PodSecurityPolicy 做好准备。要禁用 PodSecurityPolicy，
 你需要更改 API 服务器上的准入配置：
-[我如何关闭某个准入控制器？](/zh/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-off-an-admission-controller)
+[我如何关闭某个准入控制器？](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-off-an-admission-controller)
 
 <!--
 To verify that the PodSecurityPolicy admission controller is no longer enabled, you can manually run
@@ -639,7 +639,7 @@ controller plugins:
 -->
 如果需要验证 PodSecurityPolicy 准入控制器不再被启用，你可以通过扮演某个无法访问任何
 PodSecurityPolicy 的用户来执行测试（参见
-[PodSecurityPolicy 示例](/zh/docs/concepts/policy/pod-security-policy/#example)），
+[PodSecurityPolicy 示例](/zh-cn/docs/concepts/security/pod-security-policy/#example)），
 或者通过检查 API 服务器的日志来进行验证。在启动期间，API
 服务器会输出日志行，列举所挂载的准入控制器插件。
 
diff --git a/content/zh/docs/tasks/configure-pod-container/pull-image-private-registry.md b/content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md
similarity index 95%
rename from content/zh/docs/tasks/configure-pod-container/pull-image-private-registry.md
rename to content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md
index 662ceef5061af..7fd8b2ad7f6c7 100644
--- a/content/zh/docs/tasks/configure-pod-container/pull-image-private-registry.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md
@@ -63,11 +63,11 @@ The login process creates or updates a `config.json` file that holds an authoriz
 
 View the `config.json` file:
 -->
-当出现提示时，输入您的 Docker ID 和登录凭证（访问令牌、
+当出现提示时，输入你的 Docker ID 和登录凭证（访问令牌、
 或 Docker ID 的密码）。
 
 登录过程会创建或更新保存有授权令牌的 `config.json` 文件。
-查看 [Kubernetes 中如何解析这个文件](/zh/docs/concepts/containers/images#config-json)。
+查看 [Kubernetes 中如何解析这个文件](/zh-cn/docs/concepts/containers/images#config-json)。
 
 查看 `config.json` 文件：
 
@@ -348,9 +348,9 @@ kubectl get pod private-reg
 * See the `imagePullSecrets` field within the [container definitions](/docs/reference/kubernetes-api/workload-resources/pod-v1/#containers) of a Pod
 -->
 
-* 进一步了解 [Secrets](/zh/docs/concepts/configuration/secret/)
+* 进一步了解 [Secrets](/zh-cn/docs/concepts/configuration/secret/)
   * 或阅读 {{< api-reference page="config-and-storage-resources/secret-v1" >}} 的 API 参考
-* 进一步了解 [使用私有仓库](/zh/docs/concepts/containers/images/#using-a-private-registry)
-* 进一步了解 [为服务账户添加拉取镜像凭证](/zh/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
+* 进一步了解 [使用私有仓库](/zh-cn/docs/concepts/containers/images/#using-a-private-registry)
+* 进一步了解 [为服务账户添加拉取镜像凭证](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
 * 查看 [kubectl 创建 docker-registry 凭证](/docs/reference/generated/kubectl/kubectl-commands/#-em-secret-docker-registry-em-)
 * 查看 Pod [容器定义](/docs/reference/kubernetes-api/workload-resources/pod-v1/#containers)中的 `imagePullSecrets` 字段。
diff --git a/content/zh/docs/tasks/configure-pod-container/quality-service-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md
similarity index 89%
rename from content/zh/docs/tasks/configure-pod-container/quality-service-pod.md
rename to content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md
index bce6967b22870..b376ef213464b 100644
--- a/content/zh/docs/tasks/configure-pod-container/quality-service-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md
@@ -378,9 +378,9 @@ kubectl delete namespace qos-example
 -->
 ### 应用开发者参考
 
-* [为 Pod 和容器分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
+* [为 Pod 和容器分配内存资源](/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/)
 
-* [为 Pod 和容器分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
+* [为 Pod 和容器分配 CPU 资源](/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/)
 
 <!--
 ### For cluster administrators
@@ -404,20 +404,20 @@ kubectl delete namespace qos-example
 
 ### 集群管理员参考
 
-* [为命名空间配置默认的内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置默认的 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace)
+* [为命名空间配置默认的内存请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+* [为命名空间配置默认的 CPU 请求和限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace)
 
-* [为命名空间配置最小和最大内存限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+* [为命名空间配置最小和最大内存限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
 
-* [为命名空间配置最小和最大 CPU 限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+* [为命名空间配置最小和最大 CPU 限制](/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
 
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+* [为命名空间配置内存和 CPU 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
 
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+* [为命名空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 
-* [为 API 对象配置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
+* [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 
-* [控制节点上的拓扑管理策略](/zh/docs/tasks/administer-cluster/topology-manager/)
+* [控制节点上的拓扑管理策略](/zh-cn/docs/tasks/administer-cluster/topology-manager/)
 
 
 
diff --git a/content/zh/docs/tasks/configure-pod-container/security-context.md b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
similarity index 97%
rename from content/zh/docs/tasks/configure-pod-container/security-context.md
rename to content/zh-cn/docs/tasks/configure-pod-container/security-context.md
index 29e5a3afb3517..26a09e22fcec7 100644
--- a/content/zh/docs/tasks/configure-pod-container/security-context.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
@@ -54,8 +54,8 @@ a Pod or Container. Security context settings include, but are not limited to:
 
 * readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.
 -->
-* [AppArmor](/zh/docs/tutorials/security/apparmor/)：使用程序配置来限制个别程序的权能。
-* [Seccomp](/zh/docs/tutorials/security/seccomp/)：过滤进程的系统调用。
+* [AppArmor](/zh-cn/docs/tutorials/security/apparmor/)：使用程序配置来限制个别程序的权能。
+* [Seccomp](/zh-cn/docs/tutorials/security/seccomp/)：过滤进程的系统调用。
 * `allowPrivilegeEscalation`：控制进程是否可以获得超出其父进程的特权。
   此布尔值直接控制是否为容器进程设置
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)标志。
@@ -306,9 +306,9 @@ This field has no effect on ephemeral volume types such as
 and [`emptydir`](/docs/concepts/storage/volumes/#emptydir).
 -->
 {{< note >}}
-此字段对于 [`secret`](/zh/docs/concepts/storage/volumes/#secret)、
-[`configMap`](/zh/docs/concepts/storage/volumes/#configmap)
-和 [`emptydir`](/zh/docs/concepts/storage/volumes/#emptydir)
+此字段对于 [`secret`](/zh-cn/docs/concepts/storage/volumes/#secret)、
+[`configMap`](/zh-cn/docs/concepts/storage/volumes/#configmap)
+和 [`emptydir`](/zh-cn/docs/concepts/storage/volumes/#emptydir)
 这类临时性存储无效。
 {{< /note >}}
 
@@ -782,10 +782,10 @@ kubectl delete pod security-context-demo-4
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core) API 定义
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core) API 定义
 * [使用最新的安全性增强来调优 Docker（英文）](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
-* [安全上下文的设计文档（英文）](https://git.k8s.io/community/contributors/design-proposals/auth/security_context.md)
-* [属主管理的设计文档（英文）](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
-* [Pod 安全策略](/zh/docs/concepts/security/pod-security-policy/)
-* [AllowPrivilegeEscalation 的设计文档（英文）](https://git.k8s.io/community/contributors/design-proposals/auth/no-new-privs.md)
+* [安全上下文的设计文档（英文）](https://github.com/kubernetes/design-proposals-archive/blob/main/auth/security_context.md)
+* [属主管理的设计文档（英文）](https://github.com/kubernetes/design-proposals-archive/blob/main/storage/volume-ownership-management.md)
+* [Pod 安全策略](/zh-cn/docs/concepts/security/pod-security-policy/)
+* [AllowPrivilegeEscalation 的设计文档（英文）](https://github.com/kubernetes/design-proposals-archive/blob/main/auth/no-new-privs.md)
 * 关于在 Linux 系统中的安全机制的更多信息，可参阅
   [Linux 内核安全性能力概述](https://www.linux.com/learn/overview-linux-kernel-security-features)。
 
diff --git a/content/zh/docs/tasks/configure-pod-container/share-process-namespace.md b/content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md
similarity index 97%
rename from content/zh/docs/tasks/configure-pod-container/share-process-namespace.md
rename to content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md
index 91e9e537331eb..e4144739a553c 100644
--- a/content/zh/docs/tasks/configure-pod-container/share-process-namespace.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md
@@ -34,7 +34,7 @@ You can use this feature to configure cooperating containers, such as a log
 handler sidecar container, or to troubleshoot container images that don't
 include debugging utilities like a shell.
 -->
-您可以使用此功能来配置协作容器，比如日志处理 sidecar 容器，或者对那些不包含诸如 shell 等调试实用工具的镜像进行故障排查。
+你可以使用此功能来配置协作容器，比如日志处理 sidecar 容器，或者对那些不包含诸如 shell 等调试实用工具的镜像进行故障排查。
 
 
 
@@ -110,7 +110,7 @@ Process Namespace Sharing is enabled using the `ShareProcessNamespace` field of
 You can signal processes in other containers. For example, send `SIGHUP` to
 nginx to restart the worker process. This requires the `SYS_PTRACE` capability.
 -->
-您可以在其他容器中对进程发出信号。例如，发送 `SIGHUP` 到 nginx 以重启工作进程。这需要 `SYS_PTRACE` 功能。
+你可以在其他容器中对进程发出信号。例如，发送 `SIGHUP` 到 nginx 以重启工作进程。这需要 `SYS_PTRACE` 功能。
 
 ```
 / # kill -HUP 8
diff --git a/content/zh/docs/tasks/configure-pod-container/static-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
similarity index 96%
rename from content/zh/docs/tasks/configure-pod-container/static-pod.md
rename to content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
index a4fbc9affecea..aa2b7af0a0ce0 100644
--- a/content/zh/docs/tasks/configure-pod-container/static-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
@@ -84,8 +84,8 @@ You can configure a static Pod with either a [file system hosted configuration f
 -->
 ## 创建静态 Pod {#static-pod-creation}
 
-可以通过[文件系统上的配置文件](/zh/docs/tasks/configure-pod-container/static-pod/#configuration-files)
-或者 [web 网络上的配置文件](/zh/docs/tasks/configure-pod-container/static-pod/#pods-created-via-http)
+可以通过[文件系统上的配置文件](/zh-cn/docs/tasks/configure-pod-container/static-pod/#configuration-files)
+或者 [web 网络上的配置文件](/zh-cn/docs/tasks/configure-pod-container/static-pod/#pods-created-via-http)
 来配置静态 Pod。
 
 <!--
@@ -101,7 +101,7 @@ For example, this is how to start a simple web server as a static Pod:
 ### 文件系统上的静态 Pod 声明文件 {#configuration-files}
 
 声明文件是标准的 Pod 定义文件，以 JSON 或者 YAML 格式存储在指定目录。路径设置在
-[Kubelet 配置文件](/zh/docs/reference/config-api/kubelet-config.v1beta1/)
+[Kubelet 配置文件](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
 的 `staticPodPath: <目录>` 字段，kubelet 会定期的扫描这个文件夹下的 YAML/JSON
 文件来创建/删除静态 Pod。
 注意 kubelet 扫描目录的时候会忽略以点开头的文件。
@@ -179,7 +179,7 @@ For example, this is how to start a simple web server as a static Pod:
    ```
    KUBELET_ARGS="--cluster-dns=10.254.0.10 --cluster-domain=kube.local --pod-manifest-path=/etc/kubelet.d/"
    ```
-   或者在 [Kubelet 配置文件](/zh/docs/reference/config-api/kubelet-config.v1beta1/)
+   或者在 [Kubelet 配置文件](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
    中添加 `staticPodPath: <目录>`字段。
 
 <!--
@@ -329,7 +329,7 @@ Make sure the kubelet has permission to create the mirror Pod in the API server.
 -->
 {{< note >}}
 要确保 kubelet 在 API 服务上有创建镜像 Pod 的权限。如果没有，创建请求会被 API 服务拒绝。
-可以看 [Pod 安全性准入](/zh/docs/concepts/security/pod-security-admission/)和 [Pod 安全策略](/zh/docs/concepts/security/pod-security-policy/)。
+可以看 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)和 [Pod 安全策略](/zh-cn/docs/concepts/security/pod-security-policy/)。
 {{< /note >}}
 
 <!--
diff --git a/content/zh/docs/tasks/configure-pod-container/translate-compose-kubernetes.md b/content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
similarity index 94%
rename from content/zh/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
rename to content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
index 6a96b492a62da..11354f415d4ca 100644
--- a/content/zh/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
@@ -1,15 +1,14 @@
 ---
-reviewers:
-- cdrage
 title: 将 Docker Compose 文件转换为 Kubernetes 资源
 content_type: task
 weight: 200
 ---
-
 <!--
+reviewers:
+- cdrage
 title: Translate a Docker Compose File to Kubernetes Resources
 content_type: task
-weight: 170
+weight: 200
 -->
 
 <!-- overview -->
@@ -36,7 +35,7 @@ More information can be found on the Kompose website at [http://kompose.io](http
 
 We have multiple ways to install Kompose. Our preferred method is downloading the binary from the latest GitHub release.
 -->
-## 安装 Kompose
+## 安装 Kompose    {#install-kompose}
 
 我们有很多种方式安装 Kompose。首选方式是从最新的 GitHub 发布页面下载二进制文件。
 
@@ -132,7 +131,7 @@ brew install kompose
 <!--
 ## Use Kompose
 -->
-## 使用 Kompose
+## 使用 Kompose    {#use-kompose}
 
 <!--
 In a few steps, we'll take you from Docker Compose to Kubernetes. All
@@ -141,9 +140,10 @@ you need is an existing `docker-compose.yml` file.
 再需几步，我们就把你从 Docker Compose 带到 Kubernetes。
 你只需要一个现有的 `docker-compose.yml` 文件。
 
-1. <!--Go to the directory containing your `docker-compose.yml` file. If you don't
-   have one, test using this one.-->
-   进入 `docker-compose.yml` 文件所在的目录。如果没有，请使用下面这个进行测试。
+<!--
+1. Go to the directory containing your `docker-compose.yml` file. If you don't have one, test using this one.
+-->
+1. 进入 `docker-compose.yml` 文件所在的目录。如果没有，请使用下面这个进行测试。
 
    ```yaml
    version: "2"
@@ -174,10 +174,10 @@ you need is an existing `docker-compose.yml` file.
 
 <!--
 2. To convert the `docker-compose.yml` file to files that you can use with
-   `kubectl`, run `kompose convert` and then `kubectl create -f <output file>`.
+   `kubectl`, run `kompose convert` and then `kubectl apply -f <output file>`.
 -->
 2. 要将 `docker-compose.yml` 转换为 `kubectl` 可用的文件，请运行 `kompose convert`
-   命令进行转换，然后运行 `kubectl create -f <output file>` 进行创建。
+   命令进行转换，然后运行 `kubectl apply -f <output file>` 进行创建。
 
    ```shell
    kompose convert                           
@@ -318,7 +318,7 @@ Kompose 支持将 V1、V2 和 V3 版本的 Docker Compose 文件转换为 Kubern
 <!--
 ### Kubernetes `kompose convert` example
 -->
-### Kubernetes `kompose convert` 示例
+### Kubernetes `kompose convert` 示例    {#kubernetes-kompose-convert-example}
 
 ```shell
 kompose --file docker-voting.yml convert
@@ -390,7 +390,7 @@ When multiple docker-compose files are provided the configuration is merged. Any
 <!--
 ### OpenShift `kompose convert` example
 -->
-### OpenShift `kompose convert` 示例
+### OpenShift `kompose convert` 示例    {#openshift-kompose-convert-example}
 
 ```shell
 kompose --provider openshift --file docker-voting.yml convert
@@ -438,7 +438,7 @@ If you are manually pushing the Openshift artifacts using ``oc create -f``, you
 -->
 {{< note >}}
 如果使用 ``oc create -f`` 手动推送 Openshift 工件，则需要确保在构建配置工件之前推送
-imagestream 工件，以解决 Openshift 的这个问题：https://github.com/openshift/origin/issues/4518 。
+imagestream 工件，以解决 Openshift 的这个问题： https://github.com/openshift/origin/issues/4518 。
 {{< /note >}}
 
 <!--
@@ -449,11 +449,11 @@ The default `kompose` transformation will generate Kubernetes [Deployments](/doc
 ## 其他转换方式    {#alternative-conversions}
 
 默认的 `kompose` 转换会生成 yaml 格式的 Kubernetes
-[Deployment](/zh/docs/concepts/workloads/controllers/deployment/) 和
-[Service](/zh/docs/concepts/services-networking/service/) 对象。
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/) 和
+[Service](/zh-cn/docs/concepts/services-networking/service/) 对象。
 你可以选择通过 `-j` 参数生成 json 格式的对象。
-你也可以替换生成 [Replication Controllers](/zh/docs/concepts/workloads/controllers/replicationcontroller/) 对象、
-[Daemon Sets](/zh/docs/concepts/workloads/controllers/daemonset/) 或
+你也可以替换生成 [Replication Controllers](/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/) 对象、
+[Daemon Sets](/zh-cn/docs/concepts/workloads/controllers/daemonset/) 或
 [Helm](https://github.com/helm/helm) charts。
 
 ```shell
@@ -584,7 +584,7 @@ For example:
 
   - 如果使用 Kubernetes 驱动，会有一个 Ingress 资源被创建，并且假定
     已经配置了相应的 Ingress 控制器。
-  - 如果使用 OpenShift 驱动, 则会有一个 route 被创建。
+  - 如果使用 OpenShift 驱动，则会有一个 route 被创建。
 
   例如：
 
@@ -680,10 +680,10 @@ services:
 
 If the Docker Compose file has a volume specified for a service, the Deployment (Kubernetes) or DeploymentConfig (OpenShift) strategy is changed to "Recreate" instead of "RollingUpdate" (default). This is done to avoid multiple instances of a service from accessing a volume at the same time.
 -->
-### 关于 Deployment Config 的提醒
+### 关于 Deployment Config 的提醒    {#warning-about-deployment-configurations}
 
-如果 Docker Compose 文件中为服务声明了卷，Deployment (Kubernetes) 或
-DeploymentConfig (OpenShift) 策略会从 "RollingUpdate" (默认) 变为 "Recreate"。
+如果 Docker Compose 文件中为服务声明了卷，Deployment（Kubernetes）或
+DeploymentConfig（OpenShift）策略会从 “RollingUpdate”（默认）变为 “Recreate”。
 这样做的目的是为了避免服务的多个实例同时访问卷。
 
 <!--
@@ -692,7 +692,7 @@ Please note that changing service name might break some `docker-compose` files.
 -->
 如果 Docker Compose 文件中的服务名包含 `_`（例如 `web_service`），
 那么将会被替换为 `-`，服务也相应的会重命名（例如 `web-service`）。
-Kompose 这样做的原因是 "Kubernetes" 不允许对象名称中包含 `_`。 
+Kompose 这样做的原因是 “Kubernetes” 不允许对象名称中包含 `_`。
 
 请注意，更改服务名称可能会破坏一些 `docker-compose` 文件。
 
@@ -711,4 +711,3 @@ Kompose 支持的 Docker Compose 版本包括：1、2 和 3。
 所有三个版本的兼容性列表请查看我们的
 [转换文档](https://github.com/kubernetes/kompose/blob/master/docs/conversion.md)，
 文档中列出了所有不兼容的 Docker Compose 关键字。
-
diff --git a/content/zh/docs/tasks/debug/_index.md b/content/zh-cn/docs/tasks/debug/_index.md
similarity index 94%
rename from content/zh/docs/tasks/debug/_index.md
rename to content/zh-cn/docs/tasks/debug/_index.md
index 8d154fd57cba4..dd5f1761f02c1 100644
--- a/content/zh/docs/tasks/debug/_index.md
+++ b/content/zh-cn/docs/tasks/debug/_index.md
@@ -30,9 +30,9 @@ two sections:
 * [Debugging your cluster](/docs/tasks/debug/debug-cluster/) - Useful
   for cluster administrators and people whose Kubernetes cluster is unhappy.
 -->
-* [应用排错](/zh/docs/tasks/debug/debug-application/) -
+* [应用排错](/zh-cn/docs/tasks/debug/debug-application/) -
   针对部署代码到 Kubernetes 并想知道代码为什么不能正常运行的用户。
-* [集群排错](/zh/docs/tasks/debug/debug-cluster/) -
+* [集群排错](/zh-cn/docs/tasks/debug/debug-cluster/) -
   针对集群管理员以及 Kubernetes 集群表现异常的用户。
 
 <!--
@@ -69,13 +69,13 @@ and command-line interfaces (CLIs), such as [`kubectl`](/docs/reference/kubectl/
 ### 问题  {#questions}
 
 本网站上的文档针对回答各类问题进行了结构化组织和分类。
-[概念](/zh/docs/concepts/)部分解释 Kubernetes 体系结构以及每个组件的工作方式，
-[安装](/zh/docs/setup/)部分提供了安装的实用说明。
-[任务](/zh/docs/tasks/)部分展示了如何完成常用任务，
-[教程](/zh/docs/tutorials/)部分则提供对现实世界、特定行业或端到端开发场景的更全面的演练。
-[参考](/zh/docs/reference/)部分提供了详细的
+[概念](/zh-cn/docs/concepts/)部分解释 Kubernetes 体系结构以及每个组件的工作方式，
+[安装](/zh-cn/docs/setup/)部分提供了安装的实用说明。
+[任务](/zh-cn/docs/tasks/)部分展示了如何完成常用任务，
+[教程](/zh-cn/docs/tutorials/)部分则提供对现实世界、特定行业或端到端开发场景的更全面的演练。
+[参考](/zh-cn/docs/reference/)部分提供了详细的
 [Kubernetes API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/) 文档
-和命令行 (CLI) 接口的文档，例如[`kubectl`](/zh/docs/reference/kubectl/)。
+和命令行 (CLI) 接口的文档，例如[`kubectl`](/zh-cn/docs/reference/kubectl/)。
 
 <!--
 ## Help! My question isn't covered!  I need help now!
diff --git a/content/zh/docs/tasks/debug/debug-application/_index.md b/content/zh-cn/docs/tasks/debug/debug-application/_index.md
similarity index 100%
rename from content/zh/docs/tasks/debug/debug-application/_index.md
rename to content/zh-cn/docs/tasks/debug/debug-application/_index.md
diff --git a/content/zh/docs/tasks/debug/debug-application/debug-init-containers.md b/content/zh-cn/docs/tasks/debug/debug-application/debug-init-containers.md
similarity index 95%
rename from content/zh/docs/tasks/debug/debug-application/debug-init-containers.md
rename to content/zh-cn/docs/tasks/debug/debug-application/debug-init-containers.md
index ff5f4a73109cc..03076705f5cdb 100644
--- a/content/zh/docs/tasks/debug/debug-application/debug-init-containers.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/debug-init-containers.md
@@ -40,8 +40,8 @@ Init Containers. The example command lines below refer to the Pod as
 * You should have [Configured an Init Container](/docs/tasks/configure-pod-container/configure-pod-initialization/#creating-a-pod-that-has-an-init-container/).
 -->
 
-* 你应该熟悉 [Init 容器](/zh/docs/concepts/workloads/pods/init-containers/)的基础知识。
-* 你应该已经[配置好一个 Init 容器](/zh/docs/tasks/configure-pod-container/configure-pod-initialization/#creating-a-pod-that-has-an-init-container/)。
+* 你应该熟悉 [Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)的基础知识。
+* 你应该已经[配置好一个 Init 容器](/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization/#creating-a-pod-that-has-an-init-container/)。
 
 <!-- steps -->
 
diff --git a/content/zh/docs/tasks/debug/debug-application/debug-pods.md b/content/zh-cn/docs/tasks/debug/debug-application/debug-pods.md
similarity index 95%
rename from content/zh/docs/tasks/debug/debug-application/debug-pods.md
rename to content/zh-cn/docs/tasks/debug/debug-application/debug-pods.md
index e3fe206b3a0e4..f15af1f7ced3a 100644
--- a/content/zh/docs/tasks/debug/debug-application/debug-pods.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/debug-pods.md
@@ -23,7 +23,7 @@ This is *not* a guide for people who want to debug their cluster.  For that you
 
 本指南帮助用户调试那些部署到 Kubernetes 上后没有正常运行的应用。
 本指南 **并非** 指导用户如何调试集群。
-如果想调试集群的话，请参阅[这里](/zh/docs/tasks/debug/debug-cluster)。
+如果想调试集群的话，请参阅[这里](/zh-cn/docs/tasks/debug/debug-cluster)。
 
 
 <!-- body -->
@@ -94,7 +94,7 @@ scheduled.  In most cases, `hostPort` is unnecessary, try using a Service object
 -->
 * **资源不足**:
   你可能耗尽了集群上所有的 CPU 或内存。此时，你需要删除 Pod、调整资源请求或者为集群添加节点。
-  更多信息请参阅[计算资源文档](/zh/docs/concepts/configuration/manage-resources-containers/)
+  更多信息请参阅[计算资源文档](/zh-cn/docs/concepts/configuration/manage-resources-containers/)
 
 * **使用了 `hostPort`**:
   如果绑定 Pod 到 `hostPort`，那么能够运行该 Pod 的节点就有限了。
@@ -132,7 +132,7 @@ Once your pod has been scheduled, the methods described in [Debug Running Pods](
 #### Pod 处于 Crashing 或别的不健康状态
 
 一旦 Pod 被调度，就可以采用
-[调试运行中的 Pod](/zh/docs/tasks/debug/debug-application/debug-running-pod/)
+[调试运行中的 Pod](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/)
 中的方法来进一步调试。
 
 <!--
@@ -284,7 +284,7 @@ Please see [debugging service](/docs/tasks/debug/debug-applications/debug-servic
 -->
 #### 网络流量未被转发
 
-请参阅[调试 Service](/zh/docs/tasks/debug/debug-applications/debug-service/) 了解更多信息。
+请参阅[调试 Service](/zh-cn/docs/tasks/debug/debug-applications/debug-service/) 了解更多信息。
 
 ## {{% heading "whatsnext" %}}
 
@@ -295,11 +295,11 @@ to make sure that your `Service` is running, has `Endpoints`, and your `Pods` ar
 actually serving; you have DNS working, iptables rules installed, and kube-proxy
 does not seem to be misbehaving.
 
-You may also visit [troubleshooting document](/docs/tasks/debug/overview/) for more information.
+You may also visit [troubleshooting document](/docs/tasks/debug/) for more information.
 -->
 如果上述方法都不能解决你的问题，
-请按照[调试 Service 文档](/zh/docs/tasks/debug/debug-applications/debug-service/)中的介绍，
+请按照[调试 Service 文档](/zh-cn/docs/tasks/debug/debug-applications/debug-service/)中的介绍，
 确保你的 `Service` 处于 Running 态，有 `Endpoints` 被创建，`Pod` 真的在提供服务；
 DNS 服务已配置并正常工作，iptables 规则也以安装并且 `kube-proxy` 也没有异常行为。
 
-你也可以访问[故障排查文档](/zh/docs/tasks/debug/overview/)来获取更多信息。
+你也可以访问[故障排查文档](/zh-cn/docs/tasks/debug/)来获取更多信息。
diff --git a/content/zh/docs/tasks/debug/debug-application/debug-running-pod.md b/content/zh-cn/docs/tasks/debug/debug-application/debug-running-pod.md
similarity index 98%
rename from content/zh/docs/tasks/debug/debug-application/debug-running-pod.md
rename to content/zh-cn/docs/tasks/debug/debug-application/debug-running-pod.md
index 7bd02c5bd2efe..df4d0f647fbc5 100644
--- a/content/zh/docs/tasks/debug/debug-application/debug-running-pod.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/debug-running-pod.md
@@ -28,7 +28,7 @@ This page explains how to debug Pods running (or crashing) on a Node.
   need that access to run the standard debug steps that use `kubectl`.
 -->
 * 你的 {{< glossary_tooltip text="Pod" term_id="pod" >}} 应该已经被调度并正在运行中，
-  如果你的 Pod 还没有运行，请参阅[调试 Pod](/zh/docs/tasks/debug/debug-application/)。
+  如果你的 Pod 还没有运行，请参阅[调试 Pod](/zh-cn/docs/tasks/debug/debug-application/)。
 
 * 对于一些高级调试步骤，你应该知道 Pod 具体运行在哪个节点上，并具有在该节点上运行命令的 shell 访问权限。
   你不需要任何访问权限就可以使用 `kubectl` 去运行一些标准调试步骤。
@@ -147,7 +147,7 @@ Events:
 <!--
 Here you can see configuration information about the container(s) and Pod (labels, resource requirements, etc.), as well as status information about the container(s) and Pod (state, readiness, restart count, events, etc.).
 -->
-在这里，您可以看到有关容器和 Pod 的配置信息（标签、资源需求等），
+在这里，你可以看到有关容器和 Pod 的配置信息（标签、资源需求等），
 以及有关容器和 Pod 的状态信息（状态、就绪、重启计数、事件等） 。
 
 <!--
@@ -513,7 +513,7 @@ kubectl exec cassandra -- cat /var/log/cassandra/system.log
 kubectl exec -it cassandra -- sh
 ```
 
-若要了解更多内容，可查看[获取正在运行容器的 Shell](/zh/docs/tasks/debug/debug-application/get-shell-running-container/)。
+若要了解更多内容，可查看[获取正在运行容器的 Shell](/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/)。
 
 <!--
 ## Debugging with an ephemeral debug container {#ephemeral-container}
@@ -612,7 +612,7 @@ You can view the state of the newly created ephemeral container using `kubectl d
 -->
 此命令添加一个新的 busybox 容器并将其挂接到该容器。`--target` 参数指定另一个容器的进程命名空间。
 这是必需的，因为 `kubectl run` 不能在它创建的pod中启用
-[共享进程命名空间](/zh/docs/tasks/configure-pod-container/share-process-namespace/)。
+[共享进程命名空间](/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/)。
 
 {{< note >}}
 {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}必须支持 `--target` 参数。
@@ -728,7 +728,7 @@ root@myapp-debug:/#
   你可以通过指定 `--attach=false` 来防止这种情况。
   如果你的会话断开连接，你可以使用 `kubectl attach` 重新连接。
 * `--share-processes` 允许在此 Pod 中的其他容器中查看该容器的进程。
-  参阅[在 Pod 中的容器之间共享进程命名空间](/zh/docs/tasks/configure-pod-container/share-process-namespace/)
+  参阅[在 Pod 中的容器之间共享进程命名空间](/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/)
   获取更多信息。
 {{< /note >}}
 
diff --git a/content/zh/docs/tasks/debug/debug-application/debug-service.md b/content/zh-cn/docs/tasks/debug/debug-application/debug-service.md
similarity index 93%
rename from content/zh/docs/tasks/debug/debug-application/debug-service.md
rename to content/zh-cn/docs/tasks/debug/debug-application/debug-service.md
index 8c6d6e954f21f..a6fe8453f3451 100644
--- a/content/zh/docs/tasks/debug/debug-application/debug-service.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/debug-service.md
@@ -1,5 +1,5 @@
 ---
-content_type: concept
+content_type: task
 title: 调试 Service
 weight: 20
 ---
@@ -8,12 +8,13 @@ weight: 20
 reviewers:
 - thockin
 - bowei
-content_type: concept
+content_type: task
 title: Debug Services
 weight: 20
 -->
 
 <!-- overview -->
+
 <!--
 An issue that comes up rather frequently for new installations of Kubernetes is
 that a Service is not working properly.  You've run your Pods through a
@@ -21,11 +22,12 @@ Deployment (or other workload controller) and created a Service, but you
 get no response when you try to access it.  This document will hopefully help
 you to figure out what's going wrong.
 -->
-对于新安装的 Kubernetes，经常出现的问题是 Service 无法正常运行。 你已经通过
-Deployment（或其他工作负载控制器）运行了 Pod，并创建 Service ，但是
-当你尝试访问它时，没有任何响应。此文档有望对你有所帮助并找出问题所在。
+对于新安装的 Kubernetes，经常出现的问题是 Service 无法正常运行。你已经通过
+Deployment（或其他工作负载控制器）运行了 Pod，并创建 Service ，
+但是当你尝试访问它时，没有任何响应。此文档有望对你有所帮助并找出问题所在。
 
 <!-- body -->
+
 <!--
 ## Running commands in a Pod
 
@@ -217,11 +219,13 @@ What would happen if you tried to access a non-existent Service?  If
 you have another Pod that consumes this Service by name you would get
 something like:
 -->
-## Service 是否存在？
+## Service 是否存在？   {#does-the-service-exist}
 
-细心的读者会注意到我们实际上尚未创建 Service -这是有意而为之。 这一步有时会被遗忘，这是首先要检查的步骤。
+细心的读者会注意到我们实际上尚未创建 Service —— 这是有意而为之。
+这一步有时会被遗忘，这是首先要检查的步骤。
 
-那么，如果我尝试访问不存在的 Service 会怎样？ 假设你有另一个 Pod 通过名称匹配到 Service ，你将得到类似结果：
+那么，如果我尝试访问不存在的 Service 会怎样？ 
+假设你有另一个 Pod 通过名称匹配到 Service，你将得到类似结果：
 
 ```shell
 wget -O- hostnames
@@ -250,7 +254,7 @@ Error from server (NotFound): services "hostnames" not found
 Let's create the Service.  As before, this is for the walk-through - you can
 use your own Service's details here.
 -->
-让我们创建 Service。 和以前一样，在这次实践中 - 你可以在此处使用自己的 Service 的内容。
+让我们创建 Service。 和以前一样，在这次实践中 —— 你可以在此处使用自己的 Service 的内容。
 
 ```shell
 kubectl expose deployment hostnames --port=80 --target-port=9376
@@ -281,7 +285,7 @@ As before, this is the same as if you had started the `Service` with YAML:
 -->
 现在你知道了 Service 确实存在。
 
-同前，此步骤效果与通过 YAML 方式启动 'Service' 一样：
+同前，此步骤效果与通过 YAML 方式启动 `Service` 一样：
 
 ```yaml
 apiVersion: v1
@@ -314,13 +318,12 @@ traffic to `hostnames-*` Pods, these need to be reviewed.
 
 Please refer to [Network Policies](/docs/concepts/services-networking/network-policies/) for more details.
 -->
-
 ## 是否存在影响目标 Pod 的网络策略入站规则？
 
 如果你部署了任何可能影响到 `hostnames-*` Pod 的传入流量的网络策略入站规则，
 则需要对其进行检查。
 
-详细信息，请参阅[网络策略](/zh/docs/concepts/services-networking/network-policies/)。
+详细信息，请参阅[网络策略](/zh-cn/docs/concepts/services-networking/network-policies/)。
 
 <!--
 ## Does the Service work by DNS name?
@@ -330,7 +333,7 @@ name.
 
 From a Pod in the same Namespace:
 -->
-## Service 是否可通过 DNS 名字访问？
+## Service 是否可通过 DNS 名字访问？  {#does-the-service-work-by-dns-name}
 
 通常客户端通过 DNS 名称来匹配到 Service。
 
@@ -392,9 +395,6 @@ own cluster.
 
 You can also try this from a `Node` in the cluster:
 
-{{< note >}}
-10.0.0.10 is the cluster's DNS Service IP, yours might be different.
-{{< /note >}}
 -->
 注意这里的后缀："default.svc.cluster.local"。"default" 是我们正在操作的命名空间。
 "svc" 表示这是一个 Service。"cluster.local" 是你的集群域，在你自己的集群中可能会有所不同。
@@ -402,6 +402,9 @@ You can also try this from a `Node` in the cluster:
 你也可以在集群中的节点上尝试此操作：
 
 {{< note >}}
+<!--
+10.0.0.10 is the cluster's DNS Service IP, yours might be different.
+-->
 10.0.0.10 是集群的 DNS 服务 IP，你的可能有所不同。
 {{< /note >}}
 
@@ -443,7 +446,11 @@ options ndots:5
 <!--
 The `nameserver` line must indicate your cluster's DNS `Service`.  This is
 passed into `kubelet` with the `--cluster-dns` flag.
+-->
+`nameserver` 行必须指示你的集群的 DNS Service，
+它是通过 `--cluster-dns` 标志传递到 kubelet 的。
 
+<!--
 The `search` line must include an appropriate suffix for you to find the
 Service name.  In this case it is looking for Services in the local
 Namespace ("default.svc.cluster.local"), Services in all Namespaces
@@ -454,22 +461,20 @@ to 6 total).  The cluster suffix is passed into `kubelet` with the
 assumed to be "cluster.local".  Your own clusters might be configured
 differently, in which case you should change that in all of the previous
 commands.
-
-The `options` line must set `ndots` high enough that your DNS client library
-considers search paths at all.  Kubernetes sets this to 5 by default, which is
-high enough to cover all of the DNS names it generates.
 -->
-`nameserver` 行必须指示你的集群的 DNS Service，
-它是通过 `--cluster-dns` 标志传递到 kubelet 的。
-
 `search` 行必须包含一个适当的后缀，以便查找 Service 名称。
-在本例中，它查找本地命名空间（`default.svc.cluster.local`）中的服务和
-所有命名空间（`svc.cluster.local`）中的服务，最后在集群（`cluster.local`）中查找
-服务的名称。根据你自己的安装情况，可能会有额外的记录（最多 6 条）。
+在本例中，它查找本地命名空间（`default.svc.cluster.local`）中的服务和所有命名空间
+（`svc.cluster.local`）中的服务，最后在集群（`cluster.local`）中查找服务的名称。
+根据你自己的安装情况，可能会有额外的记录（最多 6 条）。
 集群后缀是通过 `--cluster-domain` 标志传递给 `kubelet` 的。 
 本文中，我们假定后缀是 “cluster.local”。
 你的集群配置可能不同，这种情况下，你应该在上面的所有命令中更改它。
 
+<!--
+The `options` line must set `ndots` high enough that your DNS client library
+considers search paths at all.  Kubernetes sets this to 5 by default, which is
+high enough to cover all of the DNS names it generates.
+-->
 `options` 行必须设置足够高的 `ndots`，以便 DNS 客户端库考虑搜索路径。
 在默认情况下，Kubernetes 将这个值设置为 5，这个值足够高，足以覆盖它生成的所有 DNS 名称。
 
@@ -512,7 +517,7 @@ Assuming you have confirmed that DNS works, the next thing to test is whether yo
 Service works by its IP address.  From a Pod in your cluster, access the
 Service's IP (from `kubectl get` above).
 -->
-### Service 能够通过 IP 访问么？
+### Service 能够通过 IP 访问么？   {#does-the-service-work-by-ip}
 
 假设你已经确认 DNS 工作正常，那么接下来要测试的是你的 Service 能否通过它的 IP 正常访问。
 从集群中的一个 Pod，尝试访问 Service 的 IP（从上面的 `kubectl get` 命令获取）。
@@ -538,7 +543,8 @@ hostnames-632524106-tlaok
 If your Service is working, you should get correct responses.  If not, there
 are a number of things that could be going wrong.  Read on.
 -->
-如果 Service 状态是正常的，你应该得到正确的响应。如果没有，有很多可能出错的地方，请继续阅读。
+如果 Service 状态是正常的，你应该得到正确的响应。
+如果没有，有很多可能出错的地方，请继续阅读。
 
 <!--
 ## Is the Service defined correctly?
@@ -547,7 +553,7 @@ It might sound silly, but you should really double and triple check that your
 `Service` is correct and matches your `Pod`'s port.  Read back your `Service`
 and verify it:
 -->
-## Service 的配置是否正确？
+## Service 的配置是否正确？   {#is-the-service-defined-correctly}
 
 这听起来可能很愚蠢，但你应该两次甚至三次检查你的 Service 配置是否正确，并且与你的 Pod 匹配。
 查看你的 Service 配置并验证它：
@@ -614,7 +620,7 @@ actually being selected by the Service.
 
 Earlier you saw that the Pods were running.  You can re-check that:
 -->
-## Service 有 Endpoints 吗？
+## Service 有 Endpoints 吗？  {#does-the-service-have-any-endpoints}
 
 如果你已经走到了这一步，你已经确认你的 Service 被正确定义，并能通过 DNS 解析。
 现在，让我们检查一下，你运行的 Pod 确实是被 Service 选中的。
@@ -624,18 +630,25 @@ Earlier you saw that the Pods were running.  You can re-check that:
 ```shell
 kubectl get pods -l app=hostnames
 ```
+
 ```none
 NAME                        READY     STATUS    RESTARTS   AGE
 hostnames-632524106-bbpiw   1/1       Running   0          1h
 hostnames-632524106-ly40y   1/1       Running   0          1h
 hostnames-632524106-tlaok   1/1       Running   0          1h
 ```
+
 <!--
 The `-l app=hostnames` argument is a label selector configured on the Service.
 
 The "AGE" column says that these Pods are about an hour old, which implies that
 they are running fine and not crashing.
+-->
+`-l app=hostnames` 参数是在 Service 上配置的标签选择器。
 
+“AGE” 列表明这些 Pod 已经启动一个小时了，这意味着它们运行良好，而未崩溃。
+
+<!--
 The "RESTARTS" column says that these pods are not crashing frequently or being
 restarted.  Frequent restarts could lead to intermittent connectivity issues.
 If the restart count is high, read more about how to [debug pods](/docs/tasks/debug/debug-application/debug-pods).
@@ -643,19 +656,17 @@ If the restart count is high, read more about how to [debug pods](/docs/tasks/de
 Inside the Kubernetes system is a control loop which evaluates the selector of
 every Service and saves the results into a corresponding Endpoints object.
 -->
-`-l app=hostnames` 参数是在 Service 上配置的标签选择器。
-
-"AGE" 列表明这些 Pod 已经启动一个小时了，这意味着它们运行良好，而未崩溃。
-
 "RESTARTS" 列表明 Pod 没有经常崩溃或重启。经常性崩溃可能导致间歇性连接问题。
-如果重启次数过大，通过[调试 Pod](/zh/docs/tasks/debug/debug-application/debug-pods)
+如果重启次数过大，通过[调试 Pod](/zh-cn/docs/tasks/debug/debug-application/debug-pods)
 了解相关技术。
 
-在 Kubernetes 系统中有一个控制回路，它评估每个 Service 的选择算符，并将结果保存到 Endpoints 对象中。
+在 Kubernetes 系统中有一个控制回路，它评估每个 Service 的选择算符，并将结果保存到
+Endpoints 对象中。
 
 ```shell
 kubectl get endpoints hostnames
 ```
+
 ```
 NAME        ENDPOINTS
 hostnames   10.244.0.5:9376,10.244.0.6:9376,10.244.0.7:9376
@@ -685,22 +696,23 @@ At the beginning of this walk-through, you verified the Pods themselves.
 Let's check again that the Pods are actually working - you can bypass the
 Service mechanism and go straight to the Pods, as listed by the Endpoints
 above.
-
-{{< note >}}
-These commands use the Pod port (9376), rather than the Service port (80).
-{{< /note >}}
-
-From within a Pod:
 -->
-## Pod 正常工作吗？
+## Pod 工作正常吗？   {#are-the-pods-working}
 
 至此，你知道你的 Service 已存在，并且已匹配到你的Pod。在本实验的开始，你已经检查了 Pod 本身。
-让我们再次检查 Pod 是否确实在工作 - 你可以绕过 Service 机制并直接转到 Pod，如上面的 Endpoint 所示。
+让我们再次检查 Pod 是否确实在工作 - 你可以绕过 Service 机制并直接转到 Pod，
+如上面的 Endpoints 所示。
 
 {{< note >}}
+<!--
+These commands use the Pod port (9376), rather than the Service port (80).
+-->
 这些命令使用的是 Pod 端口（9376），而不是 Service 端口（80）。
 {{< /note >}}
 
+<!--
+From within a Pod:
+-->
 在 Pod 中运行：
 
 ```shell
@@ -741,7 +753,7 @@ small set of mechanisms for providing the Service abstraction.  If your
 cluster does not use kube-proxy, the following sections will not apply, and you
 will have to investigate whatever implementation of Services you are using.
 -->
-## kube-proxy 正常工作吗？
+## kube-proxy 正常工作吗？  {#is-the-kube-proxy-working}
 
 如果你到达这里，则说明你的 Service 正在运行，拥有 Endpoints，Pod 真正在提供服务。
 此时，整个 Service 代理机制是可疑的。让我们一步一步地确认它没问题。
@@ -751,18 +763,19 @@ Service 的默认实现（在大多数集群上应用的）是 kube-proxy。
 如果你的集群不使用 kube-proxy，则以下各节将不适用，你将必须检查你正在使用的 Service 的实现方式。
 
 <!--
-## Is the kube-proxy working?
+## Is kube-proxy working?
 
 Confirm that `kube-proxy` is running on your Nodes.  Running directly on a
 Node, you should get something like the below:
 -->
-### kube-proxy 正常运行吗？
+### kube-proxy 正常运行吗？  {#is-kube-proxy working}
 
-确认 `kube-proxy` 正在节点上运行。 在节点上直接运行，你将会得到类似以下的输出：
+确认 `kube-proxy` 正在节点上运行。在节点上直接运行，你将会得到类似以下的输出：
 
 ```shell
 ps auxw | grep kube-proxy
 ```
+
 ```none
 root  4194  0.4  0.1 101864 17696 ?    Sl Jul04  25:43 /usr/local/bin/kube-proxy --master=https://kubernetes-master --kubeconfig=/var/lib/kube-proxy/kubeconfig --v=2
 ```
@@ -826,7 +839,7 @@ Kube-proxy 可以以若干模式之一运行。在上述日志中，`Using iptab
 
 In "iptables" mode, you should see something like the following on a Node:
 -->
-#### Iptables 模式
+#### Iptables 模式   {#iptables-mode}
 
 在 "iptables" 模式中, 你应该可以在节点上看到如下输出:
 
@@ -864,7 +877,7 @@ config (including node-ports and load-balancers).
 
 In "ipvs" mode, you should see something like the following on a Node:
 -->
-#### IPVS 模式
+#### IPVS 模式   {#ipvs-mode}
 
 在 "ipvs" 模式中, 你应该在节点下看到如下输出：
 
@@ -901,7 +914,7 @@ hostnames(`10.0.1.175:80`) has 3 endpoints(`10.244.0.5:9376`,
 
 In rare cases, you may be using "userspace" mode.  From your Node:
 -->
-#### Userspace 模式
+#### Userspace 模式   {#userspace-mode}
 
 在极少数情况下，你可能会用到 "userspace" 模式。在你的节点上运行：
 
@@ -932,7 +945,7 @@ more time on it here.
 Assuming you do see one the above cases, try again to access your Service by
 IP from one of your Nodes:
 -->
-### kube-proxy 是否在运行?
+### kube-proxy 是否在执行代理操作?    {#is-kube-proxy-proxying}
 
 假设你确实遇到上述情况之一，请重试从节点上通过 IP 访问你的 Service ：
 
@@ -995,14 +1008,14 @@ back to themselves if they try to access their own Service VIP. The
 `promiscuous-bridge`.
 
 -->
-### 边缘案例: Pod 无法通过 Service IP 连接到它本身       {#a-pod-fails-to-reach-itself-via-the-service-ip}
+### 边缘案例: Pod 无法通过 Service IP 连接到它本身  {#a-pod-fails-to-reach-itself-via-the-service-ip}
 
-这听起来似乎不太可能，但是确实可能发生，并且应该可行。
+这听起来似乎不太可能，但是确实可能发生，并且应该可以工作。
 
 如果网络没有为“发夹模式（Hairpin）”流量生成正确配置，
 通常当 `kube-proxy` 以 `iptables` 模式运行，并且 Pod 与桥接网络连接时，就会发生这种情况。
 `kubelet` 提供了 `hairpin-mode`
-[标志](/zh/docs/reference/command-line-tools-reference/kubelet/)。
+[标志](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)。
 如果 Service 的末端尝试访问自己的 Service VIP，则该端点可以把流量负载均衡回来到它们自身。
 `hairpin-mode` 标志必须被设置为 `hairpin-veth` 或者 `promiscuous-bridge`。
 
@@ -1093,25 +1106,23 @@ Service is not working.  Please let us know what is going on, so we can help
 investigate!
 
 Contact us on
-[Slack](/docs/tasks/debug/overview/#slack) or
+[Slack](https://slack.k8s.io/) or
 [Forum](https://discuss.kubernetes.io) or
 [GitHub](https://github.com/kubernetes/kubernetes).
 -->
-## 寻求帮助
+## 寻求帮助  {#seek-help}
 
 如果你走到这一步，那么就真的是奇怪的事情发生了。你的 Service 正在运行，有 Endpoints 存在，
 你的 Pods 也确实在提供服务。你的 DNS 正常，`iptables` 规则已经安装，`kube-proxy` 看起来也正常。
 然而 Service 还是没有正常工作。这种情况下，请告诉我们，以便我们可以帮助调查！
 
-通过
-[Slack](/zh/docs/tasks/debug/overview/#slack) 或者
-[Forum](https://discuss.kubernetes.io) 或者
-[GitHub](https://github.com/kubernetes/kubernetes) 
-联系我们。
+通过 [Slack](https://slack.k8s.io/) 或者 [Forum](https://discuss.kubernetes.io) 或者
+[GitHub](https://github.com/kubernetes/kubernetes) 联系我们。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-Visit [troubleshooting document](/docs/tasks/debug/overview/) for more information.
+Visit [troubleshooting document](/docs/tasks/debug/) for more information.
 -->
-访问[故障排查文档](/zh/docs/tasks/debug-application-cluster/troubleshooting/) 获取更多信息。
+访问[故障排查文档](/zh-cn/docs/tasks/debug/)获取更多信息。
+
diff --git a/content/zh/docs/tasks/debug/debug-application/debug-statefulset.md b/content/zh-cn/docs/tasks/debug/debug-application/debug-statefulset.md
similarity index 87%
rename from content/zh/docs/tasks/debug/debug-application/debug-statefulset.md
rename to content/zh-cn/docs/tasks/debug/debug-application/debug-statefulset.md
index 72dbc4d4f62ea..5f3be83d59328 100644
--- a/content/zh/docs/tasks/debug/debug-application/debug-statefulset.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/debug-statefulset.md
@@ -57,9 +57,9 @@ You can debug individual Pods in a StatefulSet using the
 [Debugging Pods](/docs/tasks/debug/debug-application/debug-pods/) guide.
 -->
 如果你发现列出的任何 Pod 长时间处于 `Unknown` 或 `Terminating` 状态，请参阅
-[删除 StatefulSet Pod](/zh/docs/tasks/run-application/delete-stateful-set/)
+[删除 StatefulSet Pod](/zh-cn/docs/tasks/run-application/delete-stateful-set/)
 了解如何处理它们的说明。
-你可以参考[调试 Pod](/zh/docs/tasks/debug/debug-application/debug-pods/)
+你可以参考[调试 Pod](/zh-cn/docs/tasks/debug/debug-application/debug-pods/)
 来调试 StatefulSet 中的各个 Pod。
 
 ## {{% heading "whatsnext" %}}
@@ -67,5 +67,5 @@ You can debug individual Pods in a StatefulSet using the
 <!--
 Learn more about [debugging an init-container](/docs/tasks/debug/debug-application/debug-init-containers/).
 -->
-* 进一步了解如何[调试 Init 容器](/zh/docs/tasks/debug/debug-application/debug-init-containers/)。
+* 进一步了解如何[调试 Init 容器](/zh-cn/docs/tasks/debug/debug-application/debug-init-containers/)。
 
diff --git a/content/zh/docs/tasks/debug/debug-application/determine-reason-pod-failure.md b/content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
similarity index 94%
rename from content/zh/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
rename to content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
index b7f1a4a7ab6aa..9dac663aad0d8 100644
--- a/content/zh/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure.md
@@ -27,8 +27,8 @@ the general
 -->
 终止消息为容器提供了一种方法，可以将有关致命事件的信息写入某个位置，
 在该位置可以通过仪表板和监控软件等工具轻松检索和显示致命事件。
-在大多数情况下，您放入终止消息中的信息也应该写入
-[常规 Kubernetes 日志](/zh/docs/concepts/cluster-administration/logging/)。
+在大多数情况下，你放入终止消息中的信息也应该写入
+[常规 Kubernetes 日志](/zh-cn/docs/concepts/cluster-administration/logging/)。
 
 ## {{% heading "prerequisites" %}}
 
@@ -45,7 +45,7 @@ the container starts.
 -->
 ## 读写终止消息
 
-在本练习中，您将创建运行一个容器的 Pod。
+在本练习中，你将创建运行一个容器的 Pod。
 配置文件指定在容器启动时要运行的命令。
 
 {{< codenew file="debug/termination.yaml" >}}
@@ -123,7 +123,7 @@ populate the Container's status message on both success and failure.
 
 Kubernetes 从容器的 `terminationMessagePath` 字段中指定的终止消息文件中检索终止消息，
 默认值为 `/dev/termination-log`。
-通过定制这个字段，您可以告诉 Kubernetes 使用不同的文件。
+通过定制这个字段，你可以告诉 Kubernetes 使用不同的文件。
 Kubernetes 使用指定文件中的内容在成功和失败时填充容器的状态消息。
 
 <!--
@@ -153,7 +153,6 @@ to use the last chunk of container log output if the termination message file
 is empty and the container exited with an error. The log output is limited to
 2048 bytes or 80 lines, whichever is smaller.
 -->
-
 此外，用户可以设置容器的 `terminationMessagePolicy` 字段，以便进一步自定义。
 此字段默认为 "`File`"，这意味着仅从终止消息文件中检索终止消息。
 通过将 `terminationMessagePolicy` 设置为 "`FallbackToLogsOnError`"，你就可以告诉 Kubernetes，在容器因错误退出时，如果终止消息文件为空，则使用容器日志输出的最后一块作为终止消息。
@@ -170,6 +169,6 @@ is empty and the container exited with an error. The log output is limited to
 
 * 参考 [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
   资源的 `terminationMessagePath` 字段。
-* 了解[接收日志](/zh/docs/concepts/cluster-administration/logging/)。
+* 了解[接收日志](/zh-cn/docs/concepts/cluster-administration/logging/)。
 * 了解 [Go 模版](https://golang.org/pkg/text/template/)。
 
diff --git a/content/zh/docs/tasks/debug/debug-application/get-shell-running-container.md b/content/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container.md
similarity index 96%
rename from content/zh/docs/tasks/debug/debug-application/get-shell-running-container.md
rename to content/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container.md
index e67d6b1859f2d..c65d3951b9697 100644
--- a/content/zh/docs/tasks/debug/debug-application/get-shell-running-container.md
+++ b/content/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container.md
@@ -20,14 +20,12 @@ running Container.
 <!--
 ## Getting a shell to a Container
 -->
-
 ## 获取容器的 Shell
 
 <!--
 In this exercise, you create a Pod that has one Container. The Container
 runs the nginx image. Here is the configuration file for the Pod:
 -->
-
 在本练习中，你将创建包含一个容器的 Pod。容器运行 nginx 镜像。下面是 Pod 的配置文件：
 
 {{< codenew file="application/shell-demo.yaml" >}}
@@ -35,7 +33,6 @@ runs the nginx image. Here is the configuration file for the Pod:
 <!--
 Create the Pod:
 -->
-
 创建 Pod：
 
 ```shell
@@ -45,7 +42,6 @@ kubectl create -f https://k8s.io/examples/application/shell-demo.yaml
 <!--
 Verify that the Container is running:
 -->
-
 检查容器是否运行正常：
 
 ```shell
@@ -55,7 +51,6 @@ kubectl get pod shell-demo
 <!--
 Get a shell to the running Container:
 -->
-
 获取正在运行容器的 Shell：
 
 ```shell
@@ -72,7 +67,6 @@ The double dash symbol "--" is used to separate the arguments you want to pass t
 <!--
 In your shell, list the root directory:
 -->
-
 在 shell 中，打印根目录：
 
 ```shell
@@ -83,7 +77,6 @@ root@shell-demo:/# ls /
 In your shell, experiment with other commands. Here are
 some examples:
 -->
-
 在 shell 中，实验其他命令。下面是一些示例：
 
 ```shell
@@ -103,7 +96,6 @@ root@shell-demo:/# ps aux | grep nginx
 <!--
 ## Writing the root page for nginx
 -->
-
 ## 编写 nginx 的根页面
 
 <!--
@@ -111,14 +103,12 @@ Look again at the configuration file for your Pod. The Pod
 has an `emptyDir` volume, and the Container mounts the volume
 at `/usr/share/nginx/html`.
 -->
-
-在看一下 Pod 的配置文件。该 Pod 有个 `emptyDir` 卷，容器将该卷挂载到了 `/usr/share/nginx/html`。
+再看一下 Pod 的配置文件。该 Pod 有个 `emptyDir` 卷，容器将该卷挂载到了 `/usr/share/nginx/html`。
 
 <!--
 In your shell, create an `index.html` file in the `/usr/share/nginx/html`
 directory:
 -->
-
 在 shell 中，在 `/usr/share/nginx/html` 目录创建一个 `index.html` 文件：
 
 ```shell
@@ -128,7 +118,6 @@ root@shell-demo:/# echo Hello shell demo > /usr/share/nginx/html/index.html
 <!--
 In your shell, send a GET request to the nginx server:
 -->
-
 在 shell 中，向 nginx 服务器发送 GET 请求：
 
 ```shell
@@ -140,7 +129,6 @@ root@shell-demo:/# curl localhost
 <!--
 The output shows the text that you wrote to the `index.html` file:
 -->
-
 输出结果显示了你在 `index.html` 中写入的文本。
 
 ```shell
@@ -150,20 +138,17 @@ Hello shell demo
 <!--
 When you are finished with your shell, enter `exit`.
 -->
-
 当用完 shell 后，输入 `exit` 退出。
 
 <!--
 ## Running individual commands in a Container
 -->
-
 ## 在容器中运行单个命令
 
 <!--
 In an ordinary command window, not your shell, list the environment
 variables in the running Container:
 -->
-
 在普通的命令窗口（而不是 shell）中，打印环境运行容器中的变量：
 
 ```shell
@@ -173,7 +158,6 @@ kubectl exec shell-demo env
 <!--
 Experiment running other commands. Here are some examples:
 -->
-
 实验运行其他命令。下面是一些示例：
 
 ```shell
@@ -187,7 +171,6 @@ kubectl exec shell-demo cat /proc/1/mounts
 <!--
 ## Opening a shell when a Pod has more than one Container
 -->
-
 ## 当 Pod 包含多个容器时打开 shell
 
 <!--
@@ -197,9 +180,8 @@ suppose you have a Pod named my-pod, and the Pod has two containers
 named main-app and helper-app. The following command would open a
 shell to the main-app Container.
 -->
-
 如果 Pod 有多个容器，`--container` 或者 `-c` 可以在 `kubectl exec` 命令中指定容器。
-例如，您有个名为 my-pod 的容器，该 Pod 有两个容器分别为 main-app 和 healper-app。
+例如，你有个名为 my-pod 的 Pod，该 Pod 有两个容器分别为 main-app 和 healper-app。
 下面的命令将会打开一个 shell 访问 main-app 容器。
 
 ```shell
diff --git a/content/zh/docs/tasks/debug/debug-cluster/_index.md b/content/zh-cn/docs/tasks/debug/debug-cluster/_index.md
similarity index 94%
rename from content/zh/docs/tasks/debug/debug-cluster/_index.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/_index.md
index 1d3db744e3f48..bf0f550c80446 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/_index.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/_index.md
@@ -22,8 +22,8 @@ the [application troubleshooting guide](/docs/tasks/debug/debug-application/) fo
 You may also visit the [troubleshooting overview document](/docs/tasks/debug/) for more information.
 -->
 本篇文档是介绍集群故障排查的；我们假设对于你碰到的问题，你已经排除了是由应用程序造成的。
-对于应用的调试，请参阅[应用故障排查指南](/zh/docs/tasks/debug/debug-application/)。
-你也可以访问[故障排查](/zh/docs/tasks/debug/)来获取更多的信息。
+对于应用的调试，请参阅[应用故障排查指南](/zh-cn/docs/tasks/debug/debug-application/)。
+你也可以访问[故障排查](/zh-cn/docs/tasks/debug/)来获取更多的信息。
 
 <!-- body -->
 
@@ -34,7 +34,7 @@ The first thing to debug in your cluster is if your nodes are all registered cor
 
 Run the following command:
 -->
-## 列举集群节点
+## 列举集群节点 {#listing-your-cluster}
 
 调试的第一步是查看所有的节点是否都已正确注册。
 
@@ -62,7 +62,7 @@ kubectl cluster-info dump
 
 Sometimes when debugging it can be useful to look at the status of a node -- for example, because you've noticed strange behavior of a Pod that's running on the node, or to find out why a Pod won't schedule onto the node. As with Pods, you can use `kubectl describe node` and `kubectl get node -o yaml` to retrieve detailed information about nodes. For example, here's what you'll see if a node is down (disconnected from the network, or kubelet dies and won't restart, etc.). Notice the events that show the node is NotReady, and also notice that the pods are no longer running (they are evicted after five minutes of NotReady status).
 -->
-### 示例：调试关闭/无法访问的节点
+### 示例：调试关闭/无法访问的节点 {#example-debugging-a-down-unreachable-node}
 
 有时在调试时查看节点的状态很有用——例如，因为你注意到在节点上运行的 Pod 的奇怪行为，
 或者找出为什么 Pod 不会调度到节点上。与 Pod 一样，你可以使用 `kubectl describe node`
@@ -247,10 +247,12 @@ status:
 ```
 
 <!--
+## Looking at logs
+
 For now, digging deeper into the cluster requires logging into the relevant machines.  Here are the locations
 of the relevant log files.  On systemd-based systems, you may need to use `journalctl` instead of examining log files.
 -->
-## 查看日志
+## 查看日志 {#looking-at-logs}
 
 目前，深入挖掘集群需要登录相关机器。以下是相关日志文件的位置。
 在基于 systemd 的系统上，你可能需要使用 `journalctl` 而不是检查日志文件。
@@ -262,7 +264,7 @@ of the relevant log files.  On systemd-based systems, you may need to use `journ
    * `/var/log/kube-scheduler.log` - Scheduler, responsible for making scheduling decisions
    * `/var/log/kube-controller-manager.log` - a component that runs most Kubernetes built-in {{<glossary_tooltip text="controllers" term_id="controller">}}, with the notable exception of scheduling (the kube-scheduler handles scheduling).
 -->
-### 控制平面节点
+### 控制平面节点 {#control-plane-nodes}
 
    * `/var/log/kube-apiserver.log` —— API 服务器 API
    * `/var/log/kube-scheduler.log` —— 调度器，负责制定调度决策
@@ -276,17 +278,17 @@ of the relevant log files.  On systemd-based systems, you may need to use `journ
    * `/var/log/kube-proxy.log` - logs from `kube-proxy`, which is responsible for directing traffic to Service endpoints
 -->
 
-### 工作节点
+### 工作节点 {#worker-nodes}
 
    * `/var/log/kubelet.log` —— 来自 `kubelet` 的日志，负责在节点运行容器
-   * `/var/log/kube-proxy.log` —— 来自 `kube-proxy` 的日志, 负责将流量转发到服务端点
+   * `/var/log/kube-proxy.log` —— 来自 `kube-proxy` 的日志，负责将流量转发到服务端点
 
 <!-- 
 ## Cluster failure modes
 
 This is an incomplete list of things that could go wrong, and how to adjust your cluster setup to mitigate the problems.
 -->
-## 集群故障模式
+## 集群故障模式 {#cluster-failure-modes}
 
 这是可能出错的事情的不完整列表，以及如何调整集群设置以缓解问题。
 
@@ -299,7 +301,7 @@ This is an incomplete list of things that could go wrong, and how to adjust your
   - Data loss or unavailability of persistent storage (e.g. GCE PD or AWS EBS volume)
   - Operator error, for example misconfigured Kubernetes software or application software
 -->
-### 贡献原因
+### 造成原因 {#contributing-causes}
 
    - 虚拟机关闭
    - 集群内或集群与用户之间的网络分区
@@ -308,19 +310,19 @@ This is an incomplete list of things that could go wrong, and how to adjust your
    - 操作员错误，例如配置错误的 Kubernetes 软件或应用程序软件
 
 <!--
-### Specific scenarios:
+### Specific scenarios
 
-  - Apiserver VM shutdown or apiserver crashing
+  - API server VM shutdown or apiserver crashing
     - Results
       - unable to stop, update, or start new pods, services, replication controller
       - existing pods and services should continue to work normally, unless they depend on the Kubernetes API
-  - Apiserver backing storage lost
+  - API server backing storage lost
     - Results
-      - apiserver should fail to come up
+      - the kube-apiserver component fails to start successfully and become healthy
       - kubelets will not be able to reach it but will continue to run the same pods and provide the same service proxying
       - manual recovery or recreation of apiserver state necessary before apiserver is restarted
 -->
-### 具体情况
+### 具体情况 {#specific-scenarios}
 
 - API 服务器所在的 VM 关机或者 API 服务器崩溃
   - 结果
@@ -328,7 +330,7 @@ This is an incomplete list of things that could go wrong, and how to adjust your
     - 现有的 Pod 和服务在不依赖 Kubernetes API 的情况下应该能继续正常工作
 - API 服务器的后端存储丢失
   - 结果
-    - API 服务器应该不能启动
+    - kube-apiserver 组件未能成功启动并变健康
     - kubelet 将不能访问 API 服务器，但是能够继续运行之前的 Pod 和提供相同的服务代理
     - 在 API 服务器重启之前，需要手动恢复或者重建 API 服务器的状态
 <!--
@@ -353,7 +355,7 @@ This is an incomplete list of things that could go wrong, and how to adjust your
 - 网络分裂
   - 结果
     - 分区 A 认为分区 B 中所有的节点都已宕机；分区 B 认为 API 服务器宕机
-      （假定主控节点所在的 VM 位于分区 A 内)。
+      （假定主控节点所在的 VM 位于分区 A 内）。
 <!--
   - Kubelet software fault
     - Results
@@ -397,7 +399,7 @@ This is an incomplete list of things that could go wrong, and how to adjust your
   - Mitigates: API server backing storage (i.e., etcd's data directory) lost
     - Assumes HA (highly-available) etcd configuration
 -->
-### 缓解措施
+### 缓解措施 {#mitigations}
 
 - 措施：对于 IaaS 上的 VM，使用 IaaS 的自动 VM 重启功能
   - 缓解：API 服务器 VM 关机或 API 服务器崩溃
@@ -406,7 +408,7 @@ This is an incomplete list of things that could go wrong, and how to adjust your
 - 措施: 对于运行 API 服务器和 etcd 的 VM，使用 IaaS 提供的可靠的存储（例如 GCE PD 或者 AWS EBS 卷）
   - 缓解：API 服务器后端存储的丢失
 
-- 措施：使用[高可用性](/zh/docs/setup/production-environment/tools/kubeadm/high-availability/)的配置
+- 措施：使用[高可用性](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/)的配置
   - 缓解：主控节点 VM 关机或者主控节点组件（调度器、API 服务器、控制器管理器）崩馈
     - 将容许一个或多个节点或组件同时出现故障
   - 缓解：API 服务器后端存储（例如 etcd 的数据目录）丢失
@@ -449,7 +451,7 @@ This is an incomplete list of things that could go wrong, and how to adjust your
 * Get more information about [Kubernetes auditing](audit)
 * Use `telepresence` to [develop and debug services locally](local-debugging)
 -->
-* 了解 [资源指标管道](resource-metrics-pipeline) 中可用的指标
+* 了解[资源指标管道](resource-metrics-pipeline)中可用的指标
 * 发现用于[监控资源使用](resource-usage-monitoring)的其他工具
 * 使用节点问题检测器[监控节点健康](monitor-node-health)
 * 使用 `crictl` 来[调试 Kubernetes 节点](crictl)
diff --git a/content/zh/docs/tasks/debug/debug-cluster/audit.md b/content/zh-cn/docs/tasks/debug/debug-cluster/audit.md
similarity index 93%
rename from content/zh/docs/tasks/debug/debug-cluster/audit.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/audit.md
index b4b4c9ee66a8e..cfe19ea4b37c7 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/audit.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/audit.md
@@ -21,7 +21,7 @@ by applications that use the Kubernetes API, and by the control plane itself.
 
 Auditing allows cluster administrators to answer the following questions:
 -->
-Kubernetes _审计（Auditing）_ 功能提供了与安全相关的、按时间顺序排列的记录集，
+Kubernetes **审计（Auditing）**功能提供了与安全相关的、按时间顺序排列的记录集，
 记录每个用户、使用 Kubernetes API 的应用以及控制面自身引发的活动。
 
 审计功能使得集群管理员能够回答以下问题：
@@ -55,7 +55,7 @@ and the backends persist the records. The current backend implementations
 include logs files and webhooks.
 -->
 审计记录最初产生于
-[kube-apiserver](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)
+[kube-apiserver](/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/)
 内部。每个请求在不同执行阶段都会生成审计事件；这些审计事件会根据特定策略
 被预处理并写入后端。策略确定要记录的内容和用来存储记录的后端。
 当前的后端支持日志文件和 webhook。
@@ -73,7 +73,7 @@ Each request can be recorded with an associated _stage_. The defined stages are:
   will be sent.
 - `Panic` - Events generated when a panic occurred.
 -->
-每个请求都可被记录其相关的 _阶段（stage）_。已定义的阶段有：
+每个请求都可被记录其相关的**阶段（stage）**。已定义的阶段有：
 
 - `RequestReceived` - 此阶段对应审计处理器接收到请求后，并且在委托给
   其余处理器之前生成的事件。
@@ -90,8 +90,8 @@ is different from the
 API object.
 -->
 {{< note >}}
-[审计事件配置](/zh/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Event)
-的配置与 [Event](/zh/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#event-v1-core)
+[审计事件配置](/zh-cn/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Event)
+的配置与 [Event](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#event-v1-core)
 API 对象不同。
 {{< /note >}}
 
@@ -117,9 +117,9 @@ _audit level_ of the event. The defined audit levels are:
 
 审计政策定义了关于应记录哪些事件以及应包含哪些数据的规则。
 审计策略对象结构定义在
-[`audit.k8s.io` API 组](/zh/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Policy)
+[`audit.k8s.io` API 组](/zh-cn/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Policy)
 处理事件时，将按顺序与规则列表进行比较。第一个匹配规则设置事件的
-_审计级别（Audit Level）_。已定义的审计级别有：
+**审计级别（Audit Level）**。已定义的审计级别有：
 
 <!--
 - `None` - don't log events that match this rule.
@@ -147,7 +147,7 @@ Below is an example audit policy file:
 -->
 你可以使用 `--audit-policy-file` 标志将包含策略的文件传递给 `kube-apiserver`。
 如果不设置该标志，则不记录事件。
-注意 `rules` 字段 __必须__ 在审计策略文件中提供。没有（0）规则的策略将被视为非法配置。
+注意 `rules` 字段**必须**在审计策略文件中提供。没有（0）规则的策略将被视为非法配置。
 
 以下是一个审计策略文件的示例：
 
@@ -179,7 +179,7 @@ for details about the fields defined.
 [configure-helper.sh](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh)
 脚本，该脚本能够生成审计策略文件。你可以直接在脚本中看到审计策略的绝大部份内容。
 
-你也可以参考 [`Policy` 配置参考](/zh/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Policy)
+你也可以参考 [`Policy` 配置参考](/zh-cn/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Policy)
 以获取有关已定义字段的详细信息。
 
 <!--
@@ -203,7 +203,7 @@ In all cases, audit events follow a structure defined by the Kubernetes API in t
 - Webhook 后端，将事件发送到外部 HTTP API
 
 在这所有情况下，审计事件均遵循 Kubernetes API 在
-[`audit.k8s.io` API 组](/zh/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Event)
+[`audit.k8s.io` API 组](/zh-cn/docs/reference/config-api/apiserver-audit.v1/#audit-k8s-io-v1-Event)
 中定义的结构。
 
 <!--
@@ -241,7 +241,7 @@ You can configure the log audit backend using the following `kube-apiserver` fla
 Log backend writes audit events to a file in JSON format. You can configure
 log audit backend using the following [kube-apiserver][kube-apiserver] flags:
 -->
-### Log 后端
+### Log 后端   {#log-backend}
 
 Log 后端将审计事件写入 [JSONlines](https://jsonlines.org/)  格式的文件。
 你可以使用以下 `kube-apiserver` 标志配置 Log 审计后端：
@@ -325,7 +325,7 @@ The webhook config file uses the kubeconfig format to specify the remote address
 the service and credentials used to connect to it.
 -->
 - `--audit-webhook-config-file` 设置 Webhook 配置文件的路径。Webhook 配置文件实际上是一个
-  [kubeconfig 文件](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)。
+  [kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)。
 - `--audit-webhook-initial-backoff` 指定在第一次失败后重发请求等待的时间。随后的请求将以指数退避重试。
 
 Webhook 配置文件使用 kubeconfig 格式指定服务的远程地址和用于连接它的凭据。
@@ -449,5 +449,4 @@ By default truncate is disabled in both `webhook` and `log`, a cluster administr
 <!--
 * Learn about [Mutating webhook auditing annotations](/docs/reference/access-authn-authz/extensible-admission-controllers/#mutating-webhook-auditing-annotations).
 -->
-* 了解 [Mutating webhook 审计注解](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#mutating-webhook-auditing-annotations)。
-
+* 了解 [Mutating webhook 审计注解](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#mutating-webhook-auditing-annotations)。
\ No newline at end of file
diff --git a/content/zh/docs/tasks/debug/debug-cluster/crictl.md b/content/zh-cn/docs/tasks/debug/debug-cluster/crictl.md
similarity index 95%
rename from content/zh/docs/tasks/debug/debug-cluster/crictl.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/crictl.md
index 3eb5cf4955d55..4a41a4ca05b9a 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/crictl.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/crictl.md
@@ -1,12 +1,8 @@
 ---
-reviewers:
-- Random-Liu
-- feiskyer
-- mrunalp
 title: 使用 crictl 对 Kubernetes 节点进行调试
 content_type: task
+weight: 30
 ---
-
 <!--
 reviewers:
 - Random-Liu
@@ -14,6 +10,7 @@ reviewers:
 - mrunalp
 title: Debugging Kubernetes nodes with crictl
 content_type: task
+weight: 30
 -->
 
 <!-- overview -->
@@ -50,7 +47,7 @@ different architectures. Download the version that corresponds to your version
 of Kubernetes. Extract it and move it to a location on your system path, such as
 `/usr/local/bin/`.
 -->
-## 安装 crictl
+## 安装 crictl    {#installing-crictl}
 
 你可以从 cri-tools [发布页面](https://github.com/kubernetes-sigs/cri-tools/releases)
 下载一个压缩的 `crictl` 归档文件，用于几种不同的架构。
@@ -63,7 +60,7 @@ of Kubernetes. Extract it and move it to a location on your system path, such as
 The `crictl` command has several subcommands and runtime flags. Use
 `crictl help` or `crictl <subcommand> help` for more details.
 -->
-## 一般用法
+## 一般用法    {#general-usage}
 
 `crictl` 命令有几个子命令和运行时参数。
 有关详细信息，请使用 `crictl help` 或 `crictl <subcommand> help` 获取帮助信息。
@@ -120,7 +117,7 @@ documentation](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/cri
 
 The following examples show some `crictl` commands and example output.
 -->
-## crictl 命令示例
+## crictl 命令示例    {#example-crictl-commands}
 
 {{< warning >}}
 <!--
@@ -138,7 +135,7 @@ kubelet 最终将删除它们。
 
 List all pods:
 -->
-### 打印 Pod 清单
+### 打印 Pod 清单    {#list-pods}
 
 打印所有 Pod 的清单：
 
@@ -202,7 +199,7 @@ POD ID              CREATED             STATE               NAME
 
 List all images:
 -->
-### 打印镜像清单
+### 打印镜像清单    {#list-containers}
 
 打印所有镜像清单：
 
@@ -268,7 +265,7 @@ sha256:cd5239a0906a6ccf0562354852fae04bc5b52d72a2aff9a871ddb6bd57553569
 
 List all containers:
 -->
-### 打印容器清单
+### 打印容器清单    {#list-containers}
 
 打印所有容器清单：
 
@@ -313,7 +310,7 @@ CONTAINER ID        IMAGE
 <!--
 ### Execute a command in a running container
 -->
-### 在正在运行的容器上执行命令
+### 在正在运行的容器上执行命令    {#execute-a-command-in-a-running-container}
 
 ```shell
 crictl exec -i -t 1f73f2d81bf98 ls
@@ -333,7 +330,7 @@ bin   dev   etc   home  proc  root  sys   tmp   usr   var
 
 Get all container logs:
 -->
-### 获取容器日志
+### 获取容器日志    {#get-a-container-s-logs}
 
 获取容器的所有日志：
 
@@ -377,7 +374,7 @@ Using `crictl` to run a pod sandbox is useful for debugging container runtimes.
 On a running Kubernetes cluster, the sandbox will eventually be stopped and
 deleted by the Kubelet.
 -->
-### 运行 Pod 沙盒
+### 运行 Pod 沙盒    {#run-a-pod-sandbox}
 
 用 `crictl` 运行 Pod 沙盒对容器运行时排错很有帮助。
 在运行的 Kubernetes 集群中，沙盒会随机地被 kubelet 停止和删除。
@@ -422,7 +419,7 @@ Using `crictl` to create a container is useful for debugging container runtimes.
 On a running Kubernetes cluster, the sandbox will eventually be stopped and
 deleted by the Kubelet.
 -->
-### 创建容器
+### 创建容器 {#create-a-container}
 
 用 `crictl` 创建容器对容器运行时排错很有帮助。
 在运行的 Kubernetes 集群中，沙盒会随机的被 kubelet 停止和删除。
@@ -471,13 +468,13 @@ deleted by the Kubelet.
    ```json
    {
      "metadata": {
-         "name": "busybox"
+       "name": "busybox"
      },
      "image":{
-         "image": "busybox"
+       "image": "busybox"
      },
      "command": [
-         "top"
+       "top"
      ],
      "log_path":"busybox.log",
      "linux": {
@@ -520,7 +517,7 @@ deleted by the Kubelet.
 
 To start a container, pass its ID to `crictl start`:
 -->
-### 启动容器
+### 启动容器 {#start-a-container}
 
 要启动容器，要将容器 ID 传给 `crictl start`：
 
@@ -562,5 +559,5 @@ CONTAINER ID   IMAGE    CREATED              STATE    NAME     ATTEMPT
 * [Learn more about `crictl`](https://github.com/kubernetes-sigs/cri-tools).
 * [Map `docker` CLI commands to `crictl`](/docs/reference/tools/map-crictl-dockercli/).
 -->
-* [进一步了解 `crictl`](https://github.com/kubernetes-sigs/cri-tools).
-* [将 `docker` CLI 命令映射到 `crictl`](/zh/docs/reference/tools/map-crictl-dockercli/).
+* [进一步了解 `crictl`](https://github.com/kubernetes-sigs/cri-tools)
+* [将 `docker` CLI 命令映射到 `crictl`](/zh-cn/docs/reference/tools/map-crictl-dockercli/)
diff --git a/content/zh/docs/tasks/debug/debug-cluster/local-debugging.md b/content/zh-cn/docs/tasks/debug/debug-cluster/local-debugging.md
similarity index 96%
rename from content/zh/docs/tasks/debug/debug-cluster/local-debugging.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/local-debugging.md
index c9d00ddda6811..2cc5c5d692e38 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/local-debugging.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/local-debugging.md
@@ -18,7 +18,7 @@ Kubernetes applications usually consist of multiple, separate services, each run
 
 Kubernetes 应用程序通常由多个独立的服务组成，每个服务都在自己的容器中运行。
 在远端的 Kubernetes 集群上开发和调试这些服务可能很麻烦，
-需要[在运行的容器上打开 Shell](/zh/docs/tasks/debug/debug-application/get-shell-running-container/)，
+需要[在运行的容器上打开 Shell](/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/)，
 以运行调试工具。
 
 <!--
@@ -26,7 +26,7 @@ Kubernetes 应用程序通常由多个独立的服务组成，每个服务都在
 -->
 
 `telepresence` 是一个工具，用于简化本地开发和调试服务的过程，同时可以将服务代理到远程 Kubernetes 集群。
-`telepresence` 允许你使用使用自定义工具（例如：调试器 和 IDE）调式服务，
+`telepresence` 允许你使用使用自定义工具（例如：调试器 和 IDE）调试服务，
 并提供对 Configmap、Secret 和远程集群上运行的服务的完全访问。
 
 
@@ -52,7 +52,7 @@ This document describes using `telepresence` to develop and debug services runni
 <!--
 ## Connecting your local machine to a remote Kubernetes cluster
  
-After installing `telepresence`, run `telepresence connect` to launch it's Daemon and connect your local workstation to the cluster.
+After installing `telepresence`, run `telepresence connect` to launch its Daemon and connect your local workstation to the cluster.
 -->
 
 ## 从本机连接到远程 Kubernetes 集群
diff --git a/content/zh/docs/tasks/debug/debug-cluster/monitor-node-health.md b/content/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health.md
similarity index 98%
rename from content/zh/docs/tasks/debug/debug-cluster/monitor-node-health.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health.md
index 7a8f5028c9460..8e2778c7a94fb 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/monitor-node-health.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health.md
@@ -27,7 +27,7 @@ To learn how to install and use Node Problem Detector, see
 *节点问题检测器（Node Problem Detector）* 是一个守护程序，用于监视和报告节点的健康状况。
 你可以将节点问题探测器以 `DaemonSet` 或独立守护程序运行。
 节点问题检测器从各种守护进程收集节点问题，并以
-[NodeCondition](/zh/docs/concepts/architecture/nodes/#condition) 和
+[NodeCondition](/zh-cn/docs/concepts/architecture/nodes/#condition) 和
 [Event](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#event-v1-core)
 的形式报告给 API 服务器。 
 
@@ -140,7 +140,7 @@ is embedded when building the Docker image of Node Problem Detector.
 However, you can use a [`ConfigMap`](/docs/tasks/configure-pod-container/configure-pod-configmap/)
 to overwrite the configuration:
 -->
-不过，你可以像下面这样使用 [`ConfigMap`](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)
+不过，你可以像下面这样使用 [`ConfigMap`](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
 将其覆盖：
 
 <!-- 
diff --git a/content/zh/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md b/content/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
similarity index 90%
rename from content/zh/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
index 6b9a4c70dd6d8..51ec65e6c4925 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline.md
@@ -35,11 +35,11 @@ command.
 包括 CPU 和内存的指标。如果将 Metrics API 部署到集群中，
 那么 Kubernetes API 的客户端就可以查询这些信息，并且可以使用 Kubernetes 的访问控制机制来管理权限。
 
-[HorizontalPodAutoscaler](/zh/docs/tasks/run-application/horizontal-pod-autoscale/) (HPA) 和 
+[HorizontalPodAutoscaler](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/) (HPA) 和 
 [VerticalPodAutoscaler](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#readme) (VPA) 
 使用 metrics API 中的数据调整工作负载副本和资源，以满足客户需求。
 
-你也可以通过 [`kubectl top`](/zh/docs/reference/generated/kubectl/kubectl-commands#top) 命令来查看资源指标。
+你也可以通过 [`kubectl top`](/docs/reference/generated/kubectl/kubectl-commands#top) 命令来查看资源指标。
 
 {{< note >}}
 <!--
@@ -52,7 +52,7 @@ that uses the _Custom Metrics API_.
 -->
 Metrics API 及其启用的指标管道仅提供最少的 CPU 和内存指标，以启用使用 HPA 和/或 VPA 的自动扩展。
 如果你想提供更完整的指标集，你可以通过部署使用 _Custom Metrics API_ 的第二个
-[指标管道](/zh/docs/tasks/debug/debug-cluster/resource-usage-monitoring/#full-metrics-pipeline)来作为简单的 Metrics API 的补充。
+[指标管道](/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring/#full-metrics-pipeline)来作为简单的 Metrics API 的补充。
 {{< /note >}}
 
 <!--
@@ -110,11 +110,11 @@ The architecture components, from right to left in the figure, consist of the fo
 图中从右到左的架构组件包括以下内容：
 
 * [cAdvisor](https://github.com/google/cadvisor): 用于收集、聚合和公开 Kubelet 中包含的容器指标的守护程序。
-* [kubelet](/zh/docs/concepts/overview/components/#kubelet): 用于管理容器资源的节点代理。
+* [kubelet](/zh-cn/docs/concepts/overview/components/#kubelet): 用于管理容器资源的节点代理。
   可以使用 `/metrics/resource` 和 `/stats` kubelet API 端点访问资源指标。
 * [Summary API](#summary-api-source): kubelet 提供的 API，用于发现和检索可通过 `/stats` 端点获得的每个节点的汇总统计信息。
 * [metrics-server](#metrics-server): 集群插件组件，用于收集和聚合从每个 kubelet 中提取的资源指标。
-  API 服务器提供 Metrics API 以供 HPA、VPA 和 `kubectl top` 命令使用。 Metrics Server 是 Metrics API 的参考实现。
+  API 服务器提供 Metrics API 以供 HPA、VPA 和 `kubectl top` 命令使用。Metrics Server 是 Metrics API 的参考实现。
 * [Metrics API](#metrics-api): Kubernetes API 支持访问用于工作负载自动缩放的 CPU 和内存。
   要在你的集群中进行这项工作，你需要一个提供 Metrics API 的 API 扩展服务器。
 
@@ -244,8 +244,8 @@ the [metrics-server repository](https://github.com/kubernetes-sigs/metrics-serve
 -->
 
 Metrics API 在 [k8s.io/metrics](https://github.com/kubernetes/metrics) 代码库中定义。
-你必须启用 [API 聚合层](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/)并为 
-`metrics.k8s.io` API 注册一个 [APIService](/zh/docs/reference/kubernetes-api/cluster-resources/api-service-v1/)。
+你必须启用 [API 聚合层](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/)并为 
+`metrics.k8s.io` API 注册一个 [APIService](/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1/)。
 
 要了解有关 Metrics API 的更多信息，
 请参阅资源 [Resource Metrics API Design](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/resource-metrics-api.md)、
@@ -286,7 +286,7 @@ CPU 报告为以 cpu 为单位测量的平均核心使用率。在 Kubernetes 
 用于计算 CPU 的时间窗口显示在 Metrics API 的窗口字段下。
 
 要了解更多关于 Kubernetes 如何分配和测量 CPU 资源的信息，请参阅
-[CPU 的含义](/zh/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)。
+[CPU 的含义](/zh-cn/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu)。
 
 <!--
 ### Memory
@@ -315,7 +315,7 @@ Kubernetes 模型中，容器工作集是由容器运行时计算的与相关容
 工作集指标通常还包括一些缓存（文件支持）内存，因为主机操作系统不能总是回收页面。
 
 要了解有关 Kubernetes 如何分配和测量内存资源的更多信息，
-请参阅[内存的含义](/zh/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory)。
+请参阅[内存的含义](/zh-cn/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory)。
 
 <!--
 ## Metrics Server
@@ -350,7 +350,7 @@ to collect metrics from each node. Depending on the metrics-server version it us
 * Metrics resource endpoint `/metrics/resource` in version v0.6.0+ or
 * Summary API endpoint `/stats/summary` in older versions
 -->
-metrics-server 调用 [kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/) API
+metrics-server 调用 [kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) API
 从每个节点收集指标。根据它使用的度量服务器版本：
 
 * 版本 v0.6.0+ 中，使用指标资源端点 `/metrics/resource`
@@ -362,7 +362,7 @@ To learn more about the metrics-server, see the
 
 You can also check out the following:
 
-* [metrics-server design](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/instrumentation/metrics-server.md)
+* [metrics-server design](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/metrics-server.md)
 * [metrics-server FAQ](https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md)
 * [metrics-server known issues](https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md)
 * [metrics-server releases](https://github.com/kubernetes-sigs/metrics-server/releases)
@@ -373,11 +373,11 @@ You can also check out the following:
 
 你还可以查看以下内容：
 
-* [metrics-server 设计](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/instrumentation/metrics-server.md)
+* [metrics-server 设计](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/metrics-server.md)
 * [metrics-server FAQ](https://github.com/kubernetes-sigs/metrics-server/blob/master/FAQ.md)
 * [metrics-server known issues](https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md)
 * [metrics-server releases](https://github.com/kubernetes-sigs/metrics-server/releases)
-* [Horizontal Pod Autoscaling](/zh/docs/tasks/run-application/horizontal-pod-autoscale/)
+* [Horizontal Pod Autoscaling](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/)
 
 <!--
 ### Summary API Source
@@ -387,10 +387,10 @@ them in the [Summary API](https://github.com/kubernetes/kubernetes/blob/7d309e01
 for consumers to read.
 -->
 
-### Summary API 来源
+### Summary API 来源   {#summary-api-source}
 
-[Kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/) 在节点、卷、Pod 和容器级别收集统计信息，
-并在[Summary API](https://github.com/kubernetes/kubernetes/blob/7d309e0104fedb57280b261e5677d919cb2a0e2d/staging/src/k8s.io/kubelet/pkg/apis/stats/v1alpha1/types.go)
+[Kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) 在节点、卷、Pod 和容器级别收集统计信息，
+并在 [Summary API](https://github.com/kubernetes/kubernetes/blob/7d309e0104fedb57280b261e5677d919cb2a0e2d/staging/src/k8s.io/kubelet/pkg/apis/stats/v1alpha1/types.go)
 中提供它们的统计信息供消费者阅读。
 
 <!--
@@ -416,4 +416,4 @@ The summary API `/stats/summary` endpoint will be replaced by the `/metrics/reso
 beginning with metrics-server 0.6.x.
 -->
 从 metrics-server 0.6.x 开始，Summary API `/stats/summary` 端点被 `/metrics/resource` 端点替换。
-{{< /note >}}
+{{< /note >}}
\ No newline at end of file
diff --git a/content/zh/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md b/content/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
similarity index 95%
rename from content/zh/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
rename to content/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
index 86345a09a88ab..b8ef029b0d6ba 100644
--- a/content/zh/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring.md
@@ -24,8 +24,8 @@ where bottlenecks can be removed to improve overall performance.
 -->
 要扩展应用程序并提供可靠的服务，你需要了解应用程序在部署时的行为。
 你可以通过检测容器检查 Kubernetes 集群中的应用程序性能，
-[Pods](/zh/docs/concepts/workloads/pods), 
-[服务](/zh/docs/concepts/services-networking/service/)
+[Pods](/zh-cn/docs/concepts/workloads/pods), 
+[服务](/zh-cn/docs/concepts/services-networking/service/)
 和整个集群的特征。
 Kubernetes 在每个级别上提供有关应用程序资源使用情况的详细信息。
 此信息使你可以评估应用程序的性能，以及在何处可以消除瓶颈以提高整体性能。
@@ -55,7 +55,7 @@ These  metrics are collected by the lightweight, short-term, in-memory
 ## 资源度量管道  {#resource-metrics-pipeline}
 
 资源指标管道提供了一组与集群组件，例如
-[Horizontal Pod Autoscaler](/zh/docs/tasks/run-application/horizontal-pod-autoscale/)
+[Horizontal Pod Autoscaler](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/)
 控制器以及 `kubectl top` 实用程序相关的有限度量。
 这些指标是由轻量级的、短期、内存存储的
 [metrics-server](https://github.com/kubernetes-sigs/metrics-server) 收集的，
@@ -76,7 +76,7 @@ This API is served at `/metrics/resource/v1beta1` on the kubelet's authenticated
 read-only ports. 
 -->
 度量服务器发现集群中的所有节点，并且查询每个节点的
-[kubelet](/zh/docs/reference/command-line-tools-reference/kubelet/)
+[kubelet](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)
 以获取 CPU 和内存使用情况。
 Kubelet 充当 Kubernetes 主节点与节点之间的桥梁，管理机器上运行的 Pod 和容器。
 kubelet 将每个 Pod 转换为其组成的容器，并在容器运行时通过容器运行时接口
diff --git a/content/zh-cn/docs/tasks/debug/debug-cluster/windows.md b/content/zh-cn/docs/tasks/debug/debug-cluster/windows.md
new file mode 100644
index 0000000000000..0dd8dba8e583b
--- /dev/null
+++ b/content/zh-cn/docs/tasks/debug/debug-cluster/windows.md
@@ -0,0 +1,314 @@
+---
+title: Windows 调试小技巧
+content_type: concept
+---
+<!--
+title: Windows debugging tips
+content_type: concept
+-->
+<!-- overview -->
+
+<!-- body -->
+<!-- 
+## Node-level troubleshooting {#troubleshooting-node}
+
+1. My Pods are stuck at "Container Creating" or restarting over and over
+
+   Ensure that your pause image is compatible with your Windows OS version.
+   See [Pause container](/docs/setup/production-environment/windows/intro-windows-in-kubernetes#pause-container)
+   to see the latest / recommended pause image and/or get more information.
+
+   {{< note >}}
+   If using containerd as your container runtime the pause image is specified in the
+   `plugins.plugins.cri.sandbox_image` field of the of config.toml configration file.
+   {{< /note >}}
+-->
+## 工作节点级别排障 {#troubleshooting-node}
+
+1. 我的 Pod 都卡在 “Container Creating” 或者不断重启
+
+   确保你的 pause 镜像跟你的 Windows 版本兼容。
+   查看 [Pause 容器](zh/docs/setup/production-environment/windows/intro-windows-in-kubernetes#pause-container)
+   以了解最新的或建议的 pause 镜像，或者了解更多信息。
+
+   {{< note >}}
+   如果你使用了 containerd 作为你的容器运行时，pause 镜像在 config.toml 配置文件的
+   `plugins.plugins.cri.sandbox_image` 中指定。
+   {{< /note >}}
+<!-- 
+2. My pods show status as `ErrImgPull` or `ImagePullBackOff`
+
+   Ensure that your Pod is getting scheduled to a [compatable](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) Windows Node.
+
+   More information on how to specify a compatable node for your Pod can be found in [this guide](/docs/setup/production-environment/windows/user-guide-windows-containers/#ensuring-os-specific-workloads-land-on-the-appropriate-container-host).
+-->
+2. 我的 pod 状态显示 'ErrImgPull' 或者 ‘ImagePullBackOff’
+
+   保证你的 Pod 被调度到[兼容的](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) Windows 节点上。
+
+   关于如何为你的 Pod 指定一个兼容节点，
+   的更多信息可以查看这个指可以查看[这个指南](/zh-cn/docs/setup/production-environment/windows/user-guide-windows-containers/#ensuring-os-specific-workloads-land-on-the-appropriate-container-host)以了解更多的信息。
+<!-- 
+## Network troubleshooting {#troubleshooting-network}
+
+1. My Windows Pods do not have network connectivity
+
+   If you are using virtual machines, ensure that MAC spoofing is **enabled** on all
+   the VM network adapter(s).
+-->
+## 网络排障 {#troubleshooting-network}
+
+1. 我的 Windows Pod 没有网络连接
+
+   如果你使用的是虚拟机，请确保所有 VM 网卡上都已启用 MAC spoofing。
+<!-- 
+2. My Windows Pods cannot ping external resources
+
+   Windows Pods do not have outbound rules programmed for the ICMP protocol. However,
+   TCP/UDP is supported. When trying to demonstrate connectivity to resources
+   outside of the cluster, substitute `ping <IP>` with corresponding
+   `curl <IP>` commands.
+
+   If you are still facing problems, most likely your network configuration in
+   [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf)
+   deserves some extra attention. You can always edit this static file. The
+   configuration update will apply to any new Kubernetes resources.
+
+   One of the Kubernetes networking requirements
+   (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is
+   for cluster communication to occur without
+   NAT internally. To honor this requirement, there is an
+   [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20)
+   for all the communication where you do not want outbound NAT to occur. However,
+   this also means that you need to exclude the external IP you are trying to query
+   from the `ExceptionList`. Only then will the traffic originating from your Windows
+   pods be SNAT'ed correctly to receive a response from the outside world. In this
+   regard, your `ExceptionList` in `cni.conf` should look as follows:
+
+   ```conf
+   "ExceptionList": [
+                   "10.244.0.0/16",  # Cluster subnet
+                   "10.96.0.0/12",   # Service subnet
+                   "10.127.130.0/24" # Management (host) subnet
+               ]
+   ```
+-->
+2. 我的 Windows Pod 不能 ping 通外界资源
+
+   Windows Pod 没有为 ICMP 协议编写出站规则，但 TCP/UDP 是支持的。当试图演示与集群外部资源的连接时，可以把 `ping <IP>` 替换为 `curl <IP>` 命令。
+
+   如果你仍然遇到问题，很可能你需要额外关注
+   [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf)
+   的配置。你可以随时编辑这个静态文件。更新配置将应用于新的 Kubernetes 资源。
+
+   Kubernetes 的网络需求之一 (查看 [Kubernetes 模型](/zh-cn/docs/concepts/cluster-administration/networking/)) 
+   是集群通信不需要内部的 NAT。
+   为了遵守这一要求， 对于你不希望发生的出站 NAT 通信，这里有一个
+   [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) 。
+   然而，这也意味着你需要从 `ExceptionList` 中去掉你试图查询的外部IP。
+   只有这样，来自你的 Windows Pod 的流量才会被正确地 SNAT 转换，以接收来自外部环境的响应。
+   就此而言，你的 `cni.conf` 中的 `ExceptionList` 应该如下所示：
+
+   ```conf
+   "ExceptionList": [
+                   "10.244.0.0/16",  # Cluster subnet
+                   "10.96.0.0/12",   # Service subnet
+                   "10.127.130.0/24" # Management (host) subnet
+               ]
+   ```
+<!--  
+3. My Windows node cannot access `NodePort` type Services
+
+   Local NodePort access from the node itself fails. This is a known
+   limitation. NodePort access works from other nodes or external clients.
+
+4. vNICs and HNS endpoints of containers are being deleted
+
+   This issue can be caused when the `hostname-override` parameter is not passed to
+   [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve
+   it, users need to pass the hostname to kube-proxy as follows:
+
+   ```powershell
+   C:\k\kube-proxy.exe --hostname-override=$(hostname)
+   ```
+-->
+3. 我的 Windows 节点无法访问 `NodePort` 类型服务
+
+   从节点本身访问本地 NodePort 失败，是一个已知的限制。你可以从其他节点或外部客户端正常访问 NodePort。
+
+4. 容器的 vnic 和 HNS endpoints 正在被删除
+
+   当 `hostname-override` 参数没有传递给 [kube-proxy](/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/)
+   时可能引发这一问题。想要解决这个问题，用户需要将主机名传递给 kube-proxy，如下所示：
+
+   ```powershell
+   C:\k\kube-proxy.exe --hostname-override=$(hostname)
+   ```
+<!-- 
+5. My Windows node cannot access my services using the service IP
+
+   This is a known limitation of the networking stack on Windows. However, Windows Pods can access the Service IP.
+
+6. No network adapter is found when starting the kubelet
+
+   The Windows networking stack needs a virtual adapter for Kubernetes networking to work.
+   If the following commands return no results (in an admin shell),
+   virtual network creation — a necessary prerequisite for the kubelet to work — has failed:
+
+   ```powershell
+   Get-HnsNetwork | ? Name -ieq "cbr0"
+   Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*"
+   ```
+
+   Often it is worthwhile to modify the [InterfaceName](https://github.com/microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1#L7) parameter of the start.ps1 script,
+   in cases where the host's network adapter isn't "Ethernet".
+   Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation.
+-->
+5. 我的 Windows 节点无法通过服务 IP 访问我的服务
+
+   这是 Windows 上网络栈的一个已知限制。但是 Windows Pod 可以访问 Service IP。
+
+6. 启动 kubelet 时找不到网络适配器
+
+   Windows 网络栈需要一个虚拟适配器才能使 Kubernetes 网络工作。
+   如果以下命令没有返回结果（在管理员模式的 shell 中），
+   则意味着创建虚拟网络失败，而虚拟网络的存在是 kubelet 正常工作前提：
+
+   ```powershell
+   Get-HnsNetwork | ? Name -ieq "cbr0"
+   Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*"
+   ```
+
+   如果主机的网络适配器不是 "Ethernet"，通常有必要修改 `start.ps1` 脚本的
+   [InterfaceName](https://github.com/microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1#L7) 参数。
+   否则，如果虚拟网络创建过程出错，请检查 `start-kubelet.ps1` 脚本的输出。
+<!--    
+7. DNS resolution is not properly working
+
+   Check the DNS limitations for Windows in this [section](#dns-limitations).
+
+8. `kubectl port-forward` fails with "unable to do port forwarding: wincat not found"
+
+   This was implemented in Kubernetes 1.15 by including `wincat.exe` in the pause infrastructure container `mcr.microsoft.com/oss/kubernetes/pause:3.6`.
+   Be sure to use a supported version of Kubernetes.
+   If you would like to build your own pause infrastructure container be sure to include [wincat](https://github.com/kubernetes/kubernetes/tree/master/build/pause/windows/wincat).
+-->
+7. DNS 解析工作异常
+
+   在[本节](#dns-limitations)中了解 Windows 系统上的 DNS 限制。
+
+8. `kubectl port-forward` 失败，错误为 "unable to do port forwarding: wincat not found"
+
+   在 Kubernetes 1.15 中，pause 基础架构容器 `mcr.microsoft.com/oss/kubernetes/pause:3.6`
+   中包含 `wincat.exe` 来实现端口转发。
+   请确保使用 Kubernetes 的受支持版本。如果你想构建自己的 pause 基础架构容器，
+   请确保其中包含 [wincat](https://github.com/kubernetes/kubernetes/tree/master/build/pause/windows/wincat)。
+<!--   
+9. My Kubernetes installation is failing because my Windows Server node is behind a proxy
+
+   If you are behind a proxy, the following PowerShell environment variables must be defined:
+
+   ```PowerShell
+   [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine)
+   [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine)
+   ```
+-->
+9. 我的 Kubernetes 安装失败，因为我的 Windows 服务器节点使用了代理服务器
+
+   如果使用了代理服务器，必须定义下面的 PowerShell 环境变量：
+
+   ```PowerShell
+   [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine)
+   [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine)
+   ```
+<!-- 
+### Flannel troubleshooting
+
+1. With Flannel, my nodes are having issues after rejoining a cluster
+
+   Whenever a previously deleted node is being re-joined to the cluster, flannelD
+   tries to assign a new pod subnet to the node. Users should remove the old pod
+   subnet configuration files in the following paths:
+
+   ```powershell
+   Remove-Item C:\k\SourceVip.json
+   Remove-Item C:\k\SourceVipRequest.json
+   ```
+-->
+## Flannel 故障排查 {#troubleshooting-network}
+
+1. 使用 Flannel 时，我的节点在重新加入集群后出现问题
+
+   当先前删除的节点重新加入集群时, flannelD 尝试为节点分配一个新的 Pod 子网。
+   用户应该在以下路径中删除旧的 Pod 子网配置文件：
+
+   ```powershell
+   Remove-Item C:\k\SourceVip.json
+   Remove-Item C:\k\SourceVipRequest.json
+   ```
+<!-- 
+2. Flanneld is stuck in "Waiting for the Network to be created"
+
+   There are numerous reports of this [issue](https://github.com/coreos/flannel/issues/1066);
+   most likely it is a timing issue for when the management IP of the flannel network is set.
+   A workaround is to relaunch `start.ps1` or relaunch it manually as follows:
+
+   ```powershell
+   [Environment]::SetEnvironmentVariable("NODE_NAME", "<Windows_Worker_Hostname>")
+   C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface=<Windows_Worker_Node_IP> --ip-masq=1 --kube-subnet-mgr=1
+   ```
+-->
+2. Flanneld 卡在 "Waiting for the Network to be created"
+
+   关于这个[问题](https://github.com/coreos/flannel/issues/1066)有很多报告 ；
+   很可能是 flannel 网络管理 IP 的设置时机问题。
+   一个变通方法是重新启动 `start.ps1` 或按如下方式手动重启：
+
+   ```powershell
+   [Environment]::SetEnvironmentVariable("NODE_NAME", "<Windows 工作节点主机名>")
+   C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface=<Windows 工作节点 IP> --ip-masq=1 --kube-subnet-mgr=1
+   ```
+<!-- 
+3. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env`
+
+   This indicates that Flannel didn't launch correctly. You can either try
+   to restart `flanneld.exe` or you can copy the files over manually from
+   `/run/flannel/subnet.env` on the Kubernetes master to `C:\run\flannel\subnet.env`
+   on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different
+   number. For example, if node subnet 10.244.4.1/24 is desired:
+
+   ```env
+   FLANNEL_NETWORK=10.244.0.0/16
+   FLANNEL_SUBNET=10.244.4.1/24
+   FLANNEL_MTU=1500
+   FLANNEL_IPMASQ=true
+   ```
+-->
+3. 我的 Windows Pod 无法启动，因为缺少 `/run/flannel/subnet.env`
+
+   这表明 Flannel 没有正确启动。你可以尝试重启`flanneld.exe` 或者你可以将 Kubernetes 控制节点的
+   `/run/flannel/subnet.env` 文件手动拷贝到 Windows 工作节点上，放在 `C:\run\flannel\subnet.env`；
+   并且将 `FLANNEL_SUBNET` 行修改为不同取值。例如，如果期望节点子网为 10.244.4.1/24：
+
+   ```env
+   FLANNEL_NETWORK=10.244.0.0/16
+   FLANNEL_SUBNET=10.244.4.1/24
+   FLANNEL_MTU=1500
+   FLANNEL_IPMASQ=true
+   ```
+<!-- 
+### Further investigation
+
+If these steps don't resolve your problem, you can get help running Windows containers on Windows nodes in Kubernetes through:
+
+* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic
+* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/)
+* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows)
+-->
+### 进一步探查   {#further-investigation}
+
+如果这些步骤都不能解决你的问题，你可以通过以下方式获得关于在 Kubernetes 中运行 Windows 容器的帮助：
+
+* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic
+* Kubernetes 官方论坛 [discuss.kubernetes.io](https://discuss.kubernetes.io/)
+* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows)
diff --git a/content/zh/docs/tasks/extend-kubectl/kubectl-plugins.md b/content/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins.md
similarity index 99%
rename from content/zh/docs/tasks/extend-kubectl/kubectl-plugins.md
rename to content/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins.md
index 72235b1601fcb..348257e584154 100644
--- a/content/zh/docs/tasks/extend-kubectl/kubectl-plugins.md
+++ b/content/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins.md
@@ -18,7 +18,7 @@ content_type: task
 This guide demonstrates how to install and write extensions for [kubectl](/docs/reference/kubectl/kubectl/). By thinking of core `kubectl` commands as essential building blocks for interacting with a Kubernetes cluster, a cluster administrator can think
 of plugins as a means of utilizing these building blocks to create more complex behavior. Plugins extend `kubectl` with new sub-commands, allowing for new and custom features not included in the main distribution of `kubectl`.
 -->
-本指南演示了如何为 [kubectl](/zh/docs/reference/kubectl/kubectl/) 安装和编写扩展。
+本指南演示了如何为 [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 安装和编写扩展。
 通过将核心 `kubectl` 命令看作与 Kubernetes 集群交互的基本构建块，
 集群管理员可以将插件视为一种利用这些构建块创建更复杂行为的方法。
 插件用新的子命令扩展了 `kubectl`，允许新的和自定义的特性不包括在 `kubectl` 的主要发行版中。
@@ -510,7 +510,7 @@ an example usage of the tools provided in the CLI Runtime repo.
 [cli-runtime](https://github.com/kubernetes/cli-runtime) 工具库。
 
 这些库提供了一些辅助函数，用来解析和更新用户的
-[kubeconfig](/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+[kubeconfig](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
 文件，向 API 服务器发起 REST 风格的请求，或者将参数绑定到某配置上，
 抑或将其打印输出。
 
diff --git a/content/zh/docs/tasks/extend-kubernetes/_index.md b/content/zh-cn/docs/tasks/extend-kubernetes/_index.md
similarity index 100%
rename from content/zh/docs/tasks/extend-kubernetes/_index.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/_index.md
diff --git a/content/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer.md b/content/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer.md
similarity index 96%
rename from content/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer.md
index ea9043c64b83b..6c2f42129e373 100644
--- a/content/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer.md
@@ -18,7 +18,7 @@ weight: 10
 <!--
 Configuring the [aggregation layer](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs.
 -->
-配置[聚合层](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
+配置[聚合层](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
 可以允许 Kubernetes apiserver 使用其它 API 扩展，这些 API 不是核心
 Kubernetes API 的一部分。
 
@@ -39,7 +39,7 @@ There are a few setup requirements for getting the aggregation layer working in
 Reusing the same CA for different client types can negatively impact the cluster's ability to function. For more information, see [CA Reusage and Conflicts](#ca-reusage-and-conflicts).
 -->
 {{< caution >}}
-对不同的客户端类型重复使用相同的 CA 会对群集的功能产生负面影响。
+对不同的客户端类型重复使用相同的 CA 会对集群的功能产生负面影响。
 有关更多信息，请参见 [CA 重用和冲突](#ca-reusage-and-conflicts)。
 {{< /caution >}}
 
@@ -232,9 +232,9 @@ Kubernetes apiserver 中注册。
 Kubernetes apiserver 使用它的标准认证和授权配置来对用户认证，以及对特定路径的鉴权。
 
 有关对 Kubernetes 集群认证的概述，请参见
-[对集群认证](/zh/docs/reference/access-authn-authz/authentication/)。
-有关对Kubernetes群集资源的访问鉴权的概述，请参见
-[鉴权概述](/zh/docs/reference/access-authn-authz/authorization/)。
+[对集群认证](/zh-cn/docs/reference/access-authn-authz/authentication/)。
+有关对Kubernetes集群资源的访问鉴权的概述，请参见
+[鉴权概述](/zh-cn/docs/reference/access-authn-authz/authorization/)。
 
 到目前为止，所有内容都是标准的 Kubernetes API 请求，认证与鉴权。
 
@@ -407,7 +407,7 @@ In order for the extension apiserver to be authorized itself to submit the `Subj
 
 扩展 apiserver 现在可以验证从标头检索的`user/group`是否有权执行给定请求。
 通过向 Kubernetes apiserver 发送标准
-[SubjectAccessReview](/zh/docs/reference/access-authn-authz/authorization/) 请求来实现。
+[SubjectAccessReview](/zh-cn/docs/reference/access-authn-authz/authorization/) 请求来实现。
 
 为了使扩展 apiserver 本身被鉴权可以向 Kubernetes apiserver 提交 SubjectAccessReview 请求，
 它需要正确的权限。
@@ -466,7 +466,7 @@ Each of these functions independently and can conflict with each other, if not u
   则 Kubernetes apiserver 会检查请求的证书。
   如果它是由 `--client-ca-file` 引用的文件中的 CA 证书之一签名的，
   并且用户是公用名`CN=`的值，而组是组织`O=` 的取值，则该请求被视为合法请求。
-  请参阅[关于 TLS 身份验证的文档](/zh/docs/reference/access-authn-authz/authentication/#x509-client-certs)。
+  请参阅[关于 TLS 身份验证的文档](/zh-cn/docs/reference/access-authn-authz/authentication/#x509-client-certs)。
 
 * `--requestheader-client-ca-file`：当请求到达 Kubernetes apiserver 时，
   如果启用此选项，则 Kubernetes apiserver 会检查请求的证书。
@@ -545,7 +545,7 @@ The name of an APIService object must be a valid
 [path segment name](/docs/concepts/overview/working-with-objects/names#path-segment-names).
 -->
 APIService 对象的名称必须是合法的
-[路径片段名称](/zh/docs/concepts/overview/working-with-objects/names#path-segment-names)。
+[路径片段名称](/zh-cn/docs/concepts/overview/working-with-objects/names#path-segment-names)。
 
 <!--
 #### Contacting the extension apiserver
@@ -598,6 +598,6 @@ spec:
 * Learn how to [Extend the Kubernetes API Using Custom Resource Definitions](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/).
 -->
 
-* 使用聚合层[安装扩展 API 服务器](/zh/docs/tasks/extend-kubernetes/setup-extension-api-server/)。
-* 有关高级概述，请参阅[使用聚合层扩展 Kubernetes API](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)。
-* 了解如何[使用自定义资源扩展 Kubernetes API](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)。
+* 使用聚合层[安装扩展 API 服务器](/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server/)。
+* 有关高级概述，请参阅[使用聚合层扩展 Kubernetes API](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)。
+* 了解如何[使用自定义资源扩展 Kubernetes API](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)。
diff --git a/content/zh/docs/tasks/extend-kubernetes/configure-multiple-schedulers.md b/content/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers.md
similarity index 97%
rename from content/zh/docs/tasks/extend-kubernetes/configure-multiple-schedulers.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers.md
index a90ddad7e4645..d9f67a4a5e68e 100644
--- a/content/zh/docs/tasks/extend-kubernetes/configure-multiple-schedulers.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers.md
@@ -23,7 +23,7 @@ scheduler and instruct Kubernetes what scheduler to use for each of your pods. L
 learn how to run multiple schedulers in Kubernetes with an example.
 -->
 Kubernetes 自带了一个默认调度器，其详细描述请查阅
-[这里](/zh/docs/reference/command-line-tools-reference/kube-scheduler/)。
+[这里](/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/)。
 如果默认调度器不适合你的需求，你可以实现自己的调度器。
 而且，你甚至可以和默认调度器一起同时运行多个调度器，并告诉 Kubernetes 为每个
 Pod 使用哪个调度器。
@@ -108,8 +108,8 @@ config. Save it as `my-scheduler.yaml`:
 
 现在将调度器放在容器镜像中，为它创建一个 Pod 配置，并在 Kubernetes 集群中
 运行它。但是与其在集群中直接创建一个 Pod，不如使用
-[Deployment](/zh/docs/concepts/workloads/controllers/deployment/)。
-Deployment 管理一个 [ReplicaSet](/zh/docs/concepts/workloads/controllers/replicaset/)，
+[Deployment](/zh-cn/docs/concepts/workloads/controllers/deployment/)。
+Deployment 管理一个 [ReplicaSet](/zh-cn/docs/concepts/workloads/controllers/replicaset/)，
 ReplicaSet 再管理 Pod，从而使调度器能够免受一些故障的影响。
 以下是 Deployment 配置，将其保存为 `my-scheduler.yaml`：
 
@@ -120,7 +120,7 @@ In the above manifest, you use a [KubeSchedulerConfiguration](/docs/reference/sc
 to customize the behavior of your scheduler implementation. This configuration has been passed to
 the `kube-scheduler` during initialization with the `--config` option. The `my-scheduler-config` ConfigMap stores the configuration file. The Pod of the`my-scheduler` Deployment mounts the `my-scheduler-config` ConfigMap as a volume.
 -->
-在以上的清单中，你使用 [KubeSchedulerConfiguration](/zh/docs/reference/scheduling/config/) 
+在以上的清单中，你使用 [KubeSchedulerConfiguration](/zh-cn/docs/reference/scheduling/config/) 
 来自定义调度器实现的行为。当使用 `--config` 选项进行初始化时，该配置被传递到 `kube-scheduler`。
 `my-scheduler-config` ConfigMap 存储配置数据。
 `my-scheduler` Deployment 的 Pod 将 `my-scheduler-config` ConfigMap 挂载为一个卷。
@@ -369,6 +369,6 @@ You can also use a [custom scheduler configuration](/docs/reference/scheduling/c
 or a custom container image for the cluster's main scheduler by modifying its static pod manifest
 on the relevant control plane nodes.
 -->
-你也可以使用[自定义调度器配置](/zh/docs/reference/scheduling/config/#multiple-profiles)
+你也可以使用[自定义调度器配置](/zh-cn/docs/reference/scheduling/config/#multiple-profiles)
 或自定义容器镜像，用于集群的主调度器，方法是在相关控制平面节点上修改其静态 pod 清单。
 
diff --git a/content/zh/docs/tasks/extend-kubernetes/custom-resources/_index.md b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/_index.md
similarity index 100%
rename from content/zh/docs/tasks/extend-kubernetes/custom-resources/_index.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/_index.md
diff --git a/content/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
similarity index 99%
rename from content/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
index 38af138e6106b..540e8736fe361 100644
--- a/content/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
@@ -33,7 +33,7 @@ API 升级时需要在不同 API 表示形式之间进行转换。
 <!--
 You should have a initial understanding of [custom resources](/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
 -->
-你应该对[定制资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+你应该对[定制资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 有一些初步了解。
 
 {{< version-check >}}
@@ -524,7 +524,7 @@ Webhook conversion is available as beta since 1.15, and as alpha since Kubernete
 Webhook 转换在 Kubernetes 1.13 版本引入，在 Kubernetes 1.15 中成为 Beta 功能。
 要使用此功能，应启用 `CustomResourceWebhookConversion` 特性。
 在大多数集群上，这类 Beta 特性应该是自动启用的。
-请参阅[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+请参阅[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 文档以获得更多信息。
 {{< /note >}}
 
@@ -599,7 +599,7 @@ how to [authenticate API servers](/docs/reference/access-authn-authz/extensible-
 默认为 `NoClientCert`。
 这意味着 webhook 服务器没有验证客户端（也就是 API 服务器）的身份。
 如果你需要双向 TLS 或者其他方式来验证客户端，请参阅如何
-[验证 API 服务](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers)。
+[验证 API 服务](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers)。
 {{< /note >}}
 
 <!--
@@ -626,7 +626,7 @@ The assumption for next sections is that the conversion webhook server is deploy
 ### 部署转换 Webhook 服务
 
 用于部署转换 webhook 的文档与
-[准入 Webhook 服务示例](/zh/docs/reference/access-authn-authz/extensible-admission-controllers/#deploy_the_admission_webhook_service)相同。
+[准入 Webhook 服务示例](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#deploy_the_admission_webhook_service)相同。
 这里的假设是转换 Webhook 服务器被部署为 `default` 名字空间中名为
 `example-conversion-webhook-server` 的服务，并在路径 `/crdconvert`
 上处理请求。
diff --git a/content/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
similarity index 56%
rename from content/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
index 76ac25c9243ec..df078bdb74740 100644
--- a/content/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md
@@ -27,7 +27,7 @@ into the Kubernetes API by creating a
 本页展示如何使用
 [CustomResourceDefinition](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#customresourcedefinition-v1-apiextensions-k8s-io)
 将
-[定制资源（Custom Resource）](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+[定制资源（Custom Resource）](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 安装到 Kubernetes API 上。
 
 ## {{% heading "prerequisites" %}}
@@ -47,21 +47,23 @@ the documentation for that version to see advice that is relevant for your clust
 ## Create a CustomResourceDefinition
 
 When you create a new CustomResourceDefinition (CRD), the Kubernetes API Server
-creates a new RESTful resource path for each version you specify. The CRD can be
-either namespaced or cluster-scoped, as specified in the CRD's `scope` field. As
-with existing built-in objects, deleting a namespace deletes all custom objects
-in that namespace. CustomResourceDefinitions themselves are non-namespaced and
-are available to all namespaces.
-
+creates a new RESTful resource path for each version you specify. The custom
+resource created from a CRD object can be either namespaced or cluster-scoped,
+as specified in the CRD's `spec.scope` field. As with existing built-in
+objects, deleting a namespace deletes all custom objects in that namespace.
+CustomResourceDefinitions themselves are non-namespaced and are available to
+all namespaces.
 For example, if you save the following CustomResourceDefinition to `resourcedefinition.yaml`:
 -->
 ## 创建 CustomResourceDefinition  {#create-a-customresourcedefinition}
 
-当你创建新的 CustomResourceDefinition（CRD）时，Kubernetes API 服务器会为你所
-指定的每一个版本生成一个 RESTful 的 资源路径。CRD 可以是名字空间作用域的，也可以
-是集群作用域的，取决于 CRD 的 `scope` 字段设置。和其他现有的内置对象一样，删除
-一个名字空间时，该名字空间下的所有定制对象也会被删除。CustomResourceDefinition
-本身是不受名字空间限制的，对所有名字空间可用。
+当你创建新的 CustomResourceDefinition（CRD）时，Kubernetes API 服务器会为你所指定的每个版本生成一个新的
+RESTful 资源路径。
+基于 CRD 对象所创建的自定义资源可以是名字空间作用域的，也可以是集群作用域的，
+取决于 CRD 对象 `spec.scope` 字段的设置。
+
+与其它的内置对象一样，删除名字空间也将删除该名字空间中的所有自定义对象。
+CustomResourceDefinitions 本身是无名字空间的，可在所有名字空间中访问。
 
 例如，如果你将下面的 CustomResourceDefinition 保存到 `resourcedefinition.yaml`
 文件：
@@ -546,7 +548,7 @@ resource definitions to:
 * 裁剪未启用。
 * 可以存储任意数据。
 
-为了与 `apiextensions.k8s.io/v1` 兼容，将你的自定义资源定义更新为：
+为了与 `apiextensions.k8s.io/v1` 兼容，将你的定制资源定义更新为：
 
 1. 使用结构化的 OpenAPI 模式。
 2. `spec.preserveUnknownFields` 设置为 `false`。
@@ -831,7 +833,7 @@ CustomResourceDefinition and migrating your objects from one version to another.
 
 关于如何为你的 CustomResourceDefinition 提供多个版本的支持，以及如何将你的对象
 从一个版本迁移到另一个版本， 详细信息可参阅
-[定制资源定义的版本](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/)。
+[定制资源定义的版本](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/)。
 
 <!-- discussion -->
 
@@ -902,16 +904,17 @@ Kubernetes 会最终删除该资源，
 ### Validation
 
 Custom resources are validated via
-[OpenAPI v3 schemas](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#schemaObject)
-and you can add additional validation using
+[OpenAPI v3 schemas](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#schemaObject),
+by x-kubernetes-validations when the [Validation Rules feature](#validation-rules) is enabled, and you
+can add additional validation using
 [admission webhooks](/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook).
 -->
 ### 合法性检查    {#validation}
 
 定制资源是通过
 [OpenAPI v3 模式定义](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#schemaObject)
-来执行合法性检查的，
-你可以通过使用[准入控制 Webhook](/zh/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook)
+来执行合法性检查的，当启用[验证规则特性](#validation-rules)时，通过 `x-kubernetes-validations` 验证，
+你可以通过使用[准入控制 Webhook](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook)
 来添加额外的合法性检查逻辑。
 
 <!--
@@ -949,6 +952,16 @@ Additionally, the following restrictions are applied to the schema:
 - 字段 `additionalProperties` 不可设置为 `false`
 - 字段 `additionalProperties` 与 `properties` 互斥，不可同时使用
 
+<!--
+The `x-kubernetes-validations` extension can be used to validate custom resources using [Common
+Expression Language (CEL)](https://github.com/google/cel-spec) expressions when the [Validation
+rules](#validation-rules) feature is enabled and the CustomResourceDefinition schema is a
+[structural schema](#specifying-a-structural-schema).
+-->
+当[验证规则特性](#validation-rules)被启用并且 CustomResourceDefinition
+模式是一个[结构化的模式定义](#specifying-a-structural-schema)时，
+`x-kubernetes-validations` 扩展可以使用[通用表达式语言(CEL)](https://github.com/google/cel-spec)表达式来验证定制资源。
+
 <!--
 The `default` field can be set when the [Defaulting feature](#defaulting) is enabled,
 which is the case with `apiextensions.k8s.io/v1` CustomResourceDefinitions.
@@ -960,7 +973,7 @@ enabled, which is the case automatically for many clusters for beta features).
 就 `apiextensions.k8s.io/v1` 组的 CustomResourceDefinitions，这一条件是满足的。
 设置默认值的功能特性从 1.17 开始正式发布。该特性在 1.16 版本中处于
 Beta 状态，要求 `CustomResourceDefaulting`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
 被启用。对于大多数集群而言，Beta 状态的特性门控默认都是自动启用的。
 
 <!--
@@ -1112,6 +1125,780 @@ And create it:
 kubectl apply -f my-crontab.yaml
 crontab "my-new-cron-object" created
 ```
+<!--
+## Validation rules
+-->
+## 验证规则
+
+{{< feature-state state="alpha" for_k8s_version="v1.23" >}}
+
+<!--
+Validation rules are in alpha since 1.23 and validate custom resources when the
+`CustomResourceValidationExpressions` [feature
+gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled.
+This feature is only available if the schema is a
+[structural schema](#specifying-a-structural-schema).
+-->
+验证规则从 1.23 开始处于 Alpha 状态，
+当 `CustomResourceValidationExpressions` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)被启用时，
+验证定制资源。这个功能只有在模式是[结构化的模式](#specifying-a-structural-schema)时才可用。
+
+<!--
+Validation rules use the [Common Expression Language (CEL)](https://github.com/google/cel-spec)
+to validate custom resource values. Validation rules are included in
+CustomResourceDefinition schemas using the `x-kubernetes-validations` extension.
+-->
+验证规则使用[通用表达式语言（CEL）](https://github.com/google/cel-spec)来验证定制资源的值。
+验证规则使用 `x-kubernetes-validations` 扩展包含在 `CustomResourceDefinition` 模式定义中。
+
+<!--
+The Rule is scoped to the location of the `x-kubernetes-validations` extension in the schema.
+And `self` variable in the CEL expression is bound to the scoped value.
+-->
+规则的作用域是模式定义中 `x-kubernetes-validations` 扩展所在的位置。
+CEL 表达式中的 `self` 变量被绑定到限定作用域的取值。
+
+<!--
+All validation rules are scoped to the current object: no cross-object or stateful validation rules are supported.
+-->
+所有验证规则都是针对当前对象的：不支持跨对象或有状态的验证规则。
+
+<!--
+For example:
+-->
+例如:
+
+```yaml
+    ...
+    openAPIV3Schema:
+      type: object
+      properties:
+        spec:
+          type: object
+          x-kubernetes-validations:
+            - rule: "self.minReplicas <= self.replicas"
+              message: "replicas should be greater than or equal to minReplicas."
+            - rule: "self.replicas <= self.maxReplicas"
+              message: "replicas should be smaller than or equal to maxReplicas."
+          properties:
+            ...
+            minReplicas:
+              type: integer
+            replicas:
+              type: integer
+            maxReplicas:
+              type: integer
+          required:
+            - minReplicas
+            - replicas
+            - maxReplicas
+```
+
+<!--
+will reject a request to create this custom resource:
+-->
+将拒绝创建这个定制资源的请求:
+
+```yaml
+apiVersion: "stable.example.com/v1"
+kind: CronTab
+metadata:
+  name: my-new-cron-object
+spec:
+  minReplicas: 0
+  replicas: 20
+  maxReplicas: 10
+```
+<!--
+with the response:
+-->
+
+返回响应为：
+
+```
+The CronTab "my-new-cron-object" is invalid:
+* spec: Invalid value: map[string]interface {}{"maxReplicas":10, "minReplicas":0, "replicas":20}: replicas should be smaller than or equal to maxReplicas.
+```
+
+<!--
+`x-kubernetes-validations` could have multiple rules.
+
+The `rule` under `x-kubernetes-validations` represents the expression which will be evaluated by CEL.
+
+The `message` represents the message displayed when validation fails. If message is unset, the above response would be:
+-->
+`x-kubernetes-validations` 可以有多条规则。 
+
+`x-kubernetes-validations` 下的 `rule` 代表将由 CEL 评估的表达式。
+
+`message` 代表验证失败时显示的信息。如果消息没有设置，上述响应将是：
+```
+The CronTab "my-new-cron-object" is invalid:
+* spec: Invalid value: map[string]interface {}{"maxReplicas":10, "minReplicas":0, "replicas":20}: failed rule: self.replicas <= self.maxReplicas
+```
+
+<!--
+Validation rules are compiled when CRDs are created/updated.
+The request of CRDs create/update will fail if compilation of validation rules fail.
+Compilation process includes type checking as well.
+-->
+当 CRD 被创建/更新时，验证规则被编译。
+如果验证规则的编译失败，CRD 的创建/更新请求将失败。
+编译过程也包括类型检查。
+
+<!--
+The compilation failure:
+- `no_matching_overload`: this function has no overload for the types of the arguments.
+
+   e.g. Rule like `self == true` against a field of integer type will get error:
+  ```
+  Invalid value: apiextensions.ValidationRule{Rule:"self == true", Message:""}: compilation failed: ERROR: \<input>:1:6: found no matching overload for '_==_' applied to '(int, bool)'
+  ```
+
+- `no_such_field`: does not contain the desired field.
+
+   e.g. Rule like `self.nonExistingField > 0` against a non-existing field will return the error:
+  ```
+  Invalid value: apiextensions.ValidationRule{Rule:"self.nonExistingField > 0", Message:""}: compilation failed: ERROR: \<input>:1:5: undefined field 'nonExistingField'
+  ```
+
+- `invalid argument`: invalid argument to macros.
+
+  e.g. Rule like `has(self)` will return error:
+  ```
+  Invalid value: apiextensions.ValidationRule{Rule:"has(self)", Message:""}: compilation failed: ERROR: <input>:1:4: invalid argument to has() macro
+  ```
+-->
+编译失败：
+- `no_matching_overload`：此函数没有参数类型的重载。
+
+  例如，像 `self == true` 这样的规则对一个整数类型的字段将得到错误：
+  ```
+  Invalid value: apiextensions.ValidationRule{Rule:"self == true", Message:""}: compilation failed: ERROR: \<input>:1:6: found no matching overload for '_==_' applied to '(int, bool)'
+  ```
+
+- `no_such_field`：不包含所需的字段。
+  例如，针对一个不存在的字段，像 `self.nonExistingField > 0` 这样的规则将返回错误：
+  ```
+  Invalid value: apiextensions.ValidationRule{Rule:"self.nonExistingField > 0", Message:""}: compilation failed: ERROR: \<input>:1:5: undefined field 'nonExistingField'
+  ```
+
+- `invalid argument`：对宏的无效参数。
+  例如，像 `has(self)` 这样的规则将返回错误：
+  ```
+  Invalid value: apiextensions.ValidationRule{Rule:"has(self)", Message:""}: compilation failed: ERROR: <input>:1:4: invalid argument to has() macro
+  ```
+
+
+<!--
+Validation Rules Examples:
+
+| Rule                                                                             | Purpose                                                                           |
+| ----------------                                                                 | ------------                                                                      |
+| `self.minReplicas <= self.replicas && self.replicas <= self.maxReplicas`         | Validate that the three fields defining replicas are ordered appropriately        |
+| `'Available' in self.stateCounts`                                                | Validate that an entry with the 'Available' key exists in a map                   |
+| `(size(self.list1) == 0) != (size(self.list2) == 0)`                             | Validate that one of two lists is non-empty, but not both                         |
+| <code>!('MY_KEY' in self.map1) &#124;&#124; self['MY_KEY'].matches('^[a-zA-Z]*$')</code>               | Validate the value of a map for a specific key, if it is in the map               |
+| `self.envars.filter(e, e.name = 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')` | Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'  |
+| `has(self.expired) && self.created + self.ttl < self.expired`                    | Validate that 'expired' date is after a 'create' date plus a 'ttl' duration       |
+| `self.health.startsWith('ok')`                                                   | Validate a 'health' string field has the prefix 'ok'                              |
+| `self.widgets.exists(w, w.key == 'x' && w.foo < 10)`                             | Validate that the 'foo' property of a listMap item with a key 'x' is less than 10 |
+| `type(self) == string ? self == '100%' : self == 1000`                           | Validate an int-or-string field for both the the int and string cases             |
+| `self.metadata.name.startsWith(self.prefix)`                                     | Validate that an object's name has the prefix of another field value              |
+| `self.set1.all(e, !(e in self.set2))`                                            | Validate that two listSets are disjoint                                           |
+| `size(self.names) == size(self.details) && self.names.all(n, n in self.details)` | Validate the 'details' map is keyed by the items in the 'names' listSet           |
+
+Xref: [Supported evaluation on CEL](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#evaluation)
+-->
+验证规则例子：
+
+| 规则                                                                             | 目的                                                                             |
+| ----------------                                                                 | ------------                                                                     |
+| `self.minReplicas <= self.replicas && self.replicas <= self.maxReplicas`         | 验证定义副本数的三个字段大小顺序是否正确                                             |
+| `'Available' in self.stateCounts`                                                | 验证 map 中是否存在键名为 `Available`的条目                                   |
+| `(size(self.list1) == 0) != (size(self.list2) == 0)`                             | 验证两个 list 之一是非空的，但不是二者都非空                                   |
+| <code>!('MY_KEY' in self.map1) &#124;&#124; self['MY_KEY'].matches('^[a-zA-Z]*$')</code>               | 如果某个特定的 key 在 map 中，验证 map 中这个 key 的 value |
+| `self.envars.filter(e, e.name = 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')` | 验证一个 listMap 中主键 'name' 为 'MY_ENV' 'value' 的表项，检查其取值 'value'             |
+| `has(self.expired) && self.created + self.ttl < self.expired`    | 验证 'Expired' 日期是否晚于 'Create' 日期加上 'ttl' 持续时间                   |
+| `self.health.startsWith('ok')`                                                   | 验证 'health' 字符串字段有前缀 'ok'             |
+| `self.widgets.exists(w, w.key == 'x' && w.foo < 10)`                             | 验证 key 为 'x' 的 listMap 项的 'foo' 属性是否小于 10                             |
+| `type(self) == string ? self == '100%' : self == 1000`                           | 在 int 型和 string 型两种情况下验证 int-or-string 字段                           |
+| `self.metadata.name.startsWith(self.prefix)`                                     | 验证对象的名称是否具有另一个字段值的前缀                                         |
+| `self.set1.all(e, !(e in self.set2))`                                            | 验证两个 listSet 是否不相交                                                      |
+| `size(self.names) == size(self.details) && self.names.all(n, n in self.details)` | 验证 'details' map 是由 'names' listSet 的项目所决定的。                         |
+
+参考：[CEL 中支持的求值](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#evaluation)
+
+
+<!--
+- If the Rule is scoped to the root of a resource, it may make field selection into any fields
+  declared in the OpenAPIv3 schema of the CRD as well as `apiVersion`, `kind`, `metadata.name` and
+  `metadata.generateName`. This includes selection of fields in both the `spec` and `status` in the
+  same expression:
+-->
+- 如果规则的作用域是某资源的根，则它可以对 CRD 的 OpenAPIv3 模式表达式中声明的任何字段进行字段选择，
+  以及 `apiVersion`、`kind`、`metadata.name` 和 `metadata.generateName`。
+  这包括在同一表达式中对 `spec` 和 `status` 的字段进行选择：
+  ```yaml
+      ...
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-validations:
+          - rule: "self.status.availableReplicas >= self.spec.minReplicas"
+        properties:
+            spec:
+              type: object
+              properties:
+                minReplicas:
+                  type: integer
+                ...
+            status:
+              type: object
+              properties:
+                availableReplicas:
+                  type: integer
+  ```
+
+<!--
+- If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+  via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+  absent fields in CEL expressions.
+-->
+- 如果规则的作用域是具有属性的对象，那么可以通过 `self.field` 对该对象的可访问属性进行字段选择，
+  而字段存在与否可以通过 `has(self.field)` 来检查。
+  在 CEL 表达式中，Null 值的字段被视为不存在的字段。
+
+  ```yaml
+      ...
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-validations:
+              - rule: "has(self.foo)"
+            properties:
+              ...
+              foo:
+                type: integer
+  ```
+
+<!--
+- If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+  are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+  are accessible via CEL macros and functions such as `self.all(...)`.
+-->
+- 如果规则的作用域是一个带有 additionalProperties 的对象（即map），那么 map 的值
+  可以通过 `self[mapKey]` 访问，map 的包含性可以通过 `mapKey in self` 检查，
+  map 中的所有条目可以通过 CEL 宏和函数如 `self.all(...)` 访问。
+  ```yaml
+      ...
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-validations:
+              - rule: "self['xyz'].foo > 0"
+            additionalProperties:
+              ...
+              type: object
+              properties:
+                foo:
+                  type: integer
+  ```
+
+<!--
+- If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+  functions.
+-->
+- 如果规则的作用域是 array，则 array 的元素可以通过 `self[i]` 访问，也可以通过宏和函数访问。
+  ```yaml
+      ...
+      openAPIV3Schema:
+        type: object
+        properties:
+          ...
+          foo:
+            type: array
+            x-kubernetes-validations:
+              - rule: "size(self) == 1"
+            items:
+              type: string
+  ```
+
+<!--
+- If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+-->
+- 如果规则的作用域为标量，则 `self` 将绑定到标量值。
+  ```yaml
+      ...
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              ...
+              foo:
+                type: integer
+                x-kubernetes-validations:
+                - rule: "self > 0"
+  ```
+<!--
+Examples:
+
+|type of the field rule scoped to    | Rule example             |
+| -----------------------| -----------------------|
+| root object            | `self.status.actual <= self.spec.maxDesired`|
+| map of objects         | `self.components['Widget'].priority < 10`|
+| list of integers       | `self.values.all(value, value >= 0 && value < 100)`|
+| string                 | `self.startsWith('kube')`|
+-->
+例子：
+
+| 规则作用域字段类型     | 规则示例             |
+| -----------------------| -----------------------|
+| 根对象            | `self.status.actual <= self.spec.maxDesired`|
+| 对象映射         | `self.components['Widget'].priority < 10`|
+| 整数列表       | `self.values.all(value, value >= 0 && value < 100)`|
+| 字符串                 | `self.startsWith('kube')`|
+
+
+<!--
+The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+-->
+`apiVersion`、`kind``metadata.name` 和 `metadata.generateName` 始终可以从对象的根目录和任何
+带有 `x-kubernetes-embedded-resource` 注解的对象访问。
+其他元数据属性都不可访问。
+
+<!--
+Unknown data preserved in custom resources via `x-kubernetes-preserve-unknown-fields` is not accessible in CEL
+  expressions. This includes:
+  - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+  - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+    - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+    - An array where the items schema is of an "unknown type"
+    - An object where the additionalProperties schema is of an "unknown type"
+-->
+通过 `x-kubernetes-preserve-unknown-fields` 保存在定制资源中的未知数据在 CEL 表达中无法访问。
+这包括：
+  - 使用 `x-kubernetes-preserve-unknown-fields` 的对象模式保留的未知字段值。
+  - 属性模式为"未知类型（Unknown Type）"的对象属性。一个"未知类型"被递归定义为：
+    - 一个没有类型的模式，`x-kubernetes-preserve-unknown-fields` 设置为 true。
+    - 一个数组，其中项目模式为"未知类型"
+    - 一个 additionalProperties 模式为"未知类型"的对象
+
+
+<!--
+Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+Accessible property names are escaped according to the following rules when accessed in the expression:
+-->
+只有 `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` 形式的属性名是可访问的。
+当在表达式中访问时，可访问的属性名称会根据以下规则进行转义：
+
+<!--
+| ----------------------- | -----------------------|
+| `__underscores__`       | `__`                  |
+| `__dot__`               | `.`                   |
+|`__dash__`               | `-`                   |
+| `__slash__`             | `/`                   |
+| `__{keyword}__`         | [CEL RESERVED keyword](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax)       |
+-->
+| 转义序列                | 属性名称等效为        |
+| ----------------------- | ----------------------|
+| `__underscores__`       | `__`                  |
+| `__dot__`               | `.`                   |
+|`__dash__`               | `-`                   |
+| `__slash__`             | `/`                   |
+| `__{keyword}__`         | [CEL 保留关键字](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax)       |
+
+<!--
+Note: CEL RESERVED keyword needs to match the exact property name to be escaped (e.g. int in the word sprint would not be escaped).
+-->
+注意：CEL 保留关键字需要与要转义的确切属性名匹配(例如，单词 `sprint` 中的 `int` 不会转义)。
+
+<!--
+Examples on escaping:
+-->
+转义的例子：
+
+<!--
+|property name    | rule with escaped property name     |
+| ----------------| -----------------------             |
+| namespace       | `self.__namespace__ > 0`            |
+| x-prop          | `self.x__dash__prop > 0`            |
+| redact__d       | `self.redact__underscores__d > 0`   |
+| string          | `self.startsWith('kube')`           |
+-->
+|属性名           | 转义属性名规则                      |
+| ----------------| -----------------------             |
+| namespace       | `self.__namespace__ > 0`            |
+| x-prop          | `self.x__dash__prop > 0`            |
+| redact__d       | `self.redact__underscores__d > 0`   |
+| string          | `self.startsWith('kube')`           |
+
+
+<!--
+Equality on arrays with `x-kubernetes-list-type` of `set` or `map` ignores element order, i.e. [1, 2] == [2, 1].
+Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+ - `set`: `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+      non-intersecting elements in `Y` are appended, retaining their partial order.
+ - `map`: `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+   are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+   non-intersecting keys are appended, retaining their partial order.
+-->
+`set` 或 `map` 的 `x-Kubernetes-list-type` 的数组的等值比较会忽略元素顺序，即[1，2] == [2，1]。
+使用 `x-kubernetes-list-type` 对数组进行串联时，使用 List 类型的语义：
+- `set`：`X + Y` 执行一个并集操作，其中 `X` 中所有元素的数组位置被保留，
+  `Y` 中不相交的元素被追加，保留其部分顺序。
+- `map`：`X + Y`执行合并，其中 `X` 中所有键的数组位置被保留，
+  但当 `X` 和 `Y` 的键集相交时，其值被 `Y` 中的值覆盖。
+  `Y` 中键值不相交的元素被附加，保留其部分顺序。
+
+
+<!--
+Here is the declarations type mapping between OpenAPIv3 and CEL type:
+-->
+以下是 OpenAPIV3 和 CEL 类型之间的声明类型映射：
+
+<!--
+| OpenAPIv3 type                                     | CEL type                                                                                                                     |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| 'object' with Properties                           | object / "message type"                                                                                                      |
+| 'object' with AdditionalProperties                 | map                                                                                                                          |
+| 'object' with x-kubernetes-embedded-type           | object / "message type", 'apiVersion', 'kind', 'metadata.name' and 'metadata.generateName' are implicitly included in schema |
+| 'object' with x-kubernetes-preserve-unknown-fields | object / "message type", unknown fields are NOT accessible in CEL expression                                                 |
+| x-kubernetes-int-or-string                         | dynamic object that is either an int or a string, `type(value)` can be used to check the type                                |
+| 'array                                             | list                                                                                                                         |
+| 'array' with x-kubernetes-list-type=map            | list with map based Equality & unique key guarantees                                                                         |
+| 'array' with x-kubernetes-list-type=set            | list with set based Equality & unique entry guarantees                                                                       |
+| 'boolean'                                          | boolean                                                                                                                      |
+| 'number' (all formats)                             | double                                                                                                                       |
+| 'integer' (all formats)                            | int (64)                                                                                                                     |
+| 'null'                                             | null_type                                                                                                                    |
+| 'string'                                           | string                                                                                                                       |
+| 'string' with format=byte (base64 encoded)         | bytes                                                                                                                        |
+| 'string' with format=date                          | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 'string' with format=datetime                      | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 'string' with format=duration                      | duration (google.protobuf.Duration)                                                                                          |
+-->
+| OpenAPIv3 类型                                     | CEL 类型                                                                                                                     |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| 带有 Properties 的对象                           | 对象 / "消息类型"                                                                                                      |
+| 带有 AdditionalProperties 的对象                 | map                                                                                                                          |
+| 带有 x-kubernetes-embedded-type 的对象           | 对象 / "消息类型"，'apiVersion'、'kind'、'metadata.name' 和 'metadata.generateName' 都隐式包含在模式中 |
+| 带有 x-kubernetes-preserve-unknown-fields 的对象 | 对象 / "消息类型"，未知字段无法从 CEL 表达式中访问                                                 |
+| x-kubernetes-int-or-string                         | 可能是整数或字符串的动态对象，可以用 `type(value)` 来检查类型                                |
+| 数组                                            | list                                                                                                                         |
+| 带有 x-kubernetes-list-type=map 的数组           | 列表，基于集合等值和唯一键名保证的 map 组成                                                                          |
+| 带有 x-kubernetes-list-type=set 的数组            | 列表，基于集合等值和唯一键名保证的 set 组成                                                                        |
+| 布尔值                                          | boolean                                                                                                                      |
+| 数字 (各种格式)                             | double                                                                                                                       |
+| 整数 (各种格式)                            | int (64)                                                                                                                     |
+| 'null'                                             | null_type                                                                                                                    |
+| 字符串                                           | string                                                                                                                       |
+| 带有 format=byte （base64 编码）字符串         | bytes                                                                                                                        |
+| 带有 format=date 字符串                          | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 带有 format=datetime 字符串                      | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 带有 format=duration 字符串                      | duration (google.protobuf.Duration)                                                                                          |
+
+<!--
+xref: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values), [OpenAPI
+types](https://swagger.io/specification/#data-types), [Kubernetes Structural Schemas](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
+-->
+参考：[CEL 类型](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values)，
+[OpenAPI 类型](https://swagger.io/specification/#data-types)，
+[Kubernetes 结构化模式](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema)。
+
+<!--
+#### Validation functions {#available-validation-functions}
+-->
+#### 验证函数   {#available-validation-functions}
+
+<!--
+Functions available include:
+  - CEL standard functions, defined in the [list of standard definitions](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#list-of-standard-definitions)
+  - CEL standard [macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
+  - CEL [extended string function library](https://pkg.go.dev/github.com/google/cel-go@v0.11.2/ext#Strings)
+  - Kubernetes [CEL extension library](https://pkg.go.dev/k8s.io/apiextensions-apiserver@v0.24.0/pkg/apiserver/schema/cel/library#pkg-functions)
+-->
+可用的函数包括：
+  - CEL 标准函数，在[标准定义列表](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#list-of-standard-definitions)中定义
+  - CEL 标准[宏](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
+  - CEL [扩展字符串函数库](https://pkg.go.dev/github.com/google/cel-go@v0.11.2/ext#Strings)
+  - Kubernetes [CEL 扩展库](https://pkg.go.dev/k8s.io/apiextensions-apiserver@v0.24.0/pkg/apiserver/schema/cel/library#pkg-functions)
+
+<!--
+#### Transition rules
+-->
+#### 转换规则
+
+<!--
+A rule that contains an expression referencing the identifier `oldSelf` is implicitly considered a
+_transition rule_. Transition rules allow schema authors to prevent certain transitions between two
+otherwise valid states. For example:
+-->
+包含引用标识符 `oldSself` 的表达式的规则被隐式视为“转换规则（Transition Rule）”。
+转换规则允许模式作者阻止两个原本有效的状态之间的某些转换。例如：
+
+```yaml
+type: string
+enum: ["low", "medium", "high"]
+x-kubernetes-validations:
+- rule: "!(self == 'high' && oldSelf == 'low') && !(self == 'low' && oldSelf == 'high')"
+  message: cannot transition directly between 'low' and 'high'
+```
+
+<!--
+Unlike other rules, transition rules apply only to operations meeting the following criteria:
+-->
+与其他规则不同，转换规则仅适用于满足以下条件的操作：
+
+<!--
+- The operation updates an existing object. Transition rules never apply to create operations.
+-->
+- 更新现有对象的操作。转换规则从不适用于创建操作。
+
+<!--
+- Both an old and a new value exist. It remains possible to check if a value has been added or
+  removed by placing a transition rule on the parent node. Transition rules are never applied to
+  custom resource creation. When placed on an optional field, a transition rule will not apply to
+  update operations that set or unset the field.
+-->
+- 旧的值和新的值都存在。仍然可以通过在父节点上放置转换规则来检查值是否已被添加或移除。
+  转换规则从不应用于定制资源创建。当被放置在可选字段上时，转换规则将不适用于设置或取消设置该字段的更新操作。
+
+<!--
+- The path to the schema node being validated by a transition rule must resolve to a node that is
+  comparable between the old object and the new object. For example, list items and their
+  descendants (`spec.foo[10].bar`) can't necessarily be correlated between an existing object and a
+  later update to the same object.
+-->
+- 被转换规则验证的模式节点的路径必须解析到一个在旧对象和新对象之间具有可比性的节点。
+  例如，列表项和它们的后代（`spec.foo[10].bar`）不一定能在现有对象和后来对同一对象的更新之间产生关联。
+
+<!--
+Errors will be generated on CRD writes if a schema node contains a transition rule that can never be
+applied, e.g. "*path*: update rule *rule* cannot be set on schema because the schema or its parent
+schema is not mergeable".
+-->
+如果一个模式节点包含一个永远不能应用的转换规则，在 CRD 写入时将会产生错误，例如：
+"*path*: update rule *rule* cannot be set on schema because the schema or its parent
+schema is not mergeable"。
+
+<!--
+Transition rules are only allowed on _correlatable portions_ of a schema.
+A portion of the schema is correlatable if all `array` parent schemas are of type `x-kubernetes-list-type=map`; any `set`or `atomic`array parent schemas make it impossible to unambiguously correlate a `self` with `oldSelf`.
+-->
+转换规则只允许在模式的“可关联部分（Correlatable Portions）”中使用。
+如果所有 `array` 父模式都是 `x-kubernetes-list-type=map`类型的，那么该模式的一部分就是可关联的；
+任何 `set` 或者 `atomic` 数组父模式都不支持确定性地将 `self` 与 `oldSelf` 关联起来。
+
+<!--
+Here are some examples for transition rules:
+-->
+这是一些转换规则的例子：
+
+<!--
+{{< table caption="Transition rules examples" >}}
+| Use Case                                                          | Rule
+| --------                                                          | --------
+| Immutability                                                      | `self.foo == oldSelf.foo`
+| Prevent modification/removal once assigned                        | `oldSelf != 'bar' \|\| self == 'bar'` or `!has(oldSelf.field) \|\| has(self.field)`
+| Append-only set                                                   | `self.all(element, element in oldSelf)`
+| If previous value was X, new value can only be A or B, not Y or Z | `oldSelf != 'X' \|\| self in ['A', 'B']`
+| Monotonic (non-decreasing) counters                               | `self >= oldSelf`
+{{< /table >}}
+-->
+{{< table caption="转换规则样例" >}}
+| 用例                                                 | 规则
+| --------                                             | --------
+| 不可变                                               | `self.foo == oldSelf.foo`
+| 赋值后禁止修改/删除                                  | `oldSelf != 'bar' \|\| self == 'bar'` or `!has(oldSelf.field) \|\| has(self.field)`
+| 仅附加的 set                                         | `self.all(element, element in oldSelf)`
+| 如果之前的值为 X，则新值只能为 A 或 B，不能为 Y 或 Z | `oldSelf != 'X' \|\| self in ['A', 'B']`
+| 单调（非递减）计数器                                   | `self >= oldSelf`
+{{< /table >}}
+
+<!--
+#### Resource use by validation functions
+-->
+#### 验证函数的资源使用
+
+<!--
+When you create or update a CustomResourceDefinition that uses validation rules,
+the API server checks the likely impact of running those validation rules. If a rule is
+estimated to be prohibitively expensive to execute, the API server rejects the create
+or update operation, and returns an error message.
+-->
+当你创建或更新一个使用验证规则的 CustomResourceDefinition 时，
+API 服务器会检查运行这些验证规则可能产生的影响。
+如果一个规则的执行成本过高，API 服务器会拒绝创建或更新操作，并返回一个错误信息。
+<!--
+A similar system is used at runtime that observes the actions the interpreter takes. If the interpreter executes
+too many instructions, execution of the rule will be halted, and an error will result.
+-->
+运行时也使用类似的系统来观察解释器的行动。如果解释器执行了太多的指令，规则的执行将被停止，并且会产生一个错误。
+<!--
+Each CustomResourceDefinition is also allowed a certain amount of resources to finish executing all of
+its validation rules. If the sum total of its rules are estimated at creation time to go over that limit,
+then a validation error will also occur.
+-->
+每个 CustomResourceDefinition 也被允许有一定数量的资源来完成其所有验证规则的执行。
+如果在创建时估计其规则的总和超过了这个限制，那么也会发生验证错误。
+
+<!--
+You are unlikely to encounter issues with the resource budget for validation if you only
+specify rules that always take the same amount of time regardless of how large their input is.
+-->
+如果你只指定那些无论输入量有多大都要花费相同时间的规则，你不太可能遇到验证的资源预算问题。
+<!--
+For example, a rule that asserts that `self.foo == 1` does not by itself have any
+risk of rejection on validation resource budget groups.
+-->
+例如，一个断言 `self.foo == 1` 的规则本身不存在因为资源预算组验证而导致被拒绝的风险。
+<!--
+But if `foo` is a string and you define a validation rule `self.foo.contains("someString")`, that rule takes
+longer to execute depending on how long `foo` is.
+-->
+但是，如果 `foo` 是一个字符串，而你定义了一个验证规则 `self.foo.contains("someString")`，
+这个规则需要更长的时间来执行，取决于 `foo` 有多长。
+<!--
+Another example would be if `foo` were an array, and you specified a validation rule `self.foo.all(x, x > 5)`. The cost system always assumes the worst-case scenario if
+a limit on the length of `foo` is not given, and this will happen for anything that can be iterated
+over (lists, maps, etc.).
+-->
+另一个例子是如果 `foo` 是一个数组，而你指定了验证规则 `self.foo.all(x, x > 5)`。
+如果没有给出 `foo` 的长度限制，成本系统总是假设最坏的情况，这将发生在任何可以被迭代的事物上（list、map 等）。
+
+<!--
+Because of this, it is considered best practice to put a limit via `maxItems`, `maxProperties`, and
+`maxLength` for anything that will be processed in a validation rule in order to prevent validation errors during cost estimation. For example, given this schema with one rule:
+-->
+因此，通过 `maxItems`，`maxProperties` 和 `maxLength` 进行限制被认为是最佳实践，
+以在验证规则中处理任何内容，以防止在成本估算期间验证错误。例如，给定具有一个规则的模式：
+
+```yaml
+openAPIV3Schema:
+  type: object
+  properties:
+    foo:
+      type: array
+      items:
+        type: string
+      x-kubernetes-validations:
+        - rule: "self.all(x, x.contains('a string'))"
+```
+
+<!--
+then the API server rejects this rule on validation budget grounds with error:
+-->
+API 服务器以验证预算为由拒绝该规则，并显示错误：
+```
+ spec.validation.openAPIV3Schema.properties[spec].properties[foo].x-kubernetes-validations[0].rule: Forbidden:
+ CEL rule exceeded budget by more than 100x (try simplifying the rule, or adding maxItems, maxProperties, and
+ maxLength where arrays, maps, and strings are used)
+```
+
+<!--
+The rejection happens because `self.all` implies calling `contains()` on every string in `foo`,
+which in turn will check the given string to see if it contains `'a string'`. Without limits, this is a very
+expensive rule.
+-->
+这个拒绝会发生是因为 `self.all` 意味着对 `foo` 中的每一个字符串调用 `contains()`，
+而这又会检查给定的字符串是否包含 `'a string'`。如果没有限制，这是一个非常昂贵的规则。
+
+<!--
+If you do not specify any validation limit, the estimated cost of this rule will exceed the per-rule cost limit. But if you
+add limits in the appropriate places, the rule will be allowed:
+-->
+如果你不指定任何验证限制，这个规则的估计成本将超过每条规则的成本限制。
+但如果你在适当的地方添加限制，该规则将被允许：
+
+```yaml
+openAPIV3Schema:
+  type: object
+  properties:
+    foo:
+      type: array
+      maxItems: 25
+      items:
+        type: string
+        maxLength: 10
+      x-kubernetes-validations:
+        - rule: "self.all(x, x.contains('a string'))"
+```
+
+<!--
+The cost estimation system takes into account how many times the rule will be executed in addition to the
+estimated cost of the rule itself. For instance, the following rule will have the same estimated cost as the
+previous example (despite the rule now being defined on the individual array items):
+-->
+成本评估系统除了考虑规则本身的估计成本外，还考虑到规则将被执行的次数。
+例如，下面这个规则的估计成本与前面的例子相同（尽管该规则现在被定义在单个数组项上）：
+
+```yaml
+openAPIV3Schema:
+  type: object
+  properties:
+    foo:
+      type: array
+      maxItems: 25
+      items:
+        type: string
+        x-kubernetes-validations:
+          - rule: "self.contains('a string'))"
+        maxLength: 10
+```
+
+<!--
+If a list inside of a list has a validation rule that uses `self.all`, that is significantly more expensive
+than a non-nested list with the same rule. A rule that would have been allowed on a non-nested list might need lower limits set on both nested lists in order to be allowed. For example, even without having limits set,
+the following rule is allowed:
+-->
+如果在一个列表内部的一个列表有一个使用 `self.all` 的验证规则，那就会比具有相同规则的非嵌套列表的成本高得多。
+一个在非嵌套列表中被允许的规则可能需要在两个嵌套列表中设置较低的限制才能被允许。
+例如，即使没有设置限制，下面的规则也是允许的：
+
+```yaml
+openAPIV3Schema:
+  type: object
+  properties:
+    foo:
+      type: array
+      items:
+        type: integer
+    x-kubernetes-validations:
+      - rule: "self.all(x, x == 5)"
+```
+
+<!--
+But the same rule on the following schema (with a nested array added) produces a validation error:
+-->
+但是同样的规则在下面的模式中（添加了一个嵌套数组）产生了一个验证错误：
+
+```yaml
+openAPIV3Schema:
+  type: object
+  properties:
+    foo:
+      type: array
+      items:
+        type: array
+        items:
+          type: integer
+        x-kubernetes-validations:
+          - rule: "self.all(x, x == 5)"
+```
+
+<!--
+This is because each item of `foo` is itself an array, and each subarray in turn calls `self.all`. Avoid nested
+lists and maps if possible where validation rules are used.
+-->
+这是因为 `foo` 的每一项本身就是一个数组，而每一个子数组依次调用 `self.all`。
+在使用验证规则的地方，尽可能避免嵌套的列表和字典。
 
 <!--
 ### Defaulting
@@ -1298,19 +2085,17 @@ with `foo` pruned and defaulted because the field is non-nullable, `bar` maintai
 
 CustomResourceDefinition [OpenAPI v3 validation schemas](#validation) which are [structural](#specifying-a-structural-schema) and [enable pruning](#field-pruning) are published as part of the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) from Kubernetes API server.
 
-The [kubectl](/docs/reference/kubectl/overview) command-line tool consumes the published schema to perform client-side validation (`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`) on custom resources. The published schema can be consumed for other purposes as well, like client generation or documentation.
+The [kubectl](/docs/reference/kubectl/) command-line tool consumes the published schema to perform client-side validation (`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`) on custom resources. The published schema can be consumed for other purposes as well, like client generation or documentation.
 -->
 ### 以 OpenAPI v2 形式发布合法性检查模式      {#publish-validation-schema-in-openapi-v2}
 
 CustomResourceDefinition 的[结构化的](#specifying-a-structural-schema)、
 [启用了剪裁的](#preserving-unknown-fields) [OpenAPI v3 合法性检查模式](#validation)
 会在 Kubernetes API 服务器上作为
-[OpenAPI v2 规约](/zh/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)
+[OpenAPI v2 规约](/zh-cn/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)
 的一部分发布出来。
 
-[kubectl](/zh/docs/reference/kubectl/overview) 命令行工具会基于所发布的模式定义来执行
-客户端的合法性检查（`kubectl create` 和 `kubectl apply`），为定制资源的模式定义
-提供解释（`kubectl explain`）。
+[kubectl](/zh-cn/docs/reference/kubectl/) 命令行工具会基于所发布的模式定义来执行客户端的合法性检查（`kubectl create` 和 `kubectl apply`），为定制资源的模式定义提供解释（`kubectl explain`）。
 所发布的模式还可被用于其他目的，例如生成客户端或者生成文档。
 
 <!--
@@ -1323,7 +2108,7 @@ valid OpenAPI schemas that it doesn't understand. The conversion won't modify th
 and therefore won't affect [validation](#validation) in the API server.
 -->
 OpenAPI v3 合法性检查模式定义会被转换为 OpenAPI v2 模式定义，并出现在
-[OpenAPI v2 规范](/zh/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)
+[OpenAPI v2 规范](/zh-cn/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions)
 的 `definitions` 和 `paths` 字段中。
 
 在转换过程中会发生以下修改，目的是保持与 1.13 版本以前的 kubectl 工具兼容。
@@ -1784,7 +2569,7 @@ kubectl get crontabs my-new-cron-object -o jsonpath='{.spec.replicas}'
 You can use a [PodDisruptionBudget](/docs/tasks/run-application/configure-pdb/) to protect custom
 resources that have the scale subresource enabled.
 -->
-你可以使用 [PodDisruptionBudget](/zh/docs/tasks/run-application/configure-pdb/)
+你可以使用 [PodDisruptionBudget](/zh-cn/docs/tasks/run-application/configure-pdb/)
 来保护启用了 scale 子资源的定制资源。
 
 <!--
@@ -1911,7 +2696,7 @@ crontabs/my-new-cron-object   3s
 * Serve [multiple versions](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/) of a
   CustomResourceDefinition.
 -->
-* 阅读了解[定制资源](/zh/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+* 阅读了解[定制资源](/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 * 参阅 [CustomResourceDefinition](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#customresourcedefinition-v1-apiextensions-k8s-io)
-* 参阅支持 CustomResourceDefinition 的[多个版本](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/)
+* 参阅支持 CustomResourceDefinition 的[多个版本](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/)
 
diff --git a/content/zh/docs/tasks/extend-kubernetes/http-proxy-access-api.md b/content/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api.md
similarity index 97%
rename from content/zh/docs/tasks/extend-kubernetes/http-proxy-access-api.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api.md
index 2e4e8bdfd161e..8d9a83f14e998 100644
--- a/content/zh/docs/tasks/extend-kubernetes/http-proxy-access-api.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api.md
@@ -27,7 +27,7 @@ This page shows how to use an HTTP proxy to access the Kubernetes API.
 * If you do not already have an application running in your cluster, start
   a Hello world application by entering this command:
 -->
-* 如果您的集群中还没有任何应用，使用如下命令启动一个 Hello World 应用：
+* 如果你的集群中还没有任何应用，使用如下命令启动一个 Hello World 应用：
 
 ```shell
 kubectl create deployment node-hello --image=gcr.io/google-samples/node-hello:1.0 --port=8080
diff --git a/content/zh/docs/tasks/extend-kubernetes/setup-extension-api-server.md b/content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md
similarity index 95%
rename from content/zh/docs/tasks/extend-kubernetes/setup-extension-api-server.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md
index d66a853525cdd..b234c55855265 100644
--- a/content/zh/docs/tasks/extend-kubernetes/setup-extension-api-server.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md
@@ -30,7 +30,7 @@ Setting up an extension API server to work the aggregation layer allows the Kube
 <!--
 * You must [configure the aggregation layer](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/) and enable the apiserver flags.
 -->
-* 你必须[配置聚合层](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
+* 你必须[配置聚合层](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
   并且启用 API 服务器的相关参数。
 
 <!-- steps -->
@@ -110,7 +110,7 @@ Alternatively, you can use an existing 3rd party solution, such as [apiserver-bu
 * For a high level overview, see [Extending the Kubernetes API with the aggregation layer](/docs/concepts/api-extension/apiserver-aggregation).
 * Learn how to [Extend the Kubernetes API Using Custom Resource Definitions](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/).
 -->
-* 如果你还未配置，请[配置聚合层](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
+* 如果你还未配置，请[配置聚合层](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
   并启用 apiserver 的相关参数。
-* 高级概述，请参阅[使用聚合层扩展 Kubernetes API](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation)。
-* 了解如何[使用 Custom Resource Definition 扩展 Kubernetes API](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)。
+* 高级概述，请参阅[使用聚合层扩展 Kubernetes API](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation)。
+* 了解如何[使用 Custom Resource Definition 扩展 Kubernetes API](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/)。
diff --git a/content/zh/docs/tasks/extend-kubernetes/setup-konnectivity.md b/content/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity.md
similarity index 97%
rename from content/zh/docs/tasks/extend-kubernetes/setup-konnectivity.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity.md
index 1716735ed4a04..cc84dd812b2e5 100644
--- a/content/zh/docs/tasks/extend-kubernetes/setup-konnectivity.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity.md
@@ -64,7 +64,7 @@ your API Server egress configuration file.
 -->
 你需要配置 API 服务器来使用 Konnectivity 服务，并将网络流量定向到集群节点：
 
-确保[服务账号令牌卷投射](/zh/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
+确保[服务账号令牌卷投射](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
 特性被启用。该特性自 Kubernetes v1.20 起默认已被启用。
 
 1. 创建一个出站流量配置文件，比如 `admin/konnectivity/egress-selector-configuration.yaml`。
diff --git a/content/zh/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md b/content/zh-cn/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
similarity index 100%
rename from content/zh/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
rename to content/zh-cn/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
diff --git a/content/zh/docs/tasks/inject-data-application/_index.md b/content/zh-cn/docs/tasks/inject-data-application/_index.md
similarity index 100%
rename from content/zh/docs/tasks/inject-data-application/_index.md
rename to content/zh-cn/docs/tasks/inject-data-application/_index.md
diff --git a/content/zh/docs/tasks/inject-data-application/define-command-argument-container.md b/content/zh-cn/docs/tasks/inject-data-application/define-command-argument-container.md
similarity index 93%
rename from content/zh/docs/tasks/inject-data-application/define-command-argument-container.md
rename to content/zh-cn/docs/tasks/inject-data-application/define-command-argument-container.md
index 3372c8ca2662e..90fdfd02869b6 100644
--- a/content/zh/docs/tasks/inject-data-application/define-command-argument-container.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/define-command-argument-container.md
@@ -131,8 +131,8 @@ and
 [Secrets](/docs/concepts/configuration/secret/).
 -->
 这意味着你可以将那些用来设置环境变量的方法应用于设置命令的参数，其中包括了
-[ConfigMaps](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/) 与
-[Secrets](/zh/docs/concepts/configuration/secret/)。
+[ConfigMaps](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/) 与
+[Secrets](/zh-cn/docs/concepts/configuration/secret/)。
 
 <!--
 The environment variable appears in parentheses, `"$(VAR)"`. This is
@@ -165,11 +165,10 @@ args: ["-c", "while true; do echo hello; sleep 10;done"]
 
 <!--
 * Learn more about [configuring pods and containers](/docs/tasks/).
-* Learn more about [running commands in a container](/docs/tasks/debug-application-cluster/get-shell-running-container/).
+* Learn more about [running commands in a container](/docs/tasks/debug/debug-application/get-shell-running-container/).
 * See [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core).
 -->
-* 进一步了解[配置 Pod 和容器](/zh/docs/tasks/)
-* 进一步了解[在容器中运行命令](/zh/docs/tasks/debug-application-cluster/get-shell-running-container/)
+* 进一步了解[配置 Pod 和容器](/zh-cn/docs/tasks/)
+* 进一步了解[在容器中运行命令](/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/)
 * 参阅 [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
   API 资源
-
diff --git a/content/zh/docs/tasks/inject-data-application/define-environment-variable-container.md b/content/zh-cn/docs/tasks/inject-data-application/define-environment-variable-container.md
similarity index 94%
rename from content/zh/docs/tasks/inject-data-application/define-environment-variable-container.md
rename to content/zh-cn/docs/tasks/inject-data-application/define-environment-variable-container.md
index 2103b34cf21c4..01019ff84cad4 100644
--- a/content/zh/docs/tasks/inject-data-application/define-environment-variable-container.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/define-environment-variable-container.md
@@ -135,7 +135,7 @@ container.
 -->
 ## 在配置中使用环境变量
 
-您在 Pod 的配置中定义的环境变量可以在配置的其他地方使用，
+你在 Pod 的配置中定义的环境变量可以在配置的其他地方使用，
 例如可用在为 Pod 的容器设置的命令和参数中。
 在下面的示例配置中，环境变量 `GREETING` ，`HONORIFIC` 和 `NAME` 分别设置为 `Warm greetings to` ，
 `The Most Honorable` 和 `Kubernetes`。然后这些环境变量在传递给容器 `env-print-demo` 的 CLI 参数中使用。
@@ -173,7 +173,7 @@ Upon creation, the command `echo Warm greetings to The Most Honorable Kubernetes
 * See [EnvVarSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvarsource-v1-core).
 -->
 
-* 进一步了解[环境变量](/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
-* 进一步了解[通过环境变量来使用 Secret](/zh/docs/concepts/configuration/secret/#using-secrets-as-environment-variables)
+* 进一步了解[环境变量](/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
+* 进一步了解[通过环境变量来使用 Secret](/zh-cn/docs/concepts/configuration/secret/#using-secrets-as-environment-variables)
 * 关于 [EnvVarSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvarsource-v1-core) 资源的信息。
 
diff --git a/content/zh/docs/tasks/inject-data-application/define-interdependent-environment-variables.md b/content/zh-cn/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
similarity index 94%
rename from content/zh/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
rename to content/zh-cn/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
index 12c5032b49dac..9567fc2e4e800 100644
--- a/content/zh/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
@@ -29,7 +29,7 @@ in a Kubernetes Pod.
 When you create a Pod, you can set dependent environment variables for the containers that run in the Pod. To set dependent environment variables, you can use $(VAR_NAME) in the `value` of `env` in the configuration file.
 
 In this exercise, you create a Pod that runs one container. The configuration
-file for the Pod defines an dependent environment variable with common usage defined. Here is the configuration manifest for the
+file for the Pod defines a dependent environment variable with common usage defined. Here is the configuration manifest for the
 Pod:
 -->
 ## 为容器定义相互依赖的环境变量   {#define-an-environment-dependent-variable-for-a-container}
@@ -110,6 +110,6 @@ is defined or not. This can be seen from the `ESCAPED_REFERENCE` case above.
 * Learn more about [environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/).
 * See [EnvVarSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvarsource-v1-core).
 -->
-* 进一步了解[环境变量](/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information/).
+* 进一步了解[环境变量](/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/).
 * 参阅 [EnvVarSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvarsource-v1-core).
 
diff --git a/content/zh/docs/tasks/inject-data-application/distribute-credentials-secure.md b/content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md
similarity index 98%
rename from content/zh/docs/tasks/inject-data-application/distribute-credentials-secure.md
rename to content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md
index 5d271d71dd65b..5ede095df1049 100644
--- a/content/zh/docs/tasks/inject-data-application/distribute-credentials-secure.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md
@@ -375,7 +375,7 @@ This functionality is available in Kubernetes v1.6 and later.
 * Learn more about [Secrets](/docs/concepts/configuration/secret/).
 * Learn about [Volumes](/docs/concepts/storage/volumes/).
 -->
-* 进一步了解 [Secret](/zh/docs/concepts/configuration/secret/)。
-* 了解 [Volumes](/zh/docs/concepts/storage/volumes/)。
+* 进一步了解 [Secret](/zh-cn/docs/concepts/configuration/secret/)。
+* 了解 [Volumes](/zh-cn/docs/concepts/storage/volumes/)。
 
 
diff --git a/content/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md b/content/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
similarity index 57%
rename from content/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
rename to content/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
index 69b0b9ee0d377..b41820ea6f870 100644
--- a/content/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md
@@ -7,12 +7,15 @@ weight: 40
 <!-- overview -->
 
 <!--
-This page shows how a Pod can use a DownwardAPIVolumeFile to expose information
-about itself to Containers running in the Pod. A DownwardAPIVolumeFile can expose
-Pod fields and Container fields.
+This page shows how a Pod can use a
+[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
+to expose information about itself to Containers running in the Pod.
+A `DownwardAPIVolumeFile` can expose Pod fields and Container fields.
 -->
-此页面描述 Pod 如何使用 DownwardAPIVolumeFile 把自己的信息呈现给 Pod 中运行的容器。
-DownwardAPIVolumeFile 可以呈现 Pod 的字段和容器字段。
+此页面描述 Pod 如何使用
+[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
+把自己的信息呈现给 Pod 中运行的容器。
+`DownwardAPIVolumeFile` 可以呈现 Pod 和容器的字段。
 
 ## {{% heading "prerequisites" %}}
 
@@ -26,16 +29,19 @@ DownwardAPIVolumeFile 可以呈现 Pod 的字段和容器字段。
 There are two ways to expose Pod and Container fields to a running Container:
 
 * [Environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
-* Volume Files
+* Volume files
+
+Together, these two ways of exposing Pod and Container fields are called the
+"Downward API".
 -->
-## Downward API
+## Downward API   {#the-downward-api}
 
 有两种方式可以将 Pod 和 Container 字段呈现给运行中的容器：
 
-* [环境变量](/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
+* [环境变量](/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#the-downward-api)
 * 卷文件
 
-这两种呈现 Pod 和 Container 字段的方式都称为 *Downward API*。
+这两种呈现 Pod 和 Container 字段的方式都称为 "Downward API"。
 
 <!--
 ## Store Pod fields
@@ -43,7 +49,7 @@ There are two ways to expose Pod and Container fields to a running Container:
 In this exercise, you create a Pod that has one Container.
 Here is the configuration file for the Pod:
 -->
-## 存储 Pod 字段
+## 存储 Pod 字段   {#store-pod-fields}
 
 在这个练习中，你将创建一个包含一个容器的 Pod。Pod 的配置文件如下：
 
@@ -64,7 +70,7 @@ field should be stored in a file named `annotations`.
 `/etc/podinfo` 目录。
 
 查看 `downwardAPI` 下面的 `items` 数组。
-每个数组元素都是一个 
+每个数组元素都是一个
 [DownwardAPIVolumeFile](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
 对象。
 第一个元素指示 Pod 的 `metadata.labels` 字段的值保存在名为 `labels` 的文件中。
@@ -88,7 +94,7 @@ kubectl apply -f https://k8s.io/examples/pods/inject/dapi-volume.yaml
 ```
 
 <!--
-Verify that the Container in the Pod is running:
+Verify that the container in the Pod is running:
 -->
 验证Pod中的容器运行正常：
 
@@ -97,7 +103,7 @@ kubectl get pods
 ```
 
 <!--
-View the Container's logs:
+View the container's logs:
 -->
 查看容器的日志：
 
@@ -106,7 +112,7 @@ kubectl logs kubernetes-downwardapi-volume-example
 ```
 
 <!--
-The output shows the contents of the labels file and the annotations file:
+The output shows the contents of the `labels` file and the `annotations` file:
 -->
 输出显示 `labels` 和 `annotations` 文件的内容：
 
@@ -120,7 +126,7 @@ builder="john-doe"
 ```
 
 <!--
-Get a shell into the Container that is running in your Pod:
+Get a shell into the container that is running in your Pod:
 -->
 进入 Pod 中运行的容器，打开一个 Shell：
 
@@ -152,7 +158,7 @@ zone="us-est-coast"
 <!--
 Similarly, view the `annotations` file:
 -->
-同样，查看`annotations`文件：
+同样，查看 `annotations` 文件：
 
 ```shell
 /# cat /etc/podinfo/annotations
@@ -161,7 +167,7 @@ Similarly, view the `annotations` file:
 <!--
 View the files in the `/etc/podinfo` directory:
 -->
-查看`/etc/podinfo`目录下的文件：
+查看 `/etc/podinfo` 目录下的文件：
 
 ```shell
 /# ls -laR /etc/podinfo
@@ -185,7 +191,7 @@ lrwxrwxrwx  ... Feb 6 21:47 ..data -> ..2982_06_02_21_47_53.299460680
 lrwxrwxrwx  ... Feb 6 21:47 annotations -> ..data/annotations
 lrwxrwxrwx  ... Feb 6 21:47 labels -> ..data/labels
 
-/etc/podinfo/..2982_06_02_21_47_53.299460680:
+/etc/..2982_06_02_21_47_53.299460680:
 total 8
 -rw-r--r--  ... Feb  6 21:47 annotations
 -rw-r--r--  ... Feb  6 21:47 labels
@@ -194,11 +200,10 @@ total 8
 <!--
 Using symbolic links enables dynamic atomic refresh of the metadata; updates are
 written to a new temporary directory, and the `..data` symlink is updated
-atomically using
-[rename(2)](http://man7.org/linux/man-pages/man2/rename.2.html).
+atomically using [rename(2)](http://man7.org/linux/man-pages/man2/rename.2.html).
 -->
 用符号链接可实现元数据的动态原子性刷新；更新将写入一个新的临时目录，
-然后通过使用[rename(2)](http://man7.org/linux/man-pages/man2/rename.2.html)
+然后通过使用 [rename(2)](http://man7.org/linux/man-pages/man2/rename.2.html)
 完成 `..data` 符号链接的原子性更新。
 
 <!--
@@ -208,34 +213,43 @@ receive Downward API updates.
 -->
 {{< note >}}
 如果容器以
-[subPath](/zh/docs/concepts/storage/volumes/#using-subpath)卷挂载方式来使用
+[subPath](/zh-cn/docs/concepts/storage/volumes/#using-subpath)卷挂载方式来使用
 Downward API，则该容器无法收到更新事件。
 {{< /note >}}
 
+<!--
+Exit the shell:
+-->
 退出 Shell：
 
 ```shell
 /# exit
 ```
 
-## 存储容器字段
-
 <!--
-The preceding exercise, you stored Pod fields in a DownwardAPIVolumeFile.
+## Store Container fields
+
+The preceding exercise, you stored Pod fields in a
+[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)..
 In this next exercise, you store Container fields. Here is the configuration
 file for a Pod that has one Container:
 -->
-前面的练习中，你将 Pod 字段保存到 DownwardAPIVolumeFile 中。
+## 存储容器字段   {#store-container-fields}
+
+前面的练习中，你将 Pod 字段保存到
+[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
+中。
 接下来这个练习，你将存储 Container 字段。这里是包含一个容器的 Pod 的配置文件：
 
 {{< codenew file="pods/inject/dapi-volume-resources.yaml" >}}
 
 <!--
-In the configuration file, you can see that the Pod has a `downwardAPI` Volume,
-and the Container mounts the Volume at `/etc/podinfo`.
+In the configuration file, you can see that the Pod has a
+[`downwardAPI` volume](/docs/concepts/storage/volumes/#downwardapi),
+and the Container mounts the volume at `/etc/podinfo`.
 
 Look at the `items` array under `downwardAPI`. Each element of the array is a
-DownwardAPIVolumeFile.
+[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core).
 
 The first element specifies that in the Container named `client-container`,
 the value of the `limits.cpu` field in the format specified by `1m` should be
@@ -244,13 +258,16 @@ default value of `1` which means cores for cpu and bytes for memory.
 
 Create the Pod:
 -->
-在这个配置文件中，你可以看到 Pod 有一个 `downwardAPI` 类型的卷，并且挂载到容器的
-`/etc/podinfo` 目录。
+在这个配置文件中，你可以看到 Pod 有一个
+[`downwardAPI` 卷](/zh-cn/docs/concepts/storage/volumes/#downwardapi)，
+并且挂载到容器的 `/etc/podinfo` 目录。
 
-查看 `downwardAPI` 下面的 `items` 数组。每个数组元素都是一个 DownwardAPIVolumeFile。
+查看 `downwardAPI` 下面的 `items` 数组。每个数组元素都是一个
+[`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)。
 
-第一个元素指定名为 `client-container` 的容器中 `limits.cpu` 字段的值应保存在名为
-`cpu_limit` 的文件中。
+第一个元素指定在名为 `client-container` 的容器中，
+以 `1m` 所指定格式的 `limits.cpu` 字段的值应保存在名为 `cpu_limit` 的文件中。
+`divisor` 字段是可选的，默认值为 `1`，表示 CPU 的核心和内存的字节。
 
 创建Pod：
 
@@ -259,11 +276,11 @@ kubectl apply -f https://k8s.io/examples/pods/inject/dapi-volume-resources.yaml
 ```
 
 <!--
-Get a shell into the Container that is running in your Pod:
+Get a shell into the container that is running in your Pod:
 -->
 打开一个 Shell，进入 Pod 中运行的容器：
 
-```
+```shell
 kubectl exec -it kubernetes-downwardapi-volume-example-2 -- sh
 ```
 
@@ -283,39 +300,50 @@ You can use similar commands to view the `cpu_request`, `mem_limit` and
 你可以使用同样的命令查看 `cpu_request`、`mem_limit` 和 `mem_request` 文件.
 
 <!-- discussion -->
+
+<!-- TODO: This section should be extracted out of the task page. -->
 <!--
 ## Capabilities of the Downward API
 -->
-## Downward API 的能力
+## Downward API 的能力   {#capabilities-of-the-downward-api}
 
 <!--
 The following information is available to containers through environment
 variables and `downwardAPI` volumes:
 
 * Information available via `fieldRef`:
+
   * `metadata.name` - the pod's name
   * `metadata.namespace` - the pod's namespace
   * `metadata.uid` - the pod's UID
-  * `metadata.labels['<KEY>']` - the value of the pod's label `<KEY>` (for example, `metadata.labels['mylabel']`)
-  * `metadata.annotations['<KEY>']` - the value of the pod's annotation `<KEY>` (for example, `metadata.annotations['myannotation']`)
+  * `metadata.labels['<KEY>']` - the value of the pod's label `<KEY>`
+    (for example, `metadata.labels['mylabel']`)
+  * `metadata.annotations['<KEY>']` - the value of the pod's annotation `<KEY>`
+    (for example, `metadata.annotations['myannotation']`)
 -->
 下面这些信息可以通过环境变量和 `downwardAPI` 卷提供给容器：
 
 * 能通过 `fieldRef` 获得的：
+
   * `metadata.name` - Pod 名称
   * `metadata.namespace` - Pod 名字空间
   * `metadata.uid` - Pod 的 UID
-  * `metadata.labels['<KEY>']` - Pod 标签 `<KEY>` 的值 (例如, `metadata.labels['mylabel']`）
-  * `metadata.annotations['<KEY>']` - Pod 的注解 `<KEY>` 的值（例如, `metadata.annotations['myannotation']`）
+  * `metadata.labels['<KEY>']` - Pod 标签 `<KEY>` 的值
+    （例如：`metadata.labels['mylabel']`）
+  * `metadata.annotations['<KEY>']` - Pod 的注解 `<KEY>` 的值
+    （例如：`metadata.annotations['myannotation']`）
 
 <!--
 * Information available via `resourceFieldRef`:
+
   * A Container's CPU limit
   * A Container's CPU request
   * A Container's memory limit
   * A Container's memory request
-  * A Container's hugepages limit (providing that the `DownwardAPIHugePages` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
-  * A Container's hugepages request (providing that the `DownwardAPIHugePages` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
+  * A Container's hugepages limit (provided that the `DownwardAPIHugePages`
+    [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
+  * A Container's hugepages request (provided that the `DownwardAPIHugePages`
+    [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled)
   * A Container's ephemeral-storage limit
   * A Container's ephemeral-storage request
 -->
@@ -324,8 +352,10 @@ variables and `downwardAPI` volumes:
   * 容器的 CPU 请求值
   * 容器的内存约束值
   * 容器的内存请求值
-  * 容器的巨页限制值（前提是启用了 `DownwardAPIHugePages` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)）
-  * 容器的巨页请求值（前提是启用了 `DownwardAPIHugePages` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)）
+  * 容器的巨页限制值（前提是启用了 `DownwardAPIHugePages`
+    [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)）
+  * 容器的巨页请求值（前提是启用了 `DownwardAPIHugePages`
+    [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)）
   * 容器的临时存储约束值
   * 容器的临时存储请求值
 
@@ -334,23 +364,33 @@ In addition, the following information is available through
 `downwardAPI` volume `fieldRef`:
 -->
 此外，以下信息可通过 `downwardAPI` 卷从 `fieldRef` 获得：
+
 <!--
-* `metadata.labels` - all of the pod’s labels, formatted as `label-key="escaped-label-value"` with one label per line
-* `metadata.annotations` - all of the pod’s annotations, formatted as `annotation-key="escaped-annotation-value"` with one annotation per line
+* `metadata.labels` - all of the pod's labels, formatted as `label-key="escaped-label-value"`
+  with one label per line
+* `metadata.annotations` - all of the pod's annotations, formatted as
+  `annotation-key="escaped-annotation-value"` with one annotation per line
 -->
-* `metadata.labels` - Pod 的所有标签，以 `label-key="escaped-label-value"` 格式显示，每行显示一个标签
-* `metadata.annotations` - Pod 的所有注解，以 `annotation-key="escaped-annotation-value"`
-  格式显示，每行显示一个标签
+* `metadata.labels` - Pod 的所有标签，以
+  `label-key="escaped-label-value"` 格式显示，每行显示一个标签
+* `metadata.annotations` - Pod 的所有注解，以
+  `annotation-key="escaped-annotation-value"` 格式显示，每行显示一个标签
 
 <!--
 The following information is available through environment variables:
+
+* `status.podIP` - the pod's IP address
+* `spec.serviceAccountName` - the pod's service account name
+* `spec.nodeName` - the name of the node to which the scheduler always attempts to
+  schedule the pod
+* `status.hostIP` - the IP of the node to which the Pod is assigned
 -->
 以下信息可通过环境变量获得：
 
-* `status.podIP` - 节点 IP
-* `spec.serviceAccountName` - Pod 服务帐号名称, 版本要求 v1.4.0-alpha.3
-* `spec.nodeName` - 节点名称, 版本要求 v1.4.0-alpha.3
-* `status.hostIP` - 节点 IP, 版本要求 v1.7.0-alpha.1
+* `status.podIP` - Pod IP 地址
+* `spec.serviceAccountName` - Pod 服务帐号名称
+* `spec.nodeName` - 调度器总是尝试将 Pod 调度到的节点的名称
+* `status.hostIP` - Pod 分配到的节点的 IP
 
 <!--
 If CPU and memory limits are not specified for a Container, the
@@ -368,15 +408,15 @@ You can project keys to specific paths and specific permissions on a per-file
 basis. For more information, see
 [Secrets](/docs/concepts/configuration/secret/).
 -->
-## 投射键名到指定路径并且指定文件权限
+## 投射键名到指定路径并且指定文件权限   {#project-keys-to-specific-paths-and-file-permissions}
 
 你可以将键名投射到指定路径并且指定每个文件的访问权限。
-更多信息，请参阅[Secrets](/zh/docs/concepts/configuration/secret/).
+更多信息，请参阅 [Secret](/zh-cn/docs/concepts/configuration/secret/)。
 
 <!--
 ## Motivation for the Downward API
 
-It is sometimes useful for a Container to have information about itself, without
+It is sometimes useful for a container to have information about itself, without
 being overly coupled to Kubernetes. The Downward API allows containers to consume
 information about themselves or the cluster without using the Kubernetes client
 or API server.
@@ -387,7 +427,7 @@ application, but that is tedious and error prone, and it violates the goal of lo
 coupling. A better option would be to use the Pod's name as an identifier, and
 inject the Pod's name into the well-known environment variable.
 -->
-## Downward API的动机
+## Downward API 的动机   {#motivation-for-the-downward-api}
 
 对于容器来说，有时候拥有自己的信息是很有用的，可避免与 Kubernetes 过度耦合。
 Downward API 使得容器使用自己或者集群的信息，而不必通过 Kubernetes 客户端或
@@ -399,9 +439,32 @@ API 服务器来获得。
 
 ## {{% heading "whatsnext" %}}
 
-* [PodSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
-* [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
-* [DownwardAPIVolumeSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumesource-v1-core)
-* [DownwardAPIVolumeFile](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
-* [ResourceFieldSelector](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcefieldselector-v1-core)
+<!--
+* Check the [`PodSpec`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
+  API definition which defines the desired state of a Pod.
+* Check the [`Volume`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
+  API definition which defines a generic volume in a Pod for containers to access.
+* Check the [`DownwardAPIVolumeSource`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumesource-v1-core)
+  API definition which defines a volume that contains Downward API information.
+* Check the [`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
+  API definition which contains references to object or resource fields for
+  populating a file in the Downward API volume.
+* Check the [`ResourceFieldSelector`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcefieldselector-v1-core)
+  API definition which specifies the container resources and their output format.
+-->
+* 参阅
+  [`PodSpec`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
+  API 定义，该 API 定义 Pod 所需状态。
+* 参阅
+  [`Volume`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
+  API 定义，该 API 在 Pod 中定义通用卷以供容器访问。
+* 参阅
+  [`DownwardAPIVolumeSource`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumesource-v1-core)
+  API 定义，该 API 定义包含 Downward API 信息的卷。
+* 参阅
+  [`DownwardAPIVolumeFile`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#downwardapivolumefile-v1-core)
+  API 定义，该 API 包含对对象或资源字段的引用，用于在 Downward API 卷中填充文件。
+* 参阅
+  [`ResourceFieldSelector`](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcefieldselector-v1-core)
+  API 定义，该 API 指定容器资源及其输出格式。
 
diff --git a/content/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md b/content/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
similarity index 97%
rename from content/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
rename to content/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
index 94202ffb68bf3..6b52b73b461e1 100644
--- a/content/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md
@@ -39,7 +39,7 @@ Together, these two ways of exposing Pod and Container fields are called the
 有两种方式可以将 Pod 和 Container 字段呈现给运行中的容器：
 
 * 环境变量
-* [卷文件](/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api)
+* [卷文件](/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api)
 
 这两种呈现 Pod 和 Container 字段的方式统称为 *Downward API*。
 
@@ -245,7 +245,7 @@ The output shows the values of selected environment variables:
 * [ResourceFieldSelector](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#resourcefieldselector-v1-core)
 -->
 
-* [给容器定义环境变量](/zh/docs/tasks/inject-data-application/define-environment-variable-container/)
+* [给容器定义环境变量](/zh-cn/docs/tasks/inject-data-application/define-environment-variable-container/)
 * [PodSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
 * [Container](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#container-v1-core)
 * [EnvVar](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvar-v1-core)
diff --git a/content/zh/docs/tasks/job/_index.md b/content/zh-cn/docs/tasks/job/_index.md
similarity index 100%
rename from content/zh/docs/tasks/job/_index.md
rename to content/zh-cn/docs/tasks/job/_index.md
diff --git a/content/zh/docs/tasks/job/automated-tasks-with-cron-jobs.md b/content/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs.md
similarity index 75%
rename from content/zh/docs/tasks/job/automated-tasks-with-cron-jobs.md
rename to content/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs.md
index 731d560c5debf..5e67e5bb39d46 100644
--- a/content/zh/docs/tasks/job/automated-tasks-with-cron-jobs.md
+++ b/content/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs.md
@@ -1,39 +1,42 @@
 ---
 title: 使用 CronJob 运行自动化任务
+min-kubernetes-server-version: v1.21
 content_type: task
 weight: 10
-min-kubernetes-server-version: v1.21
 ---
-
 <!--
 title: Running Automated Tasks with a CronJob
+min-kubernetes-server-version: v1.21
 reviewers:
 - chenopis
 content_type: task
 weight: 10
-min-kubernetes-server-version: v1.21
 -->
 
 <!-- overview -->
 
 <!--
-
 CronJobs was promoted to general availability in Kubernetes v1.21. If you are using an older version of
 Kubernetes, please refer to the documentation for the version of Kubernetes that you are using,
 so that you see accurate information. Older Kubernetes versions do not support the `batch/v1` CronJob API.
 
-You can use [CronJobs](/docs/concepts/workloads/controllers/cron-jobs) to run jobs on a time-based schedule.
+You can use a {{< glossary_tooltip text="CronJob" term_id="cronjob" >}} to run {{< glossary_tooltip text="Jobs" term_id="job" >}} on a time-based schedule.
 These automated jobs run like [Cron](https://en.wikipedia.org/wiki/Cron) tasks on a Linux or UNIX system.
 
 Cron jobs are useful for creating periodic and recurring tasks, like running backups or sending emails.
 Cron jobs can also schedule individual tasks for a specific time, such as if you want to schedule a job for a low activity period.
 -->
 
-在Kubernetes v1.21 版本中，CronJob 被提升为通用版本。如果你使用的是旧版本的 Kubernetes，请参考你正在使用的 Kubernetes 版本的文档，这样你就能看到准确的信息。旧的 Kubernetes 版本不支持`batch/v1` CronJob API。
+在 Kubernetes v1.21 版本中，CronJob 被提升为通用版本。如果你使用的是旧版本的 Kubernetes，
+请参考你正在使用的 Kubernetes 版本的文档，这样你就能看到准确的信息。
+旧的 Kubernetes 版本不支持 `batch/v1` CronJob API。
 
-你可以利用 [CronJobs](/zh/docs/concepts/workloads/controllers/cron-jobs) 执行基于时间调度的任务。这些自动化任务和 Linux 或者 Unix 系统的 [Cron](https://en.wikipedia.org/wiki/Cron) 任务类似。
+你可以利用 {{< glossary_tooltip text="CronJob" term_id="cronjob" >}}
+执行基于时间调度的 {{< glossary_tooltip text="Job" term_id="job" >}}。
+这些自动化任务和 Linux 或者 Unix 系统的 [Cron](https://zh.wikipedia.org/wiki/Cron) 任务类似。
 
-CronJobs 在创建周期性以及重复性的任务时很有帮助，例如执行备份操作或者发送邮件。CronJobs 也可以在特定时间调度单个任务，例如你想调度低活跃周期的任务。
+CronJob 在创建周期性以及重复性的任务时很有帮助，例如执行备份操作或者发送邮件。
+CronJob 也可以在特定时间调度单个任务，例如你想调度低活跃周期的任务。
 
 <!--
 Cron jobs have limitations and idiosyncrasies.
@@ -41,15 +44,14 @@ For example, in certain circumstances, a single cron job can create multiple job
 Therefore, jobs should be idempotent.
 For more limitations, see [CronJobs](/docs/concepts/workloads/controllers/cron-jobs).
 -->
-CronJobs 有一些限制和特点。
+CronJob 有一些限制和特点。
 例如，在特定状况下，同一个 CronJob 可以创建多个任务。
 因此，任务应该是幂等的。
 
-查看更多限制，请参考 [CronJobs](/zh/docs/concepts/workloads/controllers/cron-jobs)。
+有关更多限制，请参考 [CronJob](/zh-cn/docs/concepts/workloads/controllers/cron-jobs)。
 
 ## {{% heading "prerequisites" %}}
 
-
 * {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
 <!-- steps -->
@@ -60,7 +62,7 @@ CronJobs 有一些限制和特点。
 Cron jobs require a config file.
 This example cron job config `.spec` file prints the current time and a hello message every minute:
 -->
-## 创建 CronJob
+## 创建 CronJob {#creating-a-cronjob}
 
 CronJob 需要一个配置文件。
 本例中 CronJob 的`.spec` 配置文件每分钟打印出当前时间和一个问好信息：
@@ -68,13 +70,19 @@ CronJob 需要一个配置文件。
 {{< codenew file="application/job/cronjob.yaml" >}}
 
 <!--
-Run the example cron job by downloading the example file and then running this command:
+Run the example CronJob by using this command:
 -->
-想要运行示例的 CronJob，可以下载示例文件并执行命令：
+执行以下命令以运行此 CronJob 示例：
 
 ```shell
 kubectl create -f https://k8s.io/examples/application/job/cronjob.yaml
 ```
+
+<!--
+The output is similar to this:
+-->
+输出类似于：
+
 ```
 cronjob.batch/hello created
 ```
@@ -140,8 +148,8 @@ You should see that the cron job `hello` successfully scheduled a job at the tim
 
 Now, find the pods that the last scheduled job created and view the standard output of one of the pods.
 -->
-你应该能看到 `hello` CronJob 在 `LAST SCHEDULE` 声明的时间点成功的调度了一次任务。
-有 0 个活跃的任务意味着任务执行完毕或者执行失败。
+你应该能看到 `hello` CronJob 在 `LAST SCHEDULE` 声明的时间点成功地调度了一次任务。
+目前有 0 个活跃的任务，这意味着任务执行完毕或者执行失败。
 
 现在，找到最后一次调度任务创建的 Pod 并查看一个 Pod 的标准输出。
 
@@ -149,7 +157,7 @@ Now, find the pods that the last scheduled job created and view the standard out
 The job name and pod name are different.
 -->
 {{< note >}}
-Job 名称和 Pod 名称不同。
+Job 名称与 Pod 名称不同。
 {{< /note >}}
 
 ```shell
@@ -168,7 +176,7 @@ kubectl logs $pods
 <!--
 The output is similar to this:
 -->
-输出与此类似：
+输出类似于：
 
 ```
 Fri Feb 22 11:02:09 UTC 2019
@@ -181,7 +189,7 @@ Hello from the Kubernetes cluster
 When you don't need a cron job any more, delete it with `kubectl delete cronjob <cronjob name>`：
 -->
 
-## 删除 CronJob
+## 删除 CronJob {#deleting-a-cronjob}
 
 当你不再需要 CronJob 时，可以用 `kubectl delete cronjob <cronjob name>` 删掉它：
 
@@ -194,7 +202,7 @@ Deleting the cron job removes all the jobs and pods it created and stops it from
 You can read more about removing jobs in [garbage collection](/docs/concepts/workloads/controllers/garbage-collection/).
 -->
 删除 CronJob 会清除它创建的所有任务和 Pod，并阻止它创建额外的任务。你可以查阅
-[垃圾收集](/zh/docs/concepts/workloads/controllers/garbage-collection/)。
+[垃圾收集](/zh-cn/docs/concepts/workloads/controllers/garbage-collection/)。
 
 <!--
 ## Writing a Cron Job Spec
@@ -205,15 +213,15 @@ and [using kubectl to manage resources](/docs/concepts/overview/working-with-obj
 
 A cron job config also needs a [`.spec` section](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 -->
-## 编写 CronJob 声明信息
+## 编写 CronJob 声明信息 {#writing-a-cronjob-spec}
 
-像 Kubernetes 的其他配置一样，CronJob 需要 `apiVersion`、`kind`、和 `metadata` 域。
-配置文件的一般信息，请参考
-[部署应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/) 和
-[使用 kubectl 管理资源](/zh/docs/concepts/overview/working-with-objects/object-management/).
+像 Kubernetes 的其他配置一样，CronJob 需要 `apiVersion`、`kind` 和 `metadata` 字段。
+有关配置文件的一般信息，请参考
+[部署应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/) 和
+[使用 kubectl 管理资源](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)。
 
 CronJob 配置也需要包括
-[`.spec`](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
+[`.spec`](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)。
 
 <!--
 All modifications to a cron job, especially its `.spec`, are applied only to the following runs.
@@ -228,15 +236,15 @@ All modifications to a cron job, especially its `.spec`, are applied only to the
 The `.spec.schedule` is a required field of the `.spec`.
 It takes a [Cron](https://en.wikipedia.org/wiki/Cron) format string, such as `0 * * * *` or `@hourly`, as schedule time of its jobs to be created and executed.
 -->
-### 时间安排
+### 时间安排 {#schedule}
 
-`.spec.schedule` 是 `.spec` 需要的域。它使用了 [Cron](https://en.wikipedia.org/wiki/Cron)
-格式串，例如 `0 * * * *` or `@hourly` ，作为它的任务被创建和执行的调度时间。
+`.spec.schedule` 是 `.spec` 中的必需字段。它接受 [Cron](https://en.wikipedia.org/wiki/Cron)
+格式串，例如 `0 * * * *` or `@hourly`，作为它的任务被创建和执行的调度时间。
 
 <!--
 The format also includes extended "Vixie cron" step values. As explained in the [FreeBSD manual](https://www.freebsd.org/cgi/man.cgi?crontab%285%29):
 -->
-该格式也包含了扩展的 "Vixie cron" 步长值。
+该格式也包含了扩展的 “Vixie cron” 步长值。
 [FreeBSD 手册](https://www.freebsd.org/cgi/man.cgi?crontab%285%29)中解释如下:
 
 <!--
@@ -249,15 +257,15 @@ The format also includes extended "Vixie cron" step values. As explained in the
 -->
 
 > 步长可被用于范围组合。范围后面带有 `/<数字>` 可以声明范围内的步幅数值。
-> 例如，`0-23/2` 可被用在小时域来声明命令在其他数值的小时数执行
-> （ V7 标准中对应的方法是`0,2,4,6,8,10,12,14,16,18,20,22`）。
-> 步长也可以放在通配符后面，因此如果你想表达 "每两小时"，就用 `*/2` 。
+> 例如，`0-23/2` 可被用在小时字段来声明命令在其他数值的小时数执行
+> （V7 标准中对应的方法是 `0,2,4,6,8,10,12,14,16,18,20,22`）。
+> 步长也可以放在通配符后面，因此如果你想表达 “每两小时”，就用 `*/2` 。
 
 <!--
 A question mark (`?`) in the schedule has the same meaning as an asterisk `*`, that is, it stands for any of available value for a given field.
 -->
 {{< note >}}
-调度中的问号 (`?`) 和星号  `*` 含义相同，表示给定域的任何可用值。
+调度中的问号 (`?`) 和星号 `*` 含义相同，表示给定字段的任何可用值。
 {{< /note >}}
 
 <!--
@@ -269,13 +277,13 @@ except that it is nested and does not have an `apiVersion` or `kind`.
 For information about writing a job `.spec`, see
 [Writing a Job Spec](/docs/concepts/workloads/controllers/job/#writing-a-job-spec).
 -->
-### 任务模版
+### 任务模板 {#job-template}
 
-`.spec.jobTemplate`是任务的模版，它是必须的。它和
-[Job](/zh/docs/concepts/workloads/controllers/job/)的语法完全一样，
-除了它是嵌套的没有 `apiVersion` 和 `kind`。
-编写任务的 `.spec` ，请参考
-[编写 Job 的Spec](/zh/docs/concepts/workloads/controllers/job/#writing-a-job-spec)。
+`.spec.jobTemplate`是任务的模板，它是必需的。它和
+[Job](/zh-cn/docs/concepts/workloads/controllers/job/) 的语法完全一样，
+只不过它是嵌套的，没有 `apiVersion` 和 `kind`。
+有关如何编写一个任务的 `.spec`，请参考
+[编写 Job 规约](/zh-cn/docs/concepts/workloads/controllers/job/#writing-a-job-spec)。
 
 <!--
 ### Starting Deadline
@@ -286,11 +294,11 @@ After the deadline, the cron job does not start the job.
 Jobs that do not meet their deadline in this way count as failed jobs.
 If this field is not specified, the jobs have no deadline.
 -->
-### 开始的最后期限   {#starting-deadline}
+### 开始的最后期限 {#starting-deadline}
 
-`.spec.startingDeadlineSeconds` 域是可选的。
+`.spec.startingDeadlineSeconds` 字段是可选的。
 它表示任务如果由于某种原因错过了调度时间，开始该任务的截止时间的秒数。过了截止时间，CronJob 就不会开始任务。
-不满足这种最后期限的任务会被统计为失败任务。如果该域没有声明，那任务就没有最后期限。
+不满足这种最后期限的任务会被统计为失败任务。如果此字段未设置，那任务就没有最后期限。
 
 <!--
 If the `.spec.startingDeadlineSeconds` field is set (not null), the CronJob
@@ -300,7 +308,8 @@ now. If the difference is higher than that limit, it will skip this execution.
 For example, if it is set to `200`, it allows a job to be created for up to 200
 seconds after the actual schedule.
 -->
-如果`.spec.startingDeadlineSeconds`字段被设置(非空)，CronJob 控制器会计算从预期创建 Job 到当前时间的时间差。
+如果 `.spec.startingDeadlineSeconds` 字段被设置（非空），
+CronJob 控制器将会计算从预期创建 Job 到当前时间的时间差。
 如果时间差大于该限制，则跳过此次执行。
 
 例如，如果将其设置为 `200`，则 Job 控制器允许在实际调度之后最多 200 秒内创建 Job。
@@ -319,7 +328,7 @@ the spec may specify only one of the following concurrency policies:
 Note that concurrency policy only applies to the jobs created by the same cron job.
 If there are multiple cron jobs, their respective jobs are always allowed to run concurrently.
 -->
-### 并发性规则
+### 并发性规则 {#concurrency-policy}
 
 `.spec.concurrencyPolicy` 也是可选的。它声明了 CronJob 创建的任务执行时发生重叠如何处理。
 spec 仅能声明下列规则中的一种：
@@ -338,10 +347,10 @@ If it is set to `true`, all subsequent executions are suspended.
 This setting does not apply to already started executions.
 Defaults to false.
 -->
-### 挂起
+### 挂起 {#suspend}
 
-`.spec.suspend`域也是可选的。如果设置为 `true` ，后续发生的执行都会挂起。
-这个设置对已经开始的执行不起作用。默认是关闭的。
+`.spec.suspend` 字段也是可选的。如果设置为 `true` ，后续发生的执行都会被挂起。
+这个设置对已经开始的执行不起作用。默认是 `false`。
 
 <!--
 Executions that are suspended during their scheduled time count as missed jobs.
@@ -349,7 +358,7 @@ When `.spec.suspend` changes from `true` to `false` on an existing cron job with
 -->
 {{< caution >}}
 在调度时间内挂起的执行都会被统计为错过的任务。当 `.spec.suspend` 从 `true` 改为 `false` 时，
-且没有 [开始的最后期限](#starting-deadline)，错过的任务会被立即调度。
+且没有[开始的最后期限](#starting-deadline)，错过的任务会被立即调度。
 {{< /caution >}}
 
 <!--
@@ -359,10 +368,8 @@ The `.spec.successfulJobsHistoryLimit` and `.spec.failedJobsHistoryLimit` fields
 These fields specify how many completed and failed jobs should be kept.
 By default, they are set to 3 and 1 respectively.  Setting a limit to `0` corresponds to keeping none of the corresponding kind of jobs after they finish.
 -->
-### 任务历史限制
+### 任务历史限制 {#jobs-history-limits}
 
 `.spec.successfulJobsHistoryLimit` 和 `.spec.failedJobsHistoryLimit`是可选的。
 这两个字段指定应保留多少已完成和失败的任务。
-默认设置为3和1。限制设置为 `0` 代表相应类型的任务完成后不会保留。
-
-
+默认设置分别为 3 和 1。设置为 `0` 代表相应类型的任务完成后不会保留。
diff --git a/content/zh/docs/tasks/job/coarse-parallel-processing-work-queue.md b/content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md
similarity index 98%
rename from content/zh/docs/tasks/job/coarse-parallel-processing-work-queue.md
rename to content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md
index 33690a938e579..37fe844b0388f 100644
--- a/content/zh/docs/tasks/job/coarse-parallel-processing-work-queue.md
+++ b/content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md
@@ -54,7 +54,7 @@ non-parallel, use of [Job](/docs/concepts/jobs/run-to-completion-finite-workload
 -->
 
 要熟悉 Job 基本用法（非并行的），请参考
-[Job](/zh/docs/concepts/workloads/controllers/job/)。
+[Job](/zh-cn/docs/concepts/workloads/controllers/job/)。
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
@@ -448,7 +448,7 @@ want to consider one of the other [job patterns](/docs/concepts/jobs/run-to-comp
 本文所讲述的处理方法的好处是你不需要修改你的 "worker" 程序使其知道工作队列的存在。
 
 本文所描述的方法需要你运行一个消息队列服务。如果不方便运行消息队列服务，你也许会考虑另外一种
-[任务模式](/zh/docs/concepts/workloads/controllers/job/#job-patterns)。
+[任务模式](/zh-cn/docs/concepts/workloads/controllers/job/#job-patterns)。
 
 <!--
 This approach creates a pod for every work item.  If your work items only take a few seconds,
@@ -464,13 +464,13 @@ communicate with the work queue using a client library.
 
 本文所述的方法为每个工作项创建了一个 Pod。
 如果你的工作项仅需数秒钟，为每个工作项创建 Pod会增加很多的常规消耗。
-可以考虑另外的方案请参考[示例](/zh/docs/tasks/job/fine-parallel-processing-work-queue/)，
+可以考虑另外的方案请参考[示例](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/)，
 这种方案可以实现每个 Pod 执行多个工作项。
 
 示例中，我们使用 `amqp-consume` 从消息队列读取消息并执行我们真正的程序。
 这样的好处是你不需要修改你的程序使其知道队列的存在。
 要了解怎样使用客户端库和工作队列通信，请参考
-[不同的示例](/zh/docs/tasks/job/fine-parallel-processing-work-queue/)。
+[不同的示例](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/)。
 
 <!--
 ## Caveats
diff --git a/content/zh/docs/tasks/job/fine-parallel-processing-work-queue.md b/content/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue.md
similarity index 98%
rename from content/zh/docs/tasks/job/fine-parallel-processing-work-queue.md
rename to content/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue.md
index fb0c6faf0f986..57a26100f672c 100644
--- a/content/zh/docs/tasks/job/fine-parallel-processing-work-queue.md
+++ b/content/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue.md
@@ -65,7 +65,7 @@ Here is an overview of the steps in this example:
 Be familiar with the basic,
 non-parallel, use of [Job](/docs/concepts/workloads/controllers/job/).
 -->
-熟悉基本的、非并行的 [Job](/zh/docs/concepts/workloads/controllers/job/)。
+熟悉基本的、非并行的 [Job](/zh-cn/docs/concepts/workloads/controllers/job/)。
 
 <!-- steps -->
 
@@ -226,7 +226,7 @@ You need to push to a public repository or [configure your cluster to be able to
 your private repository](/docs/concepts/containers/images/).
 -->
 你需要将镜像 push 到一个公共仓库或者
-[配置集群访问你的私有仓库](/zh/docs/concepts/containers/images/)。
+[配置集群访问你的私有仓库](/zh-cn/docs/concepts/containers/images/)。
 
 <!--
 If you are using [Google Container
@@ -356,7 +356,7 @@ If running a queue service or modifying your containers to use a work queue is i
 want to consider one of the other [job patterns](/docs/concepts/jobs/run-to-completion-finite-workloads/#job-patterns).
 -->
 如果你不方便运行一个队列服务或者修改你的容器用于运行一个工作队列，你可以考虑其它的
-[Job 模式](/zh/docs/concepts/workloads/controllers/job/#job-patterns)。
+[Job 模式](/zh-cn/docs/concepts/workloads/controllers/job/#job-patterns)。
 
 <!--
 If you have a continuous stream of background processing work to run, then
diff --git a/content/zh/docs/tasks/job/indexed-parallel-processing-static.md b/content/zh-cn/docs/tasks/job/indexed-parallel-processing-static.md
similarity index 92%
rename from content/zh/docs/tasks/job/indexed-parallel-processing-static.md
rename to content/zh-cn/docs/tasks/job/indexed-parallel-processing-static.md
index 8b4e940373525..9490812abed8e 100644
--- a/content/zh/docs/tasks/job/indexed-parallel-processing-static.md
+++ b/content/zh-cn/docs/tasks/job/indexed-parallel-processing-static.md
@@ -11,7 +11,7 @@ min-kubernetes-server-version: v1.21
 weight: 30
 -->
 
-{{< feature-state for_k8s_version="v1.22" state="beta" >}}
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 <!-- overview -->
 
@@ -40,7 +40,7 @@ expose the index in the `JOB_COMPLETION_INDEX` environment variable.
 Pod 索引在{{<glossary_tooltip text="注解" term_id="annotation" >}}
 `batch.kubernetes.io/job-completion-index` 中呈现，具体表示为一个十进制值字符串。
 为了让容器化的任务进程获得此索引，你可以使用
-[downward API](/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api)
+[downward API](/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api)
 机制发布注解的值。为方便起见，
 控制平面自动设置 downward API 以在 `JOB_COMPLETION_INDEX` 环境变量中公开索引。
 
@@ -64,7 +64,7 @@ Here is an overview of the steps in this example:
 You should already be familiar with the basic,
 non-parallel, use of [Job](/docs/concepts/workloads/controllers/job/).
 -->
-你应该已经熟悉 [Job](/zh/docs/concepts/workloads/controllers/job/) 的基本的、非并行的用法。
+你应该已经熟悉 [Job](/zh-cn/docs/concepts/workloads/controllers/job/) 的基本的、非并行的用法。
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
@@ -149,13 +149,13 @@ to publish the index to containers. You can also choose to load a list of values
 from a [ConfigMap as an environment variable or file](/docs/tasks/configure-pod-container/configure-pod-configmap/).
 -->
 在上面的示例中，你使用 Job 控制器为所有容器设置的内置 `JOB_COMPLETION_INDEX` 环境变量。
-[Init 容器](/zh/docs/concepts/workloads/pods/init-containers/)
+[Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)
 将索引映射到一个静态值，并将其写入一个文件，该文件通过 
-[emptyDir 卷](/zh/docs/concepts/storage/volumes/#emptydir)
+[emptyDir 卷](/zh-cn/docs/concepts/storage/volumes/#emptydir)
 与运行 worker 的容器共享。或者，你可以
-[通过 Downward API 定义自己的环境变量](/zh/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
+[通过 Downward API 定义自己的环境变量](/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/)
 将索引发布到容器。你还可以选择从
-[包含 ConfigMap 的环境变量或文件](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)
+[包含 ConfigMap 的环境变量或文件](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
 加载值列表。
 
 <!-- 
@@ -164,7 +164,7 @@ value as a volume file](/docs/tasks/inject-data-application/downward-api-volume-
 like shown in the following example:
 -->
 或者也可以直接
-[使用 Downward API 将注解值作为卷文件传递](/zh/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#store-pod-fields)，
+[使用 Downward API 将注解值作为卷文件传递](/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#store-pod-fields)，
 如下例所示：
 
 {{< codenew language="yaml" file="application/job/indexed-job-vol.yaml" >}}
diff --git a/content/zh/docs/tasks/job/parallel-processing-expansion.md b/content/zh-cn/docs/tasks/job/parallel-processing-expansion.md
similarity index 97%
rename from content/zh/docs/tasks/job/parallel-processing-expansion.md
rename to content/zh-cn/docs/tasks/job/parallel-processing-expansion.md
index 88240fc8a5c07..30442574810a4 100644
--- a/content/zh/docs/tasks/job/parallel-processing-expansion.md
+++ b/content/zh-cn/docs/tasks/job/parallel-processing-expansion.md
@@ -39,7 +39,7 @@ this pattern fits more realistic use cases.
 You should be familiar with the basic,
 non-parallel, use of [Job](/docs/concepts/workloads/controllers/job/).
 -->
-你应先熟悉基本的、非并行的 [Job](/zh/docs/concepts/workloads/controllers/job/)
+你应先熟悉基本的、非并行的 [Job](/zh-cn/docs/concepts/workloads/controllers/job/)
 的用法。
 
 {{< include "task-tutorial-prereqs.md" >}}
@@ -258,7 +258,7 @@ to contain only certain characters.
 
 在[第一个例子](#create-jobs-based-on-a-template)中，模板的每个示例都有一个参数
 而该参数也用在 Job 名称中。不过，对象
-[名称](/zh/docs/concepts/overview/working-with-objects/names/#names)
+[名称](/zh-cn/docs/concepts/overview/working-with-objects/names/#names)
 被限制只能使用某些字符。
 
 <!--
@@ -453,7 +453,7 @@ that you can use if you wish.
 -->
 {{< note >}}
 标签键 `jobgroup` 没什么特殊的，也不是保留字。 你可以选择你自己的标签方案。
-如果愿意，有一些[建议的标签](/zh/docs/concepts/overview/working-with-objects/common-labels/#labels)
+如果愿意，有一些[建议的标签](/zh-cn/docs/concepts/overview/working-with-objects/common-labels/#labels)
 可供使用。
 {{< /note >}}
 
@@ -490,8 +490,8 @@ objects.
 You could also consider writing your own [controller](/docs/concepts/architecture/controller/)
 to manage Job objects automatically.
 -->
-还有一些其他[作业模式](/zh/docs/concepts/workloads/controllers/job/#job-patterns)
+还有一些其他[作业模式](/zh-cn/docs/concepts/workloads/controllers/job/#job-patterns)
 可供选择，这些模式都能用来处理大量任务而又不会创建过多的 Job 对象。
 
-你也可以考虑编写自己的[控制器](/zh/docs/concepts/architecture/controller/)
+你也可以考虑编写自己的[控制器](/zh-cn/docs/concepts/architecture/controller/)
 来自动管理 Job 对象。
diff --git a/content/zh/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md b/content/zh-cn/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md
similarity index 85%
rename from content/zh/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md
rename to content/zh-cn/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md
index eb73c471c3dc7..0c63d0208e9d8 100644
--- a/content/zh/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md
+++ b/content/zh-cn/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md
@@ -48,7 +48,7 @@ This guide demonstrates how to configure the kubelet's image credential provider
 
 <!-- 
 * The kubelet image credential provider is introduced in v1.20 as an alpha feature. As with other alpha features,
-a feature gate `KubeletCredentialProviders` must be enabled on only the kubelet for the feature to work.
+  a feature gate `KubeletCredentialProviders` must be enabled on only the kubelet for the feature to work.
 * A working implementation of a credential provider exec plugin. You can build your own plugin or use one provided by cloud providers.
 -->
 * kubelet 镜像凭证提供程序在 v1.20 版本作为 alpha 功能引入。
@@ -73,12 +73,14 @@ every node in your cluster and stored in a known directory. The directory will b
 ## Configuring the Kubelet
 
 In order to use this feature, the kubelet expects two flags to be set:
+
 * `--image-credential-provider-config` - the path to the credential provider plugin config file.
 * `--image-credential-provider-bin-dir` - the path to the directory where credential provider plugin binaries are located.
 -->
 ## 配置 kubelet  {#configuring-the-kubelet}
 
 为了使用这个特性，kubelet 需要设置以下两个标志：
+
 * `--image-credential-provider-config` —— 凭据提供程序插件配置文件的路径。
 * `--image-credential-provider-bin-dir` —— 凭据提供程序插件二进制文件所在目录的路径。
 
@@ -86,18 +88,19 @@ In order to use this feature, the kubelet expects two flags to be set:
 ### Configure a kubelet credential provider
 
 The configuration file passed into `--image-credential-provider-config` is read by the kubelet to determine which exec plugins
-should be invoked for which container images. Here's an example configuration file you may end up using if you are using the [ECR](https://aws.amazon.com/ecr/)-based plugin:
+should be invoked for which container images. Here's an example configuration file you may end up using if you are using the
+[ECR](https://aws.amazon.com/ecr/)-based plugin:
 -->
 ### 配置 kubelet 凭据提供程序  {#configure-a-kubelet-credential-provider}
 
-kubelet 会读取传入 `--image-credential-provider-config` 的配置文件文件，
+kubelet 会读取传入 `--image-credential-provider-config` 的配置文件，
 以确定应该为哪些容器镜像调用哪些 exec 插件。
-如果你正在使用基于 [ECR](https://aws.amazon.com/ecr/) 插件，
+如果你正在使用基于 [ECR](https://aws.amazon.com/ecr/) 的插件，
 这里有个样例配置文件你可能最终会使用到：
 
 ```yaml
-kind: CredentialProviderConfig
 apiVersion: kubelet.config.k8s.io/v1alpha1
+kind: CredentialProviderConfig
 # providers 是将由 kubelet 启用的凭证提供程序插件列表。
 # 多个提供程序可能与单个镜像匹配，在这种情况下，来自所有提供程序的凭据将返回到 kubelet。
 # 如果为单个镜像调用多个提供程序，则结果会合并。
@@ -130,11 +133,11 @@ providers:
     # - *.*.registry.io
     # - registry.io:8080/path
     matchImages:
-    - "*.dkr.ecr.*.amazonaws.com"
-    - "*.dkr.ecr.*.amazonaws.cn"
-    - "*.dkr.ecr-fips.*.amazonaws.com"
-    - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
-    - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
+      - "*.dkr.ecr.*.amazonaws.com"
+      - "*.dkr.ecr.*.amazonaws.cn"
+      - "*.dkr.ecr-fips.*.amazonaws.com"
+      - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
+      - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
     # defaultCacheDuration 是插件将在内存中缓存凭据的默认持续时间
     # 如果插件响应中未提供缓存持续时间。此字段是必需的。
     defaultCacheDuration: "12h"
@@ -145,30 +148,36 @@ providers:
     # 执行命令时传递给命令的参数。
     # +可选
     args:
-    - get-credentials
+      - get-credentials
     # env 定义了额外的环境变量以暴露给进程。
     # 这些与主机环境以及 client-go 用于将参数传递给插件的变量结合在一起。
     # +可选
     env:
-    - name: AWS_PROFILE
-      value: example_profile
+      - name: AWS_PROFILE
+        value: example_profile
 ```
 
 <!-- 
 The `providers` field is a list of enabled plugins used by the kubelet. Each entry has a few required fields:
-* `name`: the name of the plugin which MUST match the name of the executable binary that exists in the directory passed into `--image-credential-provider-bin-dir`.
-* `matchImages`: a list of strings used to match against images in order to determine if this provider should be invoked. More on this below.
-* `defaultCacheDuration`: the default duration the kubelet will cache credentials in-memory if a cache duration was not specified by the plugin.
-* `apiVersion`: the api version that the kubelet and the exec plugin will use when communicating.
 
-Each credential provider can also be given optional args and environment variables as well. Consult the plugin implementors to determine what set of arguments and environment variables are required for a given plugin.
+* `name`: the name of the plugin which MUST match the name of the executable binary that exists
+  in the directory passed into `--image-credential-provider-bin-dir`.
+* `matchImages`: a list of strings used to match against images in order to determine
+  if this provider should be invoked. More on this below.
+* `defaultCacheDuration`: the default duration the kubelet will cache credentials in-memory
+  if a cache duration was not specified by the plugin.
+* `apiVersion`: the API version that the kubelet and the exec plugin will use when communicating.
+
+Each credential provider can also be given optional args and environment variables as well.
+Consult the plugin implementors to determine what set of arguments and environment variables are required for a given plugin.
 -->
 `providers` 字段是 kubelet 使用的已启用插件列表。每个条目都有几个必填字段：
+
 * `name`：插件的名称，必须与传入`--image-credential-provider-bin-dir`
   的目录中存在的可执行二进制文件的名称相匹配。
-* `matchImages`：用于匹配图像以确定是否应调用此提供程序的字符串列表。更多相关信息如下。
+* `matchImages`：用于匹配镜像以确定是否应调用此提供程序的字符串列表。更多相关信息如下。
 * `defaultCacheDuration`：如果插件未指定缓存持续时间，kubelet 将在内存中缓存凭据的默认持续时间。
-* `apiVersion`：kubelet 和 exec 插件在通信时将使用的 api 版本。
+* `apiVersion`：kubelet 和 exec 插件在通信时将使用的 API 版本。
 
 每个凭证提供程序也可以被赋予可选的参数和环境变量。
 咨询插件实现者以确定给定插件需要哪些参数和环境变量集。
@@ -207,8 +216,20 @@ Some example values of `matchImages` patterns are:
 * 如果 imageMatch 包含端口，则该端口也必须在镜像中匹配。
 
 `matchImages` 模式的一些示例值：
+
 * `123456789.dkr.ecr.us-east-1.amazonaws.com`
 * `*.azurecr.io`
 * `gcr.io`
 * `*.*.registry.io`
 * `foo.registry.io:8080/path`
+
+## {{% heading "whatsnext" %}}
+
+<!--
+* Read the details about `CredentialProviderConfig` in the
+  [kubelet configuration API (v1alpha1) reference](/docs/reference/config-api/kubelet-config.v1alpha1/).
+* Read the [kubelet credential provider API reference (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/).
+-->
+* 阅读 [kubelet 配置 API (v1alpha1) 参考](/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1/)中有关 `CredentialProviderConfig` 的详细信息。
+* 阅读 [kubelet 凭据提供程序 API 参考 (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/)。
+
diff --git a/content/zh/docs/tasks/manage-daemon/_index.md b/content/zh-cn/docs/tasks/manage-daemon/_index.md
similarity index 100%
rename from content/zh/docs/tasks/manage-daemon/_index.md
rename to content/zh-cn/docs/tasks/manage-daemon/_index.md
diff --git a/content/zh/docs/tasks/manage-daemon/rollback-daemon-set.md b/content/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set.md
similarity index 96%
rename from content/zh/docs/tasks/manage-daemon/rollback-daemon-set.md
rename to content/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set.md
index da87cb6015bda..d70d84dfc0f63 100644
--- a/content/zh/docs/tasks/manage-daemon/rollback-daemon-set.md
+++ b/content/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set.md
@@ -1,6 +1,4 @@
 ---
-approvers:
-- janetkuo
 title: 对 DaemonSet 执行回滚
 content_type: task
 weight: 20
@@ -29,7 +27,7 @@ This page shows how to perform a rollback on a {{< glossary_tooltip term_id="dae
 You should already know how to [perform a rolling update on a
  DaemonSet](/docs/tasks/manage-daemon/update-daemon-set/).
 -->
-你应该已经了解如何[为 DaemonSet 执行滚东更新](/zh/docs/tasks/manage-daemon/update-daemon-set/)。
+你应该已经了解如何[为 DaemonSet 执行滚东更新](/zh-cn/docs/tasks/manage-daemon/update-daemon-set/)。
 
 <!-- steps -->
 
@@ -222,7 +220,7 @@ have revision 1 and 2 in the system, and roll back from revision 2 to revision
 注意 DaemonSet 修订版本只会正向变化。也就是说，回滚完成后，所回滚到的
 `ControllerRevision` 版本号 (`.revision` 字段) 会增加。
 例如，如果用户在系统中有版本 1 和版本 2，并从版本 2 回滚到版本 1，
-带有 `.revision: 1` 的`ControllerRevision` 将变为 `.revision: 3`。
+带有 `.revision: 1` 的 `ControllerRevision` 将变为 `.revision: 3`。
 {{< /note >}}
 
 <!--
@@ -233,6 +231,4 @@ have revision 1 and 2 in the system, and roll back from revision 2 to revision
 -->
 ## 故障排查
 
-* 参阅 [DaemonSet 滚动升级故障排除](/zh/docs/tasks/manage-daemon/update-daemon-set/#troubleshooting)。
-
-
+* 参阅 [DaemonSet 滚动升级故障排除](/zh-cn/docs/tasks/manage-daemon/update-daemon-set/#troubleshooting)。
diff --git a/content/zh/docs/tasks/manage-daemon/update-daemon-set.md b/content/zh-cn/docs/tasks/manage-daemon/update-daemon-set.md
similarity index 78%
rename from content/zh/docs/tasks/manage-daemon/update-daemon-set.md
rename to content/zh-cn/docs/tasks/manage-daemon/update-daemon-set.md
index ee8bc83eaf000..7c4d9ff6cc056 100644
--- a/content/zh/docs/tasks/manage-daemon/update-daemon-set.md
+++ b/content/zh-cn/docs/tasks/manage-daemon/update-daemon-set.md
@@ -12,6 +12,7 @@ content_type: task
 -->
 
 <!-- overview -->
+
 <!--
 This page shows how to perform a rolling update on a DaemonSet.
 -->
@@ -28,7 +29,7 @@ This page shows how to perform a rolling update on a DaemonSet.
 
 DaemonSet has two update strategy types:
 -->
-## DaemonSet 更新策略
+## DaemonSet 更新策略    {#daemonset-update-strategy}
 
 DaemonSet 有两种更新策略：
 
@@ -40,8 +41,8 @@ DaemonSet 有两种更新策略：
 * `RollingUpdate`: This is the default update strategy.  
   With `RollingUpdate` update strategy, after you update a
   DaemonSet template, old DaemonSet pods will be killed, and new DaemonSet pods
-  will be created automatically, in a controlled fashion.
-  At most one pod of the DaemonSet will be running on each node during the whole update process.
+  will be created automatically, in a controlled fashion. At most one pod of
+  the DaemonSet will be running on each node during the whole update process.
 -->
 
 * `OnDelete`: 使用 `OnDelete` 更新策略时，在更新 DaemonSet 模板后，只有当你手动删除老的
@@ -56,32 +57,32 @@ DaemonSet 有两种更新策略：
 To enable the rolling update feature of a DaemonSet, you must set its
 `.spec.updateStrategy.type` to `RollingUpdate`.
 -->
-## 执行滚动更新
+## 执行滚动更新    {#performing-a-rolling-update}
 
 要启用 DaemonSet 的滚动更新功能，必须设置 `.spec.updateStrategy.type` 为 `RollingUpdate`。
 
 <!--
-You may want to set 
+You may want to set
 [`.spec.updateStrategy.rollingUpdate.maxUnavailable`](/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec) 
 (default to 1),
-[`.spec.minReadySeconds`](/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec) 
-(default to 0) and 
+[`.spec.minReadySeconds`](/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec)
+(default to 0) and
 [`.spec.updateStrategy.rollingUpdate.maxSurge`](/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec)
 (a beta feature and defaults to 0) as well.
 
 -->
 你可能想设置
-[`.spec.updateStrategy.rollingUpdate.maxUnavailable`](/zh/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec) (默认为 1)，
-[`.spec.minReadySeconds`](/zh/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec) (默认为 0) 和
-[`.spec.updateStrategy.rollingUpdate.maxSurge`](/zh/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec)
-（一种 Beta 阶段的特性，默认为 0）。 
+[`.spec.updateStrategy.rollingUpdate.maxUnavailable`](/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec) (默认为 1)，
+[`.spec.minReadySeconds`](/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec) (默认为 0) 和
+[`.spec.updateStrategy.rollingUpdate.maxSurge`](/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec)
+（一种 Beta 阶段的特性，默认为 0）。
 
 <!--
 ### Creating a DaemonSet with `RollingUpdate` update strategy
 
 This YAML file specifies a DaemonSet with an update strategy as 'RollingUpdate'
 -->
-### 创建带有 `RollingUpdate` 更新策略的 DaemonSet
+### 创建带有 `RollingUpdate` 更新策略的 DaemonSet    {#creating-a-daemonset-with-rollingupdate-update-strategy}
 
 下面的 YAML 包含一个 DaemonSet，其更新策略为 'RollingUpdate'：
 
@@ -113,7 +114,7 @@ kubectl apply -f https://k8s.io/examples/controllers/fluentd-daemonset.yaml
 Check the update strategy of your DaemonSet, and make sure it's set to
 `RollingUpdate`:
 -->
-### 检查 DaemonSet 的滚动更新策略
+### 检查 DaemonSet 的滚动更新策略    {#checking-daemonset-rollingupdate-update-strategy}
 
 首先，检查 DaemonSet 的更新策略，确保已经将其设置为 `RollingUpdate`:
 
@@ -152,7 +153,7 @@ manifest accordingly.
 Any updates to a `RollingUpdate` DaemonSet `.spec.template` will trigger a rolling
 update. Let's update the DaemonSet by applying a new YAML file. This can be done with several different `kubectl` commands.
 -->
-### 更新 DaemonSet 模板
+### 更新 DaemonSet 模板    {#updating-a-daemonset-template}
 
 对 `RollingUpdate` DaemonSet 的 `.spec.template` 的任何更新都将触发滚动更新。
 这可以通过几个不同的 `kubectl` 命令来完成。
@@ -166,10 +167,10 @@ If you update DaemonSets using
 [configuration files](/docs/tasks/manage-kubernetes-objects/declarative-config/),
 use `kubectl apply`:
 -->
-#### 声明式命令
+#### 声明式命令    {#declarative-commands}
 
 如果你使用
-[配置文件](/zh/docs/tasks/manage-kubernetes-objects/declarative-config/)
+[配置文件](/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/)
 来更新 DaemonSet，请使用 `kubectl apply`:
 
 ```shell
@@ -180,14 +181,14 @@ kubectl apply -f https://k8s.io/examples/controllers/fluentd-daemonset-update.ya
 #### Imperative commands
 
 If you update DaemonSets using
-[imperative commands](/docs/concepts/overview/object-management-kubectl/imperative-command/),
+[imperative commands](/docs/tasks/manage-kubernetes-objects/imperative-command/),
 use `kubectl edit`:
 -->
-#### 指令式命令
+#### 指令式命令    {#imperative-commands}
 
 如果你使用
-[指令式命令](/zh/docs/tasks/manage-kubernetes-objects/imperative-command/)
-来更新 DaemonSets，请使用`kubectl edit`：
+[指令式命令](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/)
+来更新 DaemonSets，请使用 `kubectl edit`：
 
 ```shell
 kubectl edit ds/fluentd-elasticsearch -n kube-system
@@ -199,21 +200,21 @@ kubectl edit ds/fluentd-elasticsearch -n kube-system
 If you only need to update the container image in the DaemonSet template, i.e.
 `.spec.template.spec.containers[*].image`, use `kubectl set image`:
 --->
-##### 只更新容器镜像
+##### 只更新容器镜像    {#updating-only-the-container-image}
 
-如果你只需要更新 DaemonSet 模板里的容器镜像，比如，`.spec.template.spec.containers[*].image`, 
-请使用 `kubectl set image`:
+如果你只需要更新 DaemonSet 模板里的容器镜像，比如 `.spec.template.spec.containers[*].image`，
+请使用 `kubectl set image`：
 
 ```shell
 kubectl set image ds/fluentd-elasticsearch fluentd-elasticsearch=quay.io/fluentd_elasticsearch/fluentd:v2.6.0 -n kube-system
 ```
 
 <!--
-### Step 4: Watching the rolling update status
+### Watching the rolling update status
 
 Finally, watch the rollout status of the latest DaemonSet rolling update:
 -->
-### 监视滚动更新状态
+### 监视滚动更新状态    {#watching-the-rolling-update-status}
 
 最后，观察 DaemonSet 最新滚动更新的进度：
 
@@ -235,9 +236,9 @@ daemonset "fluentd-elasticsearch" successfully rolled out
 
 ### DaemonSet rolling update is stuck
 -->
-## 故障排查
+## 故障排查    {#troubleshooting}
 
-### DaemonSet 滚动更新卡住
+### DaemonSet 滚动更新卡住    {#daemonset-rolling-update-is-stuck}
 
 <!--
 Sometimes, a DaemonSet rolling update may be stuck. Here are some possible
@@ -248,7 +249,7 @@ causes:
 有时，DaemonSet 滚动更新可能卡住，以下是一些可能的原因：
 
 
-#### 一些节点可用资源耗尽
+#### 一些节点可用资源耗尽    {#some-nodes-run-out-of-resources}
 
 <!--
 The rollout is stuck because new DaemonSet pods can't be scheduled on at least one
@@ -259,7 +260,7 @@ When this happens, find the nodes that don't have the DaemonSet pods scheduled o
 by comparing the output of `kubectl get nodes` and the output of:
 -->
 DaemonSet 滚动更新可能会卡住，其 Pod 至少在某个节点上无法调度运行。
-当节点上[可用资源耗尽](/zh/docs/concepts/scheduling-eviction/node-pressure-eviction/)时，
+当节点上[可用资源耗尽](/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/)时，
 这是可能的。
 
 发生这种情况时，通过对 `kubectl get nodes` 和下面命令行的输出作比较，
@@ -283,7 +284,7 @@ either.
 {{< note >}}
 当所删除的 Pod 不受任何控制器管理，也不是多副本的 Pod时，上述操作将导致服务中断。
 同时，上述操作也不会考虑
-[PodDisruptionBudget](/zh/docs/tasks/run-application/configure-pdb/)
+[PodDisruptionBudget](/zh-cn/docs/tasks/run-application/configure-pdb/)
 所施加的约束。
 {{< /note >}}
 
@@ -294,7 +295,7 @@ If the recent DaemonSet template update is broken, for example, the container is
 crash looping, or the container image doesn't exist (often due to a typo),
 DaemonSet rollout won't progress.
 -->
-#### 不完整的滚动更新
+#### 不完整的滚动更新    {#broken-rollout}
 
 如果最近的 DaemonSet 模板更新被破坏了，比如，容器处于崩溃循环状态或者容器镜像不存在
 （通常由于拼写错误），就会发生 DaemonSet 滚动更新中断。
@@ -312,7 +313,7 @@ If `.spec.minReadySeconds` is specified in the DaemonSet, clock skew between
 master and nodes will make DaemonSet unable to detect the right rollout
 progress.
 -->
-#### 时钟偏差
+#### 时钟偏差    {#clock-skew}
 
 如果在 DaemonSet 中指定了 `.spec.minReadySeconds`，主控节点和工作节点之间的时钟偏差会使
 DaemonSet 无法检测到正确的滚动更新进度。
@@ -322,7 +323,7 @@ DaemonSet 无法检测到正确的滚动更新进度。
 
 Delete DaemonSet from a namespace :
 -->
-## 清理
+## 清理    {#clean-up}
 
 从名字空间中删除 DaemonSet：
 
@@ -336,6 +337,6 @@ kubectl delete ds fluentd-elasticsearch -n kube-system
 * See [Performing a rollback on a DaemonSet](/docs/tasks/manage-daemon/rollback-daemon-set/)
 * See [Creating a DaemonSet to adopt existing DaemonSet pods](/docs/concepts/workloads/controllers/daemonset/)
 -->
-* 查看[在 DaemonSet 上执行回滚](/zh/docs/tasks/manage-daemon/rollback-daemon-set/)
-* 查看[创建 DaemonSet 以收养现有 DaemonSet Pod](/zh/docs/concepts/workloads/controllers/daemonset/)
+* 查看[在 DaemonSet 上执行回滚](/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set/)
+* 查看[创建 DaemonSet 以收养现有 DaemonSet Pod](/zh-cn/docs/concepts/workloads/controllers/daemonset/)
 
diff --git a/content/zh/docs/tasks/manage-gpus/scheduling-gpus.md b/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
similarity index 99%
rename from content/zh/docs/tasks/manage-gpus/scheduling-gpus.md
rename to content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
index e88c3dbcf7926..91cd60a3f390c 100644
--- a/content/zh/docs/tasks/manage-gpus/scheduling-gpus.md
+++ b/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
@@ -229,7 +229,7 @@ For example:
 ## 集群内存在不同类型的 GPU
 
 如果集群内部的不同节点上有不同类型的 NVIDIA GPU，那么你可以使用
-[节点标签和节点选择器](/zh/docs/tasks/configure-pod-container/assign-pods-nodes/)
+[节点标签和节点选择器](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/)
 来将 pod 调度到合适的节点上。
 
 例如：
diff --git a/content/zh/docs/tasks/manage-hugepages/scheduling-hugepages.md b/content/zh-cn/docs/tasks/manage-hugepages/scheduling-hugepages.md
similarity index 78%
rename from content/zh/docs/tasks/manage-hugepages/scheduling-hugepages.md
rename to content/zh-cn/docs/tasks/manage-hugepages/scheduling-hugepages.md
index 0cdc82eda4d38..64419de90fd08 100644
--- a/content/zh/docs/tasks/manage-hugepages/scheduling-hugepages.md
+++ b/content/zh-cn/docs/tasks/manage-hugepages/scheduling-hugepages.md
@@ -1,17 +1,14 @@
 ---
-reviewers:
-- derekwaynecarr
 title: 管理巨页（HugePages）
 content_type: task
 description: 将大页配置和管理为集群中的可调度资源。
 ---
 <!--
----
 reviewers:
 - derekwaynecarr
 title: Manage HugePages
 content_type: task
----
+description: Configure and manage huge pages as a schedulable resource in a cluster.
 --->
 
 <!-- overview -->
@@ -30,13 +27,13 @@ Kubernetes 支持在 Pod 应用中使用预先分配的巨页。本文描述了
 
 <!--
 1. Kubernetes nodes must pre-allocate huge pages in order for the node to report
-   its huge page capacity. A node may only pre-allocate huge pages for a single
-   size.
+   its huge page capacity. A node can pre-allocate huge pages for multiple
+   sizes.
 
-The nodes will automatically discover and report all huge page resources as a
-schedulable resource.
+The nodes will automatically discover and report all huge page resources as
+schedulable resources.
 --->
-1. 为了使节点能够上报巨页容量，Kubernetes 节点必须预先分配巨页。每个节点只能预先分配一种特定规格的巨页。
+1. 为了使节点能够上报巨页容量，Kubernetes 节点必须预先分配巨页。每个节点能够预先分配多种规格的巨页。
 
 节点会自动发现全部巨页资源，并作为可供调度的资源进行上报。
 
@@ -59,9 +56,14 @@ A pod may consume multiple huge page sizes in a single pod spec. In this case it
 must use `medium: HugePages-<hugepagesize>` notation for all volume mounts.
 --->
 
-用户可以通过在容器级别的资源需求中使用资源名称 `hugepages-<size>` 来使用巨页，其中的 size 是特定节点上支持的以整数值表示的最小二进制单位。 例如，如果一个节点支持 2048KiB 和 1048576KiB 页面大小，它将公开可调度的资源 `hugepages-2Mi` 和 `hugepages-1Gi`。与 CPU 或内存不同，巨页不支持过量使用（overcommit）。注意，在请求巨页资源时，还必须请求内存或 CPU 资源。
+用户可以通过在容器级别的资源需求中使用资源名称 `hugepages-<size>`
+来使用巨页，其中的 size 是特定节点上支持的以整数值表示的最小二进制单位。
+例如，如果一个节点支持 2048KiB 和 1048576KiB 页面大小，它将公开可调度的资源
+`hugepages-2Mi` 和 `hugepages-1Gi`。与 CPU 或内存不同，巨页不支持过量使用（overcommit）。
+注意，在请求巨页资源时，还必须请求内存或 CPU 资源。
 
-同一 Pod 的 spec 中可能会消耗不同尺寸的巨页。在这种情况下，它必须对所有挂载卷使用 `medium: HugePages-<hugepagesize>` 标识。
+同一 Pod 的 spec 中可能会消耗不同尺寸的巨页。在这种情况下，它必须对所有挂载卷使用
+`medium: HugePages-<hugepagesize>` 标识。
 
 ```yaml
 apiVersion: v1
@@ -130,7 +132,7 @@ spec:
 <!--
 - Huge page requests must equal the limits. This is the default if limits are
   specified, but requests are not.
-- Huge pages are isolated at a container scope, so each container has own 
+- Huge pages are isolated at a container scope, so each container has own
   limit on their cgroup sandbox as requested in a container spec.
 - EmptyDir volumes backed by huge pages may not consume more huge page memory
   than the pod request.
@@ -139,12 +141,6 @@ spec:
 - Huge page usage in a namespace is controllable via ResourceQuota similar
   to other compute resources like `cpu` or `memory` using the `hugepages-<size>`
   token.
-- Support of multiple sizes huge pages is feature gated. It can be
-  enabled with the `HugePageStorageMediumSize` [feature
-gate](/docs/reference/command-line-tools-reference/feature-gates/) on the {{<
-glossary_tooltip text="kubelet" term_id="kubelet" >}} and {{<
-glossary_tooltip text="kube-apiserver"
-term_id="kube-apiserver" >}} (`--feature-gates=HugePageStorageMediumSize=false`).
 --->
 
 - 巨页的资源请求值必须等于其限制值。该条件在指定了资源限制，而没有指定请求的情况下默认成立。
diff --git a/content/zh/docs/tasks/manage-kubernetes-objects/_index.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/_index.md
similarity index 100%
rename from content/zh/docs/tasks/manage-kubernetes-objects/_index.md
rename to content/zh-cn/docs/tasks/manage-kubernetes-objects/_index.md
diff --git a/content/zh/docs/tasks/manage-kubernetes-objects/declarative-config.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config.md
similarity index 98%
rename from content/zh/docs/tasks/manage-kubernetes-objects/declarative-config.md
rename to content/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config.md
index 1445c21ec8418..517442cfb2765 100644
--- a/content/zh/docs/tasks/manage-kubernetes-objects/declarative-config.md
+++ b/content/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config.md
@@ -28,7 +28,7 @@ preview of what changes `apply` will make.
 <!--
 Install [`kubectl`](/docs/tasks/tools/).
 -->
-安装 [`kubectl`](/zh/docs/tasks/tools/)。
+安装 [`kubectl`](/zh-cn/docs/tasks/tools/)。
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
@@ -55,7 +55,7 @@ for a discussion of the advantages and disadvantage of each kind of object manag
 * 声明式对象配置
 
 关于每种对象管理的优缺点的讨论，可参见
-[Kubernetes 对象管理](/zh/docs/concepts/overview/working-with-objects/object-management/)。
+[Kubernetes 对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)。
 
 <!--
 ## Overview
@@ -72,8 +72,8 @@ the following documents if you have not already:
 声明式对象管理需要用户对 Kubernetes 对象定义和配置有比较深刻的理解。
 如果你还没有这方面的知识储备，请先阅读下面的文档：
 
-* [使用指令式命令管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/imperative-command/)
-* [使用配置文件对 Kubernetes 对象进行指令式管理](/zh/docs/tasks/manage-kubernetes-objects/imperative-config/)
+* [使用指令式命令管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/)
+* [使用配置文件对 Kubernetes 对象进行指令式管理](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config/)
 
 <!--
 Following are definitions for terms used in this document:
@@ -157,12 +157,12 @@ See [Dry-Run Authorization](/docs/reference/using-api/api-concepts#dry-run-autho
 for details.
 -->
 {{< note >}}
-`diff` 使用[服务器端试运行（Server-side Dry-run）](/zh/docs/reference/using-api/api-concepts/#dry-run)
+`diff` 使用[服务器端试运行（Server-side Dry-run）](/zh-cn/docs/reference/using-api/api-concepts/#dry-run)
 功能特性；而该功能特性需要在 `kube-apiserver` 上启用。
 
 由于 `diff` 操作会使用试运行模式执行服务器端 apply 请求，因此需要为
 用户配置 `PATCH`、`CREATE` 和 `UPDATE` 操作权限。
-参阅[试运行授权](/zh/docs/reference/using-api/api-concepts#dry-run-authorization)
+参阅[试运行授权](/zh-cn/docs/reference/using-api/api-concepts#dry-run-authorization)
 了解详情。
 {{< /note >}}
 
@@ -1547,8 +1547,8 @@ template:
 * [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl-commands/)
 * [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 -->
-* [使用指令式命令管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/imperative-command/)
-* [使用配置文件对 Kubernetes 对象执行指令式管理](/zh/docs/tasks/manage-kubernetes-objects/imperative-config/)
+* [使用指令式命令管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/)
+* [使用配置文件对 Kubernetes 对象执行指令式管理](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config/)
 * [Kubectl 命令参考](/docs/reference/generated/kubectl/kubectl-commands/)
 * [Kubernetes API 参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 
diff --git a/content/zh/docs/tasks/manage-kubernetes-objects/imperative-command.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command.md
similarity index 96%
rename from content/zh/docs/tasks/manage-kubernetes-objects/imperative-command.md
rename to content/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command.md
index f84ab15b2e02f..c8b945453d06d 100644
--- a/content/zh/docs/tasks/manage-kubernetes-objects/imperative-command.md
+++ b/content/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command.md
@@ -23,7 +23,7 @@ Kubernetes 对象。本文档解释这些命令的组织方式以及如何使用
 <!--
 Install [`kubectl`](/docs/tasks/tools/).
 -->
-安装[`kubectl`](/zh/docs/tasks/tools/)。
+安装[`kubectl`](/zh-cn/docs/tasks/tools/)。
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
@@ -50,7 +50,7 @@ for a discussion of the advantages and disadvantage of each kind of object manag
 * 声明式对象配置
 
 关于每种对象管理的优缺点的讨论，可参见
-[Kubernetes 对象管理](/zh/docs/concepts/overview/working-with-objects/object-management/)。
+[Kubernetes 对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)。
 
 <!--
 ## How to create objects
@@ -288,8 +288,8 @@ kubectl create --edit -f /tmp/srv.yaml
 * [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl-commands/)
 * [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 -->
-* [使用指令式对象配置管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/imperative-config/)
-* [使用声明式对象配置管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/declarative-config/)
+* [使用指令式对象配置管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config/)
+* [使用声明式对象配置管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/)
 * [Kubectl 命令参考](/docs/reference/generated/kubectl/kubectl-commands/)
 * [Kubernetes API 参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 
diff --git a/content/zh/docs/tasks/manage-kubernetes-objects/imperative-config.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config.md
similarity index 95%
rename from content/zh/docs/tasks/manage-kubernetes-objects/imperative-config.md
rename to content/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config.md
index 654ea24d647e3..02ff2eb91f3f4 100644
--- a/content/zh/docs/tasks/manage-kubernetes-objects/imperative-config.md
+++ b/content/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config.md
@@ -23,7 +23,7 @@ This document explains how to define and manage objects using configuration file
 <!--
 Install [`kubectl`](/docs/tasks/tools/).
 -->
-安装 [`kubectl`](/zh/docs/tasks/tools/) 。
+安装 [`kubectl`](/zh-cn/docs/tasks/tools/) 。
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
@@ -51,7 +51,7 @@ The `kubectl` tool supports three kinds of object management:
 See [Kubernetes Object Management](/docs/concepts/overview/working-with-objects/object-management/)
 for a discussion of the advantages and disadvantage of each kind of object management.
 -->
-参看 [Kubernetes 对象管理](/zh/docs/concepts/overview/working-with-objects/object-management/)
+参看 [Kubernetes 对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)
 中关于每种对象管理的优缺点的讨论。
 
 <!--
@@ -273,8 +273,8 @@ template:
 * [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl/)
 * [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 -->
-* [使用命令式命令管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/imperative-command/)
-* [使用对象配置管理 Kubernetes 对象 (声明式)](/zh/docs/tasks/manage-kubernetes-objects/declarative-config/)
+* [使用命令式命令管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/)
+* [使用对象配置管理 Kubernetes 对象 (声明式)](/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/)
 * [Kubectl 命令参考](/docs/reference/generated/kubectl/kubectl-commands/)
 * [Kubernetes API 参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)
 
diff --git a/content/zh/docs/tasks/manage-kubernetes-objects/kustomization.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md
similarity index 99%
rename from content/zh/docs/tasks/manage-kubernetes-objects/kustomization.md
rename to content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md
index 796b20b85b43e..cb6f1e9ab49e0 100644
--- a/content/zh/docs/tasks/manage-kubernetes-objects/kustomization.md
+++ b/content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md
@@ -45,7 +45,7 @@ kubectl apply -k <kustomization_directory>
 <!--
 Install [`kubectl`](/docs/tasks/tools/).
 -->
-安装 [`kubectl`](/zh/docs/tasks/tools/).
+安装 [`kubectl`](/zh-cn/docs/tasks/tools/).
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
@@ -1271,7 +1271,7 @@ deployment.apps "dev-my-nginx" deleted
 | vars                  | [][Var](https://github.com/kubernetes-sigs/kustomize/blob/master/api/types/var.go#L19)                       | 每个条目用来从某资源的字段来析取文字                            |
 | images                | [][Image](https://github.com/kubernetes-sigs/kustomize/blob/master/api/types/image.go#L8)                    | 每个条目都用来更改镜像的名称、标记与/或摘要，不必生成补丁 |
 | configurations        | []string                                                                                                     | 列表中每个条目都应能解析为一个包含 [Kustomize 转换器配置](https://github.com/kubernetes-sigs/kustomize/tree/master/examples/transformerconfigs) 的文件 |
-| crds                  | []string                                                                                                     | 列表中每个条目都赢能够解析为 Kubernetes 类别的 OpenAPI 定义文件 |
+| crds                  | []string                                                                                                     | 列表中每个条目都应能够解析为 Kubernetes 类别的 OpenAPI 定义文件 |
 
 ## {{% heading "whatsnext" %}}
 
diff --git a/content/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
similarity index 90%
rename from content/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
rename to content/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
index dd47ec39cf1e5..1d2c576841166 100644
--- a/content/zh/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
+++ b/content/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch.md
@@ -9,7 +9,7 @@ weight: 50
 title: Update API Objects in Place Using kubectl patch
 description: Use kubectl patch to update Kubernetes API objects in place. Do a strategic merge patch or a JSON merge patch.
 content_type: task
-weight: 40
+weight: 50
 -->
 
 <!-- overview -->
@@ -34,7 +34,7 @@ in this task demonstrate a strategic merge patch and a JSON merge patch.
 Here's the configuration file for a Deployment that has two replicas. Each replica
 is a Pod that has one container:
 -->
-## 使用策略合并 patch 更新 Deployment
+## 使用策略合并 patch 更新 Deployment    {#use-a-strategic-merge-patch-to-update-a-deployment}
 
 下面是具有两个副本的 Deployment 的配置文件。每个副本是一个 Pod，有一个容器：
 
@@ -46,7 +46,7 @@ Create the Deployment:
 创建 Deployment：
 
 ```shell
-kubectl create -f https://k8s.io/examples/application/deployment-patch.yaml
+kubectl apply -f https://k8s.io/examples/application/deployment-patch.yaml
 ```
 
 <!--
@@ -83,9 +83,9 @@ you want each Pod to have two containers: one that runs nginx and one that runs
 此时，每个 Pod 都有一个运行 nginx 镜像的容器。现在假设你希望每个 Pod 有两个容器：一个运行 nginx，另一个运行 redis。
 
 <!--
-Create a file named `patch-file-containers.yaml` that has this content:
+Create a file named `patch-file.yaml` that has this content:
 -->
-创建一个名为 `patch-file-containers.yaml` 的文件。内容如下:
+创建一个名为 `patch-file.yaml` 的文件。内容如下:
 
 ```yaml
 spec:
@@ -102,7 +102,7 @@ Patch your Deployment:
 修补你的 Deployment：
 
 ```shell
-kubectl patch deployment patch-demo --patch "$(cat patch-file-containers.yaml)"
+kubectl patch deployment patch-demo --patch-file patch-file.yaml
 ```
 <!--
 View the patched Deployment:
@@ -185,10 +185,10 @@ Container to the list. In other words, the list in the patch was merged with the
 existing list. This is not always what happens when you use a strategic merge patch on a list.
 In some cases, the list is replaced, not merged.
 -->
-### 策略性合并类的 patch 的说明
+### 策略性合并类的 patch 的说明    {#notes-on-the-strategic-merge-patch}
 
-你在前面的练习中所做的 patch 称为`策略性合并 patch（Strategic Merge Patch)`。
-请注意，patch 没有替换`containers` 列表。相反，它向列表中添加了一个新 Container。换句话说，
+你在前面的练习中所做的 patch 称为 `策略性合并 patch（Strategic Merge Patch）`。
+请注意，patch 没有替换 `containers` 列表。相反，它向列表中添加了一个新 Container。换句话说，
 patch 中的列表与现有列表合并。当你在列表中使用策略性合并 patch 时，并不总是这样。
 在某些情况下，列表是替换的，而不是合并的。
 
@@ -254,7 +254,7 @@ Patch your Deployment:
 对 Deployment 执行 patch 操作：
 
 ```
-kubectl patch deployment patch-demo --patch-file patch-file-tolerations.yaml"
+kubectl patch deployment patch-demo --patch-file patch-file-tolerations.yaml
 ```
 
 <!--
@@ -295,7 +295,7 @@ Notice that the `tolerations` list in the PodSpec was replaced, not merged. This
 the Tolerations field of PodSpec does not have a `patchStrategy` key in its field tag. So the
 strategic merge patch uses the default patch strategy, which is `replace`.
 -->
-请注意，PodSpec 中的 `tolerations` 列表被替换，而不是合并。这是因为 PodSpec 的 `tolerations` 
+请注意，PodSpec 中的 `tolerations` 列表被替换，而不是合并。这是因为 PodSpec 的 `tolerations`
 的字段标签中没有 `patchStrategy` 键。所以策略合并 patch 操作使用默认的 patch 策略，也就是 `replace`。
 
 ```go
@@ -313,7 +313,7 @@ With a JSON merge patch, if you
 want to update a list, you have to specify the entire new list. And the new list completely
 replaces the existing list.
 -->
-## 使用 JSON 合并 patch 更新 Deployment
+## 使用 JSON 合并 patch 更新 Deployment    {#use-a-json-merge-patch-to-update-a-deployment}
 
 策略性合并 patch 不同于 [JSON 合并 patch](https://tools.ietf.org/html/rfc7386)。
 使用 JSON 合并 patch，如果你想更新列表，你必须指定整个新列表。新的列表完全取代现有的列表。
@@ -324,11 +324,15 @@ The `kubectl patch` command has a `type` parameter that you can set to one of th
 `kubectl patch` 命令有一个 `type` 参数，你可以将其设置为以下值之一:
 
 <table>
-  <!-- tr><th>Parameter value</th><th>Merge type</th></tr -->
+  <!--
+  <tr><th>Parameter value</th><th>Merge type</th></tr>
+  -->
   <tr><th>参数值</th><th>合并类型</th></tr>
   <tr><td>json</td><td><a href="https://tools.ietf.org/html/rfc6902">JSON Patch, RFC 6902</a></td></tr>
   <tr><td>merge</td><td><a href="https://tools.ietf.org/html/rfc7386">JSON Merge Patch, RFC 7386</a></td></tr>
-  <!-- tr><td>strategic</td><td>Strategic merge patch</td></tr -->
+  <!--
+  <tr><td>strategic</td><td>Strategic merge patch</td></tr>
+  -->
   <tr><td>strategic</td><td>策略合并 patch</td></tr>
 </table>
 
@@ -382,7 +386,7 @@ kubectl get deployment patch-demo --output yaml
 The `containers` list that you specified in the patch has only one Container.
 The output shows that your list of one Container replaced the existing `containers` list.
 -->
-patch 中指定的`containers`列表只有一个 Container。
+patch 中指定的 `containers` 列表只有一个 Container。
 输出显示你所给出的 Contaier 列表替换了现有的 `containers` 列表。
 
 ```yaml
@@ -406,7 +410,7 @@ kubectl get pods
 In the output, you can see that the existing Pods were terminated, and new Pods
 were created. The `1/1` indicates that each new Pod is running only one Container.
 -->
-在输出中，你可以看到已经终止了现有的 Pod，并创建了新的 Pod。`1/1` 表示每个新 Pod只运行一个容器。
+在输出中，你可以看到已经终止了现有的 Pod，并创建了新的 Pod。`1/1` 表示每个新 Pod 只运行一个容器。
 
 ```shell
 NAME                          READY     STATUS    RESTARTS   AGE
@@ -419,11 +423,13 @@ patch-demo-1307768864-c86dc   1/1       Running   0          1m
 
 Here's the configuration file for a Deployment that uses the `RollingUpdate` strategy:
 -->
-## 使用带 retainKeys 策略的策略合并 patch 更新 Deployment
+## 使用带 retainKeys 策略的策略合并 patch 更新 Deployment    {#use-strategic-merge-patch-to-update-a-deployment-using-the-retainkeys-strategy}
 
 {{< codenew file="application/deployment-retainkeys.yaml" >}}
 
-<!-- Create the deployment: -->
+<!--
+Create the deployment:
+-->
 创建 Deployment：
 
 ```shell
@@ -445,11 +451,13 @@ spec:
     type: Recreate
 ```
 
-<!-- Patch your Deployment: -->
+<!--
+Patch your Deployment:
+-->
 修补你的 Deployment:
 
 ```shell
-kubectl patch deployment patch-demo --patch-file patch-file.yaml
+kubectl patch deployment retainkeys-demo --type merge --patch-file patch-file-no-retainkeys.yaml
 ```
 
 <!--
@@ -458,7 +466,7 @@ In the output, you can see that it is not possible to set `type` as `Recreate` w
 在输出中，你可以看到，当 `spec.strategy.rollingUpdate` 已经拥有取值定义时，
 将其 `type` 设置为 `Recreate` 是不可能的。
 
-```shell
+```
 The Deployment "retainkeys-demo" is invalid: spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy `type` is 'Recreate'
 ```
 
@@ -491,10 +499,12 @@ Patch your Deployment again with this new patch:
 使用新的 patch 重新修补 Deployment：
 
 ```shell
-kubectl patch deployment retainkeys-demo --type merge --patch-file patch-file-no-retainkeys.yaml
+kubectl patch deployment retainkeys-demo --type merge --patch-file patch-file-retainkeys.yaml
 ```
 
-<!-- Examine the content of the Deployment: -->
+<!--
+Examine the content of the Deployment:
+-->
 检查 Deployment 的内容：
 
 ```shell
@@ -506,7 +516,7 @@ The output shows that the strategy object in the Deployment does not contain the
 -->
 输出显示 Deployment 中的 `strategy` 对象不再包含 `rollingUpdate` 键：
 
-```shell
+```yaml
 spec:
   strategy:
     type: Recreate
@@ -524,11 +534,11 @@ The patch you did in the preceding exercise is called a *strategic merge patch w
 - All of the missing fields will be cleared when patching.
 - All fields in the `$retainKeys` list must be a superset or the same as the fields present in the patch.
 -->
-### 关于使用 retainKeys 策略的策略合并 patch 操作的说明
+### 关于使用 retainKeys 策略的策略合并 patch 操作的说明    {#notes-on-the-strategic-merge-patch-using-the-retainkeys-strategy}
 
 在前文练习中所执行的称作 *带 `retainKeys` 策略的策略合并 patch（Strategic Merge
 Patch with retainKeys Strategy）*。
-这种方法引入了一种新的 `$retainKey` 指令，具有如下策略： 
+这种方法引入了一种新的 `$retainKey` 指令，具有如下策略：
 
 - 其中包含一个字符串列表；
 - 所有需要被保留的字段必须在 `$retainKeys` 列表中给出；
@@ -542,7 +552,7 @@ The `retainKeys` strategy does not work for all objects. It only works when the
 策略 `retainKeys` 并不能对所有对象都起作用。它仅对那些 Kubernetes 源码中
 `patchStrategy` 字段标志值包含 `retainKeys` 的字段有用。
 例如 `DeploymentSpec` 结构的 `Strategy` 字段就包含了 `patchStrategy` 为
-`retainKeys` 的标志。 
+`retainKeys` 的标志。
 
 ```go
 type DeploymentSpec struct {
@@ -580,7 +590,7 @@ And you can see the `retainKeys` strategy in the
 The `kubectl patch` command takes YAML or JSON. It can take the patch as a file or
 directly on the command line.
 -->
-## kubectl patch 命令的其他形式
+## kubectl patch 命令的其他形式    {#alternate-forms-of-the-kubectl-patch-command}
 
 `kubectl patch` 命令使用 YAML 或 JSON。它可以接受以文件形式提供的补丁，也可以
 接受直接在命令行中给出的补丁。
@@ -633,16 +643,15 @@ create the Deployment object. Other commands for updating API objects include
 and
 [kubectl apply](/docs/reference/generated/kubectl/kubectl-commands/#apply).
 -->
-## 总结
+## 总结    {#summary}
 
 在本练习中，你使用 `kubectl patch` 更改了 Deployment 对象的当前配置。
 你没有更改最初用于创建 Deployment 对象的配置文件。
 用于更新 API 对象的其他命令包括
-[`kubectl annotate`](/docs/reference/generated/kubectl/kubectl-commands/#annotate)，
-[`kubectl edit`](/docs/reference/generated/kubectl/kubectl-commands/#edit)，
-[`kubectl replace`](/docs/reference/generated/kubectl/kubectl-commands/#replace)，
-[`kubectl scale`](/docs/reference/generated/kubectl/kubectl-commands/#scale)，
-和
+[`kubectl annotate`](/docs/reference/generated/kubectl/kubectl-commands/#annotate)、
+[`kubectl edit`](/docs/reference/generated/kubectl/kubectl-commands/#edit)、
+[`kubectl replace`](/docs/reference/generated/kubectl/kubectl-commands/#replace)、
+[`kubectl scale`](/docs/reference/generated/kubectl/kubectl-commands/#scale) 和
 [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands/#apply)。
 
 
@@ -664,8 +673,8 @@ Strategic merge patch is not supported for custom resources.
 * [Imperative Management of Kubernetes Objects Using Configuration Files](/docs/tasks/manage-kubernetes-objects/imperative-config/)
 * [Declarative Management of Kubernetes Objects Using Configuration Files](/docs/tasks/manage-kubernetes-objects/declarative-config/)
 -->
-* [Kubernetes 对象管理](/zh/docs/concepts/overview/working-with-objects/object-management/)
-* [使用指令式命令管理 Kubernetes 对象](/zh/docs/tasks/manage-kubernetes-objects/imperative-command/)
-* [使用配置文件执行 Kubernetes 对象的指令式管理](/zh/docs/tasks/manage-kubernetes-objects/imperative-config)
-* [使用配置文件对 Kubernetes 对象进行声明式管理](/zh/docs/tasks/manage-kubernetes-objects/declarative-config/)
+* [Kubernetes 对象管理](/zh-cn/docs/concepts/overview/working-with-objects/object-management/)
+* [使用指令式命令管理 Kubernetes 对象](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/)
+* [使用配置文件执行 Kubernetes 对象的指令式管理](/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config)
+* [使用配置文件对 Kubernetes 对象进行声明式管理](/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/)
 
diff --git a/content/zh/docs/tasks/network/_index.md b/content/zh-cn/docs/tasks/network/_index.md
similarity index 100%
rename from content/zh/docs/tasks/network/_index.md
rename to content/zh-cn/docs/tasks/network/_index.md
diff --git a/content/zh/docs/tasks/network/customize-hosts-file-for-pods.md b/content/zh-cn/docs/tasks/network/customize-hosts-file-for-pods.md
similarity index 100%
rename from content/zh/docs/tasks/network/customize-hosts-file-for-pods.md
rename to content/zh-cn/docs/tasks/network/customize-hosts-file-for-pods.md
diff --git a/content/zh/docs/tasks/network/validate-dual-stack.md b/content/zh-cn/docs/tasks/network/validate-dual-stack.md
similarity index 96%
rename from content/zh/docs/tasks/network/validate-dual-stack.md
rename to content/zh-cn/docs/tasks/network/validate-dual-stack.md
index 0002356993057..bf490460505ff 100644
--- a/content/zh/docs/tasks/network/validate-dual-stack.md
+++ b/content/zh-cn/docs/tasks/network/validate-dual-stack.md
@@ -21,15 +21,15 @@ This document shares how to validate IPv4/IPv6 dual-stack enabled Kubernetes clu
 
 <!--
 * Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide Kubernetes nodes with routable IPv4/IPv6 network interfaces)
-* A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports dual-stack (such as Calico, Cilium or Kubenet)
+* A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports dual-stack networking.
 * [Dual-stack enabled](/docs/concepts/services-networking/dual-stack/) cluster
 -->
 * 提供程序对双协议栈网络的支持 (云供应商或其他方式必须能够为 Kubernetes 节点
   提供可路由的 IPv4/IPv6 网络接口)
-* 一个能够支持[双协议栈](/zh/docs/concepts/services-networking/dual-stack/)的
-  [网络插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)，
-  （如 Calico，Cilium 或 Kubenet）。 
-* [启用双协议栈](/zh/docs/concepts/services-networking/dual-stack/) 集群
+* 一个能够支持[双协议栈](/zh-cn/docs/concepts/services-networking/dual-stack/)的
+  [网络插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)。
+  
+* [启用双协议栈](/zh-cn/docs/concepts/services-networking/dual-stack/) 集群
 
 {{< version-check >}}
 
diff --git a/content/zh/docs/tasks/run-application/_index.md b/content/zh-cn/docs/tasks/run-application/_index.md
similarity index 100%
rename from content/zh/docs/tasks/run-application/_index.md
rename to content/zh-cn/docs/tasks/run-application/_index.md
diff --git a/content/zh/docs/tasks/run-application/access-api-from-pod.md b/content/zh-cn/docs/tasks/run-application/access-api-from-pod.md
similarity index 95%
rename from content/zh/docs/tasks/run-application/access-api-from-pod.md
rename to content/zh-cn/docs/tasks/run-application/access-api-from-pod.md
index fbb6c714cc8d8..aa1809c672994 100644
--- a/content/zh/docs/tasks/run-application/access-api-from-pod.md
+++ b/content/zh-cn/docs/tasks/run-application/access-api-from-pod.md
@@ -40,7 +40,7 @@ one of the official [client libraries](/docs/reference/using-api/client-librarie
 libraries can automatically discover the API server and authenticate.
 -->
 从 Pod 使用 Kubernetes API 的最简单的方法就是使用官方的
-[客户端库](/zh/docs/reference/using-api/client-libraries/)。
+[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)。
 这些库可以自动发现 API 服务器并进行身份验证。
 
 <!--
@@ -73,7 +73,7 @@ securely with the API server.
   函数 `config.load_incluster_config()` 自动处理 API 主机的发现和身份认证。
   参见[这里的一个例子](https://github.com/kubernetes-client/python/blob/master/examples/in_cluster_config.py)。
 
-- 还有一些其他可用的客户端库，请参阅[客户端库](/zh/docs/reference/using-api/client-libraries/)页面。
+- 还有一些其他可用的客户端库，请参阅[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)页面。
 
 在以上场景中，客户端库都使用 Pod 的服务账号凭据来与 API 服务器安全地通信。
 
@@ -100,7 +100,7 @@ service account is placed into the filesystem tree of each container in that Pod
 at `/var/run/secrets/kubernetes.io/serviceaccount/token`.
 -->
 向 API 服务器进行身份认证的推荐做法是使用
-[服务账号](/zh/docs/tasks/configure-pod-container/configure-service-account/)凭据。
+[服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)凭据。
 默认情况下，每个 Pod 与一个服务账号关联，该服务账户的凭证（令牌）放置在此 Pod 中
 每个容器的文件系统树中的 `/var/run/secrets/kubernetes.io/serviceaccount/token` 处。
 
@@ -132,7 +132,7 @@ in the Pod can use it directly.
 #### 使用 kubectl proxy   {#use-kubectl-proxy}
 
 如果你希望不使用官方客户端库就完成 API 查询，可以将 `kubectl proxy` 作为
-[command](/zh/docs/tasks/inject-data-application/define-command-argument-container/)
+[command](/zh-cn/docs/tasks/inject-data-application/define-command-argument-container/)
 在 Pod 中启动一个边车（Sidecar）容器。这样，`kubectl proxy` 自动完成对 API
 的身份认证，并将其暴露到 Pod 的 `localhost` 接口，从而 Pod 中的其他容器可以
 直接使用 API。
diff --git a/content/zh/docs/tasks/run-application/configure-pdb.md b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
similarity index 97%
rename from content/zh/docs/tasks/run-application/configure-pdb.md
rename to content/zh-cn/docs/tasks/run-application/configure-pdb.md
index df3d9383a5fa9..507c636784dde 100644
--- a/content/zh/docs/tasks/run-application/configure-pdb.md
+++ b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
@@ -37,9 +37,9 @@ nodes.
   Pod Disruption Budgets.
 -->
 * 你是 Kubernetes 集群中某应用的所有者，该应用有高可用要求。
-* 你应了解如何部署[无状态应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)
-  和/或[有状态应用](/zh/docs/tasks/run-application/run-replicated-stateful-application/)。
-* 你应当已经阅读过关于 [Pod 干扰](/zh/docs/concepts/workloads/pods/disruptions/) 的文档。
+* 你应了解如何部署[无状态应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)
+  和/或[有状态应用](/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/)。
+* 你应当已经阅读过关于 [Pod 干扰](/zh-cn/docs/concepts/workloads/pods/disruptions/) 的文档。
 * 用户应当与集群所有者或服务提供者确认其遵从 Pod 干扰预算（Pod Disruption Budgets）的规则。
 
 <!-- steps -->
@@ -87,7 +87,7 @@ selector goes into the PDBs `.spec.selector`.
 From version 1.15 PDBs support custom controllers where the [scale subresource](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource) is enabled.
 -->
 从 1.15 版本开始，PDB 支持启用
-[scale 子资源](/zh/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)
+[scale 子资源](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)
 的自定义控制器。
 
 <!--
diff --git a/content/zh/docs/tasks/run-application/delete-stateful-set.md b/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
similarity index 94%
rename from content/zh/docs/tasks/run-application/delete-stateful-set.md
rename to content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
index 35eb55abcdf42..6008d0d2efeae 100644
--- a/content/zh/docs/tasks/run-application/delete-stateful-set.md
+++ b/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
@@ -97,7 +97,7 @@ Deleting the Pods in a StatefulSet will not delete the associated volumes. This
 ### 持久卷  {#persistent-volumes}
 
 删除 StatefulSet 管理的 Pod 并不会删除关联的卷。这是为了确保你有机会在删除卷之前从卷中复制数据。
-在 Pod 离开[终止状态](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)
+在 Pod 离开[终止状态](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)
 后删除 PVC 可能会触发删除背后的 PV 持久卷，具体取决于存储类和回收策略。
 永远不要假定在 PVC 删除后仍然能够访问卷。
 
@@ -140,13 +140,13 @@ If you find that some pods in your StatefulSet are stuck in the 'Terminating' or
 如果你发现 StatefulSet 的某些 Pod 长时间处于 'Terminating' 或者 'Unknown' 状态，
 则可能需要手动干预以强制从 API 服务器中删除这些 Pod。
 这是一项有点危险的任务。详细信息请阅读
-[删除 StatefulSet 类型的 Pods](/zh/docs/tasks/run-application/force-delete-stateful-set-pod/)。
+[删除 StatefulSet 类型的 Pods](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
 Learn more about [force deleting StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/).
 -->
-进一步了解[强制删除 StatefulSet 的 Pods](/zh/docs/tasks/run-application/force-delete-stateful-set-pod/)。
+进一步了解[强制删除 StatefulSet 的 Pods](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)。
 
 
diff --git a/content/zh/docs/tasks/run-application/force-delete-stateful-set-pod.md b/content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md
similarity index 94%
rename from content/zh/docs/tasks/run-application/force-delete-stateful-set-pod.md
rename to content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md
index 40f48886a648b..c23703f8ffd33 100644
--- a/content/zh/docs/tasks/run-application/force-delete-stateful-set-pod.md
+++ b/content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md
@@ -41,7 +41,7 @@ In normal operation of a StatefulSet, there is **never** a need to force delete
 ## StatefulSet 注意事项
 
 在 StatefulSet 的正常操作中，**永远不**需要强制删除 StatefulSet 管理的 Pod。
-[StatefulSet 控制器](/zh/docs/concepts/workloads/controllers/statefulset/)负责创建、
+[StatefulSet 控制器](/zh-cn/docs/concepts/workloads/controllers/statefulset/)负责创建、
 扩缩和删除 StatefulSet 管理的 Pods。它尝试确保指定数量的从序数 0 到 N-1 的 Pod
 处于活跃状态并准备就绪。StatefulSet 确保在任何时候，集群中最多只有一个具有给定标识的 Pod。
 这就是所谓的由 StatefulSet 提供的*最多一个（At Most One）*的语义。
@@ -73,7 +73,7 @@ For the above to lead to graceful termination, the Pod **must not** specify a `p
 为了让上面操作能够体面地终止 Pod，Pod **一定不能** 设置 `pod.Spec.TerminationGracePeriodSeconds` 为 0。
 将 `pod.Spec.TerminationGracePeriodSeconds` 设置为 0s 的做法是不安全的，强烈建议 StatefulSet 类型的
 Pod 不要使用。体面删除是安全的，并且会在 kubelet 从 API 服务器中删除资源名称之前确保
-[体面地结束 pod ](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
+[体面地结束 pod ](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)。
 
 <!--
 A Pod is not deleted automatically when a Node is unreachable.
@@ -85,7 +85,7 @@ The only ways in which a Pod in such a state can be removed from the apiserver a
 -->
 当某个节点不可达时，不会引发自动删除 Pod。
 在无法访问的节点上运行的 Pod 在
-[超时](/zh/docs/concepts/architecture/nodes/#condition)
+[超时](/zh-cn/docs/concepts/architecture/nodes/#condition)
 后会进入'Terminating' 或者 'Unknown' 状态。
 当用户尝试体面地删除无法访问的节点上的 Pod 时 Pod 也可能会进入这些状态。
 从 API 服务器上删除处于这些状态 Pod 的仅有可行方法如下：
@@ -95,7 +95,7 @@ The only ways in which a Pod in such a state can be removed from the apiserver a
    * The kubelet on the unresponsive Node starts responding, kills the Pod and removes the entry from the apiserver.<br/>
    * Force deletion of the Pod by the user.
 -->
-* 删除 Node 对象（要么你来删除, 要么[节点控制器](/zh/docs/concepts/architecture/nodes/#node-controller)
+* 删除 Node 对象（要么你来删除, 要么[节点控制器](/zh-cn/docs/concepts/architecture/nodes/#node-controller)
   来删除）
 * 无响应节点上的 kubelet 开始响应，杀死 Pod 并从 API 服务器上移除 Pod 对象
 * 用户强制删除 pod
@@ -169,8 +169,8 @@ Always perform force deletion of StatefulSet Pods carefully and with complete kn
 ## {{% heading "whatsnext" %}}
 
 <!--
-Learn more about [debugging a StatefulSet](/docs/tasks/debug-application-cluster/debug-stateful-set/).
+Learn more about [debugging a StatefulSet](/docs/tasks/debug/debug-application/debug-statefulset/).
 -->
-进一步了解[调试 StatefulSet](/zh/docs/tasks/debug-application-cluster/debug-stateful-set/)。
+进一步了解[调试 StatefulSet](/zh-cn/docs/tasks/debug/debug-application/debug-statefulset/)。
 
 
diff --git a/content/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md b/content/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
similarity index 62%
rename from content/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
rename to content/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
index d11843826c1a9..6c7b3f5e1bca4 100644
--- a/content/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
+++ b/content/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md
@@ -1,7 +1,8 @@
 ---
-title: Horizontal Pod Autoscaler 演练
+title: HorizontalPodAutoscaler 演练
 content_type: task
 weight: 100
+min-kubernetes-server-version: 1.23
 ---
 
 <!--
@@ -18,84 +19,106 @@ weight: 100
 <!-- overview -->
 
 <!--
-Horizontal Pod Autoscaler automatically scales the number of pods
-in a replication controller, deployment or replica set or statefulset based on observed CPU utilization
-(or, with beta support, on some other, application-provided metrics).
+A [HorizontalPodAutoscaler](/docs/tasks/run-application/horizontal-pod-autoscale/)
+(HPA for short)
+automatically updates a workload resource (such as
+a {{< glossary_tooltip text="Deployment" term_id="deployment" >}} or
+{{< glossary_tooltip text="StatefulSet" term_id="statefulset" >}}), with the
+aim of automatically scaling the workload to match demand.
+
+Horizontal scaling means that the response to increased load is to deploy more
+{{< glossary_tooltip text="Pods" term_id="pod" >}}.
+This is different from _vertical_ scaling, which for Kubernetes would mean
+assigning more resources (for example: memory or CPU) to the Pods that are already
+running for the workload.
 -->
-Horizontal Pod Autoscaler 可以根据 CPU 利用率自动扩缩 ReplicationController、
-Deployment、ReplicaSet 或 StatefulSet 中的 Pod 数量
-（也可以基于其他应用程序提供的度量指标，目前这一功能处于 beta 版本）。
+[HorizontalPodAutoscaler](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/) （简称 HPA ）
+自动更新工作负载资源（例如 {{< glossary_tooltip text="Deployment" term_id="deployment" >}} 或者
+{{< glossary_tooltip text="StatefulSet" term_id="statefulset" >}}），
+目的是自动扩缩工作负载以满足需求。
+
+水平扩缩意味着对增加的负载的响应是部署更多的 {{< glossary_tooltip text="Pods" term_id="pod" >}}。
+这与 “垂直（Vertical）” 扩缩不同，对于 Kubernetes，
+垂直扩缩意味着将更多资源（例如：内存或 CPU）分配给已经为工作负载运行的 Pod。
 
 <!--
-This document walks you through an example of enabling Horizontal Pod Autoscaler for the php-apache server.
-For more information on how Horizontal Pod Autoscaler behaves, see the
-[Horizontal Pod Autoscaler user guide](/docs/tasks/run-application/horizontal-pod-autoscale/).
+If the load decreases, and the number of Pods is above the configured minimum,
+the HorizontalPodAutoscaler instructs the workload resource (the Deployment, StatefulSet,
+or other similar resource) to scale back down.
+
+This document walks you through an example of enabling HorizontalPodAutoscaler to
+automatically manage scale for an example web app. This example workload is Apache
+httpd running some PHP code.
 -->
-本文将引领你了解如何为 php-apache 服务器配置和使用 Horizontal Pod Autoscaler。
-与 Horizontal Pod Autoscaler 相关的更多信息请参阅
-[Horizontal Pod Autoscaler 用户指南](/zh/docs/tasks/run-application/horizontal-pod-autoscale/)。
+如果负载减少，并且 Pod 的数量高于配置的最小值，
+HorizontalPodAutoscaler 会指示工作负载资源（ Deployment、StatefulSet 或其他类似资源）缩减。
+
+本文档将引导你完成启用 HorizontalPodAutoscaler 以自动管理示例 Web 应用程序的扩缩的示例。
+此示例工作负载是运行一些 PHP 代码的 Apache httpd。
 
 ## {{% heading "prerequisites" %}}
 
+{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+
+<!--
+If you're running an older
+release of Kubernetes, refer to the version of the documentation for that release (see
+[available documentation versions](/docs/home/supported-doc-versions/)).
+-->
+如果你运行的是旧版本的 Kubernetes，请参阅该版本的文档版本
+（[可用的文档版本](/zh-cn/docs/home/supported-doc-versions/)）。
+
 <!--
-This example requires a running Kubernetes cluster and kubectl, version 1.2 or later.
-[metrics-server](https://github.com/kubernetes-incubator/metrics-server/) monitoring needs to be deployed
-in the cluster to provide metrics through the [Metrics API](https://github.com/kubernetes/metrics).
-Horizontal Pod Autoscaler uses this API to collect metrics. To learn how to deploy the metrics-server,
-see the [metrics-server documentation](https://github.com/kubernetes-sigs/metrics-server#deployment).
--->
-本文示例需要一个运行中的 Kubernetes 集群以及 kubectl，版本为 1.2 或更高。
-[Metrics 服务器](https://github.com/kubernetes-incubator/metrics-server/)
-需要被部署到集群中，以便通过 [Metrics API](https://github.com/kubernetes/metrics)
-提供度量数据。
-Horizontal Pod Autoscaler 根据此 API 来获取度量数据。
-要了解如何部署 metrics-server，请参考
-[metrics-server 文档](https://github.com/kubernetes-incubator/metrics-server/) 。
-
-<!--
-To specify multiple resource metrics for a Horizontal Pod Autoscaler, you must have a
-Kubernetes cluster and kubectl at version 1.6 or later. To make use of custom metrics, your cluster
-must be able to communicate with the API server providing the custom metrics API.
-Finally, to use metrics not related to any Kubernetes object you must have a
-Kubernetes cluster at version 1.10 or later, and you must be able to communicate with
-the API server that provides the external metrics API.
-See the [Horizontal Pod Autoscaler user guide](/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics) for more details.
--->
-如果需要为 Horizontal Pod Autoscaler 指定多种资源度量指标，你的 Kubernetes
-集群以及 kubectl 至少需要达到 1.6 版本。 
-此外，如果要使用自定义度量指标，你的 Kubernetes 集群还必须能够与提供这些自定义指标
-的 API 服务器通信。
-最后，如果要使用与 Kubernetes 对象无关的度量指标，则 Kubernetes 集群版本至少需要
-达到 1.10 版本，同样，需要保证集群能够与提供这些外部指标的 API 服务器通信。
-更多详细信息，请参阅
-[Horizontal Pod Autoscaler 用户指南](/zh/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics)。
+To follow this walkthrough, you also need to use a cluster that has a
+[Metrics Server](https://github.com/kubernetes-sigs/metrics-server#readme) deployed and configured.
+The Kubernetes Metrics Server collects resource metrics from
+the {{<glossary_tooltip term_id="kubelet" text="kubelets">}} in your cluster, and exposes those metrics
+through the [Kubernetes API](/docs/concepts/overview/kubernetes-api/),
+using an [APIService](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) to add
+new kinds of resource that represent metric readings.
+
+To learn how to deploy the Metrics Server, see the
+[metrics-server documentation](https://github.com/kubernetes-sigs/metrics-server#deployment).
+-->
+按照本演练进行操作，你需要一个部署并配置了
+[Metrics Server](https://github.com/kubernetes-sigs/metrics-server#readme) 的集群。
+Kubernetes Metrics Server 从集群中的 {{<glossary_tooltip term_id="kubelet" text="kubelets">}} 收集资源指标，
+并通过 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/) 公开这些指标，
+使用 [APIService](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) 添加代表指标读数的新资源。
+
+要了解如何部署 Metrics Server，请参阅
+[metrics-server 文档](https://github.com/kubernetes-sigs/metrics-server#deployment)。
 
 <!-- steps -->
 
 <!--
-## Run & expose php-apache server
+## Run and expose php-apache server
 -->
-## 运行 php-apache 服务器并暴露服务
+## 运行 php-apache 服务器并暴露服务 {#run-and-expose-php-apache-server}
 
 <!--
-To demonstrate Horizontal Pod Autoscaler we will use a custom docker image based on the php-apache image.
-The Dockerfile has the following content:
+To demonstrate a HorizontalPodAutoscaler, you will first make a custom container image that uses
+the `php-apache` image from Docker Hub as its starting point. The `Dockerfile` is ready-made for you,
+and has the following content:
 -->
-为了演示 Horizontal Pod Autoscaler，我们将使用一个基于 php-apache 镜像的
-定制 Docker 镜像。Dockerfile 内容如下： 
+为了演示 HorizontalPodAutoscaler，你将首先制作一个自定义容器镜像，
+该镜像使用来自 Docker Hub 的 `php-apache` 镜像作为其起点。
+`Dockerfile` 已经为你准备好了，内容如下：
 
-```
+```dockerfile
 FROM php:5-apache
 COPY index.php /var/www/html/index.php
 RUN chmod a+rx index.php
 ```
 
 <!--
-It defines an index.php page which performs some CPU intensive computations:
+This code defines a simple `index.php` page that performs some CPU intensive computations,
+in order to simulate load in your cluster.
 -->
-该文件定义了一个 index.php 页面来执行一些 CPU 密集型计算：
+代码定义了一个简单的 `index.php` 页面，该页面执行一些 CPU 密集型计算，
+以模拟集群中的负载。
 
-```
+```php
 <?php
   $x = 0.0001;
   for ($i = 0; $i <= 1000000; $i++) {
@@ -106,17 +129,19 @@ It defines an index.php page which performs some CPU intensive computations:
 ```
 
 <!--
-First, we will start a deployment running the image and expose it as a service
-using the following configuration:
+Once you have made that container image, start a Deployment that runs a container using the
+image you made, and expose it as a {{< glossary_tooltip term_id="service">}}
+using the following manifest:
 -->
-首先，我们使用下面的配置启动一个 Deployment 来运行这个镜像并暴露一个服务：
+制作完该容器镜像后，使用你制作的镜像启动运行一个容器的 Deployment，
+并使用以下清单将其公开为{{< glossary_tooltip term_id="service" text="服务" >}}：
 
 {{< codenew file="application/php-apache.yaml" >}}
 
 <!--
-Run the following command:
+To do so, run the following command:
 -->
-运行下面的命令：
+为此，运行下面的命令：
 
 ```shell
 kubectl apply -f https://k8s.io/examples/application/php-apache.yaml
@@ -128,28 +153,46 @@ service/php-apache created
 ```
 
 <!--
-## Create Horizontal Pod Autoscaler
+## Create the HorizontalPodAutoscaler {#create-horizontal-pod-autoscaler}
+
+Now that the server is running, create the autoscaler using `kubectl`. There is
+[`kubectl autoscale`](/docs/reference/generated/kubectl/kubectl-commands#autoscale) subcommand,
+part of `kubectl`, that helps you do this.
+
+You will shortly run a command that creates a HorizontalPodAutoscaler that maintains
+between 1 and 10 replicas of the Pods controlled by the php-apache Deployment that
+you created in the first step of these instructions.
+
+Roughly speaking, the HPA {{<glossary_tooltip text="controller" term_id="controller">}} will increase and decrease
+the number of replicas (by updating the Deployment) to maintain an average CPU utilization across all Pods of 50%.
+The Deployment then updates the ReplicaSet - this is part of how all Deployments work in Kubernetes -
+and then the ReplicaSet either adds or removes Pods based on the change to its `.spec`.
 
-Now that the server is running, we will create the autoscaler using
-[kubectl autoscale](/docs/reference/generated/kubectl/kubectl-commands#autoscale).
-The following command will create a Horizontal Pod Autoscaler that maintains between 1 and 10 replicas of the Pods
-controlled by the php-apache deployment we created in the first step of these instructions.
-Roughly speaking, HPA will increase and decrease the number of replicas
-(via the deployment) to maintain an average CPU utilization across all Pods of 50%.
 Since each pod requests 200 milli-cores by `kubectl run`, this means an average CPU usage of 100 milli-cores.
-See [here](/docs/tasks/run-application/horizontal-pod-autoscale/#algorithm-details) for more details on the algorithm.
+See [Algorithm details](/docs/tasks/run-application/horizontal-pod-autoscale/#algorithm-details) for more details
+on the algorithm.
 -->
-## 创建 Horizontal Pod Autoscaler  {#create-horizontal-pod-autoscaler}
+## 创建 HorizontalPodAutoscaler  {#create-horizontal-pod-autoscaler}
+
+现在服务器正在运行，使用 `kubectl` 创建自动扩缩器。
+[`kubectl autoscale`](/docs/reference/generated/kubectl/kubectl-commands#autoscale) 子命令是 `kubectl` 的一部分，
+可以帮助你执行此操作。
+
+你将很快运行一个创建 HorizontalPodAutoscaler 的命令，
+该 HorizontalPodAutoscaler 维护由你在这些说明的第一步中创建的 php-apache Deployment 控制的 Pod 存在 1 到 10 个副本。
 
-现在，php-apache 服务器已经运行，我们将通过
-[kubectl autoscale](/docs/reference/generated/kubectl/kubectl-commands#autoscale)
-命令创建 Horizontal Pod Autoscaler。 
-以下命令将创建一个 Horizontal Pod Autoscaler 用于控制我们上一步骤中创建的
-Deployment，使 Pod 的副本数量维持在 1 到 10 之间。
-大致来说，HPA 将（通过 Deployment）增加或者减少 Pod 副本的数量以保持所有 Pod
-的平均 CPU 利用率在 50% 左右。由于每个 Pod 请求 200 毫核的 CPU，这意味着平均
-CPU 用量为 100 毫核。
-算法的详情请参阅[相关文档](/zh/docs/tasks/run-application/horizontal-pod-autoscale/#algorithm-details)。
+粗略地说，HPA {{<glossary_tooltip text="控制器" term_id="controller">}}将增加和减少副本的数量
+（通过更新 Deployment）以保持所有 Pod 的平均 CPU 利用率为 50%。
+Deployment 然后更新 ReplicaSet —— 这是所有 Deployment 在 Kubernetes 中工作方式的一部分 ——
+然后 ReplicaSet 根据其 `.spec` 的更改添加或删除 Pod。
+
+由于每个 Pod 通过 `kubectl run` 请求 200 milli-cores，这意味着平均 CPU 使用率为 100 milli-cores。
+有关算法的更多详细信息，
+请参阅[算法详细信息](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/#algorithm-details)。
+
+
+<!-- Create the HorizontalPodAutoscaler: -->
+创建 HorizontalPodAutoscaler：
 
 ```shell
 kubectl autoscale deployment php-apache --cpu-percent=50 --min=1 --max=10
@@ -160,14 +203,19 @@ horizontalpodautoscaler.autoscaling/php-apache autoscaled
 ```
 
 <!--
-We may check the current status of autoscaler by running:
+You can check the current status of the newly-made HorizontalPodAutoscaler, by running:
 -->
-我们可以通过以下命令查看 Autoscaler 的状态：
+你可以通过运行以下命令检查新制作的 HorizontalPodAutoscaler 的当前状态：
 
+<!--# You can use "hpa" or "horizontalpodautoscaler"; either name works OK. -->
 ```shell
+# 你可以使用 “hap” 或 “horizontalpodautoscaler”；任何一个名字都可以。
 kubectl get hpa
 ```
 
+<!-- The output is similar to: -->
+输出类似于：
+
 ```
 NAME         REFERENCE                     TARGET    MINPODS   MAXPODS   REPLICAS   AGE
 php-apache   Deployment/php-apache/scale   0% / 50%  1         10        1          18s
@@ -175,42 +223,71 @@ php-apache   Deployment/php-apache/scale   0% / 50%  1         10        1
 ```
 
 <!--
-Please note that the current CPU consumption is 0% as we are not sending any requests to the server
-(the ``CURRENT`` column shows the average across all the pods controlled by the corresponding deployment).
+(if you see other HorizontalPodAutoscalers with different names, that means they already existed,
+and isn't usually a problem).
+-->
+（如果你看到其他具有不同名称的 HorizontalPodAutoscalers，这意味着它们已经存在，这通常不是问题）。
+
+<!--
+Please note that the current CPU consumption is 0% as there are no clients sending requests to the server
+(the ``TARGET`` column shows the average across all the Pods controlled by the corresponding deployment).
 -->
 请注意当前的 CPU 利用率是 0%，这是由于我们尚未发送任何请求到服务器
-（``CURRENT`` 列显示了相应 Deployment 所控制的所有 Pod 的平均 CPU 利用率）。
+（``TARGET`` 列显示了相应 Deployment 所控制的所有 Pod 的平均 CPU 利用率）。
 
 <!--
-## Increase load
+## Increase the load {#increase-load}
 
-Now, we will see how the autoscaler reacts to increased load.
-We will start a container, and send an infinite loop of queries to the php-apache service (please run it in a different terminal):
+Next, see how the autoscaler reacts to increased load.
+To do this, you'll start a different Pod to act as a client. The container within the client Pod
+runs in an infinite loop, sending queries to the php-apache service.
 -->
 ## 增加负载  {#increase-load}
 
-现在，我们将看到 Autoscaler 如何对增加负载作出反应。 
-我们将启动一个容器，并通过一个循环向 php-apache 服务器发送无限的查询请求
-（请在另一个终端中运行以下命令）：
+接下来，看看自动扩缩器如何对增加的负载做出反应。
+为此，你将启动一个不同的 Pod 作为客户端。
+客户端 Pod 中的容器在无限循环中运行，向 php-apache 服务发送查询。
 
+<!--
+# Run this in a separate terminal
+# so that the load generation continues and you can carry on with the rest of the steps
+-->
 ```shell
-kubectl run -i --tty load-generator --rm --image=busybox --restart=Never -- /bin/sh -c "while sleep 0.01; do wget -q -O- http://php-apache; done"
+# 在单独的终端中运行它
+# 以便负载生成继续，你可以继续执行其余步骤
+kubectl run -i --tty load-generator --rm --image=busybox:1.28 --restart=Never -- /bin/sh -c "while sleep 0.01; do wget -q -O- http://php-apache; done"
 ```
 
 <!--
-Within a minute or so, we should see the higher CPU load by executing:
+Now run:
+
+Within a minute or so, you should see the higher CPU load; for example:
 -->
-一分钟时间左右之后，通过以下命令，我们可以看到 CPU 负载升高了：
+现在执行：
 
+<!-- # type Ctrl+C to end the watch when you're ready -->
 ```shell
-kubectl get hpa
+# 准备好后按 Ctrl+C 结束观察
+kubectl get hpa php-apache --watch
 ```
 
+一分钟时间左右之后，通过以下命令，我们可以看到 CPU 负载升高了；例如：
+
 ```
 NAME         REFERENCE                     TARGET      MINPODS   MAXPODS   REPLICAS   AGE
 php-apache   Deployment/php-apache/scale   305% / 50%  1         10        1          3m
 ```
 
+<!--
+and then, more replicas. For example:
+-->
+然后，更多的副本被创建。例如：
+
+```
+NAME         REFERENCE                     TARGET      MINPODS   MAXPODS   REPLICAS   AGE
+php-apache   Deployment/php-apache/scale   305% / 50%  1         10        7          3m
+```
+
 <!--
 Here, CPU consumption has increased to 305% of the request.
 As a result, the deployment was resized to 7 replicas:
@@ -222,6 +299,11 @@ As a result, the deployment was resized to 7 replicas:
 kubectl get deployment php-apache
 ```
 
+<!--
+You should see the replica count matching the figure from the HorizontalPodAutoscaler
+-->
+你应该会看到与 HorizontalPodAutoscaler 中的数字与副本数匹配
+
 ```
 NAME         READY   UP-TO-DATE   AVAILABLE   AGE
 php-apache   7/7      7           7           19m
@@ -238,32 +320,40 @@ will differ from this example.
 {{< /note >}}
 
 <!--
-## Stop load
+## Stop generating load {#stop-load}
 
-We will finish our example by stopping the user load.
+To finish the example, stop sending the load.
 
-In the terminal where we created the container with `busybox` image, terminate
+In the terminal where you created the Pod that runs a `busybox` image, terminate
 the load generation by typing `<Ctrl> + C`.
 
-Then we will verify the result state (after a minute or so):
+Then verify the result state (after a minute or so):
 -->
-## 停止负载
+## 停止产生负载 {#stop-load}
 
-我们将通过停止负载来结束我们的示例。
+要完成该示例，请停止发送负载。
 
-在我们创建 busybox 容器的终端中，输入`<Ctrl> + C` 来终止负载的产生。
+在我们创建 `busybox` 容器的终端中，输入 `<Ctrl> + C` 来终止负载的产生。
 
-然后我们可以再次检查负载状态（等待几分钟时间）：
+然后验证结果状态（大约一分钟后）：
 
+<!-- # type Ctrl+C to end the watch when you're ready -->
 ```shell
-kubectl get hpa
+# 准备好后按 Ctrl+C 结束观察
+kubectl get hpa php-apache --watch
 ```
 
+<!-- The output is similar to: -->
+输出类似于：
+
 ```
 NAME         REFERENCE                     TARGET       MINPODS   MAXPODS   REPLICAS   AGE
 php-apache   Deployment/php-apache/scale   0% / 50%     1         10        1          11m
 ```
 
+<!-- and the Deployment also shows that it has scaled down: -->
+Deployment 也显示它已经缩小了：
+
 ```shell
 kubectl get deployment php-apache
 ```
@@ -274,16 +364,14 @@ php-apache   1/1     1            1           27m
 ```
 
 <!--
-Here CPU utilization dropped to 0, and so HPA autoscaled the number of replicas back down to 1.
+Once CPU utilization dropped to 0, the HPA automatically scaled the number of replicas back down to 1.
 -->
-这时，CPU 利用率已经降到 0，所以 HPA 将自动缩减副本数量至 1。
+一旦 CPU 利用率降至 0，HPA 会自动将副本数缩减为 1。
 
 <!--
 Autoscaling the replicas may take a few minutes.
 -->
-{{< note >}}
 自动扩缩完成副本数量的改变可能需要几分钟的时间。
-{{< /note >}}
 
 <!-- discussion -->
 
@@ -291,17 +379,17 @@ Autoscaling the replicas may take a few minutes.
 ## Autoscaling on multiple metrics and custom metrics
 
 You can introduce additional metrics to use when autoscaling the `php-apache` Deployment
-by making use of the `autoscaling/v2beta2` API version.
+by making use of the `autoscaling/v2` API version.
 -->
 ## 基于多项度量指标和自定义度量指标自动扩缩 {#autoscaling-on-multiple-metrics-and-custom-metrics}
 
-利用 `autoscaling/v2beta2` API 版本，你可以在自动扩缩 php-apache 这个
+利用 `autoscaling/v2` API 版本，你可以在自动扩缩 php-apache 这个
 Deployment 时使用其他度量指标。
 
 <!--
-First, get the YAML of your HorizontalPodAutoscaler in the `autoscaling/v2beta2` form:
+First, get the YAML of your HorizontalPodAutoscaler in the `autoscaling/v2` form:
 -->
-首先，将 HorizontalPodAutoscaler 的 YAML 文件改为 `autoscaling/v2beta2` 格式：
+首先，将 HorizontalPodAutoscaler 的 YAML 文件改为 `autoscaling/v2` 格式：
 
 ```shell
 kubectl get hpa php-apache -o yaml > /tmp/hpa-v2.yaml
@@ -313,7 +401,7 @@ Open the `/tmp/hpa-v2.yaml` file in an editor, and you should see YAML which loo
 在编辑器中打开 `/tmp/hpa-v2.yaml`：
 
 ```yaml
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: php-apache
@@ -376,13 +464,13 @@ advanced cluster monitoring setup.
 这些度量指标可能具有特定于集群的名称，并且需要更高级的集群监控设置。
 
 <!--
-The first of these alternative metric types is *pod metrics*.  These metrics describe pods, and
-are averaged together across pods and compared with a target value to determine the replica count.
+The first of these alternative metric types is *pod metrics*.  These metrics describe Pods, and
+are averaged together across Pods and compared with a target value to determine the replica count.
 They work much like resource metrics, except that they *only* support a `target` type of `AverageValue`.
 -->
-第一种可选的度量指标类型是 Pod 度量指标。这些指标从某一方面描述了 Pod，
+第一种可选的度量指标类型是 **Pod 度量指标**。这些指标从某一方面描述了 Pod，
 在不同 Pod 之间进行平均，并通过与一个目标值比对来确定副本的数量。
-它们的工作方式与资源度量指标非常相像，只是它们仅支持 `target` 类型为 `AverageValue`。
+它们的工作方式与资源度量指标非常相像，只是它们 **仅** 支持 `target` 类型为 `AverageValue`。
 
 <!--
 Pod metrics are specified using a metric block like this:
@@ -401,14 +489,14 @@ pods:
 
 <!--
 The second alternative metric type is *object metrics*. These metrics describe a different
-object in the same namespace, instead of describing pods. The metrics are not necessarily
+object in the same namespace, instead of describing Pods. The metrics are not necessarily
 fetched from the object; they only describe it. Object metrics support `target` types of
 both `Value` and `AverageValue`.  With `Value`, the target is compared directly to the returned
 metric from the API. With `AverageValue`, the value returned from the custom metrics API is divided
-by the number of pods before being compared to the target. The following example is the YAML
+by the number of Pods before being compared to the target. The following example is the YAML
 representation of the `requests-per-second` metric.
 -->
-第二种可选的度量指标类型是对象（Object）度量指标。这些度量指标用于描述
+第二种可选的度量指标类型是对象 **（Object）度量指标**。这些度量指标用于描述
 在相同名字空间中的别的对象，而非 Pods。
 请注意这些度量指标不一定来自某对象，它们仅用于描述这些对象。
 对象度量指标支持的 `target` 类型包括 `Value` 和 `AverageValue`。
@@ -447,7 +535,7 @@ you could update the definition above using `kubectl edit` to look like this:
 将上述 Horizontal Pod Autoscaler 的定义更改为：
 
 ```yaml
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: php-apache
@@ -463,7 +551,7 @@ spec:
     resource:
       name: cpu
       target:
-        type: AverageUtilization
+        type: Utilization
         averageUtilization: 50
   - type: Pods
     pods:
@@ -477,11 +565,11 @@ spec:
       metric:
         name: requests-per-second
       describedObject:
-        apiVersion: networking.k8s.io/v1beta1
+        apiVersion: networking.k8s.io/v1
         kind: Ingress
         name: main-route
       target:
-        kind: Value
+        type: Value
         value: 10k
 status:
   observedGeneration: 1
@@ -500,7 +588,7 @@ status:
       metric:
         name: requests-per-second
       describedObject:
-        apiVersion: networking.k8s.io/v1beta1
+        apiVersion: networking.k8s.io/v1
         kind: Ingress
         name: main-route
       current:
@@ -537,8 +625,8 @@ GET 请求执行：
 type: Object
 object:
   metric:
-    name: `http_requests`
-    selector: `verb=GET`
+    name: http_requests
+    selector: {matchLabels: {verb: GET}}
 ```
 
 <!--
@@ -561,7 +649,7 @@ relationship to any object in the Kubernetes cluster, such as metrics describing
 no direct correlation to Kubernetes namespaces. In Kubernetes 1.10 and later, you can address this use case
 with *external metrics*.
 -->
-### 基于与 Kubernetes 对象无关的度量指标执行扩缩
+### 基于与 Kubernetes 对象无关的度量指标执行扩缩   {#autoscaling-on-metrics-not-related-to-kubernetes-objects}
 
 运行在 Kubernetes 上的应用程序可能需要基于与 Kubernetes 集群中的任何对象
 没有明显关系的度量指标进行自动扩缩，
@@ -617,14 +705,14 @@ access to any metric, so cluster administrators should take care when exposing i
 <!--
 ## Appendix: Horizontal Pod Autoscaler Status Conditions
 
-When using the `autoscaling/v2beta2` form of the HorizontalPodAutoscaler, you will be able to see
+When using the `autoscaling/v2` form of the HorizontalPodAutoscaler, you will be able to see
 *status conditions* set by Kubernetes on the HorizontalPodAutoscaler.  These status conditions indicate
 whether or not the HorizontalPodAutoscaler is able to scale, and whether or not it is currently restricted
 in any way.
 -->
-## 附录：Horizontal Pod Autoscaler 状态条件
+## 附录：Horizontal Pod Autoscaler 状态条件   {#appendix-horizontal-pod-autoscaler-status-conditions}
 
-使用 `autoscaling/v2beta2` 格式的 HorizontalPodAutoscaler 时，你将可以看到
+使用 `autoscaling/v2` 格式的 HorizontalPodAutoscaler 时，你将可以看到
 Kubernetes 为 HorizongtalPodAutoscaler 设置的状态条件（Status Conditions）。
 这些状态条件可以显示当前 HorizontalPodAutoscaler 是否能够执行扩缩以及是否受到一定的限制。
 
@@ -662,7 +750,7 @@ Events:
 ```
 
 <!--
-For this HorizontalPodAutoscaler, we can see several conditions in a healthy state.  The first,
+For this HorizontalPodAutoscaler, you can see several conditions in a healthy state.  The first,
 `AbleToScale`, indicates whether or not the HPA is able to fetch and update scales, as well as
 whether or not any backoff-related conditions would prevent scaling.  The second, `ScalingActive`,
 indicates whether or not the HPA is enabled (i.e. the replica count of the target is not zero) and
@@ -681,7 +769,7 @@ HorizontalPodAutoscaler.
 这通常表明你可能需要调整 HorizontalPodAutoscaler 所定义的最大或者最小副本数量的限制了。
 
 <!--
-## Appendix: Quantities
+## Quantities
 
 All metrics in the HorizontalPodAutoscaler and metrics APIs are specified using
 a special whole-number notation known in Kubernetes as a
@@ -691,7 +779,7 @@ will return whole numbers without a suffix when possible, and will generally ret
 quantities in milli-units otherwise.  This means you might see your metric value fluctuate
 between `1` and `1500m`, or `1` and `1.5` when written in decimal notation.
 -->
-## 附录：量纲    {#appendix-quantities}
+## 量纲    {#quantities}
 
 HorizontalPodAutoscaler 和 度量指标 API 中的所有的度量指标使用 Kubernetes 中称为
 {{< glossary_tooltip term_id="quantity" text="量纲（Quantity）">}}
@@ -701,24 +789,24 @@ HorizontalPodAutoscaler 和 度量指标 API 中的所有的度量指标使用 K
 这意味着你可能会看到你的度量指标在 `1` 和 `1500m` （也就是在十进制记数法中的 `1` 和 `1.5`）之间波动。
 
 <!--
-## Appendix: Other possible scenarios
+## Other possible scenarios
 
 ### Creating the autoscaler declaratively
 -->
-## 附录：其他可能的情况   {#appendix-other-possible-scenarios}
+## 其他可能的情况   {#other-possible-scenarios}
 
 ### 以声明式方式创建 Autoscaler     {#creating-the-autoscaler-declaratively}
 
 <!--
 Instead of using `kubectl autoscale` command to create a HorizontalPodAutoscaler imperatively we
-can use the following file to create it declaratively:
+can use the following manifest to create it declaratively:
 -->
-除了使用 `kubectl autoscale` 命令，也可以文件创建 HorizontalPodAutoscaler：
+除了使用 `kubectl autoscale` 命令，也可以使用以下清单以声明方式创建 HorizontalPodAutoscaler：
 
 {{< codenew file="application/hpa/php-apache.yaml" >}}
 
 <!--
-We will create the autoscaler by executing the following command:
+Then, create the autoscaler by executing the following command:
 -->
 使用如下命令创建 autoscaler：
 
@@ -728,5 +816,4 @@ kubectl create -f https://k8s.io/examples/application/hpa/php-apache.yaml
 
 ```
 horizontalpodautoscaler.autoscaling/php-apache created
-```
-
+```
\ No newline at end of file
diff --git a/content/zh/docs/tasks/run-application/horizontal-pod-autoscale.md b/content/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale.md
similarity index 94%
rename from content/zh/docs/tasks/run-application/horizontal-pod-autoscale.md
rename to content/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale.md
index 4ba6b9857af91..546f6d226f911 100644
--- a/content/zh/docs/tasks/run-application/horizontal-pod-autoscale.md
+++ b/content/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale.md
@@ -1,7 +1,7 @@
 ---
 title: Pod 水平自动扩缩
 feature:
-  title: 水平扩缩 
+  title: 水平扩缩
   description: >
     使用一个简单的命令、一个 UI 或基于 CPU 使用情况自动对应用程序进行扩缩。
 
@@ -18,7 +18,7 @@ a {{< glossary_tooltip text="Deployment" term_id="deployment" >}} or
 aim of automatically scaling the workload to match demand.
 -->
 在 Kubernetes 中，_HorizontalPodAutoscaler_ 自动更新工作负载资源
-（例如 {{< glossary_tooltip text="Deployment" term_id="deployment" >}} 或者 
+（例如 {{< glossary_tooltip text="Deployment" term_id="deployment" >}} 或者
 {{< glossary_tooltip text="StatefulSet" term_id="statefulset" >}}），
 目的是自动扩缩工作负载以满足需求。
 
@@ -65,7 +65,7 @@ Pod 自动扩缩控制器会定期调整其目标（例如：Deployment）的所
 There is [walkthrough example](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/) of using
 horizontal pod autoscaling.
 -->
-使用水平 Pod 自动扩缩[演练示例](/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)。
+使用水平 Pod 自动扩缩[演练示例](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)。
 
 <!-- body -->
 
@@ -83,8 +83,8 @@ Kubernetes implements horizontal pod autoscaling as a control loop that runs int
 [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/)
 (and the default interval is 15 seconds).
 -->
-Kubernetes 将水平 Pod 自动扩缩实现为一个间歇运行的控制回路（它不是一个连续的过程）。间隔由 
-[`kube-controller-manager`](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/) 
+Kubernetes 将水平 Pod 自动扩缩实现为一个间歇运行的控制回路（它不是一个连续的过程）。间隔由
+[`kube-controller-manager`](/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/)
 的 `--horizontal-pod-autoscaler-sync-period` 参数设置（默认间隔为 15 秒）。
 
 <!--
@@ -110,7 +110,7 @@ or the custom metrics API (for all other metrics).
 -->
 * 对于按 Pod 统计的资源指标（如 CPU），控制器从资源指标 API 中获取每一个
   HorizontalPodAutoscaler 指定的 Pod 的度量值，如果设置了目标使用率，
-  控制器获取每个 Pod 中的容器[资源使用](/zh/docs/concepts/configuration/manage-resources-containers/#requests-and-limits) 情况，
+  控制器获取每个 Pod 中的容器[资源使用](/zh-cn/docs/concepts/configuration/manage-resources-containers/#requests-and-limits) 情况，
   并计算资源使用率。如果设置了 target 值，将直接使用原始数据（不再计算百分比）。
   接下来，控制器根据平均的资源使用率或原始值计算出扩缩的比例，进而计算出目标副本数。
 
@@ -153,7 +153,7 @@ For more information about resource metrics, see
 HorizontalPodAutoscaler 的常见用途是将其配置为从{{< glossary_tooltip text="聚合 API" term_id="aggregation-layer" >}}
 （`metrics.k8s.io`、`custom.metrics.k8s.io` 或 `external.metrics.k8s.io`）获取指标。
 `metrics.k8s.io` API 通常由名为 Metrics Server 的插件提供，需要单独启动。有关资源指标的更多信息，
-请参阅 [Metrics Server](/zh/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/#metrics-server)。
+请参阅 [Metrics Server](/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/#metrics-server)。
 
 <!--
 [Support for metrics APIs](#support-for-metrics-apis) explains the stability guarantees and support status for these
@@ -170,7 +170,7 @@ For general information about subresources in the Kubernetes API, see
 HorizontalPodAutoscaler 控制器访问支持扩缩的相应工作负载资源（例如：Deployments 和 StatefulSet）。
 这些资源每个都有一个名为 `scale` 的子资源，该接口允许你动态设置副本的数量并检查它们的每个当前状态。
 有关 Kubernetes API 子资源的一般信息，
-请参阅 [Kubernetes API 概念](/zh/docs/reference/using-api/api-concepts/)。
+请参阅 [Kubernetes API 概念](/zh-cn/docs/reference/using-api/api-concepts/)。
 
 <!--
 ### Algorithm Details
@@ -218,7 +218,7 @@ are [`Ready`](/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions).
 那么将会把指定 Pod 度量值的平均值做为 `currentMetricValue`。
 
 在检查容差并决定最终值之前，控制平面还会考虑是否缺少任何指标，
-以及有多少 Pod [`已就绪`](/zh/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions)。
+以及有多少 Pod [`已就绪`](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions)。
 
 <!--
 All Pods with a deletion timestamp set (objects with a deletion timestamp are
@@ -238,7 +238,7 @@ When scaling on CPU, if any pod has yet to become ready (it's still
 initializing, or possibly is unhealthy) *or* the most recent metric point for the pod was before it
 became ready, that pod is set aside as well.
 -->
-当使用 CPU 指标来扩缩时，任何还未就绪（还在初始化，或者可能是不健康的）状态的 Pod **或** 
+当使用 CPU 指标来扩缩时，任何还未就绪（还在初始化，或者可能是不健康的）状态的 Pod **或**
 最近的指标度量值采集于就绪状态前的 Pod，该 Pod 也会被搁置。
 
 <!--
@@ -357,7 +357,7 @@ More details about the API object can be found at
 [HorizontalPodAutoscaler Object](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#horizontalpodautoscaler-v2-autoscaling).
 -->
 创建 HorizontalPodAutoscaler 对象时，需要确保所给的名称是一个合法的
-[DNS 子域名](/zh/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
+[DNS 子域名](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
 有关 API 对象的更多信息，请查阅
 [HorizontalPodAutoscaler 对象设计文档](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#horizontalpodautoscaler-v2-autoscaling)。
 
@@ -398,7 +398,7 @@ If you perform a rolling update of a StatefulSet that has an autoscaled number o
 replicas, the StatefulSet directly manages its set of Pods (there is no intermediate resource
 similar to ReplicaSet).
 -->
-如果你对一个副本个数被自动扩缩的 StatefulSet 执行滚动更新， 该 StatefulSet
+如果你对一个副本个数被自动扩缩的 StatefulSet 执行滚动更新，该 StatefulSet
 会直接管理它的 Pod 集合 （不存在类似 ReplicaSet 这样的中间资源）。
 
 <!--
@@ -540,7 +540,7 @@ See [Support for metrics APIs](#support-for-metrics-apis) for the requirements.
 
 （之前的 `autoscaling/v2beta2` API 版本将此功能作为 beta 功能提供）
 
-如果你使用 `autoscaling/v2` API 版本，则可以将 HorizontalPodAutoscaler 
+如果你使用 `autoscaling/v2` API 版本，则可以将 HorizontalPodAutoscaler
 配置为基于自定义指标（未内置于 Kubernetes 或任何 Kubernetes 组件）进行扩缩。
 HorizontalPodAutoscaler 控制器能够从 Kubernetes API 查询这些自定义指标。
 
@@ -592,20 +592,20 @@ APIs, cluster administrators must ensure that:
 
    * For external metrics, this is the `external.metrics.k8s.io` API.  It may be provided by the custom metrics adapters provided above.
 -->
-* 启用了 [API 聚合层](/zh/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
+* 启用了 [API 聚合层](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
 
 * 相应的 API 已注册：
 
    * 对于资源指标，将使用 `metrics.k8s.io` API，一般由 [metrics-server](https://github.com/kubernetes-incubator/metrics-server) 提供。
      它可以作为集群插件启动。
-    
+
    * 对于自定义指标，将使用 `custom.metrics.k8s.io` API。
     它由其他度量指标方案厂商的“适配器（Adapter）” API 服务器提供。
     检查你的指标管道以查看是否有可用的 Kubernetes 指标适配器。
-   
+
    * 对于外部指标，将使用 `external.metrics.k8s.io` API。可能由上面的自定义指标适配器提供。
 
-<!--  
+<!--
 For more information on these different metrics paths and how they differ please see the relevant design proposals for
 [the HPA V2](https://github.com/kubernetes/design-proposals-archive/blob/main/autoscaling/hpa-v2.md),
 [custom.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/custom-metrics-api.md)
@@ -613,18 +613,18 @@ and [external.metrics.k8s.io](https://github.com/kubernetes/design-proposals-arc
 -->
 关于指标来源以及其区别的更多信息，请参阅相关的设计文档，
 [HPA V2](https://github.com/kubernetes/design-proposals-archive/blob/main/autoscaling/hpa-v2.md)，
-[custom.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/custom-metrics-api.md) 和 
+[custom.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/custom-metrics-api.md) 和
 [external.metrics.k8s.io](https://github.com/kubernetes/design-proposals-archive/blob/main/instrumentation/external-metrics-api.md)。
 
 <!--
 For examples of how to use them see [the walkthrough for using custom metrics](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics)
 and [the walkthrough for using external metrics](/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-metrics-not-related-to-kubernetes-objects).
 -->
-关于如何使用它们的示例，请参考 
-[使用自定义指标的教程](/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics)
-和[使用外部指标的教程](/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-metrics-not-related-to-kubernetes-objects)。
+关于如何使用它们的示例，请参考
+[使用自定义指标的教程](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics)
+和[使用外部指标的教程](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-metrics-not-related-to-kubernetes-objects)。
 
-<!--  
+<!--
 ## Configurable scaling behavior
 
 (the `autoscaling/v2beta2` API version previously provided this ability as a beta feature)
@@ -642,7 +642,7 @@ under the `behavior` field.
 （之前的 `autoscaling/v2beta2` API 版本将此功能作为 beta 功能提供）
 
 如果你使用 `v2` HorizontalPodAutoscaler API，你可以使用 `behavior` 字段
-（请参阅 [API 参考](/zh/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/#HorizontalPodAutoscalerSpec)）
+（请参阅 [API 参考](/zh-cn/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/#HorizontalPodAutoscalerSpec)）
 来配置单独的放大和缩小行为。你可以通过在行为字段下设置 `scaleUp` 和/或 `scaleDown` 来指定这些行为。
 
 <!--
@@ -651,10 +651,10 @@ the replica count for a scaling target. Scaling policies also let you controls t
 rate of change of replicas while scaling.
 -->
 
-你可以指定一个 “稳定窗口” ，以防止扩缩目标的副本计数发生[波动](#flapping)。
+你可以指定一个 “稳定窗口”，以防止扩缩目标的副本计数发生[波动](#flapping)。
 扩缩策略还允许你在扩缩时控制副本的变化率。
 
-<!--  
+<!--
 ### Scaling Policies
 
 One or more scaling policies can be specified in the `behavior` section of the spec.
@@ -678,7 +678,7 @@ behavior:
       periodSeconds: 60
 ```
 
-<!--  
+<!--
 `periodSeconds` indicates the length of time in the past for which the policy must hold true.
 The first policy _(Pods)_ allows at most 4 replicas to be scaled down in one minute. The second policy
 _(Percent)_ allows at most 10% of the current replicas to be scaled down in one minute.
@@ -703,7 +703,7 @@ and 4 replicas will be reduced at a time.
 在 autoscaler 控制器的每个循环中，将根据当前副本的数量重新计算要更改的 Pod 数量。
 当副本数量低于 40 时，应用第一个策略（Pods），一次减少 4 个副本。
 
-<!--  
+<!--
 The policy selection can be changed by specifying the `selectPolicy` field for a scaling
 direction. By setting the value to `Min` which would select the policy which allows the
 smallest change in the replica count. Setting the value to `Disabled` completely disables
@@ -713,11 +713,11 @@ scaling in that direction.
 通过设置 `Min` 的值，它将选择副本数变化最小的策略。
 将该值设置为 `Disabled` 将完全禁用该方向的扩缩。
 
-<!--  
+<!--
 ### Stabilization Window
 
 The stabilization window is used to restrict the [flapping](#flapping) of
-replicas count when the metrics used for scaling keep fluctuating. The autoscaling algorithm
+replica count when the metrics used for scaling keep fluctuating. The autoscaling algorithm
 uses this window to infer a previous desired state and avoid unwanted changes to workload
 scale.
 
@@ -736,7 +736,7 @@ behavior:
     stabilizationWindowSeconds: 300
 ```
 
-<!--  
+<!--
 When the metrics indicate that the target should be scaled down the algorithm looks
 into previously computed desired states, and uses the highest value from the specified
 interval. In the above example, all desired states from the past 5 minutes will be considered.
@@ -750,7 +750,7 @@ remove Pods only to trigger recreating an equivalent Pod just moments later.
 -->
 这近似于滚动最大值，并避免了扩缩算法频繁删除 Pod 而又触发重新创建等效 Pod。
 
-<!--  
+<!--
 ### Default Behavior
 
 To use the custom scaling not all fields have to be specified. Only values which need to be
@@ -784,7 +784,7 @@ behavior:
     selectPolicy: Max
 ```
 
-<!--  
+<!--
 For scaling down the stabilization window is _300_ seconds (or the value of the
 `--horizontal-pod-autoscaler-downscale-stabilization` flag if provided). There is only a single policy
 for scaling down which allows a 100% of the currently running replicas to be removed which
@@ -793,18 +793,18 @@ For scaling up there is no stabilization window. When the metrics indicate that
 scaled up the target is scaled up immediately. There are 2 policies where 4 pods or a 100% of the currently
 running replicas will be added every 15 seconds till the HPA reaches its steady state.
 -->
-用于缩小稳定窗口的时间为 _300_  秒(或是 `--horizontal-pod-autoscaler-downscale-stabilization`
+用于缩小稳定窗口的时间为 _300_ 秒(或是 `--horizontal-pod-autoscaler-downscale-stabilization`
 参数设定值)。
 只有一种缩容的策略，允许 100% 删除当前运行的副本，这意味着扩缩目标可以缩小到允许的最小副本数。
 对于扩容，没有稳定窗口。当指标显示目标应该扩容时，目标会立即扩容。
 这里有两种策略，每 15 秒添加 4 个 Pod 或 100% 当前运行的副本数，直到 HPA 达到稳定状态。
 
-<!--  
+<!--
 ### Example: change downscale stabilization window
 
 To provide a custom downscale stabilization window of 1 minute, the following
 behavior would be added to the HPA:
---> 
+-->
 ### 示例：更改缩容稳定窗口 {#example-change-downscale-stabilization-window}
 
 将下面的 behavior 配置添加到 HPA 中，可提供一个 1 分钟的自定义缩容稳定窗口：
@@ -815,7 +815,7 @@ behavior:
     stabilizationWindowSeconds: 60
 ```
 
-<!--  
+<!--
 ### Example: limit scale down rate
 
 To limit the rate at which pods are removed by the HPA to 10% per minute, the
@@ -834,7 +834,7 @@ behavior:
       periodSeconds: 60
 ```
 
-<!--  
+<!--
 To ensure that no more than 5 Pods are removed per minute, you can add a second scale-down
 policy with a fixed size of 5, and set `selectPolicy` to minimum. Setting `selectPolicy` to `Min` means
 that the autoscaler chooses the policy that affects the smallest number of Pods:
@@ -855,7 +855,7 @@ behavior:
     selectPolicy: Min
 ```
 
-<!--  
+<!--
 ### Example: disable scale down
 
 The `selectPolicy` value of `Disabled` turns off scaling the given direction.
@@ -894,7 +894,7 @@ will create an autoscaler for ReplicaSet *foo*, with target CPU utilization set
 and the number of replicas between 2 and 5.
 -->
 此外，还有一个特殊的 `kubectl autoscale` 命令用于创建 HorizontalPodAutoscaler 对象。
-例如，执行 `kubectl autoscale rs foo --min=2 --max=5 --cpu-percent=80` 
+例如，执行 `kubectl autoscale rs foo --min=2 --max=5 --cpu-percent=80`
 将为 ReplicaSet *foo* 创建一个自动扩缩器，目标 CPU 利用率设置为 `80%`，副本数在 2 到 5 之间。
 
 <!--
@@ -944,7 +944,7 @@ update configuration as desired.  You can avoid this degradation by choosing one
 methods based on how you are modifying your deployments:
 -->
 请记住，删除 `spec.replicas` 可能会导致 Pod 计数一次性降级，因为此键的默认值为 1
-（参考 [Deployment Replicas](/zh/docs/concepts/workloads/controllers/deployment#replicas)）。
+（参考 [Deployment Replicas](/zh-cn/docs/concepts/workloads/controllers/deployment#replicas)）。
 更新后，除 1 之外的所有 Pod 都将开始其终止程序。之后的任何部署应用程序都将正常运行，
 并根据需要遵守滚动更新配置。你可以根据修改部署的方式选择以下两种方法之一来避免这种降级：
 
@@ -962,9 +962,9 @@ methods based on how you are modifying your deployments:
 -->
 1. `kubectl apply edit-last-applied deployment/<Deployment 名称>`
 2. 在编辑器中，删除 `spec.replicas`。当你保存并退出编辑器时，`kubectl` 会应用更新。
-  在此步骤中不会更改 Pod 计数。
+   在此步骤中不会更改 Pod 计数。
 3. 你现在可以从清单中删除 `spec.replicas`。如果你使用源代码管理，
-  还应提交你的更改或采取任何其他步骤来修改源代码，以适应你如何跟踪更新。
+   还应提交你的更改或采取任何其他步骤来修改源代码，以适应你如何跟踪更新。
 4. 从这里开始，你可以运行 `kubectl apply -f deployment.yaml`
 
 {{% /tab %}}
@@ -975,8 +975,8 @@ When using the [Server-Side Apply](/docs/reference/using-api/server-side-apply/)
 you can follow the [transferring ownership](/docs/reference/using-api/server-side-apply/#transferring-ownership)
 guidelines, which cover this exact use case.
 -->
-使用[服务器端 Apply](/zh/docs/reference/using-api/server-side-apply/) 机制，
-你可以遵循[交出所有权](/zh/docs/reference/using-api/server-side-apply/#transferring-ownership) 说明，
+使用[服务器端 Apply](/zh-cn/docs/reference/using-api/server-side-apply/) 机制，
+你可以遵循[交出所有权](/zh-cn/docs/reference/using-api/server-side-apply/#transferring-ownership) 说明，
 该指南涵盖了这个确切的用例。
 
 {{% /tab %}}
@@ -1001,8 +1001,8 @@ For more information on HorizontalPodAutoscaler:
   [boilerplate](https://github.com/kubernetes-sigs/custom-metrics-apiserver) to get started.
 * Read the [API reference](/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/) for HorizontalPodAutoscaler.
 -->
-* 阅读水平 Pod 自动扩缩的[演练示例](/zh/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)。
-* 阅读 [`kubectl autoscale`](/zh/docs/reference/generated/kubectl/kubectl-commands/#autoscale) 的文档。
+* 阅读水平 Pod 自动扩缩的[演练示例](/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)。
+* 阅读 [`kubectl autoscale`](/docs/reference/generated/kubectl/kubectl-commands/#autoscale) 的文档。
 * 如果你想编写自己的自定义指标适配器，
   请查看 [boilerplate](https://github.com/kubernetes-sigs/custom-metrics-apiserver) 以开始使用。
-* 阅读 [API 参考](/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/)。
+* 阅读 [API 参考](/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/)。
\ No newline at end of file
diff --git a/content/zh/docs/tasks/run-application/run-replicated-stateful-application.md b/content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md
similarity index 81%
rename from content/zh/docs/tasks/run-application/run-replicated-stateful-application.md
rename to content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md
index 0d23ffb7a55c2..69c9b8eaa7e66 100644
--- a/content/zh/docs/tasks/run-application/run-replicated-stateful-application.md
+++ b/content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md
@@ -20,12 +20,12 @@ weight: 30
 
 <!--
 This page shows how to run a replicated stateful application using a
-[StatefulSet](/docs/concepts/workloads/controllers/statefulset/) controller.
+{{< glossary_tooltip term_id="statefulset" >}}.
 This application is a replicated MySQL database. The example topology has a
 single primary server and multiple replicas, using asynchronous row-based
 replication.
 -->
-本页展示如何使用 [StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)
+本页展示如何使用 {{< glossary_tooltip term_id="statefulset" >}}
 控制器运行一个有状态的应用程序。此例是多副本的 MySQL 数据库。
 示例应用的拓扑结构有一个主服务器和多个副本，使用异步的基于行（Row-Based）
 的数据复制。
@@ -43,7 +43,7 @@ on general patterns for running stateful applications in Kubernetes.
 
 ## {{% heading "prerequisites" %}}
 
-* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+* {{< include "task-tutorial-prereqs.md" >}}
 * {{< include "default-storage-class-prereqs.md" >}}
 
 <!--
@@ -58,23 +58,23 @@ on general patterns for running stateful applications in Kubernetes.
 * You are using the default namespace or another namespace that does not contain any conflicting objects.
 -->
 * 本教程假定你熟悉
-  [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/)
-  与 [StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/),
-  以及其他核心概念，例如 [Pod](/zh/docs/concepts/workloads/pods/)、
-  [服务](/zh/docs/concepts/services-networking/service/) 与
-  [ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/).
+  [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
+  与 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/),
+  以及其他核心概念，例如 [Pod](/zh-cn/docs/concepts/workloads/pods/)、
+  [服务](/zh-cn/docs/concepts/services-networking/service/) 与
+  [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/).
 * 熟悉 MySQL 会有所帮助，但是本教程旨在介绍对其他系统应该有用的常规模式。
-* 您正在使用默认命名空间或不包含任何冲突对象的另一个命名空间。
+* 你正在使用默认命名空间或不包含任何冲突对象的另一个命名空间。
 
 ## {{% heading "objectives" %}}
 
 <!--
-* Deploy a replicated MySQL topology with a StatefulSet controller.
+* Deploy a replicated MySQL topology with a StatefulSet.
 * Send MySQL client traffic.
 * Observe resistance to downtime.
 * Scale the StatefulSet up and down.
 -->
-* 使用 StatefulSet 控制器部署多副本 MySQL 拓扑架构。
+* 使用 StatefulSet 部署多副本 MySQL 拓扑架构。
 * 发送 MySQL 客户端请求
 * 观察对宕机的抵抗力
 * 扩缩 StatefulSet 的规模
@@ -91,11 +91,13 @@ and a StatefulSet.
 
 MySQL 示例部署包含一个 ConfigMap、两个 Service 与一个 StatefulSet。
 
-### ConfigMap
-
 <!--
+### Create a ConfigMap {#configmap}
+
 Create the ConfigMap from the following YAML configuration file:
 -->
+### 创建一个 ConfigMap   {#configmap}
+
 使用以下的 YAML 配置文件创建 ConfigMap ：
 
 {{< codenew file="application/mysql/mysql-configmap.yaml" >}}
@@ -106,13 +108,13 @@ kubectl apply -f https://k8s.io/examples/application/mysql/mysql-configmap.yaml
 
 <!--
 This ConfigMap provides `my.cnf` overrides that let you independently control
-configuration on the primary MySQL server and replicas.
+configuration on the primary MySQL server and its replicas.
 In this case, you want the primary server to be able to serve replication logs to replicas
 and you want repicas to reject any writes that don't come via replication. 
 -->
-这个 ConfigMap 提供 `my.cnf` 覆盖设置，使你可以独立控制 MySQL 主服务器和从服务器的配置。
-在这里，你希望主服务器能够将复制日志提供给副本服务器，并且希望副本服务器拒绝任何不是通过
-复制进行的写操作。
+这个 ConfigMap 提供 `my.cnf` 覆盖设置，使你可以独立控制 MySQL 主服务器和副本服务器的配置。
+在这里，你希望主服务器能够将复制日志提供给副本服务器，
+并且希望副本服务器拒绝任何不是通过复制进行的写操作。
 
 <!--
 There's nothing special about the ConfigMap itself that causes different
@@ -124,11 +126,11 @@ ConfigMap 本身没有什么特别之处，因而也不会出现不同部分应
 每个 Pod 都会在初始化时基于 StatefulSet 控制器提供的信息决定要查看的部分。
 
 <!--
-### Services 
+### Create Services {#services}
 
 Create the Services from the following YAML configuration file: 
 -->
-### 服务  {#services}
+### 创建 Service  {#services}
 
 使用以下 YAML 配置文件创建服务：
 
@@ -139,41 +141,45 @@ kubectl apply -f https://k8s.io/examples/application/mysql/mysql-services.yaml
 ```
 
 <!--
-The Headless Service provides a home for the DNS entries that the StatefulSet
-controller creates for each Pod that's part of the set.
-Because the Headless Service is named `mysql`, the Pods are accessible by
+The headless Service provides a home for the DNS entries that the StatefulSet
+{{< glossary_tooltip text="controllers" term_id="controller" >}} creates for each
+Pod that's part of the set.
+Because the headless Service is named `mysql`, the Pods are accessible by
 resolving `<pod-name>.mysql` from within any other Pod in the same Kubernetes
 cluster and namespace. 
 -->
-这个无头服务给 StatefulSet 控制器为集合中每个 Pod 创建的 DNS 条目提供了一个宿主。
+这个无头 Service 给 StatefulSet {{< glossary_tooltip text="控制器" term_id="controller" >}}
+为集合中每个 Pod 创建的 DNS 条目提供了一个宿主。
 因为无头服务名为 `mysql`，所以可以通过在同一 Kubernetes 集群和命名空间中的任何其他 Pod
 内解析 `<Pod 名称>.mysql` 来访问 Pod。
 
 <!--
-The Client Service, called `mysql-read`, is a normal Service with its own
+The client Service, called `mysql-read`, is a normal Service with its own
 cluster IP that distributes connections across all MySQL Pods that report
 being Ready. The set of potential endpoints includes the primary MySQL server and all
 replicas. 
 -->
-客户端服务称为 `mysql-read`，是一种常规服务，具有其自己的集群 IP。
-该集群 IP 在报告就绪的所有MySQL Pod 之间分配连接。
+客户端 Service 称为 `mysql-read`，是一种常规 Service，具有其自己的集群 IP。
+该集群 IP 在报告就绪的所有 MySQL Pod 之间分配连接。
 可能的端点集合包括 MySQL 主节点和所有副本节点。
 
 <!--
-Note that only read queries can use the load-balanced Client Service.
+Note that only read queries can use the load-balanced client Service.
 Because there is only one primary MySQL server, clients should connect directly to the
-primary MySQL Pod (through its DNS entry within the Headless Service) to execute
+primary MySQL Pod (through its DNS entry within the headless Service) to execute
 writes. 
 -->
-请注意，只有读查询才能使用负载平衡的客户端服务。
+请注意，只有读查询才能使用负载平衡的客户端 Service。
 因为只有一个 MySQL 主服务器，所以客户端应直接连接到 MySQL 主服务器 Pod
-（通过其在无头服务中的 DNS 条目）以执行写入操作。
-
-### StatefulSet
+（通过其在无头 Service 中的 DNS 条目）以执行写入操作。
 
 <!--
+### Create the StatefulSet {#statefulset}
+
 Finally, create the StatefulSet from the following YAML configuration file: 
 -->
+### 创建 StatefulSet {#statefulset}
+
 最后，使用以下 YAML 配置文件创建 StatefulSet：
 
 {{< codenew file="application/mysql/mysql-statefulset.yaml" >}}
@@ -192,9 +198,9 @@ kubectl get pods -l app=mysql --watch
 ```
 
 <!--
-After a while, you should see all 3 Pods become Running: 
+After a while, you should see all 3 Pods become `Running`: 
 -->
-一段时间后，你应该看到所有 3 个 Pod 进入 Running 状态：
+一段时间后，你应该看到所有 3 个 Pod 进入 `Running` 状态：
 
 ```
 NAME      READY     STATUS    RESTARTS   AGE
@@ -205,12 +211,17 @@ mysql-2   2/2       Running   0          1m
 
 <!--
 Press **Ctrl+C** to cancel the watch.
+-->
+输入 **Ctrl+C** 结束监视操作。
+
+{{< note >}}
+<!--
 If you don't see any progress, make sure you have a dynamic PersistentVolume
 provisioner enabled as mentioned in the [prerequisites](#before-you-begin). 
 -->
-输入 **Ctrl+C** 结束 watch 操作。
 如果你看不到任何进度，确保已启用[前提条件](#准备开始)
-中提到的动态 PersistentVolume 预配器。
+中提到的动态 PersistentVolume 制备程序。
+{{< /note >}}
 
 <!--
 This manifest uses a variety of techniques for managing stateful Pods as part of
@@ -250,19 +261,19 @@ properties to perform orderly startup of MySQL replication.
 ### Generating configuration 
 
 Before starting any of the containers in the Pod spec, the Pod first runs any
-[Init Containers](/docs/concepts/workloads/pods/init-containers/)
+[init Containers](/docs/concepts/workloads/pods/init-containers/)
 in the order defined. 
 -->
 ### 生成配置
 
 在启动 Pod 规约中的任何容器之前，Pod 首先按顺序运行所有的
-[Init 容器](/zh/docs/concepts/workloads/pods/init-containers/)。
+[初始化容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)。
 
 <!--
-The first Init Container, named `init-mysql`, generates special MySQL config
+The first init container, named `init-mysql`, generates special MySQL config
 files based on the ordinal index. 
 -->
-第一个名为 `init-mysql` 的 Init 容器根据序号索引生成特殊的 MySQL 配置文件。
+第一个名为 `init-mysql` 的初始化容器根据序号索引生成特殊的 MySQL 配置文件。
 
 <!--
 The script determines its own ordinal index by extracting it from the end of
@@ -270,12 +281,11 @@ the Pod name, which is returned by the `hostname` command.
 Then it saves the ordinal (with a numeric offset to avoid reserved values)
 into a file called `server-id.cnf` in the MySQL `conf.d` directory.
 This translates the unique, stable identity provided by the StatefulSet
-controller into the domain of MySQL server IDs, which require the same
-properties. 
+into the domain of MySQL server IDs, which require the same properties. 
 -->
 该脚本通过从 Pod 名称的末尾提取索引来确定自己的序号索引，而 Pod 名称由 `hostname` 命令返回。
 然后将序数（带有数字偏移量以避免保留值）保存到 MySQL `conf.d` 目录中的文件 `server-id.cnf`。
-这一操作将 StatefulSet 所提供的唯一、稳定的标识转换为 MySQL 服务器的 ID，
+这一操作将 StatefulSet 所提供的唯一、稳定的标识转换为 MySQL 服务器 ID，
 而这些 ID 也是需要唯一性、稳定性保证的。
 
 <!--
@@ -296,7 +306,7 @@ replicating.
 因此脚本仅将序数 `0` 指定为主节点，而将其他所有节点指定为副本节点。
 
 与 StatefulSet 控制器的
-[部署顺序保证](/zh/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees)
+[部署顺序保证](/zh-cn/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees)
 相结合，
 可以确保 MySQL 主服务器在创建副本服务器之前已准备就绪，以便它们可以开始复制。
 
@@ -319,12 +329,12 @@ to scale up and down over time, rather than being fixed at its initial size.
 这些保守的假设是允许正在运行的 StatefulSet 随时间扩大和缩小而不是固定在其初始大小的关键。
 
 <!--
-The second Init Container, named `clone-mysql`, performs a clone operation on
+The second init container, named `clone-mysql`, performs a clone operation on
 a replica Pod the first time it starts up on an empty PersistentVolume.
 That means it copies all existing data from another running Pod,
 so its local state is consistent enough to begin replicating from the primary server.
 -->
-第二个名为 `clone-mysql` 的 Init 容器，第一次在带有空 PersistentVolume 的副本 Pod
+第二个名为 `clone-mysql` 的初始化容器，第一次在带有空 PersistentVolume 的副本 Pod
 上启动时，会在从属 Pod 上执行克隆操作。
 这意味着它将从另一个运行中的 Pod 复制所有现有数据，使此其本地状态足够一致，
 从而可以开始从主服务器复制。
@@ -346,17 +356,16 @@ MySQL 本身不提供执行此操作的机制，因此本示例使用了一种
 <!--
 ### Starting replication 
 
-After the Init Containers complete successfully, the regular containers run.
+After the init containers complete successfully, the regular containers run.
 The MySQL Pods consist of a `mysql` container that runs the actual `mysqld`
 server, and an `xtrabackup` container that acts as a
 [sidecar](https://kubernetes.io/blog/2015/06/the-distributed-system-toolkit-patterns). 
 -->
 ### 开始复制
 
-Init 容器成功完成后，应用容器将运行。
-MySQL Pod 由运行实际 `mysqld` 服务的 `mysql` 容器和充当
-[辅助工具](https://kubernetes.io/blog/2015/06/the-distributed-system-toolkit-patterns)
-的 xtrabackup 容器组成。
+初始化容器成功完成后，应用容器将运行。MySQL Pod 由运行实际 `mysqld` 服务的 `mysql`
+容器和充当[辅助工具](/blog/2015/06/the-distributed-system-toolkit-patterns)的
+xtrabackup 容器组成。
 
 <!--
 The `xtrabackup` sidecar looks at the cloned data files and determines if
@@ -366,8 +375,8 @@ If so, it waits for `mysqld` to be ready and then executes the
 extracted from the XtraBackup clone files. 
 -->
 `xtrabackup` sidecar 容器查看克隆的数据文件，并确定是否有必要在副本服务器上初始化 MySQL 复制。
-如果是这样，它将等待 `mysqld` 准备就绪，然后使用从 XtraBackup 克隆文件中提取的复制参数
-执行  `CHANGE MASTER TO` 和 `START SLAVE` 命令。
+如果是这样，它将等待 `mysqld` 准备就绪，然后使用从 XtraBackup 克隆文件中提取的复制参数执行
+`CHANGE MASTER TO` 和 `START SLAVE` 命令。
 
 <!--
 Once a replica begins replication, it remembers its primary MySQL server and
@@ -376,8 +385,7 @@ Also, because replicas look for the primary server at its stable DNS name
 (`mysql-0.mysql`), they automatically find the primary server even if it gets a new
 Pod IP due to being rescheduled. 
 -->
-一旦副本服务器开始复制后，它会记住其 MySQL 主服务器，并且如果服务器重新启动或
-连接中断也会自动重新连接。
+一旦副本服务器开始复制后，它会记住其 MySQL 主服务器，并且如果服务器重新启动或连接中断也会自动重新连接。
 另外，因为副本服务器会以其稳定的 DNS 名称查找主服务器（`mysql-0.mysql`），
 即使由于重新调度而获得新的 Pod IP，它们也会自动找到主服务器。
 
@@ -481,19 +489,19 @@ it running in another window so you can see the effects of the following steps.
 这样你就可以看到以下步骤的效果。
 
 <!--
-## Simulating Pod and Node downtime 
+## Simulate Pod and Node failure {#simulate-pod-and-node-downtime}
 
 To demonstrate the increased availability of reading from the pool of replicas
 instead of a single server, keep the `SELECT @@server_id` loop from above
 running while you force a Pod out of the Ready state. 
 -->
-## 模拟 Pod 和 Node 的宕机时间
+## 模拟 Pod 和 Node 失效   {#simulate-pod-and-node-downtime}
 
 为了证明从副本节点缓存而不是单个服务器读取数据的可用性提高，请在使 Pod 退出 Ready
 状态时，保持上述 `SELECT @@server_id` 循环一直运行。
 
 <!--
-### Break the Readiness Probe 
+### Break the Readiness probe
 
 The [readiness probe](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)
 for the `mysql` container runs the command `mysql -h 127.0.0.1 -e 'SELECT 1'`
@@ -501,8 +509,7 @@ to make sure the server is up and able to execute queries.
 -->
 ### 破坏就绪态探测
 
-`mysql` 容器的
-[就绪态探测](/zh/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)
+`mysql` 容器的[就绪态探测](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)
 运行命令 `mysql -h 127.0.0.1 -e 'SELECT 1'`，以确保服务器已启动并能够执行查询。
 
 <!--
@@ -615,32 +622,40 @@ mysql-2   2/2       Running   0          15m       10.244.5.27   kubernetes-node
 ```
 
 <!--
-Then drain the Node by running the following command, which cordons it so
+Then, drain the Node by running the following command, which cordons it so
 no new Pods may schedule there, and then evicts any existing Pods.
 Replace `<node-name>` with the name of the Node you found in the last step. 
 -->
-然后通过运行以下命令腾空节点，该命令将其保护起来，以使新的 Pod 不能调度到该节点，
+接下来，通过运行以下命令腾空节点，该命令将其保护起来，以使新的 Pod 不能调度到该节点，
 然后逐出所有现有的 Pod。将 `<节点名称>` 替换为在上一步中找到的节点名称。
 
 
+{{< caution >}}
 <!--
-This might impact other applications on the Node, so it's best to
-**only do this in a test cluster**. 
+Draining a Node can impact other workloads and applications 
+running on the same node. Only perform the following step in a test
+cluster.
+-->
+腾空一个 Node 可能影响到在该节点上运行的其他负载和应用。
+只应在测试集群上执行下列步骤
+{{< /caution >}}
 
+<!--
 ```shell
-kubectl drain <node-name> --force --delete-local-data --ignore-daemonsets
+# See above advice about impact on other workloads
+kubectl drain <node-name> --force --delete-emptydir-data --ignore-daemonsets
 ```
 -->
-这可能会影响节点上的其他应用程序，因此最好 **仅在测试集群中执行此操作**。
 
 ```shell
+# 关于对其他负载的影响，参见前文建议
 kubectl drain <节点名称> --force --delete-local-data --ignore-daemonsets
 ```
 
 <!--
 Now you can watch as the Pod reschedules on a different Node: 
 -->
-现在，你可以看到 Pod 被重新调度到其他节点上：
+现在，你可以监视 Pod 被重新调度到其他节点上：
 
 ```shell
 kubectl get pod mysql-2 -o wide --watch
@@ -667,8 +682,8 @@ mysql-2   2/2     Running         0          30s       10.244.5.32   kubernetes-
 And again, you should see server ID `102` disappear from the
 `SELECT @@server_id` loop output for a while and then return. 
 -->
-再次，你应该看到服务器 ID `102` 从 `SELECT @@server_id` 循环输出
-中消失一段时间，然后自行出现。
+再次，你应该看到服务器 ID `102` 从 `SELECT @@server_id`
+循环输出中消失一段时间，然后再次出现。
 
 <!--
 Now uncordon the Node to return it to a normal state: 
@@ -686,12 +701,12 @@ kubectl uncordon <节点名称>
 <!--
 ## Scaling the number of replicas
 
-With MySQL replication, you can scale your read query capacity by adding replicas.
+When you use MySQL replication, you can scale your read query capacity by adding replicas.
 With StatefulSet, you can do this with a single command: 
 -->
 ## 扩展副本节点数量
 
-使用 MySQL 复制，你可以通过添加副本节点来扩展读取查询的能力。
+使用 MySQL 复制时，你可以通过添加副本节点来扩展读取查询的能力。
 使用 StatefulSet，你可以使用单个命令执行此操作：
 
 ```shell
@@ -701,7 +716,7 @@ kubectl scale statefulset mysql --replicas=5
 <!--
 Watch the new Pods come up by running: 
 -->
-查看新的 Pod 的运行情况：
+运行下面的命令，监视新的 Pod 启动：
 
 ```shell
 kubectl get pods -l app=mysql --watch
@@ -714,7 +729,8 @@ the `SELECT @@server_id` loop output.
 You can also verify that these new servers have the data you added before they
 existed: 
 -->
-一旦 Pod 启动，你应该看到服务器 IDs `103` 和 `104` 开始出现在 `SELECT @@server_id` 循环输出中。
+一旦 Pod 启动，你应该看到服务器 IDs `103` 和 `104` 开始出现在 `SELECT @@server_id`
+循环输出中。
 
 你还可以验证这些新服务器在存在之前已添加了数据：
 
@@ -742,19 +758,22 @@ Scaling back down is also seamless:
 kubectl scale statefulset mysql --replicas=3
 ```
 
+{{< note >}}
 <!--
-Note, however, that while scaling up creates new PersistentVolumeClaims
+Although scaling up creates new PersistentVolumeClaims
 automatically, scaling down does not automatically delete these PVCs.
+
 This gives you the choice to keep those initialized PVCs around to make
 scaling back up quicker, or to extract data before deleting them. 
 -->
-但是请注意，按比例扩大会自动创建新的 PersistentVolumeClaims，而按比例缩小不会自动删除这些 PVC。
-这使你可以选择保留那些初始化的 PVC，以更快地进行缩放，或者在删除它们之前提取数据。
+扩容操作会自动创建新的 PersistentVolumeClaim，但是缩容时不会自动删除这些 PVC。
+这使你可以选择保留那些已被初始化的 PVC，以加速再次扩容，或者在删除它们之前提取数据。
+{{< /note >}}
 
 <!--
 You can see this by running: 
 -->
-你可以通过运行以下命令查看此信息：
+你可以通过运行以下命令查看此效果：
 
 ```shell
 kubectl get pvc -l app=mysql
@@ -787,7 +806,6 @@ kubectl delete pvc data-mysql-4
 
 ## {{% heading "cleanup" %}}
 
-
 <!--
 1. Cancel the `SELECT @@server_id` loop by pressing **Ctrl+C** in its terminal,
    or running the following from another terminal: 
@@ -827,7 +845,7 @@ kubectl delete pvc data-mysql-4
 <!--
 1. Delete the ConfigMap, Services, and PersistentVolumeClaims. 
 -->
-4. 删除 ConfigMap、Services 和 PersistentVolumeClaims。
+4. 删除 ConfigMap、Service 和 PersistentVolumeClaim。
 
    ```shell
    kubectl delete configmap,service,pvc -l app=mysql
@@ -842,22 +860,22 @@ kubectl delete pvc data-mysql-4
    underlying resources upon deleting the PersistentVolumes. 
 -->
 5. 如果你手动供应 PersistentVolume，则还需要手动删除它们，并释放下层资源。
-   如果你使用了动态预配器，当得知你删除 PersistentVolumeClaims 时，它将自动删除 PersistentVolumes。
-   一些动态预配器（例如用于 EBS 和 PD 的预配器）也会在删除 PersistentVolumes 时释放下层资源。
+   如果你使用了动态预配器，当得知你删除 PersistentVolumeClaim 时，它将自动删除 PersistentVolume。
+   一些动态预配器（例如用于 EBS 和 PD 的预配器）也会在删除 PersistentVolume 时释放下层资源。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
 * Learn more about [scaling a StatefulSet](/docs/tasks/run-application/scale-stateful-set/).
-* Learn more about [debugging a StatefulSet](/docs/tasks/debug-application-cluster/debug-stateful-set/).
+* Learn more about [debugging a StatefulSet](/docs/tasks/debug/debug-application/debug-statefulset/).
 * Learn more about [deleting a StatefulSet](/docs/tasks/run-application/delete-stateful-set/).
 * Learn more about [force deleting StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/).
 * Look in the [Helm Charts repository](https://artifacthub.io/)
   for other stateful application examples.
 -->
-* 进一步了解[为 StatefulSet 扩缩容](/zh/docs/tasks/run-application/scale-stateful-set/).
-* 进一步了解[调试 StatefulSet](/zh/docs/tasks/debug-application-cluster/debug-stateful-set/).
-* 进一步了解[删除 StatefulSet](/zh/docs/tasks/run-application/delete-stateful-set/).
-* 进一步了解[强制删除 StatefulSet Pods](/zh/docs/tasks/run-application/force-delete-stateful-set-pod/).
+* 进一步了解[为 StatefulSet 扩缩容](/zh-cn/docs/tasks/run-application/scale-stateful-set/)；
+* 进一步了解[调试 StatefulSet](/zh-cn/docs/tasks/debug/debug-application/debug-statefulset/)；
+* 进一步了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)；
+* 进一步了解[强制删除 StatefulSet Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)；
 * 在 [Helm Charts 仓库](https://artifacthub.io/)中查找其他有状态的应用程序示例。
 
diff --git a/content/zh/docs/tasks/run-application/run-single-instance-stateful-application.md b/content/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application.md
similarity index 95%
rename from content/zh/docs/tasks/run-application/run-single-instance-stateful-application.md
rename to content/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application.md
index 130fb307ef8b3..857f549926b54 100644
--- a/content/zh/docs/tasks/run-application/run-single-instance-stateful-application.md
+++ b/content/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application.md
@@ -55,7 +55,7 @@ Note: The password is defined in the config yaml, and this is insecure. See
 for a secure solution.
 -->
 注意：在配置的 YAML 文件中定义密码的做法是不安全的。具体安全解决方案请参考
-[Kubernetes Secrets](/zh/docs/concepts/configuration/secret/).
+[Kubernetes Secrets](/zh-cn/docs/concepts/configuration/secret/).
 
 {{< codenew file="application/mysql/mysql-deployment.yaml" >}}
 {{< codenew file="application/mysql/mysql-pv.yaml" >}}
@@ -231,7 +231,7 @@ Deployment 中镜像或其他部分同往常一样可以通过 `kubectl apply` 
 -->
 * 不要对应用进行规模扩缩。这里的设置仅适用于单实例应用。下层的 PersistentVolume
   仅只能挂载到一个 Pod 上。对于集群级有状态应用，请参考
-  [StatefulSet 文档](/zh/docs/concepts/workloads/controllers/statefulset/).
+  [StatefulSet 文档](/zh-cn/docs/concepts/workloads/controllers/statefulset/).
 * 在 Deployment 的 YAML 文件中使用 `strategy:` `type: Recreate`。
   该选项指示 Kubernetes _不_ 使用滚动升级。滚动升级无法工作，因为这里一次不能
   运行多个 Pod。在使用更新的配置文件创建新的 Pod 前，`Recreate` 策略将
@@ -276,11 +276,11 @@ PersistentVolume 将被自动删除。
 
 * [Volumes](/docs/concepts/storage/volumes/) and [Persistent Volumes](/docs/concepts/storage/persistent-volumes/)
 -->
-* 欲进一步了解 Deployment 对象，请参考 [Deployment 对象](/zh/docs/concepts/workloads/controllers/deployment/)
-* 进一步了解[部署应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)
+* 欲进一步了解 Deployment 对象，请参考 [Deployment 对象](/zh-cn/docs/concepts/workloads/controllers/deployment/)
+* 进一步了解[部署应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)
 
 * 参阅 [kubectl run 文档](/docs/reference/generated/kubectl/kubectl-commands/#run)
 
-* 参阅[卷](/zh/docs/concepts/storage/volumes/)和[持久卷](/zh/docs/concepts/storage/persistent-volumes/)
+* 参阅[卷](/zh-cn/docs/concepts/storage/volumes/)和[持久卷](/zh-cn/docs/concepts/storage/persistent-volumes/)
 
 
diff --git a/content/zh/docs/tasks/run-application/run-stateless-application-deployment.md b/content/zh-cn/docs/tasks/run-application/run-stateless-application-deployment.md
similarity index 88%
rename from content/zh/docs/tasks/run-application/run-stateless-application-deployment.md
rename to content/zh-cn/docs/tasks/run-application/run-stateless-application-deployment.md
index f33e2021af7bb..55f9f9b120faa 100644
--- a/content/zh/docs/tasks/run-application/run-stateless-application-deployment.md
+++ b/content/zh-cn/docs/tasks/run-application/run-stateless-application-deployment.md
@@ -10,7 +10,7 @@ weight: 10
 <!--
 This page shows how to run an application using a Kubernetes Deployment object.
 -->
-本文介绍如何通过 Kubernetes Deployment 对象去运行一个应用.
+本文介绍如何通过 Kubernetes Deployment 对象去运行一个应用。
 
 ## {{% heading "objectives" %}}
 
@@ -19,9 +19,9 @@ This page shows how to run an application using a Kubernetes Deployment object.
 * Use kubectl to list information about the deployment.
 * Update the deployment.
 -->
-* 创建一个 nginx Deployment.
-* 使用 kubectl 列举关于 Deployment 的信息.
-* 更新 Deployment。
+* 创建一个 nginx Deployment。
+* 使用 kubectl 列举该 Deployment 的相关信息。
+* 更新该 Deployment。
 
 ## {{% heading "prerequisites" %}}
 
@@ -56,7 +56,7 @@ Docker 镜像的 Deployment：
 <!--
 1. Display information about the Deployment:
 -->
-2. 显示 Deployment 相关信息：
+2. 显示该 Deployment 的相关信息：
 
    ```shell
    kubectl describe deployment nginx-deployment
@@ -100,7 +100,7 @@ Docker 镜像的 Deployment：
 <!--
 1. List the Pods created by the deployment:
 -->
-3. 列出 Deployment 创建的 Pods：
+3. 列出该 Deployment 创建的 Pod：
 
    ```shell
    kubectl get pods -l app=nginx
@@ -139,7 +139,7 @@ specifies that the deployment should be updated to use nginx 1.16.1.
 -->
 ## 更新 Deployment
 
-你可以通过更新一个新的 YAML 文件来更新 Deployment。下面的 YAML 文件指定该
+你可以通过应用一个新的 YAML 文件来更新 Deployment。下面的 YAML 文件指定该
 Deployment 镜像更新为 nginx 1.16.1。
 
 {{< codenew file="application/deployment-update.yaml" >}}
@@ -156,7 +156,7 @@ Deployment 镜像更新为 nginx 1.16.1。
 <!--
 1. Watch the deployment create pods with new names and delete the old pods:
 -->
-2. 查看该 Deployment 以新的名称创建 Pods 同时删除旧的 Pods：
+2. 查看该 Deployment 以新的名称创建 Pod 同时删除旧的 Pod：
 
    ```shell
    kubectl get pods -l app=nginx
@@ -170,8 +170,8 @@ should have four Pods:
 -->
 ## 通过增加副本数来扩缩应用
 
-你可以通过应用新的 YAML 文件来增加 Deployment 中 Pods 的数量。
-下面的 YAML 文件将 `replicas` 设置为 4，指定该 Deployment 应有 4 个 Pods：
+你可以通过应用新的 YAML 文件来增加 Deployment 中 Pod 的数量。
+下面的 YAML 文件将 `replicas` 设置为 4，指定该 Deployment 应有 4 个 Pod：
 
 {{< codenew file="application/deployment-scale.yaml" >}}
 
@@ -187,7 +187,7 @@ should have four Pods:
 <!--
 1. Verify that the Deployment has four Pods:
 -->
-2. 验证 Deployment 有 4 个 Pods：
+2. 验证该 Deployment 有 4 个 Pod：
 
    ```shell
    kubectl get pods -l app=nginx
@@ -227,11 +227,11 @@ which in turn uses a ReplicaSet. Before the Deployment and ReplicaSet were
 added to Kubernetes, replicated applications were configured using a
 [ReplicationController](/docs/concepts/workloads/controllers/replicationcontroller/).
 -->
-## ReplicationControllers -- 旧的方式
+## ReplicationController —— 旧的方式
 
-创建一个多副本应用首选方法是使用 Deployment，Deployment 内部使用 ReplicaSet。
+创建一个多副本应用首选方法是使用 Deployment，该 Deployment 内部将轮流使用 ReplicaSet。
 在 Deployment 和 ReplicaSet 被引入到 Kubernetes 之前，多副本应用通过
-[ReplicationController](/zh/docs/concepts/workloads/controllers/replicationcontroller/)
+[ReplicationController](/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/)
 来配置。
 
 ## {{% heading "whatsnext" %}}
@@ -239,5 +239,4 @@ added to Kubernetes, replicated applications were configured using a
 <!--
 * Learn more about [Deployment objects](/docs/concepts/workloads/controllers/deployment/).
 -->
-* 进一步了解 [Deployment 对象](/zh/docs/concepts/workloads/controllers/deployment/)。
-
+* 进一步了解 [Deployment 对象](/zh-cn/docs/concepts/workloads/controllers/deployment/)。
diff --git a/content/zh/docs/tasks/run-application/scale-stateful-set.md b/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
similarity index 93%
rename from content/zh/docs/tasks/run-application/scale-stateful-set.md
rename to content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
index 595373ea94084..02e7f13aa8e5b 100644
--- a/content/zh/docs/tasks/run-application/scale-stateful-set.md
+++ b/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
@@ -24,8 +24,8 @@ This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to incr
 * StatefulSets 仅适用于 Kubernetes 1.5 及以上版本。
 * 不是所有 Stateful 应用都能很好地执行扩缩操作。 
   如果你不是很确定是否要扩缩你的 StatefulSet，可先参阅
-  [StatefulSet 概念](/zh/docs/concepts/workloads/controllers/statefulset/)
-  或者 [StatefulSet 教程](/zh/docs/tutorials/stateful-application/basic-stateful-set/)。
+  [StatefulSet 概念](/zh-cn/docs/concepts/workloads/controllers/statefulset/)
+  或者 [StatefulSet 教程](/zh-cn/docs/tutorials/stateful-application/basic-stateful-set/)。
 
 * 仅当你确定你的有状态应用的集群是完全健康的，才可执行扩缩操作.
 
@@ -75,7 +75,7 @@ update `.spec.replicas` of the StatefulSet manifests, and then do a `kubectl app
 -->
 ### 对 StatefulSet 执行就地更新
 
-另外, 你可以[就地更新](/zh/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources) StatefulSet。
+另外, 你可以[就地更新](/zh-cn/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources) StatefulSet。
 
 如果你的 StatefulSet 最初通过 `kubectl apply` 或 `kubectl create --save-config` 创建,
 你可以更新 StatefulSet 清单中的 `.spec.replicas`, 然后执行命令 `kubectl apply`:
@@ -163,5 +163,5 @@ Stateful 应用的集群是完全健康时才执行扩缩操作。
 <!--
 * Learn more about [deleting a StatefulSet](/docs/tasks/run-application/delete-stateful-set/).
 -->
-* 进一步了解[删除 StatefulSet](/zh/docs/tasks/run-application/delete-stateful-set/)
+* 进一步了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)
 
diff --git a/content/zh/docs/tasks/service-catalog/_index.md b/content/zh-cn/docs/tasks/service-catalog/_index.md
similarity index 100%
rename from content/zh/docs/tasks/service-catalog/_index.md
rename to content/zh-cn/docs/tasks/service-catalog/_index.md
diff --git a/content/zh/docs/tasks/service-catalog/install-service-catalog-using-helm.md b/content/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-helm.md
similarity index 96%
rename from content/zh/docs/tasks/service-catalog/install-service-catalog-using-helm.md
rename to content/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-helm.md
index a8c6988d83707..61afab1b33196 100644
--- a/content/zh/docs/tasks/service-catalog/install-service-catalog-using-helm.md
+++ b/content/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-helm.md
@@ -32,12 +32,12 @@ Use [Helm](https://helm.sh/) to install Service Catalog on your Kubernetes clust
     * Follow the [Helm install instructions](https://github.com/kubernetes/helm/blob/master/docs/install.md).
     * If you already have an appropriate version of Helm installed, execute `helm init` to install Tiller, the server-side component of Helm.
 -->
-* 理解[服务目录](/zh/docs/concepts/extend-kubernetes/service-catalog/) 的关键概念。
+* 理解[服务目录](/zh-cn/docs/concepts/extend-kubernetes/service-catalog/) 的关键概念。
 * Service Catalog 需要 Kubernetes 集群版本在 1.7 或更高版本。
 * 你必须启用 Kubernetes 集群的 DNS 功能。
     * 如果使用基于云的 Kubernetes 集群或 {{< glossary_tooltip text="Minikube" term_id="minikube" >}}，则可能已经启用了集群 DNS。
     * 如果你正在使用 `hack/local-up-cluster.sh`，请确保设置了 `KUBE_ENABLE_CLUSTER_DNS` 环境变量，然后运行安装脚本。
-* [安装和设置 v1.7 或更高版本的 kubectl](/zh/docs/tasks/tools/)，确保将其配置为连接到 Kubernetes 集群。
+* [安装和设置 v1.7 或更高版本的 kubectl](/zh-cn/docs/tasks/tools/)，确保将其配置为连接到 Kubernetes 集群。
 * 安装 v2.7.0 或更高版本的 [Helm](https://helm.sh/)。
     * 遵照 [Helm 安装说明](https://helm.sh/docs/intro/install/)。
     * 如果已经安装了适当版本的 Helm，请执行 `helm init` 来安装 Helm 的服务器端组件 Tiller。
diff --git a/content/zh/docs/tasks/service-catalog/install-service-catalog-using-sc.md b/content/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-sc.md
similarity index 90%
rename from content/zh/docs/tasks/service-catalog/install-service-catalog-using-sc.md
rename to content/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-sc.md
index 4602fc56d85cb..0a6f2ed81726d 100644
--- a/content/zh/docs/tasks/service-catalog/install-service-catalog-using-sc.md
+++ b/content/zh-cn/docs/tasks/service-catalog/install-service-catalog-using-sc.md
@@ -1,10 +1,7 @@
 ---
 title: 使用 SC 安装服务目录
-reviewers:
-- chenopis
 content_type: task
 ---
-
 <!--
 title: Install Service Catalog using SC
 reviewers:
@@ -39,12 +36,12 @@ Service Catalog can work with any kind of managed service, not only Google Cloud
 
         kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=<user-name>
 -->
-* 了解[服务目录](/zh/docs/concepts/extend-kubernetes/service-catalog/)
+* 了解[服务目录](/zh-cn/docs/concepts/extend-kubernetes/service-catalog/)
   的主要概念。
 * 安装 [Go 1.6+](https://golang.org/dl/) 以及设置 `GOPATH`。
 * 安装生成 SSL 工件所需的 [cfssl](https://github.com/cloudflare/cfssl) 工具。
 * 服务目录需要 Kubernetes 1.7+ 版本。
-* [安装和设置 kubectl](/zh/docs/tasks/tools/)，
+* [安装和设置 kubectl](/zh-cn/docs/tasks/tools/)，
   以便将其配置为连接到 Kubernetes v1.7+ 集群。
 * 要安装服务目录，kubectl 用户必须绑定到 *cluster-admin* 角色。
   为了确保这是正确的，请运行以下命令：
@@ -61,7 +58,7 @@ The installer runs on your local computer as a CLI tool named `sc`.
 
 Install using `go get`:
 -->
-## 在本地环境中安装 `sc`
+## 在本地环境中安装 `sc`    {#install-sc-in-your-local-environment}
 
 安装程序在你的本地计算机上以 CLI 工具的形式运行，名为 `sc`。
 
@@ -81,7 +78,7 @@ go get github.com/GoogleCloudPlatform/k8s-service-catalog/installer/cmd/sc
 
 First, verify that all dependencies have been installed. Run:
 -->
-## 在 Kubernetes 集群中安装服务目录
+## 在 Kubernetes 集群中安装服务目录    {#install-service-catalog-in-your-kubernetes-cluster}
 
 首先，检查是否已经安装了所有依赖项。运行：
 
@@ -112,9 +109,9 @@ sc install --etcd-backup-storageclass "standard"
 
 If you would like to uninstall Service Catalog from your Kubernetes cluster using the `sc` tool, run:
 -->
-## 卸载服务目录
+## 卸载服务目录    {#uninstall-service-catalog}
 
-如果您想使用 `sc` 工具从 Kubernetes 集群卸载服务目录，请运行：
+如果你想使用 `sc` 工具从 Kubernetes 集群卸载服务目录，请运行：
 
 ```shell
 sc uninstall
diff --git a/content/zh/docs/tasks/tls/_index.md b/content/zh-cn/docs/tasks/tls/_index.md
similarity index 100%
rename from content/zh/docs/tasks/tls/_index.md
rename to content/zh-cn/docs/tasks/tls/_index.md
diff --git a/content/zh/docs/tasks/tls/certificate-rotation.md b/content/zh-cn/docs/tasks/tls/certificate-rotation.md
similarity index 96%
rename from content/zh/docs/tasks/tls/certificate-rotation.md
rename to content/zh-cn/docs/tasks/tls/certificate-rotation.md
index 0028592917d22..b4943da2fbddc 100644
--- a/content/zh/docs/tasks/tls/certificate-rotation.md
+++ b/content/zh-cn/docs/tasks/tls/certificate-rotation.md
@@ -41,14 +41,14 @@ Kubelet 使用证书进行 Kubernetes API 的认证。
 
 <!--
 Kubernetes contains [kubelet certificate
-rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/),
+rotation](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/),
 that will automatically generate a new key and request a new certificate from
 the Kubernetes API as the current certificate approaches expiration. Once the
 new certificate is available, it will be used for authenticating connections to
 the Kubernetes API.
 -->
 Kubernetes 包含特性
-[kubelet 证书轮换](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)，
+[kubelet 证书轮换](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)，
 在当前证书即将过期时，
 将自动生成新的秘钥，并从 Kubernetes API 申请新的证书。 一旦新的证书可用，它将被用于与
 Kubernetes API 间的连接认证。
diff --git a/content/zh/docs/tasks/tls/managing-tls-in-a-cluster.md b/content/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster.md
similarity index 97%
rename from content/zh/docs/tasks/tls/managing-tls-in-a-cluster.md
rename to content/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster.md
index f6204c527f382..5fb539a5a502a 100644
--- a/content/zh/docs/tasks/tls/managing-tls-in-a-cluster.md
+++ b/content/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster.md
@@ -95,7 +95,7 @@ have access to read.
 内部 Kubernetes 端点的一个示例是默认命名空间中名为 `kubernetes` 的服务。
 
 如果你想为你的工作负载使用自定义证书颁发机构，你应该单独生成该 CA，
-并使用你的 Pod 有读权限的 [ConfigMap](/zh/docs/tasks/configure-pod-container/configure-pod-configmap)
+并使用你的 Pod 有读权限的 [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap)
 分发该 CA 证书。
 {{< /note >}}
 
@@ -217,7 +217,7 @@ it by running:
 “密钥加密（key encipherment）” 和 “服务器身份验证（server auth）” 密钥用途，
 由 `example.com/serving` 示例签名程序签名的证书。
 你也可以要求使用特定的 `signerName`。更多信息可参阅
-[支持的签署者名称](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#signers)。
+[支持的签署者名称](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signers)。
 
 在 API server 中可以看到这些 CSR 处于 Pending 状态。执行下面的命令你将可以看到：
 
@@ -254,7 +254,7 @@ manually using `kubectl`; for example:
 -->
 ## 批准证书签名请求（CSR）  {#get-the-certificate-signing-request-approved}
 
-[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)
+[证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
 的批准或者是通过自动批准过程完成的，或由集群管理员一次性完成。
 如果你被授权批准证书请求，你可以使用 `kubectl` 来手动完成此操作；例如：
 
@@ -530,7 +530,7 @@ reference page.
 当且仅当满足这两个要求时，审批者应该批准 CSR，否则拒绝 CSR。
 
 有关证书批准和访问控制的更多信息，
-请阅读[证书签名请求](/zh/docs/reference/access-authn-authz/certificate-signing-requests/)参考页。
+请阅读[证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)参考页。
 
 <!--
 ## Configuring your cluster to provide signing
diff --git a/content/zh/docs/tasks/tls/manual-rotation-of-ca-certificates.md b/content/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates.md
similarity index 94%
rename from content/zh/docs/tasks/tls/manual-rotation-of-ca-certificates.md
rename to content/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates.md
index 87e9b5eb64279..fcf9f7fab1fec 100644
--- a/content/zh/docs/tasks/tls/manual-rotation-of-ca-certificates.md
+++ b/content/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates.md
@@ -24,8 +24,8 @@ This page shows how to manually rotate the certificate authority (CA) certificat
 - For more information about best practices for CA certificates, see [Single root CA](/docs/setup/best-practices/certificates/#single-root-ca).
 -->
 - 要了解 Kubernetes 中用户认证的更多信息，参阅
-  [认证](/zh/docs/reference/access-authn-authz/authentication)；
-- 要了解与 CA 证书最佳实践有关的更多信息，参阅[单根 CA](/zh/docs/setup/best-practices/certificates/#single-root-ca)。
+  [认证](/zh-cn/docs/reference/access-authn-authz/authentication)；
+- 要了解与 CA 证书最佳实践有关的更多信息，参阅[单根 CA](/zh-cn/docs/setup/best-practices/certificates/#single-root-ca)。
 
 <!-- steps -->
 
@@ -152,7 +152,7 @@ Configurations with a single API server will experience unavailability while the
    中的内容，更新用户账号的证书。
 
    有关为独立用户账号创建证书的更多信息，可参阅
-   [为用户帐号配置证书](/zh/docs/setup/best-practices/certificates/#configure-certificates-for-user-accounts)。
+   [为用户帐号配置证书](/zh-cn/docs/setup/best-practices/certificates/#configure-certificates-for-user-accounts)。
 
    另外，还要更新 kubeconfig 文件中的 `certificate-authority-data`
    节，使之包含 Base64 编码的老的和新的证书机构数据。
@@ -171,7 +171,7 @@ Configurations with a single API server will experience unavailability while the
 -->
 8. 遵循下列步骤执行滚动更新
 
-   1. 重新启动所有其他 *[被聚合的 API 服务器](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)*
+   1. 重新启动所有其他 *[被聚合的 API 服务器](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)*
       或者 *Webhook 处理程序*，使之信任新的 CA 证书。
 
    2. 在所有节点上更新 kubelet 配置中的 `clientCAFile` 所指文件以及 kubelet.conf 中的
@@ -210,8 +210,8 @@ Configurations with a single API server will experience unavailability while the
       -->
       {{< note >}}
       要使用 `openssl` 命令行为集群生成新的证书和私钥，可参阅
-      [证书（`openssl`）](/zh/docs/tasks/administer-cluster/certificates/#openssl)。
-      你也可以使用[`cfssl`](/zh/docs/tasks/administer-cluster/certificates/#cfssl).
+      [证书（`openssl`）](/zh-cn/docs/tasks/administer-cluster/certificates/#openssl)。
+      你也可以使用[`cfssl`](/zh-cn/docs/tasks/administer-cluster/certificates/#cfssl).
       {{< /note >}}
 
    <!--
@@ -240,7 +240,7 @@ Configurations with a single API server will experience unavailability while the
       -->
       {{< note >}}
       要限制应用可能受到的并发干扰数量，可以参阅
-      [配置 Pod 干扰预算](/zh/docs/tasks/run-application/configure-pdb/).
+      [配置 Pod 干扰预算](/zh-cn/docs/tasks/run-application/configure-pdb/).
       {{< /note >}}
 <!--
 1. If your cluster is using bootstrap tokens to join nodes, update the ConfigMap `cluster-info` in the `kube-public` namespace with new CA.
@@ -260,7 +260,7 @@ Configurations with a single API server will experience unavailability while the
 
    1. Validate the logs from control plane components, along with the kubelet and the
       kube-proxy are not throwing any tls errors, see
-      [looking at the logs](/docs/tasks/debug-application-cluster/debug-cluster/#looking-at-logs).
+       [looking at the logs](/docs/tasks/debug/debug-cluster/#looking-at-logs).
 
    1. Validate logs from any aggregated api servers and pods using in-cluster config.
 -->
@@ -268,7 +268,7 @@ Configurations with a single API server will experience unavailability while the
 
     1. 验证控制面组件的日志，以及 `kubelet` 和 `kube-proxy` 的日志，确保其中没有
        抛出 TLS 错误，参阅
-       [查看日志](/zh/docs/tasks/debug-application-cluster/debug-cluster/#looking-at-logs).
+       [查看日志](/zh-cn/docs/tasks/debug/debug-cluster/#looking-at-logs).
 
     2. 验证被聚合的 API 服务器的日志，以及所有使用集群内配置的 Pod 的日志。
 
diff --git a/content/zh/docs/tasks/tools/_index.md b/content/zh-cn/docs/tasks/tools/_index.md
similarity index 88%
rename from content/zh/docs/tasks/tools/_index.md
rename to content/zh-cn/docs/tasks/tools/_index.md
index 028f22fb38733..e3beccc17bbe5 100644
--- a/content/zh/docs/tasks/tools/_index.md
+++ b/content/zh-cn/docs/tasks/tools/_index.md
@@ -27,7 +27,7 @@ Kubernetes 命令行工具，[kubectl](/docs/reference/kubectl/kubectl/)，使
 你可以使用 kubectl 来部署应用、监测和管理集群资源以及查看日志。
 
 有关更多信息，包括 kubectl 操作的完整列表，请参见[`kubectl` 
-参考文件](/zh/docs/reference/kubectl/)。
+参考文件](/zh-cn/docs/reference/kubectl/)。
 
 <!--
 kubectl is installable on a variety of Linux platforms, macOS and Windows. 
@@ -40,9 +40,9 @@ Find your preferred operating system below.
 kubectl 可安装在各种 Linux 平台、 macOS 和 Windows 上。
 在下面找到你喜欢的操作系统。
 
-- [在 Linux 上安装 kubectl](/zh/docs/tasks/tools/install-kubectl-linux)
-- [在 macOS 上安装 kubectl](/zh/docs/tasks/tools/install-kubectl-macos)
-- [在 Windows 上安装 kubectl](/zh/docs/tasks/tools/install-kubectl-windows)
+- [在 Linux 上安装 kubectl](/zh-cn/docs/tasks/tools/install-kubectl-linux)
+- [在 macOS 上安装 kubectl](/zh-cn/docs/tasks/tools/install-kubectl-macos)
+- [在 Windows 上安装 kubectl](/zh-cn/docs/tasks/tools/install-kubectl-windows)
 
 <!--
 ## kind
@@ -104,7 +104,7 @@ Once you have `minikube` working, you can use it to
 </a>
 
 当你拥有了可工作的 `minikube` 时，就可以用它来
-[运行示例应用](/zh/docs/tutorials/hello-minikube/)了。
+[运行示例应用](/zh-cn/docs/tutorials/hello-minikube/)了。
 
 ## kubeadm
 
@@ -120,13 +120,13 @@ It performs the actions necessary to get a minimum viable, secure cluster up and
 [Installing kubeadm](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/) shows you how to install kubeadm.
 Once installed, you can use it to [create a cluster](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
 -->
-[安装 kubeadm](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)
+[安装 kubeadm](/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)
 展示了如何安装 kubeadm 的过程。
 一旦安装了 kubeadm，你就可以使用它来
-[创建一个集群](/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)。
+[创建一个集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)。
 
 <!-- a class="btn btn-primary" href="/docs/setup/production-environment/tools/kubeadm/install-kubeadm/" role="button" aria-label="View kubeadm Install Guide">View kubeadm Install Guide</a-->
 
-<a class="btn btn-primary" href="/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/"
+<a class="btn btn-primary" href="/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/"
   role="button" aria-label="查看 kubeadm 安装指南">查看 kubeadm 安装指南</a>
 
diff --git a/content/zh/docs/tasks/tools/included/_index.md b/content/zh-cn/docs/tasks/tools/included/_index.md
similarity index 100%
rename from content/zh/docs/tasks/tools/included/_index.md
rename to content/zh-cn/docs/tasks/tools/included/_index.md
diff --git a/content/zh/docs/tasks/tools/included/kubectl-convert-overview.md b/content/zh-cn/docs/tasks/tools/included/kubectl-convert-overview.md
similarity index 88%
rename from content/zh/docs/tasks/tools/included/kubectl-convert-overview.md
rename to content/zh-cn/docs/tasks/tools/included/kubectl-convert-overview.md
index 9e277732d529a..21d6556331645 100644
--- a/content/zh/docs/tasks/tools/included/kubectl-convert-overview.md
+++ b/content/zh-cn/docs/tasks/tools/included/kubectl-convert-overview.md
@@ -21,4 +21,4 @@ For more info, visit [migrate to non deprecated apis](/docs/reference/using-api/
 -->
 一个 Kubernetes 命令行工具 `kubectl` 的插件，允许你将清单在不同 API 版本间转换。
 这对于将清单迁移到新的 Kubernetes 发行版上未被废弃的 API 版本时尤其有帮助。
-更多信息请访问 [迁移到非弃用 API](/zh/docs/reference/using-api/deprecation-guide/#migrate-to-non-deprecated-apis)
+更多信息请访问 [迁移到非弃用 API](/zh-cn/docs/reference/using-api/deprecation-guide/#migrate-to-non-deprecated-apis)
diff --git a/content/zh/docs/tasks/tools/included/kubectl-whats-next.md b/content/zh-cn/docs/tasks/tools/included/kubectl-whats-next.md
similarity index 73%
rename from content/zh/docs/tasks/tools/included/kubectl-whats-next.md
rename to content/zh-cn/docs/tasks/tools/included/kubectl-whats-next.md
index 3990922e0e1fc..6d8a9a136da56 100644
--- a/content/zh/docs/tasks/tools/included/kubectl-whats-next.md
+++ b/content/zh-cn/docs/tasks/tools/included/kubectl-whats-next.md
@@ -20,8 +20,8 @@ headless: true
 * Read the [kubectl reference docs](/docs/reference/kubectl/kubectl/)
 -->
 * [安装 Minikube](https://minikube.sigs.k8s.io/docs/start/)
-* 有关创建集群的更多信息，请参阅[入门指南](/zh/docs/setup/).
-* [学习如何启动并对外公开你的应用程序。](/zh/docs/tasks/access-application-cluster/service-access-application-cluster/)
+* 有关创建集群的更多信息，请参阅[入门指南](/zh-cn/docs/setup/).
+* [学习如何启动并对外公开你的应用程序。](/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster/)
 * 如果你需要访问其他人创建的集群，请参阅
-  [共享集群接入文档](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
-* 阅读 [kubectl 参考文档](/zh/docs/reference/kubectl/kubectl/)
+  [共享集群接入文档](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
+* 阅读 [kubectl 参考文档](/zh-cn/docs/reference/kubectl/kubectl/)
diff --git a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
similarity index 98%
rename from content/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
rename to content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
index 62046d0357896..eba8ea68cc1aa 100644
--- a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
+++ b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-bash-linux.md
@@ -86,7 +86,7 @@ If you have an alias for kubectl, you can extend shell completion to work with t
 
 ```bash
 echo 'alias k=kubectl' >>~/.bashrc
-echo 'complete -F __start_kubectl k' >>~/.bashrc
+echo 'complete -o default -F __start_kubectl k' >>~/.bashrc
 ```
 
 {{< note >}}
diff --git a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
similarity index 97%
rename from content/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
rename to content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
index 225492631cd6e..6990b943ae135 100644
--- a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
+++ b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-bash-mac.md
@@ -148,14 +148,14 @@ You now have to ensure that the kubectl completion script gets sourced in all yo
 
     ```bash
     echo 'alias k=kubectl' >>~/.bash_profile
-    echo 'complete -F __start_kubectl k' >>~/.bash_profile
+    echo 'complete -o default -F __start_kubectl k' >>~/.bash_profile
     ```
 
 <!-- 
 - If you installed kubectl with Homebrew (as explained [here](/docs/tasks/tools/install-kubectl-macos/#install-with-homebrew-on-macos)), then the kubectl completion script should already be in `/usr/local/etc/bash_completion.d/kubectl`. In that case, you don't need to do anything.
 -->
 - 如果你是用 Homebrew 安装的 kubectl（如
-  [此页面](/zh/docs/tasks/install-with-homebrew-on-macos/#install-with-homebrew-on-macos)
+  [此页面](/zh-cn/docs/tasks/install-with-homebrew-on-macos/#install-with-homebrew-on-macos)
   所描述），则kubectl 补全脚本应该已经安装到目录 `/usr/local/etc/bash_completion.d/kubectl`
   中了。这种情况下，你什么都不需要做。
 
diff --git a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-fish.md b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-fish.md
similarity index 100%
rename from content/zh/docs/tasks/tools/included/optional-kubectl-configs-fish.md
rename to content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-fish.md
diff --git a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-pwsh.md b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-pwsh.md
similarity index 100%
rename from content/zh/docs/tasks/tools/included/optional-kubectl-configs-pwsh.md
rename to content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-pwsh.md
diff --git a/content/zh/docs/tasks/tools/included/optional-kubectl-configs-zsh.md b/content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-zsh.md
similarity index 100%
rename from content/zh/docs/tasks/tools/included/optional-kubectl-configs-zsh.md
rename to content/zh-cn/docs/tasks/tools/included/optional-kubectl-configs-zsh.md
diff --git a/content/zh/docs/tasks/tools/included/verify-kubectl.md b/content/zh-cn/docs/tasks/tools/included/verify-kubectl.md
similarity index 96%
rename from content/zh/docs/tasks/tools/included/verify-kubectl.md
rename to content/zh-cn/docs/tasks/tools/included/verify-kubectl.md
index a587e26cd01ac..53544eaaf105c 100644
--- a/content/zh/docs/tasks/tools/included/verify-kubectl.md
+++ b/content/zh-cn/docs/tasks/tools/included/verify-kubectl.md
@@ -22,7 +22,7 @@ By default, kubectl configuration is located at `~/.kube/config`.
 Check that kubectl is properly configured by getting the cluster state:
  -->
 为了让 kubectl 能发现并访问 Kubernetes 集群，你需要一个
-[kubeconfig 文件](/docs/zh/concepts/configuration/organize-cluster-access-kubeconfig/)，
+[kubeconfig 文件](/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/)，
 该文件在
 [kube-up.sh](https://github.com/kubernetes/kubernetes/blob/master/cluster/kube-up.sh)
 创建集群时，或成功部署一个 Miniube 集群时，均会自动生成。
diff --git a/content/zh/docs/tasks/tools/install-kubectl-linux.md b/content/zh-cn/docs/tasks/tools/install-kubectl-linux.md
similarity index 100%
rename from content/zh/docs/tasks/tools/install-kubectl-linux.md
rename to content/zh-cn/docs/tasks/tools/install-kubectl-linux.md
diff --git a/content/zh/docs/tasks/tools/install-kubectl-macos.md b/content/zh-cn/docs/tasks/tools/install-kubectl-macos.md
similarity index 100%
rename from content/zh/docs/tasks/tools/install-kubectl-macos.md
rename to content/zh-cn/docs/tasks/tools/install-kubectl-macos.md
diff --git a/content/zh/docs/tasks/tools/install-kubectl-windows.md b/content/zh-cn/docs/tasks/tools/install-kubectl-windows.md
similarity index 100%
rename from content/zh/docs/tasks/tools/install-kubectl-windows.md
rename to content/zh-cn/docs/tasks/tools/install-kubectl-windows.md
diff --git a/content/zh/docs/test.md b/content/zh-cn/docs/test.md
similarity index 99%
rename from content/zh/docs/test.md
rename to content/zh-cn/docs/test.md
index 9642299b5d1f1..404dfb9d6870e 100644
--- a/content/zh/docs/test.md
+++ b/content/zh-cn/docs/test.md
@@ -503,10 +503,10 @@ You can also use HTML, but it is not preferred.
 
 - 指向 Kubernetes 文档的站内链接，需要在英文链接之前添加前缀 `/zh`。
   例如，原链接目标为 `/docs/foo/bar` 时，译文中的链接目标应为
-  `/zh/docs/foo/bar`。例如：
+  `/zh-cn/docs/foo/bar`。例如：
 
   - 英文版本链接 [Kubernetes Components](/docs/concepts/overview/components/)
-  - 对应中文链接 [Kubernetes 组件](/zh/docs/concepts/overview/components/)
+  - 对应中文链接 [Kubernetes 组件](/zh-cn/docs/concepts/overview/components/)
 
 - 英文页面子标题会生成对应锚点（Anchor），例如子标题 `## Using object` 会生成
   对应标签 `#using-objects`。在翻译为中文之后，对应锚点可能会失效。对此，有
diff --git a/content/zh/docs/tutorials/_index.md b/content/zh-cn/docs/tutorials/_index.md
similarity index 63%
rename from content/zh/docs/tutorials/_index.md
rename to content/zh-cn/docs/tutorials/_index.md
index 2feb4bd56d5bc..0c77f56652122 100644
--- a/content/zh/docs/tutorials/_index.md
+++ b/content/zh-cn/docs/tutorials/_index.md
@@ -24,9 +24,9 @@ Before walking through each tutorial, you may want to bookmark the
 [Standardized Glossary](/docs/reference/glossary/) page for later references.
 -->
 Kubernetes 文档的这一部分包含教程。
-每个教程展示了如何完成一个比单个[任务](/zh/docs/tasks/)更大的目标。
+每个教程展示了如何完成一个比单个[任务](/zh-cn/docs/tasks/)更大的目标。
 通常一个教程有几个部分，每个部分都有一系列步骤。在浏览每个教程之前，
-你可能希望将[标准化术语表](/zh/docs/reference/glossary/)页面添加到书签，供以后参考。
+你可能希望将[标准化术语表](/zh-cn/docs/reference/glossary/)页面添加到书签，供以后参考。
 
 <!-- body -->
 <!--
@@ -40,10 +40,10 @@ Kubernetes 文档的这一部分包含教程。
 -->
 ## 基础知识  {#basics}
 
-* [Kubernetes 基础知识](/zh/docs/tutorials/Kubernetes-Basics/)
+* [Kubernetes 基础知识](/zh-cn/docs/tutorials/Kubernetes-Basics/)
   是一个深入的交互式教程，帮助你理解 Kubernetes 系统，并尝试一些基本的 Kubernetes 特性。
 * [Kubernetes 介绍 (edX)](https://www.edx.org/course/introduction-kubernetes-linuxfoundationx-lfs158x#)
-* [你好 Minikube](/zh/docs/tutorials/hello-minikube/)
+* [你好 Minikube](/zh-cn/docs/tutorials/hello-minikube/)
 
 <!--
 ## Configuration
@@ -54,8 +54,8 @@ Kubernetes 文档的这一部分包含教程。
 -->
 ## 配置  {#configuration}
 
-* [示例：配置 Java 微服务](/zh/docs/tutorials/configuration/configure-java-microservice/)
-* [使用 ConfigMap 配置 Redis](/zh/docs/tutorials/configuration/configure-redis-using-configmap/)
+* [示例：配置 Java 微服务](/zh-cn/docs/tutorials/configuration/configure-java-microservice/)
+* [使用 ConfigMap 配置 Redis](/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap/)
 
 <!--
 ## Stateless Applications
@@ -66,8 +66,8 @@ Kubernetes 文档的这一部分包含教程。
 -->
 ## 无状态应用程序  {#stateless-applications}
 
-* [公开外部 IP 地址访问集群中的应用程序](/zh/docs/tutorials/stateless-application/expose-external-ip-address/)
-* [示例：使用 Redis 部署 PHP 留言板应用程序](/zh/docs/tutorials/stateless-application/guestbook/)
+* [公开外部 IP 地址访问集群中的应用程序](/zh-cn/docs/tutorials/stateless-application/expose-external-ip-address/)
+* [示例：使用 Redis 部署 PHP 留言板应用程序](/zh-cn/docs/tutorials/stateless-application/guestbook/)
 
 <!--
 ## Stateful Applications
@@ -82,10 +82,10 @@ Kubernetes 文档的这一部分包含教程。
 -->
 ## 有状态应用程序  {#stateful-applications}
 
-* [StatefulSet 基础](/zh/docs/tutorials/stateful-application/basic-stateful-set/)
-* [示例：WordPress 和 MySQL 使用持久卷](/zh/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/)
-* [示例：使用有状态集部署 Cassandra](/zh/docs/tutorials/stateful-application/cassandra/)
-* [运行 ZooKeeper，CP 分布式系统](/zh/docs/tutorials/stateful-application/zookeeper/)
+* [StatefulSet 基础](/zh-cn/docs/tutorials/stateful-application/basic-stateful-set/)
+* [示例：WordPress 和 MySQL 使用持久卷](/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/)
+* [示例：使用有状态集部署 Cassandra](/zh-cn/docs/tutorials/stateful-application/cassandra/)
+* [运行 ZooKeeper，CP 分布式系统](/zh-cn/docs/tutorials/stateful-application/zookeeper/)
 
 <!--
 ## Services
@@ -94,22 +94,22 @@ Kubernetes 文档的这一部分包含教程。
 -->
 ## 服务  {#services}
 
-* [使用源 IP](/zh/docs/tutorials/services/source-ip/)
+* [使用源 IP](/zh-cn/docs/tutorials/services/source-ip/)
 
 <!--
 ## Security
 
 * [Apply Pod Security Standards at Cluster level](/docs/tutorials/security/cluster-level-pss/)
 * [Apply Pod Security Standards at Namespace level](/docs/tutorials/security/ns-level-pss/)
-* [AppArmor](/zh/docs/tutorials/security/apparmor/)
-* [seccomp](/zh/docs/tutorials/security/seccomp/)
+* [AppArmor](/zh-cn/docs/tutorials/security/apparmor/)
+* [seccomp](/zh-cn/docs/tutorials/security/seccomp/)
 -->
 ## 安全  {#security}
 
-* [在集群级别应用 Pod 安全标准](/zh/docs/tutorials/security/cluster-level-pss/)
-* [在名字空间级别应用 Pod 安全标准](/zh/docs/tutorials/security/ns-level-pss/)
-* [AppArmor](/zh/docs/tutorials/security/apparmor/)
-* [seccomp](/zh/docs/tutorials/security/seccomp/)
+* [在集群级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/cluster-level-pss/)
+* [在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss/)
+* [AppArmor](/zh-cn/docs/tutorials/security/apparmor/)
+* [seccomp](/zh-cn/docs/tutorials/security/seccomp/)
 
 ## {{% heading "whatsnext" %}}
 
@@ -118,6 +118,6 @@ If you would like to write a tutorial, see
 [Content Page Types](/docs/contribute/style/page-content-types/)
 for information about the tutorial page.
 -->
-如果你要编写教程，请参阅[内容页面类型](/zh/docs/contribute/style/page-content-types/)
+如果你要编写教程，请参阅[内容页面类型](/zh-cn/docs/contribute/style/page-content-types/)
 以获取有关教程页面类型的信息。
 
diff --git a/content/zh/docs/tutorials/configuration/_index.md b/content/zh-cn/docs/tutorials/configuration/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/configuration/_index.md
rename to content/zh-cn/docs/tutorials/configuration/_index.md
diff --git a/content/zh/docs/tutorials/configuration/configure-java-microservice/_index.md b/content/zh-cn/docs/tutorials/configuration/configure-java-microservice/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/configuration/configure-java-microservice/_index.md
rename to content/zh-cn/docs/tutorials/configuration/configure-java-microservice/_index.md
diff --git a/content/zh/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html b/content/zh-cn/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html
similarity index 100%
rename from content/zh/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html
rename to content/zh-cn/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive.html
diff --git a/content/zh/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice.md b/content/zh-cn/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice.md
similarity index 94%
rename from content/zh/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice.md
rename to content/zh-cn/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice.md
index b7c99d0e8e9a5..b46c61ebd35ab 100644
--- a/content/zh/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice.md
+++ b/content/zh-cn/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice.md
@@ -40,11 +40,11 @@ Although Secrets are also used to store key-value pairs, they differ from Config
 -->
 ConfigMaps 是存储非机密键值对的 API 对象。
 在互动教程中，你会学到如何用 ConfigMap 来保存应用名字。
-ConfigMap 的更多信息，你可以在[这里](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)找到文档。
+ConfigMap 的更多信息，你可以在[这里](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)找到文档。
 
 Secrets 尽管也用来存储键值对，但区别于 ConfigMaps 的是：它针对机密/敏感数据，且存储格式为 Base64 编码。
 secrets 的这种特性使得它适合于存储证书、密钥、令牌，上述内容你将在交互教程中实现。
-Secrets 的更多信息，你可以在[这里](/zh/docs/concepts/configuration/secret/)找到文档。
+Secrets 的更多信息，你可以在[这里](/zh-cn/docs/concepts/configuration/secret/)找到文档。
 
 
 <!-- 
@@ -90,4 +90,4 @@ CDI & MicroProfile 都会被用在互动教程中，
 ### [Start Interactive Tutorial](/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive/) 
 -->
 ## 示例：使用 MicroProfile、ConfigMaps、Secrets 实现外部化应用配置
-### [启动互动教程](/zh/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive/) 
+### [启动互动教程](/zh-cn/docs/tutorials/configuration/configure-java-microservice/configure-java-microservice-interactive/) 
diff --git a/content/zh/docs/tutorials/configuration/configure-redis-using-configmap.md b/content/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap.md
similarity index 82%
rename from content/zh/docs/tutorials/configuration/configure-redis-using-configmap.md
rename to content/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap.md
index fc6f0fa2f13d5..6814327d59d11 100644
--- a/content/zh/docs/tutorials/configuration/configure-redis-using-configmap.md
+++ b/content/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap.md
@@ -1,17 +1,22 @@
 ---
+title: 使用 ConfigMap 来配置 Redis
+content_type: tutorial
+---
+<!--
 reviewers:
 - eparis
 - pmorie
-title: 使用 ConfigMap 来配置 Redis
+title: Configuring Redis using a ConfigMap
 content_type: tutorial
----
+-->
 
 <!-- overview -->
 
 <!--
-This page provides a real world example of how to configure Redis using a ConfigMap and builds upon the [Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) task.
+This page provides a real world example of how to configure Redis using a ConfigMap and builds upon the [Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) task.
 -->
-这篇文档基于[使用 ConfigMap 来配置 Containers](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/) 这个任务，提供了一个使用 ConfigMap 来配置 Redis 的真实案例。
+这篇文档基于[配置 Pod 以使用 ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
+这个任务，提供了一个使用 ConfigMap 来配置 Redis 的真实案例。
 
 
 
@@ -26,7 +31,7 @@ This page provides a real world example of how to configure Redis using a Config
 
 * 使用 Redis 配置的值创建一个 ConfigMap
 * 创建一个 Redis Pod，挂载并使用创建的 ConfigMap
-* 验证配置已经被正确应用。
+* 验证配置已经被正确应用
 
 
 
@@ -35,13 +40,14 @@ This page provides a real world example of how to configure Redis using a Config
 ## {{% heading "prerequisites" %}}
 
 
-* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+
 <!--
 * The example shown on this page works with `kubectl` 1.14 and above.
-* Understand [Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/).
+* Understand [Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/).
 -->
-* 此页面上显示的示例适用于 `kubectl` 1.14和在其以上的版本。
-* 理解[使用ConfigMap来配置Containers](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)。
+* 此页面上显示的示例适用于 `kubectl` 1.14 及以上的版本。
+* 理解[配置 Pod 以使用 ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)。
 
 
 
@@ -55,7 +61,7 @@ Follow the steps below to configure a Redis cache using data stored in a ConfigM
 
 First create a ConfigMap with an empty configuration block:
 -->
-## 真实世界的案例：使用 ConfigMap 来配置 Redis
+## 真实世界的案例：使用 ConfigMap 来配置 Redis    {#real-world-example-configuring-redis-using-a-configmap}
 
 按照下面的步骤，使用 ConfigMap 中的数据来配置 Redis 缓存。
 
@@ -79,7 +85,7 @@ Apply the ConfigMap created above, along with a Redis pod manifest:
 
 ```shell
 kubectl apply -f example-redis-config.yaml
-kubectl apply -f https://k8s.io/examples/pods/config/redis-pod.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/config/redis-pod.yaml
 ```
 
 <!--
@@ -100,12 +106,13 @@ ConfigMap above as `/redis-master/redis.conf` inside the Pod.
   ConfigMap 中的 `redis-config` 密钥公开在 `config` 卷上一个名为 `redis-config` 的文件中。
 * 然后 `config` 卷被 `spec.containers[0].volumeMounts[1]` 挂载在 `/redis-master`。
 
-这样做的最终效果是将上面 `example-redis-config` 配置中 `data.redis-config` 的数据作为 Pod 中的 `/redis-master/redis.conf` 公开。
+这样做的最终效果是将上面 `example-redis-config` 配置中 `data.redis-config`
+的数据作为 Pod 中的 `/redis-master/redis.conf` 公开。
 
 {{< codenew file="pods/config/redis-pod.yaml" >}}
 
-<!-- 
-Examine the created objects: 
+<!--
+Examine the created objects:
 -->
 检查创建的对象：
 
@@ -118,7 +125,7 @@ You should see the following output:
 -->
 你应该可以看到以下输出：
 
-```shell
+```
 NAME        READY   STATUS    RESTARTS   AGE
 pod/redis   1/1     Running   0          8s
 
@@ -127,7 +134,7 @@ configmap/example-redis-config   1      14s
 ```
 
 <!--
-Recall that we left `redis-config` key in the `example-redis-config` ConfigMap blank: 
+Recall that we left `redis-config` key in the `example-redis-config` ConfigMap blank:
 -->
 回顾一下，我们在 `example-redis-config` ConfigMap 保留了空的 `redis-config` 键：
 
@@ -298,7 +305,7 @@ values from associated ConfigMaps. Let's delete and recreate the Pod:
 
 ```shell
 kubectl delete pod redis
-kubectl apply -f https://k8s.io/examples/pods/config/redis-pod.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/config/redis-pod.yaml
 ```
 
 <!--
@@ -363,7 +370,7 @@ kubectl delete pod/redis configmap/example-redis-config
 <!--
 * Learn more about [ConfigMaps](/docs/tasks/configure-pod-container/configure-pod-configmap/).
 -->
-* 了解有关 [ConfigMaps](/zh/docs/tasks/configure-pod-container/configure-pod-configmap/)的更多信息。
+* 了解有关 [ConfigMaps](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/) 的更多信息。
 
 
 
diff --git a/content/zh/docs/tutorials/hello-minikube.md b/content/zh-cn/docs/tutorials/hello-minikube.md
similarity index 96%
rename from content/zh/docs/tutorials/hello-minikube.md
rename to content/zh-cn/docs/tutorials/hello-minikube.md
index f9c15568c9e63..09c04dcb23744 100644
--- a/content/zh/docs/tutorials/hello-minikube.md
+++ b/content/zh-cn/docs/tutorials/hello-minikube.md
@@ -166,9 +166,9 @@ recommended way to manage the creation and scaling of Pods.
 
 ## 创建 Deployment
 
-Kubernetes [*Pod*](/zh/docs/concepts/workloads/pods/) 是由一个或多个
+Kubernetes [*Pod*](/zh-cn/docs/concepts/workloads/pods/) 是由一个或多个
 为了管理和联网而绑定在一起的容器构成的组。 本教程中的 Pod 只有一个容器。
-Kubernetes [*Deployment*](/zh/docs/concepts/workloads/controllers/deployment/)
+Kubernetes [*Deployment*](/zh-cn/docs/concepts/workloads/controllers/deployment/)
 检查 Pod 的健康状况，并在 Pod 中的容器终止的情况下重新启动新的容器。
 Deployment 是管理 Pod 创建和扩展的推荐方法。
 
@@ -247,7 +247,7 @@ For more information about `kubectl`commands, see the
 [kubectl overview](/docs/reference/kubectl/).
 -->
 {{< note >}}
-有关 `kubectl` 命令的更多信息，请参阅 [kubectl 概述](/zh/docs/reference/kubectl/)。
+有关 `kubectl` 命令的更多信息，请参阅 [kubectl 概述](/zh-cn/docs/reference/kubectl/)。
 {{< /note >}}
 
 <!--
@@ -262,7 +262,7 @@ Kubernetes [*Service*](/docs/concepts/services-networking/service/).
 
 默认情况下，Pod 只能通过 Kubernetes 集群中的内部 IP 地址访问。
 要使得 `hello-node` 容器可以从 Kubernetes 虚拟网络的外部访问，你必须将 Pod
-暴露为 Kubernetes [*Service*](/zh/docs/concepts/services-networking/service/)。
+暴露为 Kubernetes [*Service*](/zh-cn/docs/concepts/services-networking/service/)。
 
 <!--
 1. Expose the Pod to the public internet using the `kubectl expose` command:
@@ -497,7 +497,7 @@ minikube delete
 * Learn more about [Deploying applications](/docs/tasks/run-application/run-stateless-application-deployment/).
 * Learn more about [Service objects](/docs/concepts/services-networking/service/).
 -->
-* 进一步了解 [Deployment 对象](/zh/docs/concepts/workloads/controllers/deployment/)。
-* 进一步了解[部署应用](/zh/docs/tasks/run-application/run-stateless-application-deployment/)。
-* 进一步了解 [Service 对象](/zh/docs/concepts/services-networking/service/)。
+* 进一步了解 [Deployment 对象](/zh-cn/docs/concepts/workloads/controllers/deployment/)。
+* 进一步了解[部署应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)。
+* 进一步了解 [Service 对象](/zh-cn/docs/concepts/services-networking/service/)。
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/_index.html b/content/zh-cn/docs/tutorials/kubernetes-basics/_index.html
similarity index 57%
rename from content/zh/docs/tutorials/kubernetes-basics/_index.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/_index.html
index 7cf767d5af04c..7054cf6e3c675 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/_index.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/_index.html
@@ -24,15 +24,15 @@
     <div class="row">
       <div class="col-md-9">
         <h2>Kubernetes 基础</h2>
-        <p>本教程介绍了 Kubernetes 集群编排系统的基础知识。每个模块包含关于 Kubernetes 主要特性和概念的一些背景信息，并包括一个在线互动教程。这些互动教程让您可以自己管理一个简单的集群及其容器化应用程序。</p>
-        <p>使用互动教程，您可以学习：</p>
+        <p>本教程介绍了 Kubernetes 集群编排系统的基础知识。每个模块包含关于 Kubernetes 主要特性和概念的一些背景信息，并包括一个在线互动教程。这些互动教程让你可以自己管理一个简单的集群及其容器化应用程序。</p>
+        <p>使用互动教程，你可以学习：</p>
         <ul>
         <li>在集群上部署容器化应用程序</li>
         <li>弹性部署</li>
         <li>使用新的软件版本，更新容器化应用程序</li>
         <li>调试容器化应用程序</li>
         </ul>
-        <p>教程 Katacoda 在您的浏览器中运行一个虚拟终端，在浏览器中运行 Minikube，这是一个可在任何地方小规模本地部署的 Kubernetes 集群。不需要安装任何软件或进行任何配置；每个交互性教程都直接从您的网页浏览器上运行。</p>
+        <p>教程 Katacoda 在你的浏览器中运行一个虚拟终端，在浏览器中运行 Minikube，这是一个可在任何地方小规模本地部署的 Kubernetes 集群。不需要安装任何软件或进行任何配置；每个交互性教程都直接从你的网页浏览器上运行。</p>
       </div>
     </div>
 
@@ -40,8 +40,8 @@ <h2>Kubernetes 基础</h2>
 
     <div class="row">
       <div class="col-md-9">
-        <h2>Kubernetes 可以为您做些什么?</h2>
-        <p>通过现代的 Web 服务，用户希望应用程序能够 24/7 全天候使用，开发人员希望每天可以多次发布部署新版本的应用程序。 容器化可以帮助软件包达成这些目标，使应用程序能够以简单快速的方式发布和更新，而无需停机。Kubernetes 帮助您确保这些容器化的应用程序在您想要的时间和地点运行，并帮助应用程序找到它们需要的资源和工具。Kubernetes 是一个可用于生产的开源平台，根据 Google 容器集群方面积累的经验，以及来自社区的最佳实践而设计。</p>
+        <h2>Kubernetes 可以为你做些什么?</h2>
+        <p>通过现代的 Web 服务，用户希望应用程序能够 24/7 全天候使用，开发人员希望每天可以多次发布部署新版本的应用程序。 容器化可以帮助软件包达成这些目标，使应用程序能够以简单快速的方式发布和更新，而无需停机。Kubernetes 帮助你确保这些容器化的应用程序在你想要的时间和地点运行，并帮助应用程序找到它们需要的资源和工具。Kubernetes 是一个可用于生产的开源平台，根据 Google 容器集群方面积累的经验，以及来自社区的最佳实践而设计。</p>
       </div>
     </div>
 
@@ -55,25 +55,25 @@ <h2>Kubernetes 基础模块</h2>
           <div class="row">
             <div class="col-md-4">
               <div class="thumbnail">
-                <a href="/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_01.svg?v=1469803628347" alt=""></a>
+                <a href="/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_01.svg?v=1469803628347" alt=""></a>
                 <div class="caption">
-                  <a href="/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/"><h5>1. 创建一个 Kubernetes 集群</h5></a>
+                  <a href="/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/"><h5>1. 创建一个 Kubernetes 集群</h5></a>
                 </div>
               </div>
             </div>
             <div class="col-md-4">
               <div class="thumbnail">
-                <a href="/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_02.svg?v=1469803628347" alt=""></a>
+                <a href="/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_02.svg?v=1469803628347" alt=""></a>
                   <div class="caption">
-                    <a href="/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/"><h5>2. 部署应用程序</h5></a>
+                    <a href="/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/"><h5>2. 部署应用程序</h5></a>
                   </div>
               </div>
             </div>
             <div class="col-md-4">
               <div class="thumbnail">
-                <a href="/zh/docs/tutorials/kubernetes-basics/explore/explore-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_03.svg?v=1469803628347" alt=""></a>
+                <a href="/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_03.svg?v=1469803628347" alt=""></a>
                 <div class="caption">
-                  <a href="/zh/docs/tutorials/kubernetes-basics/explore/explore-intro/"><h5>3. 应用程序探索</h5></a>
+                  <a href="/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro/"><h5>3. 应用程序探索</h5></a>
                 </div>
               </div>
             </div>
@@ -83,25 +83,25 @@ <h2>Kubernetes 基础模块</h2>
           <div class="row">
             <div class="col-md-4">
               <div class="thumbnail">
-                <a href="/zh/docs/tutorials/kubernetes-basics/expose/expose-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_04.svg?v=1469803628347" alt=""></a>
+                <a href="/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_04.svg?v=1469803628347" alt=""></a>
                 <div class="caption">
-                  <a href="/zh/docs/tutorials/kubernetes-basics/expose/expose-intro/"><h5>4. 应用外部可见</h5></a>
+                  <a href="/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro/"><h5>4. 应用外部可见</h5></a>
                 </div>
               </div>
             </div>
             <div class="col-md-4">
               <div class="thumbnail">
-                <a href="/zh/docs/tutorials/kubernetes-basics/scale/scale-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_05.svg?v=1469803628347" alt=""></a>
+                <a href="/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_05.svg?v=1469803628347" alt=""></a>
                 <div class="caption">
-                  <a href="/zh/docs/tutorials/kubernetes-basics/scale/scale-intro/"><h5>5. 应用可扩展</h5></a>
+                  <a href="/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro/"><h5>5. 应用可扩展</h5></a>
                 </div>
               </div>
             </div>
             <div class="col-md-4">
               <div class="thumbnail">
-                <a href="/zh/docs/tutorials/kubernetes-basics/update/update-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_06.svg?v=1469803628347" alt=""></a>
+                <a href="/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro/"><img src="/docs/tutorials/kubernetes-basics/public/images/module_06.svg?v=1469803628347" alt=""></a>
                 <div class="caption">
-                  <a href="/zh/docs/tutorials/kubernetes-basics/update/update-intro/"><h5>6. 应用更新</h5></a>
+                  <a href="/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro/"><h5>6. 应用更新</h5></a>
                 </div>
               </div>
             </div>
diff --git a/content/zh/docs/tutorials/kubernetes-basics/create-cluster/_index.md b/content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/kubernetes-basics/create-cluster/_index.md
rename to content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/_index.md
diff --git a/content/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html b/content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
similarity index 88%
rename from content/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
index 87e0659ef89af..c472facc82826 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive.html
@@ -40,7 +40,7 @@
                 <!--
                 <a class="btn btn-lg btn-success" href="/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/" role="button">Continue to Module 2<span class="btn__next">›</span></a>
                 -->
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/" role="button">继续阅读第二单元<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/" role="button">继续阅读第二单元<span class="btn__next">›</span></a>
                 
             </div>
         </div>
diff --git a/content/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html b/content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html
similarity index 89%
rename from content/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html
index eb1d9eb7ca25f..0e3f6065009ce 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html
@@ -29,7 +29,7 @@ <h3>目标</h3>
             <div class="col-md-8">
                 <h3> Kubernetes 集群</h3>
                 <p>
-                <b> Kubernetes 协调一个高可用计算机集群，每个计算机作为独立单元互相连接工作。</b> Kubernetes 中的抽象允许您将容器化的应用部署到集群，而无需将它们绑定到某个特定的独立计算机。为了使用这种新的部署模型，应用需要以将应用与单个主机分离的方式打包：它们需要被容器化。与过去的那种应用直接以包的方式深度与主机集成的部署模型相比，容器化应用更灵活、更可用。<b> Kubernetes 以更高效的方式跨集群自动分发和调度应用容器。</b> Kubernetes 是一个开源平台，并且可应用于生产环境。
+                <b> Kubernetes 协调一个高可用计算机集群，每个计算机作为独立单元互相连接工作。</b> Kubernetes 中的抽象允许你将容器化的应用部署到集群，而无需将它们绑定到某个特定的独立计算机。为了使用这种新的部署模型，应用需要以将应用与单个主机分离的方式打包：它们需要被容器化。与过去的那种应用直接以包的方式深度与主机集成的部署模型相比，容器化应用更灵活、更可用。<b> Kubernetes 以更高效的方式跨集群自动分发和调度应用容器。</b> Kubernetes 是一个开源平台，并且可应用于生产环境。
                 </p>
                 <p>一个 Kubernetes 集群包含两种类型的资源:
                     <ul>
@@ -84,11 +84,11 @@ <h2 style="color: #3771e3;">集群图</h2>
 
         <div class="row">
             <div class="col-md-8">
-                <p>在 Kubernetes 上部署应用时，您告诉 Master 启动应用容器。 Master 就编排容器在集群的 Node 上运行。<b> Node 使用 Master 暴露的 Kubernetes API 与 Master 通信。</b>终端用户也可以使用 Kubernetes API 与集群交互。</p>
+                <p>在 Kubernetes 上部署应用时，你告诉 Master 启动应用容器。 Master 就编排容器在集群的 Node 上运行。<b> Node 使用 Master 暴露的 Kubernetes API 与 Master 通信。</b>终端用户也可以使用 Kubernetes API 与集群交互。</p>
 
-                <p> Kubernetes 既可以部署在物理机上也可以部署在虚拟机上。您可以使用 Minikube 开始部署 Kubernetes 集群。 Minikube 是一种轻量级的 Kubernetes 实现，可在本地计算机上创建 VM 并部署仅包含一个节点的简单集群。 Minikube 可用于 Linux ， macOS 和 Windows 系统。Minikube CLI 提供了用于引导集群工作的多种操作，包括启动、停止、查看状态和删除。在本教程里，您可以使用预装有 Minikube 的在线终端进行体验。</p>
+                <p> Kubernetes 既可以部署在物理机上也可以部署在虚拟机上。你可以使用 Minikube 开始部署 Kubernetes 集群。 Minikube 是一种轻量级的 Kubernetes 实现，可在本地计算机上创建 VM 并部署仅包含一个节点的简单集群。 Minikube 可用于 Linux ， macOS 和 Windows 系统。Minikube CLI 提供了用于引导集群工作的多种操作，包括启动、停止、查看状态和删除。在本教程里，你可以使用预装有 Minikube 的在线终端进行体验。</p>
 
-                <p>既然您已经知道 Kubernetes 是什么，让我们转到在线教程并启动我们的第一个 Kubernetes 集群！</p>
+                <p>既然你已经知道 Kubernetes 是什么，让我们转到在线教程并启动我们的第一个 Kubernetes 集群！</p>
 
             </div>
         </div>
@@ -96,7 +96,7 @@ <h2 style="color: #3771e3;">集群图</h2>
 
         <div class="row">
             <div class="col-md-12">
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive/" role="button"> 启动交互教程 <span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive/" role="button"> 启动交互教程 <span class="btn__next">›</span></a>
             </div>
         </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/deploy-app/_index.md b/content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/kubernetes-basics/deploy-app/_index.md
rename to content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/_index.md
diff --git a/content/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html b/content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
similarity index 87%
rename from content/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
index fbb85aeb4cb39..de3512a5bafde 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive.html
@@ -33,7 +33,7 @@
         <div class="row">
             <div class="col-md-12">
                 <!-- <a class="btn btn-lg btn-success" href="/docs/tutorials/kubernetes-basics/explore/explore-intro/" role="button">Continue to Module 3<span class="btn__next">›</span></a> -->
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/explore/explore-intro/" role="button">继续阅读第3单元<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro/" role="button">继续阅读第3单元<span class="btn__next">›</span></a>
             </div>
         </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html b/content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
similarity index 88%
rename from content/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
index cf44c3f5d5072..348deda8c98b0 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro.html
@@ -41,11 +41,11 @@ <h3>Kubernetes 部署</h3>
                 </p> -->
                 <p>
                   一旦运行了 Kubernetes 集群，就可以在其上部署容器化应用程序。
-                  为此，您需要创建 Kubernetes <b> Deployment </b>配置。Deployment 指挥 Kubernetes 如何创建和更新应用程序的实例。创建 Deployment 后，Kubernetes master 将应用程序实例调度到集群中的各个节点上。
+                  为此，你需要创建 Kubernetes <b> Deployment </b>配置。Deployment 指挥 Kubernetes 如何创建和更新应用程序的实例。创建 Deployment 后，Kubernetes master 将应用程序实例调度到集群中的各个节点上。
                   </p>
 
                 <!-- <p>Once the application instances are created, a Kubernetes Deployment Controller continuously monitors those instances. If the Node hosting an instance goes down or is deleted, the Deployment controller replaces the instance with an instance on another Node in the cluster. <b>This provides a self-healing mechanism to address machine failure or maintenance.</b></p> -->
-                <p>创建应用程序实例后，Kubernetes Deployment 控制器会持续监视这些实例。 如果托管实例的节点关闭或被删除，则 Deployment 控制器会将该实例替换为群集中另一个节点上的实例。 <b>这提供了一种自我修复机制来解决机器故障维护问题。</b></p>
+                <p>创建应用程序实例后，Kubernetes Deployment 控制器会持续监视这些实例。 如果托管实例的节点关闭或被删除，则 Deployment 控制器会将该实例替换为集群中另一个节点上的实例。 <b>这提供了一种自我修复机制来解决机器故障维护问题。</b></p>
 
                 <!-- <p>In a pre-orchestration world, installation scripts would often be used to start applications, but they did not allow recovery from machine failure.  By both creating your application instances and keeping them running across Nodes, Kubernetes Deployments provide a fundamentally different approach to application management. </p> -->
                 <p>在没有 Kubernetes 这种编排系统之前，安装脚本通常用于启动应用程序，但它们不允许从机器故障中恢复。通过创建应用程序实例并使它们在节点之间运行， Kubernetes Deployments 提供了一种与众不同的应用程序管理方法。</p>
@@ -91,10 +91,10 @@ <h2 style="color: #3771e3;">部署你在 Kubernetes 上的第一个应用程序<
             <div class="col-md-8">
 
                 <!-- <p>You can create and manage a Deployment by using the Kubernetes command line interface, <b>Kubectl</b>. Kubectl uses the Kubernetes API to interact with the cluster. In this module, you'll learn the most common Kubectl commands needed to create Deployments that run your applications on a Kubernetes cluster.</p> -->
-                <p>您可以使用 Kubernetes 命令行界面 <b>Kubectl</b> 创建和管理 Deployment。Kubectl 使用 Kubernetes API 与集群进行交互。在本单元中，您将学习创建在 Kubernetes 集群上运行应用程序的 Deployment 所需的最常见的 Kubectl 命令。</p>
+                <p>你可以使用 Kubernetes 命令行界面 <b>Kubectl</b> 创建和管理 Deployment。Kubectl 使用 Kubernetes API 与集群进行交互。在本单元中，你将学习创建在 Kubernetes 集群上运行应用程序的 Deployment 所需的最常见的 Kubectl 命令。</p>
 
                 <!-- <p>When you create a Deployment, you'll need to specify the container image for your application and the number of replicas that you want to run. You can change that information later by updating your Deployment; Modules <a href="/docs/tutorials/kubernetes-basics/scale-intro/">5</a> and <a href="/docs/tutorials/kubernetes-basics/update-intro/">6</a> of the bootcamp discuss how you can scale and update your Deployments.</p> -->
-                <p>创建 Deployment 时，您需要指定应用程序的容器映像以及要运行的副本数。您可以稍后通过更新 Deployment 来更改该信息; 模块 <a href="/zh/docs/tutorials/kubernetes-basics/scale-intro/">5</a> 和 <a href="/zh/docs/tutorials/kubernetes-basics/update-intro/">6</a> 讨论了如何扩展和更新 Deployments。</p>
+                <p>创建 Deployment 时，你需要指定应用程序的容器映像以及要运行的副本数。你可以稍后通过更新 Deployment 来更改该信息; 模块 <a href="/zh-cn/docs/tutorials/kubernetes-basics/scale-intro/">5</a> 和 <a href="/zh-cn/docs/tutorials/kubernetes-basics/update-intro/">6</a> 讨论了如何扩展和更新 Deployments。</p>
 
             </div>
             <div class="col-md-4">
@@ -115,16 +115,16 @@ <h2 style="color: #3771e3;">部署你在 Kubernetes 上的第一个应用程序<
                 <p>Now that you know what Deployments are, let's go to the online tutorial and deploy our first app!</p> -->
                 <p>对于我们的第一次部署，我们将使用打包在 Docker 容器中的 Node.js 应用程序。
                     要创建 Node.js 应用程序并部署 Docker 容器，请按照
-                    <a href="/zh/docs/tutorials/hello-minikube/">你好 Minikube 教程</a>.</p>
+                    <a href="/zh-cn/docs/tutorials/hello-minikube/">你好 Minikube 教程</a>.</p>
 
-                <p>现在您已经了解了 Deployment 的内容，让我们转到在线教程并部署我们的第一个应用程序！</p>
+                <p>现在你已经了解了 Deployment 的内容，让我们转到在线教程并部署我们的第一个应用程序！</p>
             </div>
         </div>
         <br>
 
         <div class="row">
             <div class="col-md-12">
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/" role="button">开始交互式教程 <span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/" role="button">开始交互式教程 <span class="btn__next">›</span></a>
             </div>
         </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/explore/_index.md b/content/zh-cn/docs/tutorials/kubernetes-basics/explore/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/kubernetes-basics/explore/_index.md
rename to content/zh-cn/docs/tutorials/kubernetes-basics/explore/_index.md
diff --git a/content/zh/docs/tutorials/kubernetes-basics/explore/explore-interactive.html b/content/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
similarity index 86%
rename from content/zh/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
index 5e469b8a5a965..c4ce2e4baad66 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-interactive.html
@@ -42,7 +42,7 @@
         </div>
         <div class="row">
             <div class="col-md-12">
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/expose/expose-intro/" role="button">继续阅读第4单元<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro/" role="button">继续阅读第4单元<span class="btn__next">›</span></a>
             </div>
         </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/explore/explore-intro.html b/content/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro.html
similarity index 89%
rename from content/zh/docs/tutorials/kubernetes-basics/explore/explore-intro.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro.html
index 2a756d9d551aa..d7d507f2d29fa 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/explore/explore-intro.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro.html
@@ -43,7 +43,7 @@ <h2>Kubernetes Pods</h2>
 <!--
         <p>When you created a Deployment in Module <a href="/docs/tutorials/kubernetes-basics/deploy-intro/">2</a>, Kubernetes created a <b>Pod</b> to host your application instance. A Pod is a Kubernetes abstraction that represents a group of one or more application containers (such as Docker), and some shared resources for those containers. Those resources include:</p>
 -->
-        <p>在模块 <a href="/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/">2</a>创建 Deployment 时, Kubernetes 添加了一个 <b>Pod</b> 来托管你的应用实例。Pod 是 Kubernetes 抽象出来的，表示一组一个或多个应用程序容器（如 Docker），以及这些容器的一些共享资源。这些资源包括:</p>
+        <p>在模块 <a href="/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/">2</a>创建 Deployment 时, Kubernetes 添加了一个 <b>Pod</b> 来托管你的应用实例。Pod 是 Kubernetes 抽象出来的，表示一组一个或多个应用程序容器（如 Docker），以及这些容器的一些共享资源。这些资源包括:</p>
 <!--
         <ul>
           <li>Shared storage, as Volumes</li>
@@ -63,7 +63,7 @@ <h2>Kubernetes Pods</h2>
 <!--
         <p>Pods are the atomic unit on the Kubernetes platform. When we create a Deployment on Kubernetes, that Deployment creates Pods with containers inside them (as opposed to creating containers directly). Each Pod is tied to the Node where it is scheduled, and remains there until termination (according to restart policy) or deletion. In case of a Node failure, identical Pods are scheduled on other available Nodes in the cluster.</p>
 -->
-        <p>Pod是 Kubernetes 平台上的原子单元。 当我们在 Kubernetes 上创建 Deployment 时，该 Deployment 会在其中创建包含容器的 Pod （而不是直接创建容器）。每个 Pod 都与调度它的工作节点绑定，并保持在那里直到终止（根据重启策略）或删除。 如果工作节点发生故障，则会在群集中的其他可用工作节点上调度相同的 Pod。</p>
+        <p>Pod是 Kubernetes 平台上的原子单元。 当我们在 Kubernetes 上创建 Deployment 时，该 Deployment 会在其中创建包含容器的 Pod （而不是直接创建容器）。每个 Pod 都与调度它的工作节点绑定，并保持在那里直到终止（根据重启策略）或删除。 如果工作节点发生故障，则会在集群中的其他可用工作节点上调度相同的 Pod。</p>
 
       </div>
       <div class="col-md-4">
@@ -124,7 +124,7 @@ <h2>Nodes</h2>
         </ul>
 -->
         <h2>工作节点</h2>
-        <p>一个 pod 总是运行在 <b>工作节点</b>。工作节点是 Kubernetes 中的参与计算的机器，可以是虚拟机或物理计算机，具体取决于集群。每个工作节点由主节点管理。工作节点可以有多个 pod ，Kubernetes 主节点会自动处理在群集中的工作节点上调度 pod 。 主节点的自动调度考量了每个工作节点上的可用资源。</p>
+        <p>一个 pod 总是运行在 <b>工作节点</b>。工作节点是 Kubernetes 中的参与计算的机器，可以是虚拟机或物理计算机，具体取决于集群。每个工作节点由主节点管理。工作节点可以有多个 pod ，Kubernetes 主节点会自动处理在集群中的工作节点上调度 pod 。 主节点的自动调度考量了每个工作节点上的可用资源。</p>
 
         <p>每个 Kubernetes 工作节点至少运行:</p>
         <ul>
@@ -169,7 +169,7 @@ <h2>使用 kubectl 进行故障排除</h2>
 <!--
         <p>In Module <a href="/docs/tutorials/kubernetes-basics/deploy/deploy-intro/">2</a>, you used Kubectl command-line interface. You'll continue to use it in Module 3 to get information about deployed applications and their environments. The most common operations can be done with the following kubectl commands:</p>
 -->
-        <p>在模块 <a href="/zh/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/">2</a>,您使用了 Kubectl 命令行界面。 您将继续在第3单元中使用它来获取有关已部署的应用程序及其环境的信息。 最常见的操作可以使用以下 kubectl 命令完成：</p>
+        <p>在模块 <a href="/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/">2</a>,你使用了 Kubectl 命令行界面。 你将继续在第3单元中使用它来获取有关已部署的应用程序及其环境的信息。 最常见的操作可以使用以下 kubectl 命令完成：</p>
 <!--
         <ul>
           <li><b>kubectl get</b> - list resources</li>
@@ -187,7 +187,7 @@ <h2>使用 kubectl 进行故障排除</h2>
 <!--
         <p>You can use these commands to see when applications were deployed, what their current statuses are, where they are running and what their configurations are.</p>
 -->
-        <p>您可以使用这些命令查看应用程序的部署时间，当前状态，运行位置以及配置。</p>
+        <p>你可以使用这些命令查看应用程序的部署时间，当前状态，运行位置以及配置。</p>
 <!--
         <p>Now that we know more about our cluster components and the command line, let's explore our application.</p>
 -->
@@ -199,7 +199,7 @@ <h2>使用 kubectl 进行故障排除</h2>
 <!--
           <p><i> A node is a worker machine in Kubernetes and may be a VM or physical machine, depending on the cluster. Multiple Pods can run on one Node. </i></p>
 -->
-          <p><i>工作节点是 Kubernetes 中的负责计算的机器，可能是VM或物理计算机，具体取决于群集。多个 Pod 可以在一个工作节点上运行。 </i></p>
+          <p><i>工作节点是 Kubernetes 中的负责计算的机器，可能是VM或物理计算机，具体取决于集群。多个 Pod 可以在一个工作节点上运行。 </i></p>
         </div>
       </div>
     </div>
@@ -210,7 +210,7 @@ <h2>使用 kubectl 进行故障排除</h2>
 <!--
         <a class="btn btn-lg btn-success" href="/docs/tutorials/kubernetes-basics/explore/explore-interactive/" role="button">Start Interactive Tutorial <span class="btn__next">›</span></a>
 -->
-        <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/explore/explore-interactive/" role="button"> 开始交互式教程 <span class="btn__next">›</span></a>
+        <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-interactive/" role="button"> 开始交互式教程 <span class="btn__next">›</span></a>
       </div>
     </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/expose/_index.md b/content/zh-cn/docs/tutorials/kubernetes-basics/expose/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/kubernetes-basics/expose/_index.md
rename to content/zh-cn/docs/tutorials/kubernetes-basics/expose/_index.md
diff --git a/content/zh/docs/tutorials/kubernetes-basics/expose/expose-interactive.html b/content/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
similarity index 86%
rename from content/zh/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
index 6e3f84b6cf519..f222991cca253 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-interactive.html
@@ -38,7 +38,7 @@
         </div>
         <div class="row">
             <div class="col-md-12">
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/scale/scale-intro/" role="button">继续阅读第5单元<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro/" role="button">继续阅读第5单元<span class="btn__next">›</span></a>
             </div>
         </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/expose/expose-intro.html b/content/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro.html
similarity index 82%
rename from content/zh/docs/tutorials/kubernetes-basics/expose/expose-intro.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro.html
index b3ce1cbc33200..a4484c6139900 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/expose/expose-intro.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro.html
@@ -1,6 +1,6 @@
 ---
 <!--title: Using a Service to Expose Your App-->
-title: 使用 Service 暴露您的应用
+title: 使用 Service 暴露你的应用
 weight: 10
 ---
 
@@ -35,13 +35,13 @@ <h3>目标</h3>
         <h3>Kubernetes Service 总览</h3>
 
 <!--        <p>Kubernetes <a href="/docs/concepts/workloads/pods/pod-overview/">Pods</a> are mortal. Pods in fact have a <a href="/docs/concepts/workloads/pods/pod-lifecycle/">lifecycle</a>. When a worker node dies, the Pods running on the Node are also lost. A <a href="/docs/concepts/workloads/controllers/replicaset/">ReplicaSet</a> might then dynamically drive the cluster back to desired state via creation of new Pods to keep your application running. As another example, consider an image-processing backend with 3 replicas. Those replicas are exchangeable; the front-end system should not care about backend replicas or even if a Pod is lost and recreated. That said, each Pod in a Kubernetes cluster has a unique IP address, even Pods on the same Node, so there needs to be a way of automatically reconciling changes among Pods so that your applications continue to function.</p>-->
-        <p> Kubernetes <a href="/zh/docs/concepts/workloads/pods/">Pod</a> 是转瞬即逝的。 Pod 实际上拥有 <a href="/zh/docs/concepts/workloads/pods/pod-lifecycle/">生命周期</a>。 当一个工作 Node 挂掉后, 在 Node 上运行的 Pod 也会消亡。 <a href="/zh/docs/concepts/workloads/controllers/replicaset/">ReplicaSet</a> 会自动地通过创建新的 Pod 驱动集群回到目标状态，以保证应用程序正常运行。 换一个例子，考虑一个具有3个副本数的用作图像处理的后端程序。这些副本是可替换的; 前端系统不应该关心后端副本，即使 Pod 丢失或重新创建。也就是说，Kubernetes 集群中的每个 Pod (即使是在同一个 Node 上的 Pod )都有一个唯一的 IP 地址，因此需要一种方法自动协调 Pod 之间的变更，以便应用程序保持运行。</p>
+        <p> Kubernetes <a href="/zh-cn/docs/concepts/workloads/pods/">Pod</a> 是转瞬即逝的。 Pod 实际上拥有 <a href="/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/">生命周期</a>。 当一个工作 Node 挂掉后, 在 Node 上运行的 Pod 也会消亡。 <a href="/zh-cn/docs/concepts/workloads/controllers/replicaset/">ReplicaSet</a> 会自动地通过创建新的 Pod 驱动集群回到目标状态，以保证应用程序正常运行。 换一个例子，考虑一个具有3个副本数的用作图像处理的后端程序。这些副本是可替换的; 前端系统不应该关心后端副本，即使 Pod 丢失或重新创建。也就是说，Kubernetes 集群中的每个 Pod (即使是在同一个 Node 上的 Pod )都有一个唯一的 IP 地址，因此需要一种方法自动协调 Pod 之间的变更，以便应用程序保持运行。</p>
 
 <!--        <p>A Service in Kubernetes is an abstraction which defines a logical set of Pods and a policy by which to access them. Services enable a loose coupling between dependent Pods. A Service is defined using YAML <a href="/docs/concepts/configuration/overview/#general-configuration-tips">(preferred)</a> or JSON, like all Kubernetes objects. The set of Pods targeted by a Service is usually determined by a <i>LabelSelector</i> (see below for why you might want a Service without including <code>selector</code> in the spec).</p>-->
-        <p> Kubernetes 中的服务(Service)是一种抽象概念，它定义了 Pod 的逻辑集和访问 Pod 的协议。Service 使从属 Pod 之间的松耦合成为可能。 和其他 Kubernetes 对象一样, Service 用 YAML <a href="/zh/docs/concepts/configuration/overview/#general-configuration-tips">(更推荐)</a> 或者 JSON 来定义. Service 下的一组 Pod 通常由 <i>LabelSelector</i> (请参阅下面的说明为什么您可能想要一个 spec 中不包含<code>selector</code>的服务)来标记。</p>
+        <p> Kubernetes 中的服务(Service)是一种抽象概念，它定义了 Pod 的逻辑集和访问 Pod 的协议。Service 使从属 Pod 之间的松耦合成为可能。 和其他 Kubernetes 对象一样, Service 用 YAML <a href="/zh-cn/docs/concepts/configuration/overview/#general-configuration-tips">(更推荐)</a> 或者 JSON 来定义. Service 下的一组 Pod 通常由 <i>LabelSelector</i> (请参阅下面的说明为什么你可能想要一个 spec 中不包含<code>selector</code>的服务)来标记。</p>
 
 <!--        <p>Although each Pod has a unique IP address, those IPs are not exposed outside the cluster without a Service. Services allow your applications to receive traffic. Services can be exposed in different ways by specifying a <code>type</code> in the ServiceSpec:</p>-->
-        <p>尽管每个 Pod 都有一个唯一的 IP 地址，但是如果没有 Service ，这些 IP 不会暴露在集群外部。Service 允许您的应用程序接收流量。Service 也可以用在 ServiceSpec 标记<code>type</code>的方式暴露</p>
+        <p>尽管每个 Pod 都有一个唯一的 IP 地址，但是如果没有 Service ，这些 IP 不会暴露在集群外部。Service 允许你的应用程序接收流量。Service 也可以用在 ServiceSpec 标记<code>type</code>的方式暴露</p>
 			<ul>
 <!--        <li><i>ClusterIP</i> (default) - Exposes the Service on an internal IP in the cluster. This type makes the Service only reachable from within the cluster.</li>-->
 <!--        <li><i>NodePort</i> - Exposes the Service on the same port of each selected Node in the cluster using NAT. Makes a Service accessible from outside the cluster using <code>&lt;NodeIP&gt;:&lt;NodePort&gt;</code>. Superset of ClusterIP.</li>-->
@@ -53,9 +53,9 @@ <h3>Kubernetes Service 总览</h3>
 				<li><i>ExternalName</i> - 通过返回带有该名称的 CNAME 记录，使用任意名称(由 spec 中的<code>externalName</code>指定)公开 Service。不使用代理。这种类型需要<code>kube-dns</code>的v1.7或更高版本。</li>
 			</ul>
 <!--        <p>More information about the different types of Services can be found in the <a href="/docs/tutorials/services/source-ip/">Using Source IP</a> tutorial. Also see <a href="/docs/concepts/services-networking/connect-applications-service">Connecting Applications with Services</a>.</p>-->
-        <p>更多关于不同 Service 类型的信息可以在<a href="/zh/docs/tutorials/services/source-ip/">使用源 IP </a> 教程。 也请参阅 <a href="/zh/docs/concepts/services-networking/connect-applications-service">连接应用程序和 Service </a>。</p>
+        <p>更多关于不同 Service 类型的信息可以在<a href="/zh-cn/docs/tutorials/services/source-ip/">使用源 IP </a> 教程。 也请参阅 <a href="/zh-cn/docs/concepts/services-networking/connect-applications-service">连接应用程序和 Service </a>。</p>
 <!--        <p>Additionally, note that there are some use cases with Services that involve not defining <code>selector</code> in the spec. A Service created without <code>selector</code> will also not create the corresponding Endpoints object. This allows users to manually map a Service to specific endpoints. Another possibility why there may be no selector is you are strictly using <code>type: ExternalName</code>.</p>-->
-        <p>另外，需要注意的是有一些 Service 的用例没有在 spec 中定义<code>selector</code>。 一个没有<code>selector</code>创建的 Service 也不会创建相应的端点对象。这允许用户手动将服务映射到特定的端点。没有 selector 的另一种可能是您严格使用<code>type: ExternalName</code>来标记。</p>
+        <p>另外，需要注意的是有一些 Service 的用例没有在 spec 中定义<code>selector</code>。 一个没有<code>selector</code>创建的 Service 也不会创建相应的端点对象。这允许用户手动将服务映射到特定的端点。没有 selector 的另一种可能是你严格使用<code>type: ExternalName</code>来标记。</p>
 			</div>
 			<div class="col-md-4">
 				<div class="content__box content__box_lined">
@@ -95,7 +95,7 @@ <h3>Service 和 Label</h3>
 <!--        <p>A Service routes traffic across a set of Pods. Services are the abstraction that allow pods to die and replicate in Kubernetes without impacting your application. Discovery and routing among dependent Pods (such as the frontend and backend components in an application) is handled by Kubernetes Services.</p>-->
         <p>Service 通过一组 Pod 路由通信。Service 是一种抽象，它允许 Pod 死亡并在 Kubernetes 中复制，而不会影响应用程序。在依赖的 Pod (如应用程序中的前端和后端组件)之间进行发现和路由是由Kubernetes Service 处理的。</p>
 <!--        <p>Services match a set of Pods using <a href="/docs/concepts/overview/working-with-objects/labels">labels and selectors</a>, a grouping primitive that allows logical operation on objects in Kubernetes. Labels are key/value pairs attached to objects and can be used in any number of ways:</p>-->
-        <p>Service 匹配一组 Pod 是使用 <a href="/zh/docs/concepts/overview/working-with-objects/labels">标签(Label)和选择器(Selector)</a>, 它们是允许对 Kubernetes 中的对象进行逻辑操作的一种分组原语。标签(Label)是附加在对象上的键/值对，可以以多种方式使用:</p>
+        <p>Service 匹配一组 Pod 是使用 <a href="/zh-cn/docs/concepts/overview/working-with-objects/labels">标签(Label)和选择器(Selector)</a>, 它们是允许对 Kubernetes 中的对象进行逻辑操作的一种分组原语。标签(Label)是附加在对象上的键/值对，可以以多种方式使用:</p>
 				<ul>
 <!--          <li>Designate objects for development, test, and production</li>-->
 <!--          <li>Embed version tags</li>-->
@@ -132,7 +132,7 @@ <h3>Service 和 Label</h3>
 		<div class="row">
 			<div class="col-md-12">
 <!--        <a class="btn btn-lg btn-success" href="/docs/tutorials/kubernetes-basics/expose/expose-interactive/" role="button">Start Interactive Tutorial<span class="btn__next">›</span></a>-->
-        <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/expose/expose-interactive/" role="button">开始交互式教程<span class="btn__next">›</span></a>
+        <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-interactive/" role="button">开始交互式教程<span class="btn__next">›</span></a>
 			</div>
 		</div>
 	</main>
diff --git a/content/zh/docs/tutorials/kubernetes-basics/scale/_index.md b/content/zh-cn/docs/tutorials/kubernetes-basics/scale/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/kubernetes-basics/scale/_index.md
rename to content/zh-cn/docs/tutorials/kubernetes-basics/scale/_index.md
diff --git a/content/zh/docs/tutorials/kubernetes-basics/scale/scale-interactive.html b/content/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
similarity index 85%
rename from content/zh/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
index 14ae3cdbad51c..39a71a889daf0 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-interactive.html
@@ -34,7 +34,7 @@
         </div>
         <div class="row">
             <div class="col-md-12">
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/update/update-intro/" role="button"><!--Continue to Module 6-->继续参阅第6单元<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro/" role="button"><!--Continue to Module 6-->继续参阅第6单元<span class="btn__next">›</span></a>
             </div>
         </div>
     
diff --git a/content/zh/docs/tutorials/kubernetes-basics/scale/scale-intro.html b/content/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro.html
similarity index 89%
rename from content/zh/docs/tutorials/kubernetes-basics/scale/scale-intro.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro.html
index 65249f65176e4..16facbe62ec12 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/scale/scale-intro.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro.html
@@ -33,7 +33,7 @@ <h3>扩缩应用程序</h3>
 						<!-- <p>In the previous modules we created a <a href="/docs/concepts/workloads/controllers/deployment/"> Deployment</a>,
 							and then exposed it publicly via a <a href="/docs/concepts/services-networking/service/">Service</a>.
 							The Deployment created only one Pod for running our application.  When traffic increases, we will need to scale the application to keep up with  user demand.</p> -->
-						<p>在之前的模块中，我们创建了一个 <a href="/zh/docs/concepts/workloads/controllers/deployment/"> Deployment</a>，然后通过 <a href="/zh/docs/concepts/services-networking/service/">Service</a>让其可以开放访问。Deployment 仅为跑这个应用程序创建了一个 Pod。 当流量增加时，我们需要扩容应用程序满足用户需求。</p>
+						<p>在之前的模块中，我们创建了一个 <a href="/zh-cn/docs/concepts/workloads/controllers/deployment/"> Deployment</a>，然后通过 <a href="/zh-cn/docs/concepts/services-networking/service/">Service</a>让其可以开放访问。Deployment 仅为跑这个应用程序创建了一个 Pod。 当流量增加时，我们需要扩容应用程序满足用户需求。</p>
 
 						<!-- <p><b>Scaling</b> is accomplished by changing the number of replicas in a Deployment</p> -->
 						<p><b>扩缩</b> 是通过改变 Deployment 中的副本数量来实现的。</p>
@@ -99,7 +99,7 @@ <h2 style="color: #3771e3;">扩缩概述</h2>
 
                 <!-- <p>Scaling out a Deployment will ensure new Pods are created and scheduled to Nodes with available resources. Scaling in will reduce the number of Pods to the new desired state. Kubernetes also supports
 									<a href="/docs/user-guide/horizontal-pod-autoscaling/">autoscaling</a> of Pods, but it is outside of the scope of this tutorial. Scaling to zero is also possible, and it will terminate all Pods of the specified Deployment.</p> -->
-								<p>扩展 Deployment 将创建新的 Pods，并将资源调度请求分配到有可用资源的节点上，收缩 会将 Pods 数量减少至所需的状态。Kubernetes 还支持 Pods 的<a href="/zh/docs/tasks/run-application/horizontal-pod-autoscale/">自动缩放</a>，但这并不在本教程的讨论范围内。将 Pods 数量收缩到0也是可以的，但这会终止 Deployment 上所有已经部署的 Pods。</p>
+								<p>扩展 Deployment 将创建新的 Pods，并将资源调度请求分配到有可用资源的节点上，收缩 会将 Pods 数量减少至所需的状态。Kubernetes 还支持 Pods 的<a href="/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/">自动缩放</a>，但这并不在本教程的讨论范围内。将 Pods 数量收缩到0也是可以的，但这会终止 Deployment 上所有已经部署的 Pods。</p>
 
 								<!-- <p>Running multiple instances of an application will require a way to distribute the traffic to all of them. Services have an integrated load-balancer that will distribute network traffic to all Pods of an exposed Deployment.
 									Services will monitor continuously the running Pods using endpoints, to ensure the traffic is sent only to available Pods.</p> -->
@@ -127,7 +127,7 @@ <h2 style="color: #3771e3;">扩缩概述</h2>
         <div class="row">
             <div class="col-md-12">
 								<!-- <a class="btn btn-lg btn-success" href="/docs/tutorials/kubernetes-basics/scale/scale-interactive/" role="button">Start Interactive Tutorial <span class="btn__next">›</span></a> -->
-								<a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/scale/scale-interactive/" role="button">开始互动教程 <span class="btn__next">›</span></a>
+								<a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-interactive/" role="button">开始互动教程 <span class="btn__next">›</span></a>
             </div>
         </div>
 
diff --git a/content/zh/docs/tutorials/kubernetes-basics/update/_index.md b/content/zh-cn/docs/tutorials/kubernetes-basics/update/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/kubernetes-basics/update/_index.md
rename to content/zh-cn/docs/tutorials/kubernetes-basics/update/_index.md
diff --git a/content/zh/docs/tutorials/kubernetes-basics/update/update-interactive.html b/content/zh-cn/docs/tutorials/kubernetes-basics/update/update-interactive.html
similarity index 86%
rename from content/zh/docs/tutorials/kubernetes-basics/update/update-interactive.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/update/update-interactive.html
index 9befc40bd767f..e736e54638d72 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/update/update-interactive.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/update/update-interactive.html
@@ -32,7 +32,7 @@
         </div>
         <div class="row">
             <div class="col-md-12">
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/" role="button">回到 Kubernetes 的基础<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/" role="button">回到 Kubernetes 的基础<span class="btn__next">›</span></a>
             </div>
         </div>
     </main>
diff --git a/content/zh/docs/tutorials/kubernetes-basics/update/update-intro.html b/content/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro.html
similarity index 97%
rename from content/zh/docs/tutorials/kubernetes-basics/update/update-intro.html
rename to content/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro.html
index 8f53c752c3e4e..6d25312eaca31 100644
--- a/content/zh/docs/tutorials/kubernetes-basics/update/update-intro.html
+++ b/content/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro.html
@@ -177,7 +177,7 @@ <h2 style="color: #3771e3;">滚动更新概述</h2>
                 <!--
                 <a class="btn btn-lg btn-success" href="/docs/tutorials/kubernetes-basics/update/update-interactive/" role="button">Start Interactive Tutorial <span class="btn__next">›</span></a>
                 -->
-                <a class="btn btn-lg btn-success" href="/zh/docs/tutorials/kubernetes-basics/update/update-interactive/" role="button">启动交互教程<span class="btn__next">›</span></a>
+                <a class="btn btn-lg btn-success" href="/zh-cn/docs/tutorials/kubernetes-basics/update/update-interactive/" role="button">启动交互教程<span class="btn__next">›</span></a>
                 
             </div>
         </div>
diff --git a/content/zh/docs/tutorials/security/_index.md b/content/zh-cn/docs/tutorials/security/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/security/_index.md
rename to content/zh-cn/docs/tutorials/security/_index.md
diff --git a/content/zh/docs/tutorials/security/apparmor.md b/content/zh-cn/docs/tutorials/security/apparmor.md
similarity index 98%
rename from content/zh/docs/tutorials/security/apparmor.md
rename to content/zh-cn/docs/tutorials/security/apparmor.md
index f287bc61c90e7..00048de976112 100644
--- a/content/zh/docs/tutorials/security/apparmor.md
+++ b/content/zh-cn/docs/tutorials/security/apparmor.md
@@ -487,7 +487,7 @@ Kubernetes 目前不提供任何本地机制来将 AppArmor 配置文件加载
   [Example](#example). 
 -->
 * 通过在每个节点上运行 Pod 的
-  [DaemonSet](/zh/docs/concepts/workloads/controllers/daemonset/)来确保加载了正确的配置文件。
+  [DaemonSet](/zh-cn/docs/concepts/workloads/controllers/daemonset/)来确保加载了正确的配置文件。
   可以在[这里](https://git.k8s.io/kubernetes/test/images/apparmor-loader)找到实现示例。
 * 在节点初始化时，使用节点初始化脚本(例如 Salt、Ansible 等)或镜像。
 * 通过将配置文件复制到每个节点并通过 SSH 加载它们，如[示例](#example)。
@@ -501,7 +501,7 @@ node with the required profile.
 -->
 调度程序不知道哪些配置文件加载到哪个节点上，因此必须将全套配置文件加载到每个节点上。
 另一种方法是为节点上的每个配置文件（或配置文件类）添加节点标签，
-并使用[节点选择器](/zh/docs/concepts/configuration/assign-pod-node/)确保
+并使用[节点选择器](/zh-cn/docs/concepts/configuration/assign-pod-node/)确保
 Pod 在具有所需配置文件的节点上运行。
 
 <!-- ### Restricting profiles with the PodSecurityPolicy -->
@@ -513,14 +513,14 @@ PodSecurityPolicy is deprecated in Kubernetes v1.21, and will be removed in v1.2
 See [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation for more information.
 -->
 PodSecurityPolicy 在 Kubernetes v1.21 版本中已被废弃，将在 v1.25 版本移除。
-查看 [PodSecurityPolicy](/zh/docs/concepts/security/pod-security-policy/) 文档获取更多信息。
+查看 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/) 文档获取更多信息。
 {{< /note >}}
 
 <!-- 
 If the PodSecurityPolicy extension is enabled, cluster-wide AppArmor restrictions can be applied. To
 enable the PodSecurityPolicy, the following flag must be set on the `apiserver`: 
 -->
-如果启用了 PodSecurityPolicy 扩展，则可以应用群集范围的 AppArmor 限制。
+如果启用了 PodSecurityPolicy 扩展，则可以应用集群范围的 AppArmor 限制。
 要启用 PodSecurityPolicy，必须在 `apiserver` 上设置以下标志：
 
 ```
diff --git a/content/zh/docs/tutorials/security/cluster-level-pss.md b/content/zh-cn/docs/tutorials/security/cluster-level-pss.md
similarity index 95%
rename from content/zh/docs/tutorials/security/cluster-level-pss.md
rename to content/zh-cn/docs/tutorials/security/cluster-level-pss.md
index 714bbca1f79bf..2660631a2df08 100644
--- a/content/zh/docs/tutorials/security/cluster-level-pss.md
+++ b/content/zh-cn/docs/tutorials/security/cluster-level-pss.md
@@ -29,12 +29,12 @@ To apply Pod Security Standards to specific namespaces, refer to [Apply Pod Secu
 Pod 安全准入（PSA）在 v1.23 及更高版本默认启用，
 因为它[升级到测试版（beta）](/blog/2021/12/09/pod-security-admission-beta/)。
 Pod 安全准入是在创建 Pod 时应用
-[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)的准入控制器。
+[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)的准入控制器。
 本教程将向你展示如何在集群级别实施 `baseline` Pod 安全标准，
 该标准将标准配置应用于集群中的所有名称空间。
 
 要将 Pod 安全标准应用于特定名字空间，
-请参阅[在名字空间级别应用 Pod 安全标准](/zh/docs/tutorials/security/ns-level-pss)。
+请参阅[在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss)。
 
 ## {{% heading "prerequisites" %}}
 <!-- 
@@ -60,9 +60,9 @@ that are most appropriate for your configuration, do the following:
 -->
 ## 正确选择要应用的 Pod 安全标准  {#choose-the-right-pod-security-standard-to-apply}
 
-[Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)
+[Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)
 允许你使用以下模式应用内置的
-[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/):
+[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/):
 `enforce`、`audit` 和 `warn`。
 
 要收集信息以便选择最适合你的配置的 Pod 安全标准，请执行以下操作：
@@ -431,7 +431,7 @@ created.
 - [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
 - [Apply Pod Security Standards at the namespace level](/docs/tutorials/security/ns-level-pss/)
 -->
-- 运行一个 [shell 脚本](/zh/examples/security/kind-with-cluster-level-baseline-pod-security.sh)
+- 运行一个 [shell 脚本](/zh-cn/examples/security/kind-with-cluster-level-baseline-pod-security.sh)
   一次执行前面的所有步骤：
   1. 创建一个基于 Pod 安全标准的集群级别配置
   2. 创建一个文件让 API 服务器消费这个配置
@@ -439,6 +439,6 @@ created.
   4. 设置 kubectl 上下文为这个新集群
   5. 创建一个最小的 Pod yaml 文件
   6. 应用这个文件，在新集群中创建一个 Pod
-- [Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)
-- [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)
-- [在名字空间级别应用 Pod 安全标准](/zh/docs/tutorials/security/ns-level-pss/)
\ No newline at end of file
+- [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)
+- [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
+- [在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss/)
\ No newline at end of file
diff --git a/content/zh/docs/tutorials/security/ns-level-pss.md b/content/zh-cn/docs/tutorials/security/ns-level-pss.md
similarity index 94%
rename from content/zh/docs/tutorials/security/ns-level-pss.md
rename to content/zh-cn/docs/tutorials/security/ns-level-pss.md
index ae7350d9c048e..ef3ea47a23c1b 100644
--- a/content/zh/docs/tutorials/security/ns-level-pss.md
+++ b/content/zh-cn/docs/tutorials/security/ns-level-pss.md
@@ -30,11 +30,11 @@ level. For instructions, refer to
 Pod 安全准入（PSA）在 v1.23 及更高版本默认启用，
 因为它[升级到测试版（beta）](/blog/2021/12/09/pod-security-admission-beta/)。
 Pod 安全准入是在创建 Pod 时应用
-[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)的准入控制器。
+[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)的准入控制器。
 在本教程中，你将应用 `baseline` Pod 安全标准，每次一个名字空间。
 
 你还可以在集群级别一次将 Pod 安全标准应用于多个名称空间。
-有关说明，请参阅[在集群级别应用 Pod 安全标准](/zh/docs/tutorials/security/cluster-level-pss)。
+有关说明，请参阅[在集群级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/cluster-level-pss)。
 
 ## {{% heading "prerequisites" %}}
 
@@ -47,7 +47,7 @@ Install the following on your workstation:
 在你的工作站中安装以下内容：
 
 - [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
-- [kubectl](/zh/docs/tasks/tools/)
+- [kubectl](/zh-cn/docs/tasks/tools/)
 
 <!--
 ## Create cluster
@@ -247,6 +247,6 @@ Run `kind delete cluster -name psa-ns-level` to delete the cluster created.
       同时在 `warn` 和 `audit` 模式下应用 `restricted` Pod 安全标准。
    4. 创建一个应用以下 Pod 安全标准的新 Pod
 
-- [Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)
-- [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)
-- [在集群级别应用 Pod 安全标准](/zh/docs/tutorials/security/cluster-level-pss/)
+- [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)
+- [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
+- [在集群级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/cluster-level-pss/)
diff --git a/content/zh/docs/tutorials/security/seccomp.md b/content/zh-cn/docs/tutorials/security/seccomp.md
similarity index 98%
rename from content/zh/docs/tutorials/security/seccomp.md
rename to content/zh-cn/docs/tutorials/security/seccomp.md
index 9fe9b14b12984..e27315a31f425 100644
--- a/content/zh/docs/tutorials/security/seccomp.md
+++ b/content/zh-cn/docs/tutorials/security/seccomp.md
@@ -74,8 +74,8 @@ for the version you are using.
 The tutorial also uses the `curl` tool for downloading examples to your computer.
 You can adapt the steps to use a different tool if you prefer.
 -->
-为了完成本篇教程中的所有步骤，你必须安装 [kind](/zh/docs/tasks/tools/#kind)
-和 [kubectl](/zh/docs/tasks/tools/#kubectl)。
+为了完成本篇教程中的所有步骤，你必须安装 [kind](/zh-cn/docs/tasks/tools/#kind)
+和 [kubectl](/zh-cn/docs/tasks/tools/#kubectl)。
 
 本篇教程演示的某些示例仍然是 alpha 状态（自 v1.22 起），另一些示例则仅使用 seccomp 正式发布的功能。
 你应该确保，针对你使用的版本，
@@ -257,8 +257,8 @@ well as corresponding `--seccomp-default`
 [command line flag](/docs/reference/command-line-tools-reference/kubelet).
 Both have to be enabled simultaneously to use the feature.
 -->
-`SeccompDefault` 是一个可选的 kubelet [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates)
-以及相应的 `--seccomp-default` [命令行标志](/zh/docs/reference/command-line-tools-reference/kubelet)。
+`SeccompDefault` 是一个可选的 kubelet [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates)
+以及相应的 `--seccomp-default` [命令行标志](/zh-cn/docs/reference/command-line-tools-reference/kubelet)。
 两者必须同时启用才能使用该功能。
 
 <!-- 
@@ -732,7 +732,7 @@ type in the security context of a pod or container to `RuntimeDefault`.
 If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
 no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
 -->
-如果你已经启用了 `SeccompDefault` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)，
+如果你已经启用了 `SeccompDefault` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)，
 只要没有指定其他 seccomp 配置文件，那么 Pod 就会使用 `SeccompDefault` 的 seccomp 配置文件。
 否则，默认值为 `Unconfined`。
 {{< /note >}}
diff --git a/content/zh/docs/tutorials/services/_index.md b/content/zh-cn/docs/tutorials/services/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/services/_index.md
rename to content/zh-cn/docs/tutorials/services/_index.md
diff --git a/content/zh-cn/docs/tutorials/services/source-ip.md b/content/zh-cn/docs/tutorials/services/source-ip.md
new file mode 100644
index 0000000000000..eaa8109cc726a
--- /dev/null
+++ b/content/zh-cn/docs/tutorials/services/source-ip.md
@@ -0,0 +1,646 @@
+---
+title: 使用源 IP
+content_type: tutorial
+min-kubernetes-server-version: v1.5
+---
+<!--  
+title: Using Source IP
+content_type: tutorial
+min-kubernetes-server-version: v1.5
+-->
+
+<!-- overview -->
+
+<!-- 
+Applications running in a Kubernetes cluster find and communicate with each
+other, and the outside world, through the Service abstraction. This document
+explains what happens to the source IP of packets sent to different types
+of Services, and how you can toggle this behavior according to your needs.
+-->
+运行在 Kubernetes 集群中的应用程序通过 Service 抽象发现彼此并相互通信，它们也用 Service 与外部世界通信。
+本文解释了发送到不同类型 Service 的数据包的源 IP 会发生什么情况，以及如何根据需要切换此行为。
+
+## {{% heading "prerequisites" %}}
+
+<!-- 
+### Terminology
+
+This document makes use of the following terms:
+-->
+## 术语表  {#terminology}
+
+本文使用了下列术语：
+
+{{< comment >}}
+<!--
+If localizing this section, link to the equivalent Wikipedia pages for
+the target localization.
+-->
+如果本地化此部分，请链接到目标本地化的等效 Wikipedia 页面。
+{{< /comment >}}
+
+<!--
+[NAT](https://en.wikipedia.org/wiki/Network_address_translation)
+: network address translation
+
+[Source NAT](https://en.wikipedia.org/wiki/Network_address_translation#SNAT)
+: replacing the source IP on a packet; in this page, that usually means replacing with the IP address of a node.
+
+[Destination NAT](https://en.wikipedia.org/wiki/Network_address_translation#DNAT)
+: replacing the destination IP on a packet; in this page, that usually means replacing with the IP address of a {{< glossary_tooltip term_id="pod" >}}
+
+[VIP](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
+: a virtual IP address, such as the one assigned to every {{< glossary_tooltip text="Service" term_id="service" >}} in Kubernetes
+
+[kube-proxy](/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
+: a network daemon that orchestrates Service VIP management on every node
+-->
+[NAT](https://zh.wikipedia.org/wiki/%E7%BD%91%E7%BB%9C%E5%9C%B0%E5%9D%80%E8%BD%AC%E6%8D%A2)
+: 网络地址转换
+
+[Source NAT](https://en.wikipedia.org/wiki/Network_address_translation#SNAT)
+: 替换数据包上的源 IP；在本页面中，这通常意味着替换为节点的 IP 地址
+
+[Destination NAT](https://en.wikipedia.org/wiki/Network_address_translation#DNAT)
+: 替换数据包上的目标 IP；在本页面中，这通常意味着替换为 {{<glossary_tooltip text="Pod" term_id="pod" >}} 的 IP 地址
+
+[VIP](/zh-cn/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
+: 一个虚拟 IP 地址，例如分配给 Kubernetes 中每个 {{<glossary_tooltip text="Service" term_id="service" >}} 的 IP 地址
+
+[Kube-proxy](/zh-cn/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
+: 一个网络守护程序，在每个节点上协调 Service VIP 管理
+
+<!-- 
+### Prerequisites
+-->
+## 先决条件  {#prerequisites}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+<!-- 
+The examples use a small nginx webserver that echoes back the source
+IP of requests it receives through an HTTP header. You can create it as follows:
+-->
+示例使用一个小型 nginx Web 服务器，服务器通过 HTTP 标头返回它接收到的请求的源 IP。
+你可以按如下方式创建它：
+
+```shell
+kubectl create deployment source-ip-app --image=k8s.gcr.io/echoserver:1.4
+```
+<!-- 
+The output is:
+-->
+输出为：
+```
+deployment.apps/source-ip-app created
+```
+
+## {{% heading "objectives" %}}
+
+<!--
+* Expose a simple application through various types of Services
+* Understand how each Service type handles source IP NAT
+* Understand the tradeoffs involved in preserving source IP
+-->
+* 通过多种类型的 Service 暴露一个简单应用
+* 了解每种 Service 类型如何处理源 IP NAT
+* 了解保留源 IP 所涉及的权衡
+
+<!-- lessoncontent -->
+
+<!-- 
+## Source IP for Services with `Type=ClusterIP`
+-->
+## `Type=ClusterIP` 类型 Service 的源 IP  {#source-ip-for-services-with-type-clusterip}
+
+<!-- 
+Packets sent to ClusterIP from within the cluster are never source NAT'd if
+you're running kube-proxy in
+[iptables mode](/docs/concepts/services-networking/service/#proxy-mode-iptables),
+(the default). You can query the kube-proxy mode by fetching
+`http://localhost:10249/proxyMode` on the node where kube-proxy is running.
+-->
+如果你在 [iptables 模式](/zh-cn/docs/concepts/services-networking/service/#proxy-mode-iptables)（默认）下运行
+kube-proxy，则从集群内发送到 ClusterIP 的数据包永远不会进行源 NAT。
+你可以通过在运行 kube-proxy 的节点上获取 `http://localhost:10249/proxyMode` 来查询 kube-proxy 模式。
+
+```console
+kubectl get nodes
+```
+<!--
+The output is similar to this:
+-->
+输出类似于：
+```
+NAME                   STATUS     ROLES    AGE     VERSION
+kubernetes-node-6jst   Ready      <none>   2h      v1.13.0
+kubernetes-node-cx31   Ready      <none>   2h      v1.13.0
+kubernetes-node-jj1t   Ready      <none>   2h      v1.13.0
+```
+
+<!-- 
+Get the proxy mode on one of the nodes (kube-proxy listens on port 10249):
+-->
+在其中一个节点上获取代理模式（kube-proxy 监听 10249 端口）：
+```shell
+# 在要查询的节点上的 shell 中运行
+curl http://localhost:10249/proxyMode
+```
+<!-- 
+The output is: 
+-->
+输出为：
+```
+iptables
+```
+
+<!--
+You can test source IP preservation by creating a Service over the source IP app: 
+-->
+你可以通过在源 IP 应用程序上创建 Service 来测试源 IP 保留：
+```shell
+kubectl expose deployment source-ip-app --name=clusterip --port=80 --target-port=8080
+```
+<!-- 
+The output is: 
+-->
+输出为：
+```
+service/clusterip exposed
+```
+```shell
+kubectl get svc clusterip
+```
+<!--
+The output is similar to this:
+-->
+输出类似于：
+```
+NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
+clusterip    ClusterIP   10.0.170.92   <none>        80/TCP    51s
+```
+
+<!-- 
+And hitting the `ClusterIP` from a pod in the same cluster:
+-->
+并从同一集群中的 Pod 中访问 `ClusterIP`：
+```shell
+kubectl run busybox -it --image=busybox:1.28 --restart=Never --rm
+```
+<!--
+The output is similar to this:
+-->
+输出类似于：
+```
+Waiting for pod default/busybox to be running, status is Pending, pod ready: false
+If you don't see a command prompt, try pressing enter.
+```
+<!-- 
+You can then run a command inside that Pod:
+-->
+然后，你可以在该 Pod 中运行命令：
+```shell
+# 从 “kubectl run” 的终端中运行
+ip addr
+```
+```
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue
+    link/ether 0a:58:0a:f4:03:08 brd ff:ff:ff:ff:ff:ff
+    inet 10.244.3.8/24 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::188a:84ff:feb0:26a5/64 scope link
+       valid_lft forever preferred_lft forever
+```
+
+<!--
+…then use `wget` to query the local webserver
+-->
+然后使用 `wget` 查询本地 Web 服务器：
+```shell
+# 将 “10.0.170.92” 替换为 Service 中名为 “clusterip” 的 IPv4 地址
+wget -qO - 10.0.170.92
+```
+```
+CLIENT VALUES:
+client_address=10.244.3.8
+command=GET
+...
+```
+
+<!-- 
+The `client_address` is always the client pod's IP address, whether the client pod and server pod are in the same node or in different nodes.
+-->
+`client_address` 始终是客户端 Pod 的 IP 地址，不管客户端 Pod 和服务器 Pod 位于同一节点还是不同节点。
+
+<!-- 
+## Source IP for Services with `Type=NodePort`
+
+Packets sent to Services with
+[`Type=NodePort`](/docs/concepts/services-networking/service/#type-nodeport)
+are source NAT'd by default. You can test this by creating a `NodePort` Service:
+-->
+## `Type=NodePort` 类型 Service 的源 IP  {#source-ip-for-services-with-type-nodeport}
+
+默认情况下，发送到 [`Type=NodePort`](/zh-cn/docs/concepts/services-networking/service/#type-nodeport)
+的 Service 的数据包会经过源 NAT 处理。你可以通过创建一个 `NodePort` 的 Service 来测试这点：
+```shell
+kubectl expose deployment source-ip-app --name=nodeport --port=80 --target-port=8080 --type=NodePort
+```
+
+<!-- 
+The output is: 
+-->
+输出为：
+```
+service/nodeport exposed
+```
+
+```shell
+NODEPORT=$(kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services nodeport)
+NODES=$(kubectl get nodes -o jsonpath='{ $.items[*].status.addresses[?(@.type=="InternalIP")].address }')
+```
+
+<!--
+If you're running on a cloud provider, you may need to open up a firewall-rule
+for the `nodes:nodeport` reported above.
+Now you can try reaching the Service from outside the cluster through the node
+port allocated above.
+-->
+如果你在云供应商上运行，你可能需要为上面报告的 `nodes:nodeport` 打开防火墙规则。
+现在你可以尝试通过上面分配的节点端口从集群外部访问 Service。
+
+```shell
+for node in $NODES; do curl -s $node:$NODEPORT | grep -i client_address; done
+```
+<!-- 
+The output is similar to:
+-->
+输出类似于：
+```
+client_address=10.180.1.1
+client_address=10.240.0.5
+client_address=10.240.0.3
+```
+
+<!--
+Note that these are not the correct client IPs, they're cluster internal IPs. This is what happens:
+
+* Client sends packet to `node2:nodePort`
+* `node2` replaces the source IP address (SNAT) in the packet with its own IP address
+* `node2` replaces the destination IP on the packet with the pod IP
+* packet is routed to node 1, and then to the endpoint
+* the pod's reply is routed back to node2
+* the pod's reply is sent back to the client
+
+Visually:
+
+{{< figure src="/docs/images/tutor-service-nodePort-fig01.svg" alt="source IP nodeport figure 01" class="diagram-large" caption="Figure. Source IP Type=NodePort using SNAT" link="https://mermaid.live/edit#pako:eNqNkV9rwyAUxb-K3LysYEqS_WFYKAzat9GHdW9zDxKvi9RoMIZtlH732ZjSbE970cu5v3s86hFqJxEYfHjRNeT5ZcUtIbXRaMNN2hZ5vrYRqt52cSXV-4iMSuwkZiYtyX739EqWaahMQ-V1qPxDVLNOvkYrO6fj2dupWMR2iiT6foOKdEZoS5Q2hmVSStoH7w7IMqXUVOefWoaG3XVftHbGeZYVRbH6ZXJ47CeL2-qhxvt_ucTe1SUlpuMN6CX12XeGpLdJiaMMFFr0rdAyvvfxjHEIDbbIgcVSohKDCRy4PUV06KQIuJU6OA9MCdMjBTEEt_-2NbDgB7xAGy3i97VJPP0ABRmcqg" >}}
+-->
+请注意，这些并不是正确的客户端 IP，它们是集群的内部 IP。这是所发生的事情：
+
+* 客户端发送数据包到 `node2:nodePort`
+* `node2` 使用它自己的 IP 地址替换数据包的源 IP 地址（SNAT）
+* `node2` 将数据包上的目标 IP 替换为 Pod IP
+* 数据包被路由到 node1，然后到端点
+* Pod 的回复被路由回 node2
+* Pod 的回复被发送回给客户端
+
+用图表示：
+{{< figure src="/zh-cn/docs/images/tutor-service-nodePort-fig01.svg" alt="图 1：源 IP NodePort" class="diagram-large" caption="如图。使用 SNAT 的源 IP（Type=NodePort）" link="https://mermaid.live/edit#pako:eNqNkV9rwyAUxb-K3LysYEqS_WFYKAzat9GHdW9zDxKvi9RoMIZtlH732ZjSbE970cu5v3s86hFqJxEYfHjRNeT5ZcUtIbXRaMNN2hZ5vrYRqt52cSXV-4iMSuwkZiYtyX739EqWaahMQ-V1qPxDVLNOvkYrO6fj2dupWMR2iiT6foOKdEZoS5Q2hmVSStoH7w7IMqXUVOefWoaG3XVftHbGeZYVRbH6ZXJ47CeL2-qhxvt_ucTe1SUlpuMN6CX12XeGpLdJiaMMFFr0rdAyvvfxjHEIDbbIgcVSohKDCRy4PUV06KQIuJU6OA9MCdMjBTEEt_-2NbDgB7xAGy3i97VJPP0ABRmcqg" >}}
+
+<!-- 
+To avoid this, Kubernetes has a feature to
+[preserve the client source IP](/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip).
+If you set `service.spec.externalTrafficPolicy` to the value `Local`,
+kube-proxy only proxies proxy requests to local endpoints, and does not
+forward traffic to other nodes. This approach preserves the original
+source IP address. If there are no local endpoints, packets sent to the
+node are dropped, so you can rely on the correct source-ip in any packet
+processing rules you might apply a packet that make it through to the
+endpoint.
+-->
+为避免这种情况，Kubernetes 有一个特性可以[保留客户端源 IP](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)。
+如果将 `service.spec.externalTrafficPolicy` 设置为 `Local`，
+kube-proxy 只会将代理请求代理到本地端点，而不会将流量转发到其他节点。
+这种方法保留了原始源 IP 地址。如果没有本地端点，则发送到该节点的数据包将被丢弃，
+因此你可以在任何数据包处理规则中依赖正确的源 IP，你可能会应用一个数据包使其通过该端点。
+
+<!--
+Set the `service.spec.externalTrafficPolicy` field as follows:
+-->
+设置 `service.spec.externalTrafficPolicy` 字段如下：
+
+```shell
+kubectl patch svc nodeport -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+```
+<!-- 
+The output is:
+-->
+输出为：
+```
+service/nodeport patched
+```
+
+<!-- 
+Now, re-run the test:
+-->
+现在，重新运行测试：
+
+```shell
+for node in $NODES; do curl --connect-timeout 1 -s $node:$NODEPORT | grep -i client_address; done
+```
+<!-- 
+The output is similar to:
+-->
+输出类似于：
+```
+client_address=198.51.100.79
+```
+
+<!-- 
+Note that you only got one reply, with the *right* client IP, from the one node on which the endpoint pod
+is running.
+
+This is what happens:
+
+* client sends packet to `node2:nodePort`, which doesn't have any endpoints
+* packet is dropped
+* client sends packet to `node1:nodePort`, which *does* have endpoints
+* node1 routes packet to endpoint with the correct source IP
+
+Visually:
+
+{{< figure src="/docs/images/tutor-service-nodePort-fig02.svg" alt="source IP nodeport figure 02" class="diagram-large" caption="Figure. Source IP Type=NodePort preserves client source IP address" link="" >}}
+-->
+请注意，你只从运行端点 Pod 的节点得到了回复，这个回复有**正确的**客户端 IP。
+
+这是发生的事情：
+
+* 客户端将数据包发送到没有任何端点的 `node2:nodePort`
+* 数据包被丢弃
+* 客户端发送数据包到 `node1:nodePort`，它**确实**有端点
+* node1 使用正确的源 IP 地址将数据包路由到端点
+
+用图表示：
+{{< figure src="/zh-cn/docs/images/tutor-service-nodePort-fig02.svg" alt="图 2：源 IP NodePort" class="diagram-large" caption="如图。源 IP（Type=NodePort）保存客户端源 IP 地址" link="" >}}
+
+
+<!-- 
+## Source IP for Services with `Type=LoadBalancer`
+
+Packets sent to Services with
+[`Type=LoadBalancer`](/docs/concepts/services-networking/service/#loadbalancer)
+are source NAT'd by default, because all schedulable Kubernetes nodes in the
+`Ready` state are eligible for load-balanced traffic. So if packets arrive
+at a node without an endpoint, the system proxies it to a node *with* an
+endpoint, replacing the source IP on the packet with the IP of the node (as
+described in the previous section).
+-->
+## `Type=LoadBalancer` 类型 Service 的 Source IP  {#source-ip-for-services-with-type-loadbalancer}
+
+默认情况下，发送到 [`Type=LoadBalancer`](/zh-cn/docs/concepts/services-networking/service/#loadbalancer)
+的 Service 的数据包经过源 NAT处理，因为所有处于 `Ready` 状态的可调度 Kubernetes
+节点对于负载均衡的流量都是符合条件的。
+因此，如果数据包到达一个没有端点的节点，系统会将其代理到一个**带有**端点的节点，用该节点的 IP 替换数据包上的源 IP（如上一节所述）。
+
+<!-- 
+You can test this by exposing the source-ip-app through a load balancer:
+-->
+你可以通过负载均衡器上暴露 source-ip-app 进行测试：
+
+```shell
+kubectl expose deployment source-ip-app --name=loadbalancer --port=80 --target-port=8080 --type=LoadBalancer
+```
+<!-- 
+The output is:
+-->
+输出为：
+```
+service/loadbalancer exposed
+```
+
+<!-- 
+Print out the IP addresses of the Service:
+-->
+打印 Service 的 IP 地址：
+```shell
+kubectl get svc loadbalancer
+```
+<!--
+The output is similar to this:
+-->
+输出类似于：
+```
+NAME           TYPE           CLUSTER-IP    EXTERNAL-IP       PORT(S)   AGE
+loadbalancer   LoadBalancer   10.0.65.118   203.0.113.140     80/TCP    5m
+```
+
+<!-- 
+Next, send a request to this Service's external-ip:
+-->
+接下来，发送请求到 Service 的 的外部IP（External-IP）：
+```shell
+curl 203.0.113.140
+```
+<!--
+The output is similar to this:
+-->
+输出类似于：
+```
+CLIENT VALUES:
+client_address=10.240.0.5
+...
+```
+
+<!-- 
+However, if you're running on Google Kubernetes Engine/GCE, setting the same `service.spec.externalTrafficPolicy`
+field to `Local` forces nodes *without* Service endpoints to remove
+themselves from the list of nodes eligible for loadbalanced traffic by
+deliberately failing health checks.
+
+Visually:
+
+![Source IP with externalTrafficPolicy](/images/docs/sourceip-externaltrafficpolicy.svg)
+-->
+然而，如果你在 Google Kubernetes Engine/GCE 上运行，
+将相同的 `service.spec.externalTrafficPolicy` 字段设置为 `Local`，
+故意导致健康检查失败，从而强制没有端点的节点把自己从负载均衡流量的可选节点列表中删除。
+
+用图表示：
+
+![具有 externalTrafficPolicy 的源 IP](/images/docs/sourceip-externaltrafficpolicy.svg)
+
+<!-- 
+You can test this by setting the annotation:
+-->
+你可以通过设置注解进行测试：
+
+```shell
+kubectl patch svc loadbalancer -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+```
+
+<!--
+You should immediately see the `service.spec.healthCheckNodePort` field allocated
+by Kubernetes:
+-->
+你应该能够立即看到 Kubernetes 分配的 `service.spec.healthCheckNodePort` 字段：
+
+```shell
+kubectl get svc loadbalancer -o yaml | grep -i healthCheckNodePort
+```
+<!-- 
+The output is similar to this:
+-->
+输出类似于：
+```yaml
+  healthCheckNodePort: 32122
+```
+
+<!-- 
+The `service.spec.healthCheckNodePort` field points to a port on every node
+serving the health check at `/healthz`. You can test this:
+-->
+`service.spec.healthCheckNodePort` 字段指向每个在 `/healthz`
+路径上提供健康检查的节点的端口。你可以这样测试：
+
+```shell
+kubectl get pod -o wide -l run=source-ip-app
+```
+<!-- 
+The output is similar to this:
+-->
+输出类似于：
+```
+NAME                            READY     STATUS    RESTARTS   AGE       IP             NODE
+source-ip-app-826191075-qehz4   1/1       Running   0          20h       10.180.1.136   kubernetes-node-6jst
+```
+
+<!-- 
+Use `curl` to fetch the `/healthz` endpoint on various nodes:
+-->
+使用 `curl` 获取各个节点上的 `/healthz` 端点：
+```shell
+# 在你选择的节点上本地运行
+curl localhost:32122/healthz
+```
+```
+1 Service Endpoints found
+```
+
+<!-- 
+On a different node you might get a different result:
+-->
+在不同的节点上，你可能会得到不同的结果：
+```shell
+# 在你选择的节点上本地运行
+curl localhost:32122/healthz
+```
+```
+No Service Endpoints Found
+```
+
+<!-- 
+A controller running on the
+{{< glossary_tooltip text="control plane" term_id="control-plane" >}} is
+responsible for allocating the cloud load balancer. The same controller also
+allocates HTTP health checks pointing to this port/path on each node. Wait
+about 10 seconds for the 2 nodes without endpoints to fail health checks,
+then use `curl` to query the IPv4 address of the load balancer:
+-->
+在{{<glossary_tooltip text="控制平面" term_id="control-plane" >}}上运行的控制器负责分配云负载均衡器。
+同一个控制器还在每个节点上分配指向此端口/路径的 HTTP 健康检查。
+等待大约 10 秒，让 2 个没有端点的节点健康检查失败，然后使用 `curl` 查询负载均衡器的 IPv4 地址：
+
+```shell
+curl 203.0.113.140
+```
+<!-- 
+The output is similar to this:
+-->
+输出类似于：
+```
+CLIENT VALUES:
+client_address=198.51.100.79
+...
+```
+
+<!-- 
+## Cross-platform support
+
+Only some cloud providers offer support for source IP preservation through
+Services with `Type=LoadBalancer`.
+The cloud provider you're running on might fulfill the request for a loadbalancer
+in a few different ways:
+-->
+## 跨平台支持  {#cross-platform-support}
+
+只有部分云提供商为 `Type=LoadBalancer` 的 Service 提供保存源 IP 的支持。
+你正在运行的云提供商可能会以几种不同的方式满足对负载均衡器的请求：
+
+<!-- 
+1. With a proxy that terminates the client connection and opens a new connection
+to your nodes/endpoints. In such cases the source IP will always be that of the
+cloud LB, not that of the client.
+
+2. With a packet forwarder, such that requests from the client sent to the
+loadbalancer VIP end up at the node with the source IP of the client, not
+an intermediate proxy.
+-->
+1. 使用终止客户端连接并打开到你的节点/端点的新连接的代理。
+   在这种情况下，源 IP 将始终是云 LB 的源 IP，而不是客户端的源 IP。
+
+2. 使用数据包转发器，这样客户端发送到负载均衡器 VIP
+   的请求最终会到达具有客户端源 IP 的节点，而不是中间代理。
+
+<!-- 
+Load balancers in the first category must use an agreed upon
+protocol between the loadbalancer and backend to communicate the true client IP
+such as the HTTP [Forwarded](https://tools.ietf.org/html/rfc7239#section-5.2)
+or [X-FORWARDED-FOR](https://en.wikipedia.org/wiki/X-Forwarded-For)
+headers, or the
+[proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
+Load balancers in the second category can leverage the feature described above
+by creating an HTTP health check pointing at the port stored in
+the `service.spec.healthCheckNodePort` field on the Service.
+-->
+第一类负载均衡器必须使用负载均衡器和后端之间商定的协议来传达真实的客户端 IP，
+例如 HTTP [转发](https://tools.ietf.org/html/rfc7239#section-5.2)或
+[X-FORWARDED-FOR](https://en.wikipedia.org/wiki/X-Forwarded-For)
+表头，或[代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
+第二类负载均衡器可以通过创建指向存储在 Service 上的 `service.spec.healthCheckNodePort`
+字段中的端口的 HTTP 健康检查来利用上述功能。
+
+## {{% heading "cleanup" %}}
+
+<!-- 
+Delete the Services:
+-->
+删除 Service：
+
+```console
+$ kubectl delete svc -l app=source-ip-app
+```
+
+<!--
+Delete the Deployment, ReplicaSet and Pod: 
+-->
+删除 Deployment、ReplicaSet 和 Pod：
+
+```console
+$ kubectl delete deployment source-ip-app
+```
+
+## {{% heading "whatsnext" %}}
+
+<!-- 
+* Learn more about [connecting applications via services](/docs/concepts/services-networking/connect-applications-service/)
+* Read how to [Create an External Load Balancer](/docs/tasks/access-application-cluster/create-external-load-balancer/)
+-->
+* 详细了解[通过 Service 连接应用程序](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
+* 阅读如何[创建外部负载均衡器](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/)
diff --git a/content/zh/docs/tutorials/stateful-application/_index.md b/content/zh-cn/docs/tutorials/stateful-application/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/stateful-application/_index.md
rename to content/zh-cn/docs/tutorials/stateful-application/_index.md
diff --git a/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md b/content/zh-cn/docs/tutorials/stateful-application/basic-stateful-set.md
similarity index 70%
rename from content/zh/docs/tutorials/stateful-application/basic-stateful-set.md
rename to content/zh-cn/docs/tutorials/stateful-application/basic-stateful-set.md
index 02880bfbc8dc4..cf3a7ac6c87c0 100644
--- a/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md
+++ b/content/zh-cn/docs/tutorials/stateful-application/basic-stateful-set.md
@@ -1,123 +1,134 @@
 ---
 title: StatefulSet 基础
 content_type: tutorial
-approvers:
+weight: 10
+---
+<!--
+reviewers:
 - enisoc
 - erictune
 - foxish
 - janetkuo
 - kow3ns
 - smarterclayton
-
----
+title: StatefulSet Basics
+content_type: tutorial
+weight: 10
+-->
 
 <!-- overview -->
 
 <!--
 This tutorial provides an introduction to managing applications with
-[StatefulSets](/docs/concepts/workloads/controllers/statefulset/). It
-demonstrates how to create, delete, scale, and update the Pods of StatefulSets.
+{{< glossary_tooltip text="StatefulSets" term_id="statefulset" >}}.
+It demonstrates how to create, delete, scale, and update the Pods of StatefulSets.
 -->
-
-本教程介绍了如何使用 [StatefulSets](/zh/docs/concepts/workloads/controllers/statefulset/) 来管理应用。
-演示了如何创建、删除、扩容/缩容和更新 StatefulSets 的 Pods。
-
-
+本教程介绍了如何使用
+{{< glossary_tooltip text="StatefulSet" term_id="statefulset" >}}
+来管理应用。
+演示了如何创建、删除、扩容/缩容和更新 StatefulSet 的 Pod。
 
 ## {{% heading "prerequisites" %}}
 
-
 <!--
 Before you begin this tutorial, you should familiarize yourself with the
-following Kubernetes concepts.
+following Kubernetes concepts:
 -->
-
 在开始本教程之前，你应该熟悉以下 Kubernetes 的概念：
 
-* [Pods](/zh/docs/concepts/workloads/pods/)
-* [Cluster DNS](/zh/docs/concepts/services-networking/dns-pod-service/)
-* [Headless Services](/zh/docs/concepts/services-networking/service/#headless-services)
-* [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/)
+<!--
+* [Pods](/docs/concepts/workloads/pods/)
+* [Cluster DNS](/docs/concepts/services-networking/dns-pod-service/)
+* [Headless Services](/docs/concepts/services-networking/service/#headless-services)
+* [PersistentVolumes](/docs/concepts/storage/persistent-volumes/)
 * [PersistentVolume Provisioning](https://github.com/kubernetes/examples/tree/master/staging/persistent-volume-provisioning/)
-* [StatefulSets](/zh/docs/concepts/workloads/controllers/statefulset/)
-* [kubectl CLI](/zh/docs/user-guide/kubectl/)
+* [StatefulSets](/docs/concepts/workloads/controllers/statefulset/)
+* The [kubectl](/docs/reference/kubectl/kubectl/) command line tool
+-->
+* [Pods](/zh-cn/docs/concepts/workloads/pods/)
+* [Cluster DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)
+* [Headless Services](/zh-cn/docs/concepts/services-networking/service/#headless-services)
+* [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
+* [PersistentVolume Provisioning](https://github.com/kubernetes/examples/tree/master/staging/persistent-volume-provisioning/)
+* [StatefulSets](/zh-cn/docs/concepts/workloads/controllers/statefulset/)
+* [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 命令行工具
 
+{{< note >}}
 <!--
 This tutorial assumes that your cluster is configured to dynamically provision
 PersistentVolumes. If your cluster is not configured to do so, you
 will have to manually provision two 1 GiB volumes prior to starting this
 tutorial.
 -->
-
-本教程假设你的集群被配置为动态的提供 PersistentVolumes。如果没有这样配置，在开始本教程之前，你需要手动准备 2 个 1 GiB 的存储卷。
-
-
+本教程假设你的集群被配置为动态制备 PersistentVolume 卷。
+如果没有这样配置，在开始本教程之前，你需要手动准备 2 个 1 GiB 的存储卷。
+{{< /note >}}
 
 ## {{% heading "objectives" %}}
 
-
 <!--
 StatefulSets are intended to be used with stateful applications and distributed
 systems. However, the administration of stateful applications and
 distributed systems on Kubernetes is a broad, complex topic. In order to
 demonstrate the basic features of a StatefulSet, and not to conflate the former
 topic with the latter, you will deploy a simple web application using a StatefulSet.
+-->
+StatefulSet 旨在与有状态的应用及分布式系统一起使用。然而在 Kubernetes
+上管理有状态应用和分布式系统是一个宽泛而复杂的话题。
+为了演示 StatefulSet 的基本特性，并且不使前后的主题混淆，你将会使用 StatefulSet 部署一个简单的 web 应用。
 
+<!--
 After this tutorial, you will be familiar with the following.
+-->
+在阅读本教程后，你将熟悉以下内容：
 
+<!--
 * How to create a StatefulSet
 * How a StatefulSet manages its Pods
 * How to delete a StatefulSet
 * How to scale a StatefulSet
 * How to update a StatefulSet's Pods
 -->
-
-StatefulSets 旨在与有状态的应用及分布式系统一起使用。然而在 Kubernetes 上管理有状态应用和分布式系统是一个宽泛而复杂的话题。
-为了演示 StatefulSet 的基本特性，并且不使前后的主题混淆，你将会使用 StatefulSet 部署一个简单的 web 应用。
-
-在阅读本教程后，你将熟悉以下内容：
-
 * 如何创建 StatefulSet
-* StatefulSet 怎样管理它的 Pods
+* StatefulSet 怎样管理它的 Pod
 * 如何删除 StatefulSet
 * 如何对 StatefulSet 进行扩容/缩容
-* 如何更新一个 StatefulSet 的 Pods
-
-
-
+* 如何更新一个 StatefulSet 的 Pod
 
 <!-- lessoncontent -->
 
 <!--
 ## Creating a StatefulSet
+-->
+## 创建 StatefulSet   {#creating-a-statefulset}
 
+<!--
 Begin by creating a StatefulSet using the example below. It is similar to the
 example presented in the
 [StatefulSets](/docs/concepts/workloads/controllers/statefulset/) concept.
 It creates a [headless Service](/docs/concepts/services-networking/service/#headless-services),
 `nginx`, to publish the IP addresses of Pods in the StatefulSet, `web`.
 -->
-
-## 创建 StatefulSet
-
-
-作为开始，使用如下示例创建一个 StatefulSet。它和 [StatefulSets](/zh/docs/concepts/workloads/controllers/statefulset/) 概念中的示例相似。
-它创建了一个 [Headless Service](/zh/docs/concepts/services-networking/service/#headless-services) `nginx` 用来发布 StatefulSet `web` 中的 Pod 的 IP 地址。
+作为开始，使用如下示例创建一个 StatefulSet。它和
+[StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/) 概念中的示例相似。
+它创建了一个 [Headless Service](/zh-cn/docs/concepts/services-networking/service/#headless-services)
+`nginx` 用来发布 StatefulSet `web` 中的 Pod 的 IP 地址。
 
 {{< codenew file="application/web/web.yaml" >}}
 
 <!--
 Download the example above, and save it to a file named `web.yaml`
+-->
+下载上面的例子并保存为文件 `web.yaml`。
 
+<!--
 You will need to use two terminal windows. In the first terminal, use
 [`kubectl get`](/docs/reference/generated/kubectl/kubectl-commands/#get) to watch the creation
 of the StatefulSet's Pods.
 -->
-
-下载上面的例子并保存为文件 `web.yaml`。
-
-
-你需要使用两个终端窗口。 在第一个终端中，使用 [`kubectl get`](/zh/docs/user-guide/kubectl/{{< param "version" >}}/#get)  来查看 StatefulSet 的 Pods 的创建情况。
+你需要使用两个终端窗口。在第一个终端中，使用
+[`kubectl get`](/docs/reference/generated/kubectl/kubectl-commands/#get)
+来监视 StatefulSet 的 Pod 的创建情况。
 
 ```shell
 kubectl get pods -w -l app=nginx
@@ -126,10 +137,10 @@ kubectl get pods -w -l app=nginx
 <!--
 In the second terminal, use
 [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands/#apply) to create the
-Headless Service and StatefulSet defined in `web.yaml`.
+headless Service and StatefulSet defined in `web.yaml`.
 -->
-
-在另一个终端中，使用 [`kubectl apply`](/zh/docs/reference/generated/kubectl/kubectl-commands/#apply)来创建定义在 `web.yaml` 中的 Headless Service 和 StatefulSet。
+在另一个终端中，使用 [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands/#apply)
+来创建定义在 `web.yaml` 中的 Headless Service 和 StatefulSet。
 
 ```shell
 kubectl apply -f web.yaml
@@ -141,12 +152,10 @@ statefulset.apps/web created
 
 <!--
 The command above creates two Pods, each running an
-[NGINX](https://www.nginx.com) webserver. Get the `nginx` Service and the
-`web` StatefulSet to verify that they were created successfully.
+[NGINX](https://www.nginx.com) webserver. Get the `nginx` Service...
 -->
-
-上面的命令创建了两个 Pod，每个都运行了一个 [NGINX](https://www.nginx.com) web 服务器。
-获取 `nginx` Service 和 `web` StatefulSet 来验证是否成功的创建了它们。
+上面的命令创建了两个 Pod，每个都运行了一个 [NginX](https://www.nginx.com) Web 服务器。
+获取 `nginx` Service：
 
 ```shell
 kubectl get service nginx
@@ -155,10 +164,12 @@ kubectl get service nginx
 NAME      TYPE         CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
 nginx     ClusterIP    None         <none>        80/TCP    12s
 ```
+
 <!--
 ...then get the `web` StatefulSet, to verify that both were created successfully:
 -->
-...然后获取 `web` StatefulSet，以验证两者均已成功创建：
+然后获取 `web` StatefulSet，以验证两者均已成功创建：
+
 ```shell
 kubectl get statefulset web
 ```
@@ -168,19 +179,17 @@ web       2         1         20s
 ```
 
 <!--
-
 ### Ordered Pod Creation
+-->
+### 顺序创建 Pod   {#ordered-pod-creation}
 
-For a StatefulSet with N replicas, when Pods are being deployed, they are
-created sequentially, in order from {0..N-1}. Examine the output of the
+<!--
+For a StatefulSet with _n_ replicas, when Pods are being deployed, they are
+created sequentially, ordered from _{0..n-1}_. Examine the output of the
 `kubectl get` command in the first terminal. Eventually, the output will
 look like the example below.
 -->
-
-### 顺序创建 Pod
-
-
-对于一个拥有 N 个副本的 StatefulSet，Pod 被部署时是按照 {0 …… N-1} 的序号顺序创建的。
+对于一个拥有 _n_ 个副本的 StatefulSet，Pod 被部署时是按照 _{0..n-1}_ 的序号顺序创建的。
 在第一个终端中使用 `kubectl get` 检查输出。这个输出最终将看起来像下面的样子。
 
 ```shell
@@ -200,31 +209,33 @@ web-1     1/1       Running   0         18s
 
 <!--
 Notice that the `web-1` Pod is not launched until the `web-0` Pod is
-[Running and Ready](/docs/user-guide/pod-states).
+_Running_ (see [Pod Phase](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase))
+and _Ready_ (see `type` in [Pod Conditions](/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions)).
 -->
-请注意在 `web-0` Pod 处于 [Running和Ready](/zh/docs/user-guide/pod-states) 状态后 `web-1` Pod 才会被启动。
+请注意，直到 `web-0` Pod 处于 _Running_（请参阅
+[Pod 阶段](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)）
+并 _Ready_（请参阅 [Pod 状况](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions)中的
+`type`）状态后，`web-1` Pod 才会被启动。
 
 <!--
 ## Pods in a StatefulSet
+-->
+## StatefulSet 中的 Pod   {#pods-in-a-statefulset}
 
-
+<!--
 Pods in a StatefulSet have a unique ordinal index and a stable network identity.
+-->
+StatefulSet 中的每个 Pod 拥有一个唯一的顺序索引和稳定的网络身份标识。
 
+<!--
 ### Examining the Pod's Ordinal Index
-
-Get the StatefulSet's Pods.
 -->
+### 检查 Pod 的顺序索引   {#examining-the-pod-s-ordinal-index}
 
-## StatefulSet 中的 Pod
-
-
-StatefulSet 中的 Pod 拥有一个唯一的顺序索引和稳定的网络身份标识。
-
-
-### 检查 Pod 的顺序索引
-
-
-获取 StatefulSet 的 Pod。
+<!--
+Get the StatefulSet's Pods:
+-->
+获取 StatefulSet 的 Pod：
 
 ```shell
 kubectl get pods -l app=nginx
@@ -239,26 +250,31 @@ web-1     1/1       Running   0          1m
 As mentioned in the [StatefulSets](/docs/concepts/workloads/controllers/statefulset/)
 concept, the Pods in a StatefulSet have a sticky, unique identity. This identity
 is based on a unique ordinal index that is assigned to each Pod by the
-StatefulSet controller. The Pods' names take the form
-`<statefulset name>-<ordinal index>`. Since the `web` StatefulSet has two
-replicas, it creates two Pods, `web-0` and `web-1`.
+StatefulSet {{< glossary_tooltip term_id="controller" text="controller">}}.  
+The Pods' names take the form `<statefulset name>-<ordinal index>`.
+Since the `web` StatefulSet has two replicas, it creates two Pods, `web-0` and `web-1`.
+-->
+如同 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/) 概念中所提到的，
+StatefulSet 中的每个 Pod 拥有一个具有黏性的、独一无二的身份标志。
+这个标志基于 StatefulSet
+{{< glossary_tooltip term_id="controller" text="控制器">}}分配给每个
+Pod 的唯一顺序索引。
+Pod 的名称的形式为 `<statefulset 名称>-<序号索引>`。
+`web` StatefulSet 拥有两个副本，所以它创建了两个 Pod：`web-0` 和 `web-1`。
 
+<!--
 ### Using Stable Network Identities
+-->
+### 使用稳定的网络身份标识   {#using-stable-network-identities}
 
+<!--
 Each Pod has a stable hostname based on its ordinal index. Use
 [`kubectl exec`](/docs/reference/generated/kubectl/kubectl-commands/#exec) to execute the
-`hostname` command in each Pod.
+`hostname` command in each Pod:
 -->
-
-如同 [StatefulSets](/zh/docs/concepts/workloads/controllers/statefulset/) 概念中所提到的， 
-StatefulSet 中的 Pod 拥有一个具有黏性的、独一无二的身份标志。
-这个标志基于 StatefulSet 控制器分配给每个 Pod 的唯一顺序索引。
-Pod 的名称的形式为`<statefulset name>-<ordinal index>`。
-`web`StatefulSet 拥有两个副本，所以它创建了两个 Pod：`web-0`和`web-1`。
-
-### 使用稳定的网络身份标识
-
-每个 Pod 都拥有一个基于其顺序索引的稳定的主机名。使用[`kubectl exec`](/zh/docs/reference/generated/kubectl/kubectl-commands/#exec)在每个 Pod 中执行`hostname`。
+每个 Pod 都拥有一个基于其顺序索引的稳定的主机名。使用
+[`kubectl exec`](/docs/reference/generated/kubectl/kubectl-commands/#exec)
+在每个 Pod 中执行 `hostname`：
 
 ```shell
 for i in 0 1; do kubectl exec "web-$i" -- sh -c 'hostname'; done
@@ -272,28 +288,31 @@ web-1
 Use [`kubectl run`](/docs/reference/generated/kubectl/kubectl-commands/#run) to execute
 a container that provides the `nslookup` command from the `dnsutils` package.
 Using `nslookup` on the Pods' hostnames, you can examine their in-cluster DNS
-addresses.
+addresses:
 -->
-
-使用 [`kubectl run`](/zh/docs/reference/generated/kubectl/kubectl-commands/#run) 
+使用 [`kubectl run`](/docs/reference/generated/kubectl/kubectl-commands/#run)
 运行一个提供 `nslookup` 命令的容器，该命令来自于 `dnsutils` 包。
-通过对 Pod 的主机名执行 `nslookup`，你可以检查他们在集群内部的 DNS 地址。
+通过对 Pod 的主机名执行 `nslookup`，你可以检查他们在集群内部的 DNS 地址：
 
 ```shell
 kubectl run -i --tty --image busybox:1.28 dns-test --restart=Never --rm
 ```
+
 <!--
 which starts a new shell. In that new shell, run:
 -->
-这将启动一个新的 shell。在新 shell 中，运行：
+这将启动一个新的 Shell。在新 Shell 中运行：
+
 ```shell
 # Run this in the dns-test container shell
 nslookup web-0.nginx
 ```
+
 <!--
 The output is similar to:
 -->
 输出类似于：
+
 ```
 Server:    10.0.0.10
 Address 1: 10.0.0.10 kube-dns.kube-system.svc.cluster.local
@@ -309,29 +328,36 @@ Name:      web-1.nginx
 Address 1: 10.244.2.6
 ```
 
+<!--
+(and now exit the container shell: `exit`)
+-->
+（现在可以退出容器 Shell：`exit`）
+
 <!--
 The CNAME of the headless service points to SRV records (one for each Pod that
 is Running and Ready). The SRV records point to A record entries that
 contain the Pods' IP addresses.
-
-In one terminal, watch the StatefulSet's Pods.
 -->
-
 headless service 的 CNAME 指向 SRV 记录（记录每个 Running 和 Ready 状态的 Pod）。
 SRV 记录指向一个包含 Pod IP 地址的记录表项。
 
-在一个终端中查看 StatefulSet 的 Pod。
+<!--
+In one terminal, watch the StatefulSet's Pods:
+-->
+在一个终端中监视 StatefulSet 的 Pod：
 
 ```shell
 kubectl get pod -w -l app=nginx
 ```
+
 <!--
 In a second terminal, use
 [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands/#delete) to delete all
-the Pods in the StatefulSet.
+the Pods in the StatefulSet:
 -->
-
-在另一个终端中使用 [`kubectl delete`](/zh/docs/reference/generated/kubectl/kubectl-commands/#delete) 删除 StatefulSet 中所有的 Pod。
+在另一个终端中使用
+[`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands/#delete)
+删除 StatefulSet 中所有的 Pod：
 
 ```shell
 kubectl delete pod -l app=nginx
@@ -343,10 +369,9 @@ pod "web-1" deleted
 
 <!--
 Wait for the StatefulSet to restart them, and for both Pods to transition to
-Running and Ready.
+Running and Ready:
 -->
-
-等待 StatefulSet 重启它们，并且两个 Pod 都变成 Running 和 Ready 状态。
+等待 StatefulSet 重启它们，并且两个 Pod 都变成 Running 和 Ready 状态：
 
 ```shell
 kubectl get pod -w -l app=nginx
@@ -363,11 +388,11 @@ web-1     1/1       Running   0         34s
 ```
 
 <!--
-Use `kubectl exec` and `kubectl run` to view the Pods hostnames and in-cluster
-DNS entries.
+Use `kubectl exec` and `kubectl run` to view the Pods' hostnames and in-cluster
+DNS entries. First, view the Pods' hostnames:
 -->
-
 使用 `kubectl exec` 和 `kubectl run` 查看 Pod 的主机名和集群内部的 DNS 表项。
+首先，查看 Pod 的主机名：
 
 ```shell
 for i in 0 1; do kubectl exec web-$i -- sh -c 'hostname'; done
@@ -376,26 +401,32 @@ for i in 0 1; do kubectl exec web-$i -- sh -c 'hostname'; done
 web-0
 web-1
 ```
+
 <!--
 then, run:
 -->
 然后，运行：
+
 ```
 kubectl run -i --tty --image busybox:1.28 dns-test --restart=Never --rm /bin/sh
 ```
+
 <!--
 which starts a new shell.  
 In that new shell, run:
 -->
-这将启动一个新的 shell。在新 shell 中，运行：
+这将启动一个新的 Shell。在新 Shell 中，运行：
+
 ```shell
 # Run this in the dns-test container shell
 nslookup web-0.nginx
 ```
+
 <!--
 The output is similar to:
 -->
 输出类似于：
+
 ```
 Server:    10.0.0.10
 Address 1: 10.0.0.10 kube-dns.kube-system.svc.cluster.local
@@ -410,19 +441,33 @@ Address 1: 10.0.0.10 kube-dns.kube-system.svc.cluster.local
 Name:      web-1.nginx
 Address 1: 10.244.2.8
 ```
+
+<!--
+(and now exit the container shell: `exit`)
+-->
+（现在可以退出容器 Shell：`exit`）
+
 <!--
 The Pods' ordinals, hostnames, SRV records, and A record names have not changed,
 but the IP addresses associated with the Pods may have changed. In the cluster
 used for this tutorial, they have. This is why it is important not to configure
 other applications to connect to Pods in a StatefulSet by IP address.
+-->
+Pod 的序号、主机名、SRV 条目和记录名称没有改变，但和 Pod 相关联的 IP 地址可能发生了改变。
+在本教程中使用的集群中它们就改变了。这就是为什么不要在其他应用中使用
+StatefulSet 中 Pod 的 IP 地址进行连接，这点很重要。
 
-
+<!--
 If you need to find and connect to the active members of a StatefulSet, you
-should query the CNAME of the Headless Service
+should query the CNAME of the headless Service
 (`nginx.default.svc.cluster.local`). The SRV records associated with the
 CNAME will contain only the Pods in the StatefulSet that are Running and
 Ready.
+-->
+如果你需要查找并连接一个 StatefulSet 的活动成员，你应该查询 Headless Service 的 CNAME。
+和 CNAME 相关联的 SRV 记录只会包含 StatefulSet 中处于 Running 和 Ready 状态的 Pod。
 
+<!--
 If your application already implements connection logic that tests for
 liveness and readiness, you can use the SRV records of the Pods (
 `web-0.nginx.default.svc.cluster.local`,
@@ -430,36 +475,30 @@ liveness and readiness, you can use the SRV records of the Pods (
 application will be able to discover the Pods' addresses when they transition
 to Running and Ready.
 -->
-
-Pod 的序号、主机名、SRV 条目和记录名称没有改变，但和 Pod 相关联的 IP 地址可能发生了改变。
-在本教程中使用的集群中它们就改变了。这就是为什么不要在其他应用中使用 StatefulSet 中的 Pod 的 IP 地址进行连接，这点很重要。
-
-
-如果你需要查找并连接一个 StatefulSet 的活动成员，你应该查询 Headless Service 的 CNAME。
-和 CNAME 相关联的 SRV 记录只会包含 StatefulSet 中处于 Running 和 Ready 状态的 Pod。
-
-
-如果你的应用已经实现了用于测试 liveness 和 readiness 的连接逻辑，你可以使用 Pod 的 SRV 记录（`web-0.nginx.default.svc.cluster.local`，
-`web-1.nginx.default.svc.cluster.local`）。因为他们是稳定的，并且当你的 Pod 的状态变为 Running 和 Ready 时，你的应用就能够发现它们的地址。
-
+如果你的应用已经实现了用于测试是否已存活（liveness）并就绪（readiness）的连接逻辑，
+你可以使用 Pod 的 SRV 记录（`web-0.nginx.default.svc.cluster.local`、
+`web-1.nginx.default.svc.cluster.local`）。因为他们是稳定的，并且当你的
+Pod 的状态变为 Running 和 Ready 时，你的应用就能够发现它们的地址。
 
 <!--
 ### Writing to Stable Storage
-
-Get the PersistentVolumeClaims for `web-0` and `web-1`.
 -->
+### 写入稳定的存储   {#writing-to-stable-storage}
 
-### 写入稳定的存储
-
-获取 `web-0` 和 `web-1` 的 PersistentVolumeClaims。
+<!--
+Get the PersistentVolumeClaims for `web-0` and `web-1`:
+-->
+获取 `web-0` 和 `web-1` 的 PersistentVolumeClaims：
 
 ```shell
 kubectl get pvc -l app=nginx
 ```
+
 <!--
 The output is similar to:
 -->
 输出类似于：
+
 ```
 NAME        STATUS    VOLUME                                     CAPACITY   ACCESSMODES   AGE
 www-web-0   Bound     pvc-15c268c7-b507-11e6-932f-42010a800002   1Gi        RWO           48s
@@ -467,27 +506,38 @@ www-web-1   Bound     pvc-15c79307-b507-11e6-932f-42010a800002   1Gi        RWO
 ```
 
 <!--
-The StatefulSet controller created two PersistentVolumeClaims that are
-bound to two [PersistentVolumes](/docs/concepts/storage/persistent-volumes/). As the cluster used in this tutorial is configured to dynamically provision
-PersistentVolumes, the PersistentVolumes were created and bound automatically.
+The StatefulSet controller created two
+{{< glossary_tooltip text="PersistentVolumeClaims" term_id="persistent-volume-claim" >}}
+that are bound to two
+{{< glossary_tooltip text="PersistentVolumes" term_id="persistent-volume" >}}.
+-->
+StatefulSet 控制器创建了两个
+{{< glossary_tooltip text="PersistentVolumeClaims" term_id="persistent-volume-claim" >}}，
+绑定到两个
+{{< glossary_tooltip text="PersistentVolumes" term_id="persistent-volume" >}}。
 
-The NGINX webservers, by default, will serve an index file at
+<!--
+As the cluster used in this tutorial is configured to dynamically provision PersistentVolumes,
+the PersistentVolumes were created and bound automatically.
+-->
+由于本教程使用的集群配置为动态制备
+PersistentVolume 卷，所有的 PersistentVolume 卷都是自动创建和绑定的。
+
+<!--
+The NGINX webserver, by default, serves an index file from
 `/usr/share/nginx/html/index.html`. The `volumeMounts` field in the
-StatefulSets `spec` ensures that the `/usr/share/nginx/html` directory is
+StatefulSet's `spec` ensures that the `/usr/share/nginx/html` directory is
 backed by a PersistentVolume.
+-->
+NginX Web 服务器默认会加载位于 `/usr/share/nginx/html/index.html` 的 index 文件。
+StatefulSet `spec` 中的 `volumeMounts` 字段保证了 `/usr/share/nginx/html`
+文件夹由一个 PersistentVolume 卷支持。
 
+<!--
 Write the Pods' hostnames to their `index.html` files and verify that the NGINX
-webservers serve the hostnames.
+webservers serve the hostnames:
 -->
-
-StatefulSet 控制器创建了两个 PersistentVolumeClaims，绑定到两个 [PersistentVolumes](/zh/docs/concepts/storage/volumes/)。由于本教程使用的集群配置为动态提供 PersistentVolume，所有的 PersistentVolume 都是自动创建和绑定的。
-
-
-NGINX web 服务器默认会加载位于 `/usr/share/nginx/html/index.html` 的 index 文件。
-StatefulSets `spec` 中的 `volumeMounts` 字段保证了 `/usr/share/nginx/html` 文件夹由一个 PersistentVolume 支持。
-
-
-将 Pod 的主机名写入它们的`index.html`文件并验证 NGINX web 服务器使用该主机名提供服务。
+将 Pod 的主机名写入它们的 `index.html` 文件并验证 NginX Web 服务器使用该主机名提供服务：
 
 ```shell
 for i in 0 1; do kubectl exec "web-$i" -- sh -c 'echo "$(hostname)" > /usr/share/nginx/html/index.html'; done
@@ -506,7 +556,6 @@ you will need to fix the permissions of the directory mounted by the `volumeMoun
 (due to a [bug when using hostPath volumes](https://github.com/kubernetes/kubernetes/issues/2630)),
 by running:
 -->
-
 请注意，如果你看见上面的 curl 命令返回了 **403 Forbidden** 的响应，你需要像这样修复使用 `volumeMounts`
 （原因归咎于[使用 hostPath 卷时存在的缺陷](https://github.com/kubernetes/kubernetes/issues/2630)）
 挂载的目录的权限
@@ -517,25 +566,22 @@ by running:
 <!--
 before retrying the `curl` command above.
 -->
-
 在你重新尝试上面的 `curl` 命令之前。
 {{< /note >}}
 
 <!--
-In one terminal, watch the StatefulSet's Pods.
+In one terminal, watch the StatefulSet's Pods:
 -->
-
-在一个终端查看 StatefulSet 的 Pod。
+在一个终端监视 StatefulSet 的 Pod：
 
 ```shell
 kubectl get pod -w -l app=nginx
 ```
 
 <!--
-In a second terminal, delete all of the StatefulSet's Pods.
+In a second terminal, delete all of the StatefulSet's Pods:
 -->
-
-在另一个终端删除 StatefulSet 所有的 Pod。
+在另一个终端删除 StatefulSet 所有的 Pod：
 
 ```shell
 kubectl delete pod -l app=nginx
@@ -544,11 +590,11 @@ kubectl delete pod -l app=nginx
 pod "web-0" deleted
 pod "web-1" deleted
 ```
+
 <!--
 Examine the output of the `kubectl get` command in the first terminal, and wait
 for all of the Pods to transition to Running and Ready.
 -->
-
 在第一个终端里检查 `kubectl get` 命令的输出，等待所有 Pod 变成 Running 和 Ready 状态。
 
 ```shell
@@ -566,10 +612,9 @@ web-1     1/1       Running   0         34s
 ```
 
 <!--
-Verify the web servers continue to serve their hostnames.
+Verify the web servers continue to serve their hostnames:
 -->
-
-验证所有 web 服务器在继续使用它们的主机名提供服务。
+验证所有 Web 服务器在继续使用它们的主机名提供服务：
 
 ```
 for i in 0 1; do kubectl exec -i -t "web-$i" -- curl http://localhost/; done
@@ -583,35 +628,37 @@ web-1
 Even though `web-0` and `web-1` were rescheduled, they continue to serve their
 hostnames because the PersistentVolumes associated with their
 PersistentVolumeClaims are remounted to their `volumeMounts`. No matter what
-node `web-0`and `web-1` are scheduled on, their PersistentVolumes will be
+node `web-0` and `web-1` are scheduled on, their PersistentVolumes will be
 mounted to the appropriate mount points.
+-->
+虽然 `web-0` 和 `web-1` 被重新调度了，但它们仍然继续监听各自的主机名，因为和它们的
+PersistentVolumeClaim 相关联的 PersistentVolume 卷被重新挂载到了各自的 `volumeMount` 上。
+不管 `web-0` 和 `web-1` 被调度到了哪个节点上，它们的 PersistentVolume 卷将会被挂载到合适的挂载点上。
 
+<!--
 ## Scaling a StatefulSet
+-->
+## 扩容/缩容 StatefulSet   {#scaling-a-statefulset}
+
+<!--
 Scaling a StatefulSet refers to increasing or decreasing the number of replicas.
 This is accomplished by updating the `replicas` field. You can use either
 [`kubectl scale`](/docs/reference/generated/kubectl/kubectl-commands/#scale) or
 [`kubectl patch`](/docs/reference/generated/kubectl/kubectl-commands/#patch) to scale a StatefulSet.
-
-### Scaling Up
-
-In one terminal window, watch the Pods in the StatefulSet.
 -->
-
-虽然 `web-0` 和 `web-1` 被重新调度了，但它们仍然继续监听各自的主机名，因为和它们的 PersistentVolumeClaim 相关联的 PersistentVolume 被重新挂载到了各自的 `volumeMount` 上。
-不管 `web-0` 和 `web-1` 被调度到了哪个节点上，它们的 PersistentVolumes 将会被挂载到合适的挂载点上。
-
-
-## 扩容/缩容 StatefulSet
-
 扩容/缩容 StatefulSet 指增加或减少它的副本数。这通过更新 `replicas` 字段完成。
-你可以使用[`kubectl scale`](/zh/docs/user-guide/kubectl/{{< param "version" >}}/#scale) 
-或者[`kubectl patch`](/zh/docs/user-guide/kubectl/{{< param "version" >}}/#patch)来扩容/缩容一个 StatefulSet。
-
-
-### 扩容
+你可以使用 [`kubectl scale`](/docs/reference/generated/kubectl/kubectl-commands/#scale)
+或者 [`kubectl patch`](/docs/reference/generated/kubectl/kubectl-commands/#patch) 来扩容/缩容一个 StatefulSet。
 
+<!--
+### Scaling Up
+-->
+### 扩容   {#scaling-up}
 
-在一个终端窗口观察 StatefulSet 的 Pod。
+<!--
+In one terminal window, watch the Pods in the StatefulSet:
+-->
+在一个终端窗口监视 StatefulSet 的 Pod：
 
 ```shell
 kubectl get pods -w -l app=nginx
@@ -619,9 +666,9 @@ kubectl get pods -w -l app=nginx
 
 <!--
 In another terminal window, use `kubectl scale` to scale the number of replicas
-to 5.-->
-
-在另一个终端窗口使用 `kubectl scale` 扩展副本数为 5。
+to 5:
+-->
+在另一个终端窗口使用 `kubectl scale` 扩展副本数为 5：
 
 ```shell
 kubectl scale sts web --replicas=5
@@ -629,11 +676,11 @@ kubectl scale sts web --replicas=5
 ```
 statefulset.apps/web scaled
 ```
+
 <!--
 Examine the output of the `kubectl get` command in the first terminal, and wait
 for the three additional Pods to transition to Running and Ready.
 -->
-
 在第一个 终端中检查 `kubectl get` 命令的输出，等待增加的 3 个 Pod 的状态变为 Running 和 Ready。
 
 ```shell
@@ -664,19 +711,20 @@ The StatefulSet controller scaled the number of replicas. As with
 created each Pod sequentially with respect to its ordinal index, and it
 waited for each Pod's predecessor to be Running and Ready before launching the
 subsequent Pod.
-
-### Scaling Down
-
-In one terminal, watch the StatefulSet's Pods.
 -->
-
 StatefulSet 控制器扩展了副本的数量。
-如同[创建 StatefulSet](#顺序创建pod) 所述，StatefulSet 按序号索引顺序的创建每个 Pod，并且会等待前一个 Pod 变为 Running 和 Ready 才会启动下一个 Pod。
-
-### 缩容
+如同[创建 StatefulSet](#ordered-pod-creation) 所述，StatefulSet 按序号索引顺序创建各个
+Pod，并且会等待前一个 Pod 变为 Running 和 Ready 才会启动下一个 Pod。
 
+<!--
+### Scaling Down
+-->
+### 缩容   {#scaling-down}
 
-在一个终端观察 StatefulSet 的 Pod。
+<!--
+In one terminal, watch the StatefulSet's Pods:
+-->
+在一个终端监视 StatefulSet 的 Pod：
 
 ```shell
 kubectl get pods -w -l app=nginx
@@ -684,10 +732,9 @@ kubectl get pods -w -l app=nginx
 
 <!--
 In another terminal, use `kubectl patch` to scale the StatefulSet back down to
-three replicas.
+three replicas:
 -->
-
-在另一个终端使用 `kubectl patch` 将 StatefulSet 缩容回三个副本。
+在另一个终端使用 `kubectl patch` 将 StatefulSet 缩容回三个副本：
 
 ```shell
 kubectl patch sts web -p '{"spec":{"replicas":3}}'
@@ -699,7 +746,6 @@ statefulset.apps/web patched
 <!--
 Wait for `web-4` and `web-3` to transition to Terminating.
 -->
-
 等待 `web-4` 和 `web-3` 状态变为 Terminating。
 
 ```shell
@@ -722,21 +768,20 @@ web-3     1/1       Terminating   0         42s
 
 <!--
 ### Ordered Pod Termination
+-->
+### 顺序终止 Pod   {#ordered-pod-termination}
 
+<!--
 The controller deleted one Pod at a time, in reverse order with respect to its
 ordinal index, and it waited for each to be completely shutdown before
 deleting the next.
-
-Get the StatefulSet's PersistentVolumeClaims.
 -->
-
-### 顺序终止 Pod
-
-
 控制器会按照与 Pod 序号索引相反的顺序每次删除一个 Pod。在删除下一个 Pod 前会等待上一个被完全关闭。
 
-
-获取 StatefulSet 的 PersistentVolumeClaims。
+<!--
+Get the StatefulSet's PersistentVolumeClaims:
+-->
+获取 StatefulSet 的 PersistentVolumeClaims：
 
 ```shell
 kubectl get pvc -l app=nginx
@@ -754,46 +799,50 @@ www-web-4   Bound     pvc-e11bb5f8-b508-11e6-932f-42010a800002   1Gi        RWO
 <!--
 There are still five PersistentVolumeClaims and five PersistentVolumes.
 When exploring a Pod's [stable storage](#writing-to-stable-storage), we saw that the PersistentVolumes mounted to the Pods of a StatefulSet are not deleted when the StatefulSet's Pods are deleted. This is still true when Pod deletion is caused by scaling the StatefulSet down.
+-->
+五个 PersistentVolumeClaims 和五个 PersistentVolume 卷仍然存在。
+查看 Pod 的[稳定存储](#stable-storage)，我们发现当删除 StatefulSet 的
+Pod 时，挂载到 StatefulSet 的 Pod 的 PersistentVolume 卷不会被删除。
+当这种删除行为是由 StatefulSet 缩容引起时也是一样的。
 
+<!--
 ## Updating StatefulSets
+-->
+## 更新 StatefulSet   {#updating-statefulsets}
 
+<!--
 In Kubernetes 1.7 and later, the StatefulSet controller supports automated updates.  The
 strategy used is determined by the `spec.updateStrategy` field of the
 StatefulSet API Object. This feature can be used to upgrade the container
 images, resource requests and/or limits, labels, and annotations of the Pods in a
 StatefulSet. There are two valid update strategies, `RollingUpdate` and
 `OnDelete`.
+-->
+从 Kubernetes 1.7 版本开始，StatefulSet 控制器支持自动更新。
+更新策略由 StatefulSet API 对象的 `spec.updateStrategy` 字段决定。这个特性能够用来更新一个
+StatefulSet 中 Pod 的的容器镜像、资源请求和限制、标签和注解。
 
+<!--
 `RollingUpdate` update strategy is the default for StatefulSets.
 -->
+`RollingUpdate` 更新策略是 StatefulSet 默认策略。
 
-五个 PersistentVolumeClaims 和五个 PersistentVolumes 仍然存在。
-查看 Pod 的 [稳定存储](#stable-storage)，我们发现当删除 StatefulSet 的 Pod 时，挂载到 StatefulSet 的 Pod 的 PersistentVolumes 不会被删除。
-当这种删除行为是由 StatefulSet 缩容引起时也是一样的。
-
-
-## 更新 StatefulSet
-
-
-Kubernetes 1.7 版本的 StatefulSet 控制器支持自动更新。
-更新策略由 StatefulSet API Object 的`spec.updateStrategy` 字段决定。这个特性能够用来更新一个 StatefulSet 中的 Pod 的 container images，resource requests，以及 limits，labels 和 annotations。
-`RollingUpdate`滚动更新是 StatefulSets 默认策略。
-
+<!--
+### Rolling Update
+-->
+### 滚动更新   {#rolling-update}
 
 <!--
 The `RollingUpdate` update strategy will update all Pods in a StatefulSet, in
 reverse ordinal order, while respecting the StatefulSet guarantees.
-
-Patch the `web` StatefulSet to apply the `RollingUpdate` update strategy.
 -->
+`RollingUpdate` 更新策略会更新一个 StatefulSet 中的所有
+Pod，采用与序号索引相反的顺序并遵循 StatefulSet 的保证。
 
-### Rolling Update 策略
-
-
-`RollingUpdate` 更新策略会更新一个 StatefulSet 中所有的 Pod，采用与序号索引相反的顺序并遵循 StatefulSet 的保证。
-
-
-Patch `web` StatefulSet 来执行 `RollingUpdate` 更新策略。
+<!--
+Patch the `web` StatefulSet to apply the `RollingUpdate` update strategy:
+-->
+对 `web` StatefulSet 应用 Patch 操作来应用 `RollingUpdate` 更新策略：
 
 ```shell
 kubectl patch statefulset web -p '{"spec":{"updateStrategy":{"type":"RollingUpdate"}}}'
@@ -801,12 +850,12 @@ kubectl patch statefulset web -p '{"spec":{"updateStrategy":{"type":"RollingUpda
 ```
 statefulset.apps/web patched
 ```
+
 <!--
 In one terminal window, patch the `web` StatefulSet to change the container
-image again.
+image again:
 -->
-
-在一个终端窗口中 patch `web` StatefulSet 来再次的改变容器镜像。
+在一个终端窗口中对 `web` StatefulSet 执行 patch 操作来再次改变容器镜像：
 
 ```shell
 kubectl patch statefulset web --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"gcr.io/google_containers/nginx-slim:0.8"}]'
@@ -816,18 +865,19 @@ statefulset.apps/web patched
 ```
 
 <!--
-In another terminal, watch the Pods in the StatefulSet.
+In another terminal, watch the Pods in the StatefulSet:
 -->
-
-在另一个终端监控 StatefulSet 中的 Pod。
+在另一个终端监控 StatefulSet 中的 Pod：
 
 ```shell
-kubectl get po -l app=nginx -w
+kubectl get pod -l app=nginx -w
 ```
+
 <!--
 The output is similar to:
 -->
 输出类似于：
+
 ```
 NAME      READY     STATUS    RESTARTS   AGE
 web-0     1/1       Running   0          7m
@@ -869,21 +919,26 @@ StatefulSet controller terminates each Pod, and waits for it to transition to Ru
 Ready prior to updating the next Pod. Note that, even though the StatefulSet
 controller will not proceed to update the next Pod until its ordinal successor
 is Running and Ready, it will restore any Pod that fails during the update to
-its current version. Pods that have already received the update will be
-restored to the updated version, and Pods that have not yet received the
-update will be restored to the previous version. In this way, the controller
-attempts to continue to keep the application healthy and the update consistent
-in the presence of intermittent failures.
-
-Get the Pods to view their container images.
+its current version.
 -->
+StatefulSet 里的 Pod 采用和序号相反的顺序更新。在更新下一个 Pod 前，StatefulSet
+控制器终止每个 Pod 并等待它们变成 Running 和 Ready。
+请注意，虽然在顺序后继者变成 Running 和 Ready 之前 StatefulSet 控制器不会更新下一个
+Pod，但它仍然会重建任何在更新过程中发生故障的 Pod，使用的是它们当前的版本。
 
-StatefulSet 里的 Pod 采用和序号相反的顺序更新。在更新下一个 Pod 前，StatefulSet 控制器终止每个 Pod 并等待它们变成 Running 和 Ready。
-请注意，虽然在顺序后继者变成 Running 和 Ready 之前 StatefulSet 控制器不会更新下一个 Pod，但它仍然会重建任何在更新过程中发生故障的 Pod，使用的是它们当前的版本。
+<!--
+Pods that have already received the update will be restored to the updated version,
+and Pods that have not yet received the update will be restored to the previous
+version. In this way, the controller attempts to continue to keep the application
+healthy and the update consistent in the presence of intermittent failures.
+-->
 已经接收到更新请求的 Pod 将会被恢复为更新的版本，没有收到请求的 Pod 则会被恢复为之前的版本。
 像这样，控制器尝试继续使应用保持健康并在出现间歇性故障时保持更新的一致性。
 
-获取 Pod 来查看他们的容器镜像。
+<!--
+Get the Pods to view their container images:
+-->
+获取 Pod 来查看它们的容器镜像：
 
 ```shell
 for p in 0 1 2; do kubectl get pod "web-$p" --template '{{range $i, $c := .spec.containers}}{{$c.image}}{{end}}'; echo; done
@@ -897,32 +952,37 @@ k8s.gcr.io/nginx-slim:0.8
 
 <!--
 All the Pods in the StatefulSet are now running the previous container image.
+-->
+StatefulSet 中的所有 Pod 现在都在运行之前的容器镜像。
 
-**Tip** You can also use `kubectl rollout status sts/<name>` to view
-the status of a rolling update.
+{{< note >}}
+<!--
+You can also use `kubectl rollout status sts/<name>` to view
+the status of a rolling update to a StatefulSet
+-->
+你还可以使用 `kubectl rollout status sts/<名称>` 来查看
+StatefulSet 的滚动更新状态。
+{{< /note >}}
 
+<!--
 #### Staging an Update
+-->
+#### 分段更新   {#staging-an-update}
+
+<!--
 You can stage an update to a StatefulSet by using the `partition` parameter of
 the `RollingUpdate` update strategy. A staged update will keep all of the Pods
 in the StatefulSet at the current version while allowing mutations to the
 StatefulSet's `.spec.template`.
-
-Patch the `web` StatefulSet to add a partition to the `updateStrategy` field.
 -->
-
-StatefulSet 中的所有 Pod 现在都在运行之前的容器镜像。
-
-
-**小窍门**：你还可以使用 `kubectl rollout status sts/<name>` 来查看 rolling update 的状态。
-
-
-#### 分段更新
-
 你可以使用 `RollingUpdate` 更新策略的 `partition` 参数来分段更新一个 StatefulSet。
-分段的更新将会使 StatefulSet 中的其余所有 Pod 保持当前版本的同时仅允许改变 StatefulSet 的  `.spec.template`。
-
+分段的更新将会使 StatefulSet 中的其余所有 Pod 保持当前版本的同时允许改变
+StatefulSet 的 `.spec.template`。
 
-Patch `web` StatefulSet 来对 `updateStrategy` 字段添加一个分区。
+<!--
+Patch the `web` StatefulSet to add a partition to the `updateStrategy` field:
+-->
+对 `web` StatefulSet 执行 Patch 操作以为 `updateStrategy` 字段添加一个分区：
 
 ```shell
 kubectl patch statefulset web -p '{"spec":{"updateStrategy":{"type":"RollingUpdate","rollingUpdate":{"partition":3}}}}'
@@ -932,10 +992,9 @@ statefulset.apps/web patched
 ```
 
 <!--
-Patch the StatefulSet again to change the container's image.
+Patch the StatefulSet again to change the container's image:
 -->
-
-再次 Patch StatefulSet 来改变容器镜像。
+再次 Patch StatefulSet 来改变容器镜像：
 
 ```shell
 kubectl patch statefulset web --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"k8s.gcr.io/nginx-slim:0.7"}]'
@@ -945,10 +1004,9 @@ statefulset.apps/web patched
 ```
 
 <!--
-Delete a Pod in the StatefulSet.
+Delete a Pod in the StatefulSet:
 -->
-
-删除 StatefulSet 中的 Pod。
+删除 StatefulSet 中的 Pod：
 
 ```shell
 kubectl delete pod web-2
@@ -960,7 +1018,6 @@ pod "web-2" deleted
 <!--
 Wait for the Pod to be Running and Ready.
 -->
-
 等待 Pod 变成 Running 和 Ready。
 
 ```shell
@@ -975,10 +1032,9 @@ web-2     1/1       Running   0         18s
 ```
 
 <!--
-Get the Pod's container.
+Get the Pod's container image:
 -->
-
-获取 Pod 的容器。
+获取 Pod 的容器镜像：
 
 ```shell
 kubectl get pod web-2 --template '{{range $i, $c := .spec.containers}}{{$c.image}}{{end}}'
@@ -989,27 +1045,29 @@ k8s.gcr.io/nginx-slim:0.8
 
 <!--
 Notice that, even though the update strategy is `RollingUpdate` the StatefulSet
-controller restored the Pod with its original container. This is because the
+restored the Pod with its original container. This is because the
 ordinal of the Pod is less than the `partition` specified by the
 `updateStrategy`.
+-->
+请注意，虽然更新策略是 `RollingUpdate`，StatefulSet 还是会使用原始的容器恢复 Pod。
+这是因为 Pod 的序号比 `updateStrategy` 指定的 `partition` 更小。
 
+<!--
 #### Rolling Out a Canary
+-->
+#### 金丝雀发布   {#rolling-out-a-canary}
+
+<!--
 You can roll out a canary to test a modification by decrementing the `partition`
 you specified [above](#staging-an-update).
-
-Patch the StatefulSet to decrement the partition.
 -->
+你可以通过减少[上文](#staging-an-update)指定的
+`partition` 来进行金丝雀发布，以此来测试你的程序的改动。
 
-请注意，虽然更新策略是 `RollingUpdate`，StatefulSet 控制器还是会使用原始的容器恢复 Pod。
-这是因为 Pod 的序号比 `updateStrategy` 指定的 `partition` 更小。
-
-
-#### 灰度发布
-
-你可以通过减少 [上文](#分段更新)指定的 `partition` 来进行灰度发布，以此来测试你的程序的改动。
-
-
-通过 patch 命令修改 StatefulSet 来减少分区。
+<!--
+Patch the StatefulSet to decrement the partition:
+-->
+通过 patch 命令修改 StatefulSet 来减少分区：
 
 ```shell
 kubectl patch statefulset web -p '{"spec":{"updateStrategy":{"type":"RollingUpdate","rollingUpdate":{"partition":2}}}}'
@@ -1021,7 +1079,6 @@ statefulset.apps/web patched
 <!--
 Wait for `web-2` to be Running and Ready.
 -->
-
 等待 `web-2` 变成 Running 和 Ready。
 
 ```shell
@@ -1036,10 +1093,9 @@ web-2     1/1       Running   0         18s
 ```
 
 <!--
-Get the Pod's container.
+Get the Pod's container:
 -->
-
-获取 Pod 的容器。
+获取 Pod 的容器：
 
 ```shell
 kubectl get pod web-2 --template '{{range $i, $c := .spec.containers}}{{$c.image}}{{end}}'
@@ -1053,14 +1109,14 @@ k8s.gcr.io/nginx-slim:0.7
 When you changed the `partition`, the StatefulSet controller automatically
 updated the `web-2` Pod because the Pod's ordinal was greater than or equal to
 the `partition`.
-
-Delete the `web-1` Pod.
 -->
+当你改变 `partition` 时，StatefulSet 会自动更新 `web-2`
+Pod，这是因为 Pod 的序号大于或等于 `partition`。
 
-当你改变 `partition` 时，StatefulSet 会自动的更新 `web-2` Pod，这是因为 Pod 的序号大于或等于 `partition`。
-
-
-删除 `web-1` Pod。
+<!--
+Delete the `web-1` Pod:
+-->
+删除 `web-1` Pod：
 
 ```shell
 kubectl delete pod web-1
@@ -1072,16 +1128,17 @@ pod "web-1" deleted
 <!--
 Wait for the `web-1` Pod to be Running and Ready.
 -->
-
 等待 `web-1` 变成 Running 和 Ready。
 
 ```shell
 kubectl get pod -l app=nginx -w
 ```
+
 <!--
 The output is similar to:
 -->
 输出类似于：
+
 ```
 NAME      READY     STATUS        RESTARTS   AGE
 web-0     1/1       Running       0          6m
@@ -1097,10 +1154,9 @@ web-1     1/1       Running   0         18s
 ```
 
 <!--
-Get the `web-1` Pods container.
+Get the `web-1` Pod's container image:
 -->
-
-获取 `web-1` Pod 的容器。
+获取 `web-1` Pod 的容器镜像：
 
 ```shell
 kubectl get pod web-1 --template '{{range $i, $c := .spec.containers}}{{$c.image}}{{end}}'
@@ -1116,28 +1172,31 @@ ordinal that is greater than or equal to the partition will be updated when the
 StatefulSet's `.spec.template` is updated. If a Pod that has an ordinal less
 than the partition is deleted or otherwise terminated, it will be restored to
 its original configuration.
+-->
+`web-1` 被按照原来的配置恢复，因为 Pod 的序号小于分区。当指定了分区时，如果更新了
+StatefulSet 的 `.spec.template`，则所有序号大于或等于分区的 Pod 都将被更新。
+如果一个序号小于分区的 Pod 被删除或者终止，它将被按照原来的配置恢复。
 
+<!--
 #### Phased Roll Outs
+-->
+#### 分阶段的发布   {#phased-roll-outs}
+
+<!--
 You can perform a phased roll out (e.g. a linear, geometric, or exponential
 roll out) using a partitioned rolling update in a similar manner to how you
 rolled out a [canary](#rolling-out-a-canary). To perform a phased roll out, set
 the `partition` to the ordinal at which you want the controller to pause the
 update.
-
-The partition is currently set to `2`. Set the partition to `0`.
 -->
-
-`web-1` 被按照原来的配置恢复，因为 Pod 的序号小于分区。当指定了分区时，如果更新了 StatefulSet 的 `.spec.template`，则所有序号大于或等于分区的 Pod 都将被更新。
-如果一个序号小于分区的 Pod 被删除或者终止，它将被按照原来的配置恢复。
-
-
-#### 分阶段的发布
-
-你可以使用类似[灰度发布](#灰度发布)的方法执行一次分阶段的发布（例如一次线性的、等比的或者指数形式的发布）。
+你可以使用类似[金丝雀发布](#rolling-out-a-canary)的方法执行一次分阶段的发布
+（例如一次线性的、等比的或者指数形式的发布）。
 要执行一次分阶段的发布，你需要设置 `partition` 为希望控制器暂停更新的序号。
 
-
-分区当前为`2`。请将分区设置为`0`。
+<!--
+The partition is currently set to `2`. Set the partition to `0`:
+-->
+分区当前为 `2`。请将分区设置为 `0`：
 
 ```shell
 kubectl patch statefulset web -p '{"spec":{"updateStrategy":{"type":"RollingUpdate","rollingUpdate":{"partition":0}}}}'
@@ -1149,16 +1208,17 @@ statefulset.apps/web patched
 <!--
 Wait for all of the Pods in the StatefulSet to become Running and Ready.
 -->
-
 等待 StatefulSet 中的所有 Pod 变成 Running 和 Ready。
 
 ```shell
 kubectl get pod -l app=nginx -w
 ```
+
 <!--
 The output is similar to:
 -->
 输出类似于：
+
 ```
 NAME      READY     STATUS              RESTARTS   AGE
 web-0     1/1       Running             0          3m
@@ -1176,11 +1236,11 @@ web-0     0/1       Pending   0         0s
 web-0     0/1       ContainerCreating   0         0s
 web-0     1/1       Running   0         3s
 ```
+
 <!--
-Get the Pod's containers.
+Get the container image details for the Pods in the StatefulSet:
 -->
-
-获取 Pod 的容器。
+获取 StatefulSet 中 Pod 的容器镜像详细信息：
 
 ```shell
 for p in 0 1 2; do kubectl get pod "web-$p" --template '{{range $i, $c := .spec.containers}}{{$c.image}}{{end}}'; echo; done
@@ -1192,46 +1252,48 @@ k8s.gcr.io/nginx-slim:0.7
 ```
 
 <!--
-By moving the `partition` to `0`, you allowed the StatefulSet controller to
+By moving the `partition` to `0`, you allowed the StatefulSet to
 continue the update process.
+-->
+将 `partition` 改变为 `0` 以允许 StatefulSet 继续更新过程。
 
+<!--
 ### On Delete
+-->
+### OnDelete 策略   {#on-delete}
 
+<!--
 The `OnDelete` update strategy implements the legacy (1.6 and prior) behavior,
 When you select this update strategy, the StatefulSet controller will not
 automatically update Pods when a modification is made to the StatefulSet's
 `.spec.template` field. This strategy can be selected by setting the
 `.spec.template.updateStrategy.type` to `OnDelete`.
+-->
+`OnDelete` 更新策略实现了传统（1.7 之前）行为，它也是默认的更新策略。
+当你选择这个更新策略并修改 StatefulSet 的 `.spec.template` 字段时，StatefulSet 控制器将不会自动更新 Pod。
 
-
+<!--
 ## Deleting StatefulSets
+-->
+## 删除 StatefulSet   {#deleting-statefulsets}
 
+<!--
 StatefulSet supports both Non-Cascading and Cascading deletion. In a
 Non-Cascading Delete, the StatefulSet's Pods are not deleted when the StatefulSet is deleted. In a Cascading Delete, both the StatefulSet and its Pods are
 deleted.
+-->
+StatefulSet 同时支持级联和非级联删除。使用非级联方式删除 StatefulSet 时，StatefulSet
+的 Pod 不会被删除。使用级联删除时，StatefulSet 和它的 Pod 都会被删除。
 
+<!--
 ### Non-Cascading Delete
+-->
+### 非级联删除   {#non-cascading-delete}
 
+<!--
 In one terminal window, watch the Pods in the StatefulSet.
 -->
-
-将 `partition` 改变为 `0` 以允许 StatefulSet 控制器继续更新过程。
-
-### On Delete 策略
-
-`OnDelete` 更新策略实现了传统（1.7 之前）行为，它也是默认的更新策略。
-当你选择这个更新策略并修改 StatefulSet 的 `.spec.template` 字段时，StatefulSet 控制器将不会自动的更新 Pod。
-
-## 删除 StatefulSet
-
-
-StatefulSet 同时支持级联和非级联删除。使用非级联方式删除 StatefulSet 时，StatefulSet 的 Pod 不会被删除。使用级联删除时，StatefulSet 和它的 Pod 都会被删除。
-
-
-### 非级联删除
-
-
-在一个终端窗口查看 StatefulSet 中的 Pod。
+在一个终端窗口监视 StatefulSet 中的 Pod。
 
 ```
 kubectl get pods -w -l app=nginx
@@ -1243,9 +1305,9 @@ StatefulSet. Make sure to supply the `--cascade=orphan` parameter to the
 command. This parameter tells Kubernetes to only delete the StatefulSet, and to
 not delete any of its Pods.
 -->
-
-使用 [`kubectl delete`](/zh/docs/reference/generated/kubectl/kubectl-commands/#delete) 删除 StatefulSet。
-请确保提供了 `--cascade=orphan` 参数给命令。这个参数告诉 Kubernetes 只删除 StatefulSet 而不要删除它的任何 Pod。
+使用 [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands/#delete)
+删除 StatefulSet。请确保提供了 `--cascade=orphan` 参数给命令。这个参数告诉
+Kubernetes 只删除 StatefulSet 而不要删除它的任何 Pod。
 
 ```shell
 kubectl delete statefulset web --cascade=orphan
@@ -1255,10 +1317,9 @@ statefulset.apps "web" deleted
 ```
 
 <!--
-Get the Pods to examine their status.
+Get the Pods, to examine their status:
 -->
-
-获取 Pod 来检查他们的状态。
+获取 Pod 来检查它们的状态：
 
 ```shell
 kubectl get pods -l app=nginx
@@ -1272,11 +1333,10 @@ web-2     1/1       Running   0          5m
 
 <!--
 Even though `web` has been deleted, all of the Pods are still Running and Ready.
-Delete `web-0`.
+Delete `web-0`:
 -->
-
 虽然 `web`  已经被删除了，但所有 Pod 仍然处于 Running 和 Ready 状态。
-删除 `web-0`。
+删除 `web-0`：
 
 ```shell
 kubectl delete pod web-0
@@ -1286,10 +1346,9 @@ pod "web-0" deleted
 ```
 
 <!--
-Get the StatefulSet's Pods.
+Get the StatefulSet's Pods:
 -->
-
-获取 StatefulSet 的 Pod。
+获取 StatefulSet 的 Pod：
 
 ```shell
 kubectl get pods -l app=nginx
@@ -1302,13 +1361,12 @@ web-2     1/1       Running   0          7m
 
 <!--
 As the `web` StatefulSet has been deleted, `web-0` has not been relaunched.
+-->
+由于 `web` StatefulSet 已经被删除，`web-0` 没有被重新启动。
 
+<!--
 In one terminal, watch the StatefulSet's Pods.
 -->
-
-由于 `web` StatefulSet 已经被删除，`web-0`没有被重新启动。
-
-
 在一个终端监控 StatefulSet 的 Pod。
 
 ```shell
@@ -1317,10 +1375,11 @@ kubectl get pods -w -l app=nginx
 
 <!--
 In a second terminal, recreate the StatefulSet. Note that, unless
-you deleted the `nginx` Service ( which you should not have ), you will see
+you deleted the `nginx` Service (which you should not have), you will see
 an error indicating that the Service already exists.
 -->
-在另一个终端里重新创建 StatefulSet。请注意，除非你删除了 `nginx` Service （你不应该这样做），你将会看到一个错误，提示 Service 已经存在。
+在另一个终端里重新创建 StatefulSet。请注意，除非你删除了 `nginx`
+Service（你不应该这样做），你将会看到一个错误，提示 Service 已经存在。
 
 ```shell
 kubectl apply -f web.yaml
@@ -1329,16 +1388,17 @@ kubectl apply -f web.yaml
 statefulset.apps/web created
 service/nginx unchanged
 ```
+
 <!--
-Ignore the error. It only indicates that an attempt was made to create the nginx
-Headless Service even though that Service already exists.
+Ignore the error. It only indicates that an attempt was made to create the _nginx_
+headless Service even though that Service already exists.
+-->
+请忽略这个错误。它仅表示 kubernetes 进行了一次创建 _nginx_ headless Service
+的尝试，尽管那个 Service 已经存在。
 
+<!--
 Examine the output of the `kubectl get` command running in the first terminal.
 -->
-
-请忽略这个错误。它仅表示 kubernetes 进行了一次创建 nginx Headless Service 的尝试，尽管那个 Service 已经存在。
-
-
 在第一个终端中运行并检查 `kubectl get` 命令的输出。
 
 ```shell
@@ -1366,18 +1426,17 @@ Running and Ready, it adopted this Pod. Since you recreated the StatefulSet
 with `replicas` equal to 2, once `web-0` had been recreated, and once
 `web-1` had been determined to already be Running and Ready, `web-2` was
 terminated.
-
-Let's take another look at the contents of the `index.html` file served by the
-Pods' webservers:
 -->
-
 当重新创建 `web` StatefulSet 时，`web-0` 被第一个重新启动。
 由于 `web-1` 已经处于 Running 和 Ready 状态，当 `web-0` 变成 Running 和 Ready 时，
 StatefulSet 会接收这个 Pod。由于你重新创建的 StatefulSet 的 `replicas` 等于 2，
 一旦 `web-0` 被重新创建并且 `web-1` 被认为已经处于 Running 和 Ready 状态时，`web-2` 将会被终止。
 
-
-让我们再看看被 Pod 的 web 服务器加载的 `index.html` 的内容：
+<!--
+Let's take another look at the contents of the `index.html` file served by the
+Pods' webservers:
+-->
+让我们再看看被 Pod 的 Web 服务器加载的 `index.html` 的内容：
 
 ```shell
 for i in 0 1; do kubectl exec -i -t "web-$i" -- curl http://localhost/; done
@@ -1394,21 +1453,20 @@ serves the hostname originally entered into its `index.html` file. This is
 because the StatefulSet never deletes the PersistentVolumes associated with a
 Pod. When you recreated the StatefulSet and it relaunched `web-0`, its original
 PersistentVolume was remounted.
+-->
+尽管你同时删除了 StatefulSet 和 `web-0` Pod，但它仍然使用最初写入 `index.html` 文件的主机名进行服务。
+这是因为 StatefulSet 永远不会删除和一个 Pod 相关联的 PersistentVolume 卷。
+当你重建这个 StatefulSet 并且重新启动了 `web-0` 时，它原本的 PersistentVolume 卷会被重新挂载。
 
+<!--
 ### Cascading Delete
+-->
+### 级联删除   {#cascading-delete}
 
+<!--
 In one terminal window, watch the Pods in the StatefulSet.
 -->
-
-尽管你同时删除了 StatefulSet 和 `web-0` Pod，但它仍然使用最初写入 `index.html` 文件的主机名进行服务。
-这是因为 StatefulSet 永远不会删除和一个 Pod 相关联的 PersistentVolumes。
-当你重建这个 StatefulSet 并且重新启动了 `web-0` 时，它原本的 PersistentVolume 会被重新挂载。
-
-
-### 级联删除
-
-
-在一个终端窗口观察 StatefulSet 里的 Pod。
+在一个终端窗口监视 StatefulSet 里的 Pod。
 
 ```shell
 kubectl get pods -w -l app=nginx
@@ -1418,7 +1476,6 @@ kubectl get pods -w -l app=nginx
 In another terminal, delete the StatefulSet again. This time, omit the
 `--cascade=orphan` parameter.
 -->
-
 在另一个窗口中再次删除这个 StatefulSet。这次省略 `--cascade=orphan` 参数。
 
 ```shell
@@ -1433,7 +1490,6 @@ statefulset.apps "web" deleted
 Examine the output of the `kubectl get` command running in the first terminal,
 and wait for all of the Pods to transition to Terminating.
 -->
-
 在第一个终端检查 `kubectl get` 命令的输出，并等待所有的 Pod 变成 Terminating 状态。
 
 ```shell
@@ -1461,17 +1517,19 @@ As you saw in the [Scaling Down](#scaling-down) section, the Pods
 are terminated one at a time, with respect to the reverse order of their ordinal
 indices. Before terminating a Pod, the StatefulSet controller waits for
 the Pod's successor to be completely terminated.
-
-Note that, while a cascading delete will delete the StatefulSet and its Pods,
-it will not delete the Headless Service associated with the StatefulSet. You
-must delete the `nginx` Service manually.
 -->
-
 如同你在[缩容](#ordered-pod-termination)一节看到的，Pod 按照和他们序号索引相反的顺序每次终止一个。
 在终止一个 Pod 前，StatefulSet 控制器会等待 Pod 后继者被完全终止。
 
-
-请注意，虽然级联删除会删除 StatefulSet 和它的 Pod，但它并不会删除和 StatefulSet 关联的 Headless Service。你必须手动删除`nginx` Service。
+{{< note >}}
+<!--
+Although a cascading delete removes a StatefulSet together with its Pods,
+the cascade does not delete the headless Service associated with the StatefulSet.
+You must delete the `nginx` Service manually.
+-->
+尽管级联删除会删除 StatefulSet 及其 Pod，但级联不会删除与 StatefulSet
+关联的 Headless Service。你必须手动删除 `nginx` Service。
+{{< /note >}}
 
 ```shell
 kubectl delete service nginx
@@ -1482,10 +1540,9 @@ service "nginx" deleted
 ```
 
 <!--
-Recreate the StatefulSet and Headless Service one more time.
+Recreate the StatefulSet and headless Service one more time:
 -->
-
-再一次重新创建 StatefulSet 和 Headless Service。
+再一次重新创建 StatefulSet 和 headless Service：
 
 ```shell
 kubectl apply -f web.yaml
@@ -1498,10 +1555,9 @@ statefulset.apps/web created
 
 <!--
 When all of the StatefulSet's Pods transition to Running and Ready, retrieve
-the contents of their `index.html` files.
+the contents of their `index.html` files:
 -->
-
-当 StatefulSet 所有的 Pod 变成 Running 和 Ready 时，获取它们的 `index.html` 文件的内容。
+当 StatefulSet 所有的 Pod 变成 Running 和 Ready 时，获取它们的 `index.html` 文件的内容：
 
 ```shell
 for i in 0 1; do kubectl exec -i -t "web-$i" -- curl http://localhost/; done
@@ -1515,15 +1571,15 @@ web-1
 <!--
 Even though you completely deleted the StatefulSet, and all of its Pods, the
 Pods are recreated with their PersistentVolumes mounted, and `web-0` and
-`web-1` will still serve their hostnames.
-
-Finally delete the `web` StatefulSet and the `nginx` service.
+`web-1` continue to serve their hostnames.
 -->
+即使你已经删除了 StatefulSet 和它的全部 Pod，这些 Pod 将会被重新创建并挂载它们的
+PersistentVolume 卷，并且 `web-0` 和 `web-1` 将继续使用它的主机名提供服务。
 
-即使你已经删除了 StatefulSet 和它的全部 Pod，这些 Pod 将会被重新创建并挂载它们的 PersistentVolumes，并且 `web-0` 和 `web-1` 将仍然使用它们的主机名提供服务。
-
-
-最后删除 `nginx` service...
+<!--
+Finally, delete the `nginx` Service...
+-->
+最后删除 `nginx` service
 
 ```shell
 kubectl delete service nginx
@@ -1533,7 +1589,10 @@ kubectl delete service nginx
 service "nginx" deleted
 ```
 
-... 并且删除 `web` StatefulSet:
+<!--
+...and the `web` StatefulSet:
+-->
+并且删除 `web` StatefulSet:
 
 ```shell
 kubectl delete statefulset web
@@ -1545,74 +1604,73 @@ statefulset "web" deleted
 
 <!--
 ## Pod Management Policy
+-->
+## Pod 管理策略   {#pod-management-policy}
 
+<!--
 For some distributed systems, the StatefulSet ordering guarantees are
 unnecessary and/or undesirable. These systems require only uniqueness and
 identity. To address this, in Kubernetes 1.7, we introduced
 `.spec.podManagementPolicy` to the StatefulSet API Object.
+-->
+对于某些分布式系统来说，StatefulSet 的顺序性保证是不必要和/或者不应该的。
+这些系统仅仅要求唯一性和身份标志。为了解决这个问题，在 Kubernetes 1.7 中
+我们针对 StatefulSet API 对象引入了 `.spec.podManagementPolicy`。
+此选项仅影响扩缩操作的行为。更新不受影响。
 
+<!--
 ### OrderedReady Pod Management
+-->
+### OrderedReady Pod 管理策略   {#orderedready-pod-management}
 
+<!--
 `OrderedReady` pod management is the default for StatefulSets. It tells the
 StatefulSet controller to respect the ordering guarantees demonstrated
 above.
+-->
+`OrderedReady` Pod 管理策略是 StatefulSet 的默认选项。它告诉
+StatefulSet 控制器遵循上文展示的顺序性保证。
 
+<!--
 ### Parallel Pod Management
+-->
+### Parallel Pod 管理策略   {#parallel-pod-management}
 
+<!--
 `Parallel` pod management tells the StatefulSet controller to launch or
 terminate all Pods in parallel, and not to wait for Pods to become Running
 and Ready or completely terminated prior to launching or terminating another
 Pod. This option only affects the behavior for scaling operations. Updates are not affected.
 -->
-
-## Pod 管理策略
-
-
-
-对于某些分布式系统来说，StatefulSet 的顺序性保证是不必要和/或者不应该的。
-这些系统仅仅要求唯一性和身份标志。为了解决这个问题，在 Kubernetes 1.7 中
-我们针对 StatefulSet API 对象引入了 `.spec.podManagementPolicy`。
-此选项仅影响扩缩操作的行为。更新不受影响。
-
-### OrderedReady Pod 管理策略
-
-
-`OrderedReady` pod 管理策略是 StatefulSets 的默认选项。它告诉 StatefulSet 控制器遵循上文展示的顺序性保证。
-
-
-### Parallel Pod 管理策略
-
-
-`Parallel` pod 管理策略告诉 StatefulSet 控制器并行的终止所有 Pod，
+`Parallel` Pod 管理策略告诉 StatefulSet 控制器并行的终止所有 Pod，
 在启动或终止另一个 Pod 前，不必等待这些 Pod 变成 Running 和 Ready 或者完全终止状态。
 
 {{< codenew file="application/web/web-parallel.yaml" >}}
 
 <!--
 Download the example above, and save it to a file named `web-parallel.yaml`
+-->
+下载上面的例子并保存为 `web-parallel.yaml`。
 
+<!--
 This manifest is identical to the one you downloaded above except that the `.spec.podManagementPolicy`
 of the `web` StatefulSet is set to `Parallel`.
+-->
+这份清单和你在上文下载的完全一样，只是 `web` StatefulSet 的
+`.spec.podManagementPolicy` 设置成了 `Parallel`。
 
+<!--
 In one terminal, watch the Pods in the StatefulSet.
 -->
-
-下载上面的例子并保存为 `web-parallel.yaml`。
-
-
-这份清单和你在上文下载的完全一样，只是 `web` StatefulSet 的 `.spec.podManagementPolicy` 设置成了 `Parallel`。
-
-
-在一个终端窗口查看 StatefulSet 中的 Pod。
+在一个终端窗口监视 StatefulSet 中的 Pod。
 
 ```shell
-kubectl get po -lapp=nginx -w
+kubectl get pod -l app=nginx -w
 ```
 
 <!--
 In another terminal, create the StatefulSet and Service in the manifest:
 -->
-
 在另一个终端窗口创建清单中的 StatefulSet 和 Service：
 
 ```shell
@@ -1626,7 +1684,6 @@ statefulset.apps/web created
 <!--
 Examine the output of the `kubectl get` command that you executed in the first terminal.
 -->
-
 查看你在第一个终端中运行的 `kubectl get` 命令的输出。
 
 ```shell
@@ -1646,14 +1703,14 @@ web-1     1/1       Running   0         10s
 
 <!--
 The StatefulSet controller launched both `web-0` and `web-1` at the same time.
-
-Keep the second terminal open, and, in another terminal window scale the
-StatefulSet.
 -->
-
 StatefulSet 控制器同时启动了 `web-0` 和 `web-1`。
 
-保持第二个终端打开，并在另一个终端窗口中扩容 StatefulSet。
+<!--
+Keep the second terminal open, and, in another terminal window scale the
+StatefulSet:
+-->
+保持第二个终端打开，并在另一个终端窗口中扩容 StatefulSet：
 
 ```shell
 kubectl scale statefulset/web --replicas=4
@@ -1665,7 +1722,6 @@ statefulset.apps/web scaled
 <!--
 Examine the output of the terminal where the `kubectl get` command is running.
 -->
-
 在 `kubectl get` 命令运行的终端里检查它的输出。
 
 ```
@@ -1680,18 +1736,16 @@ web-3     1/1       Running   0         26s
 <!--
 The StatefulSet launched two new Pods, and it did not wait for
 the first to become Running and Ready prior to launching the second.
+-->
+StatefulSet 启动了两个新的 Pod，而且在启动第二个之前并没有等待第一个变成 Running 和 Ready 状态。
 
 ## {{% heading "cleanup" %}}
 
+<!--
 You should have two terminals open, ready for you to run `kubectl` commands as
 part of cleanup.
 -->
-
-StatefulSet 启动了两个新的 Pod，而且在启动第二个之前并没有等待第一个变成 Running 和 Ready 状态。
-
-## {{% heading "cleanup" %}}
-
-您应该打开两个终端，准备在清理过程中运行 `kubectl` 命令。
+你应该打开两个终端，准备在清理过程中运行 `kubectl` 命令。
 
 ```shell
 kubectl delete sts web
@@ -1701,8 +1755,7 @@ kubectl delete sts web
 <!--
 You can watch `kubectl get` to see those Pods being deleted.
 -->
-
-你可以监测 `kubectl get` 来查看那些 Pod 被删除
+你可以监视 `kubectl get` 来查看那些 Pod 被删除
 
 ```shell
 kubectl get pod -l app=nginx -w
@@ -1734,37 +1787,33 @@ web-3     0/1       Terminating   0         9m
 ```
 
 <!--
-The StatefulSet controller deletes all Pods concurrently, it does not wait for
+During deletion, a StatefulSet removes all Pods concurrently; it does not wait for
 a Pod's ordinal successor to terminate prior to deleting that Pod.
+-->
+在删除过程中，StatefulSet 将并发的删除所有 Pod，在删除一个
+Pod 前不会等待它的顺序后继者终止。
 
+<!--
 Close the terminal where the `kubectl get` command is running and delete the `nginx`
-Service.
+Service:
 -->
-
-StatefulSet 控制器将并发的删除所有 Pod，在删除一个 Pod 前不会等待它的顺序后继者终止。
-
-
-关闭 `kubectl get` 命令运行的终端并删除`nginx` Service。
+关闭 `kubectl get` 命令运行的终端并删除 `nginx` Service：
 
 ```shell
 kubectl delete svc nginx
 ```
 
 
-
-## {{% heading "cleanup" %}}
-
-
+{{< note >}}
 <!--
 You also need to delete the persistent storage media for the PersistentVolumes
 used in this tutorial.
+-->
+你需要删除本教程中用到的 PersistentVolume 卷的持久化存储介质。
 
-
+<!--
 Follow the necessary steps, based on your environment, storage configuration,
 and provisioning method, to ensure that all storage is reclaimed.
 -->
-
-你需要删除本教程中用到的 PersistentVolumes 的持久化存储介质。基于你的环境、存储配置和提供方式，按照必须的步骤保证回收所有的存储。
-
-
-
+基于你的环境、存储配置和制备方式，按照必须的步骤保证回收所有的存储。
+{{< /note >}}
\ No newline at end of file
diff --git a/content/zh/docs/tutorials/stateful-application/cassandra.md b/content/zh-cn/docs/tutorials/stateful-application/cassandra.md
similarity index 98%
rename from content/zh/docs/tutorials/stateful-application/cassandra.md
rename to content/zh-cn/docs/tutorials/stateful-application/cassandra.md
index fcf3273d0403f..43be73dc8c9f6 100644
--- a/content/zh/docs/tutorials/stateful-application/cassandra.md
+++ b/content/zh-cn/docs/tutorials/stateful-application/cassandra.md
@@ -30,7 +30,7 @@ For more information on the features used in this tutorial, see
 -->
 使用"StatefulSets"可以更轻松地将有状态的应用程序部署到你的 Kubernetes 集群中。
 有关本教程中使用的功能的更多信息，
-参阅 [StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)。
+参阅 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)。
 
 {{< note >}}
 <!--
@@ -160,7 +160,7 @@ If you don't see a Service named `cassandra`, that means creation failed. Read
 for help troubleshooting common issues.
 -->
 如果没有看到名为 `cassandra` 的服务，则表示创建失败。
-请阅读[调试服务](/zh/docs/tasks/debug/debug-application/debug-service/)，以解决常见问题。
+请阅读[调试服务](/zh-cn/docs/tasks/debug/debug-application/debug-service/)，以解决常见问题。
 
 <!--
 ## Using a StatefulSet to create a Cassandra ring
@@ -423,7 +423,7 @@ By using environment variables you can change values that are inserted into `cas
 并且包含 OpenJDK 8。
 
 该映像包括来自 Apache Debian 存储库的标准 Cassandra 安装。
-通过使用环境变量，您可以更改插入到 `cassandra.yaml` 中的值。
+通过使用环境变量，你可以更改插入到 `cassandra.yaml` 中的值。
 
 | 环境变量                 | 默认值           |
 | ------------------------ |:---------------: |
diff --git a/content/zh/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md b/content/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
similarity index 82%
rename from content/zh/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
rename to content/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
index 8bd486d6d56f4..6104c00410ee4 100644
--- a/content/zh/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
+++ b/content/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md
@@ -23,36 +23,35 @@ card:
 <!--
 This tutorial shows you how to deploy a WordPress site and a MySQL database using Minikube. Both applications use PersistentVolumes and PersistentVolumeClaims to store data.
 -->
-
-本示例描述了如何通过 Minikube 在 Kubernetes 上安装 WordPress 和 MySQL。这两个应用都使用 PersistentVolumes 和 PersistentVolumeClaims 保存数据。
-
+本示例描述了如何通过 Minikube 在 Kubernetes 上安装 WordPress 和 MySQL。
+这两个应用都使用 PersistentVolumes 和 PersistentVolumeClaims 保存数据。
 
 <!--
  A [PersistentVolume](/docs/concepts/storage/persistent-volumes/)(PV)is a piece of storage in the cluster that has been manually provisioned by an administrator, or dynamically provisioned by Kubernetes using a [StorageClass](/docs/concepts/storage/storage-classes).  A [PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)(PVC)is a request for storage by a user that can be fulfilled by a PV. PersistentVolumes and PersistentVolumeClaims are independent from Pod lifecycles and preserve data through restarting, rescheduling, and even deleting Pods.
- -->
-
-[PersistentVolume](/zh/docs/concepts/storage/persistent-volumes/)（PV）是一块集群里由管理员手动提供，或 kubernetes 通过 [StorageClass](/zh/docs/concepts/storage/storage-classes) 动态创建的存储。
-[PersistentVolumeClaim](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)（PVC）是一个满足对 PV 存储需要的请求。PersistentVolumes 和 PersistentVolumeClaims 是独立于 Pod 生命周期而在 Pod 重启，重新调度甚至删除过程中保存数据。
+-->
+[PersistentVolume](/zh-cn/docs/concepts/storage/persistent-volumes/)（PV）是一块集群里由管理员手动提供，
+或 kubernetes 通过 [StorageClass](/zh-cn/docs/concepts/storage/storage-classes) 动态创建的存储。
+[PersistentVolumeClaim](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
+是用户对存储的请求，该请求可由某个 PV 来满足。
+PersistentVolumes 和 PersistentVolumeClaims 独立于 Pod 生命周期而存在，
+在 Pod 重启，重新调度甚至删除过程中保存数据。
 
 {{< warning >}}
 <!--
  This deployment is not suitable for production use cases, as it uses single instance WordPress and MySQL Pods. Consider using [WordPress Helm Chart](https://github.com/kubernetes/charts/tree/master/stable/wordpress) to deploy WordPress in production.
  -->
-
-这种部署并不适合生产场景，它使用单实例 WordPress 和 MySQL Pods。考虑使用 [WordPress Helm Chart](https://github.com/kubernetes/charts/tree/master/stable/wordpress) 在生产场景中部署 WordPress。
+这种部署并不适合生产场景，它使用单实例 WordPress 和 MySQL Pods。
+在生产场景中，请考虑使用 [WordPress Helm Chart](https://github.com/kubernetes/charts/tree/master/stable/wordpress)
+部署 WordPress。
 {{< /warning >}}
 
 {{< note >}}
-
 <!--
  The files provided in this tutorial are using GA Deployment APIs and are specific to kubernetes version 1.9 and later. If you wish to use this tutorial with an earlier version of Kubernetes, please update the API version appropriately, or reference earlier versions of this tutorial.
 -->
-
-本教程中提供的文件使用 GA Deployment API，并且特定于 kubernetes 1.9 或更高版本。如果您希望将本教程与 Kubernetes 的早期版本一起使用，请相应地更新 API 版本，或参考本教程的早期版本。
+本教程中提供的文件使用 GA Deployment API，并且特定于 kubernetes 1.9 或更高版本。如果你希望将本教程与 Kubernetes 的早期版本一起使用，请相应地更新 API 版本，或参考本教程的早期版本。
 {{< /note >}}
 
-
-
 ## {{% heading "objectives" %}}
 
 <!--
@@ -64,7 +63,6 @@ This tutorial shows you how to deploy a WordPress site and a MySQL database usin
 * Apply the kustomization directory by `kubectl apply -k ./`
 * Clean up
 -->
-
 * 创建 PersistentVolumeClaims 和 PersistentVolumes
 * 创建 `kustomization.yaml` 使用
   * Secret 生成器
@@ -73,11 +71,8 @@ This tutorial shows you how to deploy a WordPress site and a MySQL database usin
 * 应用整个 kustomization 目录 `kubectl apply -k ./`
 * 清理
 
-
-
 ## {{% heading "prerequisites" %}}
 
-
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
 <!--
@@ -89,7 +84,6 @@ Download the following configuration files:
 
 1. [wordpress-deployment.yaml](/examples/application/wordpress/wordpress-deployment.yaml)
 -->
-
 此例在`kubectl` 1.14 或者更高版本有效。
 
 下载下面的配置文件：
@@ -98,16 +92,12 @@ Download the following configuration files:
 
 2. [wordpress-deployment.yaml](/examples/application/wordpress/wordpress-deployment.yaml)
 
-
-
 <!-- lessoncontent -->
 
 <!--
 ## Create PersistentVolumeClaims and PersistentVolumes
 -->
-
 ## 创建 PersistentVolumeClaims 和 PersistentVolumes
-
 <!-- MySQL and Wordpress each require a PersistentVolume to store data.  Their PersistentVolumeClaims will be created at the deployment step.
 
 Many cluster environments have a default StorageClass installed.  When a StorageClass is not specified in the PersistentVolumeClaim, the cluster's default StorageClass is used instead.
@@ -115,9 +105,11 @@ Many cluster environments have a default StorageClass installed.  When a Storage
 When a PersistentVolumeClaim is created, a PersistentVolume is dynamically provisioned based on the StorageClass configuration.
 -->
 
-MySQL 和 Wordpress 都需要一个 PersistentVolume 来存储数据。他们的 PersistentVolumeClaims 将在部署步骤中创建。
+MySQL 和 Wordpress 都需要一个 PersistentVolume 来存储数据。
+他们的 PersistentVolumeClaims 将在部署步骤中创建。
 
-许多群集环境都安装了默认的 StorageClass。如果在 PersistentVolumeClaim 中未指定 StorageClass，则使用群集的默认 StorageClass。
+许多集群环境都安装了默认的 StorageClass。如果在 PersistentVolumeClaim 中未指定 StorageClass，
+则使用集群的默认 StorageClass。
 
 创建 PersistentVolumeClaim 时，将根据 StorageClass 配置动态设置 PersistentVolume。
 
@@ -126,33 +118,34 @@ MySQL 和 Wordpress 都需要一个 PersistentVolume 来存储数据。他们的
 In local clusters, the default StorageClass uses the `hostPath` provisioner.  `hostPath` volumes are only suitable for development and testing. With `hostPath` volumes, your data lives in `/tmp` on the node the Pod is scheduled onto and does not move between nodes. If a Pod dies and gets scheduled to another node in the cluster, or the node is rebooted, the data is lost.
 -->
 
-在本地群集中，默认的 StorageClass 使用`hostPath`供应器。 `hostPath`卷仅适用于开发和测试。使用 `hostPath` 卷，您的数据位于 Pod 调度到的节点上的`/tmp`中，并且不会在节点之间移动。如果 Pod 死亡并被调度到群集中的另一个节点，或者该节点重新启动，则数据将丢失。
+在本地集群中，默认的 StorageClass 使用`hostPath`供应器。 `hostPath`卷仅适用于开发和测试。
+使用 `hostPath` 卷，你的数据位于 Pod 调度到的节点上的`/tmp`中，并且不会在节点之间移动。
+如果 Pod 死亡并被调度到集群中的另一个节点，或者该节点重新启动，则数据将丢失。
 {{< /warning >}}
 
 {{< note >}}
 <!--
 If you are bringing up a cluster that needs to use the `hostPath` provisioner, the `--enable-hostpath-provisioner` flag must be set in the `controller-manager` component.
 -->
-
-如果要建立需要使用`hostPath`设置程序的集群，则必须在 controller-manager 组件中设置`--enable-hostpath-provisioner`标志。
+如果要建立需要使用`hostPath`设置程序的集群，
+则必须在 controller-manager 组件中设置`--enable-hostpath-provisioner`标志。
 {{< /note >}}
 
 {{< note >}}
 <!-- If you have a Kubernetes cluster running on Google Kubernetes Engine, please follow [this guide](https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk). -->
 
-如果你已经有运行在 Google Kubernetes Engine 的集群，请参考 [this guide](https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk)。
+如果你已经有运行在 Google Kubernetes Engine 的集群，
+请参考[此指南](https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk)。
 {{< /note >}}
 
 <!--
 ## Create a kustomization.yaml
 -->
-
 ## 创建 kustomization.yaml
 
 <!--
 ### Add a Secret generator
 -->
-
 ### 创建 Secret 生成器
 
 <!--
@@ -160,10 +153,12 @@ A [Secret](/docs/concepts/configuration/secret/) is an object that stores a piec
 
 Add a Secret generator in `kustomization.yaml` from the following command. You will need to replace `YOUR_PASSWORD` with the password you want to use.
 -->
+[Secret](/zh-cn/docs/concepts/configuration/secret/) 是存储诸如密码或密钥之类的敏感数据的对象。
+从 1.14 开始，`kubectl`支持使用 kustomization 文件管理 Kubernetes 对象。
+你可以通过`kustomization.yaml`中的生成器创建一个 Secret。
 
-A [Secret](/zh/docs/concepts/configuration/secret/) 是存储诸如密码或密钥之类的敏感数据的对象。从 1.14 开始，`kubectl`支持使用 kustomization 文件管理 Kubernetes 对象。您可以通过`kustomization.yaml`中的生成器创建一个 Secret。
-
-通过以下命令在`kustomization.yaml`中添加一个 Secret 生成器。您需要用您要使用的密码替换`YOUR_PASSWORD`。
+通过以下命令在`kustomization.yaml`中添加一个 Secret 生成器。
+你需要用你要使用的密码替换`YOUR_PASSWORD`。
 
 ```shell
 cat <<EOF >./kustomization.yaml
@@ -177,14 +172,13 @@ EOF
 <!--
 ## Add resource configs for MySQL and WordPress
 -->
-
 ## 补充 MySQL 和 WordPress 的资源配置
 
 <!--
 The following manifest describes a single-instance MySQL Deployment. The MySQL container mounts the PersistentVolume at /var/lib/mysql. The `MYSQL_ROOT_PASSWORD` environment variable sets the database password from the Secret.
 -->
-
-以下 manifest 文件描述了单实例 MySQL 部署。MySQL 容器将 PersistentVolume 挂载在`/var/lib/mysql`。 `MYSQL_ROOT_PASSWORD`环境变量设置来自 Secret 的数据库密码。
+以下 manifest 文件描述了单实例 MySQL 部署。MySQL 容器将 PersistentVolume 挂载在`/var/lib/mysql`。 
+`MYSQL_ROOT_PASSWORD`环境变量设置来自 Secret 的数据库密码。
 
 {{< codenew file="application/wordpress/mysql-deployment.yaml" >}}
 
@@ -194,7 +188,6 @@ PersistentVolume at `/var/www/html` for website data files. The `WORDPRESS_DB_HO
 the name of the MySQL Service defined above, and WordPress will access the database by Service. The
 `WORDPRESS_DB_PASSWORD` environment variable sets the database password from the Secret kustomize generated.
 -->
-
 以下 manifest 文件描述了单实例 WordPress 部署。WordPress 容器将网站数据文件位于`/var/www/html`的 PersistentVolume。`WORDPRESS_DB_HOST`环境变量集上面定义的 MySQL Service 的名称，WordPress 将通过 Service 访问数据库。`WORDPRESS_DB_PASSWORD`环境变量设置从 Secret kustomize 生成的数据库密码。
 {{< codenew file="application/wordpress/wordpress-deployment.yaml" >}}
 
@@ -243,11 +236,9 @@ the name of the MySQL Service defined above, and WordPress will access the datab
       EOF
       ```
 
-
 <!--
 ## Apply and Verify
 -->
-
 ## 应用和验证
 
 <!--
@@ -342,14 +333,12 @@ Now you can verify that all objects exist.
 
    ![wordpress-init](https://raw.githubusercontent.com/kubernetes/examples/master/mysql-wordpress-pd/WordPress.png)
 -->
-
-
-`kustomization.yaml`包含用于部署 WordPress 网站的所有资源以及 MySQL 数据库。您可以通过以下方式应用目录
+`kustomization.yaml`包含用于部署 WordPress 网站的所有资源以及 MySQL 数据库。你可以通过以下方式应用目录
 ```shell
 kubectl apply -k ./
 ```
 
-现在，您可以验证所有对象是否存在。
+现在，你可以验证所有对象是否存在。
 
 1. 通过运行以下命令验证 Secret 是否存在：
 
@@ -428,19 +417,17 @@ kubectl apply -k ./
       http://1.2.3.4:32406
       ```
 
-6. 复制 IP 地址，然后将页面加载到浏览器中来查看您的站点。
+6. 复制 IP 地址，然后将页面加载到浏览器中来查看你的站点。
 
-      您应该看到类似于以下屏幕截图的 WordPress 设置页面。
+      你应该看到类似于以下屏幕截图的 WordPress 设置页面。
 
       ![wordpress-init](https://raw.githubusercontent.com/kubernetes/examples/master/mysql-wordpress-pd/WordPress.png)
 
-
-
 {{< warning >}}
 <!--
 Do not leave your WordPress installation on this page. If another user finds it, they can set up a website on your instance and use it to serve malicious content. <br/><br/>Either install WordPress by creating a username and password or delete your instance.
 -->
-不要在此页面上保留 WordPress 安装。如果其他用户找到了它，他们可以在您的实例上建立一个网站并使用它来提供恶意内容。<br/><br/>通过创建用户名和密码来安装 WordPress 或删除您的实例。
+不要在此页面上保留 WordPress 安装。如果其他用户找到了它，他们可以在你的实例上建立一个网站并使用它来提供恶意内容。<br/><br/>通过创建用户名和密码来安装 WordPress 或删除你的实例。
 
 {{< /warning >}}
 
@@ -454,27 +441,21 @@ Do not leave your WordPress installation on this page. If another user finds it,
       ```
 -->
 
-1. 运行一下命令删除您的 Secret，Deployments，Services and PersistentVolumeClaims：
+1. 运行一下命令删除你的 Secret，Deployments，Services and PersistentVolumeClaims：
 
       ```shell
       kubectl delete -k ./
       ```
 
-
-
 ## {{% heading "whatsnext" %}}
 
-
 <!--
-* Learn more about [Introspection and Debugging](/docs/tasks/debug/debug-application)
+* Learn more about [Introspection and Debugging](/docs/tasks/debug/debug-application/debug-running-pod/)
 * Learn more about [Jobs](/docs/concepts/workloads/controllers/jobs-run-to-completion/)
 * Learn more about [Port Forwarding](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
 * Learn how to [Get a Shell to a Container](/docs/tasks/debug/debug-application/get-shell-running-container/)
 -->
-
-* 了解更多关于 [Introspection and Debugging](/zh/docs/tasks/debug/debug-application)
-* 了解更多关于 [Jobs](/zh/docs/concepts/workloads/controllers/jobs-run-to-completion/)
-* 了解更多关于 [Port Forwarding](/zh/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
-* 了解如何 [Get a Shell to a Container](/zh/docs/tasks/debug/debug-application/get-shell-running-container/)
-
-
+* 进一步了解[自省与调试](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/)
+* 进一步了解 [Job](/zh-cn/docs/concepts/workloads/controllers/jobs-run-to-completion/)
+* 进一步了解[端口转发](/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
+* 了解如何[获得容器的 Shell](/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/)
diff --git a/content/zh/docs/tutorials/stateful-application/zookeeper.md b/content/zh-cn/docs/tutorials/stateful-application/zookeeper.md
similarity index 97%
rename from content/zh/docs/tutorials/stateful-application/zookeeper.md
rename to content/zh-cn/docs/tutorials/stateful-application/zookeeper.md
index e54ea6830f7f3..561cd55ccf43a 100644
--- a/content/zh/docs/tutorials/stateful-application/zookeeper.md
+++ b/content/zh-cn/docs/tutorials/stateful-application/zookeeper.md
@@ -26,9 +26,9 @@ Kubernetes using [StatefulSets](/docs/concepts/workloads/controllers/statefulset
 and [PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
 -->
 本教程展示了在 Kubernetes 上使用
-[StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)，
-[PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/#pod-disruption-budget) 和
-[PodAntiAffinity](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#亲和与反亲和)
+[StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)，
+[PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/#pod-disruption-budget) 和
+[PodAntiAffinity](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#亲和与反亲和)
 特性运行 [Apache Zookeeper](https://zookeeper.apache.org)。
 
 ## {{% heading "prerequisites" %}}
@@ -39,15 +39,15 @@ Kubernetes concepts.
 -->
 在开始本教程前，你应该熟悉以下 Kubernetes 概念。
 
-- [Pods](/zh/docs/concepts/workloads/pods/)
-- [集群 DNS](/zh/docs/concepts/services-networking/dns-pod-service/)
-- [无头服务（Headless Service）](/zh/docs/concepts/services-networking/service/#headless-services)
-- [PersistentVolumes](/zh/docs/concepts/storage/persistent-volumes/)
+- [Pods](/zh-cn/docs/concepts/workloads/pods/)
+- [集群 DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)
+- [无头服务（Headless Service）](/zh-cn/docs/concepts/services-networking/service/#headless-services)
+- [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
 - [PersistentVolume 制备](https://github.com/kubernetes/examples/tree/{{< param "githubbranch" >}}/staging/persistent-volume-provisioning/)
-- [StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)
-- [PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/#pod-disruption-budget)
-- [PodAntiAffinity](/zh/docs/concepts/scheduling-eviction/assign-pod-node/#亲和与反亲和)
-- [kubectl CLI](/zh/docs/reference/kubectl/kubectl/)
+- [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)
+- [PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/#pod-disruption-budget)
+- [PodAntiAffinity](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#亲和与反亲和)
+- [kubectl CLI](/zh-cn/docs/reference/kubectl/kubectl/)
 
 <!--
 You must have a cluster with at least four nodes, and each node requires at least 2 CPUs and 4 GiB of memory. In this tutorial you will cordon and drain the cluster's nodes. **This means that the cluster will terminate and evict all Pods on its nodes, and the nodes will temporarily become unschedulable.** You should use a dedicated cluster for this tutorial, or you should ensure that the disruption you cause will not interfere with other tenants.
@@ -140,10 +140,10 @@ and a [StatefulSet](/docs/concepts/workloads/controllers/statefulset/).
 ## 创建一个 ZooKeeper Ensemble
 
 下面的清单包含一个
-[无头服务](/zh/docs/concepts/services-networking/service/#headless-services)，
-一个 [Service](/zh/docs/concepts/services-networking/service/)，
-一个 [PodDisruptionBudget](/zh/docs/concepts/workloads/pods/disruptions/#specifying-a-poddisruptionbudget)，
-和一个 [StatefulSet](/zh/docs/concepts/workloads/controllers/statefulset/)。
+[无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)，
+一个 [Service](/zh-cn/docs/concepts/services-networking/service/)，
+一个 [PodDisruptionBudget](/zh-cn/docs/concepts/workloads/pods/disruptions/#specifying-a-poddisruptionbudget)，
+和一个 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)。
 
 {{< codenew file="application/zookeeper/zookeeper.yaml" >}}
 
@@ -308,7 +308,7 @@ The A records in [Kubernetes DNS](/docs/concepts/services-networking/dns-pod-ser
 
 ZooKeeper stores its application configuration in a file named `zoo.cfg`. Use `kubectl exec` to view the contents of the `zoo.cfg` file in the `zk-0` Pod.
 -->
-[Kubernetes DNS](/zh/docs/concepts/services-networking/dns-pod-service/)
+[Kubernetes DNS](/zh-cn/docs/concepts/services-networking/dns-pod-service/)
 中的 A 记录将 FQDNs 解析成为 Pods 的 IP 地址。
 如果 Pods 被调度，这个 A 记录将会使用 Pods 的新 IP 地址完成更新，
 但 A 记录的名称不会改变。
@@ -836,7 +836,7 @@ consider deploying a [sidecar container](/docs/concepts/cluster-administration/l
 -->
 Kubernetes 支持与多种日志方案集成。你可以选择一个最适合你的集群和应用
 的日志解决方案。对于集群级别的日志输出与整合，可以考虑部署一个
-[边车容器](/zh/docs/concepts/cluster-administration/logging#sidecar-container-with-logging-agent)
+[边车容器](/zh-cn/docs/concepts/cluster-administration/logging#sidecar-container-with-logging-agent)
 来轮转和提供日志数据。
 
 <!--
@@ -854,7 +854,7 @@ The `zk` `StatefulSet`'s Pod `template` contains a `SecurityContext`.
 
 在容器中允许应用以特权用户运行这条最佳实践是值得商讨的。
 如果你的组织要求应用以非特权用户运行，你可以使用
-[SecurityContext](/zh/docs/tasks/configure-pod-container/security-context/)
+[SecurityContext](/zh-cn/docs/tasks/configure-pod-container/security-context/)
 控制运行容器入口点所使用的用户。
 
 `zk` StatefulSet 的 Pod 的 `template` 包含了一个 `SecurityContext`。
@@ -1032,7 +1032,7 @@ Use the following command to examine the process tree for the ZooKeeper server r
 -->
 ### 处理进程故障
 
-[重启策略](/zh/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
+[重启策略](/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)
 控制 Kubernetes 如何处理一个 Pod 中容器入口点的进程故障。
 对于 StatefulSet 中的 Pods 来说，Always 是唯一合适的 RestartPolicy，也是默认值。
 你应该**绝不**覆盖有状态应用的默认策略。
diff --git a/content/zh/docs/tutorials/stateless-application/_index.md b/content/zh-cn/docs/tutorials/stateless-application/_index.md
similarity index 100%
rename from content/zh/docs/tutorials/stateless-application/_index.md
rename to content/zh-cn/docs/tutorials/stateless-application/_index.md
diff --git a/content/zh/docs/tutorials/stateless-application/expose-external-ip-address.md b/content/zh-cn/docs/tutorials/stateless-application/expose-external-ip-address.md
similarity index 90%
rename from content/zh/docs/tutorials/stateless-application/expose-external-ip-address.md
rename to content/zh-cn/docs/tutorials/stateless-application/expose-external-ip-address.md
index 8fe79a9a5d010..cd3989c3e840b 100644
--- a/content/zh/docs/tutorials/stateless-application/expose-external-ip-address.md
+++ b/content/zh-cn/docs/tutorials/stateless-application/expose-external-ip-address.md
@@ -28,9 +28,9 @@ external IP address.
 * Configure `kubectl` to communicate with your Kubernetes API server. For instructions, see the
   documentation for your cloud provider.
 -->
- * 安装 [kubectl](/zh/docs/tasks/tools/).
+ * 安装 [kubectl](/zh-cn/docs/tasks/tools/)。
  * 使用 Google Kubernetes Engine 或 Amazon Web Services 等云供应商创建 Kubernetes 集群。
-   本教程创建了一个[外部负载均衡器](/zh/docs/tasks/access-application-cluster/create-external-load-balancer/)，
+   本教程创建了一个[外部负载均衡器](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/)，
    需要云供应商。
  * 配置 `kubectl` 与 Kubernetes API 服务器通信。有关说明，请参阅云供应商文档。
 
@@ -50,7 +50,6 @@ external IP address.
 <!--
 ## Creating a service for an application running in five pods
 -->
-
 ## 为一个在五个 pod 中运行的应用程序创建服务
 
 <!--
@@ -133,7 +132,7 @@ external IP address.
    {{< /note >}}
    -->
    提示：`type=LoadBalancer` 服务由外部云服务提供商提供支持，本例中不包含此部分，
-   详细信息请参考[此页](/docs/concepts/services-networking/service/#loadbalancer)
+   详细信息请参考[此页](/zh-cn/docs/concepts/services-networking/service/#loadbalancer)
 
    <!--
    {{< note >}}
@@ -179,7 +178,7 @@ external IP address.
    -->
    记下服务公开的外部 IP 地址（`LoadBalancer Ingress`)。
    在本例中，外部 IP 地址是 104.198.205.71。还要注意 `Port` 和 `NodePort` 的值。
-   在本例中，`Port` 是 8080，`NodePort` 是32377。
+   在本例中，`Port` 是 8080，`NodePort` 是 32377。
 
 <!--
 1. In the preceding output, you can see that the service has several endpoints:
@@ -187,10 +186,10 @@ external IP address.
    addresses of the pods that are running the Hello World application. To
    verify these are pod addresses, enter this command:
 -->
-7. 在前面的输出中，您可以看到服务有几个端点：
+7. 在前面的输出中，你可以看到服务有几个端点：
    10.0.0.6:8080、10.0.1.6:8080、10.0.1.7:8080 和另外两个，
-   这些都是正在运行 Hello World 应用程序的 pod 的内部地址。
-   要验证这些是 pod 地址，请输入以下命令：
+   这些都是正在运行 Hello World 应用程序的 Pod 的内部地址。
+   要验证这些是 Pod 地址，请输入以下命令：
 
    ```shell
    kubectl get pods --output=wide
@@ -226,9 +225,9 @@ external IP address.
    If you are using minikube, typing `minikube service my-service` will
    automatically open the Hello World application in a browser.
    -->
-   其中 `<external-ip>` 是您的服务的外部 IP 地址（`LoadBalancer Ingress`），
-   `<port>` 是您的服务描述中的 `port` 的值。
-   如果您正在使用 minikube，输入 `minikube service my-service` 将在浏览器中自动打开 Hello World 应用程序。
+   其中 `<external-ip>` 是你的服务的外部 IP 地址（`LoadBalancer Ingress`），
+   `<port>` 是你的服务描述中的 `port` 的值。
+   如果你正在使用 minikube，输入 `minikube service my-service` 将在浏览器中自动打开 Hello World 应用程序。
 
    <!--
    The response to a successful request is a hello message:
@@ -244,7 +243,7 @@ external IP address.
 <!--
 To delete the Service, enter this command:
 -->
-要删除服务，请输入以下命令：
+要删除 Service，请输入以下命令：
 
 ```shell
 kubectl delete services my-service
@@ -266,5 +265,5 @@ kubectl delete deployment hello-world
 Learn more about
 [connecting applications with services](/docs/concepts/services-networking/connect-applications-service/).
 -->
-进一步了解[将应用程序与服务连接](/zh/docs/concepts/services-networking/connect-applications-service/)。
+进一步了解[将应用程序与服务连接](/zh-cn/docs/concepts/services-networking/connect-applications-service/)。
 
diff --git a/content/zh/docs/tutorials/stateless-application/guestbook.md b/content/zh-cn/docs/tutorials/stateless-application/guestbook.md
similarity index 95%
rename from content/zh/docs/tutorials/stateless-application/guestbook.md
rename to content/zh-cn/docs/tutorials/stateless-application/guestbook.md
index b5b9003db52eb..25274ca7ed2f8 100644
--- a/content/zh/docs/tutorials/stateless-application/guestbook.md
+++ b/content/zh-cn/docs/tutorials/stateless-application/guestbook.md
@@ -28,8 +28,8 @@ min-kubernetes-server-version: v1.14
 <!--
 This tutorial shows you how to build and deploy a simple _(not production ready)_, multi-tier web application using Kubernetes and [Docker](https://www.docker.com/). This example consists of the following components:
 -->
-本教程向您展示如何使用 Kubernetes 和 [Docker](https://www.docker.com/) 构建和部署
-一个简单的 _(非面向生产的)_ 多层 web 应用程序。本例由以下组件组成：
+本教程向你展示如何使用 Kubernetes 和 [Docker](https://www.docker.com/)
+构建和部署一个简单的 **(非面向生产的)** 多层 web 应用程序。本例由以下组件组成：
 
 <!--
 * A single-instance [Redis](https://www.redis.io/) to store guestbook entries
@@ -74,7 +74,6 @@ The guestbook application uses Redis to store its data.
 <!--
 ### Creating the Redis Deployment
 -->
-
 ### 创建 Redis Deployment
 
 <!--
@@ -137,7 +136,7 @@ The manifest file, included below, specifies a Deployment controller that runs a
 The guestbook application needs to communicate to the Redis to write its data. You need to apply a [Service](/docs/concepts/services-networking/service/) to proxy the traffic to the Redis Pod. A Service defines a policy to access the Pods.
 -->
 留言板应用程序需要往 Redis 中写数据。因此，需要创建
-[Service](/zh/docs/concepts/services-networking/service/) 来转发 Redis Pod
+[Service](/zh-cn/docs/concepts/services-networking/service/) 来转发 Redis Pod
 的流量。Service 定义了访问 Pod 的策略。
 
 {{< codenew file="application/guestbook/redis-leader-service.yaml" >}}
@@ -240,7 +239,7 @@ The guestbook application needs to communicate with the Redis followers to read
 
 Guestbook 应用需要与 Redis 跟随者通信以读取数据。
 为了让 Redis 跟随者可被发现，你必须创建另一个
-[Service](/zh/docs/concepts/services-networking/service/)。
+[Service](/zh-cn/docs/concepts/services-networking/service/)。
 
 {{< codenew file="application/guestbook/redis-follower-service.yaml" >}}
 
@@ -326,7 +325,7 @@ Guestbook 应用使用 PHP 前端。该前端被配置成与后端的 Redis 跟
    
    ```shell
    kubectl apply -f https://k8s.io/examples/application/guestbook/frontend-deployment.yaml
-      ```
+   ```
 
 <!--
 1. Query the list of Pods to verify that the three frontend replicas are running:
@@ -358,7 +357,7 @@ Guestbook 应用使用 PHP 前端。该前端被配置成与后端的 Redis 跟
 The `Redis` Services you applied is only accessible within the Kubernetes cluster because the default type for a Service is [ClusterIP](/docs/concepts/services-networking/service/#publishing-services-service-types). `ClusterIP` provides a single IP address for the set of Pods the Service is pointing to. This IP address is accessible only within the cluster.
 -->
 应用的 `Redis` 服务只能在 Kubernetes 集群中访问，因为服务的默认类型是
-[ClusterIP](/zh/docs/concepts/services-networking/service/#publishing-services-service-types)。
+[ClusterIP](/zh-cn/docs/concepts/services-networking/service/#publishing-services-service-types)。
 `ClusterIP` 为服务指向的 Pod 集提供一个 IP 地址。这个 IP 地址只能在集群中访问。
 
 <!--
@@ -423,7 +422,6 @@ Some cloud providers, like Google Compute Engine or Google Kubernetes Engine, su
 <!--
 ### Viewing the Frontend Service via `kubectl port-forward`
 -->
-
 ### 通过 `kubectl port-forward` 查看前端服务
 
 <!--
@@ -631,8 +629,8 @@ Deleting the Deployments and Services also deletes any running Pods. Use labels
 * Read more about [connecting applications](/docs/concepts/services-networking/connect-applications-service/)
 * Read more about [Managing Resources](/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively)
 -->
-* 完成 [Kubernetes 基础](/zh/docs/tutorials/kubernetes-basics/) 交互式教程
+* 完成 [Kubernetes 基础](/zh-cn/docs/tutorials/kubernetes-basics/) 交互式教程
 * 使用 Kubernetes 创建一个博客，使用
-  [MySQL 和 Wordpress 的持久卷](/zh/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/#visit-your-new-wordpress-blog)
-* 进一步阅读[连接应用程序](/zh/docs/concepts/services-networking/connect-applications-service/)
-* 进一步阅读[管理资源](/zh/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively)
+  [MySQL 和 Wordpress 的持久卷](/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/#visit-your-new-wordpress-blog)
+* 进一步阅读[连接应用程序](/zh-cn/docs/concepts/services-networking/connect-applications-service/)
+* 进一步阅读[管理资源](/zh-cn/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively)
diff --git a/content/zh/docs/update-user-guide-links.py b/content/zh-cn/docs/update-user-guide-links.py
similarity index 100%
rename from content/zh/docs/update-user-guide-links.py
rename to content/zh-cn/docs/update-user-guide-links.py
diff --git a/content/zh/examples/README.md b/content/zh-cn/examples/README.md
similarity index 100%
rename from content/zh/examples/README.md
rename to content/zh-cn/examples/README.md
diff --git a/content/zh/examples/access/certificate-signing-request/clusterrole-approve.yaml b/content/zh-cn/examples/access/certificate-signing-request/clusterrole-approve.yaml
similarity index 100%
rename from content/zh/examples/access/certificate-signing-request/clusterrole-approve.yaml
rename to content/zh-cn/examples/access/certificate-signing-request/clusterrole-approve.yaml
diff --git a/content/zh/examples/access/certificate-signing-request/clusterrole-create.yaml b/content/zh-cn/examples/access/certificate-signing-request/clusterrole-create.yaml
similarity index 100%
rename from content/zh/examples/access/certificate-signing-request/clusterrole-create.yaml
rename to content/zh-cn/examples/access/certificate-signing-request/clusterrole-create.yaml
diff --git a/content/zh/examples/access/certificate-signing-request/clusterrole-sign.yaml b/content/zh-cn/examples/access/certificate-signing-request/clusterrole-sign.yaml
similarity index 100%
rename from content/zh/examples/access/certificate-signing-request/clusterrole-sign.yaml
rename to content/zh-cn/examples/access/certificate-signing-request/clusterrole-sign.yaml
diff --git a/content/zh/examples/access/endpoints-aggregated.yaml b/content/zh-cn/examples/access/endpoints-aggregated.yaml
similarity index 100%
rename from content/zh/examples/access/endpoints-aggregated.yaml
rename to content/zh-cn/examples/access/endpoints-aggregated.yaml
diff --git a/content/zh/examples/admin/cloud/ccm-example.yaml b/content/zh-cn/examples/admin/cloud/ccm-example.yaml
similarity index 57%
rename from content/zh/examples/admin/cloud/ccm-example.yaml
rename to content/zh-cn/examples/admin/cloud/ccm-example.yaml
index 3bce7b58fa6e1..90bf3344cda99 100644
--- a/content/zh/examples/admin/cloud/ccm-example.yaml
+++ b/content/zh-cn/examples/admin/cloud/ccm-example.yaml
@@ -1,7 +1,6 @@
-# This is an example of how to setup cloud-controller-manager as a Daemonset in your cluster.
-# It assumes that your masters can run pods and has the role node-role.kubernetes.io/master
-# Note that this Daemonset will not work straight out of the box for your cloud, this is
-# meant to be a guideline.
+# 这是一个如何将 cloud-controller-manager 安装为集群中的 Daemonset 的示例。
+# 本例假定你的主控节点可以运行 pod 并具有角色 node-role.kubernetes.io/master
+# 请注意，这里的 Daemonset 不能直接在你的云上工作，此例只是一个指导。
 
 ---
 apiVersion: v1
@@ -42,28 +41,32 @@ spec:
       serviceAccountName: cloud-controller-manager
       containers:
       - name: cloud-controller-manager
-        # for in-tree providers we use k8s.gcr.io/cloud-controller-manager
-        # this can be replaced with any other image for out-of-tree providers
+        # 对于树内驱动，我们使用 k8s.gcr.io/cloud-controller-manager，
+        # 镜像可以替换为其他树外驱动的镜像
         image: k8s.gcr.io/cloud-controller-manager:v1.8.0
         command:
         - /usr/local/bin/cloud-controller-manager
-        - --cloud-provider=[YOUR_CLOUD_PROVIDER]  # Add your own cloud provider here!
+        - --cloud-provider=[YOUR_CLOUD_PROVIDER]  # 在此处添加你自己的云驱动！
         - --leader-elect=true
         - --use-service-account-credentials
-        # these flags will vary for every cloud provider
+        # 这些标志因每个云驱动而异
         - --allocate-node-cidrs=true
         - --configure-cloud-routes=true
         - --cluster-cidr=172.17.0.0/16
       tolerations:
-      # this is required so CCM can bootstrap itself
+      # 这一设置是必需的，为了让 CCM 可以自行引导
       - key: node.cloudprovider.kubernetes.io/uninitialized
         value: "true"
         effect: NoSchedule
-      # this is to have the daemonset runnable on master nodes
-      # the taint may vary depending on your cluster setup
+      # 这些容忍度使得守护进程能够在控制平面节点上运行
+      # 如果你的控制平面节点不应该运行 pod，请删除它们
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
       - key: node-role.kubernetes.io/master
+        operator: Exists
         effect: NoSchedule
-      # this is to restrict CCM to only run on master nodes
-      # the node selector may vary depending on your cluster setup
+      # 这是为了限制 CCM 仅在主节点上运行
+      # 节点选择器可能因你的集群设置而异
       nodeSelector:
         node-role.kubernetes.io/master: ""
diff --git a/content/zh/examples/admin/dns/busybox.yaml b/content/zh-cn/examples/admin/dns/busybox.yaml
similarity index 100%
rename from content/zh/examples/admin/dns/busybox.yaml
rename to content/zh-cn/examples/admin/dns/busybox.yaml
diff --git a/content/zh/examples/admin/dns/dns-horizontal-autoscaler.yaml b/content/zh-cn/examples/admin/dns/dns-horizontal-autoscaler.yaml
similarity index 100%
rename from content/zh/examples/admin/dns/dns-horizontal-autoscaler.yaml
rename to content/zh-cn/examples/admin/dns/dns-horizontal-autoscaler.yaml
diff --git a/content/zh/examples/admin/dns/dnsutils.yaml b/content/zh-cn/examples/admin/dns/dnsutils.yaml
similarity index 100%
rename from content/zh/examples/admin/dns/dnsutils.yaml
rename to content/zh-cn/examples/admin/dns/dnsutils.yaml
diff --git a/content/zh-cn/examples/admin/konnectivity/egress-selector-configuration.yaml b/content/zh-cn/examples/admin/konnectivity/egress-selector-configuration.yaml
new file mode 100644
index 0000000000000..2f1cff1aea845
--- /dev/null
+++ b/content/zh-cn/examples/admin/konnectivity/egress-selector-configuration.yaml
@@ -0,0 +1,20 @@
+apiVersion: apiserver.k8s.io/v1beta1
+kind: EgressSelectorConfiguration
+egressSelections:
+# 由于我们要控制集群的出站流量，所以将 “cluster” 用作 name。
+# 其他支持的值有 “etcd” 和 “master”。
+- name: cluster
+  connection:
+    # 这一属性将控制 API 服务器 Konnectivity 服务器之间的协议。
+    # 支持的值为 “GRPC” 和 “HTTPConnect”。
+    # 最终用户不会察觉这两种模式之间的差异。
+    # 你需要将 Konnectivity 服务器设为在相同模式下工作。
+    proxyProtocol: GRPC
+    transport:
+      # 此属性控制 API 服务器使用哪种传输方式与 Konnectivity 服务器通信。
+      # 如果 Konnectivity 服务器与 API 服务器位于同一台机器上，建议使用 UDS。
+      # 你需要将 Konnectivity 服务器配置为侦听同一个 UDS 套接字。
+      # 另一个支持的传输方式是 “tcp”。
+      # 你将需要设置 TLS config 以确保 TCP 传输的安全。
+      uds:
+        udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
diff --git a/content/zh/examples/admin/konnectivity/konnectivity-agent.yaml b/content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml
similarity index 85%
rename from content/zh/examples/admin/konnectivity/konnectivity-agent.yaml
rename to content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml
index 0eb47e1c58bcf..2d34c2d69c875 100644
--- a/content/zh/examples/admin/konnectivity/konnectivity-agent.yaml
+++ b/content/zh-cn/examples/admin/konnectivity/konnectivity-agent.yaml
@@ -1,6 +1,6 @@
 apiVersion: apps/v1
-# Alternatively, you can deploy the agents as Deployments. It is not necessary
-# to have an agent on each node.
+# 作为另一种替代方案，你可以将代理部署为 Deployment。
+# 没有必要在每个节点上都有一个代理。
 kind: DaemonSet
 metadata:
   labels:
@@ -28,8 +28,8 @@ spec:
           args: [
                   "--logtostderr=true",
                   "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
-                  # Since the konnectivity server runs with hostNetwork=true,
-                  # this is the IP address of the master machine.
+                  # 由于 konnectivity 服务器以 hostNetwork=true 运行，
+                  # 所以这是控制面节点的 IP 地址。
                   "--proxy-server-host=35.225.206.7",
                   "--proxy-server-port=8132",
                   "--admin-server-port=8133",
diff --git a/content/zh/examples/admin/konnectivity/konnectivity-rbac.yaml b/content/zh-cn/examples/admin/konnectivity/konnectivity-rbac.yaml
similarity index 100%
rename from content/zh/examples/admin/konnectivity/konnectivity-rbac.yaml
rename to content/zh-cn/examples/admin/konnectivity/konnectivity-rbac.yaml
diff --git a/content/zh/examples/admin/konnectivity/konnectivity-server.yaml b/content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml
similarity index 83%
rename from content/zh/examples/admin/konnectivity/konnectivity-server.yaml
rename to content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml
index f1f378431a330..b13eda8ebac64 100644
--- a/content/zh/examples/admin/konnectivity/konnectivity-server.yaml
+++ b/content/zh-cn/examples/admin/konnectivity/konnectivity-server.yaml
@@ -12,14 +12,13 @@ spec:
     command: ["/proxy-server"]
     args: [
             "--logtostderr=true",
-            # This needs to be consistent with the value set in egressSelectorConfiguration.
+            # 下一行需与 egressSelectorConfiguration 中设置的值一致。
             "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
-            # The following two lines assume the Konnectivity server is
-            # deployed on the same machine as the apiserver, and the certs and
-            # key of the API Server are at the specified location.
+            # 下面两行假定 Konnectivity 服务器被部署在与 apiserver 相同的机器上，
+            # 并且该 API 服务器的证书和密钥位于指定的位置。
             "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
             "--cluster-key=/etc/kubernetes/pki/apiserver.key",
-            # This needs to be consistent with the value set in egressSelectorConfiguration.
+            # 下一行需与 egressSelectorConfiguration 中设置的值一致。
             "--mode=grpc",
             "--server-port=0",
             "--agent-port=8132",
diff --git a/content/zh/examples/admin/logging/fluentd-sidecar-config.yaml b/content/zh-cn/examples/admin/logging/fluentd-sidecar-config.yaml
similarity index 100%
rename from content/zh/examples/admin/logging/fluentd-sidecar-config.yaml
rename to content/zh-cn/examples/admin/logging/fluentd-sidecar-config.yaml
diff --git a/content/zh/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml b/content/zh-cn/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
similarity index 100%
rename from content/zh/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
rename to content/zh-cn/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
diff --git a/content/zh/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml b/content/zh-cn/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml
similarity index 100%
rename from content/zh/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml
rename to content/zh-cn/examples/admin/logging/two-files-counter-pod-streaming-sidecar.yaml
diff --git a/content/zh/examples/admin/logging/two-files-counter-pod.yaml b/content/zh-cn/examples/admin/logging/two-files-counter-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/logging/two-files-counter-pod.yaml
rename to content/zh-cn/examples/admin/logging/two-files-counter-pod.yaml
diff --git a/content/zh/examples/admin/namespace-dev.json b/content/zh-cn/examples/admin/namespace-dev.json
similarity index 100%
rename from content/zh/examples/admin/namespace-dev.json
rename to content/zh-cn/examples/admin/namespace-dev.json
diff --git a/content/zh/examples/admin/namespace-prod.json b/content/zh-cn/examples/admin/namespace-prod.json
similarity index 100%
rename from content/zh/examples/admin/namespace-prod.json
rename to content/zh-cn/examples/admin/namespace-prod.json
diff --git a/content/zh/examples/admin/resource/cpu-constraints-pod-2.yaml b/content/zh-cn/examples/admin/resource/cpu-constraints-pod-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-constraints-pod-2.yaml
rename to content/zh-cn/examples/admin/resource/cpu-constraints-pod-2.yaml
diff --git a/content/zh/examples/admin/resource/cpu-constraints-pod-3.yaml b/content/zh-cn/examples/admin/resource/cpu-constraints-pod-3.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-constraints-pod-3.yaml
rename to content/zh-cn/examples/admin/resource/cpu-constraints-pod-3.yaml
diff --git a/content/zh/examples/admin/resource/cpu-constraints-pod-4.yaml b/content/zh-cn/examples/admin/resource/cpu-constraints-pod-4.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-constraints-pod-4.yaml
rename to content/zh-cn/examples/admin/resource/cpu-constraints-pod-4.yaml
diff --git a/content/zh/examples/admin/resource/cpu-constraints-pod.yaml b/content/zh-cn/examples/admin/resource/cpu-constraints-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-constraints-pod.yaml
rename to content/zh-cn/examples/admin/resource/cpu-constraints-pod.yaml
diff --git a/content/zh/examples/admin/resource/cpu-constraints.yaml b/content/zh-cn/examples/admin/resource/cpu-constraints.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-constraints.yaml
rename to content/zh-cn/examples/admin/resource/cpu-constraints.yaml
diff --git a/content/zh/examples/admin/resource/cpu-defaults-pod-2.yaml b/content/zh-cn/examples/admin/resource/cpu-defaults-pod-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-defaults-pod-2.yaml
rename to content/zh-cn/examples/admin/resource/cpu-defaults-pod-2.yaml
diff --git a/content/zh/examples/admin/resource/cpu-defaults-pod-3.yaml b/content/zh-cn/examples/admin/resource/cpu-defaults-pod-3.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-defaults-pod-3.yaml
rename to content/zh-cn/examples/admin/resource/cpu-defaults-pod-3.yaml
diff --git a/content/zh/examples/admin/resource/cpu-defaults-pod.yaml b/content/zh-cn/examples/admin/resource/cpu-defaults-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-defaults-pod.yaml
rename to content/zh-cn/examples/admin/resource/cpu-defaults-pod.yaml
diff --git a/content/zh/examples/admin/resource/cpu-defaults.yaml b/content/zh-cn/examples/admin/resource/cpu-defaults.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/cpu-defaults.yaml
rename to content/zh-cn/examples/admin/resource/cpu-defaults.yaml
diff --git a/content/zh/examples/admin/resource/limit-mem-cpu-container.yaml b/content/zh-cn/examples/admin/resource/limit-mem-cpu-container.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/limit-mem-cpu-container.yaml
rename to content/zh-cn/examples/admin/resource/limit-mem-cpu-container.yaml
diff --git a/content/zh/examples/admin/resource/limit-mem-cpu-pod.yaml b/content/zh-cn/examples/admin/resource/limit-mem-cpu-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/limit-mem-cpu-pod.yaml
rename to content/zh-cn/examples/admin/resource/limit-mem-cpu-pod.yaml
diff --git a/content/zh/examples/admin/resource/limit-memory-ratio-pod.yaml b/content/zh-cn/examples/admin/resource/limit-memory-ratio-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/limit-memory-ratio-pod.yaml
rename to content/zh-cn/examples/admin/resource/limit-memory-ratio-pod.yaml
diff --git a/content/zh/examples/admin/resource/limit-range-pod-1.yaml b/content/zh-cn/examples/admin/resource/limit-range-pod-1.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/limit-range-pod-1.yaml
rename to content/zh-cn/examples/admin/resource/limit-range-pod-1.yaml
diff --git a/content/zh/examples/admin/resource/limit-range-pod-2.yaml b/content/zh-cn/examples/admin/resource/limit-range-pod-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/limit-range-pod-2.yaml
rename to content/zh-cn/examples/admin/resource/limit-range-pod-2.yaml
diff --git a/content/zh/examples/admin/resource/limit-range-pod-3.yaml b/content/zh-cn/examples/admin/resource/limit-range-pod-3.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/limit-range-pod-3.yaml
rename to content/zh-cn/examples/admin/resource/limit-range-pod-3.yaml
diff --git a/content/zh/examples/admin/resource/memory-available.sh b/content/zh-cn/examples/admin/resource/memory-available.sh
similarity index 100%
rename from content/zh/examples/admin/resource/memory-available.sh
rename to content/zh-cn/examples/admin/resource/memory-available.sh
diff --git a/content/zh/examples/admin/resource/memory-constraints-pod-2.yaml b/content/zh-cn/examples/admin/resource/memory-constraints-pod-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-constraints-pod-2.yaml
rename to content/zh-cn/examples/admin/resource/memory-constraints-pod-2.yaml
diff --git a/content/zh/examples/admin/resource/memory-constraints-pod-3.yaml b/content/zh-cn/examples/admin/resource/memory-constraints-pod-3.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-constraints-pod-3.yaml
rename to content/zh-cn/examples/admin/resource/memory-constraints-pod-3.yaml
diff --git a/content/zh/examples/admin/resource/memory-constraints-pod-4.yaml b/content/zh-cn/examples/admin/resource/memory-constraints-pod-4.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-constraints-pod-4.yaml
rename to content/zh-cn/examples/admin/resource/memory-constraints-pod-4.yaml
diff --git a/content/zh/examples/admin/resource/memory-constraints-pod.yaml b/content/zh-cn/examples/admin/resource/memory-constraints-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-constraints-pod.yaml
rename to content/zh-cn/examples/admin/resource/memory-constraints-pod.yaml
diff --git a/content/zh/examples/admin/resource/memory-constraints.yaml b/content/zh-cn/examples/admin/resource/memory-constraints.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-constraints.yaml
rename to content/zh-cn/examples/admin/resource/memory-constraints.yaml
diff --git a/content/zh/examples/admin/resource/memory-defaults-pod-2.yaml b/content/zh-cn/examples/admin/resource/memory-defaults-pod-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-defaults-pod-2.yaml
rename to content/zh-cn/examples/admin/resource/memory-defaults-pod-2.yaml
diff --git a/content/zh/examples/admin/resource/memory-defaults-pod-3.yaml b/content/zh-cn/examples/admin/resource/memory-defaults-pod-3.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-defaults-pod-3.yaml
rename to content/zh-cn/examples/admin/resource/memory-defaults-pod-3.yaml
diff --git a/content/zh/examples/admin/resource/memory-defaults-pod.yaml b/content/zh-cn/examples/admin/resource/memory-defaults-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-defaults-pod.yaml
rename to content/zh-cn/examples/admin/resource/memory-defaults-pod.yaml
diff --git a/content/zh/examples/admin/resource/memory-defaults.yaml b/content/zh-cn/examples/admin/resource/memory-defaults.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/memory-defaults.yaml
rename to content/zh-cn/examples/admin/resource/memory-defaults.yaml
diff --git a/content/zh/examples/admin/resource/pvc-limit-greater.yaml b/content/zh-cn/examples/admin/resource/pvc-limit-greater.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/pvc-limit-greater.yaml
rename to content/zh-cn/examples/admin/resource/pvc-limit-greater.yaml
diff --git a/content/zh/examples/admin/resource/pvc-limit-lower.yaml b/content/zh-cn/examples/admin/resource/pvc-limit-lower.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/pvc-limit-lower.yaml
rename to content/zh-cn/examples/admin/resource/pvc-limit-lower.yaml
diff --git a/content/zh/examples/admin/resource/quota-mem-cpu-pod-2.yaml b/content/zh-cn/examples/admin/resource/quota-mem-cpu-pod-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-mem-cpu-pod-2.yaml
rename to content/zh-cn/examples/admin/resource/quota-mem-cpu-pod-2.yaml
diff --git a/content/zh/examples/admin/resource/quota-mem-cpu-pod.yaml b/content/zh-cn/examples/admin/resource/quota-mem-cpu-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-mem-cpu-pod.yaml
rename to content/zh-cn/examples/admin/resource/quota-mem-cpu-pod.yaml
diff --git a/content/zh/examples/admin/resource/quota-mem-cpu.yaml b/content/zh-cn/examples/admin/resource/quota-mem-cpu.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-mem-cpu.yaml
rename to content/zh-cn/examples/admin/resource/quota-mem-cpu.yaml
diff --git a/content/zh/examples/admin/resource/quota-objects-pvc-2.yaml b/content/zh-cn/examples/admin/resource/quota-objects-pvc-2.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-objects-pvc-2.yaml
rename to content/zh-cn/examples/admin/resource/quota-objects-pvc-2.yaml
diff --git a/content/zh/examples/admin/resource/quota-objects-pvc.yaml b/content/zh-cn/examples/admin/resource/quota-objects-pvc.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-objects-pvc.yaml
rename to content/zh-cn/examples/admin/resource/quota-objects-pvc.yaml
diff --git a/content/zh/examples/admin/resource/quota-objects.yaml b/content/zh-cn/examples/admin/resource/quota-objects.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-objects.yaml
rename to content/zh-cn/examples/admin/resource/quota-objects.yaml
diff --git a/content/zh/examples/admin/resource/quota-pod-deployment.yaml b/content/zh-cn/examples/admin/resource/quota-pod-deployment.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-pod-deployment.yaml
rename to content/zh-cn/examples/admin/resource/quota-pod-deployment.yaml
diff --git a/content/zh/examples/admin/resource/quota-pod.yaml b/content/zh-cn/examples/admin/resource/quota-pod.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/quota-pod.yaml
rename to content/zh-cn/examples/admin/resource/quota-pod.yaml
diff --git a/content/zh/examples/admin/resource/storagelimits.yaml b/content/zh-cn/examples/admin/resource/storagelimits.yaml
similarity index 100%
rename from content/zh/examples/admin/resource/storagelimits.yaml
rename to content/zh-cn/examples/admin/resource/storagelimits.yaml
diff --git a/content/zh/examples/admin/sched/clusterrole.yaml b/content/zh-cn/examples/admin/sched/clusterrole.yaml
similarity index 100%
rename from content/zh/examples/admin/sched/clusterrole.yaml
rename to content/zh-cn/examples/admin/sched/clusterrole.yaml
diff --git a/content/zh/examples/admin/sched/my-scheduler.yaml b/content/zh-cn/examples/admin/sched/my-scheduler.yaml
similarity index 100%
rename from content/zh/examples/admin/sched/my-scheduler.yaml
rename to content/zh-cn/examples/admin/sched/my-scheduler.yaml
diff --git a/content/zh/examples/admin/sched/pod1.yaml b/content/zh-cn/examples/admin/sched/pod1.yaml
similarity index 100%
rename from content/zh/examples/admin/sched/pod1.yaml
rename to content/zh-cn/examples/admin/sched/pod1.yaml
diff --git a/content/zh/examples/admin/sched/pod2.yaml b/content/zh-cn/examples/admin/sched/pod2.yaml
similarity index 100%
rename from content/zh/examples/admin/sched/pod2.yaml
rename to content/zh-cn/examples/admin/sched/pod2.yaml
diff --git a/content/zh/examples/admin/sched/pod3.yaml b/content/zh-cn/examples/admin/sched/pod3.yaml
similarity index 100%
rename from content/zh/examples/admin/sched/pod3.yaml
rename to content/zh-cn/examples/admin/sched/pod3.yaml
diff --git a/content/zh/examples/admin/snowflake-deployment.yaml b/content/zh-cn/examples/admin/snowflake-deployment.yaml
similarity index 100%
rename from content/zh/examples/admin/snowflake-deployment.yaml
rename to content/zh-cn/examples/admin/snowflake-deployment.yaml
diff --git a/content/zh/examples/application/cassandra/cassandra-service.yaml b/content/zh-cn/examples/application/cassandra/cassandra-service.yaml
similarity index 100%
rename from content/zh/examples/application/cassandra/cassandra-service.yaml
rename to content/zh-cn/examples/application/cassandra/cassandra-service.yaml
diff --git a/content/zh/examples/application/cassandra/cassandra-statefulset.yaml b/content/zh-cn/examples/application/cassandra/cassandra-statefulset.yaml
similarity index 85%
rename from content/zh/examples/application/cassandra/cassandra-statefulset.yaml
rename to content/zh-cn/examples/application/cassandra/cassandra-statefulset.yaml
index a7bdbedc9c5aa..7a36c6f55086d 100644
--- a/content/zh/examples/application/cassandra/cassandra-statefulset.yaml
+++ b/content/zh-cn/examples/application/cassandra/cassandra-statefulset.yaml
@@ -72,15 +72,13 @@ spec:
             - /ready-probe.sh
           initialDelaySeconds: 15
           timeoutSeconds: 5
-        # These volume mounts are persistent. They are like inline claims,
-        # but not exactly because the names need to match exactly one of
-        # the stateful pod volumes.
+        # 这些卷挂载是持久的。它们类似内联申领，但并不完全相同，
+        # 因为这些卷挂载的名称需要与 StatefulSet 中某 Pod 卷完全匹配。
         volumeMounts:
         - name: cassandra-data
           mountPath: /cassandra_data
-  # These are converted to volume claims by the controller
-  # and mounted at the paths mentioned above.
-  # do not use these in production until ssd GCEPersistentDisk or other ssd pd
+  # 这些将被控制器转换为卷申领，并挂载在上述路径。
+  # 请勿将此设置用于生产环境，除非使用了 GCEPersistentDisk 或其他 SSD 持久盘。
   volumeClaimTemplates:
   - metadata:
       name: cassandra-data
diff --git a/content/zh/examples/application/deployment-patch.yaml b/content/zh-cn/examples/application/deployment-patch.yaml
similarity index 100%
rename from content/zh/examples/application/deployment-patch.yaml
rename to content/zh-cn/examples/application/deployment-patch.yaml
diff --git a/content/zh/examples/application/deployment-retainkeys.yaml b/content/zh-cn/examples/application/deployment-retainkeys.yaml
similarity index 100%
rename from content/zh/examples/application/deployment-retainkeys.yaml
rename to content/zh-cn/examples/application/deployment-retainkeys.yaml
diff --git a/content/zh/examples/application/deployment-scale.yaml b/content/zh-cn/examples/application/deployment-scale.yaml
similarity index 86%
rename from content/zh/examples/application/deployment-scale.yaml
rename to content/zh-cn/examples/application/deployment-scale.yaml
index 01fe96d84565e..f6c43ab7f41a2 100644
--- a/content/zh/examples/application/deployment-scale.yaml
+++ b/content/zh-cn/examples/application/deployment-scale.yaml
@@ -6,7 +6,7 @@ spec:
   selector:
     matchLabels:
       app: nginx
-  replicas: 4 # Update the replicas from 2 to 4
+  replicas: 4 # 将副本数从 2 更新为 4
   template:
     metadata:
       labels:
diff --git a/content/zh/examples/application/deployment-update.yaml b/content/zh-cn/examples/application/deployment-update.yaml
similarity index 78%
rename from content/zh/examples/application/deployment-update.yaml
rename to content/zh-cn/examples/application/deployment-update.yaml
index 1c0b9d1ab8a4f..15638fa29c978 100644
--- a/content/zh/examples/application/deployment-update.yaml
+++ b/content/zh-cn/examples/application/deployment-update.yaml
@@ -14,6 +14,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.16.1 # Update the version of nginx from 1.14.2 to 1.16.1
+        image: nginx:1.16.1 # 将 nginx 版本从 1.14.2 更新为 1.16.1
         ports:
         - containerPort: 80
diff --git a/content/zh/examples/application/deployment.yaml b/content/zh-cn/examples/application/deployment.yaml
similarity index 80%
rename from content/zh/examples/application/deployment.yaml
rename to content/zh-cn/examples/application/deployment.yaml
index dbed8bc72b9fc..087d7010caabf 100644
--- a/content/zh/examples/application/deployment.yaml
+++ b/content/zh-cn/examples/application/deployment.yaml
@@ -6,7 +6,7 @@ spec:
   selector:
     matchLabels:
       app: nginx
-  replicas: 2 # tells deployment to run 2 pods matching the template
+  replicas: 2 # 告知 Deployment 运行 2 个与该模板匹配的 Pod
   template:
     metadata:
       labels:
diff --git a/content/zh/examples/application/guestbook/frontend-deployment.yaml b/content/zh-cn/examples/application/guestbook/frontend-deployment.yaml
similarity index 87%
rename from content/zh/examples/application/guestbook/frontend-deployment.yaml
rename to content/zh-cn/examples/application/guestbook/frontend-deployment.yaml
index f97f20dab6763..95f066586d220 100644
--- a/content/zh/examples/application/guestbook/frontend-deployment.yaml
+++ b/content/zh-cn/examples/application/guestbook/frontend-deployment.yaml
@@ -1,4 +1,4 @@
-# SOURCE: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
+# 来源：https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/content/zh-cn/examples/application/guestbook/frontend-service.yaml b/content/zh-cn/examples/application/guestbook/frontend-service.yaml
new file mode 100644
index 0000000000000..6688f3b0c03f9
--- /dev/null
+++ b/content/zh-cn/examples/application/guestbook/frontend-service.yaml
@@ -0,0 +1,18 @@
+# 来源：https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  labels:
+    app: guestbook
+    tier: frontend
+spec:
+  # 如果你的集群支持，请取消注释以下内容以自动为前端服务创建一个外部负载均衡 IP。
+  # type: LoadBalancer
+  #type: LoadBalancer
+  ports:
+    # 此服务应使用的端口
+  - port: 80
+  selector:
+    app: guestbook
+    tier: frontend
\ No newline at end of file
diff --git a/content/zh/examples/application/guestbook/redis-follower-deployment.yaml b/content/zh-cn/examples/application/guestbook/redis-follower-deployment.yaml
similarity index 87%
rename from content/zh/examples/application/guestbook/redis-follower-deployment.yaml
rename to content/zh-cn/examples/application/guestbook/redis-follower-deployment.yaml
index c418cf7364f92..2d96e049a1d10 100644
--- a/content/zh/examples/application/guestbook/redis-follower-deployment.yaml
+++ b/content/zh-cn/examples/application/guestbook/redis-follower-deployment.yaml
@@ -1,4 +1,4 @@
-# SOURCE: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
+# 来源：https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/content/zh/examples/application/guestbook/redis-follower-service.yaml b/content/zh-cn/examples/application/guestbook/redis-follower-service.yaml
similarity index 63%
rename from content/zh/examples/application/guestbook/redis-follower-service.yaml
rename to content/zh-cn/examples/application/guestbook/redis-follower-service.yaml
index 53283d35c423e..f711f6b85a3e4 100644
--- a/content/zh/examples/application/guestbook/redis-follower-service.yaml
+++ b/content/zh-cn/examples/application/guestbook/redis-follower-service.yaml
@@ -1,4 +1,4 @@
-# SOURCE: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
+# 来源：https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
 apiVersion: v1
 kind: Service
 metadata:
@@ -9,7 +9,7 @@ metadata:
     tier: backend
 spec:
   ports:
-    # the port that this service should serve on
+    # 此服务应使用的端口
   - port: 6379
   selector:
     app: redis
diff --git a/content/zh/examples/application/guestbook/redis-leader-deployment.yaml b/content/zh-cn/examples/application/guestbook/redis-leader-deployment.yaml
similarity index 86%
rename from content/zh/examples/application/guestbook/redis-leader-deployment.yaml
rename to content/zh-cn/examples/application/guestbook/redis-leader-deployment.yaml
index 9c7547291c376..3ddf6185ca837 100644
--- a/content/zh/examples/application/guestbook/redis-leader-deployment.yaml
+++ b/content/zh-cn/examples/application/guestbook/redis-leader-deployment.yaml
@@ -1,4 +1,4 @@
-# SOURCE: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
+# 来源：https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/content/zh/examples/application/guestbook/redis-leader-service.yaml b/content/zh-cn/examples/application/guestbook/redis-leader-service.yaml
similarity index 74%
rename from content/zh/examples/application/guestbook/redis-leader-service.yaml
rename to content/zh-cn/examples/application/guestbook/redis-leader-service.yaml
index e04cc183d09bf..386f79e4f37c7 100644
--- a/content/zh/examples/application/guestbook/redis-leader-service.yaml
+++ b/content/zh-cn/examples/application/guestbook/redis-leader-service.yaml
@@ -1,4 +1,4 @@
-# SOURCE: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
+# 来源：https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/content/zh/examples/application/hpa/php-apache.yaml b/content/zh-cn/examples/application/hpa/php-apache.yaml
similarity index 100%
rename from content/zh/examples/application/hpa/php-apache.yaml
rename to content/zh-cn/examples/application/hpa/php-apache.yaml
diff --git a/content/zh/examples/application/job/cronjob.yaml b/content/zh-cn/examples/application/job/cronjob.yaml
similarity index 100%
rename from content/zh/examples/application/job/cronjob.yaml
rename to content/zh-cn/examples/application/job/cronjob.yaml
diff --git a/content/zh/examples/application/job/indexed-job-vol.yaml b/content/zh-cn/examples/application/job/indexed-job-vol.yaml
similarity index 100%
rename from content/zh/examples/application/job/indexed-job-vol.yaml
rename to content/zh-cn/examples/application/job/indexed-job-vol.yaml
diff --git a/content/zh/examples/application/job/indexed-job.yaml b/content/zh-cn/examples/application/job/indexed-job.yaml
similarity index 100%
rename from content/zh/examples/application/job/indexed-job.yaml
rename to content/zh-cn/examples/application/job/indexed-job.yaml
diff --git a/content/zh/examples/application/job/job-tmpl.yaml b/content/zh-cn/examples/application/job/job-tmpl.yaml
similarity index 100%
rename from content/zh/examples/application/job/job-tmpl.yaml
rename to content/zh-cn/examples/application/job/job-tmpl.yaml
diff --git a/content/zh/examples/application/job/rabbitmq/Dockerfile b/content/zh-cn/examples/application/job/rabbitmq/Dockerfile
similarity index 100%
rename from content/zh/examples/application/job/rabbitmq/Dockerfile
rename to content/zh-cn/examples/application/job/rabbitmq/Dockerfile
diff --git a/content/zh/examples/application/job/rabbitmq/job.yaml b/content/zh-cn/examples/application/job/rabbitmq/job.yaml
similarity index 100%
rename from content/zh/examples/application/job/rabbitmq/job.yaml
rename to content/zh-cn/examples/application/job/rabbitmq/job.yaml
diff --git a/content/zh/examples/application/job/rabbitmq/worker.py b/content/zh-cn/examples/application/job/rabbitmq/worker.py
similarity index 100%
rename from content/zh/examples/application/job/rabbitmq/worker.py
rename to content/zh-cn/examples/application/job/rabbitmq/worker.py
diff --git a/content/zh/examples/application/job/redis/Dockerfile b/content/zh-cn/examples/application/job/redis/Dockerfile
similarity index 100%
rename from content/zh/examples/application/job/redis/Dockerfile
rename to content/zh-cn/examples/application/job/redis/Dockerfile
diff --git a/content/zh/examples/application/job/redis/job.yaml b/content/zh-cn/examples/application/job/redis/job.yaml
similarity index 100%
rename from content/zh/examples/application/job/redis/job.yaml
rename to content/zh-cn/examples/application/job/redis/job.yaml
diff --git a/content/zh/examples/application/job/redis/redis-pod.yaml b/content/zh-cn/examples/application/job/redis/redis-pod.yaml
similarity index 100%
rename from content/zh/examples/application/job/redis/redis-pod.yaml
rename to content/zh-cn/examples/application/job/redis/redis-pod.yaml
diff --git a/content/zh/examples/application/job/redis/redis-service.yaml b/content/zh-cn/examples/application/job/redis/redis-service.yaml
similarity index 100%
rename from content/zh/examples/application/job/redis/redis-service.yaml
rename to content/zh-cn/examples/application/job/redis/redis-service.yaml
diff --git a/content/zh/examples/application/job/redis/rediswq.py b/content/zh-cn/examples/application/job/redis/rediswq.py
similarity index 100%
rename from content/zh/examples/application/job/redis/rediswq.py
rename to content/zh-cn/examples/application/job/redis/rediswq.py
diff --git a/content/zh/examples/application/job/redis/worker.py b/content/zh-cn/examples/application/job/redis/worker.py
similarity index 100%
rename from content/zh/examples/application/job/redis/worker.py
rename to content/zh-cn/examples/application/job/redis/worker.py
diff --git a/content/zh/examples/application/mongodb/mongo-deployment.yaml b/content/zh-cn/examples/application/mongodb/mongo-deployment.yaml
similarity index 100%
rename from content/zh/examples/application/mongodb/mongo-deployment.yaml
rename to content/zh-cn/examples/application/mongodb/mongo-deployment.yaml
diff --git a/content/zh/examples/application/mongodb/mongo-service.yaml b/content/zh-cn/examples/application/mongodb/mongo-service.yaml
similarity index 100%
rename from content/zh/examples/application/mongodb/mongo-service.yaml
rename to content/zh-cn/examples/application/mongodb/mongo-service.yaml
diff --git a/content/zh/examples/application/mysql/mysql-configmap.yaml b/content/zh-cn/examples/application/mysql/mysql-configmap.yaml
similarity index 100%
rename from content/zh/examples/application/mysql/mysql-configmap.yaml
rename to content/zh-cn/examples/application/mysql/mysql-configmap.yaml
diff --git a/content/zh/examples/application/mysql/mysql-deployment.yaml b/content/zh-cn/examples/application/mysql/mysql-deployment.yaml
similarity index 100%
rename from content/zh/examples/application/mysql/mysql-deployment.yaml
rename to content/zh-cn/examples/application/mysql/mysql-deployment.yaml
diff --git a/content/zh/examples/application/mysql/mysql-pv.yaml b/content/zh-cn/examples/application/mysql/mysql-pv.yaml
similarity index 100%
rename from content/zh/examples/application/mysql/mysql-pv.yaml
rename to content/zh-cn/examples/application/mysql/mysql-pv.yaml
diff --git a/content/zh/examples/application/mysql/mysql-services.yaml b/content/zh-cn/examples/application/mysql/mysql-services.yaml
similarity index 100%
rename from content/zh/examples/application/mysql/mysql-services.yaml
rename to content/zh-cn/examples/application/mysql/mysql-services.yaml
diff --git a/content/zh/examples/application/mysql/mysql-statefulset.yaml b/content/zh-cn/examples/application/mysql/mysql-statefulset.yaml
similarity index 100%
rename from content/zh/examples/application/mysql/mysql-statefulset.yaml
rename to content/zh-cn/examples/application/mysql/mysql-statefulset.yaml
diff --git a/content/zh/examples/application/nginx-app.yaml b/content/zh-cn/examples/application/nginx-app.yaml
similarity index 100%
rename from content/zh/examples/application/nginx-app.yaml
rename to content/zh-cn/examples/application/nginx-app.yaml
diff --git a/content/zh/examples/application/nginx-with-request.yaml b/content/zh-cn/examples/application/nginx-with-request.yaml
similarity index 100%
rename from content/zh/examples/application/nginx-with-request.yaml
rename to content/zh-cn/examples/application/nginx-with-request.yaml
diff --git a/content/zh/examples/application/nginx/nginx-deployment.yaml b/content/zh-cn/examples/application/nginx/nginx-deployment.yaml
similarity index 100%
rename from content/zh/examples/application/nginx/nginx-deployment.yaml
rename to content/zh-cn/examples/application/nginx/nginx-deployment.yaml
diff --git a/content/zh/examples/application/nginx/nginx-svc.yaml b/content/zh-cn/examples/application/nginx/nginx-svc.yaml
similarity index 100%
rename from content/zh/examples/application/nginx/nginx-svc.yaml
rename to content/zh-cn/examples/application/nginx/nginx-svc.yaml
diff --git a/content/zh/examples/application/php-apache.yaml b/content/zh-cn/examples/application/php-apache.yaml
similarity index 100%
rename from content/zh/examples/application/php-apache.yaml
rename to content/zh-cn/examples/application/php-apache.yaml
diff --git a/content/zh/examples/application/shell-demo.yaml b/content/zh-cn/examples/application/shell-demo.yaml
similarity index 100%
rename from content/zh/examples/application/shell-demo.yaml
rename to content/zh-cn/examples/application/shell-demo.yaml
diff --git a/content/zh/examples/application/simple_deployment.yaml b/content/zh-cn/examples/application/simple_deployment.yaml
similarity index 100%
rename from content/zh/examples/application/simple_deployment.yaml
rename to content/zh-cn/examples/application/simple_deployment.yaml
diff --git a/content/zh/examples/application/ssa/nginx-deployment-no-replicas.yaml b/content/zh-cn/examples/application/ssa/nginx-deployment-no-replicas.yaml
similarity index 100%
rename from content/zh/examples/application/ssa/nginx-deployment-no-replicas.yaml
rename to content/zh-cn/examples/application/ssa/nginx-deployment-no-replicas.yaml
diff --git a/content/zh/examples/application/ssa/nginx-deployment-replicas-only.yaml b/content/zh-cn/examples/application/ssa/nginx-deployment-replicas-only.yaml
similarity index 100%
rename from content/zh/examples/application/ssa/nginx-deployment-replicas-only.yaml
rename to content/zh-cn/examples/application/ssa/nginx-deployment-replicas-only.yaml
diff --git a/content/zh/examples/application/ssa/nginx-deployment.yaml b/content/zh-cn/examples/application/ssa/nginx-deployment.yaml
similarity index 100%
rename from content/zh/examples/application/ssa/nginx-deployment.yaml
rename to content/zh-cn/examples/application/ssa/nginx-deployment.yaml
diff --git a/content/zh/examples/application/update_deployment.yaml b/content/zh-cn/examples/application/update_deployment.yaml
similarity index 85%
rename from content/zh/examples/application/update_deployment.yaml
rename to content/zh-cn/examples/application/update_deployment.yaml
index 2d7603acb956c..28fcf05675064 100644
--- a/content/zh/examples/application/update_deployment.yaml
+++ b/content/zh-cn/examples/application/update_deployment.yaml
@@ -13,6 +13,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.16.1 # update the image
+        image: nginx:1.16.1 # 更新该镜像
         ports:
         - containerPort: 80
diff --git a/content/zh/examples/application/web/web-parallel.yaml b/content/zh-cn/examples/application/web/web-parallel.yaml
similarity index 100%
rename from content/zh/examples/application/web/web-parallel.yaml
rename to content/zh-cn/examples/application/web/web-parallel.yaml
diff --git a/content/zh/examples/application/web/web.yaml b/content/zh-cn/examples/application/web/web.yaml
similarity index 100%
rename from content/zh/examples/application/web/web.yaml
rename to content/zh-cn/examples/application/web/web.yaml
diff --git a/content/zh/examples/application/wordpress/mysql-deployment.yaml b/content/zh-cn/examples/application/wordpress/mysql-deployment.yaml
similarity index 100%
rename from content/zh/examples/application/wordpress/mysql-deployment.yaml
rename to content/zh-cn/examples/application/wordpress/mysql-deployment.yaml
diff --git a/content/zh/examples/application/wordpress/wordpress-deployment.yaml b/content/zh-cn/examples/application/wordpress/wordpress-deployment.yaml
similarity index 100%
rename from content/zh/examples/application/wordpress/wordpress-deployment.yaml
rename to content/zh-cn/examples/application/wordpress/wordpress-deployment.yaml
diff --git a/content/zh/examples/application/zookeeper/zookeeper.yaml b/content/zh-cn/examples/application/zookeeper/zookeeper.yaml
similarity index 100%
rename from content/zh/examples/application/zookeeper/zookeeper.yaml
rename to content/zh-cn/examples/application/zookeeper/zookeeper.yaml
diff --git a/content/zh-cn/examples/audit/audit-policy.yaml b/content/zh-cn/examples/audit/audit-policy.yaml
new file mode 100644
index 0000000000000..04bfa231c2ecf
--- /dev/null
+++ b/content/zh-cn/examples/audit/audit-policy.yaml
@@ -0,0 +1,68 @@
+apiVersion: audit.k8s.io/v1 # 这是必填项。
+kind: Policy
+# 不要在 RequestReceived 阶段为任何请求生成审计事件。
+omitStages:
+  - "RequestReceived"
+rules:
+  # 在日志中用 RequestResponse 级别记录 Pod 变化。
+  - level: RequestResponse
+    resources:
+    - group: ""
+      # 资源 "pods" 不匹配对任何 Pod 子资源的请求，
+      # 这与 RBAC 策略一致。
+      resources: ["pods"]
+  # 在日志中按 Metadata 级别记录 "pods/log"、"pods/status" 请求
+  - level: Metadata
+    resources:
+    - group: ""
+      resources: ["pods/log", "pods/status"]
+
+  # 不要在日志中记录对名为 "controller-leader" 的 configmap 的请求。
+  - level: None
+    resources:
+    - group: ""
+      resources: ["configmaps"]
+      resourceNames: ["controller-leader"]
+
+  # 不要在日志中记录由 "system:kube-proxy" 发出的对端点或服务的监测请求。
+  - level: None
+    users: ["system:kube-proxy"]
+    verbs: ["watch"]
+    resources:
+    - group: "" # core API 组
+      resources: ["endpoints", "services"]
+
+  # 不要在日志中记录对某些非资源 URL 路径的已认证请求。
+  - level: None
+    userGroups: ["system:authenticated"]
+    nonResourceURLs:
+    - "/api*" # 通配符匹配。
+    - "/version"
+
+  # 在日志中记录 kube-system 中 configmap 变更的请求消息体。
+  - level: Request
+    resources:
+    - group: "" # core API 组
+      resources: ["configmaps"]
+    # 这个规则仅适用于 "kube-system" 名字空间中的资源。
+    # 空字符串 "" 可用于选择非名字空间作用域的资源。
+    namespaces: ["kube-system"]
+
+  # 在日志中用 Metadata 级别记录所有其他名字空间中的 configmap 和 secret 变更。
+  - level: Metadata
+    resources:
+    - group: "" # core API 组
+      resources: ["secrets", "configmaps"]
+
+  # 在日志中以 Request 级别记录所有其他 core 和 extensions 组中的资源操作。
+  - level: Request
+    resources:
+    - group: "" # core API 组
+    - group: "extensions" # 不应包括在内的组版本。
+
+  # 一个抓取所有的规则，将在日志中以 Metadata 级别记录所有其他请求。
+  - level: Metadata
+    # 符合此规则的 watch 等长时间运行的请求将不会
+    # 在 RequestReceived 阶段生成审计事件。
+    omitStages:
+      - "RequestReceived"
diff --git a/content/zh/examples/configmap/configmap-multikeys.yaml b/content/zh-cn/examples/configmap/configmap-multikeys.yaml
similarity index 100%
rename from content/zh/examples/configmap/configmap-multikeys.yaml
rename to content/zh-cn/examples/configmap/configmap-multikeys.yaml
diff --git a/content/zh/examples/configmap/configmaps.yaml b/content/zh-cn/examples/configmap/configmaps.yaml
similarity index 100%
rename from content/zh/examples/configmap/configmaps.yaml
rename to content/zh-cn/examples/configmap/configmaps.yaml
diff --git a/content/zh/examples/configmap/game-env-file.properties b/content/zh-cn/examples/configmap/game-env-file.properties
similarity index 100%
rename from content/zh/examples/configmap/game-env-file.properties
rename to content/zh-cn/examples/configmap/game-env-file.properties
diff --git a/content/zh/examples/configmap/game.properties b/content/zh-cn/examples/configmap/game.properties
similarity index 100%
rename from content/zh/examples/configmap/game.properties
rename to content/zh-cn/examples/configmap/game.properties
diff --git a/content/zh/examples/configmap/ui-env-file.properties b/content/zh-cn/examples/configmap/ui-env-file.properties
similarity index 100%
rename from content/zh/examples/configmap/ui-env-file.properties
rename to content/zh-cn/examples/configmap/ui-env-file.properties
diff --git a/content/zh/examples/configmap/ui.properties b/content/zh-cn/examples/configmap/ui.properties
similarity index 100%
rename from content/zh/examples/configmap/ui.properties
rename to content/zh-cn/examples/configmap/ui.properties
diff --git a/content/zh/examples/controllers/daemonset.yaml b/content/zh-cn/examples/controllers/daemonset.yaml
similarity index 86%
rename from content/zh/examples/controllers/daemonset.yaml
rename to content/zh-cn/examples/controllers/daemonset.yaml
index d80020210c70c..54fc51a869b8d 100644
--- a/content/zh/examples/controllers/daemonset.yaml
+++ b/content/zh-cn/examples/controllers/daemonset.yaml
@@ -15,8 +15,8 @@ spec:
         name: fluentd-elasticsearch
     spec:
       tolerations:
-      # 这些容忍度设置是为了让守护进程在控制平面节点上运行
-      # 如果你不希望控制平面节点运行 Pod，可以删除它们
+      # 这些容忍度设置是为了让该守护进程集在控制平面节点上运行
+      # 如果你不希望自己的控制平面节点运行 Pod，可以删除它们
       - key: node-role.kubernetes.io/control-plane
         operator: Exists
         effect: NoSchedule
diff --git a/content/zh/examples/controllers/fluentd-daemonset-update.yaml b/content/zh-cn/examples/controllers/fluentd-daemonset-update.yaml
similarity index 78%
rename from content/zh/examples/controllers/fluentd-daemonset-update.yaml
rename to content/zh-cn/examples/controllers/fluentd-daemonset-update.yaml
index dcf08d4fc9545..5c031f9156407 100644
--- a/content/zh/examples/controllers/fluentd-daemonset-update.yaml
+++ b/content/zh-cn/examples/controllers/fluentd-daemonset-update.yaml
@@ -19,9 +19,13 @@ spec:
         name: fluentd-elasticsearch
     spec:
       tolerations:
-      # this toleration is to have the daemonset runnable on master nodes
-      # remove it if your masters can't run pods
+      # 这些容忍度设置是为了让该守护进程集在控制平面节点上运行
+      # 如果你不希望自己的控制平面节点运行 Pod，可以删除它们
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
       - key: node-role.kubernetes.io/master
+        operator: Exists
         effect: NoSchedule
       containers:
       - name: fluentd-elasticsearch
diff --git a/content/zh/examples/controllers/fluentd-daemonset.yaml b/content/zh-cn/examples/controllers/fluentd-daemonset.yaml
similarity index 84%
rename from content/zh/examples/controllers/fluentd-daemonset.yaml
rename to content/zh-cn/examples/controllers/fluentd-daemonset.yaml
index 0e1e7d33450b9..b6dcf64812f53 100644
--- a/content/zh/examples/controllers/fluentd-daemonset.yaml
+++ b/content/zh-cn/examples/controllers/fluentd-daemonset.yaml
@@ -19,8 +19,8 @@ spec:
         name: fluentd-elasticsearch
     spec:
       tolerations:
-      # this toleration is to have the daemonset runnable on master nodes
-      # remove it if your masters can't run pods
+      # 这些容忍度设置是为了让该守护进程集在控制平面节点上运行
+      # 如果你不希望自己的控制平面节点运行 Pod，可以删除它们
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
       containers:
diff --git a/content/zh/examples/controllers/frontend.yaml b/content/zh-cn/examples/controllers/frontend.yaml
similarity index 89%
rename from content/zh/examples/controllers/frontend.yaml
rename to content/zh-cn/examples/controllers/frontend.yaml
index b9f31044ec103..12528338a1f30 100644
--- a/content/zh/examples/controllers/frontend.yaml
+++ b/content/zh-cn/examples/controllers/frontend.yaml
@@ -6,7 +6,7 @@ metadata:
     app: guestbook
     tier: frontend
 spec:
-  # modify replicas according to your case
+  # 按你的实际情况修改副本数
   replicas: 3
   selector:
     matchLabels:
diff --git a/content/zh/examples/controllers/hpa-rs.yaml b/content/zh-cn/examples/controllers/hpa-rs.yaml
similarity index 100%
rename from content/zh/examples/controllers/hpa-rs.yaml
rename to content/zh-cn/examples/controllers/hpa-rs.yaml
diff --git a/content/zh/examples/controllers/job.yaml b/content/zh-cn/examples/controllers/job.yaml
similarity index 90%
rename from content/zh/examples/controllers/job.yaml
rename to content/zh-cn/examples/controllers/job.yaml
index b448f2eb81daf..a6e40bc778d6d 100644
--- a/content/zh/examples/controllers/job.yaml
+++ b/content/zh-cn/examples/controllers/job.yaml
@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
       - name: pi
-        image: perl
+        image: perl:5.34
         command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
       restartPolicy: Never
   backoffLimit: 4
diff --git a/content/zh/examples/controllers/nginx-deployment.yaml b/content/zh-cn/examples/controllers/nginx-deployment.yaml
similarity index 100%
rename from content/zh/examples/controllers/nginx-deployment.yaml
rename to content/zh-cn/examples/controllers/nginx-deployment.yaml
diff --git a/content/zh/examples/controllers/replicaset.yaml b/content/zh-cn/examples/controllers/replicaset.yaml
similarity index 100%
rename from content/zh/examples/controllers/replicaset.yaml
rename to content/zh-cn/examples/controllers/replicaset.yaml
diff --git a/content/zh/examples/controllers/replication-nginx-1.14.2.yaml b/content/zh-cn/examples/controllers/replication-nginx-1.14.2.yaml
similarity index 100%
rename from content/zh/examples/controllers/replication-nginx-1.14.2.yaml
rename to content/zh-cn/examples/controllers/replication-nginx-1.14.2.yaml
diff --git a/content/zh/examples/controllers/replication-nginx-1.16.1.yaml b/content/zh-cn/examples/controllers/replication-nginx-1.16.1.yaml
similarity index 100%
rename from content/zh/examples/controllers/replication-nginx-1.16.1.yaml
rename to content/zh-cn/examples/controllers/replication-nginx-1.16.1.yaml
diff --git a/content/zh/examples/controllers/replication.yaml b/content/zh-cn/examples/controllers/replication.yaml
similarity index 100%
rename from content/zh/examples/controllers/replication.yaml
rename to content/zh-cn/examples/controllers/replication.yaml
diff --git a/content/zh/examples/debug/counter-pod.yaml b/content/zh-cn/examples/debug/counter-pod.yaml
similarity index 100%
rename from content/zh/examples/debug/counter-pod.yaml
rename to content/zh-cn/examples/debug/counter-pod.yaml
diff --git a/content/zh/examples/debug/event-exporter.yaml b/content/zh-cn/examples/debug/event-exporter.yaml
similarity index 100%
rename from content/zh/examples/debug/event-exporter.yaml
rename to content/zh-cn/examples/debug/event-exporter.yaml
diff --git a/content/zh/examples/debug/fluentd-gcp-configmap.yaml b/content/zh-cn/examples/debug/fluentd-gcp-configmap.yaml
similarity index 100%
rename from content/zh/examples/debug/fluentd-gcp-configmap.yaml
rename to content/zh-cn/examples/debug/fluentd-gcp-configmap.yaml
diff --git a/content/zh/examples/debug/fluentd-gcp-ds.yaml b/content/zh-cn/examples/debug/fluentd-gcp-ds.yaml
similarity index 72%
rename from content/zh/examples/debug/fluentd-gcp-ds.yaml
rename to content/zh-cn/examples/debug/fluentd-gcp-ds.yaml
index 4ffd5c0093130..ef81ee4281c3f 100644
--- a/content/zh/examples/debug/fluentd-gcp-ds.yaml
+++ b/content/zh-cn/examples/debug/fluentd-gcp-ds.yaml
@@ -21,9 +21,9 @@ spec:
         k8s-app: fluentd-gcp
         kubernetes.io/cluster-service: "true"
         version: v2.0
-      # This annotation ensures that fluentd does not get evicted if the node
-      # supports critical pod annotation based priority scheme.
-      # Note that this does not guarantee admission on the nodes (#40573).
+      # 如果节点支持基于关键 Pod 注解的优先级方案，
+      # 此注解可确保 fluentd 不会被驱逐。
+      # 请注意，此注解并不保证在这些节点上准入 (#40573)。
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
@@ -31,11 +31,11 @@ spec:
       containers:
       - name: fluentd-gcp
         image: k8s.gcr.io/fluentd-gcp:2.0.2
-        # If fluentd consumes its own logs, the following situation may happen:
-        # fluentd fails to send a chunk to the server => writes it to the log =>
-        # tries to send this message to the server => fails to send a chunk and so on.
-        # Writing to a file, which is not exported to the back-end prevents it.
-        # It also allows to increase the fluentd verbosity by default.
+        # 如果 fluentd 消耗它自己的日志，则可能出现以下情形：
+        # fluentd 将一个块发送到服务器时失败 => 将其写入到日志 =>
+        # 尝试将此消息发送到该服务器 => 发送一个块时失败等等。
+        # 写入一个未导出到后端的文件，可以避免发生这类事情。
+        # 它还默认允许增加 fluentd 的详细程度。
         command:
           - '/bin/sh'
           - '-c'
@@ -60,13 +60,12 @@ spec:
           readOnly: true
         - name: config-volume
           mountPath: /etc/fluent/config.d
-        # Liveness probe is aimed to help in situations where fluentd
-        # silently hangs for no apparent reasons until manual restart.
-        # The idea of this probe is that if fluentd is not queueing or
-        # flushing chunks for 5 minutes, something is not right. If
-        # you want to change the fluentd configuration, reducing amount of
-        # logs fluentd collects, consider changing the threshold or turning
-        # liveness probe off completely.
+        # 存活探针旨在帮助处理 fluentd 无明显原因就静默挂起的情况，
+        # 这种情况通常只能手动重启。这个探针的思路是：
+        # 如果 fluentd 有 5 分钟未执行队列操作或未清洗数据分块，
+        # 那么肯定出现了什么问题。
+        # 如果你要更改 fluentd 配置以减少 fluentd 收集的日志量，
+        # 请考虑更改阈值或彻底关闭存活探针。
         livenessProbe:
           initialDelaySeconds: 600
           periodSeconds: 60
diff --git a/content/zh/examples/debug/node-problem-detector-configmap.yaml b/content/zh-cn/examples/debug/node-problem-detector-configmap.yaml
similarity index 89%
rename from content/zh/examples/debug/node-problem-detector-configmap.yaml
rename to content/zh-cn/examples/debug/node-problem-detector-configmap.yaml
index 654d35106a9e3..76f396ab55131 100644
--- a/content/zh/examples/debug/node-problem-detector-configmap.yaml
+++ b/content/zh-cn/examples/debug/node-problem-detector-configmap.yaml
@@ -37,13 +37,13 @@ spec:
         - name: log
           mountPath: /log
           readOnly: true
-        - name: config # Overwrite the config/ directory with ConfigMap volume
+        - name: config # 使用 ConfigMap 卷中的数据覆盖 config/ 目录内容
           mountPath: /config
           readOnly: true
       volumes:
       - name: log
         hostPath:
           path: /var/log/
-      - name: config # Define ConfigMap volume
+      - name: config # 定义 ConfigMap 卷
         configMap:
           name: node-problem-detector-config
\ No newline at end of file
diff --git a/content/zh/examples/debug/node-problem-detector.yaml b/content/zh-cn/examples/debug/node-problem-detector.yaml
similarity index 100%
rename from content/zh/examples/debug/node-problem-detector.yaml
rename to content/zh-cn/examples/debug/node-problem-detector.yaml
diff --git a/content/zh/examples/debug/termination.yaml b/content/zh-cn/examples/debug/termination.yaml
similarity index 100%
rename from content/zh/examples/debug/termination.yaml
rename to content/zh-cn/examples/debug/termination.yaml
diff --git a/content/zh/examples/examples.go b/content/zh-cn/examples/examples.go
similarity index 100%
rename from content/zh/examples/examples.go
rename to content/zh-cn/examples/examples.go
diff --git a/content/zh/examples/examples_test.go b/content/zh-cn/examples/examples_test.go
similarity index 100%
rename from content/zh/examples/examples_test.go
rename to content/zh-cn/examples/examples_test.go
diff --git a/content/zh/examples/pods/commands.yaml b/content/zh-cn/examples/pods/commands.yaml
similarity index 100%
rename from content/zh/examples/pods/commands.yaml
rename to content/zh-cn/examples/pods/commands.yaml
diff --git a/content/zh/examples/pods/config/example-redis-config.yaml b/content/zh-cn/examples/pods/config/example-redis-config.yaml
similarity index 100%
rename from content/zh/examples/pods/config/example-redis-config.yaml
rename to content/zh-cn/examples/pods/config/example-redis-config.yaml
diff --git a/content/zh/examples/pods/config/redis-config b/content/zh-cn/examples/pods/config/redis-config
similarity index 100%
rename from content/zh/examples/pods/config/redis-config
rename to content/zh-cn/examples/pods/config/redis-config
diff --git a/content/zh/examples/pods/config/redis-pod.yaml b/content/zh-cn/examples/pods/config/redis-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/config/redis-pod.yaml
rename to content/zh-cn/examples/pods/config/redis-pod.yaml
diff --git a/content/zh/examples/pods/init-containers.yaml b/content/zh-cn/examples/pods/init-containers.yaml
similarity index 90%
rename from content/zh/examples/pods/init-containers.yaml
rename to content/zh-cn/examples/pods/init-containers.yaml
index e55895d673f38..d3b614f32e849 100644
--- a/content/zh/examples/pods/init-containers.yaml
+++ b/content/zh-cn/examples/pods/init-containers.yaml
@@ -11,7 +11,7 @@ spec:
     volumeMounts:
     - name: workdir
       mountPath: /usr/share/nginx/html
-  # These containers are run during pod initialization
+  # 这些容器在 Pod 初始化期间运行
   initContainers:
   - name: install
     image: busybox:1.28
diff --git a/content/zh/examples/pods/inject/dapi-envars-container.yaml b/content/zh-cn/examples/pods/inject/dapi-envars-container.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/dapi-envars-container.yaml
rename to content/zh-cn/examples/pods/inject/dapi-envars-container.yaml
diff --git a/content/zh/examples/pods/inject/dapi-envars-pod.yaml b/content/zh-cn/examples/pods/inject/dapi-envars-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/dapi-envars-pod.yaml
rename to content/zh-cn/examples/pods/inject/dapi-envars-pod.yaml
diff --git a/content/zh/examples/pods/inject/dapi-volume-resources.yaml b/content/zh-cn/examples/pods/inject/dapi-volume-resources.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/dapi-volume-resources.yaml
rename to content/zh-cn/examples/pods/inject/dapi-volume-resources.yaml
diff --git a/content/zh/examples/pods/inject/dapi-volume.yaml b/content/zh-cn/examples/pods/inject/dapi-volume.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/dapi-volume.yaml
rename to content/zh-cn/examples/pods/inject/dapi-volume.yaml
diff --git a/content/zh/examples/pods/inject/dependent-envars.yaml b/content/zh-cn/examples/pods/inject/dependent-envars.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/dependent-envars.yaml
rename to content/zh-cn/examples/pods/inject/dependent-envars.yaml
diff --git a/content/zh/examples/pods/inject/envars.yaml b/content/zh-cn/examples/pods/inject/envars.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/envars.yaml
rename to content/zh-cn/examples/pods/inject/envars.yaml
diff --git a/content/zh/examples/pods/inject/pod-multiple-secret-env-variable.yaml b/content/zh-cn/examples/pods/inject/pod-multiple-secret-env-variable.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/pod-multiple-secret-env-variable.yaml
rename to content/zh-cn/examples/pods/inject/pod-multiple-secret-env-variable.yaml
diff --git a/content/zh/examples/pods/inject/pod-secret-envFrom.yaml b/content/zh-cn/examples/pods/inject/pod-secret-envFrom.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/pod-secret-envFrom.yaml
rename to content/zh-cn/examples/pods/inject/pod-secret-envFrom.yaml
diff --git a/content/zh/examples/pods/inject/pod-single-secret-env-variable.yaml b/content/zh-cn/examples/pods/inject/pod-single-secret-env-variable.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/pod-single-secret-env-variable.yaml
rename to content/zh-cn/examples/pods/inject/pod-single-secret-env-variable.yaml
diff --git a/content/zh/examples/pods/inject/secret-envars-pod.yaml b/content/zh-cn/examples/pods/inject/secret-envars-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/secret-envars-pod.yaml
rename to content/zh-cn/examples/pods/inject/secret-envars-pod.yaml
diff --git a/content/zh/examples/pods/inject/secret-pod.yaml b/content/zh-cn/examples/pods/inject/secret-pod.yaml
similarity index 70%
rename from content/zh/examples/pods/inject/secret-pod.yaml
rename to content/zh-cn/examples/pods/inject/secret-pod.yaml
index 8be694cddee0d..b1abd9b0372b9 100644
--- a/content/zh/examples/pods/inject/secret-pod.yaml
+++ b/content/zh-cn/examples/pods/inject/secret-pod.yaml
@@ -7,10 +7,10 @@ spec:
     - name: test-container
       image: nginx
       volumeMounts:
-        # name must match the volume name below
+        # name 必须与下面的卷名匹配
         - name: secret-volume
           mountPath: /etc/secret-volume
-  # The secret data is exposed to Containers in the Pod through a Volume.
+  # Secret 数据通过一个卷暴露给该 Pod 中的容器
   volumes:
     - name: secret-volume
       secret:
diff --git a/content/zh/examples/pods/inject/secret.yaml b/content/zh-cn/examples/pods/inject/secret.yaml
similarity index 100%
rename from content/zh/examples/pods/inject/secret.yaml
rename to content/zh-cn/examples/pods/inject/secret.yaml
diff --git a/content/zh/examples/pods/lifecycle-events.yaml b/content/zh-cn/examples/pods/lifecycle-events.yaml
similarity index 100%
rename from content/zh/examples/pods/lifecycle-events.yaml
rename to content/zh-cn/examples/pods/lifecycle-events.yaml
diff --git a/content/zh/examples/pods/pod-configmap-env-var-valueFrom.yaml b/content/zh-cn/examples/pods/pod-configmap-env-var-valueFrom.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-configmap-env-var-valueFrom.yaml
rename to content/zh-cn/examples/pods/pod-configmap-env-var-valueFrom.yaml
diff --git a/content/zh/examples/pods/pod-configmap-envFrom.yaml b/content/zh-cn/examples/pods/pod-configmap-envFrom.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-configmap-envFrom.yaml
rename to content/zh-cn/examples/pods/pod-configmap-envFrom.yaml
diff --git a/content/zh/examples/pods/pod-configmap-volume-specific-key.yaml b/content/zh-cn/examples/pods/pod-configmap-volume-specific-key.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-configmap-volume-specific-key.yaml
rename to content/zh-cn/examples/pods/pod-configmap-volume-specific-key.yaml
diff --git a/content/zh/examples/pods/pod-configmap-volume.yaml b/content/zh-cn/examples/pods/pod-configmap-volume.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-configmap-volume.yaml
rename to content/zh-cn/examples/pods/pod-configmap-volume.yaml
diff --git a/content/zh/examples/pods/pod-multiple-configmap-env-variable.yaml b/content/zh-cn/examples/pods/pod-multiple-configmap-env-variable.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-multiple-configmap-env-variable.yaml
rename to content/zh-cn/examples/pods/pod-multiple-configmap-env-variable.yaml
diff --git a/content/zh/examples/pods/pod-nginx-preferred-affinity.yaml b/content/zh-cn/examples/pods/pod-nginx-preferred-affinity.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-nginx-preferred-affinity.yaml
rename to content/zh-cn/examples/pods/pod-nginx-preferred-affinity.yaml
diff --git a/content/zh/examples/pods/pod-nginx-required-affinity.yaml b/content/zh-cn/examples/pods/pod-nginx-required-affinity.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-nginx-required-affinity.yaml
rename to content/zh-cn/examples/pods/pod-nginx-required-affinity.yaml
diff --git a/content/zh/examples/pods/pod-nginx-specific-node.yaml b/content/zh-cn/examples/pods/pod-nginx-specific-node.yaml
similarity index 71%
rename from content/zh/examples/pods/pod-nginx-specific-node.yaml
rename to content/zh-cn/examples/pods/pod-nginx-specific-node.yaml
index 5923400d64534..9e76f921b1da7 100644
--- a/content/zh/examples/pods/pod-nginx-specific-node.yaml
+++ b/content/zh-cn/examples/pods/pod-nginx-specific-node.yaml
@@ -3,7 +3,7 @@ kind: Pod
 metadata:
   name: nginx
 spec:
-  nodeName: foo-node # schedule pod to specific node
+  nodeName: foo-node # 调度 Pod 到特定的节点
   containers:
   - name: nginx
     image: nginx
diff --git a/content/zh/examples/pods/pod-nginx.yaml b/content/zh-cn/examples/pods/pod-nginx.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-nginx.yaml
rename to content/zh-cn/examples/pods/pod-nginx.yaml
diff --git a/content/zh/examples/pods/pod-projected-svc-token.yaml b/content/zh-cn/examples/pods/pod-projected-svc-token.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-projected-svc-token.yaml
rename to content/zh-cn/examples/pods/pod-projected-svc-token.yaml
diff --git a/content/zh/examples/pods/pod-rs.yaml b/content/zh-cn/examples/pods/pod-rs.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-rs.yaml
rename to content/zh-cn/examples/pods/pod-rs.yaml
diff --git a/content/zh/examples/pods/pod-single-configmap-env-variable.yaml b/content/zh-cn/examples/pods/pod-single-configmap-env-variable.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-single-configmap-env-variable.yaml
rename to content/zh-cn/examples/pods/pod-single-configmap-env-variable.yaml
diff --git a/content/zh/examples/pods/pod-with-affinity-anti-affinity.yaml b/content/zh-cn/examples/pods/pod-with-affinity-anti-affinity.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-with-affinity-anti-affinity.yaml
rename to content/zh-cn/examples/pods/pod-with-affinity-anti-affinity.yaml
diff --git a/content/zh/examples/pods/pod-with-node-affinity.yaml b/content/zh-cn/examples/pods/pod-with-node-affinity.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-with-node-affinity.yaml
rename to content/zh-cn/examples/pods/pod-with-node-affinity.yaml
diff --git a/content/zh/examples/pods/pod-with-pod-affinity.yaml b/content/zh-cn/examples/pods/pod-with-pod-affinity.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-with-pod-affinity.yaml
rename to content/zh-cn/examples/pods/pod-with-pod-affinity.yaml
diff --git a/content/zh/examples/pods/pod-with-toleration.yaml b/content/zh-cn/examples/pods/pod-with-toleration.yaml
similarity index 100%
rename from content/zh/examples/pods/pod-with-toleration.yaml
rename to content/zh-cn/examples/pods/pod-with-toleration.yaml
diff --git a/content/zh/examples/pods/private-reg-pod.yaml b/content/zh-cn/examples/pods/private-reg-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/private-reg-pod.yaml
rename to content/zh-cn/examples/pods/private-reg-pod.yaml
diff --git a/content/zh/examples/pods/probe/exec-liveness.yaml b/content/zh-cn/examples/pods/probe/exec-liveness.yaml
similarity index 100%
rename from content/zh/examples/pods/probe/exec-liveness.yaml
rename to content/zh-cn/examples/pods/probe/exec-liveness.yaml
diff --git a/content/zh/examples/pods/probe/grpc-liveness.yaml b/content/zh-cn/examples/pods/probe/grpc-liveness.yaml
similarity index 100%
rename from content/zh/examples/pods/probe/grpc-liveness.yaml
rename to content/zh-cn/examples/pods/probe/grpc-liveness.yaml
diff --git a/content/zh/examples/pods/probe/http-liveness.yaml b/content/zh-cn/examples/pods/probe/http-liveness.yaml
similarity index 100%
rename from content/zh/examples/pods/probe/http-liveness.yaml
rename to content/zh-cn/examples/pods/probe/http-liveness.yaml
diff --git a/content/zh/examples/pods/probe/pod-with-http-healthcheck.yaml b/content/zh-cn/examples/pods/probe/pod-with-http-healthcheck.yaml
similarity index 63%
rename from content/zh/examples/pods/probe/pod-with-http-healthcheck.yaml
rename to content/zh-cn/examples/pods/probe/pod-with-http-healthcheck.yaml
index 3f40854e92cf3..9757523852722 100644
--- a/content/zh/examples/pods/probe/pod-with-http-healthcheck.yaml
+++ b/content/zh-cn/examples/pods/probe/pod-with-http-healthcheck.yaml
@@ -6,14 +6,14 @@ spec:
   containers:
   - name: nginx
     image: nginx
-    # defines the health checking
+    # 定义健康检查
     livenessProbe:
-      # an http probe
+      # 一个 http 探针
       httpGet:
         path: /_status/healthz
         port: 80
-      # length of time to wait for a pod to initialize
-      # after pod startup, before applying health checking
+      # Pod 启动之后，实施健康检查之前，
+      # 等待 Pod 初始化的时间长度
       initialDelaySeconds: 30
       timeoutSeconds: 1
     ports:
diff --git a/content/zh/examples/pods/probe/pod-with-tcp-socket-healthcheck.yaml b/content/zh-cn/examples/pods/probe/pod-with-tcp-socket-healthcheck.yaml
similarity index 61%
rename from content/zh/examples/pods/probe/pod-with-tcp-socket-healthcheck.yaml
rename to content/zh-cn/examples/pods/probe/pod-with-tcp-socket-healthcheck.yaml
index 5f0bca283c30e..adc2e4546f753 100644
--- a/content/zh/examples/pods/probe/pod-with-tcp-socket-healthcheck.yaml
+++ b/content/zh-cn/examples/pods/probe/pod-with-tcp-socket-healthcheck.yaml
@@ -6,13 +6,13 @@ spec:
   containers:
   - name: redis
     image: redis
-    # defines the health checking
+    # 定义健康检查
     livenessProbe:
-      # a TCP socket probe
+      # 一个 TCP 套接字探针
       tcpSocket:
         port: 6379
-      # length of time to wait for a pod to initialize
-      # after pod startup, before applying health checking
+      # Pod 启动之后，实施健康检查之前，
+      # 等待 Pod 初始化的时间长度
       initialDelaySeconds: 30
       timeoutSeconds: 1
     ports:
diff --git a/content/zh/examples/pods/probe/tcp-liveness-readiness.yaml b/content/zh-cn/examples/pods/probe/tcp-liveness-readiness.yaml
similarity index 100%
rename from content/zh/examples/pods/probe/tcp-liveness-readiness.yaml
rename to content/zh-cn/examples/pods/probe/tcp-liveness-readiness.yaml
diff --git a/content/zh/examples/pods/qos/qos-pod-2.yaml b/content/zh-cn/examples/pods/qos/qos-pod-2.yaml
similarity index 100%
rename from content/zh/examples/pods/qos/qos-pod-2.yaml
rename to content/zh-cn/examples/pods/qos/qos-pod-2.yaml
diff --git a/content/zh/examples/pods/qos/qos-pod-3.yaml b/content/zh-cn/examples/pods/qos/qos-pod-3.yaml
similarity index 100%
rename from content/zh/examples/pods/qos/qos-pod-3.yaml
rename to content/zh-cn/examples/pods/qos/qos-pod-3.yaml
diff --git a/content/zh/examples/pods/qos/qos-pod-4.yaml b/content/zh-cn/examples/pods/qos/qos-pod-4.yaml
similarity index 100%
rename from content/zh/examples/pods/qos/qos-pod-4.yaml
rename to content/zh-cn/examples/pods/qos/qos-pod-4.yaml
diff --git a/content/zh/examples/pods/qos/qos-pod.yaml b/content/zh-cn/examples/pods/qos/qos-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/qos/qos-pod.yaml
rename to content/zh-cn/examples/pods/qos/qos-pod.yaml
diff --git a/content/zh/examples/pods/resource/cpu-request-limit-2.yaml b/content/zh-cn/examples/pods/resource/cpu-request-limit-2.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/cpu-request-limit-2.yaml
rename to content/zh-cn/examples/pods/resource/cpu-request-limit-2.yaml
diff --git a/content/zh/examples/pods/resource/cpu-request-limit.yaml b/content/zh-cn/examples/pods/resource/cpu-request-limit.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/cpu-request-limit.yaml
rename to content/zh-cn/examples/pods/resource/cpu-request-limit.yaml
diff --git a/content/zh/examples/pods/resource/extended-resource-pod-2.yaml b/content/zh-cn/examples/pods/resource/extended-resource-pod-2.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/extended-resource-pod-2.yaml
rename to content/zh-cn/examples/pods/resource/extended-resource-pod-2.yaml
diff --git a/content/zh/examples/pods/resource/extended-resource-pod.yaml b/content/zh-cn/examples/pods/resource/extended-resource-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/extended-resource-pod.yaml
rename to content/zh-cn/examples/pods/resource/extended-resource-pod.yaml
diff --git a/content/zh/examples/pods/resource/memory-request-limit-2.yaml b/content/zh-cn/examples/pods/resource/memory-request-limit-2.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/memory-request-limit-2.yaml
rename to content/zh-cn/examples/pods/resource/memory-request-limit-2.yaml
diff --git a/content/zh/examples/pods/resource/memory-request-limit-3.yaml b/content/zh-cn/examples/pods/resource/memory-request-limit-3.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/memory-request-limit-3.yaml
rename to content/zh-cn/examples/pods/resource/memory-request-limit-3.yaml
diff --git a/content/zh/examples/pods/resource/memory-request-limit.yaml b/content/zh-cn/examples/pods/resource/memory-request-limit.yaml
similarity index 100%
rename from content/zh/examples/pods/resource/memory-request-limit.yaml
rename to content/zh-cn/examples/pods/resource/memory-request-limit.yaml
diff --git a/content/zh/examples/pods/security/hello-apparmor.yaml b/content/zh-cn/examples/pods/security/hello-apparmor.yaml
similarity index 60%
rename from content/zh/examples/pods/security/hello-apparmor.yaml
rename to content/zh-cn/examples/pods/security/hello-apparmor.yaml
index 000645f1c72c9..a363d3d6c5052 100644
--- a/content/zh/examples/pods/security/hello-apparmor.yaml
+++ b/content/zh-cn/examples/pods/security/hello-apparmor.yaml
@@ -3,8 +3,8 @@ kind: Pod
 metadata:
   name: hello-apparmor
   annotations:
-    # Tell Kubernetes to apply the AppArmor profile "k8s-apparmor-example-deny-write".
-    # Note that this is ignored if the Kubernetes node is not running version 1.4 or greater.
+    # 告知 Kubernetes 去应用 AppArmor 配置 "k8s-apparmor-example-deny-write"。
+    # 请注意，如果节点上运行的 Kubernetes 不是 1.4 或更高版本，此注解将被忽略。
     container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
 spec:
   containers:
diff --git a/content/zh/examples/pods/security/seccomp/alpha/audit-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/alpha/audit-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/alpha/audit-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/alpha/audit-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/alpha/default-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/alpha/default-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/alpha/default-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/alpha/default-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/alpha/fine-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/alpha/fine-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/alpha/fine-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/alpha/fine-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/alpha/violation-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/alpha/violation-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/alpha/violation-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/alpha/violation-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/ga/audit-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/ga/audit-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/ga/audit-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/ga/audit-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/ga/default-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/ga/default-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/ga/default-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/ga/default-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/ga/fine-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/ga/fine-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/ga/fine-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/ga/fine-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/ga/violation-pod.yaml b/content/zh-cn/examples/pods/security/seccomp/ga/violation-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/ga/violation-pod.yaml
rename to content/zh-cn/examples/pods/security/seccomp/ga/violation-pod.yaml
diff --git a/content/zh/examples/pods/security/seccomp/kind.yaml b/content/zh-cn/examples/pods/security/seccomp/kind.yaml
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/kind.yaml
rename to content/zh-cn/examples/pods/security/seccomp/kind.yaml
diff --git a/content/zh/examples/pods/security/seccomp/profiles/audit.json b/content/zh-cn/examples/pods/security/seccomp/profiles/audit.json
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/profiles/audit.json
rename to content/zh-cn/examples/pods/security/seccomp/profiles/audit.json
diff --git a/content/zh/examples/pods/security/seccomp/profiles/fine-grained.json b/content/zh-cn/examples/pods/security/seccomp/profiles/fine-grained.json
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/profiles/fine-grained.json
rename to content/zh-cn/examples/pods/security/seccomp/profiles/fine-grained.json
diff --git a/content/zh/examples/pods/security/seccomp/profiles/violation.json b/content/zh-cn/examples/pods/security/seccomp/profiles/violation.json
similarity index 100%
rename from content/zh/examples/pods/security/seccomp/profiles/violation.json
rename to content/zh-cn/examples/pods/security/seccomp/profiles/violation.json
diff --git a/content/zh/examples/pods/security/security-context-2.yaml b/content/zh-cn/examples/pods/security/security-context-2.yaml
similarity index 100%
rename from content/zh/examples/pods/security/security-context-2.yaml
rename to content/zh-cn/examples/pods/security/security-context-2.yaml
diff --git a/content/zh/examples/pods/security/security-context-3.yaml b/content/zh-cn/examples/pods/security/security-context-3.yaml
similarity index 100%
rename from content/zh/examples/pods/security/security-context-3.yaml
rename to content/zh-cn/examples/pods/security/security-context-3.yaml
diff --git a/content/zh/examples/pods/security/security-context-4.yaml b/content/zh-cn/examples/pods/security/security-context-4.yaml
similarity index 100%
rename from content/zh/examples/pods/security/security-context-4.yaml
rename to content/zh-cn/examples/pods/security/security-context-4.yaml
diff --git a/content/zh/examples/pods/security/security-context.yaml b/content/zh-cn/examples/pods/security/security-context.yaml
similarity index 100%
rename from content/zh/examples/pods/security/security-context.yaml
rename to content/zh-cn/examples/pods/security/security-context.yaml
diff --git a/content/zh/examples/pods/share-process-namespace.yaml b/content/zh-cn/examples/pods/share-process-namespace.yaml
similarity index 100%
rename from content/zh/examples/pods/share-process-namespace.yaml
rename to content/zh-cn/examples/pods/share-process-namespace.yaml
diff --git a/content/zh/examples/pods/simple-pod.yaml b/content/zh-cn/examples/pods/simple-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/simple-pod.yaml
rename to content/zh-cn/examples/pods/simple-pod.yaml
diff --git a/content/zh/examples/pods/storage/projected-secret-downwardapi-configmap.yaml b/content/zh-cn/examples/pods/storage/projected-secret-downwardapi-configmap.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/projected-secret-downwardapi-configmap.yaml
rename to content/zh-cn/examples/pods/storage/projected-secret-downwardapi-configmap.yaml
diff --git a/content/zh/examples/pods/storage/projected-secrets-nondefault-permission-mode.yaml b/content/zh-cn/examples/pods/storage/projected-secrets-nondefault-permission-mode.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/projected-secrets-nondefault-permission-mode.yaml
rename to content/zh-cn/examples/pods/storage/projected-secrets-nondefault-permission-mode.yaml
diff --git a/content/zh/examples/pods/storage/projected-service-account-token.yaml b/content/zh-cn/examples/pods/storage/projected-service-account-token.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/projected-service-account-token.yaml
rename to content/zh-cn/examples/pods/storage/projected-service-account-token.yaml
diff --git a/content/zh/examples/pods/storage/projected.yaml b/content/zh-cn/examples/pods/storage/projected.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/projected.yaml
rename to content/zh-cn/examples/pods/storage/projected.yaml
diff --git a/content/zh/examples/pods/storage/pv-claim.yaml b/content/zh-cn/examples/pods/storage/pv-claim.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/pv-claim.yaml
rename to content/zh-cn/examples/pods/storage/pv-claim.yaml
diff --git a/content/zh/examples/pods/storage/pv-duplicate.yaml b/content/zh-cn/examples/pods/storage/pv-duplicate.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/pv-duplicate.yaml
rename to content/zh-cn/examples/pods/storage/pv-duplicate.yaml
diff --git a/content/zh/examples/pods/storage/pv-pod.yaml b/content/zh-cn/examples/pods/storage/pv-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/pv-pod.yaml
rename to content/zh-cn/examples/pods/storage/pv-pod.yaml
diff --git a/content/zh/examples/pods/storage/pv-volume.yaml b/content/zh-cn/examples/pods/storage/pv-volume.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/pv-volume.yaml
rename to content/zh-cn/examples/pods/storage/pv-volume.yaml
diff --git a/content/zh/examples/pods/storage/redis.yaml b/content/zh-cn/examples/pods/storage/redis.yaml
similarity index 100%
rename from content/zh/examples/pods/storage/redis.yaml
rename to content/zh-cn/examples/pods/storage/redis.yaml
diff --git a/content/zh/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml b/content/zh-cn/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml
similarity index 100%
rename from content/zh/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml
rename to content/zh-cn/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml
diff --git a/content/zh/examples/pods/topology-spread-constraints/one-constraint.yaml b/content/zh-cn/examples/pods/topology-spread-constraints/one-constraint.yaml
similarity index 100%
rename from content/zh/examples/pods/topology-spread-constraints/one-constraint.yaml
rename to content/zh-cn/examples/pods/topology-spread-constraints/one-constraint.yaml
diff --git a/content/zh/examples/pods/topology-spread-constraints/two-constraints.yaml b/content/zh-cn/examples/pods/topology-spread-constraints/two-constraints.yaml
similarity index 100%
rename from content/zh/examples/pods/topology-spread-constraints/two-constraints.yaml
rename to content/zh-cn/examples/pods/topology-spread-constraints/two-constraints.yaml
diff --git a/content/zh/examples/pods/two-container-pod.yaml b/content/zh-cn/examples/pods/two-container-pod.yaml
similarity index 100%
rename from content/zh/examples/pods/two-container-pod.yaml
rename to content/zh-cn/examples/pods/two-container-pod.yaml
diff --git a/content/zh/examples/policy/baseline-psp.yaml b/content/zh-cn/examples/policy/baseline-psp.yaml
similarity index 69%
rename from content/zh/examples/policy/baseline-psp.yaml
rename to content/zh-cn/examples/policy/baseline-psp.yaml
index 57258bf313255..43e83d7c24838 100644
--- a/content/zh/examples/policy/baseline-psp.yaml
+++ b/content/zh-cn/examples/policy/baseline-psp.yaml
@@ -3,13 +3,13 @@ kind: PodSecurityPolicy
 metadata:
   name: baseline
   annotations:
-    # Optional: Allow the default AppArmor profile, requires setting the default.
+    # 可选：允许 default AppArmor 配置，需要设置 default 配置
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
 spec:
   privileged: false
-  # The moby default capability set, minus NET_RAW
+  # 这是 moby 默认的权能集，去掉了 NET_RAW
   allowedCapabilities:
     - 'CHOWN'
     - 'DAC_OVERRIDE'
@@ -24,19 +24,19 @@ spec:
     - 'SYS_CHROOT'
     - 'KILL'
     - 'AUDIT_WRITE'
-  # Allow all volume types except hostpath
+  # 允许除 hostpath 外的所有卷类型
   volumes:
-    # 'core' volume types
+    # 'core' 卷类型
     - 'configMap'
     - 'emptyDir'
     - 'projected'
     - 'secret'
     - 'downwardAPI'
-    # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
+    # 假定集群管理员设置的临时 CSI 驱动和 persistentVolume 可以安全使用。
     - 'csi'
     - 'persistentVolumeClaim'
     - 'ephemeral'
-    # Allow all other non-hostpath volume types.
+    # 允许所有其他非 hostpath 的卷类型。
     - 'awsElasticBlockStore'
     - 'azureDisk'
     - 'azureFile'
@@ -64,9 +64,9 @@ spec:
   runAsUser:
     rule: 'RunAsAny'
   seLinux:
-    # This policy assumes the nodes are using AppArmor rather than SELinux.
-    # The PSP SELinux API cannot express the SELinux Pod Security Standards,
-    # so if using SELinux, you must choose a more restrictive default.
+    # 此策略假定节点正在使用 AppArmor 而不是 SELinux。
+    # PSP SELinux API 无法体现 Pod SELinux 安全标准，
+    # 因此如果使用 SELinux，你必须选择一个限制更多的默认值。
     rule: 'RunAsAny'
   supplementalGroups:
     rule: 'RunAsAny'
diff --git a/content/zh/examples/policy/example-psp.yaml b/content/zh-cn/examples/policy/example-psp.yaml
similarity index 70%
rename from content/zh/examples/policy/example-psp.yaml
rename to content/zh-cn/examples/policy/example-psp.yaml
index 7531949b650ec..b994c2a2516c4 100644
--- a/content/zh/examples/policy/example-psp.yaml
+++ b/content/zh-cn/examples/policy/example-psp.yaml
@@ -3,8 +3,8 @@ kind: PodSecurityPolicy
 metadata:
   name: example
 spec:
-  privileged: false  # Don't allow privileged pods!
-  # The rest fills in some required fields.
+  privileged: false  # 不允许提权的 Pod！
+  # 以下内容负责填充一些必需字段。
   seLinux:
     rule: RunAsAny
   supplementalGroups:
diff --git a/content/zh/examples/policy/priority-class-resourcequota.yaml b/content/zh-cn/examples/policy/priority-class-resourcequota.yaml
similarity index 100%
rename from content/zh/examples/policy/priority-class-resourcequota.yaml
rename to content/zh-cn/examples/policy/priority-class-resourcequota.yaml
diff --git a/content/zh/examples/policy/privileged-psp.yaml b/content/zh-cn/examples/policy/privileged-psp.yaml
similarity index 100%
rename from content/zh/examples/policy/privileged-psp.yaml
rename to content/zh-cn/examples/policy/privileged-psp.yaml
diff --git a/content/zh/examples/policy/restricted-psp.yaml b/content/zh-cn/examples/policy/restricted-psp.yaml
similarity index 100%
rename from content/zh/examples/policy/restricted-psp.yaml
rename to content/zh-cn/examples/policy/restricted-psp.yaml
diff --git a/content/zh/examples/policy/zookeeper-pod-disruption-budget-maxunavailable.yaml b/content/zh-cn/examples/policy/zookeeper-pod-disruption-budget-maxunavailable.yaml
similarity index 100%
rename from content/zh/examples/policy/zookeeper-pod-disruption-budget-maxunavailable.yaml
rename to content/zh-cn/examples/policy/zookeeper-pod-disruption-budget-maxunavailable.yaml
diff --git a/content/zh/examples/policy/zookeeper-pod-disruption-budget-minavailable.yaml b/content/zh-cn/examples/policy/zookeeper-pod-disruption-budget-minavailable.yaml
similarity index 100%
rename from content/zh/examples/policy/zookeeper-pod-disruption-budget-minavailable.yaml
rename to content/zh-cn/examples/policy/zookeeper-pod-disruption-budget-minavailable.yaml
diff --git a/content/zh/examples/priority-and-fairness/health-for-strangers.yaml b/content/zh-cn/examples/priority-and-fairness/health-for-strangers.yaml
similarity index 100%
rename from content/zh/examples/priority-and-fairness/health-for-strangers.yaml
rename to content/zh-cn/examples/priority-and-fairness/health-for-strangers.yaml
diff --git a/content/zh/examples/security/kind-with-cluster-level-baseline-pod-security.sh b/content/zh-cn/examples/security/kind-with-cluster-level-baseline-pod-security.sh
similarity index 100%
rename from content/zh/examples/security/kind-with-cluster-level-baseline-pod-security.sh
rename to content/zh-cn/examples/security/kind-with-cluster-level-baseline-pod-security.sh
diff --git a/content/zh/examples/security/kind-with-namespace-level-baseline-pod-security.sh b/content/zh-cn/examples/security/kind-with-namespace-level-baseline-pod-security.sh
similarity index 100%
rename from content/zh/examples/security/kind-with-namespace-level-baseline-pod-security.sh
rename to content/zh-cn/examples/security/kind-with-namespace-level-baseline-pod-security.sh
diff --git a/content/zh/examples/security/podsecurity-baseline.yaml b/content/zh-cn/examples/security/podsecurity-baseline.yaml
similarity index 100%
rename from content/zh/examples/security/podsecurity-baseline.yaml
rename to content/zh-cn/examples/security/podsecurity-baseline.yaml
diff --git a/content/zh/examples/security/podsecurity-privileged.yaml b/content/zh-cn/examples/security/podsecurity-privileged.yaml
similarity index 100%
rename from content/zh/examples/security/podsecurity-privileged.yaml
rename to content/zh-cn/examples/security/podsecurity-privileged.yaml
diff --git a/content/zh/examples/security/podsecurity-restricted.yaml b/content/zh-cn/examples/security/podsecurity-restricted.yaml
similarity index 100%
rename from content/zh/examples/security/podsecurity-restricted.yaml
rename to content/zh-cn/examples/security/podsecurity-restricted.yaml
diff --git a/content/zh/examples/service/access/Dockerfile b/content/zh-cn/examples/service/access/Dockerfile
similarity index 100%
rename from content/zh/examples/service/access/Dockerfile
rename to content/zh-cn/examples/service/access/Dockerfile
diff --git a/content/zh/examples/service/access/backend-deployment.yaml b/content/zh-cn/examples/service/access/backend-deployment.yaml
similarity index 100%
rename from content/zh/examples/service/access/backend-deployment.yaml
rename to content/zh-cn/examples/service/access/backend-deployment.yaml
diff --git a/content/zh/examples/service/access/backend-service.yaml b/content/zh-cn/examples/service/access/backend-service.yaml
similarity index 100%
rename from content/zh/examples/service/access/backend-service.yaml
rename to content/zh-cn/examples/service/access/backend-service.yaml
diff --git a/content/zh/examples/service/access/frontend-deployment.yaml b/content/zh-cn/examples/service/access/frontend-deployment.yaml
similarity index 100%
rename from content/zh/examples/service/access/frontend-deployment.yaml
rename to content/zh-cn/examples/service/access/frontend-deployment.yaml
diff --git a/content/zh/examples/service/access/frontend-nginx.conf b/content/zh-cn/examples/service/access/frontend-nginx.conf
similarity index 100%
rename from content/zh/examples/service/access/frontend-nginx.conf
rename to content/zh-cn/examples/service/access/frontend-nginx.conf
diff --git a/content/zh/examples/service/access/frontend-service.yaml b/content/zh-cn/examples/service/access/frontend-service.yaml
similarity index 100%
rename from content/zh/examples/service/access/frontend-service.yaml
rename to content/zh-cn/examples/service/access/frontend-service.yaml
diff --git a/content/zh/examples/service/access/hello-application.yaml b/content/zh-cn/examples/service/access/hello-application.yaml
similarity index 100%
rename from content/zh/examples/service/access/hello-application.yaml
rename to content/zh-cn/examples/service/access/hello-application.yaml
diff --git a/content/zh/examples/service/load-balancer-example.yaml b/content/zh-cn/examples/service/load-balancer-example.yaml
similarity index 100%
rename from content/zh/examples/service/load-balancer-example.yaml
rename to content/zh-cn/examples/service/load-balancer-example.yaml
diff --git a/content/zh/examples/service/networking/curlpod.yaml b/content/zh-cn/examples/service/networking/curlpod.yaml
similarity index 100%
rename from content/zh/examples/service/networking/curlpod.yaml
rename to content/zh-cn/examples/service/networking/curlpod.yaml
diff --git a/content/zh/examples/service/networking/custom-dns.yaml b/content/zh-cn/examples/service/networking/custom-dns.yaml
similarity index 100%
rename from content/zh/examples/service/networking/custom-dns.yaml
rename to content/zh-cn/examples/service/networking/custom-dns.yaml
diff --git a/content/zh/examples/service/networking/default-ingressclass.yaml b/content/zh-cn/examples/service/networking/default-ingressclass.yaml
similarity index 100%
rename from content/zh/examples/service/networking/default-ingressclass.yaml
rename to content/zh-cn/examples/service/networking/default-ingressclass.yaml
diff --git a/content/zh/examples/service/networking/dual-stack-default-svc.yaml b/content/zh-cn/examples/service/networking/dual-stack-default-svc.yaml
similarity index 100%
rename from content/zh/examples/service/networking/dual-stack-default-svc.yaml
rename to content/zh-cn/examples/service/networking/dual-stack-default-svc.yaml
diff --git a/content/zh/examples/service/networking/dual-stack-ipfamilies-ipv6.yaml b/content/zh-cn/examples/service/networking/dual-stack-ipfamilies-ipv6.yaml
similarity index 100%
rename from content/zh/examples/service/networking/dual-stack-ipfamilies-ipv6.yaml
rename to content/zh-cn/examples/service/networking/dual-stack-ipfamilies-ipv6.yaml
diff --git a/content/zh/examples/service/networking/dual-stack-ipv6-svc.yaml b/content/zh-cn/examples/service/networking/dual-stack-ipv6-svc.yaml
similarity index 100%
rename from content/zh/examples/service/networking/dual-stack-ipv6-svc.yaml
rename to content/zh-cn/examples/service/networking/dual-stack-ipv6-svc.yaml
diff --git a/content/zh/examples/service/networking/dual-stack-prefer-ipv6-lb-svc.yaml b/content/zh-cn/examples/service/networking/dual-stack-prefer-ipv6-lb-svc.yaml
similarity index 100%
rename from content/zh/examples/service/networking/dual-stack-prefer-ipv6-lb-svc.yaml
rename to content/zh-cn/examples/service/networking/dual-stack-prefer-ipv6-lb-svc.yaml
diff --git a/content/zh/examples/service/networking/dual-stack-preferred-ipfamilies-svc.yaml b/content/zh-cn/examples/service/networking/dual-stack-preferred-ipfamilies-svc.yaml
similarity index 100%
rename from content/zh/examples/service/networking/dual-stack-preferred-ipfamilies-svc.yaml
rename to content/zh-cn/examples/service/networking/dual-stack-preferred-ipfamilies-svc.yaml
diff --git a/content/zh/examples/service/networking/dual-stack-preferred-svc.yaml b/content/zh-cn/examples/service/networking/dual-stack-preferred-svc.yaml
similarity index 100%
rename from content/zh/examples/service/networking/dual-stack-preferred-svc.yaml
rename to content/zh-cn/examples/service/networking/dual-stack-preferred-svc.yaml
diff --git a/content/zh/examples/service/networking/example-ingress.yaml b/content/zh-cn/examples/service/networking/example-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/example-ingress.yaml
rename to content/zh-cn/examples/service/networking/example-ingress.yaml
diff --git a/content/zh/examples/service/networking/external-lb.yaml b/content/zh-cn/examples/service/networking/external-lb.yaml
similarity index 100%
rename from content/zh/examples/service/networking/external-lb.yaml
rename to content/zh-cn/examples/service/networking/external-lb.yaml
diff --git a/content/zh/examples/service/networking/hostaliases-pod.yaml b/content/zh-cn/examples/service/networking/hostaliases-pod.yaml
similarity index 100%
rename from content/zh/examples/service/networking/hostaliases-pod.yaml
rename to content/zh-cn/examples/service/networking/hostaliases-pod.yaml
diff --git a/content/zh/examples/service/networking/ingress-resource-backend.yaml b/content/zh-cn/examples/service/networking/ingress-resource-backend.yaml
similarity index 100%
rename from content/zh/examples/service/networking/ingress-resource-backend.yaml
rename to content/zh-cn/examples/service/networking/ingress-resource-backend.yaml
diff --git a/content/zh/examples/service/networking/ingress-wildcard-host.yaml b/content/zh-cn/examples/service/networking/ingress-wildcard-host.yaml
similarity index 100%
rename from content/zh/examples/service/networking/ingress-wildcard-host.yaml
rename to content/zh-cn/examples/service/networking/ingress-wildcard-host.yaml
diff --git a/content/zh/examples/service/networking/minimal-ingress.yaml b/content/zh-cn/examples/service/networking/minimal-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/minimal-ingress.yaml
rename to content/zh-cn/examples/service/networking/minimal-ingress.yaml
diff --git a/content/zh/examples/service/networking/name-virtual-host-ingress-no-third-host.yaml b/content/zh-cn/examples/service/networking/name-virtual-host-ingress-no-third-host.yaml
similarity index 100%
rename from content/zh/examples/service/networking/name-virtual-host-ingress-no-third-host.yaml
rename to content/zh-cn/examples/service/networking/name-virtual-host-ingress-no-third-host.yaml
diff --git a/content/zh/examples/service/networking/name-virtual-host-ingress.yaml b/content/zh-cn/examples/service/networking/name-virtual-host-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/name-virtual-host-ingress.yaml
rename to content/zh-cn/examples/service/networking/name-virtual-host-ingress.yaml
diff --git a/content/zh/examples/service/networking/namespaced-params.yaml b/content/zh-cn/examples/service/networking/namespaced-params.yaml
similarity index 100%
rename from content/zh/examples/service/networking/namespaced-params.yaml
rename to content/zh-cn/examples/service/networking/namespaced-params.yaml
diff --git a/content/zh/examples/service/networking/network-policy-allow-all-egress.yaml b/content/zh-cn/examples/service/networking/network-policy-allow-all-egress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/network-policy-allow-all-egress.yaml
rename to content/zh-cn/examples/service/networking/network-policy-allow-all-egress.yaml
diff --git a/content/zh/examples/service/networking/network-policy-allow-all-ingress.yaml b/content/zh-cn/examples/service/networking/network-policy-allow-all-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/network-policy-allow-all-ingress.yaml
rename to content/zh-cn/examples/service/networking/network-policy-allow-all-ingress.yaml
diff --git a/content/zh/examples/service/networking/network-policy-default-deny-all.yaml b/content/zh-cn/examples/service/networking/network-policy-default-deny-all.yaml
similarity index 100%
rename from content/zh/examples/service/networking/network-policy-default-deny-all.yaml
rename to content/zh-cn/examples/service/networking/network-policy-default-deny-all.yaml
diff --git a/content/zh/examples/service/networking/network-policy-default-deny-egress.yaml b/content/zh-cn/examples/service/networking/network-policy-default-deny-egress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/network-policy-default-deny-egress.yaml
rename to content/zh-cn/examples/service/networking/network-policy-default-deny-egress.yaml
diff --git a/content/zh/examples/service/networking/network-policy-default-deny-ingress.yaml b/content/zh-cn/examples/service/networking/network-policy-default-deny-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/network-policy-default-deny-ingress.yaml
rename to content/zh-cn/examples/service/networking/network-policy-default-deny-ingress.yaml
diff --git a/content/zh/examples/service/networking/networkpolicy.yaml b/content/zh-cn/examples/service/networking/networkpolicy.yaml
similarity index 100%
rename from content/zh/examples/service/networking/networkpolicy.yaml
rename to content/zh-cn/examples/service/networking/networkpolicy.yaml
diff --git a/content/zh/examples/service/networking/nginx-policy.yaml b/content/zh-cn/examples/service/networking/nginx-policy.yaml
similarity index 100%
rename from content/zh/examples/service/networking/nginx-policy.yaml
rename to content/zh-cn/examples/service/networking/nginx-policy.yaml
diff --git a/content/zh/examples/service/networking/nginx-secure-app.yaml b/content/zh-cn/examples/service/networking/nginx-secure-app.yaml
similarity index 100%
rename from content/zh/examples/service/networking/nginx-secure-app.yaml
rename to content/zh-cn/examples/service/networking/nginx-secure-app.yaml
diff --git a/content/zh/examples/service/networking/nginx-svc.yaml b/content/zh-cn/examples/service/networking/nginx-svc.yaml
similarity index 100%
rename from content/zh/examples/service/networking/nginx-svc.yaml
rename to content/zh-cn/examples/service/networking/nginx-svc.yaml
diff --git a/content/zh/examples/service/networking/run-my-nginx.yaml b/content/zh-cn/examples/service/networking/run-my-nginx.yaml
similarity index 100%
rename from content/zh/examples/service/networking/run-my-nginx.yaml
rename to content/zh-cn/examples/service/networking/run-my-nginx.yaml
diff --git a/content/zh/examples/service/networking/simple-fanout-example.yaml b/content/zh-cn/examples/service/networking/simple-fanout-example.yaml
similarity index 100%
rename from content/zh/examples/service/networking/simple-fanout-example.yaml
rename to content/zh-cn/examples/service/networking/simple-fanout-example.yaml
diff --git a/content/zh/examples/service/networking/test-ingress.yaml b/content/zh-cn/examples/service/networking/test-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/test-ingress.yaml
rename to content/zh-cn/examples/service/networking/test-ingress.yaml
diff --git a/content/zh/examples/service/networking/tls-example-ingress.yaml b/content/zh-cn/examples/service/networking/tls-example-ingress.yaml
similarity index 100%
rename from content/zh/examples/service/networking/tls-example-ingress.yaml
rename to content/zh-cn/examples/service/networking/tls-example-ingress.yaml
diff --git a/content/zh-cn/examples/service/nginx-service.yaml b/content/zh-cn/examples/service/nginx-service.yaml
new file mode 100644
index 0000000000000..e158e0e4b78ed
--- /dev/null
+++ b/content/zh-cn/examples/service/nginx-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-service
+spec:
+  ports:
+  - port: 8000 # 在每个 Pod 的容器上要使用的端口；
+    # 服务将在此端口上运行，接受连接。
+    # 端口可以是一个名称（例如：“www”）或一个数字（例如：80）
+    targetPort: 80
+    protocol: TCP
+  # 就像 Deployment 中的选择算符，
+  # 但这里用于识别要对流量进行负载均衡的 Pod 集合。
+  selector:
+    app: nginx
diff --git a/content/zh/examples/tls/server-signing-config.json b/content/zh-cn/examples/tls/server-signing-config.json
similarity index 100%
rename from content/zh/examples/tls/server-signing-config.json
rename to content/zh-cn/examples/tls/server-signing-config.json
diff --git a/content/zh/examples/windows/configmap-pod.yaml b/content/zh-cn/examples/windows/configmap-pod.yaml
similarity index 100%
rename from content/zh/examples/windows/configmap-pod.yaml
rename to content/zh-cn/examples/windows/configmap-pod.yaml
diff --git a/content/zh/examples/windows/daemonset.yaml b/content/zh-cn/examples/windows/daemonset.yaml
similarity index 100%
rename from content/zh/examples/windows/daemonset.yaml
rename to content/zh-cn/examples/windows/daemonset.yaml
diff --git a/content/zh/examples/windows/deploy-hyperv.yaml b/content/zh-cn/examples/windows/deploy-hyperv.yaml
similarity index 100%
rename from content/zh/examples/windows/deploy-hyperv.yaml
rename to content/zh-cn/examples/windows/deploy-hyperv.yaml
diff --git a/content/zh/examples/windows/deploy-resource.yaml b/content/zh-cn/examples/windows/deploy-resource.yaml
similarity index 100%
rename from content/zh/examples/windows/deploy-resource.yaml
rename to content/zh-cn/examples/windows/deploy-resource.yaml
diff --git a/content/zh/examples/windows/emptydir-pod.yaml b/content/zh-cn/examples/windows/emptydir-pod.yaml
similarity index 100%
rename from content/zh/examples/windows/emptydir-pod.yaml
rename to content/zh-cn/examples/windows/emptydir-pod.yaml
diff --git a/content/zh/examples/windows/hostpath-volume-pod.yaml b/content/zh-cn/examples/windows/hostpath-volume-pod.yaml
similarity index 100%
rename from content/zh/examples/windows/hostpath-volume-pod.yaml
rename to content/zh-cn/examples/windows/hostpath-volume-pod.yaml
diff --git a/content/zh/examples/windows/run-as-username-container.yaml b/content/zh-cn/examples/windows/run-as-username-container.yaml
similarity index 100%
rename from content/zh/examples/windows/run-as-username-container.yaml
rename to content/zh-cn/examples/windows/run-as-username-container.yaml
diff --git a/content/zh/examples/windows/run-as-username-pod.yaml b/content/zh-cn/examples/windows/run-as-username-pod.yaml
similarity index 100%
rename from content/zh/examples/windows/run-as-username-pod.yaml
rename to content/zh-cn/examples/windows/run-as-username-pod.yaml
diff --git a/content/zh/examples/windows/secret-pod.yaml b/content/zh-cn/examples/windows/secret-pod.yaml
similarity index 100%
rename from content/zh/examples/windows/secret-pod.yaml
rename to content/zh-cn/examples/windows/secret-pod.yaml
diff --git a/content/zh/examples/windows/simple-pod.yaml b/content/zh-cn/examples/windows/simple-pod.yaml
similarity index 100%
rename from content/zh/examples/windows/simple-pod.yaml
rename to content/zh-cn/examples/windows/simple-pod.yaml
diff --git a/content/zh-cn/includes/default-storage-class-prereqs.md b/content/zh-cn/includes/default-storage-class-prereqs.md
new file mode 100644
index 0000000000000..0dbea685dc588
--- /dev/null
+++ b/content/zh-cn/includes/default-storage-class-prereqs.md
@@ -0,0 +1,12 @@
+你需要有一个带有默认 [StorageClass](/zh-cn/docs/concepts/storage/storage-classes/)的
+[动态 PersistentVolume 供应程序](/zh-cn/docs/concepts/storage/dynamic-provisioning/)，
+或者自己[静态的提供 PersistentVolume](/zh-cn/docs/concepts/storage/persistent-volumes/#provisioning)
+来满足这里使用的 [PersistentVolumeClaim](/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)。
+
+<!--
+You need to either have a [dynamic PersistentVolume provisioner](/docs/concepts/storage/dynamic-provisioning/) with a default
+[StorageClass](/docs/concepts/storage/storage-classes/),
+or [statically provision PersistentVolumes](/docs/concepts/storage/persistent-volumes/#provisioning)
+yourself to satisfy the [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
+used here.
+-->
diff --git a/content/zh/includes/federation-deprecation-warning-note.md b/content/zh-cn/includes/federation-deprecation-warning-note.md
similarity index 100%
rename from content/zh/includes/federation-deprecation-warning-note.md
rename to content/zh-cn/includes/federation-deprecation-warning-note.md
diff --git a/content/zh/includes/index.md b/content/zh-cn/includes/index.md
similarity index 100%
rename from content/zh/includes/index.md
rename to content/zh-cn/includes/index.md
diff --git a/content/zh/includes/partner-style.css b/content/zh-cn/includes/partner-style.css
similarity index 100%
rename from content/zh/includes/partner-style.css
rename to content/zh-cn/includes/partner-style.css
diff --git a/content/zh/includes/task-tutorial-prereqs.md b/content/zh-cn/includes/task-tutorial-prereqs.md
similarity index 100%
rename from content/zh/includes/task-tutorial-prereqs.md
rename to content/zh-cn/includes/task-tutorial-prereqs.md
diff --git a/content/zh/includes/user-guide-content-moved.md b/content/zh-cn/includes/user-guide-content-moved.md
similarity index 57%
rename from content/zh/includes/user-guide-content-moved.md
rename to content/zh-cn/includes/user-guide-content-moved.md
index ed33f2ac583a7..b9e35e736174e 100644
--- a/content/zh/includes/user-guide-content-moved.md
+++ b/content/zh-cn/includes/user-guide-content-moved.md
@@ -3,6 +3,6 @@ The topics in the [User Guide](/docs/user-guide/) section of the Kubernetes docs
 are being moved to the [Tasks](/docs/tasks/), [Tutorials](/docs/tutorials/), and
 [Concepts](/docs/concepts) sections. The content in this topic has moved to:
 -->
-Kubernetes文档中[用户指南](/zh/docs/user-guide/)部分中的主题被移动到
-[任务](/zh/docs/tasks/)、[教程](/zh/docs/tutorials/)和[概念](/zh/docs/concepts)节。
+Kubernetes文档中[用户指南](/zh-cn/docs/user-guide/)部分中的主题被移动到
+[任务](/zh-cn/docs/tasks/)、[教程](/zh-cn/docs/tutorials/)和[概念](/zh-cn/docs/concepts)节。
 本主题内容已移至:
diff --git a/content/zh/partners/_index.html b/content/zh-cn/partners/_index.html
similarity index 100%
rename from content/zh/partners/_index.html
rename to content/zh-cn/partners/_index.html
diff --git a/content/zh-cn/releases/_index.md b/content/zh-cn/releases/_index.md
new file mode 100644
index 0000000000000..dc89e9f03a67b
--- /dev/null
+++ b/content/zh-cn/releases/_index.md
@@ -0,0 +1,50 @@
+---
+linktitle: 发行版本历史
+title: 发行版本
+type: docs
+---
+<!-- 
+linktitle: Release History
+title: Releases
+type: docs
+-->
+
+
+<!-- overview -->
+
+<!-- 
+The Kubernetes project maintains release branches for the most recent three minor releases ({{< skew currentVersion >}}, {{< skew currentVersionAddMinor -1 >}}, {{< skew currentVersionAddMinor -2 >}}).  Kubernetes 1.19 and newer receive [approximately 1 year of patch support](/releases/patch-releases/#support-period). Kubernetes 1.18 and older received approximately 9 months of patch support.
+-->
+Kubernetes 项目维护最近三个次要版本（{{< skew currentVersion >}}、{{< skew currentVersionAddMinor -1 >}}、{{< skew currentVersionAddMinor -2 >}}）的发布分支。
+Kubernetes 1.19 和更新版本获得[大约 1 年的补丁支持](/zh-cn/releases/patch-releases/#support-period)。
+Kubernetes 1.18 及更早版本获得了大约 9 个月的补丁支持周期。
+
+<!-- 
+Kubernetes versions are expressed as **x.y.z**,
+where **x** is the major version, **y** is the minor version, and **z** is the patch version, following [Semantic Versioning](https://semver.org/) terminology.
+More information in the [version skew policy](/releases/version-skew-policy/) document.
+-->
+
+Kubernetes 版本表示为 **x.y.z**，
+其中 **x** 是主要版本，**y** 是次要版本，**z** 是补丁版本，遵循[语义版本控制](https://semver.org/)术语。
+
+更多信息在[版本偏差策略](/zh-cn/releases/version-skew-policy/)文档中。
+
+<!-- body -->
+
+<!-- ## Release History -->
+## 发行版本历史
+
+{{< release-data >}}
+
+<!-- ## Upcoming Release -->
+## 未来的发行版本
+
+<!-- 
+Check out the [schedule](https://github.com/kubernetes/sig-release/tree/master/releases/release-{{< skew  currentVersionAddMinor 1 >}}) for the upcoming **{{< skew  currentVersionAddMinor 1 >}}** Kubernetes release!
+-->
+查看[时间表](https://github.com/kubernetes/sig-release/tree/master/releases/release-{{< skew currentVersionAddMinor 1 >}})，
+Kubernetes **{{< skew nextMinorVersion >}}** 版本即将发行！
+
+<!-- ## Helpful Resources -->
+## 有用的资源
diff --git a/content/zh-cn/releases/download.md b/content/zh-cn/releases/download.md
new file mode 100644
index 0000000000000..c05432d80d47b
--- /dev/null
+++ b/content/zh-cn/releases/download.md
@@ -0,0 +1,168 @@
+---
+title: 下载 Kubernetes
+type: docs
+---
+<!-- 
+title: Download Kubernetes
+type: docs
+-->
+
+<!-- 
+Kubernetes ships binaries for each component as well as a standard set of client
+applications to bootstrap or interact with a cluster. Components like the
+API server are capable of running within container images inside of a
+cluster. Those components are also shipped in container images as part of the
+official release process. All binaries as well as container images are available
+for multiple operating systems as well as hardware architectures.
+-->
+Kubernetes 为每个组件提供二进制文件以及一组标准的客户端应用程序用来引导集群或与集群交互。
+像 API 服务器这样的组件能够在集群内的容器镜像中运行。
+作为官方发布过程的一部分，这些组件也以容器镜像的形式提供。
+所有二进制文件和容器镜像都可用于多种操作系统和硬件架构。
+
+<!-- 
+## Container Images
+
+All Kubernetes container images are deployed to the
+[k8s.gcr.io](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/GLOBAL)
+container registry.
+-->
+## 容器镜像
+
+所有 Kubernetes 容器镜像都部署到
+[k8s.gcr.io](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/GLOBAL) 容器仓库。
+
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+<!-- 
+For Kubernetes {{< param "version" >}}, the following
+container images are signed using [cosign](https://github.com/sigstore/cosign)
+signatures:
+-->
+对于 Kubernetes {{< param "version" >}}，以下容器镜像使用
+[cosign](https://github.com/sigstore/cosign) 进行签名：
+
+<!-- 
+| Container Image                                                     | Supported Architectures                                                                  |
+-->
+| 容器镜像                                                             | 支持架构                                                                                  |
+| ------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
+| [k8s.gcr.io/kube-apiserver:{{< param "fullversion" >}}][0]          | [amd64][0-amd64], [arm][0-arm], [arm64][0-arm64], [ppc64le][0-ppc64le], [s390x][0-s390x] |
+| [k8s.gcr.io/kube-controller-manager:{{< param "fullversion" >}}][1] | [amd64][1-amd64], [arm][1-arm], [arm64][1-arm64], [ppc64le][1-ppc64le], [s390x][1-s390x] |
+| [k8s.gcr.io/kube-proxy:{{< param "fullversion" >}}][2]              | [amd64][2-amd64], [arm][2-arm], [arm64][2-arm64], [ppc64le][2-ppc64le], [s390x][2-s390x] |
+| [k8s.gcr.io/kube-scheduler:{{< param "fullversion" >}}][3]          | [amd64][3-amd64], [arm][3-arm], [arm64][3-arm64], [ppc64le][3-ppc64le], [s390x][3-s390x] |
+| [k8s.gcr.io/conformance:{{< param "fullversion" >}}][4]             | [amd64][4-amd64], [arm][4-arm], [arm64][4-arm64], [ppc64le][4-ppc64le], [s390x][4-s390x] |
+
+[0]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver
+[0-amd64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-amd64
+[0-arm]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-arm
+[0-arm64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-arm64
+[0-ppc64le]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-ppc64le
+[0-s390x]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-s390x
+[1]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager
+[1-amd64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-amd64
+[1-arm]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-arm
+[1-arm64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-arm64
+[1-ppc64le]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-ppc64le
+[1-s390x]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-s390x
+[2]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy
+[2-amd64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-amd64
+[2-arm]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-arm
+[2-arm64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-arm64
+[2-ppc64le]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-ppc64le
+[2-s390x]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-s390x
+[3]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler
+[3-amd64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-amd64
+[3-arm]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-arm
+[3-arm64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-arm64
+[3-ppc64le]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-ppc64le
+[3-s390x]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-s390x
+[4]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance
+[4-amd64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-amd64
+[4-arm]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-arm
+[4-arm64]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-arm64
+[4-ppc64le]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-ppc64le
+[4-s390x]: https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-s390x
+
+<!-- 
+All container images are available for multiple architectures, whereas the
+container runtime should choose the correct one based on the underlying
+platform. It is also possible to pull a dedicated architecture by suffixing the
+container image name, for example
+[`k8s.gcr.io/kube-apiserver-arm64:{{< param "fullversion" >}}`][0-arm64]. All
+those derivations are signed in the same way as the multi-architecture manifest lists.
+-->
+所有容器镜像都支持多种体系结构，容器运行时应根据下层平台选择正确的镜像。
+也可以通过给容器镜像名称加后缀来拉取特定体系结构的镜像，例如
+[`k8s.gcr.io/kube-apiserver-arm64:{{< param "fullversion" >}}`][0-arm64]。
+所有这些派生镜像都以与多架构清单列表相同的方式签名。
+
+<!-- 
+The Kubernetes project publishes a list of signed Kubernetes container images
+in SBoM (Software Bill of Materials) format.
+You can fetch that list using:
+-->
+Kubernetes 项目以 SBoM（软件物料清单）格式发布已签名的 Kubernetes 容器镜像列表。
+你可以使用以下方法获取该列表：
+
+```shell
+curl -Ls "https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release"  | awk '/PackageName: k8s.gcr.io\// {print $2}'
+```
+<!-- 
+For Kubernetes v{{< skew currentVersion >}}, the only kind of code artifact that
+you can verify integrity for is a container image, using the experimental
+signing support.
+
+To manually verify signed container images of Kubernetes core components, refer to
+[Verify Signed Container Images](/docs/tasks/administer-cluster/verify-signed-images).
+-->
+对于 Kubernetes v{{< skew currentVersion >}}，唯一可以验证完整性的代码工件就是容器镜像，它使用实验性签名支持。
+
+如需手动验证 Kubernetes 核心组件的签名容器镜像，请参考[验证签名容器镜像](/zh-cn/docs/tasks/administer-cluster/verify-signed-images)。
+
+<!-- 
+## Binaries
+
+Find links to download Kubernetes components (and their checksums) in the [CHANGELOG](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG) files.
+
+Alternately, use [downloadkubernetes.com](https://www.downloadkubernetes.com/) to filter by version and architecture.
+-->
+## 二进制
+
+在 [CHANGELOG](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG) 文件中找到下载 Kubernetes 组件（及其校验和）的链接。
+
+或者，使用 [downloadkubernetes.com](https://www.downloadkubernetes.com/) 按版本和架构进行过滤。
+
+### kubectl
+
+<!-- overview -->
+
+<!-- 
+The Kubernetes command-line tool, [kubectl](/docs/reference/kubectl/kubectl/), allows
+you to run commands against Kubernetes clusters.
+
+You can use kubectl to deploy applications, inspect and manage cluster resources,
+and view logs. For more information including a complete list of kubectl operations, see the
+[`kubectl` reference documentation](/docs/reference/kubectl/).
+-->
+Kubernetes 命令行工具 [kubectl](/zh-cn/docs/reference/kubectl/kubectl/) 允许你对 Kubernetes 集群执行命令。
+
+你可以使用 kubectl 部署应用程序、检查和管理集群资源以及查看日志。
+有关更多信息，包括 kubectl 操作的完整列表，请参阅
+[`kubectl` 参考文档](/zh-cn/docs/reference/kubectl/)。
+
+<!-- 
+kubectl is installable on a variety of Linux platforms, macOS and Windows.
+Find your preferred operating system below.
+
+- [Install kubectl on Linux](/docs/tasks/tools/install-kubectl-linux)
+- [Install kubectl on macOS](/docs/tasks/tools/install-kubectl-macos)
+- [Install kubectl on Windows](/docs/tasks/tools/install-kubectl-windows)
+-->
+kubectl 可安装在各种 Linux 平台、macOS 和 Windows 上。
+在下方找到你首选的操作系统。
+
+- [在 Linux 上安装 kubectl](/zh-cn/docs/tasks/tools/install-kubectl-linux)
+- [在 macOS 上安装 kubectl](/zh-cn/docs/tasks/tools/install-kubectl-macos)
+- [在 Windows 上安装 kubectl](/zh-cn/docs/tasks/tools/install-kubectl-windows)
diff --git a/content/zh-cn/releases/notes.md b/content/zh-cn/releases/notes.md
new file mode 100644
index 0000000000000..ecf9869ae14a4
--- /dev/null
+++ b/content/zh-cn/releases/notes.md
@@ -0,0 +1,34 @@
+---
+linktitle: 发行版本说明
+title: 说明
+type: docs
+description: >
+  Kubernetes 发行版本说明。
+sitemap:
+  priority: 0.5
+---
+<!--
+linktitle: Release Notes
+title: Notes
+type: docs
+description: >
+  Kubernetes release notes.
+sitemap:
+  priority: 0.5
+-->
+
+<!-- 
+Release notes can be found by reading the [Changelog](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG) that matches your Kubernetes version. View the changelog for {{< skew currentVersionAddMinor 0 >}} on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-{{< skew currentVersionAddMinor 0 >}}.md).
+
+Alternately, release notes can be searched and filtered online at: [relnotes.k8s.io](https://relnotes.k8s.io). View filtered release notes for {{< skew currentVersionAddMinor 0 >}} on [relnotes.k8s.io](https://relnotes.k8s.io/?releaseVersions={{< skew currentVersionAddMinor 0 >}}.0).
+-->
+
+可以通过阅读与你的 Kubernetes 版本对应的
+[Changelog](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG)
+找到发行版本说明。
+在 [GitHub](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-{{< skew currentVersionAddMinor 0 >}}.md)
+上查看 {{< skew currentVersionAddMinor 0 >}} 的变更日志。
+
+或者，可以在以下位置在线搜索和筛选发行版本说明：[relnotes.k8s.io](https://relnotes.k8s.io)。
+在 [relnotes.k8s.io](https://relnotes.k8s.io/?releaseVersions={{< skew currentVersionAddMinor 0 >}}.0)
+上查看 {{< skew currentVersionAddMinor 0 >}} 的筛选后的版本说明。
\ No newline at end of file
diff --git a/content/zh-cn/releases/patch-releases.md b/content/zh-cn/releases/patch-releases.md
new file mode 100644
index 0000000000000..df3b65dd2c54a
--- /dev/null
+++ b/content/zh-cn/releases/patch-releases.md
@@ -0,0 +1,312 @@
+---
+title: 补丁版本
+type: docs
+---
+<!-- 
+title: Patch Releases
+type: docs
+-->
+
+<!-- 
+Schedule and team contact information for Kubernetes patch releases.
+
+For general information about Kubernetes release cycle, see the
+[release process description].
+-->
+Kubernetes 补丁版本的发布时间表和团队联系信息。
+
+有关 Kubernetes 发布周期的常规信息，请参阅[发布流程说明]。
+
+<!-- 
+## Cadence
+
+Our typical patch release cadence is monthly. It is
+commonly a bit faster (1 to 2 weeks) for the earliest patch releases
+after a 1.X minor release. Critical bug fixes may cause a more
+immediate release outside of the normal cadence. We also aim to not make
+releases during major holiday periods.
+-->
+## 节奏 {#cadence}
+
+我们的补丁发布节奏通常是每月一次。
+在 1.X 次要版本之后，最早的补丁版本通常要快一些（提前 1 到 2 周）。
+严重错误修复可能会导致超出正常节奏而更快速的发布。
+我们尽量避免在主假期期间发布。
+
+<!-- 
+## Contact
+
+See the [Release Managers page][release-managers] for full contact details on the Patch Release Team.
+
+Please give us a business day to respond - we may be in a different timezone!
+
+In between releases the team is looking at incoming cherry pick requests on a weekly basis. The team will get in touch with submitters via GitHub PR, SIG channels in Slack, and direct messages
+in Slack and [email](mailto:release-managers-private@kubernetes.io) if there are questions on the PR.
+-->
+## 联系  {#contact}
+
+有关补丁发布团队的完整联系方式，请参阅[发布管理员页面][release-managers]。
+
+请给我们一个工作日回复，因为我们可能在不同的时区！
+
+在两次发布之间，团队每周都会查看收到的 cherry pick 请求。
+如果对 PR 有任何问题，团队将通过 GitHub PR、Slack 中的 SIG 频道以及 Slack 中的直接消息和
+[email](mailto:release-managers-private@kubernetes.io) 与提交者取得联系。
+
+<!-- 
+## Cherry picks
+
+Please follow the [cherry pick process][cherry-picks].
+
+Cherry picks must be merge-ready in GitHub with proper labels (e.g.,
+`approved`, `lgtm`, `release-note`) and passing CI tests ahead of the
+cherry pick deadline. This is typically two days before the target
+release, but may be more. Earlier PR readiness is better, as we
+need time to get CI signal after merging your cherry picks ahead
+of the actual release.
+
+Cherry pick PRs which miss merge criteria will be carried over and tracked
+for the next patch release.
+-->
+
+## Cherry Pick
+
+请遵循 [Cherry Pick 流程][cherry-picks]。
+
+Cherry Pick 必须在 GitHub 中准备好合并，带有适当的标签（例如 `approved`、`lgtm`、`release-note`），
+并在 Cherry Pick 截止日期之前通过 CI 测试。这通常是目标发布前两天，但可能更早。
+PR 越早准备好越好，因为在实际发布之前，合并了你的 Cherry Pick 后，我们需要时间来获取 CI 信号。
+
+不符合合并标准的 Cherry Pick PR 将被带入下一个补丁版本中跟踪。
+
+<!-- 
+## Support Period
+
+In accordance with the [yearly support KEP][yearly-support], the Kubernetes
+Community will support active patch release series for a period of roughly
+fourteen (14) months.
+
+The first twelve months of this timeframe will be considered the standard
+period.
+
+Towards the end of the twelve month, the following will happen:
+
+- [Release Managers][release-managers] will cut a release
+- The patch release series will enter maintenance mode
+-->
+## 支持周期  {#support-period}
+
+根据[年度 KEP][yearly-support]，Kubernetes 社区将在大约 14 个月的时间内支持活跃的补丁发布系列。
+
+此时间范围的前 12 个月将被视为标准周期。
+
+在 12 个月后，将发生以下事情：
+
+- [发布管理员][release-managers]将删除一个版本
+- 补丁发布系列将进入维护模式
+
+<!--
+During the two-month maintenance mode period, Release Managers may cut
+additional maintenance releases to resolve:
+
+- CVEs (under the advisement of the Security Response Committee)
+- dependency issues (including base image updates)
+- critical core component issues
+
+At the end of the two-month maintenance mode period, the patch release series
+will be considered EOL (end of life) and cherry picks to the associated branch
+are to be closed soon afterwards.
+
+Note that the 28th of the month was chosen for maintenance mode and EOL target
+dates for simplicity (every month has it).
+-->
+在两个月的维护模式期间，发布管理员可能会删减额外的维护版本以解决：
+
+- CVE（在安全响应委员会的建议下）
+- 依赖问题（包括基础镜像更新）
+- 关键核心组件问题
+
+在两个月的维护模式期结束时，补丁发布系列将被视为 EOL（生命周期结束），相关分支的 Cherry Pick 将很快关闭。
+
+请注意，为简单起见，选择每月 28 日作为维护模式和 EOL 目标日期（每个月都有）。
+
+<!-- 
+## Upcoming Monthly Releases
+
+Timelines may vary with the severity of bug fixes, but for easier planning we
+will target the following monthly release points. Unplanned, critical
+releases may also occur in between these.
+-->
+## 未来发布的月度版本  {#upcoming-monthly-releases}
+
+时间表可能会因错误修复的严重程度而有所不同，但为了便于规划，我们将针对以下每月发布点。
+计划外的关键版本也可能发生在这些版本之间。
+
+<!-- 
+| Monthly Patch Release | Cherry Pick Deadline | Target date |
+| --------------------- | -------------------- | ----------- |
+| May 2022              | 2022-05-20           | 2022-05-24  |
+| June 2022             | 2022-06-10           | 2022-06-15  |
+| July 2022             | 2022-07-08           | 2022-07-13  |
+| August 2022           | 2022-08-12           | 2022-08-16  |
+-->
+| 月度补丁发布   | Cherry Pick 截止日期 |   目标日期   |
+| ------------ | ------------------ | ----------- |
+| 2022 年 5 月  | 2022-05-20         | 2022-05-24  |
+| 2022 年 6 月  | 2022-06-10         | 2022-06-15  |
+| 2022 年 7 月  | 2022-07-08         | 2022-07-13  |
+| 2022 年 8 月  | 2022-08-12         | 2022-08-16  |
+
+<!-- 
+## Detailed Release History for Active Branches
+
+### 1.24
+
+Next patch release is **1.24.1**
+
+End of Life for **1.24** is **2023-09-29**
+
+| PATCH RELEASE | CHERRY PICK DEADLINE | TARGET DATE | NOTE |
+|---------------|----------------------|-------------|------|
+| 1.24.1        | 2022-05-20           | 2022-05-24  |      |
+-->
+## 活动分支的详细发布历史  {#detailed-release-history-for-active-branches}
+
+### 1.24
+
+下一个补丁版本是 **1.24.1**
+
+**1.24** 的生命周期结束时间为 **2023-09-29**
+
+| 补丁发布 | Cherry Pick 截止日期 |  目标日期   | 说明 |
+|--------|---------------------|------------|-----|
+| 1.24.1 | 2022-05-20          | 2022-05-24 |     |
+
+### 1.23
+
+<!-- 
+**1.23** enters maintenance mode on **2022-12-28**.
+
+End of Life for **1.23** is **2023-02-28**.
+-->
+**1.23** 于 **2022-12-28** 进入维护模式。
+
+**1.23** 的生命周期结束时间为 **2023-02-28**。
+
+<!--
+| PATCH RELEASE | CHERRY PICK DEADLINE | TARGET DATE | NOTE |
+
+[Out-of-Band Release](https://groups.google.com/a/kubernetes.io/g/dev/c/Xl1sm-CItaY)
+-->
+| 补丁发布       | Cherry Pick 截止日期   |  目标日期    | 说明  |
+|---------------|----------------------|-------------|------|
+| 1.23.7        | 2022-05-20           | 2022-05-24  |      |
+| 1.23.6        | 2022-04-08           | 2022-04-13  |      |
+| 1.23.5        | 2022-03-11           | 2022-03-16  |      |
+| 1.23.4        | 2022-02-11           | 2022-02-16  |      |
+| 1.23.3        | 2022-01-24           | 2022-01-25  | [带外发布](https://groups.google.com/a/kubernetes.io/g/dev/c/Xl1sm-CItaY) |
+| 1.23.2        | 2022-01-14           | 2022-01-19  |      |
+| 1.23.1        | 2021-12-14           | 2021-12-16  |      |
+
+### 1.22
+
+<!-- 
+**1.22** enters maintenance mode on **2022-08-28**
+
+End of Life for **1.22** is **2022-10-28**
+-->
+**1.22** 于 **2022-08-28** 进入维护模式
+
+**1.22** 的生命周期结束时间为 **2022-10-28**
+
+<!-- 
+| PATCH RELEASE | CHERRY PICK DEADLINE | TARGET DATE | NOTE |
+-->
+| 补丁发布       | Cherry Pick 截止日期   |  目标日期    | 说明  |
+|---------------|----------------------|-------------|------|
+| 1.22.10       | 2022-05-20           | 2022-05-24  |      |
+| 1.22.9        | 2022-04-08           | 2022-04-13  |      |
+| 1.22.8        | 2022-03-11           | 2022-03-16  |      |
+| 1.22.7        | 2022-02-11           | 2022-02-16  |      |
+| 1.22.6        | 2022-01-14           | 2022-01-19  |      |
+| 1.22.5        | 2021-12-10           | 2021-12-15  |      |
+| 1.22.4        | 2021-11-12           | 2021-11-17  |      |
+| 1.22.3        | 2021-10-22           | 2021-10-27  |      |
+| 1.22.2        | 2021-09-10           | 2021-09-15  |      |
+| 1.22.1        | 2021-08-16           | 2021-08-19  |      |
+
+### 1.21
+
+<!-- 
+**1.21** enters maintenance mode on **2022-04-28**
+
+End of Life for **1.21** is **2022-06-28**
+-->
+**1.21** 于 **2022-04-28** 进入维护模式
+
+**1.21** 的生命周期结束时间为 **2022-06-28**
+
+<!-- 
+| Patch Release | Cherry Pick Deadline | Target Date | Note |
+
+[Regression](https://groups.google.com/g/kubernetes-dev/c/KuF8s2zueFs)
+-->
+| 补丁发布       | Cherry Pick 截止日期   |  目标日期    | 说明  |
+| ------------- | -------------------- | ----------- | ---------------------------------------------------------------------- |
+| 1.21.13       | 2022-05-20           | 2022-05-24  |                                                                        |
+| 1.21.12       | 2022-04-08           | 2022-04-13  |                                                                        |
+| 1.21.11       | 2022-03-11           | 2022-03-16  |                                                                        |
+| 1.21.10       | 2022-02-11           | 2022-02-16  |                                                                        |
+| 1.21.9        | 2022-01-14           | 2022-01-19  |                                                                        |
+| 1.21.8        | 2021-12-10           | 2021-12-15  |                                                                        |
+| 1.21.7        | 2021-11-12           | 2021-11-17  |                                                                        |
+| 1.21.6        | 2021-10-22           | 2021-10-27  |                                                                        |
+| 1.21.5        | 2021-09-10           | 2021-09-15  |                                                                        |
+| 1.21.4        | 2021-08-07           | 2021-08-11  |                                                                        |
+| 1.21.3        | 2021-07-10           | 2021-07-14  |                                                                        |
+| 1.21.2        | 2021-06-12           | 2021-06-16  |                                                                        |
+| 1.21.1        | 2021-05-07           | 2021-05-12  | [版本回退](https://groups.google.com/g/kubernetes-dev/c/KuF8s2zueFs)    |
+
+<!-- 
+## Non-Active Branch History
+
+These releases are no longer supported.
+-->
+## 非活动分支历史  {#non-active-branch-history}
+
+不再支持这些版本。
+
+<!--
+| Minor Version | Final Patch Release | EOL Date   | Note                                                                   |
+
+Created to resolve regression introduced in 1.18.19
+
+[Regression](https://groups.google.com/g/kubernetes-dev/c/KuF8s2zueFs)
+-->
+| 次要版本       | 最终补丁发布版本       | EOL 日期    | 说明                                                                   |
+| ------------- | ------------------- | ---------- | ---------------------------------------------------------------------- |
+| 1.20          | 1.20.15             | 2022-02-28 |                                                                        |
+| 1.19          | 1.19.16             | 2021-10-28 |                                                                        |
+| 1.18          | 1.18.20             | 2021-06-18 | 创建用于解决 1.18.19 版本引入的回退                                        |
+| 1.18          | 1.18.19             | 2021-05-12 | [版本回退](https://groups.google.com/g/kubernetes-dev/c/KuF8s2zueFs)    |
+| 1.17          | 1.17.17             | 2021-01-13 |                                                                        |
+| 1.16          | 1.16.15             | 2020-09-02 |                                                                        |
+| 1.15          | 1.15.12             | 2020-05-06 |                                                                        |
+| 1.14          | 1.14.10             | 2019-12-11 |                                                                        |
+| 1.13          | 1.13.12             | 2019-10-15 |                                                                        |
+| 1.12          | 1.12.10             | 2019-07-08 |                                                                        |
+| 1.11          | 1.11.10             | 2019-05-01 |                                                                        |
+| 1.10          | 1.10.13             | 2019-02-13 |                                                                        |
+| 1.9           | 1.9.11              | 2018-09-29 |                                                                        |
+| 1.8           | 1.8.15              | 2018-07-12 |                                                                        |
+| 1.7           | 1.7.16              | 2018-04-04 |                                                                        |
+| 1.6           | 1.6.13              | 2017-11-23 |                                                                        |
+| 1.5           | 1.5.8               | 2017-10-01 |                                                                        |
+| 1.4           | 1.4.12              | 2017-04-21 |                                                                        |
+| 1.3           | 1.3.10              | 2016-11-01 |                                                                        |
+| 1.2           | 1.2.7               | 2016-10-23 |                                                                        |
+
+[cherry-picks]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/cherry-picks.md
+[release-managers]: /releases/release-managers
+[发布流程说明]: /releases/release
+[yearly-support]: https://git.k8s.io/enhancements/keps/sig-release/1498-kubernetes-yearly-support-period/README.md
diff --git a/content/zh-cn/releases/release-cycle.jpg b/content/zh-cn/releases/release-cycle.jpg
new file mode 100644
index 0000000000000..8519fca6bd82d
Binary files /dev/null and b/content/zh-cn/releases/release-cycle.jpg differ
diff --git a/content/zh-cn/releases/release-lifecycle.jpg b/content/zh-cn/releases/release-lifecycle.jpg
new file mode 100644
index 0000000000000..ac30788ba322a
Binary files /dev/null and b/content/zh-cn/releases/release-lifecycle.jpg differ
diff --git a/content/zh-cn/releases/release-managers.md b/content/zh-cn/releases/release-managers.md
new file mode 100644
index 0000000000000..3d535c555a57b
--- /dev/null
+++ b/content/zh-cn/releases/release-managers.md
@@ -0,0 +1,378 @@
+---
+title: 发布管理员
+type: docs
+---
+<!-- 
+title: Release Managers
+type: docs
+-->
+
+<!-- 
+"Release Managers" is an umbrella term that encompasses the set of Kubernetes
+contributors responsible for maintaining release branches, tagging releases,
+and building/packaging Kubernetes.
+
+The responsibilities of each role are described below.
+-->
+“发布管理员（Release Managers）”是一个总称，包括一批负责维护发布分支、标记发行版本以及构建/打包
+Kubernetes 的 Kubernetes 贡献者。
+
+每个角色的职责如下所述。
+
+<!-- 
+- [Contact](#contact)
+  - [Security Embargo Policy](#security-embargo-policy)
+- [Handbooks](#handbooks)
+- [Release Managers](#release-managers)
+  - [Becoming a Release Manager](#becoming-a-release-manager)
+- [Release Manager Associates](#release-manager-associates)
+  - [Becoming a Release Manager Associate](#becoming-a-release-manager-associate)
+- [Build Admins](#build-admins)
+- [SIG Release Leads](#sig-release-leads)
+  - [Chairs](#chairs)
+  - [Technical Leads](#technical-leads)
+-->
+- [联系方式](#contact)
+   - [安全禁运政策](#security-embargo-policy)
+- [手册](#handbooks)
+- [发布管理员](#release-managers)
+   - [成为发布管理员](#becoming-a-release-manager)
+- [发布管理员助理](#release-manager-associates)
+   - [成为发布管理员助理](#becoming-a-release-manager-associate)
+- [构建管理员](#build-admins)
+- [SIG 发布负责人](#sig-release-leads)
+   - [首席](#chairs)
+   - [技术负责人](#technical-leads)
+
+<!-- 
+## Contact
+
+| Mailing List | Slack | Visibility | Usage | Membership |
+| --- | --- | --- | --- | --- |
+| [release-managers@kubernetes.io](mailto:release-managers@kubernetes.io) | [#release-management](https://kubernetes.slack.com/messages/CJH2GBF7Y) (channel) / @release-managers (user group) | Public | Public discussion for Release Managers | All Release Managers (including Associates, Build Admins, and SIG Chairs) |
+| [release-managers-private@kubernetes.io](mailto:release-managers-private@kubernetes.io) | N/A | Private | Private discussion for privileged Release Managers | Release Managers, SIG Release leadership |
+| [security-release-team@kubernetes.io](mailto:security-release-team@kubernetes.io) | [#security-release-team](https://kubernetes.slack.com/archives/G0162T1RYHG) (channel) / @security-rel-team (user group) | Private | Security release coordination with the Security Response Committee | [security-discuss-private@kubernetes.io](mailto:security-discuss-private@kubernetes.io), [release-managers-private@kubernetes.io](mailto:release-managers-private@kubernetes.io) |
+-->
+## 联系方式  {#contact}
+
+| 邮件列表 | Slack | 可见 | 用法 | 会员资格 |
+| --- | --- | --- | --- | --- |
+| [release-managers@kubernetes.io](mailto:release-managers@kubernetes.io) | [#release-management](https://kubernetes.slack.com/messages/CJH2GBF7Y)（频道）/@release-managers（用户组）| 公共 | 发布管理员的公开讨论 | 所有发布管理员（包括助理、构建管理员和 SIG 主席）|
+| [release-managers-private@kubernetes.io](mailto:release-managers-private@kubernetes.io) | 不适用 | 私人 | 拥有特权的发布管理员私人讨论 | 发布管理员，SIG Release 负责人 |
+| [security-release-team@kubernetes.io](mailto:security-release-team@kubernetes.io) | [#security-release-team](https://kubernetes.slack.com/archives/G0162T1RYHG)（频道）/@security-rel-team（用户组）| 私人 | 与安全响应委员会协调的安全发布 | [security-discuss-private@kubernetes.io](mailto:security-discuss-private@kubernetes.io), [release-managers-private@kubernetes.io](mailto:release-managers-private@kubernetes.io) |
+
+<!-- 
+### Security Embargo Policy
+
+Some information about releases is subject to embargo and we have defined policy about how those embargoes are set. Please refer to the [Security Embargo Policy](https://github.com/kubernetes/committee-security-response/blob/main/private-distributors-list.md#embargo-policy) for more information.
+-->
+### 安全禁运政策  {#security-embargo-policy}
+
+发布的相关信息受到禁运，我们已经定义了有关如何设置这些禁运的政策。
+更多信息请参考[安全禁运政策](https://github.com/kubernetes/committee-security-response/blob/main/private-distributors-list.md#embargo-policy)。
+
+<!-- 
+## Handbooks
+
+**NOTE: The Patch Release Team and Branch Manager handbooks will be de-duplicated at a later date.**
+
+- [Patch Release Team][handbook-patch-release]
+- [Branch Managers][handbook-branch-mgmt]
+- [Build Admins][handbook-packaging]
+-->
+## 手册  {#handbooks}
+
+**注意：补丁发布团队和分支管理员手册以后将会删除重复数据。**
+
+- [补丁发布团队][handbook-patch-release]
+- [分支管理员][handbook-branch-mgmt]
+- [构建管理员][handbook-packaging]
+
+<!-- 
+## Release Managers
+
+**Note:** The documentation might refer to the Patch Release Team and the
+Branch Management role. Those two roles were consolidated into the
+Release Managers role.
+
+Minimum requirements for Release Managers and Release Manager Associates are:
+
+- Familiarity with basic Unix commands and able to debug shell scripts.
+- Familiarity with branched source code workflows via `git` and associated
+  `git` command line invocations.
+- General knowledge of Google Cloud (Cloud Build and Cloud Storage).
+- Open to seeking help and communicating clearly.
+- Kubernetes Community [membership][community-membership]
+-->
+## 发布管理员  {#release-managers}
+
+**注意：** 文档可能涉及补丁发布团队和分支管理角色。这两个角色被合并到发布管理员角色中。
+
+发布管理员和发布管理员助理的最低要求是：
+
+- 熟悉基本的 Unix 命令并能够调试 shell 脚本。
+- 熟悉通过 `git` 和 `git` 相关的命令行触发的分支源代码工作流。
+- 谷歌云的常识（云构建和云存储）。
+- 乐于寻求帮助和清晰地沟通。
+- Kubernetes 社区 [会员资格][community-membership]
+
+<!-- 
+Release Managers are responsible for:
+
+- Coordinating and cutting Kubernetes releases:
+  - Patch releases (`x.y.z`, where `z` > 0)
+  - Minor releases (`x.y.z`, where `z` = 0)
+  - Pre-releases (alpha, beta, and release candidates)
+  - Working with the [Release Team][release-team] through each
+  release cycle
+  - Setting the [schedule and cadence for patch releases][patches]
+- Maintaining the release branches:
+  - Reviewing cherry picks
+  - Ensuring the release branch stays healthy and that no unintended patch
+    gets merged
+- Mentoring the [Release Manager Associates](#associates) group
+- Actively developing features and maintaining the code in k/release
+- Supporting Release Manager Associates and contributors through actively
+  participating in the Buddy program
+  - Check in monthly with Associates and delegate tasks, empower them to cut
+    releases, and mentor
+  - Being available to support Associates in onboarding new contributors e.g.,
+    answering questions and suggesting appropriate work for them to do
+-->
+发布管理员负责：
+
+- 协调和确定 Kubernetes 发行版本：
+  - 补丁发布（`x.y.z`，其中 `z` > 0）
+  - 次要版本（`x.y.z`，其中 `z` = 0）
+  - 预发布（alpha、beta 和候选发布）
+  - 通过每个发布周期与[发布小组][release-team]合作
+  - 设置[补丁发布的时间表和节奏][patches]
+- 维护发布分支：
+  - 审查 Cherry Pick
+  - 确保发布分支保持健康并且没有合并意外的补丁
+- 指导[发布管理员助理](#associates)小组
+- 积极开发功能并维护 k/release 中的代码
+- 通过积极参与 Buddy 计划来支持发布管理员助理和贡献者
+  - 每月与助理核对并委派任务，授权他们生成发行版本并指导工作
+  - 支持助理小组加入新的贡献者，例如回答问题并建议他们做适当的工作
+
+<!-- 
+This team at times works in close conjunction with the
+[Security Response Committee][src] and therefore should abide by the guidelines
+set forth in the [Security Release Process][security-release-process].
+
+GitHub Access Controls: [@kubernetes/release-managers](https://github.com/orgs/kubernetes/teams/release-managers)
+
+GitHub Mentions: [@kubernetes/release-engineering](https://github.com/orgs/kubernetes/teams/release-engineering)
+-->
+该团队有时与[安全响应委员会][src]密切合作，因此应遵守[安全发布流程][security-release-process]中规定的指导方针。
+
+GitHub 访问控制：[@kubernetes/release-managers](https://github.com/orgs/kubernetes/teams/release-managers)
+
+GitHub 提及：[@kubernetes/release-engineering](https://github.com/orgs/kubernetes/teams/release-engineering)
+
+- Adolfo García Veytia ([@puerco](https://github.com/puerco))
+- Carlos Panato ([@cpanato](https://github.com/cpanato))
+- Marko Mudrinić ([@xmudrii](https://github.com/xmudrii))
+- Nabarun Pal ([@palnabarun](https://github.com/palnabarun))
+- Sascha Grunert ([@saschagrunert](https://github.com/saschagrunert))
+- Stephen Augustus ([@justaugustus](https://github.com/justaugustus))
+- Verónica López ([@verolop](https://github.com/verolop))
+
+<!--
+### Becoming a Release Manager
+
+To become a Release Manager, one must first serve as a Release Manager
+Associate. Associates graduate to Release Manager by actively working on
+releases over several cycles and:
+
+- demonstrating the willingness to lead
+- tag-teaming with Release Managers on patches, to eventually cut a release
+  independently
+  - because releases have a limiting function, we also consider substantial
+    contributions to image promotion and other core Release Engineering tasks
+- questioning how Associates work, suggesting improvements, gathering feedback,
+  and driving change
+- being reliable and responsive
+- leaning into advanced work that requires Release Manager-level access and
+  privileges to complete
+-->
+### 成为发布管理员  {#becoming-a-release-manager}
+
+要成为发布管理员，首先必须担任发布管理员助理。助理通过在多个周期内积极处理发布，从而毕业成为发布管理员，并且：
+
+- 表现出带头的意愿
+- 与发布管理员合作，为补丁打标记，最终独立制作发行版本
+   - 因为发布具有限制功能，我们还考虑对镜像推广和其他核心发布工程任务的实质性贡献
+- 质疑助理的工作方式、提出改进建议、收集反馈并推动变革
+- 可靠且反应迅速
+- 专注于需要发布管理员级别访问和权限才能完成的高级工作
+
+<!-- 
+## Release Manager Associates
+
+Release Manager Associates are apprentices to the Release Managers, formerly
+referred to as Release Manager shadows. They are responsible for:
+
+- Patch release work, cherry pick review
+- Contributing to k/release: updating dependencies and getting used to the
+  source codebase
+- Contributing to the documentation: maintaining the handbooks, ensuring that
+  release processes are documented
+- With help from a release manager: working with the Release Team during the
+  release cycle and cutting Kubernetes releases
+- Seeking opportunities to help with prioritization and communication
+  - Sending out pre-announcements and updates about patch releases
+  - Updating the calendar, helping with the release dates and milestones from
+    the [release cycle timeline][k-sig-release-releases]
+- Through the Buddy program, onboarding new contributors and pairing up with
+  them on tasks
+
+GitHub Mentions: @kubernetes/release-engineering
+-->
+## 发布管理员助理  {#release-manager-associates}
+
+发布管理员助理是发布管理员的学徒，以前称为发布管理员影子。他们负责：
+
+- 补丁发布工作，Cherry Pick 审查
+- 为 k/release 做贡献：更新依赖并习惯源代码库
+- 为文档做贡献：维护手册，确保发布过程记录在案
+- 在发布管理员的帮助下：在发布周期中与发布团队合作并减少 Kubernetes 发型版本
+- 寻求机会帮助确定优先级和沟通
+   - 发送有关补丁发布的预告和更新
+   - 更新日历，帮助确定[发布周期时间线][k-sig-release-releases]中的发布日期和里程碑
+- 通过 Buddy 计划，加入新的贡献者并与他们合作完成任务
+
+GitHub 提及：@kubernetes/release-engineering
+
+- Arnaud Meukam ([@ameukam](https://github.com/ameukam))
+- Jim Angel ([@jimangel](https://github.com/jimangel))
+- Joyce Kung ([@thejoycekung](https://github.com/thejoycekung))
+- Max Körbächer ([@mkorbi](https://github.com/mkorbi))
+- Seth McCombs ([@sethmccombs](https://github.com/sethmccombs))
+- Taylor Dolezal ([@onlydole](https://github.com/onlydole))
+- Wilson Husin ([@wilsonehusin](https://github.com/wilsonehusin))
+
+<!-- 
+### Becoming a Release Manager Associate
+
+Contributors can become Associates by demonstrating the following:
+
+- consistent participation, including 6-12 months of active release
+  engineering-related work
+- experience fulfilling a technical lead role on the Release Team during a
+  release cycle
+  - this experience provides a solid baseline for understanding how SIG Release
+    works overall—including our expectations regarding technical skills,
+    communications/responsiveness, and reliability
+- working on k/release items that improve our interactions with Testgrid,
+  cleaning up libraries, etc.
+  - these efforts require interacting and pairing with Release Managers and
+    Associates
+-->
+### 成为发布管理员助理  {#becoming-a-release-manager-associate}
+
+贡献者可以通过展示以下内容成为助理：
+
+- 持续参与，包括 6-12 个月的发布工程相关的积极工作
+- 在发布周期内担任发布团队的技术负责人角色的经验
+   - 这种经验为理解 SIG Release 如何整体运作提供了坚实的基础——包括我们对技术技能、沟通、响应能力和可靠性的期望
+- 致力于改进我们与 Testgrid 交互的 k/release 项目，清理仓库等。
+   - 这些工作需要与发布管理员和助理进行互动和合作
+
+<!-- 
+## Build Admins
+
+Build Admins are (currently) Google employees with the requisite access to
+Google build systems/tooling to publish deb/rpm packages on behalf of the
+Kubernetes project. They are responsible for:
+
+- Building, signing, and publishing the deb/rpm packages
+- Being the interlock with Release Managers (and Associates) on the final steps
+of each minor (1.Y) and patch (1.Y.Z) release
+
+GitHub team: [@kubernetes/build-admins](https://github.com/orgs/kubernetes/teams/build-admins)
+-->
+## 构建管理员  {#build-admins}
+
+构建管理员（目前）是谷歌员工，他们拥有对谷歌构建系统/工具的必要访问权限，可以代表 Kubernetes 项目发布 deb/rpm 包。他们负责：
+
+- 构建、签名和发布 deb/rpm 包
+- 在每个次要 (1.Y) 和补丁 (1.Y.Z) 版本的最后步骤中与发布管理员（和助理）互锁
+
+GitHub 团队：[@kubernetes/build-admins](https://github.com/orgs/kubernetes/teams/build-admins)
+
+- Aaron Crickenberger ([@spiffxp](https://github.com/spiffxp))
+- Benjamin Elder ([@BenTheElder](https://github.com/BenTheElder))
+- Grant McCloskey ([@MushuEE](https://github.com/MushuEE))
+- Juan Escobar ([@juanfescobar](https://github.com/juanfescobar))
+
+<!-- 
+## SIG Release Leads
+
+SIG Release Chairs and Technical Leads are responsible for:
+
+- The governance of SIG Release
+- Leading knowledge exchange sessions for Release Managers and Associates
+- Coaching on leadership and prioritization
+
+They are mentioned explicitly here as they are owners of the various
+communications channels and permissions groups (GitHub teams, GCP access) for
+each role. As such, they are highly privileged community members and privy to
+some private communications, which can at times relate to Kubernetes security
+disclosures.
+
+GitHub team: [@kubernetes/sig-release-leads](https://github.com/orgs/kubernetes/teams/sig-release-leads)
+-->
+## SIG Release 负责人  {#sig-release-leads}
+
+SIG Release 主席和技术负责人负责：
+
+- SIG Release 的治理
+- 领导发布管理员和助理的知识交流会议
+- 传授领导力和优先排序方法
+
+此处明确提及他们，因为他们是每个角色的各种沟通渠道和权限组（GitHub 团队、GCP 访问）的所有者。
+因此，他们是享有很高特权的社区成员，并参与了一些私人沟通，这些沟通有时可能与 Kubernetes 安全披露有关。
+
+GitHub 团队：[@kubernetes/sig-release-leads](https://github.com/orgs/kubernetes/teams/sig-release-leads)
+
+<!-- 
+### Chairs
+-->
+### 主席  {#chairs}
+
+- Sascha Grunert ([@saschagrunert](https://github.com/saschagrunert))
+- Stephen Augustus ([@justaugustus](https://github.com/justaugustus))
+
+<!-- 
+### Technical Leads
+-->
+### 技术负责人  {#technical-leads}
+
+- Adolfo García Veytia ([@puerco](https://github.com/puerco))
+- Carlos Panato ([@cpanato](https://github.com/cpanato))
+- Jeremy Rickard ([@jeremyrickard](https://github.com/jeremyrickard))
+
+---
+
+<!-- 
+Past Branch Managers, can be found in the [releases directory][k-sig-release-releases]
+of the kubernetes/sig-release repository within `release-x.y/release_team.md`.
+
+Example: [1.15 Release Team](https://git.k8s.io/sig-release/releases/release-1.15/release_team.md)
+-->
+过去的分支管理员，可以在 `release-x.y/release_team.md`
+中 kubernetes/sig-release 仓库的[发布目录][k-sig-release-releases]中找到。
+
+例如：[1.15 发布团队](https://git.k8s.io/sig-release/releases/release-1.15/release_team.md)
+
+[community-membership]: https://git.k8s.io/community/community-membership.md#member
+[handbook-branch-mgmt]: https://git.k8s.io/sig-release/release-engineering/role-handbooks/branch-manager.md
+[handbook-packaging]: https://git.k8s.io/sig-release/release-engineering/packaging.md
+[handbook-patch-release]: https://git.k8s.io/sig-release/release-engineering/role-handbooks/patch-release-team.md
+[k-sig-release-releases]: https://git.k8s.io/sig-release/releases
+[patches]: /patch-releases.md
+[src]: https://git.k8s.io/community/committee-security-response/README.md
+[release-team]: https://git.k8s.io/sig-release/release-team/README.md
+[security-release-process]: https://git.k8s.io/security/security-release-process.md
diff --git a/content/zh-cn/releases/release.md b/content/zh-cn/releases/release.md
new file mode 100644
index 0000000000000..a36d310d34d9c
--- /dev/null
+++ b/content/zh-cn/releases/release.md
@@ -0,0 +1,660 @@
+---
+title: Kubernetes 发布周期
+type: docs
+---
+<!-- 
+title: Kubernetes Release Cycle
+type: docs
+auto_generated: true
+-->
+
+<!-- THIS CONTENT IS AUTO-GENERATED via ./scripts/releng/update-release-info.sh in k/website -->
+
+{{< warning >}}
+<!-- 
+This content is auto-generated and links may not function. The source of the document is located [here](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/release.md).
+-->
+此内容原文是自动生成的，链接可能无法正常访问。
+文档的来源在[这里](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/release.md)。
+{{< /warning >}}
+
+<!-- 
+# Targeting enhancements, Issues and PRs to Release Milestones
+
+This document is focused on Kubernetes developers and contributors who need to
+create an enhancement, issue, or pull request which targets a specific release
+milestone.
+-->
+# 针对发布里程碑的特性增强、Issue 和 PR  {#targeting-enhancements-issues-and-prs-to-release-milestones}
+
+本文档重点是面向于那些需要创建针对特定发布里程碑的特性增强、问题或拉取请求的 Kubernetes 开发人员和贡献者。
+
+<!-- 
+- [TL;DR](#tldr)
+  - [Normal Dev (Weeks 1-11)](#normal-dev-weeks-1-11)
+  - [Code Freeze (Weeks 12-14)](#code-freeze-weeks-12-14)
+  - [Post-Release (Weeks 14+)](#post-release-weeks-14+)
+- [Definitions](#definitions)
+- [The Release Cycle](#the-release-cycle)
+- [Removal Of Items From The Milestone](#removal-of-items-from-the-milestone)
+- [Adding An Item To The Milestone](#adding-an-item-to-the-milestone)
+  - [Milestone Maintainers](#milestone-maintainers)
+  - [Feature additions](#feature-additions)
+  - [Issue additions](#issue-additions)
+  - [PR Additions](#pr-additions)
+- [Other Required Labels](#other-required-labels)
+  - [SIG Owner Label](#sig-owner-label)
+  - [Priority Label](#priority-label)
+  - [Issue/PR Kind Label](#issuepr-kind-label)
+-->
+- [TL;DR](#tldr)
+   - [正常开发（第 1-11周）](#normal-dev-weeks-1-11)
+   - [代码冻结（第 12-14 周）](#code-freeze-weeks-12-14)
+   - [发布后（第 14 周以上）](#post-release-weeks-14)
+- [定义](#definitions)
+- [发布周期](#the-release-cycle)
+- [从里程碑中删除项目](#removal-of-items-from-the-milestone)
+- [向里程碑添加项目](#adding-an-item-to-the-milestone)
+   - [里程碑维护者](#milestone-maintainers)
+   - [新增特性](#feature-additions)
+   - [问题补充](#issue-additions)
+   - [新增 PR](#pr-additions)
+- [其他必需标签](#other-required-labels)
+   - [SIG 所有者标签](#sig-owner-label)
+   - [优先级标签](#priority-label)
+   - [Issue/PR 分类标签](#issuepr-kind-label)
+
+<!-- 
+The process for shepherding enhancements, issues, and pull requests into a
+Kubernetes release spans multiple stakeholders:
+
+- the enhancement, issue, and pull request owner(s)
+- SIG leadership
+- the [Release Team][release-team]
+
+Information on workflows and interactions are described below.
+-->
+将特性增强、问题和拉取请求引入 Kubernetes 版本的过程涉及多个利益相关者：
+
+- 特性增强、问题和拉取请求的所有者
+- SIG 负责人
+- [发布团队][release-team]
+
+关于工作流程和交互的信息如下所述。
+
+<!-- 
+As the owner of an enhancement, issue, or pull request (PR), it is your
+responsibility to ensure release milestone requirements are met. Automation and
+the Release Team will be in contact with you if updates are required, but
+inaction can result in your work being removed from the milestone. Additional
+requirements exist when the target milestone is a prior release (see
+[cherry pick process][cherry-picks] for more information).
+-->
+作为特性增强、问题或拉取请求 (PR) 的所有者，你有责任确保满足里程碑发布要求。
+如果需要更新，自动化和发布团队将与你联系，但无响应可能会导致你的工作从里程碑中删除。
+当目标里程碑是先前版本时，还存在其他要求（请参阅 [Cherry Pick 流程][cherry-picks]了解更多信息）。
+
+## TL;DR
+
+<!-- 
+If you want your PR to get merged, it needs the following required labels and
+milestones, represented here by the Prow /commands it would take to add them:
+-->
+如果你希望你的 PR 被合并，它需要以下必备的标签和里程碑，它们由 Prow /commands 所添加表示：
+
+<!-- 
+### Normal Dev (Weeks 1-8)
+-->
+### 正常开发（第 1-11 周）  {#normal-dev-weeks-1-11}
+
+- /sig {name}
+- /kind {type}
+- /lgtm
+- /approved
+
+<!-- 
+### [Code Freeze][code-freeze] (Weeks 12-14)
+-->
+### [代码冻结][code-freeze]（第 12-14 周）  {#code-freeze-code-freeze-weeks-12-14}
+
+- /milestone {v1.y}
+- /sig {name}
+- /kind {bug, failing-test}
+- /lgtm
+- /approved
+
+<!-- 
+### Post-Release (Weeks 14+)
+-->
+### 发布后（第 14 周以上）  {#post-release-weeks-14}
+
+<!-- 
+Return to 'Normal Dev' phase requirements:
+-->
+回到“正常开发”阶段要求：
+
+- /sig {name}
+- /kind {type}
+- /lgtm
+- /approved
+
+<!-- 
+Merges into the 1.y branch are now [via cherry picks][cherry-picks], approved
+by [Release Managers][release-managers].
+
+In the past, there was a requirement for a milestone-targeted pull requests to
+have an associated GitHub issue opened, but this is no longer the case.
+Features or enhancements are effectively GitHub issues or [KEPs][keps] which
+lead to subsequent PRs.
+
+The general labeling process should be consistent across artifact types.
+-->
+合并到 1.y 分支现在是[通过 Cherry Pick][cherry-picks]，由[发布管理员][release-managers]批准。
+
+过去，针对里程碑的拉取请求需要打开相关的 GitHub 问题，但现在情况不再如此。
+特性或特性增强实际上是 GitHub 问题或导致后续 PR 的 [KEPs][keps]。
+
+一般的打标签过程应该在不同工件类型之间保持一致。
+
+<!-- 
+## Definitions
+
+- *issue owners*: Creator, assignees, and user who moved the issue into a
+  release milestone
+
+- *Release Team*: Each Kubernetes release has a team doing project management
+  tasks described [here][release-team].
+
+  The contact info for the team associated with any given release can be found
+  [here](https://git.k8s.io/sig-release/releases/).
+
+- *Y days*: Refers to business days
+
+- *enhancement*: see "[Is My Thing an Enhancement?](https://git.k8s.io/enhancements/README.md#is-my-thing-an-enhancement)"
+-->
+## 定义  {#definitions}
+
+- **问题所有者**：将问题移至发布里程碑的创建者、委托人和用户
+
+- **发布小组**：每个 Kubernetes 版本都有一个团队来执行[这里][release-team]所描述的项目管理任务。
+
+  可以在[此处](https://git.k8s.io/sig-release/releases/)找到与任何给定版本相关联的团队的联系信息。
+
+- **Y 天**：指工作日
+
+- **增强**：参见“[我的改进是特性增强吗？](https://git.k8s.io/enhancements/README.md#is-my-thing-an-enhancement)”
+
+<!-- 
+- *[Enhancements Freeze][enhancements-freeze]*:
+  the deadline by which [KEPs][keps] have to be completed in order for
+  enhancements to be part of the current release
+
+- *[Exception Request][exceptions]*:
+  The process of requesting an extension on the deadline for a particular
+  Enhancement
+
+- *[Code Freeze][code-freeze]*:
+  The period of ~4 weeks before the final release date, during which only
+  critical bug fixes are merged into the release.
+
+- *[Pruning](https://git.k8s.io/sig-release/releases/release*phases.md#pruning)*:
+  The process of removing an Enhancement from a release milestone if it is not
+  fully implemented or is otherwise considered not stable.
+-->
+- **[特性增强冻结][enhancements-freeze]**：
+  为了使特性增强成为当前版本的一部分，必须在 [KEPs][keps] 的截止日期前完成
+
+- **[异常请求][exceptions]**：
+  请求延长特性增强的截止日期的过程
+
+- **[代码冻结][code-freeze]**：
+  最终发布日期前约 4 周的时间，在此期间，仅将关键错误修复合并到发布中。
+
+- **[修剪](https://git.k8s.io/sig-release/releases/release*phases.md#pruning)**：
+  如果特性增强未完全实现或被认为不稳定，则在此过程中从发布里程碑中删除它。
+
+<!-- 
+- *release milestone*: semantic version string or
+  [GitHub milestone](https://help.github.com/en/github/managing-your-work-on-github/associating-milestones-with-issues-and-pull-requests)
+  referring to a release MAJOR.MINOR `vX.Y` version.
+
+  See also
+  [release versioning](/contributors/design-proposals/release/versioning.md).
+
+- *release branch*: Git branch `release-X.Y` created for the `vX.Y` milestone.
+
+  Created at the time of the `vX.Y-rc.0` release and maintained after the
+  release for approximately 12 months with `vX.Y.Z` patch releases.
+
+  Note: releases 1.19 and newer receive 1 year of patch release support, and
+  releases 1.18 and earlier received 9 months of patch release support.
+-->
+- **发布里程碑**：语义版本字符串或
+  [GitHub 里程碑](https://help.github.com/en/github/managing-your-work-on-github/associating-milestones-with-issues-and-pull-requests)
+  指的是发布 主.次 `vX.Y` 版本。
+
+  另请参阅[发布版本控制](/contributors/design-proposals/release/versioning.md)。
+
+- **发布分支**：为 `vX.Y` 里程碑创建的 Git 分支 `release-X.Y`。
+
+  在 `vX.Y-rc.0` 发布时创建，并在发布后使用 `vX.Y.Z` 补丁版本，维护大约 12 个月。
+
+  注意：1.19 及更高版本获得 1 年的补丁版本支持，1.18 及更早版本获得 9 个月的补丁版本支持。
+
+<!-- 
+## The Release Cycle
+-->
+## 发布周期  {#the-release-cycle}
+
+![Image of one Kubernetes release cycle](release-cycle.jpg)
+
+<!-- 
+Kubernetes releases currently happen approximately three times per year.
+
+The release process can be thought of as having three main phases:
+
+- Enhancement Definition
+- Implementation
+- Stabilization
+-->
+Kubernetes 目前大约每年发布三次。
+
+发布过程可被认为具有三个主要阶段：
+
+- 特性增强定义
+- 实现
+- 稳定
+
+<!-- 
+But in reality, this is an open source and agile project, with feature planning
+and implementation happening at all times. Given the project scale and globally
+distributed developer base, it is critical to project velocity to not rely on a
+trailing stabilization phase and rather have continuous integration testing
+which ensures the project is always stable so that individual commits can be
+flagged as having broken something.
+-->
+但实际上，这是一个灵活的开源项目，功能规划和实施始终在进行。
+鉴于项目规模和全球分布的开发人员基础，对项目速度至关重要的是不依赖于后续的稳定阶段，
+而是进行持续集成测试，以确保项目始终稳定，以便可以将单个提交标记为有问题。
+
+<!-- 
+With ongoing feature definition through the year, some set of items will bubble
+up as targeting a given release. **[Enhancements Freeze][enhancements-freeze]**
+starts ~4 weeks into release cycle. By this point all intended feature work for
+the given release has been defined in suitable planning artifacts in
+conjunction with the Release Team's [Enhancements Lead](https://git.k8s.io/sig-release/release-team/role-handbooks/enhancements/README.md).
+-->
+随着全年功能定义的不断进行，某些项目将冒泡作为给定版本的目标。
+在发布周期约 4 周后开始 **[冻结特性增强][enhancements-freeze]**。
+至此，针对给定版本的所有预期功能工作都已与发布团队的
+[特性增强负责人](https://git.k8s.io/sig-release/release-team/role-handbooks/enhancements/README.md)
+一起在合适的规划工件中定义。
+
+
+<!-- 
+After Enhancements Freeze, tracking milestones on PRs and issues is important.
+Items within the milestone are used as a punchdown list to complete the
+release. *On issues*, milestones must be applied correctly, via triage by the
+SIG, so that [Release Team][release-team] can track bugs and enhancements (any
+enhancement-related issue needs a milestone).
+-->
+特性增强冻结后，跟踪 PR 和问题的里程碑很重要。里程碑中的项目作为完成发布的下达列表。
+**关于问题**，里程碑必须通过 SIG 的分类正确应用，
+以便[发布团队][release-team]可以跟踪错误和特性增强（任何与特性增强相关的问题都需要里程碑）。
+
+<!-- 
+There is some automation in place to help automatically assign milestones to
+PRs.
+
+This automation currently applies to the following repos:
+-->
+自动化可以自动将里程碑分配给 PR。
+
+此自动化当前适用于以下存储库：
+
+- `kubernetes/enhancements`
+- `kubernetes/kubernetes`
+- `kubernetes/release`
+- `kubernetes/sig-release`
+- `kubernetes/test-infra`
+
+<!--
+At creation time, PRs against the `master` branch need humans to hint at which
+milestone they might want the PR to target. Once merged, PRs against the
+`master` branch have milestones auto-applied so from that time onward human
+management of that PR's milestone is less necessary. On PRs against release
+branches, milestones are auto-applied when the PR is created so no human
+management of the milestone is ever necessary.
+-->
+在创建时，针对 `master` 分支的 PR 需要人工提示他们可能希望 PR 指向哪个里程碑。
+一旦合并，针对 `master` 分支的 PR 会自动应用里程碑，因此从那时起，不再需要人工管理该 PR 的里程碑。
+在指向发布分支的 PR 上，会在创建 PR 时自动应用里程碑，因此不需要对里程碑进行人工管理。
+
+<!-- 
+Any other effort that should be tracked by the Release Team that doesn't fall
+under that automation umbrella should be have a milestone applied.
+
+Implementation and bug fixing is ongoing across the cycle, but culminates in a
+code freeze period.
+
+**[Code Freeze][code-freeze]** starts in week ~12 and continues for ~2 weeks.
+Only critical bug fixes are accepted into the release codebase during this
+time.
+-->
+任何其他应该由发布团队跟踪的不属于该自动化保护伞的工作都应该应用一个里程碑。
+
+整个周期都在进行实施和错误修复，但最终会出现代码冻结期。
+
+**[代码冻结][code-freeze]** 大约从第 12 周开始，持续约 2 周。
+在此期间，只有关键的错误修复才会被接受到发布代码库中。
+
+<!-- 
+There are approximately two weeks following Code Freeze, and preceding release,
+during which all remaining critical issues must be resolved before release.
+This also gives time for documentation finalization.
+
+When the code base is sufficiently stable, the master branch re-opens for
+general development and work begins there for the next release milestone. Any
+remaining modifications for the current release are cherry picked from master
+back to the release branch. The release is built from the release branch.
+
+Each release is part of a broader Kubernetes lifecycle:
+-->
+在代码冻结之后和之前的发布之间大约有两周时间，在此期间，必须在发布版本前解决所有剩余的严重问题。
+这也为文档定稿提供了时间。
+
+当代码库足够稳定时，主分支将重新打开以进行一般开发，并从那里开始下一个发布里程碑的工作。
+当前版本的任何剩余修改都是从 master 挑选回发布分支。发布版本是从发布分支构建的。
+
+每个版本都是更广泛的 Kubernetes 生命周期的一部分：
+
+![Image of Kubernetes release lifecycle spanning three releases](release-lifecycle.jpg)
+
+<!-- 
+## Removal Of Items From The Milestone
+
+Before getting too far into the process for adding an item to the milestone,
+please note:
+
+Members of the [Release Team][release-team] may remove issues from the
+milestone if they or the responsible SIG determine that the issue is not
+actually blocking the release and is unlikely to be resolved in a timely
+fashion.
+
+Members of the Release Team may remove PRs from the milestone for any of the
+following, or similar, reasons:
+-->
+## 从里程碑中删除项目  {#removal-of-items-from-the-milestone}
+
+在深入了解将项目添加到里程碑的过程之前，请注意：
+
+如果[发布小组][release-team]的成员或负责的 SIG
+确定问题实际上并未阻止发布并且不太可能及时解决，则可以从里程碑中删除问题。
+
+发布团队的成员可以出于以下任何原因或类似原因从里程碑中删除 PR：
+
+<!-- 
+- PR is potentially de-stabilizing and is not needed to resolve a blocking
+  issue
+- PR is a new, late feature PR and has not gone through the enhancements
+  process or the [exception process][exceptions]
+- There is no responsible SIG willing to take ownership of the PR and resolve
+  any follow-up issues with it
+- PR is not correctly labelled
+- Work has visibly halted on the PR and delivery dates are uncertain or late
+-->
+- PR 可能会破坏稳定，并且不需要去解决阻塞问题
+- PR 是一个新的、较晚的特性 PR 并且没有经过增强过程或[异常过程][exceptions]
+- 没有负责任的 SIG 愿意接管 PR 并解决任何后续问题
+- PR 未正确标记
+- PR 工作明显停止，交付日期不确定或延迟
+
+<!-- 
+While members of the Release Team will help with labelling and contacting
+SIG(s), it is the responsibility of the submitter to categorize PRs, and to
+secure support from the relevant SIG to guarantee that any breakage caused by
+the PR will be rapidly resolved.
+
+Where additional action is required, an attempt at human to human escalation
+will be made by the Release Team through the following channels:
+-->
+虽然发布团队的成员将帮助标记和联系 SIG，但提交者有责任对 PR 进行分类，
+并获得相关 SIG 的支持，以保证由 PR 引起的任何破坏都会得到迅速解决。
+
+如果需要采取其他措施，发布团队将通过以下渠道尝试进行人与人之间的对话：
+
+<!-- 
+- Comment in GitHub mentioning the SIG team and SIG members as appropriate for
+  the issue type
+- Emailing the SIG mailing list
+  - bootstrapped with group email addresses from the
+    [community sig list][sig-list]
+  - optionally also directly addressing SIG leadership or other SIG members
+- Messaging the SIG's Slack channel
+  - bootstrapped with the slackchannel and SIG leadership from the
+    [community sig list][sig-list]
+  - optionally directly "@" mentioning SIG leadership or others by handle
+-->
+- 在 GitHub 中发表评论，根据问题类型提及 SIG 团队和 SIG 成员
+- 给 SIG 邮件列表发邮件
+   - 使用来自[社区 SIG 列表][sig-list]的群组电子邮件地址进行引导
+   - 也可选择直接与 SIG 负责人或 SIG 其他成员联系
+- 向 SIG 的 Slack 频道发送消息
+   - 在 Slack 频道 和 SIG 负责人的引导下
+     [社区签名列表][签名列表]
+   - 可选地直接 “@” 来提及 SIG 负责人或其他人
+
+<!-- 
+## Adding An Item To The Milestone
+
+### Milestone Maintainers
+
+The members of the [`milestone-maintainers`](https://github.com/orgs/kubernetes/teams/milestone-maintainers/members)
+GitHub team are entrusted with the responsibility of specifying the release
+milestone on GitHub artifacts.
+
+This group is [maintained](https://git.k8s.io/sig-release/release-team/README.md#milestone-maintainers)
+by SIG Release and has representation from the various SIGs' leadership.
+-->
+## 向里程碑添加项目  {#adding-an-item-to-the-milestone}
+
+### 里程碑维护者  {#milestone-maintainers}
+
+[`milestone-maintainers`](https://github.com/orgs/kubernetes/teams/milestone-maintainers/members)
+GitHub 团队的成员负责在 GitHub 工件上指定发布里程碑。
+
+该小组由 SIG Release
+[维护](https://git.k8s.io/sig-release/release-team/README.md#milestone-maintainers)，并有来自各个 SIG 负责人的代表。
+
+<!-- 
+### Feature additions
+
+Feature planning and definition takes many forms today, but a typical example
+might be a large piece of work described in a [KEP][keps], with associated task
+issues in GitHub. When the plan has reached an implementable state and work is
+underway, the enhancement or parts thereof are targeted for an upcoming milestone
+by creating GitHub issues and marking them with the Prow "/milestone" command.
+-->
+### 特性添加  {#feature-additions}
+
+如今，功能规划和定义有多种形式，但一个典型的例子可能是
+[KEP][keps] 中描述的大量工作，以及 GitHub 中的相关任务问题。
+当计划达到可实施状态并且工作正在进行中时，通过创建 GitHub 问题并使用
+Prow "/milestone" 命令对其进行标记，特性增强或其部分指向未来的里程碑。
+
+<!-- 
+For the first ~4 weeks into the release cycle, the Release Team's Enhancements
+Lead will interact with SIGs and feature owners via GitHub, Slack, and SIG
+meetings to capture all required planning artifacts.
+
+If you have an enhancement to target for an upcoming release milestone, begin a
+conversation with your SIG leadership and with that release's Enhancements
+Lead.
+-->
+在发布周期的前 4 周左右内，发布团队的特性增强负责人将通过
+GitHub、Slack 和 SIG 会议与 SIG 和特性所有者互动，以获取所有需要的计划工件。
+
+如果你有针对即将发布的里程碑的特性增强，请与你的 SIG 领导以及该版本的特性增强负责人开始对话。
+
+<!-- 
+### Issue additions
+
+Issues are marked as targeting a milestone via the Prow "/milestone" command.
+
+The Release Team's [Bug Triage Lead](https://git.k8s.io/sig-release/release-team/role-handbooks/bug-triage/README.md)
+and overall community watch incoming issues and triage them, as described in
+the contributor guide section on
+[issue triage](/contributors/guide/issue-triage.md).
+-->
+### 问题补充  {#issue-additions}
+
+通过 Prow “/milestone” 命令标记问题并指向里程碑。
+
+发布团队的[错误分类负责人](https://git.k8s.io/sig-release/release-team/role-handbooks/bug-triage/README.md)和整个社区观察新出现的问题并对其进行分类，
+在贡献者指南部分中描述[问题分类](/contributors/guide/issue-triage.md)。
+
+<!-- 
+Marking issues with the milestone provides the community better visibility
+regarding when an issue was observed and by when the community feels it must be
+resolved. During [Code Freeze][code-freeze], a milestone must be set to merge
+a PR.
+
+An open issue is no longer required for a PR, but open issues and associated
+PRs should have synchronized labels. For example a high priority bug issue
+might not have its associated PR merged if the PR is only marked as lower
+priority.
+-->
+用里程碑标记问题可以让社区更好地了解何时观察到问题以及社区认为何时必须解决问题。
+[代码冻结][code-freeze]期间，必须设置里程碑以合并 PR。
+
+一个 PR 不再需要一个已开启的问题，但已开启的问题和相关的 PR 应该有同步的标签。
+例如，如果 PR 仅标记为较低优先级，则高优先级错误问题可能不会合并其关联的 PR。
+
+<!-- 
+### PR Additions
+
+PRs are marked as targeting a milestone via the Prow "/milestone" command.
+
+This is a blocking requirement during Code Freeze as described above.
+-->
+### PR 补充  {#pr-additions}
+
+PR 通过 Prow “/milestone” 命令标记并指向里程碑。
+
+如上所述，这是代码冻结期间的阻塞要求。
+
+<!-- 
+## Other Required Labels
+
+[Here is the list of labels and their use and purpose.](https://git.k8s.io/test-infra/label*sync/labels.md#labels-that-apply-to-all-repos-for-both-issues-and-prs)
+-->
+## 其他必需的标签  {#other-required-labels}
+
+[这里是标签列表及其用途和目的](https://git.k8s.io/test-infra/label*sync/labels.md#labels-that-apply-to-all-repos-for-both-issues-and-prs)。
+
+<!-- 
+### SIG Owner Label
+
+The SIG owner label defines the SIG to which we escalate if a milestone issue
+is languishing or needs additional attention. If there are no updates after
+escalation, the issue may be automatically removed from the milestone.
+
+These are added with the Prow "/sig" command. For example to add the label
+indicating SIG Storage is responsible, comment with `/sig storage`.
+-->
+### SIG 所有者标签  {#sig-owner-label}
+
+SIG 所有者标签定义了当里程碑问题未取得进展或需要额外关注时，我们应该逐步升级的 SIG。
+如果升级后没有更新，该问题可能会自动从里程碑中删除。
+
+这些是通过 Prow "/sig" 命令添加的。
+例如要添加指示 SIG Storage 负责的标签，请使用 `/sig storage` 进行评论。
+
+<!-- 
+### Priority Label
+
+Priority labels are used to determine an escalation path before moving issues
+out of the release milestone. They are also used to determine whether or not a
+release should be blocked on the resolution of the issue.
+-->
+### 优先级标签  {#priority-label}
+
+优先级标签用于在将问题移出发布里程碑之前确定升级路径。
+它们还用于确定在解决问题时是否应阻止发布。
+
+<!-- 
+- `priority/critical-urgent`: Never automatically move out of a release
+  milestone; continually escalate to contributor and SIG through all available
+  channels.
+  - considered a release blocking issue
+  - requires daily updates from issue owners during [Code Freeze][code-freeze]
+  - would require a patch release if left undiscovered until after the minor
+    release
+- `priority/important-soon`: Escalate to the issue owners and SIG owner; move
+  out of milestone after several unsuccessful escalation attempts.
+  - not considered a release blocking issue
+  - would not require a patch release
+  - will automatically be moved out of the release milestone at Code Freeze
+    after a 4 day grace period
+- `priority/important-longterm`: Escalate to the issue owners; move out of the
+  milestone after 1 attempt.
+  - even less urgent / critical than `priority/important-soon`
+  - moved out of milestone more aggressively than `priority/important-soon`
+-->
+- `priority/critical-urgent`：永远不会自动移出发布里程碑；通过所有可用渠道不断上报给贡献者和 SIG。
+   - 考虑发布阻塞问题
+   - 在[代码冻结][code-freeze]期间需要问题所有者的每日更新
+   - 如果在次要版本之后才被发现，则需要补丁版本
+- `priority/important-soon`：上报给问题所有者和 SIG 所有者；在几次不成功的升级尝试后退出里程碑。
+   - 不考虑发布阻止问题
+   - 不需要补丁版本
+   - 将在 4 天的宽限期后自动移出代码冻结的发布里程碑
+- `priority/important-longterm`：上报给问题所有者；1 次尝试后移出里程碑
+   - 比 `priority/important-soon` 更不紧急/不关键
+   - 比 `priority/important-soon` 更积极地移出里程碑
+
+<!-- 
+### Issue/PR Kind Label
+
+The issue kind is used to help identify the types of changes going into the
+release over time. This may allow the Release Team to develop a better
+understanding of what sorts of issues we would miss with a faster release
+cadence.
+
+For release targeted issues, including pull requests, one of the following
+issue kind labels must be set:
+-->
+### Issue/PR 分类标签  {#issue-pr-kind-label}
+
+Issue 类型用于帮助识别随着时间的推移进入版本的更改类型。
+这可以让发布团队更好地了解我们会在更快的发布节奏下错过哪些类型的 Issue。
+
+对于发布版本的目标问题，包括拉取请求，必须设置以下问题类型标签之一：
+
+<!-- 
+- `kind/api-change`: Adds, removes, or changes an API
+- `kind/bug`: Fixes a newly discovered bug.
+- `kind/cleanup`: Adding tests, refactoring, fixing old bugs.
+- `kind/design`: Related to design
+- `kind/documentation`: Adds documentation
+- `kind/failing-test`: CI test case is failing consistently.
+- `kind/feature`: New functionality.
+- `kind/flake`: CI test case is showing intermittent failures.
+-->
+- `kind/api-change`：添加、删除或更改 API
+- `kind/bug`：修复了一个新发现的错误
+- `kind/cleanup`：添加测试、重构、修复旧错误
+- `kind/design`：与设计相关
+- `kind/documentation`：添加文档
+- `kind/failing-test`：CI 测试用例一直失败
+- `kind/feature`：新功能
+- `kind/flake`：CI 测试用例显示间歇性故障
+
+[cherry-picks]: /contributors/devel/sig-release/cherry-picks.md
+[code-freeze]: https://git.k8s.io/sig-release/releases/release_phases.md#code-freeze
+[enhancements-freeze]: https://git.k8s.io/sig-release/releases/release_phases.md#enhancements-freeze
+[exceptions]: https://git.k8s.io/sig-release/releases/release_phases.md#exceptions
+[keps]: https://git.k8s.io/enhancements/keps
+[release-managers]: https://kubernetes.io/releases/release-managers/
+[release-team]: https://git.k8s.io/sig-release/release-team
+[sig-list]: /sig-list.md
diff --git a/content/zh-cn/releases/version-skew-policy.md b/content/zh-cn/releases/version-skew-policy.md
new file mode 100644
index 0000000000000..d5fb2ef85b5bb
--- /dev/null
+++ b/content/zh-cn/releases/version-skew-policy.md
@@ -0,0 +1,363 @@
+---
+title: 版本偏差策略
+type: docs
+description: >
+  Kubernetes 各个组件之间所支持的最大版本偏差。
+---
+<!-- 
+reviewers:
+- sig-api-machinery
+- sig-architecture
+- sig-cli
+- sig-cluster-lifecycle
+- sig-node
+- sig-release
+title: Version Skew Policy
+type: docs
+description: >
+  The maximum version skew supported between various Kubernetes components.
+-->
+
+<!-- overview -->
+<!-- 
+This document describes the maximum version skew supported between various Kubernetes components.
+Specific cluster deployment tools may place additional restrictions on version skew.
+-->
+本文档描述了 Kubernetes 各个组件之间所支持的最大版本偏差。
+特定的集群部署工具可能会对版本偏差添加额外的限制。
+
+<!-- body -->
+
+<!-- 
+## Supported versions
+
+Kubernetes versions are expressed as **x.y.z**, where **x** is the major version, **y** is the minor version, and **z** is the patch version, following [Semantic Versioning](https://semver.org/) terminology.
+For more information, see [Kubernetes Release Versioning](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/release/versioning.md#kubernetes-release-versioning).
+
+The Kubernetes project maintains release branches for the most recent three minor releases ({{< skew currentVersion >}}, {{< skew currentVersionAddMinor -1 >}}, {{< skew currentVersionAddMinor -2 >}}).  Kubernetes 1.19 and newer receive approximately 1 year of patch support. Kubernetes 1.18 and older received approximately 9 months of patch support.
+-->
+## 支持的版本  {#supported-versions}
+
+Kubernetes 版本以 **x.y.z** 表示，其中 **x** 是主要版本，
+**y** 是次要版本，**z** 是补丁版本，遵循[语义版本控制](https://semver.org/)术语。
+更多信息请参见
+[Kubernetes 版本发布控制](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/release/versioning.md#kubernetes-release-versioning)。
+
+Kubernetes 项目维护最近的三个次要版本（{{< skew currentVersion >}}、{{< skew currentVersionAddMinor -1 >}}、{{< skew currentVersionAddMinor -2 >}}）的发布分支。
+Kubernetes 1.19 和更新的版本获得大约 1 年的补丁支持。
+Kubernetes 1.18 及更早的版本获得了大约 9 个月的补丁支持。
+
+<!-- 
+Applicable fixes, including security fixes, may be backported to those three release branches, depending on severity and feasibility.
+Patch releases are cut from those branches at a [regular cadence](https://kubernetes.io/releases/patch-releases/#cadence), plus additional urgent releases, when required.
+
+The [Release Managers](/releases/release-managers/) group owns this decision.
+
+For more information, see the Kubernetes [patch releases](/releases/patch-releases/) page.
+-->
+适当的修复，包括安全问题修复，可能会被后沿三个发布分支，具体取决于问题的严重性和可行性。
+补丁版本按[常规节奏](https://kubernetes.io/releases/patch-releases/#cadence)从这些分支中删除，并在需要时增加额外的紧急版本。
+
+[发布管理员](/zh-cn/releases/release-managers/)小组拥有这件事的决定权。
+
+有关更多信息，请参阅 Kubernetes [补丁发布](/zh-cn/releases/patch-releases/)页面。
+
+<!-- 
+## Supported version skew
+
+### kube-apiserver
+
+In [highly-available (HA) clusters](/docs/setup/production-environment/tools/kubeadm/high-availability/), the newest and oldest `kube-apiserver` instances must be within one minor version.
+
+Example:
+
+* newest `kube-apiserver` is at **{{< skew currentVersion >}}**
+* other `kube-apiserver` instances are supported at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+-->
+## 支持的版本偏差  {#supported-version-skew}
+
+### kube-apiserver  {#kube-apiserver}
+
+在[高可用性（HA）集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/)中，
+最新版和最老版的 `kube-apiserver` 实例版本偏差最多为一个次要版本。
+
+例如：
+
+* 最新的 `kube-apiserver` 实例处于 **{{< skew currentVersion >}}** 版本
+* 其他 `kube-apiserver` 实例支持 **{{< skew currentVersion >}}** 和 **{{< skew currentVersionAddMinor -1 >}}** 版本
+
+<!-- 
+### kubelet
+
+`kubelet` must not be newer than `kube-apiserver`, and may be up to two minor versions older.
+
+Example:
+
+* `kube-apiserver` is at **{{< skew currentVersion >}}**
+* `kubelet` is supported at **{{< skew currentVersion >}}**, **{{< skew currentVersionAddMinor -1 >}}**, and **{{< skew currentVersionAddMinor -2 >}}**
+-->
+### kubelet  {#kubelet}
+
+`kubelet` 版本不能比 `kube-apiserver` 版本新，并且最多只可落后两个次要版本。
+
+例如：
+
+* `kube-apiserver` 处于 **{{< skew currentVersion >}}** 版本
+* `kubelet` 支持 **{{< skew currentVersion >}}**、**{{< skew currentVersionAddMinor -1 >}}** 和 **{{< skew currentVersionAddMinor -2 >}}** 版本
+
+{{< note >}}
+<!--
+If version skew exists between `kube-apiserver` instances in an HA cluster, this narrows the allowed `kubelet` versions.
+-->
+如果 HA 集群中的 `kube-apiserver` 实例之间存在版本偏差，这会缩小允许的 `kubelet` 版本范围。
+{{</ note >}}
+
+<!-- 
+Example:
+
+* `kube-apiserver` instances are at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+* `kubelet` is supported at **{{< skew currentVersionAddMinor -1 >}}**, and **{{< skew currentVersionAddMinor -2 >}}** (**{{< skew currentVersion >}}** is not supported because that would be newer than the `kube-apiserver` instance at version **{{< skew currentVersionAddMinor -1 >}}**)
+-->
+例如：
+
+* `kube-apiserver` 实例处于 **{{< skew currentVersion >}}** 和 **{{< skew currentVersionAddMinor -1 >}}** 版本
+* `kubelet` 支持 **{{< skew currentVersionAddMinor -1 >}}** 和 **{{< skew currentVersionAddMinor -2 >}}** 版本，
+  （不支持 **{{< skew currentVersion >}}** 版本，因为这将比
+  `kube-apiserver` **{{< skew currentVersionAddMinor -1 >}}** 版本的实例新）
+
+<!-- 
+### kube-controller-manager, kube-scheduler, and cloud-controller-manager
+
+`kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` must not be newer than the `kube-apiserver` instances they communicate with. They are expected to match the `kube-apiserver` minor version, but may be up to one minor version older (to allow live upgrades).
+
+Example:
+
+* `kube-apiserver` is at **{{< skew currentVersion >}}**
+* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` are supported at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+-->
+### kube-controller-manager、kube-scheduler 和 cloud-controller-manager  {#kube-controller-manager-kube-scheduler-and-cloud-controller-manager}
+
+`kube-controller-manager`、`kube-scheduler` 和 `cloud-controller-manager`
+不能比与它们通信的 `kube-apiserver` 实例新。
+它们应该与 `kube-apiserver` 次要版本相匹配，但可能最多旧一个次要版本（允许实时升级）。
+
+例如：
+
+* `kube-apiserver` 处于 **{{< skew currentVersion >}}** 版本
+* `kube-controller-manager`、`kube-scheduler` 和 `cloud-controller-manager`
+  支持 **{{< skew currentVersion >}}** 和 **{{< skew currentVersionAddMinor -1 >}}** 版本
+
+{{< note >}}
+<!-- 
+If version skew exists between `kube-apiserver` instances in an HA cluster, and these components can communicate with any `kube-apiserver` instance in the cluster (for example, via a load balancer), this narrows the allowed versions of these components.
+-->
+如果 HA 集群中的 `kube-apiserver` 实例之间存在版本偏差，
+并且这些组件可以与集群中的任何 `kube-apiserver`
+实例通信（例如，通过负载均衡器），这会缩小这些组件所允许的版本范围。
+{{< /note >}}
+
+<!-- 
+Example:
+
+* `kube-apiserver` instances are at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` communicate with a load balancer that can route to any `kube-apiserver` instance
+* `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` are supported at **{{< skew currentVersionAddMinor -1 >}}** (**{{< skew currentVersion >}}** is not supported because that would be newer than the `kube-apiserver` instance at version **{{< skew currentVersionAddMinor -1 >}}**)
+-->
+例如：
+
+* `kube-apiserver` 实例处于
+  **{{< skew currentVersion >}}** 和 **{{< skew currentVersionAddMinor -1 >}}** 版本
+* `kube-controller-manager`、`kube-scheduler` 和 `cloud-controller-manager`
+  与可以路由到任何 `kube-apiserver` 实例的负载均衡器通信
+* `kube-controller-manager`、`kube-scheduler` 和 `cloud-controller-manager`
+  支持 **{{< skew currentVersionAddMinor -1 >}}** 版本（不支持 **{{< skew currentVersion >}}**
+  版本，因为它比 **{{< skew currentVersionAddMinor -1 >}}** 版本的 `kube-apiserver` 实例新）
+
+<!-- 
+### kubectl
+
+`kubectl` is supported within one minor version (older or newer) of `kube-apiserver`.
+
+Example:
+
+* `kube-apiserver` is at **{{< skew currentVersion >}}**
+* `kubectl` is supported at **{{< skew nextMinorVersion >}}**, **{{< skew currentVersion >}}**, and **{{< skew currentVersionAddMinor -1 >}}**
+-->
+### kubectl  {#kubectl}
+
+`kubectl` 在 `kube-apiserver` 的一个次要版本（较旧或较新）中支持。
+
+例如：
+
+* `kube-apiserver` 处于 **{{< skew currentVersion >}}** 版本
+* `kubectl` 支持 **{{< skew nextMinorVersion >}}**、**{{< skew currentVersion >}}**
+  和 **{{< skew currentVersionAddMinor -1 >}}** 版本 
+
+{{< note >}}
+<!--
+If version skew exists between `kube-apiserver` instances in an HA cluster, this narrows the supported `kubectl` versions.
+-->
+如果 HA 集群中的 `kube-apiserver` 实例之间存在版本偏差，这会缩小支持的 `kubectl` 版本范围。
+{{< /note >}}
+
+<!-- 
+Example:
+
+* `kube-apiserver` instances are at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}**
+* `kubectl` is supported at **{{< skew currentVersion >}}** and **{{< skew currentVersionAddMinor -1 >}}** (other versions would be more than one minor version skewed from one of the `kube-apiserver` components)
+-->
+例如：
+
+* `kube-apiserver` 实例处于
+  **{{< skew currentVersion >}}** 和 **{{< skew currentVersionAddMinor -1 >}}** 版本
+* `kubectl` 支持 **{{< skew currentVersion >}}** 和 **{{< skew currentVersionAddMinor -1 >}}**
+  版本（其他版本将与 `kube-apiserver` 组件之一相差不止一个的次要版本）
+
+<!-- 
+## Supported component upgrade order
+
+The supported version skew between components has implications on the order in which components must be upgraded.
+This section describes the order in which components must be upgraded to transition an existing cluster from version **{{< skew currentVersionAddMinor -1 >}}** to version **{{< skew currentVersion >}}**.
+-->
+## 支持的组件升级顺序  {#supported-component-upgrade-order}
+
+组件之间支持的版本偏差会影响必须升级组件的顺序。
+本节介绍了将现有集群从 **{{< skew currentVersionAddMinor -1 >}}**
+版本转换到 **{{< skew currentVersion >}}** 版本时必须升级组件的顺序。
+
+<!-- 
+### kube-apiserver
+
+Pre-requisites:
+
+* In a single-instance cluster, the existing `kube-apiserver` instance is **{{< skew currentVersionAddMinor -1 >}}**
+* In an HA cluster, all `kube-apiserver` instances are at **{{< skew currentVersionAddMinor -1 >}}** or **{{< skew currentVersion >}}** (this ensures maximum skew of 1 minor version between the oldest and newest `kube-apiserver` instance)
+* The `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` instances that communicate with this server are at version **{{< skew currentVersionAddMinor -1 >}}** (this ensures they are not newer than the existing API server version, and are within 1 minor version of the new API server version)
+* `kubelet` instances on all nodes are at version **{{< skew currentVersionAddMinor -1 >}}** or **{{< skew currentVersionAddMinor -2 >}}** (this ensures they are not newer than the existing API server version, and are within 2 minor versions of the new API server version)
+* Registered admission webhooks are able to handle the data the new `kube-apiserver` instance will send them:
+  * `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` objects are updated to include any new versions of REST resources added in **{{< skew currentVersion >}}** (or use the [`matchPolicy: Equivalent` option](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy) available in v1.15+)
+  * The webhooks are able to handle any new versions of REST resources that will be sent to them, and any new fields added to existing versions in **{{< skew currentVersion >}}**
+-->
+### kube-apiserver  {#kube-apiserver-1}
+
+先决条件：
+
+* 在单实例集群中，现有的 `kube-apiserver` 实例处于 **{{< skew currentVersionAddMinor -1 >}}** 版本
+* 在 HA 集群中，所有 `kube-apiserver` 实例都处于
+  **{{< skew currentVersionAddMinor -1 >}}** 或 **{{< skew currentVersion >}}** 版本
+  （这确保了最老和最新的 `kube-apiserver` 实例之间的 1 个次要版本的最大偏差）
+* 与此服务器通信的 `kube-controller-manager`、`kube-scheduler` 和 `cloud-controller-manager`
+  实例的版本为 **{{< skew currentVersionAddMinor -1 >}}**
+  （这确保它们是不比现有 API 服务器版本还要新，并且在新 API 服务器版本的 1 个次要版本内）
+* 所有节点上的 `kubelet` 实例都是
+  **{{< skew currentVersionAddMinor -1 >}}** 或 **{{< skew currentVersionAddMinor -2 >}}**
+  版本（这确保它们不比现有 API 服务器版本新，并且在新 API 服务器版本的 2 个次要版本内）
+* 已注册的 admission webhook 能够处理新的 `kube-apiserver` 实例将发送给他们的数据：
+  * `ValidatingWebhookConfiguration` 和 `MutatingWebhookConfiguration`
+    对象已更新以包含 **{{< skew currentVersion >}}** 中添加的任何新版本的 REST 资源
+    （或使用 v1.15+ 中可用的 [`matchPolicy: Equivalent` 选项](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)）
+  * webhook 能够处理将发送给它们的任何新版本的 REST 资源，
+    以及添加到 **{{< skew currentVersion >}}** 中现有版本的任何新字段
+
+<!-- 
+Upgrade `kube-apiserver` to **{{< skew currentVersion >}}**
+-->
+将 `kube-apiserver` 升级到 **{{< skew currentVersion >}}** 版本
+
+{{< note >}}
+<!-- 
+Project policies for [API deprecation](/docs/reference/using-api/deprecation-policy/) and
+[API change guidelines](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api_changes.md)
+require `kube-apiserver` to not skip minor versions when upgrading, even in single-instance clusters.
+-->
+[API 弃用](/zh-cn/docs/reference/using-api/deprecation-policy/)和
+[API 变更指南](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api_changes.md)
+的项目策略要求 `kube-apiserver` 在升级时不跳过次要版本，即使在单实例集群中也是如此。
+{{< /note >}}
+
+<!-- 
+### kube-controller-manager, kube-scheduler, and cloud-controller-manager
+
+Pre-requisites:
+
+* The `kube-apiserver` instances these components communicate with are at **{{< skew currentVersion >}}** (in HA clusters in which these control plane components can communicate with any `kube-apiserver` instance in the cluster, all `kube-apiserver` instances must be upgraded before upgrading these components)
+
+Upgrade `kube-controller-manager`, `kube-scheduler`, and `cloud-controller-manager` to **{{< skew currentVersion >}}**
+-->
+### kube-controller-manager、kube-scheduler 和 cloud-controller-manager  {#kube-controller-manager-kube-scheduler-and-cloud-controller-manager-1}
+
+先决条件：
+
+* 与这些组件通信的 `kube-apiserver` 实例处于 **{{< skew currentVersion >}}** 版本
+  （在 HA 集群中，这些控制平面组件可以与集群中的任何 `kube-apiserver` 实例通信，
+  所有 `kube-apiserver` 实例必须在升级这些组件之前升级）
+
+将 `kube-controller-manager`、`kube-scheduler` 和 `cloud-controller-manager`
+升级到 **{{< skew currentVersion >}}** 版本
+
+<!-- 
+### kubelet
+
+Pre-requisites:
+
+* The `kube-apiserver` instances the `kubelet` communicates with are at **{{< skew currentVersion >}}**
+
+Optionally upgrade `kubelet` instances to **{{< skew currentVersion >}}** (or they can be left at **{{< skew currentVersionAddMinor -1 >}}** or **{{< skew currentVersionAddMinor -2 >}}**)
+-->
+### kubelet  {#kubelet-1}
+
+先决条件：
+
+* 与 `kubelet` 通信的 `kube-apiserver` 实例处于 **{{< skew currentVersion >}}** 版本
+
+可选择将 `kubelet` 实例升级到 **{{< skew latestMinorVersion >}}** 版本
+（或者它们可以留在 **{{< skew currentVersionAddMinor -1 >}}** 或 **{{< skew currentVersionAddMinor -2 >}}** 版本）
+
+{{< note >}}
+<!--
+Before performing a minor version `kubelet` upgrade, [drain](/docs/tasks/administer-cluster/safely-drain-node/) pods from that node.
+In-place minor version `kubelet` upgrades are not supported.
+-->
+在执行次要版本 `kubelet` 升级之前，[排空](/zh-cn/docs/tasks/administer-cluster/safely-drain-node/)该节点的 Pod。
+`kubelet` 不支持原地次要版本升级。
+{{</ note >}}
+
+{{< warning >}}
+<!-- 
+Running a cluster with `kubelet` instances that are persistently two minor versions behind `kube-apiserver` is not recommended:
+
+* they must be upgraded within one minor version of `kube-apiserver` before the control plane can be upgraded
+* it increases the likelihood of running `kubelet` versions older than the three maintained minor releases
+-->
+不建议运行 `kubelet` 实例始终落后 `kube-apiserver` 两个次要版本的集群：
+
+* 它们必须在 `kube-apiserver` 的一个次要版本中升级，然后才能升级控制平面
+* 它增加了运行早于三个处于维护状态的次要版本的 `kubelet` 的可能性
+{{</ warning >}}
+
+<!-- 
+### kube-proxy
+
+* `kube-proxy` must be the same minor version as `kubelet` on the node.
+* `kube-proxy` must not be newer than `kube-apiserver`.
+* `kube-proxy` must be at most two minor versions older than `kube-apiserver.`
+
+Example:
+
+If `kube-proxy` version is **{{< skew currentVersionAddMinor -2 >}}**:
+
+* `kubelet` version must be at the same minor version as **{{< skew currentVersionAddMinor -2 >}}**.
+* `kube-apiserver` version must be between **{{< skew currentVersionAddMinor -2 >}}** and **{{< skew currentVersion >}}**, inclusive.
+-->
+### kube-proxy  {#kube-proxy}
+
+* `kube-proxy` 和节点上的 `kubelet` 必须是相同的次要版本。
+* `kube-proxy` 版本不能比 `kube-apiserver` 版本新。
+* `kube-proxy` 最多只能比 `kube-apiserver` 落后两个次要版本。
+
+例如：
+
+如果 `kube-proxy` 版本处于 **{{< skew currentVersionAddMinor -2 >}}** 版本：
+
+* `kubelet` 必须处于相同的次要版本 **{{< skew currentVersionAddMinor -2 >}}**。
+* `kube-apiserver` 版本必须介于 **{{< skew currentVersionAddMinor -2 >}}** 和 **{{< skew currentVersion >}}** 之间，包括两者。
diff --git a/content/zh/search.md b/content/zh-cn/search.md
similarity index 100%
rename from content/zh/search.md
rename to content/zh-cn/search.md
diff --git a/content/zh/training/_index.html b/content/zh-cn/training/_index.html
similarity index 100%
rename from content/zh/training/_index.html
rename to content/zh-cn/training/_index.html
diff --git a/content/zh/blog/_posts/2018-06-06-4-years-of-k8s.md b/content/zh/blog/_posts/2018-06-06-4-years-of-k8s.md
deleted file mode 100644
index b4e118b58410d..0000000000000
--- a/content/zh/blog/_posts/2018-06-06-4-years-of-k8s.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Kubernetes 这四年
-approvers:
-cn-approvers:
-- congfairy
-layout: blog
-date: 2018-06-06
----
- <!--
-**Author**: Joe Beda (CTO and Founder, Heptio)
- On June 6, 2014 I checked in the [first commit](https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56) of what would become the public repository for Kubernetes. Many would assume that is where the story starts. It is the beginning of history, right? But that really doesn’t tell the whole story.
--->
-
- **作者**：Joe Beda( Heptio 首席技术官兼创始人)
- 2014 年 6 月 6 日，我检查了 Kubernetes 公共代码库的[第一次 commit](https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56) 。许多人会认为这是故事开始的地方。这难道不是一切开始的地方吗？但这的确不能把整个过程说清楚。
- 
- ![k8s_first_commit](/images/blog/2018-06-06-4-years-of-k8s/k8s-first-commit.png)
- 
- <!--
-The cast leading up to that commit was large and the success for Kubernetes since then is owed to an ever larger cast.
- Kubernetes was built on ideas that had been proven out at Google over the previous ten years with Borg. And Borg, itself, owed its existence to even earlier efforts at Google and beyond.
- Concretely, Kubernetes started as some prototypes from Brendan Burns combined with ongoing work from me and Craig McLuckie to better align the internal Google experience with the Google Cloud experience. Brendan, Craig, and I really wanted people to use this, so we made the case to build out this prototype as an open source project that would bring the best ideas from Borg out into the open.
- After we got the nod, it was time to actually build the system.  We took Brendan’s prototype (in Java), rewrote it in Go, and built just enough to get the core ideas across.  By this time the team had grown to include Ville Aikas, Tim Hockin, Brian Grant, Dawn Chen and Daniel Smith.  Once we had something working, someone had to sign up to clean things up to get it ready for public launch.  That ended up being me. Not knowing the significance at the time, I created a new repo, moved things over, and checked it in.  So while I have the first public commit to the repo, there was work underway well before that.
- The version of Kubernetes at that point was really just a shadow of what it was to become.  The core concepts were there but it was very raw.  For example, Pods were called Tasks.  That was changed a day before we went public.  All of this led up to the public announcement of Kubernetes on June 10th, 2014 in a keynote from Eric Brewer at the first DockerCon.  You can watch that video here:
--->
-
- 第一次 commit 涉及的人员众多，自那以后 Kubernetes 的成功归功于更大的开发者阵容。
- Kubernetes 建立在过去十年曾经在 Google 的 Borg 集群管理系统中验证过的思路之上。而 Borg 本身也是 Google 和其他公司早期努力的结果。
- 具体而言，Kubernetes 最初是从 Brendan Burns 的一些原型开始，结合我和 Craig McLuckie 正在进行的工作，以更好地将 Google 内部实践与 Google Cloud 的经验相结合。 Brendan，Craig 和我真的希望人们使用它，所以我们建议将这个原型构建为一个开源项目，将 Borg 的最佳创意带给大家。
-在我们所有人同意后，就开始着手构建这个系统了。我们采用了 Brendan 的原型（Java 语言），用 Go 语言重写了它，并且以上述核心思想去构建该系统。到这个时候，团队已经成长为包括 Ville Aikas，Tim Hockin，Brian Grant，Dawn Chen 和 Daniel Smith。一旦我们有了一些工作需求，有人必须承担一些脱敏的工作，以便为公开发布做好准备。这个角色最终由我承担。当时，我不知道这件事情的重要性，我创建了一个新的仓库，把代码搬过来，然后进行了检查。所以在我第一次提交 public commit 之前，就有工作已经启动了。
-那时 Kubernetes 的版本只是现在版本的简单雏形。核心概念已经有了，但非常原始。例如，Pods 被称为 Tasks，这在我们推广前一天就被替换。2014年6月10日 Eric Brewe 在第一届 DockerCon 上的演讲中正式发布了 Kubernetes 。您可以在此处观看该视频：
- 
-
-<center><iframe width="560" height="315" src="https://www.youtube.com/embed/YrxnVKZeqK8" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe></center>  
-
- <!--
- But, however raw, that modest start was enough to pique the interest of a community that started strong and has only gotten stronger.  Over the past four years Kubernetes has exceeded the expectations of all of us that were there early on. We owe the Kubernetes community a huge debt.  The success the project has seen  is based not just on code and technology but also the way that an amazing group of people have come together to create something special.  The best expression of this is the [set of Kubernetes values](https://github.com/kubernetes/steering/blob/master/values.md) that Sarah Novotny helped curate.
- Here is to another 4 years and beyond! 🎉🎉🎉
--->
-
- 但是，无论多么原始，这小小的一步足以激起一个开始强大而且变得更强大的社区的兴趣。在过去的四年里，Kubernetes 已经超出了我们所有人的期望。我们对 Kubernetes 社区的所有人员表示感谢。该项目所取得的成功不仅基于代码和技术，还基于一群出色的人聚集在一起所做的有意义的事情。Sarah Novotny 策划的一套 [Kubernetes 价值观](https://github.com/kubernetes/steering/blob/master/values.md)是以上最好的表现形式。
- 让我们一起期待下一个4年！🎉🎉🎉
diff --git a/content/zh/blog/_posts/2018-06-28-Airflow-Kubernetes-Operator.md b/content/zh/blog/_posts/2018-06-28-Airflow-Kubernetes-Operator.md
deleted file mode 100644
index 5606cf9c2c325..0000000000000
--- a/content/zh/blog/_posts/2018-06-28-Airflow-Kubernetes-Operator.md
+++ /dev/null
@@ -1,676 +0,0 @@
----
-
-layout: blog
-
-title:  'Airflow on Kubernetes (Part 1): A Different Kind of Operator'
-
-date:   2018-06-28
-
-title: 'Airflow在Kubernetes中的使用（第一部分）：一种不同的操作器'
-
-cn-approvers:
-
-- congfairy
-
----
-
-
-<!--
-
-Author: Daniel Imberman (Bloomberg LP)
-
--->
-
-
-
-作者: Daniel Imberman (Bloomberg LP)
-
-
-
-<!--
-
-## Introduction
-
-
-
-As part of Bloomberg's continued commitment to developing the Kubernetes ecosystem, we are excited to announce the Kubernetes Airflow Operator; a mechanism for Apache Airflow, a popular workflow orchestration framework to natively launch arbitrary Kubernetes Pods using the Kubernetes API.
-
--->
-
-
-
-## 介绍
-
-
-
-作为Bloomberg [继续致力于开发Kubernetes生态系统]的一部分（https://www.techatbloomberg.com/blog/bloomberg-awarded-first-cncf-end-user-award-contributions-kubernetes/），我们很高兴能够宣布Kubernetes Airflow Operator的发布; [Apache Airflow](https://airflow.apache.org/)的机制，一种流行的工作流程编排框架，使用Kubernetes API可以在本机启动任意的Kubernetes Pod。
-
-
-
-<!--
-
-## What Is Airflow?
-
-
-
-Apache Airflow is one realization of the DevOps philosophy of "Configuration As Code." Airflow allows users to launch multi-step pipelines using a simple Python object DAG (Directed Acyclic Graph). You can define dependencies, programmatically construct complex workflows, and monitor scheduled jobs in an easy to read UI.
-
-
-
-
-
-
-
--->
-
-
-
-## 什么是Airflow?
-
-
-
-Apache Airflow是DevOps“Configuration As Code”理念的一种实现。 Airflow允许用户使用简单的Python对象DAG（有向无环图）启动多步骤流水线。 您可以在易于阅读的UI中定义依赖关系，以编程方式构建复杂的工作流，并监视调度的作业。
-
-
-
-<img src =“/ images / blog / 2018-05-25-Airflow-Kubernetes-Operator / 2018-05-25-airflow_dags.png”width =“85％”alt =“Airflow DAGs”/>
-
-<img src =“/ images / blog / 2018-05-25-Airflow-Kubernetes-Operator / 2018-05-25-airflow.png”width =“85％”alt =“Airflow UI”/>
-
-
-
-<!--
-
-## Why Airflow on Kubernetes?
-
-
-
-Since its inception, Airflow's greatest strength has been its flexibility. Airflow offers a wide range of integrations for services ranging from Spark and HBase, to services on various cloud providers. Airflow also offers easy extensibility through its plug-in framework. However, one limitation of the project is that Airflow users are confined to the frameworks and clients that exist on the Airflow worker at the moment of execution. A single organization can have varied Airflow workflows ranging from data science pipelines to application deployments. This difference in use-case creates issues in dependency management as both teams might use vastly different libraries for their workflows.
-
-
-
-To address this issue, we've utilized Kubernetes to allow users to launch arbitrary Kubernetes pods and configurations. Airflow users can now have full power over their run-time environments, resources, and secrets, basically turning Airflow into an "any job you want" workflow orchestrator.
-
--->
-
-
-
-## 为什么在Kubernetes上使用Airflow?
-
-
-
-自成立以来，Airflow的最大优势在于其灵活性。 Airflow提供广泛的服务集成，包括Spark和HBase，以及各种云提供商的服务。 Airflow还通过其插件框架提供轻松的可扩展性。但是，该项目的一个限制是Airflow用户仅限于执行时Airflow站点上存在的框架和客户端。单个组织可以拥有各种Airflow工作流程，范围从数据科学流到应用程序部署。用例中的这种差异会在依赖关系管理中产生问题，因为两个团队可能会在其工作流程使用截然不同的库。
-
-
-
-为了解决这个问题，我们使Kubernetes允许用户启动任意Kubernetes pod和配置。 Airflow用户现在可以在其运行时环境，资源和机密上拥有全部权限，基本上将Airflow转变为“您想要的任何工作”工作流程协调器。
-
-
-
-<!--
-
-## The Kubernetes Operator
-
-
-
-Before we move any further, we should clarify that an Operator in Airflow is a task definition. When a user creates a DAG, they would use an operator like the "SparkSubmitOperator" or the "PythonOperator" to submit/monitor a Spark job or a Python function respectively. Airflow comes with built-in operators for frameworks like Apache Spark, BigQuery, Hive, and EMR. It also offers a Plugins entrypoint that allows DevOps engineers to develop their own connectors.
-
-
-
-Airflow users are always looking for ways to make deployments and ETL pipelines simpler to manage. Any opportunity to decouple pipeline steps, while increasing monitoring, can reduce future outages and fire-fights. The following is a list of benefits provided by the Airflow Kubernetes Operator:
-
--->
-
-
-
-## Kubernetes运营商
-
-
-
-在进一步讨论之前，我们应该澄清Airflow中的[Operator](https://airflow.apache.org/concepts.html#operators)是一个任务定义。 当用户创建DAG时，他们将使用像“SparkSubmitOperator”或“PythonOperator”这样的operator分别提交/监视Spark作业或Python函数。 Airflow附带了Apache Spark，BigQuery，Hive和EMR等框架的内置运算符。 它还提供了一个插件入口点，允许DevOps工程师开发自己的连接器。
-
-
-
-Airflow用户一直在寻找更易于管理部署和ETL流的方法。 在增加监控的同时，任何解耦流程的机会都可以减少未来的停机等问题。 以下是Airflow Kubernetes Operator提供的好处：
-
-
-
-<!--
-
- * Increased flexibility for deployments:
-
-Airflow's plugin API has always offered a significant boon to engineers wishing to test new functionalities within their DAGs. On the downside, whenever a developer wanted to create a new operator, they had to develop an entirely new plugin. Now, any task that can be run within a Docker container is accessible through the exact same operator, with no extra Airflow code to maintain.
-
--->
-
-
-
-* 提高部署灵活性：
-
-Airflow的插件API一直为希望在其DAG中测试新功能的工程师提供了重要的福利。 不利的一面是，每当开发人员想要创建一个新的operator时，他们就必须开发一个全新的插件。 现在，任何可以在Docker容器中运行的任务都可以通过完全相同的运算符访问，而无需维护额外的Airflow代码。
-
-
-
-<!--
-
- * Flexibility of configurations and dependencies:
-
-For operators that are run within static Airflow workers, dependency management can become quite difficult. If a developer wants to run one task that requires SciPy and another that requires NumPy, the developer would have to either maintain both dependencies within all Airflow workers or offload the task to an external machine (which can cause bugs if that external machine changes in an untracked manner). Custom Docker images allow users to ensure that the tasks environment, configuration, and dependencies are completely idempotent.
-
--->
-
-
-
-* 配置和依赖的灵活性：
-
-对于在静态Airflow工作程序中运行的operator，依赖关系管理可能变得非常困难。 如果开发人员想要运行一个需要[SciPy](https://www.scipy.org)的任务和另一个需要[NumPy](http://www.numpy.org)的任务，开发人员必须维护所有Airflow节点中的依赖关系或将任务卸载到其他计算机（如果外部计算机以未跟踪的方式更改，则可能导致错误）。 自定义Docker镜像允许用户确保任务环境，配置和依赖关系完全是幂等的。
-
-
-
-<!--
-
- * Usage of kubernetes secrets for added security:
-
-Handling sensitive data is a core responsibility of any DevOps engineer. At every opportunity, Airflow users want to isolate any API keys, database passwords, and login credentials on a strict need-to-know basis. With the Kubernetes operator, users can utilize the Kubernetes Vault technology to store all sensitive data. This means that the Airflow workers will never have access to this information, and can simply request that pods be built with only the secrets they need.
-
--->
-
-
-
-* 使用kubernetes Secret以增加安全性：
-
-处理敏感数据是任何开发工程师的核心职责。 Airflow用户总有机会在严格条款的基础上隔离任何API密钥，数据库密码和登录凭据。 使用Kubernetes运算符，用户可以利用Kubernetes Vault技术存储所有敏感数据。 这意味着Airflow工作人员将永远无法访问此信息，并且可以容易地请求仅使用他们需要的密码信息构建pod。
-
-
-
-<!--
-
-# Architecture
-
-
-
-
-
-
-
-The Kubernetes Operator uses the Kubernetes Python Client to generate a request that is processed by the APIServer (1). Kubernetes will then launch your pod with whatever specs you've defined (2). Images will be loaded with all the necessary environment variables, secrets and dependencies, enacting a single command. Once the job is launched, the operator only needs to monitor the health of track logs (3). Users will have the choice of gathering logs locally to the scheduler or to any distributed logging service currently in their Kubernetes cluster.
-
--->
-
-
-
-＃架构
-
-
-
-<img src =“/ images / blog / 2018-05-25-Airflow-Kubernetes-Operator / 2018-05-25-airflow-architecture.png”width =“85％”alt =“Airflow Architecture”/>
-
-
-
-Kubernetes Operator使用[Kubernetes Python客户端](https://github.com/kubernetes-client/Python)生成由APIServer处理的请求（1）。 然后，Kubernetes将使用您定义的需求启动您的pod（2）。映像文件中将加载环境变量，Secret和依赖项，执行单个命令。 一旦启动作业，operator只需要监视跟踪日志的状况（3）。 用户可以选择将日志本地收集到调度程序或当前位于其Kubernetes集群中的任何分布式日志记录服务。
-
-
-
-<!--
-
-# Using the Kubernetes Operator
-
-
-
-## A Basic Example
-
-
-
-The following DAG is probably the simplest example we could write to show how the Kubernetes Operator works. This DAG creates two pods on Kubernetes: a Linux distro with Python and a base Ubuntu distro without it. The Python pod will run the Python request correctly, while the one without Python will report a failure to the user. If the Operator is working correctly, the passing-task pod should complete, while the failing-task pod returns a failure to the Airflow webserver.
-
--->
-
-
-
-＃使用Kubernetes Operator
-
-
-
-##一个基本的例子
-
-
-
-以下DAG可能是我们可以编写的最简单的示例，以显示Kubernetes Operator的工作原理。 这个DAG在Kubernetes上创建了两个pod：一个带有Python的Linux发行版和一个没有它的基本Ubuntu发行版。 Python pod将正确运行Python请求，而没有Python的那个将向用户报告失败。 如果Operator正常工作，则应该完成“passing-task”pod，而“falling-task”pod则向Airflow网络服务器返回失败。
-
-
-
-
-
-```Python
-
-from airflow import DAG
-
-from datetime import datetime, timedelta
-
-from airflow.contrib.operators.kubernetes_pod_operator import KubernetesPodOperator
-
-from airflow.operators.dummy_operator import DummyOperator
-
-
-default_args = {
-
-    'owner': 'airflow',
-
-    'depends_on_past': False,
-
-    'start_date': datetime.utcnow(),
-
-    'email': ['airflow@example.com'],
-
-    'email_on_failure': False,
-
-    'email_on_retry': False,
-
-    'retries': 1,
-
-    'retry_delay': timedelta(minutes=5)
-
-}
-
-
-
-dag = DAG(
-
-    'kubernetes_sample', default_args=default_args, schedule_interval=timedelta(minutes=10))
-
-start = DummyOperator(task_id='run_this_first', dag=dag)
-passing = KubernetesPodOperator(namespace='default',
-
-                          image="Python:3.6",
-
-                          cmds=["Python","-c"],
-
-                          arguments=["print('hello world')"],
-
-                          labels={"foo": "bar"},
-
-                          name="passing-test",
-
-                          task_id="passing-task",
-
-                          get_logs=True,
-
-                          dag=dag
-
-                          )
-
- failing = KubernetesPodOperator(namespace='default',
-
-                          image="ubuntu:1604",
-
-                          cmds=["Python","-c"],
-
-                          arguments=["print('hello world')"],
-
-                          labels={"foo": "bar"},
-
-                          name="fail",
-
-                          task_id="failing-task",
-
-                          get_logs=True,
-
-                          dag=dag
-
-                          )
-
-passing.set_upstream(start)
-
-failing.set_upstream(start)
-
-```
-
-<!--
-
-## But how does this relate to my workflow?
-
-
-
-While this example only uses basic images, the magic of Docker is that this same DAG will work for any image/command pairing you want. The following is a recommended CI/CD pipeline to run production-ready code on an Airflow DAG.
-
-
-
-### 1: PR in github
-
-Use Travis or Jenkins to run unit and integration tests, bribe your favorite team-mate into PR'ing your code, and merge to the master branch to trigger an automated CI build.
-
-
-
-### 2: CI/CD via Jenkins -> Docker Image
-
-
-
-Generate your Docker images and bump release version within your Jenkins build.
-
-
-
-### 3: Airflow launches task
-
-
-
-Finally, update your DAGs to reflect the new release version and you should be ready to go!
-
--->
-
-##但这与我的工作流程有什么关系？
-
-
-
-虽然这个例子只使用基本映像，但Docker的神奇之处在于，这个相同的DAG可以用于您想要的任何图像/命令配对。 以下是推荐的CI / CD管道，用于在Airflow DAG上运行生产就绪代码。
-
-
-
-### 1：github中的PR
-
-使用Travis或Jenkins运行单元和集成测试，请您的朋友PR您的代码，并合并到主分支以触发自动CI构建。
-
-
-
-### 2：CI / CD构建Jenkins - > Docker Image
-
-
-
-[在Jenkins构建中生成Docker镜像和缓冲版本](https://getintodevops.com/blog/building-your-first-Docker-image-with-jenkins-2-guide-for-developers)。
-
-
-
-### 3：Airflow启动任务
-
-
-
-最后，更新您的DAG以反映新版本，您应该准备好了！
-
-
-
-```Python
-
-production_task = KubernetesPodOperator(namespace='default',
-
-                          # image="my-production-job:release-1.0.1", <-- old release
-
-                          image="my-production-job:release-1.0.2",
-
-                          cmds=["Python","-c"],
-
-                          arguments=["print('hello world')"],
-
-                          name="fail",
-
-                          task_id="failing-task",
-
-                          get_logs=True,
-
-                          dag=dag
-
-                          )
-
-```
-
-<!--
-
-# Launching a test deployment
-
-
-
-Since the Kubernetes Operator is not yet released, we haven't released an official helm chart or operator (however both are currently in progress). However, we are including instructions for a basic deployment below  and are actively looking for foolhardy beta testers to try this new feature. To try this system out please follow these steps:
-
-
-
-## Step 1: Set your kubeconfig to point to a kubernetes cluster
-
-
-
-## Step 2: Clone the Airflow Repo:
-
-
-
-Run git clone https://github.com/apache/incubator-airflow.git to clone the official Airflow repo.
-
-
-
-## Step 3: Run
-
-
-
-To run this basic deployment, we are co-opting the integration testing script that we currently use for the Kubernetes Executor (which will be explained in the next article of this series). To launch this deployment, run these three commands:
-
--->
-
-
-
-＃启动测试部署
-
-
-
-由于Kubernetes运营商尚未发布，我们尚未发布官方[helm](https://helm.sh/) 图表或operator（但两者目前都在进行中）。 但是，我们在下面列出了基本部署的说明，并且正在积极寻找测试人员来尝试这一新功能。 要试用此系统，请按以下步骤操作：
-
-
-
-##步骤1：将kubeconfig设置为指向kubernetes集群
-
-
-
-##步骤2：clone Airflow 仓库：
-
-
-
-运行git clone https：// github.com / apache / incubator-airflow.git来clone官方Airflow仓库。
-
-
-
-##步骤3：运行
-
-
-
-为了运行这个基本Deployment，我们正在选择我们目前用于Kubernetes Executor的集成测试脚本（将在本系列的下一篇文章中对此进行解释）。 要启动此部署，请运行以下三个命令：
-
-
-
-```
-
-sed -ie "s/KubernetesExecutor/LocalExecutor/g" scripts/ci/kubernetes/kube/configmaps.yaml
-
-./scripts/ci/kubernetes/Docker/build.sh
-
-./scripts/ci/kubernetes/kube/deploy.sh
-
-```
-
-<!--
-
-Before we move on, let's discuss what these commands are doing:
-
-
-
-### sed -ie "s/KubernetesExecutor/LocalExecutor/g" scripts/ci/kubernetes/kube/configmaps.yaml
-
-
-
-The Kubernetes Executor is another Airflow feature that allows for dynamic allocation  of tasks as idempotent pods. The reason we are switching this to the LocalExecutor is simply to introduce one feature at a time. You are more then welcome to skip this step if you would like to try the Kubernetes Executor, however we will go into more detail in a future article.
-
-
-
-### ./scripts/ci/kubernetes/Docker/build.sh
-
-
-
-This script will tar the Airflow master source code build a Docker container based on the Airflow distribution
-
-
-
-### ./scripts/ci/kubernetes/kube/deploy.sh
-
-
-
-Finally, we create a full Airflow deployment on your cluster. This includes Airflow configs, a postgres backend, the webserver + scheduler, and all necessary services between. One thing to note is that the role binding supplied is a cluster-admin, so if you do not have that level of permission on the cluster, you can modify this at scripts/ci/kubernetes/kube/airflow.yaml
-
-
-
-## Step 4: Log into your webserver
-
-
-
-Now that your Airflow instance is running let's take a look at the UI! The UI lives in port 8080 of the Airflow pod, so simply run
-
--->
-
-
-
-在我们继续之前，让我们讨论这些命令正在做什么：
-
-
-
-### sed -ie“s / KubernetesExecutor / LocalExecutor / g”scripts / ci / kubernetes / kube / configmaps.yaml
-
-
-
-Kubernetes Executor是另一种Airflow功能，允许动态分配任务已解决幂等pod的问题。我们将其切换到LocalExecutor的原因只是一次引入一个功能。如果您想尝试Kubernetes Executor，欢迎您跳过此步骤，但我们将在以后的文章中详细介绍。
-
-
-
-### ./scripts/ci/kubernetes/Docker/build.sh
-
-
-
-此脚本将对Airflow主分支代码进行打包，以根据Airflow的发行文件构建Docker容器
-
-
-
-### ./scripts/ci/kubernetes/kube/deploy.sh
-
-
-
-最后，我们在您的群集上创建完整的Airflow部署。这包括Airflow配置，postgres后端，webserver +调度程序以及之间的所有必要服务。需要注意的一点是，提供的角色绑定是集群管理员，因此如果您没有该集群的权限级别，可以在scripts / ci / kubernetes / kube / airflow.yaml中进行修改。
-
-
-
-##步骤4：登录您的网络服务器
-
-
-
-现在您的Airflow实例正在运行，让我们来看看UI！用户界面位于Airflow pod的8080端口，因此只需运行即可
-
-
-
-```
-
-WEB=$(kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | grep "airflow" | head -1)
-
-kubectl port-forward $WEB 8080:8080
-
- ```
-
-<!--
-
- Now the Airflow UI will exist on http://localhost:8080. To log in simply enter airflow/airflow and you should have full access to the Airflow web UI.
-
-
-
-## Step 5: Upload a test document
-
-
-
-To modify/add your own DAGs, you can use kubectl cp to upload local files into the DAG folder of the Airflow scheduler. Airflow will then read the new DAG and automatically upload it to its system. The following command will upload any local file into the correct directory:
-
--->
-
-
-
-现在，Airflow UI将存在于http://localhost:8080上。 要登录，只需输入airflow /airflow，您就可以完全访问Airflow Web UI。
-
-
-
-##步骤5：上传测试文档
-
-
-
-要修改/添加自己的DAG，可以使用kubectl cp将本地文件上传到Airflow调度程序的DAG文件夹中。 然后，Airflow将读取新的DAG并自动将其上传到其系统。 以下命令将任何本地文件上载到正确的目录中：
-
-
-
-kubectl cp <local file> <namespace>/<pod>:/root/airflow/dags -c scheduler
-
-
-
-<!--
-
-## Step 6: Enjoy!
-
-
-
-# So when will I be able to use this?
-
-
-
- While this feature is still in the early stages, we hope to see it released for wide release in the next few months.
-
-
-
-# Get Involved
-
-
-
-This feature is just the beginning of multiple major efforts to improves Apache Airflow integration into Kubernetes. The Kubernetes Operator has been merged into the 1.10 release branch of Airflow (the executor in experimental mode), along with a fully k8s native scheduler called the Kubernetes Executor (article to come). These features are still in a stage where early adopters/contributors can have a huge influence on the future of these features.
-
-
-
-For those interested in joining these efforts, I'd recommend checkint out these steps:
-
-
-
- * Join the airflow-dev mailing list at dev@airflow.apache.org.
-
- * File an issue in Apache Airflow JIRA
-
- * Join our SIG-BigData meetings on Wednesdays at 10am PST.
-
- * Reach us on slack at #sig-big-data on kubernetes.slack.com
-
-
-
-Special thanks to the Apache Airflow and Kubernetes communities, particularly Grant Nicholas, Ben Goldberg, Anirudh Ramanathan, Fokko Dreisprong, and Bolke de Bruin, for your awesome help on these features as well as our future efforts.
-
--->
-
-
-
-##步骤6：使用它！
-
-
-
-#那么我什么时候可以使用它？
-
-
-
- 虽然此功能仍处于早期阶段，但我们希望在未来几个月内发布该功能以进行广泛发布。
-
-
-
-#参与其中
-
-
-
-此功能只是将Apache Airflow集成到Kubernetes中的多项主要工作的开始。 Kubernetes Operator已合并到[Airflow的1.10发布分支](https://github.com/apache/incubator-airflow/tree/v1-10-test)（实验模式中的执行模块），以及完整的k8s本地调度程序称为Kubernetes Executor（即将发布文章）。这些功能仍处于早期采用者/贡献者可能对这些功能的未来产生巨大影响的阶段。
-
-
-
-对于有兴趣加入这些工作的人，我建议按照以下步骤：
-
-
-
- *加入airflow-dev邮件列表dev@airflow.apache.org。
-
- *在[Apache Airflow JIRA]中提出问题（https://issues.apache.org/jira/projects/AIRFLOW/issues/）
-
- *周三上午10点太平洋标准时间加入我们的SIG-BigData会议。
-
- *在kubernetes.slack.com上的＃sig-big-data找到我们。
-
-
-
-特别感谢Apache Airflow和Kubernetes社区，特别是Grant Nicholas，Ben Goldberg，Anirudh Ramanathan，Fokko Dreisprong和Bolke de Bruin，感谢您对这些功能的巨大帮助以及我们未来的努力。
diff --git a/content/zh/blog/_posts/2019-04-26-latest-on-localization.md b/content/zh/blog/_posts/2019-04-26-latest-on-localization.md
deleted file mode 100644
index f1ca86016b77a..0000000000000
--- a/content/zh/blog/_posts/2019-04-26-latest-on-localization.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-layout: blog
-title: '如何参与 Kubernetes 文档的本地化工作'
-date: 2019-04-26
----
-
-**作者: Zach Corleissen（Linux 基金会）**
-
-去年我们对 Kubernetes 网站进行了优化，加入了[多语言内容的支持](https://kubernetes.io/blog/2018/11/08/kubernetes-docs-updates-international-edition/)。贡献者们踊跃响应，加入了多种新的本地化内容：截至 2019 年 4 月，Kubernetes 文档有了 9 个不同语言的未完成版本，其中有 6 个是 2019 年加入的。在每个 Kubernetes 文档页面的上方，读者都可以看到一个语言选择器，其中列出了所有可用语言。
-
-不论是完成度最高的[中文版 v1.12](https://v1-12.docs.kubernetes.io/zh/)，还是最新加入的[葡萄牙文版 v1.14](https://kubernetes.io/pt/)，各语言的本地化内容还未完成，这是一个进行中的项目。如果读者有兴趣对现有本地化工作提供支持，请继续阅读。
-
-## 什么是本地化
-
-翻译是以词表意的问题。而本地化在此基础之上，还包含了过程和设计方面的工作。
-
-本地化和翻译很像，但是包含更多内容。除了进行翻译之外，本地化还要为编写和发布过程的框架进行优化。例如，Kubernetes.io 多数的站点浏览功能（按钮文字）都保存在[单独的文件](https://github.com/kubernetes/website/tree/master/i18n)之中。所以启动新本地化的过程中，需要包含加入对特定文件中字符串进行翻译的工作。
-
-本地化很重要，能够有效的降低 Kubernetes 的采纳和支持门槛。如果能用母语阅读 Kubernetes 文档，就能更轻松的开始使用 Kubernetes，并对其发展作出贡献。
-
-## 如何启动本地化工作
-
-不同语言的本地化工作都是单独的功能——和其它 Kubernetes 功能一致，贡献者们在一个 SIG 中进行本地化工作，分享出来进行评审，并加入项目。
-
-贡献者们在团队中进行内容的本地化工作。因为自己不能批准自己的 PR，所以一个本地化团队至少应该有两个人——例如意大利文的本地化团队有两个人。这个团队规模可能很大：中文团队有几十个成员。
-
-每个团队都有自己的工作流。有些团队手工完成所有的内容翻译；有些会使用带有翻译插件的编译器，并使用评审机来提供正确性的保障。SIG Docs 专注于输出的标准；这就给了本地化团队采用适合自己工作情况的工作流。这样一来，团队可以根据最佳实践进行协作，并以 Kubernetes 的社区精神进行分享。
-
-## 为本地化工作添砖加瓦
-
-如果你有兴趣为 Kubernetes 文档加入新语种的本地化内容，[Kubernetes contribution guide](https://kubernetes.io/docs/contribute/localization/) 中包含了这方面的相关内容。
-
-已经启动的的本地化工作同样需要支持。如果有兴趣为现存项目做出贡献，可以加入本地化团队的 Slack 频道，去做个自我介绍。各团队的成员会帮助你开始工作。
-
-|语种|Slack 频道|
-|---|---|
-|中文|[#kubernetes-docs-zh](https://kubernetes.slack.com/messages/CE3LNFYJ1/)|
-|英文|[#sig-docs](https://kubernetes.slack.com/messages/C1J0BPD2M/)|
-|法文|[#kubernetes-docs-fr](https://kubernetes.slack.com/messages/CG838BFT9/)|
-|德文|[#kubernetes-docs-de](https://kubernetes.slack.com/messages/CH4UJ2BAL/)|
-|印地|[#kubernetes-docs-hi](https://kubernetes.slack.com/messages/CJ14B9BDJ/)|
-|印度尼西亚文|[#kubernetes-docs-id](https://kubernetes.slack.com/messages/CJ1LUCUHM/)|
-|意大利文|[#kubernetes-docs-it](https://kubernetes.slack.com/messages/CGB1MCK7X/)|
-|日文|[#kubernetes-docs-ja](https://kubernetes.slack.com/messages/CAG2M83S8/)|
-|韩文|[#kubernetes-docs-ko](https://kubernetes.slack.com/messages/CA1MMR86S/)|
-|葡萄牙文|[#kubernetes-docs-pt](https://kubernetes.slack.com/messages/CJ21AS0NA/)|
-|西班牙文|[#kubernetes-docs-es](https://kubernetes.slack.com/messages/CH7GB2E3B/)|
-
-## 下一步？
-
-最新的[印地文本地化](https://kubernetes.slack.com/messages/CJ14B9BDJ/)工作正在启动。为什么不加入你的语言？
-
-身为 SIG Docs 的主席，我甚至希望本地化工作跳出文档范畴，直接为 Kubernetes 组件提供本地化支持。有什么组件是你希望支持不同语言的么？可以提交一个 [Kubernetes Enhancement Proposal](https://github.com/kubernetes/enhancements/tree/master/keps) 来促成这一进步。
\ No newline at end of file
diff --git a/content/zh/case-studies/wikimedia/index.html b/content/zh/case-studies/wikimedia/index.html
deleted file mode 100644
index ab6452bfc3ea7..0000000000000
--- a/content/zh/case-studies/wikimedia/index.html
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: 案例研究：Wikimedia
-
-class: gridPage
-cid: caseStudies
----
-
-<section id="hero" class="light-text">
-    <h1> 案例研究：Wikimedia</h1>
-</section>
-
-<section id="mainContent">
-    <main>
-        <div class="content">
-            <!-- <h3 id="caseStudyTitle">Using Kubernetes to Build Tools to Improve the World's Wikis</h3> -->
-<h3 id="caseStudyTitle">利用 Kubernetes 构建工具提升世界的维基</h3>
-            <p>
-                <!-- The non-profit Wikimedia Foundation operates some of the largest collaboratively edited reference projects in the world, including Wikipedia. To help users maintain and use wikis, it runs Wikimedia Tool Labs, a hosting environment for community developers working on tools and bots to help editors and other volunteers do their work, including reducing vandalism. The community around Wikimedia Tool Labs began forming nearly 10 years ago. -->
-非营利的 Wikimedia 基金会运营着一些世界上最大的合作编辑参考项目，包括 Wikipedia。为了帮助用户维护和使用 wiki，它运行 Wikimedia 工具实验室，这是一个托管环境，为社区开发人员工作的工具和机器人，以帮助编辑和其他志愿者做他们的工作，包括减少破坏。Wikimedia 工具实验室周围的社区在近10年前开始形成。
-            </p>
-            <div class="feature">
-                <img src="/images/wikimedia_logo.png" alt="Wikimedia">
-                <p class="quote">
-                    <!-- "Wikimedia Tool Labs is vital for making sure wikis all around the world work as well as they possibly can. Because it's grown organically for almost 10 years, it has become an extremely challenging environment and difficult to maintain. It's like a big ball of mud — you really can't see through it. With Kubernetes, we're simplifying the environment and making it easier for developers to build the tools that make wikis run better." -->
-“ Wikimedia 工具实验室对于确保世界各地的 wiki 尽可能工作至关重要。因为它有机地生长了近10年，它已成为一个极具挑战性的环境，难以维持。它就像一个大的泥球，你真的看不透它。借助 Kubernetes，可以简化环境，使开发人员能够更轻松地构建使 wiki 运行得更好的工具。”
-                </p>
-                <!-- <p class="attrib">— Yuvi Panda, operations engineer at Wikimedia Foundation and Wikimedia Tool Labs</p> -->
-                <p class="attrib">— Yuvi Panda, Wikimedia 基金会和 Wikimedia 工具实验室的运维工程师</p>
-            </div>
-        </div>
-    </main>
-</section>
-
-<section class="bullets">
-    <main>
-        <div class="content">
-            <div class="bullet">
-                <h4>挑战：</h4>
-                <ul>
-                    <!-- <li>Simplify a complex, difficult-to-manage infrastructure</li> -->
-                    <li>简化复杂、难以管理的基础架构</li>
-                    <!-- <li>Allow developers to continue writing tools and bots using existing techniques</li> -->
-                    <li>允许开发人员使用现有技术继续编写工具和机器人</li>
-                </ul>
-            </div>
-            <div class="bullet">
-                <!-- <h4>Why Kubernetes:</h4> -->
-                <h4>为什么要使用 Kubernetes</h4>
-                <ul>
-                    <!-- <li>Wikimedia Tool Labs chose Kubernetes because it can mimic existing workflows, while reducing complexity</li> -->
-                    <li>Wikimedia 工具实验室之所以选择 Kubernetes，是因为它可以模仿现有的工作流程，同时降低复杂性。</li>
-                </ul>
-            </div>
-            <div class="bullet">
-                <!-- <h4>Approach:</h4> -->
-                <h4>解决方案：</h4>
-                <ul>
-                    <!-- <li>Migrate old systems and a complex infrastructure to Kubernetes</li> -->
-                    <li>将旧系统和复杂的基础设施迁移到库贝内特斯</li>
-                </ul>
-            </div>
-            <div class="bullet">
-                <!-- <h4>Results:</h4> -->
-                <h4>结果：</h4>
-                <ul>
-                    <!-- <li>20 percent of web tools that account for more than 40 percent of web traffic now run on Kubernetes</li> -->
-                    <li>占 Web 流量 40% 以上的 Web 工具的 20% 现在都在 Kubernetes 上运行</li>
-                    <!-- <li>A 25-node cluster that keeps up with each new Kubernetes release</li> -->
-                    <li>一个 25 节点集群可跟上每个新 Kubernetes 版本</li>
-                    <!-- <li>Thousands of lines of old code have been deleted, thanks to Kubernetes</li> -->
-                    <li>由于 Kubernetes 数千行旧代码被删除</li>
-                </ul>
-            </div>
-        </div>
-    </main>
-</section>
-
-<section class="details">
-    <main>
-        <div class="content">
-            <!-- <h4>Using Kubernetes to provide tools for maintaining wikis</h4> -->
-            <h4>使用 Kubernetes 提供维护 wiki 的工具</h4>
-            <p>
-                <!-- Wikimedia Tool Labs is run by a staff of four-and-a-half paid employees and two volunteers. The infrastructure didn't make it easy or intuitive for developers to build bots and other tools to make wikis work more easily. Yuvi says, "It's incredibly chaotic. We have lots of Perl and Bash duct tape on top of it. Everything is super fragile." -->
-                Wikimedia 工具实验室由四名半付费员工和两名志愿者管理。基础架构无法使开发人员轻松或直观地构建机器人和其他工具，使 wiki 更易于工作。Yuvi说，“它非常混乱。我们有很多的 Perl 和 Bash 缠绕在上面。一切都是超级脆弱。”
-            </p>
-            <p>
-                <!-- To solve the problem, Wikimedia Tool Labs migrated parts of its infrastructure to Kubernetes, in preparation for eventually moving its entire system. Yuvi said Kubernetes greatly simplifies maintenance. The goal is to allow developers creating bots and other tools to use whatever development methods they want, but make it easier for the Wikimedia Tool Labs to maintain the required infrastructure for hosting and sharing them. -->
-                为了解决这个问题，Wikimedia 工具实验室将其部分基础设施迁移到了 Kubernetes，为最终迁移整个系统做准备。Yuvi 说，Kubernetes 大大简化了维护。目标是允许创建机器人和其他工具的开发人员使用他们想要的任何开发方法，但使 Wikimedia 工具实验室更容易维护托管和共享它们所需的基础结构。
-            </p>
-            <p>
-                <!-- "With Kubernetes, I've been able to remove a lot of our custom-made code, which makes everything easier to maintain. Our users' code also runs in a more stable way than previously," says Yuvi. -->
-                “借助 Kubernetes，我能够删除大量我们定制的代码，这使得所有内容更易于维护。我们的用户代码也以比以前更稳定的方式运行，” Yuvi 说。
-            </p>
-        </div>
-    </main>
-</section>
-
-<section class="details">
-    <main>
-        <div class="content">
-            <!-- <h4>Simplifying infrastructure and keeping wikis running better</h4> -->
-            <h4>简化基础架构让 wiki 更好地运行</h4>
-            <p>
-                <!-- Wikimedia Tool Labs has seen great success with the initial Kubernetes deployment. Old code is being simplified and eliminated, contributing developers don't have to change the way they write their tools and bots, and those tools and bots run in a more stable fashion than they have in the past. The paid staff and volunteers are able to better keep up with fixing issues. -->
-                Wikimedia 工具实验室在最初的 Kubernetes 部署中取得了巨大成功。旧代码正在被简化和消除，使开发人员不必改变他们编写工具和机器人的方式，这些工具和机器人的运行方式比过去更稳定。付费员工和志愿者能够更好地解决问题。
-            </p>
-            <p>
-                <!-- In the future, with a more complete migration to Kubernetes, Wikimedia Tool Labs expects to make it even easier to host and maintain the bots and tools that help run wikis across the world. The tool labs already host approximately 1,300 tools and bots from 800 volunteers, with many more being submitted every day. Twenty percent of the tool labs' web tools that account for more than 60 percent of web traffic now run on Kubernetes. The tool labs has a 25-node cluster that keeps up with each new Kubernetes release. Many existing web tools are migrating to Kubernetes. -->
-                将来，随着更完整的迁移到 Kubernetes，Wikimedia 工具实验室希望使托管和维护帮助在世界各地运行 wiki 的机器人和工具变得更加容易。该工具实验室已经托管了来自 800 名志愿者的大约 1300 个工具和机器人，每天提交更多工具和机器人。占 Web 流量 60% 以上的 20% 的工具实验室 Web 工具现在运行在 Kubernetes 上。该工具实验室有一个 25 节点群集，可跟上每个新的 Kubernetes 版本。许多现有的 Web 工具正在迁移到 Kubernetes。
-            </p>
-            <p>
-                <!-- "Our goal is to make sure that people all over the world can share knowledge as easily as possible. Kubernetes helps with that, by making it easier for wikis everywhere to have the tools they need to thrive," says Yuvi. -->
-                “我们的目标是确保世界各地的人们能够尽可能轻松地分享知识。Kubernetes 通过让世界各地的 wiki 更容易拥有蓬勃发展所需的工具，从而帮助到您，” Yuvi 说。
-            </p>
-        </div>
-    </main>
-</section>
diff --git a/content/zh/community/static/cncf-code-of-conduct.md b/content/zh/community/static/cncf-code-of-conduct.md
deleted file mode 100644
index 0c63979e3e13b..0000000000000
--- a/content/zh/community/static/cncf-code-of-conduct.md
+++ /dev/null
@@ -1,30 +0,0 @@
-<!-- Do not edit this file directly. Get the latest from
-     https://github.com/cncf/foundation/blob/master/code-of-conduct-languages/zh.md -->
-## 云原生计算基金会（CNCF）社区行为准则 1.0 版本
-
-### 贡献者行为准则
-
-作为这个项目的贡献者和维护者，为了建立一个开放和受欢迎的社区，我们保证尊重所有通过报告问题、发布功能请求、更新文档、提交拉取请求或补丁以及其他活动做出贡献的人员。
-
-我们致力于让参与此项目的每个人都不受骚扰，无论其经验水平、性别、性别认同和表达、性取向、残疾、个人外貌、体型、人种、种族、年龄、宗教或国籍等。
-
-不可接受的参与者行为包括：
-
--	使用性语言或图像
--	人身攻击
--	挑衅、侮辱或贬低性评论
--	公开或私下骚扰
--	未经明确许可，发布他人的私人信息，比如地址或电子邮箱
--	其他不道德或不专业的行为
-
-项目维护者有权利和责任删除、编辑或拒绝评论、提交、代码、维基编辑、问题和其他不符合本行为准则的贡献。通过采用本行为准则，项目维护者承诺将这些原则公平且一致地应用到这个项目管理的各个方面。不遵守或不执行行为准则的项目维护者可能被永久地从项目团队中移除。
-
-当个人代表项目或其社区时，本行为准则适用于项目空间和公共空间。
-
-如需举报侮辱、骚扰或其他不可接受的行为，您可发送邮件至 <conduct@kubernetes.io> 联系 [Kubernetes行为守则委员会](https://github.com/kubernetes/community/tree/master/committee-code-of-conduct)。其他事务请联系CNCF项目维护专员，或发送邮件至 <mishi@linux.com> 联系我们的调解员Mishi Choudhary。
-
-本行为准则改编自《贡献者契约》（ https://contributor-covenant.org ）1.2.0 版本，可在 https://contributor-covenant.org/version/1/2/0/ 查看。
-
-### CNCF 活动行为准则
-
-云原生计算基金会（CNCF）活动受 Linux 基金会《[行为准则](https://events.linuxfoundation.org/code-of-conduct/)》管辖，该行为准则可在活动页面获得。其旨在与上述政策兼容，且包括更多关于事件回应的细节。
\ No newline at end of file
diff --git a/content/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md b/content/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
deleted file mode 100644
index c06b1c54d77c7..0000000000000
--- a/content/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins.md
+++ /dev/null
@@ -1,302 +0,0 @@
----
-title: 网络插件
-content_type: concept
-weight: 10
----
-<!--
-title: Network Plugins
-content_type: concept
-weight: 10
--->
-
-
-<!-- overview -->
-
-<!--
-Network plugins in Kubernetes come in a few flavors:
-
-* CNI plugins: adhere to the [Container Network Interface](https://github.com/containernetworking/cni) (CNI) specification, designed for interoperability.
-  * Kubernetes follows the [v0.4.0](https://github.com/containernetworking/cni/blob/spec-v0.4.0/SPEC.md) release of the CNI specification.
-* Kubenet plugin: implements basic `cbr0` using the `bridge` and `host-local` CNI plugins
--->
-Kubernetes中的网络插件有几种类型：
-
-* CNI 插件：遵守[容器网络接口（Container Network Interface，CNI）](https://github.com/containernetworking/cni)
-  规范，其设计上偏重互操作性。
-  * Kubernetes 遵从 CNI 规范的
-    [v0.4.0](https://github.com/containernetworking/cni/blob/spec-v0.4.0/SPEC.md)
-    版本。
-* Kubenet 插件：使用 `bridge` 和 `host-local` CNI 插件实现了基本的 `cbr0`。
-
-<!-- body -->
-
-<!--
-## Installation
-
-The kubelet has a single default network plugin, and a default network common to the entire cluster. It probes for plugins when it starts up, remembers what it finds, and executes the selected plugin at appropriate times in the pod lifecycle (this is only true for Docker, as CRI manages its own CNI plugins). There are two Kubelet command line parameters to keep in mind when using plugins:
-
-* `cni-bin-dir`: Kubelet probes this directory for plugins on startup
-* `network-plugin`: The network plugin to use from `cni-bin-dir`.  It must match the name reported by a plugin probed from the plugin directory.  For CNI plugins, this is "cni".
--->
-## 安装
-
-kubelet 有一个单独的默认网络插件，以及一个对整个集群通用的默认网络。
-它在启动时探测插件，记住找到的内容，并在 Pod 生命周期的适当时间执行
-所选插件（这仅适用于 Docker，因为 CRI 管理自己的 CNI 插件）。
-在使用插件时，需要记住两个 kubelet 命令行参数：
-
-* `cni-bin-dir`： kubelet 在启动时探测这个目录中的插件
-* `network-plugin`： 要使用的网络插件来自 `cni-bin-dir`。
-  它必须与从插件目录探测到的插件报告的名称匹配。
-  对于 CNI 插件，其值为 "cni"。
-
-<!--
-## Network Plugin Requirements
-
-Besides providing the [`NetworkPlugin` interface](https://github.com/kubernetes/kubernetes/tree/{{< param "fullversion" >}}/pkg/kubelet/dockershim/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy.  The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables.  For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly.  If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.
-
-By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like Docker with a bridge) work correctly with the iptables proxy.
--->
-## 网络插件要求
-
-除了提供
-[`NetworkPlugin` 接口](https://github.com/kubernetes/kubernetes/tree/{{< param "fullversion" >}}/pkg/kubelet/dockershim/network/plugins.go)
-来配置和清理 Pod 网络之外，该插件还可能需要对 kube-proxy 的特定支持。
-iptables 代理显然依赖于 iptables，插件可能需要确保 iptables 能够监控容器的网络通信。
-例如，如果插件将容器连接到 Linux 网桥，插件必须将 `net/bridge/bridge-nf-call-iptables`
-系统参数设置为`1`，以确保 iptables 代理正常工作。
-如果插件不使用 Linux 网桥（而是类似于 Open vSwitch 或者其它一些机制），
-它应该确保为代理对容器通信执行正确的路由。
-
-默认情况下，如果未指定 kubelet 网络插件，则使用 `noop` 插件，
-该插件设置 `net/bridge/bridge-nf-call-iptables=1`，以确保简单的配置
-（如带网桥的 Docker ）与 iptables 代理正常工作。
-
-<!--
-### CNI
-
-The CNI plugin is selected by passing Kubelet the `--network-plugin=cni` command-line option.  Kubelet reads a file from `--cni-conf-dir` (default `/etc/cni/net.d`) and uses the CNI configuration from that file to set up each pod's network.  The CNI configuration file must match the [CNI specification](https://github.com/containernetworking/cni/blob/master/SPEC.md#network-configuration), and any required CNI plugins referenced by the configuration must be present in `--cni-bin-dir` (default `/opt/cni/bin`).
-
-If there are multiple CNI configuration files in the directory, the kubelet uses the configuration file that comes first by name in lexicographic order.
-
-In addition to the CNI plugin specified by the configuration file, Kubernetes requires the standard CNI [`lo`](https://github.com/containernetworking/plugins/blob/master/plugins/main/loopback/loopback.go) plugin, at minimum version 0.2.0
--->
-### CNI
-
-通过给 Kubelet 传递 `--network-plugin=cni` 命令行选项可以选择 CNI 插件。
-Kubelet 从 `--cni-conf-dir` （默认是 `/etc/cni/net.d`） 读取文件并使用
-该文件中的 CNI 配置来设置各个 Pod 的网络。
-CNI 配置文件必须与
-[CNI 规约](https://github.com/containernetworking/cni/blob/master/SPEC.md#network-configuration)
-匹配，并且配置所引用的所有所需的 CNI 插件都应存在于
-`--cni-bin-dir`（默认是 `/opt/cni/bin`）下。
-
-如果这个目录中有多个 CNI 配置文件，kubelet 将会使用按文件名的字典顺序排列
-的第一个作为配置文件。
-
-除了配置文件指定的 CNI 插件外，Kubernetes 还需要标准的 CNI
-[`lo`](https://github.com/containernetworking/plugins/blob/master/plugins/main/loopback/loopback.go)
-插件，最低版本是0.2.0。
-
-<!--
-#### Support hostPort
-
-The CNI networking plugin supports `hostPort`. You can use the official [portmap](https://github.com/containernetworking/plugins/tree/master/plugins/meta/portmap)
-plugin offered by the CNI plugin team or use your own plugin with portMapping functionality.
-
-If you want to enable `hostPort` support, you must specify `portMappings capability` in your `cni-conf-dir`.
-For example:
--->
-#### 支持 hostPort
-
-CNI 网络插件支持 `hostPort`。 你可以使用官方
-[portmap](https://github.com/containernetworking/plugins/tree/master/plugins/meta/portmap)
-插件，它由 CNI 插件团队提供，或者使用你自己的带有 portMapping 功能的插件。
-
-如果你想要启动 `hostPort` 支持，则必须在 `cni-conf-dir` 指定 `portMappings capability`。
-例如：
-
-```json
-{
-  "name": "k8s-pod-network",
-  "cniVersion": "0.3.0",
-  "plugins": [
-    {
-      "type": "calico",
-      "log_level": "info",
-      "datastore_type": "kubernetes",
-      "nodename": "127.0.0.1",
-      "ipam": {
-        "type": "host-local",
-        "subnet": "usePodCidr"
-      },
-      "policy": {
-        "type": "k8s"
-      },
-      "kubernetes": {
-        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
-      }
-    },
-    {
-      "type": "portmap",
-      "capabilities": {"portMappings": true}
-    }
-  ]
-}
-```
-
-<!--
-#### Support traffic shaping
-
-**Experimental Feature**
-
-The CNI networking plugin also supports pod ingress and egress traffic shaping. You can use the official [bandwidth](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth)
-plugin offered by the CNI plugin team or use your own plugin with bandwidth control functionality.
-
-If you want to enable traffic shaping support, you must add the `bandwidth` plugin to your CNI configuration file
-(default `/etc/cni/net.d`) and ensure that the binary is included in your CNI bin dir (default `/opt/cni/bin`).
--->
-#### 支持流量整形
-
-**实验功能**
-
-CNI 网络插件还支持 pod 入口和出口流量整形。
-你可以使用 CNI 插件团队提供的
-[bandwidth](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth)
-插件，也可以使用你自己的具有带宽控制功能的插件。
-
-如果你想要启用流量整形支持，你必须将 `bandwidth` 插件添加到 CNI 配置文件
-（默认是 `/etc/cni/net.d`）并保证该可执行文件包含在你的 CNI 的 bin
-文件夹内 (默认为 `/opt/cni/bin`)。
-
-```json
-{
-  "name": "k8s-pod-network",
-  "cniVersion": "0.3.0",
-  "plugins": [
-    {
-      "type": "calico",
-      "log_level": "info",
-      "datastore_type": "kubernetes",
-      "nodename": "127.0.0.1",
-      "ipam": {
-        "type": "host-local",
-        "subnet": "usePodCidr"
-      },
-      "policy": {
-        "type": "k8s"
-      },
-      "kubernetes": {
-        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
-      }
-    },
-    {
-      "type": "bandwidth",
-      "capabilities": {"bandwidth": true}
-    }
-  ]
-}
-```
-<!--
-Now you can add the `kubernetes.io/ingress-bandwidth` and `kubernetes.io/egress-bandwidth` annotations to your pod.
-For example:
--->
-现在，你可以将 `kubernetes.io/ingress-bandwidth` 和 `kubernetes.io/egress-bandwidth`
-注解添加到 pod 中。例如：
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  annotations:
-    kubernetes.io/ingress-bandwidth: 1M
-    kubernetes.io/egress-bandwidth: 1M
-...
-```
-
-<!--
-### kubenet
-
-Kubenet is a very basic, simple network plugin, on Linux only.  It does not, of itself, implement more advanced features like cross-node networking or network policy.  It is typically used together with a cloud provider that sets up routing rules for communication between nodes, or in single-node environments.
-
-Kubenet creates a Linux bridge named `cbr0` and creates a veth pair for each pod with the host end of each pair connected to `cbr0`.  The pod end of the pair is assigned an IP address allocated from a range assigned to the node either through configuration or by the controller-manager.  `cbr0` is assigned an MTU matching the smallest MTU of an enabled normal interface on the host.
-
-The plugin requires a few things:
-
-* The standard CNI `bridge`, `lo` and `host-local` plugins are required, at minimum version 0.2.0. Kubenet will first search for them in `/opt/cni/bin`. Specify `cni-bin-dir` to supply additional search path. The first found match will take effect.
-* Kubelet must be run with the `--network-plugin=kubenet` argument to enable the plugin
-* Kubelet should also be run with the `--non-masquerade-cidr=<clusterCidr>` argument to ensure traffic to IPs outside this range will use IP masquerade.
-* The node must be assigned an IP subnet through either the `--pod-cidr` kubelet command-line option or the `--allocate-node-cidrs=true -cluster-cidr=<cidr>` controller-manager command-line options.
--->
-### kubenet
-
-Kubenet 是一个非常基本的、简单的网络插件，仅适用于 Linux。
-它本身并不实现更高级的功能，如跨节点网络或网络策略。
-它通常与云驱动一起使用，云驱动为节点间或单节点环境中的通信设置路由规则。
-
-Kubenet 创建名为 `cbr0` 的网桥，并为每个 pod 创建了一个 veth 对，
-每个 Pod 的主机端都连接到 `cbr0`。
-这个 veth 对的 Pod 端会被分配一个 IP 地址，该 IP 地址隶属于节点所被分配的 IP
-地址范围内。节点的 IP 地址范围则通过配置或控制器管理器来设置。
-`cbr0` 被分配一个 MTU，该 MTU 匹配主机上已启用的正常接口的最小 MTU。
-
-使用此插件还需要一些其他条件：
-
-* 需要标准的 CNI `bridge`、`lo` 以及 `host-local` 插件，最低版本是0.2.0。
-  kubenet 首先在 `/opt/cni/bin` 中搜索它们。 指定 `cni-bin-dir` 以提供
-  其它搜索路径。首次找到的匹配将生效。
-* Kubelet 必须和 `--network-plugin=kubenet` 参数一起运行，才能启用该插件。
-* Kubelet 还应该和 `--non-masquerade-cidr=<clusterCidr>` 参数一起运行，
-  以确保超出此范围的 IP 流量将使用 IP 伪装。
-* 节点必须被分配一个 IP 子网，通过kubelet 命令行的 `--pod-cidr` 选项或
-  控制器管理器的命令行选项 `--allocate-node-cidrs=true --cluster-cidr=<cidr>`
-  来设置。
-
-<!--
-### Customizing the MTU (with kubenet)
-
-The MTU should always be configured correctly to get the best networking performance.  Network plugins will usually try
-to infer a sensible MTU, but sometimes the logic will not result in an optimal MTU.  For example, if the
-Docker bridge or another interface has a small MTU, kubenet will currently select that MTU.  Or if you are
-using IPSEC encapsulation, the MTU must be reduced, and this calculation is out-of-scope for
-most network plugins.
-
-Where needed, you can specify the MTU explicitly with the `network-plugin-mtu` kubelet option.  For example,
-on AWS the `eth0` MTU is typically 9001, so you might specify `--network-plugin-mtu=9001`.  If you're using IPSEC you
-might reduce it to allow for encapsulation overhead e.g. `--network-plugin-mtu=8873`.
-
-This option is provided to the network-plugin; currently **only kubenet supports `network-plugin-mtu`**.
--->
-### 自定义 MTU（使用 kubenet）
-
-要获得最佳的网络性能，必须确保 MTU 的取值配置正确。
-网络插件通常会尝试推断出一个合理的 MTU，但有时候这个逻辑不会产生一个最优的 MTU。
-例如，如果 Docker 网桥或其他接口有一个小的 MTU, kubenet 当前将选择该 MTU。
-或者如果你正在使用 IPSEC 封装，则必须减少 MTU，并且这种计算超出了大多数网络插件的能力范围。
-
-如果需要，你可以使用 `network-plugin-mtu` kubelet 选项显式的指定 MTU。
-例如：在 AWS 上 `eth0` MTU 通常是 9001，因此你可以指定 `--network-plugin-mtu=9001`。
-如果你正在使用 IPSEC ，你可以减少它以允许封装开销，例如 `--network-plugin-mtu=8873`。
-
-此选项会传递给网络插件； 当前 **仅 kubenet 支持 `network-plugin-mtu`**。
-
-<!--
-## Usage Summary
-
-* `--network-plugin=cni` specifies that we use the `cni` network plugin with actual CNI plugin binaries located in `--cni-bin-dir` (default `/opt/cni/bin`) and CNI plugin configuration located in `--cni-conf-dir` (default `/etc/cni/net.d`).
-* `--network-plugin=kubenet` specifies that we use the `kubenet` network plugin with CNI `bridge`, `lo` and `host-local` plugins placed in `/opt/cni/bin` or `cni-bin-dir`.
-* `--network-plugin-mtu=9001` specifies the MTU to use, currently only used by the `kubenet` network plugin.
--->
-## 用法总结
-
-* `--network-plugin=cni` 用来表明我们要使用 `cni` 网络插件，实际的 CNI 插件
-  可执行文件位于 `--cni-bin-dir`（默认是 `/opt/cni/bin`）下， CNI 插件配置位于
-  `--cni-conf-dir`（默认是 `/etc/cni/net.d`）下。
-* `--network-plugin=kubenet` 用来表明我们要使用 `kubenet` 网络插件，CNI `bridge`，`lo`
-  和 `host-local` 插件位于 `/opt/cni/bin` 或 `cni-bin-dir` 中。
-* `--network-plugin-mtu=9001` 指定了我们使用的 MTU，当前仅被 `kubenet` 网络插件使用。
-
-## {{% heading "whatsnext" %}}
-
-
-
diff --git a/content/zh/docs/concepts/scheduling-eviction/resource-bin-packing.md b/content/zh/docs/concepts/scheduling-eviction/resource-bin-packing.md
deleted file mode 100644
index 6b25f6f80f509..0000000000000
--- a/content/zh/docs/concepts/scheduling-eviction/resource-bin-packing.md
+++ /dev/null
@@ -1,272 +0,0 @@
----
-title: 扩展资源的资源装箱
-content_type: concept
-weight: 80
----
-<!--
----
-reviewers:
-- bsalamat
-- k82cn
-- ahg-g
-title: Resource Bin Packing for Extended Resources
-content_type: concept
-weight: 80
----
--->
-
-<!-- overview -->
-
-{{< feature-state for_k8s_version="1.16" state="alpha" >}}
-
-<!--
-The kube-scheduler can be configured to enable bin packing of resources along with extended resources using `RequestedToCapacityRatioResourceAllocation` priority function. Priority functions can be used to fine-tune the kube-scheduler as per custom needs.
--->
-
-使用 `RequestedToCapacityRatioResourceAllocation` 优先级函数，可以将 kube-scheduler
-配置为支持包含扩展资源在内的资源装箱操作。
-优先级函数可用于根据自定义需求微调 kube-scheduler 。
-
-<!-- body -->
-
-<!--
-## Enabling Bin Packing using RequestedToCapacityRatioResourceAllocation
-
-Kubernetes allows the users to specify the resources along with weights for
-each resource to score nodes based on the request to capacity ratio. This
-allows users to bin pack extended resources by using appropriate parameters
-and improves the utilization of scarce resources in large clusters. The
-behavior of the `RequestedToCapacityRatioResourceAllocation` priority function
-can be controlled by a configuration option called `RequestedToCapacityRatioArgs`. 
-This argument consists of two parameters `shape` and `resources`. The `shape` 
-parameter allows the user to tune the function as least requested or most 
-requested based on `utilization` and `score` values.  The `resources` parameter 
-consists of `name` of the resource to be considered during scoring and `weight` 
-specify the weight of each resource.
-
--->
-
-## 使用 RequestedToCapacityRatioResourceAllocation 启用装箱
-
-Kubernetes 允许用户指定资源以及每类资源的权重，
-以便根据请求数量与可用容量之比率为节点评分。
-这就使得用户可以通过使用适当的参数来对扩展资源执行装箱操作，从而提高了大型集群中稀缺资源的利用率。
-`RequestedToCapacityRatioResourceAllocation` 优先级函数的行为可以通过名为
-`RequestedToCapacityRatioArgs` 的配置选项进行控制。
-该标志由两个参数 `shape` 和 `resources` 组成。
-`shape` 允许用户根据 `utilization` 和 `score` 值将函数调整为
-最少请求（least requested）或最多请求（most requested）计算。
-`resources` 包含由 `name` 和  `weight` 组成，`name` 指定评分时要考虑的资源，
-`weight` 指定每种资源的权重。
-
-<!--
-Below is an example configuration that sets
-`requestedToCapacityRatioArguments` to bin packing behavior for extended
-resources `intel.com/foo` and `intel.com/bar`.
--->
-
-以下是一个配置示例，该配置将 `requestedToCapacityRatioArguments` 设置为对扩展资源
-`intel.com/foo` 和 `intel.com/bar` 的装箱行为
-
-```yaml
-apiVersion: kubescheduler.config.k8s.io/v1beta3
-kind: KubeSchedulerConfiguration
-profiles:
-# ...
-  pluginConfig:
-  - name: RequestedToCapacityRatio
-    args: 
-      shape:
-      - utilization: 0
-        score: 10
-      - utilization: 100
-        score: 0
-      resources:
-      - name: intel.com/foo
-        weight: 3
-      - name: intel.com/bar
-        weight: 5
-```
-
-<!--
-Referencing the `KubeSchedulerConfiguration` file with the kube-scheduler 
-flag `--config=/path/to/config/file` will pass the configuration to the 
-scheduler.
--->
-使用 kube-scheduler 标志 `--config=/path/to/config/file` 
-引用 `KubeSchedulerConfiguration` 文件将配置传递给调度器。
-
-<!--
-**This feature is disabled by default**
--->
-
-**默认情况下此功能处于被禁用状态**
-
-<!--
-### Tuning RequestedToCapacityRatioResourceAllocation Priority Function
-
-`shape` is used to specify the behavior of the `RequestedToCapacityRatioPriority` function.
--->
-### 调整 RequestedToCapacityRatioResourceAllocation 优先级函数
-
-`shape` 用于指定 `RequestedToCapacityRatioPriority` 函数的行为。
-
-```yaml
-shape:
- - utilization: 0
-   score: 0
- - utilization: 100
-   score: 10
-```
-
-<!--
-The above arguments give the node a score of 0 if utilization is 0% and 10 for utilization 100%, thus enabling bin packing behavior. To enable least requested the score value must be reversed as follows.
--->
-
-上面的参数在 `utilization` 为 0% 时给节点评分为 0，在 `utilization` 为
-100% 时给节点评分为 10，因此启用了装箱行为。
-要启用最少请求（least requested）模式，必须按如下方式反转得分值。
-
-```yaml
- shape:
-  - utilization: 0
-    score: 10
-  - utilization: 100
-    score: 0
-```
-
-<!--
-`resources` is an optional parameter which by defaults is set to:
--->
-`resources` 是一个可选参数，默认情况下设置为：
-
-``` yaml
-resources:
-  - name: cpu
-    weight: 1
-  - name: memory
-    weight: 1
-```
-
-<!--
-It can be used to add extended resources as follows:
--->
-它可以用来添加扩展资源，如下所示：
-
-```yaml
-resources:
-  - name: intel.com/foo
-    weight: 5
-  - name: cpu
-    weight: 3
-  - name: memory
-    weight: 1
-```
-
-<!--
-The weight parameter is optional and is set to 1 if not specified. Also, the weight cannot be set to a negative value.
--->
-weight 参数是可选的，如果未指定，则设置为 1。
-同时，weight 不能设置为负值。
-
-<!--
-### Node scoring for capacity allocation
-
-This section is intended for those who want to understand the internal details
-of this feature.
-Below is an example of how the node score is calculated for a given set of values.
--->
-
-### 节点容量分配的评分
-
-本节适用于希望了解此功能的内部细节的人员。
-以下是如何针对给定的一组值来计算节点得分的示例。
-
-```
-请求的资源
-
-intel.com/foo : 2
-memory: 256MB
-cpu: 2
-
-资源权重
-
-intel.com/foo : 5
-memory: 1
-cpu: 3
-
-FunctionShapePoint {{0, 0}, {100, 10}}
-
-节点 Node 1 配置
-
-可用：
-  intel.com/foo : 4
-  memory : 1 GB
-  cpu: 8
-
-已用：
-  intel.com/foo: 1
-  memory: 256MB
-  cpu: 1
-
-节点得分：
-
-intel.com/foo  = resourceScoringFunction((2+1),4)
-               = (100 - ((4-3)*100/4)
-               = (100 - 25)
-               = 75
-               = rawScoringFunction(75)
-               = 7
-
-memory         = resourceScoringFunction((256+256),1024)
-               = (100 -((1024-512)*100/1024))
-               = 50
-               = rawScoringFunction(50)
-               = 5
-
-cpu            = resourceScoringFunction((2+1),8)
-               = (100 -((8-3)*100/8))
-               = 37.5
-               = rawScoringFunction(37.5)
-               = 3
-
-NodeScore   =  (7 * 5) + (5 * 1) + (3 * 3) / (5 + 1 + 3)
-            =  5
-
-
-节点 Node 2 配置
-
-可用：
-  intel.com/foo: 8
-  memory: 1GB
-  cpu: 8
-
-已用：
-  intel.com/foo: 2
-  memory: 512MB
-  cpu: 6
-
-节点得分：
-
-intel.com/foo  = resourceScoringFunction((2+2),8)
-               = (100 - ((8-4)*100/8)
-               = (100 - 50)
-               = 50
-               = rawScoringFunction(50)
-               = 5
-
-memory         = resourceScoringFunction((256+512),1024)
-               = (100 -((1024-768)*100/1024))
-               = 75
-               = rawScoringFunction(75)
-               = 7
-
-cpu            = resourceScoringFunction((2+6),8)
-               = (100 -((8-8)*100/8))
-               = 100
-               = rawScoringFunction(100)
-               = 10
-
-NodeScore   =  (5 * 5) + (7 * 1) + (10 * 3) / (5 + 1 + 3)
-            =  7
-```
diff --git a/content/zh/docs/concepts/security/pod-security-standards.md b/content/zh/docs/concepts/security/pod-security-standards.md
deleted file mode 100644
index e2e6d7890f008..0000000000000
--- a/content/zh/docs/concepts/security/pod-security-standards.md
+++ /dev/null
@@ -1,966 +0,0 @@
----
-title: Pod 安全性标准
-content_type: concept
-weight: 10
----
-<!--
-reviewers:
-- tallclair
-title: Pod Security Standards
-content_type: concept
-weight: 10
--->
-
-<!-- overview -->
-
-<!--
-The Pod Security Standards define three different _policies_ to broadly cover the security
-spectrum. These policies are _cumulative_ and range from highly-permissive to highly-restrictive.
-This guide outlines the requirements of each policy.
-
-| Profile | Description |
-| ------ | ----------- |
-| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. |
-| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. |
-| <strong style="white-space: nowrap">Restricted</strong> | Heavily restricted policy, following current Pod hardening best practices. |
--->
-Pod 安全性标准定义了三种不同的 _策略（Policy）_，以广泛覆盖安全应用场景。
-这些策略是 _渐进式的（Cumulative）_，安全级别从高度宽松至高度受限。
-本指南概述了每个策略的要求。
-
-| Profile | 描述 |
-| ------ | ----------- |
-| <strong style="white-space: nowrap">Privileged</strong> | 不受限制的策略，提供最大可能范围的权限许可。此策略允许已知的特权提升。 |
-| <strong style="white-space: nowrap">Baseline</strong> | 限制性最弱的策略，禁止已知的策略提升。允许使用默认的（规定最少）Pod 配置。 |
-| <strong style="white-space: nowrap">Restricted</strong> | 限制性非常强的策略，遵循当前的保护 Pod 的最佳实践。 |
-
-<!-- body -->
-
-<!--
-## Profile Details
-
-### Privileged
--->
-## Profile 细节    {#profile-details}
-
-### Privileged
-
-<!--
-**The _Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is
-typically aimed at system- and infrastructure-level workloads managed by privileged, trusted users.
-
-The privileged policy is defined by an absence of restrictions. For allow-by-default enforcement
-mechanisms (such as gatekeeper), the privileged profile may be an absence of applied constraints
-rather than an instantiated policy. In contrast, for a deny-by-default mechanism (such as Pod
-Security Policy) the privileged policy should enable all controls (disable all restrictions).
--->
-**_Privileged_ 策略是有目的地开放且完全无限制的策略。**
-此类策略通常针对由特权较高、受信任的用户所管理的系统级或基础设施级负载。
-
-Privileged 策略定义中限制较少。对于默认允许（Allow-by-default）实施机制（例如 gatekeeper），
-Privileged 框架可能意味着不应用任何约束而不是实施某策略实例。
-与此不同，对于默认拒绝（Deny-by-default）实施机制（如 Pod 安全策略）而言，
-Privileged 策略应该默认允许所有控制（即，禁止所有限制）。
-
-### Baseline
-
-<!--
-**The _Baseline_ policy is aimed at ease of adoption for common containerized workloads while
-preventing known privilege escalations.** This policy is targeted at application operators and
-developers of non-critical applications. The following listed controls should be
-enforced/disallowed:
--->
-**_Baseline_ 策略的目标是便于常见的容器化应用采用，同时禁止已知的特权提升。**
-此策略针对的是应用运维人员和非关键性应用的开发人员。
-下面列举的控制应该被实施（禁止）：
-
-{{< note >}}
-<!--
-In this table, wildcards (`*`) indicate all elements in a list. For example,
-`spec.containers[*].securityContext` refers to the Security Context object for _all defined
-containers_. If any of the listed containers fails to meet the requirements, the entire pod will
-fail validation.
--->
-在下述表格中，通配符（`*`）意味着一个列表中的所有元素。
-例如 `spec.containers[*].securityContext` 表示 _所定义的所有容器_ 的安全性上下文对象。
-如果所列出的任一容器不能满足要求，整个 Pod 将无法通过校验。
-{{< /note >}}
-
-<table>
-	<!-- caption style="display:none">Baseline policy specification</caption -->
-	<caption style="display:none">Baseline 策略规范</caption>
-	<tbody>
-		<tr>
-			<td>控制（Control）</td>
-			<td>策略（Policy）</td>
-		</tr>
-    <tr>
-			<!-- <td style="white-space: nowrap">HostProcess</td> -->
-      <td style="white-space: nowrap">HostProcess</td>
-      <!-- <td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an <strong>alpha</strong> feature as of Kubernetes <strong>v1.22</strong>.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td> -->
-			<td>
-				<p>Windows Pod 提供了运行
-         <a href="/zh/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess 容器</a> 的能力，
-         这使得对 Windows 节点的特权访问成为可能。 
-         基线策略中对宿主的特权访问是被禁止的。 
-         HostProcess Pod 是 Kubernetes <strong>v1.22</strong> 版本的
-          <strong>alpha</strong> 特性。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">Host Namespaces</td> -->
-			<td style="white-space: nowrap">宿主名字空间</td>
-			<!-- 
-      <td>
-				<p>Sharing the host namespaces must be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.hostNetwork</code></li>
-					<li><code>spec.hostPID</code></li>
-					<li><code>spec.hostIPC</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-      -->
-			<td>
-        <p>必须禁止共享宿主名字空间。</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.hostNetwork</code></li>
-					<li><code>spec.hostPID</code></li>
-					<li><code>spec.hostIPC</code></li>
-				</ul>
-        <p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">Privileged Containers</td> -->
-			<td style="white-space: nowrap">特权容器</td>
-			<!-- <td>
-				<p>Privileged Pods disable most security mechanisms and must be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.privileged</code></li>
-					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>特权 Pod 关闭了大多数安全性机制，必须被禁止。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.privileged</code></li>
-					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">Capabilities</td> -->
-			<td style="white-space: nowrap">权能</td>
-			<!-- <td>
-				<p>Adding additional capabilities beyond those listed below must be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>AUDIT_WRITE</code></li>
-					<li><code>CHOWN</code></li>
-					<li><code>DAC_OVERRIDE</code></li>
-					<li><code>FOWNER</code></li>
-					<li><code>FSETID</code></li>
-					<li><code>KILL</code></li>
-					<li><code>MKNOD</code></li>
-					<li><code>NET_BIND_SERVICE</code></li>
-					<li><code>SETFCAP</code></li>
-					<li><code>SETGID</code></li>
-					<li><code>SETPCAP</code></li>
-					<li><code>SETUID</code></li>
-					<li><code>SYS_CHROOT</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>必须禁止添加除下列字段之外的权能。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>AUDIT_WRITE</code></li>
-					<li><code>CHOWN</code></li>
-					<li><code>DAC_OVERRIDE</code></li>
-					<li><code>FOWNER</code></li>
-					<li><code>FSETID</code></li>
-					<li><code>KILL</code></li>
-					<li><code>MKNOD</code></li>
-					<li><code>NET_BIND_SERVICE</code></li>
-					<li><code>SETFCAP</code></li>
-					<li><code>SETGID</code></li>
-					<li><code>SETPCAP</code></li>
-					<li><code>SETUID</code></li>
-					<li><code>SYS_CHROOT</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">HostPath Volumes</td>-->
-			<td style="white-space: nowrap">HostPath 卷</td>
-			<!-- <td>
-				<p>HostPath volumes must be forbidden.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.volumes[*].hostPath</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-				</ul>
-			</td> -->
-			<td>
-        <p>必须禁止 HostPath 卷。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.volumes[*].hostPath</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">Host Ports</td> -->
-			<td style="white-space: nowrap">宿主端口</td>
-			<!-- <td>
-				<p>HostPorts should be disallowed, or at minimum restricted to a known list.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].ports[*].hostPort</code></li>
-					<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
-					<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li>Known list</li>
-					<li><code>0</code></li>
-				</ul>
-			</td>-->
-			<td>
-        <p>应禁止使用宿主端口，或者至少限定为已知列表。</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].ports[*].hostPort</code></li>
-					<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
-					<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li>已知列表</li>
-					<li><code>0</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">AppArmor</td> -->
-			<td style="white-space: nowrap">AppArmor</td>
-			<!-- <td>
-				<p>On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>runtime/default</code></li>
-					<li><code>localhost/*</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>在受支持的主机上，默认使用 <code>runtime/default</code> AppArmor Profile。
-				基线策略应避免覆盖或者禁用默认策略，以及限制覆盖一些 Profile 集合的权限。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>runtime/default</code></li>
-					<li><code>localhost/*</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">SELinux</td> -->
-			<td style="white-space: nowrap">SELinux</td>
-			<!-- <td>
-				<p>Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/""</li>
-					<li><code>container_t</code></li>
-					<li><code>container_init_t</code></li>
-					<li><code>container_kvm_t</code></li>
-				</ul>
-				<hr />
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/""</li>
-				</ul>
-			</td>-->
-			<td>
-        <p>设置 SELinux 类型的操作是被限制的，设置自定义的 SELinux 用户或角色选项是被禁止的。</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/""</li>
-					<li><code>container_t</code></li>
-					<li><code>container_init_t</code></li>
-					<li><code>container_kvm_t</code></li>
-				</ul>
-				<hr />
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/""</li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap"><code>/proc</code> Mount Type</td> -->
-			<td style="white-space: nowrap"><code>/proc</code> 挂载类型</td>
-			<!-- <td>
-				<p>The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.procMount</code></li>
-					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>Default</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.procMount</code></li>
-					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>Default</code></li>
-				</ul>
-			</td>
-		</tr>
-    <tr>
-  			<td>Seccomp</td>
-  			<!-- <td>
-  				<p>Seccomp profile must not be explicitly set to <code>Unconfined</code>.</p>
-  				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.type</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>RuntimeDefault</code></li>
-					<li><code>Localhost</code></li>
-				</ul>
-  			</td> -->
-        <td>
-  				<p>Seccomp Profile 禁止被显式设置为 <code>Unconfined</code>。</p>
-  				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.type</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>RuntimeDefault</code></li>
-					<li><code>Localhost</code></li>
-				</ul>
-  			</td>
-  		</tr>
-		<tr>
-			<td>Sysctls</td>
-			<!-- <td>
-				<p>Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.sysctls[*].name</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>kernel.shm_rmid_forced</code></li>
-					<li><code>net.ipv4.ip_local_port_range</code></li>
-					<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
-					<li><code>net.ipv4.tcp_syncookies</code></li>
-					<li><code>net.ipv4.ping_group_range</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>Sysctls 可以禁用安全机制或影响宿主上所有容器，因此除了若干“安全”的子集之外，应该被禁止。
-				如果某 sysctl 是受容器或 Pod 的名字空间限制，且与节点上其他 Pod 或进程相隔离，可认为是安全的。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.sysctls[*].name</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>kernel.shm_rmid_forced</code></li>
-					<li><code>net.ipv4.ip_local_port_range</code></li>
-					<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
-					<li><code>net.ipv4.tcp_syncookies</code></li>
-					<li><code>net.ipv4.ping_group_range</code></li>
-				</ul>
-			</td>
-		</tr>
-	</tbody>
-</table>
-
-### Restricted
-
-<!--
-**The _Restricted_ policy is aimed at enforcing current Pod hardening best practices, at the
-expense of some compatibility.** It is targeted at operators and developers of security-critical
-applications, as well as lower-trust users. The following listed controls should be
-enforced/disallowed:
-
-In this table, wildcards (`*`) indicate all elements in a list. For example, 
-`spec.containers[*].securityContext` refers to the Security Context object for _all defined
-containers_. If any of the listed containers fails to meet the requirements, the entire pod will
-fail validation.
--->
-**_Restricted_ 策略旨在实施当前保护 Pod 的最佳实践，尽管这样作可能会牺牲一些兼容性。**
-该类策略主要针对运维人员和安全性很重要的应用的开发人员，以及不太被信任的用户。
-下面列举的控制需要被实施（禁止）：
-
-{{< note >}}
-在下述表格中，通配符（`*`）意味着一个列表中的所有元素。
-例如 `spec.containers[*].securityContext` 表示 _所定义的所有容器_ 的安全性上下文对象。
-如果所列出的任一容器不能满足要求，整个 Pod 将无法通过校验。
-{{< /note >}}
-
-<table>
-	<!-- caption style="display:none">Restricted policy specification</caption -->
-	<caption style="display:none">Restricted 策略规范</caption>
-	<tbody>
-		<tr>
-			<!-- td><strong>Control</strong></td -->
-			<td width="30%"><strong>控制（Control）</strong></td>
-			<!-- td><strong>Policy</strong></td -->
-			<td><strong>策略（Policy）</strong></td>
-		</tr>
-		<tr>
-			<!-- <td colspan="2"><em>Everything from the baseline profile.</em></td> -->
-			<td colspan="2"><em>基线策略的所有要求。</em></td>
-		</tr>
-		<tr>
-      <!-- <td style="white-space: nowrap">Volume Types</td>
-			<td>
-				<p>In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.volumes[*]</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				Every item in the <code>spec.volumes[*]</code> list must set one of the following fields to a non-null value:
-				<ul>
-					<li><code>spec.volumes[*].configMap</code></li>
-					<li><code>spec.volumes[*].csi</code></li>
-					<li><code>spec.volumes[*].downwardAPI</code></li>
-					<li><code>spec.volumes[*].emptyDir</code></li>
-					<li><code>spec.volumes[*].ephemeral</code></li>
-					<li><code>spec.volumes[*].persistentVolumeClaim</code></li>
-					<li><code>spec.volumes[*].projected</code></li>
-					<li><code>spec.volumes[*].secret</code></li>
-				</ul>
-			</td> -->
-			<td>卷类型</td>
-			<td>
-        <p>除了限制 HostPath 卷之外，此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.volumes[*]</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<code>spec.volumes[*]</code> 列表中的每个条目必须将下面字段之一设置为非空值：
-				<ul>
-					<li><code>spec.volumes[*].configMap</code></li>
-					<li><code>spec.volumes[*].csi</code></li>
-					<li><code>spec.volumes[*].downwardAPI</code></li>
-					<li><code>spec.volumes[*].emptyDir</code></li>
-					<li><code>spec.volumes[*].ephemeral</code></li>
-					<li><code>spec.volumes[*].persistentVolumeClaim</code></li>
-					<li><code>spec.volumes[*].projected</code></li>
-					<li><code>spec.volumes[*].secret</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-      <!-- <td style="white-space: nowrap">Privilege Escalation (v1.8+)</td>
-			<td>
-				<p>Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
-					<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li><code>false</code></li>
-				</ul>
-			</td> -->
-			<td style="white-space: nowrap">特权提升（v1.8+）</td>
-			<td>
-        <p>禁止（通过 SetUID 或 SetGID 文件模式）获得特权提升。</p>
-				<br>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
-					<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-      <!-- <td style="white-space: nowrap">Running as Non-root</td> -->
-			<td style="white-space: nowrap">以非 root 账号运行 </td>
-      <!-- <td>
-				<p>Containers must be required to run as non-root users.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.runAsNonRoot</code></li>
-					<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
-					<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li><code>true</code></li>
-				</ul>
-				<small>
-					The container fields may be undefined/<code>nil</code> if the pod-level
-					<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.
-				</small>
-			</td> -->
-			<td>
-        <p>必须要求容器以非 root 用户运行。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.runAsNonRoot</code></li>
-					<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
-					<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li><code>true</code></li>
-				</ul>
-				<small>
-					如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 
-          <code>true</code>，则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>。
-				</small>
-			</td>
-		</tr>
-		<tr>
-			<!-- <td style="white-space: nowrap">Running as Non-root user (v1.23+)</td> -->
-			<td style="white-space: nowrap">非 root 用户（v1.23+）</td>
-			<td>
-				<!--
-				<p>Containers must not set <tt>runAsUser</tt> to 0</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.runAsUser</code></li>
-					<li><code>spec.containers[*].securityContext.runAsUser</code></li>
-					<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>any non-zero value</li>
-					<li><code>undefined/null</code></li>
-				</ul>
-			</td> -->
-				<p>Containers 不可以将 <tt>runAsUser</tt> 设置为 0</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.runAsUser</code></li>
-					<li><code>spec.containers[*].securityContext.runAsUser</code></li>
-					<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
-				</ul>
-				<p><strong>允许的字段</strong></p>
-				<ul>
-					<li>any non-zero value</li>
-					<li><code>未定义/空值</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Seccomp (v1.19+)</td>
-			<td>
-				<!-- <td>
-  				<p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.</p>
-  				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.type</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li><code>RuntimeDefault</code></li>
-					<li><code>Localhost</code></li>
-				</ul>
-				<small>
-					The container fields may be undefined/<code>nil</code> if the pod-level
-					<code>spec.securityContext.seccompProfile.type</code> field is set appropriately.
-					Conversely, the pod-level field may be undefined/<code>nil</code> if _all_ container-
-					level fields are set.
-				</small>
-  			</td> -->
-        <p>Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> 
-        Profile 或者指定 <em>不存在的</em> Profile。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.type</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li><code>RuntimeDefault</code></li>
-					<li><code>Localhost</code></li>
-				</ul>
-				<small>
-					如果 Pod 级别的 <code>spec.securityContext.seccompProfile.type</code> 
-          已设置得当，容器级别的安全上下文字段可以为 未定义/<code>nil</code>。
-          反过来说，如果 _所有的_ 容器级别的安全上下文字段已设置，则 Pod 级别的字段可为 未定义/<code>nil</code>。 
-				</small>
-			</td>
-		</tr>
-    <tr>
-			<!-- <td style="white-space: nowrap">Capabilities (v1.22+)</td> -->
-      <td style="white-space: nowrap">权能（v1.22+）</td>
-      <!-- <td>
-				<p>
-					Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
-					the <code>NET_BIND_SERVICE</code> capability.
-				</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Any list of capabilities that includes <code>ALL</code></li>
-				</ul>
-				<hr />
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>NET_BIND_SERVICE</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>
-					容器组必须弃用 <code>ALL</code> 权能，并且只允许添加 <code>NET_BIND_SERVICE</code> 权能。
-				</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>包含 <code>ALL</code> 的任何一种权能列表。</li>
-				</ul>
-				<hr />
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li><code>NET_BIND_SERVICE</code></li>
-				</ul>
-			</td>
-		</tr>
-	</tbody>
-</table>
-
-<!--
-## Policy Instantiation
-
-Decoupling policy definition from policy instantiation allows for a common understanding and
-consistent language of policies across clusters, independent of the underlying enforcement
-mechanism.
-
-As mechanisms mature, they will be defined below on a per-policy basis. The methods of enforcement
-of individual policies are not defined here.
--->
-## 策略实例化   {#policy-instantiation}
-
-将策略定义从策略实例中解耦出来有助于形成跨集群的策略理解和语言陈述，
-以免绑定到特定的下层实施机制。
-
-随着相关机制的成熟，这些机制会按策略分别定义在下面。特定策略的实施方法不在这里定义。
-
-[**Pod 安全性准入控制器**](/zh/docs/concepts/security/pod-security-admission/)
-
-- {{< example file="security/podsecurity-privileged.yaml" >}}Privileged 名字空间{{< /example >}}
-- {{< example file="security/podsecurity-baseline.yaml" >}}Baseline 名字空间{{< /example >}}
-- {{< example file="security/podsecurity-restricted.yaml" >}}Restricted 名字空间{{< /example >}}
-
-[**PodSecurityPolicy**](/zh/docs/concepts/security/pod-security-policy/) （已弃用）
-
-- {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
-- {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
-- {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}
-
-<!--
-## FAQ
-
-### Why isn't there a profile between privileged and baseline?
--->
-## 常见问题    {#faq}
-
-### 为什么不存在介于 Privileged 和 Baseline 之间的策略类型
-
-<!--
-The three profiles defined here have a clear linear progression from most secure (restricted) to least
-secure (privileged), and cover a broad set of workloads. Privileges required above the baseline
-policy are typically very application specific, so we do not offer a standard profile in this
-niche. This is not to say that the privileged profile should always be used in this case, but that
-policies in this space need to be defined on a case-by-case basis.
-
-SIG Auth may reconsider this position in the future, should a clear need for other profiles arise.
--->
-这里定义的三种策略框架有一个明晰的线性递进关系，从最安全（Restricted）到最不安全，
-并且覆盖了很大范围的工作负载。特权要求超出 Baseline 策略者通常是特定于应用的需求，
-所以我们没有在这个范围内提供标准框架。
-这并不意味着在这样的情形下仍然只能使用 Privileged 框架，只是说处于这个范围的
-策略需要因地制宜地定义。
-
-SIG Auth 可能会在将来考虑这个范围的框架，前提是有对其他框架的需求。
-
-<!--
-### What's the difference between a security policy and a security context?
-
-[Security Contexts](/docs/tasks/configure-pod-container/security-context/) configure Pods and
-Containers at runtime. Security contexts are defined as part of the Pod and container specifications
-in the Pod manifest, and represent parameters to the container runtime.
--->
-### 安全策略与安全上下文的区别是什么？
-
-[安全上下文](/zh/docs/tasks/configure-pod-container/security-context/)在运行时配置 Pod
-和容器。安全上下文是在 Pod 清单中作为 Pod 和容器规约的一部分来定义的，所代表的是
-传递给容器运行时的参数。
-
-<!--
-Security profiles are control plane mechanisms to enforce specific settings in the Security Context,
-as well as other related parameters outside the Security Context. As of July 2021, 
-[Pod Security Policies](/docs/concepts/security/pod-security-policy/) are deprecated in favor of the
-built-in [Pod Security Admission Controller](/docs/concepts/security/pod-security-admission/). 
-
-Other alternatives for enforcing security profiles are being developed in the Kubernetes
-ecosystem, such as: 
-- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper).
-- [Kubewarden](https://github.com/kubewarden).
-- [Kyverno](https://kyverno.io/policies/pod-security/).
--->
-安全策略则是控制面用来对安全上下文以及安全性上下文之外的参数实施某种设置的机制。
-在 2020 年 7 月，
-[Pod 安全性策略](/zh/docs/concepts/security/pod-security-policy/)已被废弃，
-取而代之的是内置的 [Pod 安全性准入控制器](/zh/docs/concepts/security/pod-security-admission/)。
-
-Kubernetes 生态系统中还在开发一些其他的替代方案，例如
-- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)。
-- [Kubewarden](https://github.com/kubewarden)。
-- [Kyverno](https://kyverno.io/policies/pod-security/)。
-
-<!--
-### What profiles should I apply to my Windows Pods?
-
-Windows in Kubernetes has some limitations and differentiators from standard Linux-based
-workloads. Specifically, the Pod SecurityContext fields [have no effect on
-Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). As
-such, no standardized Pod Security profiles currently exists.
--->
-### 我应该为我的 Windows Pod 实施哪种框架？
-
-Kubernetes 中的 Windows 负载与标准的基于 Linux 的负载相比有一些局限性和区别。
-尤其是 Pod SecurityContext 字段
-[对 Windows 不起作用](/zh/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext)。
-因此，目前没有对应的标准 Pod 安全性框架。
-
-
-<!-- 
-If you apply the restricted profile for a Windows pod, this **may** have an impact on the pod
-at runtime. The restricted profile requires enforcing Linux-specific restrictions (such as seccomp
-profile, and disallowing privilege escalation). If the kubelet and / or its container runtime ignore
-these Linux-specific values, then the Windows pod should still work normally within the restricted
-profile. However, the lack of enforcement means that there is no additional restriction, for Pods
-that use Windows containers, compared to the baseline profile.
-
-The use of the HostProcess flag to create a HostProcess pod should only be done in alignment with the privileged policy. Creation of a Windows HostProcess pod is blocked under the baseline and restricted policies, so any HostProcess pod should be considered privileged.
--->
-
-如果你为一个 Windows Pod 应用了 Restricted 策略，**可能会** 对该 Pod 的运行时产生影响。
-Restricted 策略需要强制执行 Linux 特有的限制（如 seccomp Profile，并且禁止特权提升）。
-如果 kubelet 和/或其容器运行时忽略了 Linux 特有的值，那么应该不影响 Windows Pod 正常工作。
-然而，对于使用 Windows 容器的 Pod 来说，缺乏强制执行意味着相比于 Restricted 策略，没有任何额外的限制。
-
-你应该只在 Privileged 策略下使用 HostProcess 标志来创建 HostProcess Pod。
-在 Baseline 和 Restricted 策略下，创建 Windows HostProcess Pod 是被禁止的，
-因此任何 HostProcess Pod 都应该被认为是有特权的。
-
-<!--
-### What about sandboxed Pods?
-
-There is not currently an API standard that controls whether a Pod is considered sandboxed or
-not. Sandbox Pods may be identified by the use of a sandboxed runtime (such as gVisor or Kata
-Containers), but there is no standard definition of what a sandboxed runtime is.
-
-The protections necessary for sandboxed workloads can differ from others. For example, the need to
-restrict privileged permissions is lessened when the workload is isolated from the underlying
-kernel. This allows for workloads requiring heightened permissions to still be isolated.
-
-Additionally, the protection of sandboxed workloads is highly dependent on the method of
-sandboxing. As such, no single recommended policy is recommended for all sandboxed workloads.
--->
-### 沙箱（Sandboxed） Pod 怎么处理？
-
-现在还没有 API 标准来控制 Pod 是否被视作沙箱化 Pod。
-沙箱 Pod 可以通过其是否使用沙箱化运行时（如 gVisor 或 Kata Container）来辨别，不过
-目前还没有关于什么是沙箱化运行时的标准定义。
-
-沙箱化负载所需要的保护可能彼此各不相同。例如，当负载与下层内核直接隔离开来时，
-限制特权化操作的许可就不那么重要。这使得那些需要更多许可权限的负载仍能被有效隔离。
-
-此外，沙箱化负载的保护高度依赖于沙箱化的实现方法。
-因此，现在还没有针对所有沙箱化负载的建议策略。
diff --git a/content/zh/docs/contribute/_index.md b/content/zh/docs/contribute/_index.md
deleted file mode 100644
index 90615038e7f49..0000000000000
--- a/content/zh/docs/contribute/_index.md
+++ /dev/null
@@ -1,206 +0,0 @@
----
-content_type: concept
-title: 为 Kubernetes 文档出一份力
-linktitle: 贡献
-main_menu: true
-no_list: true
-weight: 80
-card:
-  name: contribute
-  weight: 10
-  title: 开始贡献
----
-<!--
----
-content_type: concept
-title: Contribute to Kubernetes docs
-linktitle: Contribute
-main_menu: true
-no_list: true
-weight: 80
-card:
-  name: contribute
-  weight: 10
-  title: Start contributing
----
--->
-
-<!-- overview -->
-
-<!--
-*Kubernetes welcomes improvements from all contributors, new and experienced!*
--->
-*Kubernetes 欢迎来自所有贡献者的改进，无论你是新人和有经验的贡献者！*
-
-<!--
-{{< note >}}
-To learn more about contributing to Kubernetes in general, see the
-[contributor documentation](https://www.kubernetes.dev/docs/).
-{{< /note >}}
--->
-{{< note >}}
-要了解有关为 Kubernetes 做出贡献的更多信息，请参阅
-[贡献者文档](https://www.kubernetes.dev/docs/).
-{{< /note >}}
-<!--
-This website is maintained by [Kubernetes SIG Docs](/docs/contribute/#get-involved-with-sig-docs).
-
-Kubernetes documentation contributors:
-
-- Improve existing content
-- Create new content
-- Translate the documentation
-- Manage and publish the documentation parts of the Kubernetes release cycle
-
-Kubernetes documentation welcomes improvements from all contributors, new and experienced!
--->
-
-本网站由 [Kubernetes SIG（特别兴趣小组） Docs](/zh/docs/contribute/#get-involved-with-SIG-Docs) 维护。
-
-Kubernetes 文档项目的贡献者:
-
-- 改进现有内容
-- 创建新内容
-- 翻译文档
-- 管理并发布 Kubernetes 周期性发行版的文档
-
-Kubernetes 文档欢迎来自各方贡献者的改进，无论新手还是高手！
-
-<!-- body -->
-
-<!-- 
-## Getting started
-
-Anyone can open an issue about documentation, or contribute a change with a
-pull request (PR) to the
-[`kubernetes/website` GitHub repository](https://github.com/kubernetes/website).
-You need to be comfortable with
-[git](https://git-scm.com/) and
-[GitHub](https://lab.github.com/)
-to work effectively in the Kubernetes community.
-
--->
-## 入门 {#getting-started}
-
-任何人都可以提出文档方面的问题（issue），或贡献一个变更，用拉取请求（PR）的方式提交到
-[GitHub 上的 `kubernetes/website` 仓库](https://github.com/kubernetes/website)。
-当然你需要熟练使用 [git](https://git-scm.com/) 和 [GitHub](https://lab.github.com/) 才能在 Kubernetes 社区中有效工作。
-<!-- 
-To get involved with documentation:
-
-1. Sign the CNCF [Contributor License Agreement](https://github.com/kubernetes/community/blob/master/CLA.md).
-1. Familiarize yourself with the [documentation repository](https://github.com/kubernetes/website)
-   and the website's [static site generator](https://gohugo.io).
-1. Make sure you understand the basic processes for
-   [opening a pull request](/docs/contribute/new-content/open-a-pr/) and
-   [reviewing changes](/docs/contribute/review/reviewing-prs/).
-
-Some tasks require more trust and more access in the Kubernetes organization.
-See [Participating in SIG Docs](/docs/contribute/participate/) for more details about
-roles and permissions.
--->
-如何参与文档编制:
-
-1. 签署 CNCF 的[贡献者许可协议](https://github.com/kubernetes/community/blob/master/CLA.md)。
-2. 熟悉[文档仓库](https://github.com/kubernetes/website)
-   和网站的[静态站点生成器](https://gohugo.io)。
-3. 确保理解
-   [发起 PR](/zh/docs/contribute/new-content/open-a-pr/) 和
-   [审查变更](/zh/docs/contribute/review/reviewing-prs/)的基本流程。
-
-有些任务要求 Kubernetes 组织内更高的信任级别和访问权限。
-阅读[参与 SIG Docs 工作](/zh/docs/contribute/participate/) ，获取角色和权限的更多细节。
-
-<!--
-## Your first contribution
-
-- Read the [Contribution overview](/docs/contribute/new-content/overview/) to
-  learn about the different ways you can contribute.
-- Check [`kubernetes/website` issues list](https://github.com/kubernetes/website/issues/)
-  for issues that make good entry points.
-- [Open a pull request using GitHub](/docs/contribute/new-content/open-a-pr/#changes-using-github)
-  to existing documentation and learn more about filing issues in GitHub.
-- [Review pull requests](/docs/contribute/review/reviewing-prs/) from other
-  Kubernetes community members for accuracy and language.
-- Read the Kubernetes [content](/docs/contribute/style/content-guide/) and
-  [style guides](/docs/contribute/style/style-guide/) so you can leave informed comments.
-- Learn about [page content types](/docs/contribute/style/page-content-types/)
-  and [Hugo shortcodes](/docs/contribute/style/hugo-shortcodes/).
--->
-## 第一次贡献 {#your-first-contribution}
-
-- 通读[贡献概述](/zh/docs/contribute/new-content/overview/)，了解参与贡献的不同方式。
-- 查看[`kubernetes/website` 问题列表](https://github.com/kubernetes/website/issues/)
-  ，检索最适合作为切入点的问题。
-- 在现有文档上，
-  [使用 GitHub 提交 PR ](/zh/docs/contribute/new-content/open-a-pr/#changes-using-github)，
-  掌握在 GitHub 上登记 Issue 的方法。
-- Kubernetes 社区其他成员会[评审 PR ](/zh/docs/contribute/review/reviewing-prs/)，
-  以确保文档精准和语言流畅。
-- 阅读 kubernetes 的[内容指南](/zh/docs/contribute/style/content-guide/)和
-  [风格指南](/zh/docs/contribute/style/style-guide/)，以发表有见地的评论。
-- 了解[页面内容类型](/zh/docs/contribute/style/page-content-types/)和 
-  [Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/)。
-
-<!--
-## Next steps
-
-- Learn to [work from a local clone](/docs/contribute/new-content/open-a-pr/#fork-the-repo)
-  of the repository.
-- Document [features in a release](/docs/contribute/new-content/new-features/).
-- Participate in [SIG Docs](/docs/contribute/participate/), and become a
-  [member or reviewer](/docs/contribute/participate/roles-and-responsibilities/).
-  
-- Start or help with a [localization](/docs/contribute/localization/).
--->
-## 下一步 {#next-teps}
-
-- 学习在仓库的[本地克隆中工作](/zh/docs/contribute/new-content/open-a-pr/#fork-the-repo)。
-- 为[发行版的特性](/zh/docs/contribute/new-content/new-features/)编写文档。
-- 加入 [SIG Docs](/zh/docs/contribute/participate/), 并成为[成员或评审者](/zh/docs/contribute/participate/roles-and-responsibilities/)。
-  
-- 开始或帮助[本地化](/zh/docs/contribute/localization/) 工作。
-
-<!--
-## Get involved with SIG Docs
-
-[SIG Docs](/docs/contribute/participate/) is the group of contributors who
-publish and maintain Kubernetes documentation and the website. Getting
-involved with SIG Docs is a great way for Kubernetes contributors (feature
-development or otherwise) to have a large impact on the Kubernetes project.
-
-SIG Docs communicates with different methods:
-
-- [Join `#sig-docs` on the Kubernetes Slack instance](https://slack.k8s.io/). Make sure to
-  introduce yourself!
-- [Join the `kubernetes-sig-docs` mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-docs),
-  where broader discussions take place and official decisions are recorded.
-- Join the [weekly SIG Docs video meeting](https://github.com/kubernetes/community/tree/master/sig-docs). Meetings are always announced on `#sig-docs` and added to the [Kubernetes community meetings calendar](https://calendar.google.com/calendar/embed?src=cgnt364vd8s86hr2phapfjc6uk%40group.calendar.google.com&ctz=America/Los_Angeles). You'll need to download the [Zoom client](https://zoom.us/download) or dial in using a phone.
--->
-## 参与 SIG Docs 工作 {#get-involved-with-SIG-Docs}
-
-[SIG Docs](/zh/docs/contribute/participate/) 是负责发布、维护 Kubernetes 文档的贡献者团体。
-参与 SIG Docs 是 Kubernetes 贡献者（开发者和其他人员）对 Kubernetes 项目产生重大影响力的好方式。
-
-SIG Docs 的几种沟通方式:
-
-- [加入 Kubernetes 在 Slack 上的`#sig-docs` 频道](https://slack.k8s.io/)。
-  一定记得自我介绍!
-- [加入`kubernetes-sig-docs` 邮件列表](https://groups.google.com/forum/#!forum/kubernetes-sig-docs),
-  这里有更广泛的讨论，和官方决策的记录。
-- 参加 [SIG Docs 的每周视频会议](https://github.com/kubernetes/community/tree/master/sig-docs)。会议总是在 `#sig-docs` 上发出公告，同时添加到 
-  [Kubernetes社区会议日历](https://calendar.google.com/calendar/embed?src=cgnt364vd8s86hr2phapfjc6uk%40group.calendar.google.com&ctz=America/Los_Angeles)。
-  你需要下载 [Zoom 客户端软件](https://zoom.us/download)，或电话拨号接入。
-
-<!--
-## Other ways to contribute
-
-- Visit the [Kubernetes community site](/community/). Participate on Twitter or Stack Overflow, learn about local Kubernetes meetups and events, and more.
-- Read the [contributor cheatsheet](https://github.com/kubernetes/community/tree/master/contributors/guide/contributor-cheatsheet) to get involved with Kubernetes feature development.
-- Submit a [blog post or case study](/docs/contribute/new-content/blogs-case-studies/).
--->
-## 其他贡献方式 {#other-ways-to-contribute}
-
-- 访问 [Kubernetes 社区网站](/zh/community/)。 参与 Twitter 或 Stack Overflow, 了解 Kubernetes 当地的聚会和活动, 等等。
-- 阅读[贡献者备忘单](https://github.com/kubernetes/community/tree/master/contributors/guide/contributor-cheatsheet)，参与 Kubernetes 功能开发。
-- 提交一篇[博客文章或案例研究](/zh/docs/contribute/new-content/blogs-case-studies/)。
diff --git a/content/zh/docs/contribute/new-content/_index.md b/content/zh/docs/contribute/new-content/_index.md
deleted file mode 100644
index e498891fa9325..0000000000000
--- a/content/zh/docs/contribute/new-content/_index.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: 贡献新内容
-weight: 20
----
diff --git a/content/zh/docs/contribute/new-content/overview.md b/content/zh/docs/contribute/new-content/overview.md
deleted file mode 100644
index 76dd64c211ec8..0000000000000
--- a/content/zh/docs/contribute/new-content/overview.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: 贡献新内容概述
-linktitle: 概述
-content_type: concept
-main_menu: true
-weight: 5
----
-<!--
-title: Contributing new content overview
-linktitle: Overview
-content_type: concept
-main_menu: true
-weight: 5
--->
-
-<!-- overview -->
-<!--
-This section contains information you should know before contributing new content.
--->
-本节包含贡献新内容之前你需要知晓的一些信息。
-
-<!-- body -->
-
-<!--
-## Contributing basics
-
-- Write Kubernetes documentation in Markdown and build the Kubernetes site using [Hugo](https://gohugo.io/).
-- The source is in [GitHub](https://github.com/kubernetes/website). You can find Kubernetes documentation at `/content/en/docs/`. Some of the reference documentation is automatically generated from scripts in the `update-imported-docs/` directory.
-- [Page content types](/docs/contribute/style/page-content-types/) describe the presentation of documentation content in Hugo.
-- In addition to the standard Hugo shortcodes, we use a number of [custom Hugo shortcodes](/docs/contribute/style/hugo-shortcodes/) in our documentation to control the presentation of content.
-- Documentation source is available in multiple languages in `/content/`. Each language has its own folder with a two-letter code determined by the [ISO 639-1 standard](https://www.loc.gov/standards/iso639-2/php/code_list.php). For example, English documentation source is stored in `/content/en/docs/`.
-- For more information about contributing to documentation in multiple languages or starting a new translation, see [localization](/docs/contribute/localization).
--->
-## 基本知识
-
-- 使用 Markdown 来编写 Kubernetes 文档并使用 [Hugo](https://gohugo.io/) 来构建网站
-- 源代码位于 [GitHub](https://github.com/kubernetes/website) 仓库中。
-  你可以在 `/content/en/docs/` 目录下找到 Kubernetes 文档。
-  某些参考文档是使用位于 `update-imported-docs/` 目录下的脚本自动生成的。
-- [页面内容类型](/zh/docs/contribute/style/page-content-types/)使用 Hugo 描述文档内容的表现。
-- 除了基本的 Hugo 短代码（shortcodes）外，我们还在文档中使用一些
-  [定制的 Hugo 短代码](/zh/docs/contribute/style/hugo-shortcodes/)以控制内容的表现。
-- 文档的源代码有多种语言形式，位于`/content/` 目录下。
-  每种语言都有自己的由两个字母代表的目录，这两个字母是基于
-  [ISO 639-1 标准](https://www.loc.gov/standards/iso639-2/php/code_list.php)来确定的。
-  例如，英语文档源码位于`/content/en/docs/` 目录下。
-- 关于在多种语言中为文档做贡献的详细信息，以及如何启动一种新的语言翻译，
-  可参考[本地化](/zh/docs/contribute/localization)文档。
-
-<!--
-## Before you begin {#before-you-begin}
-### Sign the CNCF CLA {#sign-the-cla}
-
-All Kubernetes contributors **must** read the [Contributor guide](https://github.com/kubernetes/community/blob/master/contributors/guide/README.md) and [sign the Contributor License Agreement (CLA)](https://github.com/kubernetes/community/blob/master/CLA.md).
-
-Pull requests from contributors who haven't signed the CLA fail the automated tests. The name and email you provide must match those found in your `git config`, and your git name and email must match those used for the CNCF CLA.
--->
-## 开始之前 {#before-you-begin}
-
-### 签署 CNCF CLA {#sign-the-cla}
-
-所有 Kubernetes 贡献者 **必须** 阅读
-[贡献者指南](https://github.com/kubernetes/community/blob/master/contributors/guide/README.md)
-并[签署贡献者授权同意书（Contributor License Agreement，CLA）](https://github.com/kubernetes/community/blob/master/CLA.md)。
-
-来自尚未签署 CLA 的贡献者的 PR 无法通过自动化服务的测试。
-你所提供的姓名和邮件地址必须与 `git config` 中所找到的完全相同，
-而且你的 git 用户名和邮件地址必须与用来签署 CNCF CLA 的一致。
-
-<!--
-### Choose which Git branch to use
-
-When opening a pull request, you need to know in advance which branch to base your work on.
-
-Scenario | Branch
-:---------|:------------
-Existing or new English language content for the current release | `main`
-Content for a feature change release | The branch which corresponds to the major and minor version the feature change is in, using the pattern `dev-release-<version>`. For example, if a feature changes in the `{{< latest-version >}}` release, then add documentation changes to the ``dev-{{< release-branch >}}`` branch.
-Content in other languages (localizations) | Use the localization's convention. See the [Localization branching strategy](/docs/contribute/localization/#branching-strategy) for more information.
-
-If you're still not sure which branch to choose, ask in `#sig-docs` on Slack.
--->
-### 选择要使用的分支
-
-在发起拉取请求时，你需要预先知道要基于哪个分支来开展工作。
-
-场景      | 分支
-:---------|:------------
-针对当前发行版本的，对现有英文内容的修改或新的英文内容 | `main`
-针对功能特性变更的内容 | 功能特性所对应的版本所对应的分支，分支名字模式为 `dev-<version>`。例如，如果某功能特性在 `v{{< skew nextMinorVersion >}}` 版本发生变化，则对应的文档变化要添加到 ``dev-{{< skew nextMinorVersion >}}`` 分支。
-其他语言的内容（本地化）| 基于本地化团队的约定。参见[本地化分支策略](/zh/docs/contribute/localization/#branching-strategy)了解更多信息。
-
-如果你仍不能确定要选择哪个分支，请在 `#sig-docs` Slack 频道上提问。
-
-<!--
-If you already submitted your pull request and you know that the base branch
-was wrong, you (and only you, the submitter) can change it.
--->
-{{< note >}}
-如果你已经提交了你的 PR，并且你发现所针对的分支选错了，你（且只能是你）可以重新选择分支。
-{{< /note >}}
-
-<!--
-### Languages per PR
-Limit pull requests to one language per PR. If you need to make an identical change to the same code sample in multiple languages, open a separate PR for each language.
--->
-### 每个 PR 牵涉的语言
-
-请限制每个 PR 仅涉及一种语言。
-如果你需要对多种语言下的同一代码示例进行相同的修改，也请为每种语言发起一个独立的 PR。
-
-<!--
-## Tools for contributors
-The [doc contributors tools](https://github.com/kubernetes/website/tree/main/content/en/docs/doc-contributor-tools) directory in the `kubernetes/website` repository contains tools to help your contribution journey go more smoothly.
--->
-
-## 为贡献者提供的工具
-
-`kubernetes/website` 仓库的
-[文档贡献者工具](https://github.com/kubernetes/website/tree/main/content/en/docs/doc-contributor-tools)
-目录中包含了一些工具，能够助你的贡献过程更为顺畅。
-
diff --git a/content/zh/docs/home/supported-doc-versions.md b/content/zh/docs/home/supported-doc-versions.md
deleted file mode 100644
index 1556a62497265..0000000000000
--- a/content/zh/docs/home/supported-doc-versions.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: Kubernetes 文档支持的版本
-content_type: custom
-layout: supported-versions
-card:
-  name: about
-  weight: 10
-  title: Kubernetes 文档支持的版本
----
-
-<!-- overview -->
-
-本网站包含当前版本和之前四个版本的 Kubernetes 文档。
diff --git a/content/zh/docs/reference/glossary/kube-apiserver.md b/content/zh/docs/reference/glossary/kube-apiserver.md
deleted file mode 100644
index 05f9605b2adcf..0000000000000
--- a/content/zh/docs/reference/glossary/kube-apiserver.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: kube-apiserver
-id: kube-apiserver
-date: 2018-04-12
-full_link: /zh/docs/reference/command-line-tools-reference/kube-apiserver/
-short_description: >
-  提供 Kubernetes API 服务的控制面组件。
-
-aka: 
-tags:
-- architecture
-- fundamental
----
-
-<!--
-title: kube-apiserver
-id: kube-apiserver
-date: 2018-04-12
-full_link: /zh/docs/reference/command-line-tools-reference/kube-apiserver/
-short_description: >
-  Control plane component that serves the Kubernetes API. 
-
-aka: 
-tags:
-- architecture
-- fundamental
--->
-
-<!--
- The API server is a component of the Kubernetes
-{{< glossary_tooltip text="control plane" term_id="control-plane" >}} that exposes the Kubernetes API.
-The API server is the front end for the Kubernetes control plane.
--->
-API 服务器是 Kubernetes {{< glossary_tooltip text="控制面" term_id="control-plane" >}}的组件，
-该组件公开了 Kubernetes API。
-API 服务器是 Kubernetes 控制面的前端。
-
-<!--more--> 
-
-<!--
-The main implementation of a Kubernetes API server is [kube-apiserver](/docs/reference/generated/kube-apiserver/).
-kube-apiserver is designed to scale horizontally&mdash;that is, it scales by deploying more instances.
-You can run several instances of kube-apiserver and balance traffic between those instances.
--->
-Kubernetes API 服务器的主要实现是 [kube-apiserver](/zh/docs/reference/command-line-tools-reference/kube-apiserver/)。
-kube-apiserver 设计上考虑了水平伸缩，也就是说，它可通过部署多个实例进行伸缩。
-你可以运行 kube-apiserver 的多个实例，并在这些实例之间平衡流量。
diff --git a/content/zh/docs/reference/glossary/kube-controller-manager.md b/content/zh/docs/reference/glossary/kube-controller-manager.md
deleted file mode 100644
index 43aa192d17be5..0000000000000
--- a/content/zh/docs/reference/glossary/kube-controller-manager.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: kube-controller-manager
-id: kube-controller-manager
-date: 2018-04-12
-full_link: /docs/reference/generated/kube-controller-manager/
-short_description: >
-  主节点上运行控制器的组件。
-
-aka: 
-tags:
-- architecture
-- fundamental
----
-
-<!--
----
-title: kube-controller-manager
-id: kube-controller-manager
-date: 2018-04-12
-full_link: /docs/reference/generated/kube-controller-manager/
-short_description: >
-  Component on the master that runs controllers.
-
-aka: 
-tags:
-- architecture
-- fundamental
----
--->
-
-<!--
- Control plane component that runs {{< glossary_tooltip text="controller" term_id="controller" >}} processes.
--->
-运行{{< glossary_tooltip text="控制器" term_id="controller" >}}进程的控制平面组件。
-
-<!--more--> 
-
-从逻辑上讲，每个{{< glossary_tooltip text="控制器" term_id="controller" >}}都是一个单独的进程，
-但是为了降低复杂性，它们都被编译到同一个可执行文件，并在一个进程中运行。
-
diff --git a/content/zh/docs/reference/glossary/kube-proxy.md b/content/zh/docs/reference/glossary/kube-proxy.md
deleted file mode 100644
index 2b1048147f0b9..0000000000000
--- a/content/zh/docs/reference/glossary/kube-proxy.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: kube-proxy
-id: kube-proxy
-date: 2018-04-12
-full_link: /zh/docs/reference/command-line-tools-reference/kube-proxy/
-short_description: >
-  `kube-proxy` 是集群中每个节点上运行的网络代理。
-
-aka:
-tags:
-- fundamental
-- networking
----
-<!-- ---
-title: kube-proxy
-id: kube-proxy
-date: 2018-04-12
-full_link: /zh/docs/reference/command-line-tools-reference/kube-proxy/
-short_description: >
-  `kube-proxy` is a network proxy that runs on each node in the cluster.
-
-aka:
-tags:
-- fundamental
-- networking
---- -->
- <!-- [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/) is a
-network proxy that runs on each node in your cluster, implementing part of
-the Kubernetes {{< glossary_tooltip term_id="service">}} concept. -->
-[kube-proxy](/zh/docs/reference/command-line-tools-reference/kube-proxy/) 是集群中每个节点上运行的网络代理，
-实现 Kubernetes {{< glossary_tooltip term_id="service">}} 概念的一部分。
-
-<!--more-->
-
-<!-- kube-proxy maintains network rules on nodes. These network rules allow
-network communication to your Pods from network sessions inside or outside
-of your cluster. -->
-kube-proxy 维护节点上的网络规则。这些网络规则允许从集群内部或外部的网络会话与 Pod 进行网络通信。
-
-<!-- kube-proxy uses the operating system packet filtering layer if there is one
-and it's available. Otherwise, kube-proxy forwards the traffic itself. -->
-如果操作系统提供了数据包过滤层并可用的话，kube-proxy 会通过它来实现网络规则。否则， kube-proxy 仅转发流量本身。
diff --git a/content/zh/docs/reference/kubectl/_index.md b/content/zh/docs/reference/kubectl/_index.md
deleted file mode 100644
index 5c679220a6e0f..0000000000000
--- a/content/zh/docs/reference/kubectl/_index.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: "kubectl"
-weight: 60
----
diff --git a/content/zh/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes.md b/content/zh/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes.md
deleted file mode 100644
index 094da533f0e7d..0000000000000
--- a/content/zh/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: 关于 dockershim 移除和使用兼容 CRI 运行时的外部文章
-content_type: reference
-weight: 20
----
-
-<!-- 
-title: External Articles on dockershim Removal and on Using CRI-compatible Runtimes
-content_type: reference
-weight: 20
--->
-
-<!-- overview -->
-<!-- 
-This is a list of articles about:
-
-	- the Kubernetes' deprecation and removal of _dockershim_
-	- using CRI-compatible container runtimes
--->
-这是有关以下内容的文章列表：
-
-- Kubernetes 弃用和删除 _dockershim_
-- 使用兼容 CRI 的容器运行时
-<!-- body -->
-
-<!-- 
-## Primary sources
-
-* [Kubernetes Blog: "Dockershim Deprecation FAQ", 2020/12/02](/blog/2020/12/02/dockershim-faq/)
-
-* [Kubernetes Documentation: "Migrating from dockershim"](/docs/tasks/administer-cluster/migrating-from-dockershim/)
-
-* [Kubernetes Documentation: "Container runtimes"](/docs/setup/production-environment/container-runtimes/)
-
-* [Kubernetes enhancement issue: "Removing dockershim from kubelet" (`kubernetes/enhancements#2221`)](https://github.com/kubernetes/enhancements/issues/2221)
-
-* [Kubernetes enhancement proposal: "KEP-2221: Removing dockershim from kubelet"](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2221-remove-dockershim/README.md)
-
-* [Kubernetes Blog: "Dockershim removal is coming. Are you ready?", 2021/11/12](/blog/2021/11/12/are-you-ready-for-dockershim-removal/)
--->
-
-## 首要来源
-
-* [Kubernetes 博客: “Dockershim 弃用常见问题解答”, 2020/12/02](/blog/2020/12/02/dockershim-faq/)
-
-* [Kubernetes 文档：“从 dockershim 迁移”](/zh/docs/tasks/administer-cluster/migrating-from-dockershim/)
-
-* [Kubernetes 文档：“容器运行时”](/zh/docs/setup/production-environment/container-runtimes/)
-
-* [Kubernetes 增强提问: “从 kubelet 中删除 dockershim” (`kubernetes/enhancements#2221`)](https://github.com/kubernetes/enhancements/issues/2221)
-
-* [Kubernetes 增强建议：“KEP-2221: 从 kubelet 中删除 dockershim”](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2221-remove-dockershim/README.md)
-
-* [Kubernetes 博客: “移除 Dockershim 即将到来。你准备好了吗？”, 2021/11/12](/blog/2021/11/12/are-you-ready-for-dockershim-removal/)
-
-<!-- 
-## Secondary sources
-
-* [Docker.com blog: "What developers need to know about Docker, Docker Engine, and Kubernetes v1.20", 2020/12/04](https://www.docker.com/blog/what-developers-need-to-know-about-docker-docker-engine-and-kubernetes-v1-20/)
-
-* [Tripwire.com: "How Dockershim’s Forthcoming Deprecation Affects Your Kubernetes"](https://www.tripwire.com/state-of-security/security-data-protection/cloud/how-dockershim-forthcoming-deprecation-affects-your-kubernetes/)
-
-* [Amazon EKS documentation: "Dockershim deprecation"](https://docs.aws.amazon.com/eks/latest/userguide/dockershim-deprecation.html)
-
-* ["Google Open Source" channel on YouTube: "Learn Kubernetes with Google - Migrating from Dockershim to Containerd"](https://youtu.be/fl7_4hjT52g)
-
-* [Mirantis Blog: "The Future of Dockershim is cri-dockerd", 2021/04/21](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/)
-
-* [Github.com: "Mirantis/cri-dockerd" repo](https://github.com/Mirantis/cri-dockerd)
--->
-## 次要来源
-
-* [Docker.com 博客：“开发人员需要了解的关于 Docker、Docker Engine 和 Kubernetes v1.20 的哪些知识”，2020/12/04](https://www.docker.com/blog/what-developers-need-to-know-about-docker-docker-engine-and-kubernetes-v1-20/)
-
-* [Tripwire.com：“Dockershim 即将弃用如何影响你的 Kubernetes”](https://www.tripwire.com/state-of-security/security-data-protection/cloud/how-dockershim-forthcoming-deprecation-affects-your-kubernetes/)
-
-* [Amazon EKS 文档：“Dockershim 弃用”](https://docs.aws.amazon.com/eks/latest/userguide/dockershim-deprecation.html)
-
-* [YouTube 上的 “Google 开源”频道：“与 Google 一起学习 Kubernetes - 从 Dockershim 迁移到 Containerd”](https://youtu.be/fl7_4hjT52g)
-
-* [Mirantis 博客：“Dockershim 的未来是 cri-dockerd”，2021/04/21](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/)
-
-* [Github.com：“Mirantis/cri-dockerd” 仓库](https://github.com/Mirantis/cri-dockerd)
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md
deleted file mode 100644
index e01e7fa4fecce..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_certs_check-expiration.md
+++ /dev/null
@@ -1,82 +0,0 @@
-<!--
-### Synopsis
--->
-### 概要
-
-<!-- 
-Checks expiration for the certificates in the local PKI managed by kubeadm.
--->
-检查 kubeadm 管理的本地 PKI 中证书的到期时间。
-
-```
-kubeadm certs check-expiration [flags]
-```
-
-<!--
-### Options
--->
-### 选项 
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<!--
-<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/pki"</td> 
--->
-<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: "/etc/kubernetes/pki"</td>
-</tr>
-<tr>
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The path where to save the certificates</td>
--->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">保存证书的路径</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">Path to a kubeadm configuration file.</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">kubeadm 配置文件的路径</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">help for check-expiration</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">check-expiration 的帮助命令</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-### 继承于父命令的选项 
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
-</tr>
-
-</tbody>
-</table>
-
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_init-defaults.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_init-defaults.md
deleted file mode 100644
index 2f20499dbacb9..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_print_init-defaults.md
+++ /dev/null
@@ -1,108 +0,0 @@
-
-<!--
-### Synopsis
--->
-### 概要
-
-<!--
-This command prints objects such as the default init configuration that is used for 'kubeadm init'.
--->
-
-此命令打印对象，例如用于 'kubeadm init' 的默认 init 配置对象。
-
-<!--
-Note that sensitive values like the Bootstrap Token fields are replaced with placeholder values like {"abcdef.0123456789abcdef" "" "nil" &lt;nil&gt; [] []} in order to pass validation but
-not perform the real computation for creating a token.
--->
-
-请注意，Bootstrap Token 字段之类的敏感值已替换为 {"abcdef.0123456789abcdef" "" "nil" &lt;nil&gt; [] []} 之类的占位符值以通过验证，但不执行创建令牌的实际计算。
-
-```
-kubeadm config print init-defaults [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--component-configs stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-A comma-separated list for component config API objects to print the default values for. Available values: [KubeProxyConfiguration KubeletConfiguration]. If this flag is not set, no component configs will be printed.
--->
-组件配置 API 对象的逗号分隔列表，打印其默认值。可用值：[KubeProxyConfiguration KubeletConfiguration]。如果未设置此参数，则不会打印任何组件配置。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for init-defaults
--->
-init-defaults 操作的帮助命令
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">
-<!--
---kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
--->
---kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/admin.conf"
-</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
--->
-与集群通信时使用的 kubeconfig 文件。如果未设置该参数，则可以在一组标准位置中搜索现有的 kubeconfig 文件。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 到 '真实' 主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase.md
deleted file mode 100644
index 3052b2a5b6efc..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase.md
+++ /dev/null
@@ -1,67 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Use this command to invoke single phase of the init workflow
--->
-
-使用此命令可以调用 init 工作流程的单个阶段
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for phase -->
-phase 操作的帮助命令
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 继承于父命令的选择项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 到 '真实' 主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_controller-manager.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_controller-manager.md
deleted file mode 100644
index d35b86f363b5f..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_control-plane_controller-manager.md
+++ /dev/null
@@ -1,165 +0,0 @@
-
-<!--
-### Synopsis
--->
-### 概要
-
-<!--
-Generates the kube-controller-manager static Pod manifest
--->
-生成 kube-controller-manager 静态 Pod 清单
-
-```
-kubeadm init phase control-plane controller-manager [flags]
-```
-
-<!--
-### Options
--->
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<!-- td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/pki"</td -->
-<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："/etc/kubernetes/pki"</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The path where to save and store the certificates.
--->
-存储证书的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to a kubeadm configuration file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--controller-manager-extra-args mapStringString</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-A set of extra flags to pass to the Controller Manager or override default ones in form of &lt;flagname&gt;=&lt;value&gt;
--->
-一组 &lt;flagname&gt;=&lt; 形式的额外参数，传递给控制器管理器（Controller Manager）
-或者覆盖其默认配置值
-</td>
-</tr>
-
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.-->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录。
-例如，"kube-apiserver0+merge.yaml" 或者 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，分别与 kubectl
-所支持的 patch 格式相匹配。默认的 "patchtype" 是 "strategic"。
-"extension" 必须是 "json" 或 "yaml"。
-"suffix" 是一个可选的字符串，用来确定按字母顺序排序时首先应用哪些 patch。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for controller-manager
--->
-controller-manager 操作的帮助命令
-</td>
-</tr>
-
-<tr>
-<td colspan="2">
-<!--
---image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "k8s.gcr.io"
--->
---image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："k8s.gcr.io"
-</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Choose a container registry to pull control plane images from
--->
-选择要从中拉取控制平面镜像的容器仓库
-</td>
-</tr>
-
-<tr>
-<td colspan="2">
-<!--
---kubernetes-version string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "stable-1"
--->
---kubernetes-version string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值："stable-1"
-</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Choose a specific Kubernetes version for the control plane.
--->
-为控制平面选择特定的 Kubernetes 版本。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--pod-network-cidr string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
--->
-指定 Pod 网络的 IP 地址范围。如果设置，控制平面将自动为每个节点分配 CIDR。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 到 '真实' 主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md
deleted file mode 100644
index 77517935cab55..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md
+++ /dev/null
@@ -1,75 +0,0 @@
-
-<!-- ### Synopsis -->
-### 概要
-
-
-
-<!-- Enable kubelet client certificate rotation -->
-启用 kubelet 客户端证书轮换
-
-```
-kubeadm init phase kubelet-finalize experimental-cert-rotation [flags]
-```
-
-<!-- ### Options -->
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--cert-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/pki"</td>
-</tr>
-<tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">The path where to save and store the certificates.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">保存和存储证书的路径。</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">Path to a kubeadm configuration file.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">kubeadm 配置文件的路径。</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">help for experimental-cert-rotation</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">experimental-cert-rotation 操作的帮助命令</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
-<!-- ### Options inherited from parent commands -->
-### 继承于父命令的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md
deleted file mode 100644
index ee327bcc7526a..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md
+++ /dev/null
@@ -1,65 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Use this command to invoke single phase of the join workflow
--->
-
-使用此命令来调用 `join` 工作流程的某个阶段
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for phase -->
-phase 操作的帮助命令
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令中继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
deleted file mode 100644
index a051439f2c091..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md
+++ /dev/null
@@ -1,121 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Joins a machine as a control plane instance
--->
-
-添加作为控制平面实例的机器
-
-```
-kubeadm join phase control-plane-join all [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--apiserver-advertise-address string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--->
-如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to kubeadm config file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--experimental-control-plane</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create a new control plane instance on this node
--->
-在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for all
--->
-all 操作的帮助命令      
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--node-name string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify the node name.
--->
-指定节点名称。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 到 '真实' 主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md
deleted file mode 100644
index 0fce61c11bafc..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md
+++ /dev/null
@@ -1,113 +0,0 @@
-
-<!-- 
-### Synopsis 
--->
-
-## 概要
-
-<!-- 
-Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap 
--->
-
-将新的控制平面节点注册到 kubeadm-config ConfigMap 维护的 ClusterStatus 中
-
-```
-kubeadm join phase control-plane-join update-status [flags]
-```
-
-<!-- 
-### Options 
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--apiserver-advertise-address string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--->
-如果该节点托管一个新的控制平面实例，则 API 服务器将公布其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Path to kubeadm config file.  -->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--control-plane</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Create a new control plane instance on this node -->
-在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for update-status -->
-update-status 操作的帮助命令
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--node-name string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- Specify the node name.  -->
-指定节点名称。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令中继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 到 '真实' 主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md
deleted file mode 100644
index 7f3da71e8003c..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md
+++ /dev/null
@@ -1,142 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Generate the manifests for the new control plane components
--->
-
-为新的控制平面组件生成清单（manifest）
-
-```
-kubeadm join phase control-plane-prepare control-plane [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--apiserver-advertise-address string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--->
-对于将要托管新的控制平面实例的节点，指定 API 服务器将公布的其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">
-<!--
---apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 6443
--->
---apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值：6443
-</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If the node should host a new control plane instance, the port for the API Server to bind to.
--->
-针对将要托管新的控制平面实例的节点，设置 API 服务器要绑定的端口。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to kubeadm config file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--control-plane</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create a new control plane instance on this node
--->
-在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--experimental-patches string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
--->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for control-plane
--->
-control-plane 操作的帮助命令
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令中继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md
deleted file mode 100644
index 975f69e96680c..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md
+++ /dev/null
@@ -1,181 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-[EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
--->
-
-[实验]从 kubeadm-certs Secret 下载控制平面节点之间共享的证书
-
-```
-kubeadm join phase control-plane-prepare download-certs [api-server-endpoint] [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--certificate-key string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use this key to decrypt the certificate secrets uploaded by init.
--->
-使用此密钥可以解密由 init 上传的证书 secret。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to kubeadm config file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--control-plane</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create a new control plane instance on this node
--->
-在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For file-based discovery, a file or URL from which to load cluster information.
--->
-对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, the token used to validate cluster information fetched from the API server.
--->
-对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
--->
-对于基于令牌的发现，请验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token-unsafe-skip-ca-verification</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--->
-对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for kubeconfig
--->
-kubeconfig 操作的帮助命令
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--tls-bootstrap-token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--->
-指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--->
-如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令中继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md
deleted file mode 100644
index 4ae6068268e6c..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md
+++ /dev/null
@@ -1,180 +0,0 @@
-
-<!--
-### Synopsis
--->
-### 概要
-
-<!--
-Generate the kubeconfig for the new control plane components
--->
-
-为新的控制平面组件生成 kubeconfig
-
-```
-kubeadm join phase control-plane-prepare kubeconfig [api-server-endpoint] [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--certificate-key string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use this key to decrypt the certificate secrets uploaded by init.
--->
-使用此密钥可以解密由 init 上传的证书 secret。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to kubeadm config file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--control-plane</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create a new control plane instance on this node
--->
-在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For file-based discovery, a file or URL from which to load cluster information.
--->
-对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, the token used to validate cluster information fetched from the API server.
--->
-对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
--->
-对于基于令牌的发现，请验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token-unsafe-skip-ca-verification</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--->
-对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for kubeconfig
--->
-kubeconfig 操作的帮助命令
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--tls-bootstrap-token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--->
-指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--->
-如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令中继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md
deleted file mode 100644
index 97ad892e9d1fe..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md
+++ /dev/null
@@ -1,258 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Run pre-flight checks for kubeadm join.
--->
-
-运行 kubeadm join 命令添加节点前检查。
-
-```
-kubeadm join phase preflight [api-server-endpoint] [flags]
-```
-
-<!--
-### Examples
-# Run join pre-flight checks using a config file.
--->
-
-### 示例
-
-```
-# 使用配置文件运行 kubeadm join 命令添加节点前检查。
-kubeadm join phase preflight --config kubeadm-config.yml
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--apiserver-advertise-address string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--->
-对于将要托管新的控制平面实例的节点，指定 API 服务器将公布的其正在侦听的 IP 地址。如果未设置，则使用默认网络接口。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">
-<!--
---apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: 6443
--->
---apiserver-bind-port int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值：6443
-</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If the node should host a new control plane instance, the port for the API Server to bind to.
--->
-针对将要托管新的控制平面实例的节点，设置 API 服务器要绑定的端口。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--certificate-key string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use this key to decrypt the certificate secrets uploaded by init.
--->
-使用此密钥可以解密由 `init` 操作上传的证书 secret。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to kubeadm config file.
--->
-kubeadm 配置文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--control-plane</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Create a new control plane instance on this node
--->
-在此节点上创建一个新的控制平面实例
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--cri-socket string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--->
-提供给 CRI 套接字建立连接的路径。如果为空，则 kubeadm 将尝试自动检测该值；仅当安装了多个 CRI 或具有非标准 CRI 套接字时，才使用此选项。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For file-based discovery, a file or URL from which to load cluster information.
--->
-对于基于文件的发现，给出用于加载集群信息的文件或者 URL。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, the token used to validate cluster information fetched from the API server.
--->
-对于基于令牌的发现，该令牌用于验证从 API 服务器获取的集群信息。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token-ca-cert-hash stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, validate that the root CA public key matches this hash (format: "&lt;type&gt;:&lt;value&gt;").
--->
-对于基于令牌的发现，验证根 CA 公钥是否匹配此哈希值（格式："&lt;type&gt;:&lt;value&gt;"）。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--discovery-token-unsafe-skip-ca-verification</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--->
-对于基于令牌的发现，允许在未关联 --discovery-token-ca-cert-hash 参数的情况下添加节点。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for preflight
--->
-preflight 操作的帮助命令
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--->
-错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--node-name string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify the node name.
--->
-指定节点名称。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--tls-bootstrap-token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--->
-指定在加入节点时用于临时通过 Kubernetes 控制平面进行身份验证的令牌。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--token string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--->
-如果未提供这些值，则将它们用于 discovery-token 令牌和 tls-bootstrap 令牌。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_preflight.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_preflight.md
deleted file mode 100644
index 976749eb5e4dd..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_preflight.md
+++ /dev/null
@@ -1,97 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Run pre-flight checks for kubeadm reset.
--->
-
-kubeadm reset（重置）前运行启动前检查。
-
-```
-kubeadm reset phase preflight [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">-f, --force</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Reset the node without prompting for confirmation.
--->
-在不提示确认的情况下重置节点。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-help for preflight
--->
-preflight 操作的帮助命令
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--->
-错误将显示为警告的检查列表；例如：'IsPrivilegedUser,Swap'。取值为 'all' 时将忽略检查中的所有错误。
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-[EXPERIMENTAL] The path to the 'real' host root filesystem.
--->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
deleted file mode 100644
index 27f978a773534..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_remove-etcd-member.md
+++ /dev/null
@@ -1,73 +0,0 @@
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Upload configuration about the current state, so that 'kubeadm upgrade' can later know how to configure the upgraded cluster.
--->
-
-上传关于当前状态的配置，以便 'kubeadm upgrade' 以后可以知道如何配置升级后的集群。
-
-```
-kubeadm config upload [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">upload 操作的帮助信息</td>
-</tr>
-
-</tbody>
-</table>
-
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<!-- td colspan="2">kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td -->
-<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值： "/etc/kubernetes/admin.conf"</td>
-</tr>
-<tr>
-<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">The KubeConfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file.</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。</td>
-</tr>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<!-- td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_update-cluster-status.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_update-cluster-status.md
deleted file mode 100644
index 149af508d9537..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset_phase_update-cluster-status.md
+++ /dev/null
@@ -1,69 +0,0 @@
-
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Remove this node from the ClusterStatus object if the node is a control plane node.
--->
-
-如果该节点是控制平面节点，从 ClusterStatus 对象中删除该节点。
-
-```
-kubeadm reset phase update-cluster-status [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- help for update-cluster-status -->
-update-cluster-status 操作的帮助命令
-</td>
-</tr>
-
-</tbody>
-</table>
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!-- [EXPERIMENTAL] The path to the 'real' host root filesystem.  -->
-[实验] 指向 '真实' 宿主机根文件系统的路径。
-</td>
-</tr>
-
-</tbody>
-</table>
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_control-plane.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_control-plane.md
deleted file mode 100644
index 4235ef59b5f51..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_control-plane.md
+++ /dev/null
@@ -1,142 +0,0 @@
-<!--
-### Synopsis
--->
-
-### 概要
-
-<!--
-Upgrade the control plane instance deployed on this node, if any
--->
-
-升级部署在此节点上的控制平面实例，如果有的话
-
-```
-kubeadm upgrade node phase control-plane [flags]
-```
-
-<!--
-### Options
--->
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--certificate-renewal</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">更新在升级期间变更的组件使用的证书。</td>
-</tr>
-<!-- 
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Perform the renewal of certificates used by component changed during upgrades.</td>
--->
-
-<tr>
-<td colspan="2">--dry-run</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">不改变任何状态，只输出将要执行的动作。</td>
-</tr>
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Do not change any state, just output the actions that would be performed.</td>
--->
-
-<tr>
-<td colspan="2">--etcd-upgrade&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: true</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">执行 etcd 的升级。</td>
-</tr>
-<!--
-<td colspan="2">--etcd-upgrade&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td> 
--->
-
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Perform the upgrade of etcd.</td>
--->
-
-<tr>
-<td colspan="2">--experimental-patches string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--  
-Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
--->
-包含名为 "target[suffix][+patchtype].extension" 的文件的目录的路径。
-例如，"kube-apiserver0+merge.yaml" 或仅仅是 "etcd.json"。
-"patchtype" 可以是 "strategic"、"merge" 或 "json" 之一，并且它们与 kubectl 支持的补丁格式匹配。
-默认的 "patchtype" 为 "strategic"。 "extension" 必须为 "json" 或 "yaml"。 
-"suffix" 是一个可选字符串，可用于确定首先按字母顺序应用哪些补丁。
-</td>
-</tr>
-
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The path where kustomize patches for static pod manifests are stored.</td>
--->
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">control-plane 的帮助信息</td>
-</tr>
-
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">help for control-plane</td>
--->
-
-<tr>
-<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值: "/etc/kubernetes/admin.conf"</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">用于和集群通信的 KubeConfig 文件。如果它没有被设置，那么 kubeadm 将会搜索一个已经存在于标准路径的 KubeConfig 文件。</td>
-</tr>
-
-<!--
-<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td>
--->
-
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</td>
--->
-
-</tbody>
-</table>
-
-
-
-<!--
-### Options inherited from parent commands
--->
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
-</tr>
-<!--
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td>
--->
-
-</tbody>
-</table>
-
-
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
deleted file mode 100644
index 2fd33ffc6312c..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_node_phase_preflight.md
+++ /dev/null
@@ -1,69 +0,0 @@
-
-<!-- ### Synopsis -->
-### 概要
-
-
-<!-- Run pre-flight checks for kubeadm upgrade node. -->
-
-执行 kubeadm 升级节点的预检。
-
-```
-kubeadm upgrade node phase preflight [flags]
-```
-
-<!-- ### Options -->
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">help for preflight</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">preflight 操作的帮助命令</td>
-</tr>
-
-<tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
-</tr>
-<tr>
-<!-- 
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</td> 
--->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">错误将显示为警告的检查清单。示例：'IsPrivilegedUser,Swap'。值为'all'表示忽略所有检查的错误。</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
-<!-- ### Options inherited from parent commands -->
-### 继承于父命令的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<!-- <td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td> -->
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[实验] 到'真实'主机根文件系统的路径。</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md b/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
deleted file mode 100644
index 88f2510b6e76b..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
+++ /dev/null
@@ -1,201 +0,0 @@
-<!--
-
-```
-### Synopsis
-
-
-Check which versions are available to upgrade to and validate whether your current cluster is upgradeable. To skip the internet check, pass in the optional [version] parameter
-
-​```
-kubeadm upgrade plan [version] [flags]
-​```
-
-### Options
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--allow-experimental-upgrades</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.</td>
-</tr>
-
-<tr>
-<td colspan="2">--allow-release-candidate-upgrades</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Path to a kubeadm configuration file.</td>
-</tr>
-
-<tr>
-<td colspan="2">--feature-gates string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A set of key=value pairs that describe feature gates for various features. Options are:<br/>IPv6DualStack=true|false (ALPHA - default=false)<br/>PublicKeysECDSA=true|false (ALPHA - default=false)</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">help for plan</td>
-</tr>
-
-<tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.</td>
-</tr>
-
-<tr>
-<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</td>
-</tr>
-
-<tr>
-<td colspan="2">--print-config</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">Specifies whether the configuration file that will be used in the upgrade should be printed or not.</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
-### Options inherited from parent commands
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] The path to the 'real' host root filesystem.</td>
-</tr>
-
-</tbody>
-</table>
-```
-
--->
-
-
-### 概述
-
-检查可升级到哪些版本，并验证您当前的集群是否可升级。 要跳过互联网检查，请传递可选的 [version] 参数 
-
-```
-kubeadm upgrade plan [version] [flags]
-```
-
-### 选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--allow-experimental-upgrades</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">显示不稳定版本的 Kubernetes 作为升级替代方案，并允许升级到 Kubernetes 的 Alpha/Beta/发行候选版本。</td>
-</tr>
-
-<tr>
-<td colspan="2">--allow-release-candidate-upgrades</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">显示 Kubernetes 的发行候选版本作为升级选择，并允许升级到 Kubernetes 的发行候选版本。</td>
-</tr>
-
-<tr>
-<td colspan="2">--config string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">配置文件的路径。</td>
-</tr>
-
-<tr>
-<td colspan="2">--feature-gates string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">一组描述各种特征特性门控的键值对。选项有：IPv6DualStack=true|false (ALPHA - default=false) PublicKeysECDSA=true|false (ALPHA - default=false)</td>
-</tr>
-
-<tr>
-<td colspan="2">-h, --help</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">帮助</td>
-</tr>
-
-<tr>
-<td colspan="2">--ignore-preflight-errors stringSlice</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">检查清单，其错误将显示为警告。 例如：“IsPrivilegedUser，Swap”。 值 “all” 忽略所有检查的错误。</td>
-</tr>
-
-<tr>
-<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">与集群通信时使用的 kubeconfig 文件。 如果标志为未设置，则可以在一组标准位置中搜索现有的 kubeconfig 文件。</td>
-</tr>
-
-<tr>
-<td colspan="2">--print-config</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">指定是否打印将在升级中使用的配置文件。</td>
-</tr>
-
-</tbody>
-</table>
-
-
-
-### 从父命令继承的选项
-
-   <table style="width: 100%; table-layout: fixed;">
-<colgroup>
-<col span="1" style="width: 10px;" />
-<col span="1" />
-</colgroup>
-<tbody>
-
-<tr>
-<td colspan="2">--rootfs string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">[EXPERIMENTAL] “真实”主机根文件系统的路径。</td>
-</tr>
-
-</tbody>
-</table>
diff --git a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-config.md b/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-config.md
deleted file mode 100644
index 363335f25cfe3..0000000000000
--- a/content/zh/docs/reference/setup-tools/kubeadm/kubeadm-config.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: kubeadm config
-content_type: concept
-weight: 50
----
-
-<!-- overview -->
-<!--
-During `kubeadm init`, kubeadm uploads the `ClusterConfiguration` object to your cluster
-in a ConfigMap called `kubeadm-config` in the `kube-system` namespace. This configuration is then read during
-`kubeadm join`, `kubeadm reset` and `kubeadm upgrade`. To view this ConfigMap call `kubeadm config view`.
--->
-在 `kubeadm init` 执行期间，kubeadm 将 `ClusterConfiguration` 对象上传
-到你的集群的 `kube-system` 名字空间下名为 `kubeadm-config` 的 ConfigMap 对象中。
-然后在 `kubeadm join`、`kubeadm reset` 和 `kubeadm upgrade` 执行期间读取此配置。 
-要查看此 ConfigMap，请调用 `kubeadm config view`。
-
-<!--
-You can use `kubeadm config print` to print the default configuration and `kubeadm config migrate` to
-convert your old configuration files to a newer version. `kubeadm config images list` and
-`kubeadm config images pull` can be used to list and pull the images that kubeadm requires.
--->
-你可以使用 `kubeadm config print` 命令打印默认配置，
-并使用 `kubeadm config migrate` 命令将旧版本的配置转化成新版本。
-`kubeadm config images list` 和 `kubeadm config images pull`
-命令可以用来列出并拉取 kubeadm 所需的镜像。
-
-<!--
-For more information navigate to
-[Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
-or [Using kubeadm join with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
--->
-更多信息请浏览[使用带配置文件的 kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
-或[使用带配置文件的 kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
-
-<!--
-You can also configure several kubelet-configuration options with `kubeadm init`. These options will be the same on any node in your cluster. 
-See [Configuring each kubelet in your cluster using kubeadm](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/) for details.
--->
-你也可以在使用 `kubeadm init` 命令时配置若干 kubelet 配置选项。
-这些选项对于集群中所有节点而言都是相同的。
-参阅[使用 kubeadm 来配置集群中的各个 kubelet](/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration/)
-了解详细信息。
- 
-<!--
-In Kubernetes v1.13.0 and later to list/pull kube-dns images instead of the CoreDNS image
-the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
-has to be used.
--->
-在 Kubernetes v1.13.0 及更高版本中，要列出/拉取 kube-dns 镜像而不是 CoreDNS 镜像，
-必须使用[这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
-所描述的 `--config` 方法。
-
-<!-- body -->
-## kubeadm config upload from-file {#cmd-config-from-file}
-
-## kubeadm config print{#cmd-config-view}
-{{< include "generated/kubeadm_config_print.md" >}}
-
-## kubeadm config print init-defaults {#cmd-config-print-init-defaults}
-{{< include "generated/kubeadm_config_print_init-defaults.md" >}}
-
-## kubeadm config print join-defaults {#cmd-config-print-join-defaults}
-{{< include "generated/kubeadm_config_print_join-defaults.md" >}}
-
-## kubeadm config migrate {#cmd-config-migrate}
-{{< include "generated/kubeadm_config_migrate.md" >}}
-
-## kubeadm config images list {#cmd-config-images-list}
-{{< include "generated/kubeadm_config_images_list.md" >}}
-
-## kubeadm config images pull {#cmd-config-images-pull}
-{{< include "generated/kubeadm_config_images_pull.md" >}}
-
-## {{% heading "whatsnext" %}}
-
-<!--
-* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a Kubernetes cluster to a newer version
--->
-
-* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
-  将 Kubernetes 集群升级到更新版本 [kubeadm upgrade]
-
-
diff --git a/content/zh/docs/setup/production-environment/container-runtimes.md b/content/zh/docs/setup/production-environment/container-runtimes.md
deleted file mode 100644
index 03380bae14a1d..0000000000000
--- a/content/zh/docs/setup/production-environment/container-runtimes.md
+++ /dev/null
@@ -1,696 +0,0 @@
----
-title: 容器运行时
-content_type: concept
-weight: 20
----
-<!--
-reviewers:
-- vincepri
-- bart0sh
-title: Container runtimes
-content_type: concept
-weight: 20
--->
-
-<!-- overview -->
-
-<!-- 
-You need to install a
-{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-into each node in the cluster so that Pods can run there. This page outlines
-what is involved and describes related tasks for setting up nodes.
- -->
-你需要在集群内每个节点上安装一个
-{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}
-以使 Pod 可以运行在上面。本文概述了所涉及的内容并描述了与节点设置相关的任务。
-
-<!-- body -->
-
-<!-- 
-This page lists details for using several common container runtimes with
-Kubernetes, on Linux:
- -->
-本文列出了在 Linux 上结合 Kubernetes 使用的几种通用容器运行时的详细信息： 
-
-- [containerd](#containerd)
-- [CRI-O](#cri-o)
-- [Docker](#docker)
-
-<!-- 
-{{< note >}}
-For other operating systems, look for documentation specific to your platform.
-{{< /note >}}
- -->
-提示：对于其他操作系统，请查阅特定于你所使用平台的相关文档。
-
-<!--
-## Cgroup drivers
--->
-## Cgroup 驱动程序
-
-<!--
-Control groups are used to constrain resources that are allocated to processes.
-
-When [systemd](https://www.freedesktop.org/wiki/Software/systemd/) is chosen as the init
-system for a Linux distribution, the init process generates and consumes a root control group
-(`cgroup`) and acts as a cgroup manager.
-Systemd has a tight integration with cgroups and allocates a cgroup per systemd unit. It's possible
-to configure your container runtime and the kubelet to use `cgroupfs`. Using `cgroupfs` alongside
-systemd means that there will be two different cgroup managers.
--->
-控制组用来约束分配给进程的资源。
-
-当某个 Linux 系统发行版使用 [systemd](https://www.freedesktop.org/wiki/Software/systemd/)
-作为其初始化系统时，初始化进程会生成并使用一个 root 控制组 (`cgroup`), 并充当 cgroup 管理器。
-Systemd 与 cgroup 集成紧密，并将为每个 systemd 单元分配一个 cgroup。
-你也可以配置容器运行时和 kubelet 使用 `cgroupfs`。
-连同 systemd 一起使用 `cgroupfs` 意味着将有两个不同的 cgroup 管理器。
-
-<!--
-A single cgroup manager simplifies the view of what resources are being allocated
-and will by default have a more consistent view of the available and in-use resources.
-When there are two cgroup managers on a system, you end up with two views of those resources.
-In the field, people have reported cases where nodes that are configured to use `cgroupfs`
-for the kubelet and Docker, but `systemd` for the rest of the processes, become unstable under
-resource pressure.
--->
-单个 cgroup 管理器将简化分配资源的视图，并且默认情况下将对可用资源和使用
-中的资源具有更一致的视图。
-当有两个管理器共存于一个系统中时，最终将对这些资源产生两种视图。
-在此领域人们已经报告过一些案例，某些节点配置让 kubelet 和 docker 使用
-`cgroupfs`，而节点上运行的其余进程则使用 systemd; 这类节点在资源压力下
-会变得不稳定。
-
-<!--
-Changing the settings such that your container runtime and kubelet use `systemd` as the cgroup driver
-stabilized the system. To configure this for Docker, set `native.cgroupdriver=systemd`.
--->
-更改设置，令容器运行时和 kubelet 使用 `systemd` 作为 cgroup 驱动，以此使系统更为稳定。
-对于 Docker, 设置 `native.cgroupdriver=systemd` 选项。
-
-<!--
-{{< caution >}}
-Changing the cgroup driver of a Node that has joined a cluster is a sensitive operation. 
-If the kubelet has created Pods using the semantics of one cgroup driver, changing the container
-runtime to another cgroup driver can cause errors when trying to re-create the Pod sandbox
-for such existing Pods. Restarting the kubelet may not solve such errors.
-
-If you have automation that makes it feasible, replace the node with another using the updated
-configuration, or reinstall it using automation.
-{{< /caution >}}
--->
-注意：更改已加入集群的节点的 cgroup 驱动是一项敏感的操作。
-如果 kubelet 已经使用某 cgroup 驱动的语义创建了 pod，更改运行时以使用
-别的 cgroup 驱动，当为现有 Pods 重新创建 PodSandbox 时会产生错误。
-重启 kubelet 也可能无法解决此类问题。
-如果你有切实可行的自动化方案，使用其他已更新配置的节点来替换该节点，
-或者使用自动化方案来重新安装。
-
-<!--
-## Cgroup v2
-
-Cgroup v2 is the next version of the cgroup Linux API.  Differently than cgroup v1, there is a single
-hierarchy instead of a different one for each controller.
--->
-## Cgroup v2
-Cgroup v2 是 cgroup Linux API 的下一个版本。与 cgroup v1 不同的是，
-Cgroup v2 只有一个层次结构，而不是每个控制器有一个不同的层次结构。
-
-<!--
-The new version offers several improvements over cgroup v1, some of these improvements are:
-
-- cleaner and easier to use API
-- safe sub-tree delegation to containers
-- newer features like Pressure Stall Information
--->
-新版本对 cgroup v1 进行了多项改进，其中一些改进是：
-
-- 更简洁、更易于使用的 API
-- 可将安全子树委派给容器
-- 更新的功能，如压力失速信息（Pressure Stall Information）
-
-<!--
-Even if the kernel supports a hybrid configuration where some controllers are managed by cgroup v1
-and some others by cgroup v2, Kubernetes supports only the same cgroup version to manage all the
-controllers.
-
-If systemd doesn't use cgroup v2 by default, you can configure the system to use it by adding
-`systemd.unified_cgroup_hierarchy=1` to the kernel command line.
--->
-尽管内核支持混合配置，即其中一些控制器由 cgroup v1 管理，另一些由 cgroup v2 管理，
-Kubernetes 仅支持使用同一 cgroup 版本来管理所有控制器。
-
-如果 systemd 默认不使用 cgroup v2，你可以通过在内核命令行中添加 
-`systemd.unified_cgroup_hierarchy=1` 来配置系统去使用它。
-
-```shell
-# dnf install -y grubby && \
-  sudo grubby \
-  --update-kernel=ALL \
-  --args="systemd.unified_cgroup_hierarchy=1"
-```
-
-<!--
-To apply the configuration, it is necessary to reboot the node.
-
-There should not be any noticeable difference in the user experience when switching to cgroup v2, unless
-users are accessing the cgroup file system directly, either on the node or from within the containers.
-
-In order to use it, cgroup v2 must be supported by the CRI runtime as well.
--->
-要应用配置，必须重新启动节点。
-
-切换到 cgroup v2 时，用户体验不应有任何明显差异，
-除非用户直接在节点上或在容器内访问 cgroup 文件系统。
-为了使用它，CRI 运行时也必须支持 cgroup v2。
-
-<!-- 
-### Migrating to the `systemd` driver in kubeadm managed clusters
--->
-### 将 kubeadm 托管的集群迁移到 `systemd` 驱动
-
-<!-- 
-Follow this [Migration guide](/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver)
-if you wish to migrate to the `systemd` cgroup driver in existing kubeadm managed clusters.
--->
-如果你想迁移到现有 kubeadm 托管集群中的 `systemd` cgroup 驱动程序，
-遵循此[迁移指南](/zh/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver)。
-
-<!-- 
-## Container runtimes
- -->
-## 容器运行时
-
-{{% thirdparty-content %}}
-
-### containerd
-
-<!--
-This section contains the necessary steps to use containerd as CRI runtime.
-
-Use the following commands to install Containerd on your system:
-
-Install and configure prerequisites:
--->
-本节包含使用 containerd 作为 CRI 运行时的必要步骤。
-
-使用以下命令在系统上安装 Containerd：
-
-安装和配置的先决条件：
-
-```shell
-cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
-overlay
-br_netfilter
-EOF
-
-sudo modprobe overlay
-sudo modprobe br_netfilter
-
-# 设置必需的 sysctl 参数，这些参数在重新启动后仍然存在。
-cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
-net.bridge.bridge-nf-call-iptables  = 1
-net.ipv4.ip_forward                 = 1
-net.bridge.bridge-nf-call-ip6tables = 1
-EOF
-
-# 应用 sysctl 参数而无需重新启动
-sudo sysctl --system
-```
-
-<!--
-Install containerd:
--->
-安装 containerd:
-
-{{< tabs name="tab-cri-containerd-installation" >}}
-{{% tab name="Linux" %}}
-
-<!--
-1. Install the `containerd.io` package from the official Docker repositories.
-   Instructions for setting up the Docker repository for your respective Linux distribution and
-   installing the `containerd.io` package can be found at
-   [Install Docker Engine](https://docs.docker.com/engine/install/#server).
--->
-1. 从官方Docker仓库安装 `containerd.io` 软件包。可以在
-   [安装 Docker 引擎](https://docs.docker.com/engine/install/#server)
-   中找到有关为各自的 Linux 发行版设置 Docker 存储库和安装 `containerd.io`
-   软件包的说明。
-
-<!--
-2. Configure containerd:
--->
-2. 配置 containerd：
-
-   ```shell
-   sudo mkdir -p /etc/containerd
-   containerd config default | sudo tee /etc/containerd/config.toml
-   ```
-
-<!--
-3. Restart containerd:
--->
-3. 重新启动 containerd:
-
-   ```shell
-   sudo systemctl restart containerd
-   ```
-
-{{% /tab %}}
-{{% tab name="Windows (PowerShell)" %}}
-
-<!--
-Start a Powershell session, set `$Version` to the desired version (ex: `$Version=1.4.3`),
-and then run the following commands:
--->
-启动 Powershell 会话，将 `$Version` 设置为所需的版本（例如：`$Version=1.4.3`），
-然后运行以下命令：
-
-<!--
-1. Download containerd:
--->
-1. 下载 containerd：
-
-   ```powershell
-   curl.exe -L https://github.com/containerd/containerd/releases/download/v$Version/containerd-$Version-windows-amd64.tar.gz -o containerd-windows-amd64.tar.gz
-   tar.exe xvf .\containerd-windows-amd64.tar.gz
-   ```
-<!--
-2. Extract and configure:
--->
-2. 提取并配置：
-
-   ```powershell
-   Copy-Item -Path ".\bin\" -Destination "$Env:ProgramFiles\containerd" -Recurse -Force
-   cd $Env:ProgramFiles\containerd\
-   .\containerd.exe config default | Out-File config.toml -Encoding ascii
-
-   # 检查配置。根据你的配置，可能需要调整：
-   # - sandbox_image (Kubernetes pause 镜像)
-   # - cni bin_dir 和 conf_dir 位置
-   Get-Content config.toml
-
-   # (可选 - 不过强烈建议) 禁止 Windows Defender 扫描 containerd
-   Add-MpPreference -ExclusionProcess "$Env:ProgramFiles\containerd\containerd.exe"
-   ```
-<!--
-3. Start containerd:
--->
-3. 启动 containerd:
-
-   ```powershell
-   .\containerd.exe --register-service
-   Start-Service containerd
-   ```
-
-{{% /tab %}}
-{{< /tabs >}}
-
-<!-- 
-#### Using the `systemd` cgroup driver {#containerd-systemd}
---> 
-
-#### 使用 `systemd` cgroup 驱动程序 {#containerd-systemd}
-
-<!-- 
-To use the `systemd` cgroup driver in `/etc/containerd/config.toml` with `runc`, set
--->
-结合 `runc` 使用 `systemd` cgroup 驱动，在 `/etc/containerd/config.toml` 中设置 
-
-```
-[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-  ...
-  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
-    SystemdCgroup = true
-```
-
-<!--
-If you apply this change make sure to restart containerd again:
--->
-如果您应用此更改，请确保再次重新启动 containerd：
-
-```shell
-sudo systemctl restart containerd
-```
-
-<!--
-When using kubeadm, manually configure the
-[cgroup driver for kubelet](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#configure-cgroup-driver-used-by-kubelet-on-control-plane-node).
--->
-当使用 kubeadm 时，请手动配置
-[kubelet 的 cgroup 驱动](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#configure-cgroup-driver-used-by-kubelet-on-control-plane-node).
-
-### CRI-O
-
-<!--
-This section contains the necessary steps to install CRI-O as a container runtime.
-
-Use the following commands to install CRI-O on your system:
--->
-本节包含安装 CRI-O 作为容器运行时的必要步骤。
-
-使用以下命令在系统中安装 CRI-O：
-
-{{< note >}}
-<!--
-The CRI-O major and minor versions must match the Kubernetes major and minor versions.
-For more information, see the [CRI-O compatibility matrix](https://github.com/cri-o/cri-o#compatibility-matrix-cri-o--kubernetes).
--->
-CRI-O 的主要以及次要版本必须与 Kubernetes 的主要和次要版本相匹配。
-更多信息请查阅
-[CRI-O 兼容性列表](https://github.com/cri-o/cri-o#compatibility-matrix-cri-o--kubernetes)。
-{{< /note >}}
-
-<!--
-Install and configure prerequisites:
--->
-安装并配置前置环境：
-
-```shell
-
-# 创建 .conf 文件以在启动时加载模块
-cat <<EOF | sudo tee /etc/modules-load.d/crio.conf
-overlay
-br_netfilter
-EOF
-
-sudo modprobe overlay
-sudo modprobe br_netfilter
-
-# 配置 sysctl 参数，这些配置在重启之后仍然起作用
-cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
-net.bridge.bridge-nf-call-iptables  = 1
-net.ipv4.ip_forward                 = 1
-net.bridge.bridge-nf-call-ip6tables = 1
-EOF
-
-sudo sysctl --system
-```
-
-{{< tabs name="tab-cri-cri-o-installation" >}}
-{{% tab name="Debian" %}}
-
-<!-- 
-To install CRI-O on the following operating systems, set the environment variable `OS`
-to the appropriate value from the following table:
-
-| Operating system | `$OS`             |
-| ---------------- | ----------------- |
-| Debian Unstable  | `Debian_Unstable` |
-| Debian Testing   | `Debian_Testing`  |
-
-<br />
-Then, set `$VERSION` to the CRI-O version that matches your Kubernetes version.
-For instance, if you want to install CRI-O 1.20, set `VERSION=1.20`.
-You can pin your installation to a specific release.
-To install version 1.20.0, set `VERSION=1.20:1.20.0`.
-<br />
-
-Then run
--->
-在下列操作系统上安装 CRI-O, 使用下表中合适的值设置环境变量 `OS`:
-
-| 操作系统          | `$OS`             |
-| ---------------- | ----------------- |
-| Debian Unstable  | `Debian_Unstable` |
-| Debian Testing   | `Debian_Testing`  |
-
-<br />
-然后，将 `$VERSION` 设置为与你的 Kubernetes 相匹配的 CRI-O 版本。
-例如，如果你要安装 CRI-O 1.20, 请设置 `VERSION=1.20`.
-你也可以安装一个特定的发行版本。
-例如要安装 1.20.0 版本，设置 `VERSION=1.20.0:1.20.0`.
-<br />
-
-然后执行
-
-```shell
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /
-EOF
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
-deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /
-EOF
-
-curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add -
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add -
-
-sudo apt-get update
-sudo apt-get install cri-o cri-o-runc
-```
-
-{{% /tab %}}
-
-{{% tab name="Ubuntu" %}}
-
-<!-- 
-To install on the following operating systems, set the environment variable `OS`
-to the appropriate field in the following table:
-
-| Operating system | `$OS`             |
-| ---------------- | ----------------- |
-| Ubuntu 20.04     | `xUbuntu_20.04`   |
-| Ubuntu 19.10     | `xUbuntu_19.10`   |
-| Ubuntu 19.04     | `xUbuntu_19.04`   |
-| Ubuntu 18.04     | `xUbuntu_18.04`   |
-
-<br />
-Then, set `$VERSION` to the CRI-O version that matches your Kubernetes version.
-For instance, if you want to install CRI-O 1.20, set `VERSION=1.20`.
-You can pin your installation to a specific release.
-To install version 1.20.0, set `VERSION=1.20:1.20.0`.
-<br />
-
-Then run
--->
-在下列操作系统上安装 CRI-O, 使用下表中合适的值设置环境变量 `OS`:
-
-| 操作系统          | `$OS`             |
-| ---------------- | ----------------- |
-| Ubuntu 20.04     | `xUbuntu_20.04`   |
-| Ubuntu 19.10     | `xUbuntu_19.10`   |
-| Ubuntu 19.04     | `xUbuntu_19.04`   |
-| Ubuntu 18.04     | `xUbuntu_18.04`   |
-
-<br />
-然后，将 `$VERSION` 设置为与你的 Kubernetes 相匹配的 CRI-O 版本。
-例如，如果你要安装 CRI-O 1.20, 请设置 `VERSION=1.20`.
-你也可以安装一个特定的发行版本。
-例如要安装 1.20.0 版本，设置 `VERSION=1.20:1.20.0`.
-<br />
-
-然后执行
-
-```shell
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /
-EOF
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
-deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /
-EOF
-
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add -
-curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers-cri-o.gpg add -
-
-sudo apt-get update
-sudo apt-get install cri-o cri-o-runc
-```
- 
-{{% /tab %}}
-
-{{% tab name="CentOS" %}}
-
-<!-- 
-To install on the following operating systems, set the environment variable `OS`
-to the appropriate field in the following table:
-
-| Operating system | `$OS`             |
-| ---------------- | ----------------- |
-| Centos 8         | `CentOS_8`        |
-| Centos 8 Stream  | `CentOS_8_Stream` |
-| Centos 7         | `CentOS_7`        |
-
-<br />
-Then, set `$VERSION` to the CRI-O version that matches your Kubernetes version.
-For instance, if you want to install CRI-O 1.20, set `VERSION=1.20`.
-You can pin your installation to a specific release.
-To install version 1.20.0, set `VERSION=1.20:1.20.0`.
-<br />
-
-Then run
--->
-在下列操作系统上安装 CRI-O, 使用下表中合适的值设置环境变量 `OS`:
-
-| 操作系统          | `$OS`             |
-| ---------------- | ----------------- |
-| Centos 8         | `CentOS_8`        |
-| Centos 8 Stream  | `CentOS_8_Stream` |
-| Centos 7         | `CentOS_7`        |
-
-<br />
-然后，将 `$VERSION` 设置为与你的 Kubernetes 相匹配的 CRI-O 版本。
-例如，如果你要安装 CRI-O 1.20, 请设置 `VERSION=1.20`.
-你也可以安装一个特定的发行版本。
-例如要安装 1.20.0 版本，设置 `VERSION=1.20:1.20.0`.
-<br />
-
-然后执行
-
-```shell
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/devel:kubic:libcontainers:stable.repo
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo
-sudo yum install cri-o
-```
-
-{{% /tab %}}
-
-{{% tab name="openSUSE Tumbleweed" %}}
-
-```shell
-sudo zypper install cri-o
-```
-{{% /tab %}}
-{{% tab name="Fedora" %}}
-
-<!-- 
-Set `$VERSION` to the CRI-O version that matches your Kubernetes version.
-For instance, if you want to install CRI-O 1.20, `VERSION=1.20`.
-
-You can find available versions with:
-```shell
-sudo dnf module list cri-o
-```
-CRI-O does not support pinning to specific releases on Fedora.
-
-Then run
--->
-将 `$VERSION` 设置为与你的 Kubernetes 相匹配的 CRI-O 版本。
-例如，如果要安装 CRI-O 1.20，请设置 `VERSION=1.20`。
-你可以用下列命令查找可用的版本：
-
-```shell
-sudo dnf module list cri-o
-```
-
-CRI-O 不支持在 Fedora 上固定到特定的版本。
-
-然后执行
-
-```shell
-sudo dnf module enable cri-o:$VERSION
-sudo dnf install cri-o --now
-```
-
-{{% /tab %}}
-{{< /tabs >}}
-
-<!-- 
-Start CRI-O:
--->
-启动 CRI-O：
-
-```shell
-sudo systemctl daemon-reload
-sudo systemctl enable crio --now
-```
-
-<!--
-Refer to the [CRI-O installation guide](https://github.com/cri-o/cri-o/blob/master/install.md)
-for more information.
- -->
-参阅[CRI-O 安装指南](https://github.com/cri-o/cri-o/blob/master/install.md)
-了解进一步的详细信息。
-
-<!--
-#### cgroup driver
-
-CRI-O uses the systemd cgroup driver per default. To switch to the `cgroupfs`
-cgroup driver, either edit `/etc/crio/crio.conf` or place a drop-in
-configuration in `/etc/crio/crio.conf.d/02-cgroup-manager.conf`, for example:
--->
-#### cgroup 驱动
-
-默认情况下，CRI-O 使用 systemd cgroup 驱动程序。要切换到 `cgroupfs`
-驱动程序，或者编辑 `/ etc / crio / crio.conf` 或放置一个插件
-在 `/etc/crio/crio.conf.d/02-cgroup-manager.conf` 中的配置，例如：
-
-```toml
-[crio.runtime]
-conmon_cgroup = "pod"
-cgroup_manager = "cgroupfs"
-```
-
-<!-- 
-Please also note the changed `conmon_cgroup`, which has to be set to the value
-`pod` when using CRI-O with `cgroupfs`. It is generally necessary to keep the
-cgroup driver configuration of the kubelet (usually done via kubeadm) and CRI-O
-in sync.
- -->
-另请注意更改后的 `conmon_cgroup`，将 CRI-O 与 `cgroupfs` 一起使用时，
-必须将其设置为 `pod`。通常有必要保持 kubelet 的 cgroup 驱动程序配置
-（通常透过 kubeadm 完成）和 CRI-O 一致。
-
-### Docker
-
-<!--
-1. On each of your nodes, install the Docker for your Linux distribution as per
-   [Install Docker Engine](https://docs.docker.com/engine/install/#server).
-   You can find the latest validated version of Docker in this
-   [dependencies](https://git.k8s.io/kubernetes/build/dependencies.yaml) file.
- -->
-1. 在每个节点上，根据[安装 Docker 引擎](https://docs.docker.com/engine/install/#server)
-   为你的 Linux 发行版安装 Docker。
-   你可以在此文件中找到最新的经过验证的 Docker 版本
-   [依赖关系](https://git.k8s.io/kubernetes/build/dependencies.yaml)。
-
-<!--
-2. Configure the Docker daemon, in particular to use systemd for the management of the container’s cgroups.
- -->
-2. 配置 Docker 守护程序，尤其是使用 systemd 来管理容器的 cgroup。
-
-   ```shell
-   sudo mkdir /etc/docker
-   cat <<EOF | sudo tee /etc/docker/daemon.json
-   {
-     "exec-opts": ["native.cgroupdriver=systemd"],
-     "log-driver": "json-file",
-     "log-opts": {
-       "max-size": "100m"
-     },
-     "storage-driver": "overlay2"
-   }
-   EOF
-   ```
-
-   {{< note >}}
-   <!--
-   `overlay2` is the preferred storage driver for systems running Linux kernel version 4.0 or higher,
-   or RHEL or CentOS using version 3.10.0-514 and above.
-   -->
-   对于运行 Linux 内核版本 4.0 或更高版本，或使用 3.10.0-51 及更高版本的 RHEL
-   或 CentOS 的系统，`overlay2`是首选的存储驱动程序。
-   {{< /note >}}
-
-<!--
-3. Restart Docker and enable on boot:
--->
-3. 重新启动 Docker 并在启动时启用：
-
-   ```shell
-   sudo systemctl enable docker
-   sudo systemctl daemon-reload
-   sudo systemctl restart docker
-   ```
-
-{{< note >}}
-<!--
-For more information refer to
-  - [Configure the Docker daemon](https://docs.docker.com/config/daemon/)
-  - [Control Docker with systemd](https://docs.docker.com/config/daemon/systemd/)
--->
-有关更多信息，请参阅
-
-- [配置 Docker 守护程序](https://docs.docker.com/config/daemon/)
-- [使用 systemd 控制 Docker](https://docs.docker.com/config/daemon/systemd/)
-{{< /note >}}
-
diff --git a/content/zh/docs/setup/production-environment/windows/_index.md b/content/zh/docs/setup/production-environment/windows/_index.md
deleted file mode 100644
index 79e0cab400813..0000000000000
--- a/content/zh/docs/setup/production-environment/windows/_index.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: "Windows Kubernetes"
-weight: 50
----
diff --git a/content/zh/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md b/content/zh/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
deleted file mode 100644
index 286ede85a4182..0000000000000
--- a/content/zh/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
+++ /dev/null
@@ -1,2359 +0,0 @@
----
-title: Kubernetes 对 Windows 的支持
-content_type: concept
-weight: 65
----
-<!--
-reviewers:
-- jayunit100
-- jsturtevant
-- marosset
-- perithompson
-title: Intro to Windows support in Kubernetes
-content_type: concept
-weight: 65
--->
-
-<!-- overview -->
-
-<!--
-Windows applications constitute a large portion of the services and
-applications that run in many organizations.
-[Windows containers](https://aka.ms/windowscontainers) provide a modern way to
-encapsulate processes and package dependencies, making it easier to use DevOps
-practices and follow cloud native patterns for Windows applications.
-Kubernetes has become the defacto standard container orchestrator, and the
-release of Kubernetes 1.14 includes production support for scheduling Windows
-containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem
-of Windows applications to leverage the power of Kubernetes. Organizations
-with investments in Windows-based applications and Linux-based applications
-don't have to look for separate orchestrators to manage their workloads,
-leading to increased operational efficiencies across their deployments,
-regardless of operating system.
--->
-在很多组织中，其服务和应用的很大比例是 Windows 应用。
-[Windows 容器](https://aka.ms/windowscontainers)提供了一种对进程和包依赖关系
-进行封装的现代方式，这使得用户更容易采用 DevOps 实践，令 Windows 应用同样遵从
-云原生模式。
-Kubernetes 已经成为事实上的标准容器编排器，Kubernetes 1.14 发行版本中包含了将
-Windows 容器调度到 Kubernetes 集群中 Windows 节点上的生产级支持，从而使得巨大
-的 Windows 应用生态圈能够充分利用 Kubernetes 的能力。
-对于同时投入基于 Windows 应用和 Linux 应用的组织而言，他们不必寻找不同的编排系统
-来管理其工作负载，其跨部署的运维效率得以大幅提升，而不必关心所用操作系统。 
-
-<!-- body -->
-
-<!--
-## Windows containers in Kubernetes
-
-To enable the orchestration of Windows containers in Kubernetes, include
-Windows nodes in your existing Linux cluster. Scheduling Windows containers in
-{{< glossary_tooltip text="Pods" term_id="pod" >}} on Kubernetes is similar to
-scheduling Linux-based containers.
--->
-## kubernetes 中的 Windows 容器  {#windows-containers-in-kubernetes}
-
-若要在 Kubernetes 中启用对 Windows 容器的编排，可以在现有的 Linux 集群中
-包含 Windows 节点。在 Kubernetes 上调度 {{< glossary_tooltip text="Pods" term_id="pod" >}}
-中的 Windows 容器与调用基于 Linux 的容器类似。
-
-<!--
-In order to run Windows containers, your Kubernetes cluster must include
-multiple operating systems, with control plane nodes running Linux and workers
-running either Windows or Linux depending on your workload needs. Windows
-Server 2019 is the only Windows operating system supported, enabling
-[Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node)
-on Windows (including kubelet,
-[container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd),
-and kube-proxy). For a detailed explanation of Windows distribution channels
-see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19).
--->
-为了运行 Windows 容器，你的 Kubernetes 集群必须包含多个操作系统，控制面
-节点运行 Linux，工作节点则可以根据负载需要运行 Windows 或 Linux。
-Windows Server 2019 是唯一被支持的 Windows 操作系统，在 Windows 上启用
-[Kubernetes 节点](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node)
-支持（包括 kubelet, [容器运行时](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd)、
-以及 kube-proxy）。关于 Windows 发行版渠道的详细讨论，可参见
-[Microsoft 文档](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19)。
-
-<!--
-The Kubernetes control plane, including the
-[master components](/docs/concepts/overview/components/),
-continues to run on Linux. 
-There are no plans to have a Windows-only Kubernetes cluster.
--->
-{{< note >}}
-Kubernetes 控制面，包括[主控组件](/zh/docs/concepts/overview/components/)，
-继续在 Linux 上运行。
-目前没有支持完全是 Windows 节点的 Kubernetes 集群的计划。
-{{< /note >}}
-
-<!--
-In this document, when we talk about Windows containers we mean Windows
-containers with process isolation. Windows containers with
-[Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container)
-is planned for a future release.
--->
-{{< note >}}
-在本文中，当我们讨论 Windows 容器时，我们所指的是具有进程隔离能力的 Windows
-容器。具有 [Hyper-V 隔离能力](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container)
-的 Windows 容器计划在将来发行版本中推出。
-{{< /note >}}
-
-<!--
-## Supported Functionality and Limitations
-
-### Supported Functionality
-
-#### Windows OS Version Support
-
-Refer to the following table for Windows operating system support in
-Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows
-and Linux worker nodes. Windows containers have to be scheduled on Windows
-nodes and Linux containers on Linux nodes.
--->
-## 支持的功能与局限性  {#supported-functionality-and-limitations}
-
-### 支持的功能    {#supported-functionality}
-
-#### Windows 操作系统版本支持    {#windows-os-version-support}
-
-参考下面的表格，了解 Kubernetes 中支持的 Windows 操作系统。
-同一个异构的 Kubernetes 集群中可以同时包含 Windows 和 Linux 工作节点。
-Windows 容器仅能调度到 Windows 节点，Linux 容器则只能调度到 Linux 节点。
-
-| Kubernetes 版本 | Windows Server LTSC 版本 | Windows Server SAC 版本 |
-| --- | --- | --- | --- |
-| *Kubernetes v1.20* | Windows Server 2019 | Windows Server ver 1909, Windows Server ver 2004 |
-| *Kubernetes v1.21* | Windows Server 2019 | Windows Server ver 2004, Windows Server ver 20H2 |
-| *Kubernetes v1.22* | Windows Server 2019 | Windows Server ver 2004, Windows Server ver 20H2 |
-
-<!--
-Information on the different Windows Server servicing channels including their
-support models can be found at
-[Windows Server servicing channels](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19).
--->
-关于不同的 Windows Server 版本的服务渠道，包括其支持模式等相关信息可以在
-[Windows Server servicing channels](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19)
-找到。
-
-<!--
-We don't expect all Windows customers to update the operating system for their
-apps frequently. Upgrading your applications is what dictates and necessitates
-upgrading or introducing new nodes to the cluster. For the customers that
-chose to upgrade their operating system for containers running on Kubernetes,
-we will offer guidance and step-by-step instructions when we add support for a
-new operating system version. This guidance will include recommended upgrade
-procedures for upgrading user applications together with cluster nodes.
-Windows nodes adhere to Kubernetes
-[version-skew policy](/docs/setup/release/version-skew-policy/) (node to control plane
-versioning) the same way as Linux nodes do today.
--->
-我们并不指望所有 Windows 客户都为其应用频繁地更新操作系统。
-对应用的更新是向集群中引入新代码的根本原因。
-对于想要更新运行于 Kubernetes 之上的容器中操作系统的客户，我们会在添加对新
-操作系统版本的支持时提供指南和分步的操作指令。
-该指南会包含与集群节点一起来升级用户应用的建议升级步骤。
-Windows 节点遵从 Kubernetes
-[版本偏差策略](/zh/docs/setup/release/version-skew-policy/)（节点到控制面的
-版本控制），与 Linux 节点的现行策略相同。
-
-<!--
-The Windows Server Host Operating System is subject to the
-[Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing)
-licensing. The Windows Container images are subject to the
-[Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula).
--->
-Windows Server 主机操作系统会受
-[Windows Server](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing)
-授权策略控制。Windows 容器镜像则遵从
-[Windows 容器的补充授权条款](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula)
-约定。
-
-<!--
-Windows containers with process isolation have strict compatibility rules,
-[where the host OS version must match the container base image OS version](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility).
-Once we support Windows containers with Hyper-V isolation in Kubernetes, the
-limitation and compatibility rules will change.
--->
-带进程隔离的 Windows 容器受一些严格的兼容性规则约束，
-[其中宿主 OS 版本必须与容器基准镜像的 OS 版本相同](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility)。
-一旦我们在 Kubernetes 中支持带 Hyper-V 隔离的 Windows 容器，
-这一约束和兼容性规则也会发生改变。
-
-<!--
-#### Pause Image
-
-Kubernetes maintains a multi-architecture image that includes support for Windows.
-For Kubernetes v1.22 the recommended pause image is `k8s.gcr.io/pause:3.5`.
-The [source code](https://github.com/kubernetes/kubernetes/tree/master/build/pause)
-is available on GitHub.
-
-Microsoft maintains a multi-architecture image with Linux and Windows amd64 support at `mcr.microsoft.com/oss/kubernetes/pause:3.5`.
-This image is built from the same source as the Kubernetes maintained image but all of the Windows binaries are [authenticode signed](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode) by Microsoft.
-The Microsoft maintained image is recommended for production environments when signed binaries are required.
--->
-#### Pause 镜像   {#pause-image}
-
-Kubernetes 维护着一个多体系结构镜像，其中包括对 Windows 的支持。
-对于 Kubernetes v1.22，推荐的 pause 镜像是 `k8s.gcr.io/pause:3.5`。
-[源代码](https://github.com/kubernetes/kubernetes/tree/master/build/pause)可在 GitHub 上找到。
-
-Microsoft 维护了一个支持 Linux 和 Windows amd64 的多体系结构镜像： `mcr.microsoft.com/oss/kubernetes/pause:3.5`。
-此镜像与 Kubernetes 维护的镜像是从同一来源构建，但所有 Windows 二进制文件
-均由 Microsoft [签名](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode)。
-当生产环境需要被签名的二进制文件时，建议使用 Microsoft 维护的镜像。
-
-<!--
-#### Compute
-
-From an API and kubectl perspective, Windows containers behave in much the
-same way as Linux-based containers. However, there are some notable
-differences in key functionality which are outlined in the
-[limitation section](#limitations).
--->
-#### 计算    {#compute}
-
-从 API 和 kubectl 的角度，Windows 容器的表现在很大程度上与基于 Linux 的容器
-是相同的。不过也有一些与关键功能相关的差别值得注意，这些差别列举于
-[局限性](#limitations)小节中。
-
-<!--
-Key Kubernetes elements work the same way in Windows as they do in Linux. In
-this section, we talk about some of the key workload enablers and how they map
-to Windows.
--->
-关键性的 Kubernetes 元素在 Windows 下与其在 Linux 下工作方式相同。我们在本节中
-讨论一些关键性的负载支撑组件及其在 Windows 中的映射。
-
-* [Pods](/zh/docs/concepts/workloads/pods/)
-
-  <!--
-  A Pod is the basic building block of Kubernetes–the smallest and simplest
-  unit in the Kubernetes object model that you create or deploy. You may not
-  deploy Windows and Linux containers in the same Pod. All containers in a Pod
-  are scheduled onto a single Node where each Node represents a specific
-  platform and architecture. The following Pod capabilities, properties and
-  events are supported with Windows containers:
-  -->
-  Pod 是 Kubernetes 中最基本的构造模块，是 Kubernetes 对象模型中你可以创建或部署的
-  最小、最简单元。你不可以在同一 Pod 中部署 Windows 和 Linux 容器。
-  Pod 中的所有容器都会被调度到同一节点（Node），而每个节点代表的是一种特定的平台
-  和体系结构。Windows 容器支持 Pod 的以下能力、属性和事件：
-
-  <!--
-  * Single or multiple containers per Pod with process isolation and volume sharing
-  * Pod status fields
-  * Readiness and Liveness probes
-  * postStart & preStop container lifecycle events
-  * ConfigMap, Secrets: as environment variables or volumes
-  * EmptyDir
-  * Named pipe host mounts
-  * Resource limits
-  -->
-  * 在带进程隔离和卷共享支持的 Pod 中运行一个或多个容器
-  * Pod 状态字段
-  * 就绪态（Readiness）和活跃性（Liveness）探针
-  * postStart 和 preStop 容器生命周期事件
-  * ConfigMap、Secrets：用作环境变量或卷
-  * emptyDir 卷
-  * 从宿主系统挂载命名管道
-  * 资源限制
-
-* [控制器（Controllers）](/zh/docs/concepts/workloads/controllers/)
-
-  <!--
-  Kubernetes controllers handle the desired state of Pods. The following
-  workload controllers are supported with Windows containers:
-  -->
-  Kubernetes 控制器处理 Pod 的期望状态。Windows 容器支持以下负载控制器：
-
-  * ReplicaSet
-  * ReplicationController
-  * Deployment
-  * StatefulSet
-  * DaemonSet
-  * Job
-  * CronJob
-
-* [服务（Services）](/zh/docs/concepts/services-networking/service/)
-
-  <!--
-  A Kubernetes Service is an abstraction which defines a logical set of Pods
-  and a policy by which to access them - sometimes called a micro-service. You
-  can use services for cross-operating system connectivity. In Windows, services
-  can utilize the following types, properties and capabilities:
-  -->
-  Kubernetes Service 是一种抽象对象，用来定义 Pod 的一个逻辑集合及用来访问这些
-  Pod 的策略。Service 有时也称作微服务（Micro-service）。你可以使用服务来实现
-  跨操作系统的连接。在 Windows 系统中，服务可以使用下面的类型、属性和能力：
-
-  * Service 环境变量
-  * NodePort
-  * ClusterIP
-  * LoadBalancer
-  * ExternalName
-  * 无头（Headless）服务
-
-<!--
-Pods, Controllers and Services are critical elements to managing Windows
-workloads on Kubernetes. However, on their own they are not enough to enable
-the proper lifecycle management of Windows workloads in a dynamic cloud native
-environment. We added support for the following features:
-
-* Pod and container metrics
-* Horizontal Pod Autoscaler support
-* kubectl Exec
-* Resource Quotas
-* Scheduler preemption
--->
-Pods、控制器和服务是在 Kubernetes 上管理 Windows 负载的关键元素。
-不过，在一个动态的云原生环境中，这些元素本身还不足以用来正确管理
-Windows 负载的生命周期。我们为此添加了如下功能特性：
-
-* Pod 和容器的度量（Metrics）
-* 对水平 Pod 自动扩展的支持
-* 对 kubectl exec 命令的支持
-* 资源配额
-* 调度器抢占
-
-<!--
-#### Container Runtime
-
-##### Docker EE
--->
-#### 容器运行时    {#container-runtime}
-
-##### Docker EE
-
-{{< feature-state for_k8s_version="v1.14" state="stable" >}}
-
-<!--
-Docker EE-basic 19.03+ is the recommended container runtime for all Windows
-Server versions. This works with the dockershim code included in the kubelet.
--->
-Docker EE-basic 19.03+ 是建议所有 Windows Server 版本采用的容器运行时。
-该容器运行时能够与 kubelet 中的 dockershim 代码协同工作。
-
-##### CRI-ContainerD
-
-{{< feature-state for_k8s_version="v1.20" state="stable" >}}
-
-<!--
-{{< glossary_tooltip term_id="containerd" text="ContainerD" >}} 1.4.0+ can
-also be used as the container runtime for Windows Kubernetes nodes.
--->
-{{< glossary_tooltip term_id="containerd" text="ContainerD" >}} 1.4.0+
-也可作为 Windows Kubernetes 节点上的容器运行时。
-
-<!--
-#### Persistent Storage
-
-Kubernetes [volumes](/docs/concepts/storage/volumes/) enable complex
-applications, with data persistence and Pod volume sharing requirements, to be
-deployed on Kubernetes. Management of persistent volumes associated with a
-specific storage back-end or protocol includes actions such as:
-provisioning/de-provisioning/resizing of volumes, attaching/detaching a volume
-to/from a Kubernetes node and mounting/dismounting a volume to/from individual
-containers in a pod that needs to persist data. The code implementing these
-volume management actions for a specific storage back-end or protocol is
-shipped in the form of a Kubernetes volume
-[plugin](/docs/concepts/storage/volumes/#types-of-volumes). The following
-broad classes of Kubernetes volume plugins are supported on Windows:
--->
-#### 持久性存储   {#persistent-storage}
-
-使用 Kubernetes [卷](/zh/docs/concepts/storage/volumes/)，对数据持久性和 Pod 卷
-共享有需求的复杂应用也可以部署到 Kubernetes 上。
-管理与特定存储后端或协议相关的持久卷时，相关的操作包括：对卷的配备（Provisioning）、
-去配（De-provisioning）和调整大小，将卷挂接到 Kubernetes 节点或从节点上解除挂接，
-将卷挂载到需要持久数据的 Pod 中的某容器或从容器上卸载。
-负责实现为特定存储后端或协议实现卷管理动作的代码以 Kubernetes 卷
-[插件](/zh/docs/concepts/storage/volumes/#types-of-volumes)的形式发布。
-Windows 支持以下大类的 Kubernetes 卷插件：
-
-<!--
-##### In-Tree Volume Plugins
-
-Code associated with in-tree volume plugins ship as part of the core
-Kubernetes code base. Deployment of in-tree volume plugins do not require
-installation of additional scripts or deployment of separate containerized
-plugin components. These plugins can handle: provisioning/de-provisioning and
-resizing of volumes in the storage backend, attaching/detaching of volumes
-to/from a Kubernetes node and mounting/dismounting a volume to/from individual
-containers in a pod. The following in-tree plugins support Windows nodes:
--->
-##### 树内卷插件   {#in-tree-volume-plugins}
-
-与树内卷插件（In-Tree Volume Plugin）相关的代码都作为核心 Kubernetes 代码基
-的一部分发布。树内卷插件的部署不需要安装额外的脚本，也不需要额外部署独立的
-容器化插件组件。这些插件可以处理：对应存储后端上存储卷的配备、去配和尺寸更改，
-将卷挂接到 Kubernetes 或从其上解挂，以及将卷挂载到 Pod 中各个容器上或从其上
-卸载。以下树内插件支持 Windows 节点：
-
-* [awsElasticBlockStore](/zh/docs/concepts/storage/volumes/#awselasticblockstore)
-* [azureDisk](/zh/docs/concepts/storage/volumes/#azuredisk)
-* [azureFile](/zh/docs/concepts/storage/volumes/#azurefile)
-* [gcePersistentDisk](/zh/docs/concepts/storage/volumes/#gcepersistentdisk)
-* [vsphereVolume](/zh/docs/concepts/storage/volumes/#vspherevolume)
-
-<!--
-##### FlexVolume Plugins
-
-Code associated with [FlexVolume](/docs/concepts/storage/volumes/#flexVolume)
-plugins ship as out-of-tree scripts or binaries that need to be deployed
-directly on the host. FlexVolume plugins handle attaching/detaching of volumes
-to/from a Kubernetes node and mounting/dismounting a volume to/from individual
-containers in a pod. Provisioning/De-provisioning of persistent volumes
-associated with FlexVolume plugins may be handled through an external
-provisioner that is typically separate from the FlexVolume plugins. The
-following FlexVolume
-[plugins](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows),
-deployed as powershell scripts on the host, support Windows nodes:
--->
-##### FlexVolume 插件   {#flexvolume-plugins}
-
-与 [FlexVolume](/zh/docs/concepts/storage/volumes/#flexVolume) 插件相关的代码是作为
-树外（Out-of-tree）脚本或可执行文件来发布的，因此需要在宿主系统上直接部署。
-FlexVolume 插件处理将卷挂接到 Kubernetes 节点或从其上解挂、将卷挂载到 Pod 中
-各个容器上或从其上卸载等操作。对于与 FlexVolume 插件相关联的持久卷的配备和
-去配操作，可以通过外部的配置程序来处理。这类配置程序通常与 FlexVolume 插件
-相分离。下面的 FlexVolume
-[插件](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)
-可以以 PowerShell 脚本的形式部署到宿主系统上，支持 Windows 节点：
-
-* [SMB](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~smb.cmd)
-* [iSCSI](https://github.com/microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows/plugins/microsoft.com~iscsi.cmd)
-
-<!--
-##### CSI Plugins
--->
-##### CSI 插件   {#csi-plugins}
-
-{{< feature-state for_k8s_version="v1.22" state="stable" >}}
-
-<!--
-Code associated with {{< glossary_tooltip text="CSI" term_id="csi" >}} plugins
-ship as out-of-tree scripts and binaries that are typically distributed as
-container images and deployed using standard Kubernetes constructs like
-DaemonSets and StatefulSets. CSI plugins handle a wide range of volume
-management actions in Kubernetes: provisioning/de-provisioning/resizing of
-volumes, attaching/detaching of volumes to/from a Kubernetes node and
-mounting/dismounting a volume to/from individual containers in a pod,
-backup/restore of persistent data using snapshots and cloning.
--->
-与 {{< glossary_tooltip text="CSI" term_id="csi" >}} 插件相关联的代码作为
-树外脚本和可执行文件来发布且通常发布为容器镜像形式，并使用 DaemonSet 和
-StatefulSet 这类标准的 Kubernetes 构造体来部署。
-CSI 插件处理 Kubernetes 中的很多卷管理操作：对卷的配备、去配和调整大小，
-将卷挂接到 Kubernetes 节点或从节点上解除挂接，将卷挂载到需要持久数据的 Pod
-中的某容器或从容器上卸载，使用快照和克隆来备份或恢复持久数据。
-
-<!--
-CSI plugins communicate with a CSI node plugin which performs the local storage operations.
-On Windows nodes CSI node plugins typically call APIs exposed by the community-managed
-[csi-proxy](https://github.com/kubernetes-csi/csi-proxy) which handles the local storage operations.
-
-Please refer to the deployment guide of the environment where you wish to deploy a Windows CSI plugin
-for further details around installation.
-You may also refer to the following [installation steps](https://github.com/kubernetes-csi/csi-proxy#installation).
--->
-来支持；csi-proxy 是一个社区管理的、独立的可执行文件，需要预安装在每个
-Windows 节点之上。请参考你要部署的 CSI 插件的部署指南以进一步了解其细节。
-
-CSI 插件与执行本地存储操作的 CSI 节点插件通信。
-在 Windows 节点上，CSI 节点插件通常调用处理本地存储操作的 [csi-proxy](https://github.com/kubernetes-csi/csi-proxy) 
-公开的 API, csi-proxy 由社区管理。
-
-有关安装的更多详细信息，请参阅你要部署的 Windows CSI 插件的环境部署指南。
-你也可以参考以下[安装步骤](https://github.com/kubernetes-csi/csi-proxy#installation) 。
-
-<!--
-#### Networking
-
-Networking for Windows containers is exposed through
-[CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/).
-Windows containers function similarly to virtual machines in regards to
-networking. Each container has a virtual network adapter (vNIC) which is
-connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service
-(HNS) and the Host Compute Service (HCS) work together to create containers
-and attach container vNICs to networks. HCS is responsible for the management
-of containers whereas HNS is responsible for the management of networking
-resources such as:
--->
-#### 联网     {#networking}
-
-Windows 容器的联网是通过
-[CNI 插件](/zh/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
-来暴露出来的。Windows 容器的联网行为与虚拟机的联网行为类似。
-每个容器有一块虚拟的网络适配器（vNIC）连接到 Hyper-V 的虚拟交换机（vSwitch）。
-宿主的联网服务（Host Networking Service，HNS）和宿主计算服务（Host Compute
-Service，HCS）协同工作，创建容器并将容器的虚拟网卡连接到网络上。
-HCS 负责管理容器，HNS 则负责管理网络资源，例如：
-
-<!--
-* Virtual networks (including creation of vSwitches)
-* Endpoints / vNICs
-* Namespaces
-* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.)
-
-The following service spec types are supported:
--->
-* 虚拟网络（包括创建 vSwitch）
-* 端点（Endpoint）/ vNIC
-* 名字空间（Namespace）
-* 策略（报文封装、负载均衡规则、访问控制列表、网络地址转译规则等等）
-
-支持的服务规约类型如下：
-
-* NodePort
-* ClusterIP
-* LoadBalancer
-* ExternalName
-
-<!--
-##### Network modes
-
-Windows supports five different networking drivers/modes: L2bridge, L2tunnel,
-Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and
-Linux worker nodes, you need to select a networking solution that is
-compatible on both Windows and Linux. The following out-of-tree plugins are
-supported on Windows, with recommendations on when to use each CNI:
--->
-##### 网络模式    {#network-modes}
-
-Windows 支持五种不同的网络驱动/模式：二层桥接（L2bridge）、二层隧道（L2tunnel）、
-覆盖网络（Overlay）、透明网络（Transparent）和网络地址转译（NAT）。
-在一个包含 Windows 和 Linux 工作节点的异构集群中，你需要选择一种对 Windows 和
-Linux 兼容的联网方案。下面是 Windows 上支持的一些树外插件及何时使用某种
-CNI 插件的建议：
-
-<table>
- <thead>
-  <tr>
-   <th><!--Network Driver-->网络驱动</th>
-   <th><!--Description-->描述</th>
-   <th><!--Container Packet Modifications-->容器报文更改</th>
-   <th><!--Network Plugins-->网络插件</th>
-   <th><!--Network Plugin Characteristics-->网络插件特点</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td>L2bridge</td>
-   <td><!--Containers are attached to an external vSwitch. Containers are attached
-      to the underlay network, although the physical network doesn't need to learn
-      the container. MACs because they are rewritten on ingress/egress.-->
-      容器挂接到外部 vSwitch 上。容器挂接到下层网络之上，但由于容器的 MAC
-      地址在入站和出站时被重写，物理网络不需要这些地址。
-   </td>
-   <td>
-      <!--MAC is rewritten to host MAC, IP may be rewritten to host IP using HNS
-      OutboundNAT policy.-->
-      MAC 地址被重写为宿主系统的 MAC 地址，IP 地址也可能依据 HNS OutboundNAT
-      策略重写为宿主的 IP 地址。     
-   </td>
-   <td>
-    <a href="https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge">win-bridge<a>、
-    <a href="https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md">Azure-CNI</a>、
-    <!--Flannel host-gateway uses win-bridge-->
-    Flannel 宿主网关（host-gateway）使用 win-bridge
-   </td>
-   <td>
-     <!--win-bridge uses L2bridge network mode,
-     connects containers to the underlay of hosts, offering best performance.
-     Requires user-defined routes (UDR) for inter-node connectivity.-->
-     win-bridge 使用二层桥接（L2bridge）网络模式，将容器连接到下层宿主系统上，
-    从而提供最佳性能。需要用户定义的路由（User-Defined Routes，UDR）才能
-    实现节点间的连接。
-   </td>
-  </tr>
-  <tr>
-   <td>L2Tunnel</td>
-   <td>
-    <!--This is a special case of l2bridge, but only used on Azure. All packets
-    are sent to the virtualization host where SDN policy is applied.-->
-    这是二层桥接的一种特殊情形，但仅被用于 Azure 上。
-    所有报文都被发送到虚拟化环境中的宿主机上并根据 SDN 策略进行处理。
-   </td>
-   <td>
-    <!--MAC rewritten, IP visible on the underlay network-->
-    MAC 地址被改写，IP 地址在下层网络上可见。
-   </td>
-   <td>
-    <a href="https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md">Azure-CNI</a>
-   </td>
-   <td>
-     <!-- Azure-CNI allows integration of containers with Azure vNET, and allows them
-      to leverage the set of capabilities that
-      <a href="https://azure.microsoft.com/en-us/services/virtual-network/">Azure Virtual Network</a>
-      provides. For example, securely connect to Azure services or use Azure NSGs.
-      See <a href="https://docs.microsoft.com/en-us/azure/aks/concepts-network#azure-cni-advanced-networking">azure-cni</a>
-      for some examples.-->
-     Azure-CNI 使得容器能够与 Azure vNET 集成，并允许容器利用
-     [Azure 虚拟网络](https://azure.microsoft.com/en-us/services/virtual-network/)
-     所提供的功能特性集合。例如，可以安全地连接到 Azure 服务上或者使用 Azure NSG。
-     你可以参考
-     [azure-cni](https://docs.microsoft.com/en-us/azure/aks/concepts-network#azure-cni-advanced-networking)
-     所提供的一些示例。
-   </td>
-  </tr>
-  <tr>
-   <td><!--Overlay (Overlay networking for Windows in Kubernetes is in <B>Alpha</B> stage)-->覆盖网络（Kubernetes 中为 Windows 提供的覆盖网络支持处于 *alpha* 阶段）</td>
-   <td>
-    <!--Containers are given a vNIC connected to an external vSwitch. Each overlay
-    network gets its own IP subnet, defined by a custom IP prefix.The overlay
-    network driver uses VXLAN encapsulation.-->
-    每个容器会获得一个连接到外部 vSwitch 的虚拟网卡（vNIC）。
-    每个覆盖网络都有自己的、通过定制 IP 前缀来定义的 IP 子网。
-    覆盖网络驱动使用 VxLAN 封装。
-   </td>
-   <td>
-    <!--Encapsulated with an outer header.-->
-    封装于外层包头内。
-   </td>
-   <td>
-    <a href="https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay">Win-overlay</a>、
-    Flannel VXLAN<!--(uses win-overlay)-->（使用 win-overlay）
-   </td>
-   <td>
-    <!--win-overlay should be used when virtual container networks are desired to
-    be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs
-    to be re-used for different overlay networks (which have different VNID tags)
-    if you are restricted on IPs in your datacenter.  This option requires
-    <a href="https://support.microsoft.com/help/4489899">KB4489899</a> on Windows Server
-    2019.-->
-    当（比如出于安全原因）期望虚拟容器网络与下层宿主网络隔离时，
-    应该使用 win-overlay。如果你的数据中心可用 IP 地址受限，
-    覆盖网络允许你在不同的网络中复用 IP 地址（每个覆盖网络有不同的 VNID 标签）。
-    这一选项要求在 Windows Server 2009 上安装
-    [KB4489899](https://support.microsoft.com/help/4489899) 补丁。
-   </td>
-  </tr>
-  <tr>
-   <td>
-    <!--Transparent (special use case for <a href="https://github.com/openvswitch/ovn-kubernetes">ovn-kubernetes</a>)-->
-    透明网络（[ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) 的特殊用例） 
-   </td>
-   <td>
-    <!--Requires an external vSwitch. Containers are attached to an external
-    vSwitch which enables intra-pod communication via logical networks (logical
-    switches and routers).-->
-    需要一个外部 vSwitch。容器挂接到某外部 vSwitch 上，该 vSwitch
-    通过逻辑网络（逻辑交换机和路由器）允许 Pod 间通信。
-   </td>
-   <td>
-    <!--Packet is encapsulated either via
-    <a href="https://datatracker.ietf.org/doc/draft-gross-geneve/">GENEVE</a>,
-    <a href="https://datatracker.ietf.org/doc/draft-davie-stt/">STT</a> tunneling to reach
-    pods which are not on the same host.<br/> Packets are forwarded or dropped
-    via the tunnel metadata information supplied by the ovn network controller.
-    <br/>
-    NAT is done for north-south communication.
-    -->
-    报文或者通过 [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) 来封装，
-    或者通过 [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) 隧道来封装，
-    以便能够到达不在同一宿主系统上的每个 Pod。<br/>
-    报文通过 OVN 网络控制器所提供的隧道元数据信息来判定是转发还是丢弃。<br/>
-    北-南向通信通过 NAT 网络地址转译来实现。
-   </td>
-   <td>
-    <a href="https://github.com/openvswitch/ovn-kubernetes">ovn-kubernetes</a>
-   </td>
-   <td>
-     <!-- Deploy via <a href="https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib">Ansible</a>.
-     Distributed ACLs can be applied via Kubernetes policies. IPAM support.
-     Load-balancing can be achieved without kube-proxy. NATing is done without
-     using iptables/netsh.-->
-     [通过 Ansible 来部署](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib)。
-     所发布的 ACL 可以通过 Kubernetes 策略来应用实施。支持 IPAM 。
-     负载均衡能力不依赖 kube-proxy。
-     网络地址转译（NAT）也不需要 iptables 或 netsh。
-   </td>
-  </tr>
-  <tr>
-   <td><!--NAT (<B>not used in Kubernetes</B>)-->NAT（<B>未在 Kubernetes 中使用</B>）</td>
-   <td>
-    <!--Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is
-    provided using an internal component called
-    <a href="https://blogs.technet.microsoft.com/virtualization/2016/05/25/windows-nat-winnat-capabilities-and-limitations">WinNAT</a>.-->
-    容器获得一个连接到某内部 vSwitch 的 vNIC 接口。
-    DNS/DHCP 服务通过名为
-    [WinNAT](https://blogs.technet.microsoft.com/virtualization/2016/05/25/windows-nat-winnat-capabilities-and-limitations/)
-    的内部组件来提供。
-   </td>
-   <td>
-    <!--MAC and IP is rewritten to host MAC/IP.-->
-    MAC 地址和 IP 地址都被重写为宿主系统的 MAC 地址和 IP 地址。
-   </td>
-   <td>
-    <a href="https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat">nat</a>
-   </td>
-   <td>
-    <!--Included here for completeness-->
-    列在此表中仅出于完整性考虑
-   </td>
-  </tr>
- </tbody>
-</table>
-
-<!--
-As outlined above, the [Flannel](https://github.com/coreos/flannel) CNI
-[meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel)
-is also supported on
-[Windows](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental)
-via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
-(**alpha support** ; delegates to win-overlay) and
-[host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw)
-(stable support; delegates to win-bridge). This plugin supports delegating to
-one of the reference CNI plugins (win-overlay, win-bridge), to work in
-conjunction with Flannel daemon on Windows (Flanneld) for automatic node
-subnet lease assignment and HNS network creation. This plugin reads in its own
-configuration file (cni.conf), and aggregates it with the environment
-variables from the FlannelD generated subnet.env file. It then delegates to
-one of the reference CNI plugins for network plumbing, and sends the correct
-configuration containing the node-assigned subnet to the IPAM plugin (e.g.
-host-local).
--->
-如前所述，[Flannel](https://github.com/coreos/flannel) CNI
-[meta 插件](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel)
-在 Windows 上也是
-[被支持](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental)
-的，方法是通过 [VXLAN 网络后端](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
-（**alpha 阶段** ：委托给 win-overlay）和 
-[主机-网关（host-gateway）网络后端](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw)
-（稳定版本；委托给 win-bridge 实现）。
-此插件支持将操作委托给所引用的 CNI 插件（win-overlay、win-bridge）之一，
-从而能够与 Windows 上的 Flannel 守护进程（Flanneld）一同工作，自动为节点
-分配子网租期，创建 HNS 网络。
-该插件读入其自身的配置文件（cni.conf），并将其与 FlannelD 所生成的 subnet.env
-文件中的环境变量整合，之后将其操作委托给所引用的 CNI 插件之一以完成网络发现，
-并将包含节点所被分配的子网信息的正确配置发送给 IPAM 插件（例如 host-local）。
-
-<!--
-For the node, pod, and service objects, the following network flows are
-supported for TCP/UDP traffic:
-
-* Pod -> Pod (IP)
-* Pod -> Pod (Name)
-* Pod -> Service (Cluster IP)
-* Pod -> Service (PQDN, but only if there are no ".")
-* Pod -> Service (FQDN)
-* Pod -> External (IP)
-* Pod -> External (DNS)
-* Node -> Pod
-* Pod -> Node
--->
-对于节点、Pod 和服务对象，可针对 TCP/UDP 流量支持以下网络数据流：
-
-* Pod -> Pod （IP 寻址）
-* Pod -> Pod （名字寻址）
-* Pod -> 服务（集群 IP）
-* Pod -> 服务（部分限定域名，仅适用于名称中不包含“.”的情形）
-* Pod -> 服务（全限定域名）
-* Pod -> 集群外部（IP 寻址）
-* Pod -> 集群外部（DNS 寻址）
-* 节点 -> Pod
-* Pod -> 节点
-
-<!--
-##### IP address management (IPAM) {#ipam}
-
-The following IPAM options are supported on Windows:
-
-* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
-* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set)
-* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only)
--->
-##### IP 地址管理（IPAM）       {#ipam}
-
-Windows 上支持以下 IPAM 选项：
-
-* [host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local)
-* HNS IPAM (Inbox 平台 IPAM，未指定 IPAM 时的默认设置）
-* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md)（仅适用于 azure-cni ）
-
-<!--
-##### Load balancing and Services
-
-On Windows, you can use the following settings to configure Services and load
-balancing behavior:
--->
-##### 负载均衡与服务     {#load-balancing-and-services}
-
-在 Windows 系统上，你可以使用以下配置来设定服务和负载均衡行为：
-
-{{< table caption="Windows 服务设置" >}}
-
-<table>
- <thead>
-  <tr>
-   <th><!--Feature-->功能特性</th>
-   <th><!--Description-->描述</th>
-   <th><!--Supported Kubernetes version-->所支持的 Kubernetes 版本</th>
-   <th><!--Supported Windows OS build-->所支持的 Windows OS 版本</th>
-   <th><!--How to enable-->如何启用</th>
-  </tr>
- <thead>
- <tbody>
-  <tr>
-   <td><!--Session affinity-->会话亲和性</td>
-   <td>
-    <!--Ensures that connections from a particular client are passed to the same
-    Pod each time.-->
-    确保来自特定客户的连接每次都被交给同一 Pod。
-   </td>
-   <td>v1.20+</td>
-   <td>
-    <!--a href="https://blogs.windows.com/windowsexperience/2020/01/28/announcing-windows-server-vnext-insider-preview-build-19551/">Windows Server vNext Insider Preview Build 19551</a> (or higher)-->
-    [Windows Server vNext Insider Preview Build 19551](https://blogs.windows.com/windowsexperience/2020/01/28/announcing-windows-server-vnext-insider-preview-build-19551/)
-    或更高版本
-   </td>
-   <td>
-    <!--Set <code>service.spec.sessionAffinity</code> to "ClientIP"-->
-    将 <code>service.spec.sessionAffinitys</code> 设置为 "ClientIP"
-   </td>
-  </tr>
-  <tr>
-   <td><!--Direct Server Return (DSR)-->直接服务器返回（DSR）</td>
-   <td>
-    <!--Load balancing mode where the IP address fixups and the LBNAT occurs at
-    the container vSwitch port directly; service traffic arrives with the source
-    IP set as the originating pod IP.
-    -->
-    这是一种负载均衡模式，IP 地址的修正和负载均衡地址转译（LBNAT）
-    直接在容器的 vSwitch 端口上处理；服务流量到达时，其源端 IP 地址
-    设置为来源 Pod 的 IP。
-   </td>
-   <td>v1.20+</td>
-   <td>
-    Windows Server 2019
-   </td>
-   <td>
-    <!--Set the following flags in kube-proxy:
-    <code>--feature-gates="WinDSR=true" --enable-dsr=true</code>-->
-    为 kube-proxy 设置标志：`--feature-gates="WinDSR=true" --enable-dsr=true`
-   </td>
-  </tr>
-  <tr>
-   <td><!--Preserve-Destination-->保留目标地址</td>
-   <td>
-    <!--Skips DNAT of service traffic, thereby preserving the virtual IP of the target
-    service in packets reaching the backend Pod. Also disables node-node forwarding.-->
-    对服务流量略过 DNAT 步骤，这样就可以在到达后端 Pod 的报文中保留目标服务的
-    虚拟 IP 地址。还要禁止节点之间的转发。 
-   </td>
-   <td>v1.20+</td>
-   <td><!--Windows Server, version 1903 (or higher)-->Windows Server 1903 或更高版本</td>
-   <td>
-    <!--Set <code>"preserve-destination": "true"</code> in service annotations
-    and enable DSR in kube-proxy.-->
-    在服务注解中设置 `"preserve-destination": "true"` 并启用
-    kube-proxy 中的 DSR 标志。
-   </td>
-  </tr>
-  <tr>
-   <td><!--IPv4/IPv6 dual-stack networking-->IPv4/IPv6 双栈网络</td>
-   <td>
-    <!--Native IPv4-to-IPv4 in parallel with IPv6-to-IPv6 communications to, from,
-    and within a cluster-->
-    在集群内外同时支持原生的 IPv4-到-IPv4 和 IPv6-到-IPv6 通信。
-   </td>
-   <td>v1.19+</td>
-   <td><!--Windows Server, version 2004 (or higher)-->Windows Server 2004 或更高版本</td>
-   <td>
-    <!--See <a href="#ipv4ipv6-dual-stack">IPv4/IPv6 dual-stack</a>-->
-    参见 [IPv4/IPv6 双栈网络](#ipv4ipv6-dual-stack)
-   </td>
-  </tr>
-  <tr>
-   <td><!--Client IP preservation-->保留客户端 IP</td>
-   <td>
-    <!--Ensures that source IP of incoming ingress traffic gets preserved. Also
-    disables node-node forwarding.-->
-    确保入站流量的源 IP 地址被保留。同样要禁止节点之间的转发。
-   </td>
-   <td>v1.20+</td>
-   <td><!--Windows Server, version 2019 (or higher)-->Windows Server 2019 或更高版本</td>
-   <td>
-    <!--Set <code>service.spec.externalTrafficPolicy</code> to "Local" and enable
-    DSR in kube-proxy.-->
-    将 <code>service.spec.externalTrafficPolicy</code> 设置为 "Local"，
-    并在 kube-proxy 上启用 DSR。
-   </td>
-  </tr>
- </tbody>
-</table>
-
-{{< /table >}}
-
-<!--
-#### IPv4/IPv6 dual-stack
-
-You can enable IPv4/IPv6 dual-stack networking for `l2bridge` networks using
-the `IPv6DualStack` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/). See
-[enable IPv4/IPv6 dual stack](/docs/concepts/services-networking/dual-stack#enable-ipv4ipv6-dual-stack)
-for more details.
--->
-#### IPv4/IPv6 双栈支持   {#ipv4ipv6-dual-stack}
-
-你可以通过使用 `IPv6DualStack`
-[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
-来为 `l2bridge` 网络启用 IPv4/IPv6 双栈联网支持。
-进一步的细节可参见
-[启用 IPv4/IPv6 双协议栈](/zh/docs/concepts/services-networking/dual-stack#enable-ipv4ipv6-dual-stack)。
-
-<!--
-On Windows, using IPv6 with Kubernetes require Windows Server, version 2004
-(kernel version 10.0.19041.610) or later.
-
-Overlay (VXLAN) networks on Windows do not support dual-stack networking today.
--->
-对 Windows 而言，在 Kubernetes 中使用 IPv6 需要
-Windows Server 2004 （内核版本 10.0.19041.610）或更高版本。
-
-目前 Windows 上的覆盖网络（VXLAN）还不支持双协议栈联网。
-
-<!--
-### Limitations
-
-Windows is only supported as a worker node in the Kubernetes architecture and
-component matrix. This means that a Kubernetes cluster must always include
-Linux master nodes, zero or more Linux worker nodes, and zero or more Windows
-worker nodes.
--->
-### 局限性    {#limitations}
-
-在 Kubernetes 架构和节点阵列中仅支持将 Windows 作为工作节点使用。
-这意味着 Kubernetes 集群必须总是包含 Linux 主控节点，零个或者多个 Linux
-工作节点以及零个或者多个 Windows 工作节点。
-
-<!--
-#### Resource Handling
-
-Linux cgroups are used as a pod boundary for resource controls in Linux.
-Containers are created within that boundary for network, process and file
-system isolation. The cgroups APIs can be used to gather cpu/io/memory stats.
-In contrast, Windows uses a Job object per container with a system namespace
-filter to contain all processes in a container and provide logical isolation
-from the host. There is no way to run a Windows container without the
-namespace filtering in place. This means that system privileges cannot be
-asserted in the context of the host, and thus privileged containers are not
-available on Windows. Containers cannot assume an identity from the host
-because the Security Account Manager (SAM) is separate.
--->
-#### 资源处理 {#resource-handling}
-
-Linux 上使用 Linux 控制组（CGroups）作为 Pod 的边界，以实现资源控制。
-容器都创建于这一边界之内，从而实现网络、进程和文件系统的隔离。
-控制组 CGroups API 可用来收集 CPU、I/O 和内存的统计信息。
-与此相比，Windows 为每个容器创建一个带有系统名字空间过滤设置的 Job 对象，
-以容纳容器中的所有进程并提供其与宿主系统间的逻辑隔离。
-没有现成的名字空间过滤设置是无法运行 Windows 容器的。
-这也意味着，系统特权无法在宿主环境中评估，因而 Windows 上也就不存在特权容器。
-归咎于独立存在的安全账号管理器（Security Account Manager，SAM），容器也不能
-获得宿主系统上的任何身份标识。
-
-<!--
-#### Resource Reservations
-
-##### Memory Reservations
-
-Windows does not have an out-of-memory process killer as Linux does. Windows
-always treats all user-mode memory allocations as virtual, and pagefiles are
-mandatory. The net effect is that Windows won't reach out of memory conditions
-the same way Linux does, and processes page to disk instead of being subject
-to out of memory (OOM) termination. If memory is over-provisioned and all
-physical memory is exhausted, then paging can slow down performance.
--->
-#### 资源预留   {#resource-reservations}
-
-##### 内存预留    {#memory-reservations}
-
-Windows 不像 Linux 一样有一个内存耗尽（Out-of-memory）进程杀手（Process
-Killer）机制。Windows 总是将用户态的内存分配视为虚拟请求，页面文件（Pagefile）
-是必需的。这一差异的直接结果是 Windows 不会像 Linux 那样出现内存耗尽的状况，
-系统会将进程内存页面写入磁盘而不会因内存耗尽而终止进程。
-当内存被过量使用且所有物理内存都被用光时，系统的换页行为会导致性能下降。
-
-<!--
-Keeping memory usage within reasonable bounds is possible using the kubelet
-parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory
-usage on the node (outside of containers). This reduces
-[NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)).
--->
-使用 kubelet 参数 `--kubelet-reserve` 与/或 `-system-reserve` 可以统计
-节点上的内存用量（各容器之外），进而可能将内存用量限制在一个合理的范围，。
-这样做会减少节点可分配内存
-（[NodeAllocatable](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)）。
-
-<!--
-As you deploy workloads, use resource limits (must set only limits or limits
-must equal requests) on containers. This also subtracts from NodeAllocatable
-and prevents the scheduler from adding more pods once a node is full.
--->
-在你部署工作负载时，对容器使用资源限制（必须仅设置 limits 或者让 limits 等于
-requests 值）。这也会从 NodeAllocatable 中耗掉部分内存量，从而避免在节点
-负荷已满时调度器继续向节点添加 Pods。
-
-<!--
-A best practice to avoid over-provisioning is to configure the kubelet with a
-system reserved memory of at least 2GB to account for Windows, Docker, and
-Kubernetes processes.
--->
-避免过量分配的最佳实践是为 kubelet 配置至少 2 GB 的系统预留内存，以供
-Windows、Docker 和 Kubernetes 进程使用。
-
-<!--
-##### CPU Reservations
-
-To account for Windows, Docker and other Kubernetes host processes it is
-recommended to reserve a percentage of CPU so they are able to respond to
-events. This value needs to be scaled based on the number of CPU cores
-available on the Windows node.To determine this percentage a user should
-identify the maximum pod density for each of their nodes and monitor the CPU
-usage of the system services choosing a value that meets their workload needs.
--->
-##### CPU 预留   {#cpu-reservations}
-
-为了统计 Windows、Docker 和其他 Kubernetes 宿主进程的 CPU 用量，建议
-预留一定比例的 CPU，以便对事件作出相应。此值需要根据 Windows 节点上
-CPU 核的个数来调整，要确定此百分比值，用户需要为其所有节点确定 Pod
-密度的上线，并监控系统服务的 CPU 用量，从而选择一个符合其负载需求的值。
-
-<!--
-Keeping CPU usage within reasonable bounds is possible using the kubelet
-parameters `--kubelet-reserve` and/or `--system-reserve` to account for CPU
-usage on the node (outside of containers). This reduces
-[NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable). 
--->
-使用 kubelet 参数 `--kubelet-reserve` 与/或 `-system-reserve` 可以统计
-节点上的 CPU 用量（各容器之外），进而可能将 CPU 用量限制在一个合理的范围，。
-这样做会减少节点可分配 CPU
-（[NodeAllocatable](/zh/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)）。
-
-<!--
-##### Feature Restrictions
-
-* TerminationGracePeriod: not implemented
-* Single file mapping: to be implemented with CRI-ContainerD
-* Termination message: to be implemented with CRI-ContainerD
-* Privileged Containers: not currently supported in Windows containers
-* HugePages: not currently supported in Windows containers
-* The existing node problem detector is Linux-only and requires privileged
-  containers. In general, we don't expect this to be used on Windows because
-  privileged containers are not supported
-* Not all features of shared namespaces are supported (see API section for
-  more details)
--->
-##### 功能特性限制    {#feature-restrictions}
-
-* 终止宽限期（Termination Grace Period）：未实现
-* 单文件映射：将用 CRI-ContainerD 来实现
-* 终止消息（Termination message）：将用 CRI-ContainerD 来实现
-* 特权容器：Windows 容器当前不支持
-* 巨页（Huge Pages）：Windows 容器当前不支持
-* 现有的节点问题探测器（Node Problem Detector）仅适用于 Linux，且要求使用特权容器。
-  一般而言，我们不设想此探测器能用于 Windows 节点，因为 Windows 不支持特权容器。
-* 并非支持共享名字空间的所有功能特性（参见 API 节以了解详细信息）
-
-<!--
-#### Difference in behavior of flags when compared to Linux
-
-The behavior of the following kubelet flags is different on Windows nodes as described below:
-
-* `--kubelet-reserve`, `--system-reserve` , and `--eviction-hard` flags update
-  Node Allocatable
-* Eviction by using `--enforce-node-allocable` is not implemented
-* Eviction by using `--eviction-hard` and `--eviction-soft` are not implemented
-* MemoryPressure Condition is not implemented
-* There are no OOM eviction actions taken by the kubelet
-* Kubelet running on the windows node does not have memory restrictions.
-  `--kubelet-reserve` and `--system-reserve` do not set limits on kubelet or
-  processes running on the host. This means kubelet or a process on the host
-  could cause memory resource starvation outside the node-allocatable and
-  scheduler
-* An additional flag to set the priority of the kubelet process is available
-  on the Windows nodes called `--windows-priorityclass`. This flag allows
-  kubelet process to get more CPU time slices when compared to other processes
-  running on the Windows host. More information on the allowable values and
-  their meaning is available at
-  [Windows Priority Classes](https://docs.microsoft.com/en-us/windows/win32/procthread/scheduling-priorities#priority-class).
-  In order for kubelet to always have enough CPU cycles it is recommended to set
-  this flag to `ABOVE_NORMAL_PRIORITY_CLASS` and above
--->
-#### 与 Linux 相比参数行为的差别
-
-以下 kubelet 参数的行为在 Windows 节点上有些不同，描述如下：
-
-* `--kubelet-reserve`、`--system-reserve` 和 `--eviction-hard` 标志
-  会更新节点可分配资源量
-* 未实现通过使用 `--enforce-node-allocable` 来完成的 Pod 驱逐
-* 未实现通过使用 `--eviction-hard` 和 `--eviction-soft` 来完成的 Pod 驱逐
-* `MemoryPressure` 状况未实现
-* `kubelet` 不会采取措施来执行基于 OOM 的驱逐动作
-* Windows 节点上运行的 kubelet 没有内存约束。
-  `--kubelet-reserve` 和 `--system-reserve` 不会为 kubelet 或宿主系统上运行
-  的进程设限。这意味着 kubelet 或宿主系统上的进程可能导致内存资源紧张，
-  而这一情况既不受节点可分配量影响，也不会被调度器感知。
-* 在 Windows 节点上存在一个额外的参数用来设置 kubelet 进程的优先级，称作
-  `--windows-priorityclass`。此参数允许 kubelet 进程获得与 Windows 宿主上
-  其他进程相比更多的 CPU 时间片。
-  关于可用参数值及其含义的进一步信息可参考
-  [Windows Priority Classes](https://docs.microsoft.com/en-us/windows/win32/procthread/scheduling-priorities#priority-class)。
-  为了让 kubelet 总能够获得足够的 CPU 周期，建议将此参数设置为
-  `ABOVE_NORMAL_PRIORITY_CLASS` 或更高。
-
-<!--
-#### Storage
-
-Windows has a layered filesystem driver to mount container layers and create a
-copy filesystem based on NTFS. All file paths in the container are resolved
-only within the context of that container.
-
-* With Docker Volume mounts can only target a directory in the container, and
-  not an individual file. This limitation does not exist with CRI-containerD.
-
-* Volume mounts cannot project files or directories back to the host
-  filesystem
-
-* Read-only filesystems are not supported because write access is always
-  required for the Windows registry and SAM database. However, read-only
-  volumes are supported
-* Volume user-masks and permissions are not available. Because the SAM is not
-  shared between the host & container, there's no mapping between them. All
-  permissions are resolved within the context of the container
--->
-#### 存储     {#storage}
-
-Windows 上包含一个分层的文件系统来挂载容器的分层，并会基于 NTFS 来创建一个
-拷贝文件系统。容器中的所有文件路径都仅在该容器的上下文内完成解析。
-
-* Docker 卷挂载仅可针对容器中的目录进行，不可针对独立的文件。
-  这一限制不适用于 CRI-containerD。
-* 卷挂载无法将文件或目录投射回宿主文件系统。
-* 不支持只读文件系统，因为 Windows 注册表和 SAM 数据库总是需要写访问权限。
-  不过，Windows 支持只读的卷。
-* 不支持卷的用户掩码和访问许可，因为宿主与容器之间并不共享 SAM，二者之间不存在
-  映射关系。所有访问许可都是在容器上下文中解析的。
-
-<!--
-As a result, the following storage functionality is not supported on Windows nodes
-
-* Volume subpath mounts. Only the entire volume can be mounted in a Windows container.
-* Subpath volume mounting for Secrets
-* Host mount projection
-* DefaultMode (due to UID/GID dependency)
-* Read-only root filesystem. Mapped volumes still support readOnly
-* Block device mapping
-* Memory as the storage medium
-* File system features like uui/guid, per-user Linux filesystem permissions
-* NFS based storage/volume support
-* Expanding the mounted volume (resizefs)
--->
-因此，Windows 节点上不支持以下存储功能特性：
-
-* 卷的子路径挂载；只能在 Windows 容器上挂载整个卷。
-* 为 Secret 执行子路径挂载；
-* 宿主挂载投射；
-* 默认访问模式 defaultMode（因为该特性依赖 UID/GID）；
-* 只读的根文件系统；映射的卷仍然支持 `readOnly`；
-* 块设备映射；
-* 将内存作为存储介质；
-* 类似 UUID/GUID、每用户不同的 Linux 文件系统访问许可等文件系统特性；
-* 基于 NFS 的存储和卷支持；
-* 扩充已挂载卷（resizefs）。
-
-<!--
-#### Networking {#networking-limitations}
-
-Windows Container Networking differs in some important ways from Linux
-networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture)
-contains additional details and background.
--->
-#### 联网   {#networking-limitations}
-
-Windows 容器联网与 Linux 联网有着非常重要的差别。
-[Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture)
-中包含额外的细节和背景信息。
-
-<!--
-The Windows host networking service and virtual switch implement namespacing
-and can create virtual NICs as needed for a pod or container. However, many
-configurations such as DNS, routes, and metrics are stored in the Windows
-registry database rather than /etc/... files as they are on Linux. The Windows
-registry for the container is separate from that of the host, so concepts like
-mapping /etc/resolv.conf from the host into a container don't have the same
-effect they would on Linux. These must be configured using Windows APIs run in
-the context of that container. Therefore CNI implementations need to call the
-HNS instead of relying on file mappings to pass network details into the pod
-or container.
--->
-Windows 宿主联网服务和虚拟交换机实现了名字空间隔离，可以根据需要为 Pod 或容器
-创建虚拟的网络接口（NICs）。不过，很多类似 DNS、路由、度量值之类的配置数据都
-保存在 Windows 注册表数据库中而不是像 Linux 一样保存在 `/etc/...` 文件中。
-Windows 为容器提供的注册表与宿主系统的注册表是分离的，因此类似于将 /etc/resolv.conf
-文件从宿主系统映射到容器中的做法不会产生与 Linux 系统相同的效果。
-这些信息必须在容器内部使用 Windows API 来配置。
-因此，CNI 实现需要调用 HNS，而不是依赖文件映射来将网络细节传递到 Pod
-或容器中。
-
-<!--
-The following networking functionality is not supported on Windows nodes
-
-* Host networking mode is not available for Windows pods
-
-* Local NodePort access from the node itself fails (works for other nodes or
-  external clients)
-
-* Accessing service VIPs from nodes will be available with a future release of
-  Windows Server
-
-* A single service can only support up to 64 backend pods / unique destination IPs
-
-* Overlay networking support in kube-proxy is a beta feature. In addition, it
-  requires
-  [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887)
-  to be installed on Windows Server 2019
-
-* Local Traffic Policy in non-DSR mode
-* Windows containers connected to overlay networks do not support
-  communicating over the IPv6 stack. There is outstanding Windows platform
-  work required to enable this network driver to consume IPv6 addresses and
-  subsequent Kubernetes work in kubelet, kube-proxy, and CNI plugins.
--->
-Windows 节点不支持以下联网功能：
-
-* Windows Pod 不能使用宿主网络模式；
-* 从节点本地访问 NodePort 会失败（但从其他节点或外部客户端可访问）
-* Windows Server 的未来版本中会支持从节点访问服务的 VIP；
-* 每个服务最多支持 64 个后端 Pod 或独立的目标 IP 地址；
-* kube-proxy 的覆盖网络支持是 Beta 特性。此外，它要求在 Windows Server 2019 上安装
-  [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) 补丁；
-* 非 DSR（保留目标地址）模式下的本地流量策略；
-* 连接到覆盖网络的 Windows 容器不支持使用 IPv6 协议栈通信。
-  要使得这一网络驱动支持 IPv6 地址需要在 Windows 平台上开展大量的工作，
-  还需要在 Kubernetes 侧修改 kubelet、kube-proxy 以及 CNI 插件。
-<!--
-* Outbound communication using the ICMP protocol via the win-overlay,
-  win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane
-  ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/))
-  doesn't support ICMP packet transpositions. This means:
-
-  * ICMP packets directed to destinations within the same network (e.g. pod to
-    pod communication via ping) work as expected and without any limitations
-
-  * TCP/UDP packets work as expected and without any limitations
-
-  * ICMP packets directed to pass through a remote network (e.g. pod to
-    external internet communication via ping) cannot be transposed and thus
-    will not be routed back to their source
-
-  * Since TCP/UDP packets can still be transposed, one can substitute `ping
-    <destination>` with `curl <destination>` to be able to debug connectivity
-    to the outside world.
--->
-* 通过 win-overlay、win-bridge 和 Azure-CNI 插件使用 ICMP 协议向集群外通信。
-  尤其是，Windows 数据面
-  （[VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)）
-  不支持转换 ICMP 报文。这意味着：
-
-  * 指向同一网络内目标地址的 ICMP 报文（例如 Pod 之间的 ping 通信）是可以工作的，
-    没有局限性；
-  * TCP/UDP 报文可以正常工作，没有局限性；
-  * 指向远程网络的 ICMP 报文（例如，从 Pod 中 ping 外部互联网的通信）无法被转换，
-    因此也无法被路由回到其源点；
-  * 由于 TCP/UDP 包仍可被转换，用户可以将 `ping <目标>` 操作替换为 `curl <目标>`
-    以便能够调试与外部世界的网络连接。
-
-<!--
-These features were added in Kubernetes v1.15:
-
-* `kubectl port-forward`
--->
-Kubernetes v1.15 中添加了以下功能特性：
-
-* `kubectl port-forward`
-
-<!--
-##### CNI Plugins
-
-* Windows reference network plugins win-bridge and win-overlay do not
-  currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0
-  due to missing "CHECK" implementation.
-* The Flannel VXLAN CNI has the following limitations on Windows:
-
-  1. Node-pod connectivity isn't possible by design. It's only possible for
-     local pods with Flannel v0.12.0 (or higher).
-  1. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation
-     is being worked on and will be overcome in a future release (open-source
-     flannel changes). See the official
-     [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
-     backend docs for more details on these parameters.
--->
-##### CNI 插件    {#cni-plugins}
-
-* Windows 参考网络插件 win-bridge 和 win-overlay 当前未实现
-  [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0，
-  原因是缺少检查（CHECK）用的实现。
-
-* Windows 上的 Flannel VXLAN CNI 有以下局限性：
-
-  1. 其设计上不支持从节点到 Pod 的连接。
-     只有在 Flannel v0.12.0 或更高版本后才有可能访问本地 Pods。
-  2. 我们被限制只能使用 VNI 4096 和 UDP 端口 4789。
-     VNI 的限制正在被解决，会在将来的版本中消失（开源的 Flannel 更改）。
-     参见官方的 [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)
-     后端文档以了解关于这些参数的详细信息。
-
-##### DNS {#dns-limitations}
-
-<!--
-* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names
-  with a '.' as a FQDN and skips PQDN resolution
-
-* On Linux, you have a DNS suffix list, which is used when trying to resolve
-  PQDNs. On Windows, we only have 1 DNS suffix, which is the DNS suffix
-  associated with that pod's namespace (`mydns.svc.cluster.local` for example).
-  Windows can resolve FQDNs and services or names resolvable with just that
-  suffix. For example, a pod spawned in the default namespace, will have the DNS
-  suffix `default.svc.cluster.local`. On a Windows pod, you can resolve both
-  `kubernetes.default.svc.cluster.local` and `kubernetes`, but not the
-  in-betweens, like `kubernetes.default` or `kubernetes.default.svc`.
-
-* On Windows, there are multiple DNS resolvers that can be used. As these come
-  with slightly different behaviors, using the `Resolve-DNSName` utility for
-  name query resolutions is recommended.
--->
-* 不支持 DNS 的 ClusterFirstWithHostNet 配置。Windows 将所有包含 “.” 的名字
-  视为全限定域名（FQDN），因而不会对其执行部分限定域名（PQDN）解析。
-
-* 在 Linux 上，你可以有一个 DNS 后缀列表供解析部分限定域名时使用。
-  在 Windows 上，我们只有一个 DNS 后缀，即与该 Pod 名字空间相关联的 DNS
-  后缀（例如 `mydns.svc.cluster.local`）。
-  Windows 可以解析全限定域名、或者恰好可用该后缀来解析的服务名称。
-  例如，在 default 名字空间中生成的 Pod 会获得 DNS 后缀
-  `default.svc.cluster.local`。在 Windows Pod 中，你可以解析
-  `kubernetes.default.svc.cluster.local` 和 `kubernetes`，但无法解析二者
-  之间的形式，如 `kubernetes.default` 或 `kubernetes.default.svc`。
-
-* 在 Windows 上，可以使用的 DNS 解析程序有很多。由于这些解析程序彼此之间
-  会有轻微的行为差别，建议使用 `Resolve-DNSName` 工具来完成名字查询解析。
-
-<!--
-##### IPv6
-
-Kubernetes on Windows does not support single-stack "IPv6-only" networking.
-However,dual-stack IPv4/IPv6 networking for pods and nodes with single-family
-services is supported.
-See [IPv4/IPv6 dual-stack networking](#ipv4ipv6-dual-stack) for more details.
--->
-##### IPv6
-
-Windows 上的 Kubernetes 不支持单协议栈的“只用 IPv6”联网选项。
-不过，系统支持在 IPv4/IPv6 双协议栈的 Pod 和节点上运行单协议家族的服务。
-更多细节可参阅 [IPv4/IPv6 双协议栈联网](#ipv4ipv6-dual-stack)一节。
-
-<!--
-##### Session affinity
-
-Setting the maximum session sticky time for Windows services using
-`service.spec.sessionAffinityConfig.clientIP.timeoutSeconds` is not supported.
--->
-##### 会话亲和性    {#session-affinity}
-
-不支持使用 `service.spec.sessionAffinityConfig.clientIP.timeoutSeconds` 来为
-Windows 服务设置最大会话粘滞时间。
-
-<!--
-##### Security
-
-Secrets are written in clear text on the node's volume (as compared to
-tmpfs/in-memory on linux). This means customers have to do two things
-
-1. Use file ACLs to secure the secrets file location
-1. Use volume-level encryption using
-   [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server)
--->
-##### 安全性     {#security}
-
-Secret 以明文形式写入节点的卷中（而不是像 Linux 那样写入内存或 tmpfs 中）。
-这意味着客户必须做以下两件事：
-
-1. 使用文件访问控制列表来保护 Secret 文件所在的位置
-1. 使用 [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server)
-   来执行卷层面的加密
-
-<!--
-[RunAsUserName](/docs/tasks/configure-pod-container/configure-runasusername)
-can be specified for Windows Pod's or Container's to execute the Container
-processes as a node-default user. This is roughly equivalent to
-[RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups).
-
-Linux specific pod security context privileges such as SELinux, AppArmor,
-Seccomp, Capabilities (POSIX Capabilities), and others are not supported.
-
-In addition, as mentioned already, privileged containers are not supported on
-Windows.
--->
-用户可以为 Windows Pods 或 Container 设置
-[`RunAsUserName`](/zh/docs/tasks/configure-pod-container/configure-runasusername)
-以便以非节点默认用户来执行容器中的进程。这大致等价于设置
-[`RunAsUser`](/zh/docs/concepts/policy/pod-security-policy/#users-and-groups)。
-
-不支持特定于 Linux 的 Pod 安全上下文特权，例如 SELinux、AppArmor、Seccomp、
-权能字（POSIX 权能字）等等。
-
-此外，如前所述，Windows 不支持特权容器。
-
-<!--
-#### API
-
-There are no differences in how most of the Kubernetes APIs work for Windows.
-The subtleties around what's different come down to differences in the OS and
-container runtime. In certain situations, some properties on workload APIs
-such as Pod or Container were designed with an assumption that they are
-implemented on Linux, failing to run on Windows.
-
-At a high level, these OS concepts are different:
--->
-#### API
-
-对 Windows 而言，大多数 Kubernetes API 的工作方式没有变化。
-一些不易察觉的差别通常体现在 OS 和容器运行时上的不同。
-在某些场合，负载 API （如 Pod 或 Container）的某些属性在设计时假定其
-在 Linux 上实现，因此会无法在 Windows 上运行。
-
-在较高层面，不同的 OS 概念有：
-
-<!--
-* Identity - Linux uses userID (UID) and groupID (GID) which are represented
-  as integer types. User and group names are not canonical - they are an alias
-  in `/etc/groups` or `/etc/passwd` back to UID+GID. Windows uses a larger
-  binary security identifier (SID) which is stored in the Windows Security
-  Access Manager (SAM) database. This database is not shared between the host
-  and containers, or between containers.
-
-* File permissions - Windows uses an access control list based on SIDs, rather
-  than a bitmask of permissions and UID+GID
--->
-* 身份标识 - Linux 使用证书类型来表示用户 ID（UID）和组 ID（GID）。用户和组名
-  没有特定标准，它们是 `/etc/groups` 或 `/etc/passwd` 中的别名表项，会映射回
-  UID+GID。Windows 使用一个更大的二进制安全标识符（SID），保存在 Windows
-  安全访问管理器（Security Access Manager，SAM）数据库中。此数据库并不在宿主系统
-  与容器间，或者任意两个容器之间共享。
-
-* 文件许可 - Windows 使用基于 SID 的访问控制列表，而不是基于 UID+GID 的访问权限位掩码。
-
-<!--
-* File paths - convention on Windows is to use `\` instead of `/`. The Go IO
-  libraries accept both types of file path separators. However, when you're
-  setting a path or command line that's interpreted inside a container, `\` may
-  be needed.
-
-* Signals - Windows interactive apps handle termination differently, and can
-  implement one or more of these:
-
-  * A UI thread handles well-defined messages including `WM_CLOSE`
-
-  * Console apps handle ctrl-c or ctrl-break using a Control Handler
-
-  * Services register a Service Control Handler function that can accept
-    `SERVICE_CONTROL_STOP` control codes
--->
-* 文件路径 - Windows 上的习惯是使用 `\` 而非 `/`。Go 语言的 IO
-  库同时接受这两种文件路径分隔符。不过，当你在指定要在容器内解析的路径或命令行时，
-  可能需要使用 `\`。
-
-* 信号（Signal） - Windows 交互式应用以不同方式来处理终止事件，并可实现以下方式之一或组合：
-
-  * UI 线程处理包含 `WM_CLOSE` 在内的良定的消息
-
-  * 控制台应用使用控制处理程序来处理 Ctrl-C 或 Ctrl-Break
-
-  * 服务会注册服务控制处理程序，接受 `SERVICE_CONTROL_STOP` 控制代码
-
-<!--
-Exit Codes follow the same convention where 0 is success, nonzero is failure.
-The specific error codes may differ across Windows and Linux. However, exit
-codes passed from the Kubernetes components (kubelet, kube-proxy) are
-unchanged.
--->
-退出代码遵从相同的习惯，0 表示成功，非 0 值表示失败。
-特定的错误代码在 Windows 和 Linux 上可能会不同。不过，从 Kubernetes 组件
-（kubelet、kube-proxy）所返回的退出代码是没有变化的。
-
-<!--
-##### V1.Container
-
-* V1.Container.ResourceRequirements.limits.cpu and
-  V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard
-  limits for CPU allocations. Instead, a share system is used. The existing
-  fields based on millicores are scaled into relative shares that are followed
-  by the Windows scheduler.
-  See [kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go),
-  and [resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls)
-
-  * Huge pages are not implemented in the Windows container runtime, and are
-    not available. They require
-    [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support)
-    that's not configurable for containers.
--->
-* `v1.Container.ResourceRequirements.limits.cpu` 和
-  `v1.Container.ResourceRequirements.limits.memory` - Windows
-  不对 CPU 分配设置硬性的限制。与之相反，Windows 使用一个份额（share）系统。
-  基于毫核（millicores）的现有字段值会被缩放为相对的份额值，供 Windows 调度器使用。
-  参见 [kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go) 和
-  [Microsoft 文档中关于资源控制的部分](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls)。
-
-  * Windows 容器运行时中没有实现巨页支持，因此相关特性不可用。
-    巨页支持需要[判定用户的特权](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support)
-    而这一特性无法在容器级别配置。
-
-<!--
-* V1.Container.ResourceRequirements.requests.cpu and
-  V1.Container.ResourceRequirements.requests.memory - Requests are subtracted
-  from node available resources, so they can be used to avoid overprovisioning a
-  node. However, they cannot be used to guarantee resources in an
-  overprovisioned node. They should be applied to all containers as a best
-  practice if the operator wants to avoid overprovisioning entirely.
-
-* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on
-  Windows, none of the capabilities are hooked up
--->
-* `v1.Container.ResourceRequirements.requests.cpu` 和
-  `v1.Container.ResourceRequirements.requests.memory` - 请求
-  值会从节点可分配资源中扣除，从而可用来避免节点上的资源过量分配。
-  但是，它们无法用来在一个已经过量分配的节点上提供资源保障。
-  如果操作员希望彻底避免过量分配，作为最佳实践，他们就需要为所有容器设置资源请求值。
-
-* `v1.Container.SecurityContext.allowPrivilegeEscalation` - 在 Windows
-  上无法实现，对应的权能无一可在 Windows 上生效。
-
-<!--
-* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not
-  implemented on Windows
-
-* V1.Container.SecurityContext.privileged - Windows doesn't support privileged
-  containers
-
-* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc
-  filesystem
-
-* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on
-  Windows, write access is required for registry & system processes to run
-  inside the container
--->
-* `v1.Container.SecurityContext.Capabilities` - Windows 上未实现 POSIX 权能机制
-* `v1.Container.SecurityContext.privileged` - Windows 不支持特权容器
-* `v1.Container.SecurityContext.procMount` - Windows 不包含 `/proc` 文件系统
-* `v1.Container.SecurityContext.readOnlyRootFilesystem` - 在 Windows 上无法实现，
-  要在容器内使用注册表或运行系统进程就必需写访问权限。
-
-<!--
-* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID
-  support
-
-* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root
-  user. The closest equivalent is ContainerAdministrator which is an identity
-  that doesn't exist on the node.
-
-* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID
-  support as int.
-
-* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux
-
-* V1.Container.terminationMessagePath - this has some limitations in that
-  Windows doesn't support mapping single files. The default value is
-  `/dev/termination-log`, which does work because it does not exist on Windows by
-  default.
--->
-* `v1.Container.SecurityContext.runAsGroup` - 在 Windows 上无法实现，没有 GID 支持
-
-* `v1.Container.SecurityContext.runAsNonRoot` - Windows 上没有 root 用户。
-  与之最接近的等价用户是 `ContainerAdministrator`，而该身份标识在节点上并不存在。
-
-* `v1.Container.SecurityContext.runAsUser` - 在 Windows 上无法实现，
-  因为没有作为整数支持的 GID。
-
-* `v1.Container.SecurityContext.seLinuxOptions` - 在 Windows 上无法实现，
-  因为没有 SELinux
-
-* `V1.Container.terminationMessagePath` - 因为 Windows 不支持单个文件的映射，这一功能
-  在 Windows 上也受限。默认值 `/dev/termination-log` 在 Windows 上也无法使用因为
-  对应路径在 Windows 上不存在。
-
-<!--
-##### V1.Pod
-
-* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows
-
-* V1.Pod.hostNetwork - There is no Windows OS support to share the host network
-
-* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host
-  Networking is not supported on Windows.
-
-* V1.Pod.podSecurityContext - see V1.PodSecurityContext below
-
-* V1.Pod.shareProcessNamespace - this is a beta feature, and depends on Linux
-  namespaces which are not implemented on Windows. Windows cannot share
-  process namespaces or the container's root filesystem. Only the network can be
-  shared.
--->
-##### V1.Pod
-
-* `v1.Pod.hostIPC`、`v1.Pod.hostPID` - Windows 不支持共享宿主系统的名字空间
-* `v1.Pod.hostNetwork` - Windows 操作系统不支持共享宿主网络
-* `v1.Pod.dnsPolicy` - 不支持 `ClusterFirstWithHostNet`，因为 Windows 不支持宿主网络
-* `v1.Pod.podSecurityContext` - 参见下面的 `v1.PodSecurityContext`
-* `v1.Pod.shareProcessNamespace` - 此为 Beta 特性且依赖于 Windows 上未实现
-  的 Linux 名字空间。
-  Windows 无法共享进程名字空间或者容器的根文件系统。只能共享网络。
-
-<!--
-* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in
-  Docker on Windows, see:
-  [reference](https://github.com/moby/moby/issues/25982). The behavior today is
-  that the `ENTRYPOINT` process is sent `CTRL_SHUTDOWN_EVENT`, then Windows waits 5
-  seconds by default, and finally shuts down all processes using the normal
-  Windows shutdown behavior. The 5 second default is actually in the Windows
-  registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183),
-  so it can be overridden when the container is built.
-
-* V1.Pod.volumeDevices - this is a beta feature, and is not implemented on
-  Windows. Windows cannot attach raw block devices to pods.
--->
-* `v1.Pod.terminationGracePeriodSeconds` - 这一特性未在 Windows 版本的 Docker 中完全实现。
-  参见[问题报告](https://github.com/moby/moby/issues/25982)。
-  目前实现的行为是向 `ENTRYPOINT` 进程发送 `CTRL_SHUTDOWN_EVENT` 事件，之后 Windows 默认
-  等待 5 秒钟，并最终使用正常的 Windows 关机行为关闭所有进程。
-  这里的 5 秒钟默认值实际上保存在
-  [容器内](https://github.com/moby/moby/issues/25982#issuecomment-426441183)
-  的 Windows 注册表中，因此可以在构造容器时重载。
-
-* `v1.Pod.volumeDevices` - 此为 Beta 特性且未在 Windows 上实现。Windows 无法挂接
-  原生的块设备到 Pod 中。
-
-<!--
-* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have
-  tests in TestGrid
-
-  * V1.emptyDirVolumeSource - the Node default medium is disk on Windows.
-    Memory is not supported, as Windows does not have a built-in RAM disk.
-
-* V1.VolumeMount.mountPropagation - mount propagation is not supported on Windows.
--->
-* `v1.Pod.volumes` - `emptyDir`、`secret`、`configMap` 和 `hostPath`
-  都可正常工作且在 TestGrid 中测试。
-
-  * `v1.emptyDir.volumeSource` - Windows 上节点的默认介质是磁盘。
-    不支持将内存作为介质，因为 Windows 不支持内置的 RAM 磁盘。
-
-* `v1.VolumeMount.mountPropagation` - Windows 上不支持挂载传播。
-
-<!--
-##### V1.PodSecurityContext
-
-None of the PodSecurityContext fields work on Windows. They're listed here for
-reference.
-
-* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows
-
-* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows
-
-* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows
-
-* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. The
-  closest equivalent is ContainerAdministrator which is an identity that
-  doesn't exist on the node.
-
-* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows
-
-* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl
-  interface. There's no equivalent on Windows.
--->
-##### V1.PodSecurityContext
-
-PodSecurityContext 的所有选项在 Windows 上都无法工作。这些选项列在下面仅供参考。
-
-* `v1.PodSecurityContext.seLinuxOptions` - Windows 上无 SELinux
-
-* `v1.PodSecurityContext.runAsUser` - 提供 UID；Windows 不支持
-
-* `v1.PodSecurityContext.runAsGroup` - 提供 GID；Windows 不支持
-
-* `v1.PodSecurityContext.runAsNonRoot` - Windows 上没有 root 用户
-  最接近的等价账号是 `ContainerAdministrator`，而该身份标识在节点上不存在
-
-* `v1.PodSecurityContext.supplementalGroups` - 提供 GID；Windows 不支持
-
-* `v1.PodSecurityContext.sysctls` - 这些是 Linux sysctl 接口的一部分；Windows 上
-  没有等价机制。
-
-<!--
-#### Operating System Version Restrictions
-
-Windows has strict compatibility rules, where the host OS version must match
-the container base image OS version. Only Windows containers with a container
-operating system of Windows Server 2019 are supported. Hyper-V isolation of
-containers, enabling some backward compatibility of Windows container image
-versions, is planned for a future release.
--->
-#### 操作系统版本限制  {#operating-system-version-restrictions}
-
-Windows 有着严格的兼容性规则，宿主 OS 的版本必须与容器基准镜像 OS 的版本匹配。
-目前仅支持容器操作系统为 Windows Server 2019 的 Windows 容器。
-对于容器的 Hyper-V 隔离、允许一定程度上的 Windows 容器镜像版本向后兼容性等等，
-都是将来版本计划的一部分。
-
-<!--
-## Getting Help and Troubleshooting {#troubleshooting}
-
-Your main source of help for troubleshooting your Kubernetes cluster should
-start with this
-[section](/docs/tasks/debug-application-cluster/troubleshooting/). Some
-additional, Windows-specific troubleshooting help is included in this section.
-Logs are an important element of troubleshooting issues in Kubernetes. Make
-sure to include them any time you seek troubleshooting assistance from other
-contributors. Follow the instructions in the SIG-Windows
-[contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs).
--->
-## 获取帮助和故障排查     {#troubleshooting}
-
-对你的 Kubernetes 集群进行排查的主要帮助信息来源应该是
-[这份文档](/docs/tasks/debug-application-cluster/troubleshooting/)。
-该文档中包含了一些额外的、特定于 Windows 系统的故障排查帮助信息。
-Kubernetes 中日志是故障排查的一个重要元素。确保你在尝试从其他贡献者那里获得
-故障排查帮助时提供日志信息。你可以按照 SIG-Windows
-[贡献指南和收集日志](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)
-所给的指令来操作。
-
-<!--
-* How do I know start.ps1 completed successfully?
-
-  You should see kubelet, kube-proxy, and (if you chose Flannel as your
-  networking solution) flanneld host-agent processes running on your node, with
-  running logs being displayed in separate PowerShell windows. In addition to
-  this, your Windows node should be listed as "Ready" in your Kubernetes
-  cluster.
--->
-* 我怎样知道 `start.ps1` 是否已成功完成？
-
-  你应该能看到节点上运行的 kubelet、kube-proxy 和（如果你选择 Flannel
-  作为联网方案）flanneld 宿主代理进程，它们的运行日志显示在不同的
-  PowerShell 窗口中。此外，你的 Windows 节点应该在你的 Kubernetes 集群
-  列举为 "Ready" 节点。
-
-<!--
-* Can I configure the Kubernetes node processes to run in the background as services?
-
-  Kubelet and kube-proxy are already configured to run as native Windows
-  Services, offering resiliency by re-starting the services automatically in the
-  event of failure (for example a process crash). You have two options for
-  configuring these node components as services.
--->
-* 我可以将 Kubernetes 节点进程配置为服务运行在后台么？
-
-  kubelet 和 kube-proxy 都已经被配置为以本地 Windows 服务运行，
-  并且在出现失效事件（例如进程意外结束）时通过自动重启服务来提供一定的弹性。
-  你有两种办法将这些节点组件配置为服务。
-
-  <!--
-  * As native Windows Services
-
-    Kubelet & kube-proxy can be run as native Windows Services using `sc.exe`.
-
-    ```powershell
-    # Create the services for kubelet and kube-proxy in two separate commands
-    sc.exe create <component_name> binPath= "<path_to_binary> -service <other_args>"
-
-    # Please note that if the arguments contain spaces, they must be escaped.
-    sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' <other_args>"
-
-    # Start the services
-    Start-Service kubelet
-    Start-Service kube-proxy
-
-    # Stop the service
-    Stop-Service kubelet (-Force)
-    Stop-Service kube-proxy (-Force)
-
-    # Query the service status
-    Get-Service kubelet
-    Get-Service kube-proxy
-    ```
-  -->
-  * 以本地 Windows 服务的形式
-
-    Kubelet 和 kube-proxy 可以用 `sc.exe` 以本地 Windows 服务的形式运行：
-
-    ```powershell
-    # 用两个单独的命令为 kubelet 和 kube-proxy 创建服务
-    sc.exe create <组件名称> binPath="<可执行文件路径> -service <其它参数>"
-
-    # 请注意如果参数中包含空格，必须使用转义
-    sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' <其它参数>"
-
-    # 启动服务
-    Start-Service kubelet
-    Start-Service kube-proxy
-
-    # 停止服务
-    Stop-Service kubelet (-Force)
-    Stop-Service kube-proxy (-Force)
-
-    # 查询服务状态
-    Get-Service kubelet
-    Get-Service kube-proxy
-    ```
-
-  <!--
-  * Using nssm.exe
-
-    You can also always use alternative service managers like
-    [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet &
-    kube-proxy) in the background for you. You can use this [sample
-    script](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/register-svc.ps1),
-    leveraging `nssm.exe` to register kubelet, kube-proxy, and `flanneld.exe` to run
-    as Windows services in the background.
-  -->
-  * 使用 nssm.exe
-
-    你也总是可以使用替代的服务管理器，例如[nssm.exe](https://nssm.cc/)，来为你在后台运行
-    这些进程（`flanneld`、`kubelet` 和 `kube-proxy`）。你可以使用这一
-    [示例脚本](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/register-svc.ps1)，
-    利用 `nssm.exe` 将 `kubelet`、`kube-proxy` 和 `flanneld.exe` 注册为要在后台运行的
-    Windows 服务。
-
-    <!--
-    ```powershell
-    register-svc.ps1 -NetworkMode <Network mode> -ManagementIP <Windows Node IP> -ClusterCIDR <Cluster subnet> -KubeDnsServiceIP <Kube-dns Service IP> -LogDir <Directory to place logs>
-    ```
-    -->
-    ```powershell
-    register-svc.ps1 -NetworkMode <网络模式> -ManagementIP <Windows 节点 IP> -ClusterCIDR <集群子网> -KubeDnsServiceIP <kube-dns 服务 IP> -LogDir <日志目录>
-    ```
-
-    <!--
-    The parameters are explained below:
-    -->
-    这里的参数解释如下：
-
-    <!--
-    - `NetworkMode`: The network mode l2bridge (flannel host-gw, also the
-      default value) or overlay (flannel vxlan) chosen as a network solution
-    - `ManagementIP`: The IP address assigned to the Windows node. You can use
-      `ipconfig` to find this.
-    - `ClusterCIDR`: The cluster subnet range. (Default: 10.244.0.0/16)
-    - `KubeDnsServiceIP`: The Kubernetes DNS service IP. (Default: 10.96.0.10)
-    - `LogDir`: The directory where kubelet and kube-proxy logs are redirected
-      into their respective output files. (Default value C:\k)
-    -->
-    - `NetworkMode`：网络模式 l2bridge（flannel host-gw，也是默认值）或
-      overlay（flannel vxlan）选做网络方案
-    - `ManagementIP`：分配给 Windows 节点的 IP 地址。你可以使用 ipconfig 得到此值
-    - `ClusterCIDR`：集群子网范围（默认值为 10.244.0.0/16）
-    - `KubeDnsServiceIP`：Kubernetes DNS 服务 IP（默认值为 10.96.0.10）
-    - `LogDir`：kubelet 和 kube-proxy 的日志会被重定向到这一目录中的对应输出文件，
-      默认值为 `C:\k`。
-
-    <!--
-    If the above referenced script is not suitable, you can manually configure
-    `nssm.exe` using the following examples.
-
-    Register flanneld.exe:
-    -->
-    若以上所引用的脚本不适合，你可以使用下面的例子手动配置 `nssm.exe`。
-
-    注册 flanneld.exe：
-
-    ```powershell
-    nssm install flanneld C:\flannel\flanneld.exe
-    nssm set flanneld AppParameters --kubeconfig-file=c:\k\config --iface=<ManagementIP> --ip-masq=1 --kube-subnet-mgr=1
-    nssm set flanneld AppEnvironmentExtra NODE_NAME=<hostname>
-    nssm set flanneld AppDirectory C:\flannel
-    nssm start flanneld
-    ```
-
-    <!--
-    Register kubelet.exe:
-    -->
-    注册 kubelet.exe：
-
-    ```powershell
-    nssm install kubelet C:\k\kubelet.exe
-    nssm set kubelet AppParameters --hostname-override=<hostname> --v=6 --pod-infra-container-image=k8s.gcr.io/pause:3.5 --resolv-conf="" --allow-privileged=true --enable-debugging-handlers --cluster-dns=<DNS-service-IP> --cluster-domain=cluster.local --kubeconfig=c:\k\config --hairpin-mode=promiscuous-bridge --image-pull-progress-deadline=20m --cgroups-per-qos=false  --log-dir=<log directory> --logtostderr=false --enforce-node-allocatable="" --network-plugin=cni --cni-bin-dir=c:\k\cni --cni-conf-dir=c:\k\cni\config
-    nssm set kubelet AppDirectory C:\k
-    nssm start kubelet
-    ```
-
-    <!--
-    Register kube-proxy.exe (l2bridge / host-gw):
-    -->
-    注册 kube-proxy.exe（二层网桥模式和主机网关模式）
-
-    ```powershell
-    nssm install kube-proxy C:\k\kube-proxy.exe
-    nssm set kube-proxy AppDirectory c:\k
-    nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --hostname-override=<hostname>--kubeconfig=c:\k\config --enable-dsr=false --log-dir=<log directory> --logtostderr=false
-    nssm.exe set kube-proxy AppEnvironmentExtra KUBE_NETWORK=cbr0
-    nssm set kube-proxy DependOnService kubelet
-    nssm start kube-proxy
-    ```
-
-    <!--
-    Register kube-proxy.exe (overlay / vxlan):
-    -->
-    注册 kube-proxy.exe（覆盖网络模式或 VxLAN 模式）
-
-    ```powershell
-    nssm install kube-proxy C:\k\kube-proxy.exe
-    nssm set kube-proxy AppDirectory c:\k
-    nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --feature-gates="WinOverlay=true" --hostname-override=<hostname> --kubeconfig=c:\k\config --network-name=vxlan0 --source-vip=<source-vip> --enable-dsr=false --log-dir=<log directory> --logtostderr=false
-    nssm set kube-proxy DependOnService kubelet
-    nssm start kube-proxy
-    ```
-
-    <!--
-    For initial troubleshooting, you can use the following flags in
-    [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file:
-
-    ```powershell
-    nssm set <Service Name> AppStdout C:\k\mysvc.log
-    nssm set <Service Name> AppStderr C:\k\mysvc.log
-    ```
-
-    For additional details, see official [nssm usage](https://nssm.cc/usage) docs.
-    -->
-    作为初始的故障排查操作，你可以使用在 [nssm.exe](https://nssm.cc/) 中使用下面的标志
-    以便将标准输出和标准错误输出重定向到一个输出文件：
-
-    ```powershell
-    nssm set <服务名称> AppStdout C:\k\mysvc.log
-    nssm set <服务名称> AppStderr C:\k\mysvc.log
-    ```
-
-    要了解更多的细节，可参见官方的 [nssm 用法](https://nssm.cc/usage)文档。
-
-<!--
-* My Windows Pods do not have network connectivity
-
-  If you are using virtual machines, ensure that MAC spoofing is enabled on
-  all the VM network adapter(s).
--->
-* 我的 Windows Pods 无发连接网络
-
-  如果你在使用虚拟机，请确保 VM 网络适配器均已开启 MAC 侦听（Spoofing）。
-
-<!--
-* My Windows Pods cannot ping external resources
-
-  Windows Pods do not have outbound rules programmed for the ICMP protocol
-  today. However, TCP/UDP is supported. When trying to demonstrate connectivity
-  to resources outside of the cluster, please substitute `ping <IP>` with
-  corresponding `curl <IP>` commands.
--->
-* 我的 Windows Pods 无法 ping 外部资源
-
-  Windows Pods 目前没有为 ICMP 协议提供出站规则。不过 TCP/UDP 是支持的。
-  尝试与集群外资源连接时，可以将 `ping <IP>` 命令替换为对应的 `curl <IP>` 命令。
-
-  <!--
-  If you are still facing problems, most likely your network configuration in
-  [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf)
-  deserves some extra attention. You can always edit this static file. The
-  configuration update will apply to any newly created Kubernetes resources.
-  -->
-  如果你还遇到问题，很可能你在
-  [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf)
-  中的网络配置值得额外的注意。你总是可以编辑这一静态文件。
-  配置的更新会应用到所有新创建的 Kubernetes 资源上。
-
-  <!--
-  One of the Kubernetes networking requirements (see
-  [Kubernetes network model](/docs/concepts/cluster-administration/networking/))
-  is for cluster communication to occur without NAT internally. To honor this
-  requirement, there is an
-  [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20)
-  for all the communication where we do not want outbound NAT to occur. However,
-  this also means that you need to exclude the external IP you are trying to
-  query from the ExceptionList. Only then will the traffic originating from your
-  Windows pods be SNAT'ed correctly to receive a response from the outside
-  world. In this regard, your ExceptionList in `cni.conf` should look as
-  follows:
-  -->
-  Kubernetes 网络的需求之一（参见
-  [Kubernetes 网络模型](/zh/docs/concepts/cluster-administration/networking/)）
-  是集群内部无需网络地址转译（NAT）即可实现通信。
-  为了符合这一要求，对所有我们不希望出站时发生 NAT 的通信都存在一个
-  [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20)。
-  然而这也意味着你需要将你要查询的外部 IP 从 ExceptionList 中移除。
-  只有这时，从你的 Windows Pod 发起的网络请求才会被正确地通过 SNAT 转换以接收到
-  来自外部世界的响应。
-  就此而言，你在 `cni.conf` 中的 `ExceptionList` 应该看起来像这样：
-
-  <!--
-  ```conf
-  "ExceptionList": [
-       "10.244.0.0/16",  # Cluster subnet
-       "10.96.0.0/12",   # Service subnet
-       "10.127.130.0/24" # Management (host) subnet
-  ]
-  ```
-  -->
-  ```conf
-  "ExceptionList": [
-      "10.244.0.0/16",  # 集群子网
-      "10.96.0.0/12",   # 服务子网
-      "10.127.130.0/24" # 管理（主机）子网
-  ]
-  ```
-
-<!--
-* My Windows node cannot access NodePort service
-
-  Local NodePort access from the node itself fails. This is a known
-  limitation. NodePort access works from other nodes or external clients.
--->
-* 我的 Windows 节点无法访问 NodePort 服务
-
-  从节点自身发起的本地 NodePort 请求会失败。这是一个已知的局限。
-  NodePort 服务的访问从其他节点或者外部客户端都可正常进行。
-
-<!--
-* vNICs and HNS endpoints of containers are being deleted
-
-  This issue can be caused when the `hostname-override` parameter is not
-  passed to
-  [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/).
-  To resolve it, users need to pass the hostname to kube-proxy as follows:
--->
-* 容器的 vNICs 和 HNS 端点被删除了
-
-  这一问题可能因为 `hostname-override` 参数未能传递给
-  [kube-proxy](/zh/docs/reference/command-line-tools-reference/kube-proxy/)
-  而导致。解决这一问题时，用户需要按如下方式将主机名传递给 kube-proxy：
-
-  ```powershell
-  C:\k\kube-proxy.exe --hostname-override=$(hostname)
-  ```
-
-<!--
-* With flannel my nodes are having issues after rejoining a cluster
-
-  Whenever a previously deleted node is being re-joined to the cluster,
-  flannelD tries to assign a new pod subnet to the node. Users should remove the
-  old pod subnet configuration files in the following paths:
--->
-* 使用 Flannel 时，我的节点在重新加入集群时遇到问题
-
-  无论何时，当一个之前被删除的节点被重新添加到集群时，flannelD 都会将为节点分配
-  一个新的 Pod 子网。 
-  用户需要将将下面路径中的老的 Pod 子网配置文件删除：
-
-  ```powershell
-  Remove-Item C:\k\SourceVip.json
-  Remove-Item C:\k\SourceVipRequest.json
-  ```
-
-<!--
-* After launching `start.ps1`, flanneld is stuck in "Waiting for the Network
-  to be created"
-
-  There are numerous reports of this
-  [issue](https://github.com/coreos/flannel/issues/1066); most likely it is a
-  timing issue for when the management IP of the flannel network is set. A
-  workaround is to simply relaunch start.ps1 or relaunch it manually as follows:
-
-  ```powershell
-  PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "<Windows_Worker_Hostname>")
-  PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface=<Windows_Worker_Node_IP> --ip-masq=1 --kube-subnet-mgr=1
-  ```
--->
-* 在启动了 `start.ps1` 之后，flanneld 一直停滞在 "Waiting for the Network
-  to be created" 状态
-
-  关于这一[问题](https://github.com/coreos/flannel/issues/1066)有很多的报告；
-  最可能的一种原因是关于何时设置 Flannel 网络的管理 IP 的时间问题。
-  一种解决办法是重新启动 `start.ps1` 或者按如下方式手动重启之：
-
-  ```powershell
-  [Environment]::SetEnvironmentVariable("NODE_NAME", "<Windows 工作节点主机名>")
-  C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface=<Windows 工作节点 IP> --ip-masq=1 --kube-subnet-mgr=1
-  ```
-
-<!--
-* My Windows Pods cannot launch because of missing `/run/flannel/subnet.env`
-
-  This indicates that Flannel didn't launch correctly. You can either try to
-  restart flanneld.exe or you can copy the files over manually from
-  `/run/flannel/subnet.env` on the Kubernetes master to
-  `C:\run\flannel\subnet.env` on the Windows worker node and modify the
-  `FLANNEL_SUBNET` row to a different number. For example, if node subnet
-  10.244.4.1/24 is desired:
--->
-* 我的 Windows Pods 无法启动，因为缺少 `/run/flannel/subnet.env` 文件
-
-  这表明 Flannel 网络未能正确启动。你可以尝试重启 flanneld.exe 或者将文件手动地
-  从 Kubernetes 主控节点的 `/run/flannel/subnet.env` 路径复制到 Windows 工作
-  节点的 `C:\run\flannel\subnet.env` 路径，并将 `FLANNEL_SUBNET` 行改为一个
-  不同的数值。例如，如果期望节点子网为 `10.244.4.1/24`：
-
-  ```none
-  FLANNEL_NETWORK=10.244.0.0/16
-  FLANNEL_SUBNET=10.244.4.1/24
-  FLANNEL_MTU=1500
-  FLANNEL_IPMASQ=true
-  ```
-<!--
-* My Windows node cannot access my services using the service IP
-
-  This is a known limitation of the current networking stack on Windows.
-  Windows Pods are able to access the service IP however.
--->
-* 我的 Windows 节点无法使用服务 IP 访问我的服务
-
-  这是 Windows 上当前网络协议栈的一个已知的限制。
-  Windows Pods 能够访问服务 IP。
-
-<!--
-* No network adapter is found when starting kubelet
-
-  The Windows networking stack needs a virtual adapter for Kubernetes
-  networking to work. If the following commands return no results (in an admin
-  shell), virtual network creation — a necessary prerequisite for Kubelet to
-  work — has failed:
--->
-* 启动 kubelet 时找不到网络适配器
-
-  Windows 网络堆栈需要一个虚拟的适配器，这样 Kubernetes 网络才能工作。
-  如果下面的命令（在管理员 Shell 中）没有任何返回结果，证明虚拟网络创建
-  （kubelet 正常工作的必要前提之一）失败了：
-
-  ```powershell
-  Get-HnsNetwork | ? Name -ieq "cbr0"
-  Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*"
-  ```
-
-  <!--
-  Often it is worthwhile to modify the
-  [InterfaceName](https://github.com/microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1#L7)
-  parameter of the start.ps1 script, in cases where the host's network adapter
-  isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1`
-  script to see if there are errors during virtual network creation.
-  -->
-  当宿主系统的网络适配器名称不是 "Ethernet" 时，通常值得更改 `start.ps1` 脚本中的
-  [InterfaceName](https://github.com/microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1#L7)
-  参数来重试。否则可以查验 `start-kubelet.ps1` 的输出，看看是否在虚拟网络创建
-  过程中报告了其他错误。
-
-<!--
-* My Pods are stuck at "Container Creating" or restarting over and over
-
-  Check that your pause image is compatible with your OS version. The
-  [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources)
-  assume that both the OS and the containers are version 1803. If you have a
-  later version of Windows, such as an Insider build, you need to adjust the
-  images accordingly. Please refer to the Microsoft's [Docker
-  repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both
-  the pause image Dockerfile and the sample service expect the image to be
-  tagged as :latest.
--->
-* 我的 Pods 停滞在 "Container Creating" 状态或者反复重启
-
-  检查你的 pause 镜像是与你的 OS 版本兼容的。
-  [这里的指令](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources)
-  假定你的 OS 和容器版本都是 1803。如果你安装的是更新版本的 Windows，比如说
-  某个 Insider 构造版本，你需要相应地调整要使用的镜像。
-  请参照 Microsoft 的 [Docker 仓库](https://hub.docker.com/u/microsoft/)
-  了解镜像。不管怎样，pause 镜像的 Dockerfile 和示例服务都期望镜像的标签
-  为 `:latest`。
-
-<!--
-* DNS resolution is not properly working
-
-  Check the DNS limitations for Windows in this [section](#dns-limitations).
--->
-* DNS 解析无法正常工作
-
-  参阅 Windows 上 [DNS 相关的局限](#dns-limitations) 节。
-
-<!--
-* `kubectl port-forward` fails with "unable to do port forwarding: wincat not found"
-
-  Port forwarding support for Windows requires wincat.exe to be available in the
-  [pause infrastructure container](#pause-image).
-  Ensure you are using a supported image that is compatable with your Windows OS version.
-  If you would like to build your own pause infrastructure container be sure to include
-  [wincat](https://github.com/kubernetes/kubernetes/tree/master/build/pause/windows/wincat).
--->
-* `kubectl port-forward` 失败，错误信息为 "unable to do port forwarding: wincat not found"
-
-  此功能是在 Kubernetes v1.15 中实现的，pause 基础设施容器
-  `mcr.microsoft.com/oss/kubernetes/pause:3.4.1` 中包含了 wincat.exe。
-  请确保你使用的是这些版本或者更新版本。
-  如果你想要自行构造你自己的 pause 基础设施容器，要确保其中包含了
-  [wincat](https://github.com/kubernetes-sigs/sig-windows-tools/tree/master/cmd/wincat)
-  
-  Windows 的端口转发支持需要在 [pause 基础设施容器](#pause-image) 中提供 wincat.exe。
-  确保你使用的是与你的 Windows 操作系统版本兼容的受支持镜像。
-  如果你想构建自己的 pause 基础架构容器，请确保包含 [wincat](https://github.com/kubernetes/kubernetes/tree/master/build/pause/windows/wincat).。
-
-<!--
-* My Kubernetes installation is failing because my Windows Server node is
-  behind a proxy
-
-  If you are behind a proxy, the following PowerShell environment variables must be defined:
--->
-* 我的 Kubernetes 安装失败，因为我的 Windows Server 节点在防火墙后面
-
-  如果你处于防火墙之后，那么必须定义如下 PowerShell 环境变量：
-
-  ```PowerShell
-  [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine)
-  [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine)
-  ```
-
-<!--
-* What is a `pause` container?
-
-  In a Kubernetes Pod, an infrastructure or "pause" container is first created
-  to host the container endpoint. Containers that belong to the same pod,
-  including infrastructure and worker containers, share a common network
-  namespace and endpoint (same IP and port space). Pause containers are needed
-  to accommodate worker containers crashing or restarting without losing any of
-  the networking configuration.
-
-  Refer to the [pause image](#pause-image) section to find the recommended version
-  of the pause image.
--->
-* `pause` 容器是什么？
-
-  在一个 Kubernetes Pod 中，一个基础设施容器，或称 "pause" 容器，会被首先创建出来，
-  用以托管容器端点。属于同一 Pod 的容器，包括基础设施容器和工作容器，会共享相同的
-  网络名字空间和端点（相同的 IP 和端口空间）。我们需要 pause 容器来工作容器崩溃或
-  重启的状况，以确保不会丢失任何网络配置。
-
-  请参阅 [pause 镜像](#pause-image) 部分以查找 pause 镜像的推荐版本。
-
-<!--
-### Further investigation
-
-If these steps don't resolve your problem, you can get help running Windows
-containers on Windows nodes in Kubernetes through:
-
-* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic
-
-* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/)
-
-* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows)
--->
-### 进一步探究    {#further-investigation}
-
-如果以上步骤未能解决你遇到的问题，你可以通过以下方式获得在 Kubernetes 
-中的 Windows 节点上运行 Windows 容器的帮助：
-
-* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) 主题
-* Kubernetes 官方论坛 [discuss.kubernetes.io](https://discuss.kubernetes.io/)
-* Kubernetes Slack [#SIG-Windows 频道](https://kubernetes.slack.com/messages/sig-windows)
-
-<!--
-## Reporting Issues and Feature Requests
-
-If you have what looks like a bug, or you would like to make a feature
-request, please use the
-[GitHub issue tracking system](https://github.com/kubernetes/kubernetes/issues).
-You can open issues on
-[GitHub](https://github.com/kubernetes/kubernetes/issues/new/choose) and
-assign them to SIG-Windows. You should first search the list of issues in case
-it was reported previously and comment with your experience on the issue and
-add additional logs. SIG-Windows Slack is also a great avenue to get some
-initial support and troubleshooting ideas prior to creating a ticket.
--->
-## 报告问题和功能需求  {#reporting-issues-and-feature-requests}
-
-如果你遇到看起来像是软件缺陷的问题，或者你想要提起某种功能需求，请使用
-[GitHub 问题跟踪系统](https://github.com/kubernetes/kubernetes/issues)。
-你可以在 [GitHub](https://github.com/kubernetes/kubernetes/issues/new/choose)
-上发起 Issue 并将其指派给 SIG-Windows。你应该首先搜索 Issue 列表，看看是否
-该 Issue 以前曾经被报告过，以评论形式将你在该 Issue 上的体验追加进去，并附上
-额外的日志信息。SIG-Windows Slack 频道也是一个获得初步支持的好渠道，可以在
-生成新的 Ticket 之前对一些想法进行故障分析。
-
-<!--
-If filing a bug, please include detailed information about how to reproduce
-the problem, such as:
-
-* Kubernetes version: kubectl version
-* Environment details: Cloud provider, OS distro, networking choice and
-  configuration, and Docker version
-* Detailed steps to reproduce the problem
-* [Relevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)
-* Tag the issue sig/windows by commenting on the issue with `/sig windows` to
-  bring it to a SIG-Windows member's attention
--->
-在登记软件缺陷时，请给出如何重现该问题的详细信息，例如：
-
-* Kubernetes 版本：kubectl 版本
-* 环境细节：云平台、OS 版本、网络选型和配置情况以及 Docker 版本
-* 重现该问题的详细步骤
-* [相关的日志](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)
-* 通过为该 Issue 添加 `/sig windows` 评论为其添加 `sig/windows` 标签，
-  进而引起 SIG-Windows 成员的注意。
-
-## {{% heading "whatsnext" %}}
-
-<!--
-We have a lot of features in our roadmap. An abbreviated high level list is
-included below, but we encourage you to view our
-[roadmap project](https://github.com/orgs/kubernetes/projects/8) and help us make
-Windows support better by
-[contributing](https://github.com/kubernetes/community/blob/master/sig-windows/).
--->
-在我们的未来蓝图中包含很多功能特性（要实现）。下面是一个浓缩的简要列表，不过我们
-鼓励你查看我们的 [roadmap 项目](https://github.com/orgs/kubernetes/projects/8)并
-通过[贡献](https://github.com/kubernetes/community/blob/master/sig-windows/)的方式
-帮助我们把 Windows 支持做得更好。
-
-<!--
-### Hyper-V isolation
-
-Hyper-V isolation is requried to enable the following use cases for Windows
-containers in Kubernetes:
-
-* Hypervisor-based isolation between pods for additional security
-
-* Backwards compatibility allowing a node to run a newer Windows Server
-  version without requiring containers to be rebuilt
-
-* Specific CPU/NUMA settings for a pod
-
-* Memory isolation and reservations
--->
-### Hyper-V 隔离  {#hyper-v-isolation}
-
-要满足 Kubernetes 中 Windows 容器的如下用例，需要利用 Hyper-V 隔离：
-
-* 在 Pod 之间实施基于监管程序（Hypervisor）的隔离，以增强安全性
-* 出于向后兼容需要，允许添加运行新 Windows Server 版本的节点时不必
-  重新创建容器
-* 为 Pod 设置特定的 CPU/NUMA 配置
-* 实施内存隔离与预留
-
-<!--
-### Deployment with kubeadm and cluster API
-
-Kubeadm is becoming the de facto standard for users to deploy a Kubernetes
-cluster. Windows node support in kubeadm is currently a work-in-progress but a
-guide is available
-[here](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/). We are
-also making investments in cluster API to ensure Windows nodes are properly
-provisioned.
--->
-### 使用 kubeadm 和 Cluster API 来部署  {#deployment-with-kubeadm-and-cluster-api}
-
-kubeadm 已经成为用户部署 Kubernetes 集群的事实标准。
-kubeadm 对 Windows 节点的支持目前还在开发过程中，不过你可以阅读相关的
-[指南](/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/)。
-我们也在投入资源到 Cluster API，以确保 Windows 节点被正确配置。
-
diff --git a/content/zh/docs/tasks/access-application-cluster/create-external-load-balancer.md b/content/zh/docs/tasks/access-application-cluster/create-external-load-balancer.md
deleted file mode 100644
index 75fe4b6e1385a..0000000000000
--- a/content/zh/docs/tasks/access-application-cluster/create-external-load-balancer.md
+++ /dev/null
@@ -1,320 +0,0 @@
----
-title: 创建外部负载均衡器
-content_type: task
-weight: 80
----
-
-<!--
-title: Create an External Load Balancer
-content_type: task
-weight: 80
--->
-
-<!-- overview -->
-
-<!--
-This page shows how to create an External Load Balancer.
--->
-本文展示如何创建一个外部负载均衡器。
-
-<!-- 
-This feature is only available for cloud providers or environments which support external load balancers. 
--->
-{{< note >}}
-此功能仅适用于支持外部负载均衡器的云提供商或环境。
-{{< /note >}}
-
-<!--
-When creating a service, you have the option of automatically creating a
-cloud network load balancer. This provides an externally-accessible IP address
-that sends traffic to the correct port on your cluster nodes
-_provided your cluster runs in a supported environment and is configured with
-the correct cloud load balancer provider package_.
--->
-创建服务时，你可以选择自动创建云网络负载均衡器。这提供了一个外部可访问的 IP 地址，
-可将流量分配到集群节点上的正确端口上
-（ _假设集群在支持的环境中运行，并配置了正确的云负载平衡器提供商包_）。
-
-<!--
-For information on provisioning and using an Ingress resource that can give
-services externally-reachable URLs, load balance the traffic, terminate SSL etc.,
-please check the [Ingress](/docs/concepts/services-networking/ingress/)
-documentation.
--->
-有关如何配置和使用 Ingress 资源为服务提供外部可访问的 URL、负载均衡流量、终止 SSL 等功能，
-请查看 [Ingress](/zh/docs/concepts/services-networking/ingress/) 文档。
-
-## {{% heading "prerequisites" %}}
-
-* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-<!-- steps -->
-
-<!--
-## Configuration file
-
-To create an external load balancer, add the following line to your
-[service configuration file](/docs/concepts/services-networking/service/#loadbalancer):
--->
-## 配置文件
-
-要创建外部负载均衡器，请将以下内容添加到
-[服务配置文件](/zh/docs/concepts/services-networking/service/#loadbalancer)：
-
-```yaml
-    type: LoadBalancer
-```
-
-<!--
-Your configuration file might look like:
--->
-你的配置文件可能会如下所示：
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: example-service
-spec:
-  selector:
-    app: example
-  ports:
-    - port: 8765
-      targetPort: 9376
-  type: LoadBalancer
-```
-
-<!--
-## Using kubectl
-
-You can alternatively create the service with the `kubectl expose` command and
-its `--type=LoadBalancer` flag:
--->
-## 使用 kubectl
-
-你也可以使用 `kubectl expose` 命令及其 `--type=LoadBalancer` 参数创建服务：
-
-```bash
-kubectl expose rc example --port=8765 --target-port=9376 \
-        --name=example-service --type=LoadBalancer
-```
-
-<!--
-This command creates a new service using the same selectors as the referenced
-resource (in the case of the example above, a replication controller named
-`example`).
-
-For more information, including optional flags, refer to the
-[`kubectl expose` reference](/docs/reference/generated/kubectl/kubectl-commands/#expose).
--->
-此命令通过使用与引用资源（在上面的示例的情况下，名为 `example` 的 replication controller）相同的选择器来创建一个新的服务。
-
-更多信息（包括更多的可选参数），请参阅
-[`kubectl expose` 指南](/docs/reference/generated/kubectl/kubectl-commands/#expose)。
-
-<!--
-## Finding your IP address
-
-You can find the IP address created for your service by getting the service
-information through `kubectl`:
--->
-## 找到你的 IP 地址
-
-你可以通过 `kubectl` 获取服务信息，找到为你的服务创建的 IP 地址：
-
-```bash
-kubectl describe services example-service
-```
-
-<!--
-which should produce output like this:
--->
-这将获得如下输出：
-
-```bash
-    Name:                   example-service
-    Namespace:              default
-    Labels:                 <none>
-    Annotations:            <none>
-    Selector:               app=example
-    Type:                   LoadBalancer
-    IP:                     10.67.252.103
-    LoadBalancer Ingress:   192.0.2.89
-    Port:                   <unnamed> 80/TCP
-    NodePort:               <unnamed> 32445/TCP
-    Endpoints:              10.64.0.4:80,10.64.1.5:80,10.64.2.4:80
-    Session Affinity:       None
-    Events:                 <none>
-```
-
-<!--
-The IP address is listed next to `LoadBalancer Ingress`.
--->
-IP 地址列在 `LoadBalancer Ingress` 旁边。
-
-<!--
-If you are running your service on Minikube, you can find the assigned IP address and port with:
--->
-{{< note >}}
-如果你在 Minikube 上运行服务，你可以通过以下命令找到分配的 IP 地址和端口：
-
-```bash
-minikube service example-service --url
-```
-{{< /note >}}
-
-<!--
-## Preserving the client source IP
-
-Due to the implementation of this feature, the source IP seen in the target
-container is *not the original source IP* of the client. To enable
-preservation of the client IP, the following fields can be configured in the
-service spec (supported in GCE/Google Kubernetes Engine environments):
--->
-## 保留客户端源 IP
-
-由于此功能的实现，目标容器中看到的源 IP 将 *不是客户端的原始源 IP*。
-要启用保留客户端 IP，可以在服务的 spec 中配置以下字段（支持 GCE/Google Kubernetes Engine  环境）：
-
-<!--
-* `service.spec.externalTrafficPolicy` - denotes if this Service desires to route
-external traffic to node-local or cluster-wide endpoints. There are two available
-options: Cluster (default) and Local. Cluster obscures the client source
-IP and may cause a second hop to another node, but should have good overall
-load-spreading. Local preserves the client source IP and avoids a second hop
-for LoadBalancer and NodePort type services, but risks potentially imbalanced
-traffic spreading.
--->
-* `service.spec.externalTrafficPolicy` - 表示此服务是否希望将外部流量路由到节点本地或集群范围的端点。
-  有两个可用选项：Cluster（默认）和 Local。
-  Cluster 隐藏了客户端源 IP，可能导致第二跳到另一个节点，但具有良好的整体负载分布。
-  Local 保留客户端源 IP 并避免 LoadBalancer 和 NodePort 类型服务的第二跳，
-  但存在潜在的不均衡流量传播风险。
-
-<!--
-* `service.spec.healthCheckNodePort` - specifies the health check nodePort
-(numeric port number) for the service. If `healthCheckNodePort` isn't specified,
-the service controller allocates a port from your cluster's NodePort range. You
-can configure that range by setting an API server command line option,
-`--service-node-port-range`. It will use the
-user-specified `healthCheckNodePort` value if specified by the client. It only has an
-effect when `type` is set to LoadBalancer and `externalTrafficPolicy` is set
-to Local.
--->
-* `service.spec.healthCheckNodePort` - 指定服务的 healthcheck nodePort（数字端口号）。
-  如果未指定 `healthCheckNodePort`，服务控制器从集群的 NodePort 范围内分配一个端口。
-  你可以通过设置 API 服务器的命令行选项 `--service-node-port-range` 来配置上述范围。
-  它将会使用用户指定的 `healthCheckNodePort` 值（如果被客户端指定）。
-  仅当 `type`  设置为 LoadBalancer 并且 `externalTrafficPolicy` 设置为 Local 时才生效。
-
-<!--
-Setting `externalTrafficPolicy` to Local in the Service configuration file
-activates this feature.
--->
-可以通过在服务的配置文件中将 `externalTrafficPolicy` 设置为 Local 来激活此功能。
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: example-service
-spec:
-  selector:
-    app: example
-  ports:
-    - port: 8765
-      targetPort: 9376
-  externalTrafficPolicy: Local
-  type: LoadBalancer
-```
-
-<!--
-## Garbage Collecting Load Balancers
-
-In usual case, the correlating load balancer resources in cloud provider should
-be cleaned up soon after a LoadBalancer type Service is deleted. But it is known
-that there are various corner cases where cloud resources are orphaned after the
-associated Service is deleted. Finalizer Protection for Service LoadBalancers was
-introduced to prevent this from happening. By using finalizers, a Service resource
-will never be deleted until the correlating load balancer resources are also deleted.
--->
-## 回收负载均衡器
-
-在通常情况下，应在删除 LoadBalancer 类型服务后立即清除云提供商中的相关负载均衡器资源。
-但是，众所周知，在删除关联的服务后，云资源被孤立的情况很多。
-引入了针对服务负载均衡器的终结器保护，以防止这种情况发生。
-通过使用终结器，在删除相关的负载均衡器资源之前，也不会删除服务资源。
-
-<!--
-Specifically, if a Service has `type` LoadBalancer, the service controller will attach
-a finalizer named `service.kubernetes.io/load-balancer-cleanup`.
-The finalizer will only be removed after the load balancer resource is cleaned up.
-This prevents dangling load balancer resources even in corner cases such as the
-service controller crashing.
--->
-具体来说，如果服务具有 `type` LoadBalancer，则服务控制器将附加一个名为
-`service.kubernetes.io/load-balancer-cleanup` 的终结器。
-仅在清除负载均衡器资源后才能删除终结器。
-即使在诸如服务控制器崩溃之类的极端情况下，这也可以防止负载均衡器资源悬空。
-
-<!--
-## External Load Balancer Providers
-
-It is important to note that the datapath for this functionality is provided by a load balancer external to the Kubernetes cluster.
--->
-## 外部负载均衡器提供商
-
-请务必注意，此功能的数据路径由 Kubernetes 集群外部的负载均衡器提供。
-
-<!--
-When the Service `type` is set to LoadBalancer, Kubernetes provides functionality equivalent to `type` equals ClusterIP to pods
-within the cluster and extends it by programming the (external to Kubernetes) load balancer with entries for the Kubernetes
-pods. The Kubernetes service controller automates the creation of the external load balancer, health checks (if needed),
-firewall rules (if needed) and retrieves the external IP allocated by the cloud provider and populates it in the service
-object.
--->
-当服务 `type` 设置为 LoadBalancer 时，Kubernetes 向集群中的 Pod 提供的功能等同于
-`type` 等于  ClusterIP，并通过使用 Kubernetes pod 的条目对负载均衡器（从外部到 Kubernetes）
-进行编程来扩展它。 
-Kubernetes 服务控制器自动创建外部负载均衡器、健康检查（如果需要）、防火墙规则（如果需要），
-并获取云提供商分配的外部 IP 并将其填充到服务对象中。
-
-<!--
-## Caveats and Limitations when preserving source IPs
-
-GCE/AWS load balancers do not provide weights for their target pools. This was not an issue with the old LB
-kube-proxy rules which would correctly balance across all endpoints.
--->
-## 保留源 IP 时的注意事项和限制
-
-GCE/AWS 负载均衡器不为其目标池提供权重。
-对于旧的 LB kube-proxy 规则来说，这不是一个问题，它可以在所有端点之间正确平衡。
-
-<!--
-With the new functionality, the external traffic is not equally load balanced across pods, but rather
-equally balanced at the node level (because GCE/AWS and other external LB implementations do not have the ability
-for specifying the weight per node, they balance equally across all target nodes, disregarding the number of
-pods on each node).
--->
-使用新功能，外部流量不会在 pod 之间平均负载，而是在节点级别平均负载
-（因为 GCE/AWS 和其他外部 LB 实现无法指定每个节点的权重，
-因此它们的平衡跨所有目标节点，并忽略每个节点上的 Pod 数量）。
-
-<!--
-We can, however, state that for NumServicePods << NumNodes or NumServicePods >> NumNodes, a fairly close-to-equal
-distribution will be seen, even without weights.
--->
-但是，我们可以声明，对于 `NumServicePods << NumNodes` 或 `NumServicePods >> NumNodes` 时，
-即使没有权重，也会看到接近相等的分布。
-
-<!--
-Once the external load balancers provide weights, this functionality can be added to the LB programming path.
-*Future Work: No support for weights is provided for the 1.4 release, but may be added at a future date*
-
-Internal pod to pod traffic should behave similar to ClusterIP services, with equal probability across all pods.
--->
-一旦外部负载平衡器提供权重，就可以将此功能添加到 LB 编程路径中。
-*未来工作：1.4 版本不提供权重支持，但可能会在将来版本中添加*
-
-内部 Pod 到 Pod 的流量应该与 ClusterIP 服务类似，所有 Pod 的概率相同。
-
diff --git a/content/zh/docs/tasks/administer-cluster/encrypt-data.md b/content/zh/docs/tasks/administer-cluster/encrypt-data.md
deleted file mode 100644
index c63032ca4d342..0000000000000
--- a/content/zh/docs/tasks/administer-cluster/encrypt-data.md
+++ /dev/null
@@ -1,355 +0,0 @@
----
-title: 静态加密 Secret 数据
-content_type: task
----
-
-<!--
-reviewers:
-- smarterclayton
-title: Encrypting Secret Data at Rest
-content_type: task
--->
-
-<!-- overview -->
-<!--
-This page shows how to enable and configure encryption of secret data at rest.
--->
-本文展示如何启用和配置静态 Secret 数据的加密
-
-## {{% heading "prerequisites" %}}
-
-* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-<!--
-* etcd v3 or later is required
--->
-* 需要 etcd v3 或者更高版本
-
-<!-- steps -->
-
-<!--
-## Configuration and determining whether encryption at rest is already enabled
-
-The `kube-apiserver` process accepts an argument `-experimental-encryption-provider-config`
-that controls how API data is encrypted in etcd. An example configuration
-is provided below.
-
-## Understanding the encryption at rest configuration.
--->
-## 配置并确定是否已启用静态数据加密
-
-`kube-apiserver` 的参数 `--experimental-encryption-provider-config` 控制 API 数据在 etcd 中的加密方式。
-下面提供一个配置示例。
-
-## 理解静态数据加密
-
-```yaml
-apiVersion: apiserver.config.k8s.io/v1
-kind: EncryptionConfiguration
-resources:
-  - resources:
-    - secrets
-    providers:
-    - identity: {}
-    - aesgcm:
-        keys:
-        - name: key1
-          secret: c2VjcmV0IGlzIHNlY3VyZQ==
-        - name: key2
-          secret: dGhpcyBpcyBwYXNzd29yZA==
-    - aescbc:
-        keys:
-        - name: key1
-          secret: c2VjcmV0IGlzIHNlY3VyZQ==
-        - name: key2
-          secret: dGhpcyBpcyBwYXNzd29yZA==
-    - secretbox:
-        keys:
-        - name: key1
-          secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
-```
-
-<!--
-Each `resources` array item is a separate config and contains a complete configuration. The
-`resources.resources` field is an array of Kubernetes resource names (`resource` or `resource.group`)
-that should be encrypted. The `providers` array is an ordered list of the possible encryption
-providers. Only one provider type may be specified per entry (`identity` or `aescbc` may be provided,
-but not both in the same item).
--->
-每个 `resources` 数组项目是一个单独的完整的配置。
-`resources.resources` 字段是要加密的 Kubernetes 资源名称（`resource` 或 `resource.group`）的数组。
-`providers` 数组是可能的加密 provider 的有序列表。
-每个条目只能指定一个 provider 类型（可以是 `identity` 或 `aescbc`，但不能在同一个项目中同时指定）。
-
-<!--
-The first provider in the list is used to encrypt resources going into storage. When reading
-resources from storage each provider that matches the stored data attempts to decrypt the data in
-order. If no provider can read the stored data due to a mismatch in format or secret key, an error
-is returned which prevents clients from accessing that resource.
--->
-列表中的第一个 provider 用于加密进入存储的资源。
-当从存储器读取资源时，与存储的数据匹配的所有 provider 将按顺序尝试解密数据。
-如果由于格式或密钥不匹配而导致没有 provider 能够读取存储的数据，则会返回一个错误，以防止客户端访问该资源。
-
-<!--
-**IMPORTANT:** If any resource is not readable via the encryption config (because keys were changed),
-the only recourse is to delete that key from the underlying etcd directly. Calls that attempt to
-read that resource will fail until it is deleted or a valid decryption key is provided.
--->
-{{< caution >}}
-**重要：** 如果通过加密配置无法读取资源（因为密钥已更改），唯一的方法是直接从底层 etcd 中删除该密钥。
-任何尝试读取资源的调用将会失败，直到它被删除或提供有效的解密密钥。
-{{< /caution >}}
-
-### Providers:
-
-<!--
-Name | Encryption | Strength | Speed | Key Length | Other Considerations
------|------------|----------|-------|------------|---------------------
-`identity` | None | N/A | N/A | N/A | Resources written as-is without encryption. When set as the first provider, the resource will be decrypted as new values are written.
-`secretbox` | XSalsa20 and Poly1305 | Strong | Faster | 32-byte | A newer standard and may not be considered acceptable in environments that require high levels of review.
-`aesgcm` | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented.
-`aescbc` | AES-CBC with PKCS#7 padding | Weak | Fast | 32-byte | Not recommended due to CBC's vulnerability to padding oracle attacks.
-`kms` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with PKCS#7 padding, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS provider](/docs/tasks/administer-cluster/kms-provider/)
-
-Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider
-is the first provider, the first key is used for encryption.
--->
-{{< table caption="Kubernetes 静态数据加密的 Providers" >}}
-名称 | 加密类型   | 强度     | 速度  | 密钥长度   | 其它事项
------|------------|----------|-------|------------|---------------------
-`identity` | 无 | N/A | N/A | N/A | 不加密写入的资源。当设置为第一个 provider 时，资源将在新值写入时被解密。
-`secretbox` | XSalsa20 和 Poly1305 | 强 | 更快 | 32字节 | 较新的标准，在需要高度评审的环境中可能不被接受。
-`aesgcm` | 带有随机数的 AES-GCM | 必须每 200k 写入一次 | 最快 | 16, 24 或者 32字节 | 建议不要使用，除非实施了自动密钥循环方案。
-`aescbc` | 填充 PKCS#7 的 AES-CBC | 弱 | 快 | 32字节 | 由于 CBC 容易受到密文填塞攻击（Padding Oracle Attack），不推荐使用。
-`kms` | 使用信封加密方案：数据使用带有 PKCS#7 填充的 AES-CBC 通过数据加密密钥（DEK）加密，DEK 根据 Key Management Service（KMS）中的配置通过密钥加密密钥（Key Encryption Keys，KEK）加密 | 最强 | 快 | 32字节 | 建议使用第三方工具进行密钥管理。为每个加密生成新的 DEK，并由用户控制 KEK 轮换来简化密钥轮换。[配置 KMS 提供程序](/zh/docs/tasks/administer-cluster/kms-provider/)
-
-每个 provider 都支持多个密钥 - 在解密时会按顺序使用密钥，如果是第一个 provider，则第一个密钥用于加密。
-
-<!--
-__Storing the raw encryption key in the EncryptionConfig only moderately improves your security posture, compared to no encryption.
-Please use `kms` provider for additional security.__ By default, the `identity` provider is used to protect secrets in etcd, which
-provides no encryption. `EncryptionConfiguration` was introduced to encrypt secrets locally, with a locally managed key.
--->
-__在 EncryptionConfig 中保存原始的加密密钥与不加密相比只会略微地提升安全级别。
-请使用 `kms` 驱动以获得更强的安全性。__
-默认情况下，`identity` 驱动被用来对 etcd 中的 Secret 提供保护，
-而这个驱动不提供加密能力。
-`EncryptionConfiguration` 的引入是为了能够使用本地管理的密钥来在本地加密 Secret 数据。
-
-<!--
-Encrypting secrets with a locally managed key protects against an etcd compromise, but it fails to protect against a host compromise.
-Since the encryption keys are stored on the host in the EncryptionConfig YAML file, a skilled attacker can access that file and
-extract the encryption keys.
--->
-使用本地管理的密钥来加密 Secret 能够保护数据免受 etcd 破坏的影响，不过无法针对
-主机被侵入提供防护。
-这是因为加密的密钥保存在主机上的 EncryptionConfig YAML 文件中，有经验的入侵者
-仍能访问该文件并从中提取出加密密钥。
-
-<!--
-Envelope encryption creates dependence on a separate key, not stored in Kubernetes. In this case, an attacker would need to compromise etcd, the kubeapi-server, and the third-party KMS provider to retrieve the plaintext values, providing a higher level of security than locally-stored encryption keys.
--->
-封套加密（Envelope Encryption）引入了对独立密钥的依赖，而这个密钥并不保存在 Kubernetes 中。
-在这种情况下下，入侵者需要攻破 etcd、kube-apiserver 和第三方的 KMS
-驱动才能获得明文数据，因而这种方案提供了比本地保存加密密钥更高的安全级别。
-
-<!--
-## Encrypting your data
-
-Create a new encryption config file:
--->
-## 加密你的数据
-
-创建一个新的加密配置文件：
-
-```yaml
-apiVersion: apiserver.config.k8s.io/v1
-kind: EncryptionConfiguration
-resources:
-  - resources:
-    - secrets
-    providers:
-    - aescbc:
-        keys:
-        - name: key1
-          secret: <BASE 64 ENCODED SECRET>
-    - identity: {}
-```
-
-<!--
-To create a new secret perform the following steps:
-
-1. Generate a 32 byte random key and base64 encode it. If you're on Linux or Mac OS X, run the following command:
--->
-遵循如下步骤来创建一个新的 secret：
-
-1. 生成一个 32 字节的随机密钥并进行 base64 编码。如果你在 Linux 或 Mac OS X 上，请运行以下命令：
-
-   ```
-   head -c 32 /dev/urandom | base64
-   ```
-
-<!--
-2. Place that value in the secret field.
-3. Set the `--experimental-encryption-provider-config` flag on the `kube-apiserver` to point to the location of the config file.
-4. Restart your API server.
-
-**IMPORTANT:** Your config file contains keys that can decrypt content in etcd, so you must properly restrict permissions on your masters so only the user who runs the kube-apiserver can read it.
--->
-2. 将这个值放入到 secret 字段中。
-3. 设置 `kube-apiserver` 的 `--experimental-encryption-provider-config` 参数，将其指向
-   配置文件所在位置。
-4. 重启你的 API server。
-
-
-{{< caution >}}
-你的配置文件包含可以解密 etcd 内容的密钥，因此你必须正确限制主控节点的访问权限，
-以便只有能运行 kube-apiserver 的用户才能读取它。
-{{< /caution >}}
-
-<!--
-## Verifying that data is encrypted
-
-Data is encrypted when written to etcd. After restarting your `kube-apiserver`, any newly created or
-updated secret should be encrypted when stored. To check, you can use the `etcdctl` command line
-program to retrieve the contents of your secret.
-
-1. Create a new secret called `secret1` in the `default` namespace:
--->
-## 验证数据已被加密
-
-数据在写入 etcd 时会被加密。重新启动你的 `kube-apiserver` 后，任何新创建或更新的密码在存储时都应该被加密。
-如果想要检查，你可以使用 `etcdctl` 命令行程序来检索你的加密内容。
-
-1. 创建一个新的 secret，名称为 `secret1`，命名空间为 `default`：
-
-   ```shell
-   kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
-   ```
-
-<!--
-2. Using the etcdctl commandline, read that secret out of etcd:
--->
-2. 使用 etcdctl 命令行，从 etcd 中读取 secret：
-   ```shell
-   ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C
-   ```
-
-   <!--
-   where `[...]` must be the additional arguments for connecting to the etcd server.
-   -->
-   这里的 `[...]` 是用来连接 etcd 服务的额外参数。
-
-<!--
-3. Verify the stored secret is prefixed with `k8s:enc:aescbc:v1:` which indicates the `aescbc` provider has encrypted the resulting data.
-4. Verify the secret is correctly decrypted when retrieved via the API:
--->
-3. 验证存储的密钥前缀是否为 `k8s:enc:aescbc:v1:`，这表明 `aescbc` provider 已加密结果数据。
-4. 通过 API 检索，验证 secret 是否被正确解密：
-
-   ```shell
-   kubectl describe secret secret1 -n default
-   ```
-
-   <!--
-   should match `mykey: mydata`, mydata is encoded, check [decoding a secret](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret) to
-   completely decode the secret.
-   -->
-   其输出应该是 `mykey: bXlkYXRh`，`mydata` 数据是被加密过的，请参阅
-   [解密 Secret](/zh/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)
-   了解如何完全解码 Secret 内容。
-
-<!--
-## Ensure all secrets are encrypted
-
-Since secrets are encrypted on write, performing an update on a secret will encrypt that content.
--->
-## 确保所有 Secret 都被加密
-
-由于 Secret 是在写入时被加密，因此对 Secret 执行更新也会加密该内容。
-
-```
-kubectl get secrets --all-namespaces -o json | kubectl replace -f -
-```
-
-<!--
-The command above reads all secrets and then updates them to apply server side encryption.
--->
-上面的命令读取所有 Secret，然后使用服务端加密来更新其内容。
-
-<!--
-If an error occurs due to a conflicting write, retry the command.
-For larger clusters, you may wish to subdivide the secrets by namespace or script an update.
--->
-{{< note >}}
-如果由于冲突写入而发生错误，请重试该命令。
-对于较大的集群，你可能希望通过命名空间或更新脚本来对 Secret 进行划分。
-{{< /note >}}
-
-<!--
-## Rotating a decryption key
-
-Changing the secret without incurring downtime requires a multi step operation, especially in
-the presence of a highly available deployment where multiple `kube-apiserver` processes are running.
-
-1. Generate a new key and add it as the second key entry for the current provider on all servers
-2. Restart all `kube-apiserver` processes to ensure each server can decrypt using the new key
-3. Make the new key the first entry in the `keys` array so that it is used for encryption in the config
-4. Restart all `kube-apiserver` processes to ensure each server now encrypts using the new key
-5. Run `kubectl get secrets -all-namespaces -o json | kubectl replace -f -` to encrypt all existing secrets with the new key
-6. Remove the old decryption key from the config after you back up etcd with the new key in use and update all secrets
-
-With a single `kube-apiserver`, step 2 may be skipped.
--->
-## 轮换解密密钥
-
-在不发生停机的情况下更改 Secret 需要多步操作，特别是在有多个 `kube-apiserver` 进程正在运行的
-高可用环境中。
-
-1. 生成一个新密钥并将其添加为所有服务器上当前提供程序的第二个密钥条目
-2. 重新启动所有 `kube-apiserver` 进程以确保每台服务器都可以使用新密钥进行解密
-3. 将新密钥设置为 `keys` 数组中的第一个条目，以便在配置中使用其进行加密
-4. 重新启动所有 `kube-apiserver` 进程以确保每个服务器现在都使用新密钥进行加密
-5. 运行 `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` 以用新密钥加密所有现有的秘密
-6. 在使用新密钥备份 etcd 后，从配置中删除旧的解密密钥并更新所有密钥
-
-如果只有一个 `kube-apiserver`，第 2 步可能可以忽略。
-
-<!--
-## Decrypting all data
-
-To disable encryption at rest place the `identity` provider as the first entry in the config:
--->
-## 解密所有数据
-
-要禁用 rest 加密，请将 `identity` provider 作为配置中的第一个条目：
-
-```yaml
-apiVersion: apiserver.config.k8s.io/v1
-kind: EncryptionConfiguration
-resources:
-  - resources:
-    - secrets
-    providers:
-    - identity: {}
-    - aescbc:
-        keys:
-        - name: key1
-          secret: <BASE 64 ENCODED SECRET>
-```
-
-<!--
-and restart all `kube-apiserver` processes. Then run
--->
-并重新启动所有 `kube-apiserver` 进程。然后运行：
-
-```
-kubectl get secrets -all-namespaces -o json | kubectl replace -f -`
-```
-
-<!--
-to force all secrets to be decrypted.
--->
-以强制解密所有 secret。
-
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md b/content/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
deleted file mode 100644
index cc516e24cdf88..0000000000000
--- a/content/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md
+++ /dev/null
@@ -1,285 +0,0 @@
----
-title: 为命名空间配置默认的 CPU 请求和限制
-content_type: task
-weight: 20
----
-
-<!--
-title: Configure Default CPU Requests and Limits for a Namespace
-content_type: task
-weight: 20
--->
-
-<!-- overview -->
-<!--
-This page shows how to configure default CPU requests and limits for a namespace.
-A Kubernetes cluster can be divided into namespaces. If a Container is created in a namespace
-that has a default CPU limit, and the Container does not specify its own CPU limit, then
-the Container is assigned the default CPU limit. Kubernetes assigns a default CPU request
-under certain conditions that are explained later in this topic.
--->
-本章介绍怎样为命名空间配置默认的 CPU 请求和限制。
-一个 Kubernetes 集群可被划分为多个命名空间。如果在配置了 CPU 限制的命名空间创建容器，
-并且该容器没有声明自己的 CPU 限制，那么这个容器会被指定默认的 CPU 限制。
-Kubernetes 在一些特定情况还会指定 CPU 请求，本文后续章节将会对其进行解释。
-
-## {{% heading "prerequisites" %}}
-
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-<!-- steps -->
-
-<!--
-## Create a namespace
-
-Create a namespace so that the resources you create in this exercise are
-isolated from the rest of your cluster.
--->
-## 创建命名空间
-
-创建一个命名空间，以便本练习中创建的资源和集群的其余部分相隔离。
-
-```shell
-kubectl create namespace default-cpu-example
-```
-
-<!--
-## Create a LimitRange and a Pod
-
-Here's the configuration file for a LimitRange object. The configuration specifies
-a default CPU request and a default CPU limit.
--->
-## 创建 LimitRange 和 Pod
-
-这里给出了 LimitRange 对象的配置文件。该配置声明了一个默认的 CPU 请求和一个默认的 CPU 限制。
-
-{{< codenew file="admin/resource/cpu-defaults.yaml" >}}
-
-<!--
-Create the LimitRange in the default-cpu-example namespace:
--->
-在命名空间 default-cpu-example 中创建 LimitRange 对象：
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults.yaml --namespace=default-cpu-example
-```
-
-<!--
-Now if a Container is created in the default-cpu-example namespace, and the
-Container does not specify its own values for CPU request and CPU limit,
-the Container is given a default CPU request of 0.5 and a default
-CPU limit of 1.
-
-Here's the configuration file for a Pod that has one Container. The Container
-does not specify a CPU request and limit.
--->
-现在如果在 default-cpu-example 命名空间创建一个容器，该容器没有声明自己的 CPU 请求和限制时，
-将会给它指定默认的 CPU 请求0.5和默认的 CPU 限制值1.
-
-这里给出了包含一个容器的 Pod 的配置文件。该容器没有声明 CPU 请求和限制。
-
-{{< codenew file="admin/resource/cpu-defaults-pod.yaml" >}}
-
-<!--
-Create the Pod.
--->
-创建 Pod。
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod.yaml --namespace=default-cpu-example
-```
-
-<!--
-View the Pod's specification:
--->
-查看该 Pod 的声明：
-
-```shell
-kubectl get pod default-cpu-demo --output=yaml --namespace=default-cpu-example
-```
-
-<!--
-The output shows that the Pod's Container has a CPU request of 500 millicpus and
-a CPU limit of 1 cpu. These are the default values specified by the LimitRange.
--->
-输出显示该 Pod 的容器有一个500 millicpus的 CPU 请求和一个1 cpu的 CPU 限制。这些是 LimitRange 声明的默认值。
-
-```shell
-containers:
-- image: nginx
-  imagePullPolicy: Always
-  name: default-cpu-demo-ctr
-  resources:
-    limits:
-      cpu: "1"
-    requests:
-      cpu: 500m
-```
-
-<!--
-## What if you specify a Container's limit, but not its request?
-
-Here's the configuration file for a Pod that has one Container. The Container
-specifies a CPU limit, but not a request:
--->
-## 你只声明容器的限制，而不声明请求会怎么样？
-
-这是包含一个容器的 Pod 的配置文件。该容器声明了 CPU 限制，而没有声明 CPU 请求。
-
-{{< codenew file="admin/resource/cpu-defaults-pod-2.yaml" >}}
-
-<!--
-Create the Pod:
--->
-创建 Pod
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-2.yaml --namespace=default-cpu-example
-```
-
-<!--
-View the Pod specification:
--->
-查看 Pod 的声明：
-
-```
-kubectl get pod default-cpu-demo-2 --output=yaml --namespace=default-cpu-example
-```
-
-<!--
-The output shows that the Container's CPU request is set to match its CPU limit.
-Notice that the Container was not assigned the default CPU request value of 0.5 cpu.
--->
-输出显示该容器的 CPU 请求和 CPU 限制设置相同。注意该容器没有被指定默认的 CPU 请求值0.5 cpu。
-
-```
-resources:
-  limits:
-    cpu: "1"
-  requests:
-    cpu: "1"
-```
-
-<!--
-## What if you specify a Container's request, but not its limit?
-
-Here's the configuration file for a Pod that has one Container. The Container
-specifies a CPU request, but not a limit:
--->
-## 你只声明容器的请求，而不声明它的限制会怎么样？
-
-这里给出了包含一个容器的 Pod 的配置文件。该容器声明了 CPU 请求，而没有声明 CPU 限制。
-
-{{< codenew file="admin/resource/cpu-defaults-pod-3.yaml" >}}
-
-<!--
-Create the Pod:
--->
-创建 Pod：
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-3.yaml --namespace=default-cpu-example
-```
-
-<!--
-View the Pod specification:
--->
-查看 Pod 的规约：
-
-```
-kubectl get pod default-cpu-demo-3 --output=yaml --namespace=default-cpu-example
-```
-
-<!--
-The output shows that the Container's CPU request is set to the value specified in the
-Container's configuration file. The Container's CPU limit is set to 1 cpu, which is the
-default CPU limit for the namespace.
--->
-结果显示该容器的 CPU 请求被设置为容器配置文件中声明的数值。
-容器的CPU限制被设置为 1 CPU，即该命名空间的默认 CPU 限制值。
-
-```
-resources:
-  limits:
-    cpu: "1"
-  requests:
-    cpu: 750m
-```
-
-<!--
-## Motivation for default CPU limits and requests
-
-If your namespace has a
-[resource quota](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/),
-it is helpful to have a default value in place for CPU limit.
-Here are two of the restrictions that a resource quota imposes on a namespace:
-
-* Every Container that runs in the namespace must have its own CPU limit.
-* The total amount of CPU used by all Containers in the namespace must not exceed a specified limit.
-
-If a Container does not specify its own CPU limit, it is given the default limit, and then
-it can be allowed to run in a namespace that is restricted by a quota.
--->
-## 默认 CPU 限制和请求的动机
-
-如果你的命名空间有一个
-[资源配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)，
-那么有一个默认的 CPU 限制是有帮助的。这里有资源配额强加给命名空间的两条限制：
-
-* 命名空间中运行的每个容器必须有自己的 CPU 限制。
-* 命名空间中所有容器使用的 CPU 总和不能超过一个声明值。
-
-如果容器没有声明自己的 CPU 限制，将会给它一个默认限制，这样它就能被允许运行在一个有配额限制的命名空间中。
-
-<!--
-## Clean up
-
-Delete your namespace:
-
-```shell
-kubectl delete namespace default-cpu-example
-```
--->
-## 清理
-
-删除你的命名空间：
-
-```shell
-kubectl delete namespace constraints-cpu-example
-```
-
-## {{% heading "whatsnext" %}}
-
-<!--
-### For cluster administrators
-
-* [Configure Default Memory Requests and Limits for a Namespace](/docs/tasks/administer-cluster/memory-default-namespace/)
-* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/memory-constraint-namespace/)
-* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/cpu-constraint-namespace/)
-* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/)
-* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/quota-pod-namespace/)
-* [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
--->
-### 集群管理员参考
-
-* [为命名空间配置默认内存请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
-* [为命名空间配置内存限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置 CPU 限制的最小值和最大值](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [为 API 对象配置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
-
-<!--
-### For app developers
-
-* [Assign Memory Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [Assign CPU Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [Configure Quality of Service for Pods](/docs/tasks/configure-pod-container/quality-service-pod/)
--->
-### 应用开发者参考
-
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [为 Pod 配置服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
-
-
diff --git a/content/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md b/content/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
deleted file mode 100644
index 2a1345364cfaf..0000000000000
--- a/content/zh/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md
+++ /dev/null
@@ -1,305 +0,0 @@
----
-title: 为命名空间配置默认的内存请求和限制
-content_type: task
-weight: 10
----
-
-<!--
-title: Configure Default Memory Requests and Limits for a Namespace
-content_type: task
-weight: 10
--->
-
-<!-- overview -->
-
-<!--
-This page shows how to configure default memory requests and limits for a namespace.
-If a Container is created in a namespace that has a default memory limit, and the Container
-does not specify its own memory limit, then the Container is assigned the default memory limit.
-Kubernetes assigns a default memory request under certain conditions that are explained later in this topic.
--->
-
-本文介绍怎样给命名空间配置默认的内存请求和限制。
-如果在一个有默认内存限制的命名空间创建容器，该容器没有声明自己的内存限制时，
-将会被指定默认内存限制。
-Kubernetes 还为某些情况指定了默认的内存请求，本章后面会进行介绍。
-
-## {{% heading "prerequisites" %}}
-
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-<!--
-Each node in your cluster must have at least 2 GiB of memory.
--->
-你的集群中的每个节点必须至少有 2 GiB 的内存。
-
-<!-- steps -->
-
-<!--
-## Create a namespace
-
-Create a namespace so that the resources you create in this exercise are
-isolated from the rest of your cluster.
--->
-## 创建命名空间
-
-创建一个命名空间，以便本练习中所建的资源与集群的其余资源相隔离。
-
-```shell
-kubectl create namespace default-mem-example
-```
-
-<!--
-## Create a LimitRange and a Pod
-
-Here's the configuration file for a LimitRange object. The configuration specifies
-a default memory request and a default memory limit.
--->
-## 创建 LimitRange 和 Pod
-
-这里给出了一个限制范围对象的配置文件。该配置声明了一个默认的内存请求和一个默认的内存限制。
-
-{{< codenew file="admin/resource/memory-defaults.yaml" >}}
-
-<!--
-Create the LimitRange in the default-mem-example namespace:
--->
-在 default-mem-example 命名空间创建限制范围：
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults.yaml --namespace=default-mem-example
-```
-
-<!--
-Now if a Container is created in the default-mem-example namespace, and the
-Container does not specify its own values for memory request and memory limit,
-the Container is given a default memory request of 256 MiB and a default
-memory limit of 512 MiB.
-
-Here's the configuration file for a Pod that has one Container. The Container
-does not specify a memory request and limit.
--->
-现在，如果在 default-mem-example 命名空间创建容器，并且该容器没有声明自己的内存请求和限制值，
-它将被指定默认的内存请求 256 MiB 和默认的内存限制 512 MiB。
-
-下面是具有一个容器的 Pod 的配置文件。
-容器未指定内存请求和限制。
-
-{{< codenew file="admin/resource/memory-defaults-pod.yaml" >}}
-
-<!--
-Create the Pod.
--->
-创建 Pod
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod.yaml --namespace=default-mem-example
-```
-
-<!--
-View detailed information about the Pod:
--->
-查看 Pod 的详情：
-
-```shell
-kubectl get pod default-mem-demo --output=yaml --namespace=default-mem-example
-```
-
-<!--
-The output shows that the Pod's Container has a memory request of 256 MiB and
-a memory limit of 512 MiB. These are the default values specified by the LimitRange.
--->
-输出内容显示该 Pod 的容器有 256 MiB 的内存请求和 512 MiB 的内存限制。
-这些都是 LimitRange 设置的默认值。
-
-```shell
-containers:
-- image: nginx
-  imagePullPolicy: Always
-  name: default-mem-demo-ctr
-  resources:
-    limits:
-      memory: 512Mi
-    requests:
-      memory: 256Mi
-```
-
-<!--
-Delete your Pod:
--->
-删除你的 Pod：
-
-```shell
-kubectl delete pod default-mem-demo --namespace=default-mem-example
-```
-
-<!--
-## What if you specify a Container's limit, but not its request?
-
-Here's the configuration file for a Pod that has one Container. The Container
-specifies a memory limit, but not a request:
--->
-## 声明容器的限制而不声明它的请求会怎么样？
-
-这里给出了包含一个容器的 Pod 的配置文件。该容器声明了内存限制，而没有声明内存请求：
-
-{{< codenew file="admin/resource/memory-defaults-pod-2.yaml" >}}
-
-<!--
-Create the Pod:
--->
-创建 Pod：
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-2.yaml --namespace=default-mem-example
-```
-
-<!--
-View detailed information about the Pod:
--->
-查看 Pod 的详情：
-
-```shell
-kubectl get pod default-mem-demo-2 --output=yaml --namespace=default-mem-example
-```
-
-<!--
-The output shows that the Container's memory request is set to match its memory limit.
-Notice that the Container was not assigned the default memory request value of 256Mi.
--->
-输出结果显示容器的内存请求被设置为它的内存限制相同的值。注意该容器没有被指定默认的内存请求值 256MiB。
-
-```
-resources:
-  limits:
-    memory: 1Gi
-  requests:
-    memory: 1Gi
-```
-
-<!--
-## What if you specify a Container's request, but not its limit?
--->
-## 声明容器的内存请求而不声明内存限制会怎么样？
-
-<!--
-Here's the configuration file for a Pod that has one Container. The Container
-specifies a memory request, but not a limit:
--->
-这里给出了一个包含一个容器的 Pod 的配置文件。该容器声明了内存请求，但没有内存限制：
-
-{{< codenew file="admin/resource/memory-defaults-pod-3.yaml" >}}
-
-<!--
-Create the Pod:
--->
-创建 Pod：
-
-```shell
-kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-3.yaml --namespace=default-mem-example
-```
-
-<!--
-View the Pod's specification:
--->
-查看 Pod 声明：
-
-```shell
-kubectl get pod default-mem-demo-3 --output=yaml --namespace=default-mem-example
-```
-
-<!--
-The output shows that the Container's memory request is set to the value specified in the
-Container's configuration file. The Container's memory limit is set to 512Mi, which is the
-default memory limit for the namespace.
--->
-输出结果显示该容器的内存请求被设置为了容器配置文件中声明的数值。
-容器的内存限制被设置为 512MiB，即命名空间的默认内存限制。
-
-```
-resources:
-  limits:
-    memory: 512Mi
-  requests:
-    memory: 128Mi
-```
-
-<!--
-## Motivation for default memory limits and requests
-
-If your namespace has a resource quota,
-it is helpful to have a default value in place for memory limit.
-Here are two of the restrictions that a resource quota imposes on a namespace:
--->
-## 设置默认内存限制和请求的动机
-
-如果你的命名空间有资源配额，那么默认内存限制是很有帮助的。
-下面是一个例子，通过资源配额为命名空间设置两项约束：
-
-<!--
-* Every Container that runs in the namespace must have its own memory limit.
-* The total amount of memory used by all Containers in the namespace must not exceed a specified limit.
--->
-* 运行在命名空间中的每个容器必须有自己的内存限制。
-* 命名空间中所有容器的内存使用量之和不能超过声明的限制值。
-
-<!--
-If a Container does not specify its own memory limit, it is given the default limit, and then
-it can be allowed to run in a namespace that is restricted by a quota.
--->
-如果一个容器没有声明自己的内存限制，会被指定默认限制，然后它才会被允许在限定了配额的命名空间中运行。
-
-<!--
-## Clean up
-
-Delete your namespace:
--->
-## 清理
-
-删除你的命名空间：
-
-```shell
-kubectl delete namespace default-mem-example
-```
-
-## {{% heading "whatsnext" %}}
-
-<!--
-### For cluster administrators
-
-* [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/cpu-default-namespace/)
-
-* [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/memory-constraint-namespace/)
-
-* [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/cpu-constraint-namespace/)
-
-* [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/quota-memory-cpu-namespace/)
-
-* [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/quota-pod-namespace/)
-
-* [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
--->
-### 集群管理员参考
-
-* [为命名空间配置默认的 CPU 请求和限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
-* [为命名空间配置最小和最大内存限制](/zh/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
-* [为命名空间配置最小和最大 CPU 限制](/zh/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
-* [为命名空间配置内存和 CPU 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
-* [为命名空间配置 Pod 配额](/zh/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
-* [为 API 对象配置配额](/zh/docs/tasks/administer-cluster/quota-api-object/)
-
-<!--
-### For app developers
-
-* [Assign Memory Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-memory-resource/)
-
-* [Assign CPU Resources to Containers and Pods](/docs/tasks/configure-pod-container/assign-cpu-resource/)
-
-* [Configure Quality of Service for Pods](/docs/tasks/configure-pod-container/quality-service-pod/)
--->
-### 应用开发者参考
-
-* [为容器和 Pod 分配内存资源](/zh/docs/tasks/configure-pod-container/assign-memory-resource/)
-* [为容器和 Pod 分配 CPU 资源](/zh/docs/tasks/configure-pod-container/assign-cpu-resource/)
-* [为 Pod 配置服务质量](/zh/docs/tasks/configure-pod-container/quality-service-pod/)
-
diff --git a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md b/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
deleted file mode 100644
index cdeaed150c451..0000000000000
--- a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/_index.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: "从 dockershim 迁移"
-weight: 10
-content_type: task 
----
-<!-- 
-title: "Migrating from dockershim"
-weight: 10
-content_type: task 
--->
-
-<!-- overview -->
-
-<!-- 
-This section presents information you need to know when migrating from
-dockershim to other container runtimes.
--->
-本节提供从 dockershim 迁移到其他容器运行时的必备知识。
-
-<!-- 
-Since the announcement of [dockershim deprecation](/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)
-in Kubernetes 1.20, there were questions on how this will affect various workloads and Kubernetes
-installations. Our [Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/) is there to help you
-to understand the problem better.
--->
-自从 Kubernetes 1.20 宣布
-[弃用 dockershim](/zh/blog/2020/12/08/kubernetes-1-20-release-announcement/#dockershim-deprecation)，
-各类疑问随之而来：这对各类工作负载和 Kubernetes 部署会产生什么影响。
-我们的[弃用  Dockershim 常见问题](/blog/2022/02/17/dockershim-faq/)可以帮助你更好地理解这个问题。
-
-<!-- It is recommended to migrate from dockershim to alternative container runtimes.
-Check out [container runtimes](/docs/setup/production-environment/container-runtimes/)
-section to know your options. Make sure to
-[report issues](https://github.com/kubernetes/kubernetes/issues) you encountered
-with the migration. So the issue can be fixed in a timely manner and your cluster would be
-ready for dockershim removal.
--->
-建议从 dockershim 迁移到其他替代的容器运行时。
-请参阅[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
-一节以了解可用的备选项。
-当在迁移过程中遇到麻烦，请[上报问题](https://github.com/kubernetes/kubernetes/issues)。
-那么问题就可以及时修复，你的集群也可以进入移除 dockershim 前的就绪状态。
diff --git a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md b/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
deleted file mode 100644
index 7a6f3c8df9876..0000000000000
--- a/content/zh/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: 查明节点上所使用的容器运行时
-content_type: task
-weight: 10
----
-<!--
-title: Find Out What Container Runtime is Used on a Node
-content_type: task
-reviewers:
-- SergeyKanzhelev
-weight: 10
--->
-
-<!-- overview -->
-
-<!--
-This page outlines steps to find out what [container runtime](/docs/setup/production-environment/container-runtimes/)
-the nodes in your cluster use.
--->
-本页面描述查明集群中节点所使用的[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
-的步骤。
-
-<!--
-Depending on the way you run your cluster, the container runtime for the nodes may
-have been pre-configured or you need to configure it. If you're using a managed
-Kubernetes service, there might be vendor-specific ways to check what container runtime is
-configured for the nodes. The method described on this page should work whenever
-the execution of `kubectl` is allowed.
--->
-取决于你运行集群的方式，节点所使用的容器运行时可能是事先配置好的，
-也可能需要你来配置。如果你在使用托管的 Kubernetes 服务，
-可能存在特定于厂商的方法来检查节点上配置的容器运行时。
-本页描述的方法应该在能够执行 `kubectl` 的场合下都可以工作。
-
-## {{% heading "prerequisites" %}}
-
-<!--
-Install and configure `kubectl`. See [Install Tools](/docs/tasks/tools/#kubectl) section for details.
--->
-安装并配置 `kubectl`。参见[安装工具](/zh/docs/tasks/tools/#kubectl) 节了解详情。
-
-<!--
-## Find out the container runtime used on a Node
-
-Use `kubectl` to fetch and show node information:
--->
-## 查明节点所使用的容器运行时
-
-使用 `kubectl` 来读取并显示节点信息：
-
-```shell
-kubectl get nodes -o wide
-```
-
-<!--
-The output is similar to the following. The column `CONTAINER-RUNTIME` outputs
-the runtime and its version.
--->
-输出如下面所示。`CONTAINER-RUNTIME` 列给出容器运行时及其版本。
-
-```none
-# For dockershim
-NAME         STATUS   VERSION    CONTAINER-RUNTIME
-node-1       Ready    v1.16.15   docker://19.3.1
-node-2       Ready    v1.16.15   docker://19.3.1
-node-3       Ready    v1.16.15   docker://19.3.1
-```
-
-```none
-# For containerd
-NAME         STATUS   VERSION   CONTAINER-RUNTIME
-node-1       Ready    v1.19.6   containerd://1.4.1
-node-2       Ready    v1.19.6   containerd://1.4.1
-node-3       Ready    v1.19.6   containerd://1.4.1
-```
-
-<!--
-Find out more information about container runtimes
-on [Container Runtimes](/docs/setup/production-environment/container-runtimes/) page.
--->
-你可以在[容器运行时](/zh/docs/setup/production-environment/container-runtimes/)
-页面找到与容器运行时相关的更多信息。
-
diff --git a/content/zh/docs/tasks/administer-cluster/reconfigure-kubelet.md b/content/zh/docs/tasks/administer-cluster/reconfigure-kubelet.md
deleted file mode 100644
index e0e47d3299806..0000000000000
--- a/content/zh/docs/tasks/administer-cluster/reconfigure-kubelet.md
+++ /dev/null
@@ -1,665 +0,0 @@
----
-title: 在运行中的集群上重新配置节点的 kubelet
-content_type: task
----
-
-<!--
-reviewers:
-- mtaufen
-- dawnchen
-title: Reconfigure a Node's Kubelet in a Live Cluster
-content_type: task
--->
-
-<!-- overview -->
-
-{{< feature-state for_k8s_version="v1.22" state="deprecated" >}}
-
-<!--
-{{< caution >}}
-The [Dynamic Kubelet Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration)
-feature is deprecated and should not be used.
-Please switch to alternative means distributing configuration to the Nodes of your cluster.
-{{< /caution >}}
--->
-{{< caution >}}
-[动态 kubelet 配置](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration)
-已经废弃不建议使用。请选择其他方法将配置分发到集群中的节点。
-{{< /caution >}}
-
-<!--
-[Dynamic Kubelet Configuration](https://github.com/kubernetes/enhancements/issues/281)
-allows you to change the configuration of each Kubelet in a live Kubernetes
-cluster by deploying a ConfigMap and configuring each Node to use it.
--->
-[动态 kubelet 配置](https://github.com/kubernetes/enhancements/issues/281)
-允许你通过部署一个所有节点都会使用的 ConfigMap 
-达到在运行中的 Kubernetes 集群中更改 kubelet 配置的目的。
-
-<!--
-All kubelet configuration parameters can be changed dynamically,
-but this is unsafe for some parameters. Before deciding to change a parameter
-dynamically, you need a strong understanding of how that change will affect your
-cluster's behavior. Always carefully test configuration changes on a small set
-of nodes before rolling them out cluster-wide. Advice on configuring specific
-fields is available in the inline
-[`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/).
--->
-{{< warning >}}
-所有 kubelet 配置参数都可以被动态更改，但对某些参数来说这类更改是不安全的。
-在决定动态更改参数之前，你需要深刻理解这个改动将会如何影响集群的行为。
-在将变更扩散到整个集群之前，你需要先在小规模的节点集合上仔细地测试这些配置变动。
-特定字段相关的配置建议可以在文档
-[`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/)中找到。
-{{< /warning >}}
-
-## {{% heading "prerequisites" %}}
-
-<!--
-You need to have a Kubernetes cluster.
-You also need `kubectl`, [installed](/docs/tasks/tools/#kubectl) and configured to communicate with your cluster.
-Make sure that you are using a version of `kubectl` that is
-[compatible](/releases/version-skew-policy/) with your cluster.
-{{< version-check >}}
--->
-你需要一个 Kubernetes 集群。
-你还需要 `kubectl`，[安装](/zh/docs/tasks/tools/#kubectl)并配置好与集群的通信。
-{{< version-check >}}
-确保你使用的 `kubectl` 版本与集群 [兼容](/releases/version-skew-policy/)。
-
-<!--
-Some of the examples use the command line tool
-[jq](https://stedolan.github.io/jq/). You do not need `jq` to complete the task,
-because there are manual alternatives.
-
-For each node that you're reconfiguring, you must set the kubelet
-`-dynamic-config-dir` flag to a writable directory.
--->
-在某些例子中使用了命令行工具 [jq](https://stedolan.github.io/jq/)。
-你并不一定需要 `jq` 才能完成这些任务，因为总是有一些手工替代的方式。
-
-针对你重新配置的每个节点，你必须设置 kubelet 的标志
-`-dynamic-config-dir`，使之指向一个可写的目录。
-
-<!-- steps -->
-
-<!--
-## Reconfiguring the kubelet on a running node in your cluster
-
-### Basic Workflow Overview
--->
-## 重配置 集群中运行节点上的 kubelet 
-
-### 基本工作流程概览
-
-<!--
-The basic workflow for configuring a Kubelet in a live cluster is as follows:
-
-1. Write a YAML or JSON configuration file containing the
-   kubelet's configuration.
-2. Wrap this file in a ConfigMap and save it to the Kubernetes control plane.
-3. Update the Kubelet's corresponding Node object to use this ConfigMap.
--->
-在运行中的集群中配置 kubelet 的基本工作流程如下：
-
-1. 编写一个包含 kubelet 配置的 YAML 或 JSON 文件。
-2. 将此文件包装在 ConfigMap 中并将其保存到 Kubernetes 控制平面。
-3. 更新 kubelet 所在节点对象以使用此 ConfigMap。
-
-<!--
-Each kubelet watches a configuration reference on its respective Node object.
-When this reference changes, the Kubelet downloads the new configuration,
-updates a local reference to refer to the file, and exits.
-For the feature to work correctly, you must be running an OS-level service
-manager (such as systemd), which will restart the Kubelet if it exits. When the
-Kubelet is restarted, it will begin using the new configuration.
--->
-每个 kubelet 都会在其各自的节点对象上监测（Watch）配置引用。当引用更改时，kubelet 将下载新的配置文件，
-更新本地引用指向该文件，然后退出。
-为了使该功能正常地工作，你必须运行操作系统级别的服务管理器（如 systemd），
-它将会在 kubelet 退出后将其重启。
-kubelet 重新启动时，将开始使用新配置。
-
-<!--
-The new configuration completely overrides configuration provided by `--config`,
-and is overridden by command-line flags. Unspecified values in the new configuration
-will receive default values appropriate to the configuration version
-(e.g. `kubelet.config.k8s.io/v1beta1`), unless overridden by flags.
--->
-新配置将会完全地覆盖 `--config` 所提供的配置，并被命令行标志覆盖。
-新配置中未指定的值将收到适合配置版本的默认值
-(e.g. `kubelet.config.k8s.io/v1beta1`)，除非被命令行标志覆盖。
-
-<!--
-The status of the Node's Kubelet configuration is reported via
-`Node.Spec.Status.Config`. Once you have updated a Node to use the new
-ConfigMap, you can observe this status to confirm that the Node is using the
-intended configuration.
--->
-节点 kubelet 配置状态可通过 `node.spec.status.config` 获取。
-一旦你更新了一个节点去使用新的 ConfigMap，
-就可以通过观察此状态来确认该节点是否正在使用预期配置。
-
-<!--
-This document describes editing Nodes using `kubectl edit`.
-There are other ways to modify a Node's spec, including `kubectl patch`, for
-example, which facilitate scripted workflows.
--->
-本文中使用命令 `kubectl edit` 来编辑节点，还有其他的方式可以修改节点的规约，
-比如更利于脚本化工作流程的 `kubectl patch`。
-
-<!--
-This document only describes a single Node consuming each ConfigMap. Keep in
-mind that it is also valid for multiple Nodes to consume the same ConfigMap.
--->
-本文仅仅讲述在单节点上使用每个 ConfigMap。请注意对于多个节点使用相同的 ConfigMap
-也是合法的。
-
-<!--
-While it is *possible* to change the configuration by
-updating the ConfigMap in-place, this causes all Kubelets configured with
-that ConfigMap to update simultaneously. It is much safer to treat ConfigMaps
-as immutable by convention, aided by `kubectl`'s `-append-hash` option,
-and incrementally roll out updates to `Node.Spec.ConfigSource`.
--->
-{{< warning >}}
-尽管通过就地更新 ConfigMap 来更改配置是 *可能的*。
-但是这样做会导致所有使用该 ConfigMap 配置的 kubelet 同时更新。
-更安全的做法是按惯例将 ConfigMap 视为不可变更的，借助于
-`kubectl` 的 `--append-hash` 选项逐步把更新推广到 `node.spec.configSource`。
-{{< /warning >}}
-
-<!--
-### Automatic RBAC rules for Node Authorizer
-
-Previously, you were required to manually create RBAC rules
-to allow Nodes to access their assigned ConfigMaps. The Node Authorizer now
-automatically configures these rules.
--->
-### 节点鉴权器的自动 RBAC 规则
-
-以前，你需要手动创建 RBAC 规则以允许节点访问其分配的 ConfigMap。节点鉴权器现在
-能够自动配置这些规则。
-
-<!--
-### Generating a file that contains the current configuration
-
-The Dynamic Kubelet Configuration feature allows you to provide an override for
-the entire configuration object, rather than a per-field overlay. This is a
-simpler model that makes it easier to trace the source of configuration values
-and debug issues. The compromise, however, is that you must start with knowledge
-of the existing configuration to ensure that you only change the fields you
-intend to change.
--->
-### 生成包含当前配置的文件
-
-动态 kubelet 配置特性允许你为整个配置对象提供一个重载配置，而不是靠单个字段的叠加。 
-这是一个更简单的模型，可以更轻松地跟踪配置值的来源，更便于调试问题。
-然而，相应的代价是你必须首先了解现有配置，以确保你只更改你打算修改的字段。
-
-<!--
-The kubelet loads settings from its configuration file, but you can set command
-line flags to override the configuration in the file. This means that if you
-only know the contents of the configuration file, and you don't know the
-command line overrides, then you do not know the running configuration either.
--->
-组件 kubelet 从其配置文件中加载配置数据，不过你可以通过设置命令行标志
-来重载文件中的一些配置。这意味着，如果你仅知道配置文件的内容，而你不知道
-命令行重载了哪些配置，你就无法知道 kubelet 的运行时配置是什么。
-
-<!--
-Because you need to know the running configuration in order to override it,
-you can fetch the running configuration from the kubelet. You can generate a
-config file containing a Node's current configuration by accessing the kubelet's
-`configz` endpoint, through `kubectl proxy`. The next section explains how to
-do this.
--->
-因为你需要知道运行时所使用的配置才能重载之，你可以从 kubelet 取回其运行时配置。
-你可以通过访问 kubelet 的 `configz` 末端来生成包含节点当前配置的配置文件；
-这一操作可以通过 `kubectl proxy` 来完成。
-下一节解释如何完成这一操作。
-
-<!--
-The kubelet's `configz` endpoint is there to help with debugging, and is not
-a stable part of kubelet behavior.
-Do not rely on the behavior of this endpoint for production scenarios or for
-use with automated tools.
--->
-{{< caution >}}
-组件 `kubelet` 上的 `configz` 末端是用来协助调试的，并非 kubelet 稳定行为的一部分。
-请不要在产品环境下依赖此末端的行为，也不要在自动化工具中使用此末端。
-{{< /caution >}}
-
-<!--
-For more information on configuring the kubelet via a configuration file, see
-[Set kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file)).
--->
-关于如何使用配置文件来配置 kubelet 行为的更多信息可参见
-[通过配置文件设置 kubelet 参数](/zh/docs/tasks/administer-cluster/kubelet-config-file)
-文档。
-
-<!-- #### Generate the configuration file -->
-#### 生成配置文件
-
-<!--
-The steps below use the `jq` command to streamline working with JSON.
-To follow the tasks as written, you need to have `jq` installed. You can
-adapt the steps if you prefer to extract the `kubeletconfig` subobject manually.
--->
-{{< note >}}
-下面的任务步骤中使用了 `jq` 命令以方便处理 JSON 数据。为了完成这里讲述的任务，
-你需要安装 `jq`。如果你更希望手动提取 `kubeletconfig` 子对象，也可以对这里
-的对应步骤做一些调整。
-{{< /note >}}
-
-<!--
-1. Choose a Node to reconfigure. In this example, the name of this Node is
-   referred to as `NODE_NAME`.
-2. Start the kubectl proxy in the background using the following command:
--->
-1. 选择要重新配置的节点。在本例中，此节点的名称为 `NODE_NAME`。
-2. 使用以下命令在后台启动 kubectl 代理：
-
-   ```shell
-   kubectl proxy --port=8001 &
-   ```
-<!--
-3. Run the following command to download and unpack the configuration from the
-   `configz` endpoint. The command is long, so be careful when copying and
-   pasting. **If you use zsh**, note that common zsh configurations add backslashes
-   to escape the opening and closing curly braces around the variable name in the URL.
-   For example: `${NODE_NAME}` will be rewritten as `$\{NODE_NAME\}` during the paste.
-   You must remove the backslashes before running the command, or the command will fail.
--->
-3. 运行以下命令从 `configz` 端点中下载并解压配置。这个命令很长，因此在复制粘贴时要小心。
-   **如果你使用 zsh**，请注意常见的 zsh 配置要添加反斜杠转义 URL 中变量名称周围的大括号。
-   例如：在粘贴时，`${NODE_NAME}` 将被重写为 `$\{NODE_NAME\}`。
-   你必须在运行命令之前删除反斜杠，否则命令将失败。
-
-   ```bash
-   NODE_NAME="the-name-of-the-node-you-are-reconfiguring"; curl -sSL "http://localhost:8001/api/v1/nodes/${NODE_NAME}/proxy/configz" | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' > kubelet_configz_${NODE_NAME}
-   ```
-
-<!--
-You need to manually add the `kind` and `apiVersion` to the downloaded
-object，because they are not reported by the `configz` endpoint。
--->
-{{< note >}}
-你需要手动将 `kind` 和 `apiVersion` 添加到下载对象中，因为它们不是由 `configz` 末端
-返回的。
-{{< /note >}}
-
-<!--
-#### Edit the configuration file
-
-Using a text editor, change one of the parameters in the
-file generated by the previous procedure. For example, you
-might edit the QPS parameter `eventRecordQPS`.
--->
-#### 修改配置文件
-
-使用文本编辑器，改变上述操作生成的文件中一个参数。
-例如，你或许会修改 QPS 参数 `eventRecordQPS`。
-
-<!--
-#### Push the configuration file to the control plane
-
-Push the edited configuration file to the control plane with the
-following command:
--->
-#### 把配置文件推送到控制平面
-
-用以下命令把编辑后的配置文件推送到控制平面：
-
-```bash
-kubectl -n kube-system create configmap my-node-config \
-  --from-file=kubelet=kubelet_configz_${NODE_NAME} \
-  --append-hash -o yaml
-```
-
-<!--
-This is an example of a valid response:
--->
-下面是合法响应的一个例子：
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  creationTimestamp: 2017-09-14T20:23:33Z
-  name: my-node-config-gkt4c2m4b2
-  namespace: kube-system
-  resourceVersion: "119980"
-  selfLink: /api/v1/namespaces/kube-system/configmaps/my-node-config-gkt4c2m4b2
-  uid: 946d785e-998a-11e7-a8dd-42010a800006
-data:
-  kubelet: |
-    {...}
-```
-
-<!--
-You created that ConfigMap inside the `kube-system` namespace because the kubelet
-is a Kubernetes system component.
--->
-你会在 `kube-system` 命名空间中创建 ConfigMap，因为 kubelet 是 Kubernetes 的系统组件。
-
-<!--
-The `-append-hash` option appends a short checksum of the ConfigMap contents
-to the name. This is convenient for an edit-then-push workflow, because it
-automatically, yet deterministically, generates new names for new ConfigMaps.
-The name that includes this generated hash is referred to as `CONFIG_MAP_NAME`
-in the following examples.
--->
-`--append-hash` 选项给 ConfigMap 内容附加了一个简短校验和。
-这对于先编辑后推送的工作流程很方便，
-因为它自动并确定地为新 ConfigMap 生成新的名称。
-在以下示例中，包含生成的哈希字符串的对象名被称为 `CONFIG_MAP_NAME`。
-
-<!--
-#### Set the Node to use the new configuration
-
-
-Edit the Node's reference to point to the new ConfigMap with the
-following command:
--->
-#### 配置节点使用新的配置
-
-```bash
-kubectl edit node ${NODE_NAME}
-```
-
-<!--
-In your text editor, add the following YAML under `spec`:
--->
-在你的文本编辑器中，在 `spec` 下增添以下 YAML：
-
-```yaml
-configSource:
-    configMap:
-        name: CONFIG_MAP_NAME
-        namespace: kube-system
-        kubeletConfigKey: kubelet
-```
-
-<!--
-You must specify all three of `name`, `namespace`, and `kubeletConfigKey`.
-The `kubeletConfigKey` parameter shows the Kubelet which key of the ConfigMap
-contains its config.
--->
-你必须同时指定 `name`、`namespace` 和 `kubeletConfigKey` 这三个属性。
-`kubeletConfigKey` 这个参数通知 kubelet ConfigMap 中的哪个键下面包含所要的配置。
-
-<!--
-#### Observe that the Node begins using the new configuration
-
-Retrieve the Node using the `kubectl get node ${NODE_NAME} -o yaml` command and inspect
-`Node.Status.Config`. The config sources corresponding to the `active`,
-`assigned`, and `lastKnownGood` configurations are reported in the status.
-
-- The `active` configuration is the version the Kubelet is currently running with.
-- The `assigned` configuration is the latest version the Kubelet has resolved based on
-  `Node.Spec.ConfigSource`.
-- The `lastKnownGood` configuration is the version the
-  Kubelet will fall back to if an invalid config is assigned in `Node.Spec.ConfigSource`.
--->
-#### 观察节点开始使用新配置
-
-用 `kubectl get node ${NODE_NAME} -o yaml` 命令读取节点并检查 `node.status.config` 内容。
-状态部分报告了对应 `active`（使用中的）配置、`assigned`（被赋予的）配置和
-`lastKnownGood`（最近已知可用的）配置的配置源。
-
-- `active` 是 kubelet 当前运行时所使用的版本。
-- `assigned` 参数是 kubelet 基于 `node.spec.configSource` 所解析出来的最新版本。
-- `lastKnownGood` 参数是 kubelet 的回退版本；如果在 `node.spec.configSource` 中
-  包含了无效的配置值，kubelet 可以回退到这个版本。
-
-<!--
-The`lastKnownGood` configuration might not be present if it is set to its default value,
-the local config deployed with the node. The status will update `lastKnownGood` to
-match a valid `assigned` config after the Kubelet becomes comfortable with the config.
-The details of how the Kubelet determines a config should become the `lastKnownGood` are
-not guaranteed by the API, but is currently implemented as a 10-minute grace period.
--->
-如果用本地配置部署节点，使其设置成默认值，这个 `lastKnownGood` 配置可能不存在。
-在 kubelet 配置好后，将更新 `lastKnownGood` 为一个有效的 `assigned` 配置。
-决定如何确定某配置成为 `lastKnownGood` 配置的细节并不在 API 保障范畴，
-不过目前实现中采用了 10 分钟的宽限期。
-
-<!--
-You can use the following command (using `jq`) to filter down
-to the config status:
--->
-你可以使用以下命令（使用 `jq`）过滤出配置状态：
-
-```bash
-kubectl get no ${NODE_NAME} -o json | jq '.status.config'
-```
-
-<!--
-The following is an example response:
--->
-以下是一个响应示例：
-
-```json
-{
-  "active": {
-    "configMap": {
-      "kubeletConfigKey": "kubelet",
-      "name": "my-node-config-9mbkccg2cc",
-      "namespace": "kube-system",
-      "resourceVersion": "1326",
-      "uid": "705ab4f5-6393-11e8-b7cc-42010a800002"
-    }
-  },
-  "assigned": {
-    "configMap": {
-      "kubeletConfigKey": "kubelet",
-      "name": "my-node-config-9mbkccg2cc",
-      "namespace": "kube-system",
-      "resourceVersion": "1326",
-      "uid": "705ab4f5-6393-11e8-b7cc-42010a800002"
-    }
-  },
-  "lastKnownGood": {
-    "configMap": {
-      "kubeletConfigKey": "kubelet",
-      "name": "my-node-config-9mbkccg2cc",
-      "namespace": "kube-system",
-      "resourceVersion": "1326",
-      "uid": "705ab4f5-6393-11e8-b7cc-42010a800002"
-    }
-  }
-}
-```
-
-<!--
-If you do not have `jq`, you can look at the whole response and find `Node.Status.Config`
-by eye.
--->
-如果你没有安装 `jq`，你可以查看整个响应对象，查找其中的 `node.status.config`
-部分。
-
-<!--
-If an error occurs, the Kubelet reports it in the `Node.Status.Config.Error`
-structure. Possible errors are listed in
-[Understanding Node.Status.Config.Error messages](#understanding-node-config-status-errors).
-You can search for the identical text in the Kubelet log for additional details
-and context about the error.
--->
-如果发生错误，kubelet 会在 `Node.Status.Config.Error` 中显示出错误信息的结构体。
-错误可能出现在列表[理解节点状态配置错误信息](#understanding-node-config-status-errors)中。
-你可以在 kubelet 日志中搜索相同的文本以获取更多详细信息和有关错误的上下文。
-
-<!--
-#### Make more changes
-
-Follow the workflow above to make more changes and push them again. Each time
-you push a ConfigMap with new contents, the -append-hash kubectl option creates
-the ConfigMap with a new name. The safest rollout strategy is to first create a
-new ConfigMap, and then update the Node to use the new ConfigMap.
--->
-#### 做出更多的改变   {#make-more-changes}
-
-按照下面的工作流程做出更多的改变并再次推送它们。
-你每次推送一个 ConfigMap 的新内容时，kubectl 的 `--append-hash` 选项都会给
-ConfigMap 创建一个新的名称。
-最安全的上线策略是首先创建一个新的 ConfigMap，然后更新节点以使用新的 ConfigMap。
-
-<!--
-#### Reset the Node to use its local default configuration
-
-To reset the Node to use the configuration it was provisioned with, edit the
-Node using `kubectl edit node ${NODE_NAME}` and remove the
-`Node.Spec.ConfigSource` field.
--->
-#### 重置节点以使用其本地默认配置
-
-要重置节点，使其使用节点创建时使用的配置，可以用
-`kubectl edit node $ {NODE_NAME}` 命令编辑节点，并删除 `node.spec.configSource`
-字段。
-
-<!-- 
-#### Observe that the Node is using its local default configuration
-
-After removing this subfield, `Node.Status.Config` eventually becomes
-empty, since all config sources have been reset to `nil`, which indicates that
-the local default config is `assigned`, `active`, and `lastKnownGood`, and no
-error is reported.
--->
-#### 观察节点正在使用本地默认配置
-
-在删除此字段后，`node.status.config` 最终变成空，所有配置源都已重置为 `nil`。
-这表示本地默认配置成为了 `assigned`、`active` 和 `lastKnownGood` 配置，
-并且没有报告错误。
-
-<!-- discussion -->
-
-<!--
-## `kubectl patch` example
-
-You can change a Node's configSource using several different mechanisms.
-This example uses `kubectl patch`:
--->
-## `kubectl patch` 示例
-
-你可以使用几种不同的机制来更改节点的 configSource。
-
-本例使用`kubectl patch`：
-
-```bash
-kubectl patch node ${NODE_NAME} -p "{\"spec\":{\"configSource\":{\"configMap\":{\"name\":\"${CONFIG_MAP_NAME}\",\"namespace\":\"kube-system\",\"kubeletConfigKey\":\"kubelet\"}}}}"
-```
-<!--
-## Understanding how the Kubelet checkpoints config
-
-When a new config is assigned to the Node, the Kubelet downloads and unpacks the
-config payload as a set of files on the local disk. The Kubelet also records metadata
-that locally tracks the assigned and last-known-good config sources, so that the
-Kubelet knows which config to use across restarts, even if the API server becomes
-unavailable. After checkpointing a config and the relevant metadata, the Kubelet
-exits if it detects that the assigned config has changed. When the Kubelet is
-restarted by the OS-level service manager (such as `systemd`), it reads the new
-metadata and uses the new config.
--->
-## 了解 Kubelet 如何为配置生成检查点
-
-当为节点赋予新配置时，kubelet 会下载并解压配置负载为本地磁盘上的一组文件。
-kubelet 还记录一些元数据，用以在本地跟踪已赋予的和最近已知良好的配置源，以便
-kubelet 在重新启动时知道使用哪个配置，即使 API 服务器变为不可用。
-在为配置信息和相关元数据生成检查点之后，如果检测到已赋予的配置发生改变，则 kubelet 退出。
-当 kubelet 被 OS 级服务管理器（例如 `systemd`）重新启动时，它会读取新的元数据并使用新配置。
-
-<!--
-The recorded metadata is fully resolved, meaning that it contains all necessary
-information to choose a specific config version - typically a `UID` and `ResourceVersion`.
-This is in contrast to `Node.Spec.ConfigSource`, where the intended config is declared
-via the idempotent `namespace/name` that identifies the target ConfigMap; the Kubelet
-tries to use the latest version of this ConfigMap.
--->
-当记录的元数据已被完全解析时，意味着它包含选择一个指定的配置版本所需的所有信息
--- 通常是 `UID` 和 `ResourceVersion`。
-这与 `node.spec.configSource` 形成对比，后者通过幂等的 `namespace/name` 声明来标识
-目标 ConfigMap；kubelet 尝试使用此 ConfigMap 的最新版本。
-
-<!--
-When you are debugging problems on a node, you can inspect the Kubelet's config
-metadata and checkpoints. The structure of the Kubelet's checkpointing directory is:
--->
-当你在调试节点上问题时，可以检查 kubelet 的配置元数据和检查点。kubelet 的检查点目录结构是：
-
-<!--
-```none
-- -dynamic-config-dir (root for managing dynamic config)
-| - meta
-  | - assigned (encoded kubeletconfig/v1beta1.SerializedNodeConfigSource object, indicating the assigned config)
-  | - last-known-good (encoded kubeletconfig/v1beta1.SerializedNodeConfigSource object, indicating the last-known-good config)
-| - checkpoints
-  | - uid1 (dir for versions of object identified by uid1)
-    | - resourceVersion1 (dir for unpacked files from resourceVersion1 of object with uid1)
-    | - ...
-  | - ...
-```
--->
-
-```none
-- --dynamic-config-dir （用于管理动态配置的根目录）
-|-- meta
-  | - assigned （编码后的 kubeletconfig/v1beta1.SerializedNodeConfigSource 对象，对应赋予的配置）
-  | - last-known-good （编码后的 kubeletconfig/v1beta1.SerializedNodeConfigSource 对象，对应最近已知可用配置）
-| - checkpoints
-  | - uid1 （用 uid1 来标识的对象版本目录)
-    | - resourceVersion1 （uid1 对象 resourceVersion1 版本下所有解压文件的目录）
-    | - ...
-  | - ...
-```
-
-<!-- 
-## Understanding `Node.Status.Config.Error` messages {#understanding-node-config-status-errors}
-
-The following table describes error messages that can occur
-when using Dynamic Kubelet Config. You can search for the identical text
-in the Kubelet log for additional details and context about the error.
--->
-## 理解 `Node.Status.Config.Error` 消息 {#understanding-node-config-status-errors}
-
-下表描述了使用动态 kubelet 配置时可能发生的错误消息。
-你可以在 kubelet 日志中搜索相同的文本来获取有关错误的其他详细信息和上下文。
-
-<!--
-Error Message    | Possible Causes
-:----------------| :----------------
-failed to load config, see Kubelet log for details | The kubelet likely could not parse the downloaded config payload, or encountered a filesystem error attempting to load the payload from disk.
-failed to validate config, see Kubelet log for details | The configuration in the payload, combined with any command-line flag overrides, and the sum of feature gates from flags, the config file, and the remote payload, was determined to be invalid by the kubelet.
-invalid NodeConfigSource, exactly one subfield must be non-nil, but all were nil | Since Node.Spec.ConfigSource is validated by the API server to contain at least one non-nil subfield, this likely means that the kubelet is older than the API server and does not recognize a newer source type.
-failed to sync: failed to download config, see Kubelet log for details | The kubelet could not download the config. It is possible that Node.Spec.ConfigSource could not be resolved to a concrete API object, or that network errors disrupted the download attempt. The kubelet will retry the download when in this error state.
-failed to sync: internal failure, see Kubelet log for details | The kubelet encountered some internal problem and failed to update its config as a result. Examples include filesystem errors and reading objects from the internal informer cache.
-internal failure, see Kubelet log for details | The kubelet encountered some internal problem while manipulating config, outside of the configuration sync loop.
--->
-
-{{< table caption = "理解 node.status.config.error 消息" >}}
- 错误信息        | 可能的原因
-:----------------| :----------------
-failed to load config, see Kubelet log for details | kubelet 可能无法解析下载配置的有效负载，或者当尝试从磁盘中加载有效负载时，遇到文件系统错误。
-failed to validate config, see Kubelet log for details | 有效负载中的配置，与命令行标志所产生的覆盖配置以及特行门控的组合、配置文件本身、远程负载被 kubelet 判定为无效。
-invalid NodeConfigSource, exactly one subfield must be non-nil, but all were nil | 由于 API 服务器负责对 node.spec.configSource 执行验证，检查其中是否包含至少一个非空子字段，这个消息可能意味着 kubelet 比 API 服务器版本低，因而无法识别更新的源类型。
-failed to sync: failed to download config, see Kubelet log for details | kubelet 无法下载配置数据。可能是 node.spec.configSource 无法解析为具体的 API 对象，或者网络错误破坏了下载。处于此错误状态时，kubelet 将重新尝试下载。
-failed to sync: internal failure, see Kubelet log for details | kubelet 遇到了一些内部问题，因此无法更新其配置。 例如：发生文件系统错误或无法从内部缓存中读取对象。
-internal failure, see Kubelet log for details | 在对配置进行同步的循环之外操作配置时，kubelet 遇到了一些内部问题。
-
-{{< /table >}}
-
-## {{% heading "whatsnext" %}}
-
-<!--
-- [Set kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file)
-  explains the supported way to configure a kubelet.
-- See the reference documentation for Node, including the `configSource` field within
-  the Node's [.spec](/docs/reference/kubernetes-api/cluster-resources/node-v1/#NodeSpec)
-- Learn more about kubelet configuration by checking the
-  [`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/)
-  reference.
--->
-- [使用配置文件设置 kubelet 参数](/zh/docs/tasks/administer-cluster/kubelet-config-file)说明了配置 kubelet 的方法。
-- 阅读 Node 的参考文档，包括 [.spec](/docs/reference/kubernetes-api/cluster-resources/node-v1/#NodeSpec) 里的 `configSource` 字段
-- 查阅[`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/)文献进一步了解 kubelet 
-  配置信息。
\ No newline at end of file
diff --git a/content/zh/docs/tutorials/services/source-ip.md b/content/zh/docs/tutorials/services/source-ip.md
deleted file mode 100644
index 5e2292e5c835d..0000000000000
--- a/content/zh/docs/tutorials/services/source-ip.md
+++ /dev/null
@@ -1,405 +0,0 @@
----
-
-title: 使用 Source IP
-content_type: tutorial
----
-
-<!-- overview -->
-
-
-Kubernetes 集群中运行的应用通过 Service 抽象来互相查找、通信和与外部世界沟通。本文介绍被发送到不同类型 Services 的数据包源 IP 的变化过程，你可以根据你的需求改变这些行为。
-
-
-
-## {{% heading "prerequisites" %}}
-
-
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-
-## 术语表
-
-
-本文使用了下列术语：
-
-* [NAT](https://en.wikipedia.org/wiki/Network_address_translation): 网络地址转换
-* [Source NAT](https://en.wikipedia.org/wiki/Network_address_translation#SNAT): 替换数据包的源 IP, 通常为节点的 IP
-* [Destination NAT](https://en.wikipedia.org/wiki/Network_address_translation#DNAT): 替换数据包的目的 IP, 通常为 Pod 的 IP
-* [VIP](/zh/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies): 一个虚拟 IP, 例如分配给每个 Kubernetes Service 的 IP
-* [Kube-proxy](/zh/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies): 一个网络守护程序，在每个节点上协调 Service VIP 管理
-
-
-## 准备工作
-
-
-你必须拥有一个正常工作的 Kubernetes 1.5 集群来运行此文档中的示例。该示例使用一个简单的 nginx webserver，通过一个HTTP消息头返回它接收到请求的源IP。你可以像下面这样创建它：
-
-```console
-kubectl create deployment source-ip-app --image=k8s.gcr.io/echoserver:1.4
-```
-输出结果为
-```
-deployment.apps/source-ip-app created
-```
-
-
-
-## {{% heading "objectives" %}}
-
-
-
-* 通过多种类型的 Services 暴露一个简单应用
-* 理解每种 Service 类型如何处理源 IP NAT
-* 理解保留源IP所涉及的折中
-
-
-
-
-<!-- lessoncontent -->
-
-
-## Type=ClusterIP 类型 Services 的 Source IP
-
-
-如果你的 kube-proxy 运行在 [iptables 模式](/zh/docs/user-guide/services/#proxy-mode-iptables)下，从集群内部发送到 ClusterIP 的包永远不会进行源地址 NAT，这从 Kubernetes 1.2 开始是默认选项。Kube-proxy 通过一个 `proxyMode` endpoint 暴露它的模式。
-
-```console
-kubectl get nodes
-```
-输出结果与以下结果类似:
-```
-NAME                           STATUS     ROLES    AGE     VERSION
-kubernetes-node-6jst   Ready      <none>   2h      v1.13.0
-kubernetes-node-cx31   Ready      <none>   2h      v1.13.0
-kubernetes-node-jj1t   Ready      <none>   2h      v1.13.0
-```
-从其中一个节点中得到代理模式
-```console
-kubernetes-node-6jst $ curl localhost:10249/proxyMode
-```
-输出结果为：
-```
-iptables
-```
-
-你可以通过在source IP应用上创建一个Service来测试源IP保留。
-
-```console
-kubectl expose deployment source-ip-app --name=clusterip --port=80 --target-port=8080
-```
-输出结果为：
-```
-service/clusterip exposed
-```
-```console
-kubectl get svc clusterip
-```
-输出结果与以下结果类似：
-```
-NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
-clusterip    ClusterIP   10.0.170.92   <none>        80/TCP    51s
-```
-
-
-从相同集群中的一个 pod 访问这个 `ClusterIP`：
-
-```shell
-kubectl run busybox -it --image=busybox:1.28 --restart=Never --rm
-```
-输出结果与以下结果类似：
-```
-Waiting for pod default/busybox to be running, status is Pending, pod ready: false
-If you don't see a command prompt, try pressing enter.
-```
-
-然后你可以在 Pod 内运行命令：
-
-```shell
-# 在终端内使用"kubectl run"执行
-
-ip addr
-```
-```
-1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
-    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
-    inet 127.0.0.1/8 scope host lo
-       valid_lft forever preferred_lft forever
-    inet6 ::1/128 scope host
-       valid_lft forever preferred_lft forever
-3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue
-    link/ether 0a:58:0a:f4:03:08 brd ff:ff:ff:ff:ff:ff
-    inet 10.244.3.8/24 scope global eth0
-       valid_lft forever preferred_lft forever
-    inet6 fe80::188a:84ff:feb0:26a5/64 scope link
-       valid_lft forever preferred_lft forever
-```
-
-然后使用 `wget` 去请求本地 Web 服务器
-```shell
-# 用名为 "clusterip" 的服务的 IPv4 地址替换 "10.0.170.92"
-
-wget -qO - 10.0.170.92
-```
-```
-CLIENT VALUES:
-client_address=10.244.3.8
-command=GET
-...
-```
-
-无论客户端 pod 和 服务端 pod 是否在相同的节点上，client_address 始终是客户端 pod 的 IP 地址。
-
-
-## Type=NodePort 类型 Services 的 Source IP
-
-
-从 Kubernetes 1.5 开始，发送给类型为 [Type=NodePort](/zh/docs/user-guide/services/#nodeport) Services 的数据包默认进行源地址 NAT。你可以通过创建一个 `NodePort` Service 来进行测试：
-
-```console
-kubectl expose deployment source-ip-app --name=nodeport --port=80 --target-port=8080 --type=NodePort
-```
-输出结果为：
-```
-service/nodeport exposed
-```
-
-```console
-NODEPORT=$(kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services nodeport)
-NODES=$(kubectl get nodes -o jsonpath='{ $.items[*].status.addresses[?(@.type=="InternalIP")].address }')
-```
-
-如果你的集群运行在一个云服务上，你可能需要为上面报告的 `nodes:nodeport` 开启一条防火墙规则。
-现在，你可以通过上面分配的节点端口从外部访问这个 Service。
-
-```console
-for node in $NODES; do curl -s $node:$NODEPORT | grep -i client_address; done
-```
-输出结果与以下结果类似：
-```
-client_address=10.180.1.1
-client_address=10.240.0.5
-client_address=10.240.0.3
-```
-
-请注意，这些并不是正确的客户端 IP，它们是集群的内部 IP。这是所发生的事情：
-
-* 客户端发送数据包到 `node2:nodePort`
-* `node2` 使用它自己的 IP 地址替换数据包的源 IP 地址（SNAT）
-* `node2` 使用 pod IP 地址替换数据包的目的 IP 地址
-* 数据包被路由到 node 1，然后交给 endpoint
-* Pod 的回复被路由回 node2
-* Pod 的回复被发送回给客户端
-
-
-用图表示：
-
-{{< mermaid >}}
-graph LR;
-  client(client)-->node2[节点 2];
-  node2-->client;
-  node2-. SNAT .->node1[节点 1];
-  node1-. SNAT .->node2;
-  node1-->endpoint(端点);
-
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  class node1,node2,endpoint k8s;
-  class client plain;
-{{</ mermaid >}}
-
-
-为了防止这种情况发生，Kubernetes 提供了一个特性来保留客户端的源 IP 地址[(点击此处查看可用特性)](/zh/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)。设置 `service.spec.externalTrafficPolicy` 的值为 `Local`，请求就只会被代理到本地 endpoints 而不会被转发到其它节点。这样就保留了最初的源 IP 地址。如果没有本地 endpoints，发送到这个节点的数据包将会被丢弃。这样在应用到数据包的任何包处理规则下，你都能依赖这个正确的 source-ip 使数据包通过并到达 endpoint。
-
-
-设置 `service.spec.externalTrafficPolicy` 字段如下：
-
-```console
-kubectl patch svc nodeport -p '{"spec":{"externalTrafficPolicy":"Local"}}'
-```
-输出结果为：
-```
-service/nodeport patched
-```
-
-
-现在，重新运行测试：
-
-```console
-for node in $NODES; do curl --connect-timeout 1 -s $node:$NODEPORT | grep -i client_address; done
-```
-输出结果为：
-```
-client_address=104.132.1.79
-```
-
-
-请注意，你只从 endpoint pod 运行的那个节点得到了一个回复，这个回复有*正确的*客户端 IP。
-
-
-这是发生的事情：
-
-* 客户端发送数据包到 `node2:nodePort`，它没有任何 endpoints
-* 数据包被丢弃
-* 客户端发送数据包到 `node1:nodePort`，它*有*endpoints
-* node1 使用正确的源 IP 地址将数据包路由到 endpoint
-
-
-用图表示：
-
-{{< mermaid >}}
-graph TD;
-  client --> node1[节点 1];
-  client(client) --x node2[节点 2];
-  node1 --> endpoint(端点);
-  endpoint --> node1;
-
-  classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-  classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-  class node1,node2,endpoint k8s;
-  class client plain;
-{{</ mermaid >}}
-
-
-
-## Type=LoadBalancer 类型 Services 的 Source IP
-
-
-从Kubernetes1.5开始，发送给类型为 [Type=LoadBalancer](/zh/docs/user-guide/services/#type-nodeport) Services 的数据包默认进行源地址 NAT，这是因为所有处于 `Ready` 状态的可调度 Kubernetes 节点对于负载均衡的流量都是符合条件的。所以如果数据包到达一个没有 endpoint 的节点，系统将把这个包代理到*有* endpoint 的节点，并替换数据包的源 IP 为节点的 IP（如前面章节所述）。
-
-
-你可以通过在一个 loadbalancer 上暴露这个 source-ip-app 来进行测试。
-
-```console
-kubectl expose deployment source-ip-app --name=loadbalancer --port=80 --target-port=8080 --type=LoadBalancer
-```
-输出结果为：
-```
-service/loadbalancer exposed
-```
-
-打印Service的IPs：
-```console
-kubectl get svc loadbalancer
-```
-输出结果与以下结果类似：
-```
-NAME           TYPE           CLUSTER-IP    EXTERNAL-IP       PORT(S)   AGE
-loadbalancer   LoadBalancer   10.0.65.118   104.198.149.140   80/TCP    5m
-```
-
-```console
-curl 104.198.149.140
-```
-输出结果与以下结果类似：
-```
-CLIENT VALUES:
-client_address=10.240.0.5
-...
-```
-
-
-然而，如果你的集群运行在 Google Kubernetes Engine/GCE 上，可以通过设置 service.spec.externalTrafficPolicy 字段值为 Local ，故意导致健康检查失败来强制使没有 endpoints 的节点把自己从负载均衡流量的可选节点列表中删除。
-
-
-用图表示：
-
-![Source IP with externalTrafficPolicy](/images/docs/sourceip-externaltrafficpolicy.svg)
-
-
-你可以设置 annotation 来进行测试：
-
-```console
-kubectl patch svc loadbalancer -p '{"spec":{"externalTrafficPolicy":"Local"}}'
-```
-
-
-你应该能够立即看到 Kubernetes 分配的 `service.spec.healthCheckNodePort` 字段：
-
-```console
-kubectl get svc loadbalancer -o yaml | grep -i healthCheckNodePort
-```
-输出结果与以下结果类似：
-```
-  healthCheckNodePort: 32122
-```
-
-
-`service.spec.healthCheckNodePort` 字段指向每个节点在 `/healthz` 路径上提供的用于健康检查的端口。你可以这样测试：
-
-```console
-kubectl get pod -o wide -l run=source-ip-app
-```
-输出结果与以下结果类似：
-```
-NAME                            READY     STATUS    RESTARTS   AGE       IP             NODE
-source-ip-app-826191075-qehz4   1/1       Running   0          20h       10.180.1.136   kubernetes-node-6jst
-```
-使用 curl 命令发送请求到每个节点的 `/healthz` 路径。
-```console
-kubernetes-node-6jst $ curl localhost:32122/healthz
-```
-输出结果与以下结果类似：
-```
-1 Service Endpoints found
-```
-```console
-kubernetes-node-jj1t $ curl localhost:32122/healthz
-```
-输出结果与以下结果类似：
-```
-No Service Endpoints Found
-```
-
-
-主节点运行的 service 控制器负责分配 cloud loadbalancer。在这样做的同时，它也会分配指向每个节点的 HTTP 健康检查的 port/path。等待大约 10 秒钟之后，没有 endpoints 的两个节点的健康检查会失败，然后 curl 负载均衡器的 ip：
-
-```console
-curl 104.198.149.140
-```
-输出结果与以下结果类似：
-```
-CLIENT VALUES:
-client_address=104.132.1.79
-...
-```
-
-
-__跨平台支持__
-
-
-从 Kubernetes 1.5 开始，通过类型为 Type=LoadBalancer 的 Services 进行源 IP 保存的支持仅在一部分 cloudproviders 中实现（GCP and Azure）。你的集群运行的 cloudprovider 可能以某些不同的方式满足 loadbalancer 的要求：
-
-
-1. 使用一个代理终止客户端连接并打开一个到你的 nodes/endpoints 的新连接。在这种情况下，源 IP 地址将永远是云负载均衡器的地址而不是客户端的。
-
-2. 使用一个包转发器，因此从客户端发送到负载均衡器 VIP 的请求在拥有客户端源 IP 地址的节点终止，而不被中间代理。
-
-
-第一类负载均衡器必须使用一种它和后端之间约定的协议来和真实的客户端 IP 通信，例如 HTTP [X-FORWARDED-FOR](https://en.wikipedia.org/wiki/X-Forwarded-For) 头，或者 [proxy 协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
-第二类负载均衡器可以通过简单的在保存于 Service 的 `service.spec.healthCheckNodePort` 字段上创建一个 HTTP 健康检查点来使用上面描述的特性。
-
-
-
-## {{% heading "cleanup" %}}
-
-
-
-删除服务：
-
-```console
-$ kubectl delete svc -l app=source-ip-app
-```
-
-
-删除 Deployment、ReplicaSet 和 Pod：
-
-```console
-$ kubectl delete deployment source-ip-app
-```
-
-
-
-## {{% heading "whatsnext" %}}
-
-
-* 进一步学习 [通过 services 连接应用](/zh/docs/concepts/services-networking/connect-applications-service/)
diff --git a/content/zh/examples/admin/konnectivity/egress-selector-configuration.yaml b/content/zh/examples/admin/konnectivity/egress-selector-configuration.yaml
deleted file mode 100644
index c85f25ea51590..0000000000000
--- a/content/zh/examples/admin/konnectivity/egress-selector-configuration.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: apiserver.k8s.io/v1beta1
-kind: EgressSelectorConfiguration
-egressSelections:
-# Since we want to control the egress traffic to the cluster, we use the
-# "cluster" as the name. Other supported values are "etcd", and "master".
-- name: cluster
-  connection:
-    # This controls the protocol between the API Server and the Konnectivity
-    # server. Supported values are "GRPC" and "HTTPConnect". There is no
-    # end user visible difference between the two modes. You need to set the
-    # Konnectivity server to work in the same mode.
-    proxyProtocol: GRPC
-    transport:
-      # This controls what transport the API Server uses to communicate with the
-      # Konnectivity server. UDS is recommended if the Konnectivity server
-      # locates on the same machine as the API Server. You need to configure the
-      # Konnectivity server to listen on the same UDS socket.
-      # The other supported transport is "tcp". You will need to set up TLS 
-      # config to secure the TCP transport.
-      uds:
-        udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
diff --git a/content/zh/examples/application/guestbook/frontend-service.yaml b/content/zh/examples/application/guestbook/frontend-service.yaml
deleted file mode 100644
index 410c6bbaf2950..0000000000000
--- a/content/zh/examples/application/guestbook/frontend-service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# SOURCE: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook
-apiVersion: v1
-kind: Service
-metadata:
-  name: frontend
-  labels:
-    app: guestbook
-    tier: frontend
-spec:
-  # if your cluster supports it, uncomment the following to automatically create
-  # an external load-balanced IP for the frontend service.
-  # type: LoadBalancer
-  #type: LoadBalancer
-  ports:
-    # the port that this service should serve on
-  - port: 80
-  selector:
-    app: guestbook
-    tier: frontend
\ No newline at end of file
diff --git a/content/zh/examples/audit/audit-policy.yaml b/content/zh/examples/audit/audit-policy.yaml
deleted file mode 100644
index 25b8fd0070e51..0000000000000
--- a/content/zh/examples/audit/audit-policy.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: audit.k8s.io/v1 # This is required.
-kind: Policy
-# Don't generate audit events for all requests in RequestReceived stage.
-omitStages:
-  - "RequestReceived"
-rules:
-  # Log pod changes at RequestResponse level
-  - level: RequestResponse
-    resources:
-    - group: ""
-      # Resource "pods" doesn't match requests to any subresource of pods,
-      # which is consistent with the RBAC policy.
-      resources: ["pods"]
-  # Log "pods/log", "pods/status" at Metadata level
-  - level: Metadata
-    resources:
-    - group: ""
-      resources: ["pods/log", "pods/status"]
-
-  # Don't log requests to a configmap called "controller-leader"
-  - level: None
-    resources:
-    - group: ""
-      resources: ["configmaps"]
-      resourceNames: ["controller-leader"]
-
-  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
-  - level: None
-    users: ["system:kube-proxy"]
-    verbs: ["watch"]
-    resources:
-    - group: "" # core API group
-      resources: ["endpoints", "services"]
-
-  # Don't log authenticated requests to certain non-resource URL paths.
-  - level: None
-    userGroups: ["system:authenticated"]
-    nonResourceURLs:
-    - "/api*" # Wildcard matching.
-    - "/version"
-
-  # Log the request body of configmap changes in kube-system.
-  - level: Request
-    resources:
-    - group: "" # core API group
-      resources: ["configmaps"]
-    # This rule only applies to resources in the "kube-system" namespace.
-    # The empty string "" can be used to select non-namespaced resources.
-    namespaces: ["kube-system"]
-
-  # Log configmap and secret changes in all other namespaces at the Metadata level.
-  - level: Metadata
-    resources:
-    - group: "" # core API group
-      resources: ["secrets", "configmaps"]
-
-  # Log all other resources in core and extensions at the Request level.
-  - level: Request
-    resources:
-    - group: "" # core API group
-    - group: "extensions" # Version of group should NOT be included.
-
-  # A catch-all rule to log all other requests at the Metadata level.
-  - level: Metadata
-    # Long-running requests like watches that fall under this rule will not
-    # generate an audit event in RequestReceived.
-    omitStages:
-      - "RequestReceived"
diff --git a/content/zh/examples/service/nginx-service.yaml b/content/zh/examples/service/nginx-service.yaml
deleted file mode 100644
index 810f0ec7d8633..0000000000000
--- a/content/zh/examples/service/nginx-service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nginx-service
-spec:
-  ports:
-  - port: 8000 # the port that this service should serve on
-    # the container on each pod to connect to, can be a name
-    # (e.g. 'www') or a number (e.g. 80)
-    targetPort: 80
-    protocol: TCP
-  # just like the selector in the deployment,
-  # but this time it identifies the set of pods to load balance
-  # traffic to.
-  selector:
-    app: nginx
diff --git a/content/zh/includes/default-storage-class-prereqs.md b/content/zh/includes/default-storage-class-prereqs.md
deleted file mode 100644
index 63a27a0d409c4..0000000000000
--- a/content/zh/includes/default-storage-class-prereqs.md
+++ /dev/null
@@ -1,12 +0,0 @@
-你需要有一个带有默认 [StorageClass](/zh/docs/concepts/storage/storage-classes/)的
-[动态 PersistentVolume 供应程序](/zh/docs/concepts/storage/dynamic-provisioning/)，
-或者自己[静态的提供 PersistentVolume](/zh/docs/concepts/storage/persistent-volumes/#provisioning)
-来满足这里使用的 [PersistentVolumeClaim](/zh/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)。
-
-<!--
-You need to either have a [dynamic PersistentVolume provisioner](/docs/concepts/storage/dynamic-provisioning/) with a default
-[StorageClass](/docs/concepts/storage/storage-classes/),
-or [statically provision PersistentVolumes](/docs/concepts/storage/persistent-volumes/#provisioning)
-yourself to satisfy the [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
-used here.
--->
diff --git a/data/announcements/scheduled.yaml b/data/announcements/scheduled.yaml
index 50dc452a79de9..319b3a1662e26 100644
--- a/data/announcements/scheduled.yaml
+++ b/data/announcements/scheduled.yaml
@@ -32,7 +32,7 @@ announcements:
 
 - name: Dockershim removal
   startTime: 2022-04-07T00:00:00 # Added in PR: https://github.com/kubernetes/website/pull/32805
-  endTime: 2022-05-10T00:00:00 # Expires 2022-05-10, but will change text slightly on release date
+  endTime: 2022-05-09T00:00:00 
   style: "background: #326ce5"
   title: "Dockershim removed from Kubernetes"
   message: |
@@ -103,3 +103,16 @@ announcements:
   message: |
     2 days of incredible opportunities to collaborate, learn + share with the entire community!<br />
     December 9 + 10, 2021.
+
+- name: Kubecon 2022 EU
+  startTime: 2022-05-10T00:00:00  #Added in https://github.com/kubernetes/website/pull/33578
+  endTime: 2022-05-20T18:00:00
+  style: >-
+    background: linear-gradient(90deg, rgb(253, 225, 203) 0%, rgb(236, 107, 67) 75%, rgb(236, 107, 67) 100%);
+    color: #000;
+  title: |
+    <img src ="/images/announcements/kccnc-eu-2022-black.svg" style="float: right; height: 80px;" />
+    <a href= "https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/">KubeCon + CloudNativeCon EU 2022</a> <em> Valencia, Spain + Virtual</em>.
+  message: |
+    5 days of incredible opportunites to collaborate, learn + share with the entire community!<br />
+    May 16 - 20, 2022.
diff --git a/data/i18n/zh/OWNERS b/data/i18n/zh-cn/OWNERS
similarity index 100%
rename from data/i18n/zh/OWNERS
rename to data/i18n/zh-cn/OWNERS
diff --git a/data/i18n/zh/zh.toml b/data/i18n/zh-cn/zh-cn.toml
similarity index 89%
rename from data/i18n/zh/zh.toml
rename to data/i18n/zh-cn/zh-cn.toml
index 87df34f9d5ff6..3220f77d811e0 100644
--- a/data/i18n/zh/zh.toml
+++ b/data/i18n/zh-cn/zh-cn.toml
@@ -1,4 +1,4 @@
-# i18n strings for the Chinese version of the site (https://kubernetes.io/zh/)
+# i18n strings for the Chinese version of the site (https://kubernetes.io/zh-cn/)
 # 注意：修改此文件时请维持字符串名称的字母顺序并与英文版保持一致
 
 [caution]
@@ -37,6 +37,9 @@ other = " 版本的文档已不再维护。您现在看到的版本来自于一
 [deprecation_file_warning]
 other = "已过时"
 
+[dockershim_message]
+other = """自 1.24 版起，Dockershim 已从 Kubernetes 项目中移除。阅读 <a href="/zh-cn/dockershim">Dockershim 移除的常见问题</a>了解更多详情。"""
+
 [docs_label_browse]
 other = "浏览文档"
 
@@ -94,10 +97,12 @@ other = "电子邮件地址"
 [javascript_required]
 other = "必须[启用](https://www.enable-javascript.com/) JavaScript 才能查看此页内容"
 
+[katacoda_removal_warning]
+other = """本页面上的此在线教程在 <time datetime="2022-06-15">2022 年 6 月 15 日</time>后[无法继续使用](https://www.oreilly.com/online-learning/leveraging-katacoda-technology.html)。"""
+
 [latest_release]
 other = "最新发行版本："
 
-
 [latest_version]
 other = "最新版本。"
 
@@ -167,12 +172,6 @@ other = """Linux 基金会&reg;。保留所有权利。Linux 基金会已注册
 [main_documentation_license]
 other = """The Kubernetes 作者 | 文档发布基于 <a href="https://git.k8s.io/website/LICENSE" class="light-text">CC BY 4.0</a> 授权许可"""
 
-[main_edit_this_page]
-other = "修改本页面"
-
-[main_github_create_an_issue]
-other = "报告 GitHub 问题"
-
 [main_github_invite]
 other = "想要修改 Kubernetes 的核心源代码？"
 
@@ -217,16 +216,7 @@ other = "教程目标"
 other = "选项"
 
 [outdated_blog__message]
-other = "Kubernetes 项目认为此文章已经过时，因为该页面已经超过一年未修订。请检查页面中的信息是否从发表以来尚未变得不正确。"
-
-[outdated_blog__title]
-other = "过时的文章"
-
-[post_create_child_page]
-other = "创建子页面"
-
-[post_create_issue]
-other = "登记问题"
+other = "这篇文章已经一年多了，较旧的文章可能包含过时的内容。请检查从发表以来，页面中的信息是否变得不正确。"
 
 [prerequisites_heading]
 other = "准备开始"
@@ -237,6 +227,9 @@ other = "补丁版本："
 [release_date_after]
 other = "）"
 
+[release_date_before]
+other = "(发布日期: "
+
 # See https://gohugo.io/functions/format/#gos-layout-string
 # Use a suitable format for your locale
 [release_date_format]
@@ -257,11 +250,12 @@ other = """本部分链接到提供 Kubernetes 所需功能的第三方项目。
 [thirdparty_message_edit_disclaimer]
 other="""第三方内容建议"""
 
+
 [thirdparty_message_single_item]
 other = """&#128711; 本条目指向第三方项目或产品，而该项目（产品）不是 Kubernetes 的一部分。<a class="alert-more-info" href="#third-party-content-disclaimer">更多信息</a>"""
 
 [thirdparty_message_disclaimer]
-other = """<p>本页面中的条目引用了第三方产品或项目，这些产品（项目）提供了 Kubernetes 所需的功能。Kubernetes 项目的开发人员不对这些第三方产品（项目）负责。请参阅<a href="https://github.com/cncf/foundation/blob/master/website-guidelines.md" target="_blank">CNCF 网站指南</a>了解更多细节。</p><p>在提交更改建议，向本页添加新的第三方链接之前，你应该先阅读<a href="/zh/docs/contribute/style/content-guide/#third-party-content">内容指南。</p>"""
+other = """<p>本页面中的条目引用了第三方产品或项目，这些产品（项目）提供了 Kubernetes 所需的功能。Kubernetes 项目的开发人员不对这些第三方产品（项目）负责。请参阅<a href="https://github.com/cncf/foundation/blob/master/website-guidelines.md" target="_blank">CNCF 网站指南</a>了解更多细节。</p><p>在提交更改建议，向本页添加新的第三方链接之前，你应该先阅读<a href="/zh-cn/docs/contribute/style/content-guide/#third-party-content">内容指南。</p>"""
 
 [ui_search_placeholder]
 other = "搜索"
@@ -283,4 +277,3 @@ other = "警告："
 
 [whatsnext_heading]
 other = "接下来"
-
diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index 726c03e12bc3c..a88fb511a735d 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -1,18 +1,30 @@
 schedules:
 - release: 1.24
   releaseDate: 2022-05-03
-  next: 1.24.1
-  cherryPickDeadline: 2022-05-20
-  targetDate: 2022-05-24
+  next: 1.24.3
+  cherryPickDeadline: 2022-07-08
+  targetDate: 2022-07-13
   endOfLifeDate: 2023-09-29
   previousPatches:
+    - release: 1.24.2
+      cherryPickDeadline: 2022-06-10
+      targetDate: 2022-06-15
+    - release: 1.24.1
+      cherryPickDeadline: 2022-05-20
+      targetDate: 2022-05-24
 - release: 1.23
   releaseDate: 2021-12-07
-  next: 1.23.7
-  cherryPickDeadline: 2022-05-20
-  targetDate: 2022-05-24
+  next: 1.23.9
+  cherryPickDeadline: 2022-07-08
+  targetDate: 2022-07-13
   endOfLifeDate: 2023-02-28
   previousPatches:
+    - release: 1.23.8
+      cherryPickDeadline: 2022-06-10
+      targetDate: 2022-06-15
+    - release: 1.23.7
+      cherryPickDeadline: 2022-05-20
+      targetDate: 2022-05-24
     - release: 1.23.6
       cherryPickDeadline: 2022-04-08
       targetDate: 2022-04-13
@@ -25,7 +37,7 @@ schedules:
     - release: 1.23.3
       cherryPickDeadLine: 2022-01-24
       targetDate: 2022-01-25
-      note: "Out-of-Bound Release https://groups.google.com/u/2/a/kubernetes.io/g/dev/c/Xl1sm-CItaY"
+      note: "Out-of-Bound Release https://groups.google.com/a/kubernetes.io/g/dev/c/Xl1sm-CItaY"
     - release: 1.23.2
       cherryPickDeadline: 2022-01-14
       targetDate: 2022-01-19
@@ -34,11 +46,17 @@ schedules:
       targetDate: 2021-12-16
 - release: 1.22
   releaseDate: 2021-08-04
-  next: 1.22.10
-  cherryPickDeadline: 2022-05-20
-  targetDate: 2022-05-24
+  next: 1.22.12
+  cherryPickDeadline: 2022-07-08
+  targetDate: 2022-07-13
   endOfLifeDate: 2022-10-28
   previousPatches:
+    - release: 1.22.11
+      cherryPickDeadline: 2022-06-10
+      targetDate: 2022-06-15
+    - release: 1.22.10
+      cherryPickDeadline: 2022-05-20
+      targetDate: 2022-05-24
     - release: 1.22.9
       cherryPickDeadline: 2022-04-08
       targetDate: 2022-04-13
@@ -66,47 +84,3 @@ schedules:
     - release: 1.22.1
       cherryPickDeadline: 2021-08-16
       targetDate: 2021-08-19
-- release: 1.21
-  releaseDate: 2021-04-08
-  next: 1.21.13
-  cherryPickDeadline: 2022-05-20
-  targetDate: 2022-05-24
-  endOfLifeDate: 2022-06-28
-  previousPatches:
-    - release: 1.21.12
-      cherryPickDeadline: 2022-04-08
-      targetDate: 2022-04-13
-    - release: 1.21.11
-      cherryPickDeadline: 2022-03-11
-      targetDate: 2022-03-16
-    - release: 1.21.10
-      cherryPickDeadline: 2022-02-11
-      targetDate: 2022-02-16
-    - release: 1.21.9
-      cherryPickDeadline: 2022-01-14
-      targetDate: 2022-01-19
-    - release: 1.21.8
-      cherryPickDeadline: 2021-12-10
-      targetDate: 2021-12-15
-    - release: 1.21.7
-      cherryPickDeadline: 2021-11-12
-      targetDate: 2021-11-17
-    - release: 1.21.6
-      cherryPickDeadline: 2021-10-22
-      targetDate: 2021-10-27
-    - release: 1.21.5
-      cherryPickDeadline: 2021-09-10
-      targetDate: 2021-09-15
-    - release: 1.21.4
-      cherryPickDeadline: 2021-08-07
-      targetDate: 2021-08-11
-    - release: 1.21.3
-      cherryPickDeadline: 2021-07-10
-      targetDate: 2021-07-14
-    - release: 1.21.2
-      cherryPickDeadline: 2021-06-12
-      targetDate: 2021-06-16
-    - release: 1.21.1
-      cherryPickDeadline: 2021-05-07
-      targetDate: 2021-05-12
-      note: Regression https://groups.google.com/g/kubernetes-dev/c/KuF8s2zueFs
diff --git a/i18n/zh-cn.toml b/i18n/zh-cn.toml
new file mode 120000
index 0000000000000..6c092af81a206
--- /dev/null
+++ b/i18n/zh-cn.toml
@@ -0,0 +1 @@
+../data/i18n/zh-cn/zh-cn.toml
\ No newline at end of file
diff --git a/i18n/zh.toml b/i18n/zh.toml
deleted file mode 120000
index e4758b41602ed..0000000000000
--- a/i18n/zh.toml
+++ /dev/null
@@ -1 +0,0 @@
-../data/i18n/zh/zh.toml
\ No newline at end of file
diff --git a/layouts/_default/baseof.html b/layouts/_default/baseof.html
index d7c9d50b2b2c2..aeb9d0229f81a 100644
--- a/layouts/_default/baseof.html
+++ b/layouts/_default/baseof.html
@@ -3,7 +3,7 @@
 {{- if eq hugo.Environment "preview" -}}
   <!-- deploy preview -->
 {{- end -}}
-  <head {{- if hugo.IsProduction -}}class="live-site"{{- end -}}>
+  <head{{- if hugo.IsProduction}} class="live-site"{{- end -}}>
     {{ partial "head.html" . }}
   </head>
   <body class="td-{{ .Kind }}{{- if ne (lower .Params.cid) "" -}}{{- printf " cid-%s" (lower .Params.cid) -}}{{- end -}}">
diff --git a/layouts/index.headers b/layouts/index.headers
index aecac14e3dc8a..09bb5d3e31cb1 100644
--- a/layouts/index.headers
+++ b/layouts/index.headers
@@ -13,7 +13,7 @@
   {{- end -}}
 {{- range $pages }}
 {{- if or (.Params.deprecated) (eq .Params.class "gridPage") (.Params.case_study_styles) (.Params.css) (.Params.js) }}
-{{ .URL }}
+{{ .RelPermalink }}
   {{- if eq .Params.class "gridPage" }}
   Link: </css/gridpage.css>; rel=preload; as=style
   {{- end -}}
diff --git a/layouts/partials/head.html b/layouts/partials/head.html
index 7f42139a68a17..ccfb47f8f1c72 100644
--- a/layouts/partials/head.html
+++ b/layouts/partials/head.html
@@ -6,6 +6,7 @@
 {{- else -}}
 <meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
 {{- end -}}
+{{- if in (slice "production" "nonprod") hugo.Environment -}}
 <!-- Global site tag (gtag.js) - Google Analytics -->
 <script async src="https://www.googletagmanager.com/gtag/js?id=UA-36037335-10"></script>
 <script>
@@ -15,6 +16,7 @@
 
   gtag('config', 'UA-36037335-10');
 </script>
+{{- end -}}
 
 <!-- alternative translations -->
 {{ range .Translations -}}
@@ -31,7 +33,6 @@
 {{ partialCached "favicons.html" . }}
 <title>{{ if .IsHome }}{{ .Site.Title }}{{ else }}{{ with .Title }}{{ . }} | {{ end }}{{ .Site.Title }}{{ end }}</title>
 {{- template "_internal/opengraph.html" . -}}
-{{- template "_internal/google_news.html" . -}}
 {{- template "_internal/schema.html" . -}}
 {{- template "_internal/twitter_cards.html" . -}}
 {{- if hugo.IsProduction -}}
diff --git a/layouts/partials/page-meta-links.html b/layouts/partials/page-meta-links.html
index 83571db5257f0..35d19ea73da20 100644
--- a/layouts/partials/page-meta-links.html
+++ b/layouts/partials/page-meta-links.html
@@ -1,6 +1,7 @@
 {{/* template adapted from Docsy theme */}}
-{{ if .Path }}
-  {{ $pathFormatted := replace .Path "\\" "/" }}
+
+{{ if .File.Path }}
+  {{ $pathFormatted := replace .File.Path "\\" "/" }}
   {{ $gh_repo := ($.Param "github_repo") }}
   {{ $gh_subdir := ($.Param "github_subdir") }}
   {{ $gh_project_repo := ($.Param "github_project_repo") }}
diff --git a/layouts/shortcodes/api-reference.html b/layouts/shortcodes/api-reference.html
index 785044dc17885..90590ba52d7ae 100644
--- a/layouts/shortcodes/api-reference.html
+++ b/layouts/shortcodes/api-reference.html
@@ -2,6 +2,8 @@
 {{ $pageArg := .Get "page" }}
 {{ $anchorArg := .Get "anchor" }}
 {{ $textArg := .Get "text" }}
-{{ $page := site.GetPage "page" (printf "%s/%s" $base $pageArg) }}
+{{ $pagePath := path.Join $base $pageArg }}
+{{ $page := site.GetPage "page" $pagePath }}
+{{ with $page }}{{else}}{{ range where site.Home.AllTranslations "Language.Lang" "en" }}{{ $page = .Site.GetPage "page" $pagePath }}{{ end }}{{ end }}
 {{ $metadata := $page.Params.api_metadata }}
 <a href="{{ $page.RelPermalink }}{{if $anchorArg}}#{{ $anchorArg }}{{end}}">{{if $textArg}}{{ $textArg }}{{else if $anchorArg}}{{ $anchorArg }}{{else}}{{ $metadata.kind }}{{end}}</a>
\ No newline at end of file
diff --git a/layouts/shortcodes/katacoda-tutorial.html b/layouts/shortcodes/katacoda-tutorial.html
new file mode 100644
index 0000000000000..a17b4871a2fbc
--- /dev/null
+++ b/layouts/shortcodes/katacoda-tutorial.html
@@ -0,0 +1 @@
+<script defer src="https://katacoda.com/embed.js"></script>
diff --git a/netlify.toml b/netlify.toml
index 0aee361f396a5..e705fa5436bec 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -8,7 +8,7 @@ command = "git submodule update --init --recursive --depth 1 && make non-product
 
 [build.environment]
 NODE_VERSION = "10.20.0"
-HUGO_VERSION = "0.87.0"
+HUGO_VERSION = "0.101.0"
 RUBY_VERSION = "3.0.1"
 
 [context.production.environment]
diff --git a/scripts/README.md b/scripts/README.md
index 02e3e66ff0d2b..9f1e9fdfbe606 100644
--- a/scripts/README.md
+++ b/scripts/README.md
@@ -147,11 +147,11 @@ since a localized version has been committed.
 
 The following example checks a single file:
 
-    ./scripts/lsync.sh content/zh/docs/concepts/_index.md
+    ./scripts/lsync.sh content/zh-cn/docs/concepts/_index.md
 
 The following command checks a subdirectory:
 
-    ./scripts/lsync.sh content/zh/docs/concepts/
+    ./scripts/lsync.sh content/zh-cn/docs/concepts/
 
 ## check-ctrlcode.py
 
diff --git a/scripts/linkchecker.py b/scripts/linkchecker.py
index 5bc63e1d7fb71..ece90b5c98085 100755
--- a/scripts/linkchecker.py
+++ b/scripts/linkchecker.py
@@ -1,13 +1,12 @@
 #!/usr/bin/env python3
 #
 # This a link checker for Kubernetes documentation website.
-# - We cover the following cases for the language you provide via `-l`, which
-#   defaults to 'en'.
-# - If the language specified is not English (`en`), we check if you are
-#   actually using the localized links. For example, if you specify `zh` as
-#   the language, and for link target `/docs/foo/bar`, we check if the English
-#   version exists AND if the Chinese version exists as well. A checking record
-#   is produced if the link can use the localized version.
+#
+# If the language to check is not English (`en`), we check if you are actually
+# using the localized links. For example, if you checking
+# `content/zh-cn/docs/foo/bar`, we check if the English version exists AND if the
+# Chinese version exists as well.  A checking record is produced if the link
+# can use the localized version.
 #
 # Usage: linkchecker.py -h
 #
@@ -64,12 +63,16 @@
 C_RED = "\033[31m"
 C_GREEN = "\033[32m"
 C_YELLOW = "\033[33m"
-C_GRAY  = "\033[90m"
+C_GRAY = "\033[90m"
 C_CYAN = "\033[36m"
 C_END = "\033[0m"
 
 # Command line arguments shared across functions
 ARGS = None
+# Command line parser
+PARSER = None
+# Language as parsed from the file path
+LANG = None
 # Global result dictionary keyed by page examined
 RESULT = {}
 # Cached redirect entries
@@ -77,6 +80,7 @@
 # Cached anchors in target pages
 ANCHORS = {}
 
+
 def new_record(level, message, target):
     """Create new checking record.
 
@@ -89,7 +93,7 @@ def new_record(level, message, target):
     global ARGS
 
     # Skip info when verbose
-    if ARGS.verbose == False and level == "INFO":
+    if ARGS.verbose is False and level == "INFO":
         return None
 
     result = None
@@ -98,9 +102,9 @@ def new_record(level, message, target):
     else:
         target = C_GRAY + target + C_END
         if level == "INFO":
-            result =  target + ": " + C_GREEN  + message + C_END 
+            result = target + ": " + C_GREEN + message + C_END
         elif level == "WARNING":
-            result = target + ": " + C_YELLOW+ message + C_END
+            result = target + ": " + C_YELLOW + message + C_END
         else:  # default to error
             result = target + ": " + C_RED + message + C_END
 
@@ -286,7 +290,7 @@ def check_target(page, anchor, target):
 
     # link to English or localized page
     if (target.startswith("/docs/") or
-            target.startswith("/" + ARGS.lang + "/docs/")):
+            target.startswith("/" + LANG + "/docs/")):
 
         # target is shared reference (kubectl or kubernetes-api?
         if (target.find("/docs/reference/generated/kubectl/") >= 0 or
@@ -305,22 +309,22 @@ def check_target(page, anchor, target):
         if ok:
             # We do't do additional checks for English site even if it has
             # links to a non-English page
-            if ARGS.lang == "en":
+            if LANG == "en":
                 return None
 
             # If we are already checking localized link, fine
-            if target.startswith("/" + ARGS.lang + "/docs/"):
+            if target.startswith("/" + LANG + "/docs/"):
                 return None
 
             # additional check for localization even if English target exists
-            base = os.path.join(ROOT, "content", ARGS.lang)
+            base = os.path.join(ROOT, "content", LANG)
             found = check_file_exists(base, target)
             if not found:
                 # Still to be translated
                 return None
             msg = ("Localized page detected, please append '/%s' to the target"
-                   % ARGS.lang)
-            return new_record("ERROR", "Link not using localized page", target)
+                   % LANG)
+            return new_record("ERROR", msg, target)
 
         # taget might be a redirect entry
         real_target = get_redirect(target)
@@ -333,15 +337,16 @@ def check_target(page, anchor, target):
     msg = "Link may be wrong for the anchor [%s]" % anchor
     return new_record("WARNING", msg, target)
 
-def check_anchor(target_page, anchor):
+
+def check_anchor(target, anchor):
     """Check if an anchor is defined in the target page
 
-    :param target_page: The target page to check
+    :param target: The target page to check
     :param anchor: Anchor string to find in the target page
     """
-    if target_page not in ANCHORS:
+    if target not in ANCHORS:
         try:
-            with open(target_page, "r") as f:
+            with open(target, "r") as f:
                 data = f.readlines()
         except Exception as ex:
             print("[Error] failed in reading markdown file: " + str(ex))
@@ -351,8 +356,9 @@ def check_anchor(target_page, anchor):
         regex1 = re.compile(anchor_pattern1)
         anchor_pattern2 = r"{#(.*?)}"
         regex2 = re.compile(anchor_pattern2)
-        ANCHORS[target_page] = regex1.findall(content) + regex2.findall(content)
-    return anchor in ANCHORS[target_page]
+        ANCHORS[target] = regex1.findall(content) + regex2.findall(content)
+    return anchor in ANCHORS[target]
+
 
 def check_apiref_target(target, anchor):
     """Check a link to an API reference page.
@@ -360,7 +366,8 @@ def check_apiref_target(target, anchor):
     :param target: The link target string to check
     :param anchor: Anchor string from the content page
     """
-    base = os.path.join(ROOT, "content", "en", "docs", "reference", "kubernetes-api")
+    base = os.path.join(ROOT, "content", "en", "docs", "reference",
+                        "kubernetes-api")
     ok = check_file_exists(base + "/", target)
     if not ok:
         return new_record("ERROR", "API reference page not found", target)
@@ -370,7 +377,9 @@ def check_apiref_target(target, anchor):
 
     target_page = os.path.join(base, target)+".md"
     if not check_anchor(target_page, anchor):
-        return new_record("ERROR", "Anchor not found in API reference page", target+"#"+anchor)
+        return new_record("ERROR", "Anchor not found in API reference page",
+                          target+"#"+anchor)
+
 
 def validate_links(page):
     """Find and validate links on a content page.
@@ -398,8 +407,8 @@ def validate_links(page):
             records.append(r)
 
     # searches for pattern: {{< api-reference page="" anchor=""
-    apiref_pattern = r"{{ *< *api-reference page=\"([^\"]*?)\" *anchor=\"(.*?)\""
-    regex = re.compile(apiref_pattern)
+    apiref_re = r"{{ *< *api-reference page=\"([^\"]*?)\" *anchor=\"(.*?)\""
+    regex = re.compile(apiref_re)
 
     matches = regex.findall(content)
     for m in matches:
@@ -408,8 +417,8 @@ def validate_links(page):
             records.append(r)
 
     # searches for pattern: {{< api-reference page=""
-    apiref_pattern = r"{{ *< *api-reference page=\"([^\"]*?)\""
-    regex = re.compile(apiref_pattern)
+    apiref_re = r"{{ *< *api-reference page=\"([^\"]*?)\""
+    regex = re.compile(apiref_re)
 
     matches = regex.findall(content)
     for m in matches:
@@ -426,31 +435,38 @@ def parse_arguments():
 
     Result is returned and saved into global variable ARGS.
     """
-    parser = argparse.ArgumentParser(description="Links checker for docs.")
-    parser.add_argument("-l", dest="lang", default="en", metavar="<LANG>",
-                        help=("two letter language code, e.g. 'zh'. "
-                              "(default='en')"))
-    parser.add_argument("-v", dest="verbose", action="store_true",
+    global PARSER
+
+    PARSER = argparse.ArgumentParser(description="Links checker for docs.")
+    PARSER.add_argument("-v", dest="verbose", action="store_true",
                         help="switch on verbose level")
-    parser.add_argument("-f", dest="filter", default="/docs/**/*.md",
-                        metavar="<FILTER>",
-                        help=("File pattern to scan, e.g. '/docs/foo.md'. "
-                              "(default='/docs/**/*.md')"))
-    parser.add_argument("-n", "--no-color", action="store_true",
+    PARSER.add_argument("-n", "--no-color", action="store_true",
                         help="Suppress colored printing.")
+    PARSER.add_argument("-f", dest="filter", default="content/en/docs/**/*.md",
+                        metavar="<FILTER>",
+                        help=("File pattern to scan. "
+                              "(default='content/en/docs/**/*.md')"))
 
-    return parser.parse_args()
+    return PARSER.parse_args()
 
 
 def main():
     """The main entry of the program."""
-    global ARGS, ROOT, REDIRECTS
+    global ARGS, ROOT, REDIRECTS, PARSER, LANG
 
     ARGS = parse_arguments()
-    print("Language: " + ARGS.lang)
     ROOT = os.path.join(os.path.dirname(__file__), '..')
-    content_dir = os.path.join(ROOT, 'content')
-    lang_dir = os.path.join(content_dir, ARGS.lang)
+
+    print(ARGS.filter)
+    parts = ARGS.filter.split("/", 2)
+    if len(parts) != 3 or parts[0] != "content":
+        print("ERROR:\nPlease specify file pattern in the format "
+              "'content/<lang>/<path-pattern>', for example:\n"
+              "'content/zh-cn/docs/concepts/**/*.md'\n")
+        PARSER.print_help()
+        sys.exit(-1)
+
+    LANG = parts[1]
 
     # read redirects data
     redirects_fn = os.path.join(ROOT, "static", "_redirects")
@@ -473,7 +489,7 @@ def main():
         print("[Error] failed in reading redirects file: " + str(ex))
         return
 
-    folders = [f for f in glob.glob(lang_dir + ARGS.filter, recursive=True)]
+    folders = [f for f in glob.glob(ARGS.filter, recursive=True)]
     for page in folders:
         validate_links(page)
 
diff --git a/scripts/lsync.sh b/scripts/lsync.sh
index 934e3b91ef1b4..bac46c768a6d1 100755
--- a/scripts/lsync.sh
+++ b/scripts/lsync.sh
@@ -7,7 +7,7 @@ if [ "$#" -ne 1 ] ; then
   echo -e "\nThis script checks if the English version of a page has changed since a " >&2
   echo -e "localized page has been committed.\n" >&2
   echo -e "Usage:\n\t$0 <PATH>\n" >&2
-  echo -e "Example:\n\t$0 content/zh/docs/concepts/_index.md\n" >&2
+  echo -e "Example:\n\t$0 content/zh-cn/docs/concepts/_index.md\n" >&2
   exit 1
 fi
 
diff --git a/static/_redirects b/static/_redirects
index 48a5005f567f9..6e274595a8847 100644
--- a/static/_redirects
+++ b/static/_redirects
@@ -18,19 +18,20 @@
 /ru/docs/     /ru/docs/home/ 301!
 /uk/docs/     /uk/docs/home/ 301!
 /vi/docs/     /vi/docs/home/ 301!
-/zh/docs/     /zh/docs/home/ 301!
+/zh/docs/     /zh-cn/docs/home/ 301!
+/zh-cn/docs/     /zh-cn/docs/home/ 301!
 /blog/2018/03/kubernetes-1.10-stabilizing-storage-security-networking/     /blog/2018/03/26/kubernetes-1.10-stabilizing-storage-security-networking/     301!
 /blog/2020/08/25/kubernetes-release-1.19-accentuate-the-paw-sitive/     /blog/2020/08/26/kubernetes-release-1.19-accentuate-the-paw-sitive/     301!
 /docs/admin/     /docs/concepts/cluster-administration/ 301
 /docs/admin/add-ons/     /docs/concepts/cluster-administration/addons/ 301
 /docs/admin/addons/     /docs/concepts/cluster-administration/addons/ 301
 /docs/admin/apparmor/     /docs/tutorials/clusters/apparmor/ 301
-/docs/admin/audit/     /docs/tasks/debug-application-cluster/audit/ 301
+/docs/admin/audit/     /docs/tasks/debug/debug-cluster/audit/ 301
 /docs/admin/authorization/rbac.md     /docs/admin/authorization/rbac/ 301
 /docs/admin/cluster-components/     /docs/concepts/overview/components/ 301
 /docs/admin/cluster-management/     /docs/tasks/administer-cluster/ 302
 /id/docs/admin/cluster-management/     /id/docs/tasks/administer-cluster/ 302
-/docs/admin/cluster-troubleshooting/     /docs/tasks/debug-application-cluster/debug-cluster/ 301
+/docs/admin/cluster-troubleshooting/     /docs/tasks/debug/debug-cluster/ 301
 /docs/admin/daemons/     /docs/concepts/workloads/controllers/daemonset/ 301
 /docs/admin/disruptions/     /docs/concepts/workloads/pods/disruptions/ 301
 /docs/admin/dns/     /docs/concepts/services-networking/dns-pod-service/ 301
@@ -41,8 +42,8 @@
 /docs/admin/ha-master-gce/     /docs/setup/production-environment/#production-control-plane 301
 /docs/admin/ha-master-gce.md/     /docs/setup/production-environment/#production-control-plane 301
 /docs/admin/high-availability/      /docs/setup/production-environment/tools/kubeadm/high-availability/   301
-/docs/admin/kubelet-authentication-authorization/     /docs/reference/command-line-tools-reference/kubelet-authentication-authorization/ 301
-/docs/admin/kubelet-tls-bootstrapping/     /docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/ 301
+/docs/admin/kubelet-authentication-authorization/     /docs/reference/access-authn-authz/kubelet-authn-authz/ 301
+/docs/admin/kubelet-tls-bootstrapping/     /docs/reference/access-authn-authz/kubelet-tls-bootstrapping/ 301
 /docs/admin/limitrange/     /docs/tasks/administer-cluster/cpu-memory-limit/ 301
 /docs/admin/limitrange/Limits/     /docs/tasks/administer-cluster/limit-storage-consumption/#limitrange-to-limit-requests-for-storage/ 301
 /docs/admin/master-node-communication/     /docs/concepts/architecture/master-node-communication/ 301
@@ -56,7 +57,7 @@
 /docs/admin/node-allocatable.md     /docs/tasks/administer-cluster/reserve-compute-resources/ 301
 /docs/admin/node-conformance.md     /docs/admin/node-conformance/ 301
 /docs/admin/node-conformance/       /docs/setup/best-practices/node-conformance/ 301
-/docs/admin/node-problem/     /docs/tasks/debug-application-cluster/monitor-node-health/ 301
+/docs/admin/node-problem/     /docs/tasks/debug/debug-cluster/monitor-node-health/ 301
 /docs/admin/out-of-resource/     /docs/concepts/scheduling-eviction/node-pressure-eviction/ 301
 /docs/admin/rescheduler/     /docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ 301
 /docs/admin/resourcequota/*     /docs/concepts/policy/resource-quotas/ 301
@@ -82,7 +83,7 @@
 /docs/concepts/containers/overview/     /docs/concepts/containers/ 301
 /docs/concepts/cluster-administration/cluster-administration-overview/     /docs/concepts/cluster-administration/ 301
 /docs/concepts/cluster-administration/access-cluster/     /docs/tasks/access-application-cluster/access-cluster/ 301
-/docs/concepts/cluster-administration/audit/     /docs/tasks/debug-application-cluster/audit/ 301
+/docs/concepts/cluster-administration/audit/     /docs/tasks/debug/debug-cluster/audit/ 301
 /docs/concepts/cluster-administration/authenticate-across-clusters-kubeconfig   /docs/tasks/access-application-cluster/authenticate-across-clusters-kubeconfig/ 301
 /docs/concepts/cluster-administration/cluster-management/     /docs/tasks/administer-cluster/ 302
 /docs/concepts/cluster-administration/configure-etcd/     /docs/tasks/administer-cluster/configure-upgrade-etcd/ 301
@@ -93,7 +94,7 @@
 /docs/concepts/cluster-administration/master-node-communication/     /docs/concepts/architecture/master-node-communication/ 301
 /docs/concepts/cluster-administration/network-plugins/     /docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/ 301
 /docs/concepts/cluster-administration/out-of-resource/     /docs/concepts/scheduling-eviction/node-pressure-eviction/ 301
-/docs/concepts/cluster-administration/resource-usage-monitoring /docs/tasks/debug-application-cluster/resource-usage-monitoring/ 301
+/docs/concepts/cluster-administration/resource-usage-monitoring /docs/tasks/debug/debug-cluster/resource-usage-monitoring/ 301
 /docs/concepts/cluster-administration/monitoring/ /docs/concepts/cluster-administration/system-metrics/ 301
 /docs/concepts/cluster-administration/controller-metrics/ /docs/concepts/cluster-administration/system-metrics/ 301
 /docs/concepts/cluster-administration/sysctl-cluster/ /docs/tasks/administer-cluster/sysctl-cluster/ 301
@@ -161,6 +162,7 @@
 
 /docs/concepts/policy/pod-security-policy/      /docs/concepts/security/pod-security-policy/ 301
 /docs/consumer-guideline/pod-security-coverage/     /docs/concepts/security/pod-security-policy/ 301
+/zh-cn/docs/concepts/policy/pod-security-policy/      /zh-cn/docs/concepts/security/pod-security-policy/ 301
 
 /docs/contribute/create-pull-request/     /docs/home/contribute/create-pull-request/ 301
 /docs/contribute/page-templates/     /docs/home/contribute/page-templates/ 301
@@ -216,6 +218,7 @@
 /docs/reference/glossary/maintainer/    /docs/reference/glossary/approver/ 301
 
 /docs/reference/kubectl/overview/    /docs/reference/kubectl/ 301
+/zh/docs/reference/kubectl/overview/    /zh-cn/docs/reference/kubectl/ 301
 /docs/reference/kubectl/kubectl-cmds/     /docs/reference/generated/kubectl/kubectl-commands/ 301!
 /docs/reference/kubectl/kubectl/kubectl_*    /docs/reference/generated/kubectl/kubectl-commands#:splat 301
 /docs/reference/scheduling/profiles/    /docs/reference/scheduling/config/#profiles 301
@@ -246,12 +249,12 @@
 /docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/     /docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/ 301
 /docs/tasks/access-kubernetes-api/setup-extension-api-server/     /docs/tasks/extend-kubernetes/setup-extension-api-server/ 301
 
-/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/   /docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/ 301  
+/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/   /docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/ 301
 /docs/tasks/administer-cluster/access-cluster-services/     /docs/tasks/access-application-cluster/access-cluster-services/ 301
 /docs/tasks/administer-cluster/apply-resource-quota-limit/     /docs/tasks/administer-cluster/quota-api-object/ 301
 /docs/tasks/administer-cluster/assign-pods-nodes/     /docs/tasks/configure-pod-container/assign-pods-nodes/ 301
 /docs/tasks/administer-cluster/calico-network-policy/     /docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/ 301
-/docs/tasks/administer-cluster/certificate-rotation/     /docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/ 301
+/docs/tasks/administer-cluster/certificate-rotation/     /docs/reference/access-authn-authz/kubelet-tls-bootstrapping/ 301
 /docs/tasks/administer-cluster/cilium-network-policy/     /docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/ 301
 /docs/tasks/administer-cluster/configure-namespace-isolation/     /docs/concepts/services-networking/network-policies/ 301
 /docs/tasks/administer-cluster/configure-multiple-schedulers/     /docs/tasks/extend-kubernetes/configure-multiple-schedulers/ 301
@@ -301,15 +304,14 @@
 /docs/tasks/configure-pod-container/projected-volume/     /docs/tasks/configure-pod-container/configure-projected-volume-storage/ 301
 /docs/tasks/configure-pod-container/romana-network-policy/     /docs/tasks/administer-cluster/romana-network-policy/ 301
 /docs/tasks/configure-pod-container/weave-network-policy/     /docs/tasks/administer-cluster/weave-network-policy/ 301
-/docs/tasks/debug-application-cluster/sematext-logging-monitoring/     https://sematext.com/kubernetes/ 301
 /docs/tasks/job/work-queue-1/     /docs/concepts/workloads/controllers/job/ 301
 /id/docs/tasks/job/work-queue-1/     /id/docs/concepts/workloads/controllers/job/ 301
 /docs/tasks/setup-konnectivity/setup-konnectivity/   /docs/tasks/extend-kubernetes/setup-konnectivity/ 301
-/docs/tasks/kubectl/get-shell-running-container/     /docs/tasks/debug-application-cluster/get-shell-running-container/ 301
+/docs/tasks/kubectl/get-shell-running-container/     /docs/tasks/debug/debug-application/get-shell-running-container/ 301
 /docs/tasks/kubectl/install/     /docs/tasks/tools/ 301
 /docs/tasks/tools/install-kubectl/     /docs/tasks/tools/ 301
 /docs/tasks/kubectl/list-all-running-container-images/     /docs/tasks/access-application-cluster/list-all-running-container-images/ 301
-/docs/tasks/manage-stateful-set/debugging-a-statefulset/     /docs/tasks/debug-application-cluster/debug-stateful-set/ 301
+/docs/tasks/manage-stateful-set/debugging-a-statefulset/     /docs/tasks/debug/debug-application/debug-statefulset/ 301
 /docs/tasks/manage-stateful-set/delete-pods/     /docs/tasks/run-application/delete-stateful-set/ 301
 /docs/tasks/manage-stateful-set/deleting-a-statefulset/     /docs/tasks/run-application/delete-stateful-set/ 301
 /docs/tasks/manage-stateful-set/scale-stateful-set/     /docs/tasks/run-application/scale-stateful-set/ 301
@@ -318,14 +320,33 @@
 /docs/tasks/stateful-sets/deleting-pods/     /docs/tasks/run-application/force-delete-stateful-set-pod/ 301
 /ja/docs/tasks/tools/install-minikube/     https://minikube.sigs.k8s.io/docs/start/ 302
 /id/docs/tasks/tools/install-minikube/     https://minikube.sigs.k8s.io/docs/start/ 302
-/docs/tasks/troubleshoot/debug-init-containers/     /docs/tasks/debug-application-cluster/debug-init-containers/ 301
+/docs/tasks/troubleshoot/debug-init-containers/     /docs/tasks/debug/debug-application/debug-init-containers/ 301
 /docs/tasks/web-ui-dashboard/     /docs/tasks/access-application-cluster/web-ui-dashboard/ 301
 
+/docs/tasks/debug-application-cluster/troubleshooting/     /docs/tasks/debug/ 301
+/docs/tasks/debug-application-cluster/     /docs/tasks/debug/ 301
+/docs/tasks/debug-application-cluster/debug-init-containers/     /docs/tasks/debug/debug-application/debug-init-containers/ 301
+/docs/tasks/debug-application-cluster/debug-application/     /docs/tasks/debug/debug-application/debug-pods/ 301
+/docs/tasks/debug-application-cluster/debug-pod-replication-controller/     /docs/tasks/debug/debug-application/debug-pods/ 301
+/docs/tasks/debug-application-cluster/debug-application-introspection/     /docs/tasks/debug/debug-application/debug-running-pod/ 301
+/docs/tasks/debug-application-cluster/debug-running-pod/     /docs/tasks/debug/debug-application/debug-running-pod/ 301
+/docs/tasks/debug-application-cluster/debug-service/     /docs/tasks/debug/debug-application/debug-service/ 301
+/docs/tasks/debug-application-cluster/debug-stateful-set/     /docs/tasks/debug/debug-application/debug-statefulset/ 301
+/docs/tasks/debug-application-cluster/determine-reason-pod-failure/     /docs/tasks/debug/debug-application/determine-reason-pod-failure/ 301
+/docs/tasks/debug-application-cluster/get-shell-running-container/     /docs/tasks/debug/debug-application/get-shell-running-container/ 301
+/docs/tasks/debug-application-cluster/debug-cluster/     /docs/tasks/debug/debug-cluster/ 301
+/docs/tasks/debug-application-cluster/audit/     /docs/tasks/debug/debug-cluster/audit/ 301
+/docs/tasks/debug-application-cluster/crictl/     /docs/tasks/debug/debug-cluster/crictl/ 301
+/docs/tasks/debug-application-cluster/local-debugging/     /docs/tasks/debug/debug-cluster/local-debugging/ 301
+/docs/tasks/debug-application-cluster/monitor-node-health/     /docs/tasks/debug/debug-cluster/monitor-node-health/ 301
+/docs/tasks/debug-application-cluster/resource-metrics-pipeline/     /docs/tasks/debug/debug-cluster/resource-metrics-pipeline/ 301
+/docs/tasks/debug-application-cluster/resource-usage-monitoring/     /docs/tasks/debug/debug-cluster/resource-usage-monitoring/ 301
+
 /docs/templatedemos/*     /docs/home/contribute/page-templates/ 301
 /docs/tools/     /docs/reference/tools/ 301
 /docs/tools/kompose/user-guide/     /docs/tasks/configure-pod-container/translate-compose-kubernetes/ 301
 /docs/tools/kompose/     /docs/tasks/configure-pod-container/translate-compose-kubernetes/ 301
-/docs/troubleshooting/     /docs/tasks/debug-application-cluster/troubleshooting/ 301
+/docs/troubleshooting/     /docs/tasks/debug/ 301
 
 /docs/tutorials/clusters/multiple-schedulers/     /docs/tasks/administer-cluster/configure-multiple-schedulers/ 301
 /docs/tutorials/connecting-apps/connecting-frontend-backend/     /docs/tasks/access-application-cluster/connecting-frontend-backend/ 301
@@ -364,7 +385,7 @@
 /docs/user-guide/accessing-the-cluster/     /docs/tasks/access-application-cluster/access-cluster/ 301
 /docs/user-guide/add-entries-to-pod-etc-hosts-with-host-aliases/     /docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ 301
 /docs/user-guide/annotations/     /docs/concepts/overview/working-with-objects/annotations/ 301
-/docs/user-guide/application-troubleshooting/     /docs/tasks/debug-application-cluster/debug-application/ 301
+/docs/user-guide/application-troubleshooting/     /docs/tasks/debug/debug-application/debug-pods/ 301
 /docs/user-guide/compute-resources/     /docs/concepts/configuration/manage-compute-resources-container/ 301
 /docs/user-guide/config-best-practices/     /docs/concepts/configuration/overview/ 301
 /docs/user-guide/configmap/     /docs/tasks/configure-pod-container/configure-pod-configmap/ 301
@@ -376,8 +397,8 @@
 /docs/user-guide/container-environment/     /docs/concepts/containers/container-lifecycle-hooks/ 301
 /docs/user-guide/containers/     /docs/tasks/inject-data-application/define-command-argument-container/ 301
 /docs/user-guide/cron-jobs/     /docs/concepts/workloads/controllers/cron-jobs/ 301
-/docs/user-guide/debugging-pods-and-replication-controllers/     /docs/tasks/debug-application-cluster/debug-pod-replication-controller/ 301
-/docs/user-guide/debugging-services/     /docs/tasks/debug-application-cluster/debug-service/ 301
+/docs/user-guide/debugging-pods-and-replication-controllers/     /docs/tasks/debug/debug-application/debug-pods/ 301
+/docs/user-guide/debugging-services/     /docs/tasks/debug/debug-application/debug-service/ 301
 /docs/user-guide/deploying-applications/     /docs/tasks/run-application/run-stateless-application-deployment/ 301
 /docs/user-guide/deployments/     /docs/concepts/workloads/controllers/deployment/ 301
 /docs/user-guide/docker-cli-to-kubectl/     /docs/reference/kubectl/docker-cli-to-kubectl/
@@ -396,7 +417,7 @@
 /docs/user-guide/images/     /docs/concepts/containers/images/ 301
 /docs/user-guide/ingress/     /docs/concepts/services-networking/ingress/ 301
 /docs/user-guide/ingress.md     /docs/concepts/services-networking/ingress/ 301
-/docs/user-guide/introspection-and-debugging/     /docs/tasks/debug-application-cluster/debug-application-introspection/ 301
+/docs/user-guide/introspection-and-debugging/     /docs/tasks/debug/debug-application/debug-running-pod/ 301
 /docs/user-guide/jsonpath/     /docs/reference/kubectl/jsonpath/
 /docs/user-guide/jobs/     /docs/concepts/workloads/controllers/job/ 301
 /id/docs/user-guide/jobs/     /id/docs/concepts/workloads/controllers/job/ 301
@@ -416,7 +437,7 @@
 /docs/user-guide/logging/     /docs/concepts/cluster-administration/logging/ 301
 /docs/user-guide/logging/overview/     /docs/concepts/cluster-administration/logging/ 301
 /docs/user-guide/managing-deployments/     /docs/concepts/cluster-administration/manage-deployment/ 301
-/docs/user-guide/monitoring/     /docs/tasks/debug-application-cluster/resource-usage-monitoring/ 301
+/docs/user-guide/monitoring/     /docs/tasks/debug/debug-cluster/resource-usage-monitoring/ 301
 /docs/user-guide/namespaces/     /docs/concepts/overview/working-with-objects/namespaces/ 301
 /docs/user-guide/networkpolicies/     /docs/concepts/services-networking/network-policies/ 301
 /docs/user-guide/node-selection/     /docs/concepts/scheduling-eviction/assign-pod-node/ 301
@@ -518,7 +539,7 @@
 /id/docs/setup/minikube/     /id/docs/tasks/tools/ 302
 /docs/setup/learning-environment/     /docs/tasks/tools/  302!
 /id/docs/setup/learning-environment/     /id/docs/tasks/tools/  302!
-/zh/docs/setup/learning-environment/     /zh/docs/tasks/tools/  302!
+/zh/docs/setup/learning-environment/     /zh-cn/docs/tasks/tools/  302!
 /docs/setup/learning-environment/kind/  /docs/tasks/tools/  302
 /id/docs/setup/learning-environment/kind/  /id/docs/tasks/tools/  302
 /docs/setup/learning-environment/minikube/  /docs/tasks/tools/ 302
@@ -543,8 +564,12 @@
 /docs/setup/on-premises-vm/ovirt/     /docs/setup/production-environment/on-premises-vm/ovirt/   301
 /docs/setup/windows/intro-windows-in-kubernetes/     /docs/setup/production-environment/windows/intro-windows-in-kubernetes/   301
 /docs/setup/windows/user-guide-windows-nodes/     /docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/   301
+/docs/setup/production-environment/windows/user-guide-windows-containers/     /docs/concepts/windows/user-guide/   301
 /docs/setup/production-environment/windows/user-guide-windows-nodes/     /docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/   301
+/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/     /docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/   301
 /docs/setup/windows/user-guide-windows-containers/     /docs/setup/production-environment/windows/user-guide-windows-containers/   301
+/docs/setup/production-environment/windows/intro-windows-in-kubernetes/     /docs/concepts/windows/intro/   301
+/docs/setup/production-environment/windows/     /docs/concepts/windows/   301
 /docs/setup/multiple-zones/     /docs/setup/best-practices/multiple-zones/   301
 /docs/setup/cluster-large/     /docs/setup/best-practices/cluster-large/   301
 /docs/setup/node-conformance/     /docs/setup/best-practices/node-conformance/   301
@@ -556,3 +581,4 @@
 /id/docs/concepts/configuration/pod-overhead/     /id/docs/concepts/scheduling-eviction/pod-overhead/   301
 
 /pt/*         /pt-br/:splat  302!
+/zh/*         /zh-cn/:splat  302!
diff --git a/static/docs/reference/generated/kubectl/kubectl-commands.html b/static/docs/reference/generated/kubectl/kubectl-commands.html
index 973473952e8f8..59778118492fc 100644
--- a/static/docs/reference/generated/kubectl/kubectl-commands.html
+++ b/static/docs/reference/generated/kubectl/kubectl-commands.html
@@ -12,7 +12,7 @@
 <link rel="stylesheet" href="stylesheet.css" type="text/css">
 </head>
 <body>
-<div id="sidebar-wrapper" class="side-nav side-bar-nav"><ul><li class="nav-level-1 strong-nav"><a href="#-strong-getting-started-strong-" class="nav-item"><strong>GETTING STARTED</strong></a></li></ul><ul><li class="nav-level-1"><a href="#create" class="nav-item">create</a></li><ul id="create-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-clusterrole-em-" class="nav-item"><em>clusterrole</em></a></li><li class="nav-level-2"><a href="#-em-clusterrolebinding-em-" class="nav-item"><em>clusterrolebinding</em></a></li><li class="nav-level-2"><a href="#-em-configmap-em-" class="nav-item"><em>configmap</em></a></li><li class="nav-level-2"><a href="#-em-cronjob-em-" class="nav-item"><em>cronjob</em></a></li><li class="nav-level-2"><a href="#-em-deployment-em-" class="nav-item"><em>deployment</em></a></li><li class="nav-level-2"><a href="#-em-ingress-em-" class="nav-item"><em>ingress</em></a></li><li class="nav-level-2"><a href="#-em-job-em-" class="nav-item"><em>job</em></a></li><li class="nav-level-2"><a href="#-em-namespace-em-" class="nav-item"><em>namespace</em></a></li><li class="nav-level-2"><a href="#-em-poddisruptionbudget-em-" class="nav-item"><em>poddisruptionbudget</em></a></li><li class="nav-level-2"><a href="#-em-priorityclass-em-" class="nav-item"><em>priorityclass</em></a></li><li class="nav-level-2"><a href="#-em-quota-em-" class="nav-item"><em>quota</em></a></li><li class="nav-level-2"><a href="#-em-role-em-" class="nav-item"><em>role</em></a></li><li class="nav-level-2"><a href="#-em-rolebinding-em-" class="nav-item"><em>rolebinding</em></a></li><li class="nav-level-2"><a href="#-em-secret-em-" class="nav-item"><em>secret</em></a></li><li class="nav-level-2"><a href="#-em-secret-docker-registry-em-" class="nav-item"><em>secret docker-registry</em></a></li><li class="nav-level-2"><a href="#-em-secret-generic-em-" class="nav-item"><em>secret generic</em></a></li><li class="nav-level-2"><a href="#-em-secret-tls-em-" class="nav-item"><em>secret tls</em></a></li><li class="nav-level-2"><a href="#-em-service-em-" class="nav-item"><em>service</em></a></li><li class="nav-level-2"><a href="#-em-service-clusterip-em-" class="nav-item"><em>service clusterip</em></a></li><li class="nav-level-2"><a href="#-em-service-externalname-em-" class="nav-item"><em>service externalname</em></a></li><li class="nav-level-2"><a href="#-em-service-loadbalancer-em-" class="nav-item"><em>service loadbalancer</em></a></li><li class="nav-level-2"><a href="#-em-service-nodeport-em-" class="nav-item"><em>service nodeport</em></a></li><li class="nav-level-2"><a href="#-em-serviceaccount-em-" class="nav-item"><em>serviceaccount</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#get" class="nav-item">get</a></li></ul><ul><li class="nav-level-1"><a href="#run" class="nav-item">run</a></li></ul><ul><li class="nav-level-1"><a href="#expose" class="nav-item">expose</a></li></ul><ul><li class="nav-level-1"><a href="#delete" class="nav-item">delete</a></li></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-app-management-strong-" class="nav-item"><strong>APP MANAGEMENT</strong></a></li></ul><ul><li class="nav-level-1"><a href="#apply" class="nav-item">apply</a></li><ul id="apply-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-edit-last-applied-em-" class="nav-item"><em>edit-last-applied</em></a></li><li class="nav-level-2"><a href="#-em-set-last-applied-em-" class="nav-item"><em>set-last-applied</em></a></li><li class="nav-level-2"><a href="#-em-view-last-applied-em-" class="nav-item"><em>view-last-applied</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#annotate" class="nav-item">annotate</a></li></ul><ul><li class="nav-level-1"><a href="#autoscale" class="nav-item">autoscale</a></li></ul><ul><li class="nav-level-1"><a href="#debug" class="nav-item">debug</a></li></ul><ul><li class="nav-level-1"><a href="#diff" class="nav-item">diff</a></li></ul><ul><li class="nav-level-1"><a href="#edit" class="nav-item">edit</a></li></ul><ul><li class="nav-level-1"><a href="#kustomize" class="nav-item">kustomize</a></li></ul><ul><li class="nav-level-1"><a href="#label" class="nav-item">label</a></li></ul><ul><li class="nav-level-1"><a href="#patch" class="nav-item">patch</a></li></ul><ul><li class="nav-level-1"><a href="#replace" class="nav-item">replace</a></li></ul><ul><li class="nav-level-1"><a href="#rollout" class="nav-item">rollout</a></li><ul id="rollout-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-history-em-" class="nav-item"><em>history</em></a></li><li class="nav-level-2"><a href="#-em-pause-em-" class="nav-item"><em>pause</em></a></li><li class="nav-level-2"><a href="#-em-restart-em-" class="nav-item"><em>restart</em></a></li><li class="nav-level-2"><a href="#-em-resume-em-" class="nav-item"><em>resume</em></a></li><li class="nav-level-2"><a href="#-em-status-em-" class="nav-item"><em>status</em></a></li><li class="nav-level-2"><a href="#-em-undo-em-" class="nav-item"><em>undo</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#scale" class="nav-item">scale</a></li></ul><ul><li class="nav-level-1"><a href="#set" class="nav-item">set</a></li><ul id="set-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-env-em-" class="nav-item"><em>env</em></a></li><li class="nav-level-2"><a href="#-em-image-em-" class="nav-item"><em>image</em></a></li><li class="nav-level-2"><a href="#-em-resources-em-" class="nav-item"><em>resources</em></a></li><li class="nav-level-2"><a href="#-em-selector-em-" class="nav-item"><em>selector</em></a></li><li class="nav-level-2"><a href="#-em-serviceaccount-em--1" class="nav-item"><em>serviceaccount</em></a></li><li class="nav-level-2"><a href="#-em-subject-em-" class="nav-item"><em>subject</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#wait" class="nav-item">wait</a></li></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-working-with-apps-strong-" class="nav-item"><strong>WORKING WITH APPS</strong></a></li></ul><ul><li class="nav-level-1"><a href="#attach" class="nav-item">attach</a></li></ul><ul><li class="nav-level-1"><a href="#auth" class="nav-item">auth</a></li><ul id="auth-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-can-i-em-" class="nav-item"><em>can-i</em></a></li><li class="nav-level-2"><a href="#-em-reconcile-em-" class="nav-item"><em>reconcile</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#cp" class="nav-item">cp</a></li></ul><ul><li class="nav-level-1"><a href="#describe" class="nav-item">describe</a></li></ul><ul><li class="nav-level-1"><a href="#exec" class="nav-item">exec</a></li></ul><ul><li class="nav-level-1"><a href="#logs" class="nav-item">logs</a></li></ul><ul><li class="nav-level-1"><a href="#port-forward" class="nav-item">port-forward</a></li></ul><ul><li class="nav-level-1"><a href="#proxy" class="nav-item">proxy</a></li></ul><ul><li class="nav-level-1"><a href="#top" class="nav-item">top</a></li><ul id="top-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-node-em-" class="nav-item"><em>node</em></a></li><li class="nav-level-2"><a href="#-em-pod-em-" class="nav-item"><em>pod</em></a></li></ul></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-cluster-management-strong-" class="nav-item"><strong>CLUSTER MANAGEMENT</strong></a></li></ul><ul><li class="nav-level-1"><a href="#api-versions" class="nav-item">api-versions</a></li></ul><ul><li class="nav-level-1"><a href="#certificate" class="nav-item">certificate</a></li><ul id="certificate-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-approve-em-" class="nav-item"><em>approve</em></a></li><li class="nav-level-2"><a href="#-em-deny-em-" class="nav-item"><em>deny</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#cluster-info" class="nav-item">cluster-info</a></li><ul id="cluster-info-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-dump-em-" class="nav-item"><em>dump</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#cordon" class="nav-item">cordon</a></li></ul><ul><li class="nav-level-1"><a href="#drain" class="nav-item">drain</a></li></ul><ul><li class="nav-level-1"><a href="#taint" class="nav-item">taint</a></li></ul><ul><li class="nav-level-1"><a href="#uncordon" class="nav-item">uncordon</a></li></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-kubectl-settings-and-usage-strong-" class="nav-item"><strong>KUBECTL SETTINGS AND USAGE</strong></a></li></ul><ul><li class="nav-level-1"><a href="#alpha" class="nav-item">alpha</a></li><ul id="alpha-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-events-em-" class="nav-item"><em>events</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#api-resources" class="nav-item">api-resources</a></li></ul><ul><li class="nav-level-1"><a href="#completion" class="nav-item">completion</a></li></ul><ul><li class="nav-level-1"><a href="#config" class="nav-item">config</a></li><ul id="config-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-current-context-em-" class="nav-item"><em>current-context</em></a></li><li class="nav-level-2"><a href="#-em-delete-cluster-em-" class="nav-item"><em>delete-cluster</em></a></li><li class="nav-level-2"><a href="#-em-delete-context-em-" class="nav-item"><em>delete-context</em></a></li><li class="nav-level-2"><a href="#-em-delete-user-em-" class="nav-item"><em>delete-user</em></a></li><li class="nav-level-2"><a href="#-em-get-clusters-em-" class="nav-item"><em>get-clusters</em></a></li><li class="nav-level-2"><a href="#-em-get-contexts-em-" class="nav-item"><em>get-contexts</em></a></li><li class="nav-level-2"><a href="#-em-get-users-em-" class="nav-item"><em>get-users</em></a></li><li class="nav-level-2"><a href="#-em-rename-context-em-" class="nav-item"><em>rename-context</em></a></li><li class="nav-level-2"><a href="#-em-set-em-" class="nav-item"><em>set</em></a></li><li class="nav-level-2"><a href="#-em-set-cluster-em-" class="nav-item"><em>set-cluster</em></a></li><li class="nav-level-2"><a href="#-em-set-context-em-" class="nav-item"><em>set-context</em></a></li><li class="nav-level-2"><a href="#-em-set-credentials-em-" class="nav-item"><em>set-credentials</em></a></li><li class="nav-level-2"><a href="#-em-unset-em-" class="nav-item"><em>unset</em></a></li><li class="nav-level-2"><a href="#-em-use-context-em-" class="nav-item"><em>use-context</em></a></li><li class="nav-level-2"><a href="#-em-view-em-" class="nav-item"><em>view</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#explain" class="nav-item">explain</a></li></ul><ul><li class="nav-level-1"><a href="#options" class="nav-item">options</a></li></ul><ul><li class="nav-level-1"><a href="#plugin" class="nav-item">plugin</a></li><ul id="plugin-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-list-em-" class="nav-item"><em>list</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#version" class="nav-item">version</a></li></ul><br/><div class="copyright"><a href="https://github.com/kubernetes/kubernetes">Copyright 2020 The Kubernetes Authors.</a></div></div>
+<div id="sidebar-wrapper" class="side-nav side-bar-nav"><ul><li class="nav-level-1 strong-nav"><a href="#-strong-getting-started-strong-" class="nav-item"><strong>GETTING STARTED</strong></a></li></ul><ul><li class="nav-level-1"><a href="#create" class="nav-item">create</a></li><ul id="create-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-clusterrole-em-" class="nav-item"><em>clusterrole</em></a></li><li class="nav-level-2"><a href="#-em-clusterrolebinding-em-" class="nav-item"><em>clusterrolebinding</em></a></li><li class="nav-level-2"><a href="#-em-configmap-em-" class="nav-item"><em>configmap</em></a></li><li class="nav-level-2"><a href="#-em-cronjob-em-" class="nav-item"><em>cronjob</em></a></li><li class="nav-level-2"><a href="#-em-deployment-em-" class="nav-item"><em>deployment</em></a></li><li class="nav-level-2"><a href="#-em-ingress-em-" class="nav-item"><em>ingress</em></a></li><li class="nav-level-2"><a href="#-em-job-em-" class="nav-item"><em>job</em></a></li><li class="nav-level-2"><a href="#-em-namespace-em-" class="nav-item"><em>namespace</em></a></li><li class="nav-level-2"><a href="#-em-poddisruptionbudget-em-" class="nav-item"><em>poddisruptionbudget</em></a></li><li class="nav-level-2"><a href="#-em-priorityclass-em-" class="nav-item"><em>priorityclass</em></a></li><li class="nav-level-2"><a href="#-em-quota-em-" class="nav-item"><em>quota</em></a></li><li class="nav-level-2"><a href="#-em-role-em-" class="nav-item"><em>role</em></a></li><li class="nav-level-2"><a href="#-em-rolebinding-em-" class="nav-item"><em>rolebinding</em></a></li><li class="nav-level-2"><a href="#-em-secret-em-" class="nav-item"><em>secret</em></a></li><li class="nav-level-2"><a href="#-em-secret-docker-registry-em-" class="nav-item"><em>secret docker-registry</em></a></li><li class="nav-level-2"><a href="#-em-secret-generic-em-" class="nav-item"><em>secret generic</em></a></li><li class="nav-level-2"><a href="#-em-secret-tls-em-" class="nav-item"><em>secret tls</em></a></li><li class="nav-level-2"><a href="#-em-service-em-" class="nav-item"><em>service</em></a></li><li class="nav-level-2"><a href="#-em-service-clusterip-em-" class="nav-item"><em>service clusterip</em></a></li><li class="nav-level-2"><a href="#-em-service-externalname-em-" class="nav-item"><em>service externalname</em></a></li><li class="nav-level-2"><a href="#-em-service-loadbalancer-em-" class="nav-item"><em>service loadbalancer</em></a></li><li class="nav-level-2"><a href="#-em-service-nodeport-em-" class="nav-item"><em>service nodeport</em></a></li><li class="nav-level-2"><a href="#-em-serviceaccount-em-" class="nav-item"><em>serviceaccount</em></a></li><li class="nav-level-2"><a href="#-em-token-em-" class="nav-item"><em>token</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#get" class="nav-item">get</a></li></ul><ul><li class="nav-level-1"><a href="#run" class="nav-item">run</a></li></ul><ul><li class="nav-level-1"><a href="#expose" class="nav-item">expose</a></li></ul><ul><li class="nav-level-1"><a href="#delete" class="nav-item">delete</a></li></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-app-management-strong-" class="nav-item"><strong>APP MANAGEMENT</strong></a></li></ul><ul><li class="nav-level-1"><a href="#apply" class="nav-item">apply</a></li><ul id="apply-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-edit-last-applied-em-" class="nav-item"><em>edit-last-applied</em></a></li><li class="nav-level-2"><a href="#-em-set-last-applied-em-" class="nav-item"><em>set-last-applied</em></a></li><li class="nav-level-2"><a href="#-em-view-last-applied-em-" class="nav-item"><em>view-last-applied</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#annotate" class="nav-item">annotate</a></li></ul><ul><li class="nav-level-1"><a href="#autoscale" class="nav-item">autoscale</a></li></ul><ul><li class="nav-level-1"><a href="#debug" class="nav-item">debug</a></li></ul><ul><li class="nav-level-1"><a href="#diff" class="nav-item">diff</a></li></ul><ul><li class="nav-level-1"><a href="#edit" class="nav-item">edit</a></li></ul><ul><li class="nav-level-1"><a href="#kustomize" class="nav-item">kustomize</a></li></ul><ul><li class="nav-level-1"><a href="#label" class="nav-item">label</a></li></ul><ul><li class="nav-level-1"><a href="#patch" class="nav-item">patch</a></li></ul><ul><li class="nav-level-1"><a href="#replace" class="nav-item">replace</a></li></ul><ul><li class="nav-level-1"><a href="#rollout" class="nav-item">rollout</a></li><ul id="rollout-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-history-em-" class="nav-item"><em>history</em></a></li><li class="nav-level-2"><a href="#-em-pause-em-" class="nav-item"><em>pause</em></a></li><li class="nav-level-2"><a href="#-em-restart-em-" class="nav-item"><em>restart</em></a></li><li class="nav-level-2"><a href="#-em-resume-em-" class="nav-item"><em>resume</em></a></li><li class="nav-level-2"><a href="#-em-status-em-" class="nav-item"><em>status</em></a></li><li class="nav-level-2"><a href="#-em-undo-em-" class="nav-item"><em>undo</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#scale" class="nav-item">scale</a></li></ul><ul><li class="nav-level-1"><a href="#set" class="nav-item">set</a></li><ul id="set-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-env-em-" class="nav-item"><em>env</em></a></li><li class="nav-level-2"><a href="#-em-image-em-" class="nav-item"><em>image</em></a></li><li class="nav-level-2"><a href="#-em-resources-em-" class="nav-item"><em>resources</em></a></li><li class="nav-level-2"><a href="#-em-selector-em-" class="nav-item"><em>selector</em></a></li><li class="nav-level-2"><a href="#-em-serviceaccount-em--1" class="nav-item"><em>serviceaccount</em></a></li><li class="nav-level-2"><a href="#-em-subject-em-" class="nav-item"><em>subject</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#wait" class="nav-item">wait</a></li></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-working-with-apps-strong-" class="nav-item"><strong>WORKING WITH APPS</strong></a></li></ul><ul><li class="nav-level-1"><a href="#attach" class="nav-item">attach</a></li></ul><ul><li class="nav-level-1"><a href="#auth" class="nav-item">auth</a></li><ul id="auth-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-can-i-em-" class="nav-item"><em>can-i</em></a></li><li class="nav-level-2"><a href="#-em-reconcile-em-" class="nav-item"><em>reconcile</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#cp" class="nav-item">cp</a></li></ul><ul><li class="nav-level-1"><a href="#describe" class="nav-item">describe</a></li></ul><ul><li class="nav-level-1"><a href="#exec" class="nav-item">exec</a></li></ul><ul><li class="nav-level-1"><a href="#logs" class="nav-item">logs</a></li></ul><ul><li class="nav-level-1"><a href="#port-forward" class="nav-item">port-forward</a></li></ul><ul><li class="nav-level-1"><a href="#proxy" class="nav-item">proxy</a></li></ul><ul><li class="nav-level-1"><a href="#top" class="nav-item">top</a></li><ul id="top-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-node-em-" class="nav-item"><em>node</em></a></li><li class="nav-level-2"><a href="#-em-pod-em-" class="nav-item"><em>pod</em></a></li></ul></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-cluster-management-strong-" class="nav-item"><strong>CLUSTER MANAGEMENT</strong></a></li></ul><ul><li class="nav-level-1"><a href="#api-versions" class="nav-item">api-versions</a></li></ul><ul><li class="nav-level-1"><a href="#certificate" class="nav-item">certificate</a></li><ul id="certificate-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-approve-em-" class="nav-item"><em>approve</em></a></li><li class="nav-level-2"><a href="#-em-deny-em-" class="nav-item"><em>deny</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#cluster-info" class="nav-item">cluster-info</a></li><ul id="cluster-info-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-dump-em-" class="nav-item"><em>dump</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#cordon" class="nav-item">cordon</a></li></ul><ul><li class="nav-level-1"><a href="#drain" class="nav-item">drain</a></li></ul><ul><li class="nav-level-1"><a href="#taint" class="nav-item">taint</a></li></ul><ul><li class="nav-level-1"><a href="#uncordon" class="nav-item">uncordon</a></li></ul><ul><li class="nav-level-1 strong-nav"><a href="#-strong-kubectl-settings-and-usage-strong-" class="nav-item"><strong>KUBECTL SETTINGS AND USAGE</strong></a></li></ul><ul><li class="nav-level-1"><a href="#alpha" class="nav-item">alpha</a></li><ul id="alpha-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-events-em-" class="nav-item"><em>events</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#api-resources" class="nav-item">api-resources</a></li></ul><ul><li class="nav-level-1"><a href="#completion" class="nav-item">completion</a></li></ul><ul><li class="nav-level-1"><a href="#config" class="nav-item">config</a></li><ul id="config-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-current-context-em-" class="nav-item"><em>current-context</em></a></li><li class="nav-level-2"><a href="#-em-delete-cluster-em-" class="nav-item"><em>delete-cluster</em></a></li><li class="nav-level-2"><a href="#-em-delete-context-em-" class="nav-item"><em>delete-context</em></a></li><li class="nav-level-2"><a href="#-em-delete-user-em-" class="nav-item"><em>delete-user</em></a></li><li class="nav-level-2"><a href="#-em-get-clusters-em-" class="nav-item"><em>get-clusters</em></a></li><li class="nav-level-2"><a href="#-em-get-contexts-em-" class="nav-item"><em>get-contexts</em></a></li><li class="nav-level-2"><a href="#-em-get-users-em-" class="nav-item"><em>get-users</em></a></li><li class="nav-level-2"><a href="#-em-rename-context-em-" class="nav-item"><em>rename-context</em></a></li><li class="nav-level-2"><a href="#-em-set-em-" class="nav-item"><em>set</em></a></li><li class="nav-level-2"><a href="#-em-set-cluster-em-" class="nav-item"><em>set-cluster</em></a></li><li class="nav-level-2"><a href="#-em-set-context-em-" class="nav-item"><em>set-context</em></a></li><li class="nav-level-2"><a href="#-em-set-credentials-em-" class="nav-item"><em>set-credentials</em></a></li><li class="nav-level-2"><a href="#-em-unset-em-" class="nav-item"><em>unset</em></a></li><li class="nav-level-2"><a href="#-em-use-context-em-" class="nav-item"><em>use-context</em></a></li><li class="nav-level-2"><a href="#-em-view-em-" class="nav-item"><em>view</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#explain" class="nav-item">explain</a></li></ul><ul><li class="nav-level-1"><a href="#options" class="nav-item">options</a></li></ul><ul><li class="nav-level-1"><a href="#plugin" class="nav-item">plugin</a></li><ul id="plugin-nav" style="display: none;"><li class="nav-level-2"><a href="#-em-list-em-" class="nav-item"><em>list</em></a></li></ul></ul><ul><li class="nav-level-1"><a href="#version" class="nav-item">version</a></li></ul><br/><div class="copyright"><a href="https://github.com/kubernetes/kubernetes">Copyright 2020 The Kubernetes Authors.</a></div></div>
 <div id="wrapper">
 <div id="code-tabs-wrapper" class="code-tabs"><ul class="code-tab-list"><li class="code-tab" id="example">example</li></ul></div>
 <div id="page-content-wrapper" class="body-content container-fluid"><h1 id="-strong-getting-started-strong-"><strong>GETTING STARTED</strong></h1>
@@ -38,12 +38,11 @@ <h1 id="create">create</h1>
 <pre class="code-block example"><code class="lang-shell">cat pod.json | kubectl <span class="hljs-keyword">create</span> -f -
 </code></pre>
 <blockquote class="code-block example">
-<p> Edit the data in docker-registry.yaml in JSON then create the resource using the edited data</p>
+<p> Edit the data in registry.yaml in JSON then create the resource using the edited data</p>
 </blockquote>
-<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">create</span> -f docker-registry.yaml --<span class="hljs-keyword">edit</span> -o json
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">create</span> -f registry.yaml --<span class="hljs-keyword">edit</span> -o json
 </code></pre>
-<p>Create a resource from a file or from stdin.</p>
-<p> JSON and YAML formats are accepted.</p>
+<p>Create a resource from a file or from stdin.<br><br> JSON and YAML formats are accepted.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl create -f FILENAME</code></p>
 <h3 id="flags">Flags</h3>
@@ -97,7 +96,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>raw</td>
@@ -127,7 +126,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -144,8 +143,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>windows-line-endings</td>
@@ -235,7 +234,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>resource</td>
@@ -270,8 +269,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>verb</td>
@@ -336,7 +335,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -365,8 +364,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -442,7 +441,7 @@ <h3 id="flags">Flags</h3>
 <td>from-env-file</td>
 <td></td>
 <td>[]</td>
-<td>Specify the path to a file to read lines of key=val pairs to create a configmap (i.e. a Docker .env file). </td>
+<td>Specify the path to a file to read lines of key=val pairs to create a configmap. </td>
 </tr>
 <tr>
 <td>from-file</td>
@@ -460,7 +459,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -483,8 +482,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -542,7 +541,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>restart</td>
@@ -577,8 +576,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -646,7 +645,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>port</td>
@@ -681,8 +680,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -793,7 +792,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>rule</td>
@@ -822,8 +821,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -892,7 +891,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -915,8 +914,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -963,7 +962,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -986,8 +985,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1051,7 +1050,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1080,8 +1079,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1150,7 +1149,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>preemption-policy</td>
@@ -1179,8 +1178,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>value</td>
@@ -1244,7 +1243,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1273,8 +1272,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1336,7 +1335,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>resource</td>
@@ -1371,8 +1370,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>verb</td>
@@ -1437,7 +1436,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>role</td>
@@ -1472,8 +1471,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1573,7 +1572,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1596,8 +1595,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1673,7 +1672,7 @@ <h3 id="flags">Flags</h3>
 <td>from-env-file</td>
 <td></td>
 <td>[]</td>
-<td>Specify the path to a file to read lines of key=val pairs to create a secret (i.e. a Docker .env file). </td>
+<td>Specify the path to a file to read lines of key=val pairs to create a secret. </td>
 </tr>
 <tr>
 <td>from-file</td>
@@ -1691,7 +1690,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1720,8 +1719,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1787,7 +1786,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1810,8 +1809,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1874,7 +1873,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1903,8 +1902,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -1958,7 +1957,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -1987,8 +1986,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -2035,7 +2034,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -2064,8 +2063,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -2118,7 +2117,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -2147,8 +2146,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -2195,7 +2194,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>save-config</td>
@@ -2218,8 +2217,110 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
+</tr>
+</tbody>
+</table>
+<hr>
+<h2 id="-em-token-em-"><em>token</em></h2>
+<blockquote class="code-block example">
+<p> Request a token to authenticate to the kube-apiserver as the service account &quot;myapp&quot; in the current namespace</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">create</span> <span class="hljs-built_in">token</span> myapp
+</code></pre>
+<blockquote class="code-block example">
+<p> Request a token for a service account in a custom namespace</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-built_in">create</span> <span class="hljs-keyword">token</span> myapp <span class="hljs-comment">--namespace myns</span>
+</code></pre>
+<blockquote class="code-block example">
+<p> Request a token with a custom expiration</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-built_in">create</span> <span class="hljs-keyword">token</span> myapp <span class="hljs-comment">--duration 10m</span>
+</code></pre>
+<blockquote class="code-block example">
+<p> Request a token with a custom audience</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">create</span> <span class="hljs-built_in">token</span> myapp --audience https:<span class="hljs-comment">//example.com</span>
+</code></pre>
+<blockquote class="code-block example">
+<p> Request a token bound to an instance of a Secret object</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl create token myapp --bound-object-kind<span class="hljs-built_in"> Secret </span>--bound-object-name mysecret
+</code></pre>
+<blockquote class="code-block example">
+<p> Request a token bound to an instance of a Secret object with a specific uid</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid <span class="hljs-number">0d4691ed</span>-<span class="hljs-number">659b-4935</span>-a832-355f77ee47cc
+</code></pre>
+<p>Request a service account token.</p>
+<h3 id="usage">Usage</h3>
+<p><code>$ kubectl create token SERVICE_ACCOUNT_NAME</code></p>
+<h3 id="flags">Flags</h3>
+<table>
+<thead>
+<tr>
+<th>Name</th>
+<th>Shorthand</th>
+<th>Default</th>
+<th>Usage</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>allow-missing-template-keys</td>
+<td></td>
 <td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. </td>
+</tr>
+<tr>
+<td>audience</td>
+<td></td>
+<td>[]</td>
+<td>Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API server. May be repeated to request a token valid for multiple audiences. </td>
+</tr>
+<tr>
+<td>bound-object-kind</td>
+<td></td>
+<td></td>
+<td>Kind of an object to bind the token to. Supported kinds are Pod, Secret. If set, --bound-object-name must be provided. </td>
+</tr>
+<tr>
+<td>bound-object-name</td>
+<td></td>
+<td></td>
+<td>Name of an object to bind the token to. The token will expire when the object is deleted. Requires --bound-object-kind. </td>
+</tr>
+<tr>
+<td>bound-object-uid</td>
+<td></td>
+<td></td>
+<td>UID of an object to bind the token to. Requires --bound-object-kind and --bound-object-name. If unset, the UID of the existing object is used. </td>
+</tr>
+<tr>
+<td>duration</td>
+<td></td>
+<td>0s</td>
+<td>Requested lifetime of the issued token. The server may return a token with a longer or shorter lifetime. </td>
+</tr>
+<tr>
+<td>output</td>
+<td>o</td>
+<td></td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
+</tr>
+<tr>
+<td>show-managed-fields</td>
+<td></td>
+<td>false</td>
+<td>If true, keep the managedFields when printing objects in JSON or YAML format. </td>
+</tr>
+<tr>
+<td>template</td>
+<td></td>
+<td></td>
+<td>Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates <span>[</span><a href="http://golang.org/pkg/text/template/#pkg-overview">http://golang.org/pkg/text/template/#pkg-overview</a><span>]</span>. </td>
 </tr>
 </tbody>
 </table>
@@ -2280,12 +2381,14 @@ <h1 id="get">get</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-builtin-name">get</span> rc/web service/frontend pods/web-pod-13je7
 </code></pre>
-<p>Display one or many resources.</p>
-<p> Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the --selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass --all-namespaces.</p>
-<p> By specifying the output as &#39;template&#39; and providing a Go template as the value of the --template flag, you can filter the attributes of the fetched resources.</p>
-<p>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
+<blockquote class="code-block example">
+<p> List status subresource for a single pod.</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">get</span> pod web-pod<span class="hljs-number">-13</span>je7 <span class="hljs-comment">--subresource status</span>
+</code></pre>
+<p>Display one or many resources.<br><br> Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the --selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass --all-namespaces.<br><br> By specifying the output as &#39;template&#39; and providing a Go template as the value of the --template flag, you can filter the attributes of the fetched resources.<br><br>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
 <h3 id="usage">Usage</h3>
-<p><code>$ kubectl get [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file|custom-columns-file|custom-columns|wide] (TYPE[.VERSION][.GROUP] [NAME | -l label] | TYPE[.VERSION][.GROUP]/NAME ...) [flags]</code></p>
+<p><code>$ kubectl get [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file|custom-columns|custom-columns-file|wide] (TYPE[.VERSION][.GROUP] [NAME | -l label] | TYPE[.VERSION][.GROUP]/NAME ...) [flags]</code></p>
 <h3 id="flags">Flags</h3>
 <table>
 <thead>
@@ -2355,7 +2458,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file&#124;custom-columns-file&#124;custom-columns&#124;wide See custom columns <span>[</span><a href="https://kubernetes.io/docs/reference/kubectl/overview/#custom-columns">https://kubernetes.io/docs/reference/kubectl/overview/#custom-columns</a><span>]</span>, golang template <span>[</span><a href="http://golang.org/pkg/text/template/#pkg-overview">http://golang.org/pkg/text/template/#pkg-overview</a><span>]</span> and jsonpath template <span>[</span><a href="https://kubernetes.io/docs/reference/kubectl/jsonpath/">https://kubernetes.io/docs/reference/kubectl/jsonpath/</a><span>]</span>. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file, custom-columns, custom-columns-file, wide). See custom columns <span>[</span><a href="https://kubernetes.io/docs/reference/kubectl/overview/#custom-columns">https://kubernetes.io/docs/reference/kubectl/overview/#custom-columns</a><span>]</span>, golang template <span>[</span><a href="http://golang.org/pkg/text/template/#pkg-overview">http://golang.org/pkg/text/template/#pkg-overview</a><span>]</span> and jsonpath template <span>[</span><a href="https://kubernetes.io/docs/reference/kubectl/jsonpath/">https://kubernetes.io/docs/reference/kubectl/jsonpath/</a><span>]</span>. </td>
 </tr>
 <tr>
 <td>output-watch-events</td>
@@ -2379,7 +2482,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>server-print</td>
@@ -2412,6 +2515,12 @@ <h3 id="flags">Flags</h3>
 <td>If non-empty, sort list types using this field specification.  The field specification is expressed as a JSONPath expression (e.g. &#39;{.metadata.name}&#39;). The field in the API resource specified by this JSONPath expression must be an integer or a string. </td>
 </tr>
 <tr>
+<td>subresource</td>
+<td></td>
+<td></td>
+<td>If specified, gets the subresource of the requested object. Must be one of <span>[</span>status scale<span>]</span>. This flag is alpha and may change in the future. </td>
+</tr>
+<tr>
 <td>template</td>
 <td></td>
 <td></td>
@@ -2571,12 +2680,6 @@ <h3 id="flags">Flags</h3>
 <td>Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). </td>
 </tr>
 <tr>
-<td>hostport</td>
-<td></td>
-<td>-1</td>
-<td>The host port mapping for the container port. To demonstrate a single-machine container. </td>
-</tr>
-<tr>
 <td>image</td>
 <td></td>
 <td></td>
@@ -2607,16 +2710,10 @@ <h3 id="flags">Flags</h3>
 <td>If the pod is started in interactive mode or with stdin, leave stdin open after the first attach completes. By default, stdin will be closed after the first attach completes. </td>
 </tr>
 <tr>
-<td>limits</td>
-<td></td>
-<td></td>
-<td>The resource requirement limits for this container.  For example, &#39;cpu=200m,memory=512Mi&#39;.  Note that server side components may assign limits depending on the server configuration, such as limit ranges. </td>
-</tr>
-<tr>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>override-type</td>
@@ -2667,12 +2764,6 @@ <h3 id="flags">Flags</h3>
 <td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
 </tr>
 <tr>
-<td>requests</td>
-<td></td>
-<td></td>
-<td>The resource requirement requests for this container.  For example, &#39;cpu=100m,memory=256Mi&#39;.  Note that server side components may assign requests depending on the server configuration, such as limit ranges. </td>
-</tr>
-<tr>
 <td>restart</td>
 <td></td>
 <td>Always</td>
@@ -2691,12 +2782,6 @@ <h3 id="flags">Flags</h3>
 <td>If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. </td>
 </tr>
 <tr>
-<td>serviceaccount</td>
-<td></td>
-<td></td>
-<td>Service account to set in the pod spec. </td>
-</tr>
-<tr>
 <td>show-managed-fields</td>
 <td></td>
 <td>false</td>
@@ -2771,10 +2856,7 @@ <h1 id="expose">expose</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl expose deployment nginx <span class="hljs-attribute">--port</span>=80 <span class="hljs-attribute">--target-port</span>=8000
 </code></pre>
-<p>Expose a resource as a new Kubernetes service.</p>
-<p> Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via --port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.</p>
-<p> Possible resources include (case insensitive):</p>
-<p> pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)</p>
+<p>Expose a resource as a new Kubernetes service.<br><br> Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via --port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.<br><br> Possible resources include (case insensitive):<br><br> pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP|SCTP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type]</code></p>
 <h3 id="flags">Flags</h3>
@@ -2801,12 +2883,6 @@ <h3 id="flags">Flags</h3>
 <td>ClusterIP to be assigned to the service. Leave empty to auto-allocate, or set to &#39;None&#39; to create a headless service. </td>
 </tr>
 <tr>
-<td>container-port</td>
-<td></td>
-<td></td>
-<td>Synonym for --target-port </td>
-</tr>
-<tr>
 <td>dry-run</td>
 <td></td>
 <td>none</td>
@@ -2831,12 +2907,6 @@ <h3 id="flags">Flags</h3>
 <td>Filename, directory, or URL to files identifying the resource to expose a service </td>
 </tr>
 <tr>
-<td>generator</td>
-<td></td>
-<td>service/v2</td>
-<td>The name of the API generator to use. There are 2 generators: &#39;service/v1&#39; and &#39;service/v2&#39;. The only difference between them is that service port in v1 is named &#39;default&#39;, while it is left unnamed in v2. Default is &#39;service/v2&#39;. </td>
-</tr>
-<tr>
 <td>kustomize</td>
 <td>k</td>
 <td></td>
@@ -2864,7 +2934,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>override-type</td>
@@ -2959,6 +3029,11 @@ <h1 id="delete">delete</h1>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">delete</span> -k dir
 </code></pre>
 <blockquote class="code-block example">
+<p> Delete resources from all files that end with &#39;.json&#39; - i.e. expand wildcard characters in file names</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell"><span class="hljs-attribute">kubectl</span> apply -f <span class="hljs-string">'*.json'</span>
+</code></pre>
+<blockquote class="code-block example">
 <p> Delete a pod based on the type and name in the JSON passed into stdin</p>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">cat pod.json | kubectl <span class="hljs-keyword">delete</span> -f -
@@ -2988,11 +3063,7 @@ <h1 id="delete">delete</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-built_in">delete</span> pods <span class="hljs-comment">--all</span>
 </code></pre>
-<p>Delete resources by file names, stdin, resources and names, or by resources and label selector.</p>
-<p> JSON and YAML formats are accepted. Only one type of argument may be specified: file names, resources and names, or resources and label selector.</p>
-<p> Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the --grace-period flag, or pass --now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the --force flag. Note: only a subset of resources support graceful deletion. In absence of the support, the --grace-period flag is ignored.</p>
-<p> IMPORTANT: Force deleting pods does not wait for confirmation that the pod&#39;s processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods, the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.</p>
-<p> Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.</p>
+<p>Delete resources by file names, stdin, resources and names, or by resources and label selector.<br><br> JSON and YAML formats are accepted. Only one type of argument may be specified: file names, resources and names, or resources and label selector.<br><br> Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the --grace-period flag, or pass --now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the --force flag. Note: only a subset of resources support graceful deletion. In absence of the support, the --grace-period flag is ignored.<br><br> IMPORTANT: Force deleting pods does not wait for confirmation that the pod&#39;s processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods, the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.<br><br> Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.<br><br> After a CustomResourceDefinition is deleted, invalidation of discovery cache may take up to 10 minutes. If you don&#39;t want to wait, you might want to run &quot;kubectl api-resources&quot; to refresh the discovery cache.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl delete ([-f FILENAME] | [-k DIRECTORY] | TYPE [(NAME | -l label | --all)])</code></p>
 <h3 id="flags">Flags</h3>
@@ -3094,7 +3165,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on. </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>timeout</td>
@@ -3131,6 +3202,11 @@ <h1 id="apply">apply</h1>
 <pre class="code-block example"><code class="lang-shell">cat pod.json | <span class="hljs-type">kubectl</span> <span class="hljs-built_in">apply</span> -f -
 </code></pre>
 <blockquote class="code-block example">
+<p> Apply the configuration from all files that end with &#39;.json&#39; - i.e. expand wildcard characters in file names</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell"><span class="hljs-attribute">kubectl</span> apply -f <span class="hljs-string">'*.json'</span>
+</code></pre>
+<blockquote class="code-block example">
 <p> Note: --prune is still in Alpha # Apply the configuration in manifest.yaml that matches label app=nginx and delete all other resources that are not in the file and match label app=nginx</p>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl apply --prune -f manifest.yaml -l <span class="hljs-attribute">app</span>=nginx
@@ -3140,9 +3216,7 @@ <h1 id="apply">apply</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell"><span class="hljs-comment">kubectl</span> <span class="hljs-comment">apply</span> --<span class="hljs-comment">prune</span> <span class="hljs-literal">-</span><span class="hljs-comment">f</span> <span class="hljs-comment">manifest</span><span class="hljs-string">.</span><span class="hljs-comment">yaml</span> --<span class="hljs-comment">all</span> --<span class="hljs-comment">prune</span><span class="hljs-literal">-</span><span class="hljs-comment">whitelist=core/v1/ConfigMap</span>
 </code></pre>
-<p>Apply a configuration to a resource by file name or stdin. The resource name must be specified. This resource will be created if it doesn&#39;t exist yet. To use &#39;apply&#39;, always create the resource initially with either &#39;apply&#39; or &#39;create --save-config&#39;.</p>
-<p> JSON and YAML formats are accepted.</p>
-<p> Alpha Disclaimer: the --prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See <a href="https://issues.k8s.io/34274">https://issues.k8s.io/34274</a>.</p>
+<p>Apply a configuration to a resource by file name or stdin. The resource name must be specified. This resource will be created if it doesn&#39;t exist yet. To use &#39;apply&#39;, always create the resource initially with either &#39;apply&#39; or &#39;create --save-config&#39;.<br><br> JSON and YAML formats are accepted.<br><br> Alpha Disclaimer: the --prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See <a href="https://issues.k8s.io/34274">https://issues.k8s.io/34274</a>.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl apply (-f FILENAME | -k DIRECTORY)</code></p>
 <h3 id="flags">Flags</h3>
@@ -3226,7 +3300,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>overwrite</td>
@@ -3262,7 +3336,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>server-side</td>
@@ -3291,8 +3365,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>wait</td>
@@ -3360,7 +3434,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -3387,6 +3461,12 @@ <h3 id="flags">Flags</h3>
 <td>Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates <span>[</span><a href="http://golang.org/pkg/text/template/#pkg-overview">http://golang.org/pkg/text/template/#pkg-overview</a><span>]</span>. </td>
 </tr>
 <tr>
+<td>validate</td>
+<td></td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
+</tr>
+<tr>
 <td>windows-line-endings</td>
 <td></td>
 <td>false</td>
@@ -3453,7 +3533,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -3518,7 +3598,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td>yaml</td>
-<td>Output format. Must be one of yaml&#124;json </td>
+<td>Output format. Must be one of (yaml, json) </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -3530,7 +3610,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 </tbody>
 </table>
@@ -3566,10 +3646,7 @@ <h1 id="annotate">annotate</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl annotate pods foo <span class="hljs-keyword">description</span>-
 </code></pre>
-<p>Update the annotations on one or more resources.</p>
-<p> All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.</p>
-<p> Attempting to set an annotation that already exists will fail unless --overwrite is set. If --resource-version is specified and does not match the current resource version on the server the command will fail.</p>
-<p>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
+<p>Update the annotations on one or more resources.<br><br> All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.<br><br> Attempting to set an annotation that already exists will fail unless --overwrite is set. If --resource-version is specified and does not match the current resource version on the server the command will fail.<br><br>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl annotate [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]</code></p>
 <h3 id="flags">Flags</h3>
@@ -3647,7 +3724,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>overwrite</td>
@@ -3677,7 +3754,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -3705,8 +3782,7 @@ <h1 id="autoscale">autoscale</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl autoscale rc foo <span class="hljs-attribute">--max</span>=5 <span class="hljs-attribute">--cpu-percent</span>=80
 </code></pre>
-<p>Creates an autoscaler that automatically chooses and sets the number of pods that run in a Kubernetes cluster.</p>
-<p> Looks up a deployment, replica set, stateful set, or replication controller by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.</p>
+<p>Creates an autoscaler that automatically chooses and sets the number of pods that run in a Kubernetes cluster.<br><br> Looks up a deployment, replica set, stateful set, or replication controller by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU]</code></p>
 <h3 id="flags">Flags</h3>
@@ -3778,7 +3854,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -3849,14 +3925,7 @@ <h1 id="debug">debug</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl debug <span class="hljs-keyword">node</span><span class="hljs-title">/mynode</span> -it --<span class="hljs-attr">image=</span>busybox
 </code></pre>
-<p>Debug cluster resources using interactive debugging containers.</p>
-<p> &#39;debug&#39; provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if no resource is specified.</p>
-<p> The action taken by &#39;debug&#39; varies depending on what resource is specified. Supported actions include:</p>
-<ul>
-<li>Workload: Create a copy of an existing pod with certain attributes changed, for example changing the image tag to a new version.</li>
-<li>Workload: Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.</li>
-<li>Node: Create a new pod that runs in the node&#39;s host namespaces and can access the node&#39;s filesystem.</li>
-</ul>
+<p>Debug cluster resources using interactive debugging containers.<br><br> &#39;debug&#39; provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if no resource is specified.<br><br> The action taken by &#39;debug&#39; varies depending on what resource is specified. Supported actions include:<br><br>  <em>  Workload: Create a copy of an existing pod with certain attributes changed, for example changing the image tag to a new version.<br>  </em>  Workload: Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.<br>  *  Node: Create a new pod that runs in the node&#39;s host namespaces and can access the node&#39;s filesystem.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl debug (POD | TYPE[[.VERSION].GROUP]/NAME) [ -- COMMAND [args...] ]</code></p>
 <h3 id="flags">Flags</h3>
@@ -3974,12 +4043,7 @@ <h1 id="diff">diff</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">cat service.yaml <span class="hljs-string">| kubectl diff -f -</span>
 </code></pre>
-<p>Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.</p>
-<p> The output is always YAML.</p>
-<p> KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. Users can use external commands with params too, example: KUBECTL_EXTERNAL_DIFF=&quot;colordiff -N -u&quot;</p>
-<p> By default, the &quot;diff&quot; command available in your path will be run with the &quot;-u&quot; (unified diff) and &quot;-N&quot; (treat absent files as empty) options.</p>
-<p> Exit status: 0 No differences were found. 1 Differences were found. &gt;1 Kubectl or diff failed with an error.</p>
-<p> Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.</p>
+<p>Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.<br><br> The output is always YAML.<br><br> KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. Users can use external commands with params too, example: KUBECTL_EXTERNAL_DIFF=&quot;colordiff -N -u&quot;<br><br> By default, the &quot;diff&quot; command available in your path will be run with the &quot;-u&quot; (unified diff) and &quot;-N&quot; (treat absent files as empty) options.<br><br> Exit status: 0 No differences were found. 1 Differences were found. &gt;1 Kubectl or diff failed with an error.<br><br> Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl diff -f FILENAME</code></p>
 <h3 id="flags">Flags</h3>
@@ -4018,6 +4082,18 @@ <h3 id="flags">Flags</h3>
 <td>Process the kustomization directory. This flag can&#39;t be used together with -f or -R. </td>
 </tr>
 <tr>
+<td>prune</td>
+<td></td>
+<td>false</td>
+<td>Include resources that would be deleted by pruning. Can be used with -l and default shows all resources would be pruned </td>
+</tr>
+<tr>
+<td>prune-allowlist</td>
+<td></td>
+<td>[]</td>
+<td>Overwrite the default whitelist with &lt;group/version/kind&gt; for --prune </td>
+</tr>
+<tr>
 <td>recursive</td>
 <td>R</td>
 <td>false</td>
@@ -4027,7 +4103,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>server-side</td>
@@ -4040,14 +4116,14 @@ <h3 id="flags">Flags</h3>
 <hr>
 <h1 id="edit">edit</h1>
 <blockquote class="code-block example">
-<p> Edit the service named &#39;docker-registry&#39;</p>
+<p> Edit the service named &#39;registry&#39;</p>
 </blockquote>
-<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-builtin-name">edit</span> svc/docker-registry
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-builtin-name">edit</span> svc/registry
 </code></pre>
 <blockquote class="code-block example">
 <p> Use an alternative editor</p>
 </blockquote>
-<pre class="code-block example"><code class="lang-shell"><span class="hljs-attribute">KUBE_EDITOR</span>=<span class="hljs-string">"nano"</span> kubectl <span class="hljs-builtin-name">edit</span> svc/docker-registry
+<pre class="code-block example"><code class="lang-shell"><span class="hljs-attribute">KUBE_EDITOR</span>=<span class="hljs-string">"nano"</span> kubectl <span class="hljs-builtin-name">edit</span> svc/registry
 </code></pre>
 <blockquote class="code-block example">
 <p> Edit the job &#39;myjob&#39; in JSON using the v1 API format</p>
@@ -4059,12 +4135,12 @@ <h1 id="edit">edit</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">edit</span> deployment/mydeployment -o yaml --<span class="hljs-keyword">save</span>-config
 </code></pre>
-<p>Edit a resource from the default editor.</p>
-<p> The edit command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to &#39;vi&#39; for Linux or &#39;notepad&#39; for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.</p>
-<p> Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.</p>
-<p> The default format is YAML. To edit in JSON, specify &quot;-o json&quot;.</p>
-<p> The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.</p>
-<p> In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.</p>
+<blockquote class="code-block example">
+<p> Edit the deployment/mydeployment&#39;s status subresource</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-builtin-name">edit</span> deployment mydeployment <span class="hljs-attribute">--subresource</span>=<span class="hljs-string">'status'</span>
+</code></pre>
+<p>Edit a resource from the default editor.<br><br> The edit command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to &#39;vi&#39; for Linux or &#39;notepad&#39; for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.<br><br> Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.<br><br> The default format is YAML. To edit in JSON, specify &quot;-o json&quot;.<br><br> The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.<br><br> In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl edit (RESOURCE/NAME | -f FILENAME)</code></p>
 <h3 id="flags">Flags</h3>
@@ -4106,7 +4182,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>output-patch</td>
@@ -4139,6 +4215,12 @@ <h3 id="flags">Flags</h3>
 <td>If true, keep the managedFields when printing objects in JSON or YAML format. </td>
 </tr>
 <tr>
+<td>subresource</td>
+<td></td>
+<td></td>
+<td>If specified, edit will operate on the subresource of the requested object. Must be one of <span>[</span>status<span>]</span>. This flag is alpha and may change in the future. </td>
+</tr>
+<tr>
 <td>template</td>
 <td></td>
 <td></td>
@@ -4147,8 +4229,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>windows-line-endings</td>
@@ -4295,13 +4377,7 @@ <h1 id="label">label</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">label</span><span class="bash"> pods foo bar-</span>
 </code></pre>
-<p>Update the labels on a resource.</p>
-<ul>
-<li>A label key and value must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters each.</li>
-<li>Optionally, the key can begin with a DNS subdomain prefix and a single &#39;/&#39;, like example.com/my-app.</li>
-<li>If --overwrite is true, then existing labels can be overwritten, otherwise attempting to overwrite a label will result in an error.</li>
-<li>If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used.</li>
-</ul>
+<p>Update the labels on a resource.<br><br>  <em>  A label key and value must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters each.<br>  </em>  Optionally, the key can begin with a DNS subdomain prefix and a single &#39;/&#39;, like example.com/my-app.<br>  <em>  If --overwrite is true, then existing labels can be overwritten, otherwise attempting to overwrite a label will result in an error.<br>  </em>  If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl label [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]</code></p>
 <h3 id="flags">Flags</h3>
@@ -4379,7 +4455,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>overwrite</td>
@@ -4409,7 +4485,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -4452,8 +4528,12 @@ <h1 id="patch">patch</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl patch pod valid-pod --<span class="hljs-class"><span class="hljs-keyword">type</span></span>=<span class="hljs-symbol">'jso</span>n' -p='[{<span class="hljs-string">"op"</span>: <span class="hljs-string">"replace"</span>, <span class="hljs-string">"path"</span>: <span class="hljs-string">"/spec/containers/0/image"</span>, <span class="hljs-string">"value"</span>:<span class="hljs-string">"new image"</span>}]'
 </code></pre>
-<p>Update fields of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.</p>
-<p> JSON and YAML formats are accepted.</p>
+<blockquote class="code-block example">
+<p> Update a deployment&#39;s replicas through the scale subresource using a merge patch.</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl patch deployment nginx-deployment --subresource=<span class="hljs-symbol">'scal</span>e' --<span class="hljs-class"><span class="hljs-keyword">type</span></span>=<span class="hljs-symbol">'merg</span>e' -p '{<span class="hljs-string">"spec"</span>:{<span class="hljs-string">"replicas"</span>:<span class="hljs-number">2</span>}}'
+</code></pre>
+<p>Update fields of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.<br><br> JSON and YAML formats are accepted.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl patch (-f FILENAME | TYPE NAME) [-p PATCH|--patch-file FILE]</code></p>
 <h3 id="flags">Flags</h3>
@@ -4507,7 +4587,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>patch</td>
@@ -4540,6 +4620,12 @@ <h3 id="flags">Flags</h3>
 <td>If true, keep the managedFields when printing objects in JSON or YAML format. </td>
 </tr>
 <tr>
+<td>subresource</td>
+<td></td>
+<td></td>
+<td>If specified, patch will operate on the subresource of the requested object. Must be one of <span>[</span>status scale<span>]</span>. This flag is alpha and may change in the future. </td>
+</tr>
+<tr>
 <td>template</td>
 <td></td>
 <td></td>
@@ -4575,9 +4661,7 @@ <h1 id="replace">replace</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl replace <span class="hljs-params">--force</span> -f <span class="hljs-string">./pod.json</span>
 </code></pre>
-<p>Replace a resource by file name or stdin.</p>
-<p> JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by</p>
-<p>  $ kubectl get TYPE NAME -o yaml</p>
+<p>Replace a resource by file name or stdin.<br><br> JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by<br><br>  $ kubectl get TYPE NAME -o yaml</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl replace -f FILENAME</code></p>
 <h3 id="flags">Flags</h3>
@@ -4643,7 +4727,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>raw</td>
@@ -4670,6 +4754,12 @@ <h3 id="flags">Flags</h3>
 <td>If true, keep the managedFields when printing objects in JSON or YAML format. </td>
 </tr>
 <tr>
+<td>subresource</td>
+<td></td>
+<td></td>
+<td>If specified, replace will operate on the subresource of the requested object. Must be one of <span>[</span>status scale<span>]</span>. This flag is alpha and may change in the future. </td>
+</tr>
+<tr>
 <td>template</td>
 <td></td>
 <td></td>
@@ -4684,8 +4774,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 <tr>
 <td>wait</td>
@@ -4707,13 +4797,17 @@ <h1 id="rollout">rollout</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl rollout <span class="hljs-keyword">status</span> daemonset/foo
 </code></pre>
-<p>Manage the rollout of a resource.</p>
-<p> Valid resource types include:</p>
-<ul>
-<li>deployments</li>
-<li>daemonsets</li>
-<li>statefulsets</li>
-</ul>
+<blockquote class="code-block example">
+<p> Restart a deployment</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl rollout <span class="hljs-built_in">restart</span> deployment/abc
+</code></pre>
+<blockquote class="code-block example">
+<p> Restart deployments with the app=nginx label</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl rollout <span class="hljs-keyword">restart</span> deployment <span class="hljs-comment">--selector=app=nginx</span>
+</code></pre>
+<p>Manage the rollout of one or many resources.<br>  <br> Valid resource types include:<br><br>  <em>  deployments<br>  </em>  daemonsets<br>  *  statefulsets</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl rollout SUBCOMMAND</code></p>
 <hr>
@@ -4764,7 +4858,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -4779,6 +4873,12 @@ <h3 id="flags">Flags</h3>
 <td>See the details, including podTemplate of the revision specified </td>
 </tr>
 <tr>
+<td>selector</td>
+<td>l</td>
+<td></td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
+</tr>
+<tr>
 <td>show-managed-fields</td>
 <td></td>
 <td>false</td>
@@ -4842,7 +4942,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -4851,6 +4951,12 @@ <h3 id="flags">Flags</h3>
 <td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
 </tr>
 <tr>
+<td>selector</td>
+<td>l</td>
+<td></td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
+</tr>
+<tr>
 <td>show-managed-fields</td>
 <td></td>
 <td>false</td>
@@ -4876,6 +4982,11 @@ <h2 id="-em-restart-em-"><em>restart</em></h2>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl rollout <span class="hljs-built_in">restart</span> daemonset/abc
 </code></pre>
+<blockquote class="code-block example">
+<p> Restart deployments with the app=nginx label</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl rollout <span class="hljs-keyword">restart</span> deployment <span class="hljs-comment">--selector=app=nginx</span>
+</code></pre>
 <p>Restart a resource.</p>
 <p>   Resource rollout will be restarted.</p>
 <h3 id="usage">Usage</h3>
@@ -4919,7 +5030,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -4928,6 +5039,12 @@ <h3 id="flags">Flags</h3>
 <td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
 </tr>
 <tr>
+<td>selector</td>
+<td>l</td>
+<td></td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
+</tr>
+<tr>
 <td>show-managed-fields</td>
 <td></td>
 <td>false</td>
@@ -4991,7 +5108,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -5000,6 +5117,12 @@ <h3 id="flags">Flags</h3>
 <td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
 </tr>
 <tr>
+<td>selector</td>
+<td>l</td>
+<td></td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
+</tr>
+<tr>
 <td>show-managed-fields</td>
 <td></td>
 <td>false</td>
@@ -5060,6 +5183,12 @@ <h3 id="flags">Flags</h3>
 <td>Pin to a specific revision for showing its status. Defaults to 0 (last revision). </td>
 </tr>
 <tr>
+<td>selector</td>
+<td>l</td>
+<td></td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
+</tr>
+<tr>
 <td>timeout</td>
 <td></td>
 <td>0s</td>
@@ -5132,7 +5261,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -5141,6 +5270,12 @@ <h3 id="flags">Flags</h3>
 <td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
 </tr>
 <tr>
+<td>selector</td>
+<td>l</td>
+<td></td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
+</tr>
+<tr>
 <td>show-managed-fields</td>
 <td></td>
 <td>false</td>
@@ -5187,9 +5322,7 @@ <h1 id="scale">scale</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl scale <span class="hljs-attribute">--replicas</span>=3 statefulset/web
 </code></pre>
-<p>Set a new size for a deployment, replica set, replication controller, or stateful set.</p>
-<p> Scale also allows users to specify one or more preconditions for the scale action.</p>
-<p> If --current-replicas or --resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.</p>
+<p>Set a new size for a deployment, replica set, replication controller, or stateful set.<br><br> Scale also allows users to specify one or more preconditions for the scale action.<br><br> If --current-replicas or --resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl scale [--resource-version=version] [--current-replicas=count] --replicas=COUNT (-f FILENAME | TYPE NAME)</code></p>
 <h3 id="flags">Flags</h3>
@@ -5243,7 +5376,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -5273,7 +5406,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -5297,8 +5430,7 @@ <h3 id="flags">Flags</h3>
 </table>
 <hr>
 <h1 id="set">set</h1>
-<p>Configure application resources.</p>
-<p> These commands help you make changes to existing application resources.</p>
+<p>Configure application resources.<br><br> These commands help you make changes to existing application resources.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl set SUBCOMMAND</code></p>
 <hr>
@@ -5452,7 +5584,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>overwrite</td>
@@ -5482,7 +5614,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -5582,7 +5714,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -5600,7 +5732,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -5712,7 +5844,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -5736,7 +5868,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -5815,7 +5947,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -5923,7 +6055,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>record</td>
@@ -6034,7 +6166,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -6046,7 +6178,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>serviceaccount</td>
@@ -6076,7 +6208,7 @@ <h1 id="wait">wait</h1>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-built_in">wait</span> <span class="hljs-comment">--for=condition=Ready pod/busybox1</span>
 </code></pre>
 <blockquote class="code-block example">
-<p> The default value of status condition is true; you can set it to false</p>
+<p> The default value of status condition is true; you can wait for other targets after an equal delimiter (compared after Unicode simple case folding, which is a more general form of case-insensitivity):</p>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-built_in">wait</span> --<span class="hljs-keyword">for</span>=condition=Ready=<span class="hljs-literal">false</span> pod/busybox1
 </code></pre>
@@ -6091,10 +6223,7 @@ <h1 id="wait">wait</h1>
 <pre class="code-block example"><code class="lang-shell">kubectl delete pod/busybox1
 kubectl wait <span class="hljs-attribute">--for</span>=delete pod/busybox1 <span class="hljs-attribute">--timeout</span>=60s
 </code></pre>
-<p>Experimental: Wait for a specific condition on one or many resources.</p>
-<p> The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.</p>
-<p> Alternatively, the command can wait for the given set of resources to be deleted by providing the &quot;delete&quot; keyword as the value to the --for flag.</p>
-<p> A successful message will be printed to stdout indicating when the specified condition has been met. You can use -o option to change to output destination.</p>
+<p>Experimental: Wait for a specific condition on one or many resources.<br><br> The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.<br><br> Alternatively, the command can wait for the given set of resources to be deleted by providing the &quot;delete&quot; keyword as the value to the --for flag.<br><br> A successful message will be printed to stdout indicating when the specified condition has been met. You can use -o option to change to output destination.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available|--for=jsonpath=&#39;{}&#39;=value]</code></p>
 <h3 id="flags">Flags</h3>
@@ -6142,7 +6271,7 @@ <h3 id="flags">Flags</h3>
 <td>for</td>
 <td></td>
 <td></td>
-<td>The condition to wait on: <span>[</span>delete&#124;condition=condition-name&#124;jsonpath=&#39;{JSONPath expression}&#39;=JSONPath Condition<span>]</span>. The default status value of condition-name is true, you can set false with condition=condition-name=false. </td>
+<td>The condition to wait on: <span>[</span>delete&#124;condition=condition-name<span>[</span>=condition-value<span>]</span>&#124;jsonpath=&#39;{JSONPath expression}&#39;=JSONPath Condition<span>]</span>. The default condition-value is true.  Condition values are compared after Unicode simple case folding, which is a more general form of case-insensitivity. </td>
 </tr>
 <tr>
 <td>local</td>
@@ -6154,7 +6283,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -6406,7 +6535,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -6538,11 +6667,7 @@ <h1 id="describe">describe</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell"><span class="hljs-attribute">kubectl describe pods frontend</span>
 </code></pre>
-<p>Show details of a specific resource or group of resources.</p>
-<p> Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:</p>
-<p>  $ kubectl describe TYPE NAME_PREFIX</p>
-<p> will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.</p>
-<p>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
+<p>Show details of a specific resource or group of resources.<br><br> Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:<br><br>  $ kubectl describe TYPE NAME_PREFIX<br>  <br> will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.<br><br>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | -l label] | TYPE/NAME)</code></p>
 <h3 id="flags">Flags</h3>
@@ -6590,7 +6715,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-events</td>
@@ -6819,7 +6944,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on. </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>since</td>
@@ -6884,9 +7009,7 @@ <h1 id="port-forward">port-forward</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl port-forward pod/mypod :<span class="hljs-number">5000</span>
 </code></pre>
-<p>Forward one or more local ports to a pod.</p>
-<p> Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to &#39;pod&#39; if omitted.</p>
-<p> If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and a rerun of the command is needed to resume forwarding.</p>
+<p>Forward one or more local ports to a pod.<br><br> Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to &#39;pod&#39; if omitted.<br><br> If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and a rerun of the command is needed to resume forwarding.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl port-forward TYPE/NAME [options] [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N]</code></p>
 <h3 id="flags">Flags</h3>
@@ -7042,9 +7165,7 @@ <h3 id="flags">Flags</h3>
 </table>
 <hr>
 <h1 id="top">top</h1>
-<p>Display Resource (CPU/Memory) usage.</p>
-<p> The top command allows you to see the resource consumption for nodes or pods.</p>
-<p> This command requires Metrics Server to be correctly configured and working on the server.</p>
+<p>Display Resource (CPU/Memory) usage.<br><br> The top command allows you to see the resource consumption for nodes or pods.<br><br> This command requires Metrics Server to be correctly configured and working on the server.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl top</code></p>
 <hr>
@@ -7084,7 +7205,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-capacity</td>
@@ -7172,7 +7293,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>sort-by</td>
@@ -7255,7 +7376,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -7327,7 +7448,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>recursive</td>
@@ -7418,7 +7539,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td>json</td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>output-directory</td>
@@ -7477,7 +7598,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 </tbody>
 </table>
@@ -7493,11 +7614,7 @@ <h1 id="drain">drain</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl drain foo <span class="hljs-attribute">--grace-period</span>=900
 </code></pre>
-<p>Drain node in preparation for maintenance.</p>
-<p> The given node will be marked unschedulable to prevent new pods from arriving. &#39;drain&#39; evicts the pods if the API server supports <a href="https://kubernetes.io/docs/concepts/workloads/pods/disruptions/">https://kubernetes.io/docs/concepts/workloads/pods/disruptions/</a> . Otherwise, it will use normal DELETE to delete the pods. The &#39;drain&#39; evicts or deletes all pods except mirror pods (which cannot be deleted through the API server).  If there are daemon set-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any daemon set-managed pods, because those pods would be immediately replaced by the daemon set controller, which ignores unschedulable markings.  If there are any pods that are neither mirror pods nor managed by a replication controller, replica set, daemon set, stateful set, or job, then drain will not delete any pods unless you use --force.  --force will also allow deletion to proceed if the managing resource of one or more pods is missing.</p>
-<p> &#39;drain&#39; waits for graceful termination. You should not operate on the machine until the command completes.</p>
-<p> When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.</p>
-<p> <a href="https://kubernetes.io/images/docs/kubectl_drain.svg">https://kubernetes.io/images/docs/kubectl_drain.svg</a></p>
+<p>Drain node in preparation for maintenance.<br><br> The given node will be marked unschedulable to prevent new pods from arriving. &#39;drain&#39; evicts the pods if the API server supports <a href="https://kubernetes.io/docs/concepts/workloads/pods/disruptions/">https://kubernetes.io/docs/concepts/workloads/pods/disruptions/</a> . Otherwise, it will use normal DELETE to delete the pods. The &#39;drain&#39; evicts or deletes all pods except mirror pods (which cannot be deleted through the API server).  If there are daemon set-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any daemon set-managed pods, because those pods would be immediately replaced by the daemon set controller, which ignores unschedulable markings.  If there are any pods that are neither mirror pods nor managed by a replication controller, replica set, daemon set, stateful set, or job, then drain will not delete any pods unless you use --force.  --force will also allow deletion to proceed if the managing resource of one or more pods is missing.<br><br> &#39;drain&#39; waits for graceful termination. You should not operate on the machine until the command completes.<br><br> When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.<br><br> <a href="https://kubernetes.io/images/docs/kubectl_drain.svg">https://kubernetes.io/images/docs/kubectl_drain.svg</a></p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl drain NODE</code></p>
 <h3 id="flags">Flags</h3>
@@ -7545,7 +7662,7 @@ <h3 id="flags">Flags</h3>
 <td>force</td>
 <td></td>
 <td>false</td>
-<td>Continue even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet. </td>
+<td>Continue even if there are pods that do not declare a controller. </td>
 </tr>
 <tr>
 <td>grace-period</td>
@@ -7569,7 +7686,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>skip-wait-for-delete-timeout</td>
@@ -7612,15 +7729,7 @@ <h1 id="taint">taint</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell"><span class="hljs-selector-tag">kubectl</span> <span class="hljs-selector-tag">taint</span> <span class="hljs-selector-tag">nodes</span> <span class="hljs-selector-tag">foo</span> <span class="hljs-selector-tag">bar</span><span class="hljs-selector-pseudo">:NoSchedule</span>
 </code></pre>
-<p>Update the taints on one or more nodes.</p>
-<ul>
-<li>A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect.</li>
-<li>The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  253 characters.</li>
-<li>Optionally, the key can begin with a DNS subdomain prefix and a single &#39;/&#39;, like example.com/my-app.</li>
-<li>The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters.</li>
-<li>The effect must be NoSchedule, PreferNoSchedule or NoExecute.</li>
-<li>Currently taint can only apply to node.</li>
-</ul>
+<p>Update the taints on one or more nodes.<br><br>  <em>  A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect.<br>  </em>  The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  253 characters.<br>  <em>  Optionally, the key can begin with a DNS subdomain prefix and a single &#39;/&#39;, like example.com/my-app.<br>  </em>  The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to  63 characters.<br>  <em>  The effect must be NoSchedule, PreferNoSchedule or NoExecute.<br>  </em>  Currently taint can only apply to node.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N</code></p>
 <h3 id="flags">Flags</h3>
@@ -7662,7 +7771,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>overwrite</td>
@@ -7674,7 +7783,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2) </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 <tr>
 <td>show-managed-fields</td>
@@ -7691,8 +7800,8 @@ <h3 id="flags">Flags</h3>
 <tr>
 <td>validate</td>
 <td></td>
-<td>true</td>
-<td>If true, use a schema to validate the input before sending it </td>
+<td>strict</td>
+<td>Must be one of: strict (or true), warn, ignore (or false).<br>        &quot;true&quot; or &quot;strict&quot; will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.<br>        &quot;warn&quot; will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as &quot;ignore&quot; otherwise.<br>        &quot;false&quot; or &quot;ignore&quot; will not perform any schema validation, silently dropping any unknown or duplicate fields. </td>
 </tr>
 </tbody>
 </table>
@@ -7727,7 +7836,7 @@ <h3 id="flags">Flags</h3>
 <td>selector</td>
 <td>l</td>
 <td></td>
-<td>Selector (label query) to filter on </td>
+<td>Selector (label query) to filter on, supports &#39;=&#39;, &#39;==&#39;, and &#39;!=&#39;.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. </td>
 </tr>
 </tbody>
 </table>
@@ -7869,7 +7978,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: wide&#124;name. </td>
+<td>Output format. One of: (wide, name). </td>
 </tr>
 <tr>
 <td>sort-by</td>
@@ -7963,26 +8072,12 @@ <h1 id="completion">completion</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell"><span class="hljs-attribute">kubectl</span> completion powershell &gt;&gt; <span class="hljs-variable">$PROFILE</span>
 </code></pre>
-<p>Output shell completion code for the specified shell (bash, zsh, fish, or powershell). The shell code must be evaluated to provide interactive completion of kubectl commands.  This can be done by sourcing it from the .bash_profile.</p>
-<p> Detailed instructions on how to do this are available here:</p>
-<p>  for macOS:
-  <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion">https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion</a></p>
-<p>  for linux:
-  <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion">https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion</a></p>
-<p>  for windows:
-  <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion">https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion</a></p>
-<p> Note for zsh users: <span>[</span>1<span>]</span> zsh completions are only supported in versions of zsh &gt;= 5.2.</p>
+<p>Output shell completion code for the specified shell (bash, zsh, fish, or powershell). The shell code must be evaluated to provide interactive completion of kubectl commands.  This can be done by sourcing it from the .bash_profile.<br><br> Detailed instructions on how to do this are available here:<br><br>  for macOS:<br>  <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion">https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion</a><br>  <br>  for linux:<br>  <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion">https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion</a><br>  <br>  for windows:<br>  <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion">https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion</a><br>  <br> Note for zsh users: <span>[</span>1<span>]</span> zsh completions are only supported in versions of zsh &gt;= 5.2.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl completion SHELL</code></p>
 <hr>
 <h1 id="config">config</h1>
-<p>Modify kubeconfig files using subcommands like &quot;kubectl config set current-context my-context&quot;</p>
-<p> The loading order follows these rules:</p>
-<ol>
-<li>If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.</li>
-<li>If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.</li>
-<li>Otherwise, ${HOME}/.kube/config is used and no merging takes place.</li>
-</ol>
+<p>Modify kubeconfig files using subcommands like &quot;kubectl config set current-context my-context&quot;<br><br> The loading order follows these rules:<br><br>  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.<br>  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.<br>  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl config SUBCOMMAND</code></p>
 <hr>
@@ -8071,7 +8166,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td></td>
-<td>Output format. One of: name </td>
+<td>Output format. One of: (name). </td>
 </tr>
 </tbody>
 </table>
@@ -8158,7 +8253,7 @@ <h2 id="-em-set-cluster-em-"><em>set-cluster</em></h2>
 <pre class="code-block example"><code class="lang-shell">kubectl<span class="hljs-built_in"> config </span>set-cluster e2e --embed-certs <span class="hljs-attribute">--certificate-authority</span>=~/.kube/e2e/kubernetes.ca.crt
 </code></pre>
 <blockquote class="code-block example">
-<p> Disable cert checking for the dev cluster entry</p>
+<p> Disable cert checking for the e2e cluster entry</p>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl<span class="hljs-built_in"> config </span>set-cluster e2e <span class="hljs-attribute">--insecure-skip-tls-verify</span>=<span class="hljs-literal">true</span>
 </code></pre>
@@ -8167,6 +8262,11 @@ <h2 id="-em-set-cluster-em-"><em>set-cluster</em></h2>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell">kubectl<span class="hljs-built_in"> config </span>set-cluster e2e <span class="hljs-attribute">--tls-server-name</span>=my-cluster-name
 </code></pre>
+<blockquote class="code-block example">
+<p> Set proxy url for the e2e cluster entry</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl<span class="hljs-built_in"> config </span>set-cluster e2e <span class="hljs-attribute">--proxy-url</span>=https://1.2.3.4
+</code></pre>
 <p>Set a cluster entry in kubeconfig.</p>
 <p> Specifying a name that already exists will merge new fields on top of existing values for those fields.</p>
 <h3 id="usage">Usage</h3>
@@ -8188,6 +8288,12 @@ <h3 id="flags">Flags</h3>
 <td>false</td>
 <td>embed-certs for the cluster entry in kubeconfig </td>
 </tr>
+<tr>
+<td>proxy-url</td>
+<td></td>
+<td></td>
+<td>proxy-url for the cluster entry in kubeconfig </td>
+</tr>
 </tbody>
 </table>
 <hr>
@@ -8424,7 +8530,7 @@ <h3 id="flags">Flags</h3>
 <td>output</td>
 <td>o</td>
 <td>yaml</td>
-<td>Output format. One of: json&#124;yaml&#124;name&#124;go-template&#124;go-template-file&#124;template&#124;templatefile&#124;jsonpath&#124;jsonpath-as-json&#124;jsonpath-file. </td>
+<td>Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). </td>
 </tr>
 <tr>
 <td>raw</td>
@@ -8458,11 +8564,7 @@ <h1 id="explain">explain</h1>
 </blockquote>
 <pre class="code-block example"><code class="lang-shell"><span class="hljs-selector-tag">kubectl</span> <span class="hljs-selector-tag">explain</span> <span class="hljs-selector-tag">pods</span><span class="hljs-selector-class">.spec</span><span class="hljs-selector-class">.containers</span>
 </code></pre>
-<p>List the fields for supported resources.</p>
-<p> This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:</p>
-<p>  &lt;type&gt;.&lt;fieldName&gt;<span>[</span>.&lt;fieldName&gt;<span>]</span></p>
-<p> Add the --recursive flag to display all of the fields at once without descriptions. Information about each field is retrieved from the server in OpenAPI format.</p>
-<p>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
+<p>List the fields for supported resources.<br><br> This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:<br><br>  &lt;type&gt;.&lt;fieldName&gt;<span>[</span>.&lt;fieldName&gt;<span>]</span><br>  <br> Add the --recursive flag to display all of the fields at once without descriptions. Information about each field is retrieved from the server in OpenAPI format.<br><br>Use &quot;kubectl api-resources&quot; for a complete list of supported resources.</p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl explain RESOURCE</code></p>
 <h3 id="flags">Flags</h3>
@@ -8502,13 +8604,16 @@ <h3 id="usage">Usage</h3>
 <p><code>$ kubectl options</code></p>
 <hr>
 <h1 id="plugin">plugin</h1>
-<p>Provides utilities for interacting with plugins.</p>
-<p> Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.</p>
-<p> The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit <a href="https://krew.sigs.k8s.io/docs/user-guide/setup/install/">https://krew.sigs.k8s.io/docs/user-guide/setup/install/</a></p>
+<p>Provides utilities for interacting with plugins.<br><br> Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.<br><br> The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit <a href="https://krew.sigs.k8s.io/docs/user-guide/setup/install/">https://krew.sigs.k8s.io/docs/user-guide/setup/install/</a></p>
 <h3 id="usage">Usage</h3>
 <p><code>$ kubectl plugin [flags]</code></p>
 <hr>
 <h2 id="-em-list-em-"><em>list</em></h2>
+<blockquote class="code-block example">
+<p> List all available plugins</p>
+</blockquote>
+<pre class="code-block example"><code class="lang-shell">kubectl <span class="hljs-keyword">plugin</span> <span class="hljs-keyword">list</span>
+</code></pre>
 <p>List all available plugin files on a user&#39;s PATH.</p>
 <p> Available plugin files are those that are: - executable - anywhere on the user&#39;s PATH - begin with &quot;kubectl-&quot;</p>
 <h3 id="usage">Usage</h3>
diff --git a/static/docs/reference/generated/kubectl/navData.js b/static/docs/reference/generated/kubectl/navData.js
index f62a507aa42dd..e4ee521832f97 100644
--- a/static/docs/reference/generated/kubectl/navData.js
+++ b/static/docs/reference/generated/kubectl/navData.js
@@ -1 +1 @@
-(function(){navData = {"toc":[{"section":"version","subsections":[]},{"section":"plugin","subsections":[{"section":"-em-list-em-"}]},{"section":"options","subsections":[]},{"section":"explain","subsections":[]},{"section":"config","subsections":[{"section":"-em-view-em-"},{"section":"-em-use-context-em-"},{"section":"-em-unset-em-"},{"section":"-em-set-credentials-em-"},{"section":"-em-set-context-em-"},{"section":"-em-set-cluster-em-"},{"section":"-em-set-em-"},{"section":"-em-rename-context-em-"},{"section":"-em-get-users-em-"},{"section":"-em-get-contexts-em-"},{"section":"-em-get-clusters-em-"},{"section":"-em-delete-user-em-"},{"section":"-em-delete-context-em-"},{"section":"-em-delete-cluster-em-"},{"section":"-em-current-context-em-"}]},{"section":"completion","subsections":[]},{"section":"api-resources","subsections":[]},{"section":"alpha","subsections":[{"section":"-em-events-em-"}]},{"section":"-strong-kubectl-settings-and-usage-strong-","subsections":[]},{"section":"uncordon","subsections":[]},{"section":"taint","subsections":[]},{"section":"drain","subsections":[]},{"section":"cordon","subsections":[]},{"section":"cluster-info","subsections":[{"section":"-em-dump-em-"}]},{"section":"certificate","subsections":[{"section":"-em-deny-em-"},{"section":"-em-approve-em-"}]},{"section":"api-versions","subsections":[]},{"section":"-strong-cluster-management-strong-","subsections":[]},{"section":"top","subsections":[{"section":"-em-pod-em-"},{"section":"-em-node-em-"}]},{"section":"proxy","subsections":[]},{"section":"port-forward","subsections":[]},{"section":"logs","subsections":[]},{"section":"exec","subsections":[]},{"section":"describe","subsections":[]},{"section":"cp","subsections":[]},{"section":"auth","subsections":[{"section":"-em-reconcile-em-"},{"section":"-em-can-i-em-"}]},{"section":"attach","subsections":[]},{"section":"-strong-working-with-apps-strong-","subsections":[]},{"section":"wait","subsections":[]},{"section":"set","subsections":[{"section":"-em-subject-em-"},{"section":"-em-serviceaccount-em--1"},{"section":"-em-selector-em-"},{"section":"-em-resources-em-"},{"section":"-em-image-em-"},{"section":"-em-env-em-"}]},{"section":"scale","subsections":[]},{"section":"rollout","subsections":[{"section":"-em-undo-em-"},{"section":"-em-status-em-"},{"section":"-em-resume-em-"},{"section":"-em-restart-em-"},{"section":"-em-pause-em-"},{"section":"-em-history-em-"}]},{"section":"replace","subsections":[]},{"section":"patch","subsections":[]},{"section":"label","subsections":[]},{"section":"kustomize","subsections":[]},{"section":"edit","subsections":[]},{"section":"diff","subsections":[]},{"section":"debug","subsections":[]},{"section":"autoscale","subsections":[]},{"section":"annotate","subsections":[]},{"section":"apply","subsections":[{"section":"-em-view-last-applied-em-"},{"section":"-em-set-last-applied-em-"},{"section":"-em-edit-last-applied-em-"}]},{"section":"-strong-app-management-strong-","subsections":[]},{"section":"delete","subsections":[]},{"section":"expose","subsections":[]},{"section":"run","subsections":[]},{"section":"get","subsections":[]},{"section":"create","subsections":[{"section":"-em-serviceaccount-em-"},{"section":"-em-service-nodeport-em-"},{"section":"-em-service-loadbalancer-em-"},{"section":"-em-service-externalname-em-"},{"section":"-em-service-clusterip-em-"},{"section":"-em-service-em-"},{"section":"-em-secret-tls-em-"},{"section":"-em-secret-generic-em-"},{"section":"-em-secret-docker-registry-em-"},{"section":"-em-secret-em-"},{"section":"-em-rolebinding-em-"},{"section":"-em-role-em-"},{"section":"-em-quota-em-"},{"section":"-em-priorityclass-em-"},{"section":"-em-poddisruptionbudget-em-"},{"section":"-em-namespace-em-"},{"section":"-em-job-em-"},{"section":"-em-ingress-em-"},{"section":"-em-deployment-em-"},{"section":"-em-cronjob-em-"},{"section":"-em-configmap-em-"},{"section":"-em-clusterrolebinding-em-"},{"section":"-em-clusterrole-em-"}]},{"section":"-strong-getting-started-strong-","subsections":[]}],"flatToc":["version","-em-list-em-","plugin","options","explain","-em-view-em-","-em-use-context-em-","-em-unset-em-","-em-set-credentials-em-","-em-set-context-em-","-em-set-cluster-em-","-em-set-em-","-em-rename-context-em-","-em-get-users-em-","-em-get-contexts-em-","-em-get-clusters-em-","-em-delete-user-em-","-em-delete-context-em-","-em-delete-cluster-em-","-em-current-context-em-","config","completion","api-resources","-em-events-em-","alpha","-strong-kubectl-settings-and-usage-strong-","uncordon","taint","drain","cordon","-em-dump-em-","cluster-info","-em-deny-em-","-em-approve-em-","certificate","api-versions","-strong-cluster-management-strong-","-em-pod-em-","-em-node-em-","top","proxy","port-forward","logs","exec","describe","cp","-em-reconcile-em-","-em-can-i-em-","auth","attach","-strong-working-with-apps-strong-","wait","-em-subject-em-","-em-serviceaccount-em--1","-em-selector-em-","-em-resources-em-","-em-image-em-","-em-env-em-","set","scale","-em-undo-em-","-em-status-em-","-em-resume-em-","-em-restart-em-","-em-pause-em-","-em-history-em-","rollout","replace","patch","label","kustomize","edit","diff","debug","autoscale","annotate","-em-view-last-applied-em-","-em-set-last-applied-em-","-em-edit-last-applied-em-","apply","-strong-app-management-strong-","delete","expose","run","get","-em-serviceaccount-em-","-em-service-nodeport-em-","-em-service-loadbalancer-em-","-em-service-externalname-em-","-em-service-clusterip-em-","-em-service-em-","-em-secret-tls-em-","-em-secret-generic-em-","-em-secret-docker-registry-em-","-em-secret-em-","-em-rolebinding-em-","-em-role-em-","-em-quota-em-","-em-priorityclass-em-","-em-poddisruptionbudget-em-","-em-namespace-em-","-em-job-em-","-em-ingress-em-","-em-deployment-em-","-em-cronjob-em-","-em-configmap-em-","-em-clusterrolebinding-em-","-em-clusterrole-em-","create","-strong-getting-started-strong-"]};})();
\ No newline at end of file
+(function(){navData = {"toc":[{"section":"version","subsections":[]},{"section":"plugin","subsections":[{"section":"-em-list-em-"}]},{"section":"options","subsections":[]},{"section":"explain","subsections":[]},{"section":"config","subsections":[{"section":"-em-view-em-"},{"section":"-em-use-context-em-"},{"section":"-em-unset-em-"},{"section":"-em-set-credentials-em-"},{"section":"-em-set-context-em-"},{"section":"-em-set-cluster-em-"},{"section":"-em-set-em-"},{"section":"-em-rename-context-em-"},{"section":"-em-get-users-em-"},{"section":"-em-get-contexts-em-"},{"section":"-em-get-clusters-em-"},{"section":"-em-delete-user-em-"},{"section":"-em-delete-context-em-"},{"section":"-em-delete-cluster-em-"},{"section":"-em-current-context-em-"}]},{"section":"completion","subsections":[]},{"section":"api-resources","subsections":[]},{"section":"alpha","subsections":[{"section":"-em-events-em-"}]},{"section":"-strong-kubectl-settings-and-usage-strong-","subsections":[]},{"section":"uncordon","subsections":[]},{"section":"taint","subsections":[]},{"section":"drain","subsections":[]},{"section":"cordon","subsections":[]},{"section":"cluster-info","subsections":[{"section":"-em-dump-em-"}]},{"section":"certificate","subsections":[{"section":"-em-deny-em-"},{"section":"-em-approve-em-"}]},{"section":"api-versions","subsections":[]},{"section":"-strong-cluster-management-strong-","subsections":[]},{"section":"top","subsections":[{"section":"-em-pod-em-"},{"section":"-em-node-em-"}]},{"section":"proxy","subsections":[]},{"section":"port-forward","subsections":[]},{"section":"logs","subsections":[]},{"section":"exec","subsections":[]},{"section":"describe","subsections":[]},{"section":"cp","subsections":[]},{"section":"auth","subsections":[{"section":"-em-reconcile-em-"},{"section":"-em-can-i-em-"}]},{"section":"attach","subsections":[]},{"section":"-strong-working-with-apps-strong-","subsections":[]},{"section":"wait","subsections":[]},{"section":"set","subsections":[{"section":"-em-subject-em-"},{"section":"-em-serviceaccount-em--1"},{"section":"-em-selector-em-"},{"section":"-em-resources-em-"},{"section":"-em-image-em-"},{"section":"-em-env-em-"}]},{"section":"scale","subsections":[]},{"section":"rollout","subsections":[{"section":"-em-undo-em-"},{"section":"-em-status-em-"},{"section":"-em-resume-em-"},{"section":"-em-restart-em-"},{"section":"-em-pause-em-"},{"section":"-em-history-em-"}]},{"section":"replace","subsections":[]},{"section":"patch","subsections":[]},{"section":"label","subsections":[]},{"section":"kustomize","subsections":[]},{"section":"edit","subsections":[]},{"section":"diff","subsections":[]},{"section":"debug","subsections":[]},{"section":"autoscale","subsections":[]},{"section":"annotate","subsections":[]},{"section":"apply","subsections":[{"section":"-em-view-last-applied-em-"},{"section":"-em-set-last-applied-em-"},{"section":"-em-edit-last-applied-em-"}]},{"section":"-strong-app-management-strong-","subsections":[]},{"section":"delete","subsections":[]},{"section":"expose","subsections":[]},{"section":"run","subsections":[]},{"section":"get","subsections":[]},{"section":"create","subsections":[{"section":"-em-token-em-"},{"section":"-em-serviceaccount-em-"},{"section":"-em-service-nodeport-em-"},{"section":"-em-service-loadbalancer-em-"},{"section":"-em-service-externalname-em-"},{"section":"-em-service-clusterip-em-"},{"section":"-em-service-em-"},{"section":"-em-secret-tls-em-"},{"section":"-em-secret-generic-em-"},{"section":"-em-secret-docker-registry-em-"},{"section":"-em-secret-em-"},{"section":"-em-rolebinding-em-"},{"section":"-em-role-em-"},{"section":"-em-quota-em-"},{"section":"-em-priorityclass-em-"},{"section":"-em-poddisruptionbudget-em-"},{"section":"-em-namespace-em-"},{"section":"-em-job-em-"},{"section":"-em-ingress-em-"},{"section":"-em-deployment-em-"},{"section":"-em-cronjob-em-"},{"section":"-em-configmap-em-"},{"section":"-em-clusterrolebinding-em-"},{"section":"-em-clusterrole-em-"}]},{"section":"-strong-getting-started-strong-","subsections":[]}],"flatToc":["version","-em-list-em-","plugin","options","explain","-em-view-em-","-em-use-context-em-","-em-unset-em-","-em-set-credentials-em-","-em-set-context-em-","-em-set-cluster-em-","-em-set-em-","-em-rename-context-em-","-em-get-users-em-","-em-get-contexts-em-","-em-get-clusters-em-","-em-delete-user-em-","-em-delete-context-em-","-em-delete-cluster-em-","-em-current-context-em-","config","completion","api-resources","-em-events-em-","alpha","-strong-kubectl-settings-and-usage-strong-","uncordon","taint","drain","cordon","-em-dump-em-","cluster-info","-em-deny-em-","-em-approve-em-","certificate","api-versions","-strong-cluster-management-strong-","-em-pod-em-","-em-node-em-","top","proxy","port-forward","logs","exec","describe","cp","-em-reconcile-em-","-em-can-i-em-","auth","attach","-strong-working-with-apps-strong-","wait","-em-subject-em-","-em-serviceaccount-em--1","-em-selector-em-","-em-resources-em-","-em-image-em-","-em-env-em-","set","scale","-em-undo-em-","-em-status-em-","-em-resume-em-","-em-restart-em-","-em-pause-em-","-em-history-em-","rollout","replace","patch","label","kustomize","edit","diff","debug","autoscale","annotate","-em-view-last-applied-em-","-em-set-last-applied-em-","-em-edit-last-applied-em-","apply","-strong-app-management-strong-","delete","expose","run","get","-em-token-em-","-em-serviceaccount-em-","-em-service-nodeport-em-","-em-service-loadbalancer-em-","-em-service-externalname-em-","-em-service-clusterip-em-","-em-service-em-","-em-secret-tls-em-","-em-secret-generic-em-","-em-secret-docker-registry-em-","-em-secret-em-","-em-rolebinding-em-","-em-role-em-","-em-quota-em-","-em-priorityclass-em-","-em-poddisruptionbudget-em-","-em-namespace-em-","-em-job-em-","-em-ingress-em-","-em-deployment-em-","-em-cronjob-em-","-em-configmap-em-","-em-clusterrolebinding-em-","-em-clusterrole-em-","create","-strong-getting-started-strong-"]};})();
\ No newline at end of file
diff --git a/static/images/announcements/kccnc-eu-2022-black.svg b/static/images/announcements/kccnc-eu-2022-black.svg
new file mode 100644
index 0000000000000..fade071e611c3
--- /dev/null
+++ b/static/images/announcements/kccnc-eu-2022-black.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 400 190"><defs><style>.cls-1{fill-rule:evenodd;}.cls-2{opacity:0.8;}.cls-3{clip-path:url(#clip-path);}.cls-4{clip-path:url(#clip-path-2);}.cls-5{clip-path:url(#clip-path-3);}.cls-6{clip-path:url(#clip-path-4);}</style><clipPath id="clip-path"><rect x="154.68931" y="9.26397" width="0.64658" height="131.58023"/></clipPath><clipPath id="clip-path-2"><rect x="314.13738" y="166.22268" width="81.79309" height="0.64658"/></clipPath><clipPath id="clip-path-3"><rect x="288.46793" y="166.22268" width="109.53207" height="0.64658"/></clipPath><clipPath id="clip-path-4"><rect x="3" y="166.22268" width="109.53207" height="0.64658"/></clipPath></defs><g id="SVGID"><path d="M3.38823,166.22271H85.18134v.64658H3.38823Z"/></g><rect x="3.38823" y="166.22268" width="81.79312" height="0.64658"/><path d="M115.24758,121.70524c.71125-.194,1.5518-.388,2.651-.58192a19.14417,19.14417,0,0,1,3.36224-.25863,7.77882,7.77882,0,0,1,2.9743.45261,4.54575,4.54575,0,0,1,1.8751,1.35783,5.11676,5.11676,0,0,1,.96988,2.06908,11.44875,11.44875,0,0,1,.32329,2.651v8.01766h-3.9442v-7.56506a5.39851,5.39851,0,0,0-.51727-2.71568,2.1168,2.1168,0,0,0-1.93976-.7759,4.5804,4.5804,0,0,0-.90521.06467c-.3233,0-.58193.06466-.84053.06466v10.92731h-4.00883Zm-7.37107,6.53052a5.372,5.372,0,0,0-.71126-2.90964,2.71772,2.71772,0,0,0-4.26746,0,4.8554,4.8554,0,0,0-.77591,2.90964,5.21083,5.21083,0,0,0,.77591,2.97431,2.62059,2.62059,0,0,0,4.26746,0,5.616,5.616,0,0,0,.71126-2.97431m4.07349,0a9.08786,9.08786,0,0,1-.45261,3.039,6.92,6.92,0,0,1-1.42249,2.39236,6.47052,6.47052,0,0,1-5.04337,2.06908,7.95737,7.95737,0,0,1-2.845-.51727,6.48976,6.48976,0,0,1-2.19839-1.5518,6.72558,6.72558,0,0,1-1.42248-2.39236,9.18534,9.18534,0,0,1,0-6.07791,7.03958,7.03958,0,0,1,1.42248-2.32768,6.30777,6.30777,0,0,1,2.19839-1.48715,6.6561,6.6561,0,0,1,2.78032-.51727,7.60275,7.60275,0,0,1,2.78032.51727,7.33248,7.33248,0,0,1,2.19839,1.48715,7.03964,7.03964,0,0,1,1.42248,2.32768,7.71587,7.71587,0,0,1,.58192,3.039m-21.7899,7.50038c-3.03895,0-5.36666-.84053-6.91846-2.52168-1.61646-1.68112-2.39237-4.07349-2.39237-7.17711a11.80643,11.80643,0,0,1,.71126-4.13814,8.35684,8.35684,0,0,1,5.04337-4.91406,10.51033,10.51033,0,0,1,3.81483-.64663,10.90006,10.90006,0,0,1,2.13379.194c.64663.12931,1.22851.25863,1.68112.38795a12.72192,12.72192,0,0,1,1.22852.45261,2.31486,2.31486,0,0,1,.71124.388l-1.22851,3.36225a8.09591,8.09591,0,0,0-2.00442-.7759,10.47379,10.47379,0,0,0-2.58635-.3233,6.007,6.007,0,0,0-1.87509.3233,3.86822,3.86822,0,0,0-1.61646,1.03453,6.24093,6.24093,0,0,0-1.16385,1.81045,8.5163,8.5163,0,0,0-.45261,2.71565,9.36345,9.36345,0,0,0,.25863,2.39236,5.96679,5.96679,0,0,0,.90521,1.93976,4.86864,4.86864,0,0,0,1.68114,1.29318,5.7526,5.7526,0,0,0,2.457.45259,11.69985,11.69985,0,0,0,1.61646-.12931,6.52172,6.52172,0,0,0,1.29318-.25862,8.4585,8.4585,0,0,0,.96988-.3233,3.95481,3.95481,0,0,1,.7759-.32329l1.16386,3.36225a7.88433,7.88433,0,0,1-2.52168.96987,12.49207,12.49207,0,0,1-3.68554.4526M74.1895,126.87788a2.59448,2.59448,0,0,0-.194-.96987,3.48425,3.48425,0,0,0-.45261-.84053,2.58754,2.58754,0,0,0-.77591-.64663,3.08828,3.08828,0,0,0-1.16385-.25862,2.21434,2.21434,0,0,0-1.16386.25862,1.76522,1.76522,0,0,0-.7759.58194,3.02432,3.02432,0,0,0-.51727.90521,4.843,4.843,0,0,0-.25863,1.03454h5.302ZM64.814,128.365a8.81817,8.81817,0,0,1,.58192-3.29759,6.12858,6.12858,0,0,1,1.55181-2.32768,6.49473,6.49473,0,0,1,2.13379-1.42248,6.9333,6.9333,0,0,1,2.52169-.45261,6.28763,6.28763,0,0,1,4.78473,1.81044,7.61706,7.61706,0,0,1,1.74577,5.43131v.7759c0,.25863-.06466.51727-.06466.71125H68.95222a2.4035,2.4035,0,0,0,1.16385,1.93977,4.97763,4.97763,0,0,0,2.71566.71124,11.38429,11.38429,0,0,0,2.13378-.194,8.10972,8.10972,0,0,0,1.74578-.51726l.51728,3.23292a5.7736,5.7736,0,0,1-.84053.32329,6.86836,6.86836,0,0,1-1.22852.25864c-.4526.06466-.90522.1293-1.42248.194a11.94788,11.94788,0,0,1-1.48715.06467,8.35949,8.35949,0,0,1-3.29759-.58192,6.12841,6.12841,0,0,1-2.32768-1.5518,5.28777,5.28777,0,0,1-1.35783-2.32768,7.38057,7.38057,0,0,1-.45261-2.78032m-2.651-.06467a9.07388,9.07388,0,0,1-.51727,3.039,7.03961,7.03961,0,0,1-1.42249,2.32768,6.25379,6.25379,0,0,1-2.32768,1.48715,9.17765,9.17765,0,0,1-3.10361.51726,13.5342,13.5342,0,0,1-1.55181-.06466l-1.55181-.194a11.9345,11.9345,0,0,1-1.48715-.25863c-.45261-.12932-.90522-.194-1.22852-.3233v-19.7855l4.00883-.64663v7.04785a9.15786,9.15786,0,0,1,1.42249-.45261,6.04255,6.04255,0,0,1,1.55181-.12931,6.67928,6.67928,0,0,1,2.651.51727,4.8886,4.8886,0,0,1,1.93976,1.48715,6.56419,6.56419,0,0,1,1.16386,2.32767,9.47953,9.47953,0,0,1,.4526,3.10362m-4.07349-.12931c0-2.58635-.96988-3.87952-2.845-3.87952a7.92461,7.92461,0,0,0-1.22851.12932,7.52847,7.52847,0,0,0-.96988.388v7.30641a2.66357,2.66357,0,0,0,.7759.06467c.3233,0,.64663.06466.96988.06466a2.87857,2.87857,0,0,0,2.457-1.09919,5.07162,5.07162,0,0,0,.84053-2.9743M45.0286,134.89563c-.71123.194-1.55179.388-2.651.58192a19.1442,19.1442,0,0,1-3.36225.25862,7.7787,7.7787,0,0,1-2.97431-.4526,4.54584,4.54584,0,0,1-1.8751-1.35783,5.55613,5.55613,0,0,1-.96988-2.06908,11.02086,11.02086,0,0,1-.32329-2.651v-7.88833H36.817v7.37108a5.86893,5.86893,0,0,0,.51728,2.78033,2.00514,2.00514,0,0,0,1.93975.84053,4.5805,4.5805,0,0,0,.90522-.06467c.3233,0,.58193-.06466.84053-.06466V121.25266h4.00883v13.643Zm-18.49235.45261c-.38795-.58193-.84052-1.29317-1.35783-2.00442a24.22194,24.22194,0,0,0-1.68111-2.13374c-.58193-.71124-1.22853-1.35782-1.87511-2.06908a23.61959,23.61959,0,0,0-1.93976-1.74578v7.88834H15.47938V116.66191h4.20281v7.04778c1.0992-1.16386,2.19839-2.32769,3.29759-3.62089,1.0992-1.22851,2.13374-2.39236,3.10362-3.42691h4.9787c-1.29317,1.48715-2.52168,2.97431-3.81483,4.33212-1.29318,1.42248-2.651,2.78033-4.07349,4.20281a34.94662,34.94662,0,0,1,4.33212,4.39679,57.25243,57.25243,0,0,1,4.00883,5.6253H26.536Z"/><path class="cls-1" d="M60.15847,53.10248l-2.32768.51727c0-.32329-.06467-.64662-.06467-.96987a13.38935,13.38935,0,0,1,1.93976-6.98314l4.5261,4.00884a.89279.89279,0,0,0,.25864.194,7.37338,7.37338,0,0,0-.51727,2.13373c-.12932.06466-.3233.06466-.45261.12931ZM68.952,39.39487v6.33654a5.60576,5.60576,0,0,0-1.74578.90522c-.194-.12932-.38794-.3233-.58193-.45261l-4.59076-3.23293A12.75565,12.75565,0,0,1,68.952,39.39487M37.4633,54.00772c2.19839-9.63414,4.0735-17.78111,6.27189-27.41525.96987-4.33212,1.61646-5.496,5.56063-7.759,5.43132-3.16827,9.50481-5.43132,15.32408-8.79357C68.24078,7.9708,68.952,8.10012,68.952,12.56156V34.93343a17.47951,17.47951,0,0,0-10.604,5.36666l-1.93979-1.35783a.93451.93451,0,0,1-.45261-.64663,3.14929,3.14929,0,0,0-1.03455-1.55177,2.11554,2.11554,0,0,0-2.651,3.29759,2.24045,2.24045,0,0,0,1.03453.51727c.25864.06466.51728.06466.77591.12932a1.59758,1.59758,0,0,1,.58192.25864l1.81045,1.61646a17.70258,17.70258,0,0,0-3.039,9.95742c0,.64663.06465,1.29318.12931,1.93976l-3.94417.84052a3.97745,3.97745,0,0,0-.84053.06466l-.58193.194c-2.58634.51727-5.17268,1.09919-7.82368,1.68112-3.55622.84052-3.68554.12931-2.90964-3.23293m36.0795-8.27629V39.39487a13.59633,13.59633,0,0,1,6.91847,3.49156l-4.97871,3.55622c-.06465.06466-.12932.12932-.194.12932a7.18553,7.18553,0,0,0-1.74578-.84053m11.12127,7.43578-6.20725-1.42256a6.12245,6.12245,0,0,0-.51727-1.93976c.06466-.06466.12931-.12931.194-.12931l4.59077-4.0735a13.5098,13.5098,0,0,1,2.00442,7.04779,1.26028,1.26028,0,0,0-.06466.51727m-8.08233-34.2044c3.36224,1.61647,5.75461,2.78032,9.11682,4.39679,4.65541,2.263,9.31082,4.52611,14.0309,6.7245,1.16386,5.04336,2.32769,10.08673,3.42692,15.1301.71124,3.039,1.03454,4.65542,1.74577,7.62972,1.0992,4.72008.96989,5.108-3.87951,4.00883L89.06082,54.137a12.4583,12.4583,0,0,0,.06466-1.55181,17.33261,17.33261,0,0,0-3.10362-10.02208L87.703,41.01135a1.43533,1.43533,0,0,1,.71124-.32329,3.38409,3.38409,0,0,0,1.74578-.64663,2.11554,2.11554,0,1,0-2.64547-3.302l-.00554.00446h0a2.63279,2.63279,0,0,0-.7759.90522c-.12932.25864-.194.45261-.3233.71125a1.00556,1.00556,0,0,1-.38794.51727l-1.93976,1.35782a17.65449,17.65449,0,0,0-10.604-5.36666V21.22581c.06465-3.16827.32329-3.55622,3.10361-2.26306M72.44362,59.69762a7.16236,7.16236,0,0,1-1.22852.12931,7.02749,7.02749,0,0,1-1.16385-.06465l-.194.388-2.845,5.23739a13.426,13.426,0,0,0,4.26747.71123,14.1404,14.1404,0,0,0,4.33212-.71123l-2.845-5.17269a2.26835,2.26835,0,0,1-.3233-.51727m5.04337-3.42691,6.20723,1.42249a13.412,13.412,0,0,1-5.04337,6.14251l-2.457-5.94862a10.12986,10.12986,0,0,0,1.29317-1.61647M58.80056,57.62849,65.00778,56.206a8.5934,8.5934,0,0,0,1.35783,1.68112l-.194.388-2.263,5.56064a13.31858,13.31858,0,0,1-5.108-6.20723m50.82165,10.9273c-2.97431,3.68554-4.33213,5.43133-7.30643,9.11683-3.36224,4.20281-6.0779,7.62967-9.44016,11.83252-2.39236,3.039-4.13814,3.10362-8.08232,3.10362H57.63677c-5.17269,0-5.56064,0-8.72891-4.00883-3.16827-3.94418-5.62529-7.04778-8.72891-10.992-2.457-3.10362-3.10361-3.87952-5.56063-6.98313-3.81484-4.78473-4.46147-6.53052,1.48715-7.82369l18.363-4.13815a18.157,18.157,0,0,0,7.69437,9.31084l-.84053,1.93975a1.141,1.141,0,0,1-.51727.58193,2.93241,2.93241,0,0,0-1.29317,1.35783,2.12543,2.12543,0,0,0,3.80042,1.90439l.01187-.02406.00257-.00523a3.45283,3.45283,0,0,0,.32329-1.16385,3.14718,3.14718,0,0,0-.06466-.7759,1.16591,1.16591,0,0,1,.12931-.64663L64.74925,69.267a18.08687,18.08687,0,0,0,6.40119,1.16386,17.1478,17.1478,0,0,0,6.46578-1.22836l1.03454,1.87509a1.05813,1.05813,0,0,1,.12931.7759,2.9093,2.9093,0,0,0,.25863,1.81045,2.12544,2.12544,0,0,0,3.83217-1.83967l-.01363-.02786-.0037-.00759a2.70112,2.70112,0,0,0-.71125-.96988,3.92469,3.92469,0,0,0-.64663-.45261.80307.80307,0,0,1-.38794-.51727L80.26719,67.78a17.7342,17.7342,0,0,0,7.62967-9.31084L108.135,63.05988c4.0735,1.09919,3.81484,2.52168,1.48715,5.496"/><path class="cls-1" d="M73.54278,45.73141V39.39487a13.59632,13.59632,0,0,1,6.91849,3.49156l-4.97871,3.55622c-.06466.06466-.12932.12932-.194.12932a7.18528,7.18528,0,0,0-1.74577-.84053m11.12127,7.43578-6.20723-1.42256a6.12245,6.12245,0,0,0-.51727-1.93976c.06466-.06466.12931-.12931.194-.12931l4.59077-4.0735a13.5098,13.5098,0,0,1,2.00442,7.04779,1.26028,1.26028,0,0,0-.06466.51727m-8.08233-34.2044c3.36224,1.61647,5.75461,2.78032,9.11682,4.39679,4.65541,2.263,9.31082,4.52611,14.0309,6.7245,1.16386,5.04336,2.32769,10.08673,3.42692,15.1301.71124,3.039,1.03454,4.65542,1.74577,7.62972,1.0992,4.72008.96989,5.108-3.87951,4.00883L89.06082,54.137a12.4583,12.4583,0,0,0,.06466-1.55181,17.33261,17.33261,0,0,0-3.10362-10.02208L87.703,41.01135a1.43533,1.43533,0,0,1,.71124-.32329,3.38409,3.38409,0,0,0,1.74578-.64663,2.11554,2.11554,0,1,0-2.64547-3.302l-.00554.00446h0a2.63279,2.63279,0,0,0-.7759.90522c-.12932.25864-.194.45261-.3233.71125a1.00556,1.00556,0,0,1-.38794.51727l-1.93976,1.35782a17.65449,17.65449,0,0,0-10.604-5.36666V21.22581c.06465-3.16827.32329-3.55622,3.10361-2.26306m.90522,37.308,6.20722,1.42249a13.41194,13.41194,0,0,1-5.04336,6.14256l-2.457-5.94862A10.12936,10.12936,0,0,0,77.487,56.27072m-6.27187,9.76345V59.827a7.9223,7.9223,0,0,0,1.22851-.12932,1.62044,1.62044,0,0,0,.25863.45261l2.845,5.17269a14.14,14.14,0,0,1-4.33211.71124m38.40717,2.52168c-2.97431,3.68554-4.33212,5.43133-7.30642,9.11683-3.36225,4.20281-6.07791,7.62972-9.44016,11.83252-2.39236,3.039-4.13815,3.10362-8.08233,3.10362H71.27975V70.431a17.14726,17.14726,0,0,0,6.46585-1.22852l1.03453,1.87511a1.05807,1.05807,0,0,1,.12932.7759,2.90914,2.90914,0,0,0,.25863,1.81044,2.12543,2.12543,0,0,0,3.81483-1.87511,2.70074,2.70074,0,0,0-.71124-.96988,3.92548,3.92548,0,0,0-.64663-.4526.80311.80311,0,0,1-.38794-.51728L80.39657,67.78a17.73432,17.73432,0,0,0,7.62967-9.31084l20.23813,4.59076c3.94418,1.09918,3.68554,2.52167,1.35784,5.496"/><path d="M259.63018,67.78H248.89685V92.86752h25.02286V82.13419H259.63018Zm53.73128.06465V82.13419H299.13654l-.12933-.12931V92.86752h25.08752V67.78H313.29679ZM248.8969,42.69245h10.798l-.06467-.06465V28.33825h14.22493l.06466.12931V17.60492H248.8969Zm50.11039-25.08753V28.33825h14.3542V42.69246h10.73333V17.60492Z"/><g class="cls-2"><path d="M297.71408,42.69245l-14.3542-14.3542h15.64738V17.60492H273.91971V28.46756l14.28956,14.22492ZM284.78237,67.78h-9.50481l11.89718,11.89718,2.457,2.457H273.91971V92.86752h25.08752V82.00487l-7.11243-7.11244Zm28.57909-25.08753V58.33982l-2.457-2.457L299.00726,44.05027v9.50481l7.1771,7.11245L313.29679,67.78h10.798V42.69245ZM273.91971,56.91732,259.69478,42.6924H248.83221V67.78h10.798V52.13261l14.28956,14.28955Z"/></g><path d="M196.3941,120.2181l-2.71568,3.23292a6.35641,6.35641,0,0,0-4.65542-2.39236,5.19258,5.19258,0,0,0-5.17557,5.20955v0q.00021.07856.00288.15706a5.17081,5.17081,0,0,0,4.9037,5.42477q.13439.00677.269.00655a6.83749,6.83749,0,0,0,4.65542-2.19838l2.78031,2.90964a11.32077,11.32077,0,0,1-7.62967,3.36223,9.36652,9.36652,0,0,1-9.694-9.02722q-.00852-.2387-.00483-.47759c0-5.36666,4.26748-9.37549,9.89276-9.37549A11.12786,11.12786,0,0,1,196.3941,120.2181Zm2.263,15.51806V116.1446h4.59077v19.59156Zm22.75983-7.11244c0,4.39678-3.1036,7.30642-7.759,7.30642s-7.82369-2.90964-7.82369-7.30642,3.1036-7.24176,7.82369-7.24176c4.6554,0,7.759,2.845,7.759,7.24176Zm-10.992.06467c0,2.19838,1.29317,3.68553,3.16827,3.68553s3.16826-1.48715,3.16826-3.68553-1.29317-3.68553-3.16826-3.68553S210.425,126.49,210.425,128.68839Zm27.35057,7.04778h-4.59074v-2.32768a5.041,5.041,0,0,1-4.65542,2.52168c-3.1036,0-5.108-2.13375-5.108-5.43132V121.5113h4.59075v7.69438c0,1.68112.90521,2.71566,2.39238,2.71566,1.74578,0,2.78031-1.42249,2.78031-3.36224v-7.04778h4.59075Zm17.97507,0h-4.59076v-1.8751a5.27087,5.27087,0,0,1-4.26749,2.06908c-4.00883,0-6.65983-2.9743-6.65983-7.37108,0-4.33212,2.58634-7.24176,6.53053-7.24176a5.25516,5.25516,0,0,1,4.39676,2.06907v-7.24172h4.59076V135.7362Zm-4.59076-7.04778c0-2.1984-1.29318-3.68553-3.16827-3.68553s-3.16827,1.48715-3.16827,3.68553,1.29316,3.7502,3.16827,3.7502c1.93978-.06468,3.1683-1.55183,3.1683-3.75022Z"/><path d="M272.49725,135.73616l-8.53495-11.37992v11.37992h-4.39676V117.2438h4.13816l8.53495,11.44457V117.2438h4.39676v18.49236Zm20.43213-9.31083v9.31083h-4.46145v-1.61647a5.17609,5.17609,0,0,1-4.33213,1.8751c-3.039,0-4.91405-1.8751-4.91405-4.46147,0-2.71567,1.93975-4.26747,5.496-4.33213h3.7502v-.194c0-1.42248-.90523-2.263-2.78031-2.263a10.88647,10.88647,0,0,0-4.26746,1.16385l-1.29319-3.03895a14.82048,14.82048,0,0,1,6.59517-1.61647c3.94417.06469,6.20721,2.00445,6.20721,5.17273Zm-4.46145,4.5261v-1.29317h-2.90964c-1.35782,0-2.06908.4526-2.06908,1.55181,0,1.03454.71126,1.68111,2.00441,1.68111a2.95576,2.95576,0,0,0,2.97431-1.93976Zm16.81124,4.0735a8.13646,8.13646,0,0,1-3.81484.96987c-2.78031,0-4.72006-1.5518-4.72006-4.5261v-6.27189h-2.00441V122.2225h2.00441v-3.94417h4.5261v3.94417h3.75019v3.039h-3.75019v5.56064c0,1.09919.45262,1.61647,1.29315,1.55181a5.3548,5.3548,0,0,0,1.74578-.45262Zm6.9831-17.58713a2.36293,2.36293,0,0,1-2.26673,2.45534q-.06281.00252-.12565.00168a2.42491,2.42491,0,0,1,0-4.8494,2.27338,2.27338,0,0,1,2.39238,2.39236Zm-4.72006,18.29837V121.51125h4.52609v14.22492Zm11.63855,0-5.36665-14.22492h4.72006l3.03894,10.08675,3.10361-10.08675h4.52612l-5.36665,14.22492Zm25.1522-5.88394h-10.0221a3.32655,3.32655,0,0,0,3.36223,2.651,5.08019,5.08019,0,0,0,3.4269-1.42249l2.39238,2.32768a8.07362,8.07362,0,0,1-6.20721,2.52168c-4.65542,0-7.56506-2.90964-7.56506-7.24176,0-4.39679,3.039-7.30643,7.43579-7.30643,4.97871,0,7.43578,3.2976,7.17707,8.47028Zm-4.39677-2.457a2.683,2.683,0,0,0-2.7803-2.90963c-1.61646,0-2.651,1.16385-2.97431,2.90963Z"/><path d="M362.95459,120.2181l-2.71568,3.23292a6.35636,6.35636,0,0,0-4.65542-2.39236,5.1926,5.1926,0,0,0-5.17557,5.20955v0q.00026.07856.00289.15706a5.17082,5.17082,0,0,0,4.90372,5.42477q.13437.00677.269.00655a6.83739,6.83739,0,0,0,4.65542-2.19838l2.78031,2.90964a11.32061,11.32061,0,0,1-7.62967,3.36223,9.36656,9.36656,0,0,1-9.694-9.02726q-.00849-.23868-.00481-.47755c0-5.36666,4.26746-9.37549,9.89274-9.37549A11.26291,11.26291,0,0,1,362.95459,120.2181Zm15.97067,8.40561c0,4.39678-3.1036,7.30641-7.759,7.30641s-7.82367-2.90963-7.82367-7.30641,3.10361-7.24176,7.82367-7.24176C375.82166,121.382,378.92526,124.22692,378.92526,128.62371Zm-10.92732.06466c0,2.19839,1.29318,3.68554,3.1683,3.68554s3.16827-1.48715,3.16827-3.68554-1.29316-3.68553-3.16827-3.68553S367.998,126.49,367.998,128.68837Zm27.9325-1.93976v8.98753h-4.52609v-7.69437a2.433,2.433,0,0,0-2.52171-2.71566,2.89561,2.89561,0,0,0-2.90964,2.90964v7.56506h-4.59075V121.57589H385.973v2.32768a5.24823,5.24823,0,0,1,4.78475-2.52168c3.10361-.06467,5.17269,2.06907,5.17269,5.36666Z"/><g id="SVGID-2"><path d="M154.68931,9.264h.64664V140.84422h-.64664Z"/></g><rect x="154.68931" y="9.26397" width="0.64658" height="131.58023"/><rect x="154.68931" y="9.26397" width="0.64658" height="131.58023"/><rect x="154.68931" y="9.26397" width="0.64658" height="131.58023"/><g class="cls-3"><path d="M154.68931,9.264h.64664V140.84422h-.64664Z"/></g><g id="SVGID-3"><path d="M314.13738,166.22271h81.79309v.64658H314.13738Z"/></g><rect x="314.13738" y="166.22268" width="81.79309" height="0.64658"/><rect x="314.13738" y="166.22268" width="81.79309" height="0.64658"/><rect x="314.13738" y="166.22268" width="81.79309" height="0.64658"/><g class="cls-4"><path d="M314.13738,166.22271h81.79309v.64658H314.13738Z"/></g><path d="M135.91644,175.59379H125.2653V157.09958h10.65114v3.21321h-6.72977v4.0606h6.2616v3.213h-6.2616v4.769h6.72977Z"/><path d="M149.48949,175.59379l-.51844-1.80908h-.20268a4.06966,4.06966,0,0,1-1.758,1.52444,6.00488,6.00488,0,0,1-2.5932.53761,4.93724,4.93724,0,0,1-3.75706-1.33444,5.36868,5.36868,0,0,1-1.265-3.83924v-9.22183h3.85813v8.26041a3.96793,3.96793,0,0,0,.54383,2.29587,1.97888,1.97888,0,0,0,1.73311.76521,2.6053,2.6053,0,0,0,2.34019-1.08146,6.70865,6.70865,0,0,0,.72113-3.58622v-6.65379h3.85817v14.14252Z"/><path d="M164.3912,161.18557a6.21683,6.21683,0,0,1,1.30283.1138l-.29085,3.61785a4.4296,4.4296,0,0,0-1.13848-.1265,4.09134,4.09134,0,0,0-2.87805.94873,3.42957,3.42957,0,0,0-1.0309,2.65644v7.19788h-3.85817v-14.1425h2.92235l.56923,2.378h.18975a5.3178,5.3178,0,0,1,1.77693-1.91637A4.38429,4.38429,0,0,1,164.3912,161.18557Z"/><path d="M181.11419,168.49725a7.59823,7.59823,0,0,1-1.82174,5.40152,6.60415,6.60415,0,0,1-5.07233,1.948,7.09746,7.09746,0,0,1-3.59272-.89171,5.93547,5.93547,0,0,1-2.391-2.5618,8.61028,8.61028,0,0,1-.83469-3.896,7.55708,7.55708,0,0,1,1.80881-5.38882,6.6424,6.6424,0,0,1,5.08528-1.92286,7.139,7.139,0,0,1,3.59271.88548,5.90859,5.90859,0,0,1,2.3905,2.54264A8.52561,8.52561,0,0,1,181.11419,168.49725Zm-9.77861,0a5.93438,5.93438,0,0,0,.68975,3.17512,2.46433,2.46433,0,0,0,2.24511,1.07524,2.42647,2.42647,0,0,0,2.22017-1.069,6.0198,6.0198,0,0,0,.6768-3.18134,5.83992,5.83992,0,0,0-.68327-3.15,2.90442,2.90442,0,0,0-4.46525-.00622,5.83834,5.83834,0,0,0-.6833,3.15619Z"/><path d="M192.06913,175.84677a4.69009,4.69009,0,0,1-3.909-1.80885h-.20225q.20169,1.77084.20225,2.04911v5.73046H184.302V161.45127h3.137l.54434,1.83421h.1768a4.464,4.464,0,0,1,4.01-2.0999,4.58939,4.58939,0,0,1,3.92141,1.93556,8.95271,8.95271,0,0,1,1.41686,5.37612,10.61611,10.61611,0,0,1-.66386,3.9341,5.525,5.525,0,0,1-1.89148,2.54265A4.84618,4.84618,0,0,1,192.06913,175.84677Zm-1.13847-11.57472a2.436,2.436,0,0,0-2.0872.87924,5.04713,5.04713,0,0,0-.68328,2.90321v.41734a5.95861,5.95861,0,0,0,.6768,3.26377,2.41565,2.41565,0,0,0,2.144.98658q2.59368,0,2.59369-4.27551a6.107,6.107,0,0,0-.639-3.131,2.18026,2.18026,0,0,0-2.005-1.04357Z"/><path d="M207.09736,175.84677a7.2991,7.2991,0,0,1-5.33827-1.88475,7.1364,7.1364,0,0,1-1.92286-5.33827,7.84744,7.84744,0,0,1,1.77744-5.49639,6.32787,6.32787,0,0,1,4.91446-1.94175,6.22836,6.22836,0,0,1,4.66742,1.70772,6.45943,6.45943,0,0,1,1.66985,4.71844v1.87206h-9.12023a3.71261,3.71261,0,0,0,.97363,2.568,3.42848,3.42848,0,0,0,2.55534.92333,10.59954,10.59954,0,0,0,2.41638-.2657,12.08727,12.08727,0,0,0,2.37805-.84738v2.98537a9.059,9.059,0,0,1-2.16289.75251A13.63349,13.63349,0,0,1,207.09736,175.84677Zm-.54433-11.91611a2.44614,2.44614,0,0,0-1.92235.77792,3.60048,3.60048,0,0,0-.79733,2.20747h5.41447a3.21723,3.21723,0,0,0-.74653-2.20747A2.52665,2.52665,0,0,0,206.553,163.93066Z"/><path d="M234.67371,175.59379H221.74562v-2.71968l4.64254-4.69309q2.06181-2.1126,2.69428-2.9286a6.43928,6.43928,0,0,0,.91089-1.51148,3.85377,3.85377,0,0,0,.27838-1.44228,2.10159,2.10159,0,0,0-.61356-1.65692,2.38044,2.38044,0,0,0-1.63848-.54409,4.71418,4.71418,0,0,0-2.08719.49329,10.7855,10.7855,0,0,0-2.11261,1.40417l-2.125-2.51724a13.8486,13.8486,0,0,1,2.26449-1.64446,8.3201,8.3201,0,0,1,1.9607-.74,10.04741,10.04741,0,0,1,2.37805-.25922,7.04291,7.04291,0,0,1,3.06133.63249,4.8826,4.8826,0,0,1,2.06181,1.77095,4.70516,4.70516,0,0,1,.73407,2.60589,6.37811,6.37811,0,0,1-.44921,2.397,9.20929,9.20929,0,0,1-1.39147,2.29614,34.03905,34.03905,0,0,1-3.32079,3.35217l-2.37805,2.23909v.17705h8.058Z"/><path d="M249.36029,166.3468q0,4.84484-1.58769,7.17247a5.50836,5.50836,0,0,1-4.889,2.3275,5.444,5.444,0,0,1-4.82581-2.40345q-1.62627-2.40317-1.62554-7.09652,0-4.89563,1.58121-7.21683a6.14864,6.14864,0,0,1,9.7084.10757Q249.36006,161.66618,249.36029,166.3468Zm-9.04454,0a14.38014,14.38014,0,0,0,.58818,4.87636,2.03674,2.03674,0,0,0,1.97964,1.47388,2.05754,2.05754,0,0,0,1.97316-1.49281,19.76988,19.76988,0,0,0-.006-9.74675,2.04923,2.04923,0,0,0-3.94082,0,14.3658,14.3658,0,0,0-.59416,4.88932Z"/><path d="M264.24907,175.59379H251.321v-2.71968l4.64254-4.69309q2.06178-2.1126,2.69429-2.9286a6.43827,6.43827,0,0,0,.91089-1.51148,3.85319,3.85319,0,0,0,.27839-1.44228,2.10161,2.10161,0,0,0-.61355-1.65692,2.38042,2.38042,0,0,0-1.63848-.54409,4.71442,4.71442,0,0,0-2.0872.49329,10.786,10.786,0,0,0-2.11259,1.40417l-2.12506-2.51724a13.8486,13.8486,0,0,1,2.26449-1.64446,8.3201,8.3201,0,0,1,1.9607-.74,10.04746,10.04746,0,0,1,2.37805-.25922,7.043,7.043,0,0,1,3.06134.63249,4.88231,4.88231,0,0,1,2.0618,1.77095,4.70531,4.70531,0,0,1,.73408,2.60589,6.37794,6.37794,0,0,1-.44923,2.397,9.20807,9.20807,0,0,1-1.39146,2.29614,34.03784,34.03784,0,0,1-3.32078,3.35217l-2.378,2.23909v.17705h8.05794Z"/><rect x="288.46793" y="166.22268" width="109.53207" height="0.64658"/><rect x="288.46793" y="166.22268" width="109.53207" height="0.64658"/><g class="cls-5"><path d="M288.46793,166.22271H398v.64658h-109.532Z"/></g><rect x="3" y="166.22268" width="109.53207" height="0.64658"/><rect x="3" y="166.22268" width="109.53207" height="0.64658"/><g class="cls-6"><path d="M3,166.22271H112.53206v.64658H3Z"/></g><path d="M279.00045,175.59379H266.07237v-2.71968l4.64254-4.69309q2.06178-2.1126,2.69429-2.9286a6.43827,6.43827,0,0,0,.91089-1.51148,3.85339,3.85339,0,0,0,.27839-1.44228,2.10161,2.10161,0,0,0-.61355-1.65692,2.38042,2.38042,0,0,0-1.63848-.54409,4.71442,4.71442,0,0,0-2.0872.49329,10.786,10.786,0,0,0-2.11259,1.40417l-2.12506-2.51724a13.8486,13.8486,0,0,1,2.26449-1.64446,8.3201,8.3201,0,0,1,1.9607-.74,10.04746,10.04746,0,0,1,2.37805-.25922,7.043,7.043,0,0,1,3.06134.63249,4.88231,4.88231,0,0,1,2.0618,1.77095,4.70531,4.70531,0,0,1,.73408,2.60589,6.37794,6.37794,0,0,1-.44923,2.397,9.20837,9.20837,0,0,1-1.39146,2.29614,34.03784,34.03784,0,0,1-3.32078,3.35217l-2.378,2.23909v.17705h8.05794Z"/></svg>
\ No newline at end of file
diff --git a/static/images/docs/multi-tenancy.png b/static/images/docs/multi-tenancy.png
new file mode 100755
index 0000000000000..0ce341120a190
Binary files /dev/null and b/static/images/docs/multi-tenancy.png differ